-rw-r--r--lib/libssl/src/crypto/x509v3/pcy_int.h27
-rw-r--r--lib/libssl/src/crypto/x509v3/pcy_lib.c2
-rw-r--r--lib/libssl/src/crypto/x509v3/pcy_map.c58
3 files changed, 76 insertions, 11 deletions
diff --git a/lib/libssl/src/crypto/x509v3/pcy_int.h b/lib/libssl/src/crypto/x509v3/pcy_int.h
index ccff92846e4..ba62a209dad 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_int.h
+++ b/lib/libssl/src/crypto/x509v3/pcy_int.h
@@ -1,5 +1,5 @@
/* pcy_int.h */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
* project 2004.
*/
/* ====================================================================
@@ -56,10 +56,12 @@
*
*/
+DECLARE_STACK_OF(X509_POLICY_DATA)
+DECLARE_STACK_OF(X509_POLICY_REF)
+DECLARE_STACK_OF(X509_POLICY_NODE)
typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DECLARE_STACK_OF(X509_POLICY_DATA)
+typedef struct X509_POLICY_REF_st X509_POLICY_REF;
/* Internal structures */
@@ -108,6 +110,16 @@ struct X509_POLICY_DATA_st
#define POLICY_DATA_FLAG_CRITICAL 0x10
+/* This structure is an entry from a table of mapped policies which
+ * cross reference the policy it refers to.
+ */
+
+struct X509_POLICY_REF_st
+ {
+ ASN1_OBJECT *subjectDomainPolicy;
+ const X509_POLICY_DATA *data;
+ };
+
/* This structure is cached with a certificate */
struct X509_POLICY_CACHE_st {
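Review bot: The new X509_POLICY_REF_st carries no ownership information for its two pointers, and the rest of this diff treats them differently: policy_map_free() in pcy_map.c frees `subjectDomainPolicy`, while `data` points at an entry that is pushed onto `cache->data` and is never freed with the ref. That contract should be stated on the struct so a future caller of policy_map_free() does not free something the cache still references. I would comment the fields as `ASN1_OBJECT *subjectDomainPolicy;   /* released by policy_map_free() */` and `const X509_POLICY_DATA *data;   /* borrowed: entry of cache->data, not freed with the ref */`. Whether the first pointer can safely be owned here depends on pcy_map.c, which also stores it in data->expected_policy_set; the comment should match whatever that code settles on.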
@@ -115,6 +127,8 @@ struct X509_POLICY_CACHE_st {
X509_POLICY_DATA *anyPolicy;
/* other policy data */
STACK_OF(X509_POLICY_DATA) *data;
+ /* If policyMappings extension present a table of mapped policies */
+ STACK_OF(X509_POLICY_REF) *maps;
/* If InhibitAnyPolicy present this is its value or -1 if absent. */
long any_skip;
/* If policyConstraints and requireExplicitPolicy present this is its
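Review bot: The comment on `maps` does not say what the field holds when the extension is absent or when mapping fails, yet pcy_map.c resets it to NULL on the error path and policy_map_find() searches it with a comparison keyed on subjectDomainPolicy. A reader of the cache struct needs both facts to use the table correctly. I would expand the comment to `/* If policyMappings extension present a table of mapped policies, sorted by subjectDomainPolicy (see ref_cmp); NULL otherwise */`. The surrounding struct continues outside this hunk.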
@@ -179,7 +193,7 @@ struct X509_POLICY_TREE_st
/* Internal functions */
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
+X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id,
int crit);
void policy_data_free(X509_POLICY_DATA *data);
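Review bot: Dropping the `const` from the `id` parameter of policy_data_new() changes the visible contract without a word of documentation, and the only reason to take a non-const ASN1_OBJECT here is that the function now stores the pointer rather than duplicating it. If that is the intent it should be stated on the prototype, since pcy_map.c now nulls the caller's copy after the call and relies on it. I would add above the declaration `/* When policy is NULL, takes ownership of id on success (caller must not free it). */`. pcy_data.c is not part of this diff, so the actual behaviour should be confirmed there before the comment is written.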
@@ -195,18 +209,15 @@ void policy_cache_init(void);
void policy_cache_free(X509_POLICY_CACHE *cache);
X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
- const X509_POLICY_NODE *parent,
const ASN1_OBJECT *id);
X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
const ASN1_OBJECT *id);
X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- const X509_POLICY_DATA *data,
+ X509_POLICY_DATA *data,
X509_POLICY_NODE *parent,
X509_POLICY_TREE *tree);
void policy_node_free(X509_POLICY_NODE *node);
-int policy_node_match(const X509_POLICY_LEVEL *lvl,
- const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/lib/libssl/src/crypto/x509v3/pcy_lib.c b/lib/libssl/src/crypto/x509v3/pcy_lib.c
index 93bfd927037..dae4840bc5d 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_lib.c
+++ b/lib/libssl/src/crypto/x509v3/pcy_lib.c
@@ -1,5 +1,5 @@
/* pcy_lib.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
* project 2004.
*/
/* ====================================================================
diff --git a/lib/libssl/src/crypto/x509v3/pcy_map.c b/lib/libssl/src/crypto/x509v3/pcy_map.c
index 21163b529d4..35221e8ba82 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_map.c
+++ b/lib/libssl/src/crypto/x509v3/pcy_map.c
@@ -1,5 +1,5 @@
/* pcy_map.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
* project 2004.
*/
/* ====================================================================
@@ -62,6 +62,31 @@
#include "pcy_int.h"
+static int ref_cmp(const X509_POLICY_REF * const *a,
+ const X509_POLICY_REF * const *b)
+ {
+ return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
+ }
+
+static void policy_map_free(X509_POLICY_REF *map)
+ {
+ if (map->subjectDomainPolicy)
+ ASN1_OBJECT_free(map->subjectDomainPolicy);
+ OPENSSL_free(map);
+ }
+
+static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id)
+ {
+ X509_POLICY_REF tmp;
+ int idx;
+ tmp.subjectDomainPolicy = id;
+
+ idx = sk_X509_POLICY_REF_find(cache->maps, &tmp);
+ if (idx == -1)
+ return NULL;
+ return sk_X509_POLICY_REF_value(cache->maps, idx);
+ }
+
/* Set policy mapping entries in cache.
* Note: this modifies the passed POLICY_MAPPINGS structure
*/
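Review bot: policy_map_find() relies on a side effect of sk_X509_POLICY_REF_find() that is not obvious from the call site: in this generation of the stack API a find with a comparison function set sorts the stack in place before the binary search, so every call from the push loop in policy_cache_set_mapping() re-sorts cache->maps. That is correct but worth a comment, e.g. `/* sk_find sorts cache->maps in place before searching */`, so nobody later assumes insertion order is preserved. As a point of style, the `if (map->subjectDomainPolicy)` guard in policy_map_free() is redundant because ASN1_OBJECT_free() already accepts NULL, and the `id` parameter of policy_map_find() is only compared, so it could be `const` were it not for the non-const struct field it is copied into.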
@@ -69,6 +94,7 @@
int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
{
POLICY_MAPPING *map;
+ X509_POLICY_REF *ref = NULL;
X509_POLICY_DATA *data;
X509_POLICY_CACHE *cache = x->policy_cache;
int i;
@@ -78,6 +104,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
ret = -1;
goto bad_mapping;
}
+ cache->maps = sk_X509_POLICY_REF_new(ref_cmp);
for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
{
map = sk_POLICY_MAPPING_value(maps, i);
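Review bot: The result of `sk_X509_POLICY_REF_new(ref_cmp)` is stored into `cache->maps` without a NULL check. If the allocation fails, policy_map_find() searches a NULL stack and finds nothing, so the duplicate check added further down silently passes, and the failure only surfaces when the later push onto `cache->maps` fails. I would add directly after it `if (!cache->maps) goto bad_mapping;`, which lands on the existing cleanup with whatever `ret` the function initialised outside this hunk (presumably the failure value, but that initialisation is not visible here).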
@@ -89,6 +116,13 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
goto bad_mapping;
}
+ /* If we've already mapped from this OID bad mapping */
+ if (policy_map_find(cache, map->subjectDomainPolicy) != NULL)
+ {
+ ret = -1;
+ goto bad_mapping;
+ }
+
/* Attempt to find matching policy data */
data = policy_cache_find_data(cache, map->issuerDomainPolicy);
/* If we don't have anyPolicy can't map */
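Review bot: The comment says "already mapped from this OID" but the lookup is keyed on `map->subjectDomainPolicy`, i.e. the policy mapped to, so the check actually rejects a subjectDomainPolicy that appears as the target of more than one mapping. Either the comment or the check is wrong; as far as I recall RFC 5280 forbids mapping to or from anyPolicy but does not forbid two issuer policies mapping to the same subject policy, so rejecting that case should be a deliberate decision. If the many-to-one rejection is intended, I would change the comment to `/* Reject a subjectDomainPolicy that is already the target of an earlier mapping */`; if not, the table needs to be keyed on issuerDomainPolicy instead. The loop body continues outside this hunk.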
@@ -104,7 +138,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
if (!data)
goto bad_mapping;
data->qualifier_set = cache->anyPolicy->qualifier_set;
- /*map->issuerDomainPolicy = NULL;*/
+ map->issuerDomainPolicy = NULL;
data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (!sk_X509_POLICY_DATA_push(cache->data, data))
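Review bot: Uncommenting `map->issuerDomainPolicy = NULL;` is only correct if policy_data_new(), called just above this hunk, now stores `map->issuerDomainPolicy` rather than duplicating it, because the final `sk_POLICY_MAPPING_pop_free()` will no longer free it. The header change in this diff drops the `const` from that parameter, which is consistent with an ownership transfer, but pcy_data.c itself is not in the diff so I cannot confirm it; if the function still calls OBJ_dup(), this line leaks every mapped issuer OID. A one-line comment here would prevent the next reader from recommenting it: `/* policy_data_new() took ownership of issuerDomainPolicy */`.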
@@ -115,10 +149,23 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
}
else
data->flags |= POLICY_DATA_FLAG_MAPPED;
+
if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
map->subjectDomainPolicy))
goto bad_mapping;
+
+ ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
+ if (!ref)
+ goto bad_mapping;
+
+ ref->subjectDomainPolicy = map->subjectDomainPolicy;
map->subjectDomainPolicy = NULL;
+ ref->data = data;
+
+ if (!sk_X509_POLICY_REF_push(cache->maps, ref))
+ goto bad_mapping;
+
+ ref = NULL;
}
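Review bot: The same ASN1_OBJECT ends up owned twice: it is pushed onto `data->expected_policy_set` and then stored in `ref->subjectDomainPolicy`, and policy_map_free() frees the latter, so any `bad_mapping` exit that reaches `sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free)` (for example the duplicate-mapping rejection on a later entry) frees OIDs that entries of `cache->data` still point at, leaving dangling pointers or a double free when the cache is released. A second, independent ordering problem is that `map->subjectDomainPolicy` is only cleared after the ref is allocated, so a failed `OPENSSL_malloc` leaves the OID both in `expected_policy_set` and in the POLICY_MAPPING that `sk_POLICY_MAPPING_pop_free()` frees at the end. I would hand the OID to `expected_policy_set` immediately after the successful push and make the ref a pure borrow, which also means removing the `ASN1_OBJECT_free()` from policy_map_free() and declaring a local `ASN1_OBJECT *subject` at the top of the function, outside this hunk. policy_cache_set_mapping() starts before this hunk.

```c
		if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
						map->subjectDomainPolicy))
			goto bad_mapping;
		/* expected_policy_set now owns the OID; the ref only borrows it */
		subject = map->subjectDomainPolicy;
		map->subjectDomainPolicy = NULL;

		ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
		if (!ref)
			goto bad_mapping;
		ref->subjectDomainPolicy = subject;	/* borrowed: not freed by policy_map_free() */
		ref->data = data;
		/* … unchanged: push onto cache->maps, ref = NULL … */
```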
@@ -126,6 +173,13 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
bad_mapping:
if (ret == -1)
x->ex_flags |= EXFLAG_INVALID_POLICY;
+ if (ref)
+ policy_map_free(ref);
+ if (ret <= 0)
+ {
+ sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free);
+ cache->maps = NULL;
+ }
sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
return ret;