-rw-r--r-- | lib/libssl/src/crypto/x509v3/pcy_int.h | 27 | ||||
-rw-r--r-- | lib/libssl/src/crypto/x509v3/pcy_lib.c | 2 | ||||
-rw-r--r-- | lib/libssl/src/crypto/x509v3/pcy_map.c | 58 |
3 files changed, 76 insertions, 11 deletions
diff --git a/lib/libssl/src/crypto/x509v3/pcy_int.h b/lib/libssl/src/crypto/x509v3/pcy_int.h
index ccff92846e4..ba62a209dad 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_int.h
+++ b/lib/libssl/src/crypto/x509v3/pcy_int.h
@@ -1,5 +1,5 @@
 /* pcy_int.h */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
  * project 2004.
  */
 /* ====================================================================
@@ -56,10 +56,12 @@
  *
  */
+DECLARE_STACK_OF(X509_POLICY_DATA)
+DECLARE_STACK_OF(X509_POLICY_REF)
+DECLARE_STACK_OF(X509_POLICY_NODE)
 typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DECLARE_STACK_OF(X509_POLICY_DATA)
+typedef struct X509_POLICY_REF_st X509_POLICY_REF;
 /* Internal structures */
@@ -108,6 +110,16 @@ struct X509_POLICY_DATA_st
 #define POLICY_DATA_FLAG_CRITICAL 0x10
+/* This structure is an entry from a table of mapped policies which
+ * cross reference the policy it refers to.
+ */
+
+struct X509_POLICY_REF_st
+ {
+ ASN1_OBJECT *subjectDomainPolicy;
+ const X509_POLICY_DATA *data;
+ };
+
 /* This structure is cached with a certificate */
 struct X509_POLICY_CACHE_st {
@@ -115,6 +127,8 @@ struct X509_POLICY_CACHE_st {
 X509_POLICY_DATA *anyPolicy;
 /* other policy data */
 STACK_OF(X509_POLICY_DATA) *data;
+ /* If policyMappings extension present a table of mapped policies */
+ STACK_OF(X509_POLICY_REF) *maps;
 /* If InhibitAnyPolicy present this is its value or -1 if absent. */
 long any_skip;
 /* If policyConstraints and requireExplicitPolicy present this is its
@@ -179,7 +193,7 @@ struct X509_POLICY_TREE_st
 /* Internal functions */
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
+X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id,
 int crit);
 void policy_data_free(X509_POLICY_DATA *data);
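Review bot: The new `maps` member of `X509_POLICY_CACHE_st` carries no ownership note, and nothing in this three-file diff releases it after `policy_cache_set_mapping` succeeds — that function's cleanup (last hunk of pcy_map.c) only pops the table when `ret <= 0`. Unless pcy_cache.c already zeroes the field when the cache is allocated and frees it in `policy_cache_free` (that file is not among the changes), every cache built for a certificate carrying a policyMappings extension leaks the table together with the OIDs its entries own. I would document the contract on the field, `/* Mapped-policy table or NULL; owned by the cache, entries are X509_POLICY_REF released with policy_map_free() */`. Since `policy_map_free` is `static` in pcy_map.c, pcy_cache.c cannot call it without a declaration added to the internal-functions list below.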
@@ -195,18 +209,15 @@ void policy_cache_init(void);
 void policy_cache_free(X509_POLICY_CACHE *cache);
 X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
- const X509_POLICY_NODE *parent,
 const ASN1_OBJECT *id);
 X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, const ASN1_OBJECT *id);
 X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- const X509_POLICY_DATA *data,
+ X509_POLICY_DATA *data,
 X509_POLICY_NODE *parent, X509_POLICY_TREE *tree);
 void policy_node_free(X509_POLICY_NODE *node);
-int policy_node_match(const X509_POLICY_LEVEL *lvl,
- const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
 const X509_POLICY_CACHE *policy_cache_set(X509 *x);
diff --git a/lib/libssl/src/crypto/x509v3/pcy_lib.c b/lib/libssl/src/crypto/x509v3/pcy_lib.c
index 93bfd927037..dae4840bc5d 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_lib.c
+++ b/lib/libssl/src/crypto/x509v3/pcy_lib.c
@@ -1,5 +1,5 @@
 /* pcy_lib.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
  * project 2004.
  */
 /* ====================================================================
diff --git a/lib/libssl/src/crypto/x509v3/pcy_map.c b/lib/libssl/src/crypto/x509v3/pcy_map.c
index 21163b529d4..35221e8ba82 100644
--- a/lib/libssl/src/crypto/x509v3/pcy_map.c
+++ b/lib/libssl/src/crypto/x509v3/pcy_map.c
@@ -1,5 +1,5 @@
 /* pcy_map.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
  * project 2004.
  */
 /* ====================================================================
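Review bot: This hunk drops the `parent` parameter of `level_find_node`, removes the `policy_node_match` prototype and removes `const` from the `data` argument of `level_add_node`, yet the diffstat lists no change to the files that define and call these functions (pcy_node.c, pcy_tree.c); unless those were synced in a separate commit, the declarations no longer match their definitions and any surviving `policy_node_match` caller builds against an implicit declaration. The hunk is only the prototype list, so the definitions themselves cannot be checked here. The `const` removals here and on `policy_data_new`'s `id` in the previous hunk read as ownership changes; a one-line note on each affected prototype, such as `/* Takes ownership of id on success */` where that is the intent, would make the new contract visible to callers.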
@@ -62,6 +62,31 @@
 #include "pcy_int.h"
+static int ref_cmp(const X509_POLICY_REF * const *a,
+ const X509_POLICY_REF * const *b)
+ {
+ return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
+ }
+
+static void policy_map_free(X509_POLICY_REF *map)
+ {
+ if (map->subjectDomainPolicy)
+ ASN1_OBJECT_free(map->subjectDomainPolicy);
+ OPENSSL_free(map);
+ }
+
+static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id)
+ {
+ X509_POLICY_REF tmp;
+ int idx;
+ tmp.subjectDomainPolicy = id;
+
+ idx = sk_X509_POLICY_REF_find(cache->maps, &tmp);
+ if (idx == -1)
+ return NULL;
+ return sk_X509_POLICY_REF_value(cache->maps, idx);
+ }
+
 /* Set policy mapping entries in cache.
  * Note: this modifies the passed POLICY_MAPPINGS structure
  */
@@ -69,6 +94,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 {
 POLICY_MAPPING *map;
+ X509_POLICY_REF *ref = NULL;
 X509_POLICY_DATA *data;
 X509_POLICY_CACHE *cache = x->policy_cache;
 int i;
@@ -78,6 +104,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 ret = -1;
 goto bad_mapping;
 }
+ cache->maps = sk_X509_POLICY_REF_new(ref_cmp);
 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
 {
 map = sk_POLICY_MAPPING_value(maps, i);
@@ -89,6 +116,13 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 goto bad_mapping;
 }
+ /* If we've already mapped from this OID bad mapping */
+ if (policy_map_find(cache, map->subjectDomainPolicy) != NULL)
+ {
+ ret = -1;
+ goto bad_mapping;
+ }
+
 /* Attempt to find matching policy data */
 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
 /* If we don't have anyPolicy can't map */
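Review bot: The three new helpers have no header comments, and `policy_map_find` in particular returns a pointer that stays owned by `cache->maps`, which callers need to know; I would add `/* Look up the mapping whose subjectDomainPolicy equals id. Returns the cache-owned entry or NULL; cache->maps must have been created with ref_cmp. */` above it, and `/* Compare two refs by subjectDomainPolicy; ordering for sk_*_find */` above `ref_cmp`. Neither `cache` nor `id` is written through in `policy_map_find`, so both parameters could be `const`-qualified, but `tmp.subjectDomainPolicy` is non-const so that needs a cast or a const member. As a point of style, `sk_X509_POLICY_REF_find` sorts an unsorted stack that has a comparator, and the caller below pushes after every lookup, so each mapping re-sorts the table; the count is bounded by the extension, so this is worth a comment rather than a change.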
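Review bot: `cache->maps = sk_X509_POLICY_REF_new(ref_cmp);` is not checked for NULL. If it fails, `policy_map_find` simply reports no match, the mapping's OID is still pushed onto `data->expected_policy_set` in the later hunk, and only `sk_X509_POLICY_REF_push` fails, reaching `bad_mapping` with `ret` at whatever it was initialised to above the hunk and with `ref` holding an OID already handed to `expected_policy_set`, which `policy_map_free` then releases. Fail right away instead: `if (cache->maps == NULL) goto bad_mapping;` immediately after the call. The `ret = -1` exit two lines above runs before this assignment, so the cleanup at the end of the function reads `cache->maps` as the cache's allocator left it; that presumes pcy_cache.c zero-initialises the structure, which this diff does not show.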
@@ -104,7 +138,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 if (!data)
 goto bad_mapping;
 data->qualifier_set = cache->anyPolicy->qualifier_set;
- /*map->issuerDomainPolicy = NULL;*/
+ map->issuerDomainPolicy = NULL;
 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
 if (!sk_X509_POLICY_DATA_push(cache->data, data))
@@ -115,10 +149,23 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 }
 else
 data->flags |= POLICY_DATA_FLAG_MAPPED;
+
 if (!sk_ASN1_OBJECT_push(data->expected_policy_set, map->subjectDomainPolicy))
 goto bad_mapping;
+
+ ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
+ if (!ref)
+ goto bad_mapping;
+
+ ref->subjectDomainPolicy = map->subjectDomainPolicy;
 map->subjectDomainPolicy = NULL;
+ ref->data = data;
+
+ if (!sk_X509_POLICY_REF_push(cache->maps, ref))
+ goto bad_mapping;
+
+ ref = NULL;
 }
@@ -126,6 +173,13 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 bad_mapping:
 if (ret == -1)
 x->ex_flags |= EXFLAG_INVALID_POLICY;
+ if (ref)
+ policy_map_free(ref);
+ if (ret <= 0)
+ {
+ sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free);
+ cache->maps = NULL;
+ }
 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
 return ret;
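Review bot: In the `@@ -115,10 +149,23 @@` hunk the same `ASN1_OBJECT` is pushed onto `data->expected_policy_set` and then stored in `ref->subjectDomainPolicy`, while `policy_map_free` (first hunk of this file) calls `ASN1_OBJECT_free` on it; the function's own `map->subjectDomainPolicy = NULL` shows this pointer is owned, so after this hunk two owners hold it. If `policy_data_free` releases `expected_policy_set` with `ASN1_OBJECT_free` (pcy_cache.c is not in this diff), every `ret <= 0` exit taken after one successful iteration frees those OIDs through `sk_X509_POLICY_REF_pop_free` while the `data` entries on `cache->data` keep them and the cache frees them again later; the input is a certificate extension, so a rejected policyMappings (for instance the duplicate check added two hunks earlier) reaches that path. Independently, when `OPENSSL_malloc` fails here `map->subjectDomainPolicy` is still non-NULL although it was already pushed, so `POLICY_MAPPING_free` in `bad_mapping` releases an object `expected_policy_set` still references. I would allocate `ref` first, hand the OID to `expected_policy_set` immediately after the push, keep the ref's copy as a borrowed pointer, and reduce `policy_map_free` to `OPENSSL_free(map);`.
```c
		ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
		if (!ref)
			goto bad_mapping;
		ref->subjectDomainPolicy = NULL;
		ref->data = data;

		if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
						map->subjectDomainPolicy))
			goto bad_mapping;
		/* expected_policy_set now owns the OID; the ref only borrows it,
		 * so policy_map_free() must not release it. */
		ref->subjectDomainPolicy = map->subjectDomainPolicy;
		map->subjectDomainPolicy = NULL;

		if (!sk_X509_POLICY_REF_push(cache->maps, ref))
			goto bad_mapping;

		ref = NULL;
```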
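Review bot: The `ret <= 0` cleanup in the last hunk drops the mapping table but leaves the `data` entries that earlier iterations already flagged `POLICY_DATA_FLAG_MAPPED` or `POLICY_DATA_FLAG_MAPPED_ANY`, with their `expected_policy_set` additions, on `cache->data`; on the `ret == -1` path the certificate is marked `EXFLAG_INVALID_POLICY`, but on `ret == 0` the cache is returned half-mapped with `maps == NULL`, and whether callers treat that as fatal is outside this diff. A comment stating the intended state would help the next reader: `/* On failure the mapping table is discarded; data entries already mapped stay on cache->data and are released with the cache. */`. The `policy_map_free(ref)` and `pop_free` calls here also run on the `ret = -1` exit that precedes the table's creation, so they rely on `cache->maps` having been zeroed by the cache allocator in pcy_cache.c, which is not visible here; `cache->maps = NULL` near the top of the function, before the first exit, would remove that dependency.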