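--- a/pcy_map.c
+++ b/pcy_map.c
@@ -1,10 +1,10 @@
 /* pcy_map.c */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
 /* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -55,132 +55,78 @@
 * Hudson (tjh@cryptsoft.com).
 *
 */
 
 #include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "pcy_int.h"
 
-static int ref_cmp(const X509_POLICY_REF * const *a,
-const X509_POLICY_REF * const *b)
-{
-return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);
-}
-
-static void policy_map_free(X509_POLICY_REF *map)
-{
-if (map->subjectDomainPolicy)
-ASN1_OBJECT_free(map->subjectDomainPolicy);
-OPENSSL_free(map);
-}
-
-static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id)
-{
-X509_POLICY_REF tmp;
-int idx;
-tmp.subjectDomainPolicy = id;
-
-idx = sk_X509_POLICY_REF_find(cache->maps, &tmp);
-if (idx == -1)
-return NULL;
-return sk_X509_POLICY_REF_value(cache->maps, idx);
-}
-
 /* Set policy mapping entries in cache.
 * Note: this modifies the passed POLICY_MAPPINGS structure
 */
 
 int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
 {
 POLICY_MAPPING *map;
-X509_POLICY_REF *ref = NULL;
 X509_POLICY_DATA *data;
 X509_POLICY_CACHE *cache = x->policy_cache;
 int i;
 int ret = 0;
 if (sk_POLICY_MAPPING_num(maps) == 0)
 {
 ret = -1;
 goto bad_mapping;
 }
-cache->maps = sk_X509_POLICY_REF_new(ref_cmp);
 for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++)
 {
 map = sk_POLICY_MAPPING_value(maps, i);
 /* Reject if map to or from anyPolicy */
 if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy)
 || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy))
 {
 ret = -1;
 goto bad_mapping;
 }
 
-/* If we've already mapped from this OID bad mapping */
-if (policy_map_find(cache, map->subjectDomainPolicy) != NULL)
-{
-ret = -1;
-goto bad_mapping;
-}
-
 /* Attempt to find matching policy data */
 data = policy_cache_find_data(cache, map->issuerDomainPolicy);
 /* If we don't have anyPolicy can't map */
 if (!data && !cache->anyPolicy)
 continue;
 
 /* Create a NODE from anyPolicy */
 if (!data)
 {
 data = policy_data_new(NULL, map->issuerDomainPolicy,
 cache->anyPolicy->flags
 & POLICY_DATA_FLAG_CRITICAL);
 if (!data)
 goto bad_mapping;
 data->qualifier_set = cache->anyPolicy->qualifier_set;
-			map->issuerDomainPolicy = NULL;
+			/*map->issuerDomainPolicy = NULL;*/
 data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
 if (!sk_X509_POLICY_DATA_push(cache->data, data))
 {
 policy_data_free(data);
 goto bad_mapping;
 }
 }
 else
 data->flags |= POLICY_DATA_FLAG_MAPPED;
-
 if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
 map->subjectDomainPolicy))
 goto bad_mapping;
-
-ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
-if (!ref)
-goto bad_mapping;
-
-ref->subjectDomainPolicy = map->subjectDomainPolicy;
 map->subjectDomainPolicy = NULL;
-ref->data = data;
-
-if (!sk_X509_POLICY_REF_push(cache->maps, ref))
-goto bad_mapping;
-
-ref = NULL;
 
 }
 
 ret = 1;
 bad_mapping:
 if (ret == -1)
 x->ex_flags |= EXFLAG_INVALID_POLICY;
-if (ref)
-policy_map_free(ref);
-if (ret <= 0)
-{
-sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free);
-cache->maps = NULL;
-}
 sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
 return ret;
 
 }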
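Review bot: Commenting out `map->issuerDomainPolicy = NULL;` in the anyPolicy branch leaves the OID handed to `policy_data_new(NULL, map->issuerDomainPolicy, ...)` still owned by `maps`, which `sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free)` at `bad_mapping` releases on every exit path, including the success path. Unless `policy_data_new` now duplicates the object it receives (that change is not on this page), the freshly cached `data` keeps a dangling reference to that OID once this function returns, and freeing the cache later turns into a double free; please confirm against the `policy_data_new` change and either restore the ownership transfer or document why a copy makes it unnecessary. Either way the dead line should be deleted rather than left commented out, replaced by a one-line comment stating the intended contract, e.g. `/* policy_data_new copies the OID; maps keeps ownership of issuerDomainPolicy */`. Note that `map->subjectDomainPolicy = NULL;` a few lines later still transfers ownership the old way, so the two OIDs of one mapping now follow different ownership rules, which is worth spelling out in the function's header comment.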