Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / chromium_org / third_party / boringssl / src / 95c29f3cd1f6c08c6c0927868683392eea727ccb / . / crypto / x509v3 / pcy_tree.c
blob: dbaa4981d22127c27539a9ba233d11864f0a447d [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame^]1/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project 2004.
3 */
4/* ====================================================================
5 * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com).
55 *
56 */
57
58#include <openssl/mem.h>
59#include <openssl/obj.h>
60#include <openssl/stack.h>
61#include <openssl/thread.h>
62#include <openssl/x509.h>
63#include <openssl/x509v3.h>
64
65#include "pcy_int.h"
66
67
68/* Enable this to print out the complete policy tree at various point during
69 * evaluation.
70 */
71
72/*#define OPENSSL_POLICY_DEBUG*/
73
74#ifdef OPENSSL_POLICY_DEBUG
75
76static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
77 X509_POLICY_NODE *node, int indent)
78 {
79 if ( (lev->flags & X509_V_FLAG_INHIBIT_MAP)
80 || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
81 BIO_puts(err, " Not Mapped\n");
82 else
83 {
84 int i;
85 STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
86 ASN1_OBJECT *oid;
87 BIO_puts(err, " Expected: ");
88 for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++)
89 {
90 oid = sk_ASN1_OBJECT_value(pset, i);
91 if (i)
92 BIO_puts(err, ", ");
93 i2a_ASN1_OBJECT(err, oid);
94 }
95 BIO_puts(err, "\n");
96 }
97 }
98
99static void tree_print(char *str, X509_POLICY_TREE *tree,
100 X509_POLICY_LEVEL *curr)
101 {
102 X509_POLICY_LEVEL *plev;
103 X509_POLICY_NODE *node;
104 int i;
105 BIO *err;
106 err = BIO_new_fp(stderr, BIO_NOCLOSE);
107 if (!curr)
108 curr = tree->levels + tree->nlevel;
109 else
110 curr++;
111 BIO_printf(err, "Level print after %s\n", str);
112 BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
113 for (plev = tree->levels; plev != curr; plev++)
114 {
115 BIO_printf(err, "Level %ld, flags = %x\n",
116 plev - tree->levels, plev->flags);
117 for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++)
118 {
119 node = sk_X509_POLICY_NODE_value(plev->nodes, i);
120 X509_POLICY_NODE_print(err, node, 2);
121 expected_print(err, plev, node, 2);
122 BIO_printf(err, " Flags: %x\n", node->data->flags);
123 }
124 if (plev->anyPolicy)
125 X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
126 }
127
128 BIO_free(err);
129
130 }
131#else
132
133#define tree_print(a,b,c) /* */
134
135#endif
136
137/* Initialize policy tree. Return values:
138 * 0 Some internal error occured.
139 * -1 Inconsistent or invalid extensions in certificates.
140 * 1 Tree initialized OK.
141 * 2 Policy tree is empty.
142 * 5 Tree OK and requireExplicitPolicy true.
143 * 6 Tree empty and requireExplicitPolicy true.
144 */
145
146static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
147 unsigned int flags)
148 {
149 X509_POLICY_TREE *tree;
150 X509_POLICY_LEVEL *level;
151 const X509_POLICY_CACHE *cache;
152 X509_POLICY_DATA *data = NULL;
153 X509 *x;
154 int ret = 1;
155 int i, n;
156 int explicit_policy;
157 int any_skip;
158 int map_skip;
159 *ptree = NULL;
160 n = sk_X509_num(certs);
161
162#if 0
163 /* Disable policy mapping for now... */
164 flags |= X509_V_FLAG_INHIBIT_MAP;
165#endif
166
167 if (flags & X509_V_FLAG_EXPLICIT_POLICY)
168 explicit_policy = 0;
169 else
170 explicit_policy = n + 1;
171
172 if (flags & X509_V_FLAG_INHIBIT_ANY)
173 any_skip = 0;
174 else
175 any_skip = n + 1;
176
177 if (flags & X509_V_FLAG_INHIBIT_MAP)
178 map_skip = 0;
179 else
180 map_skip = n + 1;
181
182 /* Can't do anything with just a trust anchor */
183 if (n == 1)
184 return 1;
185 /* First setup policy cache in all certificates apart from the
186 * trust anchor. Note any bad cache results on the way. Also can
187 * calculate explicit_policy value at this point.
188 */
189 for (i = n - 2; i >= 0; i--)
190 {
191 x = sk_X509_value(certs, i);
192 X509_check_purpose(x, -1, -1);
193 cache = policy_cache_set(x);
194 /* If cache NULL something bad happened: return immediately */
195 if (cache == NULL)
196 return 0;
197 /* If inconsistent extensions keep a note of it but continue */
198 if (x->ex_flags & EXFLAG_INVALID_POLICY)
199 ret = -1;
200 /* Otherwise if we have no data (hence no CertificatePolicies)
201 * and haven't already set an inconsistent code note it.
202 */
203 else if ((ret == 1) && !cache->data)
204 ret = 2;
205 if (explicit_policy > 0)
206 {
207 if (!(x->ex_flags & EXFLAG_SI))
208 explicit_policy--;
209 if ((cache->explicit_skip != -1)
210 && (cache->explicit_skip < explicit_policy))
211 explicit_policy = cache->explicit_skip;
212 }
213 }
214
215 if (ret != 1)
216 {
217 if (ret == 2 && !explicit_policy)
218 return 6;
219 return ret;
220 }
221
222
223 /* If we get this far initialize the tree */
224
225 tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
226
227 if (!tree)
228 return 0;
229
230 tree->flags = 0;
231 tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
232 tree->nlevel = 0;
233 tree->extra_data = NULL;
234 tree->auth_policies = NULL;
235 tree->user_policies = NULL;
236
237 if (!tree->levels)
238 {
239 OPENSSL_free(tree);
240 return 0;
241 }
242
243 memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
244
245 tree->nlevel = n;
246
247 level = tree->levels;
248
249 /* Root data: initialize to anyPolicy */
250
251 data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
252
253 if (!data || !level_add_node(level, data, NULL, tree))
254 goto bad_tree;
255
256 for (i = n - 2; i >= 0; i--)
257 {
258 level++;
259 x = sk_X509_value(certs, i);
260 cache = policy_cache_set(x);
261 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
262 level->cert = x;
263
264 if (!cache->anyPolicy)
265 level->flags |= X509_V_FLAG_INHIBIT_ANY;
266
267 /* Determine inhibit any and inhibit map flags */
268 if (any_skip == 0)
269 {
270 /* Any matching allowed if certificate is self
271 * issued and not the last in the chain.
272 */
273 if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
274 level->flags |= X509_V_FLAG_INHIBIT_ANY;
275 }
276 else
277 {
278 if (!(x->ex_flags & EXFLAG_SI))
279 any_skip--;
280 if ((cache->any_skip >= 0)
281 && (cache->any_skip < any_skip))
282 any_skip = cache->any_skip;
283 }
284
285 if (map_skip == 0)
286 level->flags |= X509_V_FLAG_INHIBIT_MAP;
287 else
288 {
289 if (!(x->ex_flags & EXFLAG_SI))
290 map_skip--;
291 if ((cache->map_skip >= 0)
292 && (cache->map_skip < map_skip))
293 map_skip = cache->map_skip;
294 }
295
296 }
297
298 *ptree = tree;
299
300 if (explicit_policy)
301 return 1;
302 else
303 return 5;
304
305 bad_tree:
306
307 X509_policy_tree_free(tree);
308
309 return 0;
310
311 }
312
313static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
314 const X509_POLICY_DATA *data)
315 {
316 X509_POLICY_LEVEL *last = curr - 1;
317 X509_POLICY_NODE *node;
318 int matched = 0;
319 size_t i;
320 /* Iterate through all in nodes linking matches */
321 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
322 {
323 node = sk_X509_POLICY_NODE_value(last->nodes, i);
324 if (policy_node_match(last, node, data->valid_policy))
325 {
326 if (!level_add_node(curr, data, node, NULL))
327 return 0;
328 matched = 1;
329 }
330 }
331 if (!matched && last->anyPolicy)
332 {
333 if (!level_add_node(curr, data, last->anyPolicy, NULL))
334 return 0;
335 }
336 return 1;
337 }
338
339/* This corresponds to RFC3280 6.1.3(d)(1):
340 * link any data from CertificatePolicies onto matching parent
341 * or anyPolicy if no match.
342 */
343
344static int tree_link_nodes(X509_POLICY_LEVEL *curr,
345 const X509_POLICY_CACHE *cache)
346 {
347 size_t i;
348 X509_POLICY_DATA *data;
349
350 for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
351 {
352 data = sk_X509_POLICY_DATA_value(cache->data, i);
353 /* If a node is mapped any it doesn't have a corresponding
354 * CertificatePolicies entry.
355 * However such an identical node would be created
356 * if anyPolicy matching is enabled because there would be
357 * no match with the parent valid_policy_set. So we create
358 * link because then it will have the mapping flags
359 * right and we can prune it later.
360 */
361#if 0
362 if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
363 && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
364 continue;
365#endif
366 /* Look for matching nodes in previous level */
367 if (!tree_link_matching_nodes(curr, data))
368 return 0;
369 }
370 return 1;
371 }
372
373/* This corresponds to RFC3280 6.1.3(d)(2):
374 * Create new data for any unmatched policies in the parent and link
375 * to anyPolicy.
376 */
377
378static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
379 const X509_POLICY_CACHE *cache,
380 const ASN1_OBJECT *id,
381 X509_POLICY_NODE *node,
382 X509_POLICY_TREE *tree)
383 {
384 X509_POLICY_DATA *data;
385 if (id == NULL)
386 id = node->data->valid_policy;
387 /* Create a new node with qualifiers from anyPolicy and
388 * id from unmatched node.
389 */
390 data = policy_data_new(NULL, id, node_critical(node));
391
392 if (data == NULL)
393 return 0;
394 /* Curr may not have anyPolicy */
395 data->qualifier_set = cache->anyPolicy->qualifier_set;
396 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
397 if (!level_add_node(curr, data, node, tree))
398 {
399 policy_data_free(data);
400 return 0;
401 }
402
403 return 1;
404 }
405
406static int tree_link_unmatched(X509_POLICY_LEVEL *curr,
407 const X509_POLICY_CACHE *cache,
408 X509_POLICY_NODE *node,
409 X509_POLICY_TREE *tree)
410 {
411 const X509_POLICY_LEVEL *last = curr - 1;
412 size_t i;
413
414 if ( (last->flags & X509_V_FLAG_INHIBIT_MAP)
415 || !(node->data->flags & POLICY_DATA_FLAG_MAPPED))
416 {
417 /* If no policy mapping: matched if one child present */
418 if (node->nchild)
419 return 1;
420 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
421 return 0;
422 /* Add it */
423 }
424 else
425 {
426 /* If mapping: matched if one child per expected policy set */
427 STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
428 if (node->nchild == sk_ASN1_OBJECT_num(expset))
429 return 1;
430 /* Locate unmatched nodes */
431 for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++)
432 {
433 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
434 if (level_find_node(curr, node, oid))
435 continue;
436 if (!tree_add_unmatched(curr, cache, oid, node, tree))
437 return 0;
438 }
439
440 }
441
442 return 1;
443
444 }
445
446static int tree_link_any(X509_POLICY_LEVEL *curr,
447 const X509_POLICY_CACHE *cache,
448 X509_POLICY_TREE *tree)
449 {
450 size_t i;
451 /*X509_POLICY_DATA *data;*/
452 X509_POLICY_NODE *node;
453 X509_POLICY_LEVEL *last = curr - 1;
454
455 for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++)
456 {
457 node = sk_X509_POLICY_NODE_value(last->nodes, i);
458
459 if (!tree_link_unmatched(curr, cache, node, tree))
460 return 0;
461
462#if 0
463
464 /* Skip any node with any children: we only want unmathced
465 * nodes.
466 *
467 * Note: need something better for policy mapping
468 * because each node may have multiple children
469 */
470 if (node->nchild)
471 continue;
472
473 /* Create a new node with qualifiers from anyPolicy and
474 * id from unmatched node.
475 */
476 data = policy_data_new(NULL, node->data->valid_policy,
477 node_critical(node));
478
479 if (data == NULL)
480 return 0;
481 /* Curr may not have anyPolicy */
482 data->qualifier_set = cache->anyPolicy->qualifier_set;
483 data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
484 if (!level_add_node(curr, data, node, tree))
485 {
486 policy_data_free(data);
487 return 0;
488 }
489
490#endif
491
492 }
493 /* Finally add link to anyPolicy */
494 if (last->anyPolicy)
495 {
496 if (!level_add_node(curr, cache->anyPolicy,
497 last->anyPolicy, NULL))
498 return 0;
499 }
500 return 1;
501 }
502
503/* Prune the tree: delete any child mapped child data on the current level
504 * then proceed up the tree deleting any data with no children. If we ever
505 * have no data on a level we can halt because the tree will be empty.
506 */
507
508static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
509 {
510 STACK_OF(X509_POLICY_NODE) *nodes;
511 X509_POLICY_NODE *node;
512 int i;
513 nodes = curr->nodes;
514 if (curr->flags & X509_V_FLAG_INHIBIT_MAP)
515 {
516 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
517 {
518 node = sk_X509_POLICY_NODE_value(nodes, i);
519 /* Delete any mapped data: see RFC3280 XXXX */
520 if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK)
521 {
522 node->parent->nchild--;
523 OPENSSL_free(node);
524 (void)sk_X509_POLICY_NODE_delete(nodes,i);
525 }
526 }
527 }
528
529 for(;;) {
530 --curr;
531 nodes = curr->nodes;
532 for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--)
533 {
534 node = sk_X509_POLICY_NODE_value(nodes, i);
535 if (node->nchild == 0)
536 {
537 node->parent->nchild--;
538 OPENSSL_free(node);
539 (void)sk_X509_POLICY_NODE_delete(nodes, i);
540 }
541 }
542 if (curr->anyPolicy && !curr->anyPolicy->nchild)
543 {
544 if (curr->anyPolicy->parent)
545 curr->anyPolicy->parent->nchild--;
546 OPENSSL_free(curr->anyPolicy);
547 curr->anyPolicy = NULL;
548 }
549 if (curr == tree->levels)
550 {
551 /* If we zapped anyPolicy at top then tree is empty */
552 if (!curr->anyPolicy)
553 return 2;
554 return 1;
555 }
556 }
557
558 return 1;
559
560 }
561
562static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
563 X509_POLICY_NODE *pcy)
564 {
565 if (!*pnodes)
566 {
567 *pnodes = policy_node_cmp_new();
568 if (!*pnodes)
569 return 0;
570 }
571 else if (sk_X509_POLICY_NODE_find(*pnodes, NULL, pcy))
572 return 1;
573
574 if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
575 return 0;
576
577 return 1;
578
579 }
580
581/* Calculate the authority set based on policy tree.
582 * The 'pnodes' parameter is used as a store for the set of policy nodes
583 * used to calculate the user set. If the authority set is not anyPolicy
584 * then pnodes will just point to the authority set. If however the authority
585 * set is anyPolicy then the set of valid policies (other than anyPolicy)
586 * is store in pnodes. The return value of '2' is used in this case to indicate
587 * that pnodes should be freed.
588 */
589
590static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
591 STACK_OF(X509_POLICY_NODE) **pnodes)
592 {
593 X509_POLICY_LEVEL *curr;
594 X509_POLICY_NODE *node, *anyptr;
595 STACK_OF(X509_POLICY_NODE) **addnodes;
596 int i;
597 size_t j;
598 curr = tree->levels + tree->nlevel - 1;
599
600 /* If last level contains anyPolicy set is anyPolicy */
601 if (curr->anyPolicy)
602 {
603 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
604 return 0;
605 addnodes = pnodes;
606 }
607 else
608 /* Add policies to authority set */
609 addnodes = &tree->auth_policies;
610
611 curr = tree->levels;
612 for (i = 1; i < tree->nlevel; i++)
613 {
614 /* If no anyPolicy node on this this level it can't
615 * appear on lower levels so end search.
616 */
617 if (!(anyptr = curr->anyPolicy))
618 break;
619 curr++;
620 for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++)
621 {
622 node = sk_X509_POLICY_NODE_value(curr->nodes, j);
623 if ((node->parent == anyptr)
624 && !tree_add_auth_node(addnodes, node))
625 return 0;
626 }
627 }
628
629 if (addnodes == pnodes)
630 return 2;
631
632 *pnodes = tree->auth_policies;
633
634 return 1;
635 }
636
637static int tree_calculate_user_set(X509_POLICY_TREE *tree,
638 STACK_OF(ASN1_OBJECT) *policy_oids,
639 STACK_OF(X509_POLICY_NODE) *auth_nodes)
640 {
641 size_t i;
642 X509_POLICY_NODE *node;
643 ASN1_OBJECT *oid;
644
645 X509_POLICY_NODE *anyPolicy;
646 X509_POLICY_DATA *extra;
647
648 /* Check if anyPolicy present in authority constrained policy set:
649 * this will happen if it is a leaf node.
650 */
651
652 if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
653 return 1;
654
655 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
656
657 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
658 {
659 oid = sk_ASN1_OBJECT_value(policy_oids, i);
660 if (OBJ_obj2nid(oid) == NID_any_policy)
661 {
662 tree->flags |= POLICY_FLAG_ANY_POLICY;
663 return 1;
664 }
665 }
666
667 for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++)
668 {
669 oid = sk_ASN1_OBJECT_value(policy_oids, i);
670 node = tree_find_sk(auth_nodes, oid);
671 if (!node)
672 {
673 if (!anyPolicy)
674 continue;
675 /* Create a new node with policy ID from user set
676 * and qualifiers from anyPolicy.
677 */
678 extra = policy_data_new(NULL, oid,
679 node_critical(anyPolicy));
680 if (!extra)
681 return 0;
682 extra->qualifier_set = anyPolicy->data->qualifier_set;
683 extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
684 | POLICY_DATA_FLAG_EXTRA_NODE;
685 node = level_add_node(NULL, extra, anyPolicy->parent,
686 tree);
687 }
688 if (!tree->user_policies)
689 {
690 tree->user_policies = sk_X509_POLICY_NODE_new_null();
691 if (!tree->user_policies)
692 return 1;
693 }
694 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
695 return 0;
696 }
697 return 1;
698
699 }
700
701static int tree_evaluate(X509_POLICY_TREE *tree)
702 {
703 int ret, i;
704 X509_POLICY_LEVEL *curr = tree->levels + 1;
705 const X509_POLICY_CACHE *cache;
706
707 for(i = 1; i < tree->nlevel; i++, curr++)
708 {
709 cache = policy_cache_set(curr->cert);
710 if (!tree_link_nodes(curr, cache))
711 return 0;
712
713 if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
714 && !tree_link_any(curr, cache, tree))
715 return 0;
716 tree_print("before tree_prune()", tree, curr);
717 ret = tree_prune(tree, curr);
718 if (ret != 1)
719 return ret;
720 }
721
722 return 1;
723
724 }
725
726static void exnode_free(X509_POLICY_NODE *node)
727 {
728 if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
729 OPENSSL_free(node);
730 }
731
732
733void X509_policy_tree_free(X509_POLICY_TREE *tree)
734 {
735 X509_POLICY_LEVEL *curr;
736 int i;
737
738 if (!tree)
739 return;
740
741 sk_X509_POLICY_NODE_free(tree->auth_policies);
742 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
743
744 for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++)
745 {
746 if (curr->cert)
747 X509_free(curr->cert);
748 if (curr->nodes)
749 sk_X509_POLICY_NODE_pop_free(curr->nodes,
750 policy_node_free);
751 if (curr->anyPolicy)
752 policy_node_free(curr->anyPolicy);
753 }
754
755 if (tree->extra_data)
756 sk_X509_POLICY_DATA_pop_free(tree->extra_data,
757 policy_data_free);
758
759 OPENSSL_free(tree->levels);
760 OPENSSL_free(tree);
761
762 }
763
764/* Application policy checking function.
765 * Return codes:
766 * 0 Internal Error.
767 * 1 Successful.
768 * -1 One or more certificates contain invalid or inconsistent extensions
769 * -2 User constrained policy set empty and requireExplicit true.
770 */
771
772int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
773 STACK_OF(X509) *certs,
774 STACK_OF(ASN1_OBJECT) *policy_oids,
775 unsigned int flags)
776 {
777 int ret;
778 X509_POLICY_TREE *tree = NULL;
779 STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
780 *ptree = NULL;
781
782 *pexplicit_policy = 0;
783 ret = tree_init(&tree, certs, flags);
784
785 switch (ret)
786 {
787
788 /* Tree empty requireExplicit False: OK */
789 case 2:
790 return 1;
791
792 /* Some internal error */
793 case -1:
794 return -1;
795
796 /* Some internal error */
797 case 0:
798 return 0;
799
800 /* Tree empty requireExplicit True: Error */
801
802 case 6:
803 *pexplicit_policy = 1;
804 return -2;
805
806 /* Tree OK requireExplicit True: OK and continue */
807 case 5:
808 *pexplicit_policy = 1;
809 break;
810
811 /* Tree OK: continue */
812
813 case 1:
814 if (!tree)
815 /*
816 * tree_init() returns success and a null tree
817 * if it's just looking at a trust anchor.
818 * I'm not sure that returning success here is
819 * correct, but I'm sure that reporting this
820 * as an internal error which our caller
821 * interprets as a malloc failure is wrong.
822 */
823 return 1;
824 break;
825 }
826
827 if (!tree) goto error;
828 ret = tree_evaluate(tree);
829
830 tree_print("tree_evaluate()", tree, NULL);
831
832 if (ret <= 0)
833 goto error;
834
835 /* Return value 2 means tree empty */
836 if (ret == 2)
837 {
838 X509_policy_tree_free(tree);
839 if (*pexplicit_policy)
840 return -2;
841 else
842 return 1;
843 }
844
845 /* Tree is not empty: continue */
846
847 ret = tree_calculate_authority_set(tree, &auth_nodes);
848
849 if (!ret)
850 goto error;
851
852 if (!tree_calculate_user_set(tree, policy_oids, auth_nodes))
853 goto error;
854
855 if (ret == 2)
856 sk_X509_POLICY_NODE_free(auth_nodes);
857
858 if (tree)
859 *ptree = tree;
860
861 if (*pexplicit_policy)
862 {
863 nodes = X509_policy_tree_get0_user_policies(tree);
864 if (sk_X509_POLICY_NODE_num(nodes) <= 0)
865 return -2;
866 }
867
868 return 1;
869
870 error:
871
872 X509_policy_tree_free(tree);
873
874 return 0;
875
876 }
877