From 2018f220d5e8242fd9a06f05383d2140bf3fd3cf Mon Sep 17 00:00:00 2001 From: tb Date: Wed, 26 Apr 2023 21:07:32 +0000 Subject: [PATCH] KNF according to knfmt(1) --- lib/libcrypto/x509/x509_policy.c | 1115 ++++++++++++++++-------------- 1 file changed, 600 insertions(+), 515 deletions(-) diff --git a/lib/libcrypto/x509/x509_policy.c b/lib/libcrypto/x509/x509_policy.c index 8d182ef45a5..6005acd4fbc 100644 --- a/lib/libcrypto/x509/x509_policy.c +++ b/lib/libcrypto/x509/x509_policy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_policy.c,v 1.9 2023/04/26 20:52:11 tb Exp $ */ +/* $OpenBSD: x509_policy.c,v 1.10 2023/04/26 21:07:32 tb Exp $ */ /* Copyright (c) 2022, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any @@ -55,7 +55,7 @@ // from RFC 5280, section 6.1.2, step (a), but we store some fields differently. typedef struct x509_policy_node_st { // policy is the "valid_policy" field from RFC 5280. - ASN1_OBJECT *policy; + ASN1_OBJECT *policy; // parent_policies, if non-empty, is the list of "valid_policy" values for all // nodes which are a parent of this node. In this case, no entry in this list @@ -70,15 +70,15 @@ typedef struct x509_policy_node_st { // concrete policy as a parent. Section 6.1.3, step (d.1.ii) only runs if // there was no match in step (d.1.i). We do not need to represent a parent // list of, say, {anyPolicy, OID1, OID2}. - STACK_OF(ASN1_OBJECT) *parent_policies; + STACK_OF(ASN1_OBJECT) *parent_policies; // mapped is one if this node matches a policy mapping in the certificate and // zero otherwise. - int mapped; + int mapped; // reachable is one if this node is reachable from some valid policy in the // end-entity certificate. It is computed during |has_explicit_policy|. - int reachable; + int reachable; } X509_POLICY_NODE; DECLARE_STACK_OF(X509_POLICY_NODE) @@ -111,11 +111,11 @@ DECLARE_STACK_OF(X509_POLICY_NODE) typedef struct x509_policy_level_st { // nodes is the list of nodes at this depth, except for the anyPolicy node, if // any. This list is sorted by policy OID for efficient lookup. - STACK_OF(X509_POLICY_NODE) *nodes; + STACK_OF(X509_POLICY_NODE) *nodes; // has_any_policy is one if there is an anyPolicy node at this depth, and zero // otherwise. - int has_any_policy; + int has_any_policy; } X509_POLICY_LEVEL; DECLARE_STACK_OF(X509_POLICY_LEVEL) @@ -165,84 +165,106 @@ sk_X509_POLICY_NODE_delete_if(STACK_OF(X509_POLICY_NODE) *nodes, sk->num = new_num; } -static int is_any_policy(const ASN1_OBJECT *obj) { - return OBJ_obj2nid(obj) == NID_any_policy; +static int +is_any_policy(const ASN1_OBJECT *obj) +{ + return OBJ_obj2nid(obj) == NID_any_policy; } -static void x509_policy_node_free(X509_POLICY_NODE *node) { - if (node != NULL) { - ASN1_OBJECT_free(node->policy); - sk_ASN1_OBJECT_pop_free(node->parent_policies, ASN1_OBJECT_free); - free(node); - } +static void +x509_policy_node_free(X509_POLICY_NODE *node) +{ + if (node != NULL) { + ASN1_OBJECT_free(node->policy); + sk_ASN1_OBJECT_pop_free(node->parent_policies, + ASN1_OBJECT_free); + free(node); + } } -static X509_POLICY_NODE *x509_policy_node_new(const ASN1_OBJECT *policy) { - assert(!is_any_policy(policy)); - X509_POLICY_NODE *node = malloc(sizeof(X509_POLICY_NODE)); - if (node == NULL) { - return NULL; - } - memset(node, 0, sizeof(X509_POLICY_NODE)); - node->policy = OBJ_dup(policy); - node->parent_policies = sk_ASN1_OBJECT_new_null(); - if (node->policy == NULL || node->parent_policies == NULL) { - x509_policy_node_free(node); - return NULL; - } - return node; +static X509_POLICY_NODE * +x509_policy_node_new(const ASN1_OBJECT *policy) +{ + assert(!is_any_policy(policy)); + X509_POLICY_NODE *node = malloc(sizeof(X509_POLICY_NODE)); + if (node == NULL) { + return NULL; + } + memset(node, 0, sizeof(X509_POLICY_NODE)); + node->policy = OBJ_dup(policy); + node->parent_policies = sk_ASN1_OBJECT_new_null(); + if (node->policy == NULL || node->parent_policies == NULL) { + x509_policy_node_free(node); + return NULL; + } + return node; } -static int x509_policy_node_cmp(const X509_POLICY_NODE *const *a, - const X509_POLICY_NODE *const *b) { - return OBJ_cmp((*a)->policy, (*b)->policy); +static int +x509_policy_node_cmp(const X509_POLICY_NODE *const *a, + const X509_POLICY_NODE *const *b) +{ + return OBJ_cmp((*a)->policy, (*b)->policy); } -static void x509_policy_level_free(X509_POLICY_LEVEL *level) { - if (level != NULL) { - sk_X509_POLICY_NODE_pop_free(level->nodes, x509_policy_node_free); - free(level); - } +static void +x509_policy_level_free(X509_POLICY_LEVEL *level) +{ + if (level != NULL) { + sk_X509_POLICY_NODE_pop_free(level->nodes, + x509_policy_node_free); + free(level); + } } -static X509_POLICY_LEVEL *x509_policy_level_new(void) { - X509_POLICY_LEVEL *level = malloc(sizeof(X509_POLICY_LEVEL)); - if (level == NULL) { - return NULL; - } - memset(level, 0, sizeof(X509_POLICY_LEVEL)); - level->nodes = sk_X509_POLICY_NODE_new(x509_policy_node_cmp); - if (level->nodes == NULL) { - x509_policy_level_free(level); - return NULL; - } - return level; +static X509_POLICY_LEVEL * +x509_policy_level_new(void) +{ + X509_POLICY_LEVEL *level = malloc(sizeof(X509_POLICY_LEVEL)); + if (level == NULL) { + return NULL; + } + memset(level, 0, sizeof(X509_POLICY_LEVEL)); + level->nodes = sk_X509_POLICY_NODE_new(x509_policy_node_cmp); + if (level->nodes == NULL) { + x509_policy_level_free(level); + return NULL; + } + return level; } -static int x509_policy_level_is_empty(const X509_POLICY_LEVEL *level) { - return !level->has_any_policy && sk_X509_POLICY_NODE_num(level->nodes) == 0; +static int +x509_policy_level_is_empty(const X509_POLICY_LEVEL *level) +{ + return !level->has_any_policy && + sk_X509_POLICY_NODE_num(level->nodes) == 0; } -static void x509_policy_level_clear(X509_POLICY_LEVEL *level) { - level->has_any_policy = 0; - for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { - x509_policy_node_free(sk_X509_POLICY_NODE_value(level->nodes, i)); - } - sk_X509_POLICY_NODE_zero(level->nodes); +static void +x509_policy_level_clear(X509_POLICY_LEVEL *level) +{ + level->has_any_policy = 0; + for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { + x509_policy_node_free( + sk_X509_POLICY_NODE_value(level->nodes, i)); + } + sk_X509_POLICY_NODE_zero(level->nodes); } // x509_policy_level_find returns the node in |level| corresponding to |policy|, // or NULL if none exists. -static X509_POLICY_NODE *x509_policy_level_find(X509_POLICY_LEVEL *level, - const ASN1_OBJECT *policy) { - assert(sk_X509_POLICY_NODE_is_sorted(level->nodes)); - X509_POLICY_NODE node; - node.policy = (ASN1_OBJECT *)policy; - int idx; - if ((idx = sk_X509_POLICY_NODE_find(level->nodes, &node)) < 0) { - return NULL; - } - return sk_X509_POLICY_NODE_value(level->nodes, idx); +static X509_POLICY_NODE * +x509_policy_level_find(X509_POLICY_LEVEL *level, + const ASN1_OBJECT *policy) +{ + assert(sk_X509_POLICY_NODE_is_sorted(level->nodes)); + X509_POLICY_NODE node; + node.policy = (ASN1_OBJECT *)policy; + int idx; + if ((idx = sk_X509_POLICY_NODE_find(level->nodes, &node)) < 0) { + return NULL; + } + return sk_X509_POLICY_NODE_value(level->nodes, idx); } // x509_policy_level_add_nodes adds the nodes in |nodes| to |level|. It returns @@ -252,42 +274,50 @@ static X509_POLICY_NODE *x509_policy_level_find(X509_POLICY_LEVEL *level, // // This function is used to add nodes to |level| in bulk, and avoid resorting // |level| after each addition. -static int x509_policy_level_add_nodes(X509_POLICY_LEVEL *level, - STACK_OF(X509_POLICY_NODE) *nodes) { - for (size_t i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(nodes, i); - if (!sk_X509_POLICY_NODE_push(level->nodes, node)) { - return 0; - } - sk_X509_POLICY_NODE_set(nodes, i, NULL); - } - sk_X509_POLICY_NODE_sort(level->nodes); +static int +x509_policy_level_add_nodes(X509_POLICY_LEVEL *level, + STACK_OF(X509_POLICY_NODE) *nodes) +{ + for (size_t i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(nodes, i); + if (!sk_X509_POLICY_NODE_push(level->nodes, node)) { + return 0; + } + sk_X509_POLICY_NODE_set(nodes, i, NULL); + } + sk_X509_POLICY_NODE_sort(level->nodes); #if !defined(NDEBUG) // There should be no duplicate nodes. - for (size_t i = 1; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { - assert(OBJ_cmp(sk_X509_POLICY_NODE_value(level->nodes, i - 1)->policy, - sk_X509_POLICY_NODE_value(level->nodes, i)->policy) != 0); - } + for (size_t i = 1; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { + assert( + OBJ_cmp( + sk_X509_POLICY_NODE_value(level->nodes, i - 1)->policy, + sk_X509_POLICY_NODE_value(level->nodes, i)->policy) != 0); + } #endif - return 1; + return 1; } -static int policyinfo_cmp(const POLICYINFO *const *a, - const POLICYINFO *const *b) { - return OBJ_cmp((*a)->policyid, (*b)->policyid); +static int +policyinfo_cmp(const POLICYINFO *const *a, + const POLICYINFO *const *b) +{ + return OBJ_cmp((*a)->policyid, (*b)->policyid); } -static int delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) { - const CERTIFICATEPOLICIES *policies = data; - assert(sk_POLICYINFO_is_sorted(policies)); - POLICYINFO info; - info.policyid = node->policy; - if (sk_POLICYINFO_find(policies, &info) >= 0) { - return 0; - } - x509_policy_node_free(node); - return 1; +static int +delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) +{ + const CERTIFICATEPOLICIES *policies = data; + assert(sk_POLICYINFO_is_sorted(policies)); + POLICYINFO info; + info.policyid = node->policy; + if (sk_POLICYINFO_find(policies, &info) >= 0) { + return 0; + } + x509_policy_node_free(node); + return 1; } // process_certificate_policies updates |level| to incorporate |x509|'s @@ -297,115 +327,128 @@ static int delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) { // the output of |process_policy_mappings|. |any_policy_allowed| specifies // whether anyPolicy is allowed or inhibited, taking into account the exception // for self-issued certificates. -static int process_certificate_policies(const X509 *x509, - X509_POLICY_LEVEL *level, - int any_policy_allowed) { - int ret = 0; - int critical; - STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; - CERTIFICATEPOLICIES *policies = - X509_get_ext_d2i(x509, NID_certificate_policies, &critical, NULL); - if (policies == NULL) { - if (critical != -1) { - return 0; // Syntax error in the extension. - } +static int +process_certificate_policies(const X509 *x509, + X509_POLICY_LEVEL *level, + int any_policy_allowed) +{ + int ret = 0; + int critical; + STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; + CERTIFICATEPOLICIES *policies = + X509_get_ext_d2i(x509, NID_certificate_policies, &critical, NULL); + if (policies == NULL) { + if (critical != -1) { + return 0; // Syntax error in the extension. + } // RFC 5280, section 6.1.3, step (e). - x509_policy_level_clear(level); - return 1; - } + x509_policy_level_clear(level); + return 1; + } // certificatePolicies may not be empty. See RFC 5280, section 4.2.1.4. // TODO(https://crbug.com/boringssl/443): Move this check into the parser. - if (sk_POLICYINFO_num(policies) == 0) { - X509error(X509_R_INVALID_POLICY_EXTENSION); - goto err; - } - - sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp); - sk_POLICYINFO_sort(policies); - int cert_has_any_policy = 0; - for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) { - const POLICYINFO *policy = sk_POLICYINFO_value(policies, i); - if (is_any_policy(policy->policyid)) { - cert_has_any_policy = 1; - } - if (i > 0 && OBJ_cmp(sk_POLICYINFO_value(policies, i - 1)->policyid, - policy->policyid) == 0) { + if (sk_POLICYINFO_num(policies) == 0) { + X509error(X509_R_INVALID_POLICY_EXTENSION); + goto err; + } + + sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp); + sk_POLICYINFO_sort(policies); + int cert_has_any_policy = 0; + for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) { + const POLICYINFO *policy = sk_POLICYINFO_value(policies, i); + if (is_any_policy(policy->policyid)) { + cert_has_any_policy = 1; + } + if (i > 0 && + OBJ_cmp(sk_POLICYINFO_value(policies, i - 1)->policyid, + policy->policyid) == 0) { // Per RFC 5280, section 4.2.1.4, |policies| may not have duplicates. - X509error(X509_R_INVALID_POLICY_EXTENSION); - goto err; - } - } + X509error(X509_R_INVALID_POLICY_EXTENSION); + goto err; + } + } // This does the same thing as RFC 5280, section 6.1.3, step (d), though in // a slighty different order. |level| currently contains "expected_policy_set" // values of the previous level. See |process_policy_mappings| for details. - const int previous_level_has_any_policy = level->has_any_policy; + const int previous_level_has_any_policy = level->has_any_policy; // First, we handle steps (d.1.i) and (d.2). The net effect of these two steps // is to intersect |level| with |policies|, ignoring anyPolicy if it is // inhibited. - if (!cert_has_any_policy || !any_policy_allowed) { - sk_X509_POLICY_NODE_delete_if(level->nodes, delete_if_not_in_policies, - policies); - level->has_any_policy = 0; - } + if (!cert_has_any_policy || !any_policy_allowed) { + sk_X509_POLICY_NODE_delete_if(level->nodes, + delete_if_not_in_policies, policies); + level->has_any_policy = 0; + } // Step (d.1.ii) may attach new nodes to the previous level's anyPolicy node. - if (previous_level_has_any_policy) { - new_nodes = sk_X509_POLICY_NODE_new_null(); - if (new_nodes == NULL) { - goto err; - } - for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) { - const POLICYINFO *policy = sk_POLICYINFO_value(policies, i); + if (previous_level_has_any_policy) { + new_nodes = sk_X509_POLICY_NODE_new_null(); + if (new_nodes == NULL) { + goto err; + } + for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) { + const POLICYINFO *policy = sk_POLICYINFO_value(policies, + i); // Though we've reordered the steps slightly, |policy| is in |level| if // and only if it would have been a match in step (d.1.ii). - if (!is_any_policy(policy->policyid) && - x509_policy_level_find(level, policy->policyid) == NULL) { - X509_POLICY_NODE *node = x509_policy_node_new(policy->policyid); - if (node == NULL || // - !sk_X509_POLICY_NODE_push(new_nodes, node)) { - x509_policy_node_free(node); - goto err; - } - } - } - if (!x509_policy_level_add_nodes(level, new_nodes)) { - goto err; - } - } - - ret = 1; + if (!is_any_policy(policy->policyid) && + x509_policy_level_find(level, policy->policyid) == + NULL) { + X509_POLICY_NODE *node = x509_policy_node_new( + policy->policyid); + if (node == NULL || // + !sk_X509_POLICY_NODE_push(new_nodes, + node)) { + x509_policy_node_free(node); + goto err; + } + } + } + if (!x509_policy_level_add_nodes(level, new_nodes)) { + goto err; + } + } + + ret = 1; err: - sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free); - CERTIFICATEPOLICIES_free(policies); - return ret; + sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free); + CERTIFICATEPOLICIES_free(policies); + return ret; } -static int compare_issuer_policy(const POLICY_MAPPING *const *a, - const POLICY_MAPPING *const *b) { - return OBJ_cmp((*a)->issuerDomainPolicy, (*b)->issuerDomainPolicy); +static int +compare_issuer_policy(const POLICY_MAPPING *const *a, + const POLICY_MAPPING *const *b) +{ + return OBJ_cmp((*a)->issuerDomainPolicy, (*b)->issuerDomainPolicy); } -static int compare_subject_policy(const POLICY_MAPPING *const *a, - const POLICY_MAPPING *const *b) { - return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy); +static int +compare_subject_policy(const POLICY_MAPPING *const *a, + const POLICY_MAPPING *const *b) +{ + return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy); } -static int delete_if_mapped(X509_POLICY_NODE *node, void *data) { - const POLICY_MAPPINGS *mappings = data; +static int +delete_if_mapped(X509_POLICY_NODE *node, void *data) +{ + const POLICY_MAPPINGS *mappings = data; // |mappings| must have been sorted by |compare_issuer_policy|. - assert(sk_POLICY_MAPPING_is_sorted(mappings)); - POLICY_MAPPING mapping; - mapping.issuerDomainPolicy = node->policy; - if (sk_POLICY_MAPPING_find(mappings, &mapping) < 0) { - return 0; - } - x509_policy_node_free(node); - return 1; + assert(sk_POLICY_MAPPING_is_sorted(mappings)); + POLICY_MAPPING mapping; + mapping.issuerDomainPolicy = node->policy; + if (sk_POLICY_MAPPING_find(mappings, &mapping) < 0) { + return 0; + } + x509_policy_node_free(node); + return 1; } // process_policy_mappings processes the policy mappings extension of |cert|, @@ -424,224 +467,245 @@ static int delete_if_mapped(X509_POLICY_NODE *node, void *data) { // This is equivalent to the |X509_POLICY_LEVEL| that would result if the next // certificats contained anyPolicy. |process_certificate_policies| will filter // this result down to compute the actual level. -static X509_POLICY_LEVEL *process_policy_mappings(const X509 *cert, - X509_POLICY_LEVEL *level, - int mapping_allowed) { - int ok = 0; - STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; - X509_POLICY_LEVEL *next = NULL; - int critical; - POLICY_MAPPINGS *mappings = - X509_get_ext_d2i(cert, NID_policy_mappings, &critical, NULL); - if (mappings == NULL && critical != -1) { +static X509_POLICY_LEVEL * +process_policy_mappings(const X509 *cert, + X509_POLICY_LEVEL *level, + int mapping_allowed) +{ + int ok = 0; + STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; + X509_POLICY_LEVEL *next = NULL; + int critical; + POLICY_MAPPINGS *mappings = + X509_get_ext_d2i(cert, NID_policy_mappings, &critical, NULL); + if (mappings == NULL && critical != -1) { // Syntax error in the policy mappings extension. - goto err; - } + goto err; + } - if (mappings != NULL) { + if (mappings != NULL) { // PolicyMappings may not be empty. See RFC 5280, section 4.2.1.5. // TODO(https://crbug.com/boringssl/443): Move this check into the parser. - if (sk_POLICY_MAPPING_num(mappings) == 0) { - X509error(X509_R_INVALID_POLICY_EXTENSION); - goto err; - } + if (sk_POLICY_MAPPING_num(mappings) == 0) { + X509error(X509_R_INVALID_POLICY_EXTENSION); + goto err; + } // RFC 5280, section 6.1.4, step (a). - for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { - POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i); - if (is_any_policy(mapping->issuerDomainPolicy) || - is_any_policy(mapping->subjectDomainPolicy)) { - goto err; - } - } + for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { + POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, + i); + if (is_any_policy(mapping->issuerDomainPolicy) || + is_any_policy(mapping->subjectDomainPolicy)) { + goto err; + } + } // Sort to group by issuerDomainPolicy. - sk_POLICY_MAPPING_set_cmp_func(mappings, compare_issuer_policy); - sk_POLICY_MAPPING_sort(mappings); + sk_POLICY_MAPPING_set_cmp_func(mappings, compare_issuer_policy); + sk_POLICY_MAPPING_sort(mappings); - if (mapping_allowed) { + if (mapping_allowed) { // Mark nodes as mapped, and add any nodes to |level| which may be needed // as part of RFC 5280, section 6.1.4, step (b.1). - new_nodes = sk_X509_POLICY_NODE_new_null(); - if (new_nodes == NULL) { - goto err; - } - const ASN1_OBJECT *last_policy = NULL; - for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { - const POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i); - // There may be multiple mappings with the same |issuerDomainPolicy|. - if (last_policy != NULL && - OBJ_cmp(mapping->issuerDomainPolicy, last_policy) == 0) { - continue; - } - last_policy = mapping->issuerDomainPolicy; - - X509_POLICY_NODE *node = - x509_policy_level_find(level, mapping->issuerDomainPolicy); - if (node == NULL) { - if (!level->has_any_policy) { - continue; - } - node = x509_policy_node_new(mapping->issuerDomainPolicy); - if (node == NULL || // - !sk_X509_POLICY_NODE_push(new_nodes, node)) { - x509_policy_node_free(node); - goto err; - } - } - node->mapped = 1; - } - if (!x509_policy_level_add_nodes(level, new_nodes)) { - goto err; - } - } else { + new_nodes = sk_X509_POLICY_NODE_new_null(); + if (new_nodes == NULL) { + goto err; + } + const ASN1_OBJECT *last_policy = NULL; + for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); + i++) { + const POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, + i); + // There may be multiple mappings with the same |issuerDomainPolicy|. + if (last_policy != NULL && + OBJ_cmp(mapping->issuerDomainPolicy, + last_policy) == 0) { + continue; + } + last_policy = mapping->issuerDomainPolicy; + + X509_POLICY_NODE *node = + x509_policy_level_find(level, + mapping->issuerDomainPolicy); + if (node == NULL) { + if (!level->has_any_policy) { + continue; + } + node = x509_policy_node_new( + mapping->issuerDomainPolicy); + if (node == NULL || // + !sk_X509_POLICY_NODE_push(new_nodes, + node)) { + x509_policy_node_free(node); + goto err; + } + } + node->mapped = 1; + } + if (!x509_policy_level_add_nodes(level, new_nodes)) { + goto err; + } + } else { // RFC 5280, section 6.1.4, step (b.2). If mapping is inhibited, delete // all mapped nodes. - sk_X509_POLICY_NODE_delete_if(level->nodes, delete_if_mapped, mappings); - sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free); - mappings = NULL; - } - } + sk_X509_POLICY_NODE_delete_if(level->nodes, + delete_if_mapped, mappings); + sk_POLICY_MAPPING_pop_free(mappings, + POLICY_MAPPING_free); + mappings = NULL; + } + } // If a node was not mapped, it retains the original "explicit_policy_set" // value, itself. Add those to |mappings|. - if (mappings == NULL) { - mappings = sk_POLICY_MAPPING_new_null(); - if (mappings == NULL) { - goto err; - } - } - for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, i); - if (!node->mapped) { - POLICY_MAPPING *mapping = POLICY_MAPPING_new(); - if (mapping == NULL) { - goto err; - } - mapping->issuerDomainPolicy = OBJ_dup(node->policy); - mapping->subjectDomainPolicy = OBJ_dup(node->policy); - if (mapping->issuerDomainPolicy == NULL || - mapping->subjectDomainPolicy == NULL || - !sk_POLICY_MAPPING_push(mappings, mapping)) { - POLICY_MAPPING_free(mapping); - goto err; - } - } - } + if (mappings == NULL) { + mappings = sk_POLICY_MAPPING_new_null(); + if (mappings == NULL) { + goto err; + } + } + for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, + i); + if (!node->mapped) { + POLICY_MAPPING *mapping = POLICY_MAPPING_new(); + if (mapping == NULL) { + goto err; + } + mapping->issuerDomainPolicy = OBJ_dup(node->policy); + mapping->subjectDomainPolicy = OBJ_dup(node->policy); + if (mapping->issuerDomainPolicy == NULL || + mapping->subjectDomainPolicy == NULL || + !sk_POLICY_MAPPING_push(mappings, mapping)) { + POLICY_MAPPING_free(mapping); + goto err; + } + } + } // Sort to group by subjectDomainPolicy. - sk_POLICY_MAPPING_set_cmp_func(mappings, compare_subject_policy); - sk_POLICY_MAPPING_sort(mappings); + sk_POLICY_MAPPING_set_cmp_func(mappings, compare_subject_policy); + sk_POLICY_MAPPING_sort(mappings); // Convert |mappings| to our "expected_policy_set" representation. - next = x509_policy_level_new(); - if (next == NULL) { - goto err; - } - next->has_any_policy = level->has_any_policy; - - X509_POLICY_NODE *last_node = NULL; - for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { - POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i); + next = x509_policy_level_new(); + if (next == NULL) { + goto err; + } + next->has_any_policy = level->has_any_policy; + + X509_POLICY_NODE *last_node = NULL; + for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { + POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i); // Skip mappings where |issuerDomainPolicy| does not appear in the graph. - if (!level->has_any_policy && - x509_policy_level_find(level, mapping->issuerDomainPolicy) == NULL) { - continue; - } - - if (last_node == NULL || - OBJ_cmp(last_node->policy, mapping->subjectDomainPolicy) != 0) { - last_node = x509_policy_node_new(mapping->subjectDomainPolicy); - if (last_node == NULL || - !sk_X509_POLICY_NODE_push(next->nodes, last_node)) { - x509_policy_node_free(last_node); - goto err; - } - } - - if (!sk_ASN1_OBJECT_push(last_node->parent_policies, - mapping->issuerDomainPolicy)) { - goto err; - } - mapping->issuerDomainPolicy = NULL; - } - - sk_X509_POLICY_NODE_sort(next->nodes); - ok = 1; + if (!level->has_any_policy && + x509_policy_level_find(level, + mapping->issuerDomainPolicy) == NULL) { + continue; + } + + if (last_node == NULL || + OBJ_cmp(last_node->policy, mapping->subjectDomainPolicy) != + 0) { + last_node = x509_policy_node_new( + mapping->subjectDomainPolicy); + if (last_node == NULL || + !sk_X509_POLICY_NODE_push(next->nodes, last_node)) { + x509_policy_node_free(last_node); + goto err; + } + } + + if (!sk_ASN1_OBJECT_push(last_node->parent_policies, + mapping->issuerDomainPolicy)) { + goto err; + } + mapping->issuerDomainPolicy = NULL; + } + + sk_X509_POLICY_NODE_sort(next->nodes); + ok = 1; err: - if (!ok) { - x509_policy_level_free(next); - next = NULL; - } - - sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free); - sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free); - return next; + if (!ok) { + x509_policy_level_free(next); + next = NULL; + } + + sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free); + sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free); + return next; } // apply_skip_certs, if |skip_certs| is non-NULL, sets |*value| to the minimum // of its current value and |skip_certs|. It returns one on success and zero if // |skip_certs| is negative. -static int apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value) { - if (skip_certs == NULL) { - return 1; - } +static int +apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value) +{ + if (skip_certs == NULL) { + return 1; + } // TODO(https://crbug.com/boringssl/443): Move this check into the parser. - if (skip_certs->type & V_ASN1_NEG) { - X509error(X509_R_INVALID_POLICY_EXTENSION); - return 0; - } + if (skip_certs->type & V_ASN1_NEG) { + X509error(X509_R_INVALID_POLICY_EXTENSION); + return 0; + } // If |skip_certs| does not fit in |uint64_t|, it must exceed |*value|. - uint64_t u64; - if (ASN1_INTEGER_get_uint64(&u64, skip_certs) && u64 < *value) { - *value = (size_t)u64; - } - ERR_clear_error(); - return 1; + uint64_t u64; + if (ASN1_INTEGER_get_uint64(&u64, skip_certs) && u64 < *value) { + *value = (size_t)u64; + } + ERR_clear_error(); + return 1; } // process_policy_constraints updates |*explicit_policy|, |*policy_mapping|, and // |*inhibit_any_policy| according to |x509|'s policy constraints and inhibit // anyPolicy extensions. It returns one on success and zero on error. This // implements steps (i) and (j) of RFC 5280, section 6.1.4. -static int process_policy_constraints(const X509 *x509, size_t *explicit_policy, - size_t *policy_mapping, - size_t *inhibit_any_policy) { - int critical; - POLICY_CONSTRAINTS *constraints = - X509_get_ext_d2i(x509, NID_policy_constraints, &critical, NULL); - if (constraints == NULL && critical != -1) { - return 0; - } - if (constraints != NULL) { - if (constraints->requireExplicitPolicy == NULL && - constraints->inhibitPolicyMapping == NULL) { +static int +process_policy_constraints(const X509 *x509, size_t *explicit_policy, + size_t *policy_mapping, + size_t *inhibit_any_policy) +{ + int critical; + POLICY_CONSTRAINTS *constraints = + X509_get_ext_d2i(x509, NID_policy_constraints, &critical, NULL); + if (constraints == NULL && critical != -1) { + return 0; + } + if (constraints != NULL) { + if (constraints->requireExplicitPolicy == NULL && + constraints->inhibitPolicyMapping == NULL) { // Per RFC 5280, section 4.2.1.11, at least one of the fields must be // present. - X509error(X509_R_INVALID_POLICY_EXTENSION); - POLICY_CONSTRAINTS_free(constraints); - return 0; - } - int ok = - apply_skip_certs(constraints->requireExplicitPolicy, explicit_policy) && - apply_skip_certs(constraints->inhibitPolicyMapping, policy_mapping); - POLICY_CONSTRAINTS_free(constraints); - if (!ok) { - return 0; - } - } - - ASN1_INTEGER *inhibit_any_policy_ext = - X509_get_ext_d2i(x509, NID_inhibit_any_policy, &critical, NULL); - if (inhibit_any_policy_ext == NULL && critical != -1) { - return 0; - } - int ok = apply_skip_certs(inhibit_any_policy_ext, inhibit_any_policy); - ASN1_INTEGER_free(inhibit_any_policy_ext); - return ok; + X509error(X509_R_INVALID_POLICY_EXTENSION); + POLICY_CONSTRAINTS_free(constraints); + return 0; + } + int ok = + apply_skip_certs(constraints->requireExplicitPolicy, + explicit_policy) && + apply_skip_certs(constraints->inhibitPolicyMapping, + policy_mapping); + POLICY_CONSTRAINTS_free(constraints); + if (!ok) { + return 0; + } + } + + ASN1_INTEGER *inhibit_any_policy_ext = + X509_get_ext_d2i(x509, NID_inhibit_any_policy, &critical, NULL); + if (inhibit_any_policy_ext == NULL && critical != -1) { + return 0; + } + int ok = apply_skip_certs(inhibit_any_policy_ext, inhibit_any_policy); + ASN1_INTEGER_free(inhibit_any_policy_ext); + return ok; } // has_explicit_policy returns one if the set of authority-space policy OIDs @@ -649,215 +713,236 @@ static int process_policy_constraints(const X509 *x509, size_t *explicit_policy, // otherwise. This mirrors the logic in RFC 5280, section 6.1.5, step (g). This // function modifies |levels| and should only be called at the end of policy // evaluation. -static int has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, - const STACK_OF(ASN1_OBJECT) *user_policies) { - assert(user_policies == NULL || sk_ASN1_OBJECT_is_sorted(user_policies)); +static int +has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, + const STACK_OF(ASN1_OBJECT) *user_policies) +{ + assert(user_policies == NULL || + sk_ASN1_OBJECT_is_sorted(user_policies)); // Step (g.i). If the policy graph is empty, the intersection is empty. - size_t num_levels = sk_X509_POLICY_LEVEL_num(levels); - X509_POLICY_LEVEL *level = sk_X509_POLICY_LEVEL_value(levels, num_levels - 1); - if (x509_policy_level_is_empty(level)) { - return 0; - } + size_t num_levels = sk_X509_POLICY_LEVEL_num(levels); + X509_POLICY_LEVEL *level = sk_X509_POLICY_LEVEL_value(levels, + num_levels - 1); + if (x509_policy_level_is_empty(level)) { + return 0; + } // If |user_policies| is empty, we interpret it as having a single anyPolicy // value. The caller may also have supplied anyPolicy explicitly. - int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) == 0; - for (size_t i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) { - if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) { - user_has_any_policy = 1; - break; - } - } + int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) == 0; + for (size_t i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) { + if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) { + user_has_any_policy = 1; + break; + } + } // Step (g.ii). If the policy graph is not empty and the user set contains // anyPolicy, the intersection is the entire (non-empty) graph. - if (user_has_any_policy) { - return 1; - } + if (user_has_any_policy) { + return 1; + } // Step (g.iii) does not delete anyPolicy nodes, so if the graph has // anyPolicy, some explicit policy will survive. The actual intersection may // synthesize some nodes in step (g.iii.3), but we do not return the policy // list itself, so we skip actually computing this. - if (level->has_any_policy) { - return 1; - } + if (level->has_any_policy) { + return 1; + } // We defer pruning the tree, so as we look for nodes with parent anyPolicy, // step (g.iii.1), we must limit to nodes reachable from the bottommost level. // Start by marking each of those nodes as reachable. - for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { - sk_X509_POLICY_NODE_value(level->nodes, i)->reachable = 1; - } - - for (size_t i = num_levels - 1; i < num_levels; i--) { - level = sk_X509_POLICY_LEVEL_value(levels, i); - for (size_t j = 0; j < sk_X509_POLICY_NODE_num(level->nodes); j++) { - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, j); - if (!node->reachable) { - continue; - } - if (sk_ASN1_OBJECT_num(node->parent_policies) == 0) { - // |node|'s parent is anyPolicy and is part of "valid_policy_node_set". - // If it exists in |user_policies|, the intersection is non-empty and we - // can return immediately. - if (sk_ASN1_OBJECT_find(user_policies, node->policy) >= 0) { - return 1; - } - } else if (i > 0) { - // |node|'s parents are concrete policies. Mark the parents reachable, - // to be inspected by the next loop iteration. - X509_POLICY_LEVEL *prev = sk_X509_POLICY_LEVEL_value(levels, i - 1); - for (size_t k = 0; k < sk_ASN1_OBJECT_num(node->parent_policies); k++) { - X509_POLICY_NODE *parent = x509_policy_level_find( - prev, sk_ASN1_OBJECT_value(node->parent_policies, k)); - if (parent != NULL) { - parent->reachable = 1; - } - } - } - } - } - - return 0; + for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { + sk_X509_POLICY_NODE_value(level->nodes, i)->reachable = 1; + } + + for (size_t i = num_levels - 1; i < num_levels; i--) { + level = sk_X509_POLICY_LEVEL_value(levels, i); + for (size_t j = 0; j < sk_X509_POLICY_NODE_num(level->nodes); + j++) { + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, + j); + if (!node->reachable) { + continue; + } + if (sk_ASN1_OBJECT_num(node->parent_policies) == 0) { + // |node|'s parent is anyPolicy and is part of "valid_policy_node_set". + // If it exists in |user_policies|, the intersection is non-empty and we + // can return immediately. + if (sk_ASN1_OBJECT_find(user_policies, + node->policy) >= 0) { + return 1; + } + } else if (i > 0) { + // |node|'s parents are concrete policies. Mark the parents reachable, + // to be inspected by the next loop iteration. + X509_POLICY_LEVEL *prev = sk_X509_POLICY_LEVEL_value(levels, + i - 1); + for (size_t k = 0; k < + sk_ASN1_OBJECT_num(node->parent_policies); + k++) { + X509_POLICY_NODE *parent = x509_policy_level_find( + prev, + + sk_ASN1_OBJECT_value(node->parent_policies, + k)); + if (parent != NULL) { + parent->reachable = 1; + } + } + } + } + } + + return 0; } -static int asn1_object_cmp(const ASN1_OBJECT *const *a, - const ASN1_OBJECT *const *b) { - return OBJ_cmp(*a, *b); +static int +asn1_object_cmp(const ASN1_OBJECT *const *a, + const ASN1_OBJECT *const *b) +{ + return OBJ_cmp(*a, *b); } -int X509_policy_check(const STACK_OF(X509) *certs, - const STACK_OF(ASN1_OBJECT) *user_policies, - unsigned long flags, X509 **out_current_cert) { - *out_current_cert = NULL; - int ret = X509_V_ERR_OUT_OF_MEM; - X509_POLICY_LEVEL *level = NULL; - STACK_OF(X509_POLICY_LEVEL) *levels = NULL; - STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL; - size_t num_certs = sk_X509_num(certs); +int +X509_policy_check(const STACK_OF(X509) *certs, + const STACK_OF(ASN1_OBJECT) *user_policies, + unsigned long flags, X509 **out_current_cert) +{ + *out_current_cert = NULL; + int ret = X509_V_ERR_OUT_OF_MEM; + X509_POLICY_LEVEL *level = NULL; + STACK_OF(X509_POLICY_LEVEL) *levels = NULL; + STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL; + size_t num_certs = sk_X509_num(certs); // Skip policy checking if the chain is just the trust anchor. - if (num_certs <= 1) { - return X509_V_OK; - } + if (num_certs <= 1) { + return X509_V_OK; + } // See RFC 5280, section 6.1.2, steps (d) through (f). - size_t explicit_policy = - (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : num_certs + 1; - size_t inhibit_any_policy = - (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : num_certs + 1; - size_t policy_mapping = - (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : num_certs + 1; - - levels = sk_X509_POLICY_LEVEL_new_null(); - if (levels == NULL) { - goto err; - } - - for (size_t i = num_certs - 2; i < num_certs; i--) { - X509 *cert = sk_X509_value(certs, i); - if (!x509v3_cache_extensions(cert)) { - goto err; - } - const int is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0; - - if (level == NULL) { - assert(i == num_certs - 2); - level = x509_policy_level_new(); - if (level == NULL) { - goto err; - } - level->has_any_policy = 1; - } + size_t explicit_policy = + (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : num_certs + 1; + size_t inhibit_any_policy = + (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : num_certs + 1; + size_t policy_mapping = + (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : num_certs + 1; + + levels = sk_X509_POLICY_LEVEL_new_null(); + if (levels == NULL) { + goto err; + } + + for (size_t i = num_certs - 2; i < num_certs; i--) { + X509 *cert = sk_X509_value(certs, i); + if (!x509v3_cache_extensions(cert)) { + goto err; + } + const int is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0; + + if (level == NULL) { + assert(i == num_certs - 2); + level = x509_policy_level_new(); + if (level == NULL) { + goto err; + } + level->has_any_policy = 1; + } // RFC 5280, section 6.1.3, steps (d) and (e). |any_policy_allowed| is // computed as in step (d.2). - const int any_policy_allowed = - inhibit_any_policy > 0 || (i > 0 && is_self_issued); - if (!process_certificate_policies(cert, level, any_policy_allowed)) { - ret = X509_V_ERR_INVALID_POLICY_EXTENSION; - *out_current_cert = cert; - goto err; - } + const int any_policy_allowed = + inhibit_any_policy > 0 || (i > 0 && is_self_issued); + if (!process_certificate_policies(cert, level, + any_policy_allowed)) { + ret = X509_V_ERR_INVALID_POLICY_EXTENSION; + *out_current_cert = cert; + goto err; + } // RFC 5280, section 6.1.3, step (f). - if (explicit_policy == 0 && x509_policy_level_is_empty(level)) { - ret = X509_V_ERR_NO_EXPLICIT_POLICY; - goto err; - } + if (explicit_policy == 0 && x509_policy_level_is_empty(level)) { + ret = X509_V_ERR_NO_EXPLICIT_POLICY; + goto err; + } // Insert into the list. - if (!sk_X509_POLICY_LEVEL_push(levels, level)) { - goto err; - } - X509_POLICY_LEVEL *current_level = level; - level = NULL; + if (!sk_X509_POLICY_LEVEL_push(levels, level)) { + goto err; + } + X509_POLICY_LEVEL *current_level = level; + level = NULL; // If this is not the leaf certificate, we go to section 6.1.4. If it // is the leaf certificate, we go to section 6.1.5 instead. - if (i != 0) { + if (i != 0) { // RFC 5280, section 6.1.4, steps (a) and (b). - level = process_policy_mappings(cert, current_level, policy_mapping > 0); - if (level == NULL) { - ret = X509_V_ERR_INVALID_POLICY_EXTENSION; - *out_current_cert = cert; - goto err; - } - } + level = process_policy_mappings(cert, current_level, + policy_mapping > 0); + if (level == NULL) { + ret = X509_V_ERR_INVALID_POLICY_EXTENSION; + *out_current_cert = cert; + goto err; + } + } // RFC 5280, section 6.1.4, step (h-j) for non-leaves, and section 6.1.5, // step (a-b) for leaves. In the leaf case, RFC 5280 says only to update // |explicit_policy|, but |policy_mapping| and |inhibit_any_policy| are no // longer read at this point, so we use the same process. - if (i == 0 || !is_self_issued) { - if (explicit_policy > 0) { - explicit_policy--; - } - if (policy_mapping > 0) { - policy_mapping--; - } - if (inhibit_any_policy > 0) { - inhibit_any_policy--; - } - } - if (!process_policy_constraints(cert, &explicit_policy, &policy_mapping, - &inhibit_any_policy)) { - ret = X509_V_ERR_INVALID_POLICY_EXTENSION; - *out_current_cert = cert; - goto err; - } - } + if (i == 0 || !is_self_issued) { + if (explicit_policy > 0) { + explicit_policy--; + } + if (policy_mapping > 0) { + policy_mapping--; + } + if (inhibit_any_policy > 0) { + inhibit_any_policy--; + } + } + if (!process_policy_constraints(cert, &explicit_policy, + &policy_mapping, &inhibit_any_policy)) { + ret = X509_V_ERR_INVALID_POLICY_EXTENSION; + *out_current_cert = cert; + goto err; + } + } // RFC 5280, section 6.1.5, step (g). We do not output the policy set, so it // is only necessary to check if the user-constrained-policy-set is not empty. - if (explicit_policy == 0) { + if (explicit_policy == 0) { // Build a sorted copy of |user_policies| for more efficient lookup. - if (user_policies != NULL) { - user_policies_sorted = sk_ASN1_OBJECT_dup(user_policies); - if (user_policies_sorted == NULL) { - goto err; - } - sk_ASN1_OBJECT_set_cmp_func(user_policies_sorted, asn1_object_cmp); - sk_ASN1_OBJECT_sort(user_policies_sorted); - } - - if (!has_explicit_policy(levels, user_policies_sorted)) { - ret = X509_V_ERR_NO_EXPLICIT_POLICY; - goto err; - } - } - - ret = X509_V_OK; + if (user_policies != NULL) { + user_policies_sorted = sk_ASN1_OBJECT_dup( + user_policies); + if (user_policies_sorted == NULL) { + goto err; + } + sk_ASN1_OBJECT_set_cmp_func(user_policies_sorted, + asn1_object_cmp); + sk_ASN1_OBJECT_sort(user_policies_sorted); + } + + if (!has_explicit_policy(levels, user_policies_sorted)) { + ret = X509_V_ERR_NO_EXPLICIT_POLICY; + goto err; + } + } + + ret = X509_V_OK; err: - x509_policy_level_free(level); + x509_policy_level_free(level); // |user_policies_sorted|'s contents are owned by |user_policies|, so we do // not use |sk_ASN1_OBJECT_pop_free|. - sk_ASN1_OBJECT_free(user_policies_sorted); - sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free); - return ret; + sk_ASN1_OBJECT_free(user_policies_sorted); + sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free); + return ret; } #endif /* LIBRESSL_HAS_POLICY_DAG */ -- 2.20.1