*
*/
-#include "cryptlib.h"
+#include "internal/cryptlib.h"
#include <openssl/x509.h>
#include <openssl/x509v3.h>
int explicit_policy;
int any_skip;
int map_skip;
+
*ptree = NULL;
n = sk_X509_num(certs);
-#if 0
- /* Disable policy mapping for now... */
- flags |= X509_V_FLAG_INHIBIT_MAP;
-#endif
-
if (flags & X509_V_FLAG_EXPLICIT_POLICY)
explicit_policy = 0;
else
* explicit_policy value at this point.
*/
for (i = n - 2; i >= 0; i--) {
+ uint32_t ex_flags;
x = sk_X509_value(certs, i);
+ ex_flags = X509_get_extension_flags(x);
X509_check_purpose(x, -1, -1);
cache = policy_cache_set(x);
/* If cache NULL something bad happened: return immediately */
/*
* If inconsistent extensions keep a note of it but continue
*/
- if (x->ex_flags & EXFLAG_INVALID_POLICY)
+ if (ex_flags & EXFLAG_INVALID_POLICY)
ret = -1;
/*
* Otherwise if we have no data (hence no CertificatePolicies) and
else if ((ret == 1) && !cache->data)
ret = 2;
if (explicit_policy > 0) {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
explicit_policy--;
if ((cache->explicit_skip != -1)
&& (cache->explicit_skip < explicit_policy))
}
/* If we get this far initialize the tree */
-
- tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
-
- if (!tree)
+ tree = OPENSSL_zalloc(sizeof(*tree));
+ if (tree == NULL)
return 0;
-
- tree->flags = 0;
- tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
- tree->nlevel = 0;
- tree->extra_data = NULL;
- tree->auth_policies = NULL;
- tree->user_policies = NULL;
-
- if (!tree->levels) {
+ tree->levels = OPENSSL_zalloc(sizeof(*tree->levels) * n);
+ if (tree->levels == NULL) {
OPENSSL_free(tree);
return 0;
}
-
- memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL));
-
tree->nlevel = n;
-
level = tree->levels;
/* Root data: initialize to anyPolicy */
-
data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
- if (!data || !level_add_node(level, data, NULL, tree))
+ if (data == NULL || !level_add_node(level, data, NULL, tree))
goto bad_tree;
for (i = n - 2; i >= 0; i--) {
+ uint32_t ex_flags;
level++;
x = sk_X509_value(certs, i);
+ ex_flags = X509_get_extension_flags(x);
cache = policy_cache_set(x);
- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(x);
level->cert = x;
if (!cache->anyPolicy)
* Any matching allowed if certificate is self issued and not the
* last in the chain.
*/
- if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+ if (!(ex_flags & EXFLAG_SI) || (i == 0))
level->flags |= X509_V_FLAG_INHIBIT_ANY;
} else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
any_skip--;
if ((cache->any_skip >= 0)
&& (cache->any_skip < any_skip))
if (map_skip == 0)
level->flags |= X509_V_FLAG_INHIBIT_MAP;
else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(ex_flags & EXFLAG_SI))
map_skip--;
if ((cache->map_skip >= 0)
&& (cache->map_skip < map_skip))
}
static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
- const X509_POLICY_DATA *data)
+ X509_POLICY_DATA *data)
{
X509_POLICY_LEVEL *last = curr - 1;
X509_POLICY_NODE *node;
for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
data = sk_X509_POLICY_DATA_value(cache->data, i);
- /*
- * If a node is mapped any it doesn't have a corresponding
- * CertificatePolicies entry. However such an identical node would
- * be created if anyPolicy matching is enabled because there would be
- * no match with the parent valid_policy_set. So we create link
- * because then it will have the mapping flags right and we can prune
- * it later.
- */
-#if 0
- if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
- && !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
- continue;
-#endif
/* Look for matching nodes in previous level */
if (!tree_link_matching_nodes(curr, data))
return 0;
X509_POLICY_TREE *tree)
{
int i;
- /*
- * X509_POLICY_DATA *data;
- */
X509_POLICY_NODE *node;
X509_POLICY_LEVEL *last = curr - 1;
if (!tree_link_unmatched(curr, cache, node, tree))
return 0;
-
-#if 0
-
- /*
- * Skip any node with any children: we only want unmathced nodes.
- * Note: need something better for policy mapping because each node
- * may have multiple children
- */
- if (node->nchild)
- continue;
-
- /*
- * Create a new node with qualifiers from anyPolicy and id from
- * unmatched node.
- */
- data = policy_data_new(NULL, node->data->valid_policy,
- node_critical(node));
-
- if (data == NULL)
- return 0;
- /* Curr may not have anyPolicy */
- data->qualifier_set = cache->anyPolicy->qualifier_set;
- data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
- if (!level_add_node(curr, data, node, tree)) {
- policy_data_free(data);
- return 0;
- }
-#endif
-
}
/* Finally add link to anyPolicy */
if (last->anyPolicy) {
static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes,
X509_POLICY_NODE *pcy)
{
- if (!*pnodes) {
+ if (*pnodes == NULL) {
*pnodes = policy_node_cmp_new();
- if (!*pnodes)
+ if (*pnodes == NULL)
return 0;
} else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
return 1;
* If no anyPolicy node on this this level it can't appear on lower
* levels so end search.
*/
- if (!(anyptr = curr->anyPolicy))
+ if ((anyptr = curr->anyPolicy) == NULL)
break;
curr++;
for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
* from anyPolicy.
*/
extra = policy_data_new(NULL, oid, node_critical(anyPolicy));
- if (!extra)
+ if (extra == NULL)
return 0;
extra->qualifier_set = anyPolicy->data->qualifier_set;
extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
- if (curr->cert)
- X509_free(curr->cert);
- if (curr->nodes)
- sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free);
- if (curr->anyPolicy)
- policy_node_free(curr->anyPolicy);
+ X509_free(curr->cert);
+ sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free);
+ policy_node_free(curr->anyPolicy);
}
- if (tree->extra_data)
- sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free);
-
+ sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free);
OPENSSL_free(tree->levels);
OPENSSL_free(tree);