Diffstat (limited to 'crypto/x509/pcy_tree.c')
| -rw-r--r-- | crypto/x509/pcy_tree.c | 93 |
1 files changed, 45 insertions, 48 deletions
diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
index 2012810303ed..2fcf8cec3dac 100644
--- a/crypto/x509/pcy_tree.c
+++ b/crypto/x509/pcy_tree.c
@@ -22,14 +22,14 @@ * door on CVE-2023-0464. */ #ifndef OPENSSL_POLICY_TREE_NODES_MAX -# define OPENSSL_POLICY_TREE_NODES_MAX 1000 +#define OPENSSL_POLICY_TREE_NODES_MAX 1000 #endif static void exnode_free(X509_POLICY_NODE *node); static void expected_print(BIO *channel, - X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, - int indent) + X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, + int indent) { if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) || !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
@@ -51,8 +51,8 @@ static void expected_print(BIO *channel, } static void tree_print(BIO *channel, - char *str, X509_POLICY_TREE *tree, - X509_POLICY_LEVEL *curr) + char *str, X509_POLICY_TREE *tree, + X509_POLICY_LEVEL *curr) { X509_POLICY_LEVEL *plev;
@@ -63,15 +63,14 @@ static void tree_print(BIO *channel, BIO_printf(channel, "Level print after %s\n", str); BIO_printf(channel, "Printing Up to Level %ld\n", - (long)(curr - tree->levels)); + (long)(curr - tree->levels)); for (plev = tree->levels; plev != curr; plev++) { int i; BIO_printf(channel, "Level %ld, flags = %x\n", - (long)(plev - tree->levels), plev->flags); + (long)(plev - tree->levels), plev->flags); for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) { - X509_POLICY_NODE *node = - sk_X509_POLICY_NODE_value(plev->nodes, i); + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(plev->nodes, i); X509_POLICY_NODE_print(channel, node, 2); expected_print(channel, plev, node, 2);
@@ -82,10 +81,12 @@ static void tree_print(BIO *channel, } } -#define TREE_PRINT(str, tree, curr) \ - OSSL_TRACE_BEGIN(X509V3_POLICY) { \ +#define TREE_PRINT(str, tree, curr) \ + OSSL_TRACE_BEGIN(X509V3_POLICY) \ + { \ tree_print(trc_out, "before tree_prune()", tree, curr); \ - } OSSL_TRACE_END(X509V3_POLICY) + } \ + OSSL_TRACE_END(X509V3_POLICY) /*- * Return value: <= 0 on error, or positive bit mask: @@ -95,7 +96,7 @@ static void tree_print(BIO *channel, * X509_PCY_TREE_EXPLICIT: explicit policy required */ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - unsigned int flags) + unsigned int flags) { X509_POLICY_TREE *tree; X509_POLICY_LEVEL *level; @@ -103,9 +104,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, X509_POLICY_DATA *data = NULL; int ret = X509_PCY_TREE_VALID; int n = sk_X509_num(certs) - 1; /* RFC5280 paths omit the TA */ - int explicit_policy = (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : n+1; - int any_skip = (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : n+1; - int map_skip = (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : n+1; + int explicit_policy = (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : n + 1; + int any_skip = (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : n + 1; + int map_skip = (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : n + 1; int i; *ptree = NULL; @@ -142,8 +143,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * policy is required we're done. */ for (i = n - 1; - i >= 0 && (explicit_policy > 0 || (ret & X509_PCY_TREE_EMPTY) == 0); - i--) { + i >= 0 && (explicit_policy > 0 || (ret & X509_PCY_TREE_EMPTY) == 0); + i--) { X509 *x = sk_X509_value(certs, i); uint32_t ex_flags = X509_get_extension_flags(x); 
@@ -186,15 +187,16 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * policies of anyPolicy. (RFC 5280 has the TA at depth 0 and the leaf at * depth n, we have the leaf at depth 0 and the TA at depth n). */ - if ((tree->levels = OPENSSL_zalloc(sizeof(*tree->levels)*(n+1))) == NULL) { + if ((tree->levels = OPENSSL_zalloc(sizeof(*tree->levels) * (n + 1))) == NULL) { OPENSSL_free(tree); ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); return X509_PCY_TREE_INTERNAL; } - tree->nlevel = n+1; + tree->nlevel = n + 1; level = tree->levels; if ((data = ossl_policy_data_new(NULL, - OBJ_nid2obj(NID_any_policy), 0)) == NULL) + OBJ_nid2obj(NID_any_policy), 0)) + == NULL) goto bad_tree; if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { ossl_policy_data_free(data); @@ -246,7 +248,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, *ptree = tree; return ret; - bad_tree: +bad_tree: X509_policy_tree_free(tree); return X509_PCY_TREE_INTERNAL; } @@ -255,8 +257,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * Return value: 1 on success, 0 otherwise */ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data, - X509_POLICY_TREE *tree) + X509_POLICY_DATA *data, + X509_POLICY_TREE *tree) { X509_POLICY_LEVEL *last = curr - 1; int i, matched = 0; @@ -285,8 +287,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, * Return value: 1 on success, 0 otherwise. */ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache, - X509_POLICY_TREE *tree) + const X509_POLICY_CACHE *cache, + X509_POLICY_TREE *tree) { int i; 
@@ -307,9 +309,9 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, * Return value: 1 on success, 0 otherwise. */ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache, - const ASN1_OBJECT *id, - X509_POLICY_NODE *node, X509_POLICY_TREE *tree) + const X509_POLICY_CACHE *cache, + const ASN1_OBJECT *id, + X509_POLICY_NODE *node, X509_POLICY_TREE *tree) { X509_POLICY_DATA *data; @@ -336,8 +338,8 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, * Return value: 1 on success, 0 otherwise. */ static int tree_link_unmatched(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache, - X509_POLICY_NODE *node, X509_POLICY_TREE *tree) + const X509_POLICY_CACHE *cache, + X509_POLICY_NODE *node, X509_POLICY_TREE *tree) { const X509_POLICY_LEVEL *last = curr - 1; int i; @@ -363,7 +365,6 @@ static int tree_link_unmatched(X509_POLICY_LEVEL *curr, if (!tree_add_unmatched(curr, cache, oid, node, tree)) return 0; } - } return 1; } @@ -372,8 +373,8 @@ static int tree_link_unmatched(X509_POLICY_LEVEL *curr, * Return value: 1 on success, 0 otherwise */ static int tree_link_any(X509_POLICY_LEVEL *curr, - const X509_POLICY_CACHE *cache, - X509_POLICY_TREE *tree) + const X509_POLICY_CACHE *cache, + X509_POLICY_TREE *tree) { int i; X509_POLICY_NODE *node; @@ -386,9 +387,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, return 0; } /* Finally add link to anyPolicy */ - if (last->anyPolicy && - ossl_policy_level_add_node(curr, cache->anyPolicy, - last->anyPolicy, tree, 0) == NULL) + if (last->anyPolicy && ossl_policy_level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL) return 0; return 1; } 
@@ -452,10 +451,9 @@ static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) * Return value: 1 on success, 0 otherwise. */ static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, - X509_POLICY_NODE *pcy) + X509_POLICY_NODE *pcy) { - if (*pnodes == NULL && - (*pnodes = ossl_policy_node_cmp_new()) == NULL) + if (*pnodes == NULL && (*pnodes = ossl_policy_node_cmp_new()) == NULL) return 0; if (sk_X509_POLICY_NODE_find(*pnodes, pcy) >= 0) return 1; @@ -479,7 +477,7 @@ static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, * TREE_CALC_OK_DOFREE on success and pnodes needs to be freed */ static int tree_calculate_authority_set(X509_POLICY_TREE *tree, - STACK_OF(X509_POLICY_NODE) **pnodes) + STACK_OF(X509_POLICY_NODE) **pnodes) { X509_POLICY_LEVEL *curr; X509_POLICY_NODE *node, *anyptr; @@ -528,8 +526,8 @@ static int tree_calculate_authority_set(X509_POLICY_TREE *tree, * Return value: 1 on success, 0 otherwise. */ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - STACK_OF(ASN1_OBJECT) *policy_oids, - STACK_OF(X509_POLICY_NODE) *auth_nodes) + STACK_OF(ASN1_OBJECT) *policy_oids, + STACK_OF(X509_POLICY_NODE) *auth_nodes) { int i; X509_POLICY_NODE *node; @@ -571,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS | POLICY_DATA_FLAG_EXTRA_NODE; node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, - tree, 1); + tree, 1); if (node == NULL) { ossl_policy_data_free(extra); return 0; @@ -646,7 +644,6 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree) sk_X509_POLICY_DATA_pop_free(tree->extra_data, ossl_policy_data_free); OPENSSL_free(tree->levels); OPENSSL_free(tree); - } /*- 
@@ -658,8 +655,8 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree) * X509_PCY_TREE_VALID: Success (null tree if empty or bare TA) */ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, - STACK_OF(X509) *certs, - STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags) + STACK_OF(X509) *certs, + STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags) { int init_ret; int ret; @@ -717,7 +714,7 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, } return X509_PCY_TREE_VALID; - error: +error: X509_policy_tree_free(tree); return X509_PCY_TREE_INTERNAL; } |
