crypto/libressl/crypto/x509v3/v3_pci.c

   1 /* $OpenBSD: v3_pci.c,v 1.13 2017/05/02 04:11:08 deraadt Exp $ */
   2 /* Contributed to the OpenSSL Project 2004
   3  * by Richard Levitte (richard@levitte.org)
   4  */
   5 /* Copyright (c) 2004 Kungliga Tekniska Högskolan
   6  * (Royal Institute of Technology, Stockholm, Sweden).
   7  * All rights reserved.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  *
  13  * 1. Redistributions of source code must retain the above copyright
  14  *    notice, this list of conditions and the following disclaimer.
  15  *
  16  * 2. Redistributions in binary form must reproduce the above copyright
  17  *    notice, this list of conditions and the following disclaimer in the
  18  *    documentation and/or other materials provided with the distribution.
  19  *
  20  * 3. Neither the name of the Institute nor the names of its contributors
  21  *    may be used to endorse or promote products derived from this software
  22  *    without specific prior written permission.
  23  *
  24  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  25  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  26  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  27  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  28  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  29  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  30  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  31  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  32  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  33  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  34  * SUCH DAMAGE.
  35  */
  36
  37 #include <stdio.h>
  38 #include <string.h>
  39
  40 #include <openssl/conf.h>
  41 #include <openssl/err.h>
  42 #include <openssl/x509v3.h>
  43
  44 static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
  45     BIO *out, int indent);
  46 static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
  47     X509V3_CTX *ctx, char *str);
  48
  49 const X509V3_EXT_METHOD v3_pci = {
  50         .ext_nid = NID_proxyCertInfo,
  51         .ext_flags = 0,
  52         .it = &PROXY_CERT_INFO_EXTENSION_it,
  53         .ext_new = NULL,
  54         .ext_free = NULL,
  55         .d2i = NULL,
  56         .i2d = NULL,
  57         .i2s = NULL,
  58         .s2i = NULL,
  59         .i2v = NULL,
  60         .v2i = NULL,
  61         .i2r = (X509V3_EXT_I2R)i2r_pci,
  62         .r2i = (X509V3_EXT_R2I)r2i_pci,
  63         .usr_data = NULL,
  64 };
  65
  66 static int
  67 i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
  68     int indent)
  69 {
  70         BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
  71         if (pci->pcPathLengthConstraint)
  72                 i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
  73         else
  74                 BIO_printf(out, "infinite");
  75         BIO_puts(out, "\n");
  76         BIO_printf(out, "%*sPolicy Language: ", indent, "");
  77         i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
  78         BIO_puts(out, "\n");
  79         if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
  80                 BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
  81                     pci->proxyPolicy->policy->data);
  82         return 1;
  83 }
  84
  85 static int
  86 process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
  87     ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
  88 {
  89         int free_policy = 0;
  90
  91         if (strcmp(val->name, "language") == 0) {
  92                 if (*language) {
  93                         X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
  94                         X509V3_conf_err(val);
  95                         return 0;
  96                 }
  97                 if (!(*language = OBJ_txt2obj(val->value, 0))) {
  98                         X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
  99                         X509V3_conf_err(val);
 100                         return 0;
 101                 }
 102         }
 103         else if (strcmp(val->name, "pathlen") == 0) {
 104                 if (*pathlen) {
 105                         X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
 106                         X509V3_conf_err(val);
 107                         return 0;
 108                 }
 109                 if (!X509V3_get_value_int(val, pathlen)) {
 110                         X509V3error(X509V3_R_POLICY_PATH_LENGTH);
 111                         X509V3_conf_err(val);
 112                         return 0;
 113                 }
 114         }
 115         else if (strcmp(val->name, "policy") == 0) {
 116                 unsigned char *tmp_data = NULL;
 117                 long val_len;
 118                 if (!*policy) {
 119                         *policy = ASN1_OCTET_STRING_new();
 120                         if (!*policy) {
 121                                 X509V3error(ERR_R_MALLOC_FAILURE);
 122                                 X509V3_conf_err(val);
 123                                 return 0;
 124                         }
 125                         free_policy = 1;
 126                 }
 127                 if (strncmp(val->value, "hex:", 4) == 0) {
 128                         unsigned char *tmp_data2 =
 129                             string_to_hex(val->value + 4, &val_len);
 130
 131                         if (!tmp_data2) {
 132                                 X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
 133                                 X509V3_conf_err(val);
 134                                 goto err;
 135                         }
 136
 137                         tmp_data = realloc((*policy)->data,
 138                             (*policy)->length + val_len + 1);
 139                         if (tmp_data) {
 140                                 (*policy)->data = tmp_data;
 141                                 memcpy(&(*policy)->data[(*policy)->length],
 142                                     tmp_data2, val_len);
 143                                 (*policy)->length += val_len;
 144                                 (*policy)->data[(*policy)->length] = '\0';
 145                         } else {
 146                                 free(tmp_data2);
 147                                 free((*policy)->data);
 148                                 (*policy)->data = NULL;
 149                                 (*policy)->length = 0;
 150                                 X509V3error(ERR_R_MALLOC_FAILURE);
 151                                 X509V3_conf_err(val);
 152                                 goto err;
 153                         }
 154                         free(tmp_data2);
 155                 }
 156                 else if (strncmp(val->value, "file:", 5) == 0) {
 157                         unsigned char buf[2048];
 158                         int n;
 159                         BIO *b = BIO_new_file(val->value + 5, "r");
 160                         if (!b) {
 161                                 X509V3error(ERR_R_BIO_LIB);
 162                                 X509V3_conf_err(val);
 163                                 goto err;
 164                         }
 165                         while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
 166                             (n == 0 && BIO_should_retry(b))) {
 167                                 if (!n)
 168                                         continue;
 169
 170                                 tmp_data = realloc((*policy)->data,
 171                                     (*policy)->length + n + 1);
 172
 173                                 if (!tmp_data)
 174                                         break;
 175
 176                                 (*policy)->data = tmp_data;
 177                                 memcpy(&(*policy)->data[(*policy)->length],
 178                                     buf, n);
 179                                 (*policy)->length += n;
 180                                 (*policy)->data[(*policy)->length] = '\0';
 181                         }
 182                         BIO_free_all(b);
 183
 184                         if (n < 0) {
 185                                 X509V3error(ERR_R_BIO_LIB);
 186                                 X509V3_conf_err(val);
 187                                 goto err;
 188                         }
 189                 }
 190                 else if (strncmp(val->value, "text:", 5) == 0) {
 191                         val_len = strlen(val->value + 5);
 192                         tmp_data = realloc((*policy)->data,
 193                             (*policy)->length + val_len + 1);
 194                         if (tmp_data) {
 195                                 (*policy)->data = tmp_data;
 196                                 memcpy(&(*policy)->data[(*policy)->length],
 197                                     val->value + 5, val_len);
 198                                 (*policy)->length += val_len;
 199                                 (*policy)->data[(*policy)->length] = '\0';
 200                         } else {
 201                                 free((*policy)->data);
 202                                 (*policy)->data = NULL;
 203                                 (*policy)->length = 0;
 204                                 X509V3error(ERR_R_MALLOC_FAILURE);
 205                                 X509V3_conf_err(val);
 206                                 goto err;
 207                         }
 208                 } else {
 209                         X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
 210                         X509V3_conf_err(val);
 211                         goto err;
 212                 }
 213                 if (!tmp_data) {
 214                         X509V3error(ERR_R_MALLOC_FAILURE);
 215                         X509V3_conf_err(val);
 216                         goto err;
 217                 }
 218         }
 219         return 1;
 220
 221 err:
 222         if (free_policy) {
 223                 ASN1_OCTET_STRING_free(*policy);
 224                 *policy = NULL;
 225         }
 226         return 0;
 227 }
 228
 229 static PROXY_CERT_INFO_EXTENSION *
 230 r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
 231 {
 232         PROXY_CERT_INFO_EXTENSION *pci = NULL;
 233         STACK_OF(CONF_VALUE) *vals;
 234         ASN1_OBJECT *language = NULL;
 235         ASN1_INTEGER *pathlen = NULL;
 236         ASN1_OCTET_STRING *policy = NULL;
 237         int i, j;
 238
 239         vals = X509V3_parse_list(value);
 240         for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
 241                 CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
 242                 if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
 243                         X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING);
 244                         X509V3_conf_err(cnf);
 245                         goto err;
 246                 }
 247                 if (*cnf->name == '@') {
 248                         STACK_OF(CONF_VALUE) *sect;
 249                         int success_p = 1;
 250
 251                         sect = X509V3_get_section(ctx, cnf->name + 1);
 252                         if (!sect) {
 253                                 X509V3error(X509V3_R_INVALID_SECTION);
 254                                 X509V3_conf_err(cnf);
 255                                 goto err;
 256                         }
 257                         for (j = 0; success_p &&
 258                             j < sk_CONF_VALUE_num(sect); j++) {
 259                                 success_p = process_pci_value(
 260                                     sk_CONF_VALUE_value(sect, j),
 261                                     &language, &pathlen, &policy);
 262                         }
 263                         X509V3_section_free(ctx, sect);
 264                         if (!success_p)
 265                                 goto err;
 266                 } else {
 267                         if (!process_pci_value(cnf,
 268                             &language, &pathlen, &policy)) {
 269                                 X509V3_conf_err(cnf);
 270                                 goto err;
 271                         }
 272                 }
 273         }
 274
 275         /* Language is mandatory */
 276         if (!language) {
 277                 X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
 278                 goto err;
 279         }
 280         i = OBJ_obj2nid(language);
 281         if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
 282                 X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
 283                 goto err;
 284         }
 285
 286         pci = PROXY_CERT_INFO_EXTENSION_new();
 287         if (!pci) {
 288                 X509V3error(ERR_R_MALLOC_FAILURE);
 289                 goto err;
 290         }
 291
 292         pci->proxyPolicy->policyLanguage = language;
 293         language = NULL;
 294         pci->proxyPolicy->policy = policy;
 295         policy = NULL;
 296         pci->pcPathLengthConstraint = pathlen;
 297         pathlen = NULL;
 298         goto end;
 299
 300 err:
 301         ASN1_OBJECT_free(language);
 302         language = NULL;
 303         ASN1_INTEGER_free(pathlen);
 304         pathlen = NULL;
 305         ASN1_OCTET_STRING_free(policy);
 306         policy = NULL;
 307 end:
 308         sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
 309         return pci;
 310 }