Lines Matching refs:tree
18 * If the maximum number of nodes in the policy tree isn't defined, set it to
21 * Defining this to be zero means unlimited policy tree growth which opens the
54 char *str, X509_POLICY_TREE *tree,
60 curr = tree->levels + tree->nlevel;
66 (long)(curr - tree->levels));
67 for (plev = tree->levels; plev != curr; plev++) {
71 (long)(plev - tree->levels), plev->flags);
85 #define TREE_PRINT(str, tree, curr) \
87 tree_print(trc_out, "before tree_prune()", tree, curr); \
93 * X509_PCY_TREE_VALID: valid tree
94 * X509_PCY_TREE_EMPTY: empty tree (including bare TA case)
100 X509_POLICY_TREE *tree;
173 /* If we get this far initialize the tree */
174 if ((tree = OPENSSL_zalloc(sizeof(*tree))) == NULL) {
179 /* Limit the growth of the tree to mitigate CVE-2023-0464 */
180 tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
189 if ((tree->levels = OPENSSL_zalloc(sizeof(*tree->levels)*(n+1))) == NULL) {
190 OPENSSL_free(tree);
194 tree->nlevel = n+1;
195 level = tree->levels;
199 if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) {
205 * In this pass initialize all the tree levels and whether anyPolicy and
246 *ptree = tree;
250 X509_policy_tree_free(tree);
259 X509_POLICY_TREE *tree)
269 if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL)
275 if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
289 X509_POLICY_TREE *tree)
297 if (!tree_link_matching_nodes(curr, data, tree))
312 X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
328 if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) {
340 X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
350 if (!tree_add_unmatched(curr, cache, NULL, node, tree))
363 if (!tree_add_unmatched(curr, cache, oid, node, tree))
376 X509_POLICY_TREE *tree)
385 if (!tree_link_unmatched(curr, cache, node, tree))
391 last->anyPolicy, tree, 0) == NULL)
397 * Prune the tree: delete any mapped child data on the current level then
398 * proceed up the tree deleting any data with no children. If we ever have no
399 * data on a level we can halt because the tree will be empty.
403 * X509_PCY_TREE_VALID: valid tree
404 * X509_PCY_TREE_EMPTY: empty tree
406 static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
441 if (curr == tree->levels) {
442 /* If we zapped anyPolicy at top then tree is empty */
470 * Calculate the authority set based on policy tree. The 'pnodes' parameter is
481 static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
488 curr = tree->levels + tree->nlevel - 1;
492 if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
497 addnodes = &tree->auth_policies;
499 curr = tree->levels;
500 for (i = 1; i < tree->nlevel; i++) {
523 *pnodes = tree->auth_policies;
530 static int tree_calculate_user_set(X509_POLICY_TREE *tree,
547 anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
552 tree->flags |= POLICY_FLAG_ANY_POLICY;
574 tree, 1);
580 if (!tree->user_policies) {
581 tree->user_policies = sk_X509_POLICY_NODE_new_null();
582 if (!tree->user_policies) {
587 if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
597 * X509_PCY_TREE_VALID: valid tree
598 * X509_PCY_TREE_EMPTY: empty tree
601 static int tree_evaluate(X509_POLICY_TREE *tree)
604 X509_POLICY_LEVEL *curr = tree->levels + 1;
607 for (i = 1; i < tree->nlevel; i++, curr++) {
609 if (!tree_link_nodes(curr, cache, tree))
613 && !tree_link_any(curr, cache, tree))
615 TREE_PRINT("before tree_prune()", tree, curr);
616 ret = tree_prune(tree, curr);
629 void X509_policy_tree_free(X509_POLICY_TREE *tree)
634 if (!tree)
637 sk_X509_POLICY_NODE_free(tree->auth_policies);
638 sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
640 for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
646 sk_X509_POLICY_DATA_pop_free(tree->extra_data, ossl_policy_data_free);
647 OPENSSL_free(tree->levels);
648 OPENSSL_free(tree);
658 * X509_PCY_TREE_VALID: Success (null tree if empty or bare TA)
667 X509_POLICY_TREE *tree = NULL;
672 init_ret = tree_init(&tree, certs, flags);
679 X509_policy_tree_free(tree);
689 ret = tree_evaluate(tree);
690 TREE_PRINT("tree_evaluate()", tree, NULL);
695 X509_policy_tree_free(tree);
703 if ((calc_ret = tree_calculate_authority_set(tree, &auth_nodes)) == 0)
705 ret = tree_calculate_user_set(tree, policy_oids, auth_nodes);
711 *ptree = tree;
714 nodes = X509_policy_tree_get0_user_policies(tree);
721 X509_policy_tree_free(tree);