1 | /* |
2 | * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | /* |
11 | * This file is dual-licensed and is also available under the following |
12 | * terms: |
13 | * |
14 | * Copyright (c) 2004 Kungliga Tekniska Högskolan |
15 | * (Royal Institute of Technology, Stockholm, Sweden). |
16 | * All rights reserved. |
17 | * |
18 | * Redistribution and use in source and binary forms, with or without |
19 | * modification, are permitted provided that the following conditions |
20 | * are met: |
21 | * |
22 | * 1. Redistributions of source code must retain the above copyright |
23 | * notice, this list of conditions and the following disclaimer. |
24 | * |
25 | * 2. Redistributions in binary form must reproduce the above copyright |
26 | * notice, this list of conditions and the following disclaimer in the |
27 | * documentation and/or other materials provided with the distribution. |
28 | * |
29 | * 3. Neither the name of the Institute nor the names of its contributors |
30 | * may be used to endorse or promote products derived from this software |
31 | * without specific prior written permission. |
32 | * |
33 | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND |
34 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
35 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
36 | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE |
37 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
38 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
39 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
40 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
41 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
42 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
43 | * SUCH DAMAGE. |
44 | */ |
45 | |
46 | #include <stdio.h> |
47 | #include "internal/cryptlib.h" |
48 | #include <openssl/conf.h> |
49 | #include <openssl/x509v3.h> |
50 | #include "ext_dat.h" |
51 | |
52 | static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, |
53 | BIO *out, int indent); |
54 | static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, |
55 | X509V3_CTX *ctx, char *str); |
56 | |
57 | const X509V3_EXT_METHOD v3_pci = |
58 | { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), |
59 | 0, 0, 0, 0, |
60 | 0, 0, |
61 | NULL, NULL, |
62 | (X509V3_EXT_I2R)i2r_pci, |
63 | (X509V3_EXT_R2I)r2i_pci, |
64 | NULL, |
65 | }; |
66 | |
67 | static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, |
68 | BIO *out, int indent) |
69 | { |
70 | BIO_printf(out, "%*sPath Length Constraint: " , indent, "" ); |
71 | if (pci->pcPathLengthConstraint) |
72 | i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); |
73 | else |
74 | BIO_printf(out, "infinite" ); |
75 | BIO_puts(out, "\n" ); |
76 | BIO_printf(out, "%*sPolicy Language: " , indent, "" ); |
77 | i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); |
78 | if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) |
79 | BIO_printf(out, "\n%*sPolicy Text: %s" , indent, "" , |
80 | pci->proxyPolicy->policy->data); |
81 | return 1; |
82 | } |
83 | |
84 | static int process_pci_value(CONF_VALUE *val, |
85 | ASN1_OBJECT **language, ASN1_INTEGER **pathlen, |
86 | ASN1_OCTET_STRING **policy) |
87 | { |
88 | int free_policy = 0; |
89 | |
90 | if (strcmp(val->name, "language" ) == 0) { |
91 | if (*language) { |
92 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
93 | X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED); |
94 | X509V3_conf_err(val); |
95 | return 0; |
96 | } |
97 | if ((*language = OBJ_txt2obj(val->value, 0)) == NULL) { |
98 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
99 | X509V3_R_INVALID_OBJECT_IDENTIFIER); |
100 | X509V3_conf_err(val); |
101 | return 0; |
102 | } |
103 | } else if (strcmp(val->name, "pathlen" ) == 0) { |
104 | if (*pathlen) { |
105 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
106 | X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED); |
107 | X509V3_conf_err(val); |
108 | return 0; |
109 | } |
110 | if (!X509V3_get_value_int(val, pathlen)) { |
111 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
112 | X509V3_R_POLICY_PATH_LENGTH); |
113 | X509V3_conf_err(val); |
114 | return 0; |
115 | } |
116 | } else if (strcmp(val->name, "policy" ) == 0) { |
117 | unsigned char *tmp_data = NULL; |
118 | long val_len; |
119 | |
120 | if (*policy == NULL) { |
121 | *policy = ASN1_OCTET_STRING_new(); |
122 | if (*policy == NULL) { |
123 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE); |
124 | X509V3_conf_err(val); |
125 | return 0; |
126 | } |
127 | free_policy = 1; |
128 | } |
129 | if (strncmp(val->value, "hex:" , 4) == 0) { |
130 | unsigned char *tmp_data2 = |
131 | OPENSSL_hexstr2buf(val->value + 4, &val_len); |
132 | |
133 | if (!tmp_data2) { |
134 | X509V3_conf_err(val); |
135 | goto err; |
136 | } |
137 | |
138 | tmp_data = OPENSSL_realloc((*policy)->data, |
139 | (*policy)->length + val_len + 1); |
140 | if (tmp_data) { |
141 | (*policy)->data = tmp_data; |
142 | memcpy(&(*policy)->data[(*policy)->length], |
143 | tmp_data2, val_len); |
144 | (*policy)->length += val_len; |
145 | (*policy)->data[(*policy)->length] = '\0'; |
146 | } else { |
147 | OPENSSL_free(tmp_data2); |
148 | /* |
149 | * realloc failure implies the original data space is b0rked |
150 | * too! |
151 | */ |
152 | OPENSSL_free((*policy)->data); |
153 | (*policy)->data = NULL; |
154 | (*policy)->length = 0; |
155 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE); |
156 | X509V3_conf_err(val); |
157 | goto err; |
158 | } |
159 | OPENSSL_free(tmp_data2); |
160 | } else if (strncmp(val->value, "file:" , 5) == 0) { |
161 | unsigned char buf[2048]; |
162 | int n; |
163 | BIO *b = BIO_new_file(val->value + 5, "r" ); |
164 | if (!b) { |
165 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_BIO_LIB); |
166 | X509V3_conf_err(val); |
167 | goto err; |
168 | } |
169 | while ((n = BIO_read(b, buf, sizeof(buf))) > 0 |
170 | || (n == 0 && BIO_should_retry(b))) { |
171 | if (!n) |
172 | continue; |
173 | |
174 | tmp_data = OPENSSL_realloc((*policy)->data, |
175 | (*policy)->length + n + 1); |
176 | |
177 | if (!tmp_data) { |
178 | OPENSSL_free((*policy)->data); |
179 | (*policy)->data = NULL; |
180 | (*policy)->length = 0; |
181 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
182 | ERR_R_MALLOC_FAILURE); |
183 | X509V3_conf_err(val); |
184 | BIO_free_all(b); |
185 | goto err; |
186 | } |
187 | |
188 | (*policy)->data = tmp_data; |
189 | memcpy(&(*policy)->data[(*policy)->length], buf, n); |
190 | (*policy)->length += n; |
191 | (*policy)->data[(*policy)->length] = '\0'; |
192 | } |
193 | BIO_free_all(b); |
194 | |
195 | if (n < 0) { |
196 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_BIO_LIB); |
197 | X509V3_conf_err(val); |
198 | goto err; |
199 | } |
200 | } else if (strncmp(val->value, "text:" , 5) == 0) { |
201 | val_len = strlen(val->value + 5); |
202 | tmp_data = OPENSSL_realloc((*policy)->data, |
203 | (*policy)->length + val_len + 1); |
204 | if (tmp_data) { |
205 | (*policy)->data = tmp_data; |
206 | memcpy(&(*policy)->data[(*policy)->length], |
207 | val->value + 5, val_len); |
208 | (*policy)->length += val_len; |
209 | (*policy)->data[(*policy)->length] = '\0'; |
210 | } else { |
211 | /* |
212 | * realloc failure implies the original data space is b0rked |
213 | * too! |
214 | */ |
215 | OPENSSL_free((*policy)->data); |
216 | (*policy)->data = NULL; |
217 | (*policy)->length = 0; |
218 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE); |
219 | X509V3_conf_err(val); |
220 | goto err; |
221 | } |
222 | } else { |
223 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, |
224 | X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); |
225 | X509V3_conf_err(val); |
226 | goto err; |
227 | } |
228 | if (!tmp_data) { |
229 | X509V3err(X509V3_F_PROCESS_PCI_VALUE, ERR_R_MALLOC_FAILURE); |
230 | X509V3_conf_err(val); |
231 | goto err; |
232 | } |
233 | } |
234 | return 1; |
235 | err: |
236 | if (free_policy) { |
237 | ASN1_OCTET_STRING_free(*policy); |
238 | *policy = NULL; |
239 | } |
240 | return 0; |
241 | } |
242 | |
243 | static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, |
244 | X509V3_CTX *ctx, char *value) |
245 | { |
246 | PROXY_CERT_INFO_EXTENSION *pci = NULL; |
247 | STACK_OF(CONF_VALUE) *vals; |
248 | ASN1_OBJECT *language = NULL; |
249 | ASN1_INTEGER *pathlen = NULL; |
250 | ASN1_OCTET_STRING *policy = NULL; |
251 | int i, j; |
252 | |
253 | vals = X509V3_parse_list(value); |
254 | for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { |
255 | CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); |
256 | if (!cnf->name || (*cnf->name != '@' && !cnf->value)) { |
257 | X509V3err(X509V3_F_R2I_PCI, |
258 | X509V3_R_INVALID_PROXY_POLICY_SETTING); |
259 | X509V3_conf_err(cnf); |
260 | goto err; |
261 | } |
262 | if (*cnf->name == '@') { |
263 | STACK_OF(CONF_VALUE) *sect; |
264 | int success_p = 1; |
265 | |
266 | sect = X509V3_get_section(ctx, cnf->name + 1); |
267 | if (!sect) { |
268 | X509V3err(X509V3_F_R2I_PCI, X509V3_R_INVALID_SECTION); |
269 | X509V3_conf_err(cnf); |
270 | goto err; |
271 | } |
272 | for (j = 0; success_p && j < sk_CONF_VALUE_num(sect); j++) { |
273 | success_p = |
274 | process_pci_value(sk_CONF_VALUE_value(sect, j), |
275 | &language, &pathlen, &policy); |
276 | } |
277 | X509V3_section_free(ctx, sect); |
278 | if (!success_p) |
279 | goto err; |
280 | } else { |
281 | if (!process_pci_value(cnf, &language, &pathlen, &policy)) { |
282 | X509V3_conf_err(cnf); |
283 | goto err; |
284 | } |
285 | } |
286 | } |
287 | |
288 | /* Language is mandatory */ |
289 | if (!language) { |
290 | X509V3err(X509V3_F_R2I_PCI, |
291 | X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); |
292 | goto err; |
293 | } |
294 | i = OBJ_obj2nid(language); |
295 | if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) { |
296 | X509V3err(X509V3_F_R2I_PCI, |
297 | X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); |
298 | goto err; |
299 | } |
300 | |
301 | pci = PROXY_CERT_INFO_EXTENSION_new(); |
302 | if (pci == NULL) { |
303 | X509V3err(X509V3_F_R2I_PCI, ERR_R_MALLOC_FAILURE); |
304 | goto err; |
305 | } |
306 | |
307 | pci->proxyPolicy->policyLanguage = language; |
308 | language = NULL; |
309 | pci->proxyPolicy->policy = policy; |
310 | policy = NULL; |
311 | pci->pcPathLengthConstraint = pathlen; |
312 | pathlen = NULL; |
313 | goto end; |
314 | err: |
315 | ASN1_OBJECT_free(language); |
316 | ASN1_INTEGER_free(pathlen); |
317 | pathlen = NULL; |
318 | ASN1_OCTET_STRING_free(policy); |
319 | policy = NULL; |
320 | PROXY_CERT_INFO_EXTENSION_free(pci); |
321 | pci = NULL; |
322 | end: |
323 | sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); |
324 | return pci; |
325 | } |
326 | |