authortb <>2022-01-05 17:36:32 +0000
committertb <>2022-01-05 17:36:32 +0000
commit75b59f2a54d9fb2d74bb1ef9d3d48594ef09f873 (patch)
tree1411b9537d83751da6656d9720afcbcf72192d33
parent5cabdad28dc4f0eff24398d5fda161c2e7862a4a (diff)
Turn the validation_err() macro into a function
validation_err() is an ugly macro with side effects and a goto in it. At the cost of a few lines of code we can turn this into a function where the side effects are explicit and ret is now explicitly set in the main body of addr_validate_path_internal(). We get to a point where it is halfway possible to reason about the convoluted control flow in this function. ok inoguchi jsing
-rw-r--r--src/lib/libcrypto/x509/x509_addr.c75
1 files changed, 44 insertions, 31 deletions
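--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_addr.c,v 1.63 2022/01/05 17:27:40 tb Exp $ */
+/* $OpenBSD: x509_addr.c,v 1.64 2022/01/05 17:36:32 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1719,22 +1719,18 @@ X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent)
  return 1;
 }
 
-/*
- * Validation error handling via callback.
- */
-#define validation_err(_err_) \
- do { \
- if (ctx != NULL) { \
- ctx->error = _err_; \
- ctx->error_depth = i; \
- ctx->current_cert = x; \
- ret = ctx->verify_cb(0, ctx); \
- } else { \
- ret = 0; \
- } \
- if (!ret) \
- goto done; \
- } while (0)
+static int
+verify_error(X509_STORE_CTX *ctx, X509 *cert, int error, int depth)
+{
+ if (ctx == NULL)
+ return 0;
+
+ ctx->current_cert = cert;
+ ctx->error = error;
+ ctx->error_depth = depth;
+
+ return ctx->verify_cb(0, ctx);
+}
 
 /*
  * Core code for RFC 3779 2.3 path validation.
@@ -1780,8 +1776,13 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
  if ((ext = x->rfc3779_addr) == NULL)
  goto done;
  }
- if (!X509v3_addr_is_canonical(ext))
- validation_err(X509_V_ERR_INVALID_EXTENSION);
+
+ if (!X509v3_addr_is_canonical(ext)) {
+ if ((ret = verify_error(ctx, x,
+ X509_V_ERR_INVALID_EXTENSION, i)) == 0)
+ goto done;
+ }
+
  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
  if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
  X509V3error(ERR_R_MALLOC_FAILURE);
@@ -1802,16 +1803,22 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
  for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
  fc = sk_IPAddressFamily_value(child, j);
 
- if (IPAddressFamily_inheritance(fc) == NULL) {
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
- break;
- }
+ if (IPAddressFamily_inheritance(fc) != NULL)
+ continue;
+
+ if ((ret = verify_error(ctx, x,
+ X509_V_ERR_UNNESTED_RESOURCE, i)) == 0)
+ goto done;
+ break;
  }
  continue;
  }
 
- if (!X509v3_addr_is_canonical(parent))
- validation_err(X509_V_ERR_INVALID_EXTENSION);
+ if (!X509v3_addr_is_canonical(parent)) {
+ if ((ret = verify_error(ctx, x,
+ X509_V_ERR_INVALID_EXTENSION, i)) == 0)
+ goto done;
+ }
 
  sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp);
 
@@ -1836,7 +1843,9 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
  continue;
 
  /* Otherwise the child isn't covered. */
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ if ((ret = verify_error(ctx, x,
+ X509_V_ERR_UNNESTED_RESOURCE, i)) == 0)
+ goto done;
  break;
  }
 
@@ -1870,7 +1879,9 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
  continue;
  }
 
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ if ((ret = verify_error(ctx, x,
+ X509_V_ERR_UNNESTED_RESOURCE, i)) == 0)
+ goto done;
  }
  }
 
@@ -1884,8 +1895,12 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
  if (IPAddressFamily_inheritance(fp) == NULL)
  continue;
 
- if (sk_IPAddressFamily_find(child, fp) >= 0)
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ if (sk_IPAddressFamily_find(child, fp) < 0)
+ continue;
+
+ if ((ret = verify_error(ctx, x,
+ X509_V_ERR_UNNESTED_RESOURCE, i)) == 0)
+ goto done;
  }
  }
 
@@ -1902,8 +1917,6 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
  return 0;
 }
 
-#undef validation_err
-
 /*
  * RFC 3779 2.3 path validation -- called from X509_verify_cert().
  */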
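Review bot: The new static `verify_error()` has no comment, and the one-line comment that sat above the old macro is removed with it, so the helper's fail-closed contract is now undocumented. I would add above it `/* Report error for cert at depth through ctx->verify_cb. Returns 0 if ctx is NULL or the callback rejects, non-zero if the callback chose to continue. */`. The non-zero case is the security-relevant one: in the two hunks that test `X509v3_addr_is_canonical()`, validation carries on with an extension that just failed the canonical-form check, so a permissive application callback decides whether RFC 3779 violations are tolerated. `ctx->verify_cb` is still called without a NULL check, as in the macro; presumably X509_STORE_CTX initialisation guarantees it is set, and the comment could say so. addr_validate_path_internal() starts and ends outside the visible hunks, so the final value of `ret` after an overridden error cannot be checked from here.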