summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_asid.c
diff options
context:
space:
mode:
authorjob <>2021-09-07 10:24:51 +0000
committerjob <>2021-09-07 10:24:51 +0000
commit332d783e39d5ca2e8e2567053bb948d21c726c17 (patch)
tree7e6ebe604bd9a651a41bcb4629762742384dfe26 /src/lib/libcrypto/x509/x509_asid.c
parentb5224f0b8edbb0671c0257b56baee589c711702b (diff)
downloadopenbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.tar.gz
openbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.tar.bz2
openbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.zip
KNF
OK tb@ jsing@ beck@
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/x509/x509_asid.c1182
1 files changed, 607 insertions, 575 deletions
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index f5b5d86384..d9c7fd1bdb 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -188,7 +188,8 @@ ASIdOrRange_free(ASIdOrRange *a)
188} 188}
189 189
190ASIdentifierChoice * 190ASIdentifierChoice *
191d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in, long len) 191d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in,
192 long len)
192{ 193{
193 return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 194 return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
194 (&(ASIdentifierChoice_it))); 195 (&(ASIdentifierChoice_it)));
@@ -198,7 +199,6 @@ int
198i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out) 199i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out)
199{ 200{
200 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifierChoice_it))); 201 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifierChoice_it)));
201
202} 202}
203 203
204ASIdentifierChoice * 204ASIdentifierChoice *
@@ -226,12 +226,14 @@ i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out)
226 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifiers_it))); 226 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifiers_it)));
227} 227}
228 228
229ASIdentifiers *ASIdentifiers_new(void) 229ASIdentifiers *
230ASIdentifiers_new(void)
230{ 231{
231 return (ASIdentifiers *)ASN1_item_new((&(ASIdentifiers_it))); 232 return (ASIdentifiers *)ASN1_item_new((&(ASIdentifiers_it)));
232} 233}
233 234
234void ASIdentifiers_free(ASIdentifiers *a) 235void
236ASIdentifiers_free(ASIdentifiers *a)
235{ 237{
236 ASN1_item_free((ASN1_VALUE *)a, (&(ASIdentifiers_it))); 238 ASN1_item_free((ASN1_VALUE *)a, (&(ASIdentifiers_it)));
237} 239}
@@ -239,644 +241,672 @@ void ASIdentifiers_free(ASIdentifiers *a)
239/* 241/*
240 * i2r method for an ASIdentifierChoice. 242 * i2r method for an ASIdentifierChoice.
241 */ 243 */
242static int i2r_ASIdentifierChoice(BIO *out, 244static int
243 ASIdentifierChoice *choice, 245i2r_ASIdentifierChoice(BIO *out, ASIdentifierChoice *choice, int indent,
244 int indent, const char *msg) 246 const char *msg)
245{ 247{
246 int i; 248 int i;
247 char *s; 249 char *s;
248 if (choice == NULL) 250 if (choice == NULL)
249 return 1; 251 return 1;
250 BIO_printf(out, "%*s%s:\n", indent, "", msg); 252 BIO_printf(out, "%*s%s:\n", indent, "", msg);
251 switch (choice->type) { 253 switch (choice->type) {
252 case ASIdentifierChoice_inherit: 254 case ASIdentifierChoice_inherit:
253 BIO_printf(out, "%*sinherit\n", indent + 2, ""); 255 BIO_printf(out, "%*sinherit\n", indent + 2, "");
254 break; 256 break;
255 case ASIdentifierChoice_asIdsOrRanges: 257 case ASIdentifierChoice_asIdsOrRanges:
256 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) { 258 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges);
257 ASIdOrRange *aor = 259 i++) {
258 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 260 ASIdOrRange *aor =
259 switch (aor->type) { 261 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
260 case ASIdOrRange_id: 262 switch (aor->type) {
261 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL) 263 case ASIdOrRange_id:
262 return 0; 264 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) ==
263 BIO_printf(out, "%*s%s\n", indent + 2, "", s); 265 NULL)
264 free(s); 266 return 0;
265 break; 267 BIO_printf(out, "%*s%s\n", indent + 2, "", s);
266 case ASIdOrRange_range: 268 free(s);
267 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL) 269 break;
268 return 0; 270 case ASIdOrRange_range:
269 BIO_printf(out, "%*s%s-", indent + 2, "", s); 271 if ((s = i2s_ASN1_INTEGER(NULL,
270 free(s); 272 aor->u.range->min)) == NULL)
271 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL) 273 return 0;
272 return 0; 274 BIO_printf(out, "%*s%s-", indent + 2, "", s);
273 BIO_printf(out, "%s\n", s); 275 free(s);
274 free(s); 276 if ((s = i2s_ASN1_INTEGER(NULL,
275 break; 277 aor->u.range->max)) == NULL)
276 default: 278 return 0;
277 return 0; 279 BIO_printf(out, "%s\n", s);
278 } 280 free(s);
279 } 281 break;
280 break; 282 default:
281 default: 283 return 0;
282 return 0; 284 }
283 } 285 }
284 return 1; 286 break;
287 default:
288 return 0;
289 }
290 return 1;
285} 291}
286 292
287/* 293/*
288 * i2r method for an ASIdentifier extension. 294 * i2r method for an ASIdentifier extension.
289 */ 295 */
290static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, 296static int
291 void *ext, BIO *out, int indent) 297i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
298 int indent)
292{ 299{
293 ASIdentifiers *asid = ext; 300 ASIdentifiers *asid = ext;
294 return (i2r_ASIdentifierChoice(out, asid->asnum, indent, 301 return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
295 "Autonomous System Numbers") && 302 "Autonomous System Numbers") &&
296 i2r_ASIdentifierChoice(out, asid->rdi, indent, 303 i2r_ASIdentifierChoice(out, asid->rdi, indent,
297 "Routing Domain Identifiers")); 304 "Routing Domain Identifiers"));
298} 305}
299 306
300/* 307/*
301 * Sort comparison function for a sequence of ASIdOrRange elements. 308 * Sort comparison function for a sequence of ASIdOrRange elements.
302 */ 309 */
303static int ASIdOrRange_cmp(const ASIdOrRange *const *a_, 310static int
304 const ASIdOrRange *const *b_) 311ASIdOrRange_cmp(const ASIdOrRange *const *a_, const ASIdOrRange *const *b_)
305{ 312{
306 const ASIdOrRange *a = *a_, *b = *b_; 313 const ASIdOrRange *a = *a_, *b = *b_;
307 314
308 /* XXX: these asserts need to be replaced */ 315 /* XXX: these asserts need to be replaced */
309 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) || 316 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
310 (a->type == ASIdOrRange_range && a->u.range != NULL && 317 (a->type == ASIdOrRange_range && a->u.range != NULL &&
311 a->u.range->min != NULL && a->u.range->max != NULL)); 318 a->u.range->min != NULL && a->u.range->max != NULL));
312 319
313 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) || 320 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
314 (b->type == ASIdOrRange_range && b->u.range != NULL && 321 (b->type == ASIdOrRange_range && b->u.range != NULL &&
315 b->u.range->min != NULL && b->u.range->max != NULL)); 322 b->u.range->min != NULL && b->u.range->max != NULL));
316 323
317 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) 324 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
318 return ASN1_INTEGER_cmp(a->u.id, b->u.id); 325 return ASN1_INTEGER_cmp(a->u.id, b->u.id);
319 326
320 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { 327 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
321 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); 328 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
322 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, 329 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max,
323 b->u.range->max); 330 b->u.range->max);
324 } 331 }
325 332
326 if (a->type == ASIdOrRange_id) 333 if (a->type == ASIdOrRange_id)
327 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min); 334 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
328 else 335 else
329 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id); 336 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
330} 337}
331 338
332/* 339/*
333 * Add an inherit element. 340 * Add an inherit element.
334 */ 341 */
335int X509v3_asid_add_inherit(ASIdentifiers *asid, int which) 342int
343X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
336{ 344{
337 ASIdentifierChoice **choice; 345 ASIdentifierChoice **choice;
338 if (asid == NULL) 346 if (asid == NULL)
339 return 0; 347 return 0;
340 switch (which) { 348 switch (which) {
341 case V3_ASID_ASNUM: 349 case V3_ASID_ASNUM:
342 choice = &asid->asnum; 350 choice = &asid->asnum;
343 break; 351 break;
344 case V3_ASID_RDI: 352 case V3_ASID_RDI:
345 choice = &asid->rdi; 353 choice = &asid->rdi;
346 break; 354 break;
347 default: 355 default:
348 return 0; 356 return 0;
349 } 357 }
350 if (*choice == NULL) { 358 if (*choice == NULL) {
351 if ((*choice = ASIdentifierChoice_new()) == NULL) 359 if ((*choice = ASIdentifierChoice_new()) == NULL)
352 return 0; 360 return 0;
353 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) 361 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
354 return 0; 362 return 0;
355 (*choice)->type = ASIdentifierChoice_inherit; 363 (*choice)->type = ASIdentifierChoice_inherit;
356 } 364 }
357 return (*choice)->type == ASIdentifierChoice_inherit; 365 return (*choice)->type == ASIdentifierChoice_inherit;
358} 366}
359 367
360/* 368/*
361 * Add an ID or range to an ASIdentifierChoice. 369 * Add an ID or range to an ASIdentifierChoice.
362 */ 370 */
363int X509v3_asid_add_id_or_range(ASIdentifiers *asid, 371int
364 int which, ASN1_INTEGER *min, ASN1_INTEGER *max) 372X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
373 ASN1_INTEGER *max)
365{ 374{
366 ASIdentifierChoice **choice; 375 ASIdentifierChoice **choice;
367 ASIdOrRange *aor; 376 ASIdOrRange *aor;
368 if (asid == NULL) 377 if (asid == NULL)
369 return 0; 378 return 0;
370 switch (which) { 379 switch (which) {
371 case V3_ASID_ASNUM: 380 case V3_ASID_ASNUM:
372 choice = &asid->asnum; 381 choice = &asid->asnum;
373 break; 382 break;
374 case V3_ASID_RDI: 383 case V3_ASID_RDI:
375 choice = &asid->rdi; 384 choice = &asid->rdi;
376 break; 385 break;
377 default: 386 default:
378 return 0; 387 return 0;
379 } 388 }
380 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) 389 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
381 return 0; 390 return 0;
382 if (*choice == NULL) { 391 if (*choice == NULL) {
383 if ((*choice = ASIdentifierChoice_new()) == NULL) 392 if ((*choice = ASIdentifierChoice_new()) == NULL)
384 return 0; 393 return 0;
385 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); 394 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
386 if ((*choice)->u.asIdsOrRanges == NULL) 395 if ((*choice)->u.asIdsOrRanges == NULL)
387 return 0; 396 return 0;
388 (*choice)->type = ASIdentifierChoice_asIdsOrRanges; 397 (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
389 } 398 }
390 if ((aor = ASIdOrRange_new()) == NULL) 399 if ((aor = ASIdOrRange_new()) == NULL)
391 return 0; 400 return 0;
392 if (max == NULL) { 401 if (max == NULL) {
393 aor->type = ASIdOrRange_id; 402 aor->type = ASIdOrRange_id;
394 aor->u.id = min; 403 aor->u.id = min;
395 } else { 404 } else {
396 aor->type = ASIdOrRange_range; 405 aor->type = ASIdOrRange_range;
397 if ((aor->u.range = ASRange_new()) == NULL) 406 if ((aor->u.range = ASRange_new()) == NULL)
398 goto err; 407 goto err;
399 ASN1_INTEGER_free(aor->u.range->min); 408 ASN1_INTEGER_free(aor->u.range->min);
400 aor->u.range->min = min; 409 aor->u.range->min = min;
401 ASN1_INTEGER_free(aor->u.range->max); 410 ASN1_INTEGER_free(aor->u.range->max);
402 aor->u.range->max = max; 411 aor->u.range->max = max;
403 } 412 }
404 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor))) 413 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
405 goto err; 414 goto err;
406 return 1; 415 return 1;
407 416
408 err: 417err:
409 ASIdOrRange_free(aor); 418 ASIdOrRange_free(aor);
410 return 0; 419 return 0;
411} 420}
412 421
413/* 422/*
414 * Extract min and max values from an ASIdOrRange. 423 * Extract min and max values from an ASIdOrRange.
415 */ 424 */
416static int extract_min_max(ASIdOrRange *aor, 425static int
417 ASN1_INTEGER **min, ASN1_INTEGER **max) 426extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max)
418{ 427{
419 OPENSSL_assert(aor != NULL); 428 OPENSSL_assert(aor != NULL);
420 429
421 switch (aor->type) { 430 switch (aor->type) {
422 case ASIdOrRange_id: 431 case ASIdOrRange_id:
423 *min = aor->u.id; 432 *min = aor->u.id;
424 *max = aor->u.id; 433 *max = aor->u.id;
425 return 1; 434 return 1;
426 case ASIdOrRange_range: 435 case ASIdOrRange_range:
427 *min = aor->u.range->min; 436 *min = aor->u.range->min;
428 *max = aor->u.range->max; 437 *max = aor->u.range->max;
429 return 1; 438 return 1;
430 } 439 }
431 440
432 return 0; 441 return 0;
433} 442}
434 443
435/* 444/*
436 * Check whether an ASIdentifierChoice is in canonical form. 445 * Check whether an ASIdentifierChoice is in canonical form.
437 */ 446 */
438static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) 447static int
448ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
439{ 449{
440 ASN1_INTEGER *a_max_plus_one = NULL; 450 ASN1_INTEGER *a_max_plus_one = NULL;
441 ASN1_INTEGER *orig; 451 ASN1_INTEGER *orig;
442 BIGNUM *bn = NULL; 452 BIGNUM *bn = NULL;
443 int i, ret = 0; 453 int i, ret = 0;
444 454
445 /* 455 /*
446 * Empty element or inheritance is canonical. 456 * Empty element or inheritance is canonical.
447 */ 457 */
448 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) 458 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
449 return 1; 459 return 1;
450 460
451 /* 461 /*
452 * If not a list, or if empty list, it's broken. 462 * If not a list, or if empty list, it's broken.
453 */ 463 */
454 if (choice->type != ASIdentifierChoice_asIdsOrRanges || 464 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
455 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) 465 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
456 return 0; 466 return 0;
457 467
458 /* 468 /*
459 * It's a list, check it. 469 * It's a list, check it.
460 */ 470 */
461 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { 471 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
462 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 472 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
463 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); 473 i);
464 ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max = 474 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
465 NULL; 475 i + 1);
466 476 ASN1_INTEGER *a_min = NULL,
467 if (!extract_min_max(a, &a_min, &a_max) 477 *a_max = NULL,
468 || !extract_min_max(b, &b_min, &b_max)) 478 *b_min = NULL,
469 goto done; 479 *b_max =
480 NULL;
481
482 if (!extract_min_max(a, &a_min, &a_max) ||
483 !extract_min_max(b, &b_min, &b_max))
484 goto done;
470 485
471 /* 486 /*
472 * Punt misordered list, overlapping start, or inverted range. 487 * Punt misordered list, overlapping start, or inverted range.
473 */ 488 */
474 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 || 489 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
475 ASN1_INTEGER_cmp(a_min, a_max) > 0 || 490 ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
476 ASN1_INTEGER_cmp(b_min, b_max) > 0) 491 ASN1_INTEGER_cmp(b_min, b_max) > 0)
477 goto done; 492 goto done;
478 493
479 /* 494 /*
480 * Calculate a_max + 1 to check for adjacency. 495 * Calculate a_max + 1 to check for adjacency.
481 */ 496 */
482 if ((bn == NULL && (bn = BN_new()) == NULL) || 497 if ((bn == NULL && (bn = BN_new()) == NULL) ||
483 ASN1_INTEGER_to_BN(a_max, bn) == NULL || 498 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
484 !BN_add_word(bn, 1)) { 499 !BN_add_word(bn, 1)) {
485 X509V3error(ERR_R_MALLOC_FAILURE); 500 X509V3error(ERR_R_MALLOC_FAILURE);
486 goto done; 501 goto done;
487 } 502 }
488 503
489 if ((a_max_plus_one = 504 if ((a_max_plus_one =
490 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { 505 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
491 a_max_plus_one = orig; 506 a_max_plus_one = orig;
492 X509V3error(ERR_R_MALLOC_FAILURE); 507 X509V3error(ERR_R_MALLOC_FAILURE);
493 goto done; 508 goto done;
494 } 509 }
495 510
496 /* 511 /*
497 * Punt if adjacent or overlapping. 512 * Punt if adjacent or overlapping.
498 */ 513 */
499 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0) 514 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
500 goto done; 515 goto done;
501 } 516 }
502 517
503 /* 518 /*
504 * Check for inverted range. 519 * Check for inverted range.
505 */ 520 */
506 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; 521 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
507 { 522 {
508 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 523 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
509 ASN1_INTEGER *a_min, *a_max; 524 i);
510 if (a != NULL && a->type == ASIdOrRange_range) { 525 ASN1_INTEGER *a_min, *a_max;
511 if (!extract_min_max(a, &a_min, &a_max) 526 if (a != NULL && a->type == ASIdOrRange_range) {
512 || ASN1_INTEGER_cmp(a_min, a_max) > 0) 527 if (!extract_min_max(a, &a_min, &a_max) ||
513 goto done; 528 ASN1_INTEGER_cmp(a_min, a_max) > 0)
514 } 529 goto done;
515 } 530 }
516 531 }
517 ret = 1; 532
518 533 ret = 1;
519 done: 534
520 ASN1_INTEGER_free(a_max_plus_one); 535done:
521 BN_free(bn); 536 ASN1_INTEGER_free(a_max_plus_one);
522 return ret; 537 BN_free(bn);
538 return ret;
523} 539}
524 540
525/* 541/*
526 * Check whether an ASIdentifier extension is in canonical form. 542 * Check whether an ASIdentifier extension is in canonical form.
527 */ 543 */
528int X509v3_asid_is_canonical(ASIdentifiers *asid) 544int
545X509v3_asid_is_canonical(ASIdentifiers *asid)
529{ 546{
530 return (asid == NULL || 547 return (asid == NULL ||
531 (ASIdentifierChoice_is_canonical(asid->asnum) && 548 (ASIdentifierChoice_is_canonical(asid->asnum) &&
532 ASIdentifierChoice_is_canonical(asid->rdi))); 549 ASIdentifierChoice_is_canonical(asid->rdi)));
533} 550}
534 551
535/* 552/*
536 * Whack an ASIdentifierChoice into canonical form. 553 * Whack an ASIdentifierChoice into canonical form.
537 */ 554 */
538static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) 555static int
556ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
539{ 557{
540 ASN1_INTEGER *a_max_plus_one = NULL; 558 ASN1_INTEGER *a_max_plus_one = NULL;
541 ASN1_INTEGER *orig; 559 ASN1_INTEGER *orig;
542 BIGNUM *bn = NULL; 560 BIGNUM *bn = NULL;
543 int i, ret = 0; 561 int i, ret = 0;
544 562
545 /* 563 /*
546 * Nothing to do for empty element or inheritance. 564 * Nothing to do for empty element or inheritance.
547 */ 565 */
548 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) 566 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
549 return 1; 567 return 1;
550 568
551 /* 569 /*
552 * If not a list, or if empty list, it's broken. 570 * If not a list, or if empty list, it's broken.
553 */ 571 */
554 if (choice->type != ASIdentifierChoice_asIdsOrRanges || 572 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
555 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) { 573 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
556 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 574 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
557 return 0; 575 return 0;
558 } 576 }
559 577
560 /* 578 /*
561 * We have a non-empty list. Sort it. 579 * We have a non-empty list. Sort it.
562 */ 580 */
563 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); 581 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
564 582
565 /* 583 /*
566 * Now check for errors and suboptimal encoding, rejecting the 584 * Now check for errors and suboptimal encoding, rejecting the
567 * former and fixing the latter. 585 * former and fixing the latter.
568 */ 586 */
569 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { 587 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
570 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 588 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
571 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); 589 i);
572 ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max = 590 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
573 NULL; 591 i + 1);
574 592 ASN1_INTEGER *a_min = NULL,
575 if (!extract_min_max(a, &a_min, &a_max) 593 *a_max = NULL,
576 || !extract_min_max(b, &b_min, &b_max)) 594 *b_min = NULL,
577 goto done; 595 *b_max =
596 NULL;
597
598 if (!extract_min_max(a, &a_min, &a_max) ||
599 !extract_min_max(b, &b_min, &b_max))
600 goto done;
578 601
579 /* 602 /*
580 * Make sure we're properly sorted (paranoia). 603 * Make sure we're properly sorted (paranoia).
581 */ 604 */
582 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); 605 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
583 606
584 /* 607 /*
585 * Punt inverted ranges. 608 * Punt inverted ranges.
586 */ 609 */
587 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 || 610 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
588 ASN1_INTEGER_cmp(b_min, b_max) > 0) 611 ASN1_INTEGER_cmp(b_min, b_max) > 0)
589 goto done; 612 goto done;
590 613
591 /* 614 /*
592 * Check for overlaps. 615 * Check for overlaps.
593 */ 616 */
594 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { 617 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
595 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 618 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
596 goto done; 619 goto done;
597 } 620 }
598 621
599 /* 622 /*
600 * Calculate a_max + 1 to check for adjacency. 623 * Calculate a_max + 1 to check for adjacency.
601 */ 624 */
602 if ((bn == NULL && (bn = BN_new()) == NULL) || 625 if ((bn == NULL && (bn = BN_new()) == NULL) ||
603 ASN1_INTEGER_to_BN(a_max, bn) == NULL || 626 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
604 !BN_add_word(bn, 1)) { 627 !BN_add_word(bn, 1)) {
605 X509V3error(ERR_R_MALLOC_FAILURE); 628 X509V3error(ERR_R_MALLOC_FAILURE);
606 goto done; 629 goto done;
607 } 630 }
608 631
609 if ((a_max_plus_one = 632 if ((a_max_plus_one =
610 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { 633 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
611 a_max_plus_one = orig; 634 a_max_plus_one = orig;
612 X509V3error(ERR_R_MALLOC_FAILURE); 635 X509V3error(ERR_R_MALLOC_FAILURE);
613 goto done; 636 goto done;
614 } 637 }
615 638
616 /* 639 /*
617 * If a and b are adjacent, merge them. 640 * If a and b are adjacent, merge them.
618 */ 641 */
619 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { 642 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
620 ASRange *r; 643 ASRange *r;
621 switch (a->type) { 644 switch (a->type) {
622 case ASIdOrRange_id: 645 case ASIdOrRange_id:
623 if ((r = calloc(1, sizeof(*r))) == NULL) { 646 if ((r = calloc(1, sizeof(*r))) == NULL) {
624 X509V3error(ERR_R_MALLOC_FAILURE); 647 X509V3error(ERR_R_MALLOC_FAILURE);
625 goto done; 648 goto done;
626 } 649 }
627 r->min = a_min; 650 r->min = a_min;
628 r->max = b_max; 651 r->max = b_max;
629 a->type = ASIdOrRange_range; 652 a->type = ASIdOrRange_range;
630 a->u.range = r; 653 a->u.range = r;
631 break; 654 break;
632 case ASIdOrRange_range: 655 case ASIdOrRange_range:
633 ASN1_INTEGER_free(a->u.range->max); 656 ASN1_INTEGER_free(a->u.range->max);
634 a->u.range->max = b_max; 657 a->u.range->max = b_max;
635 break; 658 break;
636 } 659 }
637 switch (b->type) { 660 switch (b->type) {
638 case ASIdOrRange_id: 661 case ASIdOrRange_id:
639 b->u.id = NULL; 662 b->u.id = NULL;
640 break; 663 break;
641 case ASIdOrRange_range: 664 case ASIdOrRange_range:
642 b->u.range->max = NULL; 665 b->u.range->max = NULL;
643 break; 666 break;
644 } 667 }
645 ASIdOrRange_free(b); 668 ASIdOrRange_free(b);
646 (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); 669 (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges,
647 i--; 670 i + 1);
648 continue; 671 i--;
649 } 672 continue;
650 } 673 }
674 }
651 675
652 /* 676 /*
653 * Check for final inverted range. 677 * Check for final inverted range.
654 */ 678 */
655 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; 679 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
656 { 680 {
657 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 681 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
658 ASN1_INTEGER *a_min, *a_max; 682 i);
659 if (a != NULL && a->type == ASIdOrRange_range) { 683 ASN1_INTEGER *a_min, *a_max;
660 if (!extract_min_max(a, &a_min, &a_max) 684 if (a != NULL && a->type == ASIdOrRange_range) {
661 || ASN1_INTEGER_cmp(a_min, a_max) > 0) 685 if (!extract_min_max(a, &a_min, &a_max) ||
662 goto done; 686 ASN1_INTEGER_cmp(a_min, a_max) > 0)
663 } 687 goto done;
664 } 688 }
689 }
665 690
666 /* Paranoia */ 691 /* Paranoia */
667 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); 692 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
668 693
669 ret = 1; 694 ret = 1;
670 695
671 done: 696done:
672 ASN1_INTEGER_free(a_max_plus_one); 697 ASN1_INTEGER_free(a_max_plus_one);
673 BN_free(bn); 698 BN_free(bn);
674 return ret; 699 return ret;
675} 700}
676 701
677/* 702/*
678 * Whack an ASIdentifier extension into canonical form. 703 * Whack an ASIdentifier extension into canonical form.
679 */ 704 */
680int X509v3_asid_canonize(ASIdentifiers *asid) 705int
706X509v3_asid_canonize(ASIdentifiers *asid)
681{ 707{
682 return (asid == NULL || 708 return (asid == NULL ||
683 (ASIdentifierChoice_canonize(asid->asnum) && 709 (ASIdentifierChoice_canonize(asid->asnum) &&
684 ASIdentifierChoice_canonize(asid->rdi))); 710 ASIdentifierChoice_canonize(asid->rdi)));
685} 711}
686 712
687/* 713/*
688 * v2i method for an ASIdentifier extension. 714 * v2i method for an ASIdentifier extension.
689 */ 715 */
690static void *v2i_ASIdentifiers(const struct v3_ext_method *method, 716static void *
691 struct v3_ext_ctx *ctx, 717v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
692 STACK_OF(CONF_VALUE) *values) 718 STACK_OF(CONF_VALUE)*values)
693{ 719{
694 ASN1_INTEGER *min = NULL, *max = NULL; 720 ASN1_INTEGER *min = NULL, *max = NULL;
695 ASIdentifiers *asid = NULL; 721 ASIdentifiers *asid = NULL;
696 int i; 722 int i;
697 723
698 if ((asid = ASIdentifiers_new()) == NULL) { 724 if ((asid = ASIdentifiers_new()) == NULL) {
699 X509V3error(ERR_R_MALLOC_FAILURE); 725 X509V3error(ERR_R_MALLOC_FAILURE);
700 return NULL; 726 return NULL;
701 } 727 }
702 728
703 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 729 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
704 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 730 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
705 int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0; 731 int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0;
706 732
707 /* 733 /*
708 * Figure out whether this is an AS or an RDI. 734 * Figure out whether this is an AS or an RDI.
709 */ 735 */
710 if (!name_cmp(val->name, "AS")) { 736 if (!name_cmp(val->name, "AS")) {
711 which = V3_ASID_ASNUM; 737 which = V3_ASID_ASNUM;
712 } else if (!name_cmp(val->name, "RDI")) { 738 } else if (!name_cmp(val->name, "RDI")) {
713 which = V3_ASID_RDI; 739 which = V3_ASID_RDI;
714 } else { 740 } else {
715 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 741 X509V3error(X509V3_R_EXTENSION_NAME_ERROR);
716 X509V3_conf_err(val); 742 X509V3_conf_err(val);
717 goto err; 743 goto err;
718 } 744 }
719 745
720 /* 746 /*
721 * Handle inheritance. 747 * Handle inheritance.
722 */ 748 */
723 if (strcmp(val->value, "inherit") == 0) { 749 if (strcmp(val->value, "inherit") == 0) {
724 if (X509v3_asid_add_inherit(asid, which)) 750 if (X509v3_asid_add_inherit(asid, which))
725 continue; 751 continue;
726 X509V3error(X509V3_R_INVALID_INHERITANCE); 752 X509V3error(X509V3_R_INVALID_INHERITANCE);
727 X509V3_conf_err(val); 753 X509V3_conf_err(val);
728 goto err; 754 goto err;
729 } 755 }
730 756
731 /* 757 /*
732 * Number, range, or mistake, pick it apart and figure out which. 758 * Number, range, or mistake, pick it apart and figure out which.
733 */ 759 */
734 i1 = strspn(val->value, "0123456789"); 760 i1 = strspn(val->value, "0123456789");
735 if (val->value[i1] == '\0') { 761 if (val->value[i1] == '\0') {
736 is_range = 0; 762 is_range = 0;
737 } else { 763 } else {
738 is_range = 1; 764 is_range = 1;
739 i2 = i1 + strspn(val->value + i1, " \t"); 765 i2 = i1 + strspn(val->value + i1, " \t");
740 if (val->value[i2] != '-') { 766 if (val->value[i2] != '-') {
741 X509V3error(X509V3_R_INVALID_ASNUMBER); 767 X509V3error(X509V3_R_INVALID_ASNUMBER);
742 X509V3_conf_err(val); 768 X509V3_conf_err(val);
743 goto err; 769 goto err;
744 } 770 }
745 i2++; 771 i2++;
746 i2 = i2 + strspn(val->value + i2, " \t"); 772 i2 = i2 + strspn(val->value + i2, " \t");
747 i3 = i2 + strspn(val->value + i2, "0123456789"); 773 i3 = i2 + strspn(val->value + i2, "0123456789");
748 if (val->value[i3] != '\0') { 774 if (val->value[i3] != '\0') {
749 X509V3error(X509V3_R_INVALID_ASRANGE); 775 X509V3error(X509V3_R_INVALID_ASRANGE);
750 X509V3_conf_err(val); 776 X509V3_conf_err(val);
751 goto err; 777 goto err;
752 } 778 }
753 } 779 }
754 780
755 /* 781 /*
756 * Syntax is ok, read and add it. 782 * Syntax is ok, read and add it.
757 */ 783 */
758 if (!is_range) { 784 if (!is_range) {
759 if (!X509V3_get_value_int(val, &min)) { 785 if (!X509V3_get_value_int(val, &min)) {
760 X509V3error(ERR_R_MALLOC_FAILURE); 786 X509V3error(ERR_R_MALLOC_FAILURE);
761 goto err; 787 goto err;
762 } 788 }
763 } else { 789 } else {
764 char *s = strdup(val->value); 790 char *s = strdup(val->value);
765 if (s == NULL) { 791 if (s == NULL) {
766 X509V3error(ERR_R_MALLOC_FAILURE); 792 X509V3error(ERR_R_MALLOC_FAILURE);
767 goto err; 793 goto err;
768 } 794 }
769 s[i1] = '\0'; 795 s[i1] = '\0';
770 min = s2i_ASN1_INTEGER(NULL, s); 796 min = s2i_ASN1_INTEGER(NULL, s);
771 max = s2i_ASN1_INTEGER(NULL, s + i2); 797 max = s2i_ASN1_INTEGER(NULL, s + i2);
772 free(s); 798 free(s);
773 if (min == NULL || max == NULL) { 799 if (min == NULL || max == NULL) {
774 X509V3error(ERR_R_MALLOC_FAILURE); 800 X509V3error(ERR_R_MALLOC_FAILURE);
775 goto err; 801 goto err;
776 } 802 }
777 if (ASN1_INTEGER_cmp(min, max) > 0) { 803 if (ASN1_INTEGER_cmp(min, max) > 0) {
778 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 804 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
779 goto err; 805 goto err;
780 } 806 }
781 } 807 }
782 if (!X509v3_asid_add_id_or_range(asid, which, min, max)) { 808 if (!X509v3_asid_add_id_or_range(asid, which, min, max)) {
783 X509V3error(ERR_R_MALLOC_FAILURE); 809 X509V3error(ERR_R_MALLOC_FAILURE);
784 goto err; 810 goto err;
785 } 811 }
786 min = max = NULL; 812 min = max = NULL;
787 } 813 }
788 814
789 /* 815 /*
790 * Canonize the result, then we're done. 816 * Canonize the result, then we're done.
791 */ 817 */
792 if (!X509v3_asid_canonize(asid)) 818 if (!X509v3_asid_canonize(asid))
793 goto err; 819 goto err;
794 return asid; 820 return asid;
795 821
796 err: 822err:
797 ASIdentifiers_free(asid); 823 ASIdentifiers_free(asid);
798 ASN1_INTEGER_free(min); 824 ASN1_INTEGER_free(min);
799 ASN1_INTEGER_free(max); 825 ASN1_INTEGER_free(max);
800 return NULL; 826 return NULL;
801} 827}
802 828
803/* 829/*
804 * OpenSSL dispatch. 830 * OpenSSL dispatch.
805 */ 831 */
806const X509V3_EXT_METHOD v3_asid = { 832const X509V3_EXT_METHOD v3_asid = {
807 NID_sbgp_autonomousSysNum, /* nid */ 833 NID_sbgp_autonomousSysNum, /* nid */
808 0, /* flags */ 834 0, /* flags */
809 &ASIdentifiers_it, /* template */ 835 &ASIdentifiers_it, /* template */
810 0, 0, 0, 0, /* old functions, ignored */ 836 0, 0, 0, 0, /* old functions, ignored */
811 0, /* i2s */ 837 0, /* i2s */
812 0, /* s2i */ 838 0, /* s2i */
813 0, /* i2v */ 839 0, /* i2v */
814 v2i_ASIdentifiers, /* v2i */ 840 v2i_ASIdentifiers, /* v2i */
815 i2r_ASIdentifiers, /* i2r */ 841 i2r_ASIdentifiers, /* i2r */
816 0, /* r2i */ 842 0, /* r2i */
817 NULL /* extension-specific data */ 843 NULL /* extension-specific data */
818}; 844};
819 845
820/* 846/*
821 * Figure out whether extension uses inheritance. 847 * Figure out whether extension uses inheritance.
822 */ 848 */
823int X509v3_asid_inherits(ASIdentifiers *asid) 849int
850X509v3_asid_inherits(ASIdentifiers *asid)
824{ 851{
825 return (asid != NULL && 852 return (asid != NULL &&
826 ((asid->asnum != NULL && 853 ((asid->asnum != NULL &&
827 asid->asnum->type == ASIdentifierChoice_inherit) || 854 asid->asnum->type == ASIdentifierChoice_inherit) ||
828 (asid->rdi != NULL && 855 (asid->rdi != NULL &&
829 asid->rdi->type == ASIdentifierChoice_inherit))); 856 asid->rdi->type == ASIdentifierChoice_inherit)));
830} 857}
831 858
832/* 859/*
833 * Figure out whether parent contains child. 860 * Figure out whether parent contains child.
834 */ 861 */
835static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) 862static int
863asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
836{ 864{
837 ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL; 865 ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL;
838 int p, c; 866 int p, c;
839 867
840 if (child == NULL || parent == child) 868 if (child == NULL || parent == child)
841 return 1; 869 return 1;
842 if (parent == NULL) 870 if (parent == NULL)
843 return 0; 871 return 0;
844 872
845 p = 0; 873 p = 0;
846 for (c = 0; c < sk_ASIdOrRange_num(child); c++) { 874 for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
847 if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max)) 875 if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min,
848 return 0; 876 &c_max))
849 for (;; p++) { 877 return 0;
850 if (p >= sk_ASIdOrRange_num(parent)) 878 for (;; p++) {
851 return 0; 879 if (p >= sk_ASIdOrRange_num(parent))
852 if (!extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, 880 return 0;
853 &p_max)) 881 if (!extract_min_max(sk_ASIdOrRange_value(parent, p),
854 return 0; 882 &p_min, &p_max))
855 if (ASN1_INTEGER_cmp(p_max, c_max) < 0) 883 return 0;
856 continue; 884 if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
857 if (ASN1_INTEGER_cmp(p_min, c_min) > 0) 885 continue;
858 return 0; 886 if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
859 break; 887 return 0;
860 } 888 break;
861 } 889 }
862 890 }
863 return 1; 891
892 return 1;
864} 893}
865 894
866/* 895/*
867 * Test whether a is a subset of b. 896 * Test whether a is a subset of b.
868 */ 897 */
869int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) 898int
899X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
870{ 900{
871 return (a == NULL || 901 return (a == NULL ||
872 a == b || 902 a == b ||
873 (b != NULL && 903 (b != NULL &&
874 !X509v3_asid_inherits(a) && 904 !X509v3_asid_inherits(a) &&
875 !X509v3_asid_inherits(b) && 905 !X509v3_asid_inherits(b) &&
876 asid_contains(b->asnum->u.asIdsOrRanges, 906 asid_contains(b->asnum->u.asIdsOrRanges,
877 a->asnum->u.asIdsOrRanges) && 907 a->asnum->u.asIdsOrRanges) &&
878 asid_contains(b->rdi->u.asIdsOrRanges, 908 asid_contains(b->rdi->u.asIdsOrRanges,
879 a->rdi->u.asIdsOrRanges))); 909 a->rdi->u.asIdsOrRanges)));
880} 910}
881 911
882/* 912/*
@@ -899,121 +929,121 @@ int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
899/* 929/*
900 * Core code for RFC 3779 3.3 path validation. 930 * Core code for RFC 3779 3.3 path validation.
901 */ 931 */
902static int asid_validate_path_internal(X509_STORE_CTX *ctx, 932static int
903 STACK_OF(X509) *chain, 933asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
904 ASIdentifiers *ext) 934 ASIdentifiers *ext)
905{ 935{
906 ASIdOrRanges *child_as = NULL, *child_rdi = NULL; 936 ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
907 int i, ret = 1, inherit_as = 0, inherit_rdi = 0; 937 int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
908 X509 *x; 938 X509 *x;
909 939
910 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 940 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
911 OPENSSL_assert(ctx != NULL || ext != NULL); 941 OPENSSL_assert(ctx != NULL || ext != NULL);
912 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 942 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
913 943
914 /* 944 /*
915 * Figure out where to start. If we don't have an extension to 945 * Figure out where to start. If we don't have an extension to
916 * check, we're done. Otherwise, check canonical form and 946 * check, we're done. Otherwise, check canonical form and
917 * set up for walking up the chain. 947 * set up for walking up the chain.
918 */ 948 */
919 if (ext != NULL) { 949 if (ext != NULL) {
920 i = -1; 950 i = -1;
921 x = NULL; 951 x = NULL;
922 } else { 952 } else {
923 i = 0; 953 i = 0;
924 x = sk_X509_value(chain, i); 954 x = sk_X509_value(chain, i);
925 if ((ext = x->rfc3779_asid) == NULL) 955 if ((ext = x->rfc3779_asid) == NULL)
926 goto done; 956 goto done;
927 } 957 }
928 if (!X509v3_asid_is_canonical(ext)) 958 if (!X509v3_asid_is_canonical(ext))
929 validation_err(X509_V_ERR_INVALID_EXTENSION); 959 validation_err(X509_V_ERR_INVALID_EXTENSION);
930 if (ext->asnum != NULL) { 960 if (ext->asnum != NULL) {
931 switch (ext->asnum->type) { 961 switch (ext->asnum->type) {
932 case ASIdentifierChoice_inherit: 962 case ASIdentifierChoice_inherit:
933 inherit_as = 1; 963 inherit_as = 1;
934 break; 964 break;
935 case ASIdentifierChoice_asIdsOrRanges: 965 case ASIdentifierChoice_asIdsOrRanges:
936 child_as = ext->asnum->u.asIdsOrRanges; 966 child_as = ext->asnum->u.asIdsOrRanges;
937 break; 967 break;
938 } 968 }
939 } 969 }
940 if (ext->rdi != NULL) { 970 if (ext->rdi != NULL) {
941 switch (ext->rdi->type) { 971 switch (ext->rdi->type) {
942 case ASIdentifierChoice_inherit: 972 case ASIdentifierChoice_inherit:
943 inherit_rdi = 1; 973 inherit_rdi = 1;
944 break; 974 break;
945 case ASIdentifierChoice_asIdsOrRanges: 975 case ASIdentifierChoice_asIdsOrRanges:
946 child_rdi = ext->rdi->u.asIdsOrRanges; 976 child_rdi = ext->rdi->u.asIdsOrRanges;
947 break; 977 break;
948 } 978 }
949 } 979 }
950 980
951 /* 981 /*
952 * Now walk up the chain. Extensions must be in canonical form, no 982 * Now walk up the chain. Extensions must be in canonical form, no
953 * cert may list resources that its parent doesn't list. 983 * cert may list resources that its parent doesn't list.
954 */ 984 */
955 for (i++; i < sk_X509_num(chain); i++) { 985 for (i++; i < sk_X509_num(chain); i++) {
956 x = sk_X509_value(chain, i); 986 x = sk_X509_value(chain, i);
957 OPENSSL_assert(x != NULL); 987 OPENSSL_assert(x != NULL);
958 988
959 if (x->rfc3779_asid == NULL) { 989 if (x->rfc3779_asid == NULL) {
960 if (child_as != NULL || child_rdi != NULL) 990 if (child_as != NULL || child_rdi != NULL)
961 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 991 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
962 continue; 992 continue;
963 } 993 }
964 if (!X509v3_asid_is_canonical(x->rfc3779_asid)) 994 if (!X509v3_asid_is_canonical(x->rfc3779_asid))
965 validation_err(X509_V_ERR_INVALID_EXTENSION); 995 validation_err(X509_V_ERR_INVALID_EXTENSION);
966 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { 996 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
967 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 997 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
968 child_as = NULL; 998 child_as = NULL;
969 inherit_as = 0; 999 inherit_as = 0;
970 } 1000 }
971 if (x->rfc3779_asid->asnum != NULL && 1001 if (x->rfc3779_asid->asnum != NULL &&
972 x->rfc3779_asid->asnum->type == 1002 x->rfc3779_asid->asnum->type ==
973 ASIdentifierChoice_asIdsOrRanges) { 1003 ASIdentifierChoice_asIdsOrRanges) {
974 if (inherit_as 1004 if (inherit_as ||
975 || asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, 1005 asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges,
976 child_as)) { 1006 child_as)) {
977 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; 1007 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
978 inherit_as = 0; 1008 inherit_as = 0;
979 } else { 1009 } else {
980 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1010 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
981 } 1011 }
982 } 1012 }
983 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) { 1013 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
984 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1014 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
985 child_rdi = NULL; 1015 child_rdi = NULL;
986 inherit_rdi = 0; 1016 inherit_rdi = 0;
987 } 1017 }
988 if (x->rfc3779_asid->rdi != NULL && 1018 if (x->rfc3779_asid->rdi != NULL &&
989 x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { 1019 x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) {
990 if (inherit_rdi || 1020 if (inherit_rdi ||
991 asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, 1021 asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges,
992 child_rdi)) { 1022 child_rdi)) {
993 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; 1023 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
994 inherit_rdi = 0; 1024 inherit_rdi = 0;
995 } else { 1025 } else {
996 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1026 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
997 } 1027 }
998 } 1028 }
999 } 1029 }
1000 1030
1001 /* 1031 /*
1002 * Trust anchor can't inherit. 1032 * Trust anchor can't inherit.
1003 */ 1033 */
1004 OPENSSL_assert(x != NULL); 1034 OPENSSL_assert(x != NULL);
1005 1035
1006 if (x->rfc3779_asid != NULL) { 1036 if (x->rfc3779_asid != NULL) {
1007 if (x->rfc3779_asid->asnum != NULL && 1037 if (x->rfc3779_asid->asnum != NULL &&
1008 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) 1038 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
1009 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1039 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1010 if (x->rfc3779_asid->rdi != NULL && 1040 if (x->rfc3779_asid->rdi != NULL &&
1011 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) 1041 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
1012 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1042 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1013 } 1043 }
1014 1044
1015 done: 1045done:
1016 return ret; 1046 return ret;
1017} 1047}
1018 1048
1019#undef validation_err 1049#undef validation_err
@@ -1021,31 +1051,33 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
1021/* 1051/*
1022 * RFC 3779 3.3 path validation -- called from X509_verify_cert(). 1052 * RFC 3779 3.3 path validation -- called from X509_verify_cert().
1023 */ 1053 */
1024int X509v3_asid_validate_path(X509_STORE_CTX *ctx) 1054int
1055X509v3_asid_validate_path(X509_STORE_CTX *ctx)
1025{ 1056{
1026 if (ctx->chain == NULL 1057 if (ctx->chain == NULL ||
1027 || sk_X509_num(ctx->chain) == 0 1058 sk_X509_num(ctx->chain) == 0 ||
1028 || ctx->verify_cb == NULL) { 1059 ctx->verify_cb == NULL) {
1029 ctx->error = X509_V_ERR_UNSPECIFIED; 1060 ctx->error = X509_V_ERR_UNSPECIFIED;
1030 return 0; 1061 return 0;
1031 } 1062 }
1032 return asid_validate_path_internal(ctx, ctx->chain, NULL); 1063 return asid_validate_path_internal(ctx, ctx->chain, NULL);
1033} 1064}
1034 1065
1035/* 1066/*
1036 * RFC 3779 3.3 path validation of an extension. 1067 * RFC 3779 3.3 path validation of an extension.
1037 * Test whether chain covers extension. 1068 * Test whether chain covers extension.
1038 */ 1069 */
1039int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain, 1070int
1040 ASIdentifiers *ext, int allow_inheritance) 1071X509v3_asid_validate_resource_set(STACK_OF(X509)*chain, ASIdentifiers *ext,
1072 int allow_inheritance)
1041{ 1073{
1042 if (ext == NULL) 1074 if (ext == NULL)
1043 return 1; 1075 return 1;
1044 if (chain == NULL || sk_X509_num(chain) == 0) 1076 if (chain == NULL || sk_X509_num(chain) == 0)
1045 return 0; 1077 return 0;
1046 if (!allow_inheritance && X509v3_asid_inherits(ext)) 1078 if (!allow_inheritance && X509v3_asid_inherits(ext))
1047 return 0; 1079 return 0;
1048 return asid_validate_path_internal(NULL, chain, ext); 1080 return asid_validate_path_internal(NULL, chain, ext);
1049} 1081}
1050 1082
1051#endif /* OPENSSL_NO_RFC3779 */ 1083#endif /* OPENSSL_NO_RFC3779 */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-15 05:05:17 +0000