summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorjob <>2021-09-07 10:24:51 +0000
committerjob <>2021-09-07 10:24:51 +0000
commit332d783e39d5ca2e8e2567053bb948d21c726c17 (patch)
tree7e6ebe604bd9a651a41bcb4629762742384dfe26 /src
parentb5224f0b8edbb0671c0257b56baee589c711702b (diff)
downloadopenbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.tar.gz
openbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.tar.bz2
openbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.zip
KNF
OK tb@ jsing@ beck@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_addr.c1844
-rw-r--r--src/lib/libcrypto/x509/x509_asid.c1182
2 files changed, 1548 insertions, 1478 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index d23981b033..1c13e361ee 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -191,7 +191,7 @@ d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len)
191} 191}
192 192
193int 193int
194i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char ** out) 194i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out)
195{ 195{
196 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(IPAddressOrRange_it))); 196 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(IPAddressOrRange_it)));
197} 197}
@@ -203,7 +203,8 @@ IPAddressOrRange_new(void)
203} 203}
204 204
205void 205void
206IPAddressOrRange_free(IPAddressOrRange *a) { 206IPAddressOrRange_free(IPAddressOrRange *a)
207{
207 ASN1_item_free((ASN1_VALUE *)a, (&(IPAddressOrRange_it))); 208 ASN1_item_free((ASN1_VALUE *)a, (&(IPAddressOrRange_it)));
208} 209}
209 210
@@ -224,7 +225,6 @@ IPAddressChoice *
224IPAddressChoice_new(void) 225IPAddressChoice_new(void)
225{ 226{
226 return (IPAddressChoice *)ASN1_item_new((&(IPAddressChoice_it))); 227 return (IPAddressChoice *)ASN1_item_new((&(IPAddressChoice_it)));
227
228} 228}
229 229
230void 230void
@@ -266,53 +266,55 @@ IPAddressFamily_free(IPAddressFamily *a)
266/* 266/*
267 * What's the address length associated with this AFI? 267 * What's the address length associated with this AFI?
268 */ 268 */
269static int length_from_afi(const unsigned afi) 269static int
270length_from_afi(const unsigned afi)
270{ 271{
271 switch (afi) { 272 switch (afi) {
272 case IANA_AFI_IPV4: 273 case IANA_AFI_IPV4:
273 return 4; 274 return 4;
274 case IANA_AFI_IPV6: 275 case IANA_AFI_IPV6:
275 return 16; 276 return 16;
276 default: 277 default:
277 return 0; 278 return 0;
278 } 279 }
279} 280}
280 281
281/* 282/*
282 * Extract the AFI from an IPAddressFamily. 283 * Extract the AFI from an IPAddressFamily.
283 */ 284 */
284unsigned int X509v3_addr_get_afi(const IPAddressFamily *f) 285unsigned int
286X509v3_addr_get_afi(const IPAddressFamily *f)
285{ 287{
286 if (f == NULL 288 if (f == NULL ||
287 || f->addressFamily == NULL 289 f->addressFamily == NULL ||
288 || f->addressFamily->data == NULL 290 f->addressFamily->data == NULL ||
289 || f->addressFamily->length < 2) 291 f->addressFamily->length < 2)
290 return 0; 292 return 0;
291 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; 293 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
292} 294}
293 295
294/* 296/*
295 * Expand the bitstring form of an address into a raw byte array. 297 * Expand the bitstring form of an address into a raw byte array.
296 * At the moment this is coded for simplicity, not speed. 298 * At the moment this is coded for simplicity, not speed.
297 */ 299 */
298static int addr_expand(unsigned char *addr, 300static int
299 const ASN1_BIT_STRING *bs, 301addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length,
300 const int length, const unsigned char fill) 302 const unsigned char fill)
301{ 303{
302 if (bs->length < 0 || bs->length > length) 304 if (bs->length < 0 || bs->length > length)
303 return 0; 305 return 0;
304 if (bs->length > 0) { 306 if (bs->length > 0) {
305 memcpy(addr, bs->data, bs->length); 307 memcpy(addr, bs->data, bs->length);
306 if ((bs->flags & 7) != 0) { 308 if ((bs->flags & 7) != 0) {
307 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 309 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
308 if (fill == 0) 310 if (fill == 0)
309 addr[bs->length - 1] &= ~mask; 311 addr[bs->length - 1] &= ~mask;
310 else 312 else
311 addr[bs->length - 1] |= mask; 313 addr[bs->length - 1] |= mask;
312 } 314 }
313 } 315 }
314 memset(addr + bs->length, fill, length - bs->length); 316 memset(addr + bs->length, fill, length - bs->length);
315 return 1; 317 return 1;
316} 318}
317 319
318/* 320/*
@@ -323,143 +325,149 @@ static int addr_expand(unsigned char *addr,
323/* 325/*
324 * i2r handler for one address bitstring. 326 * i2r handler for one address bitstring.
325 */ 327 */
326static int i2r_address(BIO *out, 328static int
327 const unsigned afi, 329i2r_address(BIO *out, const unsigned afi, const unsigned char fill,
328 const unsigned char fill, const ASN1_BIT_STRING *bs) 330 const ASN1_BIT_STRING *bs)
329{ 331{
330 unsigned char addr[ADDR_RAW_BUF_LEN]; 332 unsigned char addr[ADDR_RAW_BUF_LEN];
331 int i, n; 333 int i, n;
332 334
333 if (bs->length < 0) 335 if (bs->length < 0)
334 return 0; 336 return 0;
335 switch (afi) { 337 switch (afi) {
336 case IANA_AFI_IPV4: 338 case IANA_AFI_IPV4:
337 if (!addr_expand(addr, bs, 4, fill)) 339 if (!addr_expand(addr, bs, 4, fill))
338 return 0; 340 return 0;
339 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 341 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2],
340 break; 342 addr[3]);
341 case IANA_AFI_IPV6: 343 break;
342 if (!addr_expand(addr, bs, 16, fill)) 344 case IANA_AFI_IPV6:
343 return 0; 345 if (!addr_expand(addr, bs, 16, fill))
344 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; 346 return 0;
345 n -= 2) ; 347 for (n = 16;
346 for (i = 0; i < n; i += 2) 348 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2)
347 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 349 ;
348 (i < 14 ? ":" : "")); 350 for (i = 0; i < n; i += 2)
349 if (i < 16) 351 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
350 BIO_puts(out, ":"); 352 (i < 14 ? ":" : ""));
351 if (i == 0) 353 if (i < 16)
352 BIO_puts(out, ":"); 354 BIO_puts(out, ":");
353 break; 355 if (i == 0)
354 default: 356 BIO_puts(out, ":");
355 for (i = 0; i < bs->length; i++) 357 break;
356 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); 358 default:
357 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 359 for (i = 0; i < bs->length; i++)
358 break; 360 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""),
359 } 361 bs->data[i]);
360 return 1; 362 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
363 break;
364 }
365 return 1;
361} 366}
362 367
363/* 368/*
364 * i2r handler for a sequence of addresses and ranges. 369 * i2r handler for a sequence of addresses and ranges.
365 */ 370 */
366static int i2r_IPAddressOrRanges(BIO *out, 371static int
367 const int indent, 372i2r_IPAddressOrRanges(BIO *out, const int indent,
368 const IPAddressOrRanges *aors, 373 const IPAddressOrRanges *aors, const unsigned afi)
369 const unsigned afi)
370{ 374{
371 int i; 375 int i;
372 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 376 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
373 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 377 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
374 BIO_printf(out, "%*s", indent, ""); 378 BIO_printf(out, "%*s", indent, "");
375 switch (aor->type) { 379 switch (aor->type) {
376 case IPAddressOrRange_addressPrefix: 380 case IPAddressOrRange_addressPrefix:
377 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 381 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
378 return 0; 382 return 0;
379 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); 383 BIO_printf(out, "/%d\n",
380 continue; 384 addr_prefixlen(aor->u.addressPrefix));
381 case IPAddressOrRange_addressRange: 385 continue;
382 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) 386 case IPAddressOrRange_addressRange:
383 return 0; 387 if (!i2r_address(out, afi, 0x00,
384 BIO_puts(out, "-"); 388 aor->u.addressRange->min))
385 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) 389 return 0;
386 return 0; 390 BIO_puts(out, "-");
387 BIO_puts(out, "\n"); 391 if (!i2r_address(out, afi, 0xFF,
388 continue; 392 aor->u.addressRange->max))
389 } 393 return 0;
390 } 394 BIO_puts(out, "\n");
391 return 1; 395 continue;
396 }
397 }
398 return 1;
392} 399}
393 400
394/* 401/*
395 * i2r handler for an IPAddrBlocks extension. 402 * i2r handler for an IPAddrBlocks extension.
396 */ 403 */
397static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, 404static int
398 void *ext, BIO *out, int indent) 405i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
406 int indent)
399{ 407{
400 const IPAddrBlocks *addr = ext; 408 const IPAddrBlocks *addr = ext;
401 int i; 409 int i;
402 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 410 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
403 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 411 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
404 const unsigned int afi = X509v3_addr_get_afi(f); 412 const unsigned int afi = X509v3_addr_get_afi(f);
405 switch (afi) { 413 switch (afi) {
406 case IANA_AFI_IPV4: 414 case IANA_AFI_IPV4:
407 BIO_printf(out, "%*sIPv4", indent, ""); 415 BIO_printf(out, "%*sIPv4", indent, "");
408 break; 416 break;
409 case IANA_AFI_IPV6: 417 case IANA_AFI_IPV6:
410 BIO_printf(out, "%*sIPv6", indent, ""); 418 BIO_printf(out, "%*sIPv6", indent, "");
411 break; 419 break;
412 default: 420 default:
413 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 421 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
414 break; 422 break;
415 } 423 }
416 if (f->addressFamily->length > 2) { 424 if (f->addressFamily->length > 2) {
417 switch (f->addressFamily->data[2]) { 425 switch (f->addressFamily->data[2]) {
418 case 1: 426 case 1:
419 BIO_puts(out, " (Unicast)"); 427 BIO_puts(out, " (Unicast)");
420 break; 428 break;
421 case 2: 429 case 2:
422 BIO_puts(out, " (Multicast)"); 430 BIO_puts(out, " (Multicast)");
423 break; 431 break;
424 case 3: 432 case 3:
425 BIO_puts(out, " (Unicast/Multicast)"); 433 BIO_puts(out, " (Unicast/Multicast)");
426 break; 434 break;
427 case 4: 435 case 4:
428 BIO_puts(out, " (MPLS)"); 436 BIO_puts(out, " (MPLS)");
429 break; 437 break;
430 case 64: 438 case 64:
431 BIO_puts(out, " (Tunnel)"); 439 BIO_puts(out, " (Tunnel)");
432 break; 440 break;
433 case 65: 441 case 65:
434 BIO_puts(out, " (VPLS)"); 442 BIO_puts(out, " (VPLS)");
435 break; 443 break;
436 case 66: 444 case 66:
437 BIO_puts(out, " (BGP MDT)"); 445 BIO_puts(out, " (BGP MDT)");
438 break; 446 break;
439 case 128: 447 case 128:
440 BIO_puts(out, " (MPLS-labeled VPN)"); 448 BIO_puts(out, " (MPLS-labeled VPN)");
441 break; 449 break;
442 default: 450 default:
443 BIO_printf(out, " (Unknown SAFI %u)", 451 BIO_printf(out, " (Unknown SAFI %u)",
444 (unsigned)f->addressFamily->data[2]); 452 (unsigned)f->addressFamily->data[2]);
445 break; 453 break;
446 } 454 }
447 } 455 }
448 switch (f->ipAddressChoice->type) { 456 switch (f->ipAddressChoice->type) {
449 case IPAddressChoice_inherit: 457 case IPAddressChoice_inherit:
450 BIO_puts(out, ": inherit\n"); 458 BIO_puts(out, ": inherit\n");
451 break; 459 break;
452 case IPAddressChoice_addressesOrRanges: 460 case IPAddressChoice_addressesOrRanges:
453 BIO_puts(out, ":\n"); 461 BIO_puts(out, ":\n");
454 if (!i2r_IPAddressOrRanges(out, 462 if (!i2r_IPAddressOrRanges(out,
455 indent + 2, 463 indent + 2,
456 f->ipAddressChoice-> 464 f->ipAddressChoice->
457 u.addressesOrRanges, afi)) 465 u.addressesOrRanges, afi))
458 return 0; 466 return 0;
459 break; 467 break;
460 } 468 }
461 } 469 }
462 return 1; 470 return 1;
463} 471}
464 472
465/* 473/*
@@ -472,145 +480,152 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
472 * function returns -1. If this messes up your preferred sort order 480 * function returns -1. If this messes up your preferred sort order
473 * for garbage input, tough noogies. 481 * for garbage input, tough noogies.
474 */ 482 */
475static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 483static int
476 const IPAddressOrRange *b, const int length) 484IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b,
485 const int length)
477{ 486{
478 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 487 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
479 int prefixlen_a = 0, prefixlen_b = 0; 488 int prefixlen_a = 0, prefixlen_b = 0;
480 int r; 489 int r;
481 490
482 switch (a->type) { 491 switch (a->type) {
483 case IPAddressOrRange_addressPrefix: 492 case IPAddressOrRange_addressPrefix:
484 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 493 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
485 return -1; 494 return -1;
486 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 495 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
487 break; 496 break;
488 case IPAddressOrRange_addressRange: 497 case IPAddressOrRange_addressRange:
489 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 498 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
490 return -1; 499 return -1;
491 prefixlen_a = length * 8; 500 prefixlen_a = length * 8;
492 break; 501 break;
493 } 502 }
494 503
495 switch (b->type) { 504 switch (b->type) {
496 case IPAddressOrRange_addressPrefix: 505 case IPAddressOrRange_addressPrefix:
497 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 506 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
498 return -1; 507 return -1;
499 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 508 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
500 break; 509 break;
501 case IPAddressOrRange_addressRange: 510 case IPAddressOrRange_addressRange:
502 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 511 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
503 return -1; 512 return -1;
504 prefixlen_b = length * 8; 513 prefixlen_b = length * 8;
505 break; 514 break;
506 } 515 }
507 516
508 if ((r = memcmp(addr_a, addr_b, length)) != 0) 517 if ((r = memcmp(addr_a, addr_b, length)) != 0)
509 return r; 518 return r;
510 else 519 else
511 return prefixlen_a - prefixlen_b; 520 return prefixlen_a - prefixlen_b;
512} 521}
513 522
514/* 523/*
515 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 524 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
516 * comparison routines are only allowed two arguments. 525 * comparison routines are only allowed two arguments.
517 */ 526 */
518static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 527static int
519 const IPAddressOrRange *const *b) 528v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
529 const IPAddressOrRange *const *b)
520{ 530{
521 return IPAddressOrRange_cmp(*a, *b, 4); 531 return IPAddressOrRange_cmp(*a, *b, 4);
522} 532}
523 533
524/* 534/*
525 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 535 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
526 * comparison routines are only allowed two arguments. 536 * comparison routines are only allowed two arguments.
527 */ 537 */
528static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 538static int
529 const IPAddressOrRange *const *b) 539v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
540 const IPAddressOrRange *const *b)
530{ 541{
531 return IPAddressOrRange_cmp(*a, *b, 16); 542 return IPAddressOrRange_cmp(*a, *b, 16);
532} 543}
533 544
534/* 545/*
535 * Calculate whether a range collapses to a prefix. 546 * Calculate whether a range collapses to a prefix.
536 * See last paragraph of RFC 3779 2.2.3.7. 547 * See last paragraph of RFC 3779 2.2.3.7.
537 */ 548 */
538static int range_should_be_prefix(const unsigned char *min, 549static int
539 const unsigned char *max, const int length) 550range_should_be_prefix(const unsigned char *min, const unsigned char *max,
551 const int length)
540{ 552{
541 unsigned char mask; 553 unsigned char mask;
542 int i, j; 554 int i, j;
543 555
544 if (memcmp(min, max, length) <= 0) 556 if (memcmp(min, max, length) <= 0)
545 return -1; 557 return -1;
546 for (i = 0; i < length && min[i] == max[i]; i++) ; 558 for (i = 0; i < length && min[i] == max[i]; i++)
547 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; 559 ;
548 if (i < j) 560 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
549 return -1; 561 ;
550 if (i > j) 562 if (i < j)
551 return i * 8; 563 return -1;
552 mask = min[i] ^ max[i]; 564 if (i > j)
553 switch (mask) { 565 return i * 8;
554 case 0x01: 566 mask = min[i] ^ max[i];
555 j = 7; 567 switch (mask) {
556 break; 568 case 0x01:
557 case 0x03: 569 j = 7;
558 j = 6; 570 break;
559 break; 571 case 0x03:
560 case 0x07: 572 j = 6;
561 j = 5; 573 break;
562 break; 574 case 0x07:
563 case 0x0F: 575 j = 5;
564 j = 4; 576 break;
565 break; 577 case 0x0F:
566 case 0x1F: 578 j = 4;
567 j = 3; 579 break;
568 break; 580 case 0x1F:
569 case 0x3F: 581 j = 3;
570 j = 2; 582 break;
571 break; 583 case 0x3F:
572 case 0x7F: 584 j = 2;
573 j = 1; 585 break;
574 break; 586 case 0x7F:
575 default: 587 j = 1;
576 return -1; 588 break;
577 } 589 default:
578 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 590 return -1;
579 return -1; 591 }
580 else 592 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
581 return i * 8 + j; 593 return -1;
594 else
595 return i * 8 + j;
582} 596}
583 597
584/* 598/*
585 * Construct a prefix. 599 * Construct a prefix.
586 */ 600 */
587static int make_addressPrefix(IPAddressOrRange **result, 601static int
588 unsigned char *addr, const int prefixlen) 602make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
603 const int prefixlen)
589{ 604{
590 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 605 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
591 IPAddressOrRange *aor = IPAddressOrRange_new(); 606 IPAddressOrRange *aor = IPAddressOrRange_new();
592 607
593 if (aor == NULL) 608 if (aor == NULL)
594 return 0; 609 return 0;
595 aor->type = IPAddressOrRange_addressPrefix; 610 aor->type = IPAddressOrRange_addressPrefix;
596 if (aor->u.addressPrefix == NULL && 611 if (aor->u.addressPrefix == NULL &&
597 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 612 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
598 goto err; 613 goto err;
599 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 614 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
600 goto err; 615 goto err;
601 aor->u.addressPrefix->flags &= ~7; 616 aor->u.addressPrefix->flags &= ~7;
602 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 617 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
603 if (bitlen > 0) { 618 if (bitlen > 0) {
604 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 619 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
605 aor->u.addressPrefix->flags |= 8 - bitlen; 620 aor->u.addressPrefix->flags |= 8 - bitlen;
606 } 621 }
607 622
608 *result = aor; 623 *result = aor;
609 return 1; 624 return 1;
610 625
611 err: 626err:
612 IPAddressOrRange_free(aor); 627 IPAddressOrRange_free(aor);
613 return 0; 628 return 0;
614} 629}
615 630
616/* 631/*
@@ -618,241 +633,245 @@ static int make_addressPrefix(IPAddressOrRange **result,
618 * return a prefix instead. Doing this here simplifies 633 * return a prefix instead. Doing this here simplifies
619 * the rest of the code considerably. 634 * the rest of the code considerably.
620 */ 635 */
621static int make_addressRange(IPAddressOrRange **result, 636static int
622 unsigned char *min, 637make_addressRange(IPAddressOrRange **result, unsigned char *min,
623 unsigned char *max, const int length) 638 unsigned char *max, const int length)
624{ 639{
625 IPAddressOrRange *aor; 640 IPAddressOrRange *aor;
626 int i, prefixlen; 641 int i, prefixlen;
627 642
628 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 643 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
629 return make_addressPrefix(result, min, prefixlen); 644 return make_addressPrefix(result, min, prefixlen);
630 645
631 if ((aor = IPAddressOrRange_new()) == NULL) 646 if ((aor = IPAddressOrRange_new()) == NULL)
632 return 0; 647 return 0;
633 aor->type = IPAddressOrRange_addressRange; 648 aor->type = IPAddressOrRange_addressRange;
634 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 649 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
635 goto err; 650 goto err;
636 if (aor->u.addressRange->min == NULL && 651 if (aor->u.addressRange->min == NULL &&
637 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 652 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
638 goto err; 653 goto err;
639 if (aor->u.addressRange->max == NULL && 654 if (aor->u.addressRange->max == NULL &&
640 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 655 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
641 goto err; 656 goto err;
642 657
643 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ; 658 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
644 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 659 ;
645 goto err; 660 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
646 aor->u.addressRange->min->flags &= ~7; 661 goto err;
647 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 662 aor->u.addressRange->min->flags &= ~7;
648 if (i > 0) { 663 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
649 unsigned char b = min[i - 1]; 664 if (i > 0) {
650 int j = 1; 665 unsigned char b = min[i - 1];
651 while ((b & (0xFFU >> j)) != 0) 666 int j = 1;
652 ++j; 667 while ((b & (0xFFU >> j)) != 0)
653 aor->u.addressRange->min->flags |= 8 - j; 668 ++j;
654 } 669 aor->u.addressRange->min->flags |= 8 - j;
655 670 }
656 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ; 671
657 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 672 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
658 goto err; 673 ;
659 aor->u.addressRange->max->flags &= ~7; 674 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
660 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 675 goto err;
661 if (i > 0) { 676 aor->u.addressRange->max->flags &= ~7;
662 unsigned char b = max[i - 1]; 677 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
663 int j = 1; 678 if (i > 0) {
664 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 679 unsigned char b = max[i - 1];
665 ++j; 680 int j = 1;
666 aor->u.addressRange->max->flags |= 8 - j; 681 while ((b & (0xFFU >> j)) != (0xFFU >> j))
667 } 682 ++j;
668 683 aor->u.addressRange->max->flags |= 8 - j;
669 *result = aor; 684 }
670 return 1; 685
671 686 *result = aor;
672 err: 687 return 1;
673 IPAddressOrRange_free(aor); 688
674 return 0; 689err:
690 IPAddressOrRange_free(aor);
691 return 0;
675} 692}
676 693
677/* 694/*
678 * Construct a new address family or find an existing one. 695 * Construct a new address family or find an existing one.
679 */ 696 */
680static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 697static IPAddressFamily *
681 const unsigned afi, 698make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
682 const unsigned *safi) 699 const unsigned *safi)
683{ 700{
684 IPAddressFamily *f; 701 IPAddressFamily *f;
685 unsigned char key[3]; 702 unsigned char key[3];
686 int keylen; 703 int keylen;
687 int i; 704 int i;
688 705
689 key[0] = (afi >> 8) & 0xFF; 706 key[0] = (afi >> 8) & 0xFF;
690 key[1] = afi & 0xFF; 707 key[1] = afi & 0xFF;
691 if (safi != NULL) { 708 if (safi != NULL) {
692 key[2] = *safi & 0xFF; 709 key[2] = *safi & 0xFF;
693 keylen = 3; 710 keylen = 3;
694 } else { 711 } else {
695 keylen = 2; 712 keylen = 2;
696 } 713 }
697 714
698 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 715 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
699 f = sk_IPAddressFamily_value(addr, i); 716 f = sk_IPAddressFamily_value(addr, i);
700 if (f->addressFamily->length == keylen && 717 if (f->addressFamily->length == keylen &&
701 !memcmp(f->addressFamily->data, key, keylen)) 718 !memcmp(f->addressFamily->data, key, keylen))
702 return f; 719 return f;
703 } 720 }
704 721
705 if ((f = IPAddressFamily_new()) == NULL) 722 if ((f = IPAddressFamily_new()) == NULL)
706 goto err; 723 goto err;
707 if (f->ipAddressChoice == NULL && 724 if (f->ipAddressChoice == NULL &&
708 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 725 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
709 goto err; 726 goto err;
710 if (f->addressFamily == NULL && 727 if (f->addressFamily == NULL &&
711 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 728 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
712 goto err; 729 goto err;
713 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 730 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
714 goto err; 731 goto err;
715 if (!sk_IPAddressFamily_push(addr, f)) 732 if (!sk_IPAddressFamily_push(addr, f))
716 goto err; 733 goto err;
717 734
718 return f; 735 return f;
719 736
720 err: 737err:
721 IPAddressFamily_free(f); 738 IPAddressFamily_free(f);
722 return NULL; 739 return NULL;
723} 740}
724 741
725/* 742/*
726 * Add an inheritance element. 743 * Add an inheritance element.
727 */ 744 */
728int X509v3_addr_add_inherit(IPAddrBlocks *addr, 745int
729 const unsigned afi, const unsigned *safi) 746X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
747 const unsigned *safi)
730{ 748{
731 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 749 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
732 if (f == NULL || 750 if (f == NULL ||
733 f->ipAddressChoice == NULL || 751 f->ipAddressChoice == NULL ||
734 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 752 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
735 f->ipAddressChoice->u.addressesOrRanges != NULL)) 753 f->ipAddressChoice->u.addressesOrRanges != NULL))
736 return 0; 754 return 0;
737 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 755 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
738 f->ipAddressChoice->u.inherit != NULL) 756 f->ipAddressChoice->u.inherit != NULL)
739 return 1; 757 return 1;
740 if (f->ipAddressChoice->u.inherit == NULL && 758 if (f->ipAddressChoice->u.inherit == NULL &&
741 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 759 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
742 return 0; 760 return 0;
743 f->ipAddressChoice->type = IPAddressChoice_inherit; 761 f->ipAddressChoice->type = IPAddressChoice_inherit;
744 return 1; 762 return 1;
745} 763}
746 764
747/* 765/*
748 * Construct an IPAddressOrRange sequence, or return an existing one. 766 * Construct an IPAddressOrRange sequence, or return an existing one.
749 */ 767 */
750static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, 768static IPAddressOrRanges *
751 const unsigned afi, 769make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
752 const unsigned *safi) 770 const unsigned *safi)
753{ 771{
754 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 772 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
755 IPAddressOrRanges *aors = NULL; 773 IPAddressOrRanges *aors = NULL;
756 774
757 if (f == NULL || 775 if (f == NULL ||
758 f->ipAddressChoice == NULL || 776 f->ipAddressChoice == NULL ||
759 (f->ipAddressChoice->type == IPAddressChoice_inherit && 777 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
760 f->ipAddressChoice->u.inherit != NULL)) 778 f->ipAddressChoice->u.inherit != NULL))
761 return NULL; 779 return NULL;
762 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 780 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
763 aors = f->ipAddressChoice->u.addressesOrRanges; 781 aors = f->ipAddressChoice->u.addressesOrRanges;
764 if (aors != NULL) 782 if (aors != NULL)
765 return aors; 783 return aors;
766 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 784 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
767 return NULL; 785 return NULL;
768 switch (afi) { 786 switch (afi) {
769 case IANA_AFI_IPV4: 787 case IANA_AFI_IPV4:
770 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 788 (void)sk_IPAddressOrRange_set_cmp_func(aors,
771 break; 789 v4IPAddressOrRange_cmp);
772 case IANA_AFI_IPV6: 790 break;
773 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 791 case IANA_AFI_IPV6:
774 break; 792 (void)sk_IPAddressOrRange_set_cmp_func(aors,
775 } 793 v6IPAddressOrRange_cmp);
776 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 794 break;
777 f->ipAddressChoice->u.addressesOrRanges = aors; 795 }
778 return aors; 796 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
797 f->ipAddressChoice->u.addressesOrRanges = aors;
798 return aors;
779} 799}
780 800
781/* 801/*
782 * Add a prefix. 802 * Add a prefix.
783 */ 803 */
784int X509v3_addr_add_prefix(IPAddrBlocks *addr, 804int
785 const unsigned afi, 805X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi,
786 const unsigned *safi, 806 const unsigned *safi, unsigned char *a, const int prefixlen)
787 unsigned char *a, const int prefixlen)
788{ 807{
789 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 808 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
790 IPAddressOrRange *aor; 809 IPAddressOrRange *aor;
791 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 810 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
792 return 0; 811 return 0;
793 if (sk_IPAddressOrRange_push(aors, aor)) 812 if (sk_IPAddressOrRange_push(aors, aor))
794 return 1; 813 return 1;
795 IPAddressOrRange_free(aor); 814 IPAddressOrRange_free(aor);
796 return 0; 815 return 0;
797} 816}
798 817
799/* 818/*
800 * Add a range. 819 * Add a range.
801 */ 820 */
802int X509v3_addr_add_range(IPAddrBlocks *addr, 821int
803 const unsigned afi, 822X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi,
804 const unsigned *safi, 823 const unsigned *safi, unsigned char *min, unsigned char *max)
805 unsigned char *min, unsigned char *max)
806{ 824{
807 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 825 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
808 IPAddressOrRange *aor; 826 IPAddressOrRange *aor;
809 int length = length_from_afi(afi); 827 int length = length_from_afi(afi);
810 if (aors == NULL) 828 if (aors == NULL)
811 return 0; 829 return 0;
812 if (!make_addressRange(&aor, min, max, length)) 830 if (!make_addressRange(&aor, min, max, length))
813 return 0; 831 return 0;
814 if (sk_IPAddressOrRange_push(aors, aor)) 832 if (sk_IPAddressOrRange_push(aors, aor))
815 return 1; 833 return 1;
816 IPAddressOrRange_free(aor); 834 IPAddressOrRange_free(aor);
817 return 0; 835 return 0;
818} 836}
819 837
820/* 838/*
821 * Extract min and max values from an IPAddressOrRange. 839 * Extract min and max values from an IPAddressOrRange.
822 */ 840 */
823static int extract_min_max(IPAddressOrRange *aor, 841static int
824 unsigned char *min, unsigned char *max, int length) 842extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max,
843 int length)
825{ 844{
826 if (aor == NULL || min == NULL || max == NULL) 845 if (aor == NULL || min == NULL || max == NULL)
827 return 0; 846 return 0;
828 switch (aor->type) { 847 switch (aor->type) {
829 case IPAddressOrRange_addressPrefix: 848 case IPAddressOrRange_addressPrefix:
830 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 849 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
831 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 850 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
832 case IPAddressOrRange_addressRange: 851 case IPAddressOrRange_addressRange:
833 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && 852 return (addr_expand(min, aor->u.addressRange->min, length,
834 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 853 0x00) &&
835 } 854 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
836 return 0; 855 }
856 return 0;
837} 857}
838 858
839/* 859/*
840 * Public wrapper for extract_min_max(). 860 * Public wrapper for extract_min_max().
841 */ 861 */
842int X509v3_addr_get_range(IPAddressOrRange *aor, 862int
843 const unsigned afi, 863X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
844 unsigned char *min, 864 unsigned char *min, unsigned char *max, const int length)
845 unsigned char *max, const int length)
846{ 865{
847 int afi_length = length_from_afi(afi); 866 int afi_length = length_from_afi(afi);
848 if (aor == NULL || min == NULL || max == NULL || 867 if (aor == NULL || min == NULL || max == NULL ||
849 afi_length == 0 || length < afi_length || 868 afi_length == 0 || length < afi_length ||
850 (aor->type != IPAddressOrRange_addressPrefix && 869 (aor->type != IPAddressOrRange_addressPrefix &&
851 aor->type != IPAddressOrRange_addressRange) || 870 aor->type != IPAddressOrRange_addressRange) ||
852 !extract_min_max(aor, min, max, afi_length)) 871 !extract_min_max(aor, min, max, afi_length))
853 return 0; 872 return 0;
854 873
855 return afi_length; 874 return afi_length;
856} 875}
857 876
858/* 877/*
@@ -865,479 +884,492 @@ int X509v3_addr_get_range(IPAddressOrRange *aor,
865 * null-SAFI rule to apply only within a single AFI, which is what I 884 * null-SAFI rule to apply only within a single AFI, which is what I
866 * would have expected and is what the following code implements. 885 * would have expected and is what the following code implements.
867 */ 886 */
868static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, 887static int
869 const IPAddressFamily *const *b_) 888IPAddressFamily_cmp(const IPAddressFamily *const *a_,
889 const IPAddressFamily *const *b_)
870{ 890{
871 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 891 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
872 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 892 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
873 int len = ((a->length <= b->length) ? a->length : b->length); 893 int len = ((a->length <= b->length) ? a->length : b->length);
874 int cmp = memcmp(a->data, b->data, len); 894 int cmp = memcmp(a->data, b->data, len);
875 return cmp ? cmp : a->length - b->length; 895 return cmp ? cmp : a->length - b->length;
876} 896}
877 897
878/* 898/*
879 * Check whether an IPAddrBLocks is in canonical form. 899 * Check whether an IPAddrBLocks is in canonical form.
880 */ 900 */
881int X509v3_addr_is_canonical(IPAddrBlocks *addr) 901int
902X509v3_addr_is_canonical(IPAddrBlocks *addr)
882{ 903{
883 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 904 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
884 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 905 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
885 IPAddressOrRanges *aors; 906 IPAddressOrRanges *aors;
886 int i, j, k; 907 int i, j, k;
887 908
888 /* 909 /*
889 * Empty extension is canonical. 910 * Empty extension is canonical.
890 */ 911 */
891 if (addr == NULL) 912 if (addr == NULL)
892 return 1; 913 return 1;
893 914
894 /* 915 /*
895 * Check whether the top-level list is in order. 916 * Check whether the top-level list is in order.
896 */ 917 */
897 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 918 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
898 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 919 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
899 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 920 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
900 if (IPAddressFamily_cmp(&a, &b) >= 0) 921 if (IPAddressFamily_cmp(&a, &b) >= 0)
901 return 0; 922 return 0;
902 } 923 }
903 924
904 /* 925 /*
905 * Top level's ok, now check each address family. 926 * Top level's ok, now check each address family.
906 */ 927 */
907 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 928 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
908 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 929 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
909 int length = length_from_afi(X509v3_addr_get_afi(f)); 930 int length = length_from_afi(X509v3_addr_get_afi(f));
910 931
911 /* 932 /*
912 * Inheritance is canonical. Anything other than inheritance or 933 * Inheritance is canonical. Anything other than inheritance or
913 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. 934 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
914 */ 935 */
915 if (f == NULL || f->ipAddressChoice == NULL) 936 if (f == NULL || f->ipAddressChoice == NULL)
916 return 0; 937 return 0;
917 switch (f->ipAddressChoice->type) { 938 switch (f->ipAddressChoice->type) {
918 case IPAddressChoice_inherit: 939 case IPAddressChoice_inherit:
919 continue; 940 continue;
920 case IPAddressChoice_addressesOrRanges: 941 case IPAddressChoice_addressesOrRanges:
921 break; 942 break;
922 default: 943 default:
923 return 0; 944 return 0;
924 } 945 }
925 946
926 /* 947 /*
927 * It's an IPAddressOrRanges sequence, check it. 948 * It's an IPAddressOrRanges sequence, check it.
928 */ 949 */
929 aors = f->ipAddressChoice->u.addressesOrRanges; 950 aors = f->ipAddressChoice->u.addressesOrRanges;
930 if (sk_IPAddressOrRange_num(aors) == 0) 951 if (sk_IPAddressOrRange_num(aors) == 0)
931 return 0; 952 return 0;
932 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 953 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
933 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 954 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
934 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 955 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors,
935 956 j + 1);
936 if (!extract_min_max(a, a_min, a_max, length) || 957
937 !extract_min_max(b, b_min, b_max, length)) 958 if (!extract_min_max(a, a_min, a_max, length) ||
938 return 0; 959 !extract_min_max(b, b_min, b_max, length))
960 return 0;
939 961
940 /* 962 /*
941 * Punt misordered list, overlapping start, or inverted range. 963 * Punt misordered list, overlapping start, or inverted range.
942 */ 964 */
943 if (memcmp(a_min, b_min, length) >= 0 || 965 if (memcmp(a_min, b_min, length) >= 0 ||
944 memcmp(a_min, a_max, length) > 0 || 966 memcmp(a_min, a_max, length) > 0 ||
945 memcmp(b_min, b_max, length) > 0) 967 memcmp(b_min, b_max, length) > 0)
946 return 0; 968 return 0;
947 969
948 /* 970 /*
949 * Punt if adjacent or overlapping. Check for adjacency by 971 * Punt if adjacent or overlapping. Check for adjacency by
950 * subtracting one from b_min first. 972 * subtracting one from b_min first.
951 */ 973 */
952 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ; 974 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
953 if (memcmp(a_max, b_min, length) >= 0) 975 ;
954 return 0; 976 if (memcmp(a_max, b_min, length) >= 0)
977 return 0;
955 978
956 /* 979 /*
957 * Check for range that should be expressed as a prefix. 980 * Check for range that should be expressed as a prefix.
958 */ 981 */
959 if (a->type == IPAddressOrRange_addressRange && 982 if (a->type == IPAddressOrRange_addressRange &&
960 range_should_be_prefix(a_min, a_max, length) >= 0) 983 range_should_be_prefix(a_min, a_max, length) >= 0)
961 return 0; 984 return 0;
962 } 985 }
963 986
964 /* 987 /*
965 * Check range to see if it's inverted or should be a 988 * Check range to see if it's inverted or should be a
966 * prefix. 989 * prefix.
967 */ 990 */
968 j = sk_IPAddressOrRange_num(aors) - 1; 991 j = sk_IPAddressOrRange_num(aors) - 1;
969 { 992 {
970 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 993 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
971 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 994 if (a != NULL &&
972 if (!extract_min_max(a, a_min, a_max, length)) 995 a->type == IPAddressOrRange_addressRange) {
973 return 0; 996 if (!extract_min_max(a, a_min, a_max, length))
974 if (memcmp(a_min, a_max, length) > 0 || 997 return 0;
975 range_should_be_prefix(a_min, a_max, length) >= 0) 998 if (memcmp(a_min, a_max, length) > 0 ||
976 return 0; 999 range_should_be_prefix(a_min, a_max,
977 } 1000 length) >= 0)
978 } 1001 return 0;
979 } 1002 }
1003 }
1004 }
980 1005
981 /* 1006 /*
982 * If we made it through all that, we're happy. 1007 * If we made it through all that, we're happy.
983 */ 1008 */
984 return 1; 1009 return 1;
985} 1010}
986 1011
987/* 1012/*
988 * Whack an IPAddressOrRanges into canonical form. 1013 * Whack an IPAddressOrRanges into canonical form.
989 */ 1014 */
990static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, 1015static int
991 const unsigned afi) 1016IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
992{ 1017{
993 int i, j, length = length_from_afi(afi); 1018 int i, j, length = length_from_afi(afi);
994 1019
995 /* 1020 /*
996 * Sort the IPAddressOrRanges sequence. 1021 * Sort the IPAddressOrRanges sequence.
997 */ 1022 */
998 sk_IPAddressOrRange_sort(aors); 1023 sk_IPAddressOrRange_sort(aors);
999 1024
1000 /* 1025 /*
1001 * Clean up representation issues, punt on duplicates or overlaps. 1026 * Clean up representation issues, punt on duplicates or overlaps.
1002 */ 1027 */
1003 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 1028 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
1004 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 1029 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
1005 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 1030 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
1006 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1031 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
1007 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1032 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
1008 1033
1009 if (!extract_min_max(a, a_min, a_max, length) || 1034 if (!extract_min_max(a, a_min, a_max, length) ||
1010 !extract_min_max(b, b_min, b_max, length)) 1035 !extract_min_max(b, b_min, b_max, length))
1011 return 0; 1036 return 0;
1012 1037
1013 /* 1038 /*
1014 * Punt inverted ranges. 1039 * Punt inverted ranges.
1015 */ 1040 */
1016 if (memcmp(a_min, a_max, length) > 0 || 1041 if (memcmp(a_min, a_max, length) > 0 ||
1017 memcmp(b_min, b_max, length) > 0) 1042 memcmp(b_min, b_max, length) > 0)
1018 return 0; 1043 return 0;
1019 1044
1020 /* 1045 /*
1021 * Punt overlaps. 1046 * Punt overlaps.
1022 */ 1047 */
1023 if (memcmp(a_max, b_min, length) >= 0) 1048 if (memcmp(a_max, b_min, length) >= 0)
1024 return 0; 1049 return 0;
1025 1050
1026 /* 1051 /*
1027 * Merge if a and b are adjacent. We check for 1052 * Merge if a and b are adjacent. We check for
1028 * adjacency by subtracting one from b_min first. 1053 * adjacency by subtracting one from b_min first.
1029 */ 1054 */
1030 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ; 1055 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
1031 if (memcmp(a_max, b_min, length) == 0) { 1056 ;
1032 IPAddressOrRange *merged; 1057 if (memcmp(a_max, b_min, length) == 0) {
1033 if (!make_addressRange(&merged, a_min, b_max, length)) 1058 IPAddressOrRange *merged;
1034 return 0; 1059 if (!make_addressRange(&merged, a_min, b_max, length))
1035 (void)sk_IPAddressOrRange_set(aors, i, merged); 1060 return 0;
1036 (void)sk_IPAddressOrRange_delete(aors, i + 1); 1061 (void)sk_IPAddressOrRange_set(aors, i, merged);
1037 IPAddressOrRange_free(a); 1062 (void)sk_IPAddressOrRange_delete(aors, i + 1);
1038 IPAddressOrRange_free(b); 1063 IPAddressOrRange_free(a);
1039 --i; 1064 IPAddressOrRange_free(b);
1040 continue; 1065 --i;
1041 } 1066 continue;
1042 } 1067 }
1068 }
1043 1069
1044 /* 1070 /*
1045 * Check for inverted final range. 1071 * Check for inverted final range.
1046 */ 1072 */
1047 j = sk_IPAddressOrRange_num(aors) - 1; 1073 j = sk_IPAddressOrRange_num(aors) - 1;
1048 { 1074 {
1049 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 1075 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
1050 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 1076 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
1051 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1077 unsigned char a_min[ADDR_RAW_BUF_LEN],
1052 if (!extract_min_max(a, a_min, a_max, length)) 1078 a_max[ADDR_RAW_BUF_LEN];
1053 return 0; 1079 if (!extract_min_max(a, a_min, a_max, length))
1054 if (memcmp(a_min, a_max, length) > 0) 1080 return 0;
1055 return 0; 1081 if (memcmp(a_min, a_max, length) > 0)
1056 } 1082 return 0;
1057 } 1083 }
1058 1084 }
1059 return 1; 1085
1086 return 1;
1060} 1087}
1061 1088
1062/* 1089/*
1063 * Whack an IPAddrBlocks extension into canonical form. 1090 * Whack an IPAddrBlocks extension into canonical form.
1064 */ 1091 */
1065int X509v3_addr_canonize(IPAddrBlocks *addr) 1092int
1093X509v3_addr_canonize(IPAddrBlocks *addr)
1066{ 1094{
1067 int i; 1095 int i;
1068 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1096 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1069 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1097 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1070 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 1098 if (f->ipAddressChoice->type ==
1071 !IPAddressOrRanges_canonize(f->ipAddressChoice-> 1099 IPAddressChoice_addressesOrRanges &&
1072 u.addressesOrRanges, 1100 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
1073 X509v3_addr_get_afi(f))) 1101 X509v3_addr_get_afi(f)))
1074 return 0; 1102 return 0;
1075 } 1103 }
1076 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 1104 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
1077 sk_IPAddressFamily_sort(addr); 1105 sk_IPAddressFamily_sort(addr);
1078 OPENSSL_assert(X509v3_addr_is_canonical(addr)); 1106 OPENSSL_assert(X509v3_addr_is_canonical(addr));
1079 return 1; 1107 return 1;
1080} 1108}
1081 1109
1082/* 1110/*
1083 * v2i handler for the IPAddrBlocks extension. 1111 * v2i handler for the IPAddrBlocks extension.
1084 */ 1112 */
1085static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, 1113static void *
1086 struct v3_ext_ctx *ctx, 1114v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
1087 STACK_OF(CONF_VALUE) *values) 1115 STACK_OF(CONF_VALUE)*values)
1088{ 1116{
1089 static const char v4addr_chars[] = "0123456789."; 1117 static const char v4addr_chars[] = "0123456789.";
1090 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 1118 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
1091 IPAddrBlocks *addr = NULL; 1119 IPAddrBlocks *addr = NULL;
1092 char *s = NULL, *t; 1120 char *s = NULL, *t;
1093 int i; 1121 int i;
1094 1122
1095 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 1123 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
1096 X509V3error(ERR_R_MALLOC_FAILURE); 1124 X509V3error(ERR_R_MALLOC_FAILURE);
1097 return NULL; 1125 return NULL;
1098 } 1126 }
1099 1127
1100 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 1128 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
1101 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 1129 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
1102 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 1130 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
1103 unsigned afi, *safi = NULL, safi_; 1131 unsigned afi, *safi = NULL, safi_;
1104 const char *addr_chars = NULL; 1132 const char *addr_chars = NULL;
1105 int prefixlen, i1, i2, delim, length; 1133 int prefixlen, i1, i2, delim, length;
1106 1134
1107 if (!name_cmp(val->name, "IPv4")) { 1135 if (!name_cmp(val->name, "IPv4")) {
1108 afi = IANA_AFI_IPV4; 1136 afi = IANA_AFI_IPV4;
1109 } else if (!name_cmp(val->name, "IPv6")) { 1137 } else if (!name_cmp(val->name, "IPv6")) {
1110 afi = IANA_AFI_IPV6; 1138 afi = IANA_AFI_IPV6;
1111 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 1139 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
1112 afi = IANA_AFI_IPV4; 1140 afi = IANA_AFI_IPV4;
1113 safi = &safi_; 1141 safi = &safi_;
1114 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 1142 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
1115 afi = IANA_AFI_IPV6; 1143 afi = IANA_AFI_IPV6;
1116 safi = &safi_; 1144 safi = &safi_;
1117 } else { 1145 } else {
1118 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 1146 X509V3error(X509V3_R_EXTENSION_NAME_ERROR);
1119 X509V3_conf_err(val); 1147 X509V3_conf_err(val);
1120 goto err; 1148 goto err;
1121 } 1149 }
1122 1150
1123 switch (afi) { 1151 switch (afi) {
1124 case IANA_AFI_IPV4: 1152 case IANA_AFI_IPV4:
1125 addr_chars = v4addr_chars; 1153 addr_chars = v4addr_chars;
1126 break; 1154 break;
1127 case IANA_AFI_IPV6: 1155 case IANA_AFI_IPV6:
1128 addr_chars = v6addr_chars; 1156 addr_chars = v6addr_chars;
1129 break; 1157 break;
1130 } 1158 }
1131 1159
1132 length = length_from_afi(afi); 1160 length = length_from_afi(afi);
1133 1161
1134 /* 1162 /*
1135 * Handle SAFI, if any, and strdup() so we can null-terminate 1163 * Handle SAFI, if any, and strdup() so we can null-terminate
1136 * the other input values. 1164 * the other input values.
1137 */ 1165 */
1138 if (safi != NULL) { 1166 if (safi != NULL) {
1139 *safi = strtoul(val->value, &t, 0); 1167 *safi = strtoul(val->value, &t, 0);
1140 t += strspn(t, " \t"); 1168 t += strspn(t, " \t");
1141 if (*safi > 0xFF || *t++ != ':') { 1169 if (*safi > 0xFF || *t++ != ':') {
1142 X509V3error(X509V3_R_INVALID_SAFI); 1170 X509V3error(X509V3_R_INVALID_SAFI);
1143 X509V3_conf_err(val); 1171 X509V3_conf_err(val);
1144 goto err; 1172 goto err;
1145 } 1173 }
1146 t += strspn(t, " \t"); 1174 t += strspn(t, " \t");
1147 s = strdup(t); 1175 s = strdup(t);
1148 } else { 1176 } else {
1149 s = strdup(val->value); 1177 s = strdup(val->value);
1150 } 1178 }
1151 if (s == NULL) { 1179 if (s == NULL) {
1152 X509V3error(ERR_R_MALLOC_FAILURE); 1180 X509V3error(ERR_R_MALLOC_FAILURE);
1153 goto err; 1181 goto err;
1154 } 1182 }
1155 1183
1156 /* 1184 /*
1157 * Check for inheritance. Not worth additional complexity to 1185 * Check for inheritance. Not worth additional complexity to
1158 * optimize this (seldom-used) case. 1186 * optimize this (seldom-used) case.
1159 */ 1187 */
1160 if (strcmp(s, "inherit") == 0) { 1188 if (strcmp(s, "inherit") == 0) {
1161 if (!X509v3_addr_add_inherit(addr, afi, safi)) { 1189 if (!X509v3_addr_add_inherit(addr, afi, safi)) {
1162 X509V3error(X509V3_R_INVALID_INHERITANCE); 1190 X509V3error(X509V3_R_INVALID_INHERITANCE);
1163 X509V3_conf_err(val); 1191 X509V3_conf_err(val);
1164 goto err; 1192 goto err;
1165 } 1193 }
1166 free(s); 1194 free(s);
1167 s = NULL; 1195 s = NULL;
1168 continue; 1196 continue;
1169 } 1197 }
1170 1198
1171 i1 = strspn(s, addr_chars); 1199 i1 = strspn(s, addr_chars);
1172 i2 = i1 + strspn(s + i1, " \t"); 1200 i2 = i1 + strspn(s + i1, " \t");
1173 delim = s[i2++]; 1201 delim = s[i2++];
1174 s[i1] = '\0'; 1202 s[i1] = '\0';
1175 1203
1176 if (a2i_ipadd(min, s) != length) { 1204 if (a2i_ipadd(min, s) != length) {
1177 X509V3error(X509V3_R_INVALID_IPADDRESS); 1205 X509V3error(X509V3_R_INVALID_IPADDRESS);
1178 X509V3_conf_err(val); 1206 X509V3_conf_err(val);
1179 goto err; 1207 goto err;
1180 } 1208 }
1181 1209
1182 switch (delim) { 1210 switch (delim) {
1183 case '/': 1211 case '/':
1184 prefixlen = (int)strtoul(s + i2, &t, 10); 1212 prefixlen = (int)strtoul(s + i2, &t, 10);
1185 if (t == s + i2 || *t != '\0') { 1213 if (t == s + i2 || *t != '\0') {
1186 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1214 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1187 X509V3_conf_err(val); 1215 X509V3_conf_err(val);
1188 goto err; 1216 goto err;
1189 } 1217 }
1190 if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { 1218 if (!X509v3_addr_add_prefix(addr, afi, safi, min,
1191 X509V3error(ERR_R_MALLOC_FAILURE); 1219 prefixlen)) {
1192 goto err; 1220 X509V3error(ERR_R_MALLOC_FAILURE);
1193 } 1221 goto err;
1194 break; 1222 }
1195 case '-': 1223 break;
1196 i1 = i2 + strspn(s + i2, " \t"); 1224 case '-':
1197 i2 = i1 + strspn(s + i1, addr_chars); 1225 i1 = i2 + strspn(s + i2, " \t");
1198 if (i1 == i2 || s[i2] != '\0') { 1226 i2 = i1 + strspn(s + i1, addr_chars);
1199 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1227 if (i1 == i2 || s[i2] != '\0') {
1200 X509V3_conf_err(val); 1228 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1201 goto err; 1229 X509V3_conf_err(val);
1202 } 1230 goto err;
1203 if (a2i_ipadd(max, s + i1) != length) { 1231 }
1204 X509V3error(X509V3_R_INVALID_IPADDRESS); 1232 if (a2i_ipadd(max, s + i1) != length) {
1205 X509V3_conf_err(val); 1233 X509V3error(X509V3_R_INVALID_IPADDRESS);
1206 goto err; 1234 X509V3_conf_err(val);
1207 } 1235 goto err;
1208 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1236 }
1209 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1237 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1210 X509V3_conf_err(val); 1238 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1211 goto err; 1239 X509V3_conf_err(val);
1212 } 1240 goto err;
1213 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { 1241 }
1214 X509V3error(ERR_R_MALLOC_FAILURE); 1242 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
1215 goto err; 1243 X509V3error(ERR_R_MALLOC_FAILURE);
1216 } 1244 goto err;
1217 break; 1245 }
1218 case '\0': 1246 break;
1219 if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { 1247 case '\0':
1220 X509V3error(ERR_R_MALLOC_FAILURE); 1248 if (!X509v3_addr_add_prefix(addr, afi, safi, min,
1221 goto err; 1249 length * 8)) {
1222 } 1250 X509V3error(ERR_R_MALLOC_FAILURE);
1223 break; 1251 goto err;
1224 default: 1252 }
1225 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1253 break;
1226 X509V3_conf_err(val); 1254 default:
1227 goto err; 1255 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1228 } 1256 X509V3_conf_err(val);
1229 1257 goto err;
1230 free(s); 1258 }
1231 s = NULL; 1259
1232 } 1260 free(s);
1261 s = NULL;
1262 }
1233 1263
1234 /* 1264 /*
1235 * Canonize the result, then we're done. 1265 * Canonize the result, then we're done.
1236 */ 1266 */
1237 if (!X509v3_addr_canonize(addr)) 1267 if (!X509v3_addr_canonize(addr))
1238 goto err; 1268 goto err;
1239 return addr; 1269 return addr;
1240 1270
1241 err: 1271err:
1242 free(s); 1272 free(s);
1243 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1273 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1244 return NULL; 1274 return NULL;
1245} 1275}
1246 1276
1247/* 1277/*
1248 * OpenSSL dispatch 1278 * OpenSSL dispatch
1249 */ 1279 */
1250const X509V3_EXT_METHOD v3_addr = { 1280const X509V3_EXT_METHOD v3_addr = {
1251 NID_sbgp_ipAddrBlock, /* nid */ 1281 NID_sbgp_ipAddrBlock, /* nid */
1252 0, /* flags */ 1282 0, /* flags */
1253 &IPAddrBlocks_it, 1283 &IPAddrBlocks_it,
1254 0, 0, 0, 0, /* old functions, ignored */ 1284 0, 0, 0, 0, /* old functions, ignored */
1255 0, /* i2s */ 1285 0, /* i2s */
1256 0, /* s2i */ 1286 0, /* s2i */
1257 0, /* i2v */ 1287 0, /* i2v */
1258 v2i_IPAddrBlocks, /* v2i */ 1288 v2i_IPAddrBlocks, /* v2i */
1259 i2r_IPAddrBlocks, /* i2r */ 1289 i2r_IPAddrBlocks, /* i2r */
1260 0, /* r2i */ 1290 0, /* r2i */
1261 NULL /* extension-specific data */ 1291 NULL /* extension-specific data */
1262}; 1292};
1263 1293
1264/* 1294/*
1265 * Figure out whether extension sues inheritance. 1295 * Figure out whether extension sues inheritance.
1266 */ 1296 */
1267int X509v3_addr_inherits(IPAddrBlocks *addr) 1297int
1298X509v3_addr_inherits(IPAddrBlocks *addr)
1268{ 1299{
1269 int i; 1300 int i;
1270 if (addr == NULL) 1301 if (addr == NULL)
1271 return 0; 1302 return 0;
1272 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1303 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1273 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1304 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1274 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1305 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1275 return 1; 1306 return 1;
1276 } 1307 }
1277 return 0; 1308 return 0;
1278} 1309}
1279 1310
1280/* 1311/*
1281 * Figure out whether parent contains child. 1312 * Figure out whether parent contains child.
1282 */ 1313 */
1283static int addr_contains(IPAddressOrRanges *parent, 1314static int
1284 IPAddressOrRanges *child, int length) 1315addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
1285{ 1316{
1286 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1317 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1287 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1318 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1288 int p, c; 1319 int p, c;
1289 1320
1290 if (child == NULL || parent == child) 1321 if (child == NULL || parent == child)
1291 return 1; 1322 return 1;
1292 if (parent == NULL) 1323 if (parent == NULL)
1293 return 0; 1324 return 0;
1294 1325
1295 p = 0; 1326 p = 0;
1296 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1327 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1297 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1328 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1298 c_min, c_max, length)) 1329 c_min, c_max, length))
1299 return -1; 1330 return -1;
1300 for (;; p++) { 1331 for (;; p++) {
1301 if (p >= sk_IPAddressOrRange_num(parent)) 1332 if (p >= sk_IPAddressOrRange_num(parent))
1302 return 0; 1333 return 0;
1303 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), 1334 if (!extract_min_max(sk_IPAddressOrRange_value(parent,
1304 p_min, p_max, length)) 1335 p), p_min, p_max, length))
1305 return 0; 1336 return 0;
1306 if (memcmp(p_max, c_max, length) < 0) 1337 if (memcmp(p_max, c_max, length) < 0)
1307 continue; 1338 continue;
1308 if (memcmp(p_min, c_min, length) > 0) 1339 if (memcmp(p_min, c_min, length) > 0)
1309 return 0; 1340 return 0;
1310 break; 1341 break;
1311 } 1342 }
1312 } 1343 }
1313 1344
1314 return 1; 1345 return 1;
1315} 1346}
1316 1347
1317/* 1348/*
1318 * Test whether a is a subset of b. 1349 * Test whether a is a subset of b.
1319 */ 1350 */
1320int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1351int
1352X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1321{ 1353{
1322 int i; 1354 int i;
1323 if (a == NULL || a == b) 1355 if (a == NULL || a == b)
1324 return 1; 1356 return 1;
1325 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b)) 1357 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
1326 return 0; 1358 return 0;
1327 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1359 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1328 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1360 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1329 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1361 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1330 int j = sk_IPAddressFamily_find(b, fa); 1362 int j = sk_IPAddressFamily_find(b, fa);
1331 IPAddressFamily *fb; 1363 IPAddressFamily *fb;
1332 fb = sk_IPAddressFamily_value(b, j); 1364 fb = sk_IPAddressFamily_value(b, j);
1333 if (fb == NULL) 1365 if (fb == NULL)
1334 return 0; 1366 return 0;
1335 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1367 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1336 fa->ipAddressChoice->u.addressesOrRanges, 1368 fa->ipAddressChoice->u.addressesOrRanges,
1337 length_from_afi(X509v3_addr_get_afi(fb)))) 1369 length_from_afi(X509v3_addr_get_afi(fb))))
1338 return 0; 1370 return 0;
1339 } 1371 }
1340 return 1; 1372 return 1;
1341} 1373}
1342 1374
1343/* 1375/*
@@ -1365,105 +1397,109 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1365 * When returning 0, ctx->error MUST be set to an appropriate value other than 1397 * When returning 0, ctx->error MUST be set to an appropriate value other than
1366 * X509_V_OK. 1398 * X509_V_OK.
1367 */ 1399 */
1368static int addr_validate_path_internal(X509_STORE_CTX *ctx, 1400static int
1369 STACK_OF(X509) *chain, 1401addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
1370 IPAddrBlocks *ext) 1402 IPAddrBlocks *ext)
1371{ 1403{
1372 IPAddrBlocks *child = NULL; 1404 IPAddrBlocks *child = NULL;
1373 int i, j, ret = 1; 1405 int i, j, ret = 1;
1374 X509 *x; 1406 X509 *x;
1375 1407
1376 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1408 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1377 OPENSSL_assert(ctx != NULL || ext != NULL); 1409 OPENSSL_assert(ctx != NULL || ext != NULL);
1378 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1410 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1379 1411
1380 /* 1412 /*
1381 * Figure out where to start. If we don't have an extension to 1413 * Figure out where to start. If we don't have an extension to
1382 * check, we're done. Otherwise, check canonical form and 1414 * check, we're done. Otherwise, check canonical form and
1383 * set up for walking up the chain. 1415 * set up for walking up the chain.
1384 */ 1416 */
1385 if (ext != NULL) { 1417 if (ext != NULL) {
1386 i = -1; 1418 i = -1;
1387 x = NULL; 1419 x = NULL;
1388 } else { 1420 } else {
1389 i = 0; 1421 i = 0;
1390 x = sk_X509_value(chain, i); 1422 x = sk_X509_value(chain, i);
1391 if ((ext = x->rfc3779_addr) == NULL) 1423 if ((ext = x->rfc3779_addr) == NULL)
1392 goto done; 1424 goto done;
1393 } 1425 }
1394 if (!X509v3_addr_is_canonical(ext)) 1426 if (!X509v3_addr_is_canonical(ext))
1395 validation_err(X509_V_ERR_INVALID_EXTENSION); 1427 validation_err(X509_V_ERR_INVALID_EXTENSION);
1396 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1428 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1397 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1429 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1398 X509V3error(ERR_R_MALLOC_FAILURE); 1430 X509V3error(ERR_R_MALLOC_FAILURE);
1399 if (ctx != NULL) 1431 if (ctx != NULL)
1400 ctx->error = X509_V_ERR_OUT_OF_MEM; 1432 ctx->error = X509_V_ERR_OUT_OF_MEM;
1401 ret = 0; 1433 ret = 0;
1402 goto done; 1434 goto done;
1403 } 1435 }
1404 1436
1405 /* 1437 /*
1406 * Now walk up the chain. No cert may list resources that its 1438 * Now walk up the chain. No cert may list resources that its
1407 * parent doesn't list. 1439 * parent doesn't list.
1408 */ 1440 */
1409 for (i++; i < sk_X509_num(chain); i++) { 1441 for (i++; i < sk_X509_num(chain); i++) {
1410 x = sk_X509_value(chain, i); 1442 x = sk_X509_value(chain, i);
1411 if (!X509v3_addr_is_canonical(x->rfc3779_addr)) 1443 if (!X509v3_addr_is_canonical(x->rfc3779_addr))
1412 validation_err(X509_V_ERR_INVALID_EXTENSION); 1444 validation_err(X509_V_ERR_INVALID_EXTENSION);
1413 if (x->rfc3779_addr == NULL) { 1445 if (x->rfc3779_addr == NULL) {
1414 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1446 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1415 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1447 IPAddressFamily *fc = sk_IPAddressFamily_value(child,
1416 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { 1448 j);
1417 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1449 if (fc->ipAddressChoice->type !=
1418 break; 1450 IPAddressChoice_inherit) {
1419 } 1451 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1420 } 1452 break;
1421 continue; 1453 }
1422 } 1454 }
1423 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, 1455 continue;
1424 IPAddressFamily_cmp); 1456 }
1425 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1457 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1426 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1458 IPAddressFamily_cmp);
1427 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1459 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1428 IPAddressFamily *fp = 1460 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1429 sk_IPAddressFamily_value(x->rfc3779_addr, k); 1461 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1430 if (fp == NULL) { 1462 IPAddressFamily *fp =
1431 if (fc->ipAddressChoice->type == 1463 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1432 IPAddressChoice_addressesOrRanges) { 1464 if (fp == NULL) {
1433 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1465 if (fc->ipAddressChoice->type ==
1434 break; 1466 IPAddressChoice_addressesOrRanges) {
1435 } 1467 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1436 continue; 1468 break;
1437 } 1469 }
1438 if (fp->ipAddressChoice->type == 1470 continue;
1439 IPAddressChoice_addressesOrRanges) { 1471 }
1440 if (fc->ipAddressChoice->type == IPAddressChoice_inherit 1472 if (fp->ipAddressChoice->type ==
1441 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1473 IPAddressChoice_addressesOrRanges) {
1442 fc->ipAddressChoice->u.addressesOrRanges, 1474 if (fc->ipAddressChoice->type ==
1443 length_from_afi(X509v3_addr_get_afi(fc)))) 1475 IPAddressChoice_inherit ||
1444 sk_IPAddressFamily_set(child, j, fp); 1476 addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1445 else 1477 fc->ipAddressChoice->u.addressesOrRanges,
1446 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1478 length_from_afi(X509v3_addr_get_afi(fc))))
1447 } 1479 sk_IPAddressFamily_set(child, j, fp);
1448 } 1480 else
1449 } 1481 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1482 }
1483 }
1484 }
1450 1485
1451 /* 1486 /*
1452 * Trust anchor can't inherit. 1487 * Trust anchor can't inherit.
1453 */ 1488 */
1454 if (x->rfc3779_addr != NULL) { 1489 if (x->rfc3779_addr != NULL) {
1455 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1490 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1456 IPAddressFamily *fp = 1491 IPAddressFamily *fp =
1457 sk_IPAddressFamily_value(x->rfc3779_addr, j); 1492 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1458 if (fp->ipAddressChoice->type == IPAddressChoice_inherit 1493 if (fp->ipAddressChoice->type ==
1459 && sk_IPAddressFamily_find(child, fp) >= 0) 1494 IPAddressChoice_inherit &&
1460 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1495 sk_IPAddressFamily_find(child, fp) >= 0)
1461 } 1496 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1462 } 1497 }
1463 1498 }
1464 done: 1499
1465 sk_IPAddressFamily_free(child); 1500done:
1466 return ret; 1501 sk_IPAddressFamily_free(child);
1502 return ret;
1467} 1503}
1468 1504
1469#undef validation_err 1505#undef validation_err
@@ -1471,31 +1507,33 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
1471/* 1507/*
1472 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1508 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1473 */ 1509 */
1474int X509v3_addr_validate_path(X509_STORE_CTX *ctx) 1510int
1511X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1475{ 1512{
1476 if (ctx->chain == NULL 1513 if (ctx->chain == NULL ||
1477 || sk_X509_num(ctx->chain) == 0 1514 sk_X509_num(ctx->chain) == 0 ||
1478 || ctx->verify_cb == NULL) { 1515 ctx->verify_cb == NULL) {
1479 ctx->error = X509_V_ERR_UNSPECIFIED; 1516 ctx->error = X509_V_ERR_UNSPECIFIED;
1480 return 0; 1517 return 0;
1481 } 1518 }
1482 return addr_validate_path_internal(ctx, ctx->chain, NULL); 1519 return addr_validate_path_internal(ctx, ctx->chain, NULL);
1483} 1520}
1484 1521
1485/* 1522/*
1486 * RFC 3779 2.3 path validation of an extension. 1523 * RFC 3779 2.3 path validation of an extension.
1487 * Test whether chain covers extension. 1524 * Test whether chain covers extension.
1488 */ 1525 */
1489int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, 1526int
1490 IPAddrBlocks *ext, int allow_inheritance) 1527X509v3_addr_validate_resource_set(STACK_OF(X509)*chain, IPAddrBlocks *ext,
1528 int allow_inheritance)
1491{ 1529{
1492 if (ext == NULL) 1530 if (ext == NULL)
1493 return 1; 1531 return 1;
1494 if (chain == NULL || sk_X509_num(chain) == 0) 1532 if (chain == NULL || sk_X509_num(chain) == 0)
1495 return 0; 1533 return 0;
1496 if (!allow_inheritance && X509v3_addr_inherits(ext)) 1534 if (!allow_inheritance && X509v3_addr_inherits(ext))
1497 return 0; 1535 return 0;
1498 return addr_validate_path_internal(NULL, chain, ext); 1536 return addr_validate_path_internal(NULL, chain, ext);
1499} 1537}
1500 1538
1501#endif /* OPENSSL_NO_RFC3779 */ 1539#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index f5b5d86384..d9c7fd1bdb 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -188,7 +188,8 @@ ASIdOrRange_free(ASIdOrRange *a)
188} 188}
189 189
190ASIdentifierChoice * 190ASIdentifierChoice *
191d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in, long len) 191d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in,
192 long len)
192{ 193{
193 return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 194 return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
194 (&(ASIdentifierChoice_it))); 195 (&(ASIdentifierChoice_it)));
@@ -198,7 +199,6 @@ int
198i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out) 199i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out)
199{ 200{
200 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifierChoice_it))); 201 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifierChoice_it)));
201
202} 202}
203 203
204ASIdentifierChoice * 204ASIdentifierChoice *
@@ -226,12 +226,14 @@ i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out)
226 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifiers_it))); 226 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifiers_it)));
227} 227}
228 228
229ASIdentifiers *ASIdentifiers_new(void) 229ASIdentifiers *
230ASIdentifiers_new(void)
230{ 231{
231 return (ASIdentifiers *)ASN1_item_new((&(ASIdentifiers_it))); 232 return (ASIdentifiers *)ASN1_item_new((&(ASIdentifiers_it)));
232} 233}
233 234
234void ASIdentifiers_free(ASIdentifiers *a) 235void
236ASIdentifiers_free(ASIdentifiers *a)
235{ 237{
236 ASN1_item_free((ASN1_VALUE *)a, (&(ASIdentifiers_it))); 238 ASN1_item_free((ASN1_VALUE *)a, (&(ASIdentifiers_it)));
237} 239}
@@ -239,644 +241,672 @@ void ASIdentifiers_free(ASIdentifiers *a)
239/* 241/*
240 * i2r method for an ASIdentifierChoice. 242 * i2r method for an ASIdentifierChoice.
241 */ 243 */
242static int i2r_ASIdentifierChoice(BIO *out, 244static int
243 ASIdentifierChoice *choice, 245i2r_ASIdentifierChoice(BIO *out, ASIdentifierChoice *choice, int indent,
244 int indent, const char *msg) 246 const char *msg)
245{ 247{
246 int i; 248 int i;
247 char *s; 249 char *s;
248 if (choice == NULL) 250 if (choice == NULL)
249 return 1; 251 return 1;
250 BIO_printf(out, "%*s%s:\n", indent, "", msg); 252 BIO_printf(out, "%*s%s:\n", indent, "", msg);
251 switch (choice->type) { 253 switch (choice->type) {
252 case ASIdentifierChoice_inherit: 254 case ASIdentifierChoice_inherit:
253 BIO_printf(out, "%*sinherit\n", indent + 2, ""); 255 BIO_printf(out, "%*sinherit\n", indent + 2, "");
254 break; 256 break;
255 case ASIdentifierChoice_asIdsOrRanges: 257 case ASIdentifierChoice_asIdsOrRanges:
256 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) { 258 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges);
257 ASIdOrRange *aor = 259 i++) {
258 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 260 ASIdOrRange *aor =
259 switch (aor->type) { 261 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
260 case ASIdOrRange_id: 262 switch (aor->type) {
261 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL) 263 case ASIdOrRange_id:
262 return 0; 264 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) ==
263 BIO_printf(out, "%*s%s\n", indent + 2, "", s); 265 NULL)
264 free(s); 266 return 0;
265 break; 267 BIO_printf(out, "%*s%s\n", indent + 2, "", s);
266 case ASIdOrRange_range: 268 free(s);
267 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL) 269 break;
268 return 0; 270 case ASIdOrRange_range:
269 BIO_printf(out, "%*s%s-", indent + 2, "", s); 271 if ((s = i2s_ASN1_INTEGER(NULL,
270 free(s); 272 aor->u.range->min)) == NULL)
271 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL) 273 return 0;
272 return 0; 274 BIO_printf(out, "%*s%s-", indent + 2, "", s);
273 BIO_printf(out, "%s\n", s); 275 free(s);
274 free(s); 276 if ((s = i2s_ASN1_INTEGER(NULL,
275 break; 277 aor->u.range->max)) == NULL)
276 default: 278 return 0;
277 return 0; 279 BIO_printf(out, "%s\n", s);
278 } 280 free(s);
279 } 281 break;
280 break; 282 default:
281 default: 283 return 0;
282 return 0; 284 }
283 } 285 }
284 return 1; 286 break;
287 default:
288 return 0;
289 }
290 return 1;
285} 291}
286 292
287/* 293/*
288 * i2r method for an ASIdentifier extension. 294 * i2r method for an ASIdentifier extension.
289 */ 295 */
290static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, 296static int
291 void *ext, BIO *out, int indent) 297i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
298 int indent)
292{ 299{
293 ASIdentifiers *asid = ext; 300 ASIdentifiers *asid = ext;
294 return (i2r_ASIdentifierChoice(out, asid->asnum, indent, 301 return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
295 "Autonomous System Numbers") && 302 "Autonomous System Numbers") &&
296 i2r_ASIdentifierChoice(out, asid->rdi, indent, 303 i2r_ASIdentifierChoice(out, asid->rdi, indent,
297 "Routing Domain Identifiers")); 304 "Routing Domain Identifiers"));
298} 305}
299 306
300/* 307/*
301 * Sort comparison function for a sequence of ASIdOrRange elements. 308 * Sort comparison function for a sequence of ASIdOrRange elements.
302 */ 309 */
303static int ASIdOrRange_cmp(const ASIdOrRange *const *a_, 310static int
304 const ASIdOrRange *const *b_) 311ASIdOrRange_cmp(const ASIdOrRange *const *a_, const ASIdOrRange *const *b_)
305{ 312{
306 const ASIdOrRange *a = *a_, *b = *b_; 313 const ASIdOrRange *a = *a_, *b = *b_;
307 314
308 /* XXX: these asserts need to be replaced */ 315 /* XXX: these asserts need to be replaced */
309 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) || 316 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
310 (a->type == ASIdOrRange_range && a->u.range != NULL && 317 (a->type == ASIdOrRange_range && a->u.range != NULL &&
311 a->u.range->min != NULL && a->u.range->max != NULL)); 318 a->u.range->min != NULL && a->u.range->max != NULL));
312 319
313 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) || 320 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
314 (b->type == ASIdOrRange_range && b->u.range != NULL && 321 (b->type == ASIdOrRange_range && b->u.range != NULL &&
315 b->u.range->min != NULL && b->u.range->max != NULL)); 322 b->u.range->min != NULL && b->u.range->max != NULL));
316 323
317 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) 324 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
318 return ASN1_INTEGER_cmp(a->u.id, b->u.id); 325 return ASN1_INTEGER_cmp(a->u.id, b->u.id);
319 326
320 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { 327 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
321 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); 328 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
322 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, 329 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max,
323 b->u.range->max); 330 b->u.range->max);
324 } 331 }
325 332
326 if (a->type == ASIdOrRange_id) 333 if (a->type == ASIdOrRange_id)
327 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min); 334 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
328 else 335 else
329 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id); 336 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
330} 337}
331 338
332/* 339/*
333 * Add an inherit element. 340 * Add an inherit element.
334 */ 341 */
335int X509v3_asid_add_inherit(ASIdentifiers *asid, int which) 342int
343X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
336{ 344{
337 ASIdentifierChoice **choice; 345 ASIdentifierChoice **choice;
338 if (asid == NULL) 346 if (asid == NULL)
339 return 0; 347 return 0;
340 switch (which) { 348 switch (which) {
341 case V3_ASID_ASNUM: 349 case V3_ASID_ASNUM:
342 choice = &asid->asnum; 350 choice = &asid->asnum;
343 break; 351 break;
344 case V3_ASID_RDI: 352 case V3_ASID_RDI:
345 choice = &asid->rdi; 353 choice = &asid->rdi;
346 break; 354 break;
347 default: 355 default:
348 return 0; 356 return 0;
349 } 357 }
350 if (*choice == NULL) { 358 if (*choice == NULL) {
351 if ((*choice = ASIdentifierChoice_new()) == NULL) 359 if ((*choice = ASIdentifierChoice_new()) == NULL)
352 return 0; 360 return 0;
353 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) 361 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
354 return 0; 362 return 0;
355 (*choice)->type = ASIdentifierChoice_inherit; 363 (*choice)->type = ASIdentifierChoice_inherit;
356 } 364 }
357 return (*choice)->type == ASIdentifierChoice_inherit; 365 return (*choice)->type == ASIdentifierChoice_inherit;
358} 366}
359 367
360/* 368/*
361 * Add an ID or range to an ASIdentifierChoice. 369 * Add an ID or range to an ASIdentifierChoice.
362 */ 370 */
363int X509v3_asid_add_id_or_range(ASIdentifiers *asid, 371int
364 int which, ASN1_INTEGER *min, ASN1_INTEGER *max) 372X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
373 ASN1_INTEGER *max)
365{ 374{
366 ASIdentifierChoice **choice; 375 ASIdentifierChoice **choice;
367 ASIdOrRange *aor; 376 ASIdOrRange *aor;
368 if (asid == NULL) 377 if (asid == NULL)
369 return 0; 378 return 0;
370 switch (which) { 379 switch (which) {
371 case V3_ASID_ASNUM: 380 case V3_ASID_ASNUM:
372 choice = &asid->asnum; 381 choice = &asid->asnum;
373 break; 382 break;
374 case V3_ASID_RDI: 383 case V3_ASID_RDI:
375 choice = &asid->rdi; 384 choice = &asid->rdi;
376 break; 385 break;
377 default: 386 default:
378 return 0; 387 return 0;
379 } 388 }
380 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) 389 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
381 return 0; 390 return 0;
382 if (*choice == NULL) { 391 if (*choice == NULL) {
383 if ((*choice = ASIdentifierChoice_new()) == NULL) 392 if ((*choice = ASIdentifierChoice_new()) == NULL)
384 return 0; 393 return 0;
385 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); 394 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
386 if ((*choice)->u.asIdsOrRanges == NULL) 395 if ((*choice)->u.asIdsOrRanges == NULL)
387 return 0; 396 return 0;
388 (*choice)->type = ASIdentifierChoice_asIdsOrRanges; 397 (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
389 } 398 }
390 if ((aor = ASIdOrRange_new()) == NULL) 399 if ((aor = ASIdOrRange_new()) == NULL)
391 return 0; 400 return 0;
392 if (max == NULL) { 401 if (max == NULL) {
393 aor->type = ASIdOrRange_id; 402 aor->type = ASIdOrRange_id;
394 aor->u.id = min; 403 aor->u.id = min;
395 } else { 404 } else {
396 aor->type = ASIdOrRange_range; 405 aor->type = ASIdOrRange_range;
397 if ((aor->u.range = ASRange_new()) == NULL) 406 if ((aor->u.range = ASRange_new()) == NULL)
398 goto err; 407 goto err;
399 ASN1_INTEGER_free(aor->u.range->min); 408 ASN1_INTEGER_free(aor->u.range->min);
400 aor->u.range->min = min; 409 aor->u.range->min = min;
401 ASN1_INTEGER_free(aor->u.range->max); 410 ASN1_INTEGER_free(aor->u.range->max);
402 aor->u.range->max = max; 411 aor->u.range->max = max;
403 } 412 }
404 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor))) 413 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
405 goto err; 414 goto err;
406 return 1; 415 return 1;
407 416
408 err: 417err:
409 ASIdOrRange_free(aor); 418 ASIdOrRange_free(aor);
410 return 0; 419 return 0;
411} 420}
412 421
413/* 422/*
414 * Extract min and max values from an ASIdOrRange. 423 * Extract min and max values from an ASIdOrRange.
415 */ 424 */
416static int extract_min_max(ASIdOrRange *aor, 425static int
417 ASN1_INTEGER **min, ASN1_INTEGER **max) 426extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max)
418{ 427{
419 OPENSSL_assert(aor != NULL); 428 OPENSSL_assert(aor != NULL);
420 429
421 switch (aor->type) { 430 switch (aor->type) {
422 case ASIdOrRange_id: 431 case ASIdOrRange_id:
423 *min = aor->u.id; 432 *min = aor->u.id;
424 *max = aor->u.id; 433 *max = aor->u.id;
425 return 1; 434 return 1;
426 case ASIdOrRange_range: 435 case ASIdOrRange_range:
427 *min = aor->u.range->min; 436 *min = aor->u.range->min;
428 *max = aor->u.range->max; 437 *max = aor->u.range->max;
429 return 1; 438 return 1;
430 } 439 }
431 440
432 return 0; 441 return 0;
433} 442}
434 443
435/* 444/*
436 * Check whether an ASIdentifierChoice is in canonical form. 445 * Check whether an ASIdentifierChoice is in canonical form.
437 */ 446 */
438static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) 447static int
448ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
439{ 449{
440 ASN1_INTEGER *a_max_plus_one = NULL; 450 ASN1_INTEGER *a_max_plus_one = NULL;
441 ASN1_INTEGER *orig; 451 ASN1_INTEGER *orig;
442 BIGNUM *bn = NULL; 452 BIGNUM *bn = NULL;
443 int i, ret = 0; 453 int i, ret = 0;
444 454
445 /* 455 /*
446 * Empty element or inheritance is canonical. 456 * Empty element or inheritance is canonical.
447 */ 457 */
448 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) 458 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
449 return 1; 459 return 1;
450 460
451 /* 461 /*
452 * If not a list, or if empty list, it's broken. 462 * If not a list, or if empty list, it's broken.
453 */ 463 */
454 if (choice->type != ASIdentifierChoice_asIdsOrRanges || 464 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
455 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) 465 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
456 return 0; 466 return 0;
457 467
458 /* 468 /*
459 * It's a list, check it. 469 * It's a list, check it.
460 */ 470 */
461 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { 471 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
462 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 472 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
463 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); 473 i);
464 ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max = 474 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
465 NULL; 475 i + 1);
466 476 ASN1_INTEGER *a_min = NULL,
467 if (!extract_min_max(a, &a_min, &a_max) 477 *a_max = NULL,
468 || !extract_min_max(b, &b_min, &b_max)) 478 *b_min = NULL,
469 goto done; 479 *b_max =
480 NULL;
481
482 if (!extract_min_max(a, &a_min, &a_max) ||
483 !extract_min_max(b, &b_min, &b_max))
484 goto done;
470 485
471 /* 486 /*
472 * Punt misordered list, overlapping start, or inverted range. 487 * Punt misordered list, overlapping start, or inverted range.
473 */ 488 */
474 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 || 489 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
475 ASN1_INTEGER_cmp(a_min, a_max) > 0 || 490 ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
476 ASN1_INTEGER_cmp(b_min, b_max) > 0) 491 ASN1_INTEGER_cmp(b_min, b_max) > 0)
477 goto done; 492 goto done;
478 493
479 /* 494 /*
480 * Calculate a_max + 1 to check for adjacency. 495 * Calculate a_max + 1 to check for adjacency.
481 */ 496 */
482 if ((bn == NULL && (bn = BN_new()) == NULL) || 497 if ((bn == NULL && (bn = BN_new()) == NULL) ||
483 ASN1_INTEGER_to_BN(a_max, bn) == NULL || 498 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
484 !BN_add_word(bn, 1)) { 499 !BN_add_word(bn, 1)) {
485 X509V3error(ERR_R_MALLOC_FAILURE); 500 X509V3error(ERR_R_MALLOC_FAILURE);
486 goto done; 501 goto done;
487 } 502 }
488 503
489 if ((a_max_plus_one = 504 if ((a_max_plus_one =
490 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { 505 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
491 a_max_plus_one = orig; 506 a_max_plus_one = orig;
492 X509V3error(ERR_R_MALLOC_FAILURE); 507 X509V3error(ERR_R_MALLOC_FAILURE);
493 goto done; 508 goto done;
494 } 509 }
495 510
496 /* 511 /*
497 * Punt if adjacent or overlapping. 512 * Punt if adjacent or overlapping.
498 */ 513 */
499 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0) 514 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
500 goto done; 515 goto done;
501 } 516 }
502 517
503 /* 518 /*
504 * Check for inverted range. 519 * Check for inverted range.
505 */ 520 */
506 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; 521 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
507 { 522 {
508 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 523 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
509 ASN1_INTEGER *a_min, *a_max; 524 i);
510 if (a != NULL && a->type == ASIdOrRange_range) { 525 ASN1_INTEGER *a_min, *a_max;
511 if (!extract_min_max(a, &a_min, &a_max) 526 if (a != NULL && a->type == ASIdOrRange_range) {
512 || ASN1_INTEGER_cmp(a_min, a_max) > 0) 527 if (!extract_min_max(a, &a_min, &a_max) ||
513 goto done; 528 ASN1_INTEGER_cmp(a_min, a_max) > 0)
514 } 529 goto done;
515 } 530 }
516 531 }
517 ret = 1; 532
518 533 ret = 1;
519 done: 534
520 ASN1_INTEGER_free(a_max_plus_one); 535done:
521 BN_free(bn); 536 ASN1_INTEGER_free(a_max_plus_one);
522 return ret; 537 BN_free(bn);
538 return ret;
523} 539}
524 540
525/* 541/*
526 * Check whether an ASIdentifier extension is in canonical form. 542 * Check whether an ASIdentifier extension is in canonical form.
527 */ 543 */
528int X509v3_asid_is_canonical(ASIdentifiers *asid) 544int
545X509v3_asid_is_canonical(ASIdentifiers *asid)
529{ 546{
530 return (asid == NULL || 547 return (asid == NULL ||
531 (ASIdentifierChoice_is_canonical(asid->asnum) && 548 (ASIdentifierChoice_is_canonical(asid->asnum) &&
532 ASIdentifierChoice_is_canonical(asid->rdi))); 549 ASIdentifierChoice_is_canonical(asid->rdi)));
533} 550}
534 551
535/* 552/*
536 * Whack an ASIdentifierChoice into canonical form. 553 * Whack an ASIdentifierChoice into canonical form.
537 */ 554 */
538static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) 555static int
556ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
539{ 557{
540 ASN1_INTEGER *a_max_plus_one = NULL; 558 ASN1_INTEGER *a_max_plus_one = NULL;
541 ASN1_INTEGER *orig; 559 ASN1_INTEGER *orig;
542 BIGNUM *bn = NULL; 560 BIGNUM *bn = NULL;
543 int i, ret = 0; 561 int i, ret = 0;
544 562
545 /* 563 /*
546 * Nothing to do for empty element or inheritance. 564 * Nothing to do for empty element or inheritance.
547 */ 565 */
548 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) 566 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
549 return 1; 567 return 1;
550 568
551 /* 569 /*
552 * If not a list, or if empty list, it's broken. 570 * If not a list, or if empty list, it's broken.
553 */ 571 */
554 if (choice->type != ASIdentifierChoice_asIdsOrRanges || 572 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
555 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) { 573 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
556 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 574 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
557 return 0; 575 return 0;
558 } 576 }
559 577
560 /* 578 /*
561 * We have a non-empty list. Sort it. 579 * We have a non-empty list. Sort it.
562 */ 580 */
563 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); 581 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
564 582
565 /* 583 /*
566 * Now check for errors and suboptimal encoding, rejecting the 584 * Now check for errors and suboptimal encoding, rejecting the
567 * former and fixing the latter. 585 * former and fixing the latter.
568 */ 586 */
569 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { 587 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
570 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 588 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
571 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); 589 i);
572 ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max = 590 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
573 NULL; 591 i + 1);
574 592 ASN1_INTEGER *a_min = NULL,
575 if (!extract_min_max(a, &a_min, &a_max) 593 *a_max = NULL,
576 || !extract_min_max(b, &b_min, &b_max)) 594 *b_min = NULL,
577 goto done; 595 *b_max =
596 NULL;
597
598 if (!extract_min_max(a, &a_min, &a_max) ||
599 !extract_min_max(b, &b_min, &b_max))
600 goto done;
578 601
579 /* 602 /*
580 * Make sure we're properly sorted (paranoia). 603 * Make sure we're properly sorted (paranoia).
581 */ 604 */
582 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); 605 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
583 606
584 /* 607 /*
585 * Punt inverted ranges. 608 * Punt inverted ranges.
586 */ 609 */
587 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 || 610 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
588 ASN1_INTEGER_cmp(b_min, b_max) > 0) 611 ASN1_INTEGER_cmp(b_min, b_max) > 0)
589 goto done; 612 goto done;
590 613
591 /* 614 /*
592 * Check for overlaps. 615 * Check for overlaps.
593 */ 616 */
594 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { 617 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
595 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 618 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
596 goto done; 619 goto done;
597 } 620 }
598 621
599 /* 622 /*
600 * Calculate a_max + 1 to check for adjacency. 623 * Calculate a_max + 1 to check for adjacency.
601 */ 624 */
602 if ((bn == NULL && (bn = BN_new()) == NULL) || 625 if ((bn == NULL && (bn = BN_new()) == NULL) ||
603 ASN1_INTEGER_to_BN(a_max, bn) == NULL || 626 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
604 !BN_add_word(bn, 1)) { 627 !BN_add_word(bn, 1)) {
605 X509V3error(ERR_R_MALLOC_FAILURE); 628 X509V3error(ERR_R_MALLOC_FAILURE);
606 goto done; 629 goto done;
607 } 630 }
608 631
609 if ((a_max_plus_one = 632 if ((a_max_plus_one =
610 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { 633 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
611 a_max_plus_one = orig; 634 a_max_plus_one = orig;
612 X509V3error(ERR_R_MALLOC_FAILURE); 635 X509V3error(ERR_R_MALLOC_FAILURE);
613 goto done; 636 goto done;
614 } 637 }
615 638
616 /* 639 /*
617 * If a and b are adjacent, merge them. 640 * If a and b are adjacent, merge them.
618 */ 641 */
619 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { 642 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
620 ASRange *r; 643 ASRange *r;
621 switch (a->type) { 644 switch (a->type) {
622 case ASIdOrRange_id: 645 case ASIdOrRange_id:
623 if ((r = calloc(1, sizeof(*r))) == NULL) { 646 if ((r = calloc(1, sizeof(*r))) == NULL) {
624 X509V3error(ERR_R_MALLOC_FAILURE); 647 X509V3error(ERR_R_MALLOC_FAILURE);
625 goto done; 648 goto done;
626 } 649 }
627 r->min = a_min; 650 r->min = a_min;
628 r->max = b_max; 651 r->max = b_max;
629 a->type = ASIdOrRange_range; 652 a->type = ASIdOrRange_range;
630 a->u.range = r; 653 a->u.range = r;
631 break; 654 break;
632 case ASIdOrRange_range: 655 case ASIdOrRange_range:
633 ASN1_INTEGER_free(a->u.range->max); 656 ASN1_INTEGER_free(a->u.range->max);
634 a->u.range->max = b_max; 657 a->u.range->max = b_max;
635 break; 658 break;
636 } 659 }
637 switch (b->type) { 660 switch (b->type) {
638 case ASIdOrRange_id: 661 case ASIdOrRange_id:
639 b->u.id = NULL; 662 b->u.id = NULL;
640 break; 663 break;
641 case ASIdOrRange_range: 664 case ASIdOrRange_range:
642 b->u.range->max = NULL; 665 b->u.range->max = NULL;
643 break; 666 break;
644 } 667 }
645 ASIdOrRange_free(b); 668 ASIdOrRange_free(b);
646 (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); 669 (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges,
647 i--; 670 i + 1);
648 continue; 671 i--;
649 } 672 continue;
650 } 673 }
674 }
651 675
652 /* 676 /*
653 * Check for final inverted range. 677 * Check for final inverted range.
654 */ 678 */
655 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; 679 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
656 { 680 {
657 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 681 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
658 ASN1_INTEGER *a_min, *a_max; 682 i);
659 if (a != NULL && a->type == ASIdOrRange_range) { 683 ASN1_INTEGER *a_min, *a_max;
660 if (!extract_min_max(a, &a_min, &a_max) 684 if (a != NULL && a->type == ASIdOrRange_range) {
661 || ASN1_INTEGER_cmp(a_min, a_max) > 0) 685 if (!extract_min_max(a, &a_min, &a_max) ||
662 goto done; 686 ASN1_INTEGER_cmp(a_min, a_max) > 0)
663 } 687 goto done;
664 } 688 }
689 }
665 690
666 /* Paranoia */ 691 /* Paranoia */
667 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); 692 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
668 693
669 ret = 1; 694 ret = 1;
670 695
671 done: 696done:
672 ASN1_INTEGER_free(a_max_plus_one); 697 ASN1_INTEGER_free(a_max_plus_one);
673 BN_free(bn); 698 BN_free(bn);
674 return ret; 699 return ret;
675} 700}
676 701
677/* 702/*
678 * Whack an ASIdentifier extension into canonical form. 703 * Whack an ASIdentifier extension into canonical form.
679 */ 704 */
680int X509v3_asid_canonize(ASIdentifiers *asid) 705int
706X509v3_asid_canonize(ASIdentifiers *asid)
681{ 707{
682 return (asid == NULL || 708 return (asid == NULL ||
683 (ASIdentifierChoice_canonize(asid->asnum) && 709 (ASIdentifierChoice_canonize(asid->asnum) &&
684 ASIdentifierChoice_canonize(asid->rdi))); 710 ASIdentifierChoice_canonize(asid->rdi)));
685} 711}
686 712
687/* 713/*
688 * v2i method for an ASIdentifier extension. 714 * v2i method for an ASIdentifier extension.
689 */ 715 */
690static void *v2i_ASIdentifiers(const struct v3_ext_method *method, 716static void *
691 struct v3_ext_ctx *ctx, 717v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
692 STACK_OF(CONF_VALUE) *values) 718 STACK_OF(CONF_VALUE)*values)
693{ 719{
694 ASN1_INTEGER *min = NULL, *max = NULL; 720 ASN1_INTEGER *min = NULL, *max = NULL;
695 ASIdentifiers *asid = NULL; 721 ASIdentifiers *asid = NULL;
696 int i; 722 int i;
697 723
698 if ((asid = ASIdentifiers_new()) == NULL) { 724 if ((asid = ASIdentifiers_new()) == NULL) {
699 X509V3error(ERR_R_MALLOC_FAILURE); 725 X509V3error(ERR_R_MALLOC_FAILURE);
700 return NULL; 726 return NULL;
701 } 727 }
702 728
703 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 729 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
704 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 730 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
705 int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0; 731 int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0;
706 732
707 /* 733 /*
708 * Figure out whether this is an AS or an RDI. 734 * Figure out whether this is an AS or an RDI.
709 */ 735 */
710 if (!name_cmp(val->name, "AS")) { 736 if (!name_cmp(val->name, "AS")) {
711 which = V3_ASID_ASNUM; 737 which = V3_ASID_ASNUM;
712 } else if (!name_cmp(val->name, "RDI")) { 738 } else if (!name_cmp(val->name, "RDI")) {
713 which = V3_ASID_RDI; 739 which = V3_ASID_RDI;
714 } else { 740 } else {
715 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 741 X509V3error(X509V3_R_EXTENSION_NAME_ERROR);
716 X509V3_conf_err(val); 742 X509V3_conf_err(val);
717 goto err; 743 goto err;
718 } 744 }
719 745
720 /* 746 /*
721 * Handle inheritance. 747 * Handle inheritance.
722 */ 748 */
723 if (strcmp(val->value, "inherit") == 0) { 749 if (strcmp(val->value, "inherit") == 0) {
724 if (X509v3_asid_add_inherit(asid, which)) 750 if (X509v3_asid_add_inherit(asid, which))
725 continue; 751 continue;
726 X509V3error(X509V3_R_INVALID_INHERITANCE); 752 X509V3error(X509V3_R_INVALID_INHERITANCE);
727 X509V3_conf_err(val); 753 X509V3_conf_err(val);
728 goto err; 754 goto err;
729 } 755 }
730 756
731 /* 757 /*
732 * Number, range, or mistake, pick it apart and figure out which. 758 * Number, range, or mistake, pick it apart and figure out which.
733 */ 759 */
734 i1 = strspn(val->value, "0123456789"); 760 i1 = strspn(val->value, "0123456789");
735 if (val->value[i1] == '\0') { 761 if (val->value[i1] == '\0') {
736 is_range = 0; 762 is_range = 0;
737 } else { 763 } else {
738 is_range = 1; 764 is_range = 1;
739 i2 = i1 + strspn(val->value + i1, " \t"); 765 i2 = i1 + strspn(val->value + i1, " \t");
740 if (val->value[i2] != '-') { 766 if (val->value[i2] != '-') {
741 X509V3error(X509V3_R_INVALID_ASNUMBER); 767 X509V3error(X509V3_R_INVALID_ASNUMBER);
742 X509V3_conf_err(val); 768 X509V3_conf_err(val);
743 goto err; 769 goto err;
744 } 770 }
745 i2++; 771 i2++;
746 i2 = i2 + strspn(val->value + i2, " \t"); 772 i2 = i2 + strspn(val->value + i2, " \t");
747 i3 = i2 + strspn(val->value + i2, "0123456789"); 773 i3 = i2 + strspn(val->value + i2, "0123456789");
748 if (val->value[i3] != '\0') { 774 if (val->value[i3] != '\0') {
749 X509V3error(X509V3_R_INVALID_ASRANGE); 775 X509V3error(X509V3_R_INVALID_ASRANGE);
750 X509V3_conf_err(val); 776 X509V3_conf_err(val);
751 goto err; 777 goto err;
752 } 778 }
753 } 779 }
754 780
755 /* 781 /*
756 * Syntax is ok, read and add it. 782 * Syntax is ok, read and add it.
757 */ 783 */
758 if (!is_range) { 784 if (!is_range) {
759 if (!X509V3_get_value_int(val, &min)) { 785 if (!X509V3_get_value_int(val, &min)) {
760 X509V3error(ERR_R_MALLOC_FAILURE); 786 X509V3error(ERR_R_MALLOC_FAILURE);
761 goto err; 787 goto err;
762 } 788 }
763 } else { 789 } else {
764 char *s = strdup(val->value); 790 char *s = strdup(val->value);
765 if (s == NULL) { 791 if (s == NULL) {
766 X509V3error(ERR_R_MALLOC_FAILURE); 792 X509V3error(ERR_R_MALLOC_FAILURE);
767 goto err; 793 goto err;
768 } 794 }
769 s[i1] = '\0'; 795 s[i1] = '\0';
770 min = s2i_ASN1_INTEGER(NULL, s); 796 min = s2i_ASN1_INTEGER(NULL, s);
771 max = s2i_ASN1_INTEGER(NULL, s + i2); 797 max = s2i_ASN1_INTEGER(NULL, s + i2);
772 free(s); 798 free(s);
773 if (min == NULL || max == NULL) { 799 if (min == NULL || max == NULL) {
774 X509V3error(ERR_R_MALLOC_FAILURE); 800 X509V3error(ERR_R_MALLOC_FAILURE);
775 goto err; 801 goto err;
776 } 802 }
777 if (ASN1_INTEGER_cmp(min, max) > 0) { 803 if (ASN1_INTEGER_cmp(min, max) > 0) {
778 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 804 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
779 goto err; 805 goto err;
780 } 806 }
781 } 807 }
782 if (!X509v3_asid_add_id_or_range(asid, which, min, max)) { 808 if (!X509v3_asid_add_id_or_range(asid, which, min, max)) {
783 X509V3error(ERR_R_MALLOC_FAILURE); 809 X509V3error(ERR_R_MALLOC_FAILURE);
784 goto err; 810 goto err;
785 } 811 }
786 min = max = NULL; 812 min = max = NULL;
787 } 813 }
788 814
789 /* 815 /*
790 * Canonize the result, then we're done. 816 * Canonize the result, then we're done.
791 */ 817 */
792 if (!X509v3_asid_canonize(asid)) 818 if (!X509v3_asid_canonize(asid))
793 goto err; 819 goto err;
794 return asid; 820 return asid;
795 821
796 err: 822err:
797 ASIdentifiers_free(asid); 823 ASIdentifiers_free(asid);
798 ASN1_INTEGER_free(min); 824 ASN1_INTEGER_free(min);
799 ASN1_INTEGER_free(max); 825 ASN1_INTEGER_free(max);
800 return NULL; 826 return NULL;
801} 827}
802 828
803/* 829/*
804 * OpenSSL dispatch. 830 * OpenSSL dispatch.
805 */ 831 */
806const X509V3_EXT_METHOD v3_asid = { 832const X509V3_EXT_METHOD v3_asid = {
807 NID_sbgp_autonomousSysNum, /* nid */ 833 NID_sbgp_autonomousSysNum, /* nid */
808 0, /* flags */ 834 0, /* flags */
809 &ASIdentifiers_it, /* template */ 835 &ASIdentifiers_it, /* template */
810 0, 0, 0, 0, /* old functions, ignored */ 836 0, 0, 0, 0, /* old functions, ignored */
811 0, /* i2s */ 837 0, /* i2s */
812 0, /* s2i */ 838 0, /* s2i */
813 0, /* i2v */ 839 0, /* i2v */
814 v2i_ASIdentifiers, /* v2i */ 840 v2i_ASIdentifiers, /* v2i */
815 i2r_ASIdentifiers, /* i2r */ 841 i2r_ASIdentifiers, /* i2r */
816 0, /* r2i */ 842 0, /* r2i */
817 NULL /* extension-specific data */ 843 NULL /* extension-specific data */
818}; 844};
819 845
820/* 846/*
821 * Figure out whether extension uses inheritance. 847 * Figure out whether extension uses inheritance.
822 */ 848 */
823int X509v3_asid_inherits(ASIdentifiers *asid) 849int
850X509v3_asid_inherits(ASIdentifiers *asid)
824{ 851{
825 return (asid != NULL && 852 return (asid != NULL &&
826 ((asid->asnum != NULL && 853 ((asid->asnum != NULL &&
827 asid->asnum->type == ASIdentifierChoice_inherit) || 854 asid->asnum->type == ASIdentifierChoice_inherit) ||
828 (asid->rdi != NULL && 855 (asid->rdi != NULL &&
829 asid->rdi->type == ASIdentifierChoice_inherit))); 856 asid->rdi->type == ASIdentifierChoice_inherit)));
830} 857}
831 858
832/* 859/*
833 * Figure out whether parent contains child. 860 * Figure out whether parent contains child.
834 */ 861 */
835static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) 862static int
863asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
836{ 864{
837 ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL; 865 ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL;
838 int p, c; 866 int p, c;
839 867
840 if (child == NULL || parent == child) 868 if (child == NULL || parent == child)
841 return 1; 869 return 1;
842 if (parent == NULL) 870 if (parent == NULL)
843 return 0; 871 return 0;
844 872
845 p = 0; 873 p = 0;
846 for (c = 0; c < sk_ASIdOrRange_num(child); c++) { 874 for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
847 if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max)) 875 if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min,
848 return 0; 876 &c_max))
849 for (;; p++) { 877 return 0;
850 if (p >= sk_ASIdOrRange_num(parent)) 878 for (;; p++) {
851 return 0; 879 if (p >= sk_ASIdOrRange_num(parent))
852 if (!extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, 880 return 0;
853 &p_max)) 881 if (!extract_min_max(sk_ASIdOrRange_value(parent, p),
854 return 0; 882 &p_min, &p_max))
855 if (ASN1_INTEGER_cmp(p_max, c_max) < 0) 883 return 0;
856 continue; 884 if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
857 if (ASN1_INTEGER_cmp(p_min, c_min) > 0) 885 continue;
858 return 0; 886 if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
859 break; 887 return 0;
860 } 888 break;
861 } 889 }
862 890 }
863 return 1; 891
892 return 1;
864} 893}
865 894
866/* 895/*
867 * Test whether a is a subset of b. 896 * Test whether a is a subset of b.
868 */ 897 */
869int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) 898int
899X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
870{ 900{
871 return (a == NULL || 901 return (a == NULL ||
872 a == b || 902 a == b ||
873 (b != NULL && 903 (b != NULL &&
874 !X509v3_asid_inherits(a) && 904 !X509v3_asid_inherits(a) &&
875 !X509v3_asid_inherits(b) && 905 !X509v3_asid_inherits(b) &&
876 asid_contains(b->asnum->u.asIdsOrRanges, 906 asid_contains(b->asnum->u.asIdsOrRanges,
877 a->asnum->u.asIdsOrRanges) && 907 a->asnum->u.asIdsOrRanges) &&
878 asid_contains(b->rdi->u.asIdsOrRanges, 908 asid_contains(b->rdi->u.asIdsOrRanges,
879 a->rdi->u.asIdsOrRanges))); 909 a->rdi->u.asIdsOrRanges)));
880} 910}
881 911
882/* 912/*
@@ -899,121 +929,121 @@ int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
899/* 929/*
900 * Core code for RFC 3779 3.3 path validation. 930 * Core code for RFC 3779 3.3 path validation.
901 */ 931 */
902static int asid_validate_path_internal(X509_STORE_CTX *ctx, 932static int
903 STACK_OF(X509) *chain, 933asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
904 ASIdentifiers *ext) 934 ASIdentifiers *ext)
905{ 935{
906 ASIdOrRanges *child_as = NULL, *child_rdi = NULL; 936 ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
907 int i, ret = 1, inherit_as = 0, inherit_rdi = 0; 937 int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
908 X509 *x; 938 X509 *x;
909 939
910 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 940 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
911 OPENSSL_assert(ctx != NULL || ext != NULL); 941 OPENSSL_assert(ctx != NULL || ext != NULL);
912 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 942 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
913 943
914 /* 944 /*
915 * Figure out where to start. If we don't have an extension to 945 * Figure out where to start. If we don't have an extension to
916 * check, we're done. Otherwise, check canonical form and 946 * check, we're done. Otherwise, check canonical form and
917 * set up for walking up the chain. 947 * set up for walking up the chain.
918 */ 948 */
919 if (ext != NULL) { 949 if (ext != NULL) {
920 i = -1; 950 i = -1;
921 x = NULL; 951 x = NULL;
922 } else { 952 } else {
923 i = 0; 953 i = 0;
924 x = sk_X509_value(chain, i); 954 x = sk_X509_value(chain, i);
925 if ((ext = x->rfc3779_asid) == NULL) 955 if ((ext = x->rfc3779_asid) == NULL)
926 goto done; 956 goto done;
927 } 957 }
928 if (!X509v3_asid_is_canonical(ext)) 958 if (!X509v3_asid_is_canonical(ext))
929 validation_err(X509_V_ERR_INVALID_EXTENSION); 959 validation_err(X509_V_ERR_INVALID_EXTENSION);
930 if (ext->asnum != NULL) { 960 if (ext->asnum != NULL) {
931 switch (ext->asnum->type) { 961 switch (ext->asnum->type) {
932 case ASIdentifierChoice_inherit: 962 case ASIdentifierChoice_inherit:
933 inherit_as = 1; 963 inherit_as = 1;
934 break; 964 break;
935 case ASIdentifierChoice_asIdsOrRanges: 965 case ASIdentifierChoice_asIdsOrRanges:
936 child_as = ext->asnum->u.asIdsOrRanges; 966 child_as = ext->asnum->u.asIdsOrRanges;
937 break; 967 break;
938 } 968 }
939 } 969 }
940 if (ext->rdi != NULL) { 970 if (ext->rdi != NULL) {
941 switch (ext->rdi->type) { 971 switch (ext->rdi->type) {
942 case ASIdentifierChoice_inherit: 972 case ASIdentifierChoice_inherit:
943 inherit_rdi = 1; 973 inherit_rdi = 1;
944 break; 974 break;
945 case ASIdentifierChoice_asIdsOrRanges: 975 case ASIdentifierChoice_asIdsOrRanges:
946 child_rdi = ext->rdi->u.asIdsOrRanges; 976 child_rdi = ext->rdi->u.asIdsOrRanges;
947 break; 977 break;
948 } 978 }
949 } 979 }
950 980
951 /* 981 /*
952 * Now walk up the chain. Extensions must be in canonical form, no 982 * Now walk up the chain. Extensions must be in canonical form, no
953 * cert may list resources that its parent doesn't list. 983 * cert may list resources that its parent doesn't list.
954 */ 984 */
955 for (i++; i < sk_X509_num(chain); i++) { 985 for (i++; i < sk_X509_num(chain); i++) {
956 x = sk_X509_value(chain, i); 986 x = sk_X509_value(chain, i);
957 OPENSSL_assert(x != NULL); 987 OPENSSL_assert(x != NULL);
958 988
959 if (x->rfc3779_asid == NULL) { 989 if (x->rfc3779_asid == NULL) {
960 if (child_as != NULL || child_rdi != NULL) 990 if (child_as != NULL || child_rdi != NULL)
961 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 991 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
962 continue; 992 continue;
963 } 993 }
964 if (!X509v3_asid_is_canonical(x->rfc3779_asid)) 994 if (!X509v3_asid_is_canonical(x->rfc3779_asid))
965 validation_err(X509_V_ERR_INVALID_EXTENSION); 995 validation_err(X509_V_ERR_INVALID_EXTENSION);
966 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { 996 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
967 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 997 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
968 child_as = NULL; 998 child_as = NULL;
969 inherit_as = 0; 999 inherit_as = 0;
970 } 1000 }
971 if (x->rfc3779_asid->asnum != NULL && 1001 if (x->rfc3779_asid->asnum != NULL &&
972 x->rfc3779_asid->asnum->type == 1002 x->rfc3779_asid->asnum->type ==
973 ASIdentifierChoice_asIdsOrRanges) { 1003 ASIdentifierChoice_asIdsOrRanges) {
974 if (inherit_as 1004 if (inherit_as ||
975 || asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, 1005 asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges,
976 child_as)) { 1006 child_as)) {
977 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; 1007 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
978 inherit_as = 0; 1008 inherit_as = 0;
979 } else { 1009 } else {
980 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1010 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
981 } 1011 }
982 } 1012 }
983 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) { 1013 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
984 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1014 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
985 child_rdi = NULL; 1015 child_rdi = NULL;
986 inherit_rdi = 0; 1016 inherit_rdi = 0;
987 } 1017 }
988 if (x->rfc3779_asid->rdi != NULL && 1018 if (x->rfc3779_asid->rdi != NULL &&
989 x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { 1019 x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) {
990 if (inherit_rdi || 1020 if (inherit_rdi ||
991 asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, 1021 asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges,
992 child_rdi)) { 1022 child_rdi)) {
993 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; 1023 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
994 inherit_rdi = 0; 1024 inherit_rdi = 0;
995 } else { 1025 } else {
996 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1026 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
997 } 1027 }
998 } 1028 }
999 } 1029 }
1000 1030
1001 /* 1031 /*
1002 * Trust anchor can't inherit. 1032 * Trust anchor can't inherit.
1003 */ 1033 */
1004 OPENSSL_assert(x != NULL); 1034 OPENSSL_assert(x != NULL);
1005 1035
1006 if (x->rfc3779_asid != NULL) { 1036 if (x->rfc3779_asid != NULL) {
1007 if (x->rfc3779_asid->asnum != NULL && 1037 if (x->rfc3779_asid->asnum != NULL &&
1008 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) 1038 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
1009 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1039 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1010 if (x->rfc3779_asid->rdi != NULL && 1040 if (x->rfc3779_asid->rdi != NULL &&
1011 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) 1041 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
1012 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1042 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1013 } 1043 }
1014 1044
1015 done: 1045done:
1016 return ret; 1046 return ret;
1017} 1047}
1018 1048
1019#undef validation_err 1049#undef validation_err
@@ -1021,31 +1051,33 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
1021/* 1051/*
1022 * RFC 3779 3.3 path validation -- called from X509_verify_cert(). 1052 * RFC 3779 3.3 path validation -- called from X509_verify_cert().
1023 */ 1053 */
1024int X509v3_asid_validate_path(X509_STORE_CTX *ctx) 1054int
1055X509v3_asid_validate_path(X509_STORE_CTX *ctx)
1025{ 1056{
1026 if (ctx->chain == NULL 1057 if (ctx->chain == NULL ||
1027 || sk_X509_num(ctx->chain) == 0 1058 sk_X509_num(ctx->chain) == 0 ||
1028 || ctx->verify_cb == NULL) { 1059 ctx->verify_cb == NULL) {
1029 ctx->error = X509_V_ERR_UNSPECIFIED; 1060 ctx->error = X509_V_ERR_UNSPECIFIED;
1030 return 0; 1061 return 0;
1031 } 1062 }
1032 return asid_validate_path_internal(ctx, ctx->chain, NULL); 1063 return asid_validate_path_internal(ctx, ctx->chain, NULL);
1033} 1064}
1034 1065
1035/* 1066/*
1036 * RFC 3779 3.3 path validation of an extension. 1067 * RFC 3779 3.3 path validation of an extension.
1037 * Test whether chain covers extension. 1068 * Test whether chain covers extension.
1038 */ 1069 */
1039int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain, 1070int
1040 ASIdentifiers *ext, int allow_inheritance) 1071X509v3_asid_validate_resource_set(STACK_OF(X509)*chain, ASIdentifiers *ext,
1072 int allow_inheritance)
1041{ 1073{
1042 if (ext == NULL) 1074 if (ext == NULL)
1043 return 1; 1075 return 1;
1044 if (chain == NULL || sk_X509_num(chain) == 0) 1076 if (chain == NULL || sk_X509_num(chain) == 0)
1045 return 0; 1077 return 0;
1046 if (!allow_inheritance && X509v3_asid_inherits(ext)) 1078 if (!allow_inheritance && X509v3_asid_inherits(ext))
1047 return 0; 1079 return 0;
1048 return asid_validate_path_internal(NULL, chain, ext); 1080 return asid_validate_path_internal(NULL, chain, ext);
1049} 1081}
1050 1082
1051#endif /* OPENSSL_NO_RFC3779 */ 1083#endif /* OPENSSL_NO_RFC3779 */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-24 09:10:37 +0000