diff options
| author | tb <> | 2022-05-12 19:56:43 +0000 |
|---|---|---|
| committer | tb <> | 2022-05-12 19:56:43 +0000 |
| commit | de3601f2e1e6ee4ff034d168947992efb01a83b0 (patch) | |
| tree | eacd1e541d102f04cefa01df3c16542d6fc07ab9 /src | |
| parent | 540bbdf30960c9ead73d3d602b60c159183caf60 (diff) | |
| download | openbsd-de3601f2e1e6ee4ff034d168947992efb01a83b0.tar.gz openbsd-de3601f2e1e6ee4ff034d168947992efb01a83b0.tar.bz2 openbsd-de3601f2e1e6ee4ff034d168947992efb01a83b0.zip | |
Rewrite and fix X509v3_asid_subset()
X509v3_asid_subset() assumes that both asnum and rdi are present while
they are both marked OPTIONAL in RFC 3779, 3.2.3. It will crash if
either one is missing. In RPKI land RDI is a MUST NOT use (e.g, RFC
6487, 4.8.11), so this API is currently useless (and seemingly unused).
Pick apart an ugly logical pipeline and implement this check in a
readable fashion.
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_asid.c | 42 |
1 files changed, 30 insertions, 12 deletions
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c index 514b88bc0e..5967e26d4d 100644 --- a/src/lib/libcrypto/x509/x509_asid.c +++ b/src/lib/libcrypto/x509/x509_asid.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_asid.c,v 1.32 2022/04/21 05:06:07 tb Exp $ */ | 1 | /* $OpenBSD: x509_asid.c,v 1.33 2022/05/12 19:56:43 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Contributed to the OpenSSL Project by the American Registry for | 3 | * Contributed to the OpenSSL Project by the American Registry for |
| 4 | * Internet Numbers ("ARIN"). | 4 | * Internet Numbers ("ARIN"). |
| @@ -944,20 +944,38 @@ asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) | |||
| 944 | } | 944 | } |
| 945 | 945 | ||
| 946 | /* | 946 | /* |
| 947 | * Test whether a is a subset of b. | 947 | * Test whether child is a subset of parent. |
| 948 | */ | 948 | */ |
| 949 | int | 949 | int |
| 950 | X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) | 950 | X509v3_asid_subset(ASIdentifiers *child, ASIdentifiers *parent) |
| 951 | { | 951 | { |
| 952 | return (a == NULL || | 952 | if (child == NULL || child == parent) |
| 953 | a == b || | 953 | return 1; |
| 954 | (b != NULL && | 954 | if (parent == NULL) |
| 955 | !X509v3_asid_inherits(a) && | 955 | return 0; |
| 956 | !X509v3_asid_inherits(b) && | 956 | |
| 957 | asid_contains(b->asnum->u.asIdsOrRanges, | 957 | if (X509v3_asid_inherits(child) || X509v3_asid_inherits(parent)) |
| 958 | a->asnum->u.asIdsOrRanges) && | 958 | return 0; |
| 959 | asid_contains(b->rdi->u.asIdsOrRanges, | 959 | |
| 960 | a->rdi->u.asIdsOrRanges))); | 960 | if (child->asnum != NULL) { |
| 961 | if (parent->asnum == NULL) | ||
| 962 | return 0; | ||
| 963 | |||
| 964 | if (!asid_contains(parent->asnum->u.asIdsOrRanges, | ||
| 965 | child->asnum->u.asIdsOrRanges)) | ||
| 966 | return 0; | ||
| 967 | } | ||
| 968 | |||
| 969 | if (child->rdi != NULL) { | ||
| 970 | if (parent->rdi == NULL) | ||
| 971 | return 0; | ||
| 972 | |||
| 973 | if (!asid_contains(parent->rdi->u.asIdsOrRanges, | ||
| 974 | child->rdi->u.asIdsOrRanges)) | ||
| 975 | return 0; | ||
| 976 | } | ||
| 977 | |||
| 978 | return 1; | ||
| 961 | } | 979 | } |
| 962 | 980 | ||
| 963 | /* | 981 | /* |