diff options
| author | tb <> | 2021-12-28 20:50:37 +0000 |
|---|---|---|
| committer | tb <> | 2021-12-28 20:50:37 +0000 |
| commit | f3aa4f68c2f15c781d66ff3ee3b216eca30d8f43 (patch) | |
| tree | 2359b04cc892b8d4c334f00559aec658c6c7ef24 /src | |
| parent | 5b2b0b2e4ca91d6ecbeadee2ab34c05f3a4ebfbf (diff) | |
| download | openbsd-f3aa4f68c2f15c781d66ff3ee3b216eca30d8f43.tar.gz openbsd-f3aa4f68c2f15c781d66ff3ee3b216eca30d8f43.tar.bz2 openbsd-f3aa4f68c2f15c781d66ff3ee3b216eca30d8f43.zip | |
Rewrite/simplify X509v3_addr_is_canonical()
This is a more or less straightforward conversion using the new
IPAddressFamily accessor API. As a result, some checks have become
a bit stricter, which is only desirable here.
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_addr.c | 76 |
1 files changed, 36 insertions, 40 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index 242d1b4982..3686d6a823 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_addr.c,v 1.42 2021/12/28 20:44:56 tb Exp $ */ | 1 | /* $OpenBSD: x509_addr.c,v 1.43 2021/12/28 20:50:37 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Contributed to the OpenSSL Project by the American Registry for | 3 | * Contributed to the OpenSSL Project by the American Registry for |
| 4 | * Internet Numbers ("ARIN"). | 4 | * Internet Numbers ("ARIN"). |
| @@ -1077,8 +1077,10 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr) | |||
| 1077 | { | 1077 | { |
| 1078 | unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; | 1078 | unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; |
| 1079 | unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; | 1079 | unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; |
| 1080 | IPAddressFamily *f; | ||
| 1080 | IPAddressOrRanges *aors; | 1081 | IPAddressOrRanges *aors; |
| 1081 | int i, j, k; | 1082 | IPAddressOrRange *aor, *aor_a, *aor_b; |
| 1083 | int i, j, k, length; | ||
| 1082 | 1084 | ||
| 1083 | /* | 1085 | /* |
| 1084 | * Empty extension is canonical. | 1086 | * Empty extension is canonical. |
| @@ -1107,41 +1109,37 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr) | |||
| 1107 | * Top level's ok, now check each address family. | 1109 | * Top level's ok, now check each address family. |
| 1108 | */ | 1110 | */ |
| 1109 | for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { | 1111 | for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { |
| 1110 | IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); | 1112 | f = sk_IPAddressFamily_value(addr, i); |
| 1111 | int length; | ||
| 1112 | 1113 | ||
| 1113 | if (!IPAddressFamily_afi_length(f, &length)) | 1114 | if (!IPAddressFamily_afi_length(f, &length)) |
| 1114 | return 0; | 1115 | return 0; |
| 1115 | 1116 | ||
| 1116 | /* | 1117 | /* |
| 1117 | * Inheritance is canonical. Anything other than inheritance | 1118 | * If this family has an inheritance element, it is canonical. |
| 1118 | * or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or | ||
| 1119 | * something. | ||
| 1120 | */ | 1119 | */ |
| 1121 | if (f == NULL || f->ipAddressChoice == NULL) | 1120 | if (IPAddressFamily_inheritance(f) != NULL) |
| 1122 | return 0; | ||
| 1123 | switch (f->ipAddressChoice->type) { | ||
| 1124 | case IPAddressChoice_inherit: | ||
| 1125 | continue; | 1121 | continue; |
| 1126 | case IPAddressChoice_addressesOrRanges: | ||
| 1127 | break; | ||
| 1128 | default: | ||
| 1129 | return 0; | ||
| 1130 | } | ||
| 1131 | 1122 | ||
| 1132 | /* | 1123 | /* |
| 1133 | * It's an IPAddressOrRanges sequence, check it. | 1124 | * If this family has neither an inheritance element nor an |
| 1125 | * addressesOrRanges, we don't know what this is. | ||
| 1134 | */ | 1126 | */ |
| 1135 | aors = f->ipAddressChoice->u.addressesOrRanges; | 1127 | if ((aors = IPAddressFamily_addressesOrRanges(f)) == NULL) |
| 1128 | return 0; | ||
| 1129 | |||
| 1136 | if (sk_IPAddressOrRange_num(aors) == 0) | 1130 | if (sk_IPAddressOrRange_num(aors) == 0) |
| 1137 | return 0; | 1131 | return 0; |
| 1132 | |||
| 1138 | for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { | 1133 | for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { |
| 1139 | IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); | 1134 | aor_a = sk_IPAddressOrRange_value(aors, j); |
| 1140 | IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, | 1135 | aor_b = sk_IPAddressOrRange_value(aors, j + 1); |
| 1141 | j + 1); | 1136 | |
| 1137 | /* | ||
| 1138 | * XXX - check that both are either a prefix or a range. | ||
| 1139 | */ | ||
| 1142 | 1140 | ||
| 1143 | if (!extract_min_max(a, a_min, a_max, length) || | 1141 | if (!extract_min_max(aor_a, a_min, a_max, length) || |
| 1144 | !extract_min_max(b, b_min, b_max, length)) | 1142 | !extract_min_max(aor_b, b_min, b_max, length)) |
| 1145 | return 0; | 1143 | return 0; |
| 1146 | 1144 | ||
| 1147 | /* | 1145 | /* |
| @@ -1154,8 +1152,8 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr) | |||
| 1154 | return 0; | 1152 | return 0; |
| 1155 | 1153 | ||
| 1156 | /* | 1154 | /* |
| 1157 | * Punt if adjacent or overlapping. Check for adjacency by | 1155 | * Punt if adjacent or overlapping. Check for adjacency |
| 1158 | * subtracting one from b_min first. | 1156 | * by subtracting one from b_min first. |
| 1159 | */ | 1157 | */ |
| 1160 | for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) | 1158 | for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) |
| 1161 | continue; | 1159 | continue; |
| @@ -1165,27 +1163,25 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr) | |||
| 1165 | /* | 1163 | /* |
| 1166 | * Check for range that should be expressed as a prefix. | 1164 | * Check for range that should be expressed as a prefix. |
| 1167 | */ | 1165 | */ |
| 1168 | if (a->type == IPAddressOrRange_addressRange && | 1166 | if (aor_a->type == IPAddressOrRange_addressPrefix) |
| 1169 | range_should_be_prefix(a_min, a_max, length) >= 0) | 1167 | continue; |
| 1168 | |||
| 1169 | if (range_should_be_prefix(a_min, a_max, length) >= 0) | ||
| 1170 | return 0; | 1170 | return 0; |
| 1171 | } | 1171 | } |
| 1172 | 1172 | ||
| 1173 | /* | 1173 | /* |
| 1174 | * Check range to see if it's inverted or should be a | 1174 | * Check final range to see if it's inverted or should be a |
| 1175 | * prefix. | 1175 | * prefix. |
| 1176 | */ | 1176 | */ |
| 1177 | j = sk_IPAddressOrRange_num(aors) - 1; | 1177 | aor = sk_IPAddressOrRange_value(aors, j); |
| 1178 | { | 1178 | if (aor->type == IPAddressOrRange_addressRange) { |
| 1179 | IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); | 1179 | if (!extract_min_max(aor, a_min, a_max, length)) |
| 1180 | if (a != NULL && | 1180 | return 0; |
| 1181 | a->type == IPAddressOrRange_addressRange) { | 1181 | if (memcmp(a_min, a_max, length) > 0) |
| 1182 | if (!extract_min_max(a, a_min, a_max, length)) | 1182 | return 0; |
| 1183 | return 0; | 1183 | if (range_should_be_prefix(a_min, a_max, length) >= 0) |
| 1184 | if (memcmp(a_min, a_max, length) > 0 || | 1184 | return 0; |
| 1185 | range_should_be_prefix(a_min, a_max, | ||
| 1186 | length) >= 0) | ||
| 1187 | return 0; | ||
| 1188 | } | ||
| 1189 | } | 1185 | } |
| 1190 | } | 1186 | } |
| 1191 | 1187 | ||