1 files changed, 29 insertions, 24 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 90288445ab..ad92e49e45 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.70 2022/01/05 17:49:39 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.71 2022/01/05 17:51:30 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -1699,7 +1699,7 @@ addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
 int
 X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent)
 {
-        IPAddressFamily *fc, *fp;
+        IPAddressFamily *child_af, *parent_af;
        IPAddressOrRanges *aorc, *aorp;
        int i, length;
@@ -1712,16 +1712,18 @@ X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent)
                return 0;
        for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
-                fc = sk_IPAddressFamily_value(child, i);
+                child_af = sk_IPAddressFamily_value(child, i);
-                if ((fp = IPAddressFamily_find_in_parent(parent, fc)) == NULL)
+                parent_af = IPAddressFamily_find_in_parent(parent, child_af);
+                if (parent_af == NULL)
                        return 0;
-                if (!IPAddressFamily_afi_length(fp, &length))
+                if (!IPAddressFamily_afi_length(parent_af, &length))
                        return 0;
-                aorc = IPAddressFamily_addressesOrRanges(fc);
+                aorc = IPAddressFamily_addressesOrRanges(child_af);
-                aorp = IPAddressFamily_addressesOrRanges(fp);
+                aorp = IPAddressFamily_addressesOrRanges(parent_af);
                if (!addr_contains(aorp, aorc, length))
                        return 0;
@@ -1755,7 +1757,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
    IPAddrBlocks *ext)
 {
        IPAddrBlocks *child = NULL, *parent = NULL;
-        IPAddressFamily *fc, *fp;
+        IPAddressFamily *child_af, *parent_af;
        IPAddressOrRanges *aorc, *aorp;
        X509 *cert = NULL;
        int depth = -1;
@@ -1809,9 +1811,10 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
                if ((parent = cert->rfc3779_addr) == NULL) {
                        for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
-                                fc = sk_IPAddressFamily_value(child, i);
+                                child_af = sk_IPAddressFamily_value(child, i);
-                                if (IPAddressFamily_inheritance(fc) != NULL)
+                                if (IPAddressFamily_inheritance(child_af) !=
+                                    NULL)
                                        continue;
                                if ((ret = verify_error(ctx, cert,
@@ -1835,15 +1838,17 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
                 * parent's resources are covered by the grandparent.
                 */
                for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
-                        fc = sk_IPAddressFamily_value(child, i);
+                        child_af = sk_IPAddressFamily_value(child, i);
-                        fp = IPAddressFamily_find_in_parent(parent, fc);
+                        parent_af = IPAddressFamily_find_in_parent(parent,
-                        if (fp == NULL) {
+                            child_af);
+                        if (parent_af == NULL) {
                                /*
                                 * If we have no match in the parent and the
                                 * child inherits, that's fine.
                                 */
-                                if (IPAddressFamily_inheritance(fc) != NULL)
+                                if (IPAddressFamily_inheritance(child_af) !=
+                                    NULL)
                                        continue;
                                /* Otherwise the child isn't covered. */
@@ -1854,17 +1859,17 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
                        }
                        /* Parent inherits, nothing to do. */
-                        if (IPAddressFamily_inheritance(fp) != NULL)
+                        if (IPAddressFamily_inheritance(parent_af) != NULL)
                                continue;
                        /* Child inherits. Use parent's address family. */
-                        if (IPAddressFamily_inheritance(fc) != NULL) {
+                        if (IPAddressFamily_inheritance(child_af) != NULL) {
-                                sk_IPAddressFamily_set(child, i, fp);
+                                sk_IPAddressFamily_set(child, i, parent_af);
                                continue;
                        }
-                        aorc = IPAddressFamily_addressesOrRanges(fc);
+                        aorc = IPAddressFamily_addressesOrRanges(child_af);
-                        aorp = IPAddressFamily_addressesOrRanges(fp);
+                        aorp = IPAddressFamily_addressesOrRanges(parent_af);
                        /*
                         * Child and parent are canonical and neither inherits.
@@ -1874,12 +1879,12 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
                        if (aorc == NULL || aorp == NULL)
                                goto err;
-                        if (!IPAddressFamily_afi_length(fc, &length))
+                        if (!IPAddressFamily_afi_length(child_af, &length))
                                goto err;
                        /* Now check containment and replace or error. */
                        if (addr_contains(aorp, aorc, length)) {
-                                sk_IPAddressFamily_set(child, i, fp);
+                                sk_IPAddressFamily_set(child, i, parent_af);
                                continue;
                        }
@@ -1894,12 +1899,12 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
         */
        if ((parent = cert->rfc3779_addr) != NULL) {
                for (i = 0; i < sk_IPAddressFamily_num(parent); i++) {
-                        fp = sk_IPAddressFamily_value(parent, i);
+                        parent_af = sk_IPAddressFamily_value(parent, i);
-                        if (IPAddressFamily_inheritance(fp) == NULL)
+                        if (IPAddressFamily_inheritance(parent_af) == NULL)
                                continue;
-                        if (sk_IPAddressFamily_find(child, fp) < 0)
+                        if (sk_IPAddressFamily_find(child, parent_af) < 0)
                                continue;
                        if ((ret = verify_error(ctx, cert,

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index 90288445ab..ad92e49e45 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_addr.c,v 1.70 2022/01/05 17:49:39 tb Exp $ */	1	/* $OpenBSD: x509_addr.c,v 1.71 2022/01/05 17:51:30 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -1699,7 +1699,7 @@ addr_contains(IPAddressOrRanges parent, IPAddressOrRanges child, int length)
1699	int	1699	int
1700	X509v3_addr_subset(IPAddrBlocks child, IPAddrBlocks parent)	1700	X509v3_addr_subset(IPAddrBlocks child, IPAddrBlocks parent)
1701	{	1701	{
1702	IPAddressFamily fc, fp;	1702	IPAddressFamily child_af, parent_af;
1703	IPAddressOrRanges aorc, aorp;	1703	IPAddressOrRanges aorc, aorp;
1704	int i, length;	1704	int i, length;
1705		1705
@@ -1712,16 +1712,18 @@ X509v3_addr_subset(IPAddrBlocks child, IPAddrBlocks parent)
1712	return 0;	1712	return 0;
1713		1713
1714	for (i = 0; i < sk_IPAddressFamily_num(child); i++) {	1714	for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
1715	fc = sk_IPAddressFamily_value(child, i);	1715	child_af = sk_IPAddressFamily_value(child, i);
1716		1716
1717	if ((fp = IPAddressFamily_find_in_parent(parent, fc)) == NULL)	1717
		1718	parent_af = IPAddressFamily_find_in_parent(parent, child_af);
		1719	if (parent_af == NULL)
1718	return 0;	1720	return 0;
1719		1721
1720	if (!IPAddressFamily_afi_length(fp, &length))	1722	if (!IPAddressFamily_afi_length(parent_af, &length))
1721	return 0;	1723	return 0;
1722		1724
1723	aorc = IPAddressFamily_addressesOrRanges(fc);	1725	aorc = IPAddressFamily_addressesOrRanges(child_af);
1724	aorp = IPAddressFamily_addressesOrRanges(fp);	1726	aorp = IPAddressFamily_addressesOrRanges(parent_af);
1725		1727
1726	if (!addr_contains(aorp, aorc, length))	1728	if (!addr_contains(aorp, aorc, length))
1727	return 0;	1729	return 0;
@@ -1755,7 +1757,7 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1755	IPAddrBlocks *ext)	1757	IPAddrBlocks *ext)
1756	{	1758	{
1757	IPAddrBlocks child = NULL, parent = NULL;	1759	IPAddrBlocks child = NULL, parent = NULL;
1758	IPAddressFamily fc, fp;	1760	IPAddressFamily child_af, parent_af;
1759	IPAddressOrRanges aorc, aorp;	1761	IPAddressOrRanges aorc, aorp;
1760	X509 *cert = NULL;	1762	X509 *cert = NULL;
1761	int depth = -1;	1763	int depth = -1;
@@ -1809,9 +1811,10 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1809		1811
1810	if ((parent = cert->rfc3779_addr) == NULL) {	1812	if ((parent = cert->rfc3779_addr) == NULL) {
1811	for (i = 0; i < sk_IPAddressFamily_num(child); i++) {	1813	for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
1812	fc = sk_IPAddressFamily_value(child, i);	1814	child_af = sk_IPAddressFamily_value(child, i);
1813		1815
1814	if (IPAddressFamily_inheritance(fc) != NULL)	1816	if (IPAddressFamily_inheritance(child_af) !=
		1817	NULL)
1815	continue;	1818	continue;
1816		1819
1817	if ((ret = verify_error(ctx, cert,	1820	if ((ret = verify_error(ctx, cert,
@@ -1835,15 +1838,17 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1835	* parent's resources are covered by the grandparent.	1838	* parent's resources are covered by the grandparent.
1836	*/	1839	*/
1837	for (i = 0; i < sk_IPAddressFamily_num(child); i++) {	1840	for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
1838	fc = sk_IPAddressFamily_value(child, i);	1841	child_af = sk_IPAddressFamily_value(child, i);
1839		1842
1840	fp = IPAddressFamily_find_in_parent(parent, fc);	1843	parent_af = IPAddressFamily_find_in_parent(parent,
1841	if (fp == NULL) {	1844	child_af);
		1845	if (parent_af == NULL) {
1842	/*	1846	/*
1843	* If we have no match in the parent and the	1847	* If we have no match in the parent and the
1844	* child inherits, that's fine.	1848	* child inherits, that's fine.
1845	*/	1849	*/
1846	if (IPAddressFamily_inheritance(fc) != NULL)	1850	if (IPAddressFamily_inheritance(child_af) !=
		1851	NULL)
1847	continue;	1852	continue;
1848		1853
1849	/* Otherwise the child isn't covered. */	1854	/* Otherwise the child isn't covered. */
@@ -1854,17 +1859,17 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1854	}	1859	}
1855		1860
1856	/* Parent inherits, nothing to do. */	1861	/* Parent inherits, nothing to do. */
1857	if (IPAddressFamily_inheritance(fp) != NULL)	1862	if (IPAddressFamily_inheritance(parent_af) != NULL)
1858	continue;	1863	continue;
1859		1864
1860	/* Child inherits. Use parent's address family. */	1865	/* Child inherits. Use parent's address family. */
1861	if (IPAddressFamily_inheritance(fc) != NULL) {	1866	if (IPAddressFamily_inheritance(child_af) != NULL) {
1862	sk_IPAddressFamily_set(child, i, fp);	1867	sk_IPAddressFamily_set(child, i, parent_af);
1863	continue;	1868	continue;
1864	}	1869	}
1865		1870
1866	aorc = IPAddressFamily_addressesOrRanges(fc);	1871	aorc = IPAddressFamily_addressesOrRanges(child_af);
1867	aorp = IPAddressFamily_addressesOrRanges(fp);	1872	aorp = IPAddressFamily_addressesOrRanges(parent_af);
1868		1873
1869	/*	1874	/*
1870	* Child and parent are canonical and neither inherits.	1875	* Child and parent are canonical and neither inherits.
@@ -1874,12 +1879,12 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1874	if (aorc == NULL \|\| aorp == NULL)	1879	if (aorc == NULL \|\| aorp == NULL)
1875	goto err;	1880	goto err;
1876		1881
1877	if (!IPAddressFamily_afi_length(fc, &length))	1882	if (!IPAddressFamily_afi_length(child_af, &length))
1878	goto err;	1883	goto err;
1879		1884
1880	/* Now check containment and replace or error. */	1885	/* Now check containment and replace or error. */
1881	if (addr_contains(aorp, aorc, length)) {	1886	if (addr_contains(aorp, aorc, length)) {
1882	sk_IPAddressFamily_set(child, i, fp);	1887	sk_IPAddressFamily_set(child, i, parent_af);
1883	continue;	1888	continue;
1884	}	1889	}
1885		1890
@@ -1894,12 +1899,12 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1894	*/	1899	*/
1895	if ((parent = cert->rfc3779_addr) != NULL) {	1900	if ((parent = cert->rfc3779_addr) != NULL) {
1896	for (i = 0; i < sk_IPAddressFamily_num(parent); i++) {	1901	for (i = 0; i < sk_IPAddressFamily_num(parent); i++) {
1897	fp = sk_IPAddressFamily_value(parent, i);	1902	parent_af = sk_IPAddressFamily_value(parent, i);
1898		1903
1899	if (IPAddressFamily_inheritance(fp) == NULL)	1904	if (IPAddressFamily_inheritance(parent_af) == NULL)
1900	continue;	1905	continue;
1901		1906
1902	if (sk_IPAddressFamily_find(child, fp) < 0)	1907	if (sk_IPAddressFamily_find(child, parent_af) < 0)
1903	continue;	1908	continue;
1904		1909
1905	if ((ret = verify_error(ctx, cert,	1910	if ((ret = verify_error(ctx, cert,