1 files changed, 23 insertions, 21 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index b1ff93d4d0..ba5aaff7e6 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.80 2022/04/21 05:06:07 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.81 2022/05/17 07:50:59 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -73,6 +73,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "asn1_locl.h"
 #include "bytestring.h"
 #include "x509_lcl.h"
@@ -847,44 +848,45 @@ range_should_be_prefix(const unsigned char *min, const unsigned char *max,
 }
 /*
- * Construct a prefix.
+ * Fill IPAddressOrRange with bit string encoding of a prefix - RFC 3779, 2.1.1.
 */
 static int
-make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
+make_addressPrefix(IPAddressOrRange **out_aor, uint8_t *addr, uint32_t afi,
-    unsigned int afi, int prefix_len)
+    int prefix_len)
 {
-        IPAddressOrRange *aor;
+        IPAddressOrRange *aor = NULL;
-        int afi_len, byte_len, bit_len, max_len;
+        int afi_len, max_len, num_bits, num_octets;
+        uint8_t unused_bits;
        if (prefix_len < 0)
-                return 0;
+                goto err;
        max_len = 16;
        if ((afi_len = length_from_afi(afi)) > 0)
                max_len = afi_len;
        if (prefix_len > 8 * max_len)
-                return 0;
+                goto err;
+        num_octets = (prefix_len + 7) / 8;
+        num_bits = prefix_len % 8;
-        byte_len = (prefix_len + 7) / 8;
+        unused_bits = 0;
-        bit_len = prefix_len % 8;
+        if (num_bits > 0)
+                unused_bits = 8 - num_bits;
        if ((aor = IPAddressOrRange_new()) == NULL)
-                return 0;
+                goto err;
        aor->type = IPAddressOrRange_addressPrefix;
        if ((aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
                goto err;
+        if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, num_octets))
-        if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, byte_len))
+                goto err;
+        if (!asn1_abs_set_unused_bits(aor->u.addressPrefix, unused_bits))
                goto err;
-        aor->u.addressPrefix->flags &= ~7;
+        *out_aor = aor;
-        aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
-        if (bit_len > 0) {
-                aor->u.addressPrefix->data[byte_len - 1] &= ~(0xff >> bit_len);
-                aor->u.addressPrefix->flags |= 8 - bit_len;
-        }
-        *result = aor;
        return 1;
 err:

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index b1ff93d4d0..ba5aaff7e6 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_addr.c,v 1.80 2022/04/21 05:06:07 tb Exp $ */	1	/* $OpenBSD: x509_addr.c,v 1.81 2022/05/17 07:50:59 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -73,6 +73,7 @@
73	#include <openssl/x509.h>	73	#include <openssl/x509.h>
74	#include <openssl/x509v3.h>	74	#include <openssl/x509v3.h>
75		75
		76	#include "asn1_locl.h"
76	#include "bytestring.h"	77	#include "bytestring.h"
77	#include "x509_lcl.h"	78	#include "x509_lcl.h"
78		79
@@ -847,44 +848,45 @@ range_should_be_prefix(const unsigned char min, const unsigned char max,
847	}	848	}
848		849
849	/*	850	/*
850	* Construct a prefix.	851	* Fill IPAddressOrRange with bit string encoding of a prefix - RFC 3779, 2.1.1.
851	*/	852	*/
852	static int	853	static int
853	make_addressPrefix(IPAddressOrRange *result, unsigned char addr,	854	make_addressPrefix(IPAddressOrRange *out_aor, uint8_t addr, uint32_t afi,
854	unsigned int afi, int prefix_len)	855	int prefix_len)
855	{	856	{
856	IPAddressOrRange *aor;	857	IPAddressOrRange *aor = NULL;
857	int afi_len, byte_len, bit_len, max_len;	858	int afi_len, max_len, num_bits, num_octets;
		859	uint8_t unused_bits;
858		860
859	if (prefix_len < 0)	861	if (prefix_len < 0)
860	return 0;	862	goto err;
861		863
862	max_len = 16;	864	max_len = 16;
863	if ((afi_len = length_from_afi(afi)) > 0)	865	if ((afi_len = length_from_afi(afi)) > 0)
864	max_len = afi_len;	866	max_len = afi_len;
865	if (prefix_len > 8 * max_len)	867	if (prefix_len > 8 * max_len)
866	return 0;	868	goto err;
		869
		870	num_octets = (prefix_len + 7) / 8;
		871	num_bits = prefix_len % 8;
867		872
868	byte_len = (prefix_len + 7) / 8;	873	unused_bits = 0;
869	bit_len = prefix_len % 8;	874	if (num_bits > 0)
		875	unused_bits = 8 - num_bits;
870		876
871	if ((aor = IPAddressOrRange_new()) == NULL)	877	if ((aor = IPAddressOrRange_new()) == NULL)
872	return 0;	878	goto err;
		879
873	aor->type = IPAddressOrRange_addressPrefix;	880	aor->type = IPAddressOrRange_addressPrefix;
		881
874	if ((aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)	882	if ((aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
875	goto err;	883	goto err;
876		884	if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, num_octets))
877	if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, byte_len))	885	goto err;
		886	if (!asn1_abs_set_unused_bits(aor->u.addressPrefix, unused_bits))
878	goto err;	887	goto err;
879		888
880	aor->u.addressPrefix->flags &= ~7;	889	*out_aor = aor;
881	aor->u.addressPrefix->flags \|= ASN1_STRING_FLAG_BITS_LEFT;
882	if (bit_len > 0) {
883	aor->u.addressPrefix->data[byte_len - 1] &= ~(0xff >> bit_len);
884	aor->u.addressPrefix->flags \|= 8 - bit_len;
885	}
886
887	*result = aor;
888	return 1;	890	return 1;
889		891
890	err:	892	err: