1 files changed, 36 insertions, 40 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 242d1b4982..3686d6a823 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.42 2021/12/28 20:44:56 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.43 2021/12/28 20:50:37 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -1077,8 +1077,10 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
 {
        unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
        unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
+        IPAddressFamily *f;
        IPAddressOrRanges *aors;
-        int i, j, k;
+        IPAddressOrRange *aor, *aor_a, *aor_b;
+        int i, j, k, length;
        /*
         * Empty extension is canonical.
@@ -1107,41 +1109,37 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
         * Top level's ok, now check each address family.
         */
        for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
-                IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+                f = sk_IPAddressFamily_value(addr, i);
-                int length;
                if (!IPAddressFamily_afi_length(f, &length))
                        return 0;
                /*
-                 * Inheritance is canonical.  Anything other than inheritance
+                 * If this family has an inheritance element, it is canonical.
-                 * or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or
-                 * something.
                 */
-                if (f == NULL || f->ipAddressChoice == NULL)
+                if (IPAddressFamily_inheritance(f) != NULL)
-                        return 0;
-                switch (f->ipAddressChoice->type) {
-                case IPAddressChoice_inherit:
                        continue;
-                case IPAddressChoice_addressesOrRanges:
-                        break;
-                default:
-                        return 0;
-                }
                /*
-                 * It's an IPAddressOrRanges sequence, check it.
+                 * If this family has neither an inheritance element nor an
+                 * addressesOrRanges, we don't know what this is.
                 */
-                aors = f->ipAddressChoice->u.addressesOrRanges;
+                if ((aors = IPAddressFamily_addressesOrRanges(f)) == NULL)
+                        return 0;
                if (sk_IPAddressOrRange_num(aors) == 0)
                        return 0;
                for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
-                        IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
+                        aor_a = sk_IPAddressOrRange_value(aors, j);
-                        IPAddressOrRange *b = sk_IPAddressOrRange_value(aors,
+                        aor_b = sk_IPAddressOrRange_value(aors, j + 1);
-                            j + 1);
+                        /*
+                         * XXX - check that both are either a prefix or a range.
+                         */
-                        if (!extract_min_max(a, a_min, a_max, length) ||
+                        if (!extract_min_max(aor_a, a_min, a_max, length) ||
-                            !extract_min_max(b, b_min, b_max, length))
+                            !extract_min_max(aor_b, b_min, b_max, length))
                                return 0;
                        /*
@@ -1154,8 +1152,8 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
                                return 0;
                        /*
-                         * Punt if adjacent or overlapping.  Check for adjacency by
+                         * Punt if adjacent or overlapping.  Check for adjacency
-                         * subtracting one from b_min first.
+                         * by subtracting one from b_min first.
                         */
                        for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
                                continue;
@@ -1165,27 +1163,25 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
                        /*
                         * Check for range that should be expressed as a prefix.
                         */
-                        if (a->type == IPAddressOrRange_addressRange &&
+                        if (aor_a->type == IPAddressOrRange_addressPrefix)
-                            range_should_be_prefix(a_min, a_max, length) >= 0)
+                                continue;
+                        if (range_should_be_prefix(a_min, a_max, length) >= 0)
                                return 0;
                }
                /*
-                 * Check range to see if it's inverted or should be a
+                 * Check final range to see if it's inverted or should be a
                 * prefix.
                 */
-                j = sk_IPAddressOrRange_num(aors) - 1;
+                aor = sk_IPAddressOrRange_value(aors, j);
-                {
+                if (aor->type == IPAddressOrRange_addressRange) {
-                        IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
+                        if (!extract_min_max(aor, a_min, a_max, length))
-                        if (a != NULL &&
+                                return 0;
-                            a->type == IPAddressOrRange_addressRange) {
+                        if (memcmp(a_min, a_max, length) > 0)
-                                if (!extract_min_max(a, a_min, a_max, length))
+                                return 0;
-                                        return 0;
+                        if (range_should_be_prefix(a_min, a_max, length) >= 0)
-                                if (memcmp(a_min, a_max, length) > 0 ||
+                                return 0;
-                                    range_should_be_prefix(a_min, a_max,
-                                    length) >= 0)
-                                        return 0;
-                        }
                }
        }

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index 242d1b4982..3686d6a823 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_addr.c,v 1.42 2021/12/28 20:44:56 tb Exp $ */	1	/* $OpenBSD: x509_addr.c,v 1.43 2021/12/28 20:50:37 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -1077,8 +1077,10 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
1077	{	1077	{
1078	unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];	1078	unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
1079	unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];	1079	unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
		1080	IPAddressFamily *f;
1080	IPAddressOrRanges *aors;	1081	IPAddressOrRanges *aors;
1081	int i, j, k;	1082	IPAddressOrRange aor, aor_a, *aor_b;
		1083	int i, j, k, length;
1082		1084
1083	/*	1085	/*
1084	* Empty extension is canonical.	1086	* Empty extension is canonical.
@@ -1107,41 +1109,37 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
1107	* Top level's ok, now check each address family.	1109	* Top level's ok, now check each address family.
1108	*/	1110	*/
1109	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {	1111	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1110	IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);	1112	f = sk_IPAddressFamily_value(addr, i);
1111	int length;
1112		1113
1113	if (!IPAddressFamily_afi_length(f, &length))	1114	if (!IPAddressFamily_afi_length(f, &length))
1114	return 0;	1115	return 0;
1115		1116
1116	/*	1117	/*
1117	* Inheritance is canonical. Anything other than inheritance	1118	* If this family has an inheritance element, it is canonical.
1118	* or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or
1119	* something.
1120	*/	1119	*/
1121	if (f == NULL \|\| f->ipAddressChoice == NULL)	1120	if (IPAddressFamily_inheritance(f) != NULL)
1122	return 0;
1123	switch (f->ipAddressChoice->type) {
1124	case IPAddressChoice_inherit:
1125	continue;	1121	continue;
1126	case IPAddressChoice_addressesOrRanges:
1127	break;
1128	default:
1129	return 0;
1130	}
1131		1122
1132	/*	1123	/*
1133	* It's an IPAddressOrRanges sequence, check it.	1124	* If this family has neither an inheritance element nor an
		1125	* addressesOrRanges, we don't know what this is.
1134	*/	1126	*/
1135	aors = f->ipAddressChoice->u.addressesOrRanges;	1127	if ((aors = IPAddressFamily_addressesOrRanges(f)) == NULL)
		1128	return 0;
		1129
1136	if (sk_IPAddressOrRange_num(aors) == 0)	1130	if (sk_IPAddressOrRange_num(aors) == 0)
1137	return 0;	1131	return 0;
		1132
1138	for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {	1133	for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
1139	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);	1134	aor_a = sk_IPAddressOrRange_value(aors, j);
1140	IPAddressOrRange *b = sk_IPAddressOrRange_value(aors,	1135	aor_b = sk_IPAddressOrRange_value(aors, j + 1);
1141	j + 1);	1136
		1137	/*
		1138	* XXX - check that both are either a prefix or a range.
		1139	*/
1142		1140
1143	if (!extract_min_max(a, a_min, a_max, length) \|\|	1141	if (!extract_min_max(aor_a, a_min, a_max, length) \|\|
1144	!extract_min_max(b, b_min, b_max, length))	1142	!extract_min_max(aor_b, b_min, b_max, length))
1145	return 0;	1143	return 0;
1146		1144
1147	/*	1145	/*
@@ -1154,8 +1152,8 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
1154	return 0;	1152	return 0;
1155		1153
1156	/*	1154	/*
1157	* Punt if adjacent or overlapping. Check for adjacency by	1155	* Punt if adjacent or overlapping. Check for adjacency
1158	* subtracting one from b_min first.	1156	* by subtracting one from b_min first.
1159	*/	1157	*/
1160	for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)	1158	for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
1161	continue;	1159	continue;
@@ -1165,27 +1163,25 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
1165	/*	1163	/*
1166	* Check for range that should be expressed as a prefix.	1164	* Check for range that should be expressed as a prefix.
1167	*/	1165	*/
1168	if (a->type == IPAddressOrRange_addressRange &&	1166	if (aor_a->type == IPAddressOrRange_addressPrefix)
1169	range_should_be_prefix(a_min, a_max, length) >= 0)	1167	continue;
		1168
		1169	if (range_should_be_prefix(a_min, a_max, length) >= 0)
1170	return 0;	1170	return 0;
1171	}	1171	}
1172		1172
1173	/*	1173	/*
1174	* Check range to see if it's inverted or should be a	1174	* Check final range to see if it's inverted or should be a
1175	* prefix.	1175	* prefix.
1176	*/	1176	*/
1177	j = sk_IPAddressOrRange_num(aors) - 1;	1177	aor = sk_IPAddressOrRange_value(aors, j);
1178	{	1178	if (aor->type == IPAddressOrRange_addressRange) {
1179	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);	1179	if (!extract_min_max(aor, a_min, a_max, length))
1180	if (a != NULL &&	1180	return 0;
1181	a->type == IPAddressOrRange_addressRange) {	1181	if (memcmp(a_min, a_max, length) > 0)
1182	if (!extract_min_max(a, a_min, a_max, length))	1182	return 0;
1183	return 0;	1183	if (range_should_be_prefix(a_min, a_max, length) >= 0)
1184	if (memcmp(a_min, a_max, length) > 0 \|\|	1184	return 0;
1185	range_should_be_prefix(a_min, a_max,
1186	length) >= 0)
1187	return 0;
1188	}
1189	}	1185	}
1190	}	1186	}
1191		1187