1 files changed, 82 insertions, 80 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 110b5b63f8..1530c3174c 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -623,7 +623,7 @@ make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
        *result = aor;
        return 1;
-err:
+ err:
        IPAddressOrRange_free(aor);
        return 0;
 }
@@ -686,7 +686,7 @@ make_addressRange(IPAddressOrRange **result, unsigned char *min,
        *result = aor;
        return 1;
-err:
+ err:
        IPAddressOrRange_free(aor);
        return 0;
 }
@@ -734,7 +734,7 @@ make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
        return f;
-err:
+ err:
        IPAddressFamily_free(f);
        return NULL;
 }
@@ -906,15 +906,15 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
        IPAddressOrRanges *aors;
        int i, j, k;
-    /*
+        /*
-     * Empty extension is canonical.
+         * Empty extension is canonical.
-     */
+         */
        if (addr == NULL)
                return 1;
-    /*
+        /*
-     * Check whether the top-level list is in order.
+         * Check whether the top-level list is in order.
-     */
+         */
        for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
                const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
                const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
@@ -922,17 +922,18 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
                        return 0;
        }
-    /*
+        /*
-     * Top level's ok, now check each address family.
+         * Top level's ok, now check each address family.
-     */
+         */
        for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
                IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
                int length = length_from_afi(X509v3_addr_get_afi(f));
-        /*
+                /*
-         * Inheritance is canonical.  Anything other than inheritance or
+                 * Inheritance is canonical.  Anything other than inheritance
-         * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
+                 * or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or
-         */
+                 * something.
+                 */
                if (f == NULL || f->ipAddressChoice == NULL)
                        return 0;
                switch (f->ipAddressChoice->type) {
@@ -944,9 +945,9 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
                        return 0;
                }
-        /*
+                /*
-         * It's an IPAddressOrRanges sequence, check it.
+                 * It's an IPAddressOrRanges sequence, check it.
-         */
+                 */
                aors = f->ipAddressChoice->u.addressesOrRanges;
                if (sk_IPAddressOrRange_num(aors) == 0)
                        return 0;
@@ -959,35 +960,36 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
                            !extract_min_max(b, b_min, b_max, length))
                                return 0;
-            /*
+                        /*
-             * Punt misordered list, overlapping start, or inverted range.
+                         * Punt misordered list, overlapping start, or inverted
-             */
+                         * range.
+                         */
                        if (memcmp(a_min, b_min, length) >= 0 ||
                            memcmp(a_min, a_max, length) > 0 ||
                            memcmp(b_min, b_max, length) > 0)
                                return 0;
-            /*
+                        /*
-             * Punt if adjacent or overlapping.  Check for adjacency by
+                         * Punt if adjacent or overlapping.  Check for adjacency by
-             * subtracting one from b_min first.
+                         * subtracting one from b_min first.
-             */
+                         */
                        for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
                                ;
                        if (memcmp(a_max, b_min, length) >= 0)
                                return 0;
-            /*
+                        /*
-             * Check for range that should be expressed as a prefix.
+                         * Check for range that should be expressed as a prefix.
-             */
+                         */
                        if (a->type == IPAddressOrRange_addressRange &&
                            range_should_be_prefix(a_min, a_max, length) >= 0)
                                return 0;
                }
-        /*
+                /*
-         * Check range to see if it's inverted or should be a
+                 * Check range to see if it's inverted or should be a
-         * prefix.
+                 * prefix.
-         */
+                 */
                j = sk_IPAddressOrRange_num(aors) - 1;
                {
                        IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
@@ -1003,9 +1005,9 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
                }
        }
-    /*
+        /*
-     * If we made it through all that, we're happy.
+         * If we made it through all that, we're happy.
-     */
+         */
        return 1;
 }
@@ -1017,14 +1019,14 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
 {
        int i, j, length = length_from_afi(afi);
-    /*
+        /*
-     * Sort the IPAddressOrRanges sequence.
+         * Sort the IPAddressOrRanges sequence.
-     */
+         */
        sk_IPAddressOrRange_sort(aors);
-    /*
+        /*
-     * Clean up representation issues, punt on duplicates or overlaps.
+         * Clean up representation issues, punt on duplicates or overlaps.
-     */
+         */
        for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
                IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
                IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
@@ -1035,23 +1037,23 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
                    !extract_min_max(b, b_min, b_max, length))
                        return 0;
-        /*
+                /*
-         * Punt inverted ranges.
+                 * Punt inverted ranges.
-         */
+                 */
                if (memcmp(a_min, a_max, length) > 0 ||
                    memcmp(b_min, b_max, length) > 0)
                        return 0;
-        /*
+                /*
-         * Punt overlaps.
+                 * Punt overlaps.
-         */
+                 */
                if (memcmp(a_max, b_min, length) >= 0)
                        return 0;
-        /*
+                /*
-         * Merge if a and b are adjacent.  We check for
+                 * Merge if a and b are adjacent.  We check for
-         * adjacency by subtracting one from b_min first.
+                 * adjacency by subtracting one from b_min first.
-         */
+                 */
                for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
                        ;
                if (memcmp(a_max, b_min, length) == 0) {
@@ -1067,9 +1069,9 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
                }
        }
-    /*
+        /*
-     * Check for inverted final range.
+         * Check for inverted final range.
-     */
+         */
        j = sk_IPAddressOrRange_num(aors) - 1;
        {
                IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
@@ -1159,10 +1161,10 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
                length = length_from_afi(afi);
-        /*
+                /*
-         * Handle SAFI, if any, and strdup() so we can null-terminate
+                 * Handle SAFI, if any, and strdup() so we can null-terminate
-         * the other input values.
+                 * the other input values.
-         */
+                 */
                if (safi != NULL) {
                        *safi = strtoul(val->value, &t, 0);
                        t += strspn(t, " \t");
@@ -1181,10 +1183,10 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
                        goto err;
                }
-        /*
+                /*
-         * Check for inheritance.  Not worth additional complexity to
+                 * Check for inheritance. Not worth additional complexity to
-         * optimize this (seldom-used) case.
+                 * optimize this (seldom-used) case.
-         */
+                 */
                if (strcmp(s, "inherit") == 0) {
                        if (!X509v3_addr_add_inherit(addr, afi, safi)) {
                                X509V3error(X509V3_R_INVALID_INHERITANCE);
@@ -1261,14 +1263,14 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
                s = NULL;
        }
-    /*
+        /*
-     * Canonize the result, then we're done.
+         * Canonize the result, then we're done.
-     */
+         */
        if (!X509v3_addr_canonize(addr))
                goto err;
        return addr;
-err:
+ err:
        free(s);
        sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
        return NULL;
@@ -1409,11 +1411,11 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
        OPENSSL_assert(ctx != NULL || ext != NULL);
        OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
-    /*
+        /*
-     * Figure out where to start.  If we don't have an extension to
+         * Figure out where to start. If we don't have an extension to check,
-     * check, we're done.  Otherwise, check canonical form and
+         * we're done.  Otherwise, check canonical form and set up for walking
-     * set up for walking up the chain.
+         * up the chain.
-     */
+         */
        if (ext != NULL) {
                i = -1;
                x = NULL;
@@ -1434,10 +1436,10 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
                goto done;
        }
-    /*
+        /*
-     * Now walk up the chain.  No cert may list resources that its
+         * Now walk up the chain. No cert may list resources that its parent
-     * parent doesn't list.
+         * doesn't list.
-     */
+         */
        for (i++; i < sk_X509_num(chain); i++) {
                x = sk_X509_value(chain, i);
                if (!X509v3_addr_is_canonical(x->rfc3779_addr))
@@ -1483,9 +1485,9 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
                }
        }
-    /*
+        /*
-     * Trust anchor can't inherit.
+         * Trust anchor can't inherit.
-     */
+         */
        if (x->rfc3779_addr != NULL) {
                for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
                        IPAddressFamily *fp =
@@ -1497,7 +1499,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
                }
        }
-done:
+ done:
        sk_IPAddressFamily_free(child);
        return ret;
 }

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index 110b5b63f8..1530c3174c 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -623,7 +623,7 @@ make_addressPrefix(IPAddressOrRange *result, unsigned char addr,
623	*result = aor;	623	*result = aor;
624	return 1;	624	return 1;
625		625
626	err:	626	err:
627	IPAddressOrRange_free(aor);	627	IPAddressOrRange_free(aor);
628	return 0;	628	return 0;
629	}	629	}
@@ -686,7 +686,7 @@ make_addressRange(IPAddressOrRange *result, unsigned char min,
686	*result = aor;	686	*result = aor;
687	return 1;	687	return 1;
688		688
689	err:	689	err:
690	IPAddressOrRange_free(aor);	690	IPAddressOrRange_free(aor);
691	return 0;	691	return 0;
692	}	692	}
@@ -734,7 +734,7 @@ make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
734		734
735	return f;	735	return f;
736		736
737	err:	737	err:
738	IPAddressFamily_free(f);	738	IPAddressFamily_free(f);
739	return NULL;	739	return NULL;
740	}	740	}
@@ -906,15 +906,15 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
906	IPAddressOrRanges *aors;	906	IPAddressOrRanges *aors;
907	int i, j, k;	907	int i, j, k;
908		908
909	/*	909	/*
910	* Empty extension is canonical.	910	* Empty extension is canonical.
911	*/	911	*/
912	if (addr == NULL)	912	if (addr == NULL)
913	return 1;	913	return 1;
914		914
915	/*	915	/*
916	* Check whether the top-level list is in order.	916	* Check whether the top-level list is in order.
917	*/	917	*/
918	for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {	918	for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
919	const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);	919	const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
920	const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);	920	const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
@@ -922,17 +922,18 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
922	return 0;	922	return 0;
923	}	923	}
924		924
925	/*	925	/*
926	* Top level's ok, now check each address family.	926	* Top level's ok, now check each address family.
927	*/	927	*/
928	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {	928	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
929	IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);	929	IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
930	int length = length_from_afi(X509v3_addr_get_afi(f));	930	int length = length_from_afi(X509v3_addr_get_afi(f));
931		931
932	/*	932	/*
933	* Inheritance is canonical. Anything other than inheritance or	933	* Inheritance is canonical. Anything other than inheritance
934	* a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.	934	* or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or
935	*/	935	* something.
		936	*/
936	if (f == NULL \|\| f->ipAddressChoice == NULL)	937	if (f == NULL \|\| f->ipAddressChoice == NULL)
937	return 0;	938	return 0;
938	switch (f->ipAddressChoice->type) {	939	switch (f->ipAddressChoice->type) {
@@ -944,9 +945,9 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
944	return 0;	945	return 0;
945	}	946	}
946		947
947	/*	948	/*
948	* It's an IPAddressOrRanges sequence, check it.	949	* It's an IPAddressOrRanges sequence, check it.
949	*/	950	*/
950	aors = f->ipAddressChoice->u.addressesOrRanges;	951	aors = f->ipAddressChoice->u.addressesOrRanges;
951	if (sk_IPAddressOrRange_num(aors) == 0)	952	if (sk_IPAddressOrRange_num(aors) == 0)
952	return 0;	953	return 0;
@@ -959,35 +960,36 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
959	!extract_min_max(b, b_min, b_max, length))	960	!extract_min_max(b, b_min, b_max, length))
960	return 0;	961	return 0;
961		962
962	/*	963	/*
963	* Punt misordered list, overlapping start, or inverted range.	964	* Punt misordered list, overlapping start, or inverted
964	*/	965	* range.
		966	*/
965	if (memcmp(a_min, b_min, length) >= 0 \|\|	967	if (memcmp(a_min, b_min, length) >= 0 \|\|
966	memcmp(a_min, a_max, length) > 0 \|\|	968	memcmp(a_min, a_max, length) > 0 \|\|
967	memcmp(b_min, b_max, length) > 0)	969	memcmp(b_min, b_max, length) > 0)
968	return 0;	970	return 0;
969		971
970	/*	972	/*
971	* Punt if adjacent or overlapping. Check for adjacency by	973	* Punt if adjacent or overlapping. Check for adjacency by
972	* subtracting one from b_min first.	974	* subtracting one from b_min first.
973	*/	975	*/
974	for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)	976	for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
975	;	977	;
976	if (memcmp(a_max, b_min, length) >= 0)	978	if (memcmp(a_max, b_min, length) >= 0)
977	return 0;	979	return 0;
978		980
979	/*	981	/*
980	* Check for range that should be expressed as a prefix.	982	* Check for range that should be expressed as a prefix.
981	*/	983	*/
982	if (a->type == IPAddressOrRange_addressRange &&	984	if (a->type == IPAddressOrRange_addressRange &&
983	range_should_be_prefix(a_min, a_max, length) >= 0)	985	range_should_be_prefix(a_min, a_max, length) >= 0)
984	return 0;	986	return 0;
985	}	987	}
986		988
987	/*	989	/*
988	* Check range to see if it's inverted or should be a	990	* Check range to see if it's inverted or should be a
989	* prefix.	991	* prefix.
990	*/	992	*/
991	j = sk_IPAddressOrRange_num(aors) - 1;	993	j = sk_IPAddressOrRange_num(aors) - 1;
992	{	994	{
993	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);	995	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
@@ -1003,9 +1005,9 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
1003	}	1005	}
1004	}	1006	}
1005		1007
1006	/*	1008	/*
1007	* If we made it through all that, we're happy.	1009	* If we made it through all that, we're happy.
1008	*/	1010	*/
1009	return 1;	1011	return 1;
1010	}	1012	}
1011		1013
@@ -1017,14 +1019,14 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
1017	{	1019	{
1018	int i, j, length = length_from_afi(afi);	1020	int i, j, length = length_from_afi(afi);
1019		1021
1020	/*	1022	/*
1021	* Sort the IPAddressOrRanges sequence.	1023	* Sort the IPAddressOrRanges sequence.
1022	*/	1024	*/
1023	sk_IPAddressOrRange_sort(aors);	1025	sk_IPAddressOrRange_sort(aors);
1024		1026
1025	/*	1027	/*
1026	* Clean up representation issues, punt on duplicates or overlaps.	1028	* Clean up representation issues, punt on duplicates or overlaps.
1027	*/	1029	*/
1028	for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {	1030	for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
1029	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);	1031	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
1030	IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);	1032	IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
@@ -1035,23 +1037,23 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
1035	!extract_min_max(b, b_min, b_max, length))	1037	!extract_min_max(b, b_min, b_max, length))
1036	return 0;	1038	return 0;
1037		1039
1038	/*	1040	/*
1039	* Punt inverted ranges.	1041	* Punt inverted ranges.
1040	*/	1042	*/
1041	if (memcmp(a_min, a_max, length) > 0 \|\|	1043	if (memcmp(a_min, a_max, length) > 0 \|\|
1042	memcmp(b_min, b_max, length) > 0)	1044	memcmp(b_min, b_max, length) > 0)
1043	return 0;	1045	return 0;
1044		1046
1045	/*	1047	/*
1046	* Punt overlaps.	1048	* Punt overlaps.
1047	*/	1049	*/
1048	if (memcmp(a_max, b_min, length) >= 0)	1050	if (memcmp(a_max, b_min, length) >= 0)
1049	return 0;	1051	return 0;
1050		1052
1051	/*	1053	/*
1052	* Merge if a and b are adjacent. We check for	1054	* Merge if a and b are adjacent. We check for
1053	* adjacency by subtracting one from b_min first.	1055	* adjacency by subtracting one from b_min first.
1054	*/	1056	*/
1055	for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)	1057	for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
1056	;	1058	;
1057	if (memcmp(a_max, b_min, length) == 0) {	1059	if (memcmp(a_max, b_min, length) == 0) {
@@ -1067,9 +1069,9 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
1067	}	1069	}
1068	}	1070	}
1069		1071
1070	/*	1072	/*
1071	* Check for inverted final range.	1073	* Check for inverted final range.
1072	*/	1074	*/
1073	j = sk_IPAddressOrRange_num(aors) - 1;	1075	j = sk_IPAddressOrRange_num(aors) - 1;
1074	{	1076	{
1075	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);	1077	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
@@ -1159,10 +1161,10 @@ v2i_IPAddrBlocks(const struct v3_ext_method method, struct v3_ext_ctx ctx,
1159		1161
1160	length = length_from_afi(afi);	1162	length = length_from_afi(afi);
1161		1163
1162	/*	1164	/*
1163	* Handle SAFI, if any, and strdup() so we can null-terminate	1165	* Handle SAFI, if any, and strdup() so we can null-terminate
1164	* the other input values.	1166	* the other input values.
1165	*/	1167	*/
1166	if (safi != NULL) {	1168	if (safi != NULL) {
1167	*safi = strtoul(val->value, &t, 0);	1169	*safi = strtoul(val->value, &t, 0);
1168	t += strspn(t, " \t");	1170	t += strspn(t, " \t");
@@ -1181,10 +1183,10 @@ v2i_IPAddrBlocks(const struct v3_ext_method method, struct v3_ext_ctx ctx,
1181	goto err;	1183	goto err;
1182	}	1184	}
1183		1185
1184	/*	1186	/*
1185	* Check for inheritance. Not worth additional complexity to	1187	* Check for inheritance. Not worth additional complexity to
1186	* optimize this (seldom-used) case.	1188	* optimize this (seldom-used) case.
1187	*/	1189	*/
1188	if (strcmp(s, "inherit") == 0) {	1190	if (strcmp(s, "inherit") == 0) {
1189	if (!X509v3_addr_add_inherit(addr, afi, safi)) {	1191	if (!X509v3_addr_add_inherit(addr, afi, safi)) {
1190	X509V3error(X509V3_R_INVALID_INHERITANCE);	1192	X509V3error(X509V3_R_INVALID_INHERITANCE);
@@ -1261,14 +1263,14 @@ v2i_IPAddrBlocks(const struct v3_ext_method method, struct v3_ext_ctx ctx,
1261	s = NULL;	1263	s = NULL;
1262	}	1264	}
1263		1265
1264	/*	1266	/*
1265	* Canonize the result, then we're done.	1267	* Canonize the result, then we're done.
1266	*/	1268	*/
1267	if (!X509v3_addr_canonize(addr))	1269	if (!X509v3_addr_canonize(addr))
1268	goto err;	1270	goto err;
1269	return addr;	1271	return addr;
1270		1272
1271	err:	1273	err:
1272	free(s);	1274	free(s);
1273	sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);	1275	sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1274	return NULL;	1276	return NULL;
@@ -1409,11 +1411,11 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
1409	OPENSSL_assert(ctx != NULL \|\| ext != NULL);	1411	OPENSSL_assert(ctx != NULL \|\| ext != NULL);
1410	OPENSSL_assert(ctx == NULL \|\| ctx->verify_cb != NULL);	1412	OPENSSL_assert(ctx == NULL \|\| ctx->verify_cb != NULL);
1411		1413
1412	/*	1414	/*
1413	* Figure out where to start. If we don't have an extension to	1415	* Figure out where to start. If we don't have an extension to check,
1414	* check, we're done. Otherwise, check canonical form and	1416	* we're done. Otherwise, check canonical form and set up for walking
1415	* set up for walking up the chain.	1417	* up the chain.
1416	*/	1418	*/
1417	if (ext != NULL) {	1419	if (ext != NULL) {
1418	i = -1;	1420	i = -1;
1419	x = NULL;	1421	x = NULL;
@@ -1434,10 +1436,10 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
1434	goto done;	1436	goto done;
1435	}	1437	}
1436		1438
1437	/*	1439	/*
1438	* Now walk up the chain. No cert may list resources that its	1440	* Now walk up the chain. No cert may list resources that its parent
1439	* parent doesn't list.	1441	* doesn't list.
1440	*/	1442	*/
1441	for (i++; i < sk_X509_num(chain); i++) {	1443	for (i++; i < sk_X509_num(chain); i++) {
1442	x = sk_X509_value(chain, i);	1444	x = sk_X509_value(chain, i);
1443	if (!X509v3_addr_is_canonical(x->rfc3779_addr))	1445	if (!X509v3_addr_is_canonical(x->rfc3779_addr))
@@ -1483,9 +1485,9 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
1483	}	1485	}
1484	}	1486	}
1485		1487
1486	/*	1488	/*
1487	* Trust anchor can't inherit.	1489	* Trust anchor can't inherit.
1488	*/	1490	*/
1489	if (x->rfc3779_addr != NULL) {	1491	if (x->rfc3779_addr != NULL) {
1490	for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {	1492	for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1491	IPAddressFamily *fp =	1493	IPAddressFamily *fp =
@@ -1497,7 +1499,7 @@ addr_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
1497	}	1499	}
1498	}	1500	}
1499		1501
1500	done:	1502	done:
1501	sk_IPAddressFamily_free(child);	1503	sk_IPAddressFamily_free(child);
1502	return ret;	1504	return ret;
1503	}	1505	}