1 files changed, 28 insertions, 15 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 80260dca10..705fc7df32 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.60 2022/01/05 07:29:47 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.61 2022/01/05 07:37:01 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -1678,24 +1678,37 @@ addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
 * Test whether a is a subset of b.
 */
 int
-X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
+X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent)
 {
-        int i;
+        IPAddressFamily *fc, *fp;
-        if (a == NULL || a == b)
+        IPAddressOrRanges *aorc, *aorp;
+        int i, j, length;
+        if (child == NULL || child == parent)
                return 1;
-        if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
+        if (parent == NULL)
+                return 0;
+        if (X509v3_addr_inherits(child) || X509v3_addr_inherits(parent))
                return 0;
-        (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
-        for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
+        sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp);
-                IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
-                int j = sk_IPAddressFamily_find(b, fa);
+        for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
-                IPAddressFamily *fb;
+                fc = sk_IPAddressFamily_value(child, i);
-                fb = sk_IPAddressFamily_value(b, j);
-                if (fb == NULL)
+                j = sk_IPAddressFamily_find(parent, fc);
+                fp = sk_IPAddressFamily_value(parent, j);
+                if (fp == NULL)
                        return 0;
-                if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
-                    fa->ipAddressChoice->u.addressesOrRanges,
+                if (!IPAddressFamily_afi_length(fp, &length))
-                    length_from_afi(X509v3_addr_get_afi(fb))))
+                        return 0;
+                aorc = IPAddressFamily_addressesOrRanges(fc);
+                aorp = IPAddressFamily_addressesOrRanges(fp);
+                if (!addr_contains(aorp, aorc, length))
                        return 0;
        }
        return 1;

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index 80260dca10..705fc7df32 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_addr.c,v 1.60 2022/01/05 07:29:47 tb Exp $ */	1	/* $OpenBSD: x509_addr.c,v 1.61 2022/01/05 07:37:01 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -1678,24 +1678,37 @@ addr_contains(IPAddressOrRanges parent, IPAddressOrRanges child, int length)
1678	* Test whether a is a subset of b.	1678	* Test whether a is a subset of b.
1679	*/	1679	*/
1680	int	1680	int
1681	X509v3_addr_subset(IPAddrBlocks a, IPAddrBlocks b)	1681	X509v3_addr_subset(IPAddrBlocks child, IPAddrBlocks parent)
1682	{	1682	{
1683	int i;	1683	IPAddressFamily fc, fp;
1684	if (a == NULL \|\| a == b)	1684	IPAddressOrRanges aorc, aorp;
		1685	int i, j, length;
		1686
		1687	if (child == NULL \|\| child == parent)
1685	return 1;	1688	return 1;
1686	if (b == NULL \|\| X509v3_addr_inherits(a) \|\| X509v3_addr_inherits(b))	1689	if (parent == NULL)
		1690	return 0;
		1691
		1692	if (X509v3_addr_inherits(child) \|\| X509v3_addr_inherits(parent))
1687	return 0;	1693	return 0;
1688	(void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);	1694
1689	for (i = 0; i < sk_IPAddressFamily_num(a); i++) {	1695	sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp);
1690	IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);	1696
1691	int j = sk_IPAddressFamily_find(b, fa);	1697	for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
1692	IPAddressFamily *fb;	1698	fc = sk_IPAddressFamily_value(child, i);
1693	fb = sk_IPAddressFamily_value(b, j);	1699
1694	if (fb == NULL)	1700	j = sk_IPAddressFamily_find(parent, fc);
		1701	fp = sk_IPAddressFamily_value(parent, j);
		1702	if (fp == NULL)
1695	return 0;	1703	return 0;
1696	if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,	1704
1697	fa->ipAddressChoice->u.addressesOrRanges,	1705	if (!IPAddressFamily_afi_length(fp, &length))
1698	length_from_afi(X509v3_addr_get_afi(fb))))	1706	return 0;
		1707
		1708	aorc = IPAddressFamily_addressesOrRanges(fc);
		1709	aorp = IPAddressFamily_addressesOrRanges(fp);
		1710
		1711	if (!addr_contains(aorp, aorc, length))
1699	return 0;	1712	return 0;
1700	}	1713	}
1701	return 1;	1714	return 1;