1 files changed, 94 insertions, 25 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 038319087b..723890e436 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.34 2021/12/28 16:26:53 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.35 2021/12/28 16:37:37 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -78,6 +78,8 @@
 #ifndef OPENSSL_NO_RFC3779
+static int length_from_afi(const unsigned afi);
 /*
 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
 */
@@ -309,6 +311,75 @@ IPAddressFamily_free(IPAddressFamily *a)
 }
 /*
+ * Convenience accessors for IPAddressFamily.
+ */
+static int
+IPAddressFamily_type(IPAddressFamily *f)
+{
+        /* XXX - can f->ipAddressChoice == NULL actually happen? */
+        if (f == NULL || f->ipAddressChoice == NULL)
+                return -1;
+        switch (f->ipAddressChoice->type) {
+        case IPAddressChoice_inherit:
+        case IPAddressChoice_addressesOrRanges:
+                return f->ipAddressChoice->type;
+        default:
+                return -1;
+        }
+}
+static IPAddressOrRanges *
+IPAddressFamily_addressesOrRanges(IPAddressFamily *f)
+{
+        if (IPAddressFamily_type(f) == IPAddressChoice_addressesOrRanges)
+                return f->ipAddressChoice->u.addressesOrRanges;
+        return NULL;
+}
+static ASN1_NULL *
+IPAddressFamily_inheritance(IPAddressFamily *f)
+{
+        if (IPAddressFamily_type(f) == IPAddressChoice_inherit)
+                return f->ipAddressChoice->u.inherit;
+        return NULL;
+}
+static int
+IPAddressFamily_set_inheritance(IPAddressFamily *f)
+{
+        if (IPAddressFamily_addressesOrRanges(f) != NULL)
+                return 0;
+        if (IPAddressFamily_inheritance(f) != NULL)
+                return 1;
+        if ((f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
+                return 0;
+        f->ipAddressChoice->type = IPAddressChoice_inherit;
+        return 1;
+}
+static int
+IPAddressFamily_afi_length(const IPAddressFamily *f, int *out_length)
+{
+        unsigned int afi;
+        *out_length = 0;
+        if ((afi = X509v3_addr_get_afi(f)) == 0)
+                return 0;
+        *out_length = length_from_afi(afi);
+        return 1;
+}
+/*
 * How much buffer space do we need for a raw address?
 */
 #define ADDR_RAW_BUF_LEN        16
@@ -532,14 +603,14 @@ i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
                                break;
                        }
                }
-                switch (f->ipAddressChoice->type) {
+                switch (IPAddressFamily_type(f)) {
                case IPAddressChoice_inherit:
                        BIO_puts(out, ": inherit\n");
                        break;
                case IPAddressChoice_addressesOrRanges:
                        BIO_puts(out, ":\n");
                        if (!i2r_IPAddressOrRanges(out, indent + 2,
-                            f->ipAddressChoice->u.addressesOrRanges, afi))
+                            IPAddressFamily_addressesOrRanges(f), afi))
                                return 0;
                        break;
                }
@@ -832,20 +903,12 @@ int
 X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
    const unsigned *safi)
 {
-        IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
+        IPAddressFamily *f;
-        if (f == NULL ||
-            f->ipAddressChoice == NULL ||
+        if ((f = make_IPAddressFamily(addr, afi, safi)) == NULL)
-            (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
-             f->ipAddressChoice->u.addressesOrRanges != NULL))
-                return 0;
-        if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
-            f->ipAddressChoice->u.inherit != NULL)
-                return 1;
-        if (f->ipAddressChoice->u.inherit == NULL &&
-            (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
                return 0;
-        f->ipAddressChoice->type = IPAddressChoice_inherit;
-        return 1;
+        return IPAddressFamily_set_inheritance(f);
 }
 /*
@@ -855,20 +918,21 @@ static IPAddressOrRanges *
 make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
    const unsigned *safi)
 {
-        IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
+        IPAddressFamily *f;
        IPAddressOrRanges *aors = NULL;
-        if (f == NULL ||
+        if ((f = make_IPAddressFamily(addr, afi, safi)) == NULL)
-            f->ipAddressChoice == NULL ||
-            (f->ipAddressChoice->type == IPAddressChoice_inherit &&
-             f->ipAddressChoice->u.inherit != NULL))
                return NULL;
-        if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
-                aors = f->ipAddressChoice->u.addressesOrRanges;
+        if (IPAddressFamily_inheritance(f) != NULL)
-        if (aors != NULL)
+                return NULL;
+        if ((aors = IPAddressFamily_addressesOrRanges(f)) != NULL)
                return aors;
        if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
                return NULL;
        switch (afi) {
        case IANA_AFI_IPV4:
                sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
@@ -877,8 +941,10 @@ make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
                sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
                break;
        }
        f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
        f->ipAddressChoice->u.addressesOrRanges = aors;
        return aors;
 }
@@ -1011,7 +1077,10 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
         */
        for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
                IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
-                int length = length_from_afi(X509v3_addr_get_afi(f));
+                int length;
+                if (!IPAddressFamily_afi_length(f, &length))
+                        return 0;
                /*
                 * Inheritance is canonical.  Anything other than inheritance

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index 038319087b..723890e436 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_addr.c,v 1.34 2021/12/28 16:26:53 tb Exp $ */	1	/* $OpenBSD: x509_addr.c,v 1.35 2021/12/28 16:37:37 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -78,6 +78,8 @@
78		78
79	#ifndef OPENSSL_NO_RFC3779	79	#ifndef OPENSSL_NO_RFC3779
80		80
		81	static int length_from_afi(const unsigned afi);
		82
81	/*	83	/*
82	* OpenSSL ASN.1 template translation of RFC 3779 2.2.3.	84	* OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
83	*/	85	*/
@@ -309,6 +311,75 @@ IPAddressFamily_free(IPAddressFamily *a)
309	}	311	}
310		312
311	/*	313	/*
		314	* Convenience accessors for IPAddressFamily.
		315	*/
		316
		317	static int
		318	IPAddressFamily_type(IPAddressFamily *f)
		319	{
		320	/* XXX - can f->ipAddressChoice == NULL actually happen? */
		321	if (f == NULL \|\| f->ipAddressChoice == NULL)
		322	return -1;
		323
		324	switch (f->ipAddressChoice->type) {
		325	case IPAddressChoice_inherit:
		326	case IPAddressChoice_addressesOrRanges:
		327	return f->ipAddressChoice->type;
		328	default:
		329	return -1;
		330	}
		331	}
		332
		333	static IPAddressOrRanges *
		334	IPAddressFamily_addressesOrRanges(IPAddressFamily *f)
		335	{
		336	if (IPAddressFamily_type(f) == IPAddressChoice_addressesOrRanges)
		337	return f->ipAddressChoice->u.addressesOrRanges;
		338
		339	return NULL;
		340	}
		341
		342	static ASN1_NULL *
		343	IPAddressFamily_inheritance(IPAddressFamily *f)
		344	{
		345	if (IPAddressFamily_type(f) == IPAddressChoice_inherit)
		346	return f->ipAddressChoice->u.inherit;
		347
		348	return NULL;
		349	}
		350
		351	static int
		352	IPAddressFamily_set_inheritance(IPAddressFamily *f)
		353	{
		354	if (IPAddressFamily_addressesOrRanges(f) != NULL)
		355	return 0;
		356
		357	if (IPAddressFamily_inheritance(f) != NULL)
		358	return 1;
		359
		360	if ((f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
		361	return 0;
		362	f->ipAddressChoice->type = IPAddressChoice_inherit;
		363
		364	return 1;
		365	}
		366
		367	static int
		368	IPAddressFamily_afi_length(const IPAddressFamily f, int out_length)
		369	{
		370	unsigned int afi;
		371
		372	*out_length = 0;
		373
		374	if ((afi = X509v3_addr_get_afi(f)) == 0)
		375	return 0;
		376
		377	*out_length = length_from_afi(afi);
		378
		379	return 1;
		380	}
		381
		382	/*
312	* How much buffer space do we need for a raw address?	383	* How much buffer space do we need for a raw address?
313	*/	384	*/
314	#define ADDR_RAW_BUF_LEN 16	385	#define ADDR_RAW_BUF_LEN 16
@@ -532,14 +603,14 @@ i2r_IPAddrBlocks(const X509V3_EXT_METHOD method, void ext, BIO *out,
532	break;	603	break;
533	}	604	}
534	}	605	}
535	switch (f->ipAddressChoice->type) {	606	switch (IPAddressFamily_type(f)) {
536	case IPAddressChoice_inherit:	607	case IPAddressChoice_inherit:
537	BIO_puts(out, ": inherit\n");	608	BIO_puts(out, ": inherit\n");
538	break;	609	break;
539	case IPAddressChoice_addressesOrRanges:	610	case IPAddressChoice_addressesOrRanges:
540	BIO_puts(out, ":\n");	611	BIO_puts(out, ":\n");
541	if (!i2r_IPAddressOrRanges(out, indent + 2,	612	if (!i2r_IPAddressOrRanges(out, indent + 2,
542	f->ipAddressChoice->u.addressesOrRanges, afi))	613	IPAddressFamily_addressesOrRanges(f), afi))
543	return 0;	614	return 0;
544	break;	615	break;
545	}	616	}
@@ -832,20 +903,12 @@ int
832	X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,	903	X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
833	const unsigned *safi)	904	const unsigned *safi)
834	{	905	{
835	IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);	906	IPAddressFamily *f;
836	if (f == NULL \|\|	907
837	f->ipAddressChoice == NULL \|\|	908	if ((f = make_IPAddressFamily(addr, afi, safi)) == NULL)
838	(f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
839	f->ipAddressChoice->u.addressesOrRanges != NULL))
840	return 0;
841	if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
842	f->ipAddressChoice->u.inherit != NULL)
843	return 1;
844	if (f->ipAddressChoice->u.inherit == NULL &&
845	(f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
846	return 0;	909	return 0;
847	f->ipAddressChoice->type = IPAddressChoice_inherit;	910
848	return 1;	911	return IPAddressFamily_set_inheritance(f);
849	}	912	}
850		913
851	/*	914	/*
@@ -855,20 +918,21 @@ static IPAddressOrRanges *
855	make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,	918	make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
856	const unsigned *safi)	919	const unsigned *safi)
857	{	920	{
858	IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);	921	IPAddressFamily *f;
859	IPAddressOrRanges *aors = NULL;	922	IPAddressOrRanges *aors = NULL;
860		923
861	if (f == NULL \|\|	924	if ((f = make_IPAddressFamily(addr, afi, safi)) == NULL)
862	f->ipAddressChoice == NULL \|\|
863	(f->ipAddressChoice->type == IPAddressChoice_inherit &&
864	f->ipAddressChoice->u.inherit != NULL))
865	return NULL;	925	return NULL;
866	if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)	926
867	aors = f->ipAddressChoice->u.addressesOrRanges;	927	if (IPAddressFamily_inheritance(f) != NULL)
868	if (aors != NULL)	928	return NULL;
		929
		930	if ((aors = IPAddressFamily_addressesOrRanges(f)) != NULL)
869	return aors;	931	return aors;
		932
870	if ((aors = sk_IPAddressOrRange_new_null()) == NULL)	933	if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
871	return NULL;	934	return NULL;
		935
872	switch (afi) {	936	switch (afi) {
873	case IANA_AFI_IPV4:	937	case IANA_AFI_IPV4:
874	sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);	938	sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
@@ -877,8 +941,10 @@ make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
877	sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);	941	sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
878	break;	942	break;
879	}	943	}
		944
880	f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;	945	f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
881	f->ipAddressChoice->u.addressesOrRanges = aors;	946	f->ipAddressChoice->u.addressesOrRanges = aors;
		947
882	return aors;	948	return aors;
883	}	949	}
884		950
@@ -1011,7 +1077,10 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
1011	*/	1077	*/
1012	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {	1078	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1013	IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);	1079	IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1014	int length = length_from_afi(X509v3_addr_get_afi(f));	1080	int length;
		1081
		1082	if (!IPAddressFamily_afi_length(f, &length))
		1083	return 0;
1015		1084
1016	/*	1085	/*
1017	* Inheritance is canonical. Anything other than inheritance	1086	* Inheritance is canonical. Anything other than inheritance