summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_addr.c162
-rw-r--r--src/lib/libcrypto/x509/x509_asid.c170
2 files changed, 167 insertions, 165 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 110b5b63f8..1530c3174c 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -623,7 +623,7 @@ make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
623 *result = aor; 623 *result = aor;
624 return 1; 624 return 1;
625 625
626err: 626 err:
627 IPAddressOrRange_free(aor); 627 IPAddressOrRange_free(aor);
628 return 0; 628 return 0;
629} 629}
@@ -686,7 +686,7 @@ make_addressRange(IPAddressOrRange **result, unsigned char *min,
686 *result = aor; 686 *result = aor;
687 return 1; 687 return 1;
688 688
689err: 689 err:
690 IPAddressOrRange_free(aor); 690 IPAddressOrRange_free(aor);
691 return 0; 691 return 0;
692} 692}
@@ -734,7 +734,7 @@ make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
734 734
735 return f; 735 return f;
736 736
737err: 737 err:
738 IPAddressFamily_free(f); 738 IPAddressFamily_free(f);
739 return NULL; 739 return NULL;
740} 740}
@@ -906,15 +906,15 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
906 IPAddressOrRanges *aors; 906 IPAddressOrRanges *aors;
907 int i, j, k; 907 int i, j, k;
908 908
909 /* 909 /*
910 * Empty extension is canonical. 910 * Empty extension is canonical.
911 */ 911 */
912 if (addr == NULL) 912 if (addr == NULL)
913 return 1; 913 return 1;
914 914
915 /* 915 /*
916 * Check whether the top-level list is in order. 916 * Check whether the top-level list is in order.
917 */ 917 */
918 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 918 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
919 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 919 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
920 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 920 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
@@ -922,17 +922,18 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
922 return 0; 922 return 0;
923 } 923 }
924 924
925 /* 925 /*
926 * Top level's ok, now check each address family. 926 * Top level's ok, now check each address family.
927 */ 927 */
928 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 928 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
929 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 929 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
930 int length = length_from_afi(X509v3_addr_get_afi(f)); 930 int length = length_from_afi(X509v3_addr_get_afi(f));
931 931
932 /* 932 /*
933 * Inheritance is canonical. Anything other than inheritance or 933 * Inheritance is canonical. Anything other than inheritance
934 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. 934 * or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or
935 */ 935 * something.
936 */
936 if (f == NULL || f->ipAddressChoice == NULL) 937 if (f == NULL || f->ipAddressChoice == NULL)
937 return 0; 938 return 0;
938 switch (f->ipAddressChoice->type) { 939 switch (f->ipAddressChoice->type) {
@@ -944,9 +945,9 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
944 return 0; 945 return 0;
945 } 946 }
946 947
947 /* 948 /*
948 * It's an IPAddressOrRanges sequence, check it. 949 * It's an IPAddressOrRanges sequence, check it.
949 */ 950 */
950 aors = f->ipAddressChoice->u.addressesOrRanges; 951 aors = f->ipAddressChoice->u.addressesOrRanges;
951 if (sk_IPAddressOrRange_num(aors) == 0) 952 if (sk_IPAddressOrRange_num(aors) == 0)
952 return 0; 953 return 0;
@@ -959,35 +960,36 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
959 !extract_min_max(b, b_min, b_max, length)) 960 !extract_min_max(b, b_min, b_max, length))
960 return 0; 961 return 0;
961 962
962 /* 963 /*
963 * Punt misordered list, overlapping start, or inverted range. 964 * Punt misordered list, overlapping start, or inverted
964 */ 965 * range.
966 */
965 if (memcmp(a_min, b_min, length) >= 0 || 967 if (memcmp(a_min, b_min, length) >= 0 ||
966 memcmp(a_min, a_max, length) > 0 || 968 memcmp(a_min, a_max, length) > 0 ||
967 memcmp(b_min, b_max, length) > 0) 969 memcmp(b_min, b_max, length) > 0)
968 return 0; 970 return 0;
969 971
970 /* 972 /*
971 * Punt if adjacent or overlapping. Check for adjacency by 973 * Punt if adjacent or overlapping. Check for adjacency by
972 * subtracting one from b_min first. 974 * subtracting one from b_min first.
973 */ 975 */
974 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) 976 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
975 ; 977 ;
976 if (memcmp(a_max, b_min, length) >= 0) 978 if (memcmp(a_max, b_min, length) >= 0)
977 return 0; 979 return 0;
978 980
979 /* 981 /*
980 * Check for range that should be expressed as a prefix. 982 * Check for range that should be expressed as a prefix.
981 */ 983 */
982 if (a->type == IPAddressOrRange_addressRange && 984 if (a->type == IPAddressOrRange_addressRange &&
983 range_should_be_prefix(a_min, a_max, length) >= 0) 985 range_should_be_prefix(a_min, a_max, length) >= 0)
984 return 0; 986 return 0;
985 } 987 }
986 988
987 /* 989 /*
988 * Check range to see if it's inverted or should be a 990 * Check range to see if it's inverted or should be a
989 * prefix. 991 * prefix.
990 */ 992 */
991 j = sk_IPAddressOrRange_num(aors) - 1; 993 j = sk_IPAddressOrRange_num(aors) - 1;
992 { 994 {
993 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 995 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
@@ -1003,9 +1005,9 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
1003 } 1005 }
1004 } 1006 }
1005 1007
1006 /* 1008 /*
1007 * If we made it through all that, we're happy. 1009 * If we made it through all that, we're happy.
1008 */ 1010 */
1009 return 1; 1011 return 1;
1010} 1012}
1011 1013
@@ -1017,14 +1019,14 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
1017{ 1019{
1018 int i, j, length = length_from_afi(afi); 1020 int i, j, length = length_from_afi(afi);
1019 1021
1020 /* 1022 /*
1021 * Sort the IPAddressOrRanges sequence. 1023 * Sort the IPAddressOrRanges sequence.
1022 */ 1024 */
1023 sk_IPAddressOrRange_sort(aors); 1025 sk_IPAddressOrRange_sort(aors);
1024 1026
1025 /* 1027 /*
1026 * Clean up representation issues, punt on duplicates or overlaps. 1028 * Clean up representation issues, punt on duplicates or overlaps.
1027 */ 1029 */
1028 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 1030 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
1029 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 1031 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
1030 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 1032 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
@@ -1035,23 +1037,23 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
1035 !extract_min_max(b, b_min, b_max, length)) 1037 !extract_min_max(b, b_min, b_max, length))
1036 return 0; 1038 return 0;
1037 1039
1038 /* 1040 /*
1039 * Punt inverted ranges. 1041 * Punt inverted ranges.
1040 */ 1042 */
1041 if (memcmp(a_min, a_max, length) > 0 || 1043 if (memcmp(a_min, a_max, length) > 0 ||
1042 memcmp(b_min, b_max, length) > 0) 1044 memcmp(b_min, b_max, length) > 0)
1043 return 0; 1045 return 0;
1044 1046
1045 /* 1047 /*
1046 * Punt overlaps. 1048 * Punt overlaps.
1047 */ 1049 */
1048 if (memcmp(a_max, b_min, length) >= 0) 1050 if (memcmp(a_max, b_min, length) >= 0)
1049 return 0; 1051 return 0;
1050 1052
1051 /* 1053 /*
1052 * Merge if a and b are adjacent. We check for 1054 * Merge if a and b are adjacent. We check for
1053 * adjacency by subtracting one from b_min first. 1055 * adjacency by subtracting one from b_min first.
1054 */ 1056 */
1055 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) 1057 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
1056 ; 1058 ;
1057 if (memcmp(a_max, b_min, length) == 0) { 1059 if (memcmp(a_max, b_min, length) == 0) {
@@ -1067,9 +1069,9 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
1067 } 1069 }
1068 } 1070 }
1069 1071
1070 /* 1072 /*
1071 * Check for inverted final range. 1073 * Check for inverted final range.
1072 */ 1074 */
1073 j = sk_IPAddressOrRange_num(aors) - 1; 1075 j = sk_IPAddressOrRange_num(aors) - 1;
1074 { 1076 {
1075 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 1077 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
@@ -1159,10 +1161,10 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
1159 1161
1160 length = length_from_afi(afi); 1162 length = length_from_afi(afi);
1161 1163
1162 /* 1164 /*
1163 * Handle SAFI, if any, and strdup() so we can null-terminate 1165 * Handle SAFI, if any, and strdup() so we can null-terminate
1164 * the other input values. 1166 * the other input values.
1165 */ 1167 */
1166 if (safi != NULL) { 1168 if (safi != NULL) {
1167 *safi = strtoul(val->value, &t, 0); 1169 *safi = strtoul(val->value, &t, 0);
1168 t += strspn(t, " \t"); 1170 t += strspn(t, " \t");
@@ -1181,10 +1183,10 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
1181 goto err; 1183 goto err;
1182 } 1184 }
1183 1185
1184 /* 1186 /*
1185 * Check for inheritance. Not worth additional complexity to 1187 * Check for inheritance. Not worth additional complexity to
1186 * optimize this (seldom-used) case. 1188 * optimize this (seldom-used) case.
1187 */ 1189 */
1188 if (strcmp(s, "inherit") == 0) { 1190 if (strcmp(s, "inherit") == 0) {
1189 if (!X509v3_addr_add_inherit(addr, afi, safi)) { 1191 if (!X509v3_addr_add_inherit(addr, afi, safi)) {
1190 X509V3error(X509V3_R_INVALID_INHERITANCE); 1192 X509V3error(X509V3_R_INVALID_INHERITANCE);
@@ -1261,14 +1263,14 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
1261 s = NULL; 1263 s = NULL;
1262 } 1264 }
1263 1265
1264 /* 1266 /*
1265 * Canonize the result, then we're done. 1267 * Canonize the result, then we're done.
1266 */ 1268 */
1267 if (!X509v3_addr_canonize(addr)) 1269 if (!X509v3_addr_canonize(addr))
1268 goto err; 1270 goto err;
1269 return addr; 1271 return addr;
1270 1272
1271err: 1273 err:
1272 free(s); 1274 free(s);
1273 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1275 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1274 return NULL; 1276 return NULL;
@@ -1409,11 +1411,11 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
1409 OPENSSL_assert(ctx != NULL || ext != NULL); 1411 OPENSSL_assert(ctx != NULL || ext != NULL);
1410 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1412 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1411 1413
1412 /* 1414 /*
1413 * Figure out where to start. If we don't have an extension to 1415 * Figure out where to start. If we don't have an extension to check,
1414 * check, we're done. Otherwise, check canonical form and 1416 * we're done. Otherwise, check canonical form and set up for walking
1415 * set up for walking up the chain. 1417 * up the chain.
1416 */ 1418 */
1417 if (ext != NULL) { 1419 if (ext != NULL) {
1418 i = -1; 1420 i = -1;
1419 x = NULL; 1421 x = NULL;
@@ -1434,10 +1436,10 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
1434 goto done; 1436 goto done;
1435 } 1437 }
1436 1438
1437 /* 1439 /*
1438 * Now walk up the chain. No cert may list resources that its 1440 * Now walk up the chain. No cert may list resources that its parent
1439 * parent doesn't list. 1441 * doesn't list.
1440 */ 1442 */
1441 for (i++; i < sk_X509_num(chain); i++) { 1443 for (i++; i < sk_X509_num(chain); i++) {
1442 x = sk_X509_value(chain, i); 1444 x = sk_X509_value(chain, i);
1443 if (!X509v3_addr_is_canonical(x->rfc3779_addr)) 1445 if (!X509v3_addr_is_canonical(x->rfc3779_addr))
@@ -1483,9 +1485,9 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
1483 } 1485 }
1484 } 1486 }
1485 1487
1486 /* 1488 /*
1487 * Trust anchor can't inherit. 1489 * Trust anchor can't inherit.
1488 */ 1490 */
1489 if (x->rfc3779_addr != NULL) { 1491 if (x->rfc3779_addr != NULL) {
1490 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1492 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1491 IPAddressFamily *fp = 1493 IPAddressFamily *fp =
@@ -1497,7 +1499,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
1497 } 1499 }
1498 } 1500 }
1499 1501
1500done: 1502 done:
1501 sk_IPAddressFamily_free(child); 1503 sk_IPAddressFamily_free(child);
1502 return ret; 1504 return ret;
1503} 1505}
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index b44b01489f..ed99ca7b6d 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -414,7 +414,7 @@ X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
414 goto err; 414 goto err;
415 return 1; 415 return 1;
416 416
417err: 417 err:
418 ASIdOrRange_free(aor); 418 ASIdOrRange_free(aor);
419 return 0; 419 return 0;
420} 420}
@@ -452,22 +452,22 @@ ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
452 BIGNUM *bn = NULL; 452 BIGNUM *bn = NULL;
453 int i, ret = 0; 453 int i, ret = 0;
454 454
455 /* 455 /*
456 * Empty element or inheritance is canonical. 456 * Empty element or inheritance is canonical.
457 */ 457 */
458 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) 458 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
459 return 1; 459 return 1;
460 460
461 /* 461 /*
462 * If not a list, or if empty list, it's broken. 462 * If not a list, or if empty list, it's broken.
463 */ 463 */
464 if (choice->type != ASIdentifierChoice_asIdsOrRanges || 464 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
465 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) 465 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
466 return 0; 466 return 0;
467 467
468 /* 468 /*
469 * It's a list, check it. 469 * It's a list, check it.
470 */ 470 */
471 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { 471 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
472 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, 472 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
473 i); 473 i);
@@ -483,17 +483,17 @@ ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
483 !extract_min_max(b, &b_min, &b_max)) 483 !extract_min_max(b, &b_min, &b_max))
484 goto done; 484 goto done;
485 485
486 /* 486 /*
487 * Punt misordered list, overlapping start, or inverted range. 487 * Punt misordered list, overlapping start, or inverted range.
488 */ 488 */
489 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 || 489 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
490 ASN1_INTEGER_cmp(a_min, a_max) > 0 || 490 ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
491 ASN1_INTEGER_cmp(b_min, b_max) > 0) 491 ASN1_INTEGER_cmp(b_min, b_max) > 0)
492 goto done; 492 goto done;
493 493
494 /* 494 /*
495 * Calculate a_max + 1 to check for adjacency. 495 * Calculate a_max + 1 to check for adjacency.
496 */ 496 */
497 if ((bn == NULL && (bn = BN_new()) == NULL) || 497 if ((bn == NULL && (bn = BN_new()) == NULL) ||
498 ASN1_INTEGER_to_BN(a_max, bn) == NULL || 498 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
499 !BN_add_word(bn, 1)) { 499 !BN_add_word(bn, 1)) {
@@ -508,16 +508,16 @@ ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
508 goto done; 508 goto done;
509 } 509 }
510 510
511 /* 511 /*
512 * Punt if adjacent or overlapping. 512 * Punt if adjacent or overlapping.
513 */ 513 */
514 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0) 514 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
515 goto done; 515 goto done;
516 } 516 }
517 517
518 /* 518 /*
519 * Check for inverted range. 519 * Check for inverted range.
520 */ 520 */
521 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; 521 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
522 { 522 {
523 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, 523 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
@@ -532,7 +532,7 @@ ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
532 532
533 ret = 1; 533 ret = 1;
534 534
535done: 535 done:
536 ASN1_INTEGER_free(a_max_plus_one); 536 ASN1_INTEGER_free(a_max_plus_one);
537 BN_free(bn); 537 BN_free(bn);
538 return ret; 538 return ret;
@@ -560,30 +560,30 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
560 BIGNUM *bn = NULL; 560 BIGNUM *bn = NULL;
561 int i, ret = 0; 561 int i, ret = 0;
562 562
563 /* 563 /*
564 * Nothing to do for empty element or inheritance. 564 * Nothing to do for empty element or inheritance.
565 */ 565 */
566 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) 566 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
567 return 1; 567 return 1;
568 568
569 /* 569 /*
570 * If not a list, or if empty list, it's broken. 570 * If not a list, or if empty list, it's broken.
571 */ 571 */
572 if (choice->type != ASIdentifierChoice_asIdsOrRanges || 572 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
573 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) { 573 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
574 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 574 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
575 return 0; 575 return 0;
576 } 576 }
577 577
578 /* 578 /*
579 * We have a non-empty list. Sort it. 579 * We have a non-empty list. Sort it.
580 */ 580 */
581 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); 581 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
582 582
583 /* 583 /*
584 * Now check for errors and suboptimal encoding, rejecting the 584 * Now check for errors and suboptimal encoding, rejecting the
585 * former and fixing the latter. 585 * former and fixing the latter.
586 */ 586 */
587 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { 587 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
588 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, 588 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
589 i); 589 i);
@@ -599,29 +599,29 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
599 !extract_min_max(b, &b_min, &b_max)) 599 !extract_min_max(b, &b_min, &b_max))
600 goto done; 600 goto done;
601 601
602 /* 602 /*
603 * Make sure we're properly sorted (paranoia). 603 * Make sure we're properly sorted (paranoia).
604 */ 604 */
605 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); 605 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
606 606
607 /* 607 /*
608 * Punt inverted ranges. 608 * Punt inverted ranges.
609 */ 609 */
610 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 || 610 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
611 ASN1_INTEGER_cmp(b_min, b_max) > 0) 611 ASN1_INTEGER_cmp(b_min, b_max) > 0)
612 goto done; 612 goto done;
613 613
614 /* 614 /*
615 * Check for overlaps. 615 * Check for overlaps.
616 */ 616 */
617 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { 617 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
618 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 618 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
619 goto done; 619 goto done;
620 } 620 }
621 621
622 /* 622 /*
623 * Calculate a_max + 1 to check for adjacency. 623 * Calculate a_max + 1 to check for adjacency.
624 */ 624 */
625 if ((bn == NULL && (bn = BN_new()) == NULL) || 625 if ((bn == NULL && (bn = BN_new()) == NULL) ||
626 ASN1_INTEGER_to_BN(a_max, bn) == NULL || 626 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
627 !BN_add_word(bn, 1)) { 627 !BN_add_word(bn, 1)) {
@@ -636,9 +636,9 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
636 goto done; 636 goto done;
637 } 637 }
638 638
639 /* 639 /*
640 * If a and b are adjacent, merge them. 640 * If a and b are adjacent, merge them.
641 */ 641 */
642 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { 642 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
643 ASRange *r; 643 ASRange *r;
644 switch (a->type) { 644 switch (a->type) {
@@ -673,9 +673,9 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
673 } 673 }
674 } 674 }
675 675
676 /* 676 /*
677 * Check for final inverted range. 677 * Check for final inverted range.
678 */ 678 */
679 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; 679 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
680 { 680 {
681 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, 681 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges,
@@ -688,12 +688,12 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
688 } 688 }
689 } 689 }
690 690
691 /* Paranoia */ 691 /* Paranoia */
692 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); 692 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
693 693
694 ret = 1; 694 ret = 1;
695 695
696done: 696 done:
697 ASN1_INTEGER_free(a_max_plus_one); 697 ASN1_INTEGER_free(a_max_plus_one);
698 BN_free(bn); 698 BN_free(bn);
699 return ret; 699 return ret;
@@ -730,9 +730,9 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
730 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 730 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
731 int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0; 731 int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0;
732 732
733 /* 733 /*
734 * Figure out whether this is an AS or an RDI. 734 * Figure out whether this is an AS or an RDI.
735 */ 735 */
736 if (!name_cmp(val->name, "AS")) { 736 if (!name_cmp(val->name, "AS")) {
737 which = V3_ASID_ASNUM; 737 which = V3_ASID_ASNUM;
738 } else if (!name_cmp(val->name, "RDI")) { 738 } else if (!name_cmp(val->name, "RDI")) {
@@ -743,9 +743,9 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
743 goto err; 743 goto err;
744 } 744 }
745 745
746 /* 746 /*
747 * Handle inheritance. 747 * Handle inheritance.
748 */ 748 */
749 if (strcmp(val->value, "inherit") == 0) { 749 if (strcmp(val->value, "inherit") == 0) {
750 if (X509v3_asid_add_inherit(asid, which)) 750 if (X509v3_asid_add_inherit(asid, which))
751 continue; 751 continue;
@@ -754,9 +754,9 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
754 goto err; 754 goto err;
755 } 755 }
756 756
757 /* 757 /*
758 * Number, range, or mistake, pick it apart and figure out which. 758 * Number, range, or mistake, pick it apart and figure out which
759 */ 759 */
760 i1 = strspn(val->value, "0123456789"); 760 i1 = strspn(val->value, "0123456789");
761 if (val->value[i1] == '\0') { 761 if (val->value[i1] == '\0') {
762 is_range = 0; 762 is_range = 0;
@@ -778,9 +778,9 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
778 } 778 }
779 } 779 }
780 780
781 /* 781 /*
782 * Syntax is ok, read and add it. 782 * Syntax is ok, read and add it.
783 */ 783 */
784 if (!is_range) { 784 if (!is_range) {
785 if (!X509V3_get_value_int(val, &min)) { 785 if (!X509V3_get_value_int(val, &min)) {
786 X509V3error(ERR_R_MALLOC_FAILURE); 786 X509V3error(ERR_R_MALLOC_FAILURE);
@@ -812,14 +812,14 @@ v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
812 min = max = NULL; 812 min = max = NULL;
813 } 813 }
814 814
815 /* 815 /*
816 * Canonize the result, then we're done. 816 * Canonize the result, then we're done.
817 */ 817 */
818 if (!X509v3_asid_canonize(asid)) 818 if (!X509v3_asid_canonize(asid))
819 goto err; 819 goto err;
820 return asid; 820 return asid;
821 821
822err: 822 err:
823 ASIdentifiers_free(asid); 823 ASIdentifiers_free(asid);
824 ASN1_INTEGER_free(min); 824 ASN1_INTEGER_free(min);
825 ASN1_INTEGER_free(max); 825 ASN1_INTEGER_free(max);
@@ -941,11 +941,11 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
941 OPENSSL_assert(ctx != NULL || ext != NULL); 941 OPENSSL_assert(ctx != NULL || ext != NULL);
942 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 942 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
943 943
944 /* 944 /*
945 * Figure out where to start. If we don't have an extension to 945 * Figure out where to start. If we don't have an extension to
946 * check, we're done. Otherwise, check canonical form and 946 * check, we're done. Otherwise, check canonical form and
947 * set up for walking up the chain. 947 * set up for walking up the chain.
948 */ 948 */
949 if (ext != NULL) { 949 if (ext != NULL) {
950 i = -1; 950 i = -1;
951 x = NULL; 951 x = NULL;
@@ -978,10 +978,10 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
978 } 978 }
979 } 979 }
980 980
981 /* 981 /*
982 * Now walk up the chain. Extensions must be in canonical form, no 982 * Now walk up the chain. Extensions must be in canonical form, no
983 * cert may list resources that its parent doesn't list. 983 * cert may list resources that its parent doesn't list.
984 */ 984 */
985 for (i++; i < sk_X509_num(chain); i++) { 985 for (i++; i < sk_X509_num(chain); i++) {
986 x = sk_X509_value(chain, i); 986 x = sk_X509_value(chain, i);
987 OPENSSL_assert(x != NULL); 987 OPENSSL_assert(x != NULL);
@@ -1028,9 +1028,9 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
1028 } 1028 }
1029 } 1029 }
1030 1030
1031 /* 1031 /*
1032 * Trust anchor can't inherit. 1032 * Trust anchor can't inherit.
1033 */ 1033 */
1034 OPENSSL_assert(x != NULL); 1034 OPENSSL_assert(x != NULL);
1035 1035
1036 if (x->rfc3779_asid != NULL) { 1036 if (x->rfc3779_asid != NULL) {
@@ -1042,7 +1042,7 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
1042 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1042 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1043 } 1043 }
1044 1044
1045done: 1045 done:
1046 return ret; 1046 return ret;
1047} 1047}
1048 1048
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-19 23:27:25 +0000