From de3601f2e1e6ee4ff034d168947992efb01a83b0 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 12 May 2022 19:56:43 +0000
Subject: Rewrite and fix X509v3_asid_subset()

X509v3_asid_subset() assumes that both asnum and rdi are present while
they are both marked OPTIONAL in RFC 3779, 3.2.3. It will crash if
either one is missing. In RPKI land RDI is a MUST NOT use (e.g, RFC
6487, 4.8.11), so this API is currently useless (and seemingly unused).

Pick apart an ugly logical pipeline and implement this check in a
readable fashion.

ok jsing
---
 src/lib/libcrypto/x509/x509_asid.c | 42 +++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 12 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index 514b88bc0e..5967e26d4d 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_asid.c,v 1.32 2022/04/21 05:06:07 tb Exp $ */
+/*	$OpenBSD: x509_asid.c,v 1.33 2022/05/12 19:56:43 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -944,20 +944,38 @@ asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
 }
 
 /*
- * Test whether a is a subset of b.
+ * Test whether child is a subset of parent.
  */
 int
-X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
+X509v3_asid_subset(ASIdentifiers *child, ASIdentifiers *parent)
 {
-	return (a == NULL ||
-	    a == b ||
-	    (b != NULL &&
-	     !X509v3_asid_inherits(a) &&
-	     !X509v3_asid_inherits(b) &&
-	     asid_contains(b->asnum->u.asIdsOrRanges,
-	     a->asnum->u.asIdsOrRanges) &&
-	     asid_contains(b->rdi->u.asIdsOrRanges,
-	     a->rdi->u.asIdsOrRanges)));
+	if (child == NULL || child == parent)
+		return 1;
+	if (parent == NULL)
+		return 0;
+
+	if (X509v3_asid_inherits(child) || X509v3_asid_inherits(parent))
+		return 0;
+
+	if (child->asnum != NULL) {
+		if (parent->asnum == NULL)
+			return 0;
+
+		if (!asid_contains(parent->asnum->u.asIdsOrRanges,
+		    child->asnum->u.asIdsOrRanges))
+			return 0;
+	}
+
+	if (child->rdi != NULL) {
+		if (parent->rdi == NULL)
+			return 0;
+
+		if (!asid_contains(parent->rdi->u.asIdsOrRanges,
+		    child->rdi->u.asIdsOrRanges))
+			return 0;
+	}
+
+	return 1;
 }
 
 /*
-- 
cgit v1.2.3-55-g6feb