OLD | NEW |
1 /* | 1 /* |
2 * Contributed to the OpenSSL Project by the American Registry for | 2 * Contributed to the OpenSSL Project by the American Registry for |
3 * Internet Numbers ("ARIN"). | 3 * Internet Numbers ("ARIN"). |
4 */ | 4 */ |
5 /* ==================================================================== | 5 /* ==================================================================== |
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. | 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. |
7 * | 7 * |
8 * Redistribution and use in source and binary forms, with or without | 8 * Redistribution and use in source and binary forms, with or without |
9 * modification, are permitted provided that the following conditions | 9 * modification, are permitted provided that the following conditions |
10 * are met: | 10 * are met: |
(...skipping 43 matching lines...)
54 * (eay@cryptsoft.com). This product includes software written by Tim | 54 * (eay@cryptsoft.com). This product includes software written by Tim |
55 * Hudson (tjh@cryptsoft.com). | 55 * Hudson (tjh@cryptsoft.com). |
56 */ | 56 */ |
57 | 57 |
58 /* | 58 /* |
59 * Implementation of RFC 3779 section 3.2. | 59 * Implementation of RFC 3779 section 3.2. |
60 */ | 60 */ |
61 | 61 |
62 #include <stdio.h> | 62 #include <stdio.h> |
63 #include <string.h> | 63 #include <string.h> |
64 #include <assert.h> | |
65 #include "cryptlib.h" | 64 #include "cryptlib.h" |
66 #include <openssl/conf.h> | 65 #include <openssl/conf.h> |
67 #include <openssl/asn1.h> | 66 #include <openssl/asn1.h> |
68 #include <openssl/asn1t.h> | 67 #include <openssl/asn1t.h> |
69 #include <openssl/x509v3.h> | 68 #include <openssl/x509v3.h> |
70 #include <openssl/x509.h> | 69 #include <openssl/x509.h> |
71 #include <openssl/bn.h> | 70 #include <openssl/bn.h> |
72 | 71 |
73 #ifndef OPENSSL_NO_RFC3779 | 72 #ifndef OPENSSL_NO_RFC3779 |
74 | 73 |
(...skipping 70 matching lines...)
145 break; | 144 break; |
146 default: | 145 default: |
147 return 0; | 146 return 0; |
148 } | 147 } |
149 return 1; | 148 return 1; |
150 } | 149 } |
151 | 150 |
152 /* | 151 /* |
153 * i2r method for an ASIdentifier extension. | 152 * i2r method for an ASIdentifier extension. |
154 */ | 153 */ |
155 static int i2r_ASIdentifiers(X509V3_EXT_METHOD *method, | 154 static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, |
156 void *ext, | 155 void *ext, |
157 BIO *out, | 156 BIO *out, |
158 int indent) | 157 int indent) |
159 { | 158 { |
160 ASIdentifiers *asid = ext; | 159 ASIdentifiers *asid = ext; |
161 return (i2r_ASIdentifierChoice(out, asid->asnum, indent, | 160 return (i2r_ASIdentifierChoice(out, asid->asnum, indent, |
162 "Autonomous System Numbers") && | 161 "Autonomous System Numbers") && |
163 i2r_ASIdentifierChoice(out, asid->rdi, indent, | 162 i2r_ASIdentifierChoice(out, asid->rdi, indent, |
164 "Routing Domain Identifiers")); | 163 "Routing Domain Identifiers")); |
165 } | 164 } |
166 | 165 |
167 /* | 166 /* |
168 * Sort comparision function for a sequence of ASIdOrRange elements. | 167 * Sort comparision function for a sequence of ASIdOrRange elements. |
169 */ | 168 */ |
170 static int ASIdOrRange_cmp(const ASIdOrRange * const *a_, | 169 static int ASIdOrRange_cmp(const ASIdOrRange * const *a_, |
171 const ASIdOrRange * const *b_) | 170 const ASIdOrRange * const *b_) |
172 { | 171 { |
173 const ASIdOrRange *a = *a_, *b = *b_; | 172 const ASIdOrRange *a = *a_, *b = *b_; |
174 | 173 |
175 assert((a->type == ASIdOrRange_id && a->u.id != NULL) || | 174 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) || |
176 (a->type == ASIdOrRange_range && a->u.range != NULL && | 175 (a->type == ASIdOrRange_range && a->u.range != NULL && |
177 a->u.range->min != NULL && a->u.range->max != NULL)); | 176 a->u.range->min != NULL && a->u.range->max != NULL)); |
178 | 177 |
179 assert((b->type == ASIdOrRange_id && b->u.id != NULL) || | 178 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) || |
180 (b->type == ASIdOrRange_range && b->u.range != NULL && | 179 (b->type == ASIdOrRange_range && b->u.range != NULL && |
181 b->u.range->min != NULL && b->u.range->max != NULL)); | 180 b->u.range->min != NULL && b->u.range->max != NULL)); |
182 | 181 |
183 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) | 182 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) |
184 return ASN1_INTEGER_cmp(a->u.id, b->u.id); | 183 return ASN1_INTEGER_cmp(a->u.id, b->u.id); |
185 | 184 |
186 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { | 185 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { |
187 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); | 186 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); |
188 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max); | 187 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max); |
189 } | 188 } |
(...skipping 18 matching lines...)
208 break; | 207 break; |
209 case V3_ASID_RDI: | 208 case V3_ASID_RDI: |
210 choice = &asid->rdi; | 209 choice = &asid->rdi; |
211 break; | 210 break; |
212 default: | 211 default: |
213 return 0; | 212 return 0; |
214 } | 213 } |
215 if (*choice == NULL) { | 214 if (*choice == NULL) { |
216 if ((*choice = ASIdentifierChoice_new()) == NULL) | 215 if ((*choice = ASIdentifierChoice_new()) == NULL) |
217 return 0; | 216 return 0; |
218 assert((*choice)->u.inherit == NULL); | 217 OPENSSL_assert((*choice)->u.inherit == NULL); |
219 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) | 218 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) |
220 return 0; | 219 return 0; |
221 (*choice)->type = ASIdentifierChoice_inherit; | 220 (*choice)->type = ASIdentifierChoice_inherit; |
222 } | 221 } |
223 return (*choice)->type == ASIdentifierChoice_inherit; | 222 return (*choice)->type == ASIdentifierChoice_inherit; |
224 } | 223 } |
225 | 224 |
226 /* | 225 /* |
227 * Add an ID or range to an ASIdentifierChoice. | 226 * Add an ID or range to an ASIdentifierChoice. |
228 */ | 227 */ |
(...skipping 14 matching lines...)
243 choice = &asid->rdi; | 242 choice = &asid->rdi; |
244 break; | 243 break; |
245 default: | 244 default: |
246 return 0; | 245 return 0; |
247 } | 246 } |
248 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) | 247 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) |
249 return 0; | 248 return 0; |
250 if (*choice == NULL) { | 249 if (*choice == NULL) { |
251 if ((*choice = ASIdentifierChoice_new()) == NULL) | 250 if ((*choice = ASIdentifierChoice_new()) == NULL) |
252 return 0; | 251 return 0; |
253 assert((*choice)->u.asIdsOrRanges == NULL); | 252 OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL); |
254 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); | 253 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); |
255 if ((*choice)->u.asIdsOrRanges == NULL) | 254 if ((*choice)->u.asIdsOrRanges == NULL) |
256 return 0; | 255 return 0; |
257 (*choice)->type = ASIdentifierChoice_asIdsOrRanges; | 256 (*choice)->type = ASIdentifierChoice_asIdsOrRanges; |
258 } | 257 } |
259 if ((aor = ASIdOrRange_new()) == NULL) | 258 if ((aor = ASIdOrRange_new()) == NULL) |
260 return 0; | 259 return 0; |
261 if (max == NULL) { | 260 if (max == NULL) { |
262 aor->type = ASIdOrRange_id; | 261 aor->type = ASIdOrRange_id; |
263 aor->u.id = min; | 262 aor->u.id = min; |
(...skipping 15 matching lines...)
279 return 0; | 278 return 0; |
280 } | 279 } |
281 | 280 |
282 /* | 281 /* |
283 * Extract min and max values from an ASIdOrRange. | 282 * Extract min and max values from an ASIdOrRange. |
284 */ | 283 */ |
285 static void extract_min_max(ASIdOrRange *aor, | 284 static void extract_min_max(ASIdOrRange *aor, |
286 ASN1_INTEGER **min, | 285 ASN1_INTEGER **min, |
287 ASN1_INTEGER **max) | 286 ASN1_INTEGER **max) |
288 { | 287 { |
289 assert(aor != NULL && min != NULL && max != NULL); | 288 OPENSSL_assert(aor != NULL && min != NULL && max != NULL); |
290 switch (aor->type) { | 289 switch (aor->type) { |
291 case ASIdOrRange_id: | 290 case ASIdOrRange_id: |
292 *min = aor->u.id; | 291 *min = aor->u.id; |
293 *max = aor->u.id; | 292 *max = aor->u.id; |
294 return; | 293 return; |
295 case ASIdOrRange_range: | 294 case ASIdOrRange_range: |
296 *min = aor->u.range->min; | 295 *min = aor->u.range->min; |
297 *max = aor->u.range->max; | 296 *max = aor->u.range->max; |
298 return; | 297 return; |
299 } | 298 } |
(...skipping 66 matching lines...)
366 BN_free(bn); | 365 BN_free(bn); |
367 return ret; | 366 return ret; |
368 } | 367 } |
369 | 368 |
370 /* | 369 /* |
371 * Check whether an ASIdentifier extension is in canonical form. | 370 * Check whether an ASIdentifier extension is in canonical form. |
372 */ | 371 */ |
373 int v3_asid_is_canonical(ASIdentifiers *asid) | 372 int v3_asid_is_canonical(ASIdentifiers *asid) |
374 { | 373 { |
375 return (asid == NULL || | 374 return (asid == NULL || |
376 » (ASIdentifierChoice_is_canonical(asid->asnum) || | 375 » (ASIdentifierChoice_is_canonical(asid->asnum) && |
377 ASIdentifierChoice_is_canonical(asid->rdi))); | 376 ASIdentifierChoice_is_canonical(asid->rdi))); |
378 } | 377 } |
379 | 378 |
380 /* | 379 /* |
381 * Whack an ASIdentifierChoice into canonical form. | 380 * Whack an ASIdentifierChoice into canonical form. |
382 */ | 381 */ |
383 static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) | 382 static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) |
384 { | 383 { |
385 ASN1_INTEGER *a_max_plus_one = NULL; | 384 ASN1_INTEGER *a_max_plus_one = NULL; |
386 BIGNUM *bn = NULL; | 385 BIGNUM *bn = NULL; |
387 int i, ret = 0; | 386 int i, ret = 0; |
388 | 387 |
389 /* | 388 /* |
390 * Nothing to do for empty element or inheritance. | 389 * Nothing to do for empty element or inheritance. |
391 */ | 390 */ |
392 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) | 391 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) |
393 return 1; | 392 return 1; |
394 | 393 |
395 /* | 394 /* |
396 * We have a list. Sort it. | 395 * We have a list. Sort it. |
397 */ | 396 */ |
398 assert(choice->type == ASIdentifierChoice_asIdsOrRanges); | 397 OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges); |
399 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); | 398 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); |
400 | 399 |
401 /* | 400 /* |
402 * Now check for errors and suboptimal encoding, rejecting the | 401 * Now check for errors and suboptimal encoding, rejecting the |
403 * former and fixing the latter. | 402 * former and fixing the latter. |
404 */ | 403 */ |
405 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { | 404 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { |
406 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); | 405 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); |
407 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); | 406 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); |
408 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; | 407 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; |
409 | 408 |
410 extract_min_max(a, &a_min, &a_max); | 409 extract_min_max(a, &a_min, &a_max); |
411 extract_min_max(b, &b_min, &b_max); | 410 extract_min_max(b, &b_min, &b_max); |
412 | 411 |
413 /* | 412 /* |
414 * Make sure we're properly sorted (paranoia). | 413 * Make sure we're properly sorted (paranoia). |
415 */ | 414 */ |
416 assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); | 415 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); |
417 | 416 |
418 /* | 417 /* |
419 * Check for overlaps. | 418 * Check for overlaps. |
420 */ | 419 */ |
421 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { | 420 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { |
422 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, | 421 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, |
423 X509V3_R_EXTENSION_VALUE_ERROR); | 422 X509V3_R_EXTENSION_VALUE_ERROR); |
424 goto done; | 423 goto done; |
425 } | 424 } |
426 | 425 |
(...skipping 32 matching lines...)
459 } | 458 } |
460 switch (b->type) { | 459 switch (b->type) { |
461 case ASIdOrRange_id: | 460 case ASIdOrRange_id: |
462 b->u.id = NULL; | 461 b->u.id = NULL; |
463 break; | 462 break; |
464 case ASIdOrRange_range: | 463 case ASIdOrRange_range: |
465 b->u.range->max = NULL; | 464 b->u.range->max = NULL; |
466 break; | 465 break; |
467 } | 466 } |
468 ASIdOrRange_free(b); | 467 ASIdOrRange_free(b); |
469 (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); | 468 sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); |
470 i--; | 469 i--; |
471 continue; | 470 continue; |
472 } | 471 } |
473 } | 472 } |
474 | 473 |
475 assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ | 474 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ |
476 | 475 |
477 ret = 1; | 476 ret = 1; |
478 | 477 |
479 done: | 478 done: |
480 ASN1_INTEGER_free(a_max_plus_one); | 479 ASN1_INTEGER_free(a_max_plus_one); |
481 BN_free(bn); | 480 BN_free(bn); |
482 return ret; | 481 return ret; |
483 } | 482 } |
484 | 483 |
485 /* | 484 /* |
486 * Whack an ASIdentifier extension into canonical form. | 485 * Whack an ASIdentifier extension into canonical form. |
487 */ | 486 */ |
488 int v3_asid_canonize(ASIdentifiers *asid) | 487 int v3_asid_canonize(ASIdentifiers *asid) |
489 { | 488 { |
490 return (asid == NULL || | 489 return (asid == NULL || |
491 (ASIdentifierChoice_canonize(asid->asnum) && | 490 (ASIdentifierChoice_canonize(asid->asnum) && |
492 ASIdentifierChoice_canonize(asid->rdi))); | 491 ASIdentifierChoice_canonize(asid->rdi))); |
493 } | 492 } |
494 | 493 |
495 /* | 494 /* |
496 * v2i method for an ASIdentifier extension. | 495 * v2i method for an ASIdentifier extension. |
497 */ | 496 */ |
498 static void *v2i_ASIdentifiers(struct v3_ext_method *method, | 497 static void *v2i_ASIdentifiers(const struct v3_ext_method *method, |
499 struct v3_ext_ctx *ctx, | 498 struct v3_ext_ctx *ctx, |
500 STACK_OF(CONF_VALUE) *values) | 499 STACK_OF(CONF_VALUE) *values) |
501 { | 500 { |
502 ASIdentifiers *asid = NULL; | 501 ASIdentifiers *asid = NULL; |
503 int i; | 502 int i; |
504 | 503 |
505 if ((asid = ASIdentifiers_new()) == NULL) { | 504 if ((asid = ASIdentifiers_new()) == NULL) { |
506 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); | 505 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); |
507 return NULL; | 506 return NULL; |
508 } | 507 } |
(...skipping 191 matching lines...)
700 | 699 |
701 /* | 700 /* |
702 * Core code for RFC 3779 3.3 path validation. | 701 * Core code for RFC 3779 3.3 path validation. |
703 */ | 702 */ |
704 static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx, | 703 static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx, |
705 STACK_OF(X509) *chain, | 704 STACK_OF(X509) *chain, |
706 ASIdentifiers *ext) | 705 ASIdentifiers *ext) |
707 { | 706 { |
708 ASIdOrRanges *child_as = NULL, *child_rdi = NULL; | 707 ASIdOrRanges *child_as = NULL, *child_rdi = NULL; |
709 int i, ret = 1, inherit_as = 0, inherit_rdi = 0; | 708 int i, ret = 1, inherit_as = 0, inherit_rdi = 0; |
710 X509 *x = NULL; | 709 X509 *x; |
711 | 710 |
712 assert(chain != NULL && sk_X509_num(chain) > 0); | 711 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); |
713 assert(ctx != NULL || ext != NULL); | 712 OPENSSL_assert(ctx != NULL || ext != NULL); |
714 assert(ctx == NULL || ctx->verify_cb != NULL); | 713 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); |
715 | 714 |
716 /* | 715 /* |
717 * Figure out where to start. If we don't have an extension to | 716 * Figure out where to start. If we don't have an extension to |
718 * check, we're done. Otherwise, check canonical form and | 717 * check, we're done. Otherwise, check canonical form and |
719 * set up for walking up the chain. | 718 * set up for walking up the chain. |
720 */ | 719 */ |
721 if (ext != NULL) { | 720 if (ext != NULL) { |
722 i = -1; | 721 i = -1; |
| 722 x = NULL; |
723 } else { | 723 } else { |
724 i = 0; | 724 i = 0; |
725 x = sk_X509_value(chain, i); | 725 x = sk_X509_value(chain, i); |
726 assert(x != NULL); | 726 OPENSSL_assert(x != NULL); |
727 if ((ext = x->rfc3779_asid) == NULL) | 727 if ((ext = x->rfc3779_asid) == NULL) |
728 goto done; | 728 goto done; |
729 } | 729 } |
730 if (!v3_asid_is_canonical(ext)) | 730 if (!v3_asid_is_canonical(ext)) |
731 validation_err(X509_V_ERR_INVALID_EXTENSION); | 731 validation_err(X509_V_ERR_INVALID_EXTENSION); |
732 if (ext->asnum != NULL) { | 732 if (ext->asnum != NULL) { |
733 switch (ext->asnum->type) { | 733 switch (ext->asnum->type) { |
734 case ASIdentifierChoice_inherit: | 734 case ASIdentifierChoice_inherit: |
735 inherit_as = 1; | 735 inherit_as = 1; |
736 break; | 736 break; |
(...skipping 12 matching lines...)
749 break; | 749 break; |
750 } | 750 } |
751 } | 751 } |
752 | 752 |
753 /* | 753 /* |
754 * Now walk up the chain. Extensions must be in canonical form, no | 754 * Now walk up the chain. Extensions must be in canonical form, no |
755 * cert may list resources that its parent doesn't list. | 755 * cert may list resources that its parent doesn't list. |
756 */ | 756 */ |
757 for (i++; i < sk_X509_num(chain); i++) { | 757 for (i++; i < sk_X509_num(chain); i++) { |
758 x = sk_X509_value(chain, i); | 758 x = sk_X509_value(chain, i); |
759 assert(x != NULL); | 759 OPENSSL_assert(x != NULL); |
760 if (x->rfc3779_asid == NULL) { | 760 if (x->rfc3779_asid == NULL) { |
761 if (child_as != NULL || child_rdi != NULL) | 761 if (child_as != NULL || child_rdi != NULL) |
762 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 762 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
763 continue; | 763 continue; |
764 } | 764 } |
765 if (!v3_asid_is_canonical(x->rfc3779_asid)) | 765 if (!v3_asid_is_canonical(x->rfc3779_asid)) |
766 validation_err(X509_V_ERR_INVALID_EXTENSION); | 766 validation_err(X509_V_ERR_INVALID_EXTENSION); |
767 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { | 767 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { |
768 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 768 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
769 child_as = NULL; | 769 child_as = NULL; |
(...skipping 22 matching lines...)
792 inherit_rdi = 0; | 792 inherit_rdi = 0; |
793 } else { | 793 } else { |
794 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 794 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
795 } | 795 } |
796 } | 796 } |
797 } | 797 } |
798 | 798 |
799 /* | 799 /* |
800 * Trust anchor can't inherit. | 800 * Trust anchor can't inherit. |
801 */ | 801 */ |
| 802 OPENSSL_assert(x != NULL); |
802 if (x->rfc3779_asid != NULL) { | 803 if (x->rfc3779_asid != NULL) { |
803 if (x->rfc3779_asid->asnum != NULL && | 804 if (x->rfc3779_asid->asnum != NULL && |
804 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) | 805 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) |
805 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 806 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
806 if (x->rfc3779_asid->rdi != NULL && | 807 if (x->rfc3779_asid->rdi != NULL && |
807 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) | 808 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) |
808 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 809 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
809 } | 810 } |
810 | 811 |
811 done: | 812 done: |
(...skipping 21 matching lines...)
833 if (ext == NULL) | 834 if (ext == NULL) |
834 return 1; | 835 return 1; |
835 if (chain == NULL || sk_X509_num(chain) == 0) | 836 if (chain == NULL || sk_X509_num(chain) == 0) |
836 return 0; | 837 return 0; |
837 if (!allow_inheritance && v3_asid_inherits(ext)) | 838 if (!allow_inheritance && v3_asid_inherits(ext)) |
838 return 0; | 839 return 0; |
839 return v3_asid_validate_path_internal(NULL, chain, ext); | 840 return v3_asid_validate_path_internal(NULL, chain, ext); |
840 } | 841 } |
841 | 842 |
842 #endif /* OPENSSL_NO_RFC3779 */ | 843 #endif /* OPENSSL_NO_RFC3779 */ |
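Review bot: Switching from `assert` to `OPENSSL_assert` makes each of these checks fatal in every build, so any condition that certificate contents can influence now aborts the process instead of failing validation. The checks most exposed to extension data are in `ASIdentifierChoice_canonize` (new lines 397, 415 and 474) and `extract_min_max` (new line 288). Whether a malformed extension can actually violate them depends on the decoder and on callers that are elided on this page, so treat that as a risk to confirm rather than a demonstrated crash. Where the function already has an error path, use it, for example `if (choice->type != ASIdentifierChoice_asIdsOrRanges) { X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, X509V3_R_EXTENSION_VALUE_ERROR); goto done; }`. Keep `OPENSSL_assert` for pure caller-contract checks such as `chain != NULL`, and add a short comment at each remaining assertion stating why untrusted input cannot reach it.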
OLD | NEW |