| 1 /* | 1 /* |
| 2 * Contributed to the OpenSSL Project by the American Registry for | 2 * Contributed to the OpenSSL Project by the American Registry for |
| 3 * Internet Numbers ("ARIN"). | 3 * Internet Numbers ("ARIN"). |
| 4 */ | 4 */ |
| 5 /* ==================================================================== | 5 /* ==================================================================== |
| 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. | 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. |
| 7 * | 7 * |
| 8 * Redistribution and use in source and binary forms, with or without | 8 * Redistribution and use in source and binary forms, with or without |
| 9 * modification, are permitted provided that the following conditions | 9 * modification, are permitted provided that the following conditions |
| 10 * are met: | 10 * are met: |
| 54 * (eay@cryptsoft.com). This product includes software written by Tim | 54 * (eay@cryptsoft.com). This product includes software written by Tim |
| 55 * Hudson (tjh@cryptsoft.com). | 55 * Hudson (tjh@cryptsoft.com). |
| 56 */ | 56 */ |
| 57 | 57 |
| 58 /* | 58 /* |
| 59 * Implementation of RFC 3779 section 3.2. | 59 * Implementation of RFC 3779 section 3.2. |
| 60 */ | 60 */ |
| 61 | 61 |
| 62 #include <stdio.h> | 62 #include <stdio.h> |
| 63 #include <string.h> | 63 #include <string.h> |
| 64 #include <assert.h> | |
| 65 #include "cryptlib.h" | 64 #include "cryptlib.h" |
| 66 #include <openssl/conf.h> | 65 #include <openssl/conf.h> |
| 67 #include <openssl/asn1.h> | 66 #include <openssl/asn1.h> |
| 68 #include <openssl/asn1t.h> | 67 #include <openssl/asn1t.h> |
| 69 #include <openssl/x509v3.h> | 68 #include <openssl/x509v3.h> |
| 70 #include <openssl/x509.h> | 69 #include <openssl/x509.h> |
| 71 #include <openssl/bn.h> | 70 #include <openssl/bn.h> |
| 72 | 71 |
| 73 #ifndef OPENSSL_NO_RFC3779 | 72 #ifndef OPENSSL_NO_RFC3779 |
| 74 | 73 |
| 145 break; | 144 break; |
| 146 default: | 145 default: |
| 147 return 0; | 146 return 0; |
| 148 } | 147 } |
| 149 return 1; | 148 return 1; |
| 150 } | 149 } |
| 151 | 150 |
| 152 /* | 151 /* |
| 153 * i2r method for an ASIdentifier extension. | 152 * i2r method for an ASIdentifier extension. |
| 154 */ | 153 */ |
| 155 static int i2r_ASIdentifiers(X509V3_EXT_METHOD *method, | 154 static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, |
| 156 void *ext, | 155 void *ext, |
| 157 BIO *out, | 156 BIO *out, |
| 158 int indent) | 157 int indent) |
| 159 { | 158 { |
| 160 ASIdentifiers *asid = ext; | 159 ASIdentifiers *asid = ext; |
| 161 return (i2r_ASIdentifierChoice(out, asid->asnum, indent, | 160 return (i2r_ASIdentifierChoice(out, asid->asnum, indent, |
| 162 "Autonomous System Numbers") && | 161 "Autonomous System Numbers") && |
| 163 i2r_ASIdentifierChoice(out, asid->rdi, indent, | 162 i2r_ASIdentifierChoice(out, asid->rdi, indent, |
| 164 "Routing Domain Identifiers")); | 163 "Routing Domain Identifiers")); |
| 165 } | 164 } |
| 166 | 165 |
| 167 /* | 166 /* |
| 168 * Sort comparision function for a sequence of ASIdOrRange elements. | 167 * Sort comparision function for a sequence of ASIdOrRange elements. |
| 169 */ | 168 */ |
| 170 static int ASIdOrRange_cmp(const ASIdOrRange * const *a_, | 169 static int ASIdOrRange_cmp(const ASIdOrRange * const *a_, |
| 171 const ASIdOrRange * const *b_) | 170 const ASIdOrRange * const *b_) |
| 172 { | 171 { |
| 173 const ASIdOrRange *a = *a_, *b = *b_; | 172 const ASIdOrRange *a = *a_, *b = *b_; |
| 174 | 173 |
| 175 assert((a->type == ASIdOrRange_id && a->u.id != NULL) || | 174 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) || |
| 176 (a->type == ASIdOrRange_range && a->u.range != NULL && | 175 (a->type == ASIdOrRange_range && a->u.range != NULL && |
| 177 a->u.range->min != NULL && a->u.range->max != NULL)); | 176 a->u.range->min != NULL && a->u.range->max != NULL)); |
| 178 | 177 |
| 179 assert((b->type == ASIdOrRange_id && b->u.id != NULL) || | 178 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) || |
| 180 (b->type == ASIdOrRange_range && b->u.range != NULL && | 179 (b->type == ASIdOrRange_range && b->u.range != NULL && |
| 181 b->u.range->min != NULL && b->u.range->max != NULL)); | 180 b->u.range->min != NULL && b->u.range->max != NULL)); |
| 182 | 181 |
| 183 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) | 182 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) |
| 184 return ASN1_INTEGER_cmp(a->u.id, b->u.id); | 183 return ASN1_INTEGER_cmp(a->u.id, b->u.id); |
| 185 | 184 |
| 186 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { | 185 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { |
| 187 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); | 186 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); |
| 188 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max); | 187 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max); |
| 189 } | 188 } |
| 208 break; | 207 break; |
| 209 case V3_ASID_RDI: | 208 case V3_ASID_RDI: |
| 210 choice = &asid->rdi; | 209 choice = &asid->rdi; |
| 211 break; | 210 break; |
| 212 default: | 211 default: |
| 213 return 0; | 212 return 0; |
| 214 } | 213 } |
| 215 if (*choice == NULL) { | 214 if (*choice == NULL) { |
| 216 if ((*choice = ASIdentifierChoice_new()) == NULL) | 215 if ((*choice = ASIdentifierChoice_new()) == NULL) |
| 217 return 0; | 216 return 0; |
| 218 assert((*choice)->u.inherit == NULL); | 217 OPENSSL_assert((*choice)->u.inherit == NULL); |
| 219 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) | 218 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) |
| 220 return 0; | 219 return 0; |
| 221 (*choice)->type = ASIdentifierChoice_inherit; | 220 (*choice)->type = ASIdentifierChoice_inherit; |
| 222 } | 221 } |
| 223 return (*choice)->type == ASIdentifierChoice_inherit; | 222 return (*choice)->type == ASIdentifierChoice_inherit; |
| 224 } | 223 } |
| 225 | 224 |
| 226 /* | 225 /* |
| 227 * Add an ID or range to an ASIdentifierChoice. | 226 * Add an ID or range to an ASIdentifierChoice. |
| 228 */ | 227 */ |
| 243 choice = &asid->rdi; | 242 choice = &asid->rdi; |
| 244 break; | 243 break; |
| 245 default: | 244 default: |
| 246 return 0; | 245 return 0; |
| 247 } | 246 } |
| 248 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) | 247 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) |
| 249 return 0; | 248 return 0; |
| 250 if (*choice == NULL) { | 249 if (*choice == NULL) { |
| 251 if ((*choice = ASIdentifierChoice_new()) == NULL) | 250 if ((*choice = ASIdentifierChoice_new()) == NULL) |
| 252 return 0; | 251 return 0; |
| 253 assert((*choice)->u.asIdsOrRanges == NULL); | 252 OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL); |
| 254 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); | 253 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); |
| 255 if ((*choice)->u.asIdsOrRanges == NULL) | 254 if ((*choice)->u.asIdsOrRanges == NULL) |
| 256 return 0; | 255 return 0; |
| 257 (*choice)->type = ASIdentifierChoice_asIdsOrRanges; | 256 (*choice)->type = ASIdentifierChoice_asIdsOrRanges; |
| 258 } | 257 } |
| 259 if ((aor = ASIdOrRange_new()) == NULL) | 258 if ((aor = ASIdOrRange_new()) == NULL) |
| 260 return 0; | 259 return 0; |
| 261 if (max == NULL) { | 260 if (max == NULL) { |
| 262 aor->type = ASIdOrRange_id; | 261 aor->type = ASIdOrRange_id; |
| 263 aor->u.id = min; | 262 aor->u.id = min; |
| 279 return 0; | 278 return 0; |
| 280 } | 279 } |
| 281 | 280 |
| 282 /* | 281 /* |
| 283 * Extract min and max values from an ASIdOrRange. | 282 * Extract min and max values from an ASIdOrRange. |
| 284 */ | 283 */ |
| 285 static void extract_min_max(ASIdOrRange *aor, | 284 static void extract_min_max(ASIdOrRange *aor, |
| 286 ASN1_INTEGER **min, | 285 ASN1_INTEGER **min, |
| 287 ASN1_INTEGER **max) | 286 ASN1_INTEGER **max) |
| 288 { | 287 { |
| 289 assert(aor != NULL && min != NULL && max != NULL); | 288 OPENSSL_assert(aor != NULL && min != NULL && max != NULL); |
| 290 switch (aor->type) { | 289 switch (aor->type) { |
| 291 case ASIdOrRange_id: | 290 case ASIdOrRange_id: |
| 292 *min = aor->u.id; | 291 *min = aor->u.id; |
| 293 *max = aor->u.id; | 292 *max = aor->u.id; |
| 294 return; | 293 return; |
| 295 case ASIdOrRange_range: | 294 case ASIdOrRange_range: |
| 296 *min = aor->u.range->min; | 295 *min = aor->u.range->min; |
| 297 *max = aor->u.range->max; | 296 *max = aor->u.range->max; |
| 298 return; | 297 return; |
| 299 } | 298 } |
| 366 BN_free(bn); | 365 BN_free(bn); |
| 367 return ret; | 366 return ret; |
| 368 } | 367 } |
| 369 | 368 |
| 370 /* | 369 /* |
| 371 * Check whether an ASIdentifier extension is in canonical form. | 370 * Check whether an ASIdentifier extension is in canonical form. |
| 372 */ | 371 */ |
| 373 int v3_asid_is_canonical(ASIdentifiers *asid) | 372 int v3_asid_is_canonical(ASIdentifiers *asid) |
| 374 { | 373 { |
| 375 return (asid == NULL || | 374 return (asid == NULL || |
| 376 » (ASIdentifierChoice_is_canonical(asid->asnum) || | 375 » (ASIdentifierChoice_is_canonical(asid->asnum) && |
| 377 ASIdentifierChoice_is_canonical(asid->rdi))); | 376 ASIdentifierChoice_is_canonical(asid->rdi))); |
| 378 } | 377 } |
| 379 | 378 |
| 380 /* | 379 /* |
| 381 * Whack an ASIdentifierChoice into canonical form. | 380 * Whack an ASIdentifierChoice into canonical form. |
| 382 */ | 381 */ |
| 383 static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) | 382 static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) |
| 384 { | 383 { |
| 385 ASN1_INTEGER *a_max_plus_one = NULL; | 384 ASN1_INTEGER *a_max_plus_one = NULL; |
| 386 BIGNUM *bn = NULL; | 385 BIGNUM *bn = NULL; |
| 387 int i, ret = 0; | 386 int i, ret = 0; |
| 388 | 387 |
| 389 /* | 388 /* |
| 390 * Nothing to do for empty element or inheritance. | 389 * Nothing to do for empty element or inheritance. |
| 391 */ | 390 */ |
| 392 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) | 391 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) |
| 393 return 1; | 392 return 1; |
| 394 | 393 |
| 395 /* | 394 /* |
| 396 * We have a list. Sort it. | 395 * We have a list. Sort it. |
| 397 */ | 396 */ |
| 398 assert(choice->type == ASIdentifierChoice_asIdsOrRanges); | 397 OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges); |
| 399 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); | 398 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); |
| 400 | 399 |
| 401 /* | 400 /* |
| 402 * Now check for errors and suboptimal encoding, rejecting the | 401 * Now check for errors and suboptimal encoding, rejecting the |
| 403 * former and fixing the latter. | 402 * former and fixing the latter. |
| 404 */ | 403 */ |
| 405 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { | 404 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { |
| 406 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); | 405 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); |
| 407 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); | 406 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); |
| 408 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; | 407 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; |
| 409 | 408 |
| 410 extract_min_max(a, &a_min, &a_max); | 409 extract_min_max(a, &a_min, &a_max); |
| 411 extract_min_max(b, &b_min, &b_max); | 410 extract_min_max(b, &b_min, &b_max); |
| 412 | 411 |
| 413 /* | 412 /* |
| 414 * Make sure we're properly sorted (paranoia). | 413 * Make sure we're properly sorted (paranoia). |
| 415 */ | 414 */ |
| 416 assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); | 415 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); |
| 417 | 416 |
| 418 /* | 417 /* |
| 419 * Check for overlaps. | 418 * Check for overlaps. |
| 420 */ | 419 */ |
| 421 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { | 420 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { |
| 422 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, | 421 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, |
| 423 X509V3_R_EXTENSION_VALUE_ERROR); | 422 X509V3_R_EXTENSION_VALUE_ERROR); |
| 424 goto done; | 423 goto done; |
| 425 } | 424 } |
| 426 | 425 |
| 459 } | 458 } |
| 460 switch (b->type) { | 459 switch (b->type) { |
| 461 case ASIdOrRange_id: | 460 case ASIdOrRange_id: |
| 462 b->u.id = NULL; | 461 b->u.id = NULL; |
| 463 break; | 462 break; |
| 464 case ASIdOrRange_range: | 463 case ASIdOrRange_range: |
| 465 b->u.range->max = NULL; | 464 b->u.range->max = NULL; |
| 466 break; | 465 break; |
| 467 } | 466 } |
| 468 ASIdOrRange_free(b); | 467 ASIdOrRange_free(b); |
| 469 (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); | 468 sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); |
| 470 i--; | 469 i--; |
| 471 continue; | 470 continue; |
| 472 } | 471 } |
| 473 } | 472 } |
| 474 | 473 |
| 475 assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ | 474 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ |
| 476 | 475 |
| 477 ret = 1; | 476 ret = 1; |
| 478 | 477 |
| 479 done: | 478 done: |
| 480 ASN1_INTEGER_free(a_max_plus_one); | 479 ASN1_INTEGER_free(a_max_plus_one); |
| 481 BN_free(bn); | 480 BN_free(bn); |
| 482 return ret; | 481 return ret; |
| 483 } | 482 } |
| 484 | 483 |
| 485 /* | 484 /* |
| 486 * Whack an ASIdentifier extension into canonical form. | 485 * Whack an ASIdentifier extension into canonical form. |
| 487 */ | 486 */ |
| 488 int v3_asid_canonize(ASIdentifiers *asid) | 487 int v3_asid_canonize(ASIdentifiers *asid) |
| 489 { | 488 { |
| 490 return (asid == NULL || | 489 return (asid == NULL || |
| 491 (ASIdentifierChoice_canonize(asid->asnum) && | 490 (ASIdentifierChoice_canonize(asid->asnum) && |
| 492 ASIdentifierChoice_canonize(asid->rdi))); | 491 ASIdentifierChoice_canonize(asid->rdi))); |
| 493 } | 492 } |
| 494 | 493 |
| 495 /* | 494 /* |
| 496 * v2i method for an ASIdentifier extension. | 495 * v2i method for an ASIdentifier extension. |
| 497 */ | 496 */ |
| 498 static void *v2i_ASIdentifiers(struct v3_ext_method *method, | 497 static void *v2i_ASIdentifiers(const struct v3_ext_method *method, |
| 499 struct v3_ext_ctx *ctx, | 498 struct v3_ext_ctx *ctx, |
| 500 STACK_OF(CONF_VALUE) *values) | 499 STACK_OF(CONF_VALUE) *values) |
| 501 { | 500 { |
| 502 ASIdentifiers *asid = NULL; | 501 ASIdentifiers *asid = NULL; |
| 503 int i; | 502 int i; |
| 504 | 503 |
| 505 if ((asid = ASIdentifiers_new()) == NULL) { | 504 if ((asid = ASIdentifiers_new()) == NULL) { |
| 506 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); | 505 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); |
| 507 return NULL; | 506 return NULL; |
| 508 } | 507 } |
| 700 | 699 |
| 701 /* | 700 /* |
| 702 * Core code for RFC 3779 3.3 path validation. | 701 * Core code for RFC 3779 3.3 path validation. |
| 703 */ | 702 */ |
| 704 static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx, | 703 static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx, |
| 705 STACK_OF(X509) *chain, | 704 STACK_OF(X509) *chain, |
| 706 ASIdentifiers *ext) | 705 ASIdentifiers *ext) |
| 707 { | 706 { |
| 708 ASIdOrRanges *child_as = NULL, *child_rdi = NULL; | 707 ASIdOrRanges *child_as = NULL, *child_rdi = NULL; |
| 709 int i, ret = 1, inherit_as = 0, inherit_rdi = 0; | 708 int i, ret = 1, inherit_as = 0, inherit_rdi = 0; |
| 710 X509 *x = NULL; | 709 X509 *x; |
| 711 | 710 |
| 712 assert(chain != NULL && sk_X509_num(chain) > 0); | 711 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); |
| 713 assert(ctx != NULL || ext != NULL); | 712 OPENSSL_assert(ctx != NULL || ext != NULL); |
| 714 assert(ctx == NULL || ctx->verify_cb != NULL); | 713 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); |
| 715 | 714 |
| 716 /* | 715 /* |
| 717 * Figure out where to start. If we don't have an extension to | 716 * Figure out where to start. If we don't have an extension to |
| 718 * check, we're done. Otherwise, check canonical form and | 717 * check, we're done. Otherwise, check canonical form and |
| 719 * set up for walking up the chain. | 718 * set up for walking up the chain. |
| 720 */ | 719 */ |
| 721 if (ext != NULL) { | 720 if (ext != NULL) { |
| 722 i = -1; | 721 i = -1; |
| 722 x = NULL; |
| 723 } else { | 723 } else { |
| 724 i = 0; | 724 i = 0; |
| 725 x = sk_X509_value(chain, i); | 725 x = sk_X509_value(chain, i); |
| 726 assert(x != NULL); | 726 OPENSSL_assert(x != NULL); |
| 727 if ((ext = x->rfc3779_asid) == NULL) | 727 if ((ext = x->rfc3779_asid) == NULL) |
| 728 goto done; | 728 goto done; |
| 729 } | 729 } |
| 730 if (!v3_asid_is_canonical(ext)) | 730 if (!v3_asid_is_canonical(ext)) |
| 731 validation_err(X509_V_ERR_INVALID_EXTENSION); | 731 validation_err(X509_V_ERR_INVALID_EXTENSION); |
| 732 if (ext->asnum != NULL) { | 732 if (ext->asnum != NULL) { |
| 733 switch (ext->asnum->type) { | 733 switch (ext->asnum->type) { |
| 734 case ASIdentifierChoice_inherit: | 734 case ASIdentifierChoice_inherit: |
| 735 inherit_as = 1; | 735 inherit_as = 1; |
| 736 break; | 736 break; |
| 749 break; | 749 break; |
| 750 } | 750 } |
| 751 } | 751 } |
| 752 | 752 |
| 753 /* | 753 /* |
| 754 * Now walk up the chain. Extensions must be in canonical form, no | 754 * Now walk up the chain. Extensions must be in canonical form, no |
| 755 * cert may list resources that its parent doesn't list. | 755 * cert may list resources that its parent doesn't list. |
| 756 */ | 756 */ |
| 757 for (i++; i < sk_X509_num(chain); i++) { | 757 for (i++; i < sk_X509_num(chain); i++) { |
| 758 x = sk_X509_value(chain, i); | 758 x = sk_X509_value(chain, i); |
| 759 assert(x != NULL); | 759 OPENSSL_assert(x != NULL); |
| 760 if (x->rfc3779_asid == NULL) { | 760 if (x->rfc3779_asid == NULL) { |
| 761 if (child_as != NULL || child_rdi != NULL) | 761 if (child_as != NULL || child_rdi != NULL) |
| 762 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 762 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
| 763 continue; | 763 continue; |
| 764 } | 764 } |
| 765 if (!v3_asid_is_canonical(x->rfc3779_asid)) | 765 if (!v3_asid_is_canonical(x->rfc3779_asid)) |
| 766 validation_err(X509_V_ERR_INVALID_EXTENSION); | 766 validation_err(X509_V_ERR_INVALID_EXTENSION); |
| 767 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { | 767 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { |
| 768 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 768 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
| 769 child_as = NULL; | 769 child_as = NULL; |
| 792 inherit_rdi = 0; | 792 inherit_rdi = 0; |
| 793 } else { | 793 } else { |
| 794 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 794 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
| 795 } | 795 } |
| 796 } | 796 } |
| 797 } | 797 } |
| 798 | 798 |
| 799 /* | 799 /* |
| 800 * Trust anchor can't inherit. | 800 * Trust anchor can't inherit. |
| 801 */ | 801 */ |
| 802 OPENSSL_assert(x != NULL); |
| 802 if (x->rfc3779_asid != NULL) { | 803 if (x->rfc3779_asid != NULL) { |
| 803 if (x->rfc3779_asid->asnum != NULL && | 804 if (x->rfc3779_asid->asnum != NULL && |
| 804 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) | 805 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) |
| 805 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 806 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
| 806 if (x->rfc3779_asid->rdi != NULL && | 807 if (x->rfc3779_asid->rdi != NULL && |
| 807 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) | 808 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) |
| 808 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 809 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
| 809 } | 810 } |
| 810 | 811 |
| 811 done: | 812 done: |
| 833 if (ext == NULL) | 834 if (ext == NULL) |
| 834 return 1; | 835 return 1; |
| 835 if (chain == NULL || sk_X509_num(chain) == 0) | 836 if (chain == NULL || sk_X509_num(chain) == 0) |
| 836 return 0; | 837 return 0; |
| 837 if (!allow_inheritance && v3_asid_inherits(ext)) | 838 if (!allow_inheritance && v3_asid_inherits(ext)) |
| 838 return 0; | 839 return 0; |
| 839 return v3_asid_validate_path_internal(NULL, chain, ext); | 840 return v3_asid_validate_path_internal(NULL, chain, ext); |
| 840 } | 841 } |
| 841 | 842 |
| 842 #endif /* OPENSSL_NO_RFC3779 */ | 843 #endif /* OPENSSL_NO_RFC3779 */ |
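Review bot: Turning the structural checks in `ASIdOrRange_cmp` and the closing "Paranoia" check in `ASIdentifierChoice_canonize` from `assert` into `OPENSSL_assert` makes them abort the process in release builds, yet what they test is a property of the ASIdOrRange content being canonised rather than of the library's own state, so a malformed list that reaches them now ends in a crash instead of an error return. The comparator cannot report failure itself, so its structural check belongs before `sk_ASIdOrRange_sort`, and the final canonical-form check should take the same error path the overlap check already uses; `OPENSSL_assert` is appropriate for the allocation-state invariants (`u.inherit == NULL`, `u.asIdsOrRanges == NULL`, the non-NULL pointer check in `extract_min_max`), which cannot be reached from input. Separately, the new `OPENSSL_assert(x != NULL)` before the trust-anchor check in `v3_asid_validate_path_internal` holds only because `sk_X509_num(chain) > 0` was asserted on entry, which guarantees the walk-up loop assigns `x` at least once; a comment such as `/* x is set: chain is non-empty (asserted above), so the loop above ran at least once */` would make that dependency visible to the next reader.
```c
    /* … unchanged: sort, overlap/adjacency merge loop … */

    /* Reject, rather than abort on, a list that is still not canonical. */
    if (!ASIdentifierChoice_is_canonical(choice)) {
        X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
                  X509V3_R_EXTENSION_VALUE_ERROR);
        goto done;
    }

    ret = 1;
```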