summaryrefslogtreecommitdiff
path: root/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c
diff options
context:
space:
mode:
Diffstat (limited to 'Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c')
-rw-r--r--Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c179
1 files changed, 112 insertions, 67 deletions
diff --git a/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c b/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c
index ef1d775a..1290dec9 100644
--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c
+++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_addr.c
@@ -1,10 +1,58 @@
/*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Contributed to the OpenSSL Project by the American Registry for
+ * Internet Numbers ("ARIN").
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
*/
/*
@@ -14,14 +62,12 @@
#include <stdio.h>
#include <stdlib.h>
-#include "internal/cryptlib.h"
+#include "cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/buffer.h>
#include <openssl/x509v3.h>
-#include "internal/x509_int.h"
-#include "ext_dat.h"
#ifndef OPENSSL_NO_RFC3779
@@ -52,7 +98,7 @@ ASN1_SEQUENCE(IPAddressFamily) = {
ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
IPAddrBlocks, IPAddressFamily)
-static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
+ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
@@ -62,7 +108,7 @@ IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
/*
* How much buffer space do we need for a raw address?
*/
-#define ADDR_RAW_BUF_LEN 16
+# define ADDR_RAW_BUF_LEN 16
/*
* What's the address length associated with this AFI?
@@ -82,7 +128,7 @@ static int length_from_afi(const unsigned afi)
/*
* Extract the AFI from an IPAddressFamily.
*/
-unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
+unsigned int v3_addr_get_afi(const IPAddressFamily *f)
{
return ((f != NULL &&
f->addressFamily != NULL && f->addressFamily->data != NULL)
@@ -117,7 +163,7 @@ static int addr_expand(unsigned char *addr,
/*
* Extract the prefix length from a bitstring.
*/
-#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
+# define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
/*
* i2r handler for one address bitstring.
@@ -200,7 +246,7 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
int i;
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
- const unsigned int afi = X509v3_addr_get_afi(f);
+ const unsigned int afi = v3_addr_get_afi(f);
switch (afi) {
case IANA_AFI_IPV4:
BIO_printf(out, "%*sIPv4", indent, "");
@@ -312,7 +358,7 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
/*
* IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
- * comparison routines are only allowed two arguments.
+ * comparision routines are only allowed two arguments.
*/
static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
const IPAddressOrRange *const *b)
@@ -322,7 +368,7 @@ static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
/*
* IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
- * comparison routines are only allowed two arguments.
+ * comparision routines are only allowed two arguments.
*/
static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
const IPAddressOrRange *const *b)
@@ -482,7 +528,7 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
{
IPAddressFamily *f;
unsigned char key[3];
- int keylen;
+ unsigned keylen;
int i;
key[0] = (afi >> 8) & 0xFF;
@@ -525,8 +571,8 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
/*
* Add an inheritance element.
*/
-int X509v3_addr_add_inherit(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi)
+int v3_addr_add_inherit(IPAddrBlocks *addr,
+ const unsigned afi, const unsigned *safi)
{
IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
if (f == NULL ||
@@ -581,10 +627,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
/*
* Add a prefix.
*/
-int X509v3_addr_add_prefix(IPAddrBlocks *addr,
- const unsigned afi,
- const unsigned *safi,
- unsigned char *a, const int prefixlen)
+int v3_addr_add_prefix(IPAddrBlocks *addr,
+ const unsigned afi,
+ const unsigned *safi,
+ unsigned char *a, const int prefixlen)
{
IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
IPAddressOrRange *aor;
@@ -599,10 +645,10 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr,
/*
* Add a range.
*/
-int X509v3_addr_add_range(IPAddrBlocks *addr,
- const unsigned afi,
- const unsigned *safi,
- unsigned char *min, unsigned char *max)
+int v3_addr_add_range(IPAddrBlocks *addr,
+ const unsigned afi,
+ const unsigned *safi,
+ unsigned char *min, unsigned char *max)
{
IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
IPAddressOrRange *aor;
@@ -639,10 +685,10 @@ static int extract_min_max(IPAddressOrRange *aor,
/*
* Public wrapper for extract_min_max().
*/
-int X509v3_addr_get_range(IPAddressOrRange *aor,
- const unsigned afi,
- unsigned char *min,
- unsigned char *max, const int length)
+int v3_addr_get_range(IPAddressOrRange *aor,
+ const unsigned afi,
+ unsigned char *min,
+ unsigned char *max, const int length)
{
int afi_length = length_from_afi(afi);
if (aor == NULL || min == NULL || max == NULL ||
@@ -656,7 +702,7 @@ int X509v3_addr_get_range(IPAddressOrRange *aor,
}
/*
- * Sort comparison function for a sequence of IPAddressFamily.
+ * Sort comparision function for a sequence of IPAddressFamily.
*
* The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
* the ordering: I can read it as meaning that IPv6 without a SAFI
@@ -678,7 +724,7 @@ static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
/*
* Check whether an IPAddrBLocks is in canonical form.
*/
-int X509v3_addr_is_canonical(IPAddrBlocks *addr)
+int v3_addr_is_canonical(IPAddrBlocks *addr)
{
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
@@ -686,7 +732,7 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr)
int i, j, k;
/*
- * Empty extension is canonical.
+ * Empty extension is cannonical.
*/
if (addr == NULL)
return 1;
@@ -706,7 +752,7 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr)
*/
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
- int length = length_from_afi(X509v3_addr_get_afi(f));
+ int length = length_from_afi(v3_addr_get_afi(f));
/*
* Inheritance is canonical. Anything other than inheritance or
@@ -849,8 +895,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
if (a != NULL && a->type == IPAddressOrRange_addressRange) {
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
- if (!extract_min_max(a, a_min, a_max, length))
- return 0;
+ extract_min_max(a, a_min, a_max, length);
if (memcmp(a_min, a_max, length) > 0)
return 0;
}
@@ -862,7 +907,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
/*
* Whack an IPAddrBlocks extension into canonical form.
*/
-int X509v3_addr_canonize(IPAddrBlocks *addr)
+int v3_addr_canonize(IPAddrBlocks *addr)
{
int i;
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
@@ -870,12 +915,12 @@ int X509v3_addr_canonize(IPAddrBlocks *addr)
if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
!IPAddressOrRanges_canonize(f->ipAddressChoice->
u.addressesOrRanges,
- X509v3_addr_get_afi(f)))
+ v3_addr_get_afi(f)))
return 0;
}
(void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
sk_IPAddressFamily_sort(addr);
- OPENSSL_assert(X509v3_addr_is_canonical(addr));
+ OPENSSL_assert(v3_addr_is_canonical(addr));
return 1;
}
@@ -901,7 +946,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
unsigned afi, *safi = NULL, safi_;
- const char *addr_chars = NULL;
+ const char *addr_chars;
int prefixlen, i1, i2, delim, length;
if (!name_cmp(val->name, "IPv4")) {
@@ -933,7 +978,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
length = length_from_afi(afi);
/*
- * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
+ * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
* the other input values.
*/
if (safi != NULL) {
@@ -945,9 +990,9 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
goto err;
}
t += strspn(t, " \t");
- s = OPENSSL_strdup(t);
+ s = BUF_strdup(t);
} else {
- s = OPENSSL_strdup(val->value);
+ s = BUF_strdup(val->value);
}
if (s == NULL) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
@@ -958,8 +1003,8 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
* Check for inheritance. Not worth additional complexity to
* optimize this (seldom-used) case.
*/
- if (strcmp(s, "inherit") == 0) {
- if (!X509v3_addr_add_inherit(addr, afi, safi)) {
+ if (!strcmp(s, "inherit")) {
+ if (!v3_addr_add_inherit(addr, afi, safi)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
X509V3_R_INVALID_INHERITANCE);
X509V3_conf_err(val);
@@ -990,7 +1035,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
X509V3_conf_err(val);
goto err;
}
- if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
+ if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -1016,13 +1061,13 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
X509V3_conf_err(val);
goto err;
}
- if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
+ if (!v3_addr_add_range(addr, afi, safi, min, max)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
goto err;
}
break;
case '\0':
- if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
+ if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -1041,7 +1086,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
/*
* Canonize the result, then we're done.
*/
- if (!X509v3_addr_canonize(addr))
+ if (!v3_addr_canonize(addr))
goto err;
return addr;
@@ -1071,7 +1116,7 @@ const X509V3_EXT_METHOD v3_addr = {
/*
* Figure out whether extension sues inheritance.
*/
-int X509v3_addr_inherits(IPAddrBlocks *addr)
+int v3_addr_inherits(IPAddrBlocks *addr)
{
int i;
if (addr == NULL)
@@ -1124,12 +1169,12 @@ static int addr_contains(IPAddressOrRanges *parent,
/*
* Test whether a is a subset of b.
*/
-int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
+int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
{
int i;
if (a == NULL || a == b)
return 1;
- if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
+ if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
return 0;
(void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
@@ -1141,7 +1186,7 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
return 0;
if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
fa->ipAddressChoice->u.addressesOrRanges,
- length_from_afi(X509v3_addr_get_afi(fb))))
+ length_from_afi(v3_addr_get_afi(fb))))
return 0;
}
return 1;
@@ -1150,7 +1195,7 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
/*
* Validation error handling via callback.
*/
-#define validation_err(_err_) \
+# define validation_err(_err_) \
do { \
if (ctx != NULL) { \
ctx->error = _err_; \
@@ -1172,9 +1217,9 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
* When returning 0, ctx->error MUST be set to an appropriate value other than
* X509_V_OK.
*/
-static int addr_validate_path_internal(X509_STORE_CTX *ctx,
- STACK_OF(X509) *chain,
- IPAddrBlocks *ext)
+static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *chain,
+ IPAddrBlocks *ext)
{
IPAddrBlocks *child = NULL;
int i, j, ret = 1;
@@ -1199,11 +1244,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
if ((ext = x->rfc3779_addr) == NULL)
goto done;
}
- if (!X509v3_addr_is_canonical(ext))
+ if (!v3_addr_is_canonical(ext))
validation_err(X509_V_ERR_INVALID_EXTENSION);
(void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
- X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL,
+ X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL,
ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
ret = 0;
@@ -1217,7 +1262,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
for (i++; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
OPENSSL_assert(x != NULL);
- if (!X509v3_addr_is_canonical(x->rfc3779_addr))
+ if (!v3_addr_is_canonical(x->rfc3779_addr))
validation_err(X509_V_ERR_INVALID_EXTENSION);
if (x->rfc3779_addr == NULL) {
for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
@@ -1249,7 +1294,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
if (fc->ipAddressChoice->type == IPAddressChoice_inherit
|| addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
fc->ipAddressChoice->u.addressesOrRanges,
- length_from_afi(X509v3_addr_get_afi(fc))))
+ length_from_afi(v3_addr_get_afi(fc))))
sk_IPAddressFamily_set(child, j, fp);
else
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
@@ -1276,30 +1321,30 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
return ret;
}
-#undef validation_err
+# undef validation_err
/*
* RFC 3779 2.3 path validation -- called from X509_verify_cert().
*/
-int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
+int v3_addr_validate_path(X509_STORE_CTX *ctx)
{
- return addr_validate_path_internal(ctx, ctx->chain, NULL);
+ return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
}
/*
* RFC 3779 2.3 path validation of an extension.
* Test whether chain covers extension.
*/
-int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
+int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
IPAddrBlocks *ext, int allow_inheritance)
{
if (ext == NULL)
return 1;
if (chain == NULL || sk_X509_num(chain) == 0)
return 0;
- if (!allow_inheritance && X509v3_addr_inherits(ext))
+ if (!allow_inheritance && v3_addr_inherits(ext))
return 0;
- return addr_validate_path_internal(NULL, chain, ext);
+ return v3_addr_validate_path_internal(NULL, chain, ext);
}
#endif /* OPENSSL_NO_RFC3779 */
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-30 09:22:00 +0000