Bug Summary

File:out/../deps/openssl/openssl/crypto/x509/v3_addr.c
Warning:line 1271, column 9
Access to field 'rfc3779_addr' results in a dereference of a null pointer (loaded from variable 'x')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name v3_addr.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_NO_HW -D OPENSSL_API_COMPAT=0x10100001L -D STATIC_LEGACY -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D MODULESDIR="/home/maurizio/node-v18.6.0/out/Release/obj.target/deps/openssl/lib/openssl-modules" -D OPENSSLDIR="/home/maurizio/node-v18.6.0/out/Release/obj.target/deps/openssl" -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/config/archs/linux-x86_64/asm/crypto -I ../deps/openssl/config/archs/linux-x86_64/asm/crypto/include/internal -I ../deps/openssl/config/archs/linux-x86_64/asm/providers/common/include -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/crypto/x509/v3_addr.c
1/*
2 * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * Implementation of RFC 3779 section 2.2.
12 */
13
14#include <stdio.h>
15#include <stdlib.h>
16#include <assert.h>
17#include <string.h>
18
19#include "internal/cryptlib.h"
20#include <openssl/conf.h>
21#include <openssl/asn1.h>
22#include <openssl/asn1t.h>
23#include <openssl/buffer.h>
24#include <openssl/x509v3.h>
25#include "crypto/x509.h"
26#include "ext_dat.h"
27#include "x509_local.h"
28
29#ifndef OPENSSL_NO_RFC3779
30
31/*
32 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
33 */
34
35ASN1_SEQUENCE(IPAddressRange)static const ASN1_TEMPLATE IPAddressRange_seq_tt[] = {
36 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING){ (0), (0), __builtin_offsetof(IPAddressRange, min), "min", (
ASN1_BIT_STRING_it) },
37 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING){ (0), (0), __builtin_offsetof(IPAddressRange, max), "max", (
ASN1_BIT_STRING_it) }
38} ASN1_SEQUENCE_END(IPAddressRange); const ASN1_ITEM * IPAddressRange_it(void) { static const ASN1_ITEM
local_it = { 0x1, 16, IPAddressRange_seq_tt, sizeof(IPAddressRange_seq_tt
) / sizeof(ASN1_TEMPLATE), ((void*)0), sizeof(IPAddressRange)
, "IPAddressRange" }; return &local_it; }
39
40ASN1_CHOICE(IPAddressOrRange)static const ASN1_TEMPLATE IPAddressOrRange_ch_tt[] = {
41 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING){ (0), (0), __builtin_offsetof(IPAddressOrRange, u.addressPrefix
), "u.addressPrefix", (ASN1_BIT_STRING_it) },
42 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange){ (0), (0), __builtin_offsetof(IPAddressOrRange, u.addressRange
), "u.addressRange", (IPAddressRange_it) }
43} ASN1_CHOICE_END(IPAddressOrRange); const ASN1_ITEM * IPAddressOrRange_it(void) { static const ASN1_ITEM
local_it = { 0x2, __builtin_offsetof(IPAddressOrRange, type)
, IPAddressOrRange_ch_tt, sizeof(IPAddressOrRange_ch_tt) / sizeof
(ASN1_TEMPLATE), ((void*)0), sizeof(IPAddressOrRange), "IPAddressOrRange"
}; return &local_it; }
44
45ASN1_CHOICE(IPAddressChoice)static const ASN1_TEMPLATE IPAddressChoice_ch_tt[] = {
46 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL){ (0), (0), __builtin_offsetof(IPAddressChoice, u.inherit), "u.inherit"
, (ASN1_NULL_it) },
47 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange){ ((0x2 << 1)), (0), __builtin_offsetof(IPAddressChoice
, u.addressesOrRanges), "u.addressesOrRanges", (IPAddressOrRange_it
) }
48} ASN1_CHOICE_END(IPAddressChoice); const ASN1_ITEM * IPAddressChoice_it(void) { static const ASN1_ITEM
local_it = { 0x2, __builtin_offsetof(IPAddressChoice, type) ,
IPAddressChoice_ch_tt, sizeof(IPAddressChoice_ch_tt) / sizeof
(ASN1_TEMPLATE), ((void*)0), sizeof(IPAddressChoice), "IPAddressChoice"
}; return &local_it; }
49
50ASN1_SEQUENCE(IPAddressFamily)static const ASN1_TEMPLATE IPAddressFamily_seq_tt[] = {
51 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING){ (0), (0), __builtin_offsetof(IPAddressFamily, addressFamily
), "addressFamily", (ASN1_OCTET_STRING_it) },
52 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice){ (0), (0), __builtin_offsetof(IPAddressFamily, ipAddressChoice
), "ipAddressChoice", (IPAddressChoice_it) }
53} ASN1_SEQUENCE_END(IPAddressFamily); const ASN1_ITEM * IPAddressFamily_it(void) { static const ASN1_ITEM
local_it = { 0x1, 16, IPAddressFamily_seq_tt, sizeof(IPAddressFamily_seq_tt
) / sizeof(ASN1_TEMPLATE), ((void*)0), sizeof(IPAddressFamily
), "IPAddressFamily" }; return &local_it; }
54
55ASN1_ITEM_TEMPLATE(IPAddrBlocks)static const ASN1_TEMPLATE IPAddrBlocks_item_tt =
56 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,{ ((0x2 << 1)), (0), 0, "IPAddrBlocks", (IPAddressFamily_it
) }
57 IPAddrBlocks, IPAddressFamily){ ((0x2 << 1)), (0), 0, "IPAddrBlocks", (IPAddressFamily_it
) }
58static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks); static const ASN1_ITEM * IPAddrBlocks_it(void) { static const
ASN1_ITEM local_it = { 0x0, -1, &IPAddrBlocks_item_tt, 0
, ((void*)0), 0, "IPAddrBlocks" }; return &local_it; }
59
60IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)IPAddressRange *d2i_IPAddressRange(IPAddressRange **a, const unsigned
char **in, long len) { return (IPAddressRange *)ASN1_item_d2i
((ASN1_VALUE **)a, in, len, (IPAddressRange_it())); } int i2d_IPAddressRange
(const IPAddressRange *a, unsigned char **out) { return ASN1_item_i2d
((const ASN1_VALUE *)a, out, (IPAddressRange_it())); } IPAddressRange
*IPAddressRange_new(void) { return (IPAddressRange *)ASN1_item_new
((IPAddressRange_it())); } void IPAddressRange_free(IPAddressRange
*a) { ASN1_item_free((ASN1_VALUE *)a, (IPAddressRange_it()))
; }
61IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)IPAddressOrRange *d2i_IPAddressOrRange(IPAddressOrRange **a, const
unsigned char **in, long len) { return (IPAddressOrRange *)ASN1_item_d2i
((ASN1_VALUE **)a, in, len, (IPAddressOrRange_it())); } int i2d_IPAddressOrRange
(const IPAddressOrRange *a, unsigned char **out) { return ASN1_item_i2d
((const ASN1_VALUE *)a, out, (IPAddressOrRange_it())); } IPAddressOrRange
*IPAddressOrRange_new(void) { return (IPAddressOrRange *)ASN1_item_new
((IPAddressOrRange_it())); } void IPAddressOrRange_free(IPAddressOrRange
*a) { ASN1_item_free((ASN1_VALUE *)a, (IPAddressOrRange_it()
)); }
62IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)IPAddressChoice *d2i_IPAddressChoice(IPAddressChoice **a, const
unsigned char **in, long len) { return (IPAddressChoice *)ASN1_item_d2i
((ASN1_VALUE **)a, in, len, (IPAddressChoice_it())); } int i2d_IPAddressChoice
(const IPAddressChoice *a, unsigned char **out) { return ASN1_item_i2d
((const ASN1_VALUE *)a, out, (IPAddressChoice_it())); } IPAddressChoice
*IPAddressChoice_new(void) { return (IPAddressChoice *)ASN1_item_new
((IPAddressChoice_it())); } void IPAddressChoice_free(IPAddressChoice
*a) { ASN1_item_free((ASN1_VALUE *)a, (IPAddressChoice_it())
); }
63IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)IPAddressFamily *d2i_IPAddressFamily(IPAddressFamily **a, const
unsigned char **in, long len) { return (IPAddressFamily *)ASN1_item_d2i
((ASN1_VALUE **)a, in, len, (IPAddressFamily_it())); } int i2d_IPAddressFamily
(const IPAddressFamily *a, unsigned char **out) { return ASN1_item_i2d
((const ASN1_VALUE *)a, out, (IPAddressFamily_it())); } IPAddressFamily
*IPAddressFamily_new(void) { return (IPAddressFamily *)ASN1_item_new
((IPAddressFamily_it())); } void IPAddressFamily_free(IPAddressFamily
*a) { ASN1_item_free((ASN1_VALUE *)a, (IPAddressFamily_it())
); }
64
65/*
66 * How much buffer space do we need for a raw address?
67 */
68#define ADDR_RAW_BUF_LEN16 16
69
70/*
71 * What's the address length associated with this AFI?
72 */
73static int length_from_afi(const unsigned afi)
74{
75 switch (afi) {
76 case IANA_AFI_IPV41:
77 return 4;
78 case IANA_AFI_IPV62:
79 return 16;
80 default:
81 return 0;
82 }
83}
84
85/*
86 * Extract the AFI from an IPAddressFamily.
87 */
88unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
89{
90 if (f == NULL((void*)0)
91 || f->addressFamily == NULL((void*)0)
92 || f->addressFamily->data == NULL((void*)0)
93 || f->addressFamily->length < 2)
94 return 0;
95 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
96}
97
98/*
99 * Expand the bitstring form of an address into a raw byte array.
100 * At the moment this is coded for simplicity, not speed.
101 */
102static int addr_expand(unsigned char *addr,
103 const ASN1_BIT_STRING *bs,
104 const int length, const unsigned char fill)
105{
106 if (bs->length < 0 || bs->length > length)
107 return 0;
108 if (bs->length > 0) {
109 memcpy(addr, bs->data, bs->length);
110 if ((bs->flags & 7) != 0) {
111 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
112 if (fill == 0)
113 addr[bs->length - 1] &= ~mask;
114 else
115 addr[bs->length - 1] |= mask;
116 }
117 }
118 memset(addr + bs->length, fill, length - bs->length);
119 return 1;
120}
121
122/*
123 * Extract the prefix length from a bitstring.
124 */
125#define addr_prefixlen(bs)((int) ((bs)->length * 8 - ((bs)->flags & 7))) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
126
127/*
128 * i2r handler for one address bitstring.
129 */
130static int i2r_address(BIO *out,
131 const unsigned afi,
132 const unsigned char fill, const ASN1_BIT_STRING *bs)
133{
134 unsigned char addr[ADDR_RAW_BUF_LEN16];
135 int i, n;
136
137 if (bs->length < 0)
138 return 0;
139 switch (afi) {
140 case IANA_AFI_IPV41:
141 if (!addr_expand(addr, bs, 4, fill))
142 return 0;
143 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
144 break;
145 case IANA_AFI_IPV62:
146 if (!addr_expand(addr, bs, 16, fill))
147 return 0;
148 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00;
149 n -= 2) ;
150 for (i = 0; i < n; i += 2)
151 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
152 (i < 14 ? ":" : ""));
153 if (i < 16)
154 BIO_puts(out, ":");
155 if (i == 0)
156 BIO_puts(out, ":");
157 break;
158 default:
159 for (i = 0; i < bs->length; i++)
160 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
161 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
162 break;
163 }
164 return 1;
165}
166
167/*
168 * i2r handler for a sequence of addresses and ranges.
169 */
170static int i2r_IPAddressOrRanges(BIO *out,
171 const int indent,
172 const IPAddressOrRanges *aors,
173 const unsigned afi)
174{
175 int i;
176 for (i = 0; i < sk_IPAddressOrRange_num(aors)OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(aors
)); i++) {
177 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(aors), (i)));
178 BIO_printf(out, "%*s", indent, "");
179 switch (aor->type) {
180 case IPAddressOrRange_addressPrefix0:
181 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
182 return 0;
183 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)((int) ((aor->u.addressPrefix)->length * 8 - ((aor->
u.addressPrefix)->flags & 7))));
184 continue;
185 case IPAddressOrRange_addressRange1:
186 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
187 return 0;
188 BIO_puts(out, "-");
189 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
190 return 0;
191 BIO_puts(out, "\n");
192 continue;
193 }
194 }
195 return 1;
196}
197
198/*
199 * i2r handler for an IPAddrBlocks extension.
200 */
201static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
202 void *ext, BIO *out, int indent)
203{
204 const IPAddrBlocks *addr = ext;
205 int i;
206 for (i = 0; i < sk_IPAddressFamily_num(addr)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(addr)
); i++) {
207 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(addr), (i)));
208 const unsigned int afi = X509v3_addr_get_afi(f);
209 switch (afi) {
210 case IANA_AFI_IPV41:
211 BIO_printf(out, "%*sIPv4", indent, "");
212 break;
213 case IANA_AFI_IPV62:
214 BIO_printf(out, "%*sIPv6", indent, "");
215 break;
216 default:
217 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
218 break;
219 }
220 if (f->addressFamily->length > 2) {
221 switch (f->addressFamily->data[2]) {
222 case 1:
223 BIO_puts(out, " (Unicast)");
224 break;
225 case 2:
226 BIO_puts(out, " (Multicast)");
227 break;
228 case 3:
229 BIO_puts(out, " (Unicast/Multicast)");
230 break;
231 case 4:
232 BIO_puts(out, " (MPLS)");
233 break;
234 case 64:
235 BIO_puts(out, " (Tunnel)");
236 break;
237 case 65:
238 BIO_puts(out, " (VPLS)");
239 break;
240 case 66:
241 BIO_puts(out, " (BGP MDT)");
242 break;
243 case 128:
244 BIO_puts(out, " (MPLS-labeled VPN)");
245 break;
246 default:
247 BIO_printf(out, " (Unknown SAFI %u)",
248 (unsigned)f->addressFamily->data[2]);
249 break;
250 }
251 }
252 switch (f->ipAddressChoice->type) {
253 case IPAddressChoice_inherit0:
254 BIO_puts(out, ": inherit\n");
255 break;
256 case IPAddressChoice_addressesOrRanges1:
257 BIO_puts(out, ":\n");
258 if (!i2r_IPAddressOrRanges(out,
259 indent + 2,
260 f->ipAddressChoice->
261 u.addressesOrRanges, afi))
262 return 0;
263 break;
264 }
265 }
266 return 1;
267}
268
269/*
270 * Sort comparison function for a sequence of IPAddressOrRange
271 * elements.
272 *
273 * There's no sane answer we can give if addr_expand() fails, and an
274 * assertion failure on externally supplied data is seriously uncool,
275 * so we just arbitrarily declare that if given invalid inputs this
276 * function returns -1. If this messes up your preferred sort order
277 * for garbage input, tough noogies.
278 */
279static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
280 const IPAddressOrRange *b, const int length)
281{
282 unsigned char addr_a[ADDR_RAW_BUF_LEN16], addr_b[ADDR_RAW_BUF_LEN16];
283 int prefixlen_a = 0, prefixlen_b = 0;
284 int r;
285
286 switch (a->type) {
287 case IPAddressOrRange_addressPrefix0:
288 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
289 return -1;
290 prefixlen_a = addr_prefixlen(a->u.addressPrefix)((int) ((a->u.addressPrefix)->length * 8 - ((a->u.addressPrefix
)->flags & 7)));
291 break;
292 case IPAddressOrRange_addressRange1:
293 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
294 return -1;
295 prefixlen_a = length * 8;
296 break;
297 }
298
299 switch (b->type) {
300 case IPAddressOrRange_addressPrefix0:
301 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
302 return -1;
303 prefixlen_b = addr_prefixlen(b->u.addressPrefix)((int) ((b->u.addressPrefix)->length * 8 - ((b->u.addressPrefix
)->flags & 7)));
304 break;
305 case IPAddressOrRange_addressRange1:
306 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
307 return -1;
308 prefixlen_b = length * 8;
309 break;
310 }
311
312 if ((r = memcmp(addr_a, addr_b, length)) != 0)
313 return r;
314 else
315 return prefixlen_a - prefixlen_b;
316}
317
318/*
319 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
320 * comparison routines are only allowed two arguments.
321 */
322static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
323 const IPAddressOrRange *const *b)
324{
325 return IPAddressOrRange_cmp(*a, *b, 4);
326}
327
328/*
329 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
330 * comparison routines are only allowed two arguments.
331 */
332static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
333 const IPAddressOrRange *const *b)
334{
335 return IPAddressOrRange_cmp(*a, *b, 16);
336}
337
338/*
339 * Calculate whether a range collapses to a prefix.
340 * See last paragraph of RFC 3779 2.2.3.7.
341 */
342static int range_should_be_prefix(const unsigned char *min,
343 const unsigned char *max, const int length)
344{
345 unsigned char mask;
346 int i, j;
347
348 /*
349 * It is the responsibility of the caller to confirm min <= max. We don't
350 * use ossl_assert() here since we have no way of signalling an error from
351 * this function - so we just use a plain assert instead.
352 */
353 assert(memcmp(min, max, length) <= 0)((void) (0));
354
355 for (i = 0; i < length && min[i] == max[i]; i++) ;
356 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
357 if (i < j)
358 return -1;
359 if (i > j)
360 return i * 8;
361 mask = min[i] ^ max[i];
362 switch (mask) {
363 case 0x01:
364 j = 7;
365 break;
366 case 0x03:
367 j = 6;
368 break;
369 case 0x07:
370 j = 5;
371 break;
372 case 0x0F:
373 j = 4;
374 break;
375 case 0x1F:
376 j = 3;
377 break;
378 case 0x3F:
379 j = 2;
380 break;
381 case 0x7F:
382 j = 1;
383 break;
384 default:
385 return -1;
386 }
387 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
388 return -1;
389 else
390 return i * 8 + j;
391}
392
393/*
394 * Construct a prefix.
395 */
396static int make_addressPrefix(IPAddressOrRange **result,
397 unsigned char *addr, const int prefixlen)
398{
399 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
400 IPAddressOrRange *aor = IPAddressOrRange_new();
401
402 if (aor == NULL((void*)0))
403 return 0;
404 aor->type = IPAddressOrRange_addressPrefix0;
405 if (aor->u.addressPrefix == NULL((void*)0) &&
406 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL((void*)0))
407 goto err;
408 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
409 goto err;
410 aor->u.addressPrefix->flags &= ~7;
411 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT0x08;
412 if (bitlen > 0) {
413 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
414 aor->u.addressPrefix->flags |= 8 - bitlen;
415 }
416
417 *result = aor;
418 return 1;
419
420 err:
421 IPAddressOrRange_free(aor);
422 return 0;
423}
424
425/*
426 * Construct a range. If it can be expressed as a prefix,
427 * return a prefix instead. Doing this here simplifies
428 * the rest of the code considerably.
429 */
430static int make_addressRange(IPAddressOrRange **result,
431 unsigned char *min,
432 unsigned char *max, const int length)
433{
434 IPAddressOrRange *aor;
435 int i, prefixlen;
436
437 if (memcmp(min, max, length) > 0)
438 return 0;
439
440 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
441 return make_addressPrefix(result, min, prefixlen);
442
443 if ((aor = IPAddressOrRange_new()) == NULL((void*)0))
444 return 0;
445 aor->type = IPAddressOrRange_addressRange1;
446 if ((aor->u.addressRange = IPAddressRange_new()) == NULL((void*)0))
447 goto err;
448 if (aor->u.addressRange->min == NULL((void*)0) &&
449 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL((void*)0))
450 goto err;
451 if (aor->u.addressRange->max == NULL((void*)0) &&
452 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL((void*)0))
453 goto err;
454
455 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ;
456 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
457 goto err;
458 aor->u.addressRange->min->flags &= ~7;
459 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT0x08;
460 if (i > 0) {
461 unsigned char b = min[i - 1];
462 int j = 1;
463 while ((b & (0xFFU >> j)) != 0)
464 ++j;
465 aor->u.addressRange->min->flags |= 8 - j;
466 }
467
468 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ;
469 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
470 goto err;
471 aor->u.addressRange->max->flags &= ~7;
472 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT0x08;
473 if (i > 0) {
474 unsigned char b = max[i - 1];
475 int j = 1;
476 while ((b & (0xFFU >> j)) != (0xFFU >> j))
477 ++j;
478 aor->u.addressRange->max->flags |= 8 - j;
479 }
480
481 *result = aor;
482 return 1;
483
484 err:
485 IPAddressOrRange_free(aor);
486 return 0;
487}
488
489/*
490 * Construct a new address family or find an existing one.
491 */
492static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
493 const unsigned afi,
494 const unsigned *safi)
495{
496 IPAddressFamily *f;
497 unsigned char key[3];
498 int keylen;
499 int i;
500
501 key[0] = (afi >> 8) & 0xFF;
502 key[1] = afi & 0xFF;
503 if (safi != NULL((void*)0)) {
504 key[2] = *safi & 0xFF;
505 keylen = 3;
506 } else {
507 keylen = 2;
508 }
509
510 for (i = 0; i < sk_IPAddressFamily_num(addr)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(addr)
); i++) {
511 f = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(addr), (i)));
512 if (f->addressFamily->length == keylen &&
513 !memcmp(f->addressFamily->data, key, keylen))
514 return f;
515 }
516
517 if ((f = IPAddressFamily_new()) == NULL((void*)0))
518 goto err;
519 if (f->ipAddressChoice == NULL((void*)0) &&
520 (f->ipAddressChoice = IPAddressChoice_new()) == NULL((void*)0))
521 goto err;
522 if (f->addressFamily == NULL((void*)0) &&
523 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL((void*)0))
524 goto err;
525 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
526 goto err;
527 if (!sk_IPAddressFamily_push(addr, f)OPENSSL_sk_push(ossl_check_IPAddressFamily_sk_type(addr), ossl_check_IPAddressFamily_type
(f)))
528 goto err;
529
530 return f;
531
532 err:
533 IPAddressFamily_free(f);
534 return NULL((void*)0);
535}
536
537/*
538 * Add an inheritance element.
539 */
540int X509v3_addr_add_inherit(IPAddrBlocks *addr,
541 const unsigned afi, const unsigned *safi)
542{
543 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
544 if (f == NULL((void*)0) ||
545 f->ipAddressChoice == NULL((void*)0) ||
546 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges1 &&
547 f->ipAddressChoice->u.addressesOrRanges != NULL((void*)0)))
548 return 0;
549 if (f->ipAddressChoice->type == IPAddressChoice_inherit0 &&
550 f->ipAddressChoice->u.inherit != NULL((void*)0))
551 return 1;
552 if (f->ipAddressChoice->u.inherit == NULL((void*)0) &&
553 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL((void*)0))
554 return 0;
555 f->ipAddressChoice->type = IPAddressChoice_inherit0;
556 return 1;
557}
558
559/*
560 * Construct an IPAddressOrRange sequence, or return an existing one.
561 */
562static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
563 const unsigned afi,
564 const unsigned *safi)
565{
566 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
567 IPAddressOrRanges *aors = NULL((void*)0);
568
569 if (f == NULL((void*)0) ||
570 f->ipAddressChoice == NULL((void*)0) ||
571 (f->ipAddressChoice->type == IPAddressChoice_inherit0 &&
572 f->ipAddressChoice->u.inherit != NULL((void*)0)))
573 return NULL((void*)0);
574 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges1)
575 aors = f->ipAddressChoice->u.addressesOrRanges;
576 if (aors != NULL((void*)0))
577 return aors;
578 if ((aors = sk_IPAddressOrRange_new_null()((struct stack_st_IPAddressOrRange *)OPENSSL_sk_new_null())) == NULL((void*)0))
579 return NULL((void*)0);
580 switch (afi) {
581 case IANA_AFI_IPV41:
582 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp)((sk_IPAddressOrRange_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressOrRange_sk_type
(aors), ossl_check_IPAddressOrRange_compfunc_type(v4IPAddressOrRange_cmp
)));
583 break;
584 case IANA_AFI_IPV62:
585 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp)((sk_IPAddressOrRange_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressOrRange_sk_type
(aors), ossl_check_IPAddressOrRange_compfunc_type(v6IPAddressOrRange_cmp
)));
586 break;
587 }
588 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges1;
589 f->ipAddressChoice->u.addressesOrRanges = aors;
590 return aors;
591}
592
593/*
594 * Add a prefix.
595 */
596int X509v3_addr_add_prefix(IPAddrBlocks *addr,
597 const unsigned afi,
598 const unsigned *safi,
599 unsigned char *a, const int prefixlen)
600{
601 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
602 IPAddressOrRange *aor;
603 if (aors == NULL((void*)0) || !make_addressPrefix(&aor, a, prefixlen))
604 return 0;
605 if (sk_IPAddressOrRange_push(aors, aor)OPENSSL_sk_push(ossl_check_IPAddressOrRange_sk_type(aors), ossl_check_IPAddressOrRange_type
(aor)))
606 return 1;
607 IPAddressOrRange_free(aor);
608 return 0;
609}
610
611/*
612 * Add a range.
613 */
614int X509v3_addr_add_range(IPAddrBlocks *addr,
615 const unsigned afi,
616 const unsigned *safi,
617 unsigned char *min, unsigned char *max)
618{
619 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
620 IPAddressOrRange *aor;
621 int length = length_from_afi(afi);
622 if (aors == NULL((void*)0))
623 return 0;
624 if (!make_addressRange(&aor, min, max, length))
625 return 0;
626 if (sk_IPAddressOrRange_push(aors, aor)OPENSSL_sk_push(ossl_check_IPAddressOrRange_sk_type(aors), ossl_check_IPAddressOrRange_type
(aor)))
627 return 1;
628 IPAddressOrRange_free(aor);
629 return 0;
630}
631
632/*
633 * Extract min and max values from an IPAddressOrRange.
634 */
635static int extract_min_max(IPAddressOrRange *aor,
636 unsigned char *min, unsigned char *max, int length)
637{
638 if (aor == NULL((void*)0) || min == NULL((void*)0) || max == NULL((void*)0))
639 return 0;
640 switch (aor->type) {
641 case IPAddressOrRange_addressPrefix0:
642 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
643 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
644 case IPAddressOrRange_addressRange1:
645 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
646 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
647 }
648 return 0;
649}
650
651/*
652 * Public wrapper for extract_min_max().
653 */
654int X509v3_addr_get_range(IPAddressOrRange *aor,
655 const unsigned afi,
656 unsigned char *min,
657 unsigned char *max, const int length)
658{
659 int afi_length = length_from_afi(afi);
660 if (aor == NULL((void*)0) || min == NULL((void*)0) || max == NULL((void*)0) ||
661 afi_length == 0 || length < afi_length ||
662 (aor->type != IPAddressOrRange_addressPrefix0 &&
663 aor->type != IPAddressOrRange_addressRange1) ||
664 !extract_min_max(aor, min, max, afi_length))
665 return 0;
666
667 return afi_length;
668}
669
670/*
671 * Sort comparison function for a sequence of IPAddressFamily.
672 *
673 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
674 * the ordering: I can read it as meaning that IPv6 without a SAFI
675 * comes before IPv4 with a SAFI, which seems pretty weird. The
676 * examples in appendix B suggest that the author intended the
677 * null-SAFI rule to apply only within a single AFI, which is what I
678 * would have expected and is what the following code implements.
679 */
680static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
681 const IPAddressFamily *const *b_)
682{
683 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
684 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
685 int len = ((a->length <= b->length) ? a->length : b->length);
686 int cmp = memcmp(a->data, b->data, len);
687 return cmp ? cmp : a->length - b->length;
688}
689
690/*
691 * Check whether an IPAddrBLocks is in canonical form.
692 */
693int X509v3_addr_is_canonical(IPAddrBlocks *addr)
694{
695 unsigned char a_min[ADDR_RAW_BUF_LEN16], a_max[ADDR_RAW_BUF_LEN16];
696 unsigned char b_min[ADDR_RAW_BUF_LEN16], b_max[ADDR_RAW_BUF_LEN16];
697 IPAddressOrRanges *aors;
698 int i, j, k;
699
700 /*
701 * Empty extension is canonical.
702 */
703 if (addr == NULL((void*)0))
704 return 1;
705
706 /*
707 * Check whether the top-level list is in order.
708 */
709 for (i = 0; i < sk_IPAddressFamily_num(addr)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(addr)
) - 1; i++) {
710 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(addr), (i)));
711 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(addr), (i + 1)));
712 if (IPAddressFamily_cmp(&a, &b) >= 0)
713 return 0;
714 }
715
716 /*
717 * Top level's ok, now check each address family.
718 */
719 for (i = 0; i < sk_IPAddressFamily_num(addr)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(addr)
); i++) {
720 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(addr), (i)));
721 int length = length_from_afi(X509v3_addr_get_afi(f));
722
723 /*
724 * Inheritance is canonical. Anything other than inheritance or
725 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
726 */
727 if (f == NULL((void*)0) || f->ipAddressChoice == NULL((void*)0))
728 return 0;
729 switch (f->ipAddressChoice->type) {
730 case IPAddressChoice_inherit0:
731 continue;
732 case IPAddressChoice_addressesOrRanges1:
733 break;
734 default:
735 return 0;
736 }
737
738 /*
739 * It's an IPAddressOrRanges sequence, check it.
740 */
741 aors = f->ipAddressChoice->u.addressesOrRanges;
742 if (sk_IPAddressOrRange_num(aors)OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(aors
)) == 0)
743 return 0;
744 for (j = 0; j < sk_IPAddressOrRange_num(aors)OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(aors
)) - 1; j++) {
745 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(aors), (j)));
746 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(aors), (j + 1)));
747
748 if (!extract_min_max(a, a_min, a_max, length) ||
749 !extract_min_max(b, b_min, b_max, length))
750 return 0;
751
752 /*
753 * Punt misordered list, overlapping start, or inverted range.
754 */
755 if (memcmp(a_min, b_min, length) >= 0 ||
756 memcmp(a_min, a_max, length) > 0 ||
757 memcmp(b_min, b_max, length) > 0)
758 return 0;
759
760 /*
761 * Punt if adjacent or overlapping. Check for adjacency by
762 * subtracting one from b_min first.
763 */
764 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ;
765 if (memcmp(a_max, b_min, length) >= 0)
766 return 0;
767
768 /*
769 * Check for range that should be expressed as a prefix.
770 */
771 if (a->type == IPAddressOrRange_addressRange1 &&
772 range_should_be_prefix(a_min, a_max, length) >= 0)
773 return 0;
774 }
775
776 /*
777 * Check range to see if it's inverted or should be a
778 * prefix.
779 */
780 j = sk_IPAddressOrRange_num(aors)OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(aors
)) - 1;
781 {
782 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(aors), (j)));
783 if (a != NULL((void*)0) && a->type == IPAddressOrRange_addressRange1) {
784 if (!extract_min_max(a, a_min, a_max, length))
785 return 0;
786 if (memcmp(a_min, a_max, length) > 0 ||
787 range_should_be_prefix(a_min, a_max, length) >= 0)
788 return 0;
789 }
790 }
791 }
792
793 /*
794 * If we made it through all that, we're happy.
795 */
796 return 1;
797}
798
799/*
800 * Whack an IPAddressOrRanges into canonical form.
801 */
802static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
803 const unsigned afi)
804{
805 int i, j, length = length_from_afi(afi);
806
807 /*
808 * Sort the IPAddressOrRanges sequence.
809 */
810 sk_IPAddressOrRange_sort(aors)OPENSSL_sk_sort(ossl_check_IPAddressOrRange_sk_type(aors));
811
812 /*
813 * Clean up representation issues, punt on duplicates or overlaps.
814 */
815 for (i = 0; i < sk_IPAddressOrRange_num(aors)OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(aors
)) - 1; i++) {
816 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(aors), (i)));
817 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(aors), (i + 1)));
818 unsigned char a_min[ADDR_RAW_BUF_LEN16], a_max[ADDR_RAW_BUF_LEN16];
819 unsigned char b_min[ADDR_RAW_BUF_LEN16], b_max[ADDR_RAW_BUF_LEN16];
820
821 if (!extract_min_max(a, a_min, a_max, length) ||
822 !extract_min_max(b, b_min, b_max, length))
823 return 0;
824
825 /*
826 * Punt inverted ranges.
827 */
828 if (memcmp(a_min, a_max, length) > 0 ||
829 memcmp(b_min, b_max, length) > 0)
830 return 0;
831
832 /*
833 * Punt overlaps.
834 */
835 if (memcmp(a_max, b_min, length) >= 0)
836 return 0;
837
838 /*
839 * Merge if a and b are adjacent. We check for
840 * adjacency by subtracting one from b_min first.
841 */
842 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ;
843 if (memcmp(a_max, b_min, length) == 0) {
844 IPAddressOrRange *merged;
845 if (!make_addressRange(&merged, a_min, b_max, length))
846 return 0;
847 (void)sk_IPAddressOrRange_set(aors, i, merged)((IPAddressOrRange *)OPENSSL_sk_set(ossl_check_IPAddressOrRange_sk_type
(aors), (i), ossl_check_IPAddressOrRange_type(merged)));
848 (void)sk_IPAddressOrRange_delete(aors, i + 1)((IPAddressOrRange *)OPENSSL_sk_delete(ossl_check_IPAddressOrRange_sk_type
(aors), (i + 1)));
849 IPAddressOrRange_free(a);
850 IPAddressOrRange_free(b);
851 --i;
852 continue;
853 }
854 }
855
856 /*
857 * Check for inverted final range.
858 */
859 j = sk_IPAddressOrRange_num(aors)OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(aors
)) - 1;
860 {
861 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(aors), (j)));
862 if (a != NULL((void*)0) && a->type == IPAddressOrRange_addressRange1) {
863 unsigned char a_min[ADDR_RAW_BUF_LEN16], a_max[ADDR_RAW_BUF_LEN16];
864 if (!extract_min_max(a, a_min, a_max, length))
865 return 0;
866 if (memcmp(a_min, a_max, length) > 0)
867 return 0;
868 }
869 }
870
871 return 1;
872}
873
874/*
875 * Whack an IPAddrBlocks extension into canonical form.
876 */
877int X509v3_addr_canonize(IPAddrBlocks *addr)
878{
879 int i;
880 for (i = 0; i < sk_IPAddressFamily_num(addr)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(addr)
); i++) {
881 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(addr), (i)));
882 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges1 &&
883 !IPAddressOrRanges_canonize(f->ipAddressChoice->
884 u.addressesOrRanges,
885 X509v3_addr_get_afi(f)))
886 return 0;
887 }
888 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp)((sk_IPAddressFamily_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressFamily_sk_type
(addr), ossl_check_IPAddressFamily_compfunc_type(IPAddressFamily_cmp
)));
889 sk_IPAddressFamily_sort(addr)OPENSSL_sk_sort(ossl_check_IPAddressFamily_sk_type(addr));
890 if (!ossl_assert(X509v3_addr_is_canonical(addr))((X509v3_addr_is_canonical(addr)) != 0))
891 return 0;
892 return 1;
893}
894
895/*
896 * v2i handler for the IPAddrBlocks extension.
897 */
898static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
899 struct v3_ext_ctx *ctx,
900 STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE *values)
901{
902 static const char v4addr_chars[] = "0123456789.";
903 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
904 IPAddrBlocks *addr = NULL((void*)0);
905 char *s = NULL((void*)0), *t;
906 int i;
907
908 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)((struct stack_st_IPAddressFamily *)OPENSSL_sk_new(ossl_check_IPAddressFamily_compfunc_type
(IPAddressFamily_cmp)))) == NULL((void*)0)) {
909 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,909,__func__), ERR_set_error)((34),((256|((0x1 << 18L)
|(0x2 << 18L)))),((void*)0));
910 return NULL((void*)0);
911 }
912
913 for (i = 0; i < sk_CONF_VALUE_num(values)OPENSSL_sk_num(ossl_check_const_CONF_VALUE_sk_type(values)); i++) {
914 CONF_VALUE *val = sk_CONF_VALUE_value(values, i)((CONF_VALUE *)OPENSSL_sk_value(ossl_check_const_CONF_VALUE_sk_type
(values), (i)));
915 unsigned char min[ADDR_RAW_BUF_LEN16], max[ADDR_RAW_BUF_LEN16];
916 unsigned afi, *safi = NULL((void*)0), safi_;
917 const char *addr_chars = NULL((void*)0);
918 int prefixlen, i1, i2, delim, length;
919
920 if (!ossl_v3_name_cmp(val->name, "IPv4")) {
921 afi = IANA_AFI_IPV41;
922 } else if (!ossl_v3_name_cmp(val->name, "IPv6")) {
923 afi = IANA_AFI_IPV62;
924 } else if (!ossl_v3_name_cmp(val->name, "IPv4-SAFI")) {
925 afi = IANA_AFI_IPV41;
926 safi = &safi_;
927 } else if (!ossl_v3_name_cmp(val->name, "IPv6-SAFI")) {
928 afi = IANA_AFI_IPV62;
929 safi = &safi_;
930 } else {
931 ERR_raise_data(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,931,__func__), ERR_set_error)(ERR_LIB_X509V334, X509V3_R_EXTENSION_NAME_ERROR115,
932 "%s", val->name);
933 goto err;
934 }
935
936 switch (afi) {
937 case IANA_AFI_IPV41:
938 addr_chars = v4addr_chars;
939 break;
940 case IANA_AFI_IPV62:
941 addr_chars = v6addr_chars;
942 break;
943 }
944
945 length = length_from_afi(afi);
946
947 /*
948 * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
949 * the other input values.
950 */
951 if (safi != NULL((void*)0)) {
952 *safi = strtoul(val->value, &t, 0);
953 t += strspn(t, " \t");
954 if (*safi > 0xFF || *t++ != ':') {
955 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_SAFI)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,955,__func__), ERR_set_error)((34),(164),((void*)0));
956 X509V3_conf_add_error_name_value(val)ERR_add_error_data(4, "name=", (val)->name, ", value=", (val
)->value);
957 goto err;
958 }
959 t += strspn(t, " \t");
960 s = OPENSSL_strdup(t)CRYPTO_strdup(t, "../deps/openssl/openssl/crypto/x509/v3_addr.c"
, 960);
961 } else {
962 s = OPENSSL_strdup(val->value)CRYPTO_strdup(val->value, "../deps/openssl/openssl/crypto/x509/v3_addr.c"
, 962);
963 }
964 if (s == NULL((void*)0)) {
965 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,965,__func__), ERR_set_error)((34),((256|((0x1 << 18L)
|(0x2 << 18L)))),((void*)0));
966 goto err;
967 }
968
969 /*
970 * Check for inheritance. Not worth additional complexity to
971 * optimize this (seldom-used) case.
972 */
973 if (strcmp(s, "inherit") == 0) {
974 if (!X509v3_addr_add_inherit(addr, afi, safi)) {
975 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_INHERITANCE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,975,__func__), ERR_set_error)((34),(165),((void*)0));
976 X509V3_conf_add_error_name_value(val)ERR_add_error_data(4, "name=", (val)->name, ", value=", (val
)->value);
977 goto err;
978 }
979 OPENSSL_free(s)CRYPTO_free(s, "../deps/openssl/openssl/crypto/x509/v3_addr.c"
, 979);
980 s = NULL((void*)0);
981 continue;
982 }
983
984 i1 = strspn(s, addr_chars);
985 i2 = i1 + strspn(s + i1, " \t");
986 delim = s[i2++];
987 s[i1] = '\0';
988
989 if (ossl_a2i_ipadd(min, s) != length) {
990 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_IPADDRESS)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,990,__func__), ERR_set_error)((34),(166),((void*)0));
991 X509V3_conf_add_error_name_value(val)ERR_add_error_data(4, "name=", (val)->name, ", value=", (val
)->value);
992 goto err;
993 }
994
995 switch (delim) {
996 case '/':
997 prefixlen = (int)strtoul(s + i2, &t, 10);
998 if (t == s + i2 || *t != '\0') {
999 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,999,__func__), ERR_set_error)((34),(116),((void*)0));
1000 X509V3_conf_add_error_name_value(val)ERR_add_error_data(4, "name=", (val)->name, ", value=", (val
)->value);
1001 goto err;
1002 }
1003 if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1004 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,1004,__func__), ERR_set_error)((34),((256|((0x1 << 18L
)|(0x2 << 18L)))),((void*)0));
1005 goto err;
1006 }
1007 break;
1008 case '-':
1009 i1 = i2 + strspn(s + i2, " \t");
1010 i2 = i1 + strspn(s + i1, addr_chars);
1011 if (i1 == i2 || s[i2] != '\0') {
1012 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,1012,__func__), ERR_set_error)((34),(116),((void*)0));
1013 X509V3_conf_add_error_name_value(val)ERR_add_error_data(4, "name=", (val)->name, ", value=", (val
)->value);
1014 goto err;
1015 }
1016 if (ossl_a2i_ipadd(max, s + i1) != length) {
1017 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_IPADDRESS)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,1017,__func__), ERR_set_error)((34),(166),((void*)0));
1018 X509V3_conf_add_error_name_value(val)ERR_add_error_data(4, "name=", (val)->name, ", value=", (val
)->value);
1019 goto err;
1020 }
1021 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1022 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,1022,__func__), ERR_set_error)((34),(116),((void*)0));
1023 X509V3_conf_add_error_name_value(val)ERR_add_error_data(4, "name=", (val)->name, ", value=", (val
)->value);
1024 goto err;
1025 }
1026 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
1027 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,1027,__func__), ERR_set_error)((34),((256|((0x1 << 18L
)|(0x2 << 18L)))),((void*)0));
1028 goto err;
1029 }
1030 break;
1031 case '\0':
1032 if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1033 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,1033,__func__), ERR_set_error)((34),((256|((0x1 << 18L
)|(0x2 << 18L)))),((void*)0));
1034 goto err;
1035 }
1036 break;
1037 default:
1038 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,1038,__func__), ERR_set_error)((34),(116),((void*)0));
1039 X509V3_conf_add_error_name_value(val)ERR_add_error_data(4, "name=", (val)->name, ", value=", (val
)->value);
1040 goto err;
1041 }
1042
1043 OPENSSL_free(s)CRYPTO_free(s, "../deps/openssl/openssl/crypto/x509/v3_addr.c"
, 1043);
1044 s = NULL((void*)0);
1045 }
1046
1047 /*
1048 * Canonize the result, then we're done.
1049 */
1050 if (!X509v3_addr_canonize(addr))
1051 goto err;
1052 return addr;
1053
1054 err:
1055 OPENSSL_free(s)CRYPTO_free(s, "../deps/openssl/openssl/crypto/x509/v3_addr.c"
, 1055);
1056 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free)OPENSSL_sk_pop_free(ossl_check_IPAddressFamily_sk_type(addr),
ossl_check_IPAddressFamily_freefunc_type(IPAddressFamily_free
));
1057 return NULL((void*)0);
1058}
1059
1060/*
1061 * OpenSSL dispatch
1062 */
1063const X509V3_EXT_METHOD ossl_v3_addr = {
1064 NID_sbgp_ipAddrBlock290, /* nid */
1065 0, /* flags */
1066 ASN1_ITEM_ref(IPAddrBlocks)(IPAddrBlocks_it), /* template */
1067 0, 0, 0, 0, /* old functions, ignored */
1068 0, /* i2s */
1069 0, /* s2i */
1070 0, /* i2v */
1071 v2i_IPAddrBlocks, /* v2i */
1072 i2r_IPAddrBlocks, /* i2r */
1073 0, /* r2i */
1074 NULL((void*)0) /* extension-specific data */
1075};
1076
1077/*
1078 * Figure out whether extension sues inheritance.
1079 */
1080int X509v3_addr_inherits(IPAddrBlocks *addr)
1081{
1082 int i;
1083 if (addr == NULL((void*)0))
1084 return 0;
1085 for (i = 0; i < sk_IPAddressFamily_num(addr)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(addr)
); i++) {
1086 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(addr), (i)));
1087 if (f->ipAddressChoice->type == IPAddressChoice_inherit0)
1088 return 1;
1089 }
1090 return 0;
1091}
1092
1093/*
1094 * Figure out whether parent contains child.
1095 */
1096static int addr_contains(IPAddressOrRanges *parent,
1097 IPAddressOrRanges *child, int length)
1098{
1099 unsigned char p_min[ADDR_RAW_BUF_LEN16], p_max[ADDR_RAW_BUF_LEN16];
1100 unsigned char c_min[ADDR_RAW_BUF_LEN16], c_max[ADDR_RAW_BUF_LEN16];
1101 int p, c;
1102
1103 if (child == NULL((void*)0) || parent == child)
1104 return 1;
1105 if (parent == NULL((void*)0))
1106 return 0;
1107
1108 p = 0;
1109 for (c = 0; c < sk_IPAddressOrRange_num(child)OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(child
)); c++) {
1110 if (!extract_min_max(sk_IPAddressOrRange_value(child, c)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(child), (c))),
1111 c_min, c_max, length))
1112 return 0;
1113 for (;; p++) {
1114 if (p >= sk_IPAddressOrRange_num(parent)OPENSSL_sk_num(ossl_check_const_IPAddressOrRange_sk_type(parent
)))
1115 return 0;
1116 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p)((IPAddressOrRange *)OPENSSL_sk_value(ossl_check_const_IPAddressOrRange_sk_type
(parent), (p))),
1117 p_min, p_max, length))
1118 return 0;
1119 if (memcmp(p_max, c_max, length) < 0)
1120 continue;
1121 if (memcmp(p_min, c_min, length) > 0)
1122 return 0;
1123 break;
1124 }
1125 }
1126
1127 return 1;
1128}
1129
1130/*
1131 * Test whether a is a subset of b.
1132 */
1133int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1134{
1135 int i;
1136 if (a == NULL((void*)0) || a == b)
1137 return 1;
1138 if (b == NULL((void*)0) || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
1139 return 0;
1140 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp)((sk_IPAddressFamily_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressFamily_sk_type
(b), ossl_check_IPAddressFamily_compfunc_type(IPAddressFamily_cmp
)));
1141 for (i = 0; i < sk_IPAddressFamily_num(a)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(a)); i++) {
1142 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(a), (i)));
1143 int j = sk_IPAddressFamily_find(b, fa)OPENSSL_sk_find(ossl_check_IPAddressFamily_sk_type(b), ossl_check_IPAddressFamily_type
(fa));
1144 IPAddressFamily *fb;
1145 fb = sk_IPAddressFamily_value(b, j)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(b), (j)));
1146 if (fb == NULL((void*)0))
1147 return 0;
1148 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1149 fa->ipAddressChoice->u.addressesOrRanges,
1150 length_from_afi(X509v3_addr_get_afi(fb))))
1151 return 0;
1152 }
1153 return 1;
1154}
1155
1156/*
1157 * Validation error handling via callback.
1158 */
1159#define validation_err(_err_) \
1160 do { \
1161 if (ctx != NULL((void*)0)) { \
1162 ctx->error = _err_; \
1163 ctx->error_depth = i; \
1164 ctx->current_cert = x; \
1165 ret = ctx->verify_cb(0, ctx); \
1166 } else { \
1167 ret = 0; \
1168 } \
1169 if (!ret) \
1170 goto done; \
1171 } while (0)
1172
1173/*
1174 * Core code for RFC 3779 2.3 path validation.
1175 *
1176 * Returns 1 for success, 0 on error.
1177 *
1178 * When returning 0, ctx->error MUST be set to an appropriate value other than
1179 * X509_V_OK.
1180 */
1181static int addr_validate_path_internal(X509_STORE_CTX *ctx,
1182 STACK_OF(X509)struct stack_st_X509 *chain,
1183 IPAddrBlocks *ext)
1184{
1185 IPAddrBlocks *child = NULL((void*)0);
1186 int i, j, ret = 1;
1187 X509 *x;
1188
1189 if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)((chain != ((void*)0) && OPENSSL_sk_num(ossl_check_const_X509_sk_type
(chain)) > 0) != 0)
6
Assuming the condition is true
7
Taking false branch
1190 || !ossl_assert(ctx != NULL || ext != NULL)((ctx != ((void*)0) || ext != ((void*)0)) != 0)
1191 || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)((ctx == ((void*)0) || ctx->verify_cb != ((void*)0)) != 0)) {
1192 if (ctx != NULL((void*)0))
1193 ctx->error = X509_V_ERR_UNSPECIFIED1;
1194 return 0;
1195 }
1196
1197 /*
1198 * Figure out where to start. If we don't have an extension to
1199 * check, we're done. Otherwise, check canonical form and
1200 * set up for walking up the chain.
1201 */
1202 if (ext
7.1
'ext' is not equal to NULL
 != NULL((void*)0)) {
8
Taking true branch
1203 i = -1;
1204 x = NULL((void*)0);
9
Null pointer value stored to 'x'
1205 } else {
1206 i = 0;
1207 x = sk_X509_value(chain, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(chain
), (i)));
1208 if ((ext = x->rfc3779_addr) == NULL((void*)0))
1209 goto done;
1210 }
1211 if (!X509v3_addr_is_canonical(ext))
10
Assuming the condition is false
11
Taking false branch
1212 validation_err(X509_V_ERR_INVALID_EXTENSION41);
1213 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp)((sk_IPAddressFamily_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressFamily_sk_type
(ext), ossl_check_IPAddressFamily_compfunc_type(IPAddressFamily_cmp
)));
1214 if ((child = sk_IPAddressFamily_dup(ext)((struct stack_st_IPAddressFamily *)OPENSSL_sk_dup(ossl_check_const_IPAddressFamily_sk_type
(ext)))) == NULL((void*)0)) {
12
Assuming the condition is false
13
Taking false branch
1215 ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/crypto/x509/v3_addr.c"
,1215,__func__), ERR_set_error)((34),((256|((0x1 << 18L
)|(0x2 << 18L)))),((void*)0));
1216 if (ctx != NULL((void*)0))
1217 ctx->error = X509_V_ERR_OUT_OF_MEM17;
1218 ret = 0;
1219 goto done;
1220 }
1221
1222 /*
1223 * Now walk up the chain. No cert may list resources that its
1224 * parent doesn't list.
1225 */
1226 for (i++; i < sk_X509_num(chain)OPENSSL_sk_num(ossl_check_const_X509_sk_type(chain)); i++) {
14
Assuming the condition is false
15
Loop condition is false. Execution continues on line 1271
1227 x = sk_X509_value(chain, i)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(chain
), (i)));
1228 if (!X509v3_addr_is_canonical(x->rfc3779_addr))
1229 validation_err(X509_V_ERR_INVALID_EXTENSION41);
1230 if (x->rfc3779_addr == NULL((void*)0)) {
1231 for (j = 0; j < sk_IPAddressFamily_num(child)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(child
)); j++) {
1232 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(child), (j)));
1233 if (fc->ipAddressChoice->type != IPAddressChoice_inherit0) {
1234 validation_err(X509_V_ERR_UNNESTED_RESOURCE46);
1235 break;
1236 }
1237 }
1238 continue;
1239 }
1240 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,((sk_IPAddressFamily_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressFamily_sk_type
(x->rfc3779_addr), ossl_check_IPAddressFamily_compfunc_type
(IPAddressFamily_cmp)))
1241 IPAddressFamily_cmp)((sk_IPAddressFamily_compfunc)OPENSSL_sk_set_cmp_func(ossl_check_IPAddressFamily_sk_type
(x->rfc3779_addr), ossl_check_IPAddressFamily_compfunc_type
(IPAddressFamily_cmp)));
1242 for (j = 0; j < sk_IPAddressFamily_num(child)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(child
)); j++) {
1243 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(child), (j)));
1244 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc)OPENSSL_sk_find(ossl_check_IPAddressFamily_sk_type(x->rfc3779_addr
), ossl_check_IPAddressFamily_type(fc));
1245 IPAddressFamily *fp =
1246 sk_IPAddressFamily_value(x->rfc3779_addr, k)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(x->rfc3779_addr), (k)));
1247 if (fp == NULL((void*)0)) {
1248 if (fc->ipAddressChoice->type ==
1249 IPAddressChoice_addressesOrRanges1) {
1250 validation_err(X509_V_ERR_UNNESTED_RESOURCE46);
1251 break;
1252 }
1253 continue;
1254 }
1255 if (fp->ipAddressChoice->type ==
1256 IPAddressChoice_addressesOrRanges1) {
1257 if (fc->ipAddressChoice->type == IPAddressChoice_inherit0
1258 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1259 fc->ipAddressChoice->u.addressesOrRanges,
1260 length_from_afi(X509v3_addr_get_afi(fc))))
1261 (void)sk_IPAddressFamily_set(child, j, fp)((IPAddressFamily *)OPENSSL_sk_set(ossl_check_IPAddressFamily_sk_type
(child), (j), ossl_check_IPAddressFamily_type(fp)));
1262 else
1263 validation_err(X509_V_ERR_UNNESTED_RESOURCE46);
1264 }
1265 }
1266 }
1267
1268 /*
1269 * Trust anchor can't inherit.
1270 */
1271 if (x->rfc3779_addr != NULL((void*)0)) {
16
Access to field 'rfc3779_addr' results in a dereference of a null pointer (loaded from variable 'x')
1272 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr)OPENSSL_sk_num(ossl_check_const_IPAddressFamily_sk_type(x->
rfc3779_addr)); j++) {
1273 IPAddressFamily *fp =
1274 sk_IPAddressFamily_value(x->rfc3779_addr, j)((IPAddressFamily *)OPENSSL_sk_value(ossl_check_const_IPAddressFamily_sk_type
(x->rfc3779_addr), (j)));
1275 if (fp->ipAddressChoice->type == IPAddressChoice_inherit0
1276 && sk_IPAddressFamily_find(child, fp)OPENSSL_sk_find(ossl_check_IPAddressFamily_sk_type(child), ossl_check_IPAddressFamily_type
(fp)) >= 0)
1277 validation_err(X509_V_ERR_UNNESTED_RESOURCE46);
1278 }
1279 }
1280
1281 done:
1282 sk_IPAddressFamily_free(child)OPENSSL_sk_free(ossl_check_IPAddressFamily_sk_type(child));
1283 return ret;
1284}
1285
1286#undef validation_err
1287
1288/*
1289 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1290 */
1291int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1292{
1293 if (ctx->chain == NULL((void*)0)
1294 || sk_X509_num(ctx->chain)OPENSSL_sk_num(ossl_check_const_X509_sk_type(ctx->chain)) == 0
1295 || ctx->verify_cb == NULL((void*)0)) {
1296 ctx->error = X509_V_ERR_UNSPECIFIED1;
1297 return 0;
1298 }
1299 return addr_validate_path_internal(ctx, ctx->chain, NULL((void*)0));
1300}
1301
1302/*
1303 * RFC 3779 2.3 path validation of an extension.
1304 * Test whether chain covers extension.
1305 */
1306int X509v3_addr_validate_resource_set(STACK_OF(X509)struct stack_st_X509 *chain,
1307 IPAddrBlocks *ext, int allow_inheritance)
1308{
1309 if (ext == NULL((void*)0))
1
Assuming 'ext' is not equal to NULL
1310 return 1;
1311 if (chain == NULL((void*)0) || sk_X509_num(chain)OPENSSL_sk_num(ossl_check_const_X509_sk_type(chain)) == 0)
2
Assuming 'chain' is not equal to NULL
3
Assuming the condition is false
1312 return 0;
1313 if (!allow_inheritance && X509v3_addr_inherits(ext))
4
Assuming 'allow_inheritance' is not equal to 0
1314 return 0;
1315 return addr_validate_path_internal(NULL((void*)0), chain, ext);
5
Calling 'addr_validate_path_internal'
1316}
1317
1318#endif /* OPENSSL_NO_RFC3779 */