~ubuntu-branches/ubuntu/precise/openssl/precise

Viewing changes to crypto/x509v3/v3_addr.c

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2012-02-11 13:27:31 UTC
mfrom: (11.1.27 sid)
Revision ID: package-import@ubuntu.com-20120211132731-ff58ncra13oof2r1

Tags: 1.0.0g-1ubuntu1

* Resynchronise with Debian. Remaining changes:
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification on libssl1.0.0
      upgrade on servers.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/aesni.patch: Backport Intel AES-NI support, now from
    http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
    0.9.8 variant.
  - debian/patches/Bsymbolic-functions.patch: Link using
    -Bsymbolic-functions.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building.  Patch from Neil Williams.
    + Don't build for processors no longer supported: i586 (on i386)
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
  - Unapply patch c_rehash-multi and comment it out in the series as it
    breaks parsing of certificates with CRLF line endings and other cases
    (see Debian #642314 for discussion), it also changes the semantics of
    c_rehash directories by requiring applications to parse hash link
    targets as files containing potentially *multiple* certificates
    rather than exactly one.

files removed:
Makefile.bak

files modified:
.pc/Bsymbolic-functions.patch/Configure

.pc/aesni.patch/Configure

.pc/block_digicert_malaysia.patch/crypto/x509/x509_vfy.c

.pc/block_diginotar.patch/crypto/x509/x509_vfy.c

.pc/debian-targets.patch/Configure

.pc/engines-path.patch/Configure

.pc/openssl-pod-misspell.patch/apps/ca.c

.pc/shared-lib-ext.patch/Configure

.pc/version-script.patch/Configure

CHANGES

Configure

Makefile

NEWS

README

VMS/mkshared.com

apps/ca.c

apps/cms.c

apps/openssl-vms.cnf

apps/openssl.cnf

apps/s_client.c

apps/s_server.c

apps/x509.c

crypto/aes/asm/aes-sparcv9.pl

crypto/asn1/a_int.c

crypto/asn1/asn_mime.c

crypto/asn1/t_x509.c

crypto/bio/bf_buff.c

crypto/bio/bio.h

crypto/bn/asm/ppc.pl

crypto/bn/asm/x86-mont.pl

crypto/bn/bn_blind.c

crypto/ec/ec2_smpl.c

crypto/ecdsa/ecdsatest.c

crypto/opensslv.h

crypto/rand/rand_unix.c

crypto/rand/randfile.c

crypto/rsa/rsa_eay.c

crypto/x509/x509_vfy.c

crypto/x509v3/v3_addr.c

debian/changelog

doc/crypto/ecdsa.pod

doc/ssl/SSL_clear.pod

e_os2.h

engines/ccgost/gost2001_keyx.c

engines/ccgost/gost94_keyx.c

engines/ccgost/gost_pmeth.c

openssl.spec

ssl/d1_both.c

ssl/d1_lib.c

ssl/d1_pkt.c

ssl/d1_srvr.c

ssl/s3_clnt.c

ssl/s3_enc.c

ssl/s3_lib.c

ssl/s3_srvr.c

ssl/ssl.h

ssl/ssl3.h

ssl/ssl_ciph.c

ssl/ssl_err.c

ssl/ssl_lib.c

ssl/ssl_locl.h

ssl/t1_lib.c

test/testssl

util/mkerr.pl

Show diffs side-by-side

added added

removed removed

crypto/x509v3/v3_addr.c

142

* Expand the bitstring form of an address into a raw byte array.

143

* At the moment this is coded for simplicity, not speed.

144

145

static void addr_expand(unsigned char *addr,

145

static int addr_expand(unsigned char *addr,

146

const ASN1_BIT_STRING *bs,

147

const int length,

148

const unsigned char fill)

149

{

150

OPENSSL_assert(bs->length >= 0 && bs->length <= length);

150

if (bs->length < 0 || bs->length > length)

151

return 0;

151

152

if (bs->length > 0) {

152

153

memcpy(addr, bs->data, bs->length);

153

154

if ((bs->flags & 7) != 0) {

159

160

}

160

161

}

161

162

memset(addr + bs->length, fill, length - bs->length);

163

return 1;

162

164

}

163

165

164

166

181

183

return 0;

182

184

switch (afi) {

183

185

case IANA_AFI_IPV4:

184

if (bs->length > 4)

186

if (!addr_expand(addr, bs, 4, fill))

185

187

return 0;

186

addr_expand(addr, bs, 4, fill);

187

188

BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);

188

189

break;

189

190

case IANA_AFI_IPV6:

190

if (bs->length > 16)

191

if (!addr_expand(addr, bs, 16, fill))

191

192

return 0;

192

addr_expand(addr, bs, 16, fill);

193

for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)

194

;

195

for (i = 0; i < n; i += 2)

315

316

* Sort comparison function for a sequence of IPAddressOrRange

317

* elements.

318

319

* There's no sane answer we can give if addr_expand() fails, and an

320

* assertion failure on externally supplied data is seriously uncool,

321

* so we just arbitrarily declare that if given invalid inputs this

322

* function returns -1. If this messes up your preferred sort order

323

* for garbage input, tough noogies.

318

324

319

325

static int IPAddressOrRange_cmp(const IPAddressOrRange *a,

320

326

const IPAddressOrRange *b,

326

332

327

333

switch (a->type) {

328

334

case IPAddressOrRange_addressPrefix:

329

addr_expand(addr_a, a->u.addressPrefix, length, 0x00);

335

if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))

336

return -1;

330

337

prefixlen_a = addr_prefixlen(a->u.addressPrefix);

331

338

break;

332

339

case IPAddressOrRange_addressRange:

333

addr_expand(addr_a, a->u.addressRange->min, length, 0x00);

340

if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))

341

return -1;

334

342

prefixlen_a = length * 8;

335

343

break;

336

344

}

337

345

338

346

switch (b->type) {

339

347

case IPAddressOrRange_addressPrefix:

340

addr_expand(addr_b, b->u.addressPrefix, length, 0x00);

348

if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))

349

return -1;

341

350

prefixlen_b = addr_prefixlen(b->u.addressPrefix);

342

351

break;

343

352

case IPAddressOrRange_addressRange:

344

addr_expand(addr_b, b->u.addressRange->min, length, 0x00);

353

if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))

354

return -1;

345

355

prefixlen_b = length * 8;

346

356

break;

347

357

}

383

393

unsigned char mask;

384

394

int i, j;

385

395

396

OPENSSL_assert(memcmp(min, max, length) <= 0);

386

397

for (i = 0; i < length && min[i] == max[i]; i++)

387

398

;

388

399

for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)

601

612

return NULL;

602

613

switch (afi) {

603

614

case IANA_AFI_IPV4:

604

sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);

615

(void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);

605

616

break;

606

617

case IANA_AFI_IPV6:

607

sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);

618

(void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);

608

619

break;

609

620

}

610

621

f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;

656

667

657

668

* Extract min and max values from an IPAddressOrRange.

658

669

659

static void extract_min_max(IPAddressOrRange *aor,

670

static int extract_min_max(IPAddressOrRange *aor,

660

671

unsigned char *min,

661

672

unsigned char *max,

662

673

int length)

663

674

{

664

OPENSSL_assert(aor != NULL && min != NULL && max != NULL);

675

if (aor == NULL || min == NULL || max == NULL)

676

return 0;

665

677

switch (aor->type) {

666

678

case IPAddressOrRange_addressPrefix:

667

addr_expand(min, aor->u.addressPrefix, length, 0x00);

668

addr_expand(max, aor->u.addressPrefix, length, 0xFF);

669

return;

679

return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&

680

addr_expand(max, aor->u.addressPrefix, length, 0xFF));

670

681

case IPAddressOrRange_addressRange:

671

addr_expand(min, aor->u.addressRange->min, length, 0x00);

672

addr_expand(max, aor->u.addressRange->max, length, 0xFF);

673

return;

682

return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&

683

addr_expand(max, aor->u.addressRange->max, length, 0xFF));

674

684

}

685

return 0;

675

686

}

676

687

677

688

687

698

if (aor == NULL || min == NULL || max == NULL ||

688

699

afi_length == 0 || length < afi_length ||

689

700

(aor->type != IPAddressOrRange_addressPrefix &&

690

aor->type != IPAddressOrRange_addressRange))

701

aor->type != IPAddressOrRange_addressRange) ||

702

!extract_min_max(aor, min, max, afi_length))

691

703

return 0;

692

extract_min_max(aor, min, max, afi_length);

704

693

705

return afi_length;

694

706

}

695

707

771

783

IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);

772

784

IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);

773

785

774

extract_min_max(a, a_min, a_max, length);

775

extract_min_max(b, b_min, b_max, length);

786

if (!extract_min_max(a, a_min, a_max, length) ||

787

!extract_min_max(b, b_min, b_max, length))

788

return 0;

776

789

777

790

778

791

* Punt misordered list, overlapping start, or inverted range.

800

813

}

801

814

802

815

803

* Check final range to see if it should be a prefix.

816

* Check range to see if it's inverted or should be a

817

* prefix.

804

818

805

819

j = sk_IPAddressOrRange_num(aors) - 1;

806

820

{

807

821

IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);

808

if (a->type == IPAddressOrRange_addressRange) {

809

extract_min_max(a, a_min, a_max, length);

810

if (range_should_be_prefix(a_min, a_max, length) >= 0)

822

if (a != NULL && a->type == IPAddressOrRange_addressRange) {

823

if (!extract_min_max(a, a_min, a_max, length))

824

return 0;

825

if (memcmp(a_min, a_max, length) > 0 ||

826

range_should_be_prefix(a_min, a_max, length) >= 0)

811

827

return 0;

812

828

}

813

829

}

841

857

unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];

842

858

unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];

843

859

844

extract_min_max(a, a_min, a_max, length);

845

extract_min_max(b, b_min, b_max, length);

860

if (!extract_min_max(a, a_min, a_max, length) ||

861

!extract_min_max(b, b_min, b_max, length))

862

return 0;

863

864

865

* Punt inverted ranges.

866

867

if (memcmp(a_min, a_max, length) > 0 ||

868

memcmp(b_min, b_max, length) > 0)

869

return 0;

846

870

847

871

848

872

* Punt overlaps.

860

884

IPAddressOrRange *merged;

861

885

if (!make_addressRange(&merged, a_min, b_max, length))

862

886

return 0;

863

sk_IPAddressOrRange_set(aors, i, merged);

864

sk_IPAddressOrRange_delete(aors, i + 1);

887

(void) sk_IPAddressOrRange_set(aors, i, merged);

888

(void) sk_IPAddressOrRange_delete(aors, i + 1);

865

889

IPAddressOrRange_free(a);

866

890

IPAddressOrRange_free(b);

867

891

--i;

869

893

}

870

894

}

871

895

896

897

* Check for inverted final range.

898

899

j = sk_IPAddressOrRange_num(aors) - 1;

900

{

901

IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);

902

if (a != NULL && a->type == IPAddressOrRange_addressRange) {

903

unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];

904

extract_min_max(a, a_min, a_max, length);

905

if (memcmp(a_min, a_max, length) > 0)

906

return 0;

907

}

908

}

909

872

910

return 1;

873

911

}

874

912

885

923

v3_addr_get_afi(f)))

886

924

return 0;

887

925

}

888

sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);

926

(void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);

889

927

sk_IPAddressFamily_sort(addr);

890

928

OPENSSL_assert(v3_addr_is_canonical(addr));

891

929

return 1;

1017

1055

X509V3_conf_err(val);

1018

1056

goto err;

1019

1057

}

1058

if (memcmp(min, max, length_from_afi(afi)) > 0) {

1059

X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);

1060

X509V3_conf_err(val);

1061

goto err;

1062

}

1020

1063

if (!v3_addr_add_range(addr, afi, safi, min, max)) {

1021

1064

X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);

1022

1065

goto err;

1102

1145

1103

1146

p = 0;

1104

1147

for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {

1105

extract_min_max(sk_IPAddressOrRange_value(child, c),

1106

c_min, c_max, length);

1148

if (!extract_min_max(sk_IPAddressOrRange_value(child, c),

1149

c_min, c_max, length))

1150

return -1;

1107

1151

for (;; p++) {

1108

1152

if (p >= sk_IPAddressOrRange_num(parent))

1109

1153

return 0;

1110

extract_min_max(sk_IPAddressOrRange_value(parent, p),

1111

p_min, p_max, length);

1154

if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),

1155

p_min, p_max, length))

1156

return 0;

1112

1157

if (memcmp(p_max, c_max, length) < 0)

1113

1158

continue;

1114

1159

if (memcmp(p_min, c_min, length) > 0)

1130

1175

return 1;

1131

1176

if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))

1132

1177

return 0;

1133

sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);

1178

(void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);

1134

1179

for (i = 0; i < sk_IPAddressFamily_num(a); i++) {

1135

1180

IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);

1136

1181

int j = sk_IPAddressFamily_find(b, fa);

1195

1240

}

1196

1241

if (!v3_addr_is_canonical(ext))

1197

1242

validation_err(X509_V_ERR_INVALID_EXTENSION);

1198

sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);

1243

(void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);

1199

1244

if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {

1200

1245

X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);

1201

1246

ret = 0;

1221

1266

}

1222

1267

continue;

1223

1268

}

1224

sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);

1269

(void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);

1225

1270

for (j = 0; j < sk_IPAddressFamily_num(child); j++) {

1226

1271

IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);

1227

1272

int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);

Older »