X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;ds=sidebyside;f=crypto%2Fx509v3%2Fv3_addr.c;h=f08e6a6902dc171db8cec38ff9ea95b8fdde5d89;hb=42d7d7dd6a9ea5d610856b7ccec1767ba93ed30c;hp=f68f937ffa9542a9ac60b74a7625752be2b41249;hpb=dfefe7ec1e21078be4ad456c3f465cc174071d7c;p=oweals%2Fopenssl.git diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c index f68f937ffa..f08e6a6902 100644 --- a/crypto/x509v3/v3_addr.c +++ b/crypto/x509v3/v3_addr.c @@ -1,58 +1,10 @@ /* - * Contributed to the OpenSSL Project by the American Registry for - * Internet Numbers ("ARIN"). - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. + * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ /* @@ -388,7 +340,8 @@ static int range_should_be_prefix(const unsigned char *min, unsigned char mask; int i, j; - OPENSSL_assert(memcmp(min, max, length) <= 0); + if (memcmp(min, max, length) <= 0) + return -1; for (i = 0; i < length && min[i] == max[i]; i++) ; for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; if (i < j) @@ -477,7 +430,8 @@ static int make_addressRange(IPAddressOrRange **result, if ((aor = IPAddressOrRange_new()) == NULL) return 0; aor->type = IPAddressOrRange_addressRange; - OPENSSL_assert(aor->u.addressRange == NULL); + if (!ossl_assert(aor->u.addressRange == NULL)) + return 0; if ((aor->u.addressRange = IPAddressRange_new()) == NULL) goto err; if (aor->u.addressRange->min == NULL && @@ -544,7 +498,8 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { f = sk_IPAddressFamily_value(addr, i); - OPENSSL_assert(f->addressFamily->data != NULL); + if (!ossl_assert(f->addressFamily->data != NULL)) + goto err; if (f->addressFamily->length == keylen && !memcmp(f->addressFamily->data, key, keylen)) return f; @@ -734,7 +689,7 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr) int i, j, k; /* - * Empty extension is cannonical. + * Empty extension is canonical. */ if (addr == NULL) return 1; @@ -923,7 +878,8 @@ int X509v3_addr_canonize(IPAddrBlocks *addr) } (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); sk_IPAddressFamily_sort(addr); - OPENSSL_assert(X509v3_addr_is_canonical(addr)); + if (!ossl_assert(X509v3_addr_is_canonical(addr))) + return 0; return 1; } @@ -1214,6 +1170,11 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) /* * Core code for RFC 3779 2.3 path validation. + * + * Returns 1 for success, 0 on error. + * + * When returning 0, ctx->error MUST be set to an appropriate value other than + * X509_V_OK. */ static int addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, @@ -1223,9 +1184,13 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, int i, j, ret = 1; X509 *x; - OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); - OPENSSL_assert(ctx != NULL || ext != NULL); - OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); + if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0) + || !ossl_assert(ctx != NULL || ext != NULL) + || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) { + if (ctx != NULL) + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; + } /* * Figure out where to start. If we don't have an extension to @@ -1238,7 +1203,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, } else { i = 0; x = sk_X509_value(chain, i); - OPENSSL_assert(x != NULL); + if (!ossl_assert(x != NULL)) { + if (ctx != NULL) + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; + } if ((ext = x->rfc3779_addr) == NULL) goto done; } @@ -1248,6 +1217,8 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); + if (ctx != NULL) + ctx->error = X509_V_ERR_OUT_OF_MEM; ret = 0; goto done; } @@ -1258,7 +1229,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, */ for (i++; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); - OPENSSL_assert(x != NULL); + if (!ossl_assert(x != NULL)) { + if (ctx != NULL) + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; + } if (!X509v3_addr_is_canonical(x->rfc3779_addr)) validation_err(X509_V_ERR_INVALID_EXTENSION); if (x->rfc3779_addr == NULL) { @@ -1302,7 +1277,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, /* * Trust anchor can't inherit. */ - OPENSSL_assert(x != NULL); + if (!ossl_assert(x != NULL)) { + if (ctx != NULL) + ctx->error = X509_V_ERR_UNSPECIFIED; + return 0; + } if (x->rfc3779_addr != NULL) { for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { IPAddressFamily *fp = @@ -1325,6 +1304,10 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, */ int X509v3_addr_validate_path(X509_STORE_CTX *ctx) { + if (ctx->chain == NULL + || sk_X509_num(ctx->chain) == 0 + || ctx->verify_cb == NULL) + return 0; return addr_validate_path_internal(ctx, ctx->chain, NULL); }