int j = sk_IPAddressFamily_find(b, fa);
IPAddressFamily *fb = sk_IPAddressFamily_value(b, j);
- if (!IPAddressFamily_check_len(fa) || !IPAddressFamily_check_len(fb))
- return 0;
if (fb == NULL)
return 0;
+ if (!IPAddressFamily_check_len(fa) || !IPAddressFamily_check_len(fb))
+ return 0;
if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
fa->ipAddressChoice->u.addressesOrRanges,
length_from_afi(X509v3_addr_get_afi(fb))))
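Review bot: Nothing in the code records why the `fb == NULL` test has to come before the length check, so a later tidy-up could swap the two back and reintroduce the NULL dereference. `fb` is looked up with the index returned by `sk_IPAddressFamily_find(b, fa)`, so it is presumably NULL whenever `b` has no family matching `fa`. I would add `/* fb is NULL when b has no family matching fa; test that before IPAddressFamily_check_len(fb) */` above the NULL test. The enclosing function starts and ends outside the hunk.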
ctx->error = _err_; \
ctx->error_depth = i; \
ctx->current_cert = x; \
- ret = ctx->verify_cb(0, ctx); \
+ rv = ctx->verify_cb(0, ctx); \
} else { \
- ret = 0; \
+ rv = 0; \
} \
- if (!ret) \
+ if (rv == 0) \
goto done; \
} while (0)
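Review bot: The macro body now assigns to a local `rv` and jumps to `done`, so every function that expands `validation_err` must declare `int rv` and a `done:` label, and nothing at the macro says so. It also no longer touches `ret`, which is what lets the function fail closed, but that contract is only visible by reading the caller. I would document both in the macro's header comment, for example `/* Requires locals ctx, i, x, rv and a done: label; never sets ret, so the caller stays at failure until it reaches ret = 1 */`. The `#define` line and the opening of the macro are outside the hunk.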
IPAddrBlocks *ext)
{
IPAddrBlocks *child = NULL;
- int i, j, ret = 1;
+ int i, j, ret = 0, rv;
X509 *x;
if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
i = 0;
x = sk_X509_value(chain, i);
if ((ext = x->rfc3779_addr) == NULL)
- goto done;
+ return 1; /* Return success */
}
if (!X509v3_addr_is_canonical(ext))
validation_err(X509_V_ERR_INVALID_EXTENSION);
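Review bot: The comment `/* Return success */` on the new `return 1;` restates the statement and leaves out the two facts a reader needs. First, the first certificate in the chain carries no address extension, so there is nothing to validate. Second, returning directly instead of through `done` is safe only because `child` is still NULL at this point, as far as the visible lines show. I would write `return 1; /* no RFC 3779 address extension to validate; child not allocated yet */`, so that anyone moving an allocation above this branch sees that the direct return would then leak. The function body continues outside the hunk.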
ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
if (ctx != NULL)
ctx->error = X509_V_ERR_OUT_OF_MEM;
- ret = 0;
goto done;
}
IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
if (!IPAddressFamily_check_len(fc))
- return 0;
+ goto done;
if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
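Review bot: The `goto done` taken when `IPAddressFamily_check_len(fc)` fails returns 0 without recording anything in `ctx->error`, unlike the allocation-failure path (which stores `X509_V_ERR_OUT_OF_MEM`) and the `validation_err` sites. A caller that reports `ctx->error` after a 0 return could then show a stale or OK code for a malformed extension; whether any caller does so is not visible here. The same applies to the `check_len` failures in the two later hunks: the combined `fc`/`fp` check after the `fp == NULL` branch, and the `fp` check in the final loop. I would brace the branch and set the code directly before the jump, `if (ctx != NULL) ctx->error = X509_V_ERR_INVALID_EXTENSION;`. Calling `validation_err` instead would let a verify callback that returns non-zero continue into code that reads the family whose length just failed the check.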
IPAddressFamily *fp =
sk_IPAddressFamily_value(x->rfc3779_addr, k);
- if (!IPAddressFamily_check_len(fc) || !IPAddressFamily_check_len(fp))
- return 0;
-
if (fp == NULL) {
if (fc->ipAddressChoice->type ==
IPAddressChoice_addressesOrRanges) {
}
continue;
}
+
+ if (!IPAddressFamily_check_len(fc) || !IPAddressFamily_check_len(fp))
+ goto done;
+
if (fp->ipAddressChoice->type ==
IPAddressChoice_addressesOrRanges) {
if (fc->ipAddressChoice->type == IPAddressChoice_inherit
IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
if (!IPAddressFamily_check_len(fp))
- return 0;
+ goto done;
if (fp->ipAddressChoice->type == IPAddressChoice_inherit
&& sk_IPAddressFamily_find(child, fp) >= 0)
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
}
}
-
+ ret = 1;
done:
sk_IPAddressFamily_free(child);
return ret;
return testresult;
}
+
+static int test_addr_subset(void)
+{
+ int i;
+ int ret = 0;
+ IPAddrBlocks *addrEmpty = NULL;
+ IPAddrBlocks *addr[3] = { NULL, NULL };
+ ASN1_OCTET_STRING *ip1[3] = { NULL, NULL };
+ ASN1_OCTET_STRING *ip2[3] = { NULL, NULL };
+ int sz = OSSL_NELEM(addr);
+
+ for (i = 0; i < sz; ++i) {
+ /* Create the IPAddrBlocks with a good IPAddressFamily */
+ if (!TEST_ptr(addr[i] = sk_IPAddressFamily_new_null())
+ || !TEST_ptr(ip1[i] = a2i_IPADDRESS(ranges[i].ip1))
+ || !TEST_ptr(ip2[i] = a2i_IPADDRESS(ranges[i].ip2))
+ || !TEST_true(X509v3_addr_add_range(addr[i], ranges[i].afi, NULL,
+ ip1[i]->data, ip2[i]->data)))
+ goto end;
+ }
+
+ ret = TEST_ptr(addrEmpty = sk_IPAddressFamily_new_null())
+ && TEST_true(X509v3_addr_subset(NULL, NULL))
+ && TEST_true(X509v3_addr_subset(NULL, addr[0]))
+ && TEST_true(X509v3_addr_subset(addrEmpty, addr[0]))
+ && TEST_true(X509v3_addr_subset(addr[0], addr[0]))
+ && TEST_true(X509v3_addr_subset(addr[0], addr[1]))
+ && TEST_true(X509v3_addr_subset(addr[0], addr[2]))
+ && TEST_true(X509v3_addr_subset(addr[1], addr[2]))
+ && TEST_false(X509v3_addr_subset(addr[0], NULL))
+ && TEST_false(X509v3_addr_subset(addr[1], addr[0]))
+ && TEST_false(X509v3_addr_subset(addr[2], addr[1]))
+ && TEST_false(X509v3_addr_subset(addr[0], addrEmpty));
+end:
+ sk_IPAddressFamily_pop_free(addrEmpty, IPAddressFamily_free);
+ for (i = 0; i < sz; ++i) {
+ sk_IPAddressFamily_pop_free(addr[i], IPAddressFamily_free);
+ ASN1_OCTET_STRING_free(ip1[i]);
+ ASN1_OCTET_STRING_free(ip2[i]);
+ }
+ return ret;
+}
+
#endif /* OPENSSL_NO_RFC3779 */
OPT_TEST_DECLARE_USAGE("cert.pem\n")
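Review bot: The setup loop in `test_addr_subset` indexes `ranges[i]` for every `i < OSSL_NELEM(addr)`, but nothing ties the size of `ranges` (defined outside the hunk) to the three-element `addr`, so trimming that table later would make the test read past its end. Assuming `ranges` is an array, a guard at the top such as `if (!TEST_size_t_ge(OSSL_NELEM(ranges), OSSL_NELEM(addr))) return 0;` makes the dependency explicit. The initialisers `{ NULL, NULL }` on three-element arrays look like a leftover from a two-element version; they still zero the third slot, but `{ NULL }` or three entries would match the declared size. A one-line comment marking `X509v3_addr_subset(addr[0], addrEmpty)` as the case where `b` has no matching family would also help, since that appears to be the regression the reordered NULL check fixes.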
ADD_TEST(test_addr_ranges);
ADD_TEST(test_ext_syntax);
ADD_TEST(test_addr_fam_len);
+ ADD_TEST(test_addr_subset);
#endif /* OPENSSL_NO_RFC3779 */
return 1;
}