xref: /openbsd-src/lib/libcrypto/x509/x509_asid.c (revision 8b5faa7170599a10b7304ec693b84d6d6fd0697f) 
1*8b5faa71Stb /*	$OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */
20b5aa37fSjob /*
3f49a1506Stb  * Contributed to the OpenSSL Project by the American Registry for
4f49a1506Stb  * Internet Numbers ("ARIN").
5f49a1506Stb  */
6f49a1506Stb /* ====================================================================
7f49a1506Stb  * Copyright (c) 2006-2018 The OpenSSL Project.  All rights reserved.
80b5aa37fSjob  *
9f49a1506Stb  * Redistribution and use in source and binary forms, with or without
10f49a1506Stb  * modification, are permitted provided that the following conditions
11f49a1506Stb  * are met:
12f49a1506Stb  *
13f49a1506Stb  * 1. Redistributions of source code must retain the above copyright
14f49a1506Stb  *    notice, this list of conditions and the following disclaimer.
15f49a1506Stb  *
16f49a1506Stb  * 2. Redistributions in binary form must reproduce the above copyright
17f49a1506Stb  *    notice, this list of conditions and the following disclaimer in
18f49a1506Stb  *    the documentation and/or other materials provided with the
19f49a1506Stb  *    distribution.
20f49a1506Stb  *
21f49a1506Stb  * 3. All advertising materials mentioning features or use of this
22f49a1506Stb  *    software must display the following acknowledgment:
23f49a1506Stb  *    "This product includes software developed by the OpenSSL Project
24f49a1506Stb  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25f49a1506Stb  *
26f49a1506Stb  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27f49a1506Stb  *    endorse or promote products derived from this software without
28f49a1506Stb  *    prior written permission. For written permission, please contact
29f49a1506Stb  *    licensing@OpenSSL.org.
30f49a1506Stb  *
31f49a1506Stb  * 5. Products derived from this software may not be called "OpenSSL"
32f49a1506Stb  *    nor may "OpenSSL" appear in their names without prior written
33f49a1506Stb  *    permission of the OpenSSL Project.
34f49a1506Stb  *
35f49a1506Stb  * 6. Redistributions of any form whatsoever must retain the following
36f49a1506Stb  *    acknowledgment:
37f49a1506Stb  *    "This product includes software developed by the OpenSSL Project
38f49a1506Stb  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39f49a1506Stb  *
40f49a1506Stb  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41f49a1506Stb  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42f49a1506Stb  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43f49a1506Stb  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44f49a1506Stb  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45f49a1506Stb  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46f49a1506Stb  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47f49a1506Stb  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48f49a1506Stb  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49f49a1506Stb  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50f49a1506Stb  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51f49a1506Stb  * OF THE POSSIBILITY OF SUCH DAMAGE.
52f49a1506Stb  * ====================================================================
53f49a1506Stb  *
54f49a1506Stb  * This product includes cryptographic software written by Eric Young
55f49a1506Stb  * (eay@cryptsoft.com).  This product includes software written by Tim
56f49a1506Stb  * Hudson (tjh@cryptsoft.com).
570b5aa37fSjob  */
580b5aa37fSjob 
590b5aa37fSjob /*
600b5aa37fSjob  * Implementation of RFC 3779 section 3.2.
610b5aa37fSjob  */
620b5aa37fSjob 
630b5aa37fSjob #include <stdio.h>
64c93c90b2Sjob #include <stdlib.h>
650b5aa37fSjob #include <string.h>
66bb6956c3Sjob 
670b5aa37fSjob #include <openssl/asn1.h>
680b5aa37fSjob #include <openssl/asn1t.h>
690b5aa37fSjob #include <openssl/bn.h>
70bb6956c3Sjob #include <openssl/conf.h>
711ec75446Sjob #include <openssl/err.h>
72bb6956c3Sjob #include <openssl/x509.h>
73bb6956c3Sjob #include <openssl/x509v3.h>
74bb6956c3Sjob 
75c9675a23Stb #include "x509_local.h"
76838f0b6dStb 
770b5aa37fSjob #ifndef OPENSSL_NO_RFC3779
780b5aa37fSjob 
794dab7425Sjob static const ASN1_TEMPLATE ASRange_seq_tt[] = {
804dab7425Sjob 	{
814dab7425Sjob 		.flags = 0,
824dab7425Sjob 		.tag = 0,
834dab7425Sjob 		.offset = offsetof(ASRange, min),
844dab7425Sjob 		.field_name = "min",
854dab7425Sjob 		.item = &ASN1_INTEGER_it,
864dab7425Sjob 	},
874dab7425Sjob 	{
884dab7425Sjob 		.flags = 0,
894dab7425Sjob 		.tag = 0,
904dab7425Sjob 		.offset = offsetof(ASRange, max),
914dab7425Sjob 		.field_name = "max",
924dab7425Sjob 		.item = &ASN1_INTEGER_it,
934dab7425Sjob 	},
944dab7425Sjob };
950b5aa37fSjob 
964dab7425Sjob const ASN1_ITEM ASRange_it = {
974dab7425Sjob 	.itype = ASN1_ITYPE_SEQUENCE,
984dab7425Sjob 	.utype = V_ASN1_SEQUENCE,
994dab7425Sjob 	.templates = ASRange_seq_tt,
1004dab7425Sjob 	.tcount = sizeof(ASRange_seq_tt) / sizeof(ASN1_TEMPLATE),
1014dab7425Sjob 	.funcs = NULL,
1024dab7425Sjob 	.size = sizeof(ASRange),
1034dab7425Sjob 	.sname = "ASRange",
1044dab7425Sjob };
105c0ebdaf2Sbeck LCRYPTO_ALIAS(ASRange_it);
1060b5aa37fSjob 
1074dab7425Sjob static const ASN1_TEMPLATE ASIdOrRange_ch_tt[] = {
1084dab7425Sjob 	{
1094dab7425Sjob 		.flags = 0,
1104dab7425Sjob 		.tag = 0,
1114dab7425Sjob 		.offset = offsetof(ASIdOrRange, u.id),
1124dab7425Sjob 		.field_name = "u.id",
1134dab7425Sjob 		.item = &ASN1_INTEGER_it,
1144dab7425Sjob 	},
1154dab7425Sjob 	{
1164dab7425Sjob 		.flags = 0,
1174dab7425Sjob 		.tag = 0,
1184dab7425Sjob 		.offset = offsetof(ASIdOrRange, u.range),
1194dab7425Sjob 		.field_name = "u.range",
1204dab7425Sjob 		.item = &ASRange_it,
1214dab7425Sjob 	},
1224dab7425Sjob };
1230b5aa37fSjob 
1244dab7425Sjob const ASN1_ITEM ASIdOrRange_it = {
1254dab7425Sjob 	.itype = ASN1_ITYPE_CHOICE,
1264dab7425Sjob 	.utype = offsetof(ASIdOrRange, type),
1274dab7425Sjob 	.templates = ASIdOrRange_ch_tt,
1284dab7425Sjob 	.tcount = sizeof(ASIdOrRange_ch_tt) / sizeof(ASN1_TEMPLATE),
1294dab7425Sjob 	.funcs = NULL,
1304dab7425Sjob 	.size = sizeof(ASIdOrRange),
1314dab7425Sjob 	.sname = "ASIdOrRange",
1324dab7425Sjob };
133c0ebdaf2Sbeck LCRYPTO_ALIAS(ASIdOrRange_it);
1340b5aa37fSjob 
1354dab7425Sjob static const ASN1_TEMPLATE ASIdentifierChoice_ch_tt[] = {
1364dab7425Sjob 	{
1374dab7425Sjob 		.flags = 0,
1384dab7425Sjob 		.tag = 0,
1394dab7425Sjob 		.offset = offsetof(ASIdentifierChoice, u.inherit),
1404dab7425Sjob 		.field_name = "u.inherit",
1414dab7425Sjob 		.item = &ASN1_NULL_it,
1424dab7425Sjob 	},
1434dab7425Sjob 	{
1444dab7425Sjob 		.flags = ASN1_TFLG_SEQUENCE_OF,
1454dab7425Sjob 		.tag = 0,
1464dab7425Sjob 		.offset = offsetof(ASIdentifierChoice, u.asIdsOrRanges),
1474dab7425Sjob 		.field_name = "u.asIdsOrRanges",
1484dab7425Sjob 		.item = &ASIdOrRange_it,
1494dab7425Sjob 	},
1504dab7425Sjob };
1514dab7425Sjob 
1524dab7425Sjob const ASN1_ITEM ASIdentifierChoice_it = {
1534dab7425Sjob 	.itype = ASN1_ITYPE_CHOICE,
1544dab7425Sjob 	.utype = offsetof(ASIdentifierChoice, type),
1554dab7425Sjob 	.templates = ASIdentifierChoice_ch_tt,
1564dab7425Sjob 	.tcount = sizeof(ASIdentifierChoice_ch_tt) / sizeof(ASN1_TEMPLATE),
1574dab7425Sjob 	.funcs = NULL,
1584dab7425Sjob 	.size = sizeof(ASIdentifierChoice),
1594dab7425Sjob 	.sname = "ASIdentifierChoice",
1604dab7425Sjob };
161c0ebdaf2Sbeck LCRYPTO_ALIAS(ASIdentifierChoice_it);
1624dab7425Sjob 
1634dab7425Sjob static const ASN1_TEMPLATE ASIdentifiers_seq_tt[] = {
1644dab7425Sjob 	{
1654dab7425Sjob 		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
1664dab7425Sjob 		.tag = 0,
1674dab7425Sjob 		.offset = offsetof(ASIdentifiers, asnum),
1684dab7425Sjob 		.field_name = "asnum",
1694dab7425Sjob 		.item = &ASIdentifierChoice_it,
1704dab7425Sjob 	},
1714dab7425Sjob 	{
1724dab7425Sjob 		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
1734dab7425Sjob 		.tag = 1,
1744dab7425Sjob 		.offset = offsetof(ASIdentifiers, rdi),
1754dab7425Sjob 		.field_name = "rdi",
1764dab7425Sjob 		.item = &ASIdentifierChoice_it,
1774dab7425Sjob 	},
1784dab7425Sjob };
1794dab7425Sjob 
1804dab7425Sjob const ASN1_ITEM ASIdentifiers_it = {
1814dab7425Sjob 	.itype = ASN1_ITYPE_SEQUENCE,
1824dab7425Sjob 	.utype = V_ASN1_SEQUENCE,
1834dab7425Sjob 	.templates = ASIdentifiers_seq_tt,
1844dab7425Sjob 	.tcount = sizeof(ASIdentifiers_seq_tt) / sizeof(ASN1_TEMPLATE),
1854dab7425Sjob 	.funcs = NULL,
1864dab7425Sjob 	.size = sizeof(ASIdentifiers),
1874dab7425Sjob 	.sname = "ASIdentifiers",
1884dab7425Sjob };
189c0ebdaf2Sbeck LCRYPTO_ALIAS(ASIdentifiers_it);
1900b5aa37fSjob 
191306ab8c3Sjob ASRange *
d2i_ASRange(ASRange ** a,const unsigned char ** in,long len)192306ab8c3Sjob d2i_ASRange(ASRange **a, const unsigned char **in, long len)
193306ab8c3Sjob {
194306ab8c3Sjob 	return (ASRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
1951993757bSjob 	    &ASRange_it);
196306ab8c3Sjob }
197cedac418Stb LCRYPTO_ALIAS(d2i_ASRange);
198306ab8c3Sjob 
199306ab8c3Sjob int
i2d_ASRange(ASRange * a,unsigned char ** out)200306ab8c3Sjob i2d_ASRange(ASRange *a, unsigned char **out)
201306ab8c3Sjob {
2021993757bSjob 	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASRange_it);
203306ab8c3Sjob }
204cedac418Stb LCRYPTO_ALIAS(i2d_ASRange);
205306ab8c3Sjob 
206306ab8c3Sjob ASRange *
ASRange_new(void)207306ab8c3Sjob ASRange_new(void)
208306ab8c3Sjob {
2091993757bSjob 	return (ASRange *)ASN1_item_new(&ASRange_it);
210306ab8c3Sjob }
211cedac418Stb LCRYPTO_ALIAS(ASRange_new);
212306ab8c3Sjob 
213306ab8c3Sjob void
ASRange_free(ASRange * a)214306ab8c3Sjob ASRange_free(ASRange *a)
215306ab8c3Sjob {
2161993757bSjob 	ASN1_item_free((ASN1_VALUE *)a, &ASRange_it);
217306ab8c3Sjob }
218cedac418Stb LCRYPTO_ALIAS(ASRange_free);
219306ab8c3Sjob 
220306ab8c3Sjob ASIdOrRange *
d2i_ASIdOrRange(ASIdOrRange ** a,const unsigned char ** in,long len)221306ab8c3Sjob d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in, long len)
222306ab8c3Sjob {
223306ab8c3Sjob 	return (ASIdOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
2241993757bSjob 	    &ASIdOrRange_it);
225306ab8c3Sjob }
226cedac418Stb LCRYPTO_ALIAS(d2i_ASIdOrRange);
227306ab8c3Sjob 
228306ab8c3Sjob int
i2d_ASIdOrRange(ASIdOrRange * a,unsigned char ** out)229306ab8c3Sjob i2d_ASIdOrRange(ASIdOrRange *a, unsigned char **out)
230306ab8c3Sjob {
2311993757bSjob 	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdOrRange_it);
232306ab8c3Sjob }
233cedac418Stb LCRYPTO_ALIAS(i2d_ASIdOrRange);
234306ab8c3Sjob 
235306ab8c3Sjob ASIdOrRange *
ASIdOrRange_new(void)236306ab8c3Sjob ASIdOrRange_new(void)
237306ab8c3Sjob {
2381993757bSjob 	return (ASIdOrRange *)ASN1_item_new(&ASIdOrRange_it);
239306ab8c3Sjob }
240cedac418Stb LCRYPTO_ALIAS(ASIdOrRange_new);
241306ab8c3Sjob 
242306ab8c3Sjob void
ASIdOrRange_free(ASIdOrRange * a)243306ab8c3Sjob ASIdOrRange_free(ASIdOrRange *a)
244306ab8c3Sjob {
2451993757bSjob 	ASN1_item_free((ASN1_VALUE *)a, &ASIdOrRange_it);
246306ab8c3Sjob }
247cedac418Stb LCRYPTO_ALIAS(ASIdOrRange_free);
248306ab8c3Sjob 
249306ab8c3Sjob ASIdentifierChoice *
d2i_ASIdentifierChoice(ASIdentifierChoice ** a,const unsigned char ** in,long len)2501a94ae9bSjob d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in,
2511a94ae9bSjob     long len)
252306ab8c3Sjob {
253306ab8c3Sjob 	return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
2541993757bSjob 	    &ASIdentifierChoice_it);
255306ab8c3Sjob }
256cedac418Stb LCRYPTO_ALIAS(d2i_ASIdentifierChoice);
257306ab8c3Sjob 
258306ab8c3Sjob int
i2d_ASIdentifierChoice(ASIdentifierChoice * a,unsigned char ** out)259306ab8c3Sjob i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out)
260306ab8c3Sjob {
2611993757bSjob 	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifierChoice_it);
262306ab8c3Sjob }
263cedac418Stb LCRYPTO_ALIAS(i2d_ASIdentifierChoice);
264306ab8c3Sjob 
265306ab8c3Sjob ASIdentifierChoice *
ASIdentifierChoice_new(void)266306ab8c3Sjob ASIdentifierChoice_new(void)
267306ab8c3Sjob {
2681993757bSjob 	return (ASIdentifierChoice *)ASN1_item_new(&ASIdentifierChoice_it);
269306ab8c3Sjob }
270cedac418Stb LCRYPTO_ALIAS(ASIdentifierChoice_new);
271306ab8c3Sjob 
272306ab8c3Sjob void
ASIdentifierChoice_free(ASIdentifierChoice * a)273306ab8c3Sjob ASIdentifierChoice_free(ASIdentifierChoice *a)
274306ab8c3Sjob {
2751993757bSjob 	ASN1_item_free((ASN1_VALUE *)a, &ASIdentifierChoice_it);
276306ab8c3Sjob }
277cedac418Stb LCRYPTO_ALIAS(ASIdentifierChoice_free);
278306ab8c3Sjob 
279306ab8c3Sjob ASIdentifiers *
d2i_ASIdentifiers(ASIdentifiers ** a,const unsigned char ** in,long len)280306ab8c3Sjob d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in, long len)
281306ab8c3Sjob {
282306ab8c3Sjob 	return (ASIdentifiers *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
2831993757bSjob 	    &ASIdentifiers_it);
284306ab8c3Sjob }
285cedac418Stb LCRYPTO_ALIAS(d2i_ASIdentifiers);
286306ab8c3Sjob 
287306ab8c3Sjob int
i2d_ASIdentifiers(ASIdentifiers * a,unsigned char ** out)288306ab8c3Sjob i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out)
289306ab8c3Sjob {
2901993757bSjob 	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifiers_it);
291306ab8c3Sjob }
292cedac418Stb LCRYPTO_ALIAS(i2d_ASIdentifiers);
293306ab8c3Sjob 
2941a94ae9bSjob ASIdentifiers *
ASIdentifiers_new(void)2951a94ae9bSjob ASIdentifiers_new(void)
296306ab8c3Sjob {
2971993757bSjob 	return (ASIdentifiers *)ASN1_item_new(&ASIdentifiers_it);
298306ab8c3Sjob }
299cedac418Stb LCRYPTO_ALIAS(ASIdentifiers_new);
300306ab8c3Sjob 
3011a94ae9bSjob void
ASIdentifiers_free(ASIdentifiers * a)3021a94ae9bSjob ASIdentifiers_free(ASIdentifiers *a)
303306ab8c3Sjob {
3041993757bSjob 	ASN1_item_free((ASN1_VALUE *)a, &ASIdentifiers_it);
305306ab8c3Sjob }
306cedac418Stb LCRYPTO_ALIAS(ASIdentifiers_free);
3070b5aa37fSjob 
3080b5aa37fSjob /*
3090b5aa37fSjob  * i2r method for an ASIdentifierChoice.
3100b5aa37fSjob  */
3111a94ae9bSjob static int
i2r_ASIdentifierChoice(BIO * out,ASIdentifierChoice * choice,int indent,const char * msg)3121a94ae9bSjob i2r_ASIdentifierChoice(BIO *out, ASIdentifierChoice *choice, int indent,
3131a94ae9bSjob     const char *msg)
3140b5aa37fSjob {
3150b5aa37fSjob 	int i;
3160b5aa37fSjob 	char *s;
3170b5aa37fSjob 	if (choice == NULL)
3180b5aa37fSjob 		return 1;
3190b5aa37fSjob 	BIO_printf(out, "%*s%s:\n", indent, "", msg);
3200b5aa37fSjob 	switch (choice->type) {
3210b5aa37fSjob 	case ASIdentifierChoice_inherit:
3220b5aa37fSjob 		BIO_printf(out, "%*sinherit\n", indent + 2, "");
3230b5aa37fSjob 		break;
3240b5aa37fSjob 	case ASIdentifierChoice_asIdsOrRanges:
3251a94ae9bSjob 		for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges);
3261a94ae9bSjob 		    i++) {
3270b5aa37fSjob 			ASIdOrRange *aor =
3280b5aa37fSjob 			    sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
3290b5aa37fSjob 			switch (aor->type) {
3300b5aa37fSjob 			case ASIdOrRange_id:
3311a94ae9bSjob 				if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) ==
3321a94ae9bSjob 				    NULL)
3330b5aa37fSjob 					return 0;
3340b5aa37fSjob 				BIO_printf(out, "%*s%s\n", indent + 2, "", s);
33595e11b57Sjob 				free(s);
3360b5aa37fSjob 				break;
3370b5aa37fSjob 			case ASIdOrRange_range:
3381a94ae9bSjob 				if ((s = i2s_ASN1_INTEGER(NULL,
3391a94ae9bSjob 				    aor->u.range->min)) == NULL)
3400b5aa37fSjob 					return 0;
3410b5aa37fSjob 				BIO_printf(out, "%*s%s-", indent + 2, "", s);
34295e11b57Sjob 				free(s);
3431a94ae9bSjob 				if ((s = i2s_ASN1_INTEGER(NULL,
3441a94ae9bSjob 				    aor->u.range->max)) == NULL)
3450b5aa37fSjob 					return 0;
3460b5aa37fSjob 				BIO_printf(out, "%s\n", s);
34795e11b57Sjob 				free(s);
3480b5aa37fSjob 				break;
3490b5aa37fSjob 			default:
3500b5aa37fSjob 				return 0;
3510b5aa37fSjob 			}
3520b5aa37fSjob 		}
3530b5aa37fSjob 		break;
3540b5aa37fSjob 	default:
3550b5aa37fSjob 		return 0;
3560b5aa37fSjob 	}
3570b5aa37fSjob 	return 1;
3580b5aa37fSjob }
3590b5aa37fSjob 
3600b5aa37fSjob /*
3610b5aa37fSjob  * i2r method for an ASIdentifier extension.
3620b5aa37fSjob  */
3631a94ae9bSjob static int
i2r_ASIdentifiers(const X509V3_EXT_METHOD * method,void * ext,BIO * out,int indent)3641a94ae9bSjob i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
3651a94ae9bSjob     int indent)
3660b5aa37fSjob {
3670b5aa37fSjob 	ASIdentifiers *asid = ext;
3680b5aa37fSjob 	return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
3690b5aa37fSjob 	    "Autonomous System Numbers") &&
3700b5aa37fSjob 	    i2r_ASIdentifierChoice(out, asid->rdi, indent,
3710b5aa37fSjob 	    "Routing Domain Identifiers"));
3720b5aa37fSjob }
3730b5aa37fSjob 
3740b5aa37fSjob /*
3750b5aa37fSjob  * Sort comparison function for a sequence of ASIdOrRange elements.
3760b5aa37fSjob  */
3771a94ae9bSjob static int
ASIdOrRange_cmp(const ASIdOrRange * const * a_,const ASIdOrRange * const * b_)3781a94ae9bSjob ASIdOrRange_cmp(const ASIdOrRange *const *a_, const ASIdOrRange *const *b_)
3790b5aa37fSjob {
3800b5aa37fSjob 	const ASIdOrRange *a = *a_, *b = *b_;
3810b5aa37fSjob 
382afcad173Sjob 	/* XXX: these asserts need to be replaced */
3838e54c06aSjob 	OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
3840b5aa37fSjob 	    (a->type == ASIdOrRange_range && a->u.range != NULL &&
3850b5aa37fSjob 	     a->u.range->min != NULL && a->u.range->max != NULL));
3860b5aa37fSjob 
3878e54c06aSjob 	OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
3880b5aa37fSjob 	    (b->type == ASIdOrRange_range && b->u.range != NULL &&
3890b5aa37fSjob 	     b->u.range->min != NULL && b->u.range->max != NULL));
3900b5aa37fSjob 
3910b5aa37fSjob 	if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
3920b5aa37fSjob 		return ASN1_INTEGER_cmp(a->u.id, b->u.id);
3930b5aa37fSjob 
3940b5aa37fSjob 	if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
3950b5aa37fSjob 		int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
3960b5aa37fSjob 		return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max,
3970b5aa37fSjob 		    b->u.range->max);
3980b5aa37fSjob 	}
3990b5aa37fSjob 
4000b5aa37fSjob 	if (a->type == ASIdOrRange_id)
4010b5aa37fSjob 		return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
4020b5aa37fSjob 	else
4030b5aa37fSjob 		return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
4040b5aa37fSjob }
4050b5aa37fSjob 
4060b5aa37fSjob /*
4070b5aa37fSjob  * Add an inherit element.
4080b5aa37fSjob  */
4091a94ae9bSjob int
X509v3_asid_add_inherit(ASIdentifiers * asid,int which)4101a94ae9bSjob X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
4110b5aa37fSjob {
4120b5aa37fSjob 	ASIdentifierChoice **choice;
4139b790dc7Stb 	ASIdentifierChoice *aic = NULL;
4149b790dc7Stb 	int ret = 0;
4159b790dc7Stb 
4160b5aa37fSjob 	if (asid == NULL)
4179b790dc7Stb 		goto err;
4189b790dc7Stb 
4190b5aa37fSjob 	switch (which) {
4200b5aa37fSjob 	case V3_ASID_ASNUM:
4210b5aa37fSjob 		choice = &asid->asnum;
4220b5aa37fSjob 		break;
4230b5aa37fSjob 	case V3_ASID_RDI:
4240b5aa37fSjob 		choice = &asid->rdi;
4250b5aa37fSjob 		break;
4260b5aa37fSjob 	default:
4279b790dc7Stb 		goto err;
4280b5aa37fSjob 	}
4299b790dc7Stb 
4309b790dc7Stb 	if (*choice != NULL) {
4319b790dc7Stb 		if ((*choice)->type != ASIdentifierChoice_inherit)
4329b790dc7Stb 			goto err;
4339b790dc7Stb 	} else {
4349b790dc7Stb 		if ((aic = ASIdentifierChoice_new()) == NULL)
4359b790dc7Stb 			goto err;
4369b790dc7Stb 		if ((aic->u.inherit = ASN1_NULL_new()) == NULL)
4379b790dc7Stb 			goto err;
4389b790dc7Stb 		aic->type = ASIdentifierChoice_inherit;
4399b790dc7Stb 
4409b790dc7Stb 		*choice = aic;
4419b790dc7Stb 		aic = NULL;
4420b5aa37fSjob 	}
4439b790dc7Stb 
4449b790dc7Stb 	ret = 1;
4459b790dc7Stb 
4469b790dc7Stb  err:
4479b790dc7Stb 	ASIdentifierChoice_free(aic);
4489b790dc7Stb 
4499b790dc7Stb 	return ret;
4500b5aa37fSjob }
451cedac418Stb LCRYPTO_ALIAS(X509v3_asid_add_inherit);
4520b5aa37fSjob 
4539b790dc7Stb static int
ASIdOrRanges_add_id_or_range(ASIdOrRanges * aors,ASN1_INTEGER * min,ASN1_INTEGER * max)4549b790dc7Stb ASIdOrRanges_add_id_or_range(ASIdOrRanges *aors, ASN1_INTEGER *min,
4559b790dc7Stb     ASN1_INTEGER *max)
4569b790dc7Stb {
4579b790dc7Stb 	ASIdOrRange *aor = NULL;
4589b790dc7Stb 	ASRange *asr = NULL;
4599b790dc7Stb 	int ret = 0;
4609b790dc7Stb 
4619b790dc7Stb 	/* Preallocate since we must not fail after sk_ASIdOrRange_push(). */
4629b790dc7Stb 	if (max != NULL) {
4639b790dc7Stb 		if ((asr = ASRange_new()) == NULL)
4649b790dc7Stb 			goto err;
4659b790dc7Stb 	}
4669b790dc7Stb 
4679b790dc7Stb 	if ((aor = ASIdOrRange_new()) == NULL)
4689b790dc7Stb 		goto err;
4699b790dc7Stb 	if (sk_ASIdOrRange_push(aors, aor) <= 0)
4709b790dc7Stb 		goto err;
4719b790dc7Stb 
4729b790dc7Stb 	if (max == NULL) {
4739b790dc7Stb 		aor->type = ASIdOrRange_id;
4749b790dc7Stb 		aor->u.id = min;
4759b790dc7Stb 	} else {
4769b790dc7Stb 		ASN1_INTEGER_free(asr->min);
4779b790dc7Stb 		asr->min = min;
4789b790dc7Stb 		ASN1_INTEGER_free(asr->max);
4799b790dc7Stb 		asr->max = max;
4809b790dc7Stb 
4819b790dc7Stb 		aor->type = ASIdOrRange_range;
4829b790dc7Stb 		aor->u.range = asr;
4839b790dc7Stb 		asr = NULL;
4849b790dc7Stb 	}
4859b790dc7Stb 
4869b790dc7Stb 	aor = NULL;
4879b790dc7Stb 
4889b790dc7Stb 	ret = 1;
4899b790dc7Stb 
4909b790dc7Stb  err:
4919b790dc7Stb 	ASIdOrRange_free(aor);
4929b790dc7Stb 	ASRange_free(asr);
4939b790dc7Stb 
4949b790dc7Stb 	return ret;
4959b790dc7Stb }
4969b790dc7Stb 
4970b5aa37fSjob /*
4980b5aa37fSjob  * Add an ID or range to an ASIdentifierChoice.
4990b5aa37fSjob  */
5001a94ae9bSjob int
X509v3_asid_add_id_or_range(ASIdentifiers * asid,int which,ASN1_INTEGER * min,ASN1_INTEGER * max)5011a94ae9bSjob X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
5021a94ae9bSjob     ASN1_INTEGER *max)
5030b5aa37fSjob {
5040b5aa37fSjob 	ASIdentifierChoice **choice;
5059b790dc7Stb 	ASIdentifierChoice *aic = NULL, *new_aic = NULL;
5069b790dc7Stb 	int ret = 0;
5079b790dc7Stb 
5080b5aa37fSjob 	if (asid == NULL)
5099b790dc7Stb 		goto err;
5109b790dc7Stb 
5110b5aa37fSjob 	switch (which) {
5120b5aa37fSjob 	case V3_ASID_ASNUM:
5130b5aa37fSjob 		choice = &asid->asnum;
5140b5aa37fSjob 		break;
5150b5aa37fSjob 	case V3_ASID_RDI:
5160b5aa37fSjob 		choice = &asid->rdi;
5170b5aa37fSjob 		break;
5180b5aa37fSjob 	default:
5199b790dc7Stb 		goto err;
5200b5aa37fSjob 	}
5219b790dc7Stb 
5229b790dc7Stb 	if ((aic = *choice) != NULL) {
5239b790dc7Stb 		if (aic->type != ASIdentifierChoice_asIdsOrRanges)
5249b790dc7Stb 			goto err;
5250b5aa37fSjob 	} else {
5269b790dc7Stb 		if ((aic = new_aic = ASIdentifierChoice_new()) == NULL)
5270b5aa37fSjob 			goto err;
5289b790dc7Stb 		aic->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
5299b790dc7Stb 		if (aic->u.asIdsOrRanges == NULL)
5309b790dc7Stb 			goto err;
5319b790dc7Stb 		aic->type = ASIdentifierChoice_asIdsOrRanges;
5320b5aa37fSjob 	}
5339b790dc7Stb 
5349b790dc7Stb 	if (!ASIdOrRanges_add_id_or_range(aic->u.asIdsOrRanges, min, max))
5350b5aa37fSjob 		goto err;
5369b790dc7Stb 
5379b790dc7Stb 	*choice = aic;
5389b790dc7Stb 	aic = new_aic = NULL;
5399b790dc7Stb 
5409b790dc7Stb 	ret = 1;
5410b5aa37fSjob 
5420b5aa37fSjob  err:
5439b790dc7Stb 	ASIdentifierChoice_free(new_aic);
5449b790dc7Stb 
5459b790dc7Stb 	return ret;
5460b5aa37fSjob }
547cedac418Stb LCRYPTO_ALIAS(X509v3_asid_add_id_or_range);
5480b5aa37fSjob 
5490b5aa37fSjob /*
5500b5aa37fSjob  * Extract min and max values from an ASIdOrRange.
5510b5aa37fSjob  */
5521a94ae9bSjob static int
extract_min_max(ASIdOrRange * aor,ASN1_INTEGER ** min,ASN1_INTEGER ** max)5531a94ae9bSjob extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max)
5540b5aa37fSjob {
5550b5aa37fSjob 	switch (aor->type) {
5560b5aa37fSjob 	case ASIdOrRange_id:
5570b5aa37fSjob 		*min = aor->u.id;
5580b5aa37fSjob 		*max = aor->u.id;
5590b5aa37fSjob 		return 1;
5600b5aa37fSjob 	case ASIdOrRange_range:
5610b5aa37fSjob 		*min = aor->u.range->min;
5620b5aa37fSjob 		*max = aor->u.range->max;
5630b5aa37fSjob 		return 1;
5640b5aa37fSjob 	}
5654ec4c6bcStb 	*min = NULL;
5664ec4c6bcStb 	*max = NULL;
5670b5aa37fSjob 
5680b5aa37fSjob 	return 0;
5690b5aa37fSjob }
5700b5aa37fSjob 
5710b5aa37fSjob /*
5720b5aa37fSjob  * Check whether an ASIdentifierChoice is in canonical form.
5730b5aa37fSjob  */
5741a94ae9bSjob static int
ASIdentifierChoice_is_canonical(ASIdentifierChoice * choice)5751a94ae9bSjob ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
5760b5aa37fSjob {
577660b594eStb 	ASIdOrRange *a, *b;
578660b594eStb 	ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max = NULL;
5790b5aa37fSjob 	ASN1_INTEGER *a_max_plus_one = NULL;
5800b5aa37fSjob 	ASN1_INTEGER *orig;
5810b5aa37fSjob 	BIGNUM *bn = NULL;
5820b5aa37fSjob 	int i, ret = 0;
5830b5aa37fSjob 
5840b5aa37fSjob 	/*
5850b5aa37fSjob 	 * Empty element or inheritance is canonical.
5860b5aa37fSjob 	 */
5870b5aa37fSjob 	if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
5880b5aa37fSjob 		return 1;
5890b5aa37fSjob 
5900b5aa37fSjob 	/*
5910b5aa37fSjob 	 * If not a list, or if empty list, it's broken.
5920b5aa37fSjob 	 */
5930b5aa37fSjob 	if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
5940b5aa37fSjob 	    sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
5950b5aa37fSjob 		return 0;
5960b5aa37fSjob 
5970b5aa37fSjob 	/*
5980b5aa37fSjob 	 * It's a list, check it.
5990b5aa37fSjob 	 */
6000b5aa37fSjob 	for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
601660b594eStb 		a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
602660b594eStb 		b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
6030b5aa37fSjob 
6041a94ae9bSjob 		if (!extract_min_max(a, &a_min, &a_max) ||
6051a94ae9bSjob 		    !extract_min_max(b, &b_min, &b_max))
6060b5aa37fSjob 			goto done;
6070b5aa37fSjob 
6080b5aa37fSjob 		/*
6090b5aa37fSjob 		 * Punt misordered list, overlapping start, or inverted range.
6100b5aa37fSjob 		 */
6110b5aa37fSjob 		if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
6120b5aa37fSjob 		    ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
6130b5aa37fSjob 		    ASN1_INTEGER_cmp(b_min, b_max) > 0)
6140b5aa37fSjob 			goto done;
6150b5aa37fSjob 
6160b5aa37fSjob 		/*
6170b5aa37fSjob 		 * Calculate a_max + 1 to check for adjacency.
6180b5aa37fSjob 		 */
6190b5aa37fSjob 		if ((bn == NULL && (bn = BN_new()) == NULL) ||
6200b5aa37fSjob 		    ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
6210b5aa37fSjob 		    !BN_add_word(bn, 1)) {
622dd120803Sjob 			X509V3error(ERR_R_MALLOC_FAILURE);
6230b5aa37fSjob 			goto done;
6240b5aa37fSjob 		}
6250b5aa37fSjob 
6260b5aa37fSjob 		if ((a_max_plus_one =
6270b5aa37fSjob 		    BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
6280b5aa37fSjob 			a_max_plus_one = orig;
629dd120803Sjob 			X509V3error(ERR_R_MALLOC_FAILURE);
6300b5aa37fSjob 			goto done;
6310b5aa37fSjob 		}
6320b5aa37fSjob 
6330b5aa37fSjob 		/*
6340b5aa37fSjob 		 * Punt if adjacent or overlapping.
6350b5aa37fSjob 		 */
6360b5aa37fSjob 		if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
6370b5aa37fSjob 			goto done;
6380b5aa37fSjob 	}
6390b5aa37fSjob 
6400b5aa37fSjob 	/*
6410b5aa37fSjob 	 * Check for inverted range.
6420b5aa37fSjob 	 */
6430b5aa37fSjob 	i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
644660b594eStb 	a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
6450b5aa37fSjob 	if (a != NULL && a->type == ASIdOrRange_range) {
6461a94ae9bSjob 		if (!extract_min_max(a, &a_min, &a_max) ||
6471a94ae9bSjob 		    ASN1_INTEGER_cmp(a_min, a_max) > 0)
6480b5aa37fSjob 			goto done;
6490b5aa37fSjob 	}
6500b5aa37fSjob 
6510b5aa37fSjob 	ret = 1;
6520b5aa37fSjob 
6530b5aa37fSjob  done:
6540b5aa37fSjob 	ASN1_INTEGER_free(a_max_plus_one);
6550b5aa37fSjob 	BN_free(bn);
6560b5aa37fSjob 	return ret;
6570b5aa37fSjob }
6580b5aa37fSjob 
6590b5aa37fSjob /*
6600b5aa37fSjob  * Check whether an ASIdentifier extension is in canonical form.
6610b5aa37fSjob  */
6621a94ae9bSjob int
X509v3_asid_is_canonical(ASIdentifiers * asid)6631a94ae9bSjob X509v3_asid_is_canonical(ASIdentifiers *asid)
6640b5aa37fSjob {
6650b5aa37fSjob 	return (asid == NULL ||
6660b5aa37fSjob 	    (ASIdentifierChoice_is_canonical(asid->asnum) &&
6670b5aa37fSjob 	     ASIdentifierChoice_is_canonical(asid->rdi)));
6680b5aa37fSjob }
669cedac418Stb LCRYPTO_ALIAS(X509v3_asid_is_canonical);
6700b5aa37fSjob 
6710b5aa37fSjob /*
6720b5aa37fSjob  * Whack an ASIdentifierChoice into canonical form.
6730b5aa37fSjob  */
6741a94ae9bSjob static int
ASIdentifierChoice_canonize(ASIdentifierChoice * choice)6751a94ae9bSjob ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
6760b5aa37fSjob {
677660b594eStb 	ASIdOrRange *a, *b;
678660b594eStb 	ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max = NULL;
6790b5aa37fSjob 	ASN1_INTEGER *a_max_plus_one = NULL;
6800b5aa37fSjob 	ASN1_INTEGER *orig;
6810b5aa37fSjob 	BIGNUM *bn = NULL;
6820b5aa37fSjob 	int i, ret = 0;
6830b5aa37fSjob 
6840b5aa37fSjob 	/*
6850b5aa37fSjob 	 * Nothing to do for empty element or inheritance.
6860b5aa37fSjob 	 */
6870b5aa37fSjob 	if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
6880b5aa37fSjob 		return 1;
6890b5aa37fSjob 
6900b5aa37fSjob 	/*
6910b5aa37fSjob 	 * If not a list, or if empty list, it's broken.
6920b5aa37fSjob 	 */
6930b5aa37fSjob 	if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
6940b5aa37fSjob 	    sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
695dd120803Sjob 		X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
6960b5aa37fSjob 		return 0;
6970b5aa37fSjob 	}
6980b5aa37fSjob 
6990b5aa37fSjob 	/*
7000b5aa37fSjob 	 * We have a non-empty list.  Sort it.
7010b5aa37fSjob 	 */
7020b5aa37fSjob 	sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
7030b5aa37fSjob 
7040b5aa37fSjob 	/*
7050b5aa37fSjob 	 * Now check for errors and suboptimal encoding, rejecting the
7060b5aa37fSjob 	 * former and fixing the latter.
7070b5aa37fSjob 	 */
7080b5aa37fSjob 	for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
709660b594eStb 		a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
710660b594eStb 		b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
7110b5aa37fSjob 
7121a94ae9bSjob 		if (!extract_min_max(a, &a_min, &a_max) ||
7131a94ae9bSjob 		    !extract_min_max(b, &b_min, &b_max))
7140b5aa37fSjob 			goto done;
7150b5aa37fSjob 
7160b5aa37fSjob 		/*
7170b5aa37fSjob 		 * Make sure we're properly sorted (paranoia).
7180b5aa37fSjob 		 */
719920304faStb 		if (ASN1_INTEGER_cmp(a_min, b_min) > 0)
720920304faStb 			goto done;
7210b5aa37fSjob 
7220b5aa37fSjob 		/*
7230b5aa37fSjob 		 * Punt inverted ranges.
7240b5aa37fSjob 		 */
7250b5aa37fSjob 		if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
7260b5aa37fSjob 		    ASN1_INTEGER_cmp(b_min, b_max) > 0)
7270b5aa37fSjob 			goto done;
7280b5aa37fSjob 
7290b5aa37fSjob 		/*
7300b5aa37fSjob 		 * Check for overlaps.
7310b5aa37fSjob 		 */
7320b5aa37fSjob 		if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
733dd120803Sjob 			X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
7340b5aa37fSjob 			goto done;
7350b5aa37fSjob 		}
7360b5aa37fSjob 
7370b5aa37fSjob 		/*
7380b5aa37fSjob 		 * Calculate a_max + 1 to check for adjacency.
7390b5aa37fSjob 		 */
7400b5aa37fSjob 		if ((bn == NULL && (bn = BN_new()) == NULL) ||
7410b5aa37fSjob 		    ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
7420b5aa37fSjob 		    !BN_add_word(bn, 1)) {
743dd120803Sjob 			X509V3error(ERR_R_MALLOC_FAILURE);
7440b5aa37fSjob 			goto done;
7450b5aa37fSjob 		}
7460b5aa37fSjob 
7470b5aa37fSjob 		if ((a_max_plus_one =
7480b5aa37fSjob 		    BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
7490b5aa37fSjob 			a_max_plus_one = orig;
750dd120803Sjob 			X509V3error(ERR_R_MALLOC_FAILURE);
7510b5aa37fSjob 			goto done;
7520b5aa37fSjob 		}
7530b5aa37fSjob 
7540b5aa37fSjob 		/*
7550b5aa37fSjob 		 * If a and b are adjacent, merge them.
7560b5aa37fSjob 		 */
7570b5aa37fSjob 		if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
7580b5aa37fSjob 			ASRange *r;
7590b5aa37fSjob 			switch (a->type) {
7600b5aa37fSjob 			case ASIdOrRange_id:
761c93c90b2Sjob 				if ((r = calloc(1, sizeof(*r))) == NULL) {
762dd120803Sjob 					X509V3error(ERR_R_MALLOC_FAILURE);
7630b5aa37fSjob 					goto done;
7640b5aa37fSjob 				}
7650b5aa37fSjob 				r->min = a_min;
7660b5aa37fSjob 				r->max = b_max;
7670b5aa37fSjob 				a->type = ASIdOrRange_range;
7680b5aa37fSjob 				a->u.range = r;
7690b5aa37fSjob 				break;
7700b5aa37fSjob 			case ASIdOrRange_range:
7710b5aa37fSjob 				ASN1_INTEGER_free(a->u.range->max);
7720b5aa37fSjob 				a->u.range->max = b_max;
7730b5aa37fSjob 				break;
7740b5aa37fSjob 			}
7750b5aa37fSjob 			switch (b->type) {
7760b5aa37fSjob 			case ASIdOrRange_id:
7770b5aa37fSjob 				b->u.id = NULL;
7780b5aa37fSjob 				break;
7790b5aa37fSjob 			case ASIdOrRange_range:
7800b5aa37fSjob 				b->u.range->max = NULL;
7810b5aa37fSjob 				break;
7820b5aa37fSjob 			}
7830b5aa37fSjob 			ASIdOrRange_free(b);
7841a94ae9bSjob 			(void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges,
7851a94ae9bSjob 			    i + 1);
7860b5aa37fSjob 			i--;
7870b5aa37fSjob 			continue;
7880b5aa37fSjob 		}
7890b5aa37fSjob 	}
7900b5aa37fSjob 
7910b5aa37fSjob 	/*
7920b5aa37fSjob 	 * Check for final inverted range.
7930b5aa37fSjob 	 */
7940b5aa37fSjob 	i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
795660b594eStb 	a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
7960b5aa37fSjob 	if (a != NULL && a->type == ASIdOrRange_range) {
7971a94ae9bSjob 		if (!extract_min_max(a, &a_min, &a_max) ||
7981a94ae9bSjob 		    ASN1_INTEGER_cmp(a_min, a_max) > 0)
7990b5aa37fSjob 			goto done;
8000b5aa37fSjob 	}
8010b5aa37fSjob 
8020b5aa37fSjob 	/* Paranoia */
803920304faStb 	if (!ASIdentifierChoice_is_canonical(choice))
804920304faStb 		goto done;
8050b5aa37fSjob 
8060b5aa37fSjob 	ret = 1;
8070b5aa37fSjob 
8080b5aa37fSjob  done:
8090b5aa37fSjob 	ASN1_INTEGER_free(a_max_plus_one);
8100b5aa37fSjob 	BN_free(bn);
8110b5aa37fSjob 	return ret;
8120b5aa37fSjob }
8130b5aa37fSjob 
8140b5aa37fSjob /*
8150b5aa37fSjob  * Whack an ASIdentifier extension into canonical form.
8160b5aa37fSjob  */
8171a94ae9bSjob int
X509v3_asid_canonize(ASIdentifiers * asid)8181a94ae9bSjob X509v3_asid_canonize(ASIdentifiers *asid)
8190b5aa37fSjob {
82027efdf34Stb 	if (asid == NULL)
82127efdf34Stb 		return 1;
82227efdf34Stb 
82327efdf34Stb 	if (!ASIdentifierChoice_canonize(asid->asnum))
82427efdf34Stb 		return 0;
82527efdf34Stb 
82627efdf34Stb 	return ASIdentifierChoice_canonize(asid->rdi);
8270b5aa37fSjob }
828cedac418Stb LCRYPTO_ALIAS(X509v3_asid_canonize);
8290b5aa37fSjob 
8300b5aa37fSjob /*
8310b5aa37fSjob  * v2i method for an ASIdentifier extension.
8320b5aa37fSjob  */
8331a94ae9bSjob static void *
v2i_ASIdentifiers(const struct v3_ext_method * method,struct v3_ext_ctx * ctx,STACK_OF (CONF_VALUE)* values)8341a94ae9bSjob v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
8350b5aa37fSjob     STACK_OF(CONF_VALUE)*values)
8360b5aa37fSjob {
8370b5aa37fSjob 	ASN1_INTEGER *min = NULL, *max = NULL;
8380b5aa37fSjob 	ASIdentifiers *asid = NULL;
8390b5aa37fSjob 	int i;
8400b5aa37fSjob 
8410b5aa37fSjob 	if ((asid = ASIdentifiers_new()) == NULL) {
842dd120803Sjob 		X509V3error(ERR_R_MALLOC_FAILURE);
8430b5aa37fSjob 		return NULL;
8440b5aa37fSjob 	}
8450b5aa37fSjob 
8460b5aa37fSjob 	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
8470b5aa37fSjob 		CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
8480b5aa37fSjob 		int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0;
8490b5aa37fSjob 
8500b5aa37fSjob 		/*
8510b5aa37fSjob 		 * Figure out whether this is an AS or an RDI.
8520b5aa37fSjob 		 */
8530b5aa37fSjob 		if (!name_cmp(val->name, "AS")) {
8540b5aa37fSjob 			which = V3_ASID_ASNUM;
8550b5aa37fSjob 		} else if (!name_cmp(val->name, "RDI")) {
8560b5aa37fSjob 			which = V3_ASID_RDI;
8570b5aa37fSjob 		} else {
858dd120803Sjob 			X509V3error(X509V3_R_EXTENSION_NAME_ERROR);
8590b5aa37fSjob 			X509V3_conf_err(val);
8600b5aa37fSjob 			goto err;
8610b5aa37fSjob 		}
8620b5aa37fSjob 
8630b5aa37fSjob 		/*
8640b5aa37fSjob 		 * Handle inheritance.
8650b5aa37fSjob 		 */
8660b5aa37fSjob 		if (strcmp(val->value, "inherit") == 0) {
8670b5aa37fSjob 			if (X509v3_asid_add_inherit(asid, which))
8680b5aa37fSjob 				continue;
869dd120803Sjob 			X509V3error(X509V3_R_INVALID_INHERITANCE);
8700b5aa37fSjob 			X509V3_conf_err(val);
8710b5aa37fSjob 			goto err;
8720b5aa37fSjob 		}
8730b5aa37fSjob 
8740b5aa37fSjob 		/*
8753c1c1242Sjob 		 * Number, range, or mistake, pick it apart and figure out which
8760b5aa37fSjob 		 */
8770b5aa37fSjob 		i1 = strspn(val->value, "0123456789");
8780b5aa37fSjob 		if (val->value[i1] == '\0') {
8790b5aa37fSjob 			is_range = 0;
8800b5aa37fSjob 		} else {
8810b5aa37fSjob 			is_range = 1;
8820b5aa37fSjob 			i2 = i1 + strspn(val->value + i1, " \t");
8830b5aa37fSjob 			if (val->value[i2] != '-') {
884dd120803Sjob 				X509V3error(X509V3_R_INVALID_ASNUMBER);
8850b5aa37fSjob 				X509V3_conf_err(val);
8860b5aa37fSjob 				goto err;
8870b5aa37fSjob 			}
8880b5aa37fSjob 			i2++;
8890b5aa37fSjob 			i2 = i2 + strspn(val->value + i2, " \t");
8900b5aa37fSjob 			i3 = i2 + strspn(val->value + i2, "0123456789");
8910b5aa37fSjob 			if (val->value[i3] != '\0') {
892dd120803Sjob 				X509V3error(X509V3_R_INVALID_ASRANGE);
8930b5aa37fSjob 				X509V3_conf_err(val);
8940b5aa37fSjob 				goto err;
8950b5aa37fSjob 			}
8960b5aa37fSjob 		}
8970b5aa37fSjob 
8980b5aa37fSjob 		/*
8990b5aa37fSjob 		 * Syntax is ok, read and add it.
9000b5aa37fSjob 		 */
9010b5aa37fSjob 		if (!is_range) {
9020b5aa37fSjob 			if (!X509V3_get_value_int(val, &min)) {
903dd120803Sjob 				X509V3error(ERR_R_MALLOC_FAILURE);
9040b5aa37fSjob 				goto err;
9050b5aa37fSjob 			}
9060b5aa37fSjob 		} else {
907d5d37c3eSjob 			char *s = strdup(val->value);
9080b5aa37fSjob 			if (s == NULL) {
909dd120803Sjob 				X509V3error(ERR_R_MALLOC_FAILURE);
9100b5aa37fSjob 				goto err;
9110b5aa37fSjob 			}
9120b5aa37fSjob 			s[i1] = '\0';
9130b5aa37fSjob 			min = s2i_ASN1_INTEGER(NULL, s);
9140b5aa37fSjob 			max = s2i_ASN1_INTEGER(NULL, s + i2);
91595e11b57Sjob 			free(s);
9160b5aa37fSjob 			if (min == NULL || max == NULL) {
917dd120803Sjob 				X509V3error(ERR_R_MALLOC_FAILURE);
9180b5aa37fSjob 				goto err;
9190b5aa37fSjob 			}
9200b5aa37fSjob 			if (ASN1_INTEGER_cmp(min, max) > 0) {
921dd120803Sjob 				X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
9220b5aa37fSjob 				goto err;
9230b5aa37fSjob 			}
9240b5aa37fSjob 		}
9250b5aa37fSjob 		if (!X509v3_asid_add_id_or_range(asid, which, min, max)) {
926dd120803Sjob 			X509V3error(ERR_R_MALLOC_FAILURE);
9270b5aa37fSjob 			goto err;
9280b5aa37fSjob 		}
9290b5aa37fSjob 		min = max = NULL;
9300b5aa37fSjob 	}
9310b5aa37fSjob 
9320b5aa37fSjob 	/*
9330b5aa37fSjob 	 * Canonize the result, then we're done.
9340b5aa37fSjob 	 */
9350b5aa37fSjob 	if (!X509v3_asid_canonize(asid))
9360b5aa37fSjob 		goto err;
9370b5aa37fSjob 	return asid;
9380b5aa37fSjob 
9390b5aa37fSjob  err:
9400b5aa37fSjob 	ASIdentifiers_free(asid);
9410b5aa37fSjob 	ASN1_INTEGER_free(min);
9420b5aa37fSjob 	ASN1_INTEGER_free(max);
9430b5aa37fSjob 	return NULL;
9440b5aa37fSjob }
9450b5aa37fSjob 
9460b5aa37fSjob /*
9470b5aa37fSjob  * OpenSSL dispatch.
9480b5aa37fSjob  */
949*8b5faa71Stb static const X509V3_EXT_METHOD x509v3_ext_sbgp_autonomousSysNum = {
9501e9dee73Stb 	.ext_nid = NID_sbgp_autonomousSysNum,
9511e9dee73Stb 	.ext_flags = 0,
9521e9dee73Stb 	.it = &ASIdentifiers_it,
9531e9dee73Stb 	.ext_new = NULL,
9541e9dee73Stb 	.ext_free = NULL,
9551e9dee73Stb 	.d2i = NULL,
9561e9dee73Stb 	.i2d = NULL,
9571e9dee73Stb 	.i2s = NULL,
9581e9dee73Stb 	.s2i = NULL,
9591e9dee73Stb 	.i2v = NULL,
9601e9dee73Stb 	.v2i = v2i_ASIdentifiers,
9611e9dee73Stb 	.i2r = i2r_ASIdentifiers,
9621e9dee73Stb 	.r2i = NULL,
9631e9dee73Stb 	.usr_data = NULL,
9640b5aa37fSjob };
9650b5aa37fSjob 
966*8b5faa71Stb const X509V3_EXT_METHOD *
x509v3_ext_method_sbgp_autonomousSysNum(void)967*8b5faa71Stb x509v3_ext_method_sbgp_autonomousSysNum(void)
968*8b5faa71Stb {
969*8b5faa71Stb 	return &x509v3_ext_sbgp_autonomousSysNum;
970*8b5faa71Stb }
971*8b5faa71Stb 
9720b5aa37fSjob /*
9730b5aa37fSjob  * Figure out whether extension uses inheritance.
9740b5aa37fSjob  */
9751a94ae9bSjob int
X509v3_asid_inherits(ASIdentifiers * asid)9761a94ae9bSjob X509v3_asid_inherits(ASIdentifiers *asid)
9770b5aa37fSjob {
97827efdf34Stb 	if (asid == NULL)
97927efdf34Stb 		return 0;
98027efdf34Stb 
98127efdf34Stb 	if (asid->asnum != NULL) {
98227efdf34Stb 		if (asid->asnum->type == ASIdentifierChoice_inherit)
98327efdf34Stb 			return 1;
98427efdf34Stb 	}
98527efdf34Stb 
98627efdf34Stb 	if (asid->rdi != NULL) {
98727efdf34Stb 		if (asid->rdi->type == ASIdentifierChoice_inherit)
98827efdf34Stb 			return 1;
98927efdf34Stb 	}
99027efdf34Stb 
99127efdf34Stb 	return 0;
9920b5aa37fSjob }
993cedac418Stb LCRYPTO_ALIAS(X509v3_asid_inherits);
9940b5aa37fSjob 
9950b5aa37fSjob /*
9960b5aa37fSjob  * Figure out whether parent contains child.
9970b5aa37fSjob  */
9981a94ae9bSjob static int
asid_contains(ASIdOrRanges * parent,ASIdOrRanges * child)9991a94ae9bSjob asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
10000b5aa37fSjob {
10010b5aa37fSjob 	ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL;
10020b5aa37fSjob 	int p, c;
10030b5aa37fSjob 
10040b5aa37fSjob 	if (child == NULL || parent == child)
10050b5aa37fSjob 		return 1;
1006592c9208Stb 
10070b5aa37fSjob 	if (parent == NULL)
10080b5aa37fSjob 		return 0;
10090b5aa37fSjob 
10100b5aa37fSjob 	p = 0;
10110b5aa37fSjob 	for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
10121a94ae9bSjob 		if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min,
10131a94ae9bSjob 		    &c_max))
10140b5aa37fSjob 			return 0;
10150b5aa37fSjob 		for (;; p++) {
10160b5aa37fSjob 			if (p >= sk_ASIdOrRange_num(parent))
10170b5aa37fSjob 				return 0;
10181a94ae9bSjob 			if (!extract_min_max(sk_ASIdOrRange_value(parent, p),
10191a94ae9bSjob 			    &p_min, &p_max))
10200b5aa37fSjob 				return 0;
10210b5aa37fSjob 			if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
10220b5aa37fSjob 				continue;
10230b5aa37fSjob 			if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
10240b5aa37fSjob 				return 0;
10250b5aa37fSjob 			break;
10260b5aa37fSjob 		}
10270b5aa37fSjob 	}
10280b5aa37fSjob 
10290b5aa37fSjob 	return 1;
10300b5aa37fSjob }
10310b5aa37fSjob 
10320b5aa37fSjob /*
10334809fbfdStb  * Test whether child is a subset of parent.
10340b5aa37fSjob  */
10351a94ae9bSjob int
X509v3_asid_subset(ASIdentifiers * child,ASIdentifiers * parent)10364809fbfdStb X509v3_asid_subset(ASIdentifiers *child, ASIdentifiers *parent)
10370b5aa37fSjob {
10384809fbfdStb 	if (child == NULL || child == parent)
10394809fbfdStb 		return 1;
1040592c9208Stb 
10414809fbfdStb 	if (parent == NULL)
10424809fbfdStb 		return 0;
10434809fbfdStb 
10444809fbfdStb 	if (X509v3_asid_inherits(child) || X509v3_asid_inherits(parent))
10454809fbfdStb 		return 0;
10464809fbfdStb 
10474809fbfdStb 	if (child->asnum != NULL) {
10484809fbfdStb 		if (parent->asnum == NULL)
10494809fbfdStb 			return 0;
10504809fbfdStb 
10514809fbfdStb 		if (!asid_contains(parent->asnum->u.asIdsOrRanges,
10524809fbfdStb 		    child->asnum->u.asIdsOrRanges))
10534809fbfdStb 			return 0;
10544809fbfdStb 	}
10554809fbfdStb 
10564809fbfdStb 	if (child->rdi != NULL) {
10574809fbfdStb 		if (parent->rdi == NULL)
10584809fbfdStb 			return 0;
10594809fbfdStb 
10604809fbfdStb 		if (!asid_contains(parent->rdi->u.asIdsOrRanges,
10614809fbfdStb 		    child->rdi->u.asIdsOrRanges))
10624809fbfdStb 			return 0;
10634809fbfdStb 	}
10644809fbfdStb 
10654809fbfdStb 	return 1;
10660b5aa37fSjob }
1067cedac418Stb LCRYPTO_ALIAS(X509v3_asid_subset);
10680b5aa37fSjob 
10690b5aa37fSjob /*
10700b5aa37fSjob  * Validation error handling via callback.
10710b5aa37fSjob  */
10720b5aa37fSjob #define validation_err(_err_)           \
10730b5aa37fSjob   do {                                  \
10740b5aa37fSjob     if (ctx != NULL) {                  \
10750b5aa37fSjob       ctx->error = _err_;               \
10760b5aa37fSjob       ctx->error_depth = i;             \
10770b5aa37fSjob       ctx->current_cert = x;            \
10780b5aa37fSjob       ret = ctx->verify_cb(0, ctx);     \
10790b5aa37fSjob     } else {                            \
10800b5aa37fSjob       ret = 0;                          \
10810b5aa37fSjob     }                                   \
10820b5aa37fSjob     if (!ret)                           \
10830b5aa37fSjob       goto done;                        \
10840b5aa37fSjob   } while (0)
10850b5aa37fSjob 
10860b5aa37fSjob /*
10870b5aa37fSjob  * Core code for RFC 3779 3.3 path validation.
10880b5aa37fSjob  */
10891a94ae9bSjob static int
asid_validate_path_internal(X509_STORE_CTX * ctx,STACK_OF (X509)* chain,ASIdentifiers * ext)10901a94ae9bSjob asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
10910b5aa37fSjob     ASIdentifiers *ext)
10920b5aa37fSjob {
10930b5aa37fSjob 	ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
10940b5aa37fSjob 	int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
10950b5aa37fSjob 	X509 *x;
10960b5aa37fSjob 
10974e76aadeStb 	/* We need a non-empty chain to test against. */
10984e76aadeStb 	if (sk_X509_num(chain) <= 0)
10994e76aadeStb 		goto err;
11004e76aadeStb 	/* We need either a store ctx or an extension to work with. */
11014e76aadeStb 	if (ctx == NULL && ext == NULL)
11024e76aadeStb 		goto err;
11034e76aadeStb 	/* If there is a store ctx, it needs a verify_cb. */
11044e76aadeStb 	if (ctx != NULL && ctx->verify_cb == NULL)
11054e76aadeStb 		goto err;
11060b5aa37fSjob 
11070b5aa37fSjob 	/*
1108f34e4695Stb 	 * Figure out where to start. If we don't have an extension to check,
1109f34e4695Stb 	 * (either extracted from the leaf or passed by the caller), we're done.
1110f34e4695Stb 	 * Otherwise, check canonical form and set up for walking up the chain.
11110b5aa37fSjob 	 */
11120b5aa37fSjob 	if (ext != NULL) {
11130b5aa37fSjob 		i = -1;
11140b5aa37fSjob 		x = NULL;
11151b14589dStb 		if (!X509v3_asid_is_canonical(ext))
11161b14589dStb 			validation_err(X509_V_ERR_INVALID_EXTENSION);
11170b5aa37fSjob 	} else {
11180b5aa37fSjob 		i = 0;
11190b5aa37fSjob 		x = sk_X509_value(chain, i);
11201b14589dStb 		if ((X509_get_extension_flags(x) & EXFLAG_INVALID) != 0)
11211b14589dStb 			goto done;
11220b5aa37fSjob 		if ((ext = x->rfc3779_asid) == NULL)
11230b5aa37fSjob 			goto done;
11240b5aa37fSjob 	}
11250b5aa37fSjob 	if (ext->asnum != NULL) {
11260b5aa37fSjob 		switch (ext->asnum->type) {
11270b5aa37fSjob 		case ASIdentifierChoice_inherit:
11280b5aa37fSjob 			inherit_as = 1;
11290b5aa37fSjob 			break;
11300b5aa37fSjob 		case ASIdentifierChoice_asIdsOrRanges:
11310b5aa37fSjob 			child_as = ext->asnum->u.asIdsOrRanges;
11320b5aa37fSjob 			break;
11330b5aa37fSjob 		}
11340b5aa37fSjob 	}
11350b5aa37fSjob 	if (ext->rdi != NULL) {
11360b5aa37fSjob 		switch (ext->rdi->type) {
11370b5aa37fSjob 		case ASIdentifierChoice_inherit:
11380b5aa37fSjob 			inherit_rdi = 1;
11390b5aa37fSjob 			break;
11400b5aa37fSjob 		case ASIdentifierChoice_asIdsOrRanges:
11410b5aa37fSjob 			child_rdi = ext->rdi->u.asIdsOrRanges;
11420b5aa37fSjob 			break;
11430b5aa37fSjob 		}
11440b5aa37fSjob 	}
11450b5aa37fSjob 
11460b5aa37fSjob 	/*
11470b5aa37fSjob 	 * Now walk up the chain.  Extensions must be in canonical form, no
11480b5aa37fSjob 	 * cert may list resources that its parent doesn't list.
11490b5aa37fSjob 	 */
11500b5aa37fSjob 	for (i++; i < sk_X509_num(chain); i++) {
11510b5aa37fSjob 		x = sk_X509_value(chain, i);
11528e54c06aSjob 
11531b14589dStb 		if ((X509_get_extension_flags(x) & EXFLAG_INVALID) != 0)
11541b14589dStb 			validation_err(X509_V_ERR_INVALID_EXTENSION);
11550b5aa37fSjob 		if (x->rfc3779_asid == NULL) {
11560b5aa37fSjob 			if (child_as != NULL || child_rdi != NULL)
11570b5aa37fSjob 				validation_err(X509_V_ERR_UNNESTED_RESOURCE);
11580b5aa37fSjob 			continue;
11590b5aa37fSjob 		}
11600b5aa37fSjob 		if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
11610b5aa37fSjob 			validation_err(X509_V_ERR_UNNESTED_RESOURCE);
11620b5aa37fSjob 			child_as = NULL;
11630b5aa37fSjob 			inherit_as = 0;
11640b5aa37fSjob 		}
11650b5aa37fSjob 		if (x->rfc3779_asid->asnum != NULL &&
11660b5aa37fSjob 		    x->rfc3779_asid->asnum->type ==
11670b5aa37fSjob 		    ASIdentifierChoice_asIdsOrRanges) {
11681a94ae9bSjob 			if (inherit_as ||
11691a94ae9bSjob 			    asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges,
11700b5aa37fSjob 			    child_as)) {
11710b5aa37fSjob 				child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
11720b5aa37fSjob 				inherit_as = 0;
11730b5aa37fSjob 			} else {
11740b5aa37fSjob 				validation_err(X509_V_ERR_UNNESTED_RESOURCE);
11750b5aa37fSjob 			}
11760b5aa37fSjob 		}
11770b5aa37fSjob 		if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
11780b5aa37fSjob 			validation_err(X509_V_ERR_UNNESTED_RESOURCE);
11790b5aa37fSjob 			child_rdi = NULL;
11800b5aa37fSjob 			inherit_rdi = 0;
11810b5aa37fSjob 		}
11820b5aa37fSjob 		if (x->rfc3779_asid->rdi != NULL &&
11830b5aa37fSjob 		    x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) {
11840b5aa37fSjob 			if (inherit_rdi ||
11850b5aa37fSjob 			    asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges,
11860b5aa37fSjob 			    child_rdi)) {
11870b5aa37fSjob 				child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
11880b5aa37fSjob 				inherit_rdi = 0;
11890b5aa37fSjob 			} else {
11900b5aa37fSjob 				validation_err(X509_V_ERR_UNNESTED_RESOURCE);
11910b5aa37fSjob 			}
11920b5aa37fSjob 		}
11930b5aa37fSjob 	}
11940b5aa37fSjob 
11950b5aa37fSjob 	/*
11960b5aa37fSjob 	 * Trust anchor can't inherit.
11970b5aa37fSjob 	 */
11984e76aadeStb 
11994e76aadeStb 	if (x == NULL)
12004e76aadeStb 		goto err;
12018e54c06aSjob 
12020b5aa37fSjob 	if (x->rfc3779_asid != NULL) {
12030b5aa37fSjob 		if (x->rfc3779_asid->asnum != NULL &&
12040b5aa37fSjob 		    x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
12050b5aa37fSjob 			validation_err(X509_V_ERR_UNNESTED_RESOURCE);
12060b5aa37fSjob 		if (x->rfc3779_asid->rdi != NULL &&
12070b5aa37fSjob 		    x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
12080b5aa37fSjob 			validation_err(X509_V_ERR_UNNESTED_RESOURCE);
12090b5aa37fSjob 	}
12100b5aa37fSjob 
12110b5aa37fSjob  done:
12120b5aa37fSjob 	return ret;
12134e76aadeStb 
12144e76aadeStb  err:
12154e76aadeStb 	if (ctx != NULL)
12164e76aadeStb 		ctx->error = X509_V_ERR_UNSPECIFIED;
12174e76aadeStb 
12184e76aadeStb 	return 0;
12190b5aa37fSjob }
12200b5aa37fSjob 
12210b5aa37fSjob #undef validation_err
12220b5aa37fSjob 
12230b5aa37fSjob /*
12240b5aa37fSjob  * RFC 3779 3.3 path validation -- called from X509_verify_cert().
12250b5aa37fSjob  */
12261a94ae9bSjob int
X509v3_asid_validate_path(X509_STORE_CTX * ctx)12271a94ae9bSjob X509v3_asid_validate_path(X509_STORE_CTX *ctx)
12280b5aa37fSjob {
12294e76aadeStb 	if (sk_X509_num(ctx->chain) <= 0 || ctx->verify_cb == NULL) {
12300b5aa37fSjob 		ctx->error = X509_V_ERR_UNSPECIFIED;
12310b5aa37fSjob 		return 0;
12320b5aa37fSjob 	}
12330b5aa37fSjob 	return asid_validate_path_internal(ctx, ctx->chain, NULL);
12340b5aa37fSjob }
1235cedac418Stb LCRYPTO_ALIAS(X509v3_asid_validate_path);
12360b5aa37fSjob 
12370b5aa37fSjob /*
12380b5aa37fSjob  * RFC 3779 3.3 path validation of an extension.
12390b5aa37fSjob  * Test whether chain covers extension.
12400b5aa37fSjob  */
12411a94ae9bSjob int
X509v3_asid_validate_resource_set(STACK_OF (X509)* chain,ASIdentifiers * ext,int allow_inheritance)12421a94ae9bSjob X509v3_asid_validate_resource_set(STACK_OF(X509) *chain, ASIdentifiers *ext,
12431a94ae9bSjob     int allow_inheritance)
12440b5aa37fSjob {
12450b5aa37fSjob 	if (ext == NULL)
12460b5aa37fSjob 		return 1;
12474e76aadeStb 	if (sk_X509_num(chain) <= 0)
12480b5aa37fSjob 		return 0;
12490b5aa37fSjob 	if (!allow_inheritance && X509v3_asid_inherits(ext))
12500b5aa37fSjob 		return 0;
12510b5aa37fSjob 	return asid_validate_path_internal(NULL, chain, ext);
12520b5aa37fSjob }
1253cedac418Stb LCRYPTO_ALIAS(X509v3_asid_validate_resource_set);
12540b5aa37fSjob 
12550b5aa37fSjob #endif                          /* OPENSSL_NO_RFC3779 */
1256