Skip to content

Commit

Permalink
Remove OPENSSL_assert() from crypto/x509v3
Browse files Browse the repository at this point in the history 
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from openssl#3740)
  • Loading branch information
@mattcaswell
mattcaswell committed Aug 21, 2017
1 parent 24664a3 commit 42d7d7d
Show file tree
Hide file tree
Showing 2 changed files with 99 additions and 41 deletions.
47 changes: 36 additions & 11 deletions crypto/x509v3/v3_addr.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -340,7 +340,8 @@ static int range_should_be_prefix(const unsigned char *min,
unsigned char mask;
int i, j;

OPENSSL_assert(memcmp(min, max, length) <= 0);
if (memcmp(min, max, length) <= 0)
return -1;
for (i = 0; i < length && min[i] == max[i]; i++) ;
for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
if (i < j)
Expand Down Expand Up @@ -429,7 +430,8 @@ static int make_addressRange(IPAddressOrRange **result,
if ((aor = IPAddressOrRange_new()) == NULL)
return 0;
aor->type = IPAddressOrRange_addressRange;
OPENSSL_assert(aor->u.addressRange == NULL);
if (!ossl_assert(aor->u.addressRange == NULL))
return 0;
if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
goto err;
if (aor->u.addressRange->min == NULL &&
Expand Down Expand Up @@ -496,7 +498,8 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,

for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
f = sk_IPAddressFamily_value(addr, i);
OPENSSL_assert(f->addressFamily->data != NULL);
if (!ossl_assert(f->addressFamily->data != NULL))
goto err;
if (f->addressFamily->length == keylen &&
!memcmp(f->addressFamily->data, key, keylen))
return f;
Expand Down Expand Up @@ -875,7 +878,8 @@ int X509v3_addr_canonize(IPAddrBlocks *addr)
}
(void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
sk_IPAddressFamily_sort(addr);
OPENSSL_assert(X509v3_addr_is_canonical(addr));
if (!ossl_assert(X509v3_addr_is_canonical(addr)))
return 0;
return 1;
}

Expand Down Expand Up @@ -1180,9 +1184,13 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
int i, j, ret = 1;
X509 *x;

OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
OPENSSL_assert(ctx != NULL || ext != NULL);
OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
|| !ossl_assert(ctx != NULL || ext != NULL)
|| !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
if (ctx != NULL)
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}

/*
* Figure out where to start. If we don't have an extension to
Expand All @@ -1195,7 +1203,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
} else {
i = 0;
x = sk_X509_value(chain, i);
OPENSSL_assert(x != NULL);
if (!ossl_assert(x != NULL)) {
if (ctx != NULL)
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}
if ((ext = x->rfc3779_addr) == NULL)
goto done;
}
Expand All @@ -1205,7 +1217,8 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL,
ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
if (ctx != NULL)
ctx->error = X509_V_ERR_OUT_OF_MEM;
ret = 0;
goto done;
}
Expand All @@ -1216,7 +1229,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
*/
for (i++; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
OPENSSL_assert(x != NULL);
if (!ossl_assert(x != NULL)) {
if (ctx != NULL)
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}
if (!X509v3_addr_is_canonical(x->rfc3779_addr))
validation_err(X509_V_ERR_INVALID_EXTENSION);
if (x->rfc3779_addr == NULL) {
Expand Down Expand Up @@ -1260,7 +1277,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
/*
* Trust anchor can't inherit.
*/
OPENSSL_assert(x != NULL);
if (!ossl_assert(x != NULL)) {
if (ctx != NULL)
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}
if (x->rfc3779_addr != NULL) {
for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
IPAddressFamily *fp =
Expand All @@ -1283,6 +1304,10 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
*/
int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
{
if (ctx->chain == NULL
|| sk_X509_num(ctx->chain) == 0
|| ctx->verify_cb == NULL)
return 0;
return addr_validate_path_internal(ctx, ctx->chain, NULL);
}

Expand Down
93 changes: 63 additions & 30 deletions crypto/x509v3/v3_asid.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
* Implementation of RFC 3779 section 3.2.
*/

#include <assert.h>
#include <stdio.h>
#include <string.h>
#include "internal/cryptlib.h"
Expand Down Expand Up @@ -123,13 +124,13 @@ static int ASIdOrRange_cmp(const ASIdOrRange *const *a_,
{
const ASIdOrRange *a = *a_, *b = *b_;

OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
(a->type == ASIdOrRange_range && a->u.range != NULL &&
a->u.range->min != NULL && a->u.range->max != NULL));
assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
(a->type == ASIdOrRange_range && a->u.range != NULL &&
a->u.range->min != NULL && a->u.range->max != NULL));

OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
(b->type == ASIdOrRange_range && b->u.range != NULL &&
b->u.range->min != NULL && b->u.range->max != NULL));
assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
(b->type == ASIdOrRange_range && b->u.range != NULL &&
b->u.range->min != NULL && b->u.range->max != NULL));

if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
return ASN1_INTEGER_cmp(a->u.id, b->u.id);
Expand Down Expand Up @@ -167,7 +168,8 @@ int X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
OPENSSL_assert((*choice)->u.inherit == NULL);
if (!ossl_assert((*choice)->u.inherit == NULL))
return 0;
if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
return 0;
(*choice)->type = ASIdentifierChoice_inherit;
Expand Down Expand Up @@ -200,7 +202,8 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
if (!ossl_assert((*choice)->u.asIdsOrRanges == NULL))
return 0;
(*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
if ((*choice)->u.asIdsOrRanges == NULL)
return 0;
Expand Down Expand Up @@ -232,20 +235,23 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
/*
* Extract min and max values from an ASIdOrRange.
*/
static void extract_min_max(ASIdOrRange *aor,
ASN1_INTEGER **min, ASN1_INTEGER **max)
static int extract_min_max(ASIdOrRange *aor,
ASN1_INTEGER **min, ASN1_INTEGER **max)
{
OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
if (!ossl_assert(aor != NULL && min != NULL && max != NULL))
return 0;
switch (aor->type) {
case ASIdOrRange_id:
*min = aor->u.id;
*max = aor->u.id;
return;
return 1;
case ASIdOrRange_range:
*min = aor->u.range->min;
*max = aor->u.range->max;
return;
return 1;
}

return 0;
}

/*
Expand Down Expand Up @@ -279,8 +285,9 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =
NULL;

extract_min_max(a, &a_min, &a_max);
extract_min_max(b, &b_min, &b_max);
if (!extract_min_max(a, &a_min, &a_max)
|| !extract_min_max(b, &b_min, &b_max))
goto done;

/*
* Punt misordered list, overlapping start, or inverted range.
Expand Down Expand Up @@ -318,8 +325,8 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
ASN1_INTEGER *a_min, *a_max;
if (a != NULL && a->type == ASIdOrRange_range) {
extract_min_max(a, &a_min, &a_max);
if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
if (!extract_min_max(a, &a_min, &a_max)
|| ASN1_INTEGER_cmp(a_min, a_max) > 0)
goto done;
}
}
Expand Down Expand Up @@ -382,13 +389,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =
NULL;

extract_min_max(a, &a_min, &a_max);
extract_min_max(b, &b_min, &b_max);
if (!extract_min_max(a, &a_min, &a_max)
|| !extract_min_max(b, &b_min, &b_max))
goto done;

/*
* Make sure we're properly sorted (paranoia).
*/
OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
if (!ossl_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0))
goto done;

/*
* Punt inverted ranges.
Expand Down Expand Up @@ -464,13 +473,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
ASN1_INTEGER *a_min, *a_max;
if (a != NULL && a->type == ASIdOrRange_range) {
extract_min_max(a, &a_min, &a_max);
if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
if (!extract_min_max(a, &a_min, &a_max)
|| ASN1_INTEGER_cmp(a_min, a_max) > 0)
goto done;
}
}

OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
/* Paranoia */
if (!ossl_assert(ASIdentifierChoice_is_canonical(choice)))
goto done;

ret = 1;

Expand Down Expand Up @@ -655,7 +666,8 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)

p = 0;
for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max);
if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max))
return 0;
for (;; p++) {
if (p >= sk_ASIdOrRange_num(parent))
return 0;
Expand Down Expand Up @@ -715,9 +727,14 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
X509 *x;

OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
OPENSSL_assert(ctx != NULL || ext != NULL);
OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
|| !ossl_assert(ctx != NULL || ext != NULL)
|| !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
if (ctx != NULL)
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}


/*
* Figure out where to start. If we don't have an extension to
Expand All @@ -730,7 +747,11 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
} else {
i = 0;
x = sk_X509_value(chain, i);
OPENSSL_assert(x != NULL);
if (!ossl_assert(x != NULL)) {
if (ctx != NULL)
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}
if ((ext = x->rfc3779_asid) == NULL)
goto done;
}
Expand Down Expand Up @@ -763,7 +784,11 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
*/
for (i++; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
OPENSSL_assert(x != NULL);
if (!ossl_assert(x != NULL)) {
if (ctx != NULL)
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}
if (x->rfc3779_asid == NULL) {
if (child_as != NULL || child_rdi != NULL)
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
Expand Down Expand Up @@ -809,7 +834,11 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
/*
* Trust anchor can't inherit.
*/
OPENSSL_assert(x != NULL);
if (!ossl_assert(x != NULL)) {
if (ctx != NULL)
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}
if (x->rfc3779_asid != NULL) {
if (x->rfc3779_asid->asnum != NULL &&
x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
Expand All @@ -830,6 +859,10 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx,
*/
int X509v3_asid_validate_path(X509_STORE_CTX *ctx)
{
if (ctx->chain == NULL
|| sk_X509_num(ctx->chain) == 0
|| ctx->verify_cb == NULL)
return 0;
return asid_validate_path_internal(ctx, ctx->chain, NULL);
}

Expand Down

0 comments on commit 42d7d7d

Please sign in to comment.