Commit 42d7d7dd authored by Matt Caswell's avatar Matt Caswell
Browse files

Remove OPENSSL_assert() from crypto/x509v3 



Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3740)
parent 24664a3b

crypto/x509v3/v3_addr.c

+36 −11
Original line number Diff line number Diff line
@@ -340,7 +340,8 @@ static int range_should_be_prefix(const unsigned char *min, 
    unsigned char mask;

    int i, j;



    OPENSSL_assert(memcmp(min, max, length) <= 0);

    if (memcmp(min, max, length) <= 0)

        return -1;

    for (i = 0; i < length && min[i] == max[i]; i++) ;

    for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;

    if (i < j)
@@ -429,7 +430,8 @@ static int make_addressRange(IPAddressOrRange **result, 
    if ((aor = IPAddressOrRange_new()) == NULL)

        return 0;

    aor->type = IPAddressOrRange_addressRange;

    OPENSSL_assert(aor->u.addressRange == NULL);

    if (!ossl_assert(aor->u.addressRange == NULL))

        return 0;

    if ((aor->u.addressRange = IPAddressRange_new()) == NULL)

        goto err;

    if (aor->u.addressRange->min == NULL &&
@@ -496,7 +498,8 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 


    for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {

        f = sk_IPAddressFamily_value(addr, i);

        OPENSSL_assert(f->addressFamily->data != NULL);

        if (!ossl_assert(f->addressFamily->data != NULL))

            goto err;

        if (f->addressFamily->length == keylen &&

            !memcmp(f->addressFamily->data, key, keylen))

            return f;
@@ -875,7 +878,8 @@ int X509v3_addr_canonize(IPAddrBlocks *addr) 
    }

    (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);

    sk_IPAddressFamily_sort(addr);

    OPENSSL_assert(X509v3_addr_is_canonical(addr));

    if (!ossl_assert(X509v3_addr_is_canonical(addr)))

        return 0;

    return 1;

}
@@ -1180,9 +1184,13 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, 
    int i, j, ret = 1;

    X509 *x;



    OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);

    OPENSSL_assert(ctx != NULL || ext != NULL);

    OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);

    if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)

            || !ossl_assert(ctx != NULL || ext != NULL)

            || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {

        if (ctx != NULL)

            ctx->error = X509_V_ERR_UNSPECIFIED;

        return 0;

    }



    /*

     * Figure out where to start.  If we don't have an extension to
@@ -1195,7 +1203,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, 
    } else {

        i = 0;

        x = sk_X509_value(chain, i);

        OPENSSL_assert(x != NULL);

        if (!ossl_assert(x != NULL)) {

            if (ctx != NULL)

                ctx->error = X509_V_ERR_UNSPECIFIED;

            return 0;

        }

        if ((ext = x->rfc3779_addr) == NULL)

            goto done;

    }
@@ -1205,6 +1217,7 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, 
    if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {

        X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL,

                  ERR_R_MALLOC_FAILURE);

        if (ctx != NULL)

            ctx->error = X509_V_ERR_OUT_OF_MEM;

        ret = 0;

        goto done;
@@ -1216,7 +1229,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, 
     */

    for (i++; i < sk_X509_num(chain); i++) {

        x = sk_X509_value(chain, i);

        OPENSSL_assert(x != NULL);

        if (!ossl_assert(x != NULL)) {

            if (ctx != NULL)

                ctx->error = X509_V_ERR_UNSPECIFIED;

            return 0;

        }

        if (!X509v3_addr_is_canonical(x->rfc3779_addr))

            validation_err(X509_V_ERR_INVALID_EXTENSION);

        if (x->rfc3779_addr == NULL) {
@@ -1260,7 +1277,11 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, 
    /*

     * Trust anchor can't inherit.

     */

    OPENSSL_assert(x != NULL);

    if (!ossl_assert(x != NULL)) {

        if (ctx != NULL)

            ctx->error = X509_V_ERR_UNSPECIFIED;

        return 0;

    }

    if (x->rfc3779_addr != NULL) {

        for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {

            IPAddressFamily *fp =
@@ -1283,6 +1304,10 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, 
 */

int X509v3_addr_validate_path(X509_STORE_CTX *ctx)

{

    if (ctx->chain == NULL

            || sk_X509_num(ctx->chain) == 0

            || ctx->verify_cb == NULL)

        return 0;

    return addr_validate_path_internal(ctx, ctx->chain, NULL);

}

crypto/x509v3/v3_asid.c

+63 −30
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ 
 * Implementation of RFC 3779 section 3.2.

 */



#include <assert.h>

#include <stdio.h>

#include <string.h>

#include "internal/cryptlib.h"
@@ -123,11 +124,11 @@ static int ASIdOrRange_cmp(const ASIdOrRange *const *a_, 
{

    const ASIdOrRange *a = *a_, *b = *b_;



    OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||

    assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||

           (a->type == ASIdOrRange_range && a->u.range != NULL &&

            a->u.range->min != NULL && a->u.range->max != NULL));



    OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||

    assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||

           (b->type == ASIdOrRange_range && b->u.range != NULL &&

            b->u.range->min != NULL && b->u.range->max != NULL));
@@ -167,7 +168,8 @@ int X509v3_asid_add_inherit(ASIdentifiers *asid, int which) 
    if (*choice == NULL) {

        if ((*choice = ASIdentifierChoice_new()) == NULL)

            return 0;

        OPENSSL_assert((*choice)->u.inherit == NULL);

        if (!ossl_assert((*choice)->u.inherit == NULL))

            return 0;

        if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)

            return 0;

        (*choice)->type = ASIdentifierChoice_inherit;
@@ -200,7 +202,8 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid, 
    if (*choice == NULL) {

        if ((*choice = ASIdentifierChoice_new()) == NULL)

            return 0;

        OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);

        if (!ossl_assert((*choice)->u.asIdsOrRanges == NULL))

            return 0;

        (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);

        if ((*choice)->u.asIdsOrRanges == NULL)

            return 0;
@@ -232,20 +235,23 @@ int X509v3_asid_add_id_or_range(ASIdentifiers *asid, 
/*

 * Extract min and max values from an ASIdOrRange.

 */

static void extract_min_max(ASIdOrRange *aor,

static int extract_min_max(ASIdOrRange *aor,

                           ASN1_INTEGER **min, ASN1_INTEGER **max)

{

    OPENSSL_assert(aor != NULL && min != NULL && max != NULL);

    if (!ossl_assert(aor != NULL && min != NULL && max != NULL))

        return 0;

    switch (aor->type) {

    case ASIdOrRange_id:

        *min = aor->u.id;

        *max = aor->u.id;

        return;

        return 1;

    case ASIdOrRange_range:

        *min = aor->u.range->min;

        *max = aor->u.range->max;

        return;

        return 1;

    }



    return 0;

}



/*
@@ -279,8 +285,9 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) 
        ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =

            NULL;



        extract_min_max(a, &a_min, &a_max);

        extract_min_max(b, &b_min, &b_max);

        if (!extract_min_max(a, &a_min, &a_max)

                || !extract_min_max(b, &b_min, &b_max))

            goto done;



        /*

         * Punt misordered list, overlapping start, or inverted range.
@@ -318,8 +325,8 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) 
        ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);

        ASN1_INTEGER *a_min, *a_max;

        if (a != NULL && a->type == ASIdOrRange_range) {

            extract_min_max(a, &a_min, &a_max);

            if (ASN1_INTEGER_cmp(a_min, a_max) > 0)

            if (!extract_min_max(a, &a_min, &a_max)

                    || ASN1_INTEGER_cmp(a_min, a_max) > 0)

                goto done;

        }

    }
@@ -382,13 +389,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) 
        ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =

            NULL;



        extract_min_max(a, &a_min, &a_max);

        extract_min_max(b, &b_min, &b_max);

        if (!extract_min_max(a, &a_min, &a_max)

                || !extract_min_max(b, &b_min, &b_max))

            goto done;



        /*

         * Make sure we're properly sorted (paranoia).

         */

        OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);

        if (!ossl_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0))

            goto done;



        /*

         * Punt inverted ranges.
@@ -464,13 +473,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) 
        ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);

        ASN1_INTEGER *a_min, *a_max;

        if (a != NULL && a->type == ASIdOrRange_range) {

            extract_min_max(a, &a_min, &a_max);

            if (ASN1_INTEGER_cmp(a_min, a_max) > 0)

            if (!extract_min_max(a, &a_min, &a_max)

                    || ASN1_INTEGER_cmp(a_min, a_max) > 0)

                goto done;

        }

    }



    OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */

    /* Paranoia */

    if (!ossl_assert(ASIdentifierChoice_is_canonical(choice)))

        goto done;



    ret = 1;
@@ -655,7 +666,8 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) 


    p = 0;

    for (c = 0; c < sk_ASIdOrRange_num(child); c++) {

        extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max);

        if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max))

            return 0;

        for (;; p++) {

            if (p >= sk_ASIdOrRange_num(parent))

                return 0;
@@ -715,9 +727,14 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx, 
    int i, ret = 1, inherit_as = 0, inherit_rdi = 0;

    X509 *x;



    OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);

    OPENSSL_assert(ctx != NULL || ext != NULL);

    OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);

    if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)

            || !ossl_assert(ctx != NULL || ext != NULL)

            || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {

        if (ctx != NULL)

            ctx->error = X509_V_ERR_UNSPECIFIED;

        return 0;

    }





    /*

     * Figure out where to start.  If we don't have an extension to
@@ -730,7 +747,11 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx, 
    } else {

        i = 0;

        x = sk_X509_value(chain, i);

        OPENSSL_assert(x != NULL);

        if (!ossl_assert(x != NULL)) {

            if (ctx != NULL)

                ctx->error = X509_V_ERR_UNSPECIFIED;

            return 0;

        }

        if ((ext = x->rfc3779_asid) == NULL)

            goto done;

    }
@@ -763,7 +784,11 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx, 
     */

    for (i++; i < sk_X509_num(chain); i++) {

        x = sk_X509_value(chain, i);

        OPENSSL_assert(x != NULL);

        if (!ossl_assert(x != NULL)) {

            if (ctx != NULL)

                ctx->error = X509_V_ERR_UNSPECIFIED;

            return 0;

        }

        if (x->rfc3779_asid == NULL) {

            if (child_as != NULL || child_rdi != NULL)

                validation_err(X509_V_ERR_UNNESTED_RESOURCE);
@@ -809,7 +834,11 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx, 
    /*

     * Trust anchor can't inherit.

     */

    OPENSSL_assert(x != NULL);

    if (!ossl_assert(x != NULL)) {

        if (ctx != NULL)

            ctx->error = X509_V_ERR_UNSPECIFIED;

        return 0;

    }

    if (x->rfc3779_asid != NULL) {

        if (x->rfc3779_asid->asnum != NULL &&

            x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
@@ -830,6 +859,10 @@ static int asid_validate_path_internal(X509_STORE_CTX *ctx, 
 */

int X509v3_asid_validate_path(X509_STORE_CTX *ctx)

{

    if (ctx->chain == NULL

            || sk_X509_num(ctx->chain) == 0

            || ctx->verify_cb == NULL)

        return 0;

    return asid_validate_path_internal(ctx, ctx->chain, NULL);

}