authorRob Austein <sra@hactrn.net>2006-08-16 07:40:43 +0000
committerRob Austein <sra@hactrn.net>2006-08-16 07:40:43 +0000
commit7eaa6a02cc58ae4cd47bdfc746bb3d256fe0693c (patch)
tree4df5b7a5e37b7e1e34e7ad248f8e283f270b43c2
parente8f93a484d9640c8c439e46a42cb878d7c2ea1de (diff)
Tweaks to get null inheritance working
svn path=/openssl/trunk/crypto/x509v3/v3_addr.c; revision=160
-rw-r--r--openssl/trunk/crypto/x509v3/v3_addr.c17
-rw-r--r--openssl/trunk/crypto/x509v3/v3_asid.c7
2 files changed, 18 insertions, 6 deletions
diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c
index 131aeffb..cea013e0 100644
--- a/openssl/trunk/crypto/x509v3/v3_addr.c
+++ b/openssl/trunk/crypto/x509v3/v3_addr.c
@@ -983,7 +983,13 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
x = sk_X509_value(ctx->chain, i);
assert(x != NULL);
if (x->rfc3779_addr == NULL) {
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
+ IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
+ if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
+ validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ break;
+ }
+ }
continue;
}
sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
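Review bot: The new branch for `x->rfc3779_addr == NULL` lets an ancestor with no address extension pass whenever every family in `child` is `IPAddressChoice_inherit`, and nothing in the code says why that is acceptable. As I read RFC 3779 section 2.3, every certificate on the path is expected to carry the extension, so this is a deliberate relaxation and deserves a comment, for example `/* ancestor has no RFC 3779 address extension: tolerated only while the child inherits every family */`. The `continue` leaves the inherited families unresolved, so the rest of v3_addr_validate_path, which lies outside the hunk, has to reject a chain in which inherit never meets concrete resources; that is worth confirming. The loop also reads `fc->ipAddressChoice->type` on data parsed from the certificate without a NULL check, which is safe only if the decoder guarantees the field is present.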
@@ -992,8 +998,13 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
if (fp == NULL) {
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
- } else if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
+ if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
+ validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ break;
+ }
+ continue;
+ }
+ if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
if (fc->ipAddressChoice->type == IPAddressChoice_inherit ||
addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
fc->ipAddressChoice->u.addressesOrRanges,
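Review bot: The `break` added after `validation_err(X509_V_ERR_UNNESTED_RESOURCE)` in the `fp == NULL` branch leaves the family loop at the first unmatched family, where the removed line raised the error and went on to the next one. If `validation_err` can return (for instance when a verify callback accepts the error; the macro is not shown here), the remaining families in `child` are then never compared against this ancestor. Either drop the `break` or state why stopping is intended, e.g. `/* first unnested family is enough; skip the rest for this ancestor */`. The loop header and the end of the `addr_contains` call are outside the hunk.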
diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index 0ecafb0c..bcc00200 100644
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
@@ -693,10 +693,11 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
x = sk_X509_value(ctx->chain, i);
assert(x != NULL);
if (x->rfc3779_asid == NULL) {
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ if (child_as != NULL || child_rdi != NULL)
+ validation_err(X509_V_ERR_UNNESTED_RESOURCE);
continue;
}
- if (x->rfc3779_asid->asnum == NULL && (child_as != NULL || inherit_as)) {
+ if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
child_as = NULL;
inherit_as = 0;
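Review bot: `inherit_as` and `inherit_rdi` are no longer consulted in any of the three changed conditions (the two here and the `rdi` test in the next hunk), so a pending inherit now passes silently through an ancestor that has no ASID extension or lacks the matching sub-field. Whether such an inherit is ever checked against concrete resources depends on code outside these hunks, so a comment on the intent would help, e.g. `/* an inheriting child is carried past ancestors without AS resources; it must be resolved further up the chain */`. Separately, the new `if (child_as != NULL || child_rdi != NULL)` guards the `validation_err` macro without braces, unlike the matching change in v3_addr.c; `{ validation_err(X509_V_ERR_UNNESTED_RESOURCE); }` is safer around a macro.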
@@ -711,7 +712,7 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
}
}
- if (x->rfc3779_asid->rdi == NULL && (child_rdi != NULL || inherit_rdi)) {
+ if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
child_rdi = NULL;
inherit_rdi = 0;