authorRob Austein <sra@hactrn.net>2006-08-22 22:13:35 +0000
committerRob Austein <sra@hactrn.net>2006-08-22 22:13:35 +0000
commit352dd614a7af8974bd2cfaaa37a669d09cae0383 (patch)
tree799d3ba409d775e24029830cba87aa189cbfab5b /openssl
parentc3d03b59e33ac4b710a5665f6244ba4302362c60 (diff)
Reorganize slightly to make canonical form functions global.
svn path=/openssl/README; revision=174
Diffstat (limited to 'openssl')
-rw-r--r--openssl/README12
-rw-r--r--openssl/trunk/crypto/x509v3/v3_addr.c38
-rw-r--r--openssl/trunk/crypto/x509v3/v3_asid.c47
-rw-r--r--openssl/trunk/crypto/x509v3/v3err.c2
-rw-r--r--openssl/trunk/crypto/x509v3/x509v3.h10
5 files changed, 74 insertions, 35 deletions
diff --git a/openssl/README b/openssl/README
index 20fd46fd..a451e1dc 100644
--- a/openssl/README
+++ b/openssl/README
@@ -267,15 +267,12 @@ notes and questions at the end.
pass a ref to a data structure (or fill in a data struct or
whatever makes sense!)
- Status: Done other than a bit of reorganization.
+ Status: Done.
CLI: openssl x509, openssl req, .... Called automatically as part
of anything that reads RFC 3779 extensions from openssl.conf.
- API: Canonization routines themselves are currently static
- functions called by the routines that read extension data during
- request formation. Would require minor reorganization and cleanup
- to make the canonization routines themselves global functions.
+ API: v3_asid_canonize(), v3_addr_canonize().
4. 3779_cmp reads in 2 x 3779_canonicalised data sets and outputs a
comparison = EQUAL is the two are equal, or =SUBSET if data1 is a
@@ -287,14 +284,13 @@ notes and questions at the end.
5. is_3379_canonical tests a single data set and returns CANONICAL if
the resource is formatted according to 3779 or NOT is otherwise
- Status: Done other than a bit of reorganization.
+ Status: Done.
CLI: openssl verify calls this during path validation. No separate
program to perform just this function, would not be hard to write
one if it were needed.
- API: Currently static functions called during path validation.
- Would require minor reorganization and cleanup to make global.
+ API: v3_asid_is_canonical(), v3_addr_is_canonical().
6. is_in_cert takes a certificate and a resource set description and
checks if the certificate 'covers' the resource set The outpouts
diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c
index 01e509d2..88a53ab8 100644
--- a/openssl/trunk/crypto/x509v3/v3_addr.c
+++ b/openssl/trunk/crypto/x509v3/v3_addr.c
@@ -645,7 +645,7 @@ static int IPAddressFamily_cmp(const IPAddressFamily * const *a_,
/*
* Check whether an IPAddrBLocks is in canonical form.
*/
-static int IPAddrBlocks_is_canonical(IPAddrBlocks *addr)
+int v3_addr_is_canonical(IPAddrBlocks *addr)
{
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
@@ -748,7 +748,6 @@ static int IPAddrBlocks_is_canonical(IPAddrBlocks *addr)
return 1;
}
-
/*
* Whack an IPAddressOrRanges into canonical form.
*/
@@ -763,7 +762,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
sk_IPAddressOrRange_sort(aors);
/*
- * Resolve any duplicates or overlaps.
+ * Clean up representation issues, punt on duplicates or overlaps.
*/
for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
@@ -803,6 +802,24 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
}
/*
+ * Whack an IPAddrBlocks extension into canonical form.
+ */
+int v3_addr_canonize(IPAddrBlocks *addr)
+{
+ int i;
+ for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
+ IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+ if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
+ !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
+ afi_from_addressfamily(f)))
+ return 0;
+ }
+ sk_IPAddressFamily_sort(addr);
+ assert(v3_addr_is_canonical(addr));
+ return 1;
+}
+
+/*
* v2i handler for the IPAddrBlocks extension.
*/
static void *v2i_IPAddrBlocks(struct v3_ext_method *method,
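Review bot: `v3_addr_canonize()` enforces its postcondition only with `assert(v3_addr_is_canonical(addr))`, which compiles away under NDEBUG, so a release build returns 1 without ever checking the result. Now that the function is exported, I would turn the assertion into a real failure path: `if (!v3_addr_is_canonical(addr)) return 0;`. This matters more because the reworded comment in `IPAddressOrRanges_canonize()` says duplicates and overlaps are punted on, and the hunks shown do not make clear whether that means failing or leaving them in place. The `sk_IPAddressFamily_sort(addr)` call also depends on the stack already having a comparison function; `v3_addr_validate_path()` sets `IPAddressFamily_cmp` explicitly before using a stack, so a caller outside this file may need the same done here (confirm how such stacks are created).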
@@ -952,15 +969,8 @@ static void *v2i_IPAddrBlocks(struct v3_ext_method *method,
/*
* Canonize the result, then we're done.
*/
- for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
- IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
- if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
- !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
- afi_from_addressfamily(f)))
- goto err;
- }
- sk_IPAddressFamily_sort(addr);
- assert(IPAddrBlocks_is_canonical(addr));
+ if (!v3_addr_canonize(addr))
+ goto err;
return addr;
err:
@@ -1062,7 +1072,7 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
* certificate's extension. Make sure the extension is in canonical
* form first.
*/
- if (!IPAddrBlocks_is_canonical(x->rfc3779_addr))
+ if (!v3_addr_is_canonical(x->rfc3779_addr))
validation_err(X509_V_ERR_INVALID_EXTENSION);
sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
if ((child = sk_IPAddressFamily_dup(x->rfc3779_addr)) == NULL) {
@@ -1077,7 +1087,7 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
x = sk_X509_value(ctx->chain, i);
assert(x != NULL);
- if (!IPAddrBlocks_is_canonical(x->rfc3779_addr))
+ if (!v3_addr_is_canonical(x->rfc3779_addr))
validation_err(X509_V_ERR_INVALID_EXTENSION);
if (x->rfc3779_addr == NULL) {
for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index 58372270..c9c679e9 100644
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
@@ -239,7 +239,7 @@ static void extract_min_max(ASIdOrRange *aor,
/*
* Check whether an ASIdentifierChoice is in canonical form.
*/
-static int asid_is_canonical(ASIdentifierChoice *choice)
+static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
{
ASN1_INTEGER *a_max_plus_one = NULL;
BIGNUM *bn = NULL;
@@ -284,7 +284,8 @@ static int asid_is_canonical(ASIdentifierChoice *choice)
ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
!BN_add_word(bn, 1) ||
(a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
- X509V3err(X509V3_F_ASID_IS_CANONICAL, ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
+ ERR_R_MALLOC_FAILURE);
goto done;
}
@@ -304,9 +305,19 @@ static int asid_is_canonical(ASIdentifierChoice *choice)
}
/*
+ * Check whether an ASIdentifier extension is in canonical form.
+ */
+int v3_asid_is_canonical(ASIdentifiers *asid)
+{
+ return (asid == NULL ||
+ (ASIdentifierChoice_is_canonical(asid->asnum) ||
+ ASIdentifierChoice_is_canonical(asid->rdi)));
+}
+
+/*
* Whack an ASIdentifierChoice into canonical form.
*/
-static int asid_canonize(ASIdentifierChoice *choice)
+static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
{
ASN1_INTEGER *a_max_plus_one = NULL;
BIGNUM *bn = NULL;
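Review bot: The new `v3_asid_is_canonical()` joins the two per-choice checks with `||`, so it reports an extension as canonical when either `asnum` or `rdi` passes rather than requiring both. The two call sites in `v3_asid_validate_path()` that this commit rewrites (the hunks at -607 and -643) previously raised `X509_V_ERR_INVALID_EXTENSION` when either choice failed, so path validation now lets through an ASIdentifiers extension with one non-canonical choice. The inner operator should be `&&`, as in `v3_asid_canonize()` later in this file: `(ASIdentifierChoice_is_canonical(asid->asnum) && ASIdentifierChoice_is_canonical(asid->rdi))`.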
@@ -345,7 +356,8 @@ static int asid_canonize(ASIdentifierChoice *choice)
* Check for overlaps.
*/
if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
- X509V3err(X509V3_F_ASID_CANONIZE, X509V3_R_EXTENSION_VALUE_ERROR);
+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
+ X509V3_R_EXTENSION_VALUE_ERROR);
goto done;
}
@@ -356,7 +368,7 @@ static int asid_canonize(ASIdentifierChoice *choice)
ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
!BN_add_word(bn, 1) ||
(a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
- X509V3err(X509V3_F_ASID_CANONIZE, ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE);
goto done;
}
@@ -368,7 +380,8 @@ static int asid_canonize(ASIdentifierChoice *choice)
switch (a->type) {
case ASIdOrRange_id:
if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) {
- X509V3err(X509V3_F_ASID_CANONIZE, ERR_R_MALLOC_FAILURE);
+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
+ ERR_R_MALLOC_FAILURE);
goto done;
}
r->min = a_min;
@@ -396,7 +409,7 @@ static int asid_canonize(ASIdentifierChoice *choice)
}
}
- assert(asid_is_canonical(choice)); /* Paranoia */
+ assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
ret = 1;
@@ -407,6 +420,16 @@ static int asid_canonize(ASIdentifierChoice *choice)
}
/*
+ * Whack an ASIdentifier extension into canonical form.
+ */
+int v3_asid_canonize(ASIdentifiers *asid)
+{
+ return (asid == NULL ||
+ (ASIdentifierChoice_canonize(asid->asnum) &&
+ ASIdentifierChoice_canonize(asid->rdi)));
+}
+
+/*
* v2i method for an ASIdentifier extension.
*/
static void *v2i_ASIdentifiers(struct v3_ext_method *method,
@@ -511,8 +534,8 @@ static void *v2i_ASIdentifiers(struct v3_ext_method *method,
/*
* Canonize the result, then we're done.
*/
- asid_canonize(asid->asnum);
- asid_canonize(asid->rdi);
+ if (!v3_asid_canonize(asid))
+ goto err;
return asid;
err:
@@ -607,8 +630,7 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
* extension is in canonical form, then pull its resource lists
* so we can check whether its parents had them to grant.
*/
- if (!asid_is_canonical(x->rfc3779_asid->asnum) ||
- !asid_is_canonical(x->rfc3779_asid->rdi))
+ if (!v3_asid_is_canonical(x->rfc3779_asid))
validation_err(X509_V_ERR_INVALID_EXTENSION);
if (x->rfc3779_asid->asnum != NULL) {
switch (x->rfc3779_asid->asnum->type) {
@@ -643,8 +665,7 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
continue;
}
- if (!asid_is_canonical(x->rfc3779_asid->asnum) ||
- !asid_is_canonical(x->rfc3779_asid->rdi))
+ if (!v3_asid_is_canonical(x->rfc3779_asid))
validation_err(X509_V_ERR_INVALID_EXTENSION);
if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
validation_err(X509_V_ERR_UNNESTED_RESOURCE);
diff --git a/openssl/trunk/crypto/x509v3/v3err.c b/openssl/trunk/crypto/x509v3/v3err.c
index 2393e8c2..dca567ea 100644
--- a/openssl/trunk/crypto/x509v3/v3err.c
+++ b/openssl/trunk/crypto/x509v3/v3err.c
@@ -70,6 +70,8 @@
static ERR_STRING_DATA X509V3_str_functs[]=
{
+{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"},
+{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"},
{ERR_FUNC(X509V3_F_ASID_CANONIZE), "ASID_CANONIZE"},
{ERR_FUNC(X509V3_F_ASID_IS_CANONICAL), "ASID_IS_CANONICAL"},
{ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"},
diff --git a/openssl/trunk/crypto/x509v3/x509v3.h b/openssl/trunk/crypto/x509v3/x509v3.h
index 2e2e2e21..660b5c73 100644
--- a/openssl/trunk/crypto/x509v3/x509v3.h
+++ b/openssl/trunk/crypto/x509v3/x509v3.h
@@ -725,6 +725,14 @@ DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
#define IANA_AFI_IPV6 2
/*
+ * Canonical forms.
+ */
+int v3_asid_is_canonical(ASIdentifiers *asid);
+int v3_addr_is_canonical(IPAddrBlocks *addr);
+int v3_asid_canonize(ASIdentifiers *asid);
+int v3_addr_canonize(IPAddrBlocks *addr);
+
+/*
* Check whether RFC 3779 extensions nest properly.
*/
int v3_asid_validate_path(X509_STORE_CTX *);
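Review bot: The four new public prototypes are documented only by `Canonical forms.`, which tells a caller neither the return convention nor that the canonize functions modify their argument in place. As far as the definitions in this commit show, the functions return nonzero for canonical/success and 0 otherwise, and the two `v3_asid_*` functions treat a NULL `asid` as canonical while `v3_addr_canonize()` has no explicit NULL handling. I would expand the comment along the lines of `Return 1 if the extension is (or was rewritten in place into) canonical form, 0 on error; a NULL ASIdentifiers counts as canonical.`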
@@ -743,6 +751,8 @@ void ERR_load_X509V3_strings(void);
/* Error codes for the X509V3 functions. */
/* Function codes. */
+#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 161
+#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 162
#define X509V3_F_ASID_CANONIZE 159
#define X509V3_F_ASID_IS_CANONICAL 158
#define X509V3_F_COPY_EMAIL 122