Diffstat (limited to 'openssl/trunk/crypto/x509v3')
-rw-r--r-- | openssl/trunk/crypto/x509v3/v3_addr.c | 17 | ||||
-rw-r--r-- | openssl/trunk/crypto/x509v3/v3_asid.c | 7 |
2 files changed, 18 insertions, 6 deletions
diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c
index 131aeffb..cea013e0 100644
--- a/openssl/trunk/crypto/x509v3/v3_addr.c
+++ b/openssl/trunk/crypto/x509v3/v3_addr.c
@@ -983,7 +983,13 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
 x = sk_X509_value(ctx->chain, i);
 assert(x != NULL);
 if (x->rfc3779_addr == NULL) {
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
+ IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
+ if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
+ validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ break;
+ }
+ }
 continue;
 }
 sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
@@ -992,8 +998,13 @@ int v3_addr_validate_path(X509_STORE_CTX *ctx)
 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
 if (fp == NULL) {
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
- } else if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
+ if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
+ validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ break;
+ }
+ continue;
+ }
+ if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
 if (fc->ipAddressChoice->type == IPAddressChoice_inherit ||
 addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
 fc->ipAddressChoice->u.addressesOrRanges,
diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index 0ecafb0c..bcc00200 100644
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
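Review bot: The new loop at -983 in `v3_addr_validate_path` relaxes a path-validation rule without recording it in the code: an ancestor with no `rfc3779_addr` extension used to fail unconditionally and is now accepted whenever every family in `child` is `IPAddressChoice_inherit`. An unresolved inherit is then carried to the next certificate, so the final outcome depends on the trust-anchor handling outside this hunk, which is not visible here and should be confirmed. I would add a comment above the loop, for example `/* Ancestor without the extension: acceptable only if the child claims nothing explicit (inherit-only) */`, and a regression test with an inherit-only chain whose ancestors never carry the extension. The enclosing function starts and ends outside the hunk.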
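Review bot: In the `fp == NULL` branch at -992 the added `break` leaves the loop over `child` after the first unnested family, so any later families are never compared with this ancestor. If `validation_err` lets a verify callback override the error and carry on (its definition is not visible here), those families move up to the next certificate unchecked against this one, and a second unnested family could go unreported. Consider `validation_err(X509_V_ERR_UNNESTED_RESOURCE); continue;` in that branch, or a comment stating that stopping at the first failure is intended. The loop body continues past the end of the hunk.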
@@ -693,10 +693,11 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
 x = sk_X509_value(ctx->chain, i);
 assert(x != NULL);
 if (x->rfc3779_asid == NULL) {
- validation_err(X509_V_ERR_UNNESTED_RESOURCE);
+ if (child_as != NULL || child_rdi != NULL)
+ validation_err(X509_V_ERR_UNNESTED_RESOURCE);
 continue;
 }
- if (x->rfc3779_asid->asnum == NULL && (child_as != NULL || inherit_as)) {
+ if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
 child_as = NULL;
 inherit_as = 0;
@@ -711,7 +712,7 @@ int v3_asid_validate_path(X509_STORE_CTX *ctx)
 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
 }
 }
- if (x->rfc3779_asid->rdi == NULL && (child_rdi != NULL || inherit_rdi)) {
+ if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
 child_rdi = NULL;
 inherit_rdi = 0; |
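Review bot: Dropping `|| inherit_as` from the `asnum == NULL` test (and `|| inherit_rdi` from the `rdi == NULL` test in the hunk at -711) means an inherit-only child no longer fails at an ancestor that lacks the element, and the `inherit_as = 0;` / `inherit_rdi = 0;` resets inside those blocks are skipped, so the flag stays pending further up the chain. Whether a still-pending inherit is rejected at the trust anchor is decided outside these hunks and should be confirmed, since otherwise a chain could validate with inherit never resolved to concrete AS resources. A comment on each test such as `/* inherit stays pending until an ancestor supplies explicit values */` would record the intent. Separately, the new unbraced `if (child_as != NULL || child_rdi != NULL)` wraps what looks like a macro (definition not shown); bracing it would match the braced conditionals added in v3_addr.c and remove any dependence on the macro's shape.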