From 3ba51255e5662338da485789a7f469d1c58c79ac Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Wed, 26 Jul 2006 19:48:46 +0000
Subject: Fix IPAddressFamily_cmp() to do what the authors of RFC 3779 probably meant.

svn path=/openssl/trunk/crypto/x509v3/v3_addr.c; revision=93
---
 openssl/trunk/crypto/x509v3/v3_addr.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
(limited to 'openssl/trunk/crypto/x509v3/v3_addr.c')

diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c
index 95e3672a..c209afb1 100644
--- a/openssl/trunk/crypto/x509v3/v3_addr.c
+++ b/openssl/trunk/crypto/x509v3/v3_addr.c
@@ -673,12 +673,22 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
 
 /*
 * Sort comparision function for a sequence of IPAddressFamily.
+ *
+ * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
+ * the ordering: I can read it as meaning that IPv6 without a SAFI
+ * comes before IPv4 with a SAFI, which seems pretty weird. The
+ * examples in appendix B suggest that the author intended the
+ * null-SAFI rule to apply only within a single AFI, which is what I
+ * would have expected and is what the following code implements.
 */
-static int IPAddressFamily_cmp(const IPAddressFamily * const *a,
- const IPAddressFamily * const *b)
+static int IPAddressFamily_cmp(const IPAddressFamily * const *a_,
+ const IPAddressFamily * const *b_)
 {
- return ASN1_OCTET_STRING_cmp((*a)->addressFamily,
- (*b)->addressFamily);
+ const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
+ const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
+ int len = (( a->length <= b->length) ? a->length : b->length);
+ int cmp = memcmp(a->data, b->data, len);
+ return cmp ? cmp : a->length - b->length;
 }
 
 /*
-- 
cgit v1.2.3
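Review bot: The new `IPAddressFamily_cmp()` hands `len` straight to `memcmp()` without checking that it is positive or that `a->data` and `b->data` are non-NULL. An `addressFamily` with length 0 and no buffer, or a negative `length` if one can ever reach this comparator, would be undefined behaviour; whether the decoder or the callers rule that out is not visible in this hunk. Guarding the call keeps the ordering unchanged for well-formed values: `int cmp = len > 0 ? memcmp(a->data, b->data, len) : 0;`. The added comment could also say that the prefix-then-length ordering only yields the intended RFC 3779 order when each value is a 2-octet AFI optionally followed by a 1-octet SAFI, since the comparator itself does not verify that shape.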