
v3_ncons.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/x509v3/v3_ncons.c
1/*-
2 * Copyright 2003-2018 The OpenSSL Project Authors. All Rights Reserved.-
3 *-
4 * Licensed under the OpenSSL license (the "License"). You may not use-
5 * this file except in compliance with the License. You can obtain a copy-
6 * in the file LICENSE in the source distribution or at-
7 * https://www.openssl.org/source/license.html-
8 */-
9-
10#include "internal/cryptlib.h"-
11#include "internal/numbers.h"-
12#include <stdio.h>-
13#include "internal/asn1_int.h"-
14#include <openssl/asn1t.h>-
15#include <openssl/conf.h>-
16#include <openssl/x509v3.h>-
17-
18#include "internal/x509_int.h"-
19#include "ext_dat.h"-
20-
/* Extension method callbacks wired into v3_name_constraints below. */
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
                                  X509V3_CTX *ctx,
                                  STACK_OF(CONF_VALUE) *nval);
static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
                                BIO *bp, int ind);

/* Text-output helpers used by i2r_NAME_CONSTRAINTS(). */
static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
                                   STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,
                                   int ind, const char *name);
static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);

/*
 * Constraint matching: nc_match() checks one name against a whole
 * NAME_CONSTRAINTS; the remaining helpers are defined elsewhere in this file
 * and take one (constraint, name) pair of a single GeneralName type.
 */
static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
static int nc_dn(X509_NAME *sub, X509_NAME *nm);
static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base);
38-
/*
 * Method table for the nameConstraints extension. Only the config parser
 * (v2i) and the raw printer (i2r) are supplied; every other hook is zero.
 * Field names in the comments follow X509V3_EXT_METHOD in <openssl/x509v3.h>.
 */
const X509V3_EXT_METHOD v3_name_constraints = {
    NID_name_constraints,               /* ext_nid */
    0,                                  /* ext_flags */
    ASN1_ITEM_ref(NAME_CONSTRAINTS),    /* it */
    0, 0, 0, 0,                         /* ext_new, ext_free, d2i, i2d */
    0, 0,                               /* i2s, s2i */
    0,                                  /* i2v */
    v2i_NAME_CONSTRAINTS,               /* v2i */
    i2r_NAME_CONSTRAINTS,               /* i2r */
    0,                                  /* r2i */
    NULL                                /* usr_data */
};
48-
/*
 * GeneralSubtree template: a mandatory base name plus two optional,
 * implicitly tagged integers (minimum is tag 0, maximum is tag 1).
 */
ASN1_SEQUENCE(GENERAL_SUBTREE) = {
        ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
        ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),
        ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1)
} ASN1_SEQUENCE_END(GENERAL_SUBTREE)

/*
 * NameConstraints template: two optional, implicitly tagged SEQUENCE OF
 * GeneralSubtree (permittedSubtrees is tag 0, excludedSubtrees is tag 1).
 */
ASN1_SEQUENCE(NAME_CONSTRAINTS) = {
        ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,
                                 GENERAL_SUBTREE, 0),
        ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,
                                 GENERAL_SUBTREE, 1),
} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)


/* Generate the _new()/_free() functions for both structures. */
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
65-
/*
 * Locale-independent, ASCII-only case-insensitive comparison of at most n
 * bytes of two NUL-terminated strings.
 *
 * strncasecmp is deliberately not used: it applies locale specific rules
 * (in Turkish, for example, 'I' is not the upper case form of 'i'), and name
 * constraint matching must not depend on the process locale. Only the bytes
 * 0x41..0x5A ('A'..'Z') are folded, by adding 0x20.
 *
 * Returns 0 if the strings are equal over the compared range (or both end
 * before n bytes), -1 if s1 sorts before s2, and 1 otherwise.
 *
 * NOTE(review): in the coverage run this listing was captured from, neither
 * folding branch was ever taken, so the case-insensitive path itself was not
 * exercised by that test.
 */
static int ia5ncasecmp(const char *s1, const char *s2, size_t n)
{
    size_t pos;

    for (pos = 0; pos < n; pos++) {
        unsigned char lhs = (unsigned char)s1[pos];
        unsigned char rhs = (unsigned char)s2[pos];

        if (lhs == rhs) {
            /* Identical bytes: a shared NUL means both strings ended. */
            if (lhs == 0)
                return 0;
            continue;
        }

        /* Bytes differ: fold ASCII upper case to lower case and retry. */
        if (lhs >= 0x41 /* A */ && lhs <= 0x5A /* Z */)
            lhs += 0x20;
        if (rhs >= 0x41 /* A */ && rhs <= 0x5A /* Z */)
            rhs += 0x20;

        if (lhs != rhs)
            return lhs < rhs ? -1 : 1;
    }

    return 0;
}
100-
/*
 * Unbounded variant of ia5ncasecmp(): compare two NUL-terminated strings
 * with ASCII-only case folding. The length limit is SIZE_MAX, so the
 * comparison stops at the first difference or at the shared terminator;
 * both arguments must therefore be NUL-terminated.
 */
static int ia5casecmp(const char *s1, const char *s2)
{
    const size_t no_limit = SIZE_MAX;

    return ia5ncasecmp(s1, s2, no_limit);
}
105-
/*
 * Build a NAME_CONSTRAINTS structure from configuration values.
 *
 * Each entry name must start with "permitted" or "excluded" followed by at
 * least one more character; the remainder of the name after that character,
 * together with the entry value, is handed to v2i_GENERAL_NAME_ex() to
 * produce the subtree base.
 *
 * Returns the new NAME_CONSTRAINTS (owned by the caller) or NULL on error,
 * with an X509V3 error queued for syntax and allocation failures raised here.
 *
 * NOTE(review): the coverage run this listing was captured from never entered
 * this function, so none of its error paths were exercised by that test.
 */
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
                                  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
{
    NAME_CONSTRAINTS *result = NAME_CONSTRAINTS_new();
    GENERAL_SUBTREE *pending = NULL;
    STACK_OF(GENERAL_SUBTREE) **dest = NULL;
    /*
     * Only .name and .value of this temporary are ever assigned.
     * NOTE(review): presumably v2i_GENERAL_NAME_ex() reads nothing else
     * from it -- confirm against its implementation.
     */
    CONF_VALUE stripped;
    int idx;

    if (result == NULL)
        goto memerr;

    for (idx = 0; idx < sk_CONF_VALUE_num(nval); idx++) {
        CONF_VALUE *entry = sk_CONF_VALUE_value(nval, idx);

        /*
         * The character right after the keyword only has to be non-NUL; it
         * is skipped without being compared against a specific separator.
         * Because it is non-NUL, the skipped-to position is at worst the
         * string terminator.
         */
        if (strncmp(entry->name, "permitted", 9) == 0 && entry->name[9]) {
            dest = &result->permittedSubtrees;
            stripped.name = entry->name + 10;
        } else if (strncmp(entry->name, "excluded", 8) == 0
                   && entry->name[8]) {
            dest = &result->excludedSubtrees;
            stripped.name = entry->name + 9;
        } else {
            X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, X509V3_R_INVALID_SYNTAX);
            goto err;
        }
        stripped.value = entry->value;

        pending = GENERAL_SUBTREE_new();
        if (pending == NULL)
            goto memerr;
        if (!v2i_GENERAL_NAME_ex(pending->base, method, ctx, &stripped, 1))
            goto err;

        /* Create the destination stack lazily on first use. */
        if (*dest == NULL)
            *dest = sk_GENERAL_SUBTREE_new_null();
        if (*dest == NULL || !sk_GENERAL_SUBTREE_push(*dest, pending))
            goto memerr;

        /* Ownership moved to the stack; do not free it on a later error. */
        pending = NULL;
    }

    return result;

 memerr:
    X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
 err:
    NAME_CONSTRAINTS_free(result);
    GENERAL_SUBTREE_free(pending);

    return NULL;
}
153-
/*
 * Print a NAME_CONSTRAINTS extension to bp: the permitted subtrees first,
 * then the excluded ones, each indented by ind. The results of the two
 * helper calls are not inspected; this function always returns 1.
 */
static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
                                BIO *bp, int ind)
{
    NAME_CONSTRAINTS *nc = a;
    STACK_OF(GENERAL_SUBTREE) *permitted = nc->permittedSubtrees;
    STACK_OF(GENERAL_SUBTREE) *excluded = nc->excludedSubtrees;

    do_i2r_name_constraints(method, permitted, bp, ind, "Permitted");
    do_i2r_name_constraints(method, excluded, bp, ind, "Excluded");
    return 1;
}
164-
/*
 * Print one list of subtrees under the heading "<name>:". The heading is
 * written only when the list has at least one entry. IP address bases are
 * formatted by print_nc_ipadd(); every other type goes through
 * GENERAL_NAME_print(). Write errors on bp are not checked; the function
 * always returns 1.
 */
static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
                                   STACK_OF(GENERAL_SUBTREE) *trees,
                                   BIO *bp, int ind, const char *name)
{
    int idx;

    if (sk_GENERAL_SUBTREE_num(trees) > 0)
        BIO_printf(bp, "%*s%s:\n", ind, "", name);

    for (idx = 0; idx < sk_GENERAL_SUBTREE_num(trees); idx++) {
        GENERAL_SUBTREE *entry = sk_GENERAL_SUBTREE_value(trees, idx);

        /* Entries are indented two columns deeper than the heading. */
        BIO_printf(bp, "%*s", ind + 2, "");
        if (entry->base->type != GEN_IPADD)
            GENERAL_NAME_print(bp, entry->base);
        else
            print_nc_ipadd(bp, entry->base->d.ip);
        BIO_puts(bp, "\n");
    }
    return 1;
}
184-
/*
 * Print an iPAddress name constraint as "IP:<address>/<mask>".
 *
 * The octet string must hold an address followed by a mask of the same
 * size: 8 bytes for IPv4 (dotted decimal) or 32 bytes for IPv6 (sixteen
 * 16-bit groups in upper-case hex, without zero compression). The length is
 * checked before any byte is read, so other lengths never index the data.
 *
 * For any other length the text "IP Address:<invalid>" is written after the
 * "IP:" prefix that has already been emitted. Always returns 1.
 */
static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
{
    const unsigned char *octets = ip->data;
    int group;

    BIO_puts(bp, "IP:");
    switch (ip->length) {
    case 8:
        BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
                   octets[0], octets[1], octets[2], octets[3],
                   octets[4], octets[5], octets[6], octets[7]);
        break;
    case 32:
        for (group = 0; group < 16; group++) {
            const unsigned char *pair = octets + 2 * group;

            BIO_printf(bp, "%X", pair[0] << 8 | pair[1]);
            /* Group 7 ends the address, group 15 ends the mask. */
            if (group == 7)
                BIO_puts(bp, "/");
            else if (group != 15)
                BIO_puts(bp, ":");
        }
        break;
    default:
        BIO_printf(bp, "IP Address:<invalid>");
        break;
    }
    return 1;
}
208-
/*
 * Upper bound on (number of names) x (number of constraints) accepted by
 * NAME_CONSTRAINTS_check() before it refuses to run the comparison.
 */
#define NAME_CHECK_MAX (1 << 20)
210-
/*
 * Overflow-checked addition of two stack sizes.
 *
 * Negative inputs are treated as 0, because sk_FOO_num(NULL) returns -1 but
 * is effectively 0 when iterating. On success the sum is stored in *out and
 * 1 is returned; if the sum would exceed INT_MAX, 0 is returned and *out is
 * left untouched.
 */
static int add_lengths(int *out, int a, int b)
{
    const int lhs = a < 0 ? 0 : a;
    const int rhs = b < 0 ? 0 : b;

    /* Both operands are non-negative here, so INT_MAX - rhs cannot wrap. */
    if (lhs > INT_MAX - rhs)
        return 0;

    *out = lhs + rhs;
    return 1;
}
224-
/*-
 * Check that a certificate conforms to a set of name constraints.
 *
 * The subject DN (when non-empty), every emailAddress attribute in the
 * subject DN, and every subjectAltName entry are each matched with
 * nc_match(); the first non-OK result is returned.
 *
 * Return values:
 *  X509_V_OK: All constraints obeyed.
 *  X509_V_ERR_UNSPECIFIED: name or constraint counts overflow, or their
 *      product exceeds NAME_CHECK_MAX.
 *  X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
 *  X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
 *  X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
 *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
 *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
 *  X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
 *
 * NOTE(review): in the coverage run this listing was captured from, the
 * rejection of a non-IA5String emailAddress attribute was never triggered.
 */

int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
{
    X509_NAME *subject = X509_get_subject_name(x);
    int total_names, total_constraints;
    int idx, rv;

    /*
     * Guard against certificates with an excessive number of names or
     * constraints causing a computationally expensive name constraints check.
     * The product is tested by division so that it cannot overflow.
     */
    if (!add_lengths(&total_names, X509_NAME_entry_count(subject),
                     sk_GENERAL_NAME_num(x->altname)))
        return X509_V_ERR_UNSPECIFIED;
    if (!add_lengths(&total_constraints,
                     sk_GENERAL_SUBTREE_num(nc->permittedSubtrees),
                     sk_GENERAL_SUBTREE_num(nc->excludedSubtrees)))
        return X509_V_ERR_UNSPECIFIED;
    if (total_names > 0 && total_constraints > NAME_CHECK_MAX / total_names)
        return X509_V_ERR_UNSPECIFIED;

    if (X509_NAME_entry_count(subject) > 0) {
        /* Stack temporary that wraps subject data as a GENERAL_NAME. */
        GENERAL_NAME probe;

        /* First the whole subject DN as a directoryName. */
        probe.type = GEN_DIRNAME;
        probe.d.directoryName = subject;
        rv = nc_match(&probe, nc);
        if (rv != X509_V_OK)
            return rv;

        /* Then each emailAddress attribute as an rfc822Name. */
        probe.type = GEN_EMAIL;
        idx = -1;
        while ((idx = X509_NAME_get_index_by_NID(subject,
                                                 NID_pkcs9_emailAddress,
                                                 idx)) != -1) {
            const X509_NAME_ENTRY *attr = X509_NAME_get_entry(subject, idx);

            probe.d.rfc822Name = X509_NAME_ENTRY_get_data(attr);
            /* Only IA5String values are accepted as email addresses. */
            if (probe.d.rfc822Name->type != V_ASN1_IA5STRING)
                return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

            rv = nc_match(&probe, nc);
            if (rv != X509_V_OK)
                return rv;
        }
    }

    /* Finally every subjectAltName entry. */
    for (idx = 0; idx < sk_GENERAL_NAME_num(x->altname); idx++) {
        rv = nc_match(sk_GENERAL_NAME_value(x->altname, idx), nc);
        if (rv != X509_V_OK)
            return rv;
    }

    return X509_V_OK;
}
299-
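/*
 * Convert a subject commonName into a candidate DNS-ID.
 *
 * On return *dnsid and *idlen are always set. If the CN looks like a
 * multi-label DNS name, *dnsid points to a UTF-8 copy that the caller must
 * release with OPENSSL_free() and *idlen is its length; otherwise *dnsid is
 * NULL and *idlen is 0.
 *
 * Returns X509_V_OK in both of those cases, X509_V_ERR_OUT_OF_MEM if the
 * UTF-8 conversion fails, and X509_V_ERR_UNSUPPORTED_NAME_SYNTAX if the
 * value contains an embedded NUL.
 *
 * NOTE(review): in the coverage run this listing was captured from, neither
 * the trailing-NUL trimming nor the embedded-NUL rejection was triggered.
 */
static int cn2dnsid(ASN1_STRING *cn, unsigned char **dnsid, size_t *idlen)
{
    int utf8_length;
    unsigned char *utf8_value;
    int i;
    int isdnsname = 0;

    /* Don't leave outputs uninitialized */
    *dnsid = NULL;
    *idlen = 0;

    /*-
     * Per RFC 6125, DNS-IDs representing internationalized domain names appear
     * in certificates in A-label encoded form:
     *
     *   https://tools.ietf.org/html/rfc6125#section-6.4.2
     *
     * The same applies to CNs which are intended to represent DNS names.
     * However, while in the SAN DNS-IDs are IA5Strings, as CNs they may be
     * needlessly encoded in 16-bit Unicode.  We perform a conversion to UTF-8
     * to ensure that we get an ASCII representation of any CNs that are
     * representable as ASCII, but just not encoded as ASCII.  The UTF-8 form
     * may contain some non-ASCII octets, and that's fine, such CNs are not
     * valid legacy DNS names.
     *
     * Note, 'int' is the return type of ASN1_STRING_to_UTF8() so that's what
     * we must use for 'utf8_length'.
     */
    if ((utf8_length = ASN1_STRING_to_UTF8(&utf8_value, cn)) < 0)
        return X509_V_ERR_OUT_OF_MEM;

    /*
     * Some certificates have had names that include a *trailing* NUL byte.
     * Remove these harmless NUL characters. They would otherwise yield false
     * alarms with the following embedded NUL check.
     */
    while (utf8_length > 0 && utf8_value[utf8_length - 1] == '\0')
        --utf8_length;

    /*
     * Reject *embedded* NULs. The scan is bounded by the known length rather
     * than using strlen(), so it does not depend on the converted buffer
     * carrying a terminator and never reads beyond utf8_length bytes.
     */
    if (utf8_length > 0
        && memchr(utf8_value, 0, (size_t)utf8_length) != NULL) {
        OPENSSL_free(utf8_value);
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
    }

    /*
     * XXX: Deviation from strict DNS name syntax, also check names with '_'
     * Check DNS name syntax, any '-' or '.' must be internal,
     * and on either side of each '.' we can't have a '-' or '.'.
     *
     * If the name has just one label, we don't consider it a DNS name.  This
     * means that "CN=sometld" cannot be precluded by DNS name constraints, but
     * that is not a problem.
     */
    for (i = 0; i < utf8_length; ++i) {
        unsigned char c = utf8_value[i];

        if ((c >= 'a' && c <= 'z')
            || (c >= 'A' && c <= 'Z')
            || (c >= '0' && c <= '9')
            || c == '_')
            continue;

        /* Dot and hyphen cannot be first or last. */
        if (i > 0 && i < utf8_length - 1) {
            if (c == '-')
                continue;
            /*
             * Next to a dot the preceding and following characters must not be
             * another dot or a hyphen.  Otherwise, record that the name is
             * plausible, since it has two or more labels. The bounds test
             * above keeps both i - 1 and i + 1 inside the buffer.
             */
            if (c == '.'
                && utf8_value[i + 1] != '.'
                && utf8_value[i - 1] != '-'
                && utf8_value[i + 1] != '-') {
                isdnsname = 1;
                continue;
            }
        }
        /* Any other byte means this CN is not treated as a DNS name. */
        isdnsname = 0;
        break;
    }

    if (isdnsname) {
        /* Ownership of the buffer passes to the caller. */
        *dnsid = utf8_value;
        *idlen = (size_t)utf8_length;
        return X509_V_OK;
    }
    OPENSSL_free(utf8_value);
    return X509_V_OK;
}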
392-
/*
 * Check CN against DNS-ID name constraints.
 *
 * Every commonName attribute of the subject that cn2dnsid() accepts as a
 * host name is wrapped in a temporary dNSName and matched with nc_match().
 * Returns X509_V_OK if all of them pass, otherwise the first error from
 * cn2dnsid() or nc_match().
 */
int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
{
    X509_NAME *subject = X509_get_subject_name(x);
    ASN1_STRING dns_str;
    GENERAL_NAME dns_name;
    int idx = -1;
    int rv;

    /* Stack temporaries: a dNSName whose IA5String payload is set per CN. */
    dns_str.flags = 0;
    dns_str.type = V_ASN1_IA5STRING;
    dns_name.type = GEN_DNS;
    dns_name.d.dNSName = &dns_str;

    /* Process any commonName attributes in subject name */
    while ((idx = X509_NAME_get_index_by_NID(subject, NID_commonName,
                                             idx)) != -1) {
        X509_NAME_ENTRY *attr = X509_NAME_get_entry(subject, idx);
        ASN1_STRING *cn = X509_NAME_ENTRY_get_data(attr);
        unsigned char *host;
        size_t host_len;

        /* Only process attributes that look like host names */
        rv = cn2dnsid(cn, &host, &host_len);
        if (rv != X509_V_OK)
            return rv;
        if (host_len == 0)
            continue;

        dns_str.length = host_len;
        dns_str.data = host;
        rv = nc_match(&dns_name, nc);
        /* The buffer came from cn2dnsid(); release it before any return. */
        OPENSSL_free(host);
        if (rv != X509_V_OK)
            return rv;
    }
    return X509_V_OK;
}
437-
/*
 * Check a single GeneralName against both subtree lists of a
 * NAME_CONSTRAINTS extension.
 *
 * Returns X509_V_OK when the name is acceptable, otherwise:
 *   X509_V_ERR_SUBTREE_MINMAX       a subtree of the name's type carries
 *                                   a minimum or maximum field
 *   X509_V_ERR_PERMITTED_VIOLATION  permitted subtrees of this type exist
 *                                   and none of them matched
 *   X509_V_ERR_EXCLUDED_VIOLATION   an excluded subtree matched
 *   any other code returned by nc_match_single(), passed through as is
 *
 * Subtrees whose base type differs from gen->type are skipped, so a name
 * type with no permitted subtree of its own is not restricted by the
 * permitted list.
 *
 * Coverage (this report): the minimum/maximum rejections and both
 * "return r" pass-through paths were never executed by the recorded test.
 */
static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
{
    /* Progress through the permitted list for subtrees of gen's type. */
    enum { NC_NONE_SEEN = 0, NC_SEEN_UNMATCHED = 1, NC_PERMITTED = 2 };
    GENERAL_SUBTREE *tree;
    int state = NC_NONE_SEEN;
    int idx, rv;

    /*
     * Permitted subtrees: once any subtree of the same type exists, at
     * least one of them has to match.
     */
    for (idx = 0; idx < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); idx++) {
        tree = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, idx);
        if (tree->base->type != gen->type)
            continue;

        /* Checked for every same-type subtree, even after a match. */
        if (tree->minimum || tree->maximum)
            return X509_V_ERR_SUBTREE_MINMAX;

        /* A match was already found: nothing left to compare. */
        if (state == NC_PERMITTED)
            continue;

        /* A candidate of the right type exists from here on. */
        state = NC_SEEN_UNMATCHED;

        rv = nc_match_single(gen, tree->base);
        if (rv == X509_V_OK) {
            state = NC_PERMITTED;
        } else if (rv != X509_V_ERR_PERMITTED_VIOLATION) {
            /* Anything other than "no match" aborts the check. */
            return rv;
        }
    }

    if (state == NC_SEEN_UNMATCHED)
        return X509_V_ERR_PERMITTED_VIOLATION;

    /* Excluded subtrees: the name must not match any of them. */
    for (idx = 0; idx < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); idx++) {
        tree = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, idx);
        if (tree->base->type != gen->type)
            continue;

        if (tree->minimum || tree->maximum)
            return X509_V_ERR_SUBTREE_MINMAX;

        rv = nc_match_single(gen, tree->base);
        if (rv == X509_V_OK)
            return X509_V_ERR_EXCLUDED_VIOLATION;
        if (rv != X509_V_ERR_PERMITTED_VIOLATION)
            return rv;
    }

    return X509_V_OK;
}
489-
/*
 * Compare one name against one constraint base by dispatching on the
 * constraint's type.
 *
 * Only base->type is examined; the matching union member of gen is then
 * read without checking gen->type. nc_match() compares the two types
 * before calling, so the members agree on that path. Other callers are
 * not visible here and must guarantee the same.
 *
 * Returns whatever the per-type matcher returns, or
 * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE for any type without a matcher.
 *
 * Coverage (this report): the GEN_DIRNAME, GEN_URI and default paths were
 * never executed by the recorded test.
 */
static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
{
    const int kind = base->type;

    if (kind == GEN_DIRNAME)
        return nc_dn(gen->d.directoryName, base->d.directoryName);

    if (kind == GEN_DNS)
        return nc_dns(gen->d.dNSName, base->d.dNSName);

    if (kind == GEN_EMAIL)
        return nc_email(gen->d.rfc822Name, base->d.rfc822Name);

    if (kind == GEN_URI)
        return nc_uri(gen->d.uniformResourceIdentifier,
                      base->d.uniformResourceIdentifier);

    if (kind == GEN_IPADD)
        return nc_ip(gen->d.iPAddress, base->d.iPAddress);

    /* Unknown constraint types are reported, never treated as a match. */
    return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
}
514-
515/*-
516 * directoryName name constraint matching. The canonical encoding of-
517 * X509_NAME makes this comparison easy. It is matched if the subtree is a-
518 * subset of the name.-
519 */-
520-
static int nc_dn(X509_NAME *nm, X509_NAME *base)
{
    /*
     * The comparison below works on the cached canonical encodings, so a
     * name flagged as modified is re-encoded first; a failed encode is
     * reported as X509_V_ERR_OUT_OF_MEM.
     *
     * Coverage (this report): no line of this function was executed by
     * the recorded test.
     */
    if (nm->modified) {
        if (i2d_X509_NAME(nm, NULL) < 0)
            return X509_V_ERR_OUT_OF_MEM;
    }
    if (base->modified) {
        if (i2d_X509_NAME(base, NULL) < 0)
            return X509_V_ERR_OUT_OF_MEM;
    }

    /*
     * Match means: the constraint's canonical encoding is a byte-for-byte
     * prefix of the name's canonical encoding. The length test comes
     * first so memcmp never reads past the end of nm->canon_enc.
     */
    if (nm->canon_enclen < base->canon_enclen
        || memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen) != 0)
        return X509_V_ERR_PERMITTED_VIOLATION;

    return X509_V_OK;
}
534-
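/*
 * dNSName constraint matching.
 *
 * dns  - the name from the certificate being checked
 * base - the constraint
 *
 * Returns X509_V_OK on a match, X509_V_ERR_PERMITTED_VIOLATION when the
 * name does not match, and X509_V_ERR_UNSUPPORTED_NAME_SYNTAX when the
 * name contains a NUL byte.
 *
 * Every read is bounded by the ASN.1 length fields. The previous version
 * tested emptiness with *baseptr and compared with ia5casecmp(), which
 * takes no length, so it depended on the data being NUL terminated and
 * treated a constraint whose first byte is NUL as "matches everything".
 *
 * Coverage (this report): the empty-constraint path was never executed by
 * the recorded test.
 */
static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
{
    const char *baseptr = (const char *)base->data;
    const char *dnsptr = (const char *)dns->data;

    /*
     * A NUL byte is never part of a DNS name. Rejecting it keeps a name
     * such as "host<NUL>suffix" from being judged on only part of its
     * bytes, and means a comparison routine that treats NUL as a
     * terminator cannot end the comparison early.
     */
    if (dns->length > 0 && memchr(dnsptr, 0, (size_t)dns->length) != NULL)
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

    /* Empty matches everything */
    if (base->length == 0)
        return X509_V_OK;

    /* A name shorter than the constraint cannot end with it. */
    if (dns->length < base->length)
        return X509_V_ERR_PERMITTED_VIOLATION;

    /*
     * Otherwise zero or more components may be added on the left, so
     * compare the right-hand side. When dns is longer, the boundary must
     * fall on a '.': either the constraint starts with one or the byte
     * just before the compared suffix is one.
     */
    if (dns->length > base->length) {
        dnsptr += dns->length - base->length;
        if (*baseptr != '.' && dnsptr[-1] != '.')
            return X509_V_ERR_PERMITTED_VIOLATION;
    }

    /*
     * ia5ncasecmp() is the length-taking comparison this file already
     * uses in nc_uri(); assumed to be case insensitive like ia5casecmp()
     * -- TODO confirm against its definition.
     */
    if (ia5ncasecmp(baseptr, dnsptr, base->length))
        return X509_V_ERR_PERMITTED_VIOLATION;

    return X509_V_OK;
}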
558-
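/*
 * rfc822Name (e-mail) constraint matching.
 *
 * eml  - the address from the certificate being checked
 * base - the constraint: ".domain" (right-hand-side match on the whole
 *        address), "host" (exact host), or "local@host"
 *
 * Returns X509_V_OK on a match, X509_V_ERR_PERMITTED_VIOLATION when the
 * address does not match, and X509_V_ERR_UNSUPPORTED_NAME_SYNTAX when the
 * address has no '@' or contains a NUL byte.
 *
 * Every read is bounded by the ASN.1 length fields. The previous version
 * used strchr(), strncmp() and ia5casecmp() directly on the string data,
 * so it depended on a NUL terminator and ignored everything after an
 * embedded NUL.
 *
 * Coverage (this report): the leading-'.' constraint path and the
 * missing-'@' path were never executed by the recorded test.
 */
static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
{
    const char *baseptr = (const char *)base->data;
    const char *emlptr = (const char *)eml->data;
    const char *baseend = baseptr + base->length;
    const char *emlend = emlptr + eml->length;
    const char *baseat = NULL;
    const char *emlat = NULL;
    size_t basehostlen, emlhostlen;

    /*
     * A NUL byte is not valid in a mailbox name. Rejecting it keeps the
     * decision tied to the full address and means a comparison routine
     * that treats NUL as a terminator cannot end the comparison early.
     */
    if (eml->length > 0 && memchr(emlptr, 0, (size_t)eml->length) != NULL)
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

    /* First '@' in each string, searched within the declared length. */
    if (base->length > 0)
        baseat = memchr(baseptr, '@', (size_t)base->length);
    if (eml->length > 0)
        emlat = memchr(emlptr, '@', (size_t)eml->length);

    if (emlat == NULL)
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

    /* Special case: initial '.' is RHS match */
    if (baseat == NULL && base->length > 0 && *baseptr == '.') {
        if (eml->length > base->length) {
            emlptr += eml->length - base->length;
            if (ia5ncasecmp(baseptr, emlptr, base->length) == 0)
                return X509_V_OK;
        }
        return X509_V_ERR_PERMITTED_VIOLATION;
    }

    /* If the constraint has anything before '@', match the local part */
    if (baseat != NULL) {
        if (baseat != baseptr) {
            if ((baseat - baseptr) != (emlat - emlptr))
                return X509_V_ERR_PERMITTED_VIOLATION;
            /* Case sensitive match of local part, all bytes compared */
            if (memcmp(baseptr, emlptr, (size_t)(emlat - emlptr)) != 0)
                return X509_V_ERR_PERMITTED_VIOLATION;
        }
        /* Position base after '@' */
        baseptr = baseat + 1;
    }
    emlptr = emlat + 1;

    /*
     * Just the host part is left: it must have the same length on both
     * sides and compare equal, case insensitively.
     */
    basehostlen = (size_t)(baseend - baseptr);
    emlhostlen = (size_t)(emlend - emlptr);
    if (basehostlen != emlhostlen
        || ia5ncasecmp(baseptr, emlptr, emlhostlen) != 0)
        return X509_V_ERR_PERMITTED_VIOLATION;

    return X509_V_OK;
}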
599-
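/*
 * uniformResourceIdentifier constraint matching. Only the host part of
 * the URI is compared with the constraint.
 *
 * uri  - the URI from the certificate being checked
 * base - the constraint: ".domain" (right-hand-side match) or an exact
 *        host name
 *
 * Returns X509_V_OK on a match, X509_V_ERR_PERMITTED_VIOLATION when the
 * host does not match, and X509_V_ERR_UNSUPPORTED_NAME_SYNTAX when the
 * URI has no "scheme://" prefix, has an empty host, or contains a NUL
 * byte.
 *
 * Every read is bounded by the ASN.1 length fields. The previous version
 * used strchr() and strlen() directly on the string data, so it depended
 * on a NUL terminator and ignored everything after an embedded NUL.
 *
 * NOTE(review): as in the original, the end of the host is the first ':'
 * found after "://", and '/' is only consulted when no ':' exists at all.
 * Confirm this is the intended host extraction for URIs that carry
 * userinfo, an IPv6 literal, or a ':' in the path.
 *
 * Coverage (this report): no line of this function was executed by the
 * recorded test.
 */
static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
{
    const char *baseptr = (const char *)base->data;
    const char *hostptr = (const char *)uri->data;
    const char *uriend;
    const char *p;
    size_t remaining;
    int hostlen;

    /* An empty URI has no scheme; a NUL byte is never valid in a URI. */
    if (uri->length <= 0
        || memchr(hostptr, 0, (size_t)uri->length) != NULL)
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
    uriend = hostptr + uri->length;

    /* Check for foo:// and skip past it; p[1] and p[2] must be in range */
    p = memchr(hostptr, ':', (size_t)uri->length);
    if (p == NULL || uriend - p < 3 || p[1] != '/' || p[2] != '/')
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
    hostptr = p + 3;
    remaining = (size_t)(uriend - hostptr);

    /*
     * Determine length of hostname part of URI: look for a port
     * indicator as end of hostname first, otherwise for a slash.
     */
    p = NULL;
    if (remaining > 0) {
        p = memchr(hostptr, ':', remaining);
        if (p == NULL)
            p = memchr(hostptr, '/', remaining);
    }
    hostlen = (p == NULL) ? (int)remaining : (int)(p - hostptr);

    if (hostlen == 0)
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

    /* Special case: initial '.' is RHS match */
    if (base->length > 0 && *baseptr == '.') {
        if (hostlen > base->length) {
            p = hostptr + hostlen - base->length;
            if (ia5ncasecmp(p, baseptr, base->length) == 0)
                return X509_V_OK;
        }
        return X509_V_ERR_PERMITTED_VIOLATION;
    }

    /* Otherwise the host must equal the constraint exactly. */
    if (base->length != hostlen
        || ia5ncasecmp(hostptr, baseptr, hostlen) != 0)
        return X509_V_ERR_PERMITTED_VIOLATION;

    return X509_V_OK;
}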
645-
/*
 * iPAddress constraint matching.
 *
 * ip   - the address from the certificate: 4 bytes (IPv4) or 16 (IPv6)
 * base - the constraint: address followed by a mask of the same size,
 *        so 8 or 32 bytes
 *
 * Returns X509_V_ERR_UNSUPPORTED_NAME_SYNTAX for any other length,
 * X509_V_ERR_PERMITTED_VIOLATION when the address families differ or the
 * masked address differs from the masked constraint, X509_V_OK otherwise.
 *
 * The mask is applied as given: a non-contiguous mask such as 255.0.255.0
 * is not rejected, and the constraint address need not be aligned to it.
 *
 * Coverage (this report): only IPv4 lengths were exercised by the
 * recorded test; the length-error and family-mismatch returns were never
 * executed.
 */
static int nc_ip(ASN1_OCTET_STRING *ip, ASN1_OCTET_STRING *base)
{
    const int addrlen = ip->length;
    const int conslen = base->length;
    unsigned char *addr = ip->data;
    unsigned char *net = base->data;
    unsigned char *mask;
    int k;

    /* Invalid if not IPv4 or IPv6 */
    if (addrlen != 4 && addrlen != 16)
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
    if (conslen != 8 && conslen != 32)
        return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;

    /* Do not match IPv4 with IPv6 */
    if (conslen != 2 * addrlen)
        return X509_V_ERR_PERMITTED_VIOLATION;

    /* The mask follows the address inside the constraint. */
    mask = net + addrlen;

    for (k = 0; k < addrlen; k++) {
        /* Any differing bit that the mask selects is a mismatch. */
        if (((addr[k] ^ net[k]) & mask[k]) != 0)
            return X509_V_ERR_PERMITTED_VIOLATION;
    }

    return X509_V_OK;
}