From f07a60cae0bf09dc69d3017c685146cd06fb63a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Wed, 22 Feb 2006 13:11:05 +0000
Subject: [PATCH] Name constraits needs to be evaluated in block as they appear
 in the certificates, they can not be joined to one list. One example of this
 is:

* cert is cn=foo,dc=bar,dc=baz
* subca is  dc=foo,dc=baz with name restriction dc=kaka,dc=baz
* ca is  dc=baz with name restriction dc=baz

If the name restrictions are merged to a list, the certificate will
pass this test.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16757 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 116 +++++++++++++++--------------------------------
 1 file changed, 37 insertions(+), 79 deletions(-)

diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 27a0f68ca..600bacd7b 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -61,11 +61,8 @@ struct hx509_cert_data {
 };
 
 typedef struct hx509_name_constraints {
-    /* NameConstraints nc; */
-    struct {
-	GeneralSubtrees *permittedSubtrees;
-	GeneralSubtrees *excludedSubtrees;
-    } nc;
+    NameConstraints *val;
+    size_t len;
 } hx509_name_constraints;
 
 #define GeneralSubtrees_SET(g,var) \
@@ -816,44 +813,6 @@ static int
 init_name_constraints(hx509_name_constraints *nc)
 {
     memset(nc, 0, sizeof(*nc));
-
-    nc->nc.permittedSubtrees = calloc(1, sizeof(*nc->nc.permittedSubtrees));
-    if (nc->nc.permittedSubtrees == NULL)
-	return ENOMEM;
-    nc->nc.excludedSubtrees = calloc(1, sizeof(*nc->nc.excludedSubtrees));
-    if (nc->nc.excludedSubtrees == NULL) {
-	free(nc->nc.permittedSubtrees);
-	nc->nc.permittedSubtrees = NULL;
-	return ENOMEM;
-    }
-    return 0;
-}
-
-static int
-append_tree(const GeneralSubtrees *add, GeneralSubtrees *merge)
-{
-    unsigned int num, i;
-    GeneralSubtree *st;
-    int ret;
-	    
-    num = merge->len + add->len;
-    if (num < merge->len)
-	return HX509_RANGE;
-    if (num > UINT_MAX/sizeof(merge->val[0]))
-	return HX509_RANGE;
-    st = realloc(merge->val, sizeof(*st) * num);
-    if (st == NULL)
-	return ENOMEM;
-    merge->val = st;
-    memset(&st[merge->len], 0, sizeof(add->val[0]) * add->len);
-    for (i = 0; i < add->len; i++) {
-	ret = copy_GeneralSubtree(&add->val[i],
-				  &merge->val[merge->len + i]);
-	if (ret)
-	    return ret;
-    }
-    merge->len = num;
-
     return 0;
 }
 
@@ -872,16 +831,19 @@ add_name_constraints(const Certificate *c, int not_ca,
     else if (not_ca) {
 	ret = HX509_VERIFY_CONSTRAINTS;
     } else {
-	GeneralSubtrees gs;
-	if (tnc.permittedSubtrees) {
-	    GeneralSubtrees_SET(&gs, tnc.permittedSubtrees);
-	    ret = append_tree(&gs, nc->nc.permittedSubtrees);
-	}
-	if (ret == 0 && tnc.excludedSubtrees) {
-	    GeneralSubtrees_SET(&gs, tnc.excludedSubtrees);
-	    ret = append_tree(&gs, nc->nc.excludedSubtrees);
+	NameConstraints *val;
+	val = realloc(nc->val, sizeof(nc->val[0]) * (nc->len + 1));
+	if (val == NULL) {
+	    ret = ENOMEM;
+	    goto out;
 	}
+	nc->val = val;
+	ret = copy_NameConstraints(&tnc, &nc->val[nc->len]);
+	if (ret)
+	    goto out;
+	nc->len += 1;
     }
+out:
     free_NameConstraints(&tnc);
     return ret;
 }
@@ -1079,26 +1041,28 @@ static int
 check_name_constraints(const hx509_name_constraints *nc,
 		       const Certificate *c)
 {
-    GeneralSubtrees gs;
     int match, ret;
+    int i;
 
-    if (nc->nc.permittedSubtrees->len > 0) {
-	GeneralSubtrees_SET(&gs, nc->nc.permittedSubtrees);
+    for (i = 0 ; i < nc->len; i++) {
+	GeneralSubtrees gs;
 
-	ret = match_tree(&gs, c, &match);
-	if (ret)
-	    return ret;
-	if (match == 0)
-	    return HX509_VERIFY_CONSTRAINTS;
-    }
-    if (nc->nc.excludedSubtrees->len > 0) {
-	GeneralSubtrees_SET(&gs, nc->nc.excludedSubtrees);
-
-	ret = match_tree(&gs, c, &match);
-	if (ret)
-	    return ret;
-	if (match)
-	    return HX509_VERIFY_CONSTRAINTS;
+	if (nc->val[i].permittedSubtrees) {
+	    GeneralSubtrees_SET(&gs, nc->val[i].permittedSubtrees);
+	    ret = match_tree(&gs, c, &match);
+	    if (ret)
+		return ret;
+	    if (match == 0)
+		return HX509_VERIFY_CONSTRAINTS;
+	}
+	if (nc->val[i].excludedSubtrees) {
+	    GeneralSubtrees_SET(&gs, nc->val[i].excludedSubtrees);
+	    ret = match_tree(&gs, c, &match);
+	    if (ret)
+		return ret;
+	    if (match)
+		return HX509_VERIFY_CONSTRAINTS;
+	}
     }
     return 0;
 }
@@ -1106,17 +1070,11 @@ check_name_constraints(const hx509_name_constraints *nc,
 static void
 free_name_constraints(hx509_name_constraints *nc)
 {
-    /* free_NameConstraints(&nc->nc); */
-    if (nc->nc.permittedSubtrees) {
-	free_GeneralSubtrees(nc->nc.permittedSubtrees);
-	free(nc->nc.permittedSubtrees);
-	nc->nc.permittedSubtrees = NULL;
-    }
-    if (nc->nc.excludedSubtrees) {
-	free_GeneralSubtrees(nc->nc.excludedSubtrees);
-	free(nc->nc.excludedSubtrees);
-	nc->nc.excludedSubtrees = NULL;
-    }
+    int i;
+
+    for (i = 0 ; i < nc->len; i++)
+	free_NameConstraints(&nc->val[i]);
+    free(nc->val);
 }
 
 int