Re-run clang-format with InsertBraces.
This CL runs the same command as in the preceding CL, but with
'IncludeBraces: true' added to .clang-format. I've split this out
separately because the documentation says:
> Setting this option to true could lead to incorrect code formatting
> due to clang-format’s lack of complete semantic information. As such,
> extra care should be taken to review code changes made by this option.
I've also kept InsertBraces out of .clang-format for now because it's a
fairly recent option, and clang-format fails when it sees unrecognized
options.
Change-Id: I305ea7bb2633704053a1f8de1e11b037b9fc8a76
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53086
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c
index af1871e..f4de366 100644
--- a/crypto/x509v3/pcy_cache.c
+++ b/crypto/x509v3/pcy_cache.c
@@ -80,16 +80,19 @@
X509_POLICY_CACHE *cache = x->policy_cache;
X509_POLICY_DATA *data = NULL;
POLICYINFO *policy;
- if (sk_POLICYINFO_num(policies) == 0)
+ if (sk_POLICYINFO_num(policies) == 0) {
goto bad_policy;
+ }
cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
- if (!cache->data)
+ if (!cache->data) {
goto bad_policy;
+ }
for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
policy = sk_POLICYINFO_value(policies, i);
data = policy_data_new(policy, NULL, crit);
- if (!data)
+ if (!data) {
goto bad_policy;
+ }
/*
* Duplicate policy OIDs are illegal: reject if matches found.
*/
@@ -103,16 +106,19 @@
} else if (sk_X509_POLICY_DATA_find(cache->data, NULL, data)) {
ret = -1;
goto bad_policy;
- } else if (!sk_X509_POLICY_DATA_push(cache->data, data))
+ } else if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
goto bad_policy;
+ }
data = NULL;
}
ret = 1;
bad_policy:
- if (ret == -1)
+ if (ret == -1) {
x->ex_flags |= EXFLAG_INVALID_POLICY;
- if (data)
+ }
+ if (data) {
policy_data_free(data);
+ }
sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
if (ret <= 0) {
sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
@@ -129,8 +135,9 @@
POLICY_MAPPINGS *ext_pmaps = NULL;
int i;
cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE));
- if (!cache)
+ if (!cache) {
return 0;
+ }
cache->anyPolicy = NULL;
cache->data = NULL;
cache->any_skip = -1;
@@ -146,17 +153,21 @@
ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
if (!ext_pcons) {
- if (i != -1)
+ if (i != -1) {
goto bad_cache;
+ }
} else {
- if (!ext_pcons->requireExplicitPolicy && !ext_pcons->inhibitPolicyMapping)
+ if (!ext_pcons->requireExplicitPolicy && !ext_pcons->inhibitPolicyMapping) {
goto bad_cache;
+ }
if (!policy_cache_set_int(&cache->explicit_skip,
- ext_pcons->requireExplicitPolicy))
+ ext_pcons->requireExplicitPolicy)) {
goto bad_cache;
+ }
if (!policy_cache_set_int(&cache->map_skip,
- ext_pcons->inhibitPolicyMapping))
+ ext_pcons->inhibitPolicyMapping)) {
goto bad_cache;
+ }
}
/* Process CertificatePolicies */
@@ -168,8 +179,9 @@
*/
if (!ext_cpols) {
/* If not absent some problem with extension */
- if (i != -1)
+ if (i != -1) {
goto bad_cache;
+ }
return 1;
}
@@ -177,50 +189,60 @@
/* NB: ext_cpols freed by policy_cache_set_policies */
- if (i <= 0)
+ if (i <= 0) {
return i;
+ }
ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
if (!ext_pmaps) {
/* If not absent some problem with extension */
- if (i != -1)
+ if (i != -1) {
goto bad_cache;
+ }
} else {
i = policy_cache_set_mapping(x, ext_pmaps);
- if (i <= 0)
+ if (i <= 0) {
goto bad_cache;
+ }
}
ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
if (!ext_any) {
- if (i != -1)
+ if (i != -1) {
goto bad_cache;
- } else if (!policy_cache_set_int(&cache->any_skip, ext_any))
+ }
+ } else if (!policy_cache_set_int(&cache->any_skip, ext_any)) {
goto bad_cache;
+ }
if (0) {
bad_cache:
x->ex_flags |= EXFLAG_INVALID_POLICY;
}
- if (ext_pcons)
+ if (ext_pcons) {
POLICY_CONSTRAINTS_free(ext_pcons);
+ }
- if (ext_any)
+ if (ext_any) {
ASN1_INTEGER_free(ext_any);
+ }
return 1;
}
void policy_cache_free(X509_POLICY_CACHE *cache) {
- if (!cache)
+ if (!cache) {
return;
- if (cache->anyPolicy)
+ }
+ if (cache->anyPolicy) {
policy_data_free(cache->anyPolicy);
- if (cache->data)
+ }
+ if (cache->data) {
sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
+ }
OPENSSL_free(cache);
}
@@ -239,12 +261,14 @@
cache = x->policy_cache;
CRYPTO_STATIC_MUTEX_unlock_read(&g_x509_policy_cache_lock);
- if (cache != NULL)
+ if (cache != NULL) {
return cache;
+ }
CRYPTO_STATIC_MUTEX_lock_write(&g_x509_policy_cache_lock);
- if (x->policy_cache == NULL)
+ if (x->policy_cache == NULL) {
policy_cache_new(x);
+ }
cache = x->policy_cache;
CRYPTO_STATIC_MUTEX_unlock_write(&g_x509_policy_cache_lock);
@@ -258,8 +282,9 @@
tmp.valid_policy = (ASN1_OBJECT *)id;
sk_X509_POLICY_DATA_sort(cache->data);
- if (!sk_X509_POLICY_DATA_find(cache->data, &idx, &tmp))
+ if (!sk_X509_POLICY_DATA_find(cache->data, &idx, &tmp)) {
return NULL;
+ }
return sk_X509_POLICY_DATA_value(cache->data, idx);
}
@@ -269,10 +294,12 @@
}
static int policy_cache_set_int(long *out, ASN1_INTEGER *value) {
- if (value == NULL)
+ if (value == NULL) {
return 1;
- if (value->type == V_ASN1_NEG_INTEGER)
+ }
+ if (value->type == V_ASN1_NEG_INTEGER) {
return 0;
+ }
*out = ASN1_INTEGER_get(value);
return 1;
}
diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c
index a442629..e2df5b2 100644
--- a/crypto/x509v3/pcy_data.c
+++ b/crypto/x509v3/pcy_data.c
@@ -69,8 +69,9 @@
void policy_data_free(X509_POLICY_DATA *data) {
ASN1_OBJECT_free(data->valid_policy);
/* Don't free qualifiers if shared */
- if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
+ if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS)) {
sk_POLICYQUALINFO_pop_free(data->qualifier_set, POLICYQUALINFO_free);
+ }
sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
OPENSSL_free(data);
}
@@ -87,14 +88,17 @@
int crit) {
X509_POLICY_DATA *ret;
ASN1_OBJECT *id;
- if (!policy && !cid)
+ if (!policy && !cid) {
return NULL;
+ }
if (cid) {
id = OBJ_dup(cid);
- if (!id)
+ if (!id) {
return NULL;
- } else
+ }
+ } else {
id = NULL;
+ }
ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
if (!ret) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
@@ -108,14 +112,15 @@
return NULL;
}
- if (crit)
+ if (crit) {
ret->flags = POLICY_DATA_FLAG_CRITICAL;
- else
+ } else {
ret->flags = 0;
+ }
- if (id)
+ if (id) {
ret->valid_policy = id;
- else {
+ } else {
ret->valid_policy = policy->policyid;
policy->policyid = NULL;
}
@@ -123,8 +128,9 @@
if (policy) {
ret->qualifier_set = policy->qualifiers;
policy->qualifiers = NULL;
- } else
+ } else {
ret->qualifier_set = NULL;
+ }
return ret;
}
diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509v3/pcy_lib.c
index e339bd7f..3775d35 100644
--- a/crypto/x509v3/pcy_lib.c
+++ b/crypto/x509v3/pcy_lib.c
@@ -65,56 +65,66 @@
/* X509_POLICY_TREE stuff */
int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) {
- if (!tree)
+ if (!tree) {
return 0;
+ }
return tree->nlevel;
}
X509_POLICY_LEVEL *X509_policy_tree_get0_level(const X509_POLICY_TREE *tree,
int i) {
- if (!tree || (i < 0) || (i >= tree->nlevel))
+ if (!tree || (i < 0) || (i >= tree->nlevel)) {
return NULL;
+ }
return tree->levels + i;
}
STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies(
const X509_POLICY_TREE *tree) {
- if (!tree)
+ if (!tree) {
return NULL;
+ }
return tree->auth_policies;
}
STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies(
const X509_POLICY_TREE *tree) {
- if (!tree)
+ if (!tree) {
return NULL;
- if (tree->flags & POLICY_FLAG_ANY_POLICY)
+ }
+ if (tree->flags & POLICY_FLAG_ANY_POLICY) {
return tree->auth_policies;
- else
+ } else {
return tree->user_policies;
+ }
}
/* X509_POLICY_LEVEL stuff */
int X509_policy_level_node_count(X509_POLICY_LEVEL *level) {
int n;
- if (!level)
+ if (!level) {
return 0;
- if (level->anyPolicy)
+ }
+ if (level->anyPolicy) {
n = 1;
- else
+ } else {
n = 0;
- if (level->nodes)
+ }
+ if (level->nodes) {
n += sk_X509_POLICY_NODE_num(level->nodes);
+ }
return n;
}
X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) {
- if (!level)
+ if (!level) {
return NULL;
+ }
if (level->anyPolicy) {
- if (i == 0)
+ if (i == 0) {
return level->anyPolicy;
+ }
i--;
}
return sk_X509_POLICY_NODE_value(level->nodes, i);
@@ -123,21 +133,24 @@
/* X509_POLICY_NODE stuff */
const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) {
- if (!node)
+ if (!node) {
return NULL;
+ }
return node->data->valid_policy;
}
STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers(
const X509_POLICY_NODE *node) {
- if (!node)
+ if (!node) {
return NULL;
+ }
return node->data->qualifier_set;
}
const X509_POLICY_NODE *X509_policy_node_get0_parent(
const X509_POLICY_NODE *node) {
- if (!node)
+ if (!node) {
return NULL;
+ }
return node->parent;
}
diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c
index 6a411f0..efc3ecd 100644
--- a/crypto/x509v3/pcy_map.c
+++ b/crypto/x509v3/pcy_map.c
@@ -91,16 +91,18 @@
/* Attempt to find matching policy data */
data = policy_cache_find_data(cache, map->issuerDomainPolicy);
/* If we don't have anyPolicy can't map */
- if (!data && !cache->anyPolicy)
+ if (!data && !cache->anyPolicy) {
continue;
+ }
/* Create a NODE from anyPolicy */
if (!data) {
data =
policy_data_new(NULL, map->issuerDomainPolicy,
cache->anyPolicy->flags & POLICY_DATA_FLAG_CRITICAL);
- if (!data)
+ if (!data) {
goto bad_mapping;
+ }
data->qualifier_set = cache->anyPolicy->qualifier_set;
/*
* map->issuerDomainPolicy = NULL;
@@ -111,18 +113,21 @@
policy_data_free(data);
goto bad_mapping;
}
- } else
+ } else {
data->flags |= POLICY_DATA_FLAG_MAPPED;
+ }
if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
- map->subjectDomainPolicy))
+ map->subjectDomainPolicy)) {
goto bad_mapping;
+ }
map->subjectDomainPolicy = NULL;
}
ret = 1;
bad_mapping:
- if (ret == -1)
+ if (ret == -1) {
x->ex_flags |= EXFLAG_INVALID_POLICY;
+ }
sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
return ret;
}
diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
index 3da223a..330194f 100644
--- a/crypto/x509v3/pcy_node.c
+++ b/crypto/x509v3/pcy_node.c
@@ -81,8 +81,9 @@
l.data = &n;
sk_X509_POLICY_NODE_sort(nodes);
- if (!sk_X509_POLICY_NODE_find(nodes, &idx, &l))
+ if (!sk_X509_POLICY_NODE_find(nodes, &idx, &l)) {
return NULL;
+ }
return sk_X509_POLICY_NODE_value(nodes, idx);
}
@@ -95,8 +96,9 @@
for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
node = sk_X509_POLICY_NODE_value(level->nodes, i);
if (node->parent == parent) {
- if (!OBJ_cmp(node->data->valid_policy, id))
+ if (!OBJ_cmp(node->data->valid_policy, id)) {
return node;
+ }
}
}
return NULL;
@@ -108,37 +110,46 @@
X509_POLICY_TREE *tree) {
X509_POLICY_NODE *node;
node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
- if (!node)
+ if (!node) {
return NULL;
+ }
node->data = data;
node->parent = parent;
node->nchild = 0;
if (level) {
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
- if (level->anyPolicy)
+ if (level->anyPolicy) {
goto node_error;
+ }
level->anyPolicy = node;
} else {
- if (!level->nodes)
+ if (!level->nodes) {
level->nodes = policy_node_cmp_new();
- if (!level->nodes)
+ }
+ if (!level->nodes) {
goto node_error;
- if (!sk_X509_POLICY_NODE_push(level->nodes, node))
+ }
+ if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {
goto node_error;
+ }
}
}
if (tree) {
- if (!tree->extra_data)
+ if (!tree->extra_data) {
tree->extra_data = sk_X509_POLICY_DATA_new_null();
- if (!tree->extra_data)
+ }
+ if (!tree->extra_data) {
goto node_error;
- if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
+ }
+ if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
goto node_error;
+ }
}
- if (parent)
+ if (parent) {
parent->nchild++;
+ }
return node;
@@ -162,15 +173,17 @@
if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) ||
!(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
- if (!OBJ_cmp(x->valid_policy, oid))
+ if (!OBJ_cmp(x->valid_policy, oid)) {
return 1;
+ }
return 0;
}
for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
- if (!OBJ_cmp(policy_oid, oid))
+ if (!OBJ_cmp(policy_oid, oid)) {
return 1;
+ }
}
return 0;
}
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 4d684e2..db7704e 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -83,17 +83,18 @@
static void expected_print(BIO *err, X509_POLICY_LEVEL *lev,
X509_POLICY_NODE *node, int indent) {
if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
- !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
+ !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK)) {
BIO_puts(err, " Not Mapped\n");
- else {
+ } else {
int i;
STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
ASN1_OBJECT *oid;
BIO_puts(err, " Expected: ");
for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
oid = sk_ASN1_OBJECT_value(pset, i);
- if (i)
+ if (i) {
BIO_puts(err, ", ");
+ }
i2a_ASN1_OBJECT(err, oid);
}
BIO_puts(err, "\n");
@@ -107,10 +108,11 @@
int i;
BIO *err;
err = BIO_new_fp(stderr, BIO_NOCLOSE);
- if (!curr)
+ if (!curr) {
curr = tree->levels + tree->nlevel;
- else
+ } else {
curr++;
+ }
BIO_printf(err, "Level print after %s\n", str);
BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
for (plev = tree->levels; plev != curr; plev++) {
@@ -122,8 +124,9 @@
expected_print(err, plev, node, 2);
BIO_printf(err, " Flags: %x\n", node->data->flags);
}
- if (plev->anyPolicy)
+ if (plev->anyPolicy) {
X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
+ }
}
BIO_free(err);
@@ -164,24 +167,28 @@
flags |= X509_V_FLAG_INHIBIT_MAP;
#endif
- if (flags & X509_V_FLAG_EXPLICIT_POLICY)
+ if (flags & X509_V_FLAG_EXPLICIT_POLICY) {
explicit_policy = 0;
- else
+ } else {
explicit_policy = n + 1;
+ }
- if (flags & X509_V_FLAG_INHIBIT_ANY)
+ if (flags & X509_V_FLAG_INHIBIT_ANY) {
any_skip = 0;
- else
+ } else {
any_skip = n + 1;
+ }
- if (flags & X509_V_FLAG_INHIBIT_MAP)
+ if (flags & X509_V_FLAG_INHIBIT_MAP) {
map_skip = 0;
- else
+ } else {
map_skip = n + 1;
+ }
/* Can't do anything with just a trust anchor */
- if (n == 1)
+ if (n == 1) {
return 1;
+ }
/*
* First setup policy cache in all certificates apart from the trust
* anchor. Note any bad cache results on the way. Also can calculate
@@ -192,31 +199,37 @@
X509_check_purpose(x, -1, -1);
cache = policy_cache_set(x);
/* If cache NULL something bad happened: return immediately */
- if (cache == NULL)
+ if (cache == NULL) {
return 0;
+ }
/*
* If inconsistent extensions keep a note of it but continue
*/
- if (x->ex_flags & EXFLAG_INVALID_POLICY)
+ if (x->ex_flags & EXFLAG_INVALID_POLICY) {
ret = -1;
+ }
/*
* Otherwise if we have no data (hence no CertificatePolicies) and
* haven't already set an inconsistent code note it.
*/
- else if ((ret == 1) && !cache->data)
+ else if ((ret == 1) && !cache->data) {
ret = 2;
+ }
if (explicit_policy > 0) {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(x->ex_flags & EXFLAG_SI)) {
explicit_policy--;
+ }
if ((cache->explicit_skip != -1) &&
- (cache->explicit_skip < explicit_policy))
+ (cache->explicit_skip < explicit_policy)) {
explicit_policy = cache->explicit_skip;
+ }
}
}
if (ret != 1) {
- if (ret == 2 && !explicit_policy)
+ if (ret == 2 && !explicit_policy) {
return 6;
+ }
return ret;
}
@@ -224,8 +237,9 @@
tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
- if (!tree)
+ if (!tree) {
return 0;
+ }
tree->flags = 0;
tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
@@ -249,8 +263,9 @@
data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
- if (!data || !level_add_node(level, data, NULL, tree))
+ if (!data || !level_add_node(level, data, NULL, tree)) {
goto bad_tree;
+ }
for (i = n - 2; i >= 0; i--) {
level++;
@@ -259,8 +274,9 @@
X509_up_ref(x);
level->cert = x;
- if (!cache->anyPolicy)
+ if (!cache->anyPolicy) {
level->flags |= X509_V_FLAG_INHIBIT_ANY;
+ }
/* Determine inhibit any and inhibit map flags */
if (any_skip == 0) {
@@ -268,31 +284,37 @@
* Any matching allowed if certificate is self issued and not the
* last in the chain.
*/
- if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+ if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) {
level->flags |= X509_V_FLAG_INHIBIT_ANY;
+ }
} else {
- if (!(x->ex_flags & EXFLAG_SI))
+ if (!(x->ex_flags & EXFLAG_SI)) {
any_skip--;
- if ((cache->any_skip >= 0) && (cache->any_skip < any_skip))
+ }
+ if ((cache->any_skip >= 0) && (cache->any_skip < any_skip)) {
any_skip = cache->any_skip;
+ }
}
- if (map_skip == 0)
+ if (map_skip == 0) {
level->flags |= X509_V_FLAG_INHIBIT_MAP;
- else {
- if (!(x->ex_flags & EXFLAG_SI))
+ } else {
+ if (!(x->ex_flags & EXFLAG_SI)) {
map_skip--;
- if ((cache->map_skip >= 0) && (cache->map_skip < map_skip))
+ }
+ if ((cache->map_skip >= 0) && (cache->map_skip < map_skip)) {
map_skip = cache->map_skip;
+ }
}
}
*ptree = tree;
- if (explicit_policy)
+ if (explicit_policy) {
return 1;
- else
+ } else {
return 5;
+ }
bad_tree:
@@ -311,14 +333,16 @@
for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
node = sk_X509_POLICY_NODE_value(last->nodes, i);
if (policy_node_match(last, node, data->valid_policy)) {
- if (!level_add_node(curr, data, node, NULL))
+ if (!level_add_node(curr, data, node, NULL)) {
return 0;
+ }
matched = 1;
}
}
if (!matched && last->anyPolicy) {
- if (!level_add_node(curr, data, last->anyPolicy, NULL))
+ if (!level_add_node(curr, data, last->anyPolicy, NULL)) {
return 0;
+ }
}
return 1;
}
@@ -349,8 +373,9 @@
continue;
#endif
/* Look for matching nodes in previous level */
- if (!tree_link_matching_nodes(curr, data))
+ if (!tree_link_matching_nodes(curr, data)) {
return 0;
+ }
}
return 1;
}
@@ -365,16 +390,18 @@
const ASN1_OBJECT *id, X509_POLICY_NODE *node,
X509_POLICY_TREE *tree) {
X509_POLICY_DATA *data;
- if (id == NULL)
+ if (id == NULL) {
id = node->data->valid_policy;
+ }
/*
* Create a new node with qualifiers from anyPolicy and id from unmatched
* node.
*/
data = policy_data_new(NULL, id, node_critical(node));
- if (data == NULL)
+ if (data == NULL) {
return 0;
+ }
/* Curr may not have anyPolicy */
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
@@ -395,23 +422,28 @@
if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
!(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
/* If no policy mapping: matched if one child present */
- if (node->nchild)
+ if (node->nchild) {
return 1;
- if (!tree_add_unmatched(curr, cache, NULL, node, tree))
+ }
+ if (!tree_add_unmatched(curr, cache, NULL, node, tree)) {
return 0;
+ }
/* Add it */
} else {
/* If mapping: matched if one child per expected policy set */
STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
- if ((size_t)node->nchild == sk_ASN1_OBJECT_num(expset))
+ if ((size_t)node->nchild == sk_ASN1_OBJECT_num(expset)) {
return 1;
+ }
/* Locate unmatched nodes */
for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
- if (level_find_node(curr, node, oid))
+ if (level_find_node(curr, node, oid)) {
continue;
- if (!tree_add_unmatched(curr, cache, oid, node, tree))
+ }
+ if (!tree_add_unmatched(curr, cache, oid, node, tree)) {
return 0;
+ }
}
}
@@ -431,8 +463,9 @@
for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
node = sk_X509_POLICY_NODE_value(last->nodes, i);
- if (!tree_link_unmatched(curr, cache, node, tree))
+ if (!tree_link_unmatched(curr, cache, node, tree)) {
return 0;
+ }
#if 0
@@ -464,8 +497,9 @@
}
/* Finally add link to anyPolicy */
if (last->anyPolicy) {
- if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL))
+ if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL)) {
return 0;
+ }
}
return 1;
}
@@ -505,15 +539,17 @@
}
}
if (curr->anyPolicy && !curr->anyPolicy->nchild) {
- if (curr->anyPolicy->parent)
+ if (curr->anyPolicy->parent) {
curr->anyPolicy->parent->nchild--;
+ }
OPENSSL_free(curr->anyPolicy);
curr->anyPolicy = NULL;
}
if (curr == tree->levels) {
/* If we zapped anyPolicy at top then tree is empty */
- if (!curr->anyPolicy)
+ if (!curr->anyPolicy) {
return 2;
+ }
return 1;
}
}
@@ -523,15 +559,18 @@
X509_POLICY_NODE *pcy) {
if (!*pnodes) {
*pnodes = policy_node_cmp_new();
- if (!*pnodes)
+ if (!*pnodes) {
return 0;
+ }
} else {
sk_X509_POLICY_NODE_sort(*pnodes);
- if (sk_X509_POLICY_NODE_find(*pnodes, NULL, pcy))
+ if (sk_X509_POLICY_NODE_find(*pnodes, NULL, pcy)) {
return 1;
+ }
}
- if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
+ if (!sk_X509_POLICY_NODE_push(*pnodes, pcy)) {
return 0;
+ }
return 1;
}
@@ -556,12 +595,14 @@
/* If last level contains anyPolicy set is anyPolicy */
if (curr->anyPolicy) {
- if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
+ if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy)) {
return 0;
+ }
addnodes = pnodes;
- } else
+ } else {
/* Add policies to authority set */
addnodes = &tree->auth_policies;
+ }
curr = tree->levels;
for (i = 1; i < tree->nlevel; i++) {
@@ -569,18 +610,21 @@
* If no anyPolicy node on this this level it can't appear on lower
* levels so end search.
*/
- if (!(anyptr = curr->anyPolicy))
+ if (!(anyptr = curr->anyPolicy)) {
break;
+ }
curr++;
for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
node = sk_X509_POLICY_NODE_value(curr->nodes, j);
- if ((node->parent == anyptr) && !tree_add_auth_node(addnodes, node))
+ if ((node->parent == anyptr) && !tree_add_auth_node(addnodes, node)) {
return 0;
+ }
}
}
- if (addnodes == pnodes)
+ if (addnodes == pnodes) {
return 2;
+ }
*pnodes = tree->auth_policies;
@@ -602,8 +646,9 @@
* will happen if it is a leaf node.
*/
- if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
+ if (sk_ASN1_OBJECT_num(policy_oids) <= 0) {
return 1;
+ }
anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
@@ -619,15 +664,17 @@
oid = sk_ASN1_OBJECT_value(policy_oids, i);
node = tree_find_sk(auth_nodes, oid);
if (!node) {
- if (!anyPolicy)
+ if (!anyPolicy) {
continue;
+ }
/*
* Create a new node with policy ID from user set and qualifiers
* from anyPolicy.
*/
extra = policy_data_new(NULL, oid, node_critical(anyPolicy));
- if (!extra)
+ if (!extra) {
return 0;
+ }
extra->qualifier_set = anyPolicy->data->qualifier_set;
extra->flags =
POLICY_DATA_FLAG_SHARED_QUALIFIERS | POLICY_DATA_FLAG_EXTRA_NODE;
@@ -635,11 +682,13 @@
}
if (!tree->user_policies) {
tree->user_policies = sk_X509_POLICY_NODE_new_null();
- if (!tree->user_policies)
+ if (!tree->user_policies) {
return 1;
+ }
}
- if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
+ if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) {
return 0;
+ }
}
return 1;
}
@@ -651,47 +700,56 @@
for (i = 1; i < tree->nlevel; i++, curr++) {
cache = policy_cache_set(curr->cert);
- if (!tree_link_nodes(curr, cache))
+ if (!tree_link_nodes(curr, cache)) {
return 0;
+ }
if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
- !tree_link_any(curr, cache, tree))
+ !tree_link_any(curr, cache, tree)) {
return 0;
+ }
tree_print("before tree_prune()", tree, curr);
ret = tree_prune(tree, curr);
- if (ret != 1)
+ if (ret != 1) {
return ret;
+ }
}
return 1;
}
static void exnode_free(X509_POLICY_NODE *node) {
- if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
+ if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE)) {
OPENSSL_free(node);
+ }
}
void X509_policy_tree_free(X509_POLICY_TREE *tree) {
X509_POLICY_LEVEL *curr;
int i;
- if (!tree)
+ if (!tree) {
return;
+ }
sk_X509_POLICY_NODE_free(tree->auth_policies);
sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
- if (curr->cert)
+ if (curr->cert) {
X509_free(curr->cert);
- if (curr->nodes)
+ }
+ if (curr->nodes) {
sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free);
- if (curr->anyPolicy)
+ }
+ if (curr->anyPolicy) {
policy_node_free(curr->anyPolicy);
+ }
}
- if (tree->extra_data)
+ if (tree->extra_data) {
sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free);
+ }
OPENSSL_free(tree->levels);
OPENSSL_free(tree);
@@ -745,7 +803,7 @@
/* Tree OK: continue */
case 1:
- if (!tree)
+ if (!tree) {
/*
* tree_init() returns success and a null tree
* if it's just looking at a trust anchor.
@@ -755,50 +813,59 @@
* interprets as a malloc failure is wrong.
*/
return 1;
+ }
break;
}
- if (!tree)
+ if (!tree) {
goto error;
+ }
ret = tree_evaluate(tree);
tree_print("tree_evaluate()", tree, NULL);
- if (ret <= 0)
+ if (ret <= 0) {
goto error;
+ }
/* Return value 2 means tree empty */
if (ret == 2) {
X509_policy_tree_free(tree);
- if (*pexplicit_policy)
+ if (*pexplicit_policy) {
return -2;
- else
+ } else {
return 1;
+ }
}
/* Tree is not empty: continue */
calc_ret = tree_calculate_authority_set(tree, &auth_nodes);
- if (!calc_ret)
+ if (!calc_ret) {
goto error;
+ }
ret = tree_calculate_user_set(tree, policy_oids, auth_nodes);
- if (calc_ret == 2)
+ if (calc_ret == 2) {
sk_X509_POLICY_NODE_free(auth_nodes);
+ }
- if (!ret)
+ if (!ret) {
goto error;
+ }
- if (tree)
+ if (tree) {
*ptree = tree;
+ }
if (*pexplicit_policy) {
nodes = X509_policy_tree_get0_user_policies(tree);
- if (sk_X509_POLICY_NODE_num(nodes) <= 0)
+ if (sk_X509_POLICY_NODE_num(nodes) <= 0) {
return -2;
+ }
}
return 1;
diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c
index ec39b57..e893561 100644
--- a/crypto/x509v3/v3_akey.c
+++ b/crypto/x509v3/v3_akey.c
@@ -153,12 +153,14 @@
cnf = sk_CONF_VALUE_value(values, i);
if (!strcmp(cnf->name, "keyid")) {
keyid = 1;
- if (cnf->value && !strcmp(cnf->value, "always"))
+ if (cnf->value && !strcmp(cnf->value, "always")) {
keyid = 2;
+ }
} else if (!strcmp(cnf->name, "issuer")) {
issuer = 1;
- if (cnf->value && !strcmp(cnf->value, "always"))
+ if (cnf->value && !strcmp(cnf->value, "always")) {
issuer = 2;
+ }
} else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_OPTION);
ERR_add_error_data(2, "name=", cnf->name);
@@ -167,8 +169,9 @@
}
if (!ctx || !ctx->issuer_cert) {
- if (ctx && (ctx->flags == CTX_TEST))
+ if (ctx && (ctx->flags == CTX_TEST)) {
return AUTHORITY_KEYID_new();
+ }
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
return NULL;
}
@@ -177,8 +180,9 @@
if (keyid) {
j = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
- if ((j >= 0) && (ext = X509_get_ext(cert, j)))
+ if ((j >= 0) && (ext = X509_get_ext(cert, j))) {
ikeyid = X509V3_EXT_d2i(ext);
+ }
if (keyid == 2 && !ikeyid) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
return NULL;
@@ -194,8 +198,9 @@
}
}
- if (!(akeyid = AUTHORITY_KEYID_new()))
+ if (!(akeyid = AUTHORITY_KEYID_new())) {
goto err;
+ }
if (isname) {
if (!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new()) ||
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 93427ab..3f47901 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -108,8 +108,9 @@
}
ret = tmp;
}
- if (!ret)
+ if (!ret) {
return sk_CONF_VALUE_new_null();
+ }
return ret;
}
@@ -124,69 +125,80 @@
int i;
switch (gen->type) {
case GEN_OTHERNAME:
- if (!X509V3_add_value("othername", "<unsupported>", &ret))
+ if (!X509V3_add_value("othername", "<unsupported>", &ret)) {
return NULL;
+ }
break;
case GEN_X400:
- if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
+ if (!X509V3_add_value("X400Name", "<unsupported>", &ret)) {
return NULL;
+ }
break;
case GEN_EDIPARTY:
- if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
+ if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret)) {
return NULL;
+ }
break;
case GEN_EMAIL:
- if (!x509V3_add_value_asn1_string("email", gen->d.ia5, &ret))
+ if (!x509V3_add_value_asn1_string("email", gen->d.ia5, &ret)) {
return NULL;
+ }
break;
case GEN_DNS:
- if (!x509V3_add_value_asn1_string("DNS", gen->d.ia5, &ret))
+ if (!x509V3_add_value_asn1_string("DNS", gen->d.ia5, &ret)) {
return NULL;
+ }
break;
case GEN_URI:
- if (!x509V3_add_value_asn1_string("URI", gen->d.ia5, &ret))
+ if (!x509V3_add_value_asn1_string("URI", gen->d.ia5, &ret)) {
return NULL;
+ }
break;
case GEN_DIRNAME:
if (X509_NAME_oneline(gen->d.dirn, oline, 256) == NULL ||
- !X509V3_add_value("DirName", oline, &ret))
+ !X509V3_add_value("DirName", oline, &ret)) {
return NULL;
+ }
break;
case GEN_IPADD:
p = gen->d.ip->data;
- if (gen->d.ip->length == 4)
+ if (gen->d.ip->length == 4) {
BIO_snprintf(oline, sizeof(oline), "%d.%d.%d.%d", p[0], p[1], p[2],
p[3]);
- else if (gen->d.ip->length == 16) {
+ } else if (gen->d.ip->length == 16) {
oline[0] = 0;
for (i = 0; i < 8; i++) {
uint16_t v = ((uint16_t)p[0] << 8) | p[1];
BIO_snprintf(htmp, sizeof(htmp), "%X", v);
p += 2;
OPENSSL_strlcat(oline, htmp, sizeof(oline));
- if (i != 7)
+ if (i != 7) {
OPENSSL_strlcat(oline, ":", sizeof(oline));
+ }
}
} else {
- if (!X509V3_add_value("IP Address", "<invalid>", &ret))
+ if (!X509V3_add_value("IP Address", "<invalid>", &ret)) {
return NULL;
+ }
break;
}
- if (!X509V3_add_value("IP Address", oline, &ret))
+ if (!X509V3_add_value("IP Address", oline, &ret)) {
return NULL;
+ }
break;
case GEN_RID:
i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
- if (!X509V3_add_value("Registered ID", oline, &ret))
+ if (!X509V3_add_value("Registered ID", oline, &ret)) {
return NULL;
+ }
break;
}
return ret;
@@ -231,9 +243,9 @@
case GEN_IPADD:
p = gen->d.ip->data;
- if (gen->d.ip->length == 4)
+ if (gen->d.ip->length == 4) {
BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
- else if (gen->d.ip->length == 16) {
+ } else if (gen->d.ip->length == 16) {
BIO_printf(out, "IP Address");
for (i = 0; i < 8; i++) {
uint16_t v = ((uint16_t)p[0] << 8) | p[1];
@@ -268,12 +280,14 @@
cnf = sk_CONF_VALUE_value(nval, i);
if (!x509v3_name_cmp(cnf->name, "issuer") && cnf->value &&
!strcmp(cnf->value, "copy")) {
- if (!copy_issuer(ctx, gens))
+ if (!copy_issuer(ctx, gens)) {
goto err;
+ }
} else {
GENERAL_NAME *gen;
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+ if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {
goto err;
+ }
sk_GENERAL_NAME_push(gens, gen);
}
}
@@ -286,15 +300,17 @@
/* Append subject altname of issuer to issuer alt name of subject */
static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) {
- if (ctx && (ctx->flags == CTX_TEST))
+ if (ctx && (ctx->flags == CTX_TEST)) {
return 1;
+ }
if (!ctx || !ctx->issuer_cert) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_DETAILS);
return 0;
}
int i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
- if (i < 0)
+ if (i < 0) {
return 1;
+ }
int ret = 0;
GENERAL_NAMES *ialt = NULL;
@@ -335,16 +351,19 @@
cnf = sk_CONF_VALUE_value(nval, i);
if (!x509v3_name_cmp(cnf->name, "email") && cnf->value &&
!strcmp(cnf->value, "copy")) {
- if (!copy_email(ctx, gens, 0))
+ if (!copy_email(ctx, gens, 0)) {
goto err;
+ }
} else if (!x509v3_name_cmp(cnf->name, "email") && cnf->value &&
!strcmp(cnf->value, "move")) {
- if (!copy_email(ctx, gens, 1))
+ if (!copy_email(ctx, gens, 1)) {
goto err;
+ }
} else {
GENERAL_NAME *gen;
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+ if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {
goto err;
+ }
sk_GENERAL_NAME_push(gens, gen);
}
}
@@ -364,17 +383,19 @@
X509_NAME_ENTRY *ne;
GENERAL_NAME *gen = NULL;
int i;
- if (ctx != NULL && ctx->flags == CTX_TEST)
+ if (ctx != NULL && ctx->flags == CTX_TEST) {
return 1;
+ }
if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_SUBJECT_DETAILS);
goto err;
}
/* Find the subject name */
- if (ctx->subject_cert)
+ if (ctx->subject_cert) {
nm = X509_get_subject_name(ctx->subject_cert);
- else
+ } else {
nm = X509_REQ_get_subject_name(ctx->subject_req);
+ }
/* Now add any email address(es) to STACK */
i = -1;
@@ -420,8 +441,9 @@
}
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
cnf = sk_CONF_VALUE_value(nval, i);
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+ if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {
goto err;
+ }
sk_GENERAL_NAME_push(gens, gen);
}
return gens;
@@ -446,9 +468,9 @@
return NULL;
}
- if (out)
+ if (out) {
gen = out;
- else {
+ } else {
gen = GENERAL_NAME_new();
if (gen == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
@@ -474,10 +496,11 @@
} break;
case GEN_IPADD:
- if (is_nc)
+ if (is_nc) {
gen->d.ip = a2i_IPADDRESS_NC(value);
- else
+ } else {
gen->d.ip = a2i_IPADDRESS(value);
+ }
if (gen->d.ip == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_BAD_IP_ADDRESS);
ERR_add_error_data(2, "value=", value);
@@ -516,8 +539,9 @@
return gen;
err:
- if (!out)
+ if (!out) {
GENERAL_NAME_free(gen);
+ }
return NULL;
}
@@ -536,21 +560,21 @@
return NULL;
}
- if (!x509v3_name_cmp(name, "email"))
+ if (!x509v3_name_cmp(name, "email")) {
type = GEN_EMAIL;
- else if (!x509v3_name_cmp(name, "URI"))
+ } else if (!x509v3_name_cmp(name, "URI")) {
type = GEN_URI;
- else if (!x509v3_name_cmp(name, "DNS"))
+ } else if (!x509v3_name_cmp(name, "DNS")) {
type = GEN_DNS;
- else if (!x509v3_name_cmp(name, "RID"))
+ } else if (!x509v3_name_cmp(name, "RID")) {
type = GEN_RID;
- else if (!x509v3_name_cmp(name, "IP"))
+ } else if (!x509v3_name_cmp(name, "IP")) {
type = GEN_IPADD;
- else if (!x509v3_name_cmp(name, "dirName"))
+ } else if (!x509v3_name_cmp(name, "dirName")) {
type = GEN_DIRNAME;
- else if (!x509v3_name_cmp(name, "otherName"))
+ } else if (!x509v3_name_cmp(name, "otherName")) {
type = GEN_OTHERNAME;
- else {
+ } else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNSUPPORTED_OPTION);
ERR_add_error_data(2, "name=", name);
return NULL;
@@ -563,26 +587,31 @@
char *objtmp = NULL;
const char *p;
int objlen;
- if (!(p = strchr(value, ';')))
+ if (!(p = strchr(value, ';'))) {
return 0;
- if (!(gen->d.otherName = OTHERNAME_new()))
+ }
+ if (!(gen->d.otherName = OTHERNAME_new())) {
return 0;
+ }
/*
* Free this up because we will overwrite it. no need to free type_id
* because it is static
*/
ASN1_TYPE_free(gen->d.otherName->value);
- if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
+ if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx))) {
return 0;
+ }
objlen = p - value;
objtmp = OPENSSL_malloc(objlen + 1);
- if (objtmp == NULL)
+ if (objtmp == NULL) {
return 0;
+ }
OPENSSL_strlcpy(objtmp, value, objlen + 1);
gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
OPENSSL_free(objtmp);
- if (!gen->d.otherName->type_id)
+ if (!gen->d.otherName->type_id) {
return 0;
+ }
return 1;
}
@@ -590,8 +619,9 @@
int ret = 0;
STACK_OF(CONF_VALUE) *sk = NULL;
X509_NAME *nm = X509_NAME_new();
- if (nm == NULL)
+ if (nm == NULL) {
goto err;
+ }
sk = X509V3_get_section(ctx, value);
if (sk == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
@@ -599,14 +629,16 @@
goto err;
}
/* FIXME: should allow other character types... */
- if (!X509V3_NAME_from_section(nm, sk, MBSTRING_ASC))
+ if (!X509V3_NAME_from_section(nm, sk, MBSTRING_ASC)) {
goto err;
+ }
gen->d.dirn = nm;
ret = 1;
err:
- if (!ret)
+ if (!ret) {
X509_NAME_free(nm);
+ }
X509V3_section_free(ctx, sk);
return ret;
}
diff --git a/crypto/x509v3/v3_bcons.c b/crypto/x509v3/v3_bcons.c
index 0458a23..db55f06 100644
--- a/crypto/x509v3/v3_bcons.c
+++ b/crypto/x509v3/v3_bcons.c
@@ -116,11 +116,13 @@
for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
val = sk_CONF_VALUE_value(values, i);
if (!strcmp(val->name, "CA")) {
- if (!X509V3_get_value_bool(val, &bcons->ca))
+ if (!X509V3_get_value_bool(val, &bcons->ca)) {
goto err;
+ }
} else if (!strcmp(val->name, "pathlen")) {
- if (!X509V3_get_value_int(val, &bcons->pathlen))
+ if (!X509V3_get_value_int(val, &bcons->pathlen)) {
goto err;
+ }
} else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NAME);
X509V3_conf_err(val);
diff --git a/crypto/x509v3/v3_bitst.c b/crypto/x509v3/v3_bitst.c
index 2579d3a..9562826 100644
--- a/crypto/x509v3/v3_bitst.c
+++ b/crypto/x509v3/v3_bitst.c
@@ -94,8 +94,9 @@
const ASN1_BIT_STRING *bits = ext;
const BIT_STRING_BITNAME *bnam;
for (bnam = method->usr_data; bnam->lname; bnam++) {
- if (ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
+ if (ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) {
X509V3_add_value(bnam->lname, NULL, &ret);
+ }
}
return ret;
}
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index 92d1240..1c10158 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -92,8 +92,9 @@
int ext_type;
X509_EXTENSION *ret;
crit = v3_check_critical(&value);
- if ((ext_type = v3_check_generic(&value)))
+ if ((ext_type = v3_check_generic(&value))) {
return v3_generic_extension(name, value, crit, ext_type, ctx);
+ }
ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
if (!ret) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_ERROR_IN_EXTENSION);
@@ -109,9 +110,10 @@
int crit;
int ext_type;
crit = v3_check_critical(&value);
- if ((ext_type = v3_check_generic(&value)))
+ if ((ext_type = v3_check_generic(&value))) {
return v3_generic_extension(OBJ_nid2sn(ext_nid), value, crit, ext_type,
ctx);
+ }
return do_ext_nconf(conf, ctx, ext_nid, crit, value);
}
@@ -133,32 +135,38 @@
}
/* Now get internal extension representation based on type */
if (method->v2i) {
- if (*value == '@')
+ if (*value == '@') {
nval = NCONF_get_section(conf, value + 1);
- else
+ } else {
nval = X509V3_parse_list(value);
+ }
if (nval == NULL || sk_CONF_VALUE_num(nval) <= 0) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_EXTENSION_STRING);
ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
- if (*value != '@')
+ if (*value != '@') {
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+ }
return NULL;
}
ext_struc = method->v2i(method, ctx, nval);
- if (*value != '@')
+ if (*value != '@') {
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
- if (!ext_struc)
+ }
+ if (!ext_struc) {
return NULL;
+ }
} else if (method->s2i) {
- if (!(ext_struc = method->s2i(method, ctx, value)))
+ if (!(ext_struc = method->s2i(method, ctx, value))) {
return NULL;
+ }
} else if (method->r2i) {
if (!ctx->db || !ctx->db_meth) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_CONFIG_DATABASE);
return NULL;
}
- if (!(ext_struc = method->r2i(method, ctx, value)))
+ if (!(ext_struc = method->r2i(method, ctx, value))) {
return NULL;
+ }
} else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
@@ -166,10 +174,11 @@
}
ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
- if (method->it)
+ if (method->it) {
ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
- else
+ } else {
method->ext_free(ext_struc);
+ }
return ext;
}
@@ -183,24 +192,28 @@
if (method->it) {
ext_der = NULL;
ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
- if (ext_len < 0)
+ if (ext_len < 0) {
goto merr;
+ }
} else {
unsigned char *p;
ext_len = method->i2d(ext_struc, NULL);
- if (!(ext_der = OPENSSL_malloc(ext_len)))
+ if (!(ext_der = OPENSSL_malloc(ext_len))) {
goto merr;
+ }
p = ext_der;
method->i2d(ext_struc, &p);
}
- if (!(ext_oct = ASN1_OCTET_STRING_new()))
+ if (!(ext_oct = ASN1_OCTET_STRING_new())) {
goto merr;
+ }
ext_oct->data = ext_der;
ext_oct->length = ext_len;
ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
- if (!ext)
+ if (!ext) {
goto merr;
+ }
ASN1_OCTET_STRING_free(ext_oct);
return ext;
@@ -224,11 +237,13 @@
/* Check the extension string for critical flag */
static int v3_check_critical(const char **value) {
const char *p = *value;
- if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
+ if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) {
return 0;
+ }
p += 9;
- while (isspace((unsigned char)*p))
+ while (isspace((unsigned char)*p)) {
p++;
+ }
*value = p;
return 1;
}
@@ -243,11 +258,13 @@
} else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
p += 5;
gen_type = 2;
- } else
+ } else {
return 0;
+ }
- while (isspace((unsigned char)*p))
+ while (isspace((unsigned char)*p)) {
p++;
+ }
*value = p;
return gen_type;
}
@@ -267,10 +284,11 @@
goto err;
}
- if (gen_type == 1)
+ if (gen_type == 1) {
ext_der = x509v3_hex_to_bytes(value, &ext_len);
- else if (gen_type == 2)
+ } else if (gen_type == 2) {
ext_der = generic_asn1(value, ctx, &ext_len);
+ }
if (ext_der == NULL) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
@@ -292,8 +310,9 @@
err:
ASN1_OBJECT_free(obj);
ASN1_OCTET_STRING_free(oct);
- if (ext_der)
+ if (ext_der) {
OPENSSL_free(ext_der);
+ }
return extension;
}
@@ -302,8 +321,9 @@
ASN1_TYPE *typ;
unsigned char *ext_der = NULL;
typ = ASN1_generate_v3(value, ctx);
- if (typ == NULL)
+ if (typ == NULL) {
return NULL;
+ }
*ext_len = i2d_ASN1_TYPE(typ, &ext_der);
ASN1_TYPE_free(typ);
return ext_der;
@@ -320,14 +340,17 @@
STACK_OF(CONF_VALUE) *nval;
CONF_VALUE *val;
size_t i;
- if (!(nval = NCONF_get_section(conf, section)))
+ if (!(nval = NCONF_get_section(conf, section))) {
return 0;
+ }
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
- if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
+ if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value))) {
return 0;
- if (sk)
+ }
+ if (sk) {
X509v3_add_ext(sk, ext, -1);
+ }
X509_EXTENSION_free(ext);
}
return 1;
@@ -340,8 +363,9 @@
int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509 *cert) {
STACK_OF(X509_EXTENSION) **sk = NULL;
- if (cert)
+ if (cert) {
sk = &cert->cert_info->extensions;
+ }
return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}
@@ -350,8 +374,9 @@
int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509_CRL *crl) {
STACK_OF(X509_EXTENSION) **sk = NULL;
- if (crl)
+ if (crl) {
sk = &crl->crl->extensions;
+ }
return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}
@@ -361,11 +386,13 @@
X509_REQ *req) {
STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
int i;
- if (req)
+ if (req) {
sk = &extlist;
+ }
i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
- if (!i || !sk)
+ if (!i || !sk) {
return i;
+ }
i = X509_REQ_add_extensions(req, extlist);
sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
return i;
@@ -379,8 +406,9 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_OPERATION_NOT_DEFINED);
return NULL;
}
- if (ctx->db_meth->get_string)
+ if (ctx->db_meth->get_string) {
return ctx->db_meth->get_string(ctx->db, name, section);
+ }
return NULL;
}
@@ -389,23 +417,28 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_OPERATION_NOT_DEFINED);
return NULL;
}
- if (ctx->db_meth->get_section)
+ if (ctx->db_meth->get_section) {
return ctx->db_meth->get_section(ctx->db, section);
+ }
return NULL;
}
void X509V3_string_free(X509V3_CTX *ctx, char *str) {
- if (!str)
+ if (!str) {
return;
- if (ctx->db_meth->free_string)
+ }
+ if (ctx->db_meth->free_string) {
ctx->db_meth->free_string(ctx->db, str);
+ }
}
void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section) {
- if (!section)
+ if (!section) {
return;
- if (ctx->db_meth->free_section)
+ }
+ if (ctx->db_meth->free_section) {
ctx->db_meth->free_section(ctx->db, section);
+ }
}
static char *nconf_get_string(void *db, const char *section,
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index ecfef44..d2a6747 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -190,8 +190,9 @@
}
pol = policy_section(ctx, polsect, ia5org);
X509V3_section_free(ctx, polsect);
- if (!pol)
+ if (!pol) {
goto err;
+ }
} else {
if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);
@@ -226,8 +227,9 @@
CONF_VALUE *cnf;
POLICYINFO *pol;
POLICYQUALINFO *qual;
- if (!(pol = POLICYINFO_new()))
+ if (!(pol = POLICYINFO_new())) {
goto merr;
+ }
for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
cnf = sk_CONF_VALUE_value(polstrs, i);
if (!strcmp(cnf->name, "policyIdentifier")) {
@@ -240,12 +242,15 @@
pol->policyid = pobj;
} else if (!x509v3_name_cmp(cnf->name, "CPS")) {
- if (!pol->qualifiers)
+ if (!pol->qualifiers) {
pol->qualifiers = sk_POLICYQUALINFO_new_null();
- if (!(qual = POLICYQUALINFO_new()))
+ }
+ if (!(qual = POLICYQUALINFO_new())) {
goto merr;
- if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+ }
+ if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {
goto merr;
+ }
qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
if (qual->pqualid == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR);
@@ -255,8 +260,9 @@
if (qual->d.cpsuri == NULL) {
goto err;
}
- if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value, strlen(cnf->value)))
+ if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value, strlen(cnf->value))) {
goto merr;
+ }
} else if (!x509v3_name_cmp(cnf->name, "userNotice")) {
STACK_OF(CONF_VALUE) *unot;
if (*cnf->value != '@') {
@@ -273,12 +279,15 @@
}
qual = notice_section(ctx, unot, ia5org);
X509V3_section_free(ctx, unot);
- if (!qual)
+ if (!qual) {
goto err;
- if (!pol->qualifiers)
+ }
+ if (!pol->qualifiers) {
pol->qualifiers = sk_POLICYQUALINFO_new_null();
- if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
+ }
+ if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {
goto merr;
+ }
} else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OPTION);
@@ -308,47 +317,58 @@
CONF_VALUE *cnf;
USERNOTICE * not ;
POLICYQUALINFO *qual;
- if (!(qual = POLICYQUALINFO_new()))
+ if (!(qual = POLICYQUALINFO_new())) {
goto merr;
+ }
qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
if (qual->pqualid == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (!(not = USERNOTICE_new()))
+ if (!(not = USERNOTICE_new())) {
goto merr;
+ }
qual->d.usernotice = not ;
for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
cnf = sk_CONF_VALUE_value(unot, i);
if (!strcmp(cnf->name, "explicitText")) {
not ->exptext = ASN1_VISIBLESTRING_new();
- if (not ->exptext == NULL)
+ if (not ->exptext == NULL) {
goto merr;
- if (!ASN1_STRING_set(not ->exptext, cnf->value, strlen(cnf->value)))
+ }
+ if (!ASN1_STRING_set(not ->exptext, cnf->value, strlen(cnf->value))) {
goto merr;
+ }
} else if (!strcmp(cnf->name, "organization")) {
NOTICEREF *nref;
if (!not ->noticeref) {
- if (!(nref = NOTICEREF_new()))
+ if (!(nref = NOTICEREF_new())) {
goto merr;
+ }
not ->noticeref = nref;
- } else
+ } else {
nref = not ->noticeref;
- if (ia5org)
+ }
+ if (ia5org) {
nref->organization->type = V_ASN1_IA5STRING;
- else
+ } else {
nref->organization->type = V_ASN1_VISIBLESTRING;
- if (!ASN1_STRING_set(nref->organization, cnf->value, strlen(cnf->value)))
+ }
+ if (!ASN1_STRING_set(nref->organization, cnf->value,
+ strlen(cnf->value))) {
goto merr;
+ }
} else if (!strcmp(cnf->name, "noticeNumbers")) {
NOTICEREF *nref;
STACK_OF(CONF_VALUE) *nos;
if (!not ->noticeref) {
- if (!(nref = NOTICEREF_new()))
+ if (!(nref = NOTICEREF_new())) {
goto merr;
+ }
not ->noticeref = nref;
- } else
+ } else {
nref = not ->noticeref;
+ }
nos = X509V3_parse_list(cnf->value);
if (!nos || !sk_CONF_VALUE_num(nos)) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBERS);
@@ -357,8 +377,9 @@
}
ret = nref_nos(nref->noticenos, nos);
sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
- if (!ret)
+ if (!ret) {
goto err;
+ }
} else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OPTION);
X509V3_conf_err(cnf);
@@ -394,8 +415,9 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBER);
goto err;
}
- if (!sk_ASN1_INTEGER_push(nnums, aint))
+ if (!sk_ASN1_INTEGER_push(nnums, aint)) {
goto merr;
+ }
}
return 1;
@@ -416,8 +438,9 @@
BIO_printf(out, "%*sPolicy: ", indent, "");
i2a_ASN1_OBJECT(out, pinfo->policyid);
BIO_puts(out, "\n");
- if (pinfo->qualifiers)
+ if (pinfo->qualifiers) {
print_qualifiers(out, pinfo->qualifiers, indent + 2);
+ }
}
return 1;
}
@@ -459,23 +482,26 @@
ASN1_INTEGER *num;
char *tmp;
num = sk_ASN1_INTEGER_value(ref->noticenos, i);
- if (i)
+ if (i) {
BIO_puts(out, ", ");
- if (num == NULL)
+ }
+ if (num == NULL) {
BIO_puts(out, "(null)");
- else {
+ } else {
tmp = i2s_ASN1_INTEGER(NULL, num);
- if (tmp == NULL)
+ if (tmp == NULL) {
return;
+ }
BIO_puts(out, tmp);
OPENSSL_free(tmp);
}
}
BIO_puts(out, "\n");
}
- if (notice->exptext)
+ if (notice->exptext) {
BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "",
notice->exptext->length, notice->exptext->data);
+ }
}
void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) {
@@ -487,8 +513,9 @@
BIO_puts(out, "\n");
BIO_printf(out, "%*s%s\n", indent + 2, "",
node_data_critical(dat) ? "Critical" : "Non Critical");
- if (dat->qualifier_set)
+ if (dat->qualifier_set) {
print_qualifiers(out, dat->qualifier_set, indent + 2);
- else
+ } else {
BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
+ }
}
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
index 14278a0..a7b9ff3 100644
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509v3/v3_crld.c
@@ -113,19 +113,21 @@
char *sect) {
STACK_OF(CONF_VALUE) *gnsect;
STACK_OF(GENERAL_NAME) *gens;
- if (*sect == '@')
+ if (*sect == '@') {
gnsect = X509V3_get_section(ctx, sect + 1);
- else
+ } else {
gnsect = X509V3_parse_list(sect);
+ }
if (!gnsect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
return NULL;
}
gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
- if (*sect == '@')
+ if (*sect == '@') {
X509V3_section_free(ctx, gnsect);
- else
+ } else {
sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
+ }
return gens;
}
@@ -135,15 +137,17 @@
STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
if (!strncmp(cnf->name, "fullname", 9)) {
fnm = gnames_from_sectname(ctx, cnf->value);
- if (!fnm)
+ if (!fnm) {
goto err;
+ }
} else if (!strcmp(cnf->name, "relativename")) {
int ret;
STACK_OF(CONF_VALUE) *dnsect;
X509_NAME *nm;
nm = X509_NAME_new();
- if (!nm)
+ if (!nm) {
return -1;
+ }
dnsect = X509V3_get_section(ctx, cnf->value);
if (!dnsect) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);
@@ -154,8 +158,9 @@
rnm = nm->entries;
nm->entries = NULL;
X509_NAME_free(nm);
- if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
+ if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0) {
goto err;
+ }
/*
* Since its a name fragment can't have more than one RDNSequence
*/
@@ -163,8 +168,9 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_MULTIPLE_RDNS);
goto err;
}
- } else
+ } else {
return 0;
+ }
if (*pdp) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_DISTPOINT_ALREADY_SET);
@@ -172,8 +178,9 @@
}
*pdp = DIST_POINT_NAME_new();
- if (!*pdp)
+ if (!*pdp) {
goto err;
+ }
if (fnm) {
(*pdp)->type = 0;
(*pdp)->name.fullname = fnm;
@@ -185,10 +192,12 @@
return 1;
err:
- if (fnm)
+ if (fnm) {
sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
- if (rnm)
+ }
+ if (rnm) {
sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
+ }
return -1;
}
@@ -211,26 +220,31 @@
size_t i;
int ret = 0;
rsk = X509V3_parse_list(value);
- if (!rsk)
+ if (!rsk) {
return 0;
- if (*preas)
+ }
+ if (*preas) {
return 0;
+ }
for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
bnam = sk_CONF_VALUE_value(rsk, i)->name;
if (!*preas) {
*preas = ASN1_BIT_STRING_new();
- if (!*preas)
+ if (!*preas) {
goto err;
+ }
}
for (pbn = reason_flags; pbn->lname; pbn++) {
if (!strcmp(pbn->sname, bnam)) {
- if (!ASN1_BIT_STRING_set_bit(*preas, pbn->bitnum, 1))
+ if (!ASN1_BIT_STRING_set_bit(*preas, pbn->bitnum, 1)) {
goto err;
+ }
break;
}
}
- if (!pbn->lname)
+ if (!pbn->lname) {
goto err;
+ }
}
ret = 1;
@@ -246,17 +260,19 @@
BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
for (pbn = reason_flags; pbn->lname; pbn++) {
if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {
- if (first)
+ if (first) {
first = 0;
- else
+ } else {
BIO_puts(out, ", ");
+ }
BIO_puts(out, pbn->lname);
}
}
- if (first)
+ if (first) {
BIO_puts(out, "<EMPTY>\n");
- else
+ } else {
BIO_puts(out, "\n");
+ }
return 1;
}
@@ -266,31 +282,37 @@
CONF_VALUE *cnf;
DIST_POINT *point = NULL;
point = DIST_POINT_new();
- if (!point)
+ if (!point) {
goto err;
+ }
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
int ret;
cnf = sk_CONF_VALUE_value(nval, i);
ret = set_dist_point_name(&point->distpoint, ctx, cnf);
- if (ret > 0)
+ if (ret > 0) {
continue;
- if (ret < 0)
+ }
+ if (ret < 0) {
goto err;
+ }
if (!strcmp(cnf->name, "reasons")) {
- if (!set_reasons(&point->reasons, cnf->value))
+ if (!set_reasons(&point->reasons, cnf->value)) {
goto err;
+ }
} else if (!strcmp(cnf->name, "CRLissuer")) {
point->CRLissuer = gnames_from_sectname(ctx, cnf->value);
- if (!point->CRLissuer)
+ if (!point->CRLissuer) {
goto err;
+ }
}
}
return point;
err:
- if (point)
+ if (point) {
DIST_POINT_free(point);
+ }
return NULL;
}
@@ -301,40 +323,48 @@
GENERAL_NAME *gen = NULL;
CONF_VALUE *cnf;
size_t i;
- if (!(crld = sk_DIST_POINT_new_null()))
+ if (!(crld = sk_DIST_POINT_new_null())) {
goto merr;
+ }
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
DIST_POINT *point;
cnf = sk_CONF_VALUE_value(nval, i);
if (!cnf->value) {
STACK_OF(CONF_VALUE) *dpsect;
dpsect = X509V3_get_section(ctx, cnf->name);
- if (!dpsect)
+ if (!dpsect) {
goto err;
+ }
point = crldp_from_section(ctx, dpsect);
X509V3_section_free(ctx, dpsect);
- if (!point)
+ if (!point) {
goto err;
+ }
if (!sk_DIST_POINT_push(crld, point)) {
DIST_POINT_free(point);
goto merr;
}
} else {
- if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+ if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {
goto err;
- if (!(gens = GENERAL_NAMES_new()))
+ }
+ if (!(gens = GENERAL_NAMES_new())) {
goto merr;
- if (!sk_GENERAL_NAME_push(gens, gen))
+ }
+ if (!sk_GENERAL_NAME_push(gens, gen)) {
goto merr;
+ }
gen = NULL;
- if (!(point = DIST_POINT_new()))
+ if (!(point = DIST_POINT_new())) {
goto merr;
+ }
if (!sk_DIST_POINT_push(crld, point)) {
DIST_POINT_free(point);
goto merr;
}
- if (!(point->distpoint = DIST_POINT_NAME_new()))
+ if (!(point->distpoint = DIST_POINT_NAME_new())) {
goto merr;
+ }
point->distpoint->name.fullname = gens;
point->distpoint->type = 0;
gens = NULL;
@@ -361,8 +391,9 @@
break;
case ASN1_OP_FREE_POST:
- if (dpn->dpname)
+ if (dpn->dpname) {
X509_NAME_free(dpn->dpname);
+ }
break;
}
return 1;
@@ -433,32 +464,40 @@
size_t i;
int ret;
idp = ISSUING_DIST_POINT_new();
- if (!idp)
+ if (!idp) {
goto merr;
+ }
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
cnf = sk_CONF_VALUE_value(nval, i);
name = cnf->name;
val = cnf->value;
ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
- if (ret > 0)
+ if (ret > 0) {
continue;
- if (ret < 0)
+ }
+ if (ret < 0) {
goto err;
+ }
if (!strcmp(name, "onlyuser")) {
- if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
+ if (!X509V3_get_value_bool(cnf, &idp->onlyuser)) {
goto err;
+ }
} else if (!strcmp(name, "onlyCA")) {
- if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
+ if (!X509V3_get_value_bool(cnf, &idp->onlyCA)) {
goto err;
+ }
} else if (!strcmp(name, "onlyAA")) {
- if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
+ if (!X509V3_get_value_bool(cnf, &idp->onlyattr)) {
goto err;
+ }
} else if (!strcmp(name, "indirectCRL")) {
- if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
+ if (!X509V3_get_value_bool(cnf, &idp->indirectCRL)) {
goto err;
+ }
} else if (!strcmp(name, "onlysomereasons")) {
- if (!set_reasons(&idp->onlysomereasons, val))
+ if (!set_reasons(&idp->onlysomereasons, val)) {
goto err;
+ }
} else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NAME);
X509V3_conf_err(cnf);
@@ -501,21 +540,29 @@
static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
int indent) {
ISSUING_DIST_POINT *idp = pidp;
- if (idp->distpoint)
+ if (idp->distpoint) {
print_distpoint(out, idp->distpoint, indent);
- if (idp->onlyuser > 0)
+ }
+ if (idp->onlyuser > 0) {
BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
- if (idp->onlyCA > 0)
+ }
+ if (idp->onlyCA > 0) {
BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
- if (idp->indirectCRL > 0)
+ }
+ if (idp->indirectCRL > 0) {
BIO_printf(out, "%*sIndirect CRL\n", indent, "");
- if (idp->onlysomereasons)
+ }
+ if (idp->onlysomereasons) {
print_reasons(out, "Only Some Reasons", idp->onlysomereasons, indent);
- if (idp->onlyattr > 0)
+ }
+ if (idp->onlyattr > 0) {
BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
+ }
if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&
- (idp->indirectCRL <= 0) && !idp->onlysomereasons && (idp->onlyattr <= 0))
+ (idp->indirectCRL <= 0) && !idp->onlysomereasons &&
+ (idp->onlyattr <= 0)) {
BIO_printf(out, "%*s<EMPTY>\n", indent, "");
+ }
return 1;
}
@@ -528,10 +575,12 @@
for (i = 0; i < sk_DIST_POINT_num(crld); i++) {
BIO_puts(out, "\n");
point = sk_DIST_POINT_value(crld, i);
- if (point->distpoint)
+ if (point->distpoint) {
print_distpoint(out, point->distpoint, indent);
- if (point->reasons)
+ }
+ if (point->reasons) {
print_reasons(out, "Reasons", point->reasons, indent);
+ }
if (point->CRLissuer) {
BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
print_gens(out, point->CRLissuer, indent);
@@ -544,12 +593,14 @@
size_t i;
STACK_OF(X509_NAME_ENTRY) *frag;
X509_NAME_ENTRY *ne;
- if (!dpn || (dpn->type != 1))
+ if (!dpn || (dpn->type != 1)) {
return 1;
+ }
frag = dpn->name.relativename;
dpn->dpname = X509_NAME_dup(iname);
- if (!dpn->dpname)
+ if (!dpn->dpname) {
return 0;
+ }
for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {
ne = sk_X509_NAME_ENTRY_value(frag, i);
if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {
diff --git a/crypto/x509v3/v3_enum.c b/crypto/x509v3/v3_enum.c
index de89855..cd93f30 100644
--- a/crypto/x509v3/v3_enum.c
+++ b/crypto/x509v3/v3_enum.c
@@ -87,8 +87,9 @@
const ASN1_ENUMERATED *e = ext;
long strval = ASN1_ENUMERATED_get(e);
for (const ENUMERATED_NAMES *enam = method->usr_data; enam->lname; enam++) {
- if (strval == enam->bitnum)
+ if (strval == enam->bitnum) {
return OPENSSL_strdup(enam->lname);
+ }
}
return i2s_ASN1_ENUMERATED(method, e);
}
diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509v3/v3_extku.c
index 59a8a16..9d43b0f 100644
--- a/crypto/x509v3/v3_extku.c
+++ b/crypto/x509v3/v3_extku.c
@@ -140,10 +140,11 @@
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
- if (val->value)
+ if (val->value) {
extval = val->value;
- else
+ } else {
extval = val->name;
+ }
if (!(objtmp = OBJ_txt2obj(extval, 0))) {
sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 4050bc3..4b37fc9 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -124,8 +124,9 @@
/* Returns 0 if they are equal, != 0 otherwise. */
int GENERAL_NAME_cmp(const GENERAL_NAME *a, const GENERAL_NAME *b) {
- if (!a || !b || a->type != b->type)
+ if (!a || !b || a->type != b->type) {
return -1;
+ }
switch (a->type) {
case GEN_X400:
@@ -159,11 +160,13 @@
int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b) {
int result = -1;
- if (!a || !b)
+ if (!a || !b) {
return -1;
+ }
/* Check their type first. */
- if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
+ if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0) {
return result;
+ }
/* Check the value. */
result = ASN1_TYPE_cmp(a->value, b->value);
return result;
@@ -205,8 +208,9 @@
}
void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) {
- if (ptype)
+ if (ptype) {
*ptype = a->type;
+ }
switch (a->type) {
case GEN_X400:
return a->d.x400Address;
@@ -240,8 +244,9 @@
ASN1_TYPE *value) {
OTHERNAME *oth;
oth = OTHERNAME_new();
- if (!oth)
+ if (!oth) {
return 0;
+ }
ASN1_TYPE_free(oth->value);
oth->type_id = oid;
oth->value = value;
@@ -251,11 +256,14 @@
int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **poid,
ASN1_TYPE **pvalue) {
- if (gen->type != GEN_OTHERNAME)
+ if (gen->type != GEN_OTHERNAME) {
return 0;
- if (poid)
+ }
+ if (poid) {
*poid = gen->d.otherName->type_id;
- if (pvalue)
+ }
+ if (pvalue) {
*pvalue = gen->d.otherName->value;
+ }
return 1;
}
diff --git a/crypto/x509v3/v3_ia5.c b/crypto/x509v3/v3_ia5.c
index 0d3d821..8abf40c 100644
--- a/crypto/x509v3/v3_ia5.c
+++ b/crypto/x509v3/v3_ia5.c
@@ -73,8 +73,9 @@
static char *i2s_ASN1_IA5STRING(const X509V3_EXT_METHOD *method, void *ext) {
const ASN1_IA5STRING *ia5 = ext;
char *tmp;
- if (!ia5 || !ia5->length)
+ if (!ia5 || !ia5->length) {
return NULL;
+ }
if (!(tmp = OPENSSL_malloc(ia5->length + 1))) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -91,8 +92,9 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
return NULL;
}
- if (!(ia5 = ASN1_IA5STRING_new()))
+ if (!(ia5 = ASN1_IA5STRING_new())) {
goto err;
+ }
if (!ASN1_STRING_set(ia5, str, strlen(str))) {
ASN1_IA5STRING_free(ia5);
goto err;
diff --git a/crypto/x509v3/v3_info.c b/crypto/x509v3/v3_info.c
index f9526a5..872346a 100644
--- a/crypto/x509v3/v3_info.c
+++ b/crypto/x509v3/v3_info.c
@@ -135,29 +135,33 @@
desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);
tmp = i2v_GENERAL_NAME(method, desc->location, tret);
- if (tmp == NULL)
+ if (tmp == NULL) {
goto err;
+ }
tret = tmp;
vtmp = sk_CONF_VALUE_value(tret, i);
i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);
nlen = strlen(objtmp) + strlen(vtmp->name) + 5;
ntmp = OPENSSL_malloc(nlen);
- if (ntmp == NULL)
+ if (ntmp == NULL) {
goto err;
+ }
OPENSSL_strlcpy(ntmp, objtmp, nlen);
OPENSSL_strlcat(ntmp, " - ", nlen);
OPENSSL_strlcat(ntmp, vtmp->name, nlen);
OPENSSL_free(vtmp->name);
vtmp->name = ntmp;
}
- if (ret == NULL && tret == NULL)
+ if (ret == NULL && tret == NULL) {
return sk_CONF_VALUE_new_null();
+ }
return tret;
err:
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
- if (ret == NULL && tret != NULL)
+ if (ret == NULL && tret != NULL) {
sk_CONF_VALUE_pop_free(tret, X509V3_conf_free);
+ }
return NULL;
}
@@ -187,8 +191,9 @@
CONF_VALUE ctmp;
ctmp.name = ptmp + 1;
ctmp.value = cnf->value;
- if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
+ if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0)) {
goto err;
+ }
if (!(objtmp = OPENSSL_malloc(objlen + 1))) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
goto err;
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index 9dacd2c..9434d37 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -103,26 +103,31 @@
const X509V3_EXT_METHOD *t = &tmp, *const * ret;
size_t idx;
- if (nid < 0)
+ if (nid < 0) {
return NULL;
+ }
tmp.ext_nid = nid;
ret = bsearch(&t, standard_exts, STANDARD_EXTENSION_COUNT,
sizeof(X509V3_EXT_METHOD *), ext_cmp);
- if (ret)
+ if (ret) {
return *ret;
- if (!ext_list)
+ }
+ if (!ext_list) {
return NULL;
+ }
sk_X509V3_EXT_METHOD_sort(ext_list);
- if (!sk_X509V3_EXT_METHOD_find(ext_list, &idx, &tmp))
+ if (!sk_X509V3_EXT_METHOD_find(ext_list, &idx, &tmp)) {
return NULL;
+ }
return sk_X509V3_EXT_METHOD_value(ext_list, idx);
}
const X509V3_EXT_METHOD *X509V3_EXT_get(const X509_EXTENSION *ext) {
int nid;
- if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
+ if ((nid = OBJ_obj2nid(ext->object)) == NID_undef) {
return NULL;
+ }
return X509V3_EXT_get_nid(nid);
}
@@ -133,11 +138,11 @@
return 0;
}
- if (ext_method->it != NULL)
+ if (ext_method->it != NULL) {
ASN1_item_free(ext_data, ASN1_ITEM_ptr(ext_method->it));
- else if (ext_method->ext_free != NULL)
+ } else if (ext_method->ext_free != NULL) {
ext_method->ext_free(ext_data);
- else {
+ } else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_CANNOT_FIND_FREE_FUNCTION);
return 0;
}
@@ -146,9 +151,11 @@
}
int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist) {
- for (; extlist->ext_nid != -1; extlist++)
- if (!X509V3_EXT_add(extlist))
+ for (; extlist->ext_nid != -1; extlist++) {
+ if (!X509V3_EXT_add(extlist)) {
return 0;
+ }
+ }
return 1;
}
@@ -177,8 +184,9 @@
}
static void ext_list_free(X509V3_EXT_METHOD *ext) {
- if (ext->ext_flags & X509V3_EXT_DYNAMIC)
+ if (ext->ext_flags & X509V3_EXT_DYNAMIC) {
OPENSSL_free(ext);
+ }
}
/*
@@ -194,8 +202,9 @@
const X509V3_EXT_METHOD *method;
const unsigned char *p;
- if (!(method = X509V3_EXT_get(ext)))
+ if (!(method = X509V3_EXT_get(ext))) {
return NULL;
+ }
p = ext->value->data;
void *ret;
if (method->it) {
@@ -226,18 +235,22 @@
size_t i;
X509_EXTENSION *ex, *found_ex = NULL;
if (!extensions) {
- if (out_idx)
+ if (out_idx) {
*out_idx = -1;
- if (out_critical)
+ }
+ if (out_critical) {
*out_critical = -1;
+ }
return NULL;
}
- if (out_idx)
+ if (out_idx) {
lastpos = *out_idx + 1;
- else
+ } else {
lastpos = 0;
- if (lastpos < 0)
+ }
+ if (lastpos < 0) {
lastpos = 0;
+ }
for (i = lastpos; i < sk_X509_EXTENSION_num(extensions); i++) {
ex = sk_X509_EXTENSION_value(extensions, i);
if (OBJ_obj2nid(ex->object) == nid) {
@@ -249,8 +262,9 @@
break;
} else if (found_ex) {
/* Found more than one */
- if (out_critical)
+ if (out_critical) {
*out_critical = -2;
+ }
return NULL;
}
found_ex = ex;
@@ -258,16 +272,19 @@
}
if (found_ex) {
/* Found it */
- if (out_critical)
+ if (out_critical) {
*out_critical = X509_EXTENSION_get_critical(found_ex);
+ }
return X509V3_EXT_d2i(found_ex);
}
/* Extension not found */
- if (out_idx)
+ if (out_idx) {
*out_idx = -1;
- if (out_critical)
+ }
+ if (out_critical) {
*out_critical = -1;
+ }
return NULL;
}
@@ -288,14 +305,16 @@
* If appending we don't care if it exists, otherwise look for existing
* extension.
*/
- if (ext_op != X509V3_ADD_APPEND)
+ if (ext_op != X509V3_ADD_APPEND) {
extidx = X509v3_get_ext_by_NID(*x, nid, -1);
+ }
/* See if extension exists */
if (extidx >= 0) {
/* If keep existing, nothing to do */
- if (ext_op == X509V3_ADD_KEEP_EXISTING)
+ if (ext_op == X509V3_ADD_KEEP_EXISTING) {
return 1;
+ }
/* If default then its an error */
if (ext_op == X509V3_ADD_DEFAULT) {
errcode = X509V3_R_EXTENSION_EXISTS;
@@ -303,8 +322,9 @@
}
/* If delete, just delete it */
if (ext_op == X509V3_ADD_DELETE) {
- if (!sk_X509_EXTENSION_delete(*x, extidx))
+ if (!sk_X509_EXTENSION_delete(*x, extidx)) {
return -1;
+ }
return 1;
}
} else {
@@ -334,27 +354,32 @@
if (extidx >= 0) {
extmp = sk_X509_EXTENSION_value(*x, extidx);
X509_EXTENSION_free(extmp);
- if (!sk_X509_EXTENSION_set(*x, extidx, ext))
+ if (!sk_X509_EXTENSION_set(*x, extidx, ext)) {
return -1;
+ }
return 1;
}
- if ((ret = *x) == NULL && (ret = sk_X509_EXTENSION_new_null()) == NULL)
+ if ((ret = *x) == NULL && (ret = sk_X509_EXTENSION_new_null()) == NULL) {
goto m_fail;
- if (!sk_X509_EXTENSION_push(ret, ext))
+ }
+ if (!sk_X509_EXTENSION_push(ret, ext)) {
goto m_fail;
+ }
*x = ret;
return 1;
m_fail:
- if (ret != *x)
+ if (ret != *x) {
sk_X509_EXTENSION_free(ret);
+ }
X509_EXTENSION_free(ext);
return -1;
err:
- if (!(flags & X509V3_ADD_SILENT))
+ if (!(flags & X509V3_ADD_SILENT)) {
OPENSSL_PUT_ERROR(X509V3, errcode);
+ }
return 0;
}
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 069166a..ce1c82e 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -127,8 +127,9 @@
NAME_CONSTRAINTS *ncons = NULL;
GENERAL_SUBTREE *sub = NULL;
ncons = NAME_CONSTRAINTS_new();
- if (!ncons)
+ if (!ncons) {
goto memerr;
+ }
for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
val = sk_CONF_VALUE_value(nval, i);
if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
@@ -143,12 +144,15 @@
}
tval.value = val->value;
sub = GENERAL_SUBTREE_new();
- if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
+ if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1)) {
goto err;
- if (!*ptree)
+ }
+ if (!*ptree) {
*ptree = sk_GENERAL_SUBTREE_new_null();
- if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
+ }
+ if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub)) {
goto memerr;
+ }
sub = NULL;
}
@@ -157,10 +161,12 @@
memerr:
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
err:
- if (ncons)
+ if (ncons) {
NAME_CONSTRAINTS_free(ncons);
- if (sub)
+ }
+ if (sub) {
GENERAL_SUBTREE_free(sub);
+ }
return NULL;
}
@@ -179,15 +185,17 @@
int ind, const char *name) {
GENERAL_SUBTREE *tree;
size_t i;
- if (sk_GENERAL_SUBTREE_num(trees) > 0)
+ if (sk_GENERAL_SUBTREE_num(trees) > 0) {
BIO_printf(bp, "%*s%s:\n", ind, "", name);
+ }
for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
tree = sk_GENERAL_SUBTREE_value(trees, i);
BIO_printf(bp, "%*s", ind + 2, "");
- if (tree->base->type == GEN_IPADD)
+ if (tree->base->type == GEN_IPADD) {
print_nc_ipadd(bp, tree->base->d.ip);
- else
+ } else {
GENERAL_NAME_print(bp, tree->base);
+ }
BIO_puts(bp, "\n");
}
return 1;
@@ -207,13 +215,15 @@
uint16_t v = ((uint16_t)p[0] << 8) | p[1];
BIO_printf(bp, "%X", v);
p += 2;
- if (i == 7)
+ if (i == 7) {
BIO_puts(bp, "/");
- else if (i != 15)
+ } else if (i != 15) {
BIO_puts(bp, ":");
+ }
}
- } else
+ } else {
BIO_printf(bp, "IP Address:<invalid>");
+ }
return 1;
}
@@ -260,8 +270,9 @@
r = nc_match(&gntmp, nc);
- if (r != X509_V_OK)
+ if (r != X509_V_OK) {
return r;
+ }
gntmp.type = GEN_EMAIL;
@@ -270,25 +281,29 @@
for (i = -1;;) {
X509_NAME_ENTRY *ne;
i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);
- if (i == -1)
+ if (i == -1) {
break;
+ }
ne = X509_NAME_get_entry(nm, i);
gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
- if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
+ if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING) {
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+ }
r = nc_match(&gntmp, nc);
- if (r != X509_V_OK)
+ if (r != X509_V_OK) {
return r;
+ }
}
}
for (j = 0; j < sk_GENERAL_NAME_num(x->altname); j++) {
GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, j);
r = nc_match(gen, nc);
- if (r != X509_V_OK)
+ if (r != X509_V_OK) {
return r;
+ }
}
return X509_V_OK;
@@ -306,39 +321,48 @@
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
- if (gen->type != sub->base->type)
+ if (gen->type != sub->base->type) {
continue;
- if (sub->minimum || sub->maximum)
+ }
+ if (sub->minimum || sub->maximum) {
return X509_V_ERR_SUBTREE_MINMAX;
+ }
/* If we already have a match don't bother trying any more */
- if (match == 2)
+ if (match == 2) {
continue;
- if (match == 0)
+ }
+ if (match == 0) {
match = 1;
+ }
r = nc_match_single(gen, sub->base);
- if (r == X509_V_OK)
+ if (r == X509_V_OK) {
match = 2;
- else if (r != X509_V_ERR_PERMITTED_VIOLATION)
+ } else if (r != X509_V_ERR_PERMITTED_VIOLATION) {
return r;
+ }
}
- if (match == 1)
+ if (match == 1) {
return X509_V_ERR_PERMITTED_VIOLATION;
+ }
/* Excluded subtrees: must not match any of these */
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
- if (gen->type != sub->base->type)
+ if (gen->type != sub->base->type) {
continue;
- if (sub->minimum || sub->maximum)
+ }
+ if (sub->minimum || sub->maximum) {
return X509_V_ERR_SUBTREE_MINMAX;
+ }
r = nc_match_single(gen, sub->base);
- if (r == X509_V_OK)
+ if (r == X509_V_OK) {
return X509_V_ERR_EXCLUDED_VIOLATION;
- else if (r != X509_V_ERR_PERMITTED_VIOLATION)
+ } else if (r != X509_V_ERR_PERMITTED_VIOLATION) {
return r;
+ }
}
return X509_V_OK;
@@ -372,14 +396,18 @@
static int nc_dn(X509_NAME *nm, X509_NAME *base) {
/* Ensure canonical encodings are up to date. */
- if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
+ if (nm->modified && i2d_X509_NAME(nm, NULL) < 0) {
return X509_V_ERR_OUT_OF_MEM;
- if (base->modified && i2d_X509_NAME(base, NULL) < 0)
+ }
+ if (base->modified && i2d_X509_NAME(base, NULL) < 0) {
return X509_V_ERR_OUT_OF_MEM;
- if (base->canon_enclen > nm->canon_enclen)
+ }
+ if (base->canon_enclen > nm->canon_enclen) {
return X509_V_ERR_PERMITTED_VIOLATION;
- if (OPENSSL_memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
+ }
+ if (OPENSSL_memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen)) {
return X509_V_ERR_PERMITTED_VIOLATION;
+ }
return X509_V_OK;
}
diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c
index 7a9dc77..9d648f6 100644
--- a/crypto/x509v3/v3_ocsp.c
+++ b/crypto/x509v3/v3_ocsp.c
@@ -61,10 +61,12 @@
static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
BIO *bp, int ind) {
- if (BIO_printf(bp, "%*s", ind, "") <= 0)
+ if (BIO_printf(bp, "%*s", ind, "") <= 0) {
return 0;
- if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
+ }
+ if (!ASN1_GENERALIZEDTIME_print(bp, cutoff)) {
return 0;
+ }
return 1;
}
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index 6d4b502..95fda03 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c
@@ -73,18 +73,20 @@
int indent) {
const PROXY_CERT_INFO_EXTENSION *pci = ext;
BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
- if (pci->pcPathLengthConstraint)
+ if (pci->pcPathLengthConstraint) {
i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
- else
+ } else {
BIO_printf(out, "infinite");
+ }
BIO_puts(out, "\n");
BIO_printf(out, "%*sPolicy Language: ", indent, "");
i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
BIO_puts(out, "\n");
- if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
+ if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) {
BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "",
pci->proxyPolicy->policy->length,
pci->proxyPolicy->policy->data);
+ }
return 1;
}
@@ -230,8 +232,9 @@
&pathlen, &policy);
}
X509V3_section_free(ctx, sect);
- if (!success_p)
+ if (!success_p) {
goto err;
+ }
} else {
if (!process_pci_value(cnf, &language, &pathlen, &policy)) {
X509V3_conf_err(cnf);
diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509v3/v3_pcons.c
index 3514dde..7ed778b 100644
--- a/crypto/x509v3/v3_pcons.c
+++ b/crypto/x509v3/v3_pcons.c
@@ -118,11 +118,13 @@
for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
val = sk_CONF_VALUE_value(values, i);
if (!strcmp(val->name, "requireExplicitPolicy")) {
- if (!X509V3_get_value_int(val, &pcons->requireExplicitPolicy))
+ if (!X509V3_get_value_int(val, &pcons->requireExplicitPolicy)) {
goto err;
+ }
} else if (!strcmp(val->name, "inhibitPolicyMapping")) {
- if (!X509V3_get_value_int(val, &pcons->inhibitPolicyMapping))
+ if (!X509V3_get_value_int(val, &pcons->inhibitPolicyMapping)) {
goto err;
+ }
} else {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NAME);
X509V3_conf_err(val);
diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c
index c2442ef..ba56c87 100644
--- a/crypto/x509v3/v3_prn.c
+++ b/crypto/x509v3/v3_prn.c
@@ -75,27 +75,32 @@
int ml) {
size_t i;
CONF_VALUE *nval;
- if (!val)
+ if (!val) {
return;
+ }
if (!ml || !sk_CONF_VALUE_num(val)) {
BIO_printf(out, "%*s", indent, "");
- if (!sk_CONF_VALUE_num(val))
+ if (!sk_CONF_VALUE_num(val)) {
BIO_puts(out, "<EMPTY>\n");
+ }
}
for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
- if (ml)
+ if (ml) {
BIO_printf(out, "%*s", indent, "");
- else if (i > 0)
+ } else if (i > 0) {
BIO_printf(out, ", ");
+ }
nval = sk_CONF_VALUE_value(val, i);
- if (!nval->name)
+ if (!nval->name) {
BIO_puts(out, nval->value);
- else if (!nval->value)
+ } else if (!nval->value) {
BIO_puts(out, nval->name);
- else
+ } else {
BIO_printf(out, "%s:%s", nval->name, nval->value);
- if (ml)
+ }
+ if (ml) {
BIO_puts(out, "\n");
+ }
}
}
@@ -109,8 +114,9 @@
STACK_OF(CONF_VALUE) *nval = NULL;
int ok = 1;
- if (!(method = X509V3_EXT_get(ext)))
+ if (!(method = X509V3_EXT_get(ext))) {
return unknown_ext_print(out, ext, flag, indent, 0);
+ }
const ASN1_STRING *ext_data = X509_EXTENSION_get_data(ext);
const unsigned char *p = ASN1_STRING_get0_data(ext_data);
if (method->it) {
@@ -120,8 +126,9 @@
ext_str = method->d2i(NULL, &p, ASN1_STRING_length(ext_data));
}
- if (!ext_str)
+ if (!ext_str) {
return unknown_ext_print(out, ext, flag, indent, 1);
+ }
if (method->i2s) {
if (!(value = method->i2s(method, ext_str))) {
@@ -137,19 +144,23 @@
X509V3_EXT_val_prn(out, nval, indent,
method->ext_flags & X509V3_EXT_MULTILINE);
} else if (method->i2r) {
- if (!method->i2r(method, ext_str, out, indent))
+ if (!method->i2r(method, ext_str, out, indent)) {
ok = 0;
- } else
+ }
+ } else {
ok = 0;
+ }
err:
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
- if (value)
+ if (value) {
OPENSSL_free(value);
- if (method->it)
+ }
+ if (method->it) {
ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
- else
+ } else {
method->ext_free(ext_str);
+ }
return ok;
}
@@ -159,8 +170,9 @@
size_t i;
int j;
- if (sk_X509_EXTENSION_num(exts) <= 0)
+ if (sk_X509_EXTENSION_num(exts) <= 0) {
return 1;
+ }
if (title) {
BIO_printf(bp, "%*s%s:\n", indent, "", title);
@@ -171,19 +183,22 @@
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
ex = sk_X509_EXTENSION_value(exts, i);
- if (indent && BIO_printf(bp, "%*s", indent, "") <= 0)
+ if (indent && BIO_printf(bp, "%*s", indent, "") <= 0) {
return 0;
+ }
obj = X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp, obj);
j = X509_EXTENSION_get_critical(ex);
- if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0)
+ if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0) {
return 0;
+ }
if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
BIO_printf(bp, "%*s", indent + 4, "");
ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex));
}
- if (BIO_write(bp, "\n", 1) <= 0)
+ if (BIO_write(bp, "\n", 1) <= 0) {
return 0;
+ }
}
return 1;
}
@@ -195,10 +210,11 @@
return 0;
case X509V3_EXT_ERROR_UNKNOWN:
- if (supported)
+ if (supported) {
BIO_printf(out, "%*s<Parse Error>", indent, "");
- else
+ } else {
BIO_printf(out, "%*s<Not Supported>", indent, "");
+ }
return 1;
case X509V3_EXT_PARSE_UNKNOWN:
@@ -216,8 +232,9 @@
int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent) {
BIO *bio_tmp;
int ret;
- if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
+ if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) {
return 0;
+ }
ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
BIO_free(bio_tmp);
return ret;
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index d53d8eb..0b51a07 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -143,11 +143,13 @@
return -1;
}
- if (id == -1)
+ if (id == -1) {
return 1;
+ }
idx = X509_PURPOSE_get_by_id(id);
- if (idx == -1)
+ if (idx == -1) {
return -1;
+ }
pt = X509_PURPOSE_get0(idx);
return pt->check_purpose(pt, x, ca);
}
@@ -162,16 +164,19 @@
}
int X509_PURPOSE_get_count(void) {
- if (!xptable)
+ if (!xptable) {
return X509_PURPOSE_COUNT;
+ }
return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
}
X509_PURPOSE *X509_PURPOSE_get0(int idx) {
- if (idx < 0)
+ if (idx < 0) {
return NULL;
- if (idx < (int)X509_PURPOSE_COUNT)
+ }
+ if (idx < (int)X509_PURPOSE_COUNT) {
return xstandard + idx;
+ }
return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
}
@@ -180,8 +185,9 @@
X509_PURPOSE *xptmp;
for (i = 0; i < X509_PURPOSE_get_count(); i++) {
xptmp = X509_PURPOSE_get0(i);
- if (!strcmp(xptmp->sname, sname))
+ if (!strcmp(xptmp->sname, sname)) {
return i;
+ }
}
return -1;
}
@@ -190,15 +196,18 @@
X509_PURPOSE tmp;
size_t idx;
- if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
+ if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) {
return purpose - X509_PURPOSE_MIN;
+ }
tmp.purpose = purpose;
- if (!xptable)
+ if (!xptable) {
return -1;
+ }
sk_X509_PURPOSE_sort(xptable);
- if (!sk_X509_PURPOSE_find(xptable, &idx, &tmp))
+ if (!sk_X509_PURPOSE_find(xptable, &idx, &tmp)) {
return -1;
+ }
return idx + X509_PURPOSE_COUNT;
}
@@ -224,20 +233,24 @@
return 0;
}
ptmp->flags = X509_PURPOSE_DYNAMIC;
- } else
+ } else {
ptmp = X509_PURPOSE_get0(idx);
+ }
/* Duplicate the supplied names. */
name_dup = OPENSSL_strdup(name);
sname_dup = OPENSSL_strdup(sname);
if (name_dup == NULL || sname_dup == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
- if (name_dup != NULL)
+ if (name_dup != NULL) {
OPENSSL_free(name_dup);
- if (sname_dup != NULL)
+ }
+ if (sname_dup != NULL) {
OPENSSL_free(sname_dup);
- if (idx == -1)
+ }
+ if (idx == -1) {
OPENSSL_free(ptmp);
+ }
return 0;
}
@@ -276,8 +289,9 @@
}
static void xptable_free(X509_PURPOSE *p) {
- if (!p)
+ if (!p) {
return;
+ }
if (p->flags & X509_PURPOSE_DYNAMIC) {
if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
OPENSSL_free(p->name);
@@ -290,8 +304,9 @@
void X509_PURPOSE_cleanup(void) {
unsigned int i;
sk_X509_PURPOSE_pop_free(xptable, xptable_free);
- for (i = 0; i < X509_PURPOSE_COUNT; i++)
+ for (i = 0; i < X509_PURPOSE_COUNT; i++) {
xptable_free(xstandard + i);
+ }
xptable = NULL;
}
@@ -334,12 +349,14 @@
int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
- if (ex_nid == NID_undef)
+ if (ex_nid == NID_undef) {
return 0;
+ }
if (bsearch(&ex_nid, supported_nids, sizeof(supported_nids) / sizeof(int),
- sizeof(int), nid_cmp) != NULL)
+ sizeof(int), nid_cmp) != NULL) {
return 1;
+ }
return 0;
}
@@ -347,15 +364,19 @@
X509_NAME *iname = NULL;
size_t i;
if (dp->reasons) {
- if (dp->reasons->length > 0)
+ if (dp->reasons->length > 0) {
dp->dp_reasons = dp->reasons->data[0];
- if (dp->reasons->length > 1)
+ }
+ if (dp->reasons->length > 1) {
dp->dp_reasons |= (dp->reasons->data[1] << 8);
+ }
dp->dp_reasons &= CRLDP_ALL_REASONS;
- } else
+ } else {
dp->dp_reasons = CRLDP_ALL_REASONS;
- if (!dp->distpoint || (dp->distpoint->type != 1))
+ }
+ if (!dp->distpoint || (dp->distpoint->type != 1)) {
return 1;
+ }
for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
if (gen->type == GEN_DIRNAME) {
@@ -363,8 +384,9 @@
break;
}
}
- if (!iname)
+ if (!iname) {
iname = X509_get_issuer_name(x);
+ }
return DIST_POINT_set_dpname(dp->distpoint, iname);
}
@@ -407,15 +429,18 @@
return (x->ex_flags & EXFLAG_INVALID) == 0;
}
- if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL))
+ if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL)) {
x->ex_flags |= EXFLAG_INVALID;
+ }
/* V1 should mean no extensions ... */
- if (X509_get_version(x) == X509_VERSION_1)
+ if (X509_get_version(x) == X509_VERSION_1) {
x->ex_flags |= EXFLAG_V1;
+ }
/* Handle basic constraints */
if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &j, NULL))) {
- if (bs->ca)
+ if (bs->ca) {
x->ex_flags |= EXFLAG_CA;
+ }
if (bs->pathlen) {
if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) || !bs->ca) {
x->ex_flags |= EXFLAG_INVALID;
@@ -428,8 +453,9 @@
* 255 as an error. */
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
}
- } else
+ } else {
x->ex_pathlen = -1;
+ }
BASIC_CONSTRAINTS_free(bs);
x->ex_flags |= EXFLAG_BCONS;
} else if (j != -1) {
@@ -444,8 +470,9 @@
}
if (pci->pcPathLengthConstraint) {
x->ex_pcpathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint);
- } else
+ } else {
x->ex_pcpathlen = -1;
+ }
PROXY_CERT_INFO_EXTENSION_free(pci);
x->ex_flags |= EXFLAG_PROXY;
} else if (j != -1) {
@@ -455,10 +482,12 @@
if ((usage = X509_get_ext_d2i(x, NID_key_usage, &j, NULL))) {
if (usage->length > 0) {
x->ex_kusage = usage->data[0];
- if (usage->length > 1)
+ if (usage->length > 1) {
x->ex_kusage |= usage->data[1] << 8;
- } else
+ }
+ } else {
x->ex_kusage = 0;
+ }
x->ex_flags |= EXFLAG_KUSAGE;
ASN1_BIT_STRING_free(usage);
} else if (j != -1) {
@@ -513,10 +542,11 @@
}
if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &j, NULL))) {
- if (ns->length > 0)
+ if (ns->length > 0) {
x->ex_nscert = ns->data[0];
- else
+ } else {
x->ex_nscert = 0;
+ }
x->ex_flags |= EXFLAG_NSCERT;
ASN1_BIT_STRING_free(ns);
} else if (j != -1) {
@@ -535,8 +565,9 @@
x->ex_flags |= EXFLAG_SI;
/* If SKID matches AKID also indicate self signed */
if (X509_check_akid(x, x->akid) == X509_V_OK &&
- !ku_reject(x, KU_KEY_CERT_SIGN))
+ !ku_reject(x, KU_KEY_CERT_SIGN)) {
x->ex_flags |= EXFLAG_SS;
+ }
}
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &j, NULL);
if (x->altname == NULL && j != -1) {
@@ -552,10 +583,12 @@
for (j = 0; j < X509_get_ext_count(x); j++) {
ex = X509_get_ext(x, j);
- if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl)
+ if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl) {
x->ex_flags |= EXFLAG_FRESHEST;
- if (!X509_EXTENSION_get_critical(ex))
+ }
+ if (!X509_EXTENSION_get_critical(ex)) {
continue;
+ }
if (!X509_supported_extension(ex)) {
x->ex_flags |= EXFLAG_CRITICAL;
break;
@@ -571,8 +604,9 @@
* otherwise. */
static int check_ca(const X509 *x) {
/* keyUsage if present should allow cert signing */
- if (ku_reject(x, KU_KEY_CERT_SIGN))
+ if (ku_reject(x, KU_KEY_CERT_SIGN)) {
return 0;
+ }
/* Version 1 certificates are considered CAs and don't have extensions. */
if ((x->ex_flags & V1_ROOT) == V1_ROOT) {
return 1;
@@ -590,16 +624,20 @@
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
int ca) {
- if (xku_reject(x, XKU_SSL_CLIENT))
+ if (xku_reject(x, XKU_SSL_CLIENT)) {
return 0;
- if (ca)
+ }
+ if (ca) {
return check_ca(x);
+ }
/* We need to do digital signatures or key agreement */
- if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT))
+ if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) {
return 0;
+ }
/* nsCertType if present should allow SSL client use */
- if (ns_reject(x, NS_SSL_CLIENT))
+ if (ns_reject(x, NS_SSL_CLIENT)) {
return 0;
+ }
return 1;
}
@@ -612,15 +650,19 @@
static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
int ca) {
- if (xku_reject(x, XKU_SSL_SERVER))
+ if (xku_reject(x, XKU_SSL_SERVER)) {
return 0;
- if (ca)
+ }
+ if (ca) {
return check_ca(x);
+ }
- if (ns_reject(x, NS_SSL_SERVER))
+ if (ns_reject(x, NS_SSL_SERVER)) {
return 0;
- if (ku_reject(x, KU_TLS))
+ }
+ if (ku_reject(x, KU_TLS)) {
return 0;
+ }
return 1;
}
@@ -629,19 +671,22 @@
int ca) {
int ret;
ret = check_purpose_ssl_server(xp, x, ca);
- if (!ret || ca)
+ if (!ret || ca) {
return ret;
+ }
/* We need to encipher or Netscape complains */
- if (ku_reject(x, KU_KEY_ENCIPHERMENT))
+ if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {
return 0;
+ }
return ret;
}
/* purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA
* (|ca| is one) certificate, and zero otherwise. */
static int purpose_smime(const X509 *x, int ca) {
- if (xku_reject(x, XKU_SMIME))
+ if (xku_reject(x, XKU_SMIME)) {
return 0;
+ }
if (ca) {
/* check nsCertType if present */
if ((x->ex_flags & EXFLAG_NSCERT) && (x->ex_nscert & NS_SMIME_CA) == 0) {
@@ -660,10 +705,12 @@
int ca) {
int ret;
ret = purpose_smime(x, ca);
- if (!ret || ca)
+ if (!ret || ca) {
return ret;
- if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))
+ }
+ if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)) {
return 0;
+ }
return ret;
}
@@ -671,10 +718,12 @@
int ca) {
int ret;
ret = purpose_smime(x, ca);
- if (!ret || ca)
+ if (!ret || ca) {
return ret;
- if (ku_reject(x, KU_KEY_ENCIPHERMENT))
+ }
+ if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {
return 0;
+ }
return ret;
}
@@ -683,8 +732,9 @@
if (ca) {
return check_ca(x);
}
- if (ku_reject(x, KU_CRL_SIGN))
+ if (ku_reject(x, KU_CRL_SIGN)) {
return 0;
+ }
return 1;
}
@@ -694,8 +744,9 @@
*/
static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) {
- if (ca)
+ if (ca) {
return check_ca(x);
+ }
/* leaf certificate is checked in OCSP_verify() */
return 1;
}
@@ -705,8 +756,9 @@
int i_ext;
/* If ca is true we must return if this is a valid CA certificate. */
- if (ca)
+ if (ca) {
return check_ca(x);
+ }
/*
* Check the optional key usage field:
@@ -716,19 +768,22 @@
*/
if ((x->ex_flags & EXFLAG_KUSAGE) &&
((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
- !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
+ !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) {
return 0;
+ }
/* Only time stamp key usage is permitted and it's required. */
- if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
+ if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP) {
return 0;
+ }
/* Extended Key Usage MUST be critical */
i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
if (i_ext >= 0) {
X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
- if (!X509_EXTENSION_get_critical(ext))
+ if (!X509_EXTENSION_get_critical(ext)) {
return 0;
+ }
}
return 1;
@@ -748,38 +803,45 @@
int X509_check_issued(X509 *issuer, X509 *subject) {
if (X509_NAME_cmp(X509_get_subject_name(issuer),
- X509_get_issuer_name(subject)))
+ X509_get_issuer_name(subject))) {
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+ }
if (!x509v3_cache_extensions(issuer) || !x509v3_cache_extensions(subject)) {
return X509_V_ERR_UNSPECIFIED;
}
if (subject->akid) {
int ret = X509_check_akid(issuer, subject->akid);
- if (ret != X509_V_OK)
+ if (ret != X509_V_OK) {
return ret;
+ }
}
if (subject->ex_flags & EXFLAG_PROXY) {
- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+ if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) {
return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+ }
+ } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) {
return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+ }
return X509_V_OK;
}
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) {
- if (!akid)
+ if (!akid) {
return X509_V_OK;
+ }
/* Check key ids (if present) */
if (akid->keyid && issuer->skid &&
- ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid))
+ ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid)) {
return X509_V_ERR_AKID_SKID_MISMATCH;
+ }
/* Check serial number */
if (akid->serial &&
- ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
+ ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) {
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+ }
/* Check issuer name */
if (akid->issuer) {
/*
@@ -799,8 +861,9 @@
break;
}
}
- if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
+ if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) {
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+ }
}
return X509_V_OK;
}
@@ -816,8 +879,9 @@
if (!x509v3_cache_extensions(x)) {
return 0;
}
- if (x->ex_flags & EXFLAG_KUSAGE)
+ if (x->ex_flags & EXFLAG_KUSAGE) {
return x->ex_kusage;
+ }
return UINT32_MAX;
}
@@ -825,8 +889,9 @@
if (!x509v3_cache_extensions(x)) {
return 0;
}
- if (x->ex_flags & EXFLAG_XKUSAGE)
+ if (x->ex_flags & EXFLAG_XKUSAGE) {
return x->ex_xkusage;
+ }
return UINT32_MAX;
}
diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509v3/v3_skey.c
index edbc61a..05c5050 100644
--- a/crypto/x509v3/v3_skey.c
+++ b/crypto/x509v3/v3_skey.c
@@ -104,34 +104,38 @@
unsigned char pkey_dig[EVP_MAX_MD_SIZE];
unsigned int diglen;
- if (strcmp(str, "hash"))
+ if (strcmp(str, "hash")) {
return s2i_ASN1_OCTET_STRING(method, ctx, str);
+ }
if (!(oct = ASN1_OCTET_STRING_new())) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
}
- if (ctx && (ctx->flags == CTX_TEST))
+ if (ctx && (ctx->flags == CTX_TEST)) {
return oct;
+ }
if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_PUBLIC_KEY);
goto err;
}
- if (ctx->subject_req)
+ if (ctx->subject_req) {
pk = ctx->subject_req->req_info->pubkey->public_key;
- else
+ } else {
pk = ctx->subject_cert->cert_info->key->public_key;
+ }
if (!pk) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_PUBLIC_KEY);
goto err;
}
- if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL))
+ if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL)) {
goto err;
+ }
if (!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index a60dda9..bd443c3 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -95,8 +95,9 @@
CONF_VALUE *vtmp = NULL;
char *tname = NULL, *tvalue = NULL;
int extlist_was_null = *extlist == NULL;
- if (name && !(tname = OPENSSL_strdup(name)))
+ if (name && !(tname = OPENSSL_strdup(name))) {
goto malloc_err;
+ }
if (!omit_value) {
/* |CONF_VALUE| cannot represent strings with NULs. */
if (OPENSSL_memchr(value, 0, value_len)) {
@@ -108,15 +109,18 @@
goto malloc_err;
}
}
- if (!(vtmp = CONF_VALUE_new()))
+ if (!(vtmp = CONF_VALUE_new())) {
goto malloc_err;
- if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null()))
+ }
+ if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) {
goto malloc_err;
+ }
vtmp->section = NULL;
vtmp->name = tname;
vtmp->value = tvalue;
- if (!sk_CONF_VALUE_push(*extlist, vtmp))
+ if (!sk_CONF_VALUE_push(*extlist, vtmp)) {
goto malloc_err;
+ }
return 1;
malloc_err:
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
@@ -151,28 +155,34 @@
/* Free function for STACK_OF(CONF_VALUE) */
void X509V3_conf_free(CONF_VALUE *conf) {
- if (!conf)
+ if (!conf) {
return;
- if (conf->name)
+ }
+ if (conf->name) {
OPENSSL_free(conf->name);
- if (conf->value)
+ }
+ if (conf->value) {
OPENSSL_free(conf->value);
- if (conf->section)
+ }
+ if (conf->section) {
OPENSSL_free(conf->section);
+ }
OPENSSL_free(conf);
}
int X509V3_add_value_bool(const char *name, int asn1_bool,
STACK_OF(CONF_VALUE) **extlist) {
- if (asn1_bool)
+ if (asn1_bool) {
return X509V3_add_value(name, "TRUE", extlist);
+ }
return X509V3_add_value(name, "FALSE", extlist);
}
int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
STACK_OF(CONF_VALUE) **extlist) {
- if (asn1_bool)
+ if (asn1_bool) {
return X509V3_add_value(name, "TRUE", extlist);
+ }
return 1;
}
@@ -218,11 +228,13 @@
const ASN1_ENUMERATED *a) {
BIGNUM *bntmp = NULL;
char *strtmp = NULL;
- if (!a)
+ if (!a) {
return NULL;
+ }
if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||
- !(strtmp = bignum_to_string(bntmp)))
+ !(strtmp = bignum_to_string(bntmp))) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
+ }
BN_free(bntmp);
return strtmp;
}
@@ -230,11 +242,13 @@
char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method, const ASN1_INTEGER *a) {
BIGNUM *bntmp = NULL;
char *strtmp = NULL;
- if (!a)
+ if (!a) {
return NULL;
+ }
if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||
- !(strtmp = bignum_to_string(bntmp)))
+ !(strtmp = bignum_to_string(bntmp))) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
+ }
BN_free(bntmp);
return strtmp;
}
@@ -253,19 +267,22 @@
if (value[0] == '-') {
value++;
isneg = 1;
- } else
+ } else {
isneg = 0;
+ }
if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
value += 2;
ishex = 1;
- } else
+ } else {
ishex = 0;
+ }
- if (ishex)
+ if (ishex) {
ret = BN_hex2bn(&bn, value);
- else
+ } else {
ret = BN_dec2bn(&bn, value);
+ }
if (!ret || value[ret]) {
BN_free(bn);
@@ -273,8 +290,9 @@
return 0;
}
- if (isneg && BN_is_zero(bn))
+ if (isneg && BN_is_zero(bn)) {
isneg = 0;
+ }
aint = BN_to_ASN1_INTEGER(bn, NULL);
BN_free(bn);
@@ -282,8 +300,9 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
return 0;
}
- if (isneg)
+ if (isneg) {
aint->type |= V_ASN1_NEG;
+ }
return aint;
}
@@ -291,10 +310,12 @@
STACK_OF(CONF_VALUE) **extlist) {
char *strtmp;
int ret;
- if (!aint)
+ if (!aint) {
return 1;
- if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
+ }
+ if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) {
return 0;
+ }
ret = X509V3_add_value(name, strtmp, extlist);
OPENSSL_free(strtmp);
return ret;
@@ -302,8 +323,9 @@
int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool) {
char *btmp;
- if (!(btmp = value->value))
+ if (!(btmp = value->value)) {
goto err;
+ }
if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true") || !strcmp(btmp, "Y") ||
!strcmp(btmp, "y") || !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
*asn1_bool = 0xff;
@@ -433,17 +455,22 @@
char *p, *q;
/* Skip over leading spaces */
p = name;
- while (*p && isspace((unsigned char)*p))
+ while (*p && isspace((unsigned char)*p)) {
p++;
- if (!*p)
+ }
+ if (!*p) {
return NULL;
+ }
q = p + strlen(p) - 1;
- while ((q != p) && isspace((unsigned char)*q))
+ while ((q != p) && isspace((unsigned char)*q)) {
q--;
- if (p != q)
+ }
+ if (p != q) {
q[1] = 0;
- if (!*p)
+ }
+ if (!*p) {
return NULL;
+ }
return p;
}
@@ -483,12 +510,14 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
return NULL;
}
- if (!(hexbuf = OPENSSL_malloc(strlen(str) >> 1)))
+ if (!(hexbuf = OPENSSL_malloc(strlen(str) >> 1))) {
goto err;
+ }
for (p = (unsigned char *)str, q = hexbuf; *p;) {
ch = *p++;
- if (ch == ':')
+ if (ch == ':') {
continue;
+ }
cl = *p++;
if (!cl) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_ODD_NUMBER_OF_DIGITS);
@@ -496,35 +525,39 @@
return NULL;
}
- if ((ch >= '0') && (ch <= '9'))
+ if ((ch >= '0') && (ch <= '9')) {
ch -= '0';
- else if ((ch >= 'a') && (ch <= 'f'))
+ } else if ((ch >= 'a') && (ch <= 'f')) {
ch -= 'a' - 10;
- else if ((ch >= 'A') && (ch <= 'F'))
+ } else if ((ch >= 'A') && (ch <= 'F')) {
ch -= 'A' - 10;
- else
+ } else {
goto badhex;
+ }
- if ((cl >= '0') && (cl <= '9'))
+ if ((cl >= '0') && (cl <= '9')) {
cl -= '0';
- else if ((cl >= 'a') && (cl <= 'f'))
+ } else if ((cl >= 'a') && (cl <= 'f')) {
cl -= 'a' - 10;
- else if ((cl >= 'A') && (cl <= 'F'))
+ } else if ((cl >= 'A') && (cl <= 'F')) {
cl -= 'A' - 10;
- else
+ } else {
goto badhex;
+ }
*q++ = (ch << 4) | cl;
}
- if (len)
+ if (len) {
*len = q - hexbuf;
+ }
return hexbuf;
err:
- if (hexbuf)
+ if (hexbuf) {
OPENSSL_free(hexbuf);
+ }
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -538,11 +571,13 @@
int len, ret;
char c;
len = strlen(cmp);
- if ((ret = strncmp(name, cmp, len)))
+ if ((ret = strncmp(name, cmp, len))) {
return ret;
+ }
c = name[len];
- if (!c || (c == '.'))
+ if (!c || (c == '.')) {
return 0;
+ }
return 1;
}
@@ -564,14 +599,16 @@
size_t i;
info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
- if (!info)
+ if (!info) {
return NULL;
+ }
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
if (ad->location->type == GEN_URI) {
- if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier))
+ if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier)) {
break;
+ }
}
}
}
@@ -607,15 +644,18 @@
0) {
ne = X509_NAME_get_entry(name, i);
email = X509_NAME_ENTRY_get_data(ne);
- if (!append_ia5(&ret, email))
+ if (!append_ia5(&ret, email)) {
return NULL;
+ }
}
for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) {
gen = sk_GENERAL_NAME_value(gens, j);
- if (gen->type != GEN_EMAIL)
+ if (gen->type != GEN_EMAIL) {
continue;
- if (!append_ia5(&ret, gen->d.ia5))
+ }
+ if (!append_ia5(&ret, gen->d.ia5)) {
return NULL;
+ }
}
return ret;
}
@@ -624,20 +664,25 @@
static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email) {
/* First some sanity checks */
- if (email->type != V_ASN1_IA5STRING)
+ if (email->type != V_ASN1_IA5STRING) {
return 1;
- if (email->data == NULL || email->length == 0)
+ }
+ if (email->data == NULL || email->length == 0) {
return 1;
+ }
/* |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not
* report them as outputs. */
- if (OPENSSL_memchr(email->data, 0, email->length) != NULL)
+ if (OPENSSL_memchr(email->data, 0, email->length) != NULL) {
return 1;
+ }
char *emtmp = NULL;
- if (!*sk)
+ if (!*sk) {
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
- if (!*sk)
+ }
+ if (!*sk) {
goto err;
+ }
emtmp = OPENSSL_strndup((char *)email->data, email->length);
if (emtmp == NULL) {
@@ -676,21 +721,26 @@
static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags) {
- if (pattern_len != subject_len)
+ if (pattern_len != subject_len) {
return 0;
+ }
while (pattern_len) {
unsigned char l = *pattern;
unsigned char r = *subject;
/* The pattern must not contain NUL characters. */
- if (l == 0)
+ if (l == 0) {
return 0;
+ }
if (l != r) {
- if ('A' <= l && l <= 'Z')
+ if ('A' <= l && l <= 'Z') {
l = (l - 'A') + 'a';
- if ('A' <= r && r <= 'Z')
+ }
+ if ('A' <= r && r <= 'Z') {
r = (r - 'A') + 'a';
- if (l != r)
+ }
+ if (l != r) {
return 0;
+ }
}
++pattern;
++subject;
@@ -703,8 +753,9 @@
static int equal_case(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags) {
- if (pattern_len != subject_len)
+ if (pattern_len != subject_len) {
return 0;
+ }
return !OPENSSL_memcmp(pattern, subject, pattern_len);
}
@@ -716,8 +767,9 @@
const unsigned char *b, size_t b_len,
unsigned int unused_flags) {
size_t i = a_len;
- if (a_len != b_len)
+ if (a_len != b_len) {
return 0;
+ }
/*
* We search backwards for the '@' character, so that we do not have to
* deal with quoted local-parts. The domain part is compared in a
@@ -726,13 +778,15 @@
while (i > 0) {
--i;
if (a[i] == '@' || b[i] == '@') {
- if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
+ if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0)) {
return 0;
+ }
break;
}
}
- if (i == 0)
+ if (i == 0) {
i = a_len;
+ }
return equal_case(a, i, b, i, 0);
}
@@ -749,38 +803,46 @@
const unsigned char *p;
int allow_idna = 0;
- if (subject_len < prefix_len + suffix_len)
+ if (subject_len < prefix_len + suffix_len) {
return 0;
- if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
+ }
+ if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags)) {
return 0;
+ }
wildcard_start = subject + prefix_len;
wildcard_end = subject + (subject_len - suffix_len);
- if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
+ if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags)) {
return 0;
+ }
/*
* If the wildcard makes up the entire first label, it must match at
* least one character.
*/
if (prefix_len == 0 && *suffix == '.') {
- if (wildcard_start == wildcard_end)
+ if (wildcard_start == wildcard_end) {
return 0;
+ }
allow_idna = 1;
}
/* IDNA labels cannot match partial wildcards */
if (!allow_idna && subject_len >= 4 &&
- OPENSSL_strncasecmp((char *)subject, "xn--", 4) == 0)
+ OPENSSL_strncasecmp((char *)subject, "xn--", 4) == 0) {
return 0;
+ }
/* The wildcard may match a literal '*' */
- if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
+ if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*') {
return 1;
+ }
/*
* Check that the part matched by the wildcard contains only
* permitted characters and only matches a single label.
*/
- for (p = wildcard_start; p != wildcard_end; ++p)
+ for (p = wildcard_start; p != wildcard_end; ++p) {
if (!(('0' <= *p && *p <= '9') || ('A' <= *p && *p <= 'Z') ||
- ('a' <= *p && *p <= 'z') || *p == '-'))
+ ('a' <= *p && *p <= 'z') || *p == '-')) {
return 0;
+ }
+ }
return 1;
}
@@ -808,39 +870,46 @@
* No wildcards in IDNA labels.
* No wildcards after the first label.
*/
- if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
+ if (star != NULL || (state & LABEL_IDNA) != 0 || dots) {
return NULL;
+ }
/* Only full-label '*.example.com' wildcards. */
- if (!atstart || !atend)
+ if (!atstart || !atend) {
return NULL;
+ }
star = &p[i];
state &= ~LABEL_START;
} else if (('a' <= p[i] && p[i] <= 'z') || ('A' <= p[i] && p[i] <= 'Z') ||
('0' <= p[i] && p[i] <= '9')) {
if ((state & LABEL_START) != 0 && len - i >= 4 &&
- OPENSSL_strncasecmp((char *)&p[i], "xn--", 4) == 0)
+ OPENSSL_strncasecmp((char *)&p[i], "xn--", 4) == 0) {
state |= LABEL_IDNA;
+ }
state &= ~(LABEL_HYPHEN | LABEL_START);
} else if (p[i] == '.') {
- if ((state & (LABEL_HYPHEN | LABEL_START)) != 0)
+ if ((state & (LABEL_HYPHEN | LABEL_START)) != 0) {
return NULL;
+ }
state = LABEL_START;
++dots;
} else if (p[i] == '-') {
/* no domain/subdomain starts with '-' */
- if ((state & LABEL_START) != 0)
+ if ((state & LABEL_START) != 0) {
return NULL;
+ }
state |= LABEL_HYPHEN;
- } else
+ } else {
return NULL;
+ }
}
/*
* The final label must not end in a hyphen or ".", and
* there must be at least two dots after the star.
*/
- if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
+ if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2) {
return NULL;
+ }
return star;
}
@@ -854,10 +923,12 @@
* Subject names starting with '.' can only match a wildcard pattern
* via a subject sub-domain pattern suffix match.
*/
- if (!(subject_len > 1 && subject[0] == '.'))
+ if (!(subject_len > 1 && subject[0] == '.')) {
star = valid_star(pattern, pattern_len, flags);
- if (star == NULL)
+ }
+ if (star == NULL) {
return equal_nocase(pattern, pattern_len, subject, subject_len, flags);
+ }
return wildcard_match(pattern, star - pattern, star + 1,
(pattern + pattern_len) - star - 1, subject,
subject_len, flags);
@@ -918,23 +989,28 @@
size_t blen, char **peername) {
int rv = 0;
- if (!a->data || !a->length)
+ if (!a->data || !a->length) {
return 0;
+ }
if (cmp_type > 0) {
- if (cmp_type != a->type)
+ if (cmp_type != a->type) {
return 0;
- if (cmp_type == V_ASN1_IA5STRING)
+ }
+ if (cmp_type == V_ASN1_IA5STRING) {
rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
- else if (a->length == (int)blen && !OPENSSL_memcmp(a->data, b, blen))
+ } else if (a->length == (int)blen && !OPENSSL_memcmp(a->data, b, blen)) {
rv = 1;
- if (rv > 0 && peername)
+ }
+ if (rv > 0 && peername) {
*peername = OPENSSL_strndup((char *)a->data, a->length);
+ }
} else {
int astrlen;
unsigned char *astr;
astrlen = ASN1_STRING_to_UTF8(&astr, a);
- if (astrlen < 0)
+ if (astrlen < 0) {
return -1;
+ }
/*
* We check the common name against DNS name constraints if it passes
* |x509v3_looks_like_dns_name|. Thus we must not consider common names
@@ -945,8 +1021,9 @@
} else {
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
}
- if (rv > 0 && peername)
+ if (rv > 0 && peername) {
*peername = OPENSSL_strndup((char *)astr, astrlen);
+ }
OPENSSL_free(astr);
}
return rv;
@@ -970,10 +1047,11 @@
} else if (check_type == GEN_DNS) {
cnid = NID_commonName;
alt_type = V_ASN1_IA5STRING;
- if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
+ if (flags & X509_CHECK_FLAG_NO_WILDCARDS) {
equal = equal_nocase;
- else
+ } else {
equal = equal_wildcard;
+ }
} else {
alt_type = V_ASN1_OCTET_STRING;
equal = equal_case;
@@ -985,26 +1063,30 @@
GENERAL_NAME *gen;
ASN1_STRING *cstr;
gen = sk_GENERAL_NAME_value(gens, i);
- if (gen->type != check_type)
+ if (gen->type != check_type) {
continue;
- if (check_type == GEN_EMAIL)
+ }
+ if (check_type == GEN_EMAIL) {
cstr = gen->d.rfc822Name;
- else if (check_type == GEN_DNS)
+ } else if (check_type == GEN_DNS) {
cstr = gen->d.dNSName;
- else
+ } else {
cstr = gen->d.iPAddress;
+ }
/* Positive on success, negative on error! */
if ((rv = do_check_string(cstr, alt_type, equal, flags, check_type, chk,
- chklen, peername)) != 0)
+ chklen, peername)) != 0) {
break;
+ }
}
GENERAL_NAMES_free(gens);
return rv;
}
/* We're done if CN-ID is not pertinent */
- if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
+ if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) {
return 0;
+ }
j = -1;
name = X509_get_subject_name(x);
@@ -1015,34 +1097,40 @@
str = X509_NAME_ENTRY_get_data(ne);
/* Positive on success, negative on error! */
if ((rv = do_check_string(str, -1, equal, flags, check_type, chk, chklen,
- peername)) != 0)
+ peername)) != 0) {
return rv;
+ }
}
return 0;
}
int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags,
char **peername) {
- if (chk == NULL)
+ if (chk == NULL) {
return -2;
- if (OPENSSL_memchr(chk, '\0', chklen))
+ }
+ if (OPENSSL_memchr(chk, '\0', chklen)) {
return -2;
+ }
return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
}
int X509_check_email(X509 *x, const char *chk, size_t chklen,
unsigned int flags) {
- if (chk == NULL)
+ if (chk == NULL) {
return -2;
- if (OPENSSL_memchr(chk, '\0', chklen))
+ }
+ if (OPENSSL_memchr(chk, '\0', chklen)) {
return -2;
+ }
return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
}
int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags) {
- if (chk == NULL)
+ if (chk == NULL) {
return -2;
+ }
return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
}
@@ -1050,11 +1138,13 @@
unsigned char ipout[16];
size_t iplen;
- if (ipasc == NULL)
+ if (ipasc == NULL) {
return -2;
+ }
iplen = (size_t)x509v3_a2i_ipadd(ipout, ipasc);
- if (iplen == 0)
+ if (iplen == 0) {
return -2;
+ }
return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
}
@@ -1069,12 +1159,14 @@
int iplen;
iplen = x509v3_a2i_ipadd(ipout, ipasc);
- if (!iplen)
+ if (!iplen) {
return NULL;
+ }
ret = ASN1_OCTET_STRING_new();
- if (!ret)
+ if (!ret) {
return NULL;
+ }
if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
ASN1_OCTET_STRING_free(ret);
return NULL;
@@ -1088,40 +1180,48 @@
char *iptmp = NULL, *p;
int iplen1, iplen2;
p = strchr(ipasc, '/');
- if (!p)
+ if (!p) {
return NULL;
+ }
iptmp = OPENSSL_strdup(ipasc);
- if (!iptmp)
+ if (!iptmp) {
return NULL;
+ }
p = iptmp + (p - ipasc);
*p++ = 0;
iplen1 = x509v3_a2i_ipadd(ipout, iptmp);
- if (!iplen1)
+ if (!iplen1) {
goto err;
+ }
iplen2 = x509v3_a2i_ipadd(ipout + iplen1, p);
OPENSSL_free(iptmp);
iptmp = NULL;
- if (!iplen2 || (iplen1 != iplen2))
+ if (!iplen2 || (iplen1 != iplen2)) {
goto err;
+ }
ret = ASN1_OCTET_STRING_new();
- if (!ret)
+ if (!ret) {
goto err;
- if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
+ }
+ if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2)) {
goto err;
+ }
return ret;
err:
- if (iptmp)
+ if (iptmp) {
OPENSSL_free(iptmp);
- if (ret)
+ }
+ if (ret) {
ASN1_OCTET_STRING_free(ret);
+ }
return NULL;
}
@@ -1129,23 +1229,27 @@
/* If string contains a ':' assume IPv6 */
if (strchr(ipasc, ':')) {
- if (!ipv6_from_asc(ipout, ipasc))
+ if (!ipv6_from_asc(ipout, ipasc)) {
return 0;
+ }
return 16;
} else {
- if (!ipv4_from_asc(ipout, ipasc))
+ if (!ipv4_from_asc(ipout, ipasc)) {
return 0;
+ }
return 4;
}
}
static int ipv4_from_asc(unsigned char v4[4], const char *in) {
int a0, a1, a2, a3;
- if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+ if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) {
return 0;
+ }
if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) || (a2 < 0) ||
- (a2 > 255) || (a3 < 0) || (a3 > 255))
+ (a2 > 255) || (a3 < 0) || (a3 > 255)) {
return 0;
+ }
v4[0] = a0;
v4[1] = a1;
v4[2] = a2;
@@ -1174,36 +1278,43 @@
* The presence of a '::' will parse as one, two or three zero length
* elements.
*/
- if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
+ if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat)) {
return 0;
+ }
/* Now for some sanity checks */
if (v6stat.zero_pos == -1) {
/* If no '::' must have exactly 16 bytes */
- if (v6stat.total != 16)
+ if (v6stat.total != 16) {
return 0;
+ }
} else {
/* If '::' must have less than 16 bytes */
- if (v6stat.total == 16)
+ if (v6stat.total == 16) {
return 0;
+ }
/* More than three zeroes is an error */
- if (v6stat.zero_cnt > 3)
+ if (v6stat.zero_cnt > 3) {
return 0;
+ }
/* Can only have three zeroes if nothing else present */
else if (v6stat.zero_cnt == 3) {
- if (v6stat.total > 0)
+ if (v6stat.total > 0) {
return 0;
+ }
}
/* Can only have two zeroes if at start or end */
else if (v6stat.zero_cnt == 2) {
- if ((v6stat.zero_pos != 0) && (v6stat.zero_pos != v6stat.total))
+ if ((v6stat.zero_pos != 0) && (v6stat.zero_pos != v6stat.total)) {
return 0;
+ }
} else
/* Can only have one zero if *not* start or end */
{
- if ((v6stat.zero_pos == 0) || (v6stat.zero_pos == v6stat.total))
+ if ((v6stat.zero_pos == 0) || (v6stat.zero_pos == v6stat.total)) {
return 0;
+ }
}
}
@@ -1215,12 +1326,14 @@
/* Zero middle */
OPENSSL_memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
/* Copy final part */
- if (v6stat.total != v6stat.zero_pos)
+ if (v6stat.total != v6stat.zero_pos) {
OPENSSL_memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
v6stat.tmp + v6stat.zero_pos,
v6stat.total - v6stat.zero_pos);
- } else
+ }
+ } else {
OPENSSL_memcpy(v6, v6stat.tmp, 16);
+ }
return 1;
}
@@ -1228,31 +1341,38 @@
static int ipv6_cb(const char *elem, int len, void *usr) {
IPV6_STAT *s = usr;
/* Error if 16 bytes written */
- if (s->total == 16)
+ if (s->total == 16) {
return 0;
+ }
if (len == 0) {
/* Zero length element, corresponds to '::' */
- if (s->zero_pos == -1)
+ if (s->zero_pos == -1) {
s->zero_pos = s->total;
+ }
/* If we've already got a :: its an error */
- else if (s->zero_pos != s->total)
+ else if (s->zero_pos != s->total) {
return 0;
+ }
s->zero_cnt++;
} else {
/* If more than 4 characters could be final a.b.c.d form */
if (len > 4) {
/* Need at least 4 bytes left */
- if (s->total > 12)
+ if (s->total > 12) {
return 0;
+ }
/* Must be end of string */
- if (elem[len])
+ if (elem[len]) {
return 0;
- if (!ipv4_from_asc(s->tmp + s->total, elem))
+ }
+ if (!ipv4_from_asc(s->tmp + s->total, elem)) {
return 0;
+ }
s->total += 4;
} else {
- if (!ipv6_hex(s->tmp + s->total, elem, len))
+ if (!ipv6_hex(s->tmp + s->total, elem, len)) {
return 0;
+ }
s->total += 2;
}
}
@@ -1266,19 +1386,21 @@
static int ipv6_hex(unsigned char *out, const char *in, int inlen) {
unsigned char c;
unsigned int num = 0;
- if (inlen > 4)
+ if (inlen > 4) {
return 0;
+ }
while (inlen--) {
c = *in++;
num <<= 4;
- if ((c >= '0') && (c <= '9'))
+ if ((c >= '0') && (c <= '9')) {
num |= c - '0';
- else if ((c >= 'A') && (c <= 'F'))
+ } else if ((c >= 'A') && (c <= 'F')) {
num |= c - 'A' + 10;
- else if ((c >= 'a') && (c <= 'f'))
+ } else if ((c >= 'a') && (c <= 'f')) {
num |= c - 'a' + 10;
- else
+ } else {
return 0;
+ }
}
out[0] = num >> 8;
out[1] = num & 0xff;
@@ -1291,8 +1413,9 @@
int mval;
size_t i;
char *p, *type;
- if (!nm)
+ if (!nm) {
return 0;
+ }
for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
v = sk_CONF_VALUE_value(dn_sk, i);
@@ -1300,21 +1423,25 @@
/*
* Skip past any leading X. X: X, etc to allow for multiple instances
*/
- for (p = type; *p; p++)
+ for (p = type; *p; p++) {
if ((*p == ':') || (*p == ',') || (*p == '.')) {
p++;
- if (*p)
+ if (*p) {
type = p;
+ }
break;
}
+ }
if (*type == '+') {
mval = -1;
type++;
- } else
+ } else {
mval = 0;
+ }
if (!X509_NAME_add_entry_by_txt(nm, type, chtype, (unsigned char *)v->value,
- -1, -1, mval))
+ -1, -1, mval)) {
return 0;
+ }
}
return 1;
}
