Added intermediate casts to void* to prevent spurious warnings (with Clang and -Wcast...

[BearSSL] / src / x509 / x509_minimal.t0

diff --git a/src/x509/x509_minimal.t0 b/src/x509/x509_minimal.t0
index f8c7f25..bce37ad 100644 (file)
--- a/src/x509/x509_minimal.t0
+++ b/src/x509/x509_minimal.t0
@@ -171,8 +171,13 @@ preamble {
 #include <windows.h>
 #endif
 
 #include <windows.h>
 #endif
 

+/*
+ * The T0 compiler will produce these prototypes declarations in the
+ * header.
+ *

 void br_x509_minimal_init_main(void *ctx);
 void br_x509_minimal_run(void *ctx);
 void br_x509_minimal_init_main(void *ctx);
 void br_x509_minimal_run(void *ctx);

+ */

 
 /* see bearssl_x509.h */
 void
 
 /* see bearssl_x509.h */
 void


@@ -300,7 +305,7 @@ const br_x509_class br_x509_minimal_vtable = {
        xm_get_pkey
 };
 
        xm_get_pkey
 };
 

-#define CTX   ((br_x509_minimal_context *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu)))
+#define CTX   ((br_x509_minimal_context *)(void *)((unsigned char *)t0ctx - offsetof(br_x509_minimal_context, cpu)))

 #define CONTEXT_NAME   br_x509_minimal_context
 
 #define DNHASH_LEN   ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK)
 #define CONTEXT_NAME   br_x509_minimal_context
 
 #define DNHASH_LEN   ((CTX->dn_hash_impl->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK)


@@ -341,6 +346,42 @@ eqbigint(const unsigned char *b1, size_t len1,
        return memcmp(b1, b2, len1) == 0;
 }
 
        return memcmp(b1, b2, len1) == 0;
 }
 

+/*
+ * Compare two strings for equality, in a case-insensitive way. This
+ * function handles casing only for ASCII letters.
+ */
+static int
+eqnocase(const void *s1, const void *s2, size_t len)
+{
+       const unsigned char *buf1, *buf2;
+
+       buf1 = s1;
+       buf2 = s2;
+       while (len -- > 0) {
+               int x1, x2;
+
+               x1 = *buf1 ++;
+               x2 = *buf2 ++;
+               if (x1 >= 'A' && x1 <= 'Z') {
+                       x1 += 'a' - 'A';
+               }
+               if (x2 >= 'A' && x2 <= 'Z') {
+                       x2 += 'a' - 'A';
+               }
+               if (x1 != x2) {
+                       return 0;
+               }
+       }
+       return 1;
+}
+
+static int verify_signature(br_x509_minimal_context *ctx,
+       const br_x509_pkey *pk);
+
+}
+
+postamble {
+

 /*
  * Verify the signature on the certificate with the provided public key.
  * This function checks the public key type with regards to the expected
 /*
  * Verify the signature on the certificate with the provided public key.
  * This function checks the public key type with regards to the expected


@@ -390,35 +431,6 @@ verify_signature(br_x509_minimal_context *ctx, const br_x509_pkey *pk)
        }
 }
 
        }
 }
 

-/*
- * Compare two strings for equality, in a case-insensitive way. This
- * function handles casing only for ASCII letters.
- */
-static int
-eqnocase(const void *s1, const void *s2, size_t len)
-{
-       const unsigned char *buf1, *buf2;
-
-       buf1 = s1;
-       buf2 = s2;
-       while (len -- > 0) {
-               int x1, x2;
-
-               x1 = *buf1 ++;
-               x2 = *buf2 ++;
-               if (x1 >= 'A' && x1 <= 'Z') {
-                       x1 += 'a' - 'A';
-               }
-               if (x2 >= 'A' && x2 <= 'Z') {
-                       x2 += 'a' - 'A';
-               }
-               if (x1 != x2) {
-                       return 0;
-               }
-       }
-       return 1;
-}
-

 }
 
 cc: read8-low ( -- x ) {
 }
 
 cc: read8-low ( -- x ) {


@@ -967,9 +979,13 @@ cc: printOID ( -- ) {
 }
 
 \ Extensions with specific processing.
 }
 
 \ Extensions with specific processing.

-OID: basicConstraints    2.5.29.19
-OID: keyUsage            2.5.29.15
-OID: subjectAltName      2.5.29.17
+OID: basicConstraints      2.5.29.19
+OID: keyUsage              2.5.29.15
+OID: subjectAltName        2.5.29.17
+OID: certificatePolicies   2.5.29.32
+
+\ Policy qualifier "pointer to CPS"
+OID: id-qt-cps             1.3.6.1.5.5.7.2.1

 
 \ Extensions which are ignored when encountered, even if critical.
 OID: authorityKeyIdentifier        2.5.29.35
 
 \ Extensions which are ignored when encountered, even if critical.
 OID: authorityKeyIdentifier        2.5.29.35


@@ -1043,6 +1059,49 @@ OID: subjectInfoAccess             1.3.6.1.5.5.7.1.11
        \ We don't care about subsequent bytes.
        skip-close-elt ;
 
        \ We don't care about subsequent bytes.
        skip-close-elt ;
 

+\ Process a Certificate Policies extension.
+\
+\ Since we don't actually support full policies processing, this function
+\ only checks that the extension contents can be safely ignored. Indeed,
+\ we don't validate against a specific set of policies (in RFC 5280
+\ terminology, user-initial-policy-set only contains the special value
+\ any-policy). Moreover, we don't support policy constraints (if a
+\ critical Policy Constraints extension is encountered, the validation
+\ will fail). Therefore, we can safely ignore the contents of this
+\ extension, except if it is critical AND one of the policy OID has a
+\ qualifier which is distinct from id-qt-cps (because id-qt-cps is
+\ specially designated by RFC 5280 has having no mandated action).
+\
+\ This function is called only if the extension is critical.
+: process-certPolicies ( lim -- lim )
+       \ Extension value is a SEQUENCE OF PolicyInformation.
+       read-sequence-open
+       begin dup while
+               \ PolicyInformation ::= SEQUENCE {
+               \    policyIdentifier  OBJECT IDENTIFIER,
+               \    policyQualifiers  SEQUENCE OF PolicyQualifierInfo OPTIONAL
+               \ }
+               read-sequence-open
+               read-OID drop
+               dup if
+                       read-sequence-open
+                       begin dup while
+                               \ PolicyQualifierInfo ::= SEQUENCE {
+                               \    policyQualifierId  OBJECT IDENTIFIER,
+                               \    qualifier          ANY
+                               \ }
+                               read-sequence-open
+                               read-OID drop id-qt-cps eqOID ifnot
+                                       ERR_X509_CRITICAL_EXTENSION fail
+                               then
+                               skip-close-elt
+                       repeat
+                       close-elt
+               then
+               close-elt
+       repeat
+       close-elt ;
+

 \ Process a Subject Alt Name extension. Returned value is a boolean set
 \ to true if the expected server name was matched against a dNSName in
 \ the extension.
 \ Process a Subject Alt Name extension. Returned value is a boolean set
 \ to true if the expected server name was matched against a dNSName in
 \ the extension.


@@ -1297,6 +1356,18 @@ OID: subjectInfoAccess             1.3.6.1.5.5.7.1.11
                                        then
                                enduf
 
                                        then
                                enduf
 

+                               \ We don't implement full processing of
+                               \ policies. The call below mostly checks
+                               \ that the contents of the Certificate
+                               \ Policies extension can be safely ignored.
+                               certificatePolicies eqOID uf
+                                       critical if
+                                               process-certPolicies
+                                       else
+                                               skip-remaining
+                                       then
+                               enduf
+

                                \ Extensions which are always ignored,
                                \ even if critical.
                                authorityKeyIdentifier     eqOID uf
                                \ Extensions which are always ignored,
                                \ even if critical.
                                authorityKeyIdentifier     eqOID uf