RFC 3779: stop pretending we support AFIs other than IPv4 and IPv6

This code is a complete bug fest and using it with any other AFI is downright dangerous. Such don't arise in this context in practice. ok claudio jsing
author: tb <> 2023-09-27 11:29:22 +0000
committer: tb <> 2023-09-27 11:29:22 +0000
commit: 88b042abdd67bf11258f99d6edfcb9a876738804 (patch)
tree: 214dff2532d57aaf86e2313a0eead2eef4e39220
parent: 7d90a600d0797645d480c64312d7b1bfa6fd7659 (diff)
download: openbsd-88b042abdd67bf11258f99d6edfcb9a876738804.tar.gz
openbsd-88b042abdd67bf11258f99d6edfcb9a876738804.tar.bz2
openbsd-88b042abdd67bf11258f99d6edfcb9a876738804.zip
1 files changed, 28 insertions, 19 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index a0da2af6f6..5e4223ce2b 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.89 2023/09/11 00:50:47 job Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.90 2023/09/27 11:29:22 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -388,14 +388,17 @@ IPAddressFamily_set_inheritance(IPAddressFamily *af)
 * What's the address length associated with this AFI?
 */
 static int
-length_from_afi(const unsigned afi)
+length_from_afi(const unsigned afi, int *length)
 {
        switch (afi) {
        case IANA_AFI_IPV4:
-                return 4;
+                *length = 4;
+                return 1;
        case IANA_AFI_IPV6:
-                return 16;
+                *length = 16;
+                return 1;
        default:
+                *length = 0;
                return 0;
        }
 }
@@ -425,6 +428,9 @@ IPAddressFamily_afi_safi(const IPAddressFamily *af, uint16_t *out_afi,
        if (!CBS_get_u16(&cbs, &afi))
                return 0;
+        if (afi != IANA_AFI_IPV4 && afi != IANA_AFI_IPV6)
+                return 0;
        /* Fetch the optional SAFI. */
        if (CBS_len(&cbs) != 0) {
                if (!CBS_get_u8(&cbs, &safi))
@@ -471,9 +477,7 @@ IPAddressFamily_afi_length(const IPAddressFamily *af, int *out_length)
        if (!IPAddressFamily_afi(af, &afi))
                return 0;
-        *out_length = length_from_afi(afi);
+        return length_from_afi(afi, out_length);
-        return 1;
 }
 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
@@ -879,16 +883,15 @@ make_addressPrefix(IPAddressOrRange **out_aor, uint8_t *addr, uint32_t afi,
    int prefix_len)
 {
        IPAddressOrRange *aor = NULL;
-        int afi_len, max_len, num_bits, num_octets;
+        int afi_len, num_bits, num_octets;
        uint8_t unused_bits;
        if (prefix_len < 0)
                goto err;
-        max_len = 16;
+        if (!length_from_afi(afi, &afi_len))
-        if ((afi_len = length_from_afi(afi)) > 0)
+                goto err;
-                max_len = afi_len;
+        if (prefix_len > 8 * afi_len)
-        if (prefix_len > 8 * max_len)
                goto err;
        num_octets = (prefix_len + 7) / 8;
@@ -1062,11 +1065,14 @@ make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
        if (!CBB_init(&cbb, 0))
                goto err;
-        /* XXX - should afi <= 65535 and *safi <= 255 be checked here? */
+        if (afi != IANA_AFI_IPV4 && afi != IANA_AFI_IPV6)
+                goto err;
        if (!CBB_add_u16(&cbb, afi))
                goto err;
        if (safi != NULL) {
+                if (*safi > 255)
+                        goto err;
                if (!CBB_add_u8(&cbb, *safi))
                        goto err;
        }
@@ -1197,7 +1203,8 @@ X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi,
        if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL)
                return 0;
-        length = length_from_afi(afi);
+        if (!length_from_afi(afi, &length))
+                return 0;
        if (!make_addressRange(&aor, min, max, afi, length))
                return 0;
@@ -1258,7 +1265,7 @@ X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
 {
        int afi_len;
-        if ((afi_len = length_from_afi(afi)) == 0)
+        if (!length_from_afi(afi, &afi_len))
                return 0;
        if (length < afi_len)
@@ -1401,7 +1408,8 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
        unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
        int i, j, length;
-        length = length_from_afi(afi);
+        if (!length_from_afi(afi, &length))
+                return 0;
        /*
         * Sort the IPAddressOrRanges sequence.
@@ -1548,7 +1556,8 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
                        break;
                }
-                length = length_from_afi(afi);
+                if (!length_from_afi(afi, &length))
+                        goto err;
                /*
                 * Handle SAFI, if any, and strdup() so we can null-terminate
@@ -1658,7 +1667,7 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
                                X509V3_conf_err(val);
                                goto err;
                        }
-                        if (memcmp(min, max, length_from_afi(afi)) > 0) {
+                        if (memcmp(min, max, length) > 0) {
                                X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
                                X509V3_conf_err(val);
                                goto err;
author	tb <>	2023-09-27 11:29:22 +0000
committer	tb <>	2023-09-27 11:29:22 +0000
commit	88b042abdd67bf11258f99d6edfcb9a876738804 (patch)
tree	214dff2532d57aaf86e2313a0eead2eef4e39220
parent	7d90a600d0797645d480c64312d7b1bfa6fd7659 (diff)
download	openbsd-88b042abdd67bf11258f99d6edfcb9a876738804.tar.gz openbsd-88b042abdd67bf11258f99d6edfcb9a876738804.tar.bz2 openbsd-88b042abdd67bf11258f99d6edfcb9a876738804.zip

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index a0da2af6f6..5e4223ce2b 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_addr.c,v 1.89 2023/09/11 00:50:47 job Exp $ */	1	/* $OpenBSD: x509_addr.c,v 1.90 2023/09/27 11:29:22 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -388,14 +388,17 @@ IPAddressFamily_set_inheritance(IPAddressFamily *af)
388	* What's the address length associated with this AFI?	388	* What's the address length associated with this AFI?
389	*/	389	*/
390	static int	390	static int
391	length_from_afi(const unsigned afi)	391	length_from_afi(const unsigned afi, int *length)
392	{	392	{
393	switch (afi) {	393	switch (afi) {
394	case IANA_AFI_IPV4:	394	case IANA_AFI_IPV4:
395	return 4;	395	*length = 4;
		396	return 1;
396	case IANA_AFI_IPV6:	397	case IANA_AFI_IPV6:
397	return 16;	398	*length = 16;
		399	return 1;
398	default:	400	default:
		401	*length = 0;
399	return 0;	402	return 0;
400	}	403	}
401	}	404	}
@@ -425,6 +428,9 @@ IPAddressFamily_afi_safi(const IPAddressFamily af, uint16_t out_afi,
425	if (!CBS_get_u16(&cbs, &afi))	428	if (!CBS_get_u16(&cbs, &afi))
426	return 0;	429	return 0;
427		430
		431	if (afi != IANA_AFI_IPV4 && afi != IANA_AFI_IPV6)
		432	return 0;
		433
428	/* Fetch the optional SAFI. */	434	/* Fetch the optional SAFI. */
429	if (CBS_len(&cbs) != 0) {	435	if (CBS_len(&cbs) != 0) {
430	if (!CBS_get_u8(&cbs, &safi))	436	if (!CBS_get_u8(&cbs, &safi))
@@ -471,9 +477,7 @@ IPAddressFamily_afi_length(const IPAddressFamily af, int out_length)
471	if (!IPAddressFamily_afi(af, &afi))	477	if (!IPAddressFamily_afi(af, &afi))
472	return 0;	478	return 0;
473		479
474	*out_length = length_from_afi(afi);	480	return length_from_afi(afi, out_length);
475
476	return 1;
477	}	481	}
478		482
479	#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))	483	#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
@@ -879,16 +883,15 @@ make_addressPrefix(IPAddressOrRange *out_aor, uint8_t addr, uint32_t afi,
879	int prefix_len)	883	int prefix_len)
880	{	884	{
881	IPAddressOrRange *aor = NULL;	885	IPAddressOrRange *aor = NULL;
882	int afi_len, max_len, num_bits, num_octets;	886	int afi_len, num_bits, num_octets;
883	uint8_t unused_bits;	887	uint8_t unused_bits;
884		888
885	if (prefix_len < 0)	889	if (prefix_len < 0)
886	goto err;	890	goto err;
887		891
888	max_len = 16;	892	if (!length_from_afi(afi, &afi_len))
889	if ((afi_len = length_from_afi(afi)) > 0)	893	goto err;
890	max_len = afi_len;	894	if (prefix_len > 8 * afi_len)
891	if (prefix_len > 8 * max_len)
892	goto err;	895	goto err;
893		896
894	num_octets = (prefix_len + 7) / 8;	897	num_octets = (prefix_len + 7) / 8;
@@ -1062,11 +1065,14 @@ make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
1062	if (!CBB_init(&cbb, 0))	1065	if (!CBB_init(&cbb, 0))
1063	goto err;	1066	goto err;
1064		1067
1065	/* XXX - should afi <= 65535 and safi <= 255 be checked here? /	1068	if (afi != IANA_AFI_IPV4 && afi != IANA_AFI_IPV6)
1066		1069	goto err;
1067	if (!CBB_add_u16(&cbb, afi))	1070	if (!CBB_add_u16(&cbb, afi))
1068	goto err;	1071	goto err;
		1072
1069	if (safi != NULL) {	1073	if (safi != NULL) {
		1074	if (*safi > 255)
		1075	goto err;
1070	if (!CBB_add_u8(&cbb, *safi))	1076	if (!CBB_add_u8(&cbb, *safi))
1071	goto err;	1077	goto err;
1072	}	1078	}
@@ -1197,7 +1203,8 @@ X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi,
1197	if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL)	1203	if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL)
1198	return 0;	1204	return 0;
1199		1205
1200	length = length_from_afi(afi);	1206	if (!length_from_afi(afi, &length))
		1207	return 0;
1201		1208
1202	if (!make_addressRange(&aor, min, max, afi, length))	1209	if (!make_addressRange(&aor, min, max, afi, length))
1203	return 0;	1210	return 0;
@@ -1258,7 +1265,7 @@ X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
1258	{	1265	{
1259	int afi_len;	1266	int afi_len;
1260		1267
1261	if ((afi_len = length_from_afi(afi)) == 0)	1268	if (!length_from_afi(afi, &afi_len))
1262	return 0;	1269	return 0;
1263		1270
1264	if (length < afi_len)	1271	if (length < afi_len)
@@ -1401,7 +1408,8 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
1401	unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];	1408	unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
1402	int i, j, length;	1409	int i, j, length;
1403		1410
1404	length = length_from_afi(afi);	1411	if (!length_from_afi(afi, &length))
		1412	return 0;
1405		1413
1406	/*	1414	/*
1407	* Sort the IPAddressOrRanges sequence.	1415	* Sort the IPAddressOrRanges sequence.
@@ -1548,7 +1556,8 @@ v2i_IPAddrBlocks(const struct v3_ext_method method, struct v3_ext_ctx ctx,
1548	break;	1556	break;
1549	}	1557	}
1550		1558
1551	length = length_from_afi(afi);	1559	if (!length_from_afi(afi, &length))
		1560	goto err;
1552		1561
1553	/*	1562	/*
1554	* Handle SAFI, if any, and strdup() so we can null-terminate	1563	* Handle SAFI, if any, and strdup() so we can null-terminate
@@ -1658,7 +1667,7 @@ v2i_IPAddrBlocks(const struct v3_ext_method method, struct v3_ext_ctx ctx,
1658	X509V3_conf_err(val);	1667	X509V3_conf_err(val);
1659	goto err;	1668	goto err;
1660	}	1669	}
1661	if (memcmp(min, max, length_from_afi(afi)) > 0) {	1670	if (memcmp(min, max, length) > 0) {
1662	X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);	1671	X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1663	X509V3_conf_err(val);	1672	X509V3_conf_err(val);
1664	goto err;	1673	goto err;