summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_addr.c
diff options
context:
space:
mode:
authorjob <>2021-09-07 10:24:51 +0000
committerjob <>2021-09-07 10:24:51 +0000
commit332d783e39d5ca2e8e2567053bb948d21c726c17 (patch)
tree7e6ebe604bd9a651a41bcb4629762742384dfe26 /src/lib/libcrypto/x509/x509_addr.c
parentb5224f0b8edbb0671c0257b56baee589c711702b (diff)
downloadopenbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.tar.gz
openbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.tar.bz2
openbsd-332d783e39d5ca2e8e2567053bb948d21c726c17.zip
KNF
OK tb@ jsing@ beck@
Diffstat (limited to 'src/lib/libcrypto/x509/x509_addr.c')
-rw-r--r--src/lib/libcrypto/x509/x509_addr.c1844
1 files changed, 941 insertions, 903 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index d23981b033..1c13e361ee 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -191,7 +191,7 @@ d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len)
191} 191}
192 192
193int 193int
194i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char ** out) 194i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out)
195{ 195{
196 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(IPAddressOrRange_it))); 196 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(IPAddressOrRange_it)));
197} 197}
@@ -203,7 +203,8 @@ IPAddressOrRange_new(void)
203} 203}
204 204
205void 205void
206IPAddressOrRange_free(IPAddressOrRange *a) { 206IPAddressOrRange_free(IPAddressOrRange *a)
207{
207 ASN1_item_free((ASN1_VALUE *)a, (&(IPAddressOrRange_it))); 208 ASN1_item_free((ASN1_VALUE *)a, (&(IPAddressOrRange_it)));
208} 209}
209 210
@@ -224,7 +225,6 @@ IPAddressChoice *
224IPAddressChoice_new(void) 225IPAddressChoice_new(void)
225{ 226{
226 return (IPAddressChoice *)ASN1_item_new((&(IPAddressChoice_it))); 227 return (IPAddressChoice *)ASN1_item_new((&(IPAddressChoice_it)));
227
228} 228}
229 229
230void 230void
@@ -266,53 +266,55 @@ IPAddressFamily_free(IPAddressFamily *a)
266/* 266/*
267 * What's the address length associated with this AFI? 267 * What's the address length associated with this AFI?
268 */ 268 */
269static int length_from_afi(const unsigned afi) 269static int
270length_from_afi(const unsigned afi)
270{ 271{
271 switch (afi) { 272 switch (afi) {
272 case IANA_AFI_IPV4: 273 case IANA_AFI_IPV4:
273 return 4; 274 return 4;
274 case IANA_AFI_IPV6: 275 case IANA_AFI_IPV6:
275 return 16; 276 return 16;
276 default: 277 default:
277 return 0; 278 return 0;
278 } 279 }
279} 280}
280 281
281/* 282/*
282 * Extract the AFI from an IPAddressFamily. 283 * Extract the AFI from an IPAddressFamily.
283 */ 284 */
284unsigned int X509v3_addr_get_afi(const IPAddressFamily *f) 285unsigned int
286X509v3_addr_get_afi(const IPAddressFamily *f)
285{ 287{
286 if (f == NULL 288 if (f == NULL ||
287 || f->addressFamily == NULL 289 f->addressFamily == NULL ||
288 || f->addressFamily->data == NULL 290 f->addressFamily->data == NULL ||
289 || f->addressFamily->length < 2) 291 f->addressFamily->length < 2)
290 return 0; 292 return 0;
291 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; 293 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
292} 294}
293 295
294/* 296/*
295 * Expand the bitstring form of an address into a raw byte array. 297 * Expand the bitstring form of an address into a raw byte array.
296 * At the moment this is coded for simplicity, not speed. 298 * At the moment this is coded for simplicity, not speed.
297 */ 299 */
298static int addr_expand(unsigned char *addr, 300static int
299 const ASN1_BIT_STRING *bs, 301addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length,
300 const int length, const unsigned char fill) 302 const unsigned char fill)
301{ 303{
302 if (bs->length < 0 || bs->length > length) 304 if (bs->length < 0 || bs->length > length)
303 return 0; 305 return 0;
304 if (bs->length > 0) { 306 if (bs->length > 0) {
305 memcpy(addr, bs->data, bs->length); 307 memcpy(addr, bs->data, bs->length);
306 if ((bs->flags & 7) != 0) { 308 if ((bs->flags & 7) != 0) {
307 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 309 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
308 if (fill == 0) 310 if (fill == 0)
309 addr[bs->length - 1] &= ~mask; 311 addr[bs->length - 1] &= ~mask;
310 else 312 else
311 addr[bs->length - 1] |= mask; 313 addr[bs->length - 1] |= mask;
312 } 314 }
313 } 315 }
314 memset(addr + bs->length, fill, length - bs->length); 316 memset(addr + bs->length, fill, length - bs->length);
315 return 1; 317 return 1;
316} 318}
317 319
318/* 320/*
@@ -323,143 +325,149 @@ static int addr_expand(unsigned char *addr,
323/* 325/*
324 * i2r handler for one address bitstring. 326 * i2r handler for one address bitstring.
325 */ 327 */
326static int i2r_address(BIO *out, 328static int
327 const unsigned afi, 329i2r_address(BIO *out, const unsigned afi, const unsigned char fill,
328 const unsigned char fill, const ASN1_BIT_STRING *bs) 330 const ASN1_BIT_STRING *bs)
329{ 331{
330 unsigned char addr[ADDR_RAW_BUF_LEN]; 332 unsigned char addr[ADDR_RAW_BUF_LEN];
331 int i, n; 333 int i, n;
332 334
333 if (bs->length < 0) 335 if (bs->length < 0)
334 return 0; 336 return 0;
335 switch (afi) { 337 switch (afi) {
336 case IANA_AFI_IPV4: 338 case IANA_AFI_IPV4:
337 if (!addr_expand(addr, bs, 4, fill)) 339 if (!addr_expand(addr, bs, 4, fill))
338 return 0; 340 return 0;
339 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 341 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2],
340 break; 342 addr[3]);
341 case IANA_AFI_IPV6: 343 break;
342 if (!addr_expand(addr, bs, 16, fill)) 344 case IANA_AFI_IPV6:
343 return 0; 345 if (!addr_expand(addr, bs, 16, fill))
344 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; 346 return 0;
345 n -= 2) ; 347 for (n = 16;
346 for (i = 0; i < n; i += 2) 348 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2)
347 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 349 ;
348 (i < 14 ? ":" : "")); 350 for (i = 0; i < n; i += 2)
349 if (i < 16) 351 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
350 BIO_puts(out, ":"); 352 (i < 14 ? ":" : ""));
351 if (i == 0) 353 if (i < 16)
352 BIO_puts(out, ":"); 354 BIO_puts(out, ":");
353 break; 355 if (i == 0)
354 default: 356 BIO_puts(out, ":");
355 for (i = 0; i < bs->length; i++) 357 break;
356 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); 358 default:
357 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 359 for (i = 0; i < bs->length; i++)
358 break; 360 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""),
359 } 361 bs->data[i]);
360 return 1; 362 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
363 break;
364 }
365 return 1;
361} 366}
362 367
363/* 368/*
364 * i2r handler for a sequence of addresses and ranges. 369 * i2r handler for a sequence of addresses and ranges.
365 */ 370 */
366static int i2r_IPAddressOrRanges(BIO *out, 371static int
367 const int indent, 372i2r_IPAddressOrRanges(BIO *out, const int indent,
368 const IPAddressOrRanges *aors, 373 const IPAddressOrRanges *aors, const unsigned afi)
369 const unsigned afi)
370{ 374{
371 int i; 375 int i;
372 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 376 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
373 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 377 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
374 BIO_printf(out, "%*s", indent, ""); 378 BIO_printf(out, "%*s", indent, "");
375 switch (aor->type) { 379 switch (aor->type) {
376 case IPAddressOrRange_addressPrefix: 380 case IPAddressOrRange_addressPrefix:
377 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 381 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
378 return 0; 382 return 0;
379 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); 383 BIO_printf(out, "/%d\n",
380 continue; 384 addr_prefixlen(aor->u.addressPrefix));
381 case IPAddressOrRange_addressRange: 385 continue;
382 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) 386 case IPAddressOrRange_addressRange:
383 return 0; 387 if (!i2r_address(out, afi, 0x00,
384 BIO_puts(out, "-"); 388 aor->u.addressRange->min))
385 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) 389 return 0;
386 return 0; 390 BIO_puts(out, "-");
387 BIO_puts(out, "\n"); 391 if (!i2r_address(out, afi, 0xFF,
388 continue; 392 aor->u.addressRange->max))
389 } 393 return 0;
390 } 394 BIO_puts(out, "\n");
391 return 1; 395 continue;
396 }
397 }
398 return 1;
392} 399}
393 400
394/* 401/*
395 * i2r handler for an IPAddrBlocks extension. 402 * i2r handler for an IPAddrBlocks extension.
396 */ 403 */
397static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, 404static int
398 void *ext, BIO *out, int indent) 405i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
406 int indent)
399{ 407{
400 const IPAddrBlocks *addr = ext; 408 const IPAddrBlocks *addr = ext;
401 int i; 409 int i;
402 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 410 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
403 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 411 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
404 const unsigned int afi = X509v3_addr_get_afi(f); 412 const unsigned int afi = X509v3_addr_get_afi(f);
405 switch (afi) { 413 switch (afi) {
406 case IANA_AFI_IPV4: 414 case IANA_AFI_IPV4:
407 BIO_printf(out, "%*sIPv4", indent, ""); 415 BIO_printf(out, "%*sIPv4", indent, "");
408 break; 416 break;
409 case IANA_AFI_IPV6: 417 case IANA_AFI_IPV6:
410 BIO_printf(out, "%*sIPv6", indent, ""); 418 BIO_printf(out, "%*sIPv6", indent, "");
411 break; 419 break;
412 default: 420 default:
413 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 421 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
414 break; 422 break;
415 } 423 }
416 if (f->addressFamily->length > 2) { 424 if (f->addressFamily->length > 2) {
417 switch (f->addressFamily->data[2]) { 425 switch (f->addressFamily->data[2]) {
418 case 1: 426 case 1:
419 BIO_puts(out, " (Unicast)"); 427 BIO_puts(out, " (Unicast)");
420 break; 428 break;
421 case 2: 429 case 2:
422 BIO_puts(out, " (Multicast)"); 430 BIO_puts(out, " (Multicast)");
423 break; 431 break;
424 case 3: 432 case 3:
425 BIO_puts(out, " (Unicast/Multicast)"); 433 BIO_puts(out, " (Unicast/Multicast)");
426 break; 434 break;
427 case 4: 435 case 4:
428 BIO_puts(out, " (MPLS)"); 436 BIO_puts(out, " (MPLS)");
429 break; 437 break;
430 case 64: 438 case 64:
431 BIO_puts(out, " (Tunnel)"); 439 BIO_puts(out, " (Tunnel)");
432 break; 440 break;
433 case 65: 441 case 65:
434 BIO_puts(out, " (VPLS)"); 442 BIO_puts(out, " (VPLS)");
435 break; 443 break;
436 case 66: 444 case 66:
437 BIO_puts(out, " (BGP MDT)"); 445 BIO_puts(out, " (BGP MDT)");
438 break; 446 break;
439 case 128: 447 case 128:
440 BIO_puts(out, " (MPLS-labeled VPN)"); 448 BIO_puts(out, " (MPLS-labeled VPN)");
441 break; 449 break;
442 default: 450 default:
443 BIO_printf(out, " (Unknown SAFI %u)", 451 BIO_printf(out, " (Unknown SAFI %u)",
444 (unsigned)f->addressFamily->data[2]); 452 (unsigned)f->addressFamily->data[2]);
445 break; 453 break;
446 } 454 }
447 } 455 }
448 switch (f->ipAddressChoice->type) { 456 switch (f->ipAddressChoice->type) {
449 case IPAddressChoice_inherit: 457 case IPAddressChoice_inherit:
450 BIO_puts(out, ": inherit\n"); 458 BIO_puts(out, ": inherit\n");
451 break; 459 break;
452 case IPAddressChoice_addressesOrRanges: 460 case IPAddressChoice_addressesOrRanges:
453 BIO_puts(out, ":\n"); 461 BIO_puts(out, ":\n");
454 if (!i2r_IPAddressOrRanges(out, 462 if (!i2r_IPAddressOrRanges(out,
455 indent + 2, 463 indent + 2,
456 f->ipAddressChoice-> 464 f->ipAddressChoice->
457 u.addressesOrRanges, afi)) 465 u.addressesOrRanges, afi))
458 return 0; 466 return 0;
459 break; 467 break;
460 } 468 }
461 } 469 }
462 return 1; 470 return 1;
463} 471}
464 472
465/* 473/*
@@ -472,145 +480,152 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
472 * function returns -1. If this messes up your preferred sort order 480 * function returns -1. If this messes up your preferred sort order
473 * for garbage input, tough noogies. 481 * for garbage input, tough noogies.
474 */ 482 */
475static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 483static int
476 const IPAddressOrRange *b, const int length) 484IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b,
485 const int length)
477{ 486{
478 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 487 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
479 int prefixlen_a = 0, prefixlen_b = 0; 488 int prefixlen_a = 0, prefixlen_b = 0;
480 int r; 489 int r;
481 490
482 switch (a->type) { 491 switch (a->type) {
483 case IPAddressOrRange_addressPrefix: 492 case IPAddressOrRange_addressPrefix:
484 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 493 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
485 return -1; 494 return -1;
486 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 495 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
487 break; 496 break;
488 case IPAddressOrRange_addressRange: 497 case IPAddressOrRange_addressRange:
489 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 498 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
490 return -1; 499 return -1;
491 prefixlen_a = length * 8; 500 prefixlen_a = length * 8;
492 break; 501 break;
493 } 502 }
494 503
495 switch (b->type) { 504 switch (b->type) {
496 case IPAddressOrRange_addressPrefix: 505 case IPAddressOrRange_addressPrefix:
497 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 506 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
498 return -1; 507 return -1;
499 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 508 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
500 break; 509 break;
501 case IPAddressOrRange_addressRange: 510 case IPAddressOrRange_addressRange:
502 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 511 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
503 return -1; 512 return -1;
504 prefixlen_b = length * 8; 513 prefixlen_b = length * 8;
505 break; 514 break;
506 } 515 }
507 516
508 if ((r = memcmp(addr_a, addr_b, length)) != 0) 517 if ((r = memcmp(addr_a, addr_b, length)) != 0)
509 return r; 518 return r;
510 else 519 else
511 return prefixlen_a - prefixlen_b; 520 return prefixlen_a - prefixlen_b;
512} 521}
513 522
514/* 523/*
515 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 524 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
516 * comparison routines are only allowed two arguments. 525 * comparison routines are only allowed two arguments.
517 */ 526 */
518static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 527static int
519 const IPAddressOrRange *const *b) 528v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
529 const IPAddressOrRange *const *b)
520{ 530{
521 return IPAddressOrRange_cmp(*a, *b, 4); 531 return IPAddressOrRange_cmp(*a, *b, 4);
522} 532}
523 533
524/* 534/*
525 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 535 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
526 * comparison routines are only allowed two arguments. 536 * comparison routines are only allowed two arguments.
527 */ 537 */
528static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 538static int
529 const IPAddressOrRange *const *b) 539v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
540 const IPAddressOrRange *const *b)
530{ 541{
531 return IPAddressOrRange_cmp(*a, *b, 16); 542 return IPAddressOrRange_cmp(*a, *b, 16);
532} 543}
533 544
534/* 545/*
535 * Calculate whether a range collapses to a prefix. 546 * Calculate whether a range collapses to a prefix.
536 * See last paragraph of RFC 3779 2.2.3.7. 547 * See last paragraph of RFC 3779 2.2.3.7.
537 */ 548 */
538static int range_should_be_prefix(const unsigned char *min, 549static int
539 const unsigned char *max, const int length) 550range_should_be_prefix(const unsigned char *min, const unsigned char *max,
551 const int length)
540{ 552{
541 unsigned char mask; 553 unsigned char mask;
542 int i, j; 554 int i, j;
543 555
544 if (memcmp(min, max, length) <= 0) 556 if (memcmp(min, max, length) <= 0)
545 return -1; 557 return -1;
546 for (i = 0; i < length && min[i] == max[i]; i++) ; 558 for (i = 0; i < length && min[i] == max[i]; i++)
547 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; 559 ;
548 if (i < j) 560 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
549 return -1; 561 ;
550 if (i > j) 562 if (i < j)
551 return i * 8; 563 return -1;
552 mask = min[i] ^ max[i]; 564 if (i > j)
553 switch (mask) { 565 return i * 8;
554 case 0x01: 566 mask = min[i] ^ max[i];
555 j = 7; 567 switch (mask) {
556 break; 568 case 0x01:
557 case 0x03: 569 j = 7;
558 j = 6; 570 break;
559 break; 571 case 0x03:
560 case 0x07: 572 j = 6;
561 j = 5; 573 break;
562 break; 574 case 0x07:
563 case 0x0F: 575 j = 5;
564 j = 4; 576 break;
565 break; 577 case 0x0F:
566 case 0x1F: 578 j = 4;
567 j = 3; 579 break;
568 break; 580 case 0x1F:
569 case 0x3F: 581 j = 3;
570 j = 2; 582 break;
571 break; 583 case 0x3F:
572 case 0x7F: 584 j = 2;
573 j = 1; 585 break;
574 break; 586 case 0x7F:
575 default: 587 j = 1;
576 return -1; 588 break;
577 } 589 default:
578 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 590 return -1;
579 return -1; 591 }
580 else 592 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
581 return i * 8 + j; 593 return -1;
594 else
595 return i * 8 + j;
582} 596}
583 597
584/* 598/*
585 * Construct a prefix. 599 * Construct a prefix.
586 */ 600 */
587static int make_addressPrefix(IPAddressOrRange **result, 601static int
588 unsigned char *addr, const int prefixlen) 602make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
603 const int prefixlen)
589{ 604{
590 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 605 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
591 IPAddressOrRange *aor = IPAddressOrRange_new(); 606 IPAddressOrRange *aor = IPAddressOrRange_new();
592 607
593 if (aor == NULL) 608 if (aor == NULL)
594 return 0; 609 return 0;
595 aor->type = IPAddressOrRange_addressPrefix; 610 aor->type = IPAddressOrRange_addressPrefix;
596 if (aor->u.addressPrefix == NULL && 611 if (aor->u.addressPrefix == NULL &&
597 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 612 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
598 goto err; 613 goto err;
599 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 614 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
600 goto err; 615 goto err;
601 aor->u.addressPrefix->flags &= ~7; 616 aor->u.addressPrefix->flags &= ~7;
602 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 617 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
603 if (bitlen > 0) { 618 if (bitlen > 0) {
604 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 619 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
605 aor->u.addressPrefix->flags |= 8 - bitlen; 620 aor->u.addressPrefix->flags |= 8 - bitlen;
606 } 621 }
607 622
608 *result = aor; 623 *result = aor;
609 return 1; 624 return 1;
610 625
611 err: 626err:
612 IPAddressOrRange_free(aor); 627 IPAddressOrRange_free(aor);
613 return 0; 628 return 0;
614} 629}
615 630
616/* 631/*
@@ -618,241 +633,245 @@ static int make_addressPrefix(IPAddressOrRange **result,
618 * return a prefix instead. Doing this here simplifies 633 * return a prefix instead. Doing this here simplifies
619 * the rest of the code considerably. 634 * the rest of the code considerably.
620 */ 635 */
621static int make_addressRange(IPAddressOrRange **result, 636static int
622 unsigned char *min, 637make_addressRange(IPAddressOrRange **result, unsigned char *min,
623 unsigned char *max, const int length) 638 unsigned char *max, const int length)
624{ 639{
625 IPAddressOrRange *aor; 640 IPAddressOrRange *aor;
626 int i, prefixlen; 641 int i, prefixlen;
627 642
628 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 643 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
629 return make_addressPrefix(result, min, prefixlen); 644 return make_addressPrefix(result, min, prefixlen);
630 645
631 if ((aor = IPAddressOrRange_new()) == NULL) 646 if ((aor = IPAddressOrRange_new()) == NULL)
632 return 0; 647 return 0;
633 aor->type = IPAddressOrRange_addressRange; 648 aor->type = IPAddressOrRange_addressRange;
634 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 649 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
635 goto err; 650 goto err;
636 if (aor->u.addressRange->min == NULL && 651 if (aor->u.addressRange->min == NULL &&
637 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 652 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
638 goto err; 653 goto err;
639 if (aor->u.addressRange->max == NULL && 654 if (aor->u.addressRange->max == NULL &&
640 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 655 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
641 goto err; 656 goto err;
642 657
643 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ; 658 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
644 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 659 ;
645 goto err; 660 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
646 aor->u.addressRange->min->flags &= ~7; 661 goto err;
647 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 662 aor->u.addressRange->min->flags &= ~7;
648 if (i > 0) { 663 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
649 unsigned char b = min[i - 1]; 664 if (i > 0) {
650 int j = 1; 665 unsigned char b = min[i - 1];
651 while ((b & (0xFFU >> j)) != 0) 666 int j = 1;
652 ++j; 667 while ((b & (0xFFU >> j)) != 0)
653 aor->u.addressRange->min->flags |= 8 - j; 668 ++j;
654 } 669 aor->u.addressRange->min->flags |= 8 - j;
655 670 }
656 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ; 671
657 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 672 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
658 goto err; 673 ;
659 aor->u.addressRange->max->flags &= ~7; 674 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
660 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 675 goto err;
661 if (i > 0) { 676 aor->u.addressRange->max->flags &= ~7;
662 unsigned char b = max[i - 1]; 677 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
663 int j = 1; 678 if (i > 0) {
664 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 679 unsigned char b = max[i - 1];
665 ++j; 680 int j = 1;
666 aor->u.addressRange->max->flags |= 8 - j; 681 while ((b & (0xFFU >> j)) != (0xFFU >> j))
667 } 682 ++j;
668 683 aor->u.addressRange->max->flags |= 8 - j;
669 *result = aor; 684 }
670 return 1; 685
671 686 *result = aor;
672 err: 687 return 1;
673 IPAddressOrRange_free(aor); 688
674 return 0; 689err:
690 IPAddressOrRange_free(aor);
691 return 0;
675} 692}
676 693
677/* 694/*
678 * Construct a new address family or find an existing one. 695 * Construct a new address family or find an existing one.
679 */ 696 */
680static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 697static IPAddressFamily *
681 const unsigned afi, 698make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
682 const unsigned *safi) 699 const unsigned *safi)
683{ 700{
684 IPAddressFamily *f; 701 IPAddressFamily *f;
685 unsigned char key[3]; 702 unsigned char key[3];
686 int keylen; 703 int keylen;
687 int i; 704 int i;
688 705
689 key[0] = (afi >> 8) & 0xFF; 706 key[0] = (afi >> 8) & 0xFF;
690 key[1] = afi & 0xFF; 707 key[1] = afi & 0xFF;
691 if (safi != NULL) { 708 if (safi != NULL) {
692 key[2] = *safi & 0xFF; 709 key[2] = *safi & 0xFF;
693 keylen = 3; 710 keylen = 3;
694 } else { 711 } else {
695 keylen = 2; 712 keylen = 2;
696 } 713 }
697 714
698 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 715 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
699 f = sk_IPAddressFamily_value(addr, i); 716 f = sk_IPAddressFamily_value(addr, i);
700 if (f->addressFamily->length == keylen && 717 if (f->addressFamily->length == keylen &&
701 !memcmp(f->addressFamily->data, key, keylen)) 718 !memcmp(f->addressFamily->data, key, keylen))
702 return f; 719 return f;
703 } 720 }
704 721
705 if ((f = IPAddressFamily_new()) == NULL) 722 if ((f = IPAddressFamily_new()) == NULL)
706 goto err; 723 goto err;
707 if (f->ipAddressChoice == NULL && 724 if (f->ipAddressChoice == NULL &&
708 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 725 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
709 goto err; 726 goto err;
710 if (f->addressFamily == NULL && 727 if (f->addressFamily == NULL &&
711 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 728 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
712 goto err; 729 goto err;
713 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 730 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
714 goto err; 731 goto err;
715 if (!sk_IPAddressFamily_push(addr, f)) 732 if (!sk_IPAddressFamily_push(addr, f))
716 goto err; 733 goto err;
717 734
718 return f; 735 return f;
719 736
720 err: 737err:
721 IPAddressFamily_free(f); 738 IPAddressFamily_free(f);
722 return NULL; 739 return NULL;
723} 740}
724 741
725/* 742/*
726 * Add an inheritance element. 743 * Add an inheritance element.
727 */ 744 */
728int X509v3_addr_add_inherit(IPAddrBlocks *addr, 745int
729 const unsigned afi, const unsigned *safi) 746X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
747 const unsigned *safi)
730{ 748{
731 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 749 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
732 if (f == NULL || 750 if (f == NULL ||
733 f->ipAddressChoice == NULL || 751 f->ipAddressChoice == NULL ||
734 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 752 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
735 f->ipAddressChoice->u.addressesOrRanges != NULL)) 753 f->ipAddressChoice->u.addressesOrRanges != NULL))
736 return 0; 754 return 0;
737 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 755 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
738 f->ipAddressChoice->u.inherit != NULL) 756 f->ipAddressChoice->u.inherit != NULL)
739 return 1; 757 return 1;
740 if (f->ipAddressChoice->u.inherit == NULL && 758 if (f->ipAddressChoice->u.inherit == NULL &&
741 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 759 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
742 return 0; 760 return 0;
743 f->ipAddressChoice->type = IPAddressChoice_inherit; 761 f->ipAddressChoice->type = IPAddressChoice_inherit;
744 return 1; 762 return 1;
745} 763}
746 764
747/* 765/*
748 * Construct an IPAddressOrRange sequence, or return an existing one. 766 * Construct an IPAddressOrRange sequence, or return an existing one.
749 */ 767 */
750static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, 768static IPAddressOrRanges *
751 const unsigned afi, 769make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
752 const unsigned *safi) 770 const unsigned *safi)
753{ 771{
754 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 772 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
755 IPAddressOrRanges *aors = NULL; 773 IPAddressOrRanges *aors = NULL;
756 774
757 if (f == NULL || 775 if (f == NULL ||
758 f->ipAddressChoice == NULL || 776 f->ipAddressChoice == NULL ||
759 (f->ipAddressChoice->type == IPAddressChoice_inherit && 777 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
760 f->ipAddressChoice->u.inherit != NULL)) 778 f->ipAddressChoice->u.inherit != NULL))
761 return NULL; 779 return NULL;
762 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 780 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
763 aors = f->ipAddressChoice->u.addressesOrRanges; 781 aors = f->ipAddressChoice->u.addressesOrRanges;
764 if (aors != NULL) 782 if (aors != NULL)
765 return aors; 783 return aors;
766 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 784 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
767 return NULL; 785 return NULL;
768 switch (afi) { 786 switch (afi) {
769 case IANA_AFI_IPV4: 787 case IANA_AFI_IPV4:
770 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 788 (void)sk_IPAddressOrRange_set_cmp_func(aors,
771 break; 789 v4IPAddressOrRange_cmp);
772 case IANA_AFI_IPV6: 790 break;
773 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 791 case IANA_AFI_IPV6:
774 break; 792 (void)sk_IPAddressOrRange_set_cmp_func(aors,
775 } 793 v6IPAddressOrRange_cmp);
776 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 794 break;
777 f->ipAddressChoice->u.addressesOrRanges = aors; 795 }
778 return aors; 796 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
797 f->ipAddressChoice->u.addressesOrRanges = aors;
798 return aors;
779} 799}
780 800
781/* 801/*
782 * Add a prefix. 802 * Add a prefix.
783 */ 803 */
784int X509v3_addr_add_prefix(IPAddrBlocks *addr, 804int
785 const unsigned afi, 805X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi,
786 const unsigned *safi, 806 const unsigned *safi, unsigned char *a, const int prefixlen)
787 unsigned char *a, const int prefixlen)
788{ 807{
789 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 808 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
790 IPAddressOrRange *aor; 809 IPAddressOrRange *aor;
791 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 810 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
792 return 0; 811 return 0;
793 if (sk_IPAddressOrRange_push(aors, aor)) 812 if (sk_IPAddressOrRange_push(aors, aor))
794 return 1; 813 return 1;
795 IPAddressOrRange_free(aor); 814 IPAddressOrRange_free(aor);
796 return 0; 815 return 0;
797} 816}
798 817
799/* 818/*
800 * Add a range. 819 * Add a range.
801 */ 820 */
802int X509v3_addr_add_range(IPAddrBlocks *addr, 821int
803 const unsigned afi, 822X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi,
804 const unsigned *safi, 823 const unsigned *safi, unsigned char *min, unsigned char *max)
805 unsigned char *min, unsigned char *max)
806{ 824{
807 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 825 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
808 IPAddressOrRange *aor; 826 IPAddressOrRange *aor;
809 int length = length_from_afi(afi); 827 int length = length_from_afi(afi);
810 if (aors == NULL) 828 if (aors == NULL)
811 return 0; 829 return 0;
812 if (!make_addressRange(&aor, min, max, length)) 830 if (!make_addressRange(&aor, min, max, length))
813 return 0; 831 return 0;
814 if (sk_IPAddressOrRange_push(aors, aor)) 832 if (sk_IPAddressOrRange_push(aors, aor))
815 return 1; 833 return 1;
816 IPAddressOrRange_free(aor); 834 IPAddressOrRange_free(aor);
817 return 0; 835 return 0;
818} 836}
819 837
820/* 838/*
821 * Extract min and max values from an IPAddressOrRange. 839 * Extract min and max values from an IPAddressOrRange.
822 */ 840 */
823static int extract_min_max(IPAddressOrRange *aor, 841static int
824 unsigned char *min, unsigned char *max, int length) 842extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max,
843 int length)
825{ 844{
826 if (aor == NULL || min == NULL || max == NULL) 845 if (aor == NULL || min == NULL || max == NULL)
827 return 0; 846 return 0;
828 switch (aor->type) { 847 switch (aor->type) {
829 case IPAddressOrRange_addressPrefix: 848 case IPAddressOrRange_addressPrefix:
830 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 849 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
831 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 850 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
832 case IPAddressOrRange_addressRange: 851 case IPAddressOrRange_addressRange:
833 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && 852 return (addr_expand(min, aor->u.addressRange->min, length,
834 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 853 0x00) &&
835 } 854 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
836 return 0; 855 }
856 return 0;
837} 857}
838 858
839/* 859/*
840 * Public wrapper for extract_min_max(). 860 * Public wrapper for extract_min_max().
841 */ 861 */
842int X509v3_addr_get_range(IPAddressOrRange *aor, 862int
843 const unsigned afi, 863X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
844 unsigned char *min, 864 unsigned char *min, unsigned char *max, const int length)
845 unsigned char *max, const int length)
846{ 865{
847 int afi_length = length_from_afi(afi); 866 int afi_length = length_from_afi(afi);
848 if (aor == NULL || min == NULL || max == NULL || 867 if (aor == NULL || min == NULL || max == NULL ||
849 afi_length == 0 || length < afi_length || 868 afi_length == 0 || length < afi_length ||
850 (aor->type != IPAddressOrRange_addressPrefix && 869 (aor->type != IPAddressOrRange_addressPrefix &&
851 aor->type != IPAddressOrRange_addressRange) || 870 aor->type != IPAddressOrRange_addressRange) ||
852 !extract_min_max(aor, min, max, afi_length)) 871 !extract_min_max(aor, min, max, afi_length))
853 return 0; 872 return 0;
854 873
855 return afi_length; 874 return afi_length;
856} 875}
857 876
858/* 877/*
@@ -865,479 +884,492 @@ int X509v3_addr_get_range(IPAddressOrRange *aor,
865 * null-SAFI rule to apply only within a single AFI, which is what I 884 * null-SAFI rule to apply only within a single AFI, which is what I
866 * would have expected and is what the following code implements. 885 * would have expected and is what the following code implements.
867 */ 886 */
868static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, 887static int
869 const IPAddressFamily *const *b_) 888IPAddressFamily_cmp(const IPAddressFamily *const *a_,
889 const IPAddressFamily *const *b_)
870{ 890{
871 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 891 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
872 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 892 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
873 int len = ((a->length <= b->length) ? a->length : b->length); 893 int len = ((a->length <= b->length) ? a->length : b->length);
874 int cmp = memcmp(a->data, b->data, len); 894 int cmp = memcmp(a->data, b->data, len);
875 return cmp ? cmp : a->length - b->length; 895 return cmp ? cmp : a->length - b->length;
876} 896}
877 897
878/* 898/*
879 * Check whether an IPAddrBLocks is in canonical form. 899 * Check whether an IPAddrBLocks is in canonical form.
880 */ 900 */
881int X509v3_addr_is_canonical(IPAddrBlocks *addr) 901int
902X509v3_addr_is_canonical(IPAddrBlocks *addr)
882{ 903{
883 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 904 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
884 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 905 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
885 IPAddressOrRanges *aors; 906 IPAddressOrRanges *aors;
886 int i, j, k; 907 int i, j, k;
887 908
888 /* 909 /*
889 * Empty extension is canonical. 910 * Empty extension is canonical.
890 */ 911 */
891 if (addr == NULL) 912 if (addr == NULL)
892 return 1; 913 return 1;
893 914
894 /* 915 /*
895 * Check whether the top-level list is in order. 916 * Check whether the top-level list is in order.
896 */ 917 */
897 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 918 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
898 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 919 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
899 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 920 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
900 if (IPAddressFamily_cmp(&a, &b) >= 0) 921 if (IPAddressFamily_cmp(&a, &b) >= 0)
901 return 0; 922 return 0;
902 } 923 }
903 924
904 /* 925 /*
905 * Top level's ok, now check each address family. 926 * Top level's ok, now check each address family.
906 */ 927 */
907 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 928 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
908 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 929 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
909 int length = length_from_afi(X509v3_addr_get_afi(f)); 930 int length = length_from_afi(X509v3_addr_get_afi(f));
910 931
911 /* 932 /*
912 * Inheritance is canonical. Anything other than inheritance or 933 * Inheritance is canonical. Anything other than inheritance or
913 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. 934 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
914 */ 935 */
915 if (f == NULL || f->ipAddressChoice == NULL) 936 if (f == NULL || f->ipAddressChoice == NULL)
916 return 0; 937 return 0;
917 switch (f->ipAddressChoice->type) { 938 switch (f->ipAddressChoice->type) {
918 case IPAddressChoice_inherit: 939 case IPAddressChoice_inherit:
919 continue; 940 continue;
920 case IPAddressChoice_addressesOrRanges: 941 case IPAddressChoice_addressesOrRanges:
921 break; 942 break;
922 default: 943 default:
923 return 0; 944 return 0;
924 } 945 }
925 946
926 /* 947 /*
927 * It's an IPAddressOrRanges sequence, check it. 948 * It's an IPAddressOrRanges sequence, check it.
928 */ 949 */
929 aors = f->ipAddressChoice->u.addressesOrRanges; 950 aors = f->ipAddressChoice->u.addressesOrRanges;
930 if (sk_IPAddressOrRange_num(aors) == 0) 951 if (sk_IPAddressOrRange_num(aors) == 0)
931 return 0; 952 return 0;
932 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 953 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
933 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 954 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
934 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 955 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors,
935 956 j + 1);
936 if (!extract_min_max(a, a_min, a_max, length) || 957
937 !extract_min_max(b, b_min, b_max, length)) 958 if (!extract_min_max(a, a_min, a_max, length) ||
938 return 0; 959 !extract_min_max(b, b_min, b_max, length))
960 return 0;
939 961
940 /* 962 /*
941 * Punt misordered list, overlapping start, or inverted range. 963 * Punt misordered list, overlapping start, or inverted range.
942 */ 964 */
943 if (memcmp(a_min, b_min, length) >= 0 || 965 if (memcmp(a_min, b_min, length) >= 0 ||
944 memcmp(a_min, a_max, length) > 0 || 966 memcmp(a_min, a_max, length) > 0 ||
945 memcmp(b_min, b_max, length) > 0) 967 memcmp(b_min, b_max, length) > 0)
946 return 0; 968 return 0;
947 969
948 /* 970 /*
949 * Punt if adjacent or overlapping. Check for adjacency by 971 * Punt if adjacent or overlapping. Check for adjacency by
950 * subtracting one from b_min first. 972 * subtracting one from b_min first.
951 */ 973 */
952 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ; 974 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
953 if (memcmp(a_max, b_min, length) >= 0) 975 ;
954 return 0; 976 if (memcmp(a_max, b_min, length) >= 0)
977 return 0;
955 978
956 /* 979 /*
957 * Check for range that should be expressed as a prefix. 980 * Check for range that should be expressed as a prefix.
958 */ 981 */
959 if (a->type == IPAddressOrRange_addressRange && 982 if (a->type == IPAddressOrRange_addressRange &&
960 range_should_be_prefix(a_min, a_max, length) >= 0) 983 range_should_be_prefix(a_min, a_max, length) >= 0)
961 return 0; 984 return 0;
962 } 985 }
963 986
964 /* 987 /*
965 * Check range to see if it's inverted or should be a 988 * Check range to see if it's inverted or should be a
966 * prefix. 989 * prefix.
967 */ 990 */
968 j = sk_IPAddressOrRange_num(aors) - 1; 991 j = sk_IPAddressOrRange_num(aors) - 1;
969 { 992 {
970 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 993 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
971 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 994 if (a != NULL &&
972 if (!extract_min_max(a, a_min, a_max, length)) 995 a->type == IPAddressOrRange_addressRange) {
973 return 0; 996 if (!extract_min_max(a, a_min, a_max, length))
974 if (memcmp(a_min, a_max, length) > 0 || 997 return 0;
975 range_should_be_prefix(a_min, a_max, length) >= 0) 998 if (memcmp(a_min, a_max, length) > 0 ||
976 return 0; 999 range_should_be_prefix(a_min, a_max,
977 } 1000 length) >= 0)
978 } 1001 return 0;
979 } 1002 }
1003 }
1004 }
980 1005
981 /* 1006 /*
982 * If we made it through all that, we're happy. 1007 * If we made it through all that, we're happy.
983 */ 1008 */
984 return 1; 1009 return 1;
985} 1010}
986 1011
987/* 1012/*
988 * Whack an IPAddressOrRanges into canonical form. 1013 * Whack an IPAddressOrRanges into canonical form.
989 */ 1014 */
990static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, 1015static int
991 const unsigned afi) 1016IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
992{ 1017{
993 int i, j, length = length_from_afi(afi); 1018 int i, j, length = length_from_afi(afi);
994 1019
995 /* 1020 /*
996 * Sort the IPAddressOrRanges sequence. 1021 * Sort the IPAddressOrRanges sequence.
997 */ 1022 */
998 sk_IPAddressOrRange_sort(aors); 1023 sk_IPAddressOrRange_sort(aors);
999 1024
1000 /* 1025 /*
1001 * Clean up representation issues, punt on duplicates or overlaps. 1026 * Clean up representation issues, punt on duplicates or overlaps.
1002 */ 1027 */
1003 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 1028 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
1004 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 1029 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
1005 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 1030 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
1006 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1031 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
1007 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1032 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
1008 1033
1009 if (!extract_min_max(a, a_min, a_max, length) || 1034 if (!extract_min_max(a, a_min, a_max, length) ||
1010 !extract_min_max(b, b_min, b_max, length)) 1035 !extract_min_max(b, b_min, b_max, length))
1011 return 0; 1036 return 0;
1012 1037
1013 /* 1038 /*
1014 * Punt inverted ranges. 1039 * Punt inverted ranges.
1015 */ 1040 */
1016 if (memcmp(a_min, a_max, length) > 0 || 1041 if (memcmp(a_min, a_max, length) > 0 ||
1017 memcmp(b_min, b_max, length) > 0) 1042 memcmp(b_min, b_max, length) > 0)
1018 return 0; 1043 return 0;
1019 1044
1020 /* 1045 /*
1021 * Punt overlaps. 1046 * Punt overlaps.
1022 */ 1047 */
1023 if (memcmp(a_max, b_min, length) >= 0) 1048 if (memcmp(a_max, b_min, length) >= 0)
1024 return 0; 1049 return 0;
1025 1050
1026 /* 1051 /*
1027 * Merge if a and b are adjacent. We check for 1052 * Merge if a and b are adjacent. We check for
1028 * adjacency by subtracting one from b_min first. 1053 * adjacency by subtracting one from b_min first.
1029 */ 1054 */
1030 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ; 1055 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
1031 if (memcmp(a_max, b_min, length) == 0) { 1056 ;
1032 IPAddressOrRange *merged; 1057 if (memcmp(a_max, b_min, length) == 0) {
1033 if (!make_addressRange(&merged, a_min, b_max, length)) 1058 IPAddressOrRange *merged;
1034 return 0; 1059 if (!make_addressRange(&merged, a_min, b_max, length))
1035 (void)sk_IPAddressOrRange_set(aors, i, merged); 1060 return 0;
1036 (void)sk_IPAddressOrRange_delete(aors, i + 1); 1061 (void)sk_IPAddressOrRange_set(aors, i, merged);
1037 IPAddressOrRange_free(a); 1062 (void)sk_IPAddressOrRange_delete(aors, i + 1);
1038 IPAddressOrRange_free(b); 1063 IPAddressOrRange_free(a);
1039 --i; 1064 IPAddressOrRange_free(b);
1040 continue; 1065 --i;
1041 } 1066 continue;
1042 } 1067 }
1068 }
1043 1069
1044 /* 1070 /*
1045 * Check for inverted final range. 1071 * Check for inverted final range.
1046 */ 1072 */
1047 j = sk_IPAddressOrRange_num(aors) - 1; 1073 j = sk_IPAddressOrRange_num(aors) - 1;
1048 { 1074 {
1049 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 1075 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
1050 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 1076 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
1051 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1077 unsigned char a_min[ADDR_RAW_BUF_LEN],
1052 if (!extract_min_max(a, a_min, a_max, length)) 1078 a_max[ADDR_RAW_BUF_LEN];
1053 return 0; 1079 if (!extract_min_max(a, a_min, a_max, length))
1054 if (memcmp(a_min, a_max, length) > 0) 1080 return 0;
1055 return 0; 1081 if (memcmp(a_min, a_max, length) > 0)
1056 } 1082 return 0;
1057 } 1083 }
1058 1084 }
1059 return 1; 1085
1086 return 1;
1060} 1087}
1061 1088
1062/* 1089/*
1063 * Whack an IPAddrBlocks extension into canonical form. 1090 * Whack an IPAddrBlocks extension into canonical form.
1064 */ 1091 */
1065int X509v3_addr_canonize(IPAddrBlocks *addr) 1092int
1093X509v3_addr_canonize(IPAddrBlocks *addr)
1066{ 1094{
1067 int i; 1095 int i;
1068 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1096 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1069 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1097 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1070 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 1098 if (f->ipAddressChoice->type ==
1071 !IPAddressOrRanges_canonize(f->ipAddressChoice-> 1099 IPAddressChoice_addressesOrRanges &&
1072 u.addressesOrRanges, 1100 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
1073 X509v3_addr_get_afi(f))) 1101 X509v3_addr_get_afi(f)))
1074 return 0; 1102 return 0;
1075 } 1103 }
1076 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 1104 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
1077 sk_IPAddressFamily_sort(addr); 1105 sk_IPAddressFamily_sort(addr);
1078 OPENSSL_assert(X509v3_addr_is_canonical(addr)); 1106 OPENSSL_assert(X509v3_addr_is_canonical(addr));
1079 return 1; 1107 return 1;
1080} 1108}
1081 1109
1082/* 1110/*
1083 * v2i handler for the IPAddrBlocks extension. 1111 * v2i handler for the IPAddrBlocks extension.
1084 */ 1112 */
1085static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, 1113static void *
1086 struct v3_ext_ctx *ctx, 1114v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
1087 STACK_OF(CONF_VALUE) *values) 1115 STACK_OF(CONF_VALUE)*values)
1088{ 1116{
1089 static const char v4addr_chars[] = "0123456789."; 1117 static const char v4addr_chars[] = "0123456789.";
1090 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 1118 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
1091 IPAddrBlocks *addr = NULL; 1119 IPAddrBlocks *addr = NULL;
1092 char *s = NULL, *t; 1120 char *s = NULL, *t;
1093 int i; 1121 int i;
1094 1122
1095 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 1123 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
1096 X509V3error(ERR_R_MALLOC_FAILURE); 1124 X509V3error(ERR_R_MALLOC_FAILURE);
1097 return NULL; 1125 return NULL;
1098 } 1126 }
1099 1127
1100 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 1128 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
1101 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 1129 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
1102 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 1130 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
1103 unsigned afi, *safi = NULL, safi_; 1131 unsigned afi, *safi = NULL, safi_;
1104 const char *addr_chars = NULL; 1132 const char *addr_chars = NULL;
1105 int prefixlen, i1, i2, delim, length; 1133 int prefixlen, i1, i2, delim, length;
1106 1134
1107 if (!name_cmp(val->name, "IPv4")) { 1135 if (!name_cmp(val->name, "IPv4")) {
1108 afi = IANA_AFI_IPV4; 1136 afi = IANA_AFI_IPV4;
1109 } else if (!name_cmp(val->name, "IPv6")) { 1137 } else if (!name_cmp(val->name, "IPv6")) {
1110 afi = IANA_AFI_IPV6; 1138 afi = IANA_AFI_IPV6;
1111 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 1139 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
1112 afi = IANA_AFI_IPV4; 1140 afi = IANA_AFI_IPV4;
1113 safi = &safi_; 1141 safi = &safi_;
1114 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 1142 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
1115 afi = IANA_AFI_IPV6; 1143 afi = IANA_AFI_IPV6;
1116 safi = &safi_; 1144 safi = &safi_;
1117 } else { 1145 } else {
1118 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 1146 X509V3error(X509V3_R_EXTENSION_NAME_ERROR);
1119 X509V3_conf_err(val); 1147 X509V3_conf_err(val);
1120 goto err; 1148 goto err;
1121 } 1149 }
1122 1150
1123 switch (afi) { 1151 switch (afi) {
1124 case IANA_AFI_IPV4: 1152 case IANA_AFI_IPV4:
1125 addr_chars = v4addr_chars; 1153 addr_chars = v4addr_chars;
1126 break; 1154 break;
1127 case IANA_AFI_IPV6: 1155 case IANA_AFI_IPV6:
1128 addr_chars = v6addr_chars; 1156 addr_chars = v6addr_chars;
1129 break; 1157 break;
1130 } 1158 }
1131 1159
1132 length = length_from_afi(afi); 1160 length = length_from_afi(afi);
1133 1161
1134 /* 1162 /*
1135 * Handle SAFI, if any, and strdup() so we can null-terminate 1163 * Handle SAFI, if any, and strdup() so we can null-terminate
1136 * the other input values. 1164 * the other input values.
1137 */ 1165 */
1138 if (safi != NULL) { 1166 if (safi != NULL) {
1139 *safi = strtoul(val->value, &t, 0); 1167 *safi = strtoul(val->value, &t, 0);
1140 t += strspn(t, " \t"); 1168 t += strspn(t, " \t");
1141 if (*safi > 0xFF || *t++ != ':') { 1169 if (*safi > 0xFF || *t++ != ':') {
1142 X509V3error(X509V3_R_INVALID_SAFI); 1170 X509V3error(X509V3_R_INVALID_SAFI);
1143 X509V3_conf_err(val); 1171 X509V3_conf_err(val);
1144 goto err; 1172 goto err;
1145 } 1173 }
1146 t += strspn(t, " \t"); 1174 t += strspn(t, " \t");
1147 s = strdup(t); 1175 s = strdup(t);
1148 } else { 1176 } else {
1149 s = strdup(val->value); 1177 s = strdup(val->value);
1150 } 1178 }
1151 if (s == NULL) { 1179 if (s == NULL) {
1152 X509V3error(ERR_R_MALLOC_FAILURE); 1180 X509V3error(ERR_R_MALLOC_FAILURE);
1153 goto err; 1181 goto err;
1154 } 1182 }
1155 1183
1156 /* 1184 /*
1157 * Check for inheritance. Not worth additional complexity to 1185 * Check for inheritance. Not worth additional complexity to
1158 * optimize this (seldom-used) case. 1186 * optimize this (seldom-used) case.
1159 */ 1187 */
1160 if (strcmp(s, "inherit") == 0) { 1188 if (strcmp(s, "inherit") == 0) {
1161 if (!X509v3_addr_add_inherit(addr, afi, safi)) { 1189 if (!X509v3_addr_add_inherit(addr, afi, safi)) {
1162 X509V3error(X509V3_R_INVALID_INHERITANCE); 1190 X509V3error(X509V3_R_INVALID_INHERITANCE);
1163 X509V3_conf_err(val); 1191 X509V3_conf_err(val);
1164 goto err; 1192 goto err;
1165 } 1193 }
1166 free(s); 1194 free(s);
1167 s = NULL; 1195 s = NULL;
1168 continue; 1196 continue;
1169 } 1197 }
1170 1198
1171 i1 = strspn(s, addr_chars); 1199 i1 = strspn(s, addr_chars);
1172 i2 = i1 + strspn(s + i1, " \t"); 1200 i2 = i1 + strspn(s + i1, " \t");
1173 delim = s[i2++]; 1201 delim = s[i2++];
1174 s[i1] = '\0'; 1202 s[i1] = '\0';
1175 1203
1176 if (a2i_ipadd(min, s) != length) { 1204 if (a2i_ipadd(min, s) != length) {
1177 X509V3error(X509V3_R_INVALID_IPADDRESS); 1205 X509V3error(X509V3_R_INVALID_IPADDRESS);
1178 X509V3_conf_err(val); 1206 X509V3_conf_err(val);
1179 goto err; 1207 goto err;
1180 } 1208 }
1181 1209
1182 switch (delim) { 1210 switch (delim) {
1183 case '/': 1211 case '/':
1184 prefixlen = (int)strtoul(s + i2, &t, 10); 1212 prefixlen = (int)strtoul(s + i2, &t, 10);
1185 if (t == s + i2 || *t != '\0') { 1213 if (t == s + i2 || *t != '\0') {
1186 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1214 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1187 X509V3_conf_err(val); 1215 X509V3_conf_err(val);
1188 goto err; 1216 goto err;
1189 } 1217 }
1190 if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { 1218 if (!X509v3_addr_add_prefix(addr, afi, safi, min,
1191 X509V3error(ERR_R_MALLOC_FAILURE); 1219 prefixlen)) {
1192 goto err; 1220 X509V3error(ERR_R_MALLOC_FAILURE);
1193 } 1221 goto err;
1194 break; 1222 }
1195 case '-': 1223 break;
1196 i1 = i2 + strspn(s + i2, " \t"); 1224 case '-':
1197 i2 = i1 + strspn(s + i1, addr_chars); 1225 i1 = i2 + strspn(s + i2, " \t");
1198 if (i1 == i2 || s[i2] != '\0') { 1226 i2 = i1 + strspn(s + i1, addr_chars);
1199 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1227 if (i1 == i2 || s[i2] != '\0') {
1200 X509V3_conf_err(val); 1228 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1201 goto err; 1229 X509V3_conf_err(val);
1202 } 1230 goto err;
1203 if (a2i_ipadd(max, s + i1) != length) { 1231 }
1204 X509V3error(X509V3_R_INVALID_IPADDRESS); 1232 if (a2i_ipadd(max, s + i1) != length) {
1205 X509V3_conf_err(val); 1233 X509V3error(X509V3_R_INVALID_IPADDRESS);
1206 goto err; 1234 X509V3_conf_err(val);
1207 } 1235 goto err;
1208 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1236 }
1209 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1237 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1210 X509V3_conf_err(val); 1238 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1211 goto err; 1239 X509V3_conf_err(val);
1212 } 1240 goto err;
1213 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { 1241 }
1214 X509V3error(ERR_R_MALLOC_FAILURE); 1242 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
1215 goto err; 1243 X509V3error(ERR_R_MALLOC_FAILURE);
1216 } 1244 goto err;
1217 break; 1245 }
1218 case '\0': 1246 break;
1219 if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { 1247 case '\0':
1220 X509V3error(ERR_R_MALLOC_FAILURE); 1248 if (!X509v3_addr_add_prefix(addr, afi, safi, min,
1221 goto err; 1249 length * 8)) {
1222 } 1250 X509V3error(ERR_R_MALLOC_FAILURE);
1223 break; 1251 goto err;
1224 default: 1252 }
1225 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1253 break;
1226 X509V3_conf_err(val); 1254 default:
1227 goto err; 1255 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
1228 } 1256 X509V3_conf_err(val);
1229 1257 goto err;
1230 free(s); 1258 }
1231 s = NULL; 1259
1232 } 1260 free(s);
1261 s = NULL;
1262 }
1233 1263
1234 /* 1264 /*
1235 * Canonize the result, then we're done. 1265 * Canonize the result, then we're done.
1236 */ 1266 */
1237 if (!X509v3_addr_canonize(addr)) 1267 if (!X509v3_addr_canonize(addr))
1238 goto err; 1268 goto err;
1239 return addr; 1269 return addr;
1240 1270
1241 err: 1271err:
1242 free(s); 1272 free(s);
1243 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1273 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1244 return NULL; 1274 return NULL;
1245} 1275}
1246 1276
1247/* 1277/*
1248 * OpenSSL dispatch 1278 * OpenSSL dispatch
1249 */ 1279 */
1250const X509V3_EXT_METHOD v3_addr = { 1280const X509V3_EXT_METHOD v3_addr = {
1251 NID_sbgp_ipAddrBlock, /* nid */ 1281 NID_sbgp_ipAddrBlock, /* nid */
1252 0, /* flags */ 1282 0, /* flags */
1253 &IPAddrBlocks_it, 1283 &IPAddrBlocks_it,
1254 0, 0, 0, 0, /* old functions, ignored */ 1284 0, 0, 0, 0, /* old functions, ignored */
1255 0, /* i2s */ 1285 0, /* i2s */
1256 0, /* s2i */ 1286 0, /* s2i */
1257 0, /* i2v */ 1287 0, /* i2v */
1258 v2i_IPAddrBlocks, /* v2i */ 1288 v2i_IPAddrBlocks, /* v2i */
1259 i2r_IPAddrBlocks, /* i2r */ 1289 i2r_IPAddrBlocks, /* i2r */
1260 0, /* r2i */ 1290 0, /* r2i */
1261 NULL /* extension-specific data */ 1291 NULL /* extension-specific data */
1262}; 1292};
1263 1293
1264/* 1294/*
1265 * Figure out whether extension sues inheritance. 1295 * Figure out whether extension sues inheritance.
1266 */ 1296 */
1267int X509v3_addr_inherits(IPAddrBlocks *addr) 1297int
1298X509v3_addr_inherits(IPAddrBlocks *addr)
1268{ 1299{
1269 int i; 1300 int i;
1270 if (addr == NULL) 1301 if (addr == NULL)
1271 return 0; 1302 return 0;
1272 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1303 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1273 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1304 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1274 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1305 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1275 return 1; 1306 return 1;
1276 } 1307 }
1277 return 0; 1308 return 0;
1278} 1309}
1279 1310
1280/* 1311/*
1281 * Figure out whether parent contains child. 1312 * Figure out whether parent contains child.
1282 */ 1313 */
1283static int addr_contains(IPAddressOrRanges *parent, 1314static int
1284 IPAddressOrRanges *child, int length) 1315addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
1285{ 1316{
1286 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1317 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1287 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1318 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1288 int p, c; 1319 int p, c;
1289 1320
1290 if (child == NULL || parent == child) 1321 if (child == NULL || parent == child)
1291 return 1; 1322 return 1;
1292 if (parent == NULL) 1323 if (parent == NULL)
1293 return 0; 1324 return 0;
1294 1325
1295 p = 0; 1326 p = 0;
1296 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1327 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1297 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1328 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1298 c_min, c_max, length)) 1329 c_min, c_max, length))
1299 return -1; 1330 return -1;
1300 for (;; p++) { 1331 for (;; p++) {
1301 if (p >= sk_IPAddressOrRange_num(parent)) 1332 if (p >= sk_IPAddressOrRange_num(parent))
1302 return 0; 1333 return 0;
1303 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), 1334 if (!extract_min_max(sk_IPAddressOrRange_value(parent,
1304 p_min, p_max, length)) 1335 p), p_min, p_max, length))
1305 return 0; 1336 return 0;
1306 if (memcmp(p_max, c_max, length) < 0) 1337 if (memcmp(p_max, c_max, length) < 0)
1307 continue; 1338 continue;
1308 if (memcmp(p_min, c_min, length) > 0) 1339 if (memcmp(p_min, c_min, length) > 0)
1309 return 0; 1340 return 0;
1310 break; 1341 break;
1311 } 1342 }
1312 } 1343 }
1313 1344
1314 return 1; 1345 return 1;
1315} 1346}
1316 1347
1317/* 1348/*
1318 * Test whether a is a subset of b. 1349 * Test whether a is a subset of b.
1319 */ 1350 */
1320int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1351int
1352X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1321{ 1353{
1322 int i; 1354 int i;
1323 if (a == NULL || a == b) 1355 if (a == NULL || a == b)
1324 return 1; 1356 return 1;
1325 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b)) 1357 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
1326 return 0; 1358 return 0;
1327 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1359 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1328 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1360 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1329 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1361 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1330 int j = sk_IPAddressFamily_find(b, fa); 1362 int j = sk_IPAddressFamily_find(b, fa);
1331 IPAddressFamily *fb; 1363 IPAddressFamily *fb;
1332 fb = sk_IPAddressFamily_value(b, j); 1364 fb = sk_IPAddressFamily_value(b, j);
1333 if (fb == NULL) 1365 if (fb == NULL)
1334 return 0; 1366 return 0;
1335 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1367 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1336 fa->ipAddressChoice->u.addressesOrRanges, 1368 fa->ipAddressChoice->u.addressesOrRanges,
1337 length_from_afi(X509v3_addr_get_afi(fb)))) 1369 length_from_afi(X509v3_addr_get_afi(fb))))
1338 return 0; 1370 return 0;
1339 } 1371 }
1340 return 1; 1372 return 1;
1341} 1373}
1342 1374
1343/* 1375/*
@@ -1365,105 +1397,109 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1365 * When returning 0, ctx->error MUST be set to an appropriate value other than 1397 * When returning 0, ctx->error MUST be set to an appropriate value other than
1366 * X509_V_OK. 1398 * X509_V_OK.
1367 */ 1399 */
1368static int addr_validate_path_internal(X509_STORE_CTX *ctx, 1400static int
1369 STACK_OF(X509) *chain, 1401addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
1370 IPAddrBlocks *ext) 1402 IPAddrBlocks *ext)
1371{ 1403{
1372 IPAddrBlocks *child = NULL; 1404 IPAddrBlocks *child = NULL;
1373 int i, j, ret = 1; 1405 int i, j, ret = 1;
1374 X509 *x; 1406 X509 *x;
1375 1407
1376 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1408 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1377 OPENSSL_assert(ctx != NULL || ext != NULL); 1409 OPENSSL_assert(ctx != NULL || ext != NULL);
1378 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1410 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1379 1411
1380 /* 1412 /*
1381 * Figure out where to start. If we don't have an extension to 1413 * Figure out where to start. If we don't have an extension to
1382 * check, we're done. Otherwise, check canonical form and 1414 * check, we're done. Otherwise, check canonical form and
1383 * set up for walking up the chain. 1415 * set up for walking up the chain.
1384 */ 1416 */
1385 if (ext != NULL) { 1417 if (ext != NULL) {
1386 i = -1; 1418 i = -1;
1387 x = NULL; 1419 x = NULL;
1388 } else { 1420 } else {
1389 i = 0; 1421 i = 0;
1390 x = sk_X509_value(chain, i); 1422 x = sk_X509_value(chain, i);
1391 if ((ext = x->rfc3779_addr) == NULL) 1423 if ((ext = x->rfc3779_addr) == NULL)
1392 goto done; 1424 goto done;
1393 } 1425 }
1394 if (!X509v3_addr_is_canonical(ext)) 1426 if (!X509v3_addr_is_canonical(ext))
1395 validation_err(X509_V_ERR_INVALID_EXTENSION); 1427 validation_err(X509_V_ERR_INVALID_EXTENSION);
1396 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1428 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1397 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1429 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1398 X509V3error(ERR_R_MALLOC_FAILURE); 1430 X509V3error(ERR_R_MALLOC_FAILURE);
1399 if (ctx != NULL) 1431 if (ctx != NULL)
1400 ctx->error = X509_V_ERR_OUT_OF_MEM; 1432 ctx->error = X509_V_ERR_OUT_OF_MEM;
1401 ret = 0; 1433 ret = 0;
1402 goto done; 1434 goto done;
1403 } 1435 }
1404 1436
1405 /* 1437 /*
1406 * Now walk up the chain. No cert may list resources that its 1438 * Now walk up the chain. No cert may list resources that its
1407 * parent doesn't list. 1439 * parent doesn't list.
1408 */ 1440 */
1409 for (i++; i < sk_X509_num(chain); i++) { 1441 for (i++; i < sk_X509_num(chain); i++) {
1410 x = sk_X509_value(chain, i); 1442 x = sk_X509_value(chain, i);
1411 if (!X509v3_addr_is_canonical(x->rfc3779_addr)) 1443 if (!X509v3_addr_is_canonical(x->rfc3779_addr))
1412 validation_err(X509_V_ERR_INVALID_EXTENSION); 1444 validation_err(X509_V_ERR_INVALID_EXTENSION);
1413 if (x->rfc3779_addr == NULL) { 1445 if (x->rfc3779_addr == NULL) {
1414 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1446 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1415 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1447 IPAddressFamily *fc = sk_IPAddressFamily_value(child,
1416 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { 1448 j);
1417 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1449 if (fc->ipAddressChoice->type !=
1418 break; 1450 IPAddressChoice_inherit) {
1419 } 1451 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1420 } 1452 break;
1421 continue; 1453 }
1422 } 1454 }
1423 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, 1455 continue;
1424 IPAddressFamily_cmp); 1456 }
1425 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1457 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1426 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1458 IPAddressFamily_cmp);
1427 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1459 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1428 IPAddressFamily *fp = 1460 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1429 sk_IPAddressFamily_value(x->rfc3779_addr, k); 1461 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1430 if (fp == NULL) { 1462 IPAddressFamily *fp =
1431 if (fc->ipAddressChoice->type == 1463 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1432 IPAddressChoice_addressesOrRanges) { 1464 if (fp == NULL) {
1433 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1465 if (fc->ipAddressChoice->type ==
1434 break; 1466 IPAddressChoice_addressesOrRanges) {
1435 } 1467 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1436 continue; 1468 break;
1437 } 1469 }
1438 if (fp->ipAddressChoice->type == 1470 continue;
1439 IPAddressChoice_addressesOrRanges) { 1471 }
1440 if (fc->ipAddressChoice->type == IPAddressChoice_inherit 1472 if (fp->ipAddressChoice->type ==
1441 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1473 IPAddressChoice_addressesOrRanges) {
1442 fc->ipAddressChoice->u.addressesOrRanges, 1474 if (fc->ipAddressChoice->type ==
1443 length_from_afi(X509v3_addr_get_afi(fc)))) 1475 IPAddressChoice_inherit ||
1444 sk_IPAddressFamily_set(child, j, fp); 1476 addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1445 else 1477 fc->ipAddressChoice->u.addressesOrRanges,
1446 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1478 length_from_afi(X509v3_addr_get_afi(fc))))
1447 } 1479 sk_IPAddressFamily_set(child, j, fp);
1448 } 1480 else
1449 } 1481 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1482 }
1483 }
1484 }
1450 1485
1451 /* 1486 /*
1452 * Trust anchor can't inherit. 1487 * Trust anchor can't inherit.
1453 */ 1488 */
1454 if (x->rfc3779_addr != NULL) { 1489 if (x->rfc3779_addr != NULL) {
1455 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1490 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1456 IPAddressFamily *fp = 1491 IPAddressFamily *fp =
1457 sk_IPAddressFamily_value(x->rfc3779_addr, j); 1492 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1458 if (fp->ipAddressChoice->type == IPAddressChoice_inherit 1493 if (fp->ipAddressChoice->type ==
1459 && sk_IPAddressFamily_find(child, fp) >= 0) 1494 IPAddressChoice_inherit &&
1460 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1495 sk_IPAddressFamily_find(child, fp) >= 0)
1461 } 1496 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1462 } 1497 }
1463 1498 }
1464 done: 1499
1465 sk_IPAddressFamily_free(child); 1500done:
1466 return ret; 1501 sk_IPAddressFamily_free(child);
1502 return ret;
1467} 1503}
1468 1504
1469#undef validation_err 1505#undef validation_err
@@ -1471,31 +1507,33 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx,
1471/* 1507/*
1472 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1508 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1473 */ 1509 */
1474int X509v3_addr_validate_path(X509_STORE_CTX *ctx) 1510int
1511X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1475{ 1512{
1476 if (ctx->chain == NULL 1513 if (ctx->chain == NULL ||
1477 || sk_X509_num(ctx->chain) == 0 1514 sk_X509_num(ctx->chain) == 0 ||
1478 || ctx->verify_cb == NULL) { 1515 ctx->verify_cb == NULL) {
1479 ctx->error = X509_V_ERR_UNSPECIFIED; 1516 ctx->error = X509_V_ERR_UNSPECIFIED;
1480 return 0; 1517 return 0;
1481 } 1518 }
1482 return addr_validate_path_internal(ctx, ctx->chain, NULL); 1519 return addr_validate_path_internal(ctx, ctx->chain, NULL);
1483} 1520}
1484 1521
1485/* 1522/*
1486 * RFC 3779 2.3 path validation of an extension. 1523 * RFC 3779 2.3 path validation of an extension.
1487 * Test whether chain covers extension. 1524 * Test whether chain covers extension.
1488 */ 1525 */
1489int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, 1526int
1490 IPAddrBlocks *ext, int allow_inheritance) 1527X509v3_addr_validate_resource_set(STACK_OF(X509)*chain, IPAddrBlocks *ext,
1528 int allow_inheritance)
1491{ 1529{
1492 if (ext == NULL) 1530 if (ext == NULL)
1493 return 1; 1531 return 1;
1494 if (chain == NULL || sk_X509_num(chain) == 0) 1532 if (chain == NULL || sk_X509_num(chain) == 0)
1495 return 0; 1533 return 0;
1496 if (!allow_inheritance && X509v3_addr_inherits(ext)) 1534 if (!allow_inheritance && X509v3_addr_inherits(ext))
1497 return 0; 1535 return 0;
1498 return addr_validate_path_internal(NULL, chain, ext); 1536 return addr_validate_path_internal(NULL, chain, ext);
1499} 1537}
1500 1538
1501#endif /* OPENSSL_NO_RFC3779 */ 1539#endif /* OPENSSL_NO_RFC3779 */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-16 00:12:37 +0000