Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree. OK tb@, discussed with beck@
author: job <> 2021-09-02 12:41:44 +0000
committer: job <> 2021-09-02 12:41:44 +0000
commit: 3ed206d7bde4191b37ba53a167ddc2090f5e4860 (patch)
tree: 68881b07659cc9e2b17902a5156f430f2154ecf8 /src/lib/libcrypto/x509/x509v3.h
parent: e62cf7c0e3daad29f81cae909a92d8769558bd57 (diff)
download: openbsd-3ed206d7bde4191b37ba53a167ddc2090f5e4860.tar.gz
openbsd-3ed206d7bde4191b37ba53a167ddc2090f5e4860.tar.bz2
openbsd-3ed206d7bde4191b37ba53a167ddc2090f5e4860.zip
1 files changed, 144 insertions, 1 deletions
diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h
index d2754fa624..3cccf86242 100644
--- a/src/lib/libcrypto/x509/x509v3.h
+++ b/src/lib/libcrypto/x509/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */
+/* $OpenBSD: x509v3.h,v 1.3 2021/09/02 12:41:44 job Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -842,6 +842,149 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
 DECLARE_STACK_OF(X509_POLICY_NODE)
+#if defined(LIBRESSL_INTERNAL)
+#ifndef OPENSSL_NO_RFC3779
+typedef struct ASRange_st {
+        ASN1_INTEGER *min, *max;
+} ASRange;
+# define ASIdOrRange_id          0
+# define ASIdOrRange_range       1
+typedef struct ASIdOrRange_st {
+    int type;
+    union {
+        ASN1_INTEGER *id;
+        ASRange *range;
+    } u;
+} ASIdOrRange;
+typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
+DEFINE_STACK_OF(ASIdOrRange)
+# define ASIdentifierChoice_inherit              0
+# define ASIdentifierChoice_asIdsOrRanges        1
+typedef struct ASIdentifierChoice_st {
+    int type;
+    union {
+        ASN1_NULL *inherit;
+        ASIdOrRanges *asIdsOrRanges;
+    } u;
+} ASIdentifierChoice;
+typedef struct ASIdentifiers_st {
+    ASIdentifierChoice *asnum, *rdi;
+} ASIdentifiers;
+DECLARE_ASN1_FUNCTIONS(ASRange)
+DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
+DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
+DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
+typedef struct IPAddressRange_st {
+    ASN1_BIT_STRING *min, *max;
+} IPAddressRange;
+# define IPAddressOrRange_addressPrefix  0
+# define IPAddressOrRange_addressRange   1
+typedef struct IPAddressOrRange_st {
+    int type;
+    union {
+        ASN1_BIT_STRING *addressPrefix;
+        IPAddressRange *addressRange;
+    } u;
+} IPAddressOrRange;
+typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
+DEFINE_STACK_OF(IPAddressOrRange)
+# define IPAddressChoice_inherit                 0
+# define IPAddressChoice_addressesOrRanges       1
+typedef struct IPAddressChoice_st {
+    int type;
+    union {
+        ASN1_NULL *inherit;
+        IPAddressOrRanges *addressesOrRanges;
+    } u;
+} IPAddressChoice;
+typedef struct IPAddressFamily_st {
+    ASN1_OCTET_STRING *addressFamily;
+    IPAddressChoice *ipAddressChoice;
+} IPAddressFamily;
+typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
+DEFINE_STACK_OF(IPAddressFamily)
+DECLARE_ASN1_FUNCTIONS(IPAddressRange)
+DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
+DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
+DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
+/*
+ * API tag for elements of the ASIdentifer SEQUENCE.
+ */
+# define V3_ASID_ASNUM   0
+# define V3_ASID_RDI     1
+/*
+ * AFI values, assigned by IANA.  It'd be nice to make the AFI
+ * handling code totally generic, but there are too many little things
+ * that would need to be defined for other address families for it to
+ * be worth the trouble.
+ */
+# define IANA_AFI_IPV4   1
+# define IANA_AFI_IPV6   2
+/*
+ * Utilities to construct and extract values from RFC3779 extensions,
+ * since some of the encodings (particularly for IP address prefixes
+ * and ranges) are a bit tedious to work with directly.
+ */
+int X509v3_asid_add_inherit(ASIdentifiers *asid, int which);
+int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
+                                ASN1_INTEGER *min, ASN1_INTEGER *max);
+int X509v3_addr_add_inherit(IPAddrBlocks *addr,
+                            const unsigned afi, const unsigned *safi);
+int X509v3_addr_add_prefix(IPAddrBlocks *addr,
+                           const unsigned afi, const unsigned *safi,
+                           unsigned char *a, const int prefixlen);
+int X509v3_addr_add_range(IPAddrBlocks *addr,
+                          const unsigned afi, const unsigned *safi,
+                          unsigned char *min, unsigned char *max);
+unsigned X509v3_addr_get_afi(const IPAddressFamily *f);
+int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
+                          unsigned char *min, unsigned char *max,
+                          const int length);
+/*
+ * Canonical forms.
+ */
+int X509v3_asid_is_canonical(ASIdentifiers *asid);
+int X509v3_addr_is_canonical(IPAddrBlocks *addr);
+int X509v3_asid_canonize(ASIdentifiers *asid);
+int X509v3_addr_canonize(IPAddrBlocks *addr);
+/*
+ * Tests for inheritance and containment.
+ */
+int X509v3_asid_inherits(ASIdentifiers *asid);
+int X509v3_addr_inherits(IPAddrBlocks *addr);
+int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
+int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
+/*
+ * Check whether RFC 3779 extensions nest properly in chains.
+ */
+int X509v3_asid_validate_path(X509_STORE_CTX *);
+int X509v3_addr_validate_path(X509_STORE_CTX *);
+int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
+                                      ASIdentifiers *ext,
+                                      int allow_inheritance);
+int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
+                                      IPAddrBlocks *ext, int allow_inheritance);
+#endif                         /* OPENSSL_NO_RFC3779 */
+#endif
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
author	job <>	2021-09-02 12:41:44 +0000
committer	job <>	2021-09-02 12:41:44 +0000
commit	3ed206d7bde4191b37ba53a167ddc2090f5e4860 (patch)
tree	68881b07659cc9e2b17902a5156f430f2154ecf8 /src/lib/libcrypto/x509/x509v3.h
parent	e62cf7c0e3daad29f81cae909a92d8769558bd57 (diff)
download	openbsd-3ed206d7bde4191b37ba53a167ddc2090f5e4860.tar.gz openbsd-3ed206d7bde4191b37ba53a167ddc2090f5e4860.tar.bz2 openbsd-3ed206d7bde4191b37ba53a167ddc2090f5e4860.zip

diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h index d2754fa624..3cccf86242 100644 --- a/src/lib/libcrypto/x509/x509v3.h +++ b/src/lib/libcrypto/x509/x509v3.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509v3.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */	1	/* $OpenBSD: x509v3.h,v 1.3 2021/09/02 12:41:44 job Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999.	3	* project 1999.
4	*/	4	*/
@@ -842,6 +842,149 @@ int X509V3_NAME_from_section(X509_NAME nm, STACK_OF(CONF_VALUE)dn_sk,
842	void X509_POLICY_NODE_print(BIO out, X509_POLICY_NODE node, int indent);	842	void X509_POLICY_NODE_print(BIO out, X509_POLICY_NODE node, int indent);
843	DECLARE_STACK_OF(X509_POLICY_NODE)	843	DECLARE_STACK_OF(X509_POLICY_NODE)
844		844
		845	#if defined(LIBRESSL_INTERNAL)
		846	#ifndef OPENSSL_NO_RFC3779
		847	typedef struct ASRange_st {
		848	ASN1_INTEGER min, max;
		849	} ASRange;
		850
		851	# define ASIdOrRange_id 0
		852	# define ASIdOrRange_range 1
		853
		854	typedef struct ASIdOrRange_st {
		855	int type;
		856	union {
		857	ASN1_INTEGER *id;
		858	ASRange *range;
		859	} u;
		860	} ASIdOrRange;
		861
		862	typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
		863	DEFINE_STACK_OF(ASIdOrRange)
		864
		865	# define ASIdentifierChoice_inherit 0
		866	# define ASIdentifierChoice_asIdsOrRanges 1
		867
		868	typedef struct ASIdentifierChoice_st {
		869	int type;
		870	union {
		871	ASN1_NULL *inherit;
		872	ASIdOrRanges *asIdsOrRanges;
		873	} u;
		874	} ASIdentifierChoice;
		875
		876	typedef struct ASIdentifiers_st {
		877	ASIdentifierChoice asnum, rdi;
		878	} ASIdentifiers;
		879
		880	DECLARE_ASN1_FUNCTIONS(ASRange)
		881	DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
		882	DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
		883	DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
		884	typedef struct IPAddressRange_st {
		885	ASN1_BIT_STRING min, max;
		886	} IPAddressRange;
		887
		888	# define IPAddressOrRange_addressPrefix 0
		889	# define IPAddressOrRange_addressRange 1
		890
		891	typedef struct IPAddressOrRange_st {
		892	int type;
		893	union {
		894	ASN1_BIT_STRING *addressPrefix;
		895	IPAddressRange *addressRange;
		896	} u;
		897	} IPAddressOrRange;
		898
		899	typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
		900	DEFINE_STACK_OF(IPAddressOrRange)
		901
		902	# define IPAddressChoice_inherit 0
		903	# define IPAddressChoice_addressesOrRanges 1
		904
		905	typedef struct IPAddressChoice_st {
		906	int type;
		907	union {
		908	ASN1_NULL *inherit;
		909	IPAddressOrRanges *addressesOrRanges;
		910	} u;
		911	} IPAddressChoice;
		912
		913	typedef struct IPAddressFamily_st {
		914	ASN1_OCTET_STRING *addressFamily;
		915	IPAddressChoice *ipAddressChoice;
		916	} IPAddressFamily;
		917
		918	typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
		919	DEFINE_STACK_OF(IPAddressFamily)
		920	DECLARE_ASN1_FUNCTIONS(IPAddressRange)
		921	DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
		922	DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
		923	DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
		924
		925	/*
		926	* API tag for elements of the ASIdentifer SEQUENCE.
		927	*/
		928	# define V3_ASID_ASNUM 0
		929	# define V3_ASID_RDI 1
		930
		931	/*
		932	* AFI values, assigned by IANA. It'd be nice to make the AFI
		933	* handling code totally generic, but there are too many little things
		934	* that would need to be defined for other address families for it to
		935	* be worth the trouble.
		936	*/
		937	# define IANA_AFI_IPV4 1
		938	# define IANA_AFI_IPV6 2
		939	/*
		940	* Utilities to construct and extract values from RFC3779 extensions,
		941	* since some of the encodings (particularly for IP address prefixes
		942	* and ranges) are a bit tedious to work with directly.
		943	*/
		944	int X509v3_asid_add_inherit(ASIdentifiers *asid, int which);
		945	int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
		946	ASN1_INTEGER min, ASN1_INTEGER max);
		947	int X509v3_addr_add_inherit(IPAddrBlocks *addr,
		948	const unsigned afi, const unsigned *safi);
		949	int X509v3_addr_add_prefix(IPAddrBlocks *addr,
		950	const unsigned afi, const unsigned *safi,
		951	unsigned char *a, const int prefixlen);
		952	int X509v3_addr_add_range(IPAddrBlocks *addr,
		953	const unsigned afi, const unsigned *safi,
		954	unsigned char min, unsigned char max);
		955	unsigned X509v3_addr_get_afi(const IPAddressFamily *f);
		956	int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
		957	unsigned char min, unsigned char max,
		958	const int length);
		959	/*
		960	* Canonical forms.
		961	*/
		962	int X509v3_asid_is_canonical(ASIdentifiers *asid);
		963	int X509v3_addr_is_canonical(IPAddrBlocks *addr);
		964	int X509v3_asid_canonize(ASIdentifiers *asid);
		965	int X509v3_addr_canonize(IPAddrBlocks *addr);
		966
		967	/*
		968	* Tests for inheritance and containment.
		969	*/
		970	int X509v3_asid_inherits(ASIdentifiers *asid);
		971	int X509v3_addr_inherits(IPAddrBlocks *addr);
		972	int X509v3_asid_subset(ASIdentifiers a, ASIdentifiers b);
		973	int X509v3_addr_subset(IPAddrBlocks a, IPAddrBlocks b);
		974
		975	/*
		976	* Check whether RFC 3779 extensions nest properly in chains.
		977	*/
		978	int X509v3_asid_validate_path(X509_STORE_CTX *);
		979	int X509v3_addr_validate_path(X509_STORE_CTX *);
		980	int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
		981	ASIdentifiers *ext,
		982	int allow_inheritance);
		983	int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
		984	IPAddrBlocks *ext, int allow_inheritance);
		985
		986	#endif /* OPENSSL_NO_RFC3779 */
		987	#endif
845		988
846	/* BEGIN ERROR CODES */	989	/* BEGIN ERROR CODES */
847	/* The following lines are auto generated by the script mkerr.pl. Any changes	990	/* The following lines are auto generated by the script mkerr.pl. Any changes