summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509v3/v3_addr.c
diff options
context:
space:
mode:
authorjsing <>2014-04-21 13:04:02 +0000
committerjsing <>2014-04-21 13:04:02 +0000
commit3a880eb2ba098077540eaaad8bae436dc2f546bb (patch)
tree07783cfbbde55bf969ec5774593a54462ebe763a /src/lib/libcrypto/x509v3/v3_addr.c
parenta13698710d1bf0bac4832733da5c86886601b5d4 (diff)
downloadopenbsd-3a880eb2ba098077540eaaad8bae436dc2f546bb.tar.gz
openbsd-3a880eb2ba098077540eaaad8bae436dc2f546bb.tar.bz2
openbsd-3a880eb2ba098077540eaaad8bae436dc2f546bb.zip
KNF.
Diffstat (limited to 'src/lib/libcrypto/x509v3/v3_addr.c')
-rw-r--r--src/lib/libcrypto/x509v3/v3_addr.c2068
1 files changed, 1068 insertions, 1000 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index 179f08d222..084209f5a1 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -10,7 +10,7 @@
10 * are met: 10 * are met:
11 * 11 *
12 * 1. Redistributions of source code must retain the above copyright 12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer. 13 * notice, this list of conditions and the following disclaimer.
14 * 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright 15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in 16 * notice, this list of conditions and the following disclaimer in
@@ -76,28 +76,28 @@
76 */ 76 */
77 77
78ASN1_SEQUENCE(IPAddressRange) = { 78ASN1_SEQUENCE(IPAddressRange) = {
79 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), 79 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
80 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) 80 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
81} ASN1_SEQUENCE_END(IPAddressRange) 81} ASN1_SEQUENCE_END(IPAddressRange)
82 82
83ASN1_CHOICE(IPAddressOrRange) = { 83ASN1_CHOICE(IPAddressOrRange) = {
84 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), 84 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
85 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) 85 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
86} ASN1_CHOICE_END(IPAddressOrRange) 86} ASN1_CHOICE_END(IPAddressOrRange)
87 87
88ASN1_CHOICE(IPAddressChoice) = { 88ASN1_CHOICE(IPAddressChoice) = {
89 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), 89 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
90 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) 90 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
91} ASN1_CHOICE_END(IPAddressChoice) 91} ASN1_CHOICE_END(IPAddressChoice)
92 92
93ASN1_SEQUENCE(IPAddressFamily) = { 93ASN1_SEQUENCE(IPAddressFamily) = {
94 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), 94 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
95 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) 95 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
96} ASN1_SEQUENCE_END(IPAddressFamily) 96} ASN1_SEQUENCE_END(IPAddressFamily)
97 97
98ASN1_ITEM_TEMPLATE(IPAddrBlocks) = 98ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
99 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, 99 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
100 IPAddrBlocks, IPAddressFamily) 100 IPAddrBlocks, IPAddressFamily)
101ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) 101ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
102 102
103IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) 103IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
@@ -113,54 +113,53 @@ IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
113/* 113/*
114 * What's the address length associated with this AFI? 114 * What's the address length associated with this AFI?
115 */ 115 */
116static int length_from_afi(const unsigned afi) 116static int
117length_from_afi(const unsigned afi)
117{ 118{
118 switch (afi) { 119 switch (afi) {
119 case IANA_AFI_IPV4: 120 case IANA_AFI_IPV4:
120 return 4; 121 return 4;
121 case IANA_AFI_IPV6: 122 case IANA_AFI_IPV6:
122 return 16; 123 return 16;
123 default: 124 default:
124 return 0; 125 return 0;
125 } 126 }
126} 127}
127 128
128/* 129/*
129 * Extract the AFI from an IPAddressFamily. 130 * Extract the AFI from an IPAddressFamily.
130 */ 131 */
131unsigned int v3_addr_get_afi(const IPAddressFamily *f) 132unsigned int
133v3_addr_get_afi(const IPAddressFamily *f)
132{ 134{
133 return ((f != NULL && 135 return ((f != NULL && f->addressFamily != NULL &&
134 f->addressFamily != NULL && 136 f->addressFamily->data != NULL) ?
135 f->addressFamily->data != NULL) 137 ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) :
136 ? ((f->addressFamily->data[0] << 8) | 138 0);
137 (f->addressFamily->data[1]))
138 : 0);
139} 139}
140 140
141/* 141/*
142 * Expand the bitstring form of an address into a raw byte array. 142 * Expand the bitstring form of an address into a raw byte array.
143 * At the moment this is coded for simplicity, not speed. 143 * At the moment this is coded for simplicity, not speed.
144 */ 144 */
145static int addr_expand(unsigned char *addr, 145static int
146 const ASN1_BIT_STRING *bs, 146addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length,
147 const int length, 147 const unsigned char fill)
148 const unsigned char fill)
149{ 148{
150 if (bs->length < 0 || bs->length > length) 149 if (bs->length < 0 || bs->length > length)
151 return 0; 150 return 0;
152 if (bs->length > 0) { 151 if (bs->length > 0) {
153 memcpy(addr, bs->data, bs->length); 152 memcpy(addr, bs->data, bs->length);
154 if ((bs->flags & 7) != 0) { 153 if ((bs->flags & 7) != 0) {
155 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 154 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
156 if (fill == 0) 155 if (fill == 0)
157 addr[bs->length - 1] &= ~mask; 156 addr[bs->length - 1] &= ~mask;
158 else 157 else
159 addr[bs->length - 1] |= mask; 158 addr[bs->length - 1] |= mask;
160 } 159 }
161 } 160 }
162 memset(addr + bs->length, fill, length - bs->length); 161 memset(addr + bs->length, fill, length - bs->length);
163 return 1; 162 return 1;
164} 163}
165 164
166/* 165/*
@@ -171,145 +170,150 @@ static int addr_expand(unsigned char *addr,
171/* 170/*
172 * i2r handler for one address bitstring. 171 * i2r handler for one address bitstring.
173 */ 172 */
174static int i2r_address(BIO *out, 173static int
175 const unsigned afi, 174i2r_address(BIO *out, const unsigned afi, const unsigned char fill,
176 const unsigned char fill, 175 const ASN1_BIT_STRING *bs)
177 const ASN1_BIT_STRING *bs)
178{ 176{
179 unsigned char addr[ADDR_RAW_BUF_LEN]; 177 unsigned char addr[ADDR_RAW_BUF_LEN];
180 int i, n; 178 int i, n;
181 179
182 if (bs->length < 0) 180 if (bs->length < 0)
183 return 0; 181 return 0;
184 switch (afi) { 182 switch (afi) {
185 case IANA_AFI_IPV4: 183 case IANA_AFI_IPV4:
186 if (!addr_expand(addr, bs, 4, fill)) 184 if (!addr_expand(addr, bs, 4, fill))
187 return 0; 185 return 0;
188 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 186 BIO_printf(out, "%d.%d.%d.%d",
189 break; 187 addr[0], addr[1], addr[2], addr[3]);
190 case IANA_AFI_IPV6: 188 break;
191 if (!addr_expand(addr, bs, 16, fill)) 189 case IANA_AFI_IPV6:
192 return 0; 190 if (!addr_expand(addr, bs, 16, fill))
193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) 191 return 0;
194 ; 192 for (n = 16;
195 for (i = 0; i < n; i += 2) 193 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2)
196 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); 194 ;
197 if (i < 16) 195 for (i = 0; i < n; i += 2)
198 BIO_puts(out, ":"); 196 BIO_printf(out, "%x%s",
199 if (i == 0) 197 (addr[i] << 8) | addr[i + 1], (i < 14 ? ":" : ""));
200 BIO_puts(out, ":"); 198 if (i < 16)
201 break; 199 BIO_puts(out, ":");
202 default: 200 if (i == 0)
203 for (i = 0; i < bs->length; i++) 201 BIO_puts(out, ":");
204 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); 202 break;
205 BIO_printf(out, "[%d]", (int) (bs->flags & 7)); 203 default:
206 break; 204 for (i = 0; i < bs->length; i++)
207 } 205 BIO_printf(out, "%s%02x",
208 return 1; 206 (i > 0 ? ":" : ""), bs->data[i]);
207 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
208 break;
209 }
210 return 1;
209} 211}
210 212
211/* 213/*
212 * i2r handler for a sequence of addresses and ranges. 214 * i2r handler for a sequence of addresses and ranges.
213 */ 215 */
214static int i2r_IPAddressOrRanges(BIO *out, 216static int
215 const int indent, 217i2r_IPAddressOrRanges(BIO *out, const int indent, const IPAddressOrRanges *aors,
216 const IPAddressOrRanges *aors, 218 const unsigned afi)
217 const unsigned afi)
218{ 219{
219 int i; 220 int i;
220 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 221
221 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 222 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
222 BIO_printf(out, "%*s", indent, ""); 223 const IPAddressOrRange *aor =
223 switch (aor->type) { 224 sk_IPAddressOrRange_value(aors, i);
224 case IPAddressOrRange_addressPrefix: 225 BIO_printf(out, "%*s", indent, "");
225 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 226 switch (aor->type) {
226 return 0; 227 case IPAddressOrRange_addressPrefix:
227 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); 228 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
228 continue; 229 return 0;
229 case IPAddressOrRange_addressRange: 230 BIO_printf(out, "/%d\n",
230 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) 231 addr_prefixlen(aor->u.addressPrefix));
231 return 0; 232 continue;
232 BIO_puts(out, "-"); 233 case IPAddressOrRange_addressRange:
233 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) 234 if (!i2r_address(out, afi, 0x00,
234 return 0; 235 aor->u.addressRange->min))
235 BIO_puts(out, "\n"); 236 return 0;
236 continue; 237 BIO_puts(out, "-");
237 } 238 if (!i2r_address(out, afi, 0xFF,
238 } 239 aor->u.addressRange->max))
239 return 1; 240 return 0;
241 BIO_puts(out, "\n");
242 continue;
243 }
244 }
245 return 1;
240} 246}
241 247
242/* 248/*
243 * i2r handler for an IPAddrBlocks extension. 249 * i2r handler for an IPAddrBlocks extension.
244 */ 250 */
245static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, 251static int
246 void *ext, 252i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
247 BIO *out, 253 int indent)
248 int indent)
249{ 254{
250 const IPAddrBlocks *addr = ext; 255 const IPAddrBlocks *addr = ext;
251 int i; 256 int i;
252 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 257
253 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 258 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
254 const unsigned int afi = v3_addr_get_afi(f); 259 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
255 switch (afi) { 260 const unsigned int afi = v3_addr_get_afi(f);
256 case IANA_AFI_IPV4: 261 switch (afi) {
257 BIO_printf(out, "%*sIPv4", indent, ""); 262 case IANA_AFI_IPV4:
258 break; 263 BIO_printf(out, "%*sIPv4", indent, "");
259 case IANA_AFI_IPV6: 264 break;
260 BIO_printf(out, "%*sIPv6", indent, ""); 265 case IANA_AFI_IPV6:
261 break; 266 BIO_printf(out, "%*sIPv6", indent, "");
262 default: 267 break;
263 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 268 default:
264 break; 269 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
265 } 270 break;
266 if (f->addressFamily->length > 2) { 271 }
267 switch (f->addressFamily->data[2]) { 272 if (f->addressFamily->length > 2) {
268 case 1: 273 switch (f->addressFamily->data[2]) {
269 BIO_puts(out, " (Unicast)"); 274 case 1:
270 break; 275 BIO_puts(out, " (Unicast)");
271 case 2: 276 break;
272 BIO_puts(out, " (Multicast)"); 277 case 2:
273 break; 278 BIO_puts(out, " (Multicast)");
274 case 3: 279 break;
275 BIO_puts(out, " (Unicast/Multicast)"); 280 case 3:
276 break; 281 BIO_puts(out, " (Unicast/Multicast)");
277 case 4: 282 break;
278 BIO_puts(out, " (MPLS)"); 283 case 4:
279 break; 284 BIO_puts(out, " (MPLS)");
280 case 64: 285 break;
281 BIO_puts(out, " (Tunnel)"); 286 case 64:
282 break; 287 BIO_puts(out, " (Tunnel)");
283 case 65: 288 break;
284 BIO_puts(out, " (VPLS)"); 289 case 65:
285 break; 290 BIO_puts(out, " (VPLS)");
286 case 66: 291 break;
287 BIO_puts(out, " (BGP MDT)"); 292 case 66:
288 break; 293 BIO_puts(out, " (BGP MDT)");
289 case 128: 294 break;
290 BIO_puts(out, " (MPLS-labeled VPN)"); 295 case 128:
291 break; 296 BIO_puts(out, " (MPLS-labeled VPN)");
292 default: 297 break;
293 BIO_printf(out, " (Unknown SAFI %u)", 298 default:
294 (unsigned) f->addressFamily->data[2]); 299 BIO_printf(out, " (Unknown SAFI %u)",
295 break; 300 (unsigned)f->addressFamily->data[2]);
296 } 301 break;
297 } 302 }
298 switch (f->ipAddressChoice->type) { 303 }
299 case IPAddressChoice_inherit: 304 switch (f->ipAddressChoice->type) {
300 BIO_puts(out, ": inherit\n"); 305 case IPAddressChoice_inherit:
301 break; 306 BIO_puts(out, ": inherit\n");
302 case IPAddressChoice_addressesOrRanges: 307 break;
303 BIO_puts(out, ":\n"); 308 case IPAddressChoice_addressesOrRanges:
304 if (!i2r_IPAddressOrRanges(out, 309 BIO_puts(out, ":\n");
305 indent + 2, 310 if (!i2r_IPAddressOrRanges(out, indent + 2,
306 f->ipAddressChoice->u.addressesOrRanges, 311 f->ipAddressChoice->u.addressesOrRanges, afi))
307 afi)) 312 return 0;
308 return 0; 313 break;
309 break; 314 }
310 } 315 }
311 } 316 return 1;
312 return 1;
313} 317}
314 318
315/* 319/*
@@ -322,134 +326,151 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
322 * function returns -1. If this messes up your preferred sort order 326 * function returns -1. If this messes up your preferred sort order
323 * for garbage input, tough noogies. 327 * for garbage input, tough noogies.
324 */ 328 */
325static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 329static int
326 const IPAddressOrRange *b, 330IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b,
327 const int length) 331 const int length)
328{ 332{
329 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 333 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
330 int prefixlen_a = 0, prefixlen_b = 0; 334 int prefixlen_a = 0, prefixlen_b = 0;
331 int r; 335 int r;
332 336
333 switch (a->type) { 337 switch (a->type) {
334 case IPAddressOrRange_addressPrefix: 338 case IPAddressOrRange_addressPrefix:
335 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 339 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
336 return -1; 340 return -1;
337 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 341 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
338 break; 342 break;
339 case IPAddressOrRange_addressRange: 343 case IPAddressOrRange_addressRange:
340 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 344 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
341 return -1; 345 return -1;
342 prefixlen_a = length * 8; 346 prefixlen_a = length * 8;
343 break; 347 break;
344 } 348 }
345 349
346 switch (b->type) { 350 switch (b->type) {
347 case IPAddressOrRange_addressPrefix: 351 case IPAddressOrRange_addressPrefix:
348 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 352 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
349 return -1; 353 return -1;
350 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 354 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
351 break; 355 break;
352 case IPAddressOrRange_addressRange: 356 case IPAddressOrRange_addressRange:
353 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 357 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
354 return -1; 358 return -1;
355 prefixlen_b = length * 8; 359 prefixlen_b = length * 8;
356 break; 360 break;
357 } 361 }
358 362
359 if ((r = memcmp(addr_a, addr_b, length)) != 0) 363 if ((r = memcmp(addr_a, addr_b, length)) != 0)
360 return r; 364 return r;
361 else 365 else
362 return prefixlen_a - prefixlen_b; 366 return prefixlen_a - prefixlen_b;
363} 367}
364 368
365/* 369/*
366 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 370 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
367 * comparision routines are only allowed two arguments. 371 * comparision routines are only allowed two arguments.
368 */ 372 */
369static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a, 373static int
370 const IPAddressOrRange * const *b) 374v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
375 const IPAddressOrRange * const *b)
371{ 376{
372 return IPAddressOrRange_cmp(*a, *b, 4); 377 return IPAddressOrRange_cmp(*a, *b, 4);
373} 378}
374 379
375/* 380/*
376 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 381 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
377 * comparision routines are only allowed two arguments. 382 * comparision routines are only allowed two arguments.
378 */ 383 */
379static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a, 384static int
380 const IPAddressOrRange * const *b) 385v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
386 const IPAddressOrRange * const *b)
381{ 387{
382 return IPAddressOrRange_cmp(*a, *b, 16); 388 return IPAddressOrRange_cmp(*a, *b, 16);
383} 389}
384 390
385/* 391/*
386 * Calculate whether a range collapses to a prefix. 392 * Calculate whether a range collapses to a prefix.
387 * See last paragraph of RFC 3779 2.2.3.7. 393 * See last paragraph of RFC 3779 2.2.3.7.
388 */ 394 */
389static int range_should_be_prefix(const unsigned char *min, 395static int
390 const unsigned char *max, 396range_should_be_prefix(const unsigned char *min, const unsigned char *max,
391 const int length) 397 const int length)
392{ 398{
393 unsigned char mask; 399 unsigned char mask;
394 int i, j; 400 int i, j;
395 401
396 OPENSSL_assert(memcmp(min, max, length) <= 0); 402 OPENSSL_assert(memcmp(min, max, length) <= 0);
397 for (i = 0; i < length && min[i] == max[i]; i++) 403 for (i = 0; i < length && min[i] == max[i]; i++)
398 ; 404 ;
399 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) 405 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
400 ; 406 ;
401 if (i < j) 407 if (i < j)
402 return -1; 408 return -1;
403 if (i > j) 409 if (i > j)
404 return i * 8; 410 return i * 8;
405 mask = min[i] ^ max[i]; 411 mask = min[i] ^ max[i];
406 switch (mask) { 412 switch (mask) {
407 case 0x01: j = 7; break; 413 case 0x01:
408 case 0x03: j = 6; break; 414 j = 7;
409 case 0x07: j = 5; break; 415 break;
410 case 0x0F: j = 4; break; 416 case 0x03:
411 case 0x1F: j = 3; break; 417 j = 6;
412 case 0x3F: j = 2; break; 418 break;
413 case 0x7F: j = 1; break; 419 case 0x07:
414 default: return -1; 420 j = 5;
415 } 421 break;
416 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 422 case 0x0F:
417 return -1; 423 j = 4;
418 else 424 break;
419 return i * 8 + j; 425 case 0x1F:
426 j = 3;
427 break;
428 case 0x3F:
429 j = 2;
430 break;
431 case 0x7F:
432 j = 1;
433 break;
434 default:
435 return -1;
436 }
437 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
438 return -1;
439 else
440 return i * 8 + j;
420} 441}
421 442
422/* 443/*
423 * Construct a prefix. 444 * Construct a prefix.
424 */ 445 */
425static int make_addressPrefix(IPAddressOrRange **result, 446static int
426 unsigned char *addr, 447make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
427 const int prefixlen) 448 const int prefixlen)
428{ 449{
429 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 450 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
430 IPAddressOrRange *aor = IPAddressOrRange_new(); 451 IPAddressOrRange *aor = IPAddressOrRange_new();
431 452
432 if (aor == NULL) 453 if (aor == NULL)
433 return 0; 454 return 0;
434 aor->type = IPAddressOrRange_addressPrefix; 455 aor->type = IPAddressOrRange_addressPrefix;
435 if (aor->u.addressPrefix == NULL && 456 if (aor->u.addressPrefix == NULL &&
436 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 457 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
437 goto err; 458 goto err;
438 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 459 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
439 goto err; 460 goto err;
440 aor->u.addressPrefix->flags &= ~7; 461 aor->u.addressPrefix->flags &= ~7;
441 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 462 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
442 if (bitlen > 0) { 463 if (bitlen > 0) {
443 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 464 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
444 aor->u.addressPrefix->flags |= 8 - bitlen; 465 aor->u.addressPrefix->flags |= 8 - bitlen;
445 } 466 }
446 467
447 *result = aor; 468 *result = aor;
448 return 1; 469 return 1;
449 470
450 err: 471err:
451 IPAddressOrRange_free(aor); 472 IPAddressOrRange_free(aor);
452 return 0; 473 return 0;
453} 474}
454 475
455/* 476/*
@@ -457,252 +478,251 @@ static int make_addressPrefix(IPAddressOrRange **result,
457 * return a prefix instead. Doing this here simplifies 478 * return a prefix instead. Doing this here simplifies
458 * the rest of the code considerably. 479 * the rest of the code considerably.
459 */ 480 */
460static int make_addressRange(IPAddressOrRange **result, 481static int
461 unsigned char *min, 482make_addressRange(IPAddressOrRange **result, unsigned char *min,
462 unsigned char *max, 483 unsigned char *max, const int length)
463 const int length)
464{ 484{
465 IPAddressOrRange *aor; 485 IPAddressOrRange *aor;
466 int i, prefixlen; 486 int i, prefixlen;
467 487
468 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 488 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
469 return make_addressPrefix(result, min, prefixlen); 489 return make_addressPrefix(result, min, prefixlen);
470 490
471 if ((aor = IPAddressOrRange_new()) == NULL) 491 if ((aor = IPAddressOrRange_new()) == NULL)
472 return 0; 492 return 0;
473 aor->type = IPAddressOrRange_addressRange; 493 aor->type = IPAddressOrRange_addressRange;
474 OPENSSL_assert(aor->u.addressRange == NULL); 494 OPENSSL_assert(aor->u.addressRange == NULL);
475 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 495 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
476 goto err; 496 goto err;
477 if (aor->u.addressRange->min == NULL && 497 if (aor->u.addressRange->min == NULL &&
478 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 498 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
479 goto err; 499 goto err;
480 if (aor->u.addressRange->max == NULL && 500 if (aor->u.addressRange->max == NULL &&
481 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 501 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
482 goto err; 502 goto err;
483 503
484 for (i = length; i > 0 && min[i - 1] == 0x00; --i) 504 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
485 ; 505 ;
486 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 506 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
487 goto err; 507 goto err;
488 aor->u.addressRange->min->flags &= ~7; 508 aor->u.addressRange->min->flags &= ~7;
489 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 509 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
490 if (i > 0) { 510 if (i > 0) {
491 unsigned char b = min[i - 1]; 511 unsigned char b = min[i - 1];
492 int j = 1; 512 int j = 1;
493 while ((b & (0xFFU >> j)) != 0) 513 while ((b & (0xFFU >> j)) != 0)
494 ++j; 514 ++j;
495 aor->u.addressRange->min->flags |= 8 - j; 515 aor->u.addressRange->min->flags |= 8 - j;
496 } 516 }
497 517
498 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) 518 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
499 ; 519 ;
500 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 520 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
501 goto err; 521 goto err;
502 aor->u.addressRange->max->flags &= ~7; 522 aor->u.addressRange->max->flags &= ~7;
503 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 523 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
504 if (i > 0) { 524 if (i > 0) {
505 unsigned char b = max[i - 1]; 525 unsigned char b = max[i - 1];
506 int j = 1; 526 int j = 1;
507 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 527 while ((b & (0xFFU >> j)) != (0xFFU >> j))
508 ++j; 528 ++j;
509 aor->u.addressRange->max->flags |= 8 - j; 529 aor->u.addressRange->max->flags |= 8 - j;
510 } 530 }
511 531
512 *result = aor; 532 *result = aor;
513 return 1; 533 return 1;
514 534
515 err: 535err:
516 IPAddressOrRange_free(aor); 536 IPAddressOrRange_free(aor);
517 return 0; 537 return 0;
518} 538}
519 539
520/* 540/*
521 * Construct a new address family or find an existing one. 541 * Construct a new address family or find an existing one.
522 */ 542 */
523static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 543static IPAddressFamily *
524 const unsigned afi, 544make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
525 const unsigned *safi) 545 const unsigned *safi)
526{ 546{
527 IPAddressFamily *f; 547 IPAddressFamily *f;
528 unsigned char key[3]; 548 unsigned char key[3];
529 unsigned keylen; 549 unsigned keylen;
530 int i; 550 int i;
531 551
532 key[0] = (afi >> 8) & 0xFF; 552 key[0] = (afi >> 8) & 0xFF;
533 key[1] = afi & 0xFF; 553 key[1] = afi & 0xFF;
534 if (safi != NULL) { 554 if (safi != NULL) {
535 key[2] = *safi & 0xFF; 555 key[2] = *safi & 0xFF;
536 keylen = 3; 556 keylen = 3;
537 } else { 557 } else {
538 keylen = 2; 558 keylen = 2;
539 } 559 }
540 560
541 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 561 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
542 f = sk_IPAddressFamily_value(addr, i); 562 f = sk_IPAddressFamily_value(addr, i);
543 OPENSSL_assert(f->addressFamily->data != NULL); 563 OPENSSL_assert(f->addressFamily->data != NULL);
544 if (f->addressFamily->length == keylen && 564 if (f->addressFamily->length == keylen &&
545 !memcmp(f->addressFamily->data, key, keylen)) 565 !memcmp(f->addressFamily->data, key, keylen))
546 return f; 566 return f;
547 } 567 }
548 568
549 if ((f = IPAddressFamily_new()) == NULL) 569 if ((f = IPAddressFamily_new()) == NULL)
550 goto err; 570 goto err;
551 if (f->ipAddressChoice == NULL && 571 if (f->ipAddressChoice == NULL &&
552 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 572 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
553 goto err; 573 goto err;
554 if (f->addressFamily == NULL && 574 if (f->addressFamily == NULL &&
555 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 575 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
556 goto err; 576 goto err;
557 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 577 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
558 goto err; 578 goto err;
559 if (!sk_IPAddressFamily_push(addr, f)) 579 if (!sk_IPAddressFamily_push(addr, f))
560 goto err; 580 goto err;
561 581
562 return f; 582 return f;
563 583
564 err: 584err:
565 IPAddressFamily_free(f); 585 IPAddressFamily_free(f);
566 return NULL; 586 return NULL;
567} 587}
568 588
569/* 589/*
570 * Add an inheritance element. 590 * Add an inheritance element.
571 */ 591 */
572int v3_addr_add_inherit(IPAddrBlocks *addr, 592int
573 const unsigned afi, 593v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
574 const unsigned *safi) 594 const unsigned *safi)
575{ 595{
576 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 596 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
577 if (f == NULL || 597
578 f->ipAddressChoice == NULL || 598 if (f == NULL ||
579 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 599 f->ipAddressChoice == NULL ||
580 f->ipAddressChoice->u.addressesOrRanges != NULL)) 600 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
581 return 0; 601 f->ipAddressChoice->u.addressesOrRanges != NULL))
582 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 602 return 0;
583 f->ipAddressChoice->u.inherit != NULL) 603 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
584 return 1; 604 f->ipAddressChoice->u.inherit != NULL)
585 if (f->ipAddressChoice->u.inherit == NULL && 605 return 1;
586 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 606 if (f->ipAddressChoice->u.inherit == NULL &&
587 return 0; 607 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
588 f->ipAddressChoice->type = IPAddressChoice_inherit; 608 return 0;
589 return 1; 609 f->ipAddressChoice->type = IPAddressChoice_inherit;
610 return 1;
590} 611}
591 612
592/* 613/*
593 * Construct an IPAddressOrRange sequence, or return an existing one. 614 * Construct an IPAddressOrRange sequence, or return an existing one.
594 */ 615 */
595static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, 616static IPAddressOrRanges *
596 const unsigned afi, 617make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
597 const unsigned *safi) 618 const unsigned *safi)
598{ 619{
599 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 620 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
600 IPAddressOrRanges *aors = NULL; 621 IPAddressOrRanges *aors = NULL;
601 622
602 if (f == NULL || 623 if (f == NULL ||
603 f->ipAddressChoice == NULL || 624 f->ipAddressChoice == NULL ||
604 (f->ipAddressChoice->type == IPAddressChoice_inherit && 625 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
605 f->ipAddressChoice->u.inherit != NULL)) 626 f->ipAddressChoice->u.inherit != NULL))
606 return NULL; 627 return NULL;
607 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 628 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
608 aors = f->ipAddressChoice->u.addressesOrRanges; 629 aors = f->ipAddressChoice->u.addressesOrRanges;
609 if (aors != NULL) 630 if (aors != NULL)
610 return aors; 631 return aors;
611 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 632 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
612 return NULL; 633 return NULL;
613 switch (afi) { 634 switch (afi) {
614 case IANA_AFI_IPV4: 635 case IANA_AFI_IPV4:
615 (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 636 (void) sk_IPAddressOrRange_set_cmp_func(aors,
616 break; 637 v4IPAddressOrRange_cmp);
617 case IANA_AFI_IPV6: 638 break;
618 (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 639 case IANA_AFI_IPV6:
619 break; 640 (void) sk_IPAddressOrRange_set_cmp_func(aors,
620 } 641 v6IPAddressOrRange_cmp);
621 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 642 break;
622 f->ipAddressChoice->u.addressesOrRanges = aors; 643 }
623 return aors; 644 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
645 f->ipAddressChoice->u.addressesOrRanges = aors;
646 return aors;
624} 647}
625 648
626/* 649/*
627 * Add a prefix. 650 * Add a prefix.
628 */ 651 */
629int v3_addr_add_prefix(IPAddrBlocks *addr, 652int
630 const unsigned afi, 653v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi,
631 const unsigned *safi, 654 const unsigned *safi, unsigned char *a, const int prefixlen)
632 unsigned char *a,
633 const int prefixlen)
634{ 655{
635 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 656 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
636 IPAddressOrRange *aor; 657 IPAddressOrRange *aor;
637 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 658
638 return 0; 659 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
639 if (sk_IPAddressOrRange_push(aors, aor)) 660 return 0;
640 return 1; 661 if (sk_IPAddressOrRange_push(aors, aor))
641 IPAddressOrRange_free(aor); 662 return 1;
642 return 0; 663 IPAddressOrRange_free(aor);
664 return 0;
643} 665}
644 666
645/* 667/*
646 * Add a range. 668 * Add a range.
647 */ 669 */
648int v3_addr_add_range(IPAddrBlocks *addr, 670int
649 const unsigned afi, 671v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, const unsigned *safi,
650 const unsigned *safi, 672 unsigned char *min, unsigned char *max)
651 unsigned char *min,
652 unsigned char *max)
653{ 673{
654 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 674 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
655 IPAddressOrRange *aor; 675 IPAddressOrRange *aor;
656 int length = length_from_afi(afi); 676 int length = length_from_afi(afi);
657 if (aors == NULL) 677
658 return 0; 678 if (aors == NULL)
659 if (!make_addressRange(&aor, min, max, length)) 679 return 0;
660 return 0; 680 if (!make_addressRange(&aor, min, max, length))
661 if (sk_IPAddressOrRange_push(aors, aor)) 681 return 0;
662 return 1; 682 if (sk_IPAddressOrRange_push(aors, aor))
663 IPAddressOrRange_free(aor); 683 return 1;
664 return 0; 684 IPAddressOrRange_free(aor);
685 return 0;
665} 686}
666 687
667/* 688/*
668 * Extract min and max values from an IPAddressOrRange. 689 * Extract min and max values from an IPAddressOrRange.
669 */ 690 */
670static int extract_min_max(IPAddressOrRange *aor, 691static int
671 unsigned char *min, 692extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max,
672 unsigned char *max, 693 int length)
673 int length)
674{ 694{
675 if (aor == NULL || min == NULL || max == NULL) 695 if (aor == NULL || min == NULL || max == NULL)
676 return 0; 696 return 0;
677 switch (aor->type) { 697 switch (aor->type) {
678 case IPAddressOrRange_addressPrefix: 698 case IPAddressOrRange_addressPrefix:
679 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 699 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
680 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 700 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
681 case IPAddressOrRange_addressRange: 701 case IPAddressOrRange_addressRange:
682 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && 702 return (
683 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 703 addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
684 } 704 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
685 return 0; 705 }
706 return 0;
686} 707}
687 708
688/* 709/*
689 * Public wrapper for extract_min_max(). 710 * Public wrapper for extract_min_max().
690 */ 711 */
691int v3_addr_get_range(IPAddressOrRange *aor, 712int
692 const unsigned afi, 713v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
693 unsigned char *min, 714 unsigned char *min, unsigned char *max, const int length)
694 unsigned char *max,
695 const int length)
696{ 715{
697 int afi_length = length_from_afi(afi); 716 int afi_length = length_from_afi(afi);
698 if (aor == NULL || min == NULL || max == NULL || 717
699 afi_length == 0 || length < afi_length || 718 if (aor == NULL || min == NULL || max == NULL ||
700 (aor->type != IPAddressOrRange_addressPrefix && 719 afi_length == 0 || length < afi_length ||
701 aor->type != IPAddressOrRange_addressRange) || 720 (aor->type != IPAddressOrRange_addressPrefix &&
702 !extract_min_max(aor, min, max, afi_length)) 721 aor->type != IPAddressOrRange_addressRange) ||
703 return 0; 722 !extract_min_max(aor, min, max, afi_length))
704 723 return 0;
705 return afi_length; 724
725 return afi_length;
706} 726}
707 727
708/* 728/*
@@ -715,480 +735,513 @@ int v3_addr_get_range(IPAddressOrRange *aor,
715 * null-SAFI rule to apply only within a single AFI, which is what I 735 * null-SAFI rule to apply only within a single AFI, which is what I
716 * would have expected and is what the following code implements. 736 * would have expected and is what the following code implements.
717 */ 737 */
718static int IPAddressFamily_cmp(const IPAddressFamily * const *a_, 738static int
719 const IPAddressFamily * const *b_) 739IPAddressFamily_cmp(const IPAddressFamily * const *a_,
740 const IPAddressFamily * const *b_)
720{ 741{
721 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 742 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
722 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 743 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
723 int len = ((a->length <= b->length) ? a->length : b->length); 744 int len = ((a->length <= b->length) ? a->length : b->length);
724 int cmp = memcmp(a->data, b->data, len); 745 int cmp = memcmp(a->data, b->data, len);
725 return cmp ? cmp : a->length - b->length; 746
747 return cmp ? cmp : a->length - b->length;
726} 748}
727 749
728/* 750/*
729 * Check whether an IPAddrBLocks is in canonical form. 751 * Check whether an IPAddrBLocks is in canonical form.
730 */ 752 */
731int v3_addr_is_canonical(IPAddrBlocks *addr) 753int
754v3_addr_is_canonical(IPAddrBlocks *addr)
732{ 755{
733 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 756 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
734 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 757 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
735 IPAddressOrRanges *aors; 758 IPAddressOrRanges *aors;
736 int i, j, k; 759 int i, j, k;
737 760
738 /* 761 /*
739 * Empty extension is cannonical. 762 * Empty extension is cannonical.
740 */ 763 */
741 if (addr == NULL) 764 if (addr == NULL)
742 return 1; 765 return 1;
743 766
744 /* 767 /*
745 * Check whether the top-level list is in order. 768 * Check whether the top-level list is in order.
746 */ 769 */
747 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 770 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
748 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 771 const IPAddressFamily *a =
749 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 772 sk_IPAddressFamily_value(addr, i);
750 if (IPAddressFamily_cmp(&a, &b) >= 0) 773 const IPAddressFamily *b =
751 return 0; 774 sk_IPAddressFamily_value(addr, i + 1);
752 } 775 if (IPAddressFamily_cmp(&a, &b) >= 0)
753 776 return 0;
754 /* 777 }
755 * Top level's ok, now check each address family.
756 */
757 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
758 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
759 int length = length_from_afi(v3_addr_get_afi(f));
760
761 /*
762 * Inheritance is canonical. Anything other than inheritance or
763 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
764 */
765 if (f == NULL || f->ipAddressChoice == NULL)
766 return 0;
767 switch (f->ipAddressChoice->type) {
768 case IPAddressChoice_inherit:
769 continue;
770 case IPAddressChoice_addressesOrRanges:
771 break;
772 default:
773 return 0;
774 }
775
776 /*
777 * It's an IPAddressOrRanges sequence, check it.
778 */
779 aors = f->ipAddressChoice->u.addressesOrRanges;
780 if (sk_IPAddressOrRange_num(aors) == 0)
781 return 0;
782 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
783 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
784 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
785
786 if (!extract_min_max(a, a_min, a_max, length) ||
787 !extract_min_max(b, b_min, b_max, length))
788 return 0;
789
790 /*
791 * Punt misordered list, overlapping start, or inverted range.
792 */
793 if (memcmp(a_min, b_min, length) >= 0 ||
794 memcmp(a_min, a_max, length) > 0 ||
795 memcmp(b_min, b_max, length) > 0)
796 return 0;
797 778
798 /* 779 /*
799 * Punt if adjacent or overlapping. Check for adjacency by 780 * Top level's ok, now check each address family.
800 * subtracting one from b_min first. 781 */
801 */ 782 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
802 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) 783 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
803 ; 784 int length = length_from_afi(v3_addr_get_afi(f));
804 if (memcmp(a_max, b_min, length) >= 0) 785
805 return 0; 786 /*
787 * Inheritance is canonical. Anything other than inheritance or
788 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
789 */
790 if (f == NULL || f->ipAddressChoice == NULL)
791 return 0;
792 switch (f->ipAddressChoice->type) {
793 case IPAddressChoice_inherit:
794 continue;
795 case IPAddressChoice_addressesOrRanges:
796 break;
797 default:
798 return 0;
799 }
800
801 /*
802 * It's an IPAddressOrRanges sequence, check it.
803 */
804 aors = f->ipAddressChoice->u.addressesOrRanges;
805 if (sk_IPAddressOrRange_num(aors) == 0)
806 return 0;
807 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
808 IPAddressOrRange *a =
809 sk_IPAddressOrRange_value(aors, j);
810 IPAddressOrRange *b =
811 sk_IPAddressOrRange_value(aors, j + 1);
812
813 if (!extract_min_max(a, a_min, a_max, length) ||
814 !extract_min_max(b, b_min, b_max, length))
815 return 0;
816
817 /*
818 * Punt misordered list, overlapping start, or inverted range.
819 */
820 if (memcmp(a_min, b_min, length) >= 0 ||
821 memcmp(a_min, a_max, length) > 0 ||
822 memcmp(b_min, b_max, length) > 0)
823 return 0;
824
825 /*
826 * Punt if adjacent or overlapping. Check for adjacency by
827 * subtracting one from b_min first.
828 */
829 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
830 ;
831 if (memcmp(a_max, b_min, length) >= 0)
832 return 0;
833
834 /*
835 * Check for range that should be expressed as a prefix.
836 */
837 if (a->type == IPAddressOrRange_addressRange &&
838 range_should_be_prefix(a_min, a_max, length) >= 0)
839 return 0;
840 }
841
842 /*
843 * Check range to see if it's inverted or should be a
844 * prefix.
845 */
846 j = sk_IPAddressOrRange_num(aors) - 1;
847 {
848 IPAddressOrRange *a =
849 sk_IPAddressOrRange_value(aors, j);
850 if (a != NULL &&
851 a->type == IPAddressOrRange_addressRange) {
852 if (!extract_min_max(a, a_min, a_max, length))
853 return 0;
854 if (memcmp(a_min, a_max, length) > 0 ||
855 range_should_be_prefix(a_min, a_max,
856 length) >= 0)
857 return 0;
858 }
859 }
860 }
806 861
807 /* 862 /*
808 * Check for range that should be expressed as a prefix. 863 * If we made it through all that, we're happy.
809 */ 864 */
810 if (a->type == IPAddressOrRange_addressRange && 865 return 1;
811 range_should_be_prefix(a_min, a_max, length) >= 0)
812 return 0;
813 }
814
815 /*
816 * Check range to see if it's inverted or should be a
817 * prefix.
818 */
819 j = sk_IPAddressOrRange_num(aors) - 1;
820 {
821 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
822 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
823 if (!extract_min_max(a, a_min, a_max, length))
824 return 0;
825 if (memcmp(a_min, a_max, length) > 0 ||
826 range_should_be_prefix(a_min, a_max, length) >= 0)
827 return 0;
828 }
829 }
830 }
831
832 /*
833 * If we made it through all that, we're happy.
834 */
835 return 1;
836} 866}
837 867
838/* 868/*
839 * Whack an IPAddressOrRanges into canonical form. 869 * Whack an IPAddressOrRanges into canonical form.
840 */ 870 */
841static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, 871static int
842 const unsigned afi) 872IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
843{ 873{
844 int i, j, length = length_from_afi(afi); 874 int i, j, length = length_from_afi(afi);
845 875
846 /* 876 /*
847 * Sort the IPAddressOrRanges sequence. 877 * Sort the IPAddressOrRanges sequence.
848 */ 878 */
849 sk_IPAddressOrRange_sort(aors); 879 sk_IPAddressOrRange_sort(aors);
850 880
851 /* 881 /*
852 * Clean up representation issues, punt on duplicates or overlaps. 882 * Clean up representation issues, punt on duplicates or overlaps.
853 */ 883 */
854 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 884 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
855 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 885 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
856 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 886 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
857 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 887 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
858 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 888 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
859 889
860 if (!extract_min_max(a, a_min, a_max, length) || 890 if (!extract_min_max(a, a_min, a_max, length) ||
861 !extract_min_max(b, b_min, b_max, length)) 891 !extract_min_max(b, b_min, b_max, length))
862 return 0; 892 return 0;
863 893
864 /* 894 /*
865 * Punt inverted ranges. 895 * Punt inverted ranges.
866 */ 896 */
867 if (memcmp(a_min, a_max, length) > 0 || 897 if (memcmp(a_min, a_max, length) > 0 ||
868 memcmp(b_min, b_max, length) > 0) 898 memcmp(b_min, b_max, length) > 0)
869 return 0; 899 return 0;
870 900
871 /* 901 /*
872 * Punt overlaps. 902 * Punt overlaps.
873 */ 903 */
874 if (memcmp(a_max, b_min, length) >= 0) 904 if (memcmp(a_max, b_min, length) >= 0)
875 return 0; 905 return 0;
876 906
877 /* 907 /*
878 * Merge if a and b are adjacent. We check for 908 * Merge if a and b are adjacent. We check for
879 * adjacency by subtracting one from b_min first. 909 * adjacency by subtracting one from b_min first.
880 */ 910 */
881 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) 911 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
882 ; 912 ;
883 if (memcmp(a_max, b_min, length) == 0) { 913 if (memcmp(a_max, b_min, length) == 0) {
884 IPAddressOrRange *merged; 914 IPAddressOrRange *merged;
885 if (!make_addressRange(&merged, a_min, b_max, length)) 915 if (!make_addressRange(&merged, a_min, b_max, length))
886 return 0; 916 return 0;
887 (void) sk_IPAddressOrRange_set(aors, i, merged); 917 (void) sk_IPAddressOrRange_set(aors, i, merged);
888 (void) sk_IPAddressOrRange_delete(aors, i + 1); 918 (void) sk_IPAddressOrRange_delete(aors, i + 1);
889 IPAddressOrRange_free(a); 919 IPAddressOrRange_free(a);
890 IPAddressOrRange_free(b); 920 IPAddressOrRange_free(b);
891 --i; 921 --i;
892 continue; 922 continue;
893 } 923 }
894 } 924 }
895 925
896 /* 926 /*
897 * Check for inverted final range. 927 * Check for inverted final range.
898 */ 928 */
899 j = sk_IPAddressOrRange_num(aors) - 1; 929 j = sk_IPAddressOrRange_num(aors) - 1;
900 { 930 {
901 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 931 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
902 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 932 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
903 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 933 unsigned char a_min[ADDR_RAW_BUF_LEN],
904 extract_min_max(a, a_min, a_max, length); 934 a_max[ADDR_RAW_BUF_LEN];
905 if (memcmp(a_min, a_max, length) > 0) 935 extract_min_max(a, a_min, a_max, length);
906 return 0; 936 if (memcmp(a_min, a_max, length) > 0)
907 } 937 return 0;
908 } 938 }
939 }
909 940
910 return 1; 941 return 1;
911} 942}
912 943
913/* 944/*
914 * Whack an IPAddrBlocks extension into canonical form. 945 * Whack an IPAddrBlocks extension into canonical form.
915 */ 946 */
916int v3_addr_canonize(IPAddrBlocks *addr) 947int
948v3_addr_canonize(IPAddrBlocks *addr)
917{ 949{
918 int i; 950 int i;
919 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 951 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
920 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 952 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
921 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 953 if (f->ipAddressChoice->type ==
922 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, 954 IPAddressChoice_addressesOrRanges &&
923 v3_addr_get_afi(f))) 955 !IPAddressOrRanges_canonize(
924 return 0; 956 f->ipAddressChoice->u.addressesOrRanges,
925 } 957 v3_addr_get_afi(f)))
926 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 958 return 0;
927 sk_IPAddressFamily_sort(addr); 959 }
928 OPENSSL_assert(v3_addr_is_canonical(addr)); 960 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
929 return 1; 961 sk_IPAddressFamily_sort(addr);
962 OPENSSL_assert(v3_addr_is_canonical(addr));
963 return 1;
930} 964}
931 965
932/* 966/*
933 * v2i handler for the IPAddrBlocks extension. 967 * v2i handler for the IPAddrBlocks extension.
934 */ 968 */
935static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, 969static void *
936 struct v3_ext_ctx *ctx, 970v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
937 STACK_OF(CONF_VALUE) *values) 971 STACK_OF(CONF_VALUE) *values)
938{ 972{
939 static const char v4addr_chars[] = "0123456789."; 973 static const char v4addr_chars[] = "0123456789.";
940 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 974 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
941 IPAddrBlocks *addr = NULL; 975 IPAddrBlocks *addr = NULL;
942 char *s = NULL, *t; 976 char *s = NULL, *t;
943 int i; 977 int i;
944 978
945 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 979 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
946 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 980 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
947 return NULL; 981 return NULL;
948 } 982 }
949 983
950 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 984 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
951 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 985 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
952 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 986 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
953 unsigned afi, *safi = NULL, safi_; 987 unsigned afi, *safi = NULL, safi_;
954 const char *addr_chars; 988 const char *addr_chars;
955 int prefixlen, i1, i2, delim, length; 989 int prefixlen, i1, i2, delim, length;
956 990
957 if ( !name_cmp(val->name, "IPv4")) { 991 if (!name_cmp(val->name, "IPv4")) {
958 afi = IANA_AFI_IPV4; 992 afi = IANA_AFI_IPV4;
959 } else if (!name_cmp(val->name, "IPv6")) { 993 } else if (!name_cmp(val->name, "IPv6")) {
960 afi = IANA_AFI_IPV6; 994 afi = IANA_AFI_IPV6;
961 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 995 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
962 afi = IANA_AFI_IPV4; 996 afi = IANA_AFI_IPV4;
963 safi = &safi_; 997 safi = &safi_;
964 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 998 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
965 afi = IANA_AFI_IPV6; 999 afi = IANA_AFI_IPV6;
966 safi = &safi_; 1000 safi = &safi_;
967 } else { 1001 } else {
968 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR); 1002 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
969 X509V3_conf_err(val); 1003 X509V3_R_EXTENSION_NAME_ERROR);
970 goto err; 1004 X509V3_conf_err(val);
971 } 1005 goto err;
972 1006 }
973 switch (afi) { 1007
974 case IANA_AFI_IPV4: 1008 switch (afi) {
975 addr_chars = v4addr_chars; 1009 case IANA_AFI_IPV4:
976 break; 1010 addr_chars = v4addr_chars;
977 case IANA_AFI_IPV6: 1011 break;
978 addr_chars = v6addr_chars; 1012 case IANA_AFI_IPV6:
979 break; 1013 addr_chars = v6addr_chars;
980 } 1014 break;
981 1015 }
982 length = length_from_afi(afi); 1016
983 1017 length = length_from_afi(afi);
984 /* 1018
985 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate 1019 /*
986 * the other input values. 1020 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
987 */ 1021 * the other input values.
988 if (safi != NULL) { 1022 */
989 *safi = strtoul(val->value, &t, 0); 1023 if (safi != NULL) {
990 t += strspn(t, " \t"); 1024 *safi = strtoul(val->value, &t, 0);
991 if (*safi > 0xFF || *t++ != ':') { 1025 t += strspn(t, " \t");
992 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); 1026 if (*safi > 0xFF || *t++ != ':') {
993 X509V3_conf_err(val); 1027 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
994 goto err; 1028 X509V3_R_INVALID_SAFI);
995 } 1029 X509V3_conf_err(val);
996 t += strspn(t, " \t"); 1030 goto err;
997 s = BUF_strdup(t); 1031 }
998 } else { 1032 t += strspn(t, " \t");
999 s = BUF_strdup(val->value); 1033 s = BUF_strdup(t);
1000 } 1034 } else {
1001 if (s == NULL) { 1035 s = BUF_strdup(val->value);
1002 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1036 }
1003 goto err; 1037 if (s == NULL) {
1004 } 1038 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1005 1039 ERR_R_MALLOC_FAILURE);
1006 /* 1040 goto err;
1007 * Check for inheritance. Not worth additional complexity to 1041 }
1008 * optimize this (seldom-used) case. 1042
1009 */ 1043 /*
1010 if (!strcmp(s, "inherit")) { 1044 * Check for inheritance. Not worth additional complexity to
1011 if (!v3_addr_add_inherit(addr, afi, safi)) { 1045 * optimize this (seldom-used) case.
1012 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE); 1046 */
1013 X509V3_conf_err(val); 1047 if (!strcmp(s, "inherit")) {
1014 goto err; 1048 if (!v3_addr_add_inherit(addr, afi, safi)) {
1015 } 1049 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1016 free(s); 1050 X509V3_R_INVALID_INHERITANCE);
1017 s = NULL; 1051 X509V3_conf_err(val);
1018 continue; 1052 goto err;
1019 } 1053 }
1020 1054 free(s);
1021 i1 = strspn(s, addr_chars); 1055 s = NULL;
1022 i2 = i1 + strspn(s + i1, " \t"); 1056 continue;
1023 delim = s[i2++]; 1057 }
1024 s[i1] = '\0'; 1058
1025 1059 i1 = strspn(s, addr_chars);
1026 if (a2i_ipadd(min, s) != length) { 1060 i2 = i1 + strspn(s + i1, " \t");
1027 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); 1061 delim = s[i2++];
1028 X509V3_conf_err(val); 1062 s[i1] = '\0';
1029 goto err; 1063
1030 } 1064 if (a2i_ipadd(min, s) != length) {
1031 1065 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1032 switch (delim) { 1066 X509V3_R_INVALID_IPADDRESS);
1033 case '/': 1067 X509V3_conf_err(val);
1034 prefixlen = (int) strtoul(s + i2, &t, 10); 1068 goto err;
1035 if (t == s + i2 || *t != '\0') { 1069 }
1036 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1070
1037 X509V3_conf_err(val); 1071 switch (delim) {
1038 goto err; 1072 case '/':
1039 } 1073 prefixlen = (int) strtoul(s + i2, &t, 10);
1040 if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { 1074 if (t == s + i2 || *t != '\0') {
1041 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1075 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1042 goto err; 1076 X509V3_R_EXTENSION_VALUE_ERROR);
1043 } 1077 X509V3_conf_err(val);
1044 break; 1078 goto err;
1045 case '-': 1079 }
1046 i1 = i2 + strspn(s + i2, " \t"); 1080 if (!v3_addr_add_prefix(addr, afi, safi, min,
1047 i2 = i1 + strspn(s + i1, addr_chars); 1081 prefixlen)) {
1048 if (i1 == i2 || s[i2] != '\0') { 1082 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1049 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1083 ERR_R_MALLOC_FAILURE);
1050 X509V3_conf_err(val); 1084 goto err;
1051 goto err; 1085 }
1052 } 1086 break;
1053 if (a2i_ipadd(max, s + i1) != length) { 1087 case '-':
1054 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); 1088 i1 = i2 + strspn(s + i2, " \t");
1055 X509V3_conf_err(val); 1089 i2 = i1 + strspn(s + i1, addr_chars);
1056 goto err; 1090 if (i1 == i2 || s[i2] != '\0') {
1057 } 1091 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1058 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1092 X509V3_R_EXTENSION_VALUE_ERROR);
1059 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1093 X509V3_conf_err(val);
1060 X509V3_conf_err(val); 1094 goto err;
1061 goto err; 1095 }
1062 } 1096 if (a2i_ipadd(max, s + i1) != length) {
1063 if (!v3_addr_add_range(addr, afi, safi, min, max)) { 1097 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1064 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1098 X509V3_R_INVALID_IPADDRESS);
1065 goto err; 1099 X509V3_conf_err(val);
1066 } 1100 goto err;
1067 break; 1101 }
1068 case '\0': 1102 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1069 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { 1103 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1070 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1104 X509V3_R_EXTENSION_VALUE_ERROR);
1071 goto err; 1105 X509V3_conf_err(val);
1072 } 1106 goto err;
1073 break; 1107 }
1074 default: 1108 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1075 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1109 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1076 X509V3_conf_err(val); 1110 ERR_R_MALLOC_FAILURE);
1077 goto err; 1111 goto err;
1078 } 1112 }
1079 1113 break;
1080 free(s); 1114 case '\0':
1081 s = NULL; 1115 if (!v3_addr_add_prefix(addr, afi, safi, min,
1082 } 1116 length * 8)) {
1083 1117 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1084 /* 1118 ERR_R_MALLOC_FAILURE);
1085 * Canonize the result, then we're done. 1119 goto err;
1086 */ 1120 }
1087 if (!v3_addr_canonize(addr)) 1121 break;
1088 goto err; 1122 default:
1089 return addr; 1123 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1090 1124 X509V3_R_EXTENSION_VALUE_ERROR);
1091 err: 1125 X509V3_conf_err(val);
1092 free(s); 1126 goto err;
1093 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1127 }
1094 return NULL; 1128
1129 free(s);
1130 s = NULL;
1131 }
1132
1133 /*
1134 * Canonize the result, then we're done.
1135 */
1136 if (!v3_addr_canonize(addr))
1137 goto err;
1138 return addr;
1139
1140err:
1141 free(s);
1142 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1143 return NULL;
1095} 1144}
1096 1145
1097/* 1146/*
1098 * OpenSSL dispatch 1147 * OpenSSL dispatch
1099 */ 1148 */
1100const X509V3_EXT_METHOD v3_addr = { 1149const X509V3_EXT_METHOD v3_addr = {
1101 NID_sbgp_ipAddrBlock, /* nid */ 1150 NID_sbgp_ipAddrBlock, /* nid */
1102 0, /* flags */ 1151 0, /* flags */
1103 ASN1_ITEM_ref(IPAddrBlocks), /* template */ 1152 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1104 0, 0, 0, 0, /* old functions, ignored */ 1153 0, 0, 0, 0, /* old functions, ignored */
1105 0, /* i2s */ 1154 0, /* i2s */
1106 0, /* s2i */ 1155 0, /* s2i */
1107 0, /* i2v */ 1156 0, /* i2v */
1108 v2i_IPAddrBlocks, /* v2i */ 1157 v2i_IPAddrBlocks, /* v2i */
1109 i2r_IPAddrBlocks, /* i2r */ 1158 i2r_IPAddrBlocks, /* i2r */
1110 0, /* r2i */ 1159 0, /* r2i */
1111 NULL /* extension-specific data */ 1160 NULL /* extension-specific data */
1112}; 1161};
1113 1162
1114/* 1163/*
1115 * Figure out whether extension sues inheritance. 1164 * Figure out whether extension sues inheritance.
1116 */ 1165 */
1117int v3_addr_inherits(IPAddrBlocks *addr) 1166int
1167v3_addr_inherits(IPAddrBlocks *addr)
1118{ 1168{
1119 int i; 1169 int i;
1120 if (addr == NULL) 1170
1121 return 0; 1171 if (addr == NULL)
1122 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1172 return 0;
1123 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1173 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1124 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1174 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1125 return 1; 1175 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1126 } 1176 return 1;
1127 return 0; 1177 }
1178 return 0;
1128} 1179}
1129 1180
1130/* 1181/*
1131 * Figure out whether parent contains child. 1182 * Figure out whether parent contains child.
1132 */ 1183 */
1133static int addr_contains(IPAddressOrRanges *parent, 1184static int
1134 IPAddressOrRanges *child, 1185addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
1135 int length)
1136{ 1186{
1137 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1187 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1138 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1188 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1139 int p, c; 1189 int p, c;
1140 1190
1141 if (child == NULL || parent == child) 1191 if (child == NULL || parent == child)
1142 return 1; 1192 return 1;
1143 if (parent == NULL) 1193 if (parent == NULL)
1144 return 0; 1194 return 0;
1145 1195
1146 p = 0; 1196 p = 0;
1147 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1197 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1148 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1198 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1149 c_min, c_max, length)) 1199 c_min, c_max, length))
1150 return -1; 1200 return -1;
1151 for (;; p++) { 1201 for (; ; p++) {
1152 if (p >= sk_IPAddressOrRange_num(parent)) 1202 if (p >= sk_IPAddressOrRange_num(parent))
1153 return 0; 1203 return 0;
1154 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), 1204 if (!extract_min_max(
1155 p_min, p_max, length)) 1205 sk_IPAddressOrRange_value(parent, p),
1156 return 0; 1206 p_min, p_max, length))
1157 if (memcmp(p_max, c_max, length) < 0) 1207 return 0;
1158 continue; 1208 if (memcmp(p_max, c_max, length) < 0)
1159 if (memcmp(p_min, c_min, length) > 0) 1209 continue;
1160 return 0; 1210 if (memcmp(p_min, c_min, length) > 0)
1161 break; 1211 return 0;
1162 } 1212 break;
1163 } 1213 }
1214 }
1164 1215
1165 return 1; 1216 return 1;
1166} 1217}
1167 1218
1168/* 1219/*
1169 * Test whether a is a subset of b. 1220 * Test whether a is a subset of b.
1170 */ 1221 */
1171int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1222int
1223v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1172{ 1224{
1173 int i; 1225 int i;
1174 if (a == NULL || a == b) 1226
1175 return 1; 1227 if (a == NULL || a == b)
1176 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) 1228 return 1;
1177 return 0; 1229 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1178 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1230 return 0;
1179 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1231 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1180 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1232 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1181 int j = sk_IPAddressFamily_find(b, fa); 1233 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1182 IPAddressFamily *fb; 1234 int j = sk_IPAddressFamily_find(b, fa);
1183 fb = sk_IPAddressFamily_value(b, j); 1235 IPAddressFamily *fb;
1184 if (fb == NULL) 1236 fb = sk_IPAddressFamily_value(b, j);
1185 return 0; 1237 if (fb == NULL)
1186 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1238 return 0;
1187 fa->ipAddressChoice->u.addressesOrRanges, 1239 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1188 length_from_afi(v3_addr_get_afi(fb)))) 1240 fa->ipAddressChoice->u.addressesOrRanges,
1189 return 0; 1241 length_from_afi(v3_addr_get_afi(fb))))
1190 } 1242 return 0;
1191 return 1; 1243 }
1244 return 1;
1192} 1245}
1193 1246
1194/* 1247/*
@@ -1211,101 +1264,115 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1211/* 1264/*
1212 * Core code for RFC 3779 2.3 path validation. 1265 * Core code for RFC 3779 2.3 path validation.
1213 */ 1266 */
1214static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, 1267static int
1215 STACK_OF(X509) *chain, 1268v3_addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
1216 IPAddrBlocks *ext) 1269 IPAddrBlocks *ext)
1217{ 1270{
1218 IPAddrBlocks *child = NULL; 1271 IPAddrBlocks *child = NULL;
1219 int i, j, ret = 1; 1272 int i, j, ret = 1;
1220 X509 *x; 1273 X509 *x;
1221 1274
1222 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1275 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1223 OPENSSL_assert(ctx != NULL || ext != NULL); 1276 OPENSSL_assert(ctx != NULL || ext != NULL);
1224 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1277 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1225 1278
1226 /* 1279 /*
1227 * Figure out where to start. If we don't have an extension to 1280 * Figure out where to start. If we don't have an extension to
1228 * check, we're done. Otherwise, check canonical form and 1281 * check, we're done. Otherwise, check canonical form and
1229 * set up for walking up the chain. 1282 * set up for walking up the chain.
1230 */ 1283 */
1231 if (ext != NULL) { 1284 if (ext != NULL) {
1232 i = -1; 1285 i = -1;
1233 x = NULL; 1286 x = NULL;
1234 } else { 1287 } else {
1235 i = 0; 1288 i = 0;
1236 x = sk_X509_value(chain, i); 1289 x = sk_X509_value(chain, i);
1237 OPENSSL_assert(x != NULL); 1290 OPENSSL_assert(x != NULL);
1238 if ((ext = x->rfc3779_addr) == NULL) 1291 if ((ext = x->rfc3779_addr) == NULL)
1239 goto done; 1292 goto done;
1240 }
1241 if (!v3_addr_is_canonical(ext))
1242 validation_err(X509_V_ERR_INVALID_EXTENSION);
1243 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1244 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1245 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
1246 ret = 0;
1247 goto done;
1248 }
1249
1250 /*
1251 * Now walk up the chain. No cert may list resources that its
1252 * parent doesn't list.
1253 */
1254 for (i++; i < sk_X509_num(chain); i++) {
1255 x = sk_X509_value(chain, i);
1256 OPENSSL_assert(x != NULL);
1257 if (!v3_addr_is_canonical(x->rfc3779_addr))
1258 validation_err(X509_V_ERR_INVALID_EXTENSION);
1259 if (x->rfc3779_addr == NULL) {
1260 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1261 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1262 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1263 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1264 break;
1265 } 1293 }
1266 } 1294 if (!v3_addr_is_canonical(ext))
1267 continue; 1295 validation_err(X509_V_ERR_INVALID_EXTENSION);
1268 } 1296 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1269 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); 1297 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1270 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1298 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL,
1271 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1299 ERR_R_MALLOC_FAILURE);
1272 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1300 ret = 0;
1273 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); 1301 goto done;
1274 if (fp == NULL) {
1275 if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1276 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1277 break;
1278 } 1302 }
1279 continue; 1303
1280 } 1304 /*
1281 if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { 1305 * Now walk up the chain. No cert may list resources that its
1282 if (fc->ipAddressChoice->type == IPAddressChoice_inherit || 1306 * parent doesn't list.
1283 addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1307 */
1284 fc->ipAddressChoice->u.addressesOrRanges, 1308 for (i++; i < sk_X509_num(chain); i++) {
1285 length_from_afi(v3_addr_get_afi(fc)))) 1309 x = sk_X509_value(chain, i);
1286 sk_IPAddressFamily_set(child, j, fp); 1310 OPENSSL_assert(x != NULL);
1287 else 1311 if (!v3_addr_is_canonical(x->rfc3779_addr))
1288 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1312 validation_err(X509_V_ERR_INVALID_EXTENSION);
1289 } 1313 if (x->rfc3779_addr == NULL) {
1290 } 1314 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1291 } 1315 IPAddressFamily *fc =
1292 1316 sk_IPAddressFamily_value(child, j);
1293 /* 1317 if (fc->ipAddressChoice->type !=
1294 * Trust anchor can't inherit. 1318 IPAddressChoice_inherit) {
1295 */ 1319 validation_err(
1296 OPENSSL_assert(x != NULL); 1320 X509_V_ERR_UNNESTED_RESOURCE);
1297 if (x->rfc3779_addr != NULL) { 1321 break;
1298 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1322 }
1299 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); 1323 }
1300 if (fp->ipAddressChoice->type == IPAddressChoice_inherit && 1324 continue;
1301 sk_IPAddressFamily_find(child, fp) >= 0) 1325 }
1302 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1326 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1303 } 1327 IPAddressFamily_cmp);
1304 } 1328 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1305 1329 IPAddressFamily *fc =
1306 done: 1330 sk_IPAddressFamily_value(child, j);
1307 sk_IPAddressFamily_free(child); 1331 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1308 return ret; 1332 IPAddressFamily *fp =
1333 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1334 if (fp == NULL) {
1335 if (fc->ipAddressChoice->type ==
1336 IPAddressChoice_addressesOrRanges) {
1337 validation_err(
1338 X509_V_ERR_UNNESTED_RESOURCE);
1339 break;
1340 }
1341 continue;
1342 }
1343 if (fp->ipAddressChoice->type ==
1344 IPAddressChoice_addressesOrRanges) {
1345 if (fc->ipAddressChoice->type ==
1346 IPAddressChoice_inherit || addr_contains(
1347 fp->ipAddressChoice->u.addressesOrRanges,
1348 fc->ipAddressChoice->u.addressesOrRanges,
1349 length_from_afi(v3_addr_get_afi(fc))))
1350 sk_IPAddressFamily_set(child, j, fp);
1351 else
1352 validation_err(
1353 X509_V_ERR_UNNESTED_RESOURCE);
1354 }
1355 }
1356 }
1357
1358 /*
1359 * Trust anchor can't inherit.
1360 */
1361 OPENSSL_assert(x != NULL);
1362 if (x->rfc3779_addr != NULL) {
1363 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1364 IPAddressFamily *fp =
1365 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1366 if (fp->ipAddressChoice->type ==
1367 IPAddressChoice_inherit &&
1368 sk_IPAddressFamily_find(child, fp) >= 0)
1369 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1370 }
1371 }
1372
1373done:
1374 sk_IPAddressFamily_free(child);
1375 return ret;
1309} 1376}
1310 1377
1311#undef validation_err 1378#undef validation_err
@@ -1313,26 +1380,27 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1313/* 1380/*
1314 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1381 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1315 */ 1382 */
1316int v3_addr_validate_path(X509_STORE_CTX *ctx) 1383int
1384v3_addr_validate_path(X509_STORE_CTX *ctx)
1317{ 1385{
1318 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); 1386 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
1319} 1387}
1320 1388
1321/* 1389/*
1322 * RFC 3779 2.3 path validation of an extension. 1390 * RFC 3779 2.3 path validation of an extension.
1323 * Test whether chain covers extension. 1391 * Test whether chain covers extension.
1324 */ 1392 */
1325int v3_addr_validate_resource_set(STACK_OF(X509) *chain, 1393int
1326 IPAddrBlocks *ext, 1394v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext,
1327 int allow_inheritance) 1395 int allow_inheritance)
1328{ 1396{
1329 if (ext == NULL) 1397 if (ext == NULL)
1330 return 1; 1398 return 1;
1331 if (chain == NULL || sk_X509_num(chain) == 0) 1399 if (chain == NULL || sk_X509_num(chain) == 0)
1332 return 0; 1400 return 0;
1333 if (!allow_inheritance && v3_addr_inherits(ext)) 1401 if (!allow_inheritance && v3_addr_inherits(ext))
1334 return 0; 1402 return 0;
1335 return v3_addr_validate_path_internal(NULL, chain, ext); 1403 return v3_addr_validate_path_internal(NULL, chain, ext);
1336} 1404}
1337 1405
1338#endif /* OPENSSL_NO_RFC3779 */ 1406#endif /* OPENSSL_NO_RFC3779 */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 20:46:00 +0000