summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509v3/v3_addr.c
diff options
context:
space:
mode:
authorjsing <>2015-02-10 13:28:17 +0000
committerjsing <>2015-02-10 13:28:17 +0000
commit9c50482953bc7e90189e0ffe451dbeb6de65ff10 (patch)
tree8a4aa3005e423a450906e3e3dfcfaa9b514f6aed /src/lib/libcrypto/x509v3/v3_addr.c
parentb76138809e995e34fc681e084f108b341f20c1e2 (diff)
downloadopenbsd-9c50482953bc7e90189e0ffe451dbeb6de65ff10.tar.gz
openbsd-9c50482953bc7e90189e0ffe451dbeb6de65ff10.tar.bz2
openbsd-9c50482953bc7e90189e0ffe451dbeb6de65ff10.zip
unifdef OPENSSL_NO_RFC3779 - this is currently disabled and unlikely to
be enabled, mostly since people use SANs instead. ok beck@ guenther@
Diffstat (limited to 'src/lib/libcrypto/x509v3/v3_addr.c')
-rw-r--r--src/lib/libcrypto/x509v3/v3_addr.c1504
1 files changed, 0 insertions, 1504 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
deleted file mode 100644
index 4073aeeaa6..0000000000
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ /dev/null
@@ -1,1504 +0,0 @@
1/* $OpenBSD: v3_addr.c,v 1.15 2015/02/09 16:03:11 jsing Exp $ */
2/*
3 * Contributed to the OpenSSL Project by the American Registry for
4 * Internet Numbers ("ARIN").
5 */
6/* ====================================================================
7 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 */
58
59/*
60 * Implementation of RFC 3779 section 2.2.
61 */
62
63#include <stdio.h>
64#include <stdlib.h>
65
66#include <openssl/opensslconf.h>
67
68#include <openssl/asn1.h>
69#include <openssl/asn1t.h>
70#include <openssl/buffer.h>
71#include <openssl/conf.h>
72#include <openssl/x509v3.h>
73
74#ifndef OPENSSL_NO_RFC3779
75
76/*
77 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
78 */
79
80ASN1_SEQUENCE(IPAddressRange) = {
81 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
82 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
83} ASN1_SEQUENCE_END(IPAddressRange)
84
85ASN1_CHOICE(IPAddressOrRange) = {
86 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
87 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
88} ASN1_CHOICE_END(IPAddressOrRange)
89
90ASN1_CHOICE(IPAddressChoice) = {
91 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
92 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
93} ASN1_CHOICE_END(IPAddressChoice)
94
95ASN1_SEQUENCE(IPAddressFamily) = {
96 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
97 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
98} ASN1_SEQUENCE_END(IPAddressFamily)
99
100ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
101 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
102 IPAddrBlocks, IPAddressFamily)
103ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
104
105
106IPAddressRange *
107d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len)
108{
109 return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
110 &IPAddressRange_it);
111}
112
113int
114i2d_IPAddressRange(IPAddressRange *a, unsigned char **out)
115{
116 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it);
117}
118
119IPAddressRange *
120IPAddressRange_new(void)
121{
122 return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it);
123}
124
125void
126IPAddressRange_free(IPAddressRange *a)
127{
128 ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it);
129}
130
131IPAddressOrRange *
132d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len)
133{
134 return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
135 &IPAddressOrRange_it);
136}
137
138int
139i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out)
140{
141 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it);
142}
143
144IPAddressOrRange *
145IPAddressOrRange_new(void)
146{
147 return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it);
148}
149
150void
151IPAddressOrRange_free(IPAddressOrRange *a)
152{
153 ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it);
154}
155
156IPAddressChoice *
157d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len)
158{
159 return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
160 &IPAddressChoice_it);
161}
162
163int
164i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out)
165{
166 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it);
167}
168
169IPAddressChoice *
170IPAddressChoice_new(void)
171{
172 return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it);
173}
174
175void
176IPAddressChoice_free(IPAddressChoice *a)
177{
178 ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it);
179}
180
181IPAddressFamily *
182d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len)
183{
184 return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
185 &IPAddressFamily_it);
186}
187
188int
189i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out)
190{
191 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it);
192}
193
194IPAddressFamily *
195IPAddressFamily_new(void)
196{
197 return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it);
198}
199
200void
201IPAddressFamily_free(IPAddressFamily *a)
202{
203 ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it);
204}
205
206/*
207 * How much buffer space do we need for a raw address?
208 */
209#define ADDR_RAW_BUF_LEN 16
210
211/*
212 * What's the address length associated with this AFI?
213 */
214static int
215length_from_afi(const unsigned afi)
216{
217 switch (afi) {
218 case IANA_AFI_IPV4:
219 return 4;
220 case IANA_AFI_IPV6:
221 return 16;
222 default:
223 return 0;
224 }
225}
226
227/*
228 * Extract the AFI from an IPAddressFamily.
229 */
230unsigned int
231v3_addr_get_afi(const IPAddressFamily *f)
232{
233 return ((f != NULL && f->addressFamily != NULL &&
234 f->addressFamily->data != NULL) ?
235 ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) :
236 0);
237}
238
239/*
240 * Expand the bitstring form of an address into a raw byte array.
241 * At the moment this is coded for simplicity, not speed.
242 */
243static int
244addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length,
245 const unsigned char fill)
246{
247 if (bs->length < 0 || bs->length > length)
248 return 0;
249 if (bs->length > 0) {
250 memcpy(addr, bs->data, bs->length);
251 if ((bs->flags & 7) != 0) {
252 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
253 if (fill == 0)
254 addr[bs->length - 1] &= ~mask;
255 else
256 addr[bs->length - 1] |= mask;
257 }
258 }
259 memset(addr + bs->length, fill, length - bs->length);
260 return 1;
261}
262
263/*
264 * Extract the prefix length from a bitstring.
265 */
266#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
267
268/*
269 * i2r handler for one address bitstring.
270 */
271static int
272i2r_address(BIO *out, const unsigned afi, const unsigned char fill,
273 const ASN1_BIT_STRING *bs)
274{
275 unsigned char addr[ADDR_RAW_BUF_LEN];
276 int i, n;
277
278 if (bs->length < 0)
279 return 0;
280 switch (afi) {
281 case IANA_AFI_IPV4:
282 if (!addr_expand(addr, bs, 4, fill))
283 return 0;
284 BIO_printf(out, "%d.%d.%d.%d",
285 addr[0], addr[1], addr[2], addr[3]);
286 break;
287 case IANA_AFI_IPV6:
288 if (!addr_expand(addr, bs, 16, fill))
289 return 0;
290 for (n = 16;
291 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2)
292 ;
293 for (i = 0; i < n; i += 2)
294 BIO_printf(out, "%x%s",
295 (addr[i] << 8) | addr[i + 1], (i < 14 ? ":" : ""));
296 if (i < 16)
297 BIO_puts(out, ":");
298 if (i == 0)
299 BIO_puts(out, ":");
300 break;
301 default:
302 for (i = 0; i < bs->length; i++)
303 BIO_printf(out, "%s%02x",
304 (i > 0 ? ":" : ""), bs->data[i]);
305 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
306 break;
307 }
308 return 1;
309}
310
311/*
312 * i2r handler for a sequence of addresses and ranges.
313 */
314static int
315i2r_IPAddressOrRanges(BIO *out, const int indent, const IPAddressOrRanges *aors,
316 const unsigned afi)
317{
318 int i;
319
320 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
321 const IPAddressOrRange *aor =
322 sk_IPAddressOrRange_value(aors, i);
323 BIO_printf(out, "%*s", indent, "");
324 switch (aor->type) {
325 case IPAddressOrRange_addressPrefix:
326 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
327 return 0;
328 BIO_printf(out, "/%d\n",
329 addr_prefixlen(aor->u.addressPrefix));
330 continue;
331 case IPAddressOrRange_addressRange:
332 if (!i2r_address(out, afi, 0x00,
333 aor->u.addressRange->min))
334 return 0;
335 BIO_puts(out, "-");
336 if (!i2r_address(out, afi, 0xFF,
337 aor->u.addressRange->max))
338 return 0;
339 BIO_puts(out, "\n");
340 continue;
341 }
342 }
343 return 1;
344}
345
346/*
347 * i2r handler for an IPAddrBlocks extension.
348 */
349static int
350i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
351 int indent)
352{
353 const IPAddrBlocks *addr = ext;
354 int i;
355
356 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
357 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
358 const unsigned int afi = v3_addr_get_afi(f);
359 switch (afi) {
360 case IANA_AFI_IPV4:
361 BIO_printf(out, "%*sIPv4", indent, "");
362 break;
363 case IANA_AFI_IPV6:
364 BIO_printf(out, "%*sIPv6", indent, "");
365 break;
366 default:
367 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
368 break;
369 }
370 if (f->addressFamily->length > 2) {
371 switch (f->addressFamily->data[2]) {
372 case 1:
373 BIO_puts(out, " (Unicast)");
374 break;
375 case 2:
376 BIO_puts(out, " (Multicast)");
377 break;
378 case 3:
379 BIO_puts(out, " (Unicast/Multicast)");
380 break;
381 case 4:
382 BIO_puts(out, " (MPLS)");
383 break;
384 case 64:
385 BIO_puts(out, " (Tunnel)");
386 break;
387 case 65:
388 BIO_puts(out, " (VPLS)");
389 break;
390 case 66:
391 BIO_puts(out, " (BGP MDT)");
392 break;
393 case 128:
394 BIO_puts(out, " (MPLS-labeled VPN)");
395 break;
396 default:
397 BIO_printf(out, " (Unknown SAFI %u)",
398 (unsigned)f->addressFamily->data[2]);
399 break;
400 }
401 }
402 switch (f->ipAddressChoice->type) {
403 case IPAddressChoice_inherit:
404 BIO_puts(out, ": inherit\n");
405 break;
406 case IPAddressChoice_addressesOrRanges:
407 BIO_puts(out, ":\n");
408 if (!i2r_IPAddressOrRanges(out, indent + 2,
409 f->ipAddressChoice->u.addressesOrRanges, afi))
410 return 0;
411 break;
412 }
413 }
414 return 1;
415}
416
417/*
418 * Sort comparison function for a sequence of IPAddressOrRange
419 * elements.
420 *
421 * There's no sane answer we can give if addr_expand() fails, and an
422 * assertion failure on externally supplied data is seriously uncool,
423 * so we just arbitrarily declare that if given invalid inputs this
424 * function returns -1. If this messes up your preferred sort order
425 * for garbage input, tough noogies.
426 */
427static int
428IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b,
429 const int length)
430{
431 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
432 int prefixlen_a = 0, prefixlen_b = 0;
433 int r;
434
435 switch (a->type) {
436 case IPAddressOrRange_addressPrefix:
437 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
438 return -1;
439 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
440 break;
441 case IPAddressOrRange_addressRange:
442 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
443 return -1;
444 prefixlen_a = length * 8;
445 break;
446 }
447
448 switch (b->type) {
449 case IPAddressOrRange_addressPrefix:
450 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
451 return -1;
452 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
453 break;
454 case IPAddressOrRange_addressRange:
455 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
456 return -1;
457 prefixlen_b = length * 8;
458 break;
459 }
460
461 if ((r = memcmp(addr_a, addr_b, length)) != 0)
462 return r;
463 else
464 return prefixlen_a - prefixlen_b;
465}
466
467/*
468 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
469 * comparision routines are only allowed two arguments.
470 */
471static int
472v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
473 const IPAddressOrRange * const *b)
474{
475 return IPAddressOrRange_cmp(*a, *b, 4);
476}
477
478/*
479 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
480 * comparision routines are only allowed two arguments.
481 */
482static int
483v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
484 const IPAddressOrRange * const *b)
485{
486 return IPAddressOrRange_cmp(*a, *b, 16);
487}
488
489/*
490 * Calculate whether a range collapses to a prefix.
491 * See last paragraph of RFC 3779 2.2.3.7.
492 */
493static int
494range_should_be_prefix(const unsigned char *min, const unsigned char *max,
495 const int length)
496{
497 unsigned char mask;
498 int i, j;
499
500 OPENSSL_assert(memcmp(min, max, length) <= 0);
501 for (i = 0; i < length && min[i] == max[i]; i++)
502 ;
503 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
504 ;
505 if (i < j)
506 return -1;
507 if (i > j)
508 return i * 8;
509 mask = min[i] ^ max[i];
510 switch (mask) {
511 case 0x01:
512 j = 7;
513 break;
514 case 0x03:
515 j = 6;
516 break;
517 case 0x07:
518 j = 5;
519 break;
520 case 0x0F:
521 j = 4;
522 break;
523 case 0x1F:
524 j = 3;
525 break;
526 case 0x3F:
527 j = 2;
528 break;
529 case 0x7F:
530 j = 1;
531 break;
532 default:
533 return -1;
534 }
535 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
536 return -1;
537 else
538 return i * 8 + j;
539}
540
541/*
542 * Construct a prefix.
543 */
544static int
545make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
546 const int prefixlen)
547{
548 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
549 IPAddressOrRange *aor = IPAddressOrRange_new();
550
551 if (aor == NULL)
552 return 0;
553 aor->type = IPAddressOrRange_addressPrefix;
554 if (aor->u.addressPrefix == NULL &&
555 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
556 goto err;
557 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
558 goto err;
559 aor->u.addressPrefix->flags &= ~7;
560 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
561 if (bitlen > 0) {
562 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
563 aor->u.addressPrefix->flags |= 8 - bitlen;
564 }
565
566 *result = aor;
567 return 1;
568
569err:
570 IPAddressOrRange_free(aor);
571 return 0;
572}
573
574/*
575 * Construct a range. If it can be expressed as a prefix,
576 * return a prefix instead. Doing this here simplifies
577 * the rest of the code considerably.
578 */
579static int
580make_addressRange(IPAddressOrRange **result, unsigned char *min,
581 unsigned char *max, const int length)
582{
583 IPAddressOrRange *aor;
584 int i, prefixlen;
585
586 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
587 return make_addressPrefix(result, min, prefixlen);
588
589 if ((aor = IPAddressOrRange_new()) == NULL)
590 return 0;
591 aor->type = IPAddressOrRange_addressRange;
592 OPENSSL_assert(aor->u.addressRange == NULL);
593 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
594 goto err;
595 if (aor->u.addressRange->min == NULL &&
596 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
597 goto err;
598 if (aor->u.addressRange->max == NULL &&
599 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
600 goto err;
601
602 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
603 ;
604 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
605 goto err;
606 aor->u.addressRange->min->flags &= ~7;
607 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
608 if (i > 0) {
609 unsigned char b = min[i - 1];
610 int j = 1;
611 while ((b & (0xFFU >> j)) != 0)
612 ++j;
613 aor->u.addressRange->min->flags |= 8 - j;
614 }
615
616 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
617 ;
618 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
619 goto err;
620 aor->u.addressRange->max->flags &= ~7;
621 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
622 if (i > 0) {
623 unsigned char b = max[i - 1];
624 int j = 1;
625 while ((b & (0xFFU >> j)) != (0xFFU >> j))
626 ++j;
627 aor->u.addressRange->max->flags |= 8 - j;
628 }
629
630 *result = aor;
631 return 1;
632
633err:
634 IPAddressOrRange_free(aor);
635 return 0;
636}
637
638/*
639 * Construct a new address family or find an existing one.
640 */
641static IPAddressFamily *
642make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
643 const unsigned *safi)
644{
645 IPAddressFamily *f;
646 unsigned char key[3];
647 unsigned keylen;
648 int i;
649
650 key[0] = (afi >> 8) & 0xFF;
651 key[1] = afi & 0xFF;
652 if (safi != NULL) {
653 key[2] = *safi & 0xFF;
654 keylen = 3;
655 } else {
656 keylen = 2;
657 }
658
659 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
660 f = sk_IPAddressFamily_value(addr, i);
661 OPENSSL_assert(f->addressFamily->data != NULL);
662 if (f->addressFamily->length == keylen &&
663 !memcmp(f->addressFamily->data, key, keylen))
664 return f;
665 }
666
667 if ((f = IPAddressFamily_new()) == NULL)
668 goto err;
669 if (f->ipAddressChoice == NULL &&
670 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
671 goto err;
672 if (f->addressFamily == NULL &&
673 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
674 goto err;
675 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
676 goto err;
677 if (!sk_IPAddressFamily_push(addr, f))
678 goto err;
679
680 return f;
681
682err:
683 IPAddressFamily_free(f);
684 return NULL;
685}
686
687/*
688 * Add an inheritance element.
689 */
690int
691v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
692 const unsigned *safi)
693{
694 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
695
696 if (f == NULL ||
697 f->ipAddressChoice == NULL ||
698 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
699 f->ipAddressChoice->u.addressesOrRanges != NULL))
700 return 0;
701 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
702 f->ipAddressChoice->u.inherit != NULL)
703 return 1;
704 if (f->ipAddressChoice->u.inherit == NULL &&
705 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
706 return 0;
707 f->ipAddressChoice->type = IPAddressChoice_inherit;
708 return 1;
709}
710
711/*
712 * Construct an IPAddressOrRange sequence, or return an existing one.
713 */
714static IPAddressOrRanges *
715make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
716 const unsigned *safi)
717{
718 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
719 IPAddressOrRanges *aors = NULL;
720
721 if (f == NULL ||
722 f->ipAddressChoice == NULL ||
723 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
724 f->ipAddressChoice->u.inherit != NULL))
725 return NULL;
726 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
727 aors = f->ipAddressChoice->u.addressesOrRanges;
728 if (aors != NULL)
729 return aors;
730 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
731 return NULL;
732 switch (afi) {
733 case IANA_AFI_IPV4:
734 (void) sk_IPAddressOrRange_set_cmp_func(aors,
735 v4IPAddressOrRange_cmp);
736 break;
737 case IANA_AFI_IPV6:
738 (void) sk_IPAddressOrRange_set_cmp_func(aors,
739 v6IPAddressOrRange_cmp);
740 break;
741 }
742 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
743 f->ipAddressChoice->u.addressesOrRanges = aors;
744 return aors;
745}
746
747/*
748 * Add a prefix.
749 */
750int
751v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi,
752 const unsigned *safi, unsigned char *a, const int prefixlen)
753{
754 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
755 IPAddressOrRange *aor;
756
757 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
758 return 0;
759 if (sk_IPAddressOrRange_push(aors, aor))
760 return 1;
761 IPAddressOrRange_free(aor);
762 return 0;
763}
764
765/*
766 * Add a range.
767 */
768int
769v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, const unsigned *safi,
770 unsigned char *min, unsigned char *max)
771{
772 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
773 IPAddressOrRange *aor;
774 int length = length_from_afi(afi);
775
776 if (aors == NULL)
777 return 0;
778 if (!make_addressRange(&aor, min, max, length))
779 return 0;
780 if (sk_IPAddressOrRange_push(aors, aor))
781 return 1;
782 IPAddressOrRange_free(aor);
783 return 0;
784}
785
786/*
787 * Extract min and max values from an IPAddressOrRange.
788 */
789static int
790extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max,
791 int length)
792{
793 if (aor == NULL || min == NULL || max == NULL)
794 return 0;
795 switch (aor->type) {
796 case IPAddressOrRange_addressPrefix:
797 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
798 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
799 case IPAddressOrRange_addressRange:
800 return (
801 addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
802 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
803 }
804 return 0;
805}
806
807/*
808 * Public wrapper for extract_min_max().
809 */
810int
811v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
812 unsigned char *min, unsigned char *max, const int length)
813{
814 int afi_length = length_from_afi(afi);
815
816 if (aor == NULL || min == NULL || max == NULL ||
817 afi_length == 0 || length < afi_length ||
818 (aor->type != IPAddressOrRange_addressPrefix &&
819 aor->type != IPAddressOrRange_addressRange) ||
820 !extract_min_max(aor, min, max, afi_length))
821 return 0;
822
823 return afi_length;
824}
825
826/*
827 * Sort comparision function for a sequence of IPAddressFamily.
828 *
829 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
830 * the ordering: I can read it as meaning that IPv6 without a SAFI
831 * comes before IPv4 with a SAFI, which seems pretty weird. The
832 * examples in appendix B suggest that the author intended the
833 * null-SAFI rule to apply only within a single AFI, which is what I
834 * would have expected and is what the following code implements.
835 */
836static int
837IPAddressFamily_cmp(const IPAddressFamily * const *a_,
838 const IPAddressFamily * const *b_)
839{
840 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
841 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
842 int len = ((a->length <= b->length) ? a->length : b->length);
843 int cmp = memcmp(a->data, b->data, len);
844
845 return cmp ? cmp : a->length - b->length;
846}
847
848/*
849 * Check whether an IPAddrBLocks is in canonical form.
850 */
851int
852v3_addr_is_canonical(IPAddrBlocks *addr)
853{
854 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
855 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
856 IPAddressOrRanges *aors;
857 int i, j, k;
858
859 /*
860 * Empty extension is cannonical.
861 */
862 if (addr == NULL)
863 return 1;
864
865 /*
866 * Check whether the top-level list is in order.
867 */
868 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
869 const IPAddressFamily *a =
870 sk_IPAddressFamily_value(addr, i);
871 const IPAddressFamily *b =
872 sk_IPAddressFamily_value(addr, i + 1);
873 if (IPAddressFamily_cmp(&a, &b) >= 0)
874 return 0;
875 }
876
877 /*
878 * Top level's ok, now check each address family.
879 */
880 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
881 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
882 int length = length_from_afi(v3_addr_get_afi(f));
883
884 /*
885 * Inheritance is canonical. Anything other than inheritance or
886 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
887 */
888 if (f == NULL || f->ipAddressChoice == NULL)
889 return 0;
890 switch (f->ipAddressChoice->type) {
891 case IPAddressChoice_inherit:
892 continue;
893 case IPAddressChoice_addressesOrRanges:
894 break;
895 default:
896 return 0;
897 }
898
899 /*
900 * It's an IPAddressOrRanges sequence, check it.
901 */
902 aors = f->ipAddressChoice->u.addressesOrRanges;
903 if (sk_IPAddressOrRange_num(aors) == 0)
904 return 0;
905 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
906 IPAddressOrRange *a =
907 sk_IPAddressOrRange_value(aors, j);
908 IPAddressOrRange *b =
909 sk_IPAddressOrRange_value(aors, j + 1);
910
911 if (!extract_min_max(a, a_min, a_max, length) ||
912 !extract_min_max(b, b_min, b_max, length))
913 return 0;
914
915 /*
916 * Punt misordered list, overlapping start, or inverted range.
917 */
918 if (memcmp(a_min, b_min, length) >= 0 ||
919 memcmp(a_min, a_max, length) > 0 ||
920 memcmp(b_min, b_max, length) > 0)
921 return 0;
922
923 /*
924 * Punt if adjacent or overlapping. Check for adjacency by
925 * subtracting one from b_min first.
926 */
927 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
928 ;
929 if (memcmp(a_max, b_min, length) >= 0)
930 return 0;
931
932 /*
933 * Check for range that should be expressed as a prefix.
934 */
935 if (a->type == IPAddressOrRange_addressRange &&
936 range_should_be_prefix(a_min, a_max, length) >= 0)
937 return 0;
938 }
939
940 /*
941 * Check range to see if it's inverted or should be a
942 * prefix.
943 */
944 j = sk_IPAddressOrRange_num(aors) - 1;
945 {
946 IPAddressOrRange *a =
947 sk_IPAddressOrRange_value(aors, j);
948 if (a != NULL &&
949 a->type == IPAddressOrRange_addressRange) {
950 if (!extract_min_max(a, a_min, a_max, length))
951 return 0;
952 if (memcmp(a_min, a_max, length) > 0 ||
953 range_should_be_prefix(a_min, a_max,
954 length) >= 0)
955 return 0;
956 }
957 }
958 }
959
960 /*
961 * If we made it through all that, we're happy.
962 */
963 return 1;
964}
965
966/*
967 * Whack an IPAddressOrRanges into canonical form.
968 */
969static int
970IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
971{
972 int i, j, length = length_from_afi(afi);
973
974 /*
975 * Sort the IPAddressOrRanges sequence.
976 */
977 sk_IPAddressOrRange_sort(aors);
978
979 /*
980 * Clean up representation issues, punt on duplicates or overlaps.
981 */
982 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
983 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
984 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
985 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
986 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
987
988 if (!extract_min_max(a, a_min, a_max, length) ||
989 !extract_min_max(b, b_min, b_max, length))
990 return 0;
991
992 /*
993 * Punt inverted ranges.
994 */
995 if (memcmp(a_min, a_max, length) > 0 ||
996 memcmp(b_min, b_max, length) > 0)
997 return 0;
998
999 /*
1000 * Punt overlaps.
1001 */
1002 if (memcmp(a_max, b_min, length) >= 0)
1003 return 0;
1004
1005 /*
1006 * Merge if a and b are adjacent. We check for
1007 * adjacency by subtracting one from b_min first.
1008 */
1009 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
1010 ;
1011 if (memcmp(a_max, b_min, length) == 0) {
1012 IPAddressOrRange *merged;
1013 if (!make_addressRange(&merged, a_min, b_max, length))
1014 return 0;
1015 (void) sk_IPAddressOrRange_set(aors, i, merged);
1016 (void) sk_IPAddressOrRange_delete(aors, i + 1);
1017 IPAddressOrRange_free(a);
1018 IPAddressOrRange_free(b);
1019 --i;
1020 continue;
1021 }
1022 }
1023
1024 /*
1025 * Check for inverted final range.
1026 */
1027 j = sk_IPAddressOrRange_num(aors) - 1;
1028 {
1029 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
1030 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
1031 unsigned char a_min[ADDR_RAW_BUF_LEN],
1032 a_max[ADDR_RAW_BUF_LEN];
1033 extract_min_max(a, a_min, a_max, length);
1034 if (memcmp(a_min, a_max, length) > 0)
1035 return 0;
1036 }
1037 }
1038
1039 return 1;
1040}
1041
1042/*
1043 * Whack an IPAddrBlocks extension into canonical form.
1044 */
1045int
1046v3_addr_canonize(IPAddrBlocks *addr)
1047{
1048 int i;
1049 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1050 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1051 if (f->ipAddressChoice->type ==
1052 IPAddressChoice_addressesOrRanges &&
1053 !IPAddressOrRanges_canonize(
1054 f->ipAddressChoice->u.addressesOrRanges,
1055 v3_addr_get_afi(f)))
1056 return 0;
1057 }
1058 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
1059 sk_IPAddressFamily_sort(addr);
1060 OPENSSL_assert(v3_addr_is_canonical(addr));
1061 return 1;
1062}
1063
1064/*
1065 * v2i handler for the IPAddrBlocks extension.
1066 */
1067static void *
1068v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
1069 STACK_OF(CONF_VALUE) *values)
1070{
1071 static const char v4addr_chars[] = "0123456789.";
1072 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
1073 IPAddrBlocks *addr = NULL;
1074 char *s = NULL, *t;
1075 int i;
1076
1077 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
1078 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1079 return NULL;
1080 }
1081
1082 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
1083 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
1084 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
1085 unsigned afi, *safi = NULL, safi_;
1086 const char *addr_chars;
1087 int prefixlen, i1, i2, delim, length;
1088
1089 if (!name_cmp(val->name, "IPv4")) {
1090 afi = IANA_AFI_IPV4;
1091 } else if (!name_cmp(val->name, "IPv6")) {
1092 afi = IANA_AFI_IPV6;
1093 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
1094 afi = IANA_AFI_IPV4;
1095 safi = &safi_;
1096 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
1097 afi = IANA_AFI_IPV6;
1098 safi = &safi_;
1099 } else {
1100 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1101 X509V3_R_EXTENSION_NAME_ERROR);
1102 X509V3_conf_err(val);
1103 goto err;
1104 }
1105
1106 switch (afi) {
1107 case IANA_AFI_IPV4:
1108 addr_chars = v4addr_chars;
1109 break;
1110 case IANA_AFI_IPV6:
1111 addr_chars = v6addr_chars;
1112 break;
1113 }
1114
1115 length = length_from_afi(afi);
1116
1117 /*
1118 * Handle SAFI, if any, and strdup() so we can null-terminate
1119 * the other input values.
1120 */
1121 if (safi != NULL) {
1122 *safi = strtoul(val->value, &t, 0);
1123 t += strspn(t, " \t");
1124 if (*safi > 0xFF || *t++ != ':') {
1125 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1126 X509V3_R_INVALID_SAFI);
1127 X509V3_conf_err(val);
1128 goto err;
1129 }
1130 t += strspn(t, " \t");
1131 s = strdup(t);
1132 } else {
1133 s = strdup(val->value);
1134 }
1135 if (s == NULL) {
1136 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1137 ERR_R_MALLOC_FAILURE);
1138 goto err;
1139 }
1140
1141 /*
1142 * Check for inheritance. Not worth additional complexity to
1143 * optimize this (seldom-used) case.
1144 */
1145 if (!strcmp(s, "inherit")) {
1146 if (!v3_addr_add_inherit(addr, afi, safi)) {
1147 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1148 X509V3_R_INVALID_INHERITANCE);
1149 X509V3_conf_err(val);
1150 goto err;
1151 }
1152 free(s);
1153 s = NULL;
1154 continue;
1155 }
1156
1157 i1 = strspn(s, addr_chars);
1158 i2 = i1 + strspn(s + i1, " \t");
1159 delim = s[i2++];
1160 s[i1] = '\0';
1161
1162 if (a2i_ipadd(min, s) != length) {
1163 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1164 X509V3_R_INVALID_IPADDRESS);
1165 X509V3_conf_err(val);
1166 goto err;
1167 }
1168
1169 switch (delim) {
1170 case '/':
1171 prefixlen = (int) strtoul(s + i2, &t, 10);
1172 if (t == s + i2 || *t != '\0') {
1173 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1174 X509V3_R_EXTENSION_VALUE_ERROR);
1175 X509V3_conf_err(val);
1176 goto err;
1177 }
1178 if (!v3_addr_add_prefix(addr, afi, safi, min,
1179 prefixlen)) {
1180 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1181 ERR_R_MALLOC_FAILURE);
1182 goto err;
1183 }
1184 break;
1185 case '-':
1186 i1 = i2 + strspn(s + i2, " \t");
1187 i2 = i1 + strspn(s + i1, addr_chars);
1188 if (i1 == i2 || s[i2] != '\0') {
1189 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1190 X509V3_R_EXTENSION_VALUE_ERROR);
1191 X509V3_conf_err(val);
1192 goto err;
1193 }
1194 if (a2i_ipadd(max, s + i1) != length) {
1195 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1196 X509V3_R_INVALID_IPADDRESS);
1197 X509V3_conf_err(val);
1198 goto err;
1199 }
1200 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1201 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1202 X509V3_R_EXTENSION_VALUE_ERROR);
1203 X509V3_conf_err(val);
1204 goto err;
1205 }
1206 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1207 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1208 ERR_R_MALLOC_FAILURE);
1209 goto err;
1210 }
1211 break;
1212 case '\0':
1213 if (!v3_addr_add_prefix(addr, afi, safi, min,
1214 length * 8)) {
1215 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1216 ERR_R_MALLOC_FAILURE);
1217 goto err;
1218 }
1219 break;
1220 default:
1221 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1222 X509V3_R_EXTENSION_VALUE_ERROR);
1223 X509V3_conf_err(val);
1224 goto err;
1225 }
1226
1227 free(s);
1228 s = NULL;
1229 }
1230
1231 /*
1232 * Canonize the result, then we're done.
1233 */
1234 if (!v3_addr_canonize(addr))
1235 goto err;
1236 return addr;
1237
1238err:
1239 free(s);
1240 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1241 return NULL;
1242}
1243
1244/*
1245 * OpenSSL dispatch
1246 */
1247const X509V3_EXT_METHOD v3_addr = {
1248 NID_sbgp_ipAddrBlock, /* nid */
1249 0, /* flags */
1250 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1251 0, 0, 0, 0, /* old functions, ignored */
1252 0, /* i2s */
1253 0, /* s2i */
1254 0, /* i2v */
1255 v2i_IPAddrBlocks, /* v2i */
1256 i2r_IPAddrBlocks, /* i2r */
1257 0, /* r2i */
1258 NULL /* extension-specific data */
1259};
1260
1261/*
1262 * Figure out whether extension sues inheritance.
1263 */
1264int
1265v3_addr_inherits(IPAddrBlocks *addr)
1266{
1267 int i;
1268
1269 if (addr == NULL)
1270 return 0;
1271 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1272 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1273 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1274 return 1;
1275 }
1276 return 0;
1277}
1278
1279/*
1280 * Figure out whether parent contains child.
1281 */
1282static int
1283addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
1284{
1285 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1286 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1287 int p, c;
1288
1289 if (child == NULL || parent == child)
1290 return 1;
1291 if (parent == NULL)
1292 return 0;
1293
1294 p = 0;
1295 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1296 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1297 c_min, c_max, length))
1298 return -1;
1299 for (; ; p++) {
1300 if (p >= sk_IPAddressOrRange_num(parent))
1301 return 0;
1302 if (!extract_min_max(
1303 sk_IPAddressOrRange_value(parent, p),
1304 p_min, p_max, length))
1305 return 0;
1306 if (memcmp(p_max, c_max, length) < 0)
1307 continue;
1308 if (memcmp(p_min, c_min, length) > 0)
1309 return 0;
1310 break;
1311 }
1312 }
1313
1314 return 1;
1315}
1316
1317/*
1318 * Test whether a is a subset of b.
1319 */
1320int
1321v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1322{
1323 int i;
1324
1325 if (a == NULL || a == b)
1326 return 1;
1327 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1328 return 0;
1329 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1330 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1331 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1332 int j = sk_IPAddressFamily_find(b, fa);
1333 IPAddressFamily *fb;
1334 fb = sk_IPAddressFamily_value(b, j);
1335 if (fb == NULL)
1336 return 0;
1337 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1338 fa->ipAddressChoice->u.addressesOrRanges,
1339 length_from_afi(v3_addr_get_afi(fb))))
1340 return 0;
1341 }
1342 return 1;
1343}
1344
1345/*
1346 * Validation error handling via callback.
1347 */
1348#define validation_err(_err_) \
1349 do { \
1350 if (ctx != NULL) { \
1351 ctx->error = _err_; \
1352 ctx->error_depth = i; \
1353 ctx->current_cert = x; \
1354 ret = ctx->verify_cb(0, ctx); \
1355 } else { \
1356 ret = 0; \
1357 } \
1358 if (!ret) \
1359 goto done; \
1360 } while (0)
1361
1362/*
1363 * Core code for RFC 3779 2.3 path validation.
1364 */
1365static int
1366v3_addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
1367 IPAddrBlocks *ext)
1368{
1369 IPAddrBlocks *child = NULL;
1370 int i, j, ret = 1;
1371 X509 *x;
1372
1373 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1374 OPENSSL_assert(ctx != NULL || ext != NULL);
1375 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1376
1377 /*
1378 * Figure out where to start. If we don't have an extension to
1379 * check, we're done. Otherwise, check canonical form and
1380 * set up for walking up the chain.
1381 */
1382 if (ext != NULL) {
1383 i = -1;
1384 x = NULL;
1385 } else {
1386 i = 0;
1387 x = sk_X509_value(chain, i);
1388 OPENSSL_assert(x != NULL);
1389 if ((ext = x->rfc3779_addr) == NULL)
1390 goto done;
1391 }
1392 if (!v3_addr_is_canonical(ext))
1393 validation_err(X509_V_ERR_INVALID_EXTENSION);
1394 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1395 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1396 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL,
1397 ERR_R_MALLOC_FAILURE);
1398 ret = 0;
1399 goto done;
1400 }
1401
1402 /*
1403 * Now walk up the chain. No cert may list resources that its
1404 * parent doesn't list.
1405 */
1406 for (i++; i < sk_X509_num(chain); i++) {
1407 x = sk_X509_value(chain, i);
1408 OPENSSL_assert(x != NULL);
1409 if (!v3_addr_is_canonical(x->rfc3779_addr))
1410 validation_err(X509_V_ERR_INVALID_EXTENSION);
1411 if (x->rfc3779_addr == NULL) {
1412 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1413 IPAddressFamily *fc =
1414 sk_IPAddressFamily_value(child, j);
1415 if (fc->ipAddressChoice->type !=
1416 IPAddressChoice_inherit) {
1417 validation_err(
1418 X509_V_ERR_UNNESTED_RESOURCE);
1419 break;
1420 }
1421 }
1422 continue;
1423 }
1424 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1425 IPAddressFamily_cmp);
1426 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1427 IPAddressFamily *fc =
1428 sk_IPAddressFamily_value(child, j);
1429 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1430 IPAddressFamily *fp =
1431 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1432 if (fp == NULL) {
1433 if (fc->ipAddressChoice->type ==
1434 IPAddressChoice_addressesOrRanges) {
1435 validation_err(
1436 X509_V_ERR_UNNESTED_RESOURCE);
1437 break;
1438 }
1439 continue;
1440 }
1441 if (fp->ipAddressChoice->type ==
1442 IPAddressChoice_addressesOrRanges) {
1443 if (fc->ipAddressChoice->type ==
1444 IPAddressChoice_inherit || addr_contains(
1445 fp->ipAddressChoice->u.addressesOrRanges,
1446 fc->ipAddressChoice->u.addressesOrRanges,
1447 length_from_afi(v3_addr_get_afi(fc))))
1448 sk_IPAddressFamily_set(child, j, fp);
1449 else
1450 validation_err(
1451 X509_V_ERR_UNNESTED_RESOURCE);
1452 }
1453 }
1454 }
1455
1456 /*
1457 * Trust anchor can't inherit.
1458 */
1459 OPENSSL_assert(x != NULL);
1460 if (x->rfc3779_addr != NULL) {
1461 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1462 IPAddressFamily *fp =
1463 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1464 if (fp->ipAddressChoice->type ==
1465 IPAddressChoice_inherit &&
1466 sk_IPAddressFamily_find(child, fp) >= 0)
1467 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1468 }
1469 }
1470
1471done:
1472 sk_IPAddressFamily_free(child);
1473 return ret;
1474}
1475
1476#undef validation_err
1477
1478/*
1479 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1480 */
1481int
1482v3_addr_validate_path(X509_STORE_CTX *ctx)
1483{
1484 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
1485}
1486
1487/*
1488 * RFC 3779 2.3 path validation of an extension.
1489 * Test whether chain covers extension.
1490 */
1491int
1492v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext,
1493 int allow_inheritance)
1494{
1495 if (ext == NULL)
1496 return 1;
1497 if (chain == NULL || sk_X509_num(chain) == 0)
1498 return 0;
1499 if (!allow_inheritance && v3_addr_inherits(ext))
1500 return 0;
1501 return v3_addr_validate_path_internal(NULL, chain, ext);
1502}
1503
1504#endif /* OPENSSL_NO_RFC3779 */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 21:07:38 +0000