summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
authorjob <>2021-09-02 12:41:44 +0000
committerjob <>2021-09-02 12:41:44 +0000
commita9cb954f2cf630ab74009f5641622ac0d175bc58 (patch)
tree68881b07659cc9e2b17902a5156f430f2154ecf8 /src/lib
parente7198b4ee0ece23326da3c1f771171a6ca285eca (diff)
downloadopenbsd-a9cb954f2cf630ab74009f5641622ac0d175bc58.tar.gz
openbsd-a9cb954f2cf630ab74009f5641622ac0d175bc58.tar.bz2
openbsd-a9cb954f2cf630ab74009f5641622ac0d175bc58.zip
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree. OK tb@, discussed with beck@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/asn1/x_x509.c10
-rw-r--r--src/lib/libcrypto/x509/ext_dat.h6
-rw-r--r--src/lib/libcrypto/x509/x509.h6
-rw-r--r--src/lib/libcrypto/x509/x509_addr.c1315
-rw-r--r--src/lib/libcrypto/x509/x509_asid.c894
-rw-r--r--src/lib/libcrypto/x509/x509_purp.c15
-rw-r--r--src/lib/libcrypto/x509/x509v3.h145
7 files changed, 2386 insertions, 5 deletions
diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c
index 6a56a795c0..422f6256f7 100644
--- a/src/lib/libcrypto/asn1/x_x509.c
+++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x_x509.c,v 1.26 2018/02/17 15:50:42 jsing Exp $ */ 1/* $OpenBSD: x_x509.c,v 1.27 2021/09/02 12:41:44 job Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -185,6 +185,10 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
185 ret->akid = NULL; 185 ret->akid = NULL;
186 ret->aux = NULL; 186 ret->aux = NULL;
187 ret->crldp = NULL; 187 ret->crldp = NULL;
188#ifndef OPENSSL_NO_RFC3779
189 ret->rfc3779_addr = NULL;
190 ret->rfc3779_asid = NULL;
191#endif
188 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); 192 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
189 break; 193 break;
190 194
@@ -202,6 +206,10 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
202 policy_cache_free(ret->policy_cache); 206 policy_cache_free(ret->policy_cache);
203 GENERAL_NAMES_free(ret->altname); 207 GENERAL_NAMES_free(ret->altname);
204 NAME_CONSTRAINTS_free(ret->nc); 208 NAME_CONSTRAINTS_free(ret->nc);
209#ifndef OPENSSL_NO_RFC3779
210 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
211 ASIdentifiers_free(ret->rfc3779_asid);
212#endif
205 free(ret->name); 213 free(ret->name);
206 ret->name = NULL; 214 ret->name = NULL;
207 break; 215 break;
diff --git a/src/lib/libcrypto/x509/ext_dat.h b/src/lib/libcrypto/x509/ext_dat.h
index 1a7ae6e1ae..53f8eb94e8 100644
--- a/src/lib/libcrypto/x509/ext_dat.h
+++ b/src/lib/libcrypto/x509/ext_dat.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ext_dat.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ 1/* $OpenBSD: ext_dat.h,v 1.2 2021/09/02 12:41:44 job Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -105,6 +105,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
105#endif 105#endif
106 &v3_sxnet, 106 &v3_sxnet,
107 &v3_info, 107 &v3_info,
108#ifndef OPENSSL_NO_RFC3779
109 &v3_addr,
110 &v3_asid,
111#endif
108#ifndef OPENSSL_NO_OCSP 112#ifndef OPENSSL_NO_OCSP
109 &v3_ocsp_nonce, 113 &v3_ocsp_nonce,
110 &v3_ocsp_crlid, 114 &v3_ocsp_crlid,
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index f135ee9a86..5b25c6e4b1 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509.h,v 1.75 2021/03/31 16:51:06 tb Exp $ */ 1/* $OpenBSD: x509.h,v 1.76 2021/09/02 12:41:44 job Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -287,6 +287,10 @@ struct x509_st
287 STACK_OF(DIST_POINT) *crldp; 287 STACK_OF(DIST_POINT) *crldp;
288 STACK_OF(GENERAL_NAME) *altname; 288 STACK_OF(GENERAL_NAME) *altname;
289 NAME_CONSTRAINTS *nc; 289 NAME_CONSTRAINTS *nc;
290#ifndef OPENSSL_NO_RFC3779
291 STACK_OF(IPAddressFamily) *rfc3779_addr;
292 struct ASIdentifiers_st *rfc3779_asid;
293#endif
290#ifndef OPENSSL_NO_SHA 294#ifndef OPENSSL_NO_SHA
291 unsigned char sha1_hash[SHA_DIGEST_LENGTH]; 295 unsigned char sha1_hash[SHA_DIGEST_LENGTH];
292#endif 296#endif
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
new file mode 100644
index 0000000000..4258dbc40c
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -0,0 +1,1315 @@
1/*
2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * Implementation of RFC 3779 section 2.2.
12 */
13
14#include <stdio.h>
15#include <stdlib.h>
16
17#include "internal/cryptlib.h"
18#include <openssl/conf.h>
19#include <openssl/asn1.h>
20#include <openssl/asn1t.h>
21#include <openssl/buffer.h>
22#include <openssl/x509v3.h>
23#include "crypto/x509.h"
24#include "ext_dat.h"
25
26#ifndef OPENSSL_NO_RFC3779
27
28/*
29 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
30 */
31
32ASN1_SEQUENCE(IPAddressRange) = {
33 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
34 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
35} ASN1_SEQUENCE_END(IPAddressRange)
36
37ASN1_CHOICE(IPAddressOrRange) = {
38 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
39 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
40} ASN1_CHOICE_END(IPAddressOrRange)
41
42ASN1_CHOICE(IPAddressChoice) = {
43 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
44 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
45} ASN1_CHOICE_END(IPAddressChoice)
46
47ASN1_SEQUENCE(IPAddressFamily) = {
48 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
49 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
50} ASN1_SEQUENCE_END(IPAddressFamily)
51
52ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
53 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
54 IPAddrBlocks, IPAddressFamily)
55static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
56
57IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
58IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
59IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
60IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
61
62/*
63 * How much buffer space do we need for a raw address?
64 */
65#define ADDR_RAW_BUF_LEN 16
66
67/*
68 * What's the address length associated with this AFI?
69 */
70static int length_from_afi(const unsigned afi)
71{
72 switch (afi) {
73 case IANA_AFI_IPV4:
74 return 4;
75 case IANA_AFI_IPV6:
76 return 16;
77 default:
78 return 0;
79 }
80}
81
82/*
83 * Extract the AFI from an IPAddressFamily.
84 */
85unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
86{
87 if (f == NULL
88 || f->addressFamily == NULL
89 || f->addressFamily->data == NULL
90 || f->addressFamily->length < 2)
91 return 0;
92 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
93}
94
95/*
96 * Expand the bitstring form of an address into a raw byte array.
97 * At the moment this is coded for simplicity, not speed.
98 */
99static int addr_expand(unsigned char *addr,
100 const ASN1_BIT_STRING *bs,
101 const int length, const unsigned char fill)
102{
103 if (bs->length < 0 || bs->length > length)
104 return 0;
105 if (bs->length > 0) {
106 memcpy(addr, bs->data, bs->length);
107 if ((bs->flags & 7) != 0) {
108 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
109 if (fill == 0)
110 addr[bs->length - 1] &= ~mask;
111 else
112 addr[bs->length - 1] |= mask;
113 }
114 }
115 memset(addr + bs->length, fill, length - bs->length);
116 return 1;
117}
118
119/*
120 * Extract the prefix length from a bitstring.
121 */
122#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
123
124/*
125 * i2r handler for one address bitstring.
126 */
127static int i2r_address(BIO *out,
128 const unsigned afi,
129 const unsigned char fill, const ASN1_BIT_STRING *bs)
130{
131 unsigned char addr[ADDR_RAW_BUF_LEN];
132 int i, n;
133
134 if (bs->length < 0)
135 return 0;
136 switch (afi) {
137 case IANA_AFI_IPV4:
138 if (!addr_expand(addr, bs, 4, fill))
139 return 0;
140 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
141 break;
142 case IANA_AFI_IPV6:
143 if (!addr_expand(addr, bs, 16, fill))
144 return 0;
145 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00;
146 n -= 2) ;
147 for (i = 0; i < n; i += 2)
148 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
149 (i < 14 ? ":" : ""));
150 if (i < 16)
151 BIO_puts(out, ":");
152 if (i == 0)
153 BIO_puts(out, ":");
154 break;
155 default:
156 for (i = 0; i < bs->length; i++)
157 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
158 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
159 break;
160 }
161 return 1;
162}
163
164/*
165 * i2r handler for a sequence of addresses and ranges.
166 */
167static int i2r_IPAddressOrRanges(BIO *out,
168 const int indent,
169 const IPAddressOrRanges *aors,
170 const unsigned afi)
171{
172 int i;
173 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
174 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
175 BIO_printf(out, "%*s", indent, "");
176 switch (aor->type) {
177 case IPAddressOrRange_addressPrefix:
178 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
179 return 0;
180 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
181 continue;
182 case IPAddressOrRange_addressRange:
183 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
184 return 0;
185 BIO_puts(out, "-");
186 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
187 return 0;
188 BIO_puts(out, "\n");
189 continue;
190 }
191 }
192 return 1;
193}
194
195/*
196 * i2r handler for an IPAddrBlocks extension.
197 */
198static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
199 void *ext, BIO *out, int indent)
200{
201 const IPAddrBlocks *addr = ext;
202 int i;
203 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
204 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
205 const unsigned int afi = X509v3_addr_get_afi(f);
206 switch (afi) {
207 case IANA_AFI_IPV4:
208 BIO_printf(out, "%*sIPv4", indent, "");
209 break;
210 case IANA_AFI_IPV6:
211 BIO_printf(out, "%*sIPv6", indent, "");
212 break;
213 default:
214 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
215 break;
216 }
217 if (f->addressFamily->length > 2) {
218 switch (f->addressFamily->data[2]) {
219 case 1:
220 BIO_puts(out, " (Unicast)");
221 break;
222 case 2:
223 BIO_puts(out, " (Multicast)");
224 break;
225 case 3:
226 BIO_puts(out, " (Unicast/Multicast)");
227 break;
228 case 4:
229 BIO_puts(out, " (MPLS)");
230 break;
231 case 64:
232 BIO_puts(out, " (Tunnel)");
233 break;
234 case 65:
235 BIO_puts(out, " (VPLS)");
236 break;
237 case 66:
238 BIO_puts(out, " (BGP MDT)");
239 break;
240 case 128:
241 BIO_puts(out, " (MPLS-labeled VPN)");
242 break;
243 default:
244 BIO_printf(out, " (Unknown SAFI %u)",
245 (unsigned)f->addressFamily->data[2]);
246 break;
247 }
248 }
249 switch (f->ipAddressChoice->type) {
250 case IPAddressChoice_inherit:
251 BIO_puts(out, ": inherit\n");
252 break;
253 case IPAddressChoice_addressesOrRanges:
254 BIO_puts(out, ":\n");
255 if (!i2r_IPAddressOrRanges(out,
256 indent + 2,
257 f->ipAddressChoice->
258 u.addressesOrRanges, afi))
259 return 0;
260 break;
261 }
262 }
263 return 1;
264}
265
266/*
267 * Sort comparison function for a sequence of IPAddressOrRange
268 * elements.
269 *
270 * There's no sane answer we can give if addr_expand() fails, and an
271 * assertion failure on externally supplied data is seriously uncool,
272 * so we just arbitrarily declare that if given invalid inputs this
273 * function returns -1. If this messes up your preferred sort order
274 * for garbage input, tough noogies.
275 */
276static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
277 const IPAddressOrRange *b, const int length)
278{
279 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
280 int prefixlen_a = 0, prefixlen_b = 0;
281 int r;
282
283 switch (a->type) {
284 case IPAddressOrRange_addressPrefix:
285 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
286 return -1;
287 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
288 break;
289 case IPAddressOrRange_addressRange:
290 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
291 return -1;
292 prefixlen_a = length * 8;
293 break;
294 }
295
296 switch (b->type) {
297 case IPAddressOrRange_addressPrefix:
298 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
299 return -1;
300 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
301 break;
302 case IPAddressOrRange_addressRange:
303 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
304 return -1;
305 prefixlen_b = length * 8;
306 break;
307 }
308
309 if ((r = memcmp(addr_a, addr_b, length)) != 0)
310 return r;
311 else
312 return prefixlen_a - prefixlen_b;
313}
314
315/*
316 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
317 * comparison routines are only allowed two arguments.
318 */
319static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
320 const IPAddressOrRange *const *b)
321{
322 return IPAddressOrRange_cmp(*a, *b, 4);
323}
324
325/*
326 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
327 * comparison routines are only allowed two arguments.
328 */
329static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
330 const IPAddressOrRange *const *b)
331{
332 return IPAddressOrRange_cmp(*a, *b, 16);
333}
334
335/*
336 * Calculate whether a range collapses to a prefix.
337 * See last paragraph of RFC 3779 2.2.3.7.
338 */
339static int range_should_be_prefix(const unsigned char *min,
340 const unsigned char *max, const int length)
341{
342 unsigned char mask;
343 int i, j;
344
345 if (memcmp(min, max, length) <= 0)
346 return -1;
347 for (i = 0; i < length && min[i] == max[i]; i++) ;
348 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
349 if (i < j)
350 return -1;
351 if (i > j)
352 return i * 8;
353 mask = min[i] ^ max[i];
354 switch (mask) {
355 case 0x01:
356 j = 7;
357 break;
358 case 0x03:
359 j = 6;
360 break;
361 case 0x07:
362 j = 5;
363 break;
364 case 0x0F:
365 j = 4;
366 break;
367 case 0x1F:
368 j = 3;
369 break;
370 case 0x3F:
371 j = 2;
372 break;
373 case 0x7F:
374 j = 1;
375 break;
376 default:
377 return -1;
378 }
379 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
380 return -1;
381 else
382 return i * 8 + j;
383}
384
385/*
386 * Construct a prefix.
387 */
388static int make_addressPrefix(IPAddressOrRange **result,
389 unsigned char *addr, const int prefixlen)
390{
391 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
392 IPAddressOrRange *aor = IPAddressOrRange_new();
393
394 if (aor == NULL)
395 return 0;
396 aor->type = IPAddressOrRange_addressPrefix;
397 if (aor->u.addressPrefix == NULL &&
398 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
399 goto err;
400 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
401 goto err;
402 aor->u.addressPrefix->flags &= ~7;
403 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
404 if (bitlen > 0) {
405 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
406 aor->u.addressPrefix->flags |= 8 - bitlen;
407 }
408
409 *result = aor;
410 return 1;
411
412 err:
413 IPAddressOrRange_free(aor);
414 return 0;
415}
416
417/*
418 * Construct a range. If it can be expressed as a prefix,
419 * return a prefix instead. Doing this here simplifies
420 * the rest of the code considerably.
421 */
422static int make_addressRange(IPAddressOrRange **result,
423 unsigned char *min,
424 unsigned char *max, const int length)
425{
426 IPAddressOrRange *aor;
427 int i, prefixlen;
428
429 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
430 return make_addressPrefix(result, min, prefixlen);
431
432 if ((aor = IPAddressOrRange_new()) == NULL)
433 return 0;
434 aor->type = IPAddressOrRange_addressRange;
435 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
436 goto err;
437 if (aor->u.addressRange->min == NULL &&
438 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
439 goto err;
440 if (aor->u.addressRange->max == NULL &&
441 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
442 goto err;
443
444 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ;
445 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
446 goto err;
447 aor->u.addressRange->min->flags &= ~7;
448 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
449 if (i > 0) {
450 unsigned char b = min[i - 1];
451 int j = 1;
452 while ((b & (0xFFU >> j)) != 0)
453 ++j;
454 aor->u.addressRange->min->flags |= 8 - j;
455 }
456
457 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ;
458 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
459 goto err;
460 aor->u.addressRange->max->flags &= ~7;
461 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
462 if (i > 0) {
463 unsigned char b = max[i - 1];
464 int j = 1;
465 while ((b & (0xFFU >> j)) != (0xFFU >> j))
466 ++j;
467 aor->u.addressRange->max->flags |= 8 - j;
468 }
469
470 *result = aor;
471 return 1;
472
473 err:
474 IPAddressOrRange_free(aor);
475 return 0;
476}
477
478/*
479 * Construct a new address family or find an existing one.
480 */
481static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
482 const unsigned afi,
483 const unsigned *safi)
484{
485 IPAddressFamily *f;
486 unsigned char key[3];
487 int keylen;
488 int i;
489
490 key[0] = (afi >> 8) & 0xFF;
491 key[1] = afi & 0xFF;
492 if (safi != NULL) {
493 key[2] = *safi & 0xFF;
494 keylen = 3;
495 } else {
496 keylen = 2;
497 }
498
499 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
500 f = sk_IPAddressFamily_value(addr, i);
501 if (f->addressFamily->length == keylen &&
502 !memcmp(f->addressFamily->data, key, keylen))
503 return f;
504 }
505
506 if ((f = IPAddressFamily_new()) == NULL)
507 goto err;
508 if (f->ipAddressChoice == NULL &&
509 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
510 goto err;
511 if (f->addressFamily == NULL &&
512 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
513 goto err;
514 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
515 goto err;
516 if (!sk_IPAddressFamily_push(addr, f))
517 goto err;
518
519 return f;
520
521 err:
522 IPAddressFamily_free(f);
523 return NULL;
524}
525
526/*
527 * Add an inheritance element.
528 */
529int X509v3_addr_add_inherit(IPAddrBlocks *addr,
530 const unsigned afi, const unsigned *safi)
531{
532 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
533 if (f == NULL ||
534 f->ipAddressChoice == NULL ||
535 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
536 f->ipAddressChoice->u.addressesOrRanges != NULL))
537 return 0;
538 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
539 f->ipAddressChoice->u.inherit != NULL)
540 return 1;
541 if (f->ipAddressChoice->u.inherit == NULL &&
542 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
543 return 0;
544 f->ipAddressChoice->type = IPAddressChoice_inherit;
545 return 1;
546}
547
548/*
549 * Construct an IPAddressOrRange sequence, or return an existing one.
550 */
551static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
552 const unsigned afi,
553 const unsigned *safi)
554{
555 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
556 IPAddressOrRanges *aors = NULL;
557
558 if (f == NULL ||
559 f->ipAddressChoice == NULL ||
560 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
561 f->ipAddressChoice->u.inherit != NULL))
562 return NULL;
563 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
564 aors = f->ipAddressChoice->u.addressesOrRanges;
565 if (aors != NULL)
566 return aors;
567 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
568 return NULL;
569 switch (afi) {
570 case IANA_AFI_IPV4:
571 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
572 break;
573 case IANA_AFI_IPV6:
574 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
575 break;
576 }
577 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
578 f->ipAddressChoice->u.addressesOrRanges = aors;
579 return aors;
580}
581
582/*
583 * Add a prefix.
584 */
585int X509v3_addr_add_prefix(IPAddrBlocks *addr,
586 const unsigned afi,
587 const unsigned *safi,
588 unsigned char *a, const int prefixlen)
589{
590 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
591 IPAddressOrRange *aor;
592 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
593 return 0;
594 if (sk_IPAddressOrRange_push(aors, aor))
595 return 1;
596 IPAddressOrRange_free(aor);
597 return 0;
598}
599
600/*
601 * Add a range.
602 */
603int X509v3_addr_add_range(IPAddrBlocks *addr,
604 const unsigned afi,
605 const unsigned *safi,
606 unsigned char *min, unsigned char *max)
607{
608 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
609 IPAddressOrRange *aor;
610 int length = length_from_afi(afi);
611 if (aors == NULL)
612 return 0;
613 if (!make_addressRange(&aor, min, max, length))
614 return 0;
615 if (sk_IPAddressOrRange_push(aors, aor))
616 return 1;
617 IPAddressOrRange_free(aor);
618 return 0;
619}
620
621/*
622 * Extract min and max values from an IPAddressOrRange.
623 */
624static int extract_min_max(IPAddressOrRange *aor,
625 unsigned char *min, unsigned char *max, int length)
626{
627 if (aor == NULL || min == NULL || max == NULL)
628 return 0;
629 switch (aor->type) {
630 case IPAddressOrRange_addressPrefix:
631 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
632 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
633 case IPAddressOrRange_addressRange:
634 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
635 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
636 }
637 return 0;
638}
639
640/*
641 * Public wrapper for extract_min_max().
642 */
643int X509v3_addr_get_range(IPAddressOrRange *aor,
644 const unsigned afi,
645 unsigned char *min,
646 unsigned char *max, const int length)
647{
648 int afi_length = length_from_afi(afi);
649 if (aor == NULL || min == NULL || max == NULL ||
650 afi_length == 0 || length < afi_length ||
651 (aor->type != IPAddressOrRange_addressPrefix &&
652 aor->type != IPAddressOrRange_addressRange) ||
653 !extract_min_max(aor, min, max, afi_length))
654 return 0;
655
656 return afi_length;
657}
658
659/*
660 * Sort comparison function for a sequence of IPAddressFamily.
661 *
662 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
663 * the ordering: I can read it as meaning that IPv6 without a SAFI
664 * comes before IPv4 with a SAFI, which seems pretty weird. The
665 * examples in appendix B suggest that the author intended the
666 * null-SAFI rule to apply only within a single AFI, which is what I
667 * would have expected and is what the following code implements.
668 */
669static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
670 const IPAddressFamily *const *b_)
671{
672 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
673 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
674 int len = ((a->length <= b->length) ? a->length : b->length);
675 int cmp = memcmp(a->data, b->data, len);
676 return cmp ? cmp : a->length - b->length;
677}
678
679/*
680 * Check whether an IPAddrBLocks is in canonical form.
681 */
682int X509v3_addr_is_canonical(IPAddrBlocks *addr)
683{
684 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
685 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
686 IPAddressOrRanges *aors;
687 int i, j, k;
688
689 /*
690 * Empty extension is canonical.
691 */
692 if (addr == NULL)
693 return 1;
694
695 /*
696 * Check whether the top-level list is in order.
697 */
698 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
699 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
700 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
701 if (IPAddressFamily_cmp(&a, &b) >= 0)
702 return 0;
703 }
704
705 /*
706 * Top level's ok, now check each address family.
707 */
708 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
709 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
710 int length = length_from_afi(X509v3_addr_get_afi(f));
711
712 /*
713 * Inheritance is canonical. Anything other than inheritance or
714 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
715 */
716 if (f == NULL || f->ipAddressChoice == NULL)
717 return 0;
718 switch (f->ipAddressChoice->type) {
719 case IPAddressChoice_inherit:
720 continue;
721 case IPAddressChoice_addressesOrRanges:
722 break;
723 default:
724 return 0;
725 }
726
727 /*
728 * It's an IPAddressOrRanges sequence, check it.
729 */
730 aors = f->ipAddressChoice->u.addressesOrRanges;
731 if (sk_IPAddressOrRange_num(aors) == 0)
732 return 0;
733 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
734 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
735 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
736
737 if (!extract_min_max(a, a_min, a_max, length) ||
738 !extract_min_max(b, b_min, b_max, length))
739 return 0;
740
741 /*
742 * Punt misordered list, overlapping start, or inverted range.
743 */
744 if (memcmp(a_min, b_min, length) >= 0 ||
745 memcmp(a_min, a_max, length) > 0 ||
746 memcmp(b_min, b_max, length) > 0)
747 return 0;
748
749 /*
750 * Punt if adjacent or overlapping. Check for adjacency by
751 * subtracting one from b_min first.
752 */
753 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ;
754 if (memcmp(a_max, b_min, length) >= 0)
755 return 0;
756
757 /*
758 * Check for range that should be expressed as a prefix.
759 */
760 if (a->type == IPAddressOrRange_addressRange &&
761 range_should_be_prefix(a_min, a_max, length) >= 0)
762 return 0;
763 }
764
765 /*
766 * Check range to see if it's inverted or should be a
767 * prefix.
768 */
769 j = sk_IPAddressOrRange_num(aors) - 1;
770 {
771 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
772 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
773 if (!extract_min_max(a, a_min, a_max, length))
774 return 0;
775 if (memcmp(a_min, a_max, length) > 0 ||
776 range_should_be_prefix(a_min, a_max, length) >= 0)
777 return 0;
778 }
779 }
780 }
781
782 /*
783 * If we made it through all that, we're happy.
784 */
785 return 1;
786}
787
788/*
789 * Whack an IPAddressOrRanges into canonical form.
790 */
791static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
792 const unsigned afi)
793{
794 int i, j, length = length_from_afi(afi);
795
796 /*
797 * Sort the IPAddressOrRanges sequence.
798 */
799 sk_IPAddressOrRange_sort(aors);
800
801 /*
802 * Clean up representation issues, punt on duplicates or overlaps.
803 */
804 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
805 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
806 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
807 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
808 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
809
810 if (!extract_min_max(a, a_min, a_max, length) ||
811 !extract_min_max(b, b_min, b_max, length))
812 return 0;
813
814 /*
815 * Punt inverted ranges.
816 */
817 if (memcmp(a_min, a_max, length) > 0 ||
818 memcmp(b_min, b_max, length) > 0)
819 return 0;
820
821 /*
822 * Punt overlaps.
823 */
824 if (memcmp(a_max, b_min, length) >= 0)
825 return 0;
826
827 /*
828 * Merge if a and b are adjacent. We check for
829 * adjacency by subtracting one from b_min first.
830 */
831 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ;
832 if (memcmp(a_max, b_min, length) == 0) {
833 IPAddressOrRange *merged;
834 if (!make_addressRange(&merged, a_min, b_max, length))
835 return 0;
836 (void)sk_IPAddressOrRange_set(aors, i, merged);
837 (void)sk_IPAddressOrRange_delete(aors, i + 1);
838 IPAddressOrRange_free(a);
839 IPAddressOrRange_free(b);
840 --i;
841 continue;
842 }
843 }
844
845 /*
846 * Check for inverted final range.
847 */
848 j = sk_IPAddressOrRange_num(aors) - 1;
849 {
850 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
851 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
852 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
853 if (!extract_min_max(a, a_min, a_max, length))
854 return 0;
855 if (memcmp(a_min, a_max, length) > 0)
856 return 0;
857 }
858 }
859
860 return 1;
861}
862
863/*
864 * Whack an IPAddrBlocks extension into canonical form.
865 */
866int X509v3_addr_canonize(IPAddrBlocks *addr)
867{
868 int i;
869 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
870 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
871 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
872 !IPAddressOrRanges_canonize(f->ipAddressChoice->
873 u.addressesOrRanges,
874 X509v3_addr_get_afi(f)))
875 return 0;
876 }
877 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
878 sk_IPAddressFamily_sort(addr);
879 if (!ossl_assert(X509v3_addr_is_canonical(addr)))
880 return 0;
881 return 1;
882}
883
884/*
885 * v2i handler for the IPAddrBlocks extension.
886 */
887static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
888 struct v3_ext_ctx *ctx,
889 STACK_OF(CONF_VALUE) *values)
890{
891 static const char v4addr_chars[] = "0123456789.";
892 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
893 IPAddrBlocks *addr = NULL;
894 char *s = NULL, *t;
895 int i;
896
897 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
898 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
899 return NULL;
900 }
901
902 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
903 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
904 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
905 unsigned afi, *safi = NULL, safi_;
906 const char *addr_chars = NULL;
907 int prefixlen, i1, i2, delim, length;
908
909 if (!name_cmp(val->name, "IPv4")) {
910 afi = IANA_AFI_IPV4;
911 } else if (!name_cmp(val->name, "IPv6")) {
912 afi = IANA_AFI_IPV6;
913 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
914 afi = IANA_AFI_IPV4;
915 safi = &safi_;
916 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
917 afi = IANA_AFI_IPV6;
918 safi = &safi_;
919 } else {
920 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
921 X509V3_R_EXTENSION_NAME_ERROR);
922 X509V3_conf_err(val);
923 goto err;
924 }
925
926 switch (afi) {
927 case IANA_AFI_IPV4:
928 addr_chars = v4addr_chars;
929 break;
930 case IANA_AFI_IPV6:
931 addr_chars = v6addr_chars;
932 break;
933 }
934
935 length = length_from_afi(afi);
936
937 /*
938 * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
939 * the other input values.
940 */
941 if (safi != NULL) {
942 *safi = strtoul(val->value, &t, 0);
943 t += strspn(t, " \t");
944 if (*safi > 0xFF || *t++ != ':') {
945 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
946 X509V3_conf_err(val);
947 goto err;
948 }
949 t += strspn(t, " \t");
950 s = OPENSSL_strdup(t);
951 } else {
952 s = OPENSSL_strdup(val->value);
953 }
954 if (s == NULL) {
955 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
956 goto err;
957 }
958
959 /*
960 * Check for inheritance. Not worth additional complexity to
961 * optimize this (seldom-used) case.
962 */
963 if (strcmp(s, "inherit") == 0) {
964 if (!X509v3_addr_add_inherit(addr, afi, safi)) {
965 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
966 X509V3_R_INVALID_INHERITANCE);
967 X509V3_conf_err(val);
968 goto err;
969 }
970 OPENSSL_free(s);
971 s = NULL;
972 continue;
973 }
974
975 i1 = strspn(s, addr_chars);
976 i2 = i1 + strspn(s + i1, " \t");
977 delim = s[i2++];
978 s[i1] = '\0';
979
980 if (a2i_ipadd(min, s) != length) {
981 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
982 X509V3_conf_err(val);
983 goto err;
984 }
985
986 switch (delim) {
987 case '/':
988 prefixlen = (int)strtoul(s + i2, &t, 10);
989 if (t == s + i2 || *t != '\0') {
990 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
991 X509V3_R_EXTENSION_VALUE_ERROR);
992 X509V3_conf_err(val);
993 goto err;
994 }
995 if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
996 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
997 goto err;
998 }
999 break;
1000 case '-':
1001 i1 = i2 + strspn(s + i2, " \t");
1002 i2 = i1 + strspn(s + i1, addr_chars);
1003 if (i1 == i2 || s[i2] != '\0') {
1004 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1005 X509V3_R_EXTENSION_VALUE_ERROR);
1006 X509V3_conf_err(val);
1007 goto err;
1008 }
1009 if (a2i_ipadd(max, s + i1) != length) {
1010 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1011 X509V3_R_INVALID_IPADDRESS);
1012 X509V3_conf_err(val);
1013 goto err;
1014 }
1015 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1016 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1017 X509V3_R_EXTENSION_VALUE_ERROR);
1018 X509V3_conf_err(val);
1019 goto err;
1020 }
1021 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
1022 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1023 goto err;
1024 }
1025 break;
1026 case '\0':
1027 if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1028 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1029 goto err;
1030 }
1031 break;
1032 default:
1033 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1034 X509V3_R_EXTENSION_VALUE_ERROR);
1035 X509V3_conf_err(val);
1036 goto err;
1037 }
1038
1039 OPENSSL_free(s);
1040 s = NULL;
1041 }
1042
1043 /*
1044 * Canonize the result, then we're done.
1045 */
1046 if (!X509v3_addr_canonize(addr))
1047 goto err;
1048 return addr;
1049
1050 err:
1051 OPENSSL_free(s);
1052 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1053 return NULL;
1054}
1055
1056/*
1057 * OpenSSL dispatch
1058 */
1059const X509V3_EXT_METHOD v3_addr = {
1060 NID_sbgp_ipAddrBlock, /* nid */
1061 0, /* flags */
1062 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1063 0, 0, 0, 0, /* old functions, ignored */
1064 0, /* i2s */
1065 0, /* s2i */
1066 0, /* i2v */
1067 v2i_IPAddrBlocks, /* v2i */
1068 i2r_IPAddrBlocks, /* i2r */
1069 0, /* r2i */
1070 NULL /* extension-specific data */
1071};
1072
1073/*
1074 * Figure out whether extension sues inheritance.
1075 */
1076int X509v3_addr_inherits(IPAddrBlocks *addr)
1077{
1078 int i;
1079 if (addr == NULL)
1080 return 0;
1081 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1082 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1083 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1084 return 1;
1085 }
1086 return 0;
1087}
1088
1089/*
1090 * Figure out whether parent contains child.
1091 */
1092static int addr_contains(IPAddressOrRanges *parent,
1093 IPAddressOrRanges *child, int length)
1094{
1095 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1096 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1097 int p, c;
1098
1099 if (child == NULL || parent == child)
1100 return 1;
1101 if (parent == NULL)
1102 return 0;
1103
1104 p = 0;
1105 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1106 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1107 c_min, c_max, length))
1108 return -1;
1109 for (;; p++) {
1110 if (p >= sk_IPAddressOrRange_num(parent))
1111 return 0;
1112 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1113 p_min, p_max, length))
1114 return 0;
1115 if (memcmp(p_max, c_max, length) < 0)
1116 continue;
1117 if (memcmp(p_min, c_min, length) > 0)
1118 return 0;
1119 break;
1120 }
1121 }
1122
1123 return 1;
1124}
1125
1126/*
1127 * Test whether a is a subset of b.
1128 */
1129int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1130{
1131 int i;
1132 if (a == NULL || a == b)
1133 return 1;
1134 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
1135 return 0;
1136 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1137 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1138 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1139 int j = sk_IPAddressFamily_find(b, fa);
1140 IPAddressFamily *fb;
1141 fb = sk_IPAddressFamily_value(b, j);
1142 if (fb == NULL)
1143 return 0;
1144 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1145 fa->ipAddressChoice->u.addressesOrRanges,
1146 length_from_afi(X509v3_addr_get_afi(fb))))
1147 return 0;
1148 }
1149 return 1;
1150}
1151
1152/*
1153 * Validation error handling via callback.
1154 */
1155#define validation_err(_err_) \
1156 do { \
1157 if (ctx != NULL) { \
1158 ctx->error = _err_; \
1159 ctx->error_depth = i; \
1160 ctx->current_cert = x; \
1161 ret = ctx->verify_cb(0, ctx); \
1162 } else { \
1163 ret = 0; \
1164 } \
1165 if (!ret) \
1166 goto done; \
1167 } while (0)
1168
1169/*
1170 * Core code for RFC 3779 2.3 path validation.
1171 *
1172 * Returns 1 for success, 0 on error.
1173 *
1174 * When returning 0, ctx->error MUST be set to an appropriate value other than
1175 * X509_V_OK.
1176 */
1177static int addr_validate_path_internal(X509_STORE_CTX *ctx,
1178 STACK_OF(X509) *chain,
1179 IPAddrBlocks *ext)
1180{
1181 IPAddrBlocks *child = NULL;
1182 int i, j, ret = 1;
1183 X509 *x;
1184
1185 if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
1186 || !ossl_assert(ctx != NULL || ext != NULL)
1187 || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
1188 if (ctx != NULL)
1189 ctx->error = X509_V_ERR_UNSPECIFIED;
1190 return 0;
1191 }
1192
1193 /*
1194 * Figure out where to start. If we don't have an extension to
1195 * check, we're done. Otherwise, check canonical form and
1196 * set up for walking up the chain.
1197 */
1198 if (ext != NULL) {
1199 i = -1;
1200 x = NULL;
1201 } else {
1202 i = 0;
1203 x = sk_X509_value(chain, i);
1204 if ((ext = x->rfc3779_addr) == NULL)
1205 goto done;
1206 }
1207 if (!X509v3_addr_is_canonical(ext))
1208 validation_err(X509_V_ERR_INVALID_EXTENSION);
1209 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1210 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1211 X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL,
1212 ERR_R_MALLOC_FAILURE);
1213 if (ctx != NULL)
1214 ctx->error = X509_V_ERR_OUT_OF_MEM;
1215 ret = 0;
1216 goto done;
1217 }
1218
1219 /*
1220 * Now walk up the chain. No cert may list resources that its
1221 * parent doesn't list.
1222 */
1223 for (i++; i < sk_X509_num(chain); i++) {
1224 x = sk_X509_value(chain, i);
1225 if (!X509v3_addr_is_canonical(x->rfc3779_addr))
1226 validation_err(X509_V_ERR_INVALID_EXTENSION);
1227 if (x->rfc3779_addr == NULL) {
1228 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1229 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1230 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1231 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1232 break;
1233 }
1234 }
1235 continue;
1236 }
1237 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1238 IPAddressFamily_cmp);
1239 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1240 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1241 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1242 IPAddressFamily *fp =
1243 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1244 if (fp == NULL) {
1245 if (fc->ipAddressChoice->type ==
1246 IPAddressChoice_addressesOrRanges) {
1247 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1248 break;
1249 }
1250 continue;
1251 }
1252 if (fp->ipAddressChoice->type ==
1253 IPAddressChoice_addressesOrRanges) {
1254 if (fc->ipAddressChoice->type == IPAddressChoice_inherit
1255 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1256 fc->ipAddressChoice->u.addressesOrRanges,
1257 length_from_afi(X509v3_addr_get_afi(fc))))
1258 sk_IPAddressFamily_set(child, j, fp);
1259 else
1260 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1261 }
1262 }
1263 }
1264
1265 /*
1266 * Trust anchor can't inherit.
1267 */
1268 if (x->rfc3779_addr != NULL) {
1269 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1270 IPAddressFamily *fp =
1271 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1272 if (fp->ipAddressChoice->type == IPAddressChoice_inherit
1273 && sk_IPAddressFamily_find(child, fp) >= 0)
1274 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1275 }
1276 }
1277
1278 done:
1279 sk_IPAddressFamily_free(child);
1280 return ret;
1281}
1282
1283#undef validation_err
1284
1285/*
1286 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1287 */
1288int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1289{
1290 if (ctx->chain == NULL
1291 || sk_X509_num(ctx->chain) == 0
1292 || ctx->verify_cb == NULL) {
1293 ctx->error = X509_V_ERR_UNSPECIFIED;
1294 return 0;
1295 }
1296 return addr_validate_path_internal(ctx, ctx->chain, NULL);
1297}
1298
1299/*
1300 * RFC 3779 2.3 path validation of an extension.
1301 * Test whether chain covers extension.
1302 */
1303int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1304 IPAddrBlocks *ext, int allow_inheritance)
1305{
1306 if (ext == NULL)
1307 return 1;
1308 if (chain == NULL || sk_X509_num(chain) == 0)
1309 return 0;
1310 if (!allow_inheritance && X509v3_addr_inherits(ext))
1311 return 0;
1312 return addr_validate_path_internal(NULL, chain, ext);
1313}
1314
1315#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
new file mode 100644
index 0000000000..ac68572672
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -0,0 +1,894 @@
1/*
2 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10/*
11 * Implementation of RFC 3779 section 3.2.
12 */
13
14#include <assert.h>
15#include <stdio.h>
16#include <string.h>
17#include "internal/cryptlib.h"
18#include <openssl/conf.h>
19#include <openssl/asn1.h>
20#include <openssl/asn1t.h>
21#include <openssl/x509v3.h>
22#include <openssl/x509.h>
23#include "crypto/x509.h"
24#include <openssl/bn.h>
25#include "ext_dat.h"
26
27#ifndef OPENSSL_NO_RFC3779
28
29/*
30 * OpenSSL ASN.1 template translation of RFC 3779 3.2.3.
31 */
32
33ASN1_SEQUENCE(ASRange) = {
34 ASN1_SIMPLE(ASRange, min, ASN1_INTEGER),
35 ASN1_SIMPLE(ASRange, max, ASN1_INTEGER)
36} ASN1_SEQUENCE_END(ASRange)
37
38ASN1_CHOICE(ASIdOrRange) = {
39 ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER),
40 ASN1_SIMPLE(ASIdOrRange, u.range, ASRange)
41} ASN1_CHOICE_END(ASIdOrRange)
42
43ASN1_CHOICE(ASIdentifierChoice) = {
44 ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL),
45 ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange)
46} ASN1_CHOICE_END(ASIdentifierChoice)
47
48ASN1_SEQUENCE(ASIdentifiers) = {
49 ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0),
50 ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1)
51} ASN1_SEQUENCE_END(ASIdentifiers)
52
53IMPLEMENT_ASN1_FUNCTIONS(ASRange)
54IMPLEMENT_ASN1_FUNCTIONS(ASIdOrRange)
55IMPLEMENT_ASN1_FUNCTIONS(ASIdentifierChoice)
56IMPLEMENT_ASN1_FUNCTIONS(ASIdentifiers)
57
58/*
59 * i2r method for an ASIdentifierChoice.
60 */
61static int i2r_ASIdentifierChoice(BIO *out,
62 ASIdentifierChoice *choice,
63 int indent, const char *msg)
64{
65 int i;
66 char *s;
67 if (choice == NULL)
68 return 1;
69 BIO_printf(out, "%*s%s:\n", indent, "", msg);
70 switch (choice->type) {
71 case ASIdentifierChoice_inherit:
72 BIO_printf(out, "%*sinherit\n", indent + 2, "");
73 break;
74 case ASIdentifierChoice_asIdsOrRanges:
75 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) {
76 ASIdOrRange *aor =
77 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
78 switch (aor->type) {
79 case ASIdOrRange_id:
80 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL)
81 return 0;
82 BIO_printf(out, "%*s%s\n", indent + 2, "", s);
83 OPENSSL_free(s);
84 break;
85 case ASIdOrRange_range:
86 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL)
87 return 0;
88 BIO_printf(out, "%*s%s-", indent + 2, "", s);
89 OPENSSL_free(s);
90 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL)
91 return 0;
92 BIO_printf(out, "%s\n", s);
93 OPENSSL_free(s);
94 break;
95 default:
96 return 0;
97 }
98 }
99 break;
100 default:
101 return 0;
102 }
103 return 1;
104}
105
106/*
107 * i2r method for an ASIdentifier extension.
108 */
109static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method,
110 void *ext, BIO *out, int indent)
111{
112 ASIdentifiers *asid = ext;
113 return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
114 "Autonomous System Numbers") &&
115 i2r_ASIdentifierChoice(out, asid->rdi, indent,
116 "Routing Domain Identifiers"));
117}
118
119/*
120 * Sort comparison function for a sequence of ASIdOrRange elements.
121 */
122static int ASIdOrRange_cmp(const ASIdOrRange *const *a_,
123 const ASIdOrRange *const *b_)
124{
125 const ASIdOrRange *a = *a_, *b = *b_;
126
127 assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
128 (a->type == ASIdOrRange_range && a->u.range != NULL &&
129 a->u.range->min != NULL && a->u.range->max != NULL));
130
131 assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
132 (b->type == ASIdOrRange_range && b->u.range != NULL &&
133 b->u.range->min != NULL && b->u.range->max != NULL));
134
135 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
136 return ASN1_INTEGER_cmp(a->u.id, b->u.id);
137
138 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
139 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
140 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max,
141 b->u.range->max);
142 }
143
144 if (a->type == ASIdOrRange_id)
145 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
146 else
147 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
148}
149
150/*
151 * Add an inherit element.
152 */
153int X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
154{
155 ASIdentifierChoice **choice;
156 if (asid == NULL)
157 return 0;
158 switch (which) {
159 case V3_ASID_ASNUM:
160 choice = &asid->asnum;
161 break;
162 case V3_ASID_RDI:
163 choice = &asid->rdi;
164 break;
165 default:
166 return 0;
167 }
168 if (*choice == NULL) {
169 if ((*choice = ASIdentifierChoice_new()) == NULL)
170 return 0;
171 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
172 return 0;
173 (*choice)->type = ASIdentifierChoice_inherit;
174 }
175 return (*choice)->type == ASIdentifierChoice_inherit;
176}
177
178/*
179 * Add an ID or range to an ASIdentifierChoice.
180 */
181int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
182 int which, ASN1_INTEGER *min, ASN1_INTEGER *max)
183{
184 ASIdentifierChoice **choice;
185 ASIdOrRange *aor;
186 if (asid == NULL)
187 return 0;
188 switch (which) {
189 case V3_ASID_ASNUM:
190 choice = &asid->asnum;
191 break;
192 case V3_ASID_RDI:
193 choice = &asid->rdi;
194 break;
195 default:
196 return 0;
197 }
198 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
199 return 0;
200 if (*choice == NULL) {
201 if ((*choice = ASIdentifierChoice_new()) == NULL)
202 return 0;
203 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
204 if ((*choice)->u.asIdsOrRanges == NULL)
205 return 0;
206 (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
207 }
208 if ((aor = ASIdOrRange_new()) == NULL)
209 return 0;
210 if (max == NULL) {
211 aor->type = ASIdOrRange_id;
212 aor->u.id = min;
213 } else {
214 aor->type = ASIdOrRange_range;
215 if ((aor->u.range = ASRange_new()) == NULL)
216 goto err;
217 ASN1_INTEGER_free(aor->u.range->min);
218 aor->u.range->min = min;
219 ASN1_INTEGER_free(aor->u.range->max);
220 aor->u.range->max = max;
221 }
222 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
223 goto err;
224 return 1;
225
226 err:
227 ASIdOrRange_free(aor);
228 return 0;
229}
230
231/*
232 * Extract min and max values from an ASIdOrRange.
233 */
234static int extract_min_max(ASIdOrRange *aor,
235 ASN1_INTEGER **min, ASN1_INTEGER **max)
236{
237 if (!ossl_assert(aor != NULL))
238 return 0;
239 switch (aor->type) {
240 case ASIdOrRange_id:
241 *min = aor->u.id;
242 *max = aor->u.id;
243 return 1;
244 case ASIdOrRange_range:
245 *min = aor->u.range->min;
246 *max = aor->u.range->max;
247 return 1;
248 }
249
250 return 0;
251}
252
253/*
254 * Check whether an ASIdentifierChoice is in canonical form.
255 */
256static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
257{
258 ASN1_INTEGER *a_max_plus_one = NULL;
259 ASN1_INTEGER *orig;
260 BIGNUM *bn = NULL;
261 int i, ret = 0;
262
263 /*
264 * Empty element or inheritance is canonical.
265 */
266 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
267 return 1;
268
269 /*
270 * If not a list, or if empty list, it's broken.
271 */
272 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
273 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
274 return 0;
275
276 /*
277 * It's a list, check it.
278 */
279 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
280 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
281 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
282 ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =
283 NULL;
284
285 if (!extract_min_max(a, &a_min, &a_max)
286 || !extract_min_max(b, &b_min, &b_max))
287 goto done;
288
289 /*
290 * Punt misordered list, overlapping start, or inverted range.
291 */
292 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
293 ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
294 ASN1_INTEGER_cmp(b_min, b_max) > 0)
295 goto done;
296
297 /*
298 * Calculate a_max + 1 to check for adjacency.
299 */
300 if ((bn == NULL && (bn = BN_new()) == NULL) ||
301 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
302 !BN_add_word(bn, 1)) {
303 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
304 ERR_R_MALLOC_FAILURE);
305 goto done;
306 }
307
308 if ((a_max_plus_one =
309 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
310 a_max_plus_one = orig;
311 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
312 ERR_R_MALLOC_FAILURE);
313 goto done;
314 }
315
316 /*
317 * Punt if adjacent or overlapping.
318 */
319 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
320 goto done;
321 }
322
323 /*
324 * Check for inverted range.
325 */
326 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
327 {
328 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
329 ASN1_INTEGER *a_min, *a_max;
330 if (a != NULL && a->type == ASIdOrRange_range) {
331 if (!extract_min_max(a, &a_min, &a_max)
332 || ASN1_INTEGER_cmp(a_min, a_max) > 0)
333 goto done;
334 }
335 }
336
337 ret = 1;
338
339 done:
340 ASN1_INTEGER_free(a_max_plus_one);
341 BN_free(bn);
342 return ret;
343}
344
345/*
346 * Check whether an ASIdentifier extension is in canonical form.
347 */
348int X509v3_asid_is_canonical(ASIdentifiers *asid)
349{
350 return (asid == NULL ||
351 (ASIdentifierChoice_is_canonical(asid->asnum) &&
352 ASIdentifierChoice_is_canonical(asid->rdi)));
353}
354
355/*
356 * Whack an ASIdentifierChoice into canonical form.
357 */
358static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
359{
360 ASN1_INTEGER *a_max_plus_one = NULL;
361 ASN1_INTEGER *orig;
362 BIGNUM *bn = NULL;
363 int i, ret = 0;
364
365 /*
366 * Nothing to do for empty element or inheritance.
367 */
368 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
369 return 1;
370
371 /*
372 * If not a list, or if empty list, it's broken.
373 */
374 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
375 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
376 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
377 X509V3_R_EXTENSION_VALUE_ERROR);
378 return 0;
379 }
380
381 /*
382 * We have a non-empty list. Sort it.
383 */
384 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
385
386 /*
387 * Now check for errors and suboptimal encoding, rejecting the
388 * former and fixing the latter.
389 */
390 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
391 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
392 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
393 ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max =
394 NULL;
395
396 if (!extract_min_max(a, &a_min, &a_max)
397 || !extract_min_max(b, &b_min, &b_max))
398 goto done;
399
400 /*
401 * Make sure we're properly sorted (paranoia).
402 */
403 if (!ossl_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0))
404 goto done;
405
406 /*
407 * Punt inverted ranges.
408 */
409 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
410 ASN1_INTEGER_cmp(b_min, b_max) > 0)
411 goto done;
412
413 /*
414 * Check for overlaps.
415 */
416 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
417 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
418 X509V3_R_EXTENSION_VALUE_ERROR);
419 goto done;
420 }
421
422 /*
423 * Calculate a_max + 1 to check for adjacency.
424 */
425 if ((bn == NULL && (bn = BN_new()) == NULL) ||
426 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
427 !BN_add_word(bn, 1)) {
428 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
429 ERR_R_MALLOC_FAILURE);
430 goto done;
431 }
432
433 if ((a_max_plus_one =
434 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
435 a_max_plus_one = orig;
436 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
437 ERR_R_MALLOC_FAILURE);
438 goto done;
439 }
440
441 /*
442 * If a and b are adjacent, merge them.
443 */
444 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
445 ASRange *r;
446 switch (a->type) {
447 case ASIdOrRange_id:
448 if ((r = OPENSSL_malloc(sizeof(*r))) == NULL) {
449 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
450 ERR_R_MALLOC_FAILURE);
451 goto done;
452 }
453 r->min = a_min;
454 r->max = b_max;
455 a->type = ASIdOrRange_range;
456 a->u.range = r;
457 break;
458 case ASIdOrRange_range:
459 ASN1_INTEGER_free(a->u.range->max);
460 a->u.range->max = b_max;
461 break;
462 }
463 switch (b->type) {
464 case ASIdOrRange_id:
465 b->u.id = NULL;
466 break;
467 case ASIdOrRange_range:
468 b->u.range->max = NULL;
469 break;
470 }
471 ASIdOrRange_free(b);
472 (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
473 i--;
474 continue;
475 }
476 }
477
478 /*
479 * Check for final inverted range.
480 */
481 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
482 {
483 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
484 ASN1_INTEGER *a_min, *a_max;
485 if (a != NULL && a->type == ASIdOrRange_range) {
486 if (!extract_min_max(a, &a_min, &a_max)
487 || ASN1_INTEGER_cmp(a_min, a_max) > 0)
488 goto done;
489 }
490 }
491
492 /* Paranoia */
493 if (!ossl_assert(ASIdentifierChoice_is_canonical(choice)))
494 goto done;
495
496 ret = 1;
497
498 done:
499 ASN1_INTEGER_free(a_max_plus_one);
500 BN_free(bn);
501 return ret;
502}
503
504/*
505 * Whack an ASIdentifier extension into canonical form.
506 */
507int X509v3_asid_canonize(ASIdentifiers *asid)
508{
509 return (asid == NULL ||
510 (ASIdentifierChoice_canonize(asid->asnum) &&
511 ASIdentifierChoice_canonize(asid->rdi)));
512}
513
514/*
515 * v2i method for an ASIdentifier extension.
516 */
517static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
518 struct v3_ext_ctx *ctx,
519 STACK_OF(CONF_VALUE) *values)
520{
521 ASN1_INTEGER *min = NULL, *max = NULL;
522 ASIdentifiers *asid = NULL;
523 int i;
524
525 if ((asid = ASIdentifiers_new()) == NULL) {
526 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
527 return NULL;
528 }
529
530 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
531 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
532 int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0;
533
534 /*
535 * Figure out whether this is an AS or an RDI.
536 */
537 if (!name_cmp(val->name, "AS")) {
538 which = V3_ASID_ASNUM;
539 } else if (!name_cmp(val->name, "RDI")) {
540 which = V3_ASID_RDI;
541 } else {
542 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
543 X509V3_R_EXTENSION_NAME_ERROR);
544 X509V3_conf_err(val);
545 goto err;
546 }
547
548 /*
549 * Handle inheritance.
550 */
551 if (strcmp(val->value, "inherit") == 0) {
552 if (X509v3_asid_add_inherit(asid, which))
553 continue;
554 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
555 X509V3_R_INVALID_INHERITANCE);
556 X509V3_conf_err(val);
557 goto err;
558 }
559
560 /*
561 * Number, range, or mistake, pick it apart and figure out which.
562 */
563 i1 = strspn(val->value, "0123456789");
564 if (val->value[i1] == '\0') {
565 is_range = 0;
566 } else {
567 is_range = 1;
568 i2 = i1 + strspn(val->value + i1, " \t");
569 if (val->value[i2] != '-') {
570 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
571 X509V3_R_INVALID_ASNUMBER);
572 X509V3_conf_err(val);
573 goto err;
574 }
575 i2++;
576 i2 = i2 + strspn(val->value + i2, " \t");
577 i3 = i2 + strspn(val->value + i2, "0123456789");
578 if (val->value[i3] != '\0') {
579 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
580 X509V3_R_INVALID_ASRANGE);
581 X509V3_conf_err(val);
582 goto err;
583 }
584 }
585
586 /*
587 * Syntax is ok, read and add it.
588 */
589 if (!is_range) {
590 if (!X509V3_get_value_int(val, &min)) {
591 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
592 goto err;
593 }
594 } else {
595 char *s = OPENSSL_strdup(val->value);
596 if (s == NULL) {
597 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
598 goto err;
599 }
600 s[i1] = '\0';
601 min = s2i_ASN1_INTEGER(NULL, s);
602 max = s2i_ASN1_INTEGER(NULL, s + i2);
603 OPENSSL_free(s);
604 if (min == NULL || max == NULL) {
605 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
606 goto err;
607 }
608 if (ASN1_INTEGER_cmp(min, max) > 0) {
609 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
610 X509V3_R_EXTENSION_VALUE_ERROR);
611 goto err;
612 }
613 }
614 if (!X509v3_asid_add_id_or_range(asid, which, min, max)) {
615 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
616 goto err;
617 }
618 min = max = NULL;
619 }
620
621 /*
622 * Canonize the result, then we're done.
623 */
624 if (!X509v3_asid_canonize(asid))
625 goto err;
626 return asid;
627
628 err:
629 ASIdentifiers_free(asid);
630 ASN1_INTEGER_free(min);
631 ASN1_INTEGER_free(max);
632 return NULL;
633}
634
635/*
636 * OpenSSL dispatch.
637 */
638const X509V3_EXT_METHOD v3_asid = {
639 NID_sbgp_autonomousSysNum, /* nid */
640 0, /* flags */
641 ASN1_ITEM_ref(ASIdentifiers), /* template */
642 0, 0, 0, 0, /* old functions, ignored */
643 0, /* i2s */
644 0, /* s2i */
645 0, /* i2v */
646 v2i_ASIdentifiers, /* v2i */
647 i2r_ASIdentifiers, /* i2r */
648 0, /* r2i */
649 NULL /* extension-specific data */
650};
651
652/*
653 * Figure out whether extension uses inheritance.
654 */
655int X509v3_asid_inherits(ASIdentifiers *asid)
656{
657 return (asid != NULL &&
658 ((asid->asnum != NULL &&
659 asid->asnum->type == ASIdentifierChoice_inherit) ||
660 (asid->rdi != NULL &&
661 asid->rdi->type == ASIdentifierChoice_inherit)));
662}
663
664/*
665 * Figure out whether parent contains child.
666 */
667static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
668{
669 ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL;
670 int p, c;
671
672 if (child == NULL || parent == child)
673 return 1;
674 if (parent == NULL)
675 return 0;
676
677 p = 0;
678 for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
679 if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max))
680 return 0;
681 for (;; p++) {
682 if (p >= sk_ASIdOrRange_num(parent))
683 return 0;
684 if (!extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min,
685 &p_max))
686 return 0;
687 if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
688 continue;
689 if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
690 return 0;
691 break;
692 }
693 }
694
695 return 1;
696}
697
698/*
699 * Test whether a is a subset of b.
700 */
701int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
702{
703 return (a == NULL ||
704 a == b ||
705 (b != NULL &&
706 !X509v3_asid_inherits(a) &&
707 !X509v3_asid_inherits(b) &&
708 asid_contains(b->asnum->u.asIdsOrRanges,
709 a->asnum->u.asIdsOrRanges) &&
710 asid_contains(b->rdi->u.asIdsOrRanges,
711 a->rdi->u.asIdsOrRanges)));
712}
713
714/*
715 * Validation error handling via callback.
716 */
717#define validation_err(_err_) \
718 do { \
719 if (ctx != NULL) { \
720 ctx->error = _err_; \
721 ctx->error_depth = i; \
722 ctx->current_cert = x; \
723 ret = ctx->verify_cb(0, ctx); \
724 } else { \
725 ret = 0; \
726 } \
727 if (!ret) \
728 goto done; \
729 } while (0)
730
731/*
732 * Core code for RFC 3779 3.3 path validation.
733 */
734static int asid_validate_path_internal(X509_STORE_CTX *ctx,
735 STACK_OF(X509) *chain,
736 ASIdentifiers *ext)
737{
738 ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
739 int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
740 X509 *x;
741
742 if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
743 || !ossl_assert(ctx != NULL || ext != NULL)
744 || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
745 if (ctx != NULL)
746 ctx->error = X509_V_ERR_UNSPECIFIED;
747 return 0;
748 }
749
750
751 /*
752 * Figure out where to start. If we don't have an extension to
753 * check, we're done. Otherwise, check canonical form and
754 * set up for walking up the chain.
755 */
756 if (ext != NULL) {
757 i = -1;
758 x = NULL;
759 } else {
760 i = 0;
761 x = sk_X509_value(chain, i);
762 if ((ext = x->rfc3779_asid) == NULL)
763 goto done;
764 }
765 if (!X509v3_asid_is_canonical(ext))
766 validation_err(X509_V_ERR_INVALID_EXTENSION);
767 if (ext->asnum != NULL) {
768 switch (ext->asnum->type) {
769 case ASIdentifierChoice_inherit:
770 inherit_as = 1;
771 break;
772 case ASIdentifierChoice_asIdsOrRanges:
773 child_as = ext->asnum->u.asIdsOrRanges;
774 break;
775 }
776 }
777 if (ext->rdi != NULL) {
778 switch (ext->rdi->type) {
779 case ASIdentifierChoice_inherit:
780 inherit_rdi = 1;
781 break;
782 case ASIdentifierChoice_asIdsOrRanges:
783 child_rdi = ext->rdi->u.asIdsOrRanges;
784 break;
785 }
786 }
787
788 /*
789 * Now walk up the chain. Extensions must be in canonical form, no
790 * cert may list resources that its parent doesn't list.
791 */
792 for (i++; i < sk_X509_num(chain); i++) {
793 x = sk_X509_value(chain, i);
794 if (!ossl_assert(x != NULL)) {
795 if (ctx != NULL)
796 ctx->error = X509_V_ERR_UNSPECIFIED;
797 return 0;
798 }
799 if (x->rfc3779_asid == NULL) {
800 if (child_as != NULL || child_rdi != NULL)
801 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
802 continue;
803 }
804 if (!X509v3_asid_is_canonical(x->rfc3779_asid))
805 validation_err(X509_V_ERR_INVALID_EXTENSION);
806 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
807 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
808 child_as = NULL;
809 inherit_as = 0;
810 }
811 if (x->rfc3779_asid->asnum != NULL &&
812 x->rfc3779_asid->asnum->type ==
813 ASIdentifierChoice_asIdsOrRanges) {
814 if (inherit_as
815 || asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges,
816 child_as)) {
817 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
818 inherit_as = 0;
819 } else {
820 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
821 }
822 }
823 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
824 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
825 child_rdi = NULL;
826 inherit_rdi = 0;
827 }
828 if (x->rfc3779_asid->rdi != NULL &&
829 x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) {
830 if (inherit_rdi ||
831 asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges,
832 child_rdi)) {
833 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
834 inherit_rdi = 0;
835 } else {
836 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
837 }
838 }
839 }
840
841 /*
842 * Trust anchor can't inherit.
843 */
844 if (!ossl_assert(x != NULL)) {
845 if (ctx != NULL)
846 ctx->error = X509_V_ERR_UNSPECIFIED;
847 return 0;
848 }
849 if (x->rfc3779_asid != NULL) {
850 if (x->rfc3779_asid->asnum != NULL &&
851 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
852 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
853 if (x->rfc3779_asid->rdi != NULL &&
854 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
855 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
856 }
857
858 done:
859 return ret;
860}
861
862#undef validation_err
863
864/*
865 * RFC 3779 3.3 path validation -- called from X509_verify_cert().
866 */
867int X509v3_asid_validate_path(X509_STORE_CTX *ctx)
868{
869 if (ctx->chain == NULL
870 || sk_X509_num(ctx->chain) == 0
871 || ctx->verify_cb == NULL) {
872 ctx->error = X509_V_ERR_UNSPECIFIED;
873 return 0;
874 }
875 return asid_validate_path_internal(ctx, ctx->chain, NULL);
876}
877
878/*
879 * RFC 3779 3.3 path validation of an extension.
880 * Test whether chain covers extension.
881 */
882int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
883 ASIdentifiers *ext, int allow_inheritance)
884{
885 if (ext == NULL)
886 return 1;
887 if (chain == NULL || sk_X509_num(chain) == 0)
888 return 0;
889 if (!allow_inheritance && X509v3_asid_inherits(ext))
890 return 0;
891 return asid_validate_path_internal(NULL, chain, ext);
892}
893
894#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index aff9f607bc..3f0081fe40 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_purp.c,v 1.5 2021/07/23 20:40:49 schwarze Exp $ */ 1/* $OpenBSD: x509_purp.c,v 1.6 2021/09/02 12:41:44 job Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2001. 3 * project 2001.
4 */ 4 */
@@ -366,6 +366,10 @@ X509_supported_extension(X509_EXTENSION *ex)
366 NID_basic_constraints, /* 87 */ 366 NID_basic_constraints, /* 87 */
367 NID_certificate_policies, /* 89 */ 367 NID_certificate_policies, /* 89 */
368 NID_ext_key_usage, /* 126 */ 368 NID_ext_key_usage, /* 126 */
369#ifndef OPENSSL_NO_RFC3779
370 NID_sbgp_ipAddrBlock, /* 290 */
371 NID_sbgp_autonomousSysNum, /* 291 */
372#endif
369 NID_policy_constraints, /* 401 */ 373 NID_policy_constraints, /* 401 */
370 NID_proxyCertInfo, /* 663 */ 374 NID_proxyCertInfo, /* 663 */
371 NID_name_constraints, /* 666 */ 375 NID_name_constraints, /* 666 */
@@ -587,6 +591,15 @@ x509v3_cache_extensions(X509 *x)
587 x->ex_flags |= EXFLAG_INVALID; 591 x->ex_flags |= EXFLAG_INVALID;
588 setup_crldp(x); 592 setup_crldp(x);
589 593
594#ifndef OPENSSL_NO_RFC3779
595 x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL);
596 if (x->rfc3779_addr == NULL && i != -1)
597 x->ex_flags |= EXFLAG_INVALID;
598 x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL);
599 if (x->rfc3779_asid == NULL && i != -1)
600 x->ex_flags |= EXFLAG_INVALID;
601#endif
602
590 for (i = 0; i < X509_get_ext_count(x); i++) { 603 for (i = 0; i < X509_get_ext_count(x); i++) {
591 ex = X509_get_ext(x, i); 604 ex = X509_get_ext(x, i);
592 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == 605 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h
index d2754fa624..3cccf86242 100644
--- a/src/lib/libcrypto/x509/x509v3.h
+++ b/src/lib/libcrypto/x509/x509v3.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509v3.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */ 1/* $OpenBSD: x509v3.h,v 1.3 2021/09/02 12:41:44 job Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 1999. 3 * project 1999.
4 */ 4 */
@@ -842,6 +842,149 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
842void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); 842void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
843DECLARE_STACK_OF(X509_POLICY_NODE) 843DECLARE_STACK_OF(X509_POLICY_NODE)
844 844
845#if defined(LIBRESSL_INTERNAL)
846#ifndef OPENSSL_NO_RFC3779
847typedef struct ASRange_st {
848 ASN1_INTEGER *min, *max;
849} ASRange;
850
851# define ASIdOrRange_id 0
852# define ASIdOrRange_range 1
853
854typedef struct ASIdOrRange_st {
855 int type;
856 union {
857 ASN1_INTEGER *id;
858 ASRange *range;
859 } u;
860} ASIdOrRange;
861
862typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
863DEFINE_STACK_OF(ASIdOrRange)
864
865# define ASIdentifierChoice_inherit 0
866# define ASIdentifierChoice_asIdsOrRanges 1
867
868typedef struct ASIdentifierChoice_st {
869 int type;
870 union {
871 ASN1_NULL *inherit;
872 ASIdOrRanges *asIdsOrRanges;
873 } u;
874} ASIdentifierChoice;
875
876typedef struct ASIdentifiers_st {
877 ASIdentifierChoice *asnum, *rdi;
878} ASIdentifiers;
879
880DECLARE_ASN1_FUNCTIONS(ASRange)
881DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
882DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
883DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
884typedef struct IPAddressRange_st {
885 ASN1_BIT_STRING *min, *max;
886} IPAddressRange;
887
888# define IPAddressOrRange_addressPrefix 0
889# define IPAddressOrRange_addressRange 1
890
891typedef struct IPAddressOrRange_st {
892 int type;
893 union {
894 ASN1_BIT_STRING *addressPrefix;
895 IPAddressRange *addressRange;
896 } u;
897} IPAddressOrRange;
898
899typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
900DEFINE_STACK_OF(IPAddressOrRange)
901
902# define IPAddressChoice_inherit 0
903# define IPAddressChoice_addressesOrRanges 1
904
905typedef struct IPAddressChoice_st {
906 int type;
907 union {
908 ASN1_NULL *inherit;
909 IPAddressOrRanges *addressesOrRanges;
910 } u;
911} IPAddressChoice;
912
913typedef struct IPAddressFamily_st {
914 ASN1_OCTET_STRING *addressFamily;
915 IPAddressChoice *ipAddressChoice;
916} IPAddressFamily;
917
918typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
919DEFINE_STACK_OF(IPAddressFamily)
920DECLARE_ASN1_FUNCTIONS(IPAddressRange)
921DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
922DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
923DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
924
925/*
926 * API tag for elements of the ASIdentifer SEQUENCE.
927 */
928# define V3_ASID_ASNUM 0
929# define V3_ASID_RDI 1
930
931/*
932 * AFI values, assigned by IANA. It'd be nice to make the AFI
933 * handling code totally generic, but there are too many little things
934 * that would need to be defined for other address families for it to
935 * be worth the trouble.
936 */
937# define IANA_AFI_IPV4 1
938# define IANA_AFI_IPV6 2
939/*
940 * Utilities to construct and extract values from RFC3779 extensions,
941 * since some of the encodings (particularly for IP address prefixes
942 * and ranges) are a bit tedious to work with directly.
943 */
944int X509v3_asid_add_inherit(ASIdentifiers *asid, int which);
945int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
946 ASN1_INTEGER *min, ASN1_INTEGER *max);
947int X509v3_addr_add_inherit(IPAddrBlocks *addr,
948 const unsigned afi, const unsigned *safi);
949int X509v3_addr_add_prefix(IPAddrBlocks *addr,
950 const unsigned afi, const unsigned *safi,
951 unsigned char *a, const int prefixlen);
952int X509v3_addr_add_range(IPAddrBlocks *addr,
953 const unsigned afi, const unsigned *safi,
954 unsigned char *min, unsigned char *max);
955unsigned X509v3_addr_get_afi(const IPAddressFamily *f);
956int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
957 unsigned char *min, unsigned char *max,
958 const int length);
959/*
960 * Canonical forms.
961 */
962int X509v3_asid_is_canonical(ASIdentifiers *asid);
963int X509v3_addr_is_canonical(IPAddrBlocks *addr);
964int X509v3_asid_canonize(ASIdentifiers *asid);
965int X509v3_addr_canonize(IPAddrBlocks *addr);
966
967/*
968 * Tests for inheritance and containment.
969 */
970int X509v3_asid_inherits(ASIdentifiers *asid);
971int X509v3_addr_inherits(IPAddrBlocks *addr);
972int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
973int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
974
975/*
976 * Check whether RFC 3779 extensions nest properly in chains.
977 */
978int X509v3_asid_validate_path(X509_STORE_CTX *);
979int X509v3_addr_validate_path(X509_STORE_CTX *);
980int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
981 ASIdentifiers *ext,
982 int allow_inheritance);
983int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
984 IPAddrBlocks *ext, int allow_inheritance);
985
986#endif /* OPENSSL_NO_RFC3779 */
987#endif
845 988
846/* BEGIN ERROR CODES */ 989/* BEGIN ERROR CODES */
847/* The following lines are auto generated by the script mkerr.pl. Any changes 990/* The following lines are auto generated by the script mkerr.pl. Any changes
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 00:56:36 +0000