Document X509v3_{addr,asid}_subset.3 take two (missed cvs add)

First RFC 3779 page without a BUG section. It could have one, but I'm in a lenient mood right now. Maybe it's just that this is bad but not quite as bad as EVP.
author: tb <> 2023-09-28 12:36:36 +0000
committer: tb <> 2023-09-28 12:36:36 +0000
commit: 360f94a206460065dc45d44d17c460390328cb15 (patch)
tree: 4b22e588237181102ed4e0ac10feb8b5b3aa608b /src
parent: f303397303b45a34025b87dcff0e9355c3dabcf4 (diff)
download: openbsd-360f94a206460065dc45d44d17c460390328cb15.tar.gz
openbsd-360f94a206460065dc45d44d17c460390328cb15.tar.bz2
openbsd-360f94a206460065dc45d44d17c460390328cb15.zip
1 files changed, 176 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/X509v3_addr_subset.3 b/src/lib/libcrypto/man/X509v3_addr_subset.3
new file mode 100644
index 0000000000..8107eb8884
--- /dev/null
+++ b/src/lib/libcrypto/man/X509v3_addr_subset.3
@@ -0,0 +1,176 @@
+.\" $OpenBSD: X509v3_addr_subset.3,v 1.1 2023/09/28 12:36:36 tb Exp $
+.\"
+.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: September 28 2023 $
+.Dt X509V3_ADDR_SUBSET 3
+.Os
+.Sh NAME
+.Nm X509v3_addr_subset ,
+.Nm X509v3_asid_subset
+.Nd RFC 3779 subset relationship
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fn X509v3_addr_subset "IPAddrBlocks *child" "IPAddrBlocks *parent"
+.Ft int
+.Fn X509v3_asid_subset "ASIdentifiers *child" "ASIdentifiers *parent"
+.Sh DESCRIPTION
+.Fn X509v3_addr_subset
+determines if all IP address resources present in
+.Fa child
+are contained in the corresponding resources in
+.Fa parent .
+.Pp
+The implementation assumes but does not ensure that both
+.Fa child
+and
+.Fa parent
+are in canonical form as described in
+.Xr X509v3_addr_is_canonical 3 .
+In particular, both
+.Fa child
+and
+.Fa parent
+are sorted appropriately and they contain at most one
+.Vt IPAddressFamily
+object per address family identifier (AFI) and optional
+subsequent address family identifier (SAFI).
+.Pp
+The checks are, in order:
+.Bl -enum
+.It
+If
+.Fa child
+is
+.Dv NULL
+or identical to
+.Fa parent
+then
+.Fa child
+is a subset of
+.Fa parent .
+(In particular, a
+.Dv NULL
+.Fa parent
+is allowed for a
+.Dv NULL
+.Fa child Ns .)
+.It
+If
+.Fa parent
+is
+.Dv NULL
+then
+.Fa child
+is not a subset of
+.Fa parent .
+.It
+If
+.Xr X509v3_addr_inherits 3
+determines that
+.Fa child
+inherits or that
+.Fa parent
+inherits
+then
+.Fa child
+is not a subset of
+.Fa parent .
+.It
+Each address prefix or range in
+.Fa child
+must be a subset of an address prefix or range in the
+.Fa parent ,
+taking AFI and optional SAFI into account:
+.Bl -bullet -compact
+.It
+For each
+.Vt IPAddressFamily
+of
+.Fa child
+there must be an
+.Vt IPAddressFamily
+of
+.Fa parent
+with the same AFI and optional SAFI.
+.It
+Since the address prefixes and ranges in corresponding
+.Vt IPAddressFamily
+objects in
+.Fa child
+and
+.Fa parent
+are sorted in ascending order,
+and do not overlap,
+they can be traversed simultaneously in linear time.
+For each prefix or range in
+.Fa child
+there must be a prefix or range in
+.Fa parent
+whose minimal address is smaller
+and whose maximal address is larger.
+.El
+If any of these steps fails,
+.Fa child
+is not a subset of
+.Fa parent .
+.El
+.Pp
+.Fn X509v3_asid_subset
+determines if all AS identifier resources in
+.Fa child
+are contained in the corresponding resources in
+.Fa parent .
+.Pp
+The description for
+.Fn X509v3_addr_subset
+applies mutatis mutandis.
+In particular,
+.Fa child
+and
+.Fa parent
+must be in canonical form per
+.Xr X509v3_asid_is_canonical 3 ,
+but this is not enforced.
+.Sh RETURN VALUES
+.Fn X509v3_addr_subset
+and
+.Fn X509v3_asid_subset
+return 1 if and only if
+.Fa child
+is a subset of
+.Fa parent ,
+otherwise they return 0.
+If both
+.Fa child
+and
+.Fa parent
+are in canonical form,
+they cannot fail.
+.Sh SEE ALSO
+.Xr ASIdentifiers_new 3 ,
+.Xr ASRange_new 3 ,
+.Xr crypto 3 ,
+.Xr IPAddressRange_new 3 ,
+.Xr X509_new 3 ,
+.Xr X509v3_addr_add_inherit 3 ,
+.Xr X509v3_asid_add_inherit 3
+.Sh STANDARDS
+RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers.
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.8e
+and have been available since
+.Ox 7.1 .
author	tb <>	2023-09-28 12:36:36 +0000
committer	tb <>	2023-09-28 12:36:36 +0000
commit	360f94a206460065dc45d44d17c460390328cb15 (patch)
tree	4b22e588237181102ed4e0ac10feb8b5b3aa608b /src
parent	f303397303b45a34025b87dcff0e9355c3dabcf4 (diff)
download	openbsd-360f94a206460065dc45d44d17c460390328cb15.tar.gz openbsd-360f94a206460065dc45d44d17c460390328cb15.tar.bz2 openbsd-360f94a206460065dc45d44d17c460390328cb15.zip

diff --git a/src/lib/libcrypto/man/X509v3_addr_subset.3 b/src/lib/libcrypto/man/X509v3_addr_subset.3 new file mode 100644 index 0000000000..8107eb8884 --- /dev/null +++ b/src/lib/libcrypto/man/X509v3_addr_subset.3
@@ -0,0 +1,176 @@
	1	.\" $OpenBSD: X509v3_addr_subset.3,v 1.1 2023/09/28 12:36:36 tb Exp $
	2	.\"
	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: September 28 2023 $
	18	.Dt X509V3_ADDR_SUBSET 3
	19	.Os
	20	.Sh NAME
	21	.Nm X509v3_addr_subset ,
	22	.Nm X509v3_asid_subset
	23	.Nd RFC 3779 subset relationship
	24	.Sh SYNOPSIS
	25	.In openssl/x509v3.h
	26	.Ft int
	27	.Fn X509v3_addr_subset "IPAddrBlocks child" "IPAddrBlocks parent"
	28	.Ft int
	29	.Fn X509v3_asid_subset "ASIdentifiers child" "ASIdentifiers parent"
	30	.Sh DESCRIPTION
	31	.Fn X509v3_addr_subset
	32	determines if all IP address resources present in
	33	.Fa child
	34	are contained in the corresponding resources in
	35	.Fa parent .
	36	.Pp
	37	The implementation assumes but does not ensure that both
	38	.Fa child
	39	and
	40	.Fa parent
	41	are in canonical form as described in
	42	.Xr X509v3_addr_is_canonical 3 .
	43	In particular, both
	44	.Fa child
	45	and
	46	.Fa parent
	47	are sorted appropriately and they contain at most one
	48	.Vt IPAddressFamily
	49	object per address family identifier (AFI) and optional
	50	subsequent address family identifier (SAFI).
	51	.Pp
	52	The checks are, in order:
	53	.Bl -enum
	54	.It
	55	If
	56	.Fa child
	57	is
	58	.Dv NULL
	59	or identical to
	60	.Fa parent
	61	then
	62	.Fa child
	63	is a subset of
	64	.Fa parent .
	65	(In particular, a
	66	.Dv NULL
	67	.Fa parent
	68	is allowed for a
	69	.Dv NULL
	70	.Fa child Ns .)
	71	.It
	72	If
	73	.Fa parent
	74	is
	75	.Dv NULL
	76	then
	77	.Fa child
	78	is not a subset of
	79	.Fa parent .
	80	.It
	81	If
	82	.Xr X509v3_addr_inherits 3
	83	determines that
	84	.Fa child
	85	inherits or that
	86	.Fa parent
	87	inherits
	88	then
	89	.Fa child
	90	is not a subset of
	91	.Fa parent .
	92	.It
	93	Each address prefix or range in
	94	.Fa child
	95	must be a subset of an address prefix or range in the
	96	.Fa parent ,
	97	taking AFI and optional SAFI into account:
	98	.Bl -bullet -compact
	99	.It
	100	For each
	101	.Vt IPAddressFamily
	102	of
	103	.Fa child
	104	there must be an
	105	.Vt IPAddressFamily
	106	of
	107	.Fa parent
	108	with the same AFI and optional SAFI.
	109	.It
	110	Since the address prefixes and ranges in corresponding
	111	.Vt IPAddressFamily
	112	objects in
	113	.Fa child
	114	and
	115	.Fa parent
	116	are sorted in ascending order,
	117	and do not overlap,
	118	they can be traversed simultaneously in linear time.
	119	For each prefix or range in
	120	.Fa child
	121	there must be a prefix or range in
	122	.Fa parent
	123	whose minimal address is smaller
	124	and whose maximal address is larger.
	125	.El
	126	If any of these steps fails,
	127	.Fa child
	128	is not a subset of
	129	.Fa parent .
	130	.El
	131	.Pp
	132	.Fn X509v3_asid_subset
	133	determines if all AS identifier resources in
	134	.Fa child
	135	are contained in the corresponding resources in
	136	.Fa parent .
	137	.Pp
	138	The description for
	139	.Fn X509v3_addr_subset
	140	applies mutatis mutandis.
	141	In particular,
	142	.Fa child
	143	and
	144	.Fa parent
	145	must be in canonical form per
	146	.Xr X509v3_asid_is_canonical 3 ,
	147	but this is not enforced.
	148	.Sh RETURN VALUES
	149	.Fn X509v3_addr_subset
	150	and
	151	.Fn X509v3_asid_subset
	152	return 1 if and only if
	153	.Fa child
	154	is a subset of
	155	.Fa parent ,
	156	otherwise they return 0.
	157	If both
	158	.Fa child
	159	and
	160	.Fa parent
	161	are in canonical form,
	162	they cannot fail.
	163	.Sh SEE ALSO
	164	.Xr ASIdentifiers_new 3 ,
	165	.Xr ASRange_new 3 ,
	166	.Xr crypto 3 ,
	167	.Xr IPAddressRange_new 3 ,
	168	.Xr X509_new 3 ,
	169	.Xr X509v3_addr_add_inherit 3 ,
	170	.Xr X509v3_asid_add_inherit 3
	171	.Sh STANDARDS
	172	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers.
	173	.Sh HISTORY
	174	These functions first appeared in OpenSSL 0.9.8e
	175	and have been available since
	176	.Ox 7.1 .