1 files changed, 0 insertions, 525 deletions
diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3
deleted file mode 100644
index a812107cdf..0000000000
--- a/src/lib/libcrypto/man/IPAddressRange_new.3
+++ /dev/null
@@ -1,525 +0,0 @@
-.\" $OpenBSD: IPAddressRange_new.3,v 1.9 2023/10/03 09:58:06 tb Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 3 2023 $
-.Dt IPADDRESSRANGE_NEW 3
-.Os
-.Sh NAME
-.Nm IPAddressRange_new ,
-.Nm IPAddressRange_free ,
-.Nm d2i_IPAddressRange ,
-.Nm i2d_IPAddressRange ,
-.Nm IPAddressOrRange_new ,
-.Nm IPAddressOrRange_free ,
-.Nm d2i_IPAddressOrRange ,
-.Nm i2d_IPAddressOrRange ,
-.Nm IPAddressChoice_new ,
-.Nm IPAddressChoice_free ,
-.Nm d2i_IPAddressChoice ,
-.Nm i2d_IPAddressChoice ,
-.Nm IPAddressFamily_new ,
-.Nm IPAddressFamily_free ,
-.Nm d2i_IPAddressFamily ,
-.Nm i2d_IPAddressFamily
-.Nd RFC 3779 IP address prefixes and ranges
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft "IPAddressRange *"
-.Fn IPAddressRange_new void
-.Ft void
-.Fn IPAddressRange_free "IPAddressRange *range"
-.Ft IPAddressRange *
-.Fo d2i_IPAddressRange
-.Fa "IPAddressRange **range"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_IPAddressRange
-.Fa "IPAddressRange *range"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft "IPAddressOrRange *"
-.Fn IPAddressOrRange_new void
-.Ft void
-.Fn IPAddressOrRange_free "IPAddressOrRange *aor"
-.Ft IPAddressOrRange *
-.Fo d2i_IPAddressOrRange
-.Fa "IPAddressOrRange **aor"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_IPAddressOrRange
-.Fa "IPAddressOrRange *aor"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft "IPAddressChoice *"
-.Fn IPAddressChoice_new void
-.Ft void
-.Fn IPAddressChoice_free "IPAddressChoice *ac"
-.Ft IPAddressChoice *
-.Fo d2i_IPAddressChoice
-.Fa "IPAddressChoice **ac"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_IPAddressChoice
-.Fa "IPAddressChoice *ac"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft "IPAddressFamily *"
-.Fn IPAddressFamily_new void
-.Ft void
-.Fn IPAddressFamily_free "IPAddressFamily *af"
-.Ft IPAddressFamily *
-.Fo d2i_IPAddressFamily
-.Fa "IPAddressFamily **af"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_IPAddressFamily
-.Fa "IPAddressFamily *af"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-.Vt IPAddressRange ,
-.Vt IPAddressOrRange ,
-.Vt IPAddressChoice ,
-and
-.Vt IPAddressFamily
-are building blocks of the
-.Vt IPAddrBlocks
-type representing the RFC 3779 IP address delegation extension.
-.Pp
-Per RFC 3779, section 2.1.1,
-an IPv4 or an IPv6 address is encoded in network byte order in an
-ASN.1 BIT STRING of bit size 32 or 128 bits, respectively.
-The bit size of a prefix is its prefix length;
-all insignificant zero bits are omitted
-from the encoding.
-Per section 2.1.2,
-an address range is expressed as a pair of BIT STRINGs
-where all the least significant zero bits of the lower bound
-and all the least significant one bits of the upper bound are omitted.
-.Pp
-The library provides no API for directly converting an IP address or
-prefix (in any form) to and from an
-.Vt ASN1_BIT_STRING .
-It also provides no API for directly handling ranges.
-The
-.Vt ASN1_BIT_STRING
-internals are subtle and directly manipulating them in the
-context of the RFC 3779 API is discouraged.
-The bit size of an
-.Vt ASN1_BIT_STRING
-representing an IP address prefix or range is eight times its
-.Fa length
-member minus the lowest three bits of its
-.Fa flags ,
-provided the
-.Dv ASN1_STRING_FLAG_BITS_LEFT
-flag is set.
-.Pp
-The
-.Vt IPAddressRange
-type defined in RFC 3779 section 2.2.3.9 is implemented as
-.Bd -literal -offset indent
-typedef struct IPAddressRange_st {
-        ASN1_BIT_STRING *min;
-        ASN1_BIT_STRING *max;
-} IPAddressRange;
-.Ed
-.Pp
-It represents the closed range [min,max] of IP addresses between
-.Fa min
-and
-.Fa max ,
-where
-.Fa min
-should be strictly smaller than
-.Fa max
-and the range should not be expressible as a prefix.
-.Pp
-.Fn IPAddressRange_new
-allocates a new
-.Vt IPAddressRange
-object with allocated, empty
-.Fa min
-and
-.Fa max ,
-thus representing the entire address space invalidly as a non-prefix.
-.Pp
-.Fn IPAddressRange_free
-frees
-.Fa range
-including any data contained in it.
-If
-.Fa range
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-There is no dedicated type representing the
-.Vt IPAddress
-type defined in RFC 3779 section 2.2.3.8.
-The API uses
-.Vt ASN1_BIT_STRING
-for this.
-.Pp
-The
-.Vt IPAddressOrRange
-type defined in RFC 3779 section 2.2.3.7 is implemented as
-.Bd -literal -offset indent
-typedef struct IPAddressOrRange_st {
-        int type;
-        union {
-                ASN1_BIT_STRING *addressPrefix;
-                IPAddressRange *addressRange;
-        } u;
-} IPAddressOrRange;
-.Ed
-.Pp
-representing an individual address prefix or an address range.
-The
-.Fa type
-member should be set to
-.Dv IPAddressOrRange_addressPrefix
-or
-.Dv IPAddressOrRange_addressRange
-to indicate which member of the union
-.Fa u
-is valid.
-.Pp
-.Fn IPAddressOrRange_new
-returns a new
-.Vt IPAddressOrRange
-object with invalid type and
-.Dv NULL
-members of the union
-.Fa u .
-.Pp
-.Fn IPAddressOrRange_free
-frees
-.Fa aor
-including any data contained in it,
-provided
-.Fa type
-is set correctly.
-If
-.Fa aor
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-In order to express a list of address prefixes and address ranges,
-RFC 3779 section 2.2.3.6
-uses an ASN.1 SEQUENCE,
-which is implemented via a
-.Xr STACK_OF 3
-construction over
-.Vt IPAddressOrRange :
-.Bd -literal -offset indent
-typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
-.Ed
-.Pp
-Since an
-.Vt IPAddressOrRanges
-object should be sorted in a specific way (see
-.Xr X509v3_addr_canonize 3 ) ,
-a comparison function is needed for a correct instantiation
-with
-.Xr sk_new 3 .
-The
-.Fn v4IPAddressOrRange_cmp
-and
-.Fn v6IPAddressOrRange_cmp
-functions are not directly exposed and not easily accessible
-from outside the library,
-and they are non-trivial to implement.
-It is therefore discouraged to use
-.Vt IPAddressOrRanges
-objects that are not part of an
-.Vt IPAddrBlocks
-object.
-.Pp
-The
-.Dq inherit
-marker from RFC 3779 section 2.2.3.5 is implemented as
-.Vt ASN1_NULL .
-It has no dedicated type or API and can be instantiated with
-.Xr ASN1_NULL_new 3 .
-.Pp
-The
-.Vt IPAddressChoice
-type defined in RFC 3779 section 2.2.3.4 is implemented as
-.Bd -literal -offset indent
-typedef struct IPAddressChoice_st {
-        int type;
-        union {
-                ASN1_NULL *inherit;
-                IPAddressOrRanges *addressesOrRanges;
-        } u;
-} IPAddressChoice;
-.Ed
-.Pp
-where the
-.Fa type
-member should be set to
-.Dv IPAddressChoice_inherit
-or
-.Dv IPAddressChoice_addressesOrRanges
-to indicate whether a given
-.Vt IPAddressChoice
-object represents an inherited list or an explicit list.
-.Pp
-.Fn IPAddressChoice_new
-returns a new
-.Vt IPAddressChoice
-object with invalid type and
-.Dv NULL
-members of the union
-.Fa u .
-.Pp
-.Fn IPAddressChoice_free
-frees
-.Fa ac
-including any data contained in it,
-provided
-.Fa type
-is set correctly.
-.Pp
-The
-.Fa addressFamily
-element defined in RFC 3779 section 2.2.3.3 is implemented as an
-.Vt ASN1_OCTET_STRING
-and it contains two or three octets.
-The first two octets are always present and represent the
-address family identifier (AFI)
-in network byte order.
-The optional subsequent address family identifier (SAFI)
-occupies the third octet.
-For IPv4 and IPv6,
-.Dv IANA_AFI_IPV4
-and
-.Dv IANA_AFI_IPV6
-are predefined.
-Other AFIs are not supported by this implementation.
-.Pp
-The
-.Vt IPAddressFamily
-type defined in RFC 3779 section 2.2.3.2 is implemented as
-.Bd -literal -offset indent
-typedef struct IPAddressFamily_st {
-        ASN1_OCTET_STRING *addressFamily;
-        IPAddressChoice *ipAddressChoice;
-} IPAddressFamily;
-.Ed
-.Pp
-The
-.Fa addressFamily
-member indicates the address family the
-.Fa ipAddressChoice
-represents.
-.Pp
-.Fn IPAddressFamily_new
-returns a new
-.Vt IPAddressFamily
-object with empty
-.Fa addressFamily
-and invalid
-.Fa ipAddressChoice
-members.
-.Pp
-.Fn IPAddressFamily_free
-frees
-.Fa af
-including any data contained in it.
-If
-.Fa af
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-The
-.Vt IPAddrBlocks
-type defined in RFC 3779 section 2.2.3.1
-uses an ASN.1 SEQUENCE,
-which is implemented via a
-.Xr STACK_OF 3
-construction over
-.Vt IPAddressFamily :
-.Bd -literal -offset indent
-typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
-.Ed
-.Pp
-It can be instantiated with
-.Fn sk_IPAddressFamily_new_null
-and the correct sorting function can be installed with
-.Xr X509v3_addr_canonize 3 .
-To populate it, use
-.Xr X509v3_addr_add_prefix 3
-and related functions.
-.Pp
-.Fn d2i_IPAddressRange ,
-.Fn i2d_IPAddressRange ,
-.Fn d2i_IPAddressOrRange ,
-.Fn i2d_IPAddressOrRange ,
-.Fn d2i_IPAddressChoice ,
-.Fn i2d_IPAddressChoice ,
-.Fn d2i_IPAddressFamily ,
-and
-.Fn i2d_IPAddressFamily
-decode and encode ASN.1
-.Vt IPAddressRange ,
-.Vt IPAddressOrRange ,
-.Vt IPAddressChoice ,
-and
-.Vt IPAddressFamily
-objects.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-There is no easy way of ensuring that the encodings generated by
-these functions are correct, unless they are applied to objects
-that are part of a canonical
-.Vt IPAddrBlocks
-structure, see
-.Xr X509v3_addr_is_canonical 3 .
-.Sh RETURN VALUES
-.Fn IPAddressRange_new
-returns a new
-.Vt IPAddressRange
-object with allocated, empty members, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn IPAddressOrRange_new
-returns a new, empty
-.Vt IPAddressOrRange
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn IPAddressChoice_new
-returns a new, empty
-.Vt IPAddressChoice
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn IPAddressFamily_new
-returns a new
-.Vt IPAddressFamily
-object with allocated, empty members, or
-.Dv NULL
-if an error occurs.
-.Pp
-The decoding functions
-.Fn d2i_IPAddressRange ,
-.Fn d2i_IPAddressOrRange ,
-.Fn d2i_IPAddressChoice ,
-and
-.Fn d2i_IPAddressFamily
-return an
-.Vt IPAddressRange ,
-an
-.Vt IPAddressOrRange ,
-an
-.Vt IPAddressChoice ,
-or an
-.Vt IPAddressFamily
-object, respectively,
-or
-.Dv NULL
-if an error occurs.
-.Pp
-The encoding functions
-.Fn i2d_IPAddressRange ,
-.Fn i2d_IPAddressOrRange ,
-.Fn i2d_IPAddressChoice ,
-and
-.Fn i2d_IPAddressFamily
-return the number of bytes successfully encoded
-or a value <= 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr ASN1_BIT_STRING_new 3 ,
-.Xr ASN1_OCTET_STRING_new 3 ,
-.Xr ASN1_OCTET_STRING_set 3 ,
-.Xr crypto 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_addr_add_inherit 3 ,
-.Xr X509v3_addr_inherits 3 ,
-.Xr X509v3_addr_subset 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
-.Bl -dash -compact
-.It
-section 2.1.1: Encoding of an IP Address or Prefix
-.It
-section 2.1.2: Encoding of a Range of IP Addresses
-.It
-section 2.2.3: Syntax
-.It
-section 2.2.3.1: Type IPAddrBlocks
-.It
-section 2.2.3.2: Type IPAddressFamily
-.It
-section 2.2.3.3: Element addressFamily
-.It
-section 2.2.3.4: Element ipAddressChoice and Type IPAddressChoice
-.It
-section 2.2.3.5: Element inherit
-.It
-section 2.2.3.6: Element addressesOrRanges
-.It
-section 2.2.3.7: Type IPAddressOrRange
-.It
-section 2.2.3.8: Element addressPrefix and Type IPAddress
-.It
-section 2.2.3.9: Element addressRange and Type IPAddressRange
-.El
-.Pp
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER),
-section 8.6: Encoding of a bitstring value
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
-.Sh BUGS
-.\" The internals do not seem to consistently apply and check
-.\" .Dv ASN1_STRING_FLAG_BITS_LEFT
-.\" which may lead to incorrect encoding and misinterpretation
-As it stands, the API is barely usable
-due to missing convenience accessors, constructors and destructors
-and due to the complete absence of API that checks that the
-individual building blocks are correct.
-Extracting information from a given object can be done relatively
-safely.
-However, constructing objects is very error prone, be it
-by hand or using the bug-ridden
-.Xr X509v3_addr_add_inherit 3
-API.
-.Pp
-RFC 3779 has element
-.Dq addressesOrRanges .
-Its type in this API is
-.Vt IPAddressOrRanges .

diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3 deleted file mode 100644 index a812107cdf..0000000000 --- a/src/lib/libcrypto/man/IPAddressRange_new.3 +++ /dev/null
@@ -1,525 +0,0 @@
1	.\" $OpenBSD: IPAddressRange_new.3,v 1.9 2023/10/03 09:58:06 tb Exp $
2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above
7	.\" copyright notice and this permission notice appear in all copies.
8	.\"
9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"
17	.Dd $Mdocdate: October 3 2023 $
18	.Dt IPADDRESSRANGE_NEW 3
19	.Os
20	.Sh NAME
21	.Nm IPAddressRange_new ,
22	.Nm IPAddressRange_free ,
23	.Nm d2i_IPAddressRange ,
24	.Nm i2d_IPAddressRange ,
25	.Nm IPAddressOrRange_new ,
26	.Nm IPAddressOrRange_free ,
27	.Nm d2i_IPAddressOrRange ,
28	.Nm i2d_IPAddressOrRange ,
29	.Nm IPAddressChoice_new ,
30	.Nm IPAddressChoice_free ,
31	.Nm d2i_IPAddressChoice ,
32	.Nm i2d_IPAddressChoice ,
33	.Nm IPAddressFamily_new ,
34	.Nm IPAddressFamily_free ,
35	.Nm d2i_IPAddressFamily ,
36	.Nm i2d_IPAddressFamily
37	.Nd RFC 3779 IP address prefixes and ranges
38	.Sh SYNOPSIS
39	.In openssl/x509v3.h
40	.Ft "IPAddressRange *"
41	.Fn IPAddressRange_new void
42	.Ft void
43	.Fn IPAddressRange_free "IPAddressRange *range"
44	.Ft IPAddressRange *
45	.Fo d2i_IPAddressRange
46	.Fa "IPAddressRange **range"
47	.Fa "const unsigned char **der_in"
48	.Fa "long length"
49	.Fc
50	.Ft int
51	.Fo i2d_IPAddressRange
52	.Fa "IPAddressRange *range"
53	.Fa "unsigned char **der_out"
54	.Fc
55	.Ft "IPAddressOrRange *"
56	.Fn IPAddressOrRange_new void
57	.Ft void
58	.Fn IPAddressOrRange_free "IPAddressOrRange *aor"
59	.Ft IPAddressOrRange *
60	.Fo d2i_IPAddressOrRange
61	.Fa "IPAddressOrRange **aor"
62	.Fa "const unsigned char **der_in"
63	.Fa "long length"
64	.Fc
65	.Ft int
66	.Fo i2d_IPAddressOrRange
67	.Fa "IPAddressOrRange *aor"
68	.Fa "unsigned char **der_out"
69	.Fc
70	.Ft "IPAddressChoice *"
71	.Fn IPAddressChoice_new void
72	.Ft void
73	.Fn IPAddressChoice_free "IPAddressChoice *ac"
74	.Ft IPAddressChoice *
75	.Fo d2i_IPAddressChoice
76	.Fa "IPAddressChoice **ac"
77	.Fa "const unsigned char **der_in"
78	.Fa "long length"
79	.Fc
80	.Ft int
81	.Fo i2d_IPAddressChoice
82	.Fa "IPAddressChoice *ac"
83	.Fa "unsigned char **der_out"
84	.Fc
85	.Ft "IPAddressFamily *"
86	.Fn IPAddressFamily_new void
87	.Ft void
88	.Fn IPAddressFamily_free "IPAddressFamily *af"
89	.Ft IPAddressFamily *
90	.Fo d2i_IPAddressFamily
91	.Fa "IPAddressFamily **af"
92	.Fa "const unsigned char **der_in"
93	.Fa "long length"
94	.Fc
95	.Ft int
96	.Fo i2d_IPAddressFamily
97	.Fa "IPAddressFamily *af"
98	.Fa "unsigned char **der_out"
99	.Fc
100	.Sh DESCRIPTION
101	.Vt IPAddressRange ,
102	.Vt IPAddressOrRange ,
103	.Vt IPAddressChoice ,
104	and
105	.Vt IPAddressFamily
106	are building blocks of the
107	.Vt IPAddrBlocks
108	type representing the RFC 3779 IP address delegation extension.
109	.Pp
110	Per RFC 3779, section 2.1.1,
111	an IPv4 or an IPv6 address is encoded in network byte order in an
112	ASN.1 BIT STRING of bit size 32 or 128 bits, respectively.
113	The bit size of a prefix is its prefix length;
114	all insignificant zero bits are omitted
115	from the encoding.
116	Per section 2.1.2,
117	an address range is expressed as a pair of BIT STRINGs
118	where all the least significant zero bits of the lower bound
119	and all the least significant one bits of the upper bound are omitted.
120	.Pp
121	The library provides no API for directly converting an IP address or
122	prefix (in any form) to and from an
123	.Vt ASN1_BIT_STRING .
124	It also provides no API for directly handling ranges.
125	The
126	.Vt ASN1_BIT_STRING
127	internals are subtle and directly manipulating them in the
128	context of the RFC 3779 API is discouraged.
129	The bit size of an
130	.Vt ASN1_BIT_STRING
131	representing an IP address prefix or range is eight times its
132	.Fa length
133	member minus the lowest three bits of its
134	.Fa flags ,
135	provided the
136	.Dv ASN1_STRING_FLAG_BITS_LEFT
137	flag is set.
138	.Pp
139	The
140	.Vt IPAddressRange
141	type defined in RFC 3779 section 2.2.3.9 is implemented as
142	.Bd -literal -offset indent
143	typedef struct IPAddressRange_st {
144	ASN1_BIT_STRING *min;
145	ASN1_BIT_STRING *max;
146	} IPAddressRange;
147	.Ed
148	.Pp
149	It represents the closed range [min,max] of IP addresses between
150	.Fa min
151	and
152	.Fa max ,
153	where
154	.Fa min
155	should be strictly smaller than
156	.Fa max
157	and the range should not be expressible as a prefix.
158	.Pp
159	.Fn IPAddressRange_new
160	allocates a new
161	.Vt IPAddressRange
162	object with allocated, empty
163	.Fa min
164	and
165	.Fa max ,
166	thus representing the entire address space invalidly as a non-prefix.
167	.Pp
168	.Fn IPAddressRange_free
169	frees
170	.Fa range
171	including any data contained in it.
172	If
173	.Fa range
174	is
175	.Dv NULL ,
176	no action occurs.
177	.Pp
178	There is no dedicated type representing the
179	.Vt IPAddress
180	type defined in RFC 3779 section 2.2.3.8.
181	The API uses
182	.Vt ASN1_BIT_STRING
183	for this.
184	.Pp
185	The
186	.Vt IPAddressOrRange
187	type defined in RFC 3779 section 2.2.3.7 is implemented as
188	.Bd -literal -offset indent
189	typedef struct IPAddressOrRange_st {
190	int type;
191	union {
192	ASN1_BIT_STRING *addressPrefix;
193	IPAddressRange *addressRange;
194	} u;
195	} IPAddressOrRange;
196	.Ed
197	.Pp
198	representing an individual address prefix or an address range.
199	The
200	.Fa type
201	member should be set to
202	.Dv IPAddressOrRange_addressPrefix
203	or
204	.Dv IPAddressOrRange_addressRange
205	to indicate which member of the union
206	.Fa u
207	is valid.
208	.Pp
209	.Fn IPAddressOrRange_new
210	returns a new
211	.Vt IPAddressOrRange
212	object with invalid type and
213	.Dv NULL
214	members of the union
215	.Fa u .
216	.Pp
217	.Fn IPAddressOrRange_free
218	frees
219	.Fa aor
220	including any data contained in it,
221	provided
222	.Fa type
223	is set correctly.
224	If
225	.Fa aor
226	is
227	.Dv NULL ,
228	no action occurs.
229	.Pp
230	In order to express a list of address prefixes and address ranges,
231	RFC 3779 section 2.2.3.6
232	uses an ASN.1 SEQUENCE,
233	which is implemented via a
234	.Xr STACK_OF 3
235	construction over
236	.Vt IPAddressOrRange :
237	.Bd -literal -offset indent
238	typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
239	.Ed
240	.Pp
241	Since an
242	.Vt IPAddressOrRanges
243	object should be sorted in a specific way (see
244	.Xr X509v3_addr_canonize 3 ) ,
245	a comparison function is needed for a correct instantiation
246	with
247	.Xr sk_new 3 .
248	The
249	.Fn v4IPAddressOrRange_cmp
250	and
251	.Fn v6IPAddressOrRange_cmp
252	functions are not directly exposed and not easily accessible
253	from outside the library,
254	and they are non-trivial to implement.
255	It is therefore discouraged to use
256	.Vt IPAddressOrRanges
257	objects that are not part of an
258	.Vt IPAddrBlocks
259	object.
260	.Pp
261	The
262	.Dq inherit
263	marker from RFC 3779 section 2.2.3.5 is implemented as
264	.Vt ASN1_NULL .
265	It has no dedicated type or API and can be instantiated with
266	.Xr ASN1_NULL_new 3 .
267	.Pp
268	The
269	.Vt IPAddressChoice
270	type defined in RFC 3779 section 2.2.3.4 is implemented as
271	.Bd -literal -offset indent
272	typedef struct IPAddressChoice_st {
273	int type;
274	union {
275	ASN1_NULL *inherit;
276	IPAddressOrRanges *addressesOrRanges;
277	} u;
278	} IPAddressChoice;
279	.Ed
280	.Pp
281	where the
282	.Fa type
283	member should be set to
284	.Dv IPAddressChoice_inherit
285	or
286	.Dv IPAddressChoice_addressesOrRanges
287	to indicate whether a given
288	.Vt IPAddressChoice
289	object represents an inherited list or an explicit list.
290	.Pp
291	.Fn IPAddressChoice_new
292	returns a new
293	.Vt IPAddressChoice
294	object with invalid type and
295	.Dv NULL
296	members of the union
297	.Fa u .
298	.Pp
299	.Fn IPAddressChoice_free
300	frees
301	.Fa ac
302	including any data contained in it,
303	provided
304	.Fa type
305	is set correctly.
306	.Pp
307	The
308	.Fa addressFamily
309	element defined in RFC 3779 section 2.2.3.3 is implemented as an
310	.Vt ASN1_OCTET_STRING
311	and it contains two or three octets.
312	The first two octets are always present and represent the
313	address family identifier (AFI)
314	in network byte order.
315	The optional subsequent address family identifier (SAFI)
316	occupies the third octet.
317	For IPv4 and IPv6,
318	.Dv IANA_AFI_IPV4
319	and
320	.Dv IANA_AFI_IPV6
321	are predefined.
322	Other AFIs are not supported by this implementation.
323	.Pp
324	The
325	.Vt IPAddressFamily
326	type defined in RFC 3779 section 2.2.3.2 is implemented as
327	.Bd -literal -offset indent
328	typedef struct IPAddressFamily_st {
329	ASN1_OCTET_STRING *addressFamily;
330	IPAddressChoice *ipAddressChoice;
331	} IPAddressFamily;
332	.Ed
333	.Pp
334	The
335	.Fa addressFamily
336	member indicates the address family the
337	.Fa ipAddressChoice
338	represents.
339	.Pp
340	.Fn IPAddressFamily_new
341	returns a new
342	.Vt IPAddressFamily
343	object with empty
344	.Fa addressFamily
345	and invalid
346	.Fa ipAddressChoice
347	members.
348	.Pp
349	.Fn IPAddressFamily_free
350	frees
351	.Fa af
352	including any data contained in it.
353	If
354	.Fa af
355	is
356	.Dv NULL ,
357	no action occurs.
358	.Pp
359	The
360	.Vt IPAddrBlocks
361	type defined in RFC 3779 section 2.2.3.1
362	uses an ASN.1 SEQUENCE,
363	which is implemented via a
364	.Xr STACK_OF 3
365	construction over
366	.Vt IPAddressFamily :
367	.Bd -literal -offset indent
368	typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
369	.Ed
370	.Pp
371	It can be instantiated with
372	.Fn sk_IPAddressFamily_new_null
373	and the correct sorting function can be installed with
374	.Xr X509v3_addr_canonize 3 .
375	To populate it, use
376	.Xr X509v3_addr_add_prefix 3
377	and related functions.
378	.Pp
379	.Fn d2i_IPAddressRange ,
380	.Fn i2d_IPAddressRange ,
381	.Fn d2i_IPAddressOrRange ,
382	.Fn i2d_IPAddressOrRange ,
383	.Fn d2i_IPAddressChoice ,
384	.Fn i2d_IPAddressChoice ,
385	.Fn d2i_IPAddressFamily ,
386	and
387	.Fn i2d_IPAddressFamily
388	decode and encode ASN.1
389	.Vt IPAddressRange ,
390	.Vt IPAddressOrRange ,
391	.Vt IPAddressChoice ,
392	and
393	.Vt IPAddressFamily
394	objects.
395	For details about the semantics, examples, caveats, and bugs, see
396	.Xr ASN1_item_d2i 3 .
397	There is no easy way of ensuring that the encodings generated by
398	these functions are correct, unless they are applied to objects
399	that are part of a canonical
400	.Vt IPAddrBlocks
401	structure, see
402	.Xr X509v3_addr_is_canonical 3 .
403	.Sh RETURN VALUES
404	.Fn IPAddressRange_new
405	returns a new
406	.Vt IPAddressRange
407	object with allocated, empty members, or
408	.Dv NULL
409	if an error occurs.
410	.Pp
411	.Fn IPAddressOrRange_new
412	returns a new, empty
413	.Vt IPAddressOrRange
414	object or
415	.Dv NULL
416	if an error occurs.
417	.Pp
418	.Fn IPAddressChoice_new
419	returns a new, empty
420	.Vt IPAddressChoice
421	object or
422	.Dv NULL
423	if an error occurs.
424	.Pp
425	.Fn IPAddressFamily_new
426	returns a new
427	.Vt IPAddressFamily
428	object with allocated, empty members, or
429	.Dv NULL
430	if an error occurs.
431	.Pp
432	The decoding functions
433	.Fn d2i_IPAddressRange ,
434	.Fn d2i_IPAddressOrRange ,
435	.Fn d2i_IPAddressChoice ,
436	and
437	.Fn d2i_IPAddressFamily
438	return an
439	.Vt IPAddressRange ,
440	an
441	.Vt IPAddressOrRange ,
442	an
443	.Vt IPAddressChoice ,
444	or an
445	.Vt IPAddressFamily
446	object, respectively,
447	or
448	.Dv NULL
449	if an error occurs.
450	.Pp
451	The encoding functions
452	.Fn i2d_IPAddressRange ,
453	.Fn i2d_IPAddressOrRange ,
454	.Fn i2d_IPAddressChoice ,
455	and
456	.Fn i2d_IPAddressFamily
457	return the number of bytes successfully encoded
458	or a value <= 0 if an error occurs.
459	.Sh SEE ALSO
460	.Xr ASIdentifiers_new 3 ,
461	.Xr ASN1_BIT_STRING_new 3 ,
462	.Xr ASN1_OCTET_STRING_new 3 ,
463	.Xr ASN1_OCTET_STRING_set 3 ,
464	.Xr crypto 3 ,
465	.Xr X509_new 3 ,
466	.Xr X509v3_addr_add_inherit 3 ,
467	.Xr X509v3_addr_inherits 3 ,
468	.Xr X509v3_addr_subset 3
469	.Sh STANDARDS
470	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
471	.Bl -dash -compact
472	.It
473	section 2.1.1: Encoding of an IP Address or Prefix
474	.It
475	section 2.1.2: Encoding of a Range of IP Addresses
476	.It
477	section 2.2.3: Syntax
478	.It
479	section 2.2.3.1: Type IPAddrBlocks
480	.It
481	section 2.2.3.2: Type IPAddressFamily
482	.It
483	section 2.2.3.3: Element addressFamily
484	.It
485	section 2.2.3.4: Element ipAddressChoice and Type IPAddressChoice
486	.It
487	section 2.2.3.5: Element inherit
488	.It
489	section 2.2.3.6: Element addressesOrRanges
490	.It
491	section 2.2.3.7: Type IPAddressOrRange
492	.It
493	section 2.2.3.8: Element addressPrefix and Type IPAddress
494	.It
495	section 2.2.3.9: Element addressRange and Type IPAddressRange
496	.El
497	.Pp
498	ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
499	Information technology - ASN.1 encoding rules:
500	Specification of Basic Encoding Rules (BER), Canonical Encoding
501	Rules (CER) and Distinguished Encoding Rules (DER),
502	section 8.6: Encoding of a bitstring value
503	.Sh HISTORY
504	These functions first appeared in OpenSSL 0.9.8e
505	and have been available since
506	.Ox 7.1 .
507	.Sh BUGS
508	.\" The internals do not seem to consistently apply and check
509	.\" .Dv ASN1_STRING_FLAG_BITS_LEFT
510	.\" which may lead to incorrect encoding and misinterpretation
511	As it stands, the API is barely usable
512	due to missing convenience accessors, constructors and destructors
513	and due to the complete absence of API that checks that the
514	individual building blocks are correct.
515	Extracting information from a given object can be done relatively
516	safely.
517	However, constructing objects is very error prone, be it
518	by hand or using the bug-ridden
519	.Xr X509v3_addr_add_inherit 3
520	API.
521	.Pp
522	RFC 3779 has element
523	.Dq addressesOrRanges .
524	Its type in this API is
525	.Vt IPAddressOrRanges .