6 files changed, 69 insertions, 58 deletions
diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3
index 613fd3ce80..4f6bf67f10 100644
--- a/src/lib/libcrypto/man/ASIdentifiers_new.3
+++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASIdentifiers_new.3,v 1.6 2023/09/26 20:42:45 tb Exp $
+.\" $OpenBSD: ASIdentifiers_new.3,v 1.7 2023/09/27 08:46:46 tb Exp $
 .\"
 .\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2023 $
+.Dd $Mdocdate: September 27 2023 $
 .Dt ASIDENTIFIERS_NEW 3
 .Os
 .Sh NAME
@@ -22,7 +22,7 @@
 .Nm ASIdentifiers_free ,
 .Nm d2i_ASIdentifiers ,
 .Nm i2d_ASIdentifiers
-.Nd X509v3 certificate extension for autonomous system identifier delegation
+.Nd RFC 3779 autonomous system identifier delegation extensions
 .Sh SYNOPSIS
 .In openssl/x509v3.h
 .Ft ASIdentifiers *
@@ -112,7 +112,7 @@ or a value <= 0 if an error occurs.
 .Xr crypto 3 ,
 .Xr IPAddressRange_new 3 ,
 .Xr X509_new 3 ,
-.Xr X509v3_asid_add_id_or_range 3
+.Xr X509v3_asid_add_id_or_range 3 ,
 .Xr X509v3_asid_inherits 3
 .Sh STANDARDS
 RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
diff --git a/src/lib/libcrypto/man/ASRange_new.3 b/src/lib/libcrypto/man/ASRange_new.3
index 75b911c588..12eff26792 100644
--- a/src/lib/libcrypto/man/ASRange_new.3
+++ b/src/lib/libcrypto/man/ASRange_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASRange_new.3,v 1.4 2023/09/26 15:34:23 tb Exp $
+.\" $OpenBSD: ASRange_new.3,v 1.5 2023/09/27 08:46:46 tb Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2023 $
+.Dd $Mdocdate: September 27 2023 $
 .Dt ASRANGE_NEW 3
 .Os
 .Sh NAME
@@ -30,7 +30,7 @@
 .Nm ASIdentifierChoice_free ,
 .Nm d2i_ASIdentifierChoice ,
 .Nm i2d_ASIdentifierChoice
-.Nd Autonomous system identifiers and ranges
+.Nd RFC 3779 autonomous system identifiers and ranges
 .Sh SYNOPSIS
 .In openssl/x509v3.h
 .Ft "ASRange *"
@@ -87,21 +87,21 @@ are building blocks of the
 .Vt ASIdentifiers
 type representing the RFC 3779
 autonomous system identifier delegation extension.
-See
-.Xr ASIdentifiers_new 3
-and
-.Xr X509v3_asid_add_id_or_range 3
-for more details.
 .Pp
 All
 .Vt ASN1_INTEGER Ns s
 in this manual should be representable as unsigned 32-bit integers.
+The API performs no corresponding checks.
 The library provides no convenient way of setting the value of an
 .Vt ASN1_INTEGER
 directly.
 A detour via a
 .Vt BIGNUM
 or a string is unavoidable.
+To retrieve the value of an
+.Vt ASN1_INTEGER ,
+use
+.Xr ASN1_INTEGER_get_uint64 3 .
 .Pp
 The
 .Vt ASRange
@@ -310,7 +310,7 @@ object of
 .Fn ASRange_new
 returns a new
 .Vt ASRange
-object or
+object with allocated, empty members, or
 .Dv NULL
 if an error occurs.
 .Pp
diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3
index bee18bc0b4..07c57f3e5d 100644
--- a/src/lib/libcrypto/man/IPAddressRange_new.3
+++ b/src/lib/libcrypto/man/IPAddressRange_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: IPAddressRange_new.3,v 1.3 2023/09/26 20:42:45 tb Exp $
+.\" $OpenBSD: IPAddressRange_new.3,v 1.4 2023/09/27 08:46:46 tb Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2023 $
+.Dd $Mdocdate: September 27 2023 $
 .Dt IPADDRESSRANGE_NEW 3
 .Os
 .Sh NAME
@@ -34,7 +34,7 @@
 .Nm IPAddressFamily_free ,
 .Nm d2i_IPAddressFamily ,
 .Nm i2d_IPAddressFamily
-.Nd IP address prefixes and ranges
+.Nd RFC 3779 IP address prefixes and ranges
 .Sh SYNOPSIS
 .In openssl/x509v3.h
 .Ft "IPAddressRange *"
@@ -106,25 +106,21 @@ and
 are building blocks of the RFC 3779
 .Vt IPAddrBlocks
 type representing the IP address delegation extension.
-See
-.Xr X509v3_addr_add_inherit 3
-for more details.
 .Pp
 Per RFC 3779, section 2.1.1,
 an IPv4 or an IPv6 address is encoded in network byte order in an
 ASN.1 BIT STRING of bit size 32 or 128 bits, respectively.
-The bit size of a prefix is its prefix length,
+The bit size of a prefix is its prefix length.
-in other words, all insignificant zero bits are omitted.
+In other words, all insignificant zero bits are omitted
+from the encoding.
 An address range is expressed as a pair of BIT STRINGs
 where all least significant zero bits of the lower bound
 and the all least significant one bits of the upper bound are omitted.
-Whether a prefix or a range represents a range of IPv4 address or
-an IPv6 address must be derived from the context.
 .Pp
 The library provides no API for directly converting an IP address or
 prefix (in any form) to and from an
-.Vt ASN1_BIT_STRING
+.Vt ASN1_BIT_STRING .
-and it also provides no API for directly handling ranges.
+It also provides no API for directly handling ranges.
 The
 .Vt ASN1_BIT_STRING
 internals are subtle and directly manipulating them in the
@@ -175,7 +171,7 @@ is
 .Dv NULL ,
 no action occurs.
 .Pp
-There is no dedicated type to represent the
+There is no dedicated type representing the
 .Vt IPAddress
 type defined in RFC 3779 section 2.2.3.8.
 The API uses
@@ -404,11 +400,11 @@ structure, see
 .Fn IPAddressRange_new
 returns a new
 .Vt IPAddressRange
-object or
+object with allocated, empty members, or
 .Dv NULL
 if an error occurs.
 .Pp
-.Fn IPAddressRange_new
+.Fn IPAddressOrRange_new
 returns a new, empty
 .Vt IPAddressOrRange
 object or
@@ -423,8 +419,8 @@ object or
 if an error occurs.
 .Pp
 .Fn IPAddressFamily_new
-returns a new,
+returns a new
-.Vt IPAddressChoice
+.Vt IPAddressFamily
 object with allocated, empty members, or
 .Dv NULL
 if an error occurs.
@@ -513,3 +509,8 @@ However, constructing objects is very error prone, be it
 by hand or using the bug-ridden
 .Xr X509v3_addr_add_inherit 3
 API.
+.Pp
+RFC 3779 has element
+.Dq addressesOrRanges .
+Its type in this API is
+.Vt IPAddressOrRanges .
diff --git a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
index 887a5ecb21..3ca9bc59ae 100644
--- a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
+++ b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.4 2023/09/26 18:35:34 tb Exp $
+.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.5 2023/09/27 08:46:46 tb Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2023 $
+.Dd $Mdocdate: September 27 2023 $
 .Dt X509V3_ADDR_ADD_INHERIT 3
 .Os
 .Sh NAME
@@ -23,8 +23,7 @@
 .Nm X509v3_addr_add_range ,
 .Nm X509v3_addr_canonize ,
 .Nm X509v3_addr_is_canonical
-.Nd construct X509v3 IP address blocks extensions and
+.Nd RFC 3779 IP address delegation extensions
-bring them into canonical form
 .Sh SYNOPSIS
 .In openssl/x509v3.h
 .Ft int
@@ -63,15 +62,18 @@ An
 object represents the content of
 an X509v3 IP address blocks delegation extension
 as defined in RFC 3779, section 2.2.3.1.
-It can hold lists of delegated IP address prefixes and
+It holds lists of IP address prefixes and IP address ranges
-IP address ranges.
+delegated from the issuer to the subject of the certificate.
 It can be instantiated as explained in the EXAMPLES section
 and its internals are documented in
 .Xr IPAddressRange_new 3 .
-Each list is uniquely identified by
+.Pp
+Each list in a well-formed
+.Vt IPAddrBlocks
+object is uniquely identified by
 an address family identifier (AFI) and
 an optional subsequent address family identifier (SAFI).
-Each list can be absent or it can contain a single
+Lists can be absent or can contain an
 .Dq inherit
 marker to indicate that the resources are to be inherited
 from the corresponding list of the issuer certificate.
@@ -171,7 +173,7 @@ In case the range of IP addresses between
 .Fa min
 and
 .Fa max
-is a prefix, a prefix will be added.
+is a prefix, a prefix will be added instead of a range.
 It is the caller's responsibility to ensure that
 .Fa min
 is less than or equal to
@@ -190,7 +192,8 @@ An
 .Vt IPAddrBlocks
 object is said to be in canonical form if it conforms
 to the ordering specified in RFC 3779:
-section 2.2.3.3 requires that the lists be sorted first by increasing
+section 2.2.3.3 requires that
+the list of lists be sorted first by increasing
 .Fa afi
 and then by increasing
 .Fa safi ,
@@ -397,7 +400,7 @@ is desired.
 .Xr IPAddressRange_new 3 ,
 .Xr X509_new 3 ,
 .Xr X509v3_asid_add_id_or_range 3 ,
-.Xr X509v3_asid_get_range 3
+.Xr X509v3_addr_get_range 3
 .Sh STANDARDS
 RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
 .Bl -dash -compact
@@ -434,12 +437,12 @@ is not public.
 The above examples show how to implement the four missing functions
 with public API.
 .Pp
-.Fn X509v3_asid_add_range
+.Fn X509v3_addr_add_range
 should check for inverted range bounds and overlaps
 on insertion and fail instead of creating a nonsensical
-.Fa asid
+.Fa addr
 that fails to be canonized by
-.Fn X509v3_asid_canonize .
+.Fn X509v3_addr_canonize .
 .Pp
 If
 .Dv NULL
@@ -457,4 +460,13 @@ crashes with a
 .Dv NULL
 dereference.
 .Pp
-The only supported AFIs are IPv4 and IPv6, but this is not enforced.
+The code only supports the IPv4 and IPv6 AFIs.
+This is not consistently enforced across implementations.
+.Pp
+.Fn X509v3_addr_add_range
+fails to clear the unused bits set to 1 in the last octet of
+the
+.Vt ASN1_BIT_STRING
+representation of
+.Fa max .
+This confuses some software.
diff --git a/src/lib/libcrypto/man/X509v3_addr_inherits.3 b/src/lib/libcrypto/man/X509v3_addr_inherits.3
index a8465afb38..0c3c35d4a3 100644
--- a/src/lib/libcrypto/man/X509v3_addr_inherits.3
+++ b/src/lib/libcrypto/man/X509v3_addr_inherits.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_inherits.3,v 1.1 2023/09/26 20:42:45 tb Exp $
+.\" $OpenBSD: X509v3_addr_inherits.3,v 1.2 2023/09/27 08:46:46 tb Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,13 +14,13 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2023 $
+.Dd $Mdocdate: September 27 2023 $
 .Dt X509V3_ADDR_INHERITS 3
 .Os
 .Sh NAME
 .Nm X509v3_addr_inherits ,
 .Nm X509v3_asid_inherits
-.Nd inheritance for the IP address and AS number delegation extensions
+.Nd RFC 3779 inheritance
 .Sh SYNOPSIS
 .In openssl/x509v3.h
 .Ft int
@@ -96,7 +96,7 @@ and have been available since
 .Fn X509v3_asid_inherits
 ignores whether the
 .Fa inherit
-is present or absent in the list that is considered to use inheritance.
+element is present or absent in the list that is considered to use inheritance.
 .Pp
 There is no API that determines whether all lists contained in an
 .Vt ASIdentifiers
diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
index 6d554e6a20..c9ff6bf13b 100644
--- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
+++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.4 2023/09/26 20:42:45 tb Exp $
+.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.5 2023/09/27 08:46:46 tb Exp $
 .\"
 .\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2023 $
+.Dd $Mdocdate: September 27 2023 $
 .Dt X509V3_ASID_ADD_ID_OR_RANGE 3
 .Os
 .Sh NAME
@@ -22,8 +22,7 @@
 .Nm X509v3_asid_add_inherit ,
 .Nm X509v3_asid_canonize ,
 .Nm X509v3_asid_is_canonical
-.Nd construct and validate individual X509v3 certificate extensions for
+.Nd RFC 3779 autonomous system identifier delegation extension
-autonomous system identifier delegation
 .Sh SYNOPSIS
 .In openssl/x509v3.h
 .Ft int
@@ -57,7 +56,7 @@ and its internals are documented in
 .Xr ASRange_new 3 .
 .Pp
 An autonomous system is identified by an unsigned 32-bit integer,
-called an AS number.
+called an AS identifier or AS number.
 An
 .Vt ASIdentifiers
 object can hold two lists:
@@ -132,15 +131,14 @@ or
 .Dv V3_ASID_RDI )
 in
 .Fa asid
-and marks it
+if necessary and marks it
 .Dq inherit .
 This fails if
 .Fa asid
 already contains a list of
 .Fa type
-that isn't marked
+that is not marked
-.Dq inherit ,
+.Dq inherit .
-otherwise no action occurs.
 .Pp
 .Fn X509v3_asid_canonize
 attempts to bring both lists in

diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3 index 613fd3ce80..4f6bf67f10 100644 --- a/src/lib/libcrypto/man/ASIdentifiers_new.3 +++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ASIdentifiers_new.3,v 1.6 2023/09/26 20:42:45 tb Exp $	1	.\" $OpenBSD: ASIdentifiers_new.3,v 1.7 2023/09/27 08:46:46 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2021 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 26 2023 $	17	.Dd $Mdocdate: September 27 2023 $
18	.Dt ASIDENTIFIERS_NEW 3	18	.Dt ASIDENTIFIERS_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -22,7 +22,7 @@
22	.Nm ASIdentifiers_free ,	22	.Nm ASIdentifiers_free ,
23	.Nm d2i_ASIdentifiers ,	23	.Nm d2i_ASIdentifiers ,
24	.Nm i2d_ASIdentifiers	24	.Nm i2d_ASIdentifiers
25	.Nd X509v3 certificate extension for autonomous system identifier delegation	25	.Nd RFC 3779 autonomous system identifier delegation extensions
26	.Sh SYNOPSIS	26	.Sh SYNOPSIS
27	.In openssl/x509v3.h	27	.In openssl/x509v3.h
28	.Ft ASIdentifiers *	28	.Ft ASIdentifiers *
@@ -112,7 +112,7 @@ or a value <= 0 if an error occurs.
112	.Xr crypto 3 ,	112	.Xr crypto 3 ,
113	.Xr IPAddressRange_new 3 ,	113	.Xr IPAddressRange_new 3 ,
114	.Xr X509_new 3 ,	114	.Xr X509_new 3 ,
115	.Xr X509v3_asid_add_id_or_range 3	115	.Xr X509v3_asid_add_id_or_range 3 ,
116	.Xr X509v3_asid_inherits 3	116	.Xr X509v3_asid_inherits 3
117	.Sh STANDARDS	117	.Sh STANDARDS
118	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:	118	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:


diff --git a/src/lib/libcrypto/man/ASRange_new.3 b/src/lib/libcrypto/man/ASRange_new.3 index 75b911c588..12eff26792 100644 --- a/src/lib/libcrypto/man/ASRange_new.3 +++ b/src/lib/libcrypto/man/ASRange_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ASRange_new.3,v 1.4 2023/09/26 15:34:23 tb Exp $	1	.\" $OpenBSD: ASRange_new.3,v 1.5 2023/09/27 08:46:46 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 26 2023 $	17	.Dd $Mdocdate: September 27 2023 $
18	.Dt ASRANGE_NEW 3	18	.Dt ASRANGE_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -30,7 +30,7 @@
30	.Nm ASIdentifierChoice_free ,	30	.Nm ASIdentifierChoice_free ,
31	.Nm d2i_ASIdentifierChoice ,	31	.Nm d2i_ASIdentifierChoice ,
32	.Nm i2d_ASIdentifierChoice	32	.Nm i2d_ASIdentifierChoice
33	.Nd Autonomous system identifiers and ranges	33	.Nd RFC 3779 autonomous system identifiers and ranges
34	.Sh SYNOPSIS	34	.Sh SYNOPSIS
35	.In openssl/x509v3.h	35	.In openssl/x509v3.h
36	.Ft "ASRange *"	36	.Ft "ASRange *"
@@ -87,21 +87,21 @@ are building blocks of the
87	.Vt ASIdentifiers	87	.Vt ASIdentifiers
88	type representing the RFC 3779	88	type representing the RFC 3779
89	autonomous system identifier delegation extension.	89	autonomous system identifier delegation extension.
90	See
91	.Xr ASIdentifiers_new 3
92	and
93	.Xr X509v3_asid_add_id_or_range 3
94	for more details.
95	.Pp	90	.Pp
96	All	91	All
97	.Vt ASN1_INTEGER Ns s	92	.Vt ASN1_INTEGER Ns s
98	in this manual should be representable as unsigned 32-bit integers.	93	in this manual should be representable as unsigned 32-bit integers.
		94	The API performs no corresponding checks.
99	The library provides no convenient way of setting the value of an	95	The library provides no convenient way of setting the value of an
100	.Vt ASN1_INTEGER	96	.Vt ASN1_INTEGER
101	directly.	97	directly.
102	A detour via a	98	A detour via a
103	.Vt BIGNUM	99	.Vt BIGNUM
104	or a string is unavoidable.	100	or a string is unavoidable.
		101	To retrieve the value of an
		102	.Vt ASN1_INTEGER ,
		103	use
		104	.Xr ASN1_INTEGER_get_uint64 3 .
105	.Pp	105	.Pp
106	The	106	The
107	.Vt ASRange	107	.Vt ASRange
@@ -310,7 +310,7 @@ object of
310	.Fn ASRange_new	310	.Fn ASRange_new
311	returns a new	311	returns a new
312	.Vt ASRange	312	.Vt ASRange
313	object or	313	object with allocated, empty members, or
314	.Dv NULL	314	.Dv NULL
315	if an error occurs.	315	if an error occurs.
316	.Pp	316	.Pp


diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3 index bee18bc0b4..07c57f3e5d 100644 --- a/src/lib/libcrypto/man/IPAddressRange_new.3 +++ b/src/lib/libcrypto/man/IPAddressRange_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: IPAddressRange_new.3,v 1.3 2023/09/26 20:42:45 tb Exp $	1	.\" $OpenBSD: IPAddressRange_new.3,v 1.4 2023/09/27 08:46:46 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 26 2023 $	17	.Dd $Mdocdate: September 27 2023 $
18	.Dt IPADDRESSRANGE_NEW 3	18	.Dt IPADDRESSRANGE_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -34,7 +34,7 @@
34	.Nm IPAddressFamily_free ,	34	.Nm IPAddressFamily_free ,
35	.Nm d2i_IPAddressFamily ,	35	.Nm d2i_IPAddressFamily ,
36	.Nm i2d_IPAddressFamily	36	.Nm i2d_IPAddressFamily
37	.Nd IP address prefixes and ranges	37	.Nd RFC 3779 IP address prefixes and ranges
38	.Sh SYNOPSIS	38	.Sh SYNOPSIS
39	.In openssl/x509v3.h	39	.In openssl/x509v3.h
40	.Ft "IPAddressRange *"	40	.Ft "IPAddressRange *"
@@ -106,25 +106,21 @@ and
106	are building blocks of the RFC 3779	106	are building blocks of the RFC 3779
107	.Vt IPAddrBlocks	107	.Vt IPAddrBlocks
108	type representing the IP address delegation extension.	108	type representing the IP address delegation extension.
109	See
110	.Xr X509v3_addr_add_inherit 3
111	for more details.
112	.Pp	109	.Pp
113	Per RFC 3779, section 2.1.1,	110	Per RFC 3779, section 2.1.1,
114	an IPv4 or an IPv6 address is encoded in network byte order in an	111	an IPv4 or an IPv6 address is encoded in network byte order in an
115	ASN.1 BIT STRING of bit size 32 or 128 bits, respectively.	112	ASN.1 BIT STRING of bit size 32 or 128 bits, respectively.
116	The bit size of a prefix is its prefix length,	113	The bit size of a prefix is its prefix length.
117	in other words, all insignificant zero bits are omitted.	114	In other words, all insignificant zero bits are omitted
		115	from the encoding.
118	An address range is expressed as a pair of BIT STRINGs	116	An address range is expressed as a pair of BIT STRINGs
119	where all least significant zero bits of the lower bound	117	where all least significant zero bits of the lower bound
120	and the all least significant one bits of the upper bound are omitted.	118	and the all least significant one bits of the upper bound are omitted.
121	Whether a prefix or a range represents a range of IPv4 address or
122	an IPv6 address must be derived from the context.
123	.Pp	119	.Pp
124	The library provides no API for directly converting an IP address or	120	The library provides no API for directly converting an IP address or
125	prefix (in any form) to and from an	121	prefix (in any form) to and from an
126	.Vt ASN1_BIT_STRING	122	.Vt ASN1_BIT_STRING .
127	and it also provides no API for directly handling ranges.	123	It also provides no API for directly handling ranges.
128	The	124	The
129	.Vt ASN1_BIT_STRING	125	.Vt ASN1_BIT_STRING
130	internals are subtle and directly manipulating them in the	126	internals are subtle and directly manipulating them in the
@@ -175,7 +171,7 @@ is
175	.Dv NULL ,	171	.Dv NULL ,
176	no action occurs.	172	no action occurs.
177	.Pp	173	.Pp
178	There is no dedicated type to represent the	174	There is no dedicated type representing the
179	.Vt IPAddress	175	.Vt IPAddress
180	type defined in RFC 3779 section 2.2.3.8.	176	type defined in RFC 3779 section 2.2.3.8.
181	The API uses	177	The API uses
@@ -404,11 +400,11 @@ structure, see
404	.Fn IPAddressRange_new	400	.Fn IPAddressRange_new
405	returns a new	401	returns a new
406	.Vt IPAddressRange	402	.Vt IPAddressRange
407	object or	403	object with allocated, empty members, or
408	.Dv NULL	404	.Dv NULL
409	if an error occurs.	405	if an error occurs.
410	.Pp	406	.Pp
411	.Fn IPAddressRange_new	407	.Fn IPAddressOrRange_new
412	returns a new, empty	408	returns a new, empty
413	.Vt IPAddressOrRange	409	.Vt IPAddressOrRange
414	object or	410	object or
@@ -423,8 +419,8 @@ object or
423	if an error occurs.	419	if an error occurs.
424	.Pp	420	.Pp
425	.Fn IPAddressFamily_new	421	.Fn IPAddressFamily_new
426	returns a new,	422	returns a new
427	.Vt IPAddressChoice	423	.Vt IPAddressFamily
428	object with allocated, empty members, or	424	object with allocated, empty members, or
429	.Dv NULL	425	.Dv NULL
430	if an error occurs.	426	if an error occurs.
@@ -513,3 +509,8 @@ However, constructing objects is very error prone, be it
513	by hand or using the bug-ridden	509	by hand or using the bug-ridden
514	.Xr X509v3_addr_add_inherit 3	510	.Xr X509v3_addr_add_inherit 3
515	API.	511	API.
		512	.Pp
		513	RFC 3779 has element
		514	.Dq addressesOrRanges .
		515	Its type in this API is
		516	.Vt IPAddressOrRanges .


diff --git a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 index 887a5ecb21..3ca9bc59ae 100644 --- a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 +++ b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.4 2023/09/26 18:35:34 tb Exp $	1	.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.5 2023/09/27 08:46:46 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 26 2023 $	17	.Dd $Mdocdate: September 27 2023 $
18	.Dt X509V3_ADDR_ADD_INHERIT 3	18	.Dt X509V3_ADDR_ADD_INHERIT 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -23,8 +23,7 @@
23	.Nm X509v3_addr_add_range ,	23	.Nm X509v3_addr_add_range ,
24	.Nm X509v3_addr_canonize ,	24	.Nm X509v3_addr_canonize ,
25	.Nm X509v3_addr_is_canonical	25	.Nm X509v3_addr_is_canonical
26	.Nd construct X509v3 IP address blocks extensions and	26	.Nd RFC 3779 IP address delegation extensions
27	bring them into canonical form
28	.Sh SYNOPSIS	27	.Sh SYNOPSIS
29	.In openssl/x509v3.h	28	.In openssl/x509v3.h
30	.Ft int	29	.Ft int
@@ -63,15 +62,18 @@ An
63	object represents the content of	62	object represents the content of
64	an X509v3 IP address blocks delegation extension	63	an X509v3 IP address blocks delegation extension
65	as defined in RFC 3779, section 2.2.3.1.	64	as defined in RFC 3779, section 2.2.3.1.
66	It can hold lists of delegated IP address prefixes and	65	It holds lists of IP address prefixes and IP address ranges
67	IP address ranges.	66	delegated from the issuer to the subject of the certificate.
68	It can be instantiated as explained in the EXAMPLES section	67	It can be instantiated as explained in the EXAMPLES section
69	and its internals are documented in	68	and its internals are documented in
70	.Xr IPAddressRange_new 3 .	69	.Xr IPAddressRange_new 3 .
71	Each list is uniquely identified by	70	.Pp
		71	Each list in a well-formed
		72	.Vt IPAddrBlocks
		73	object is uniquely identified by
72	an address family identifier (AFI) and	74	an address family identifier (AFI) and
73	an optional subsequent address family identifier (SAFI).	75	an optional subsequent address family identifier (SAFI).
74	Each list can be absent or it can contain a single	76	Lists can be absent or can contain an
75	.Dq inherit	77	.Dq inherit
76	marker to indicate that the resources are to be inherited	78	marker to indicate that the resources are to be inherited
77	from the corresponding list of the issuer certificate.	79	from the corresponding list of the issuer certificate.
@@ -171,7 +173,7 @@ In case the range of IP addresses between
171	.Fa min	173	.Fa min
172	and	174	and
173	.Fa max	175	.Fa max
174	is a prefix, a prefix will be added.	176	is a prefix, a prefix will be added instead of a range.
175	It is the caller's responsibility to ensure that	177	It is the caller's responsibility to ensure that
176	.Fa min	178	.Fa min
177	is less than or equal to	179	is less than or equal to
@@ -190,7 +192,8 @@ An
190	.Vt IPAddrBlocks	192	.Vt IPAddrBlocks
191	object is said to be in canonical form if it conforms	193	object is said to be in canonical form if it conforms
192	to the ordering specified in RFC 3779:	194	to the ordering specified in RFC 3779:
193	section 2.2.3.3 requires that the lists be sorted first by increasing	195	section 2.2.3.3 requires that
		196	the list of lists be sorted first by increasing
194	.Fa afi	197	.Fa afi
195	and then by increasing	198	and then by increasing
196	.Fa safi ,	199	.Fa safi ,
@@ -397,7 +400,7 @@ is desired.
397	.Xr IPAddressRange_new 3 ,	400	.Xr IPAddressRange_new 3 ,
398	.Xr X509_new 3 ,	401	.Xr X509_new 3 ,
399	.Xr X509v3_asid_add_id_or_range 3 ,	402	.Xr X509v3_asid_add_id_or_range 3 ,
400	.Xr X509v3_asid_get_range 3	403	.Xr X509v3_addr_get_range 3
401	.Sh STANDARDS	404	.Sh STANDARDS
402	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:	405	RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
403	.Bl -dash -compact	406	.Bl -dash -compact
@@ -434,12 +437,12 @@ is not public.
434	The above examples show how to implement the four missing functions	437	The above examples show how to implement the four missing functions
435	with public API.	438	with public API.
436	.Pp	439	.Pp
437	.Fn X509v3_asid_add_range	440	.Fn X509v3_addr_add_range
438	should check for inverted range bounds and overlaps	441	should check for inverted range bounds and overlaps
439	on insertion and fail instead of creating a nonsensical	442	on insertion and fail instead of creating a nonsensical
440	.Fa asid	443	.Fa addr
441	that fails to be canonized by	444	that fails to be canonized by
442	.Fn X509v3_asid_canonize .	445	.Fn X509v3_addr_canonize .
443	.Pp	446	.Pp
444	If	447	If
445	.Dv NULL	448	.Dv NULL
@@ -457,4 +460,13 @@ crashes with a
457	.Dv NULL	460	.Dv NULL
458	dereference.	461	dereference.
459	.Pp	462	.Pp
460	The only supported AFIs are IPv4 and IPv6, but this is not enforced.	463	The code only supports the IPv4 and IPv6 AFIs.
		464	This is not consistently enforced across implementations.
		465	.Pp
		466	.Fn X509v3_addr_add_range
		467	fails to clear the unused bits set to 1 in the last octet of
		468	the
		469	.Vt ASN1_BIT_STRING
		470	representation of
		471	.Fa max .
		472	This confuses some software.


diff --git a/src/lib/libcrypto/man/X509v3_addr_inherits.3 b/src/lib/libcrypto/man/X509v3_addr_inherits.3 index a8465afb38..0c3c35d4a3 100644 --- a/src/lib/libcrypto/man/X509v3_addr_inherits.3 +++ b/src/lib/libcrypto/man/X509v3_addr_inherits.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509v3_addr_inherits.3,v 1.1 2023/09/26 20:42:45 tb Exp $	1	.\" $OpenBSD: X509v3_addr_inherits.3,v 1.2 2023/09/27 08:46:46 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,13 +14,13 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 26 2023 $	17	.Dd $Mdocdate: September 27 2023 $
18	.Dt X509V3_ADDR_INHERITS 3	18	.Dt X509V3_ADDR_INHERITS 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
21	.Nm X509v3_addr_inherits ,	21	.Nm X509v3_addr_inherits ,
22	.Nm X509v3_asid_inherits	22	.Nm X509v3_asid_inherits
23	.Nd inheritance for the IP address and AS number delegation extensions	23	.Nd RFC 3779 inheritance
24	.Sh SYNOPSIS	24	.Sh SYNOPSIS
25	.In openssl/x509v3.h	25	.In openssl/x509v3.h
26	.Ft int	26	.Ft int
@@ -96,7 +96,7 @@ and have been available since
96	.Fn X509v3_asid_inherits	96	.Fn X509v3_asid_inherits
97	ignores whether the	97	ignores whether the
98	.Fa inherit	98	.Fa inherit
99	is present or absent in the list that is considered to use inheritance.	99	element is present or absent in the list that is considered to use inheritance.
100	.Pp	100	.Pp
101	There is no API that determines whether all lists contained in an	101	There is no API that determines whether all lists contained in an
102	.Vt ASIdentifiers	102	.Vt ASIdentifiers


diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 index 6d554e6a20..c9ff6bf13b 100644 --- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 +++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.4 2023/09/26 20:42:45 tb Exp $	1	.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.5 2023/09/27 08:46:46 tb Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>	3	.\" Copyright (c) 2021-2023 Theo Buehler <tb@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: September 26 2023 $	17	.Dd $Mdocdate: September 27 2023 $
18	.Dt X509V3_ASID_ADD_ID_OR_RANGE 3	18	.Dt X509V3_ASID_ADD_ID_OR_RANGE 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -22,8 +22,7 @@
22	.Nm X509v3_asid_add_inherit ,	22	.Nm X509v3_asid_add_inherit ,
23	.Nm X509v3_asid_canonize ,	23	.Nm X509v3_asid_canonize ,
24	.Nm X509v3_asid_is_canonical	24	.Nm X509v3_asid_is_canonical
25	.Nd construct and validate individual X509v3 certificate extensions for	25	.Nd RFC 3779 autonomous system identifier delegation extension
26	autonomous system identifier delegation
27	.Sh SYNOPSIS	26	.Sh SYNOPSIS
28	.In openssl/x509v3.h	27	.In openssl/x509v3.h
29	.Ft int	28	.Ft int
@@ -57,7 +56,7 @@ and its internals are documented in
57	.Xr ASRange_new 3 .	56	.Xr ASRange_new 3 .
58	.Pp	57	.Pp
59	An autonomous system is identified by an unsigned 32-bit integer,	58	An autonomous system is identified by an unsigned 32-bit integer,
60	called an AS number.	59	called an AS identifier or AS number.
61	An	60	An
62	.Vt ASIdentifiers	61	.Vt ASIdentifiers
63	object can hold two lists:	62	object can hold two lists:
@@ -132,15 +131,14 @@ or
132	.Dv V3_ASID_RDI )	131	.Dv V3_ASID_RDI )
133	in	132	in
134	.Fa asid	133	.Fa asid
135	and marks it	134	if necessary and marks it
136	.Dq inherit .	135	.Dq inherit .
137	This fails if	136	This fails if
138	.Fa asid	137	.Fa asid
139	already contains a list of	138	already contains a list of
140	.Fa type	139	.Fa type
141	that isn't marked	140	that is not marked
142	.Dq inherit ,	141	.Dq inherit .
143	otherwise no action occurs.
144	.Pp	142	.Pp
145	.Fn X509v3_asid_canonize	143	.Fn X509v3_asid_canonize
146	attempts to bring both lists in	144	attempts to bring both lists in