Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/asn1/x_x509.c10
-rw-r--r--src/lib/libcrypto/crypto/Makefile3
-rw-r--r--src/lib/libcrypto/x509v3/ext_dat.h6
-rw-r--r--src/lib/libcrypto/x509v3/v3_addr.c1504
-rw-r--r--src/lib/libcrypto/x509v3/v3_asid.c1027
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c11
-rw-r--r--src/lib/libcrypto/x509v3/x509v3.h150
-rw-r--r--src/lib/libssl/src/crypto/asn1/x_x509.c10
-rw-r--r--src/lib/libssl/src/crypto/x509v3/ext_dat.h6
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_addr.c1504
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_asid.c1027
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_purp.c11
-rw-r--r--src/lib/libssl/src/crypto/x509v3/x509v3.h150
13 files changed, 9 insertions, 5410 deletions
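diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c
index 77ec8c41cf..756848fe19 100644
--- a/src/lib/libcrypto/asn1/x_x509.c
+++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.20 2015/02/10 05:25:45 jsing Exp $ */
+/* $OpenBSD: x_x509.c,v 1.21 2015/02/10 13:28:17 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -121,10 +121,6 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
  ret->ex_pathlen = -1;
  ret->skid = NULL;
  ret->akid = NULL;
-#ifndef OPENSSL_NO_RFC3779
- ret->rfc3779_addr = NULL;
- ret->rfc3779_asid = NULL;
-#endif
  ret->aux = NULL;
  ret->crldp = NULL;
  CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
@@ -144,10 +140,6 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
  policy_cache_free(ret->policy_cache);
  GENERAL_NAMES_free(ret->altname);
  NAME_CONSTRAINTS_free(ret->nc);
-#ifndef OPENSSL_NO_RFC3779
- sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
- ASIdentifiers_free(ret->rfc3779_asid);
-#endif
  free(ret->name);
  ret->name = NULL;
  break;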
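diff --git a/src/lib/libcrypto/crypto/Makefile b/src/lib/libcrypto/crypto/Makefile
index 478991c9b7..4e8f489c2d 100644
--- a/src/lib/libcrypto/crypto/Makefile
+++ b/src/lib/libcrypto/crypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.55 2015/02/10 11:37:58 jsing Exp $
+# $OpenBSD: Makefile,v 1.56 2015/02/10 13:28:17 jsing Exp $
 
 LIB= crypto
 
@@ -258,7 +258,6 @@ SRCS+= v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c
 SRCS+= v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c
 SRCS+= v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c
 SRCS+= pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
-SRCS+= v3_asid.c v3_addr.c
 
 .PATH: ${.CURDIR}/arch/${MACHINE_CPU} \
  ${LCRYPTO_SRC} \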
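diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 1111af2108..f8bf7916b3 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ext_dat.h,v 1.11 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: ext_dat.h,v 1.12 2015/02/10 13:28:17 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -103,10 +103,6 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 #endif
  &v3_sxnet,
  &v3_info,
-#ifndef OPENSSL_NO_RFC3779
- &v3_addr,
- &v3_asid,
-#endif
 #ifndef OPENSSL_NO_OCSP
  &v3_ocsp_nonce,
  &v3_ocsp_crlid,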
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
deleted file mode 100644
index 4073aeeaa6..0000000000
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ /dev/null
@@ -1,1504 +0,0 @@
1/* $OpenBSD: v3_addr.c,v 1.15 2015/02/09 16:03:11 jsing Exp $ */
2/*
3 * Contributed to the OpenSSL Project by the American Registry for
4 * Internet Numbers ("ARIN").
5 */
6/* ====================================================================
7 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 */
58
59/*
60 * Implementation of RFC 3779 section 2.2.
61 */
62
63#include <stdio.h>
64#include <stdlib.h>
65
66#include <openssl/opensslconf.h>
67
68#include <openssl/asn1.h>
69#include <openssl/asn1t.h>
70#include <openssl/buffer.h>
71#include <openssl/conf.h>
72#include <openssl/x509v3.h>
73
74#ifndef OPENSSL_NO_RFC3779
75
76/*
77 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
78 */
79
80ASN1_SEQUENCE(IPAddressRange) = {
81 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
82 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
83} ASN1_SEQUENCE_END(IPAddressRange)
84
85ASN1_CHOICE(IPAddressOrRange) = {
86 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
87 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
88} ASN1_CHOICE_END(IPAddressOrRange)
89
90ASN1_CHOICE(IPAddressChoice) = {
91 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
92 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
93} ASN1_CHOICE_END(IPAddressChoice)
94
95ASN1_SEQUENCE(IPAddressFamily) = {
96 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
97 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
98} ASN1_SEQUENCE_END(IPAddressFamily)
99
100ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
101 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
102 IPAddrBlocks, IPAddressFamily)
103ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
104
105
106IPAddressRange *
107d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len)
108{
109 return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
110 &IPAddressRange_it);
111}
112
113int
114i2d_IPAddressRange(IPAddressRange *a, unsigned char **out)
115{
116 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it);
117}
118
119IPAddressRange *
120IPAddressRange_new(void)
121{
122 return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it);
123}
124
125void
126IPAddressRange_free(IPAddressRange *a)
127{
128 ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it);
129}
130
131IPAddressOrRange *
132d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len)
133{
134 return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
135 &IPAddressOrRange_it);
136}
137
138int
139i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out)
140{
141 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it);
142}
143
144IPAddressOrRange *
145IPAddressOrRange_new(void)
146{
147 return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it);
148}
149
150void
151IPAddressOrRange_free(IPAddressOrRange *a)
152{
153 ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it);
154}
155
156IPAddressChoice *
157d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len)
158{
159 return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
160 &IPAddressChoice_it);
161}
162
163int
164i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out)
165{
166 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it);
167}
168
169IPAddressChoice *
170IPAddressChoice_new(void)
171{
172 return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it);
173}
174
175void
176IPAddressChoice_free(IPAddressChoice *a)
177{
178 ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it);
179}
180
181IPAddressFamily *
182d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len)
183{
184 return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
185 &IPAddressFamily_it);
186}
187
188int
189i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out)
190{
191 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it);
192}
193
194IPAddressFamily *
195IPAddressFamily_new(void)
196{
197 return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it);
198}
199
200void
201IPAddressFamily_free(IPAddressFamily *a)
202{
203 ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it);
204}
205
206/*
207 * How much buffer space do we need for a raw address?
208 */
209#define ADDR_RAW_BUF_LEN 16
210
211/*
212 * What's the address length associated with this AFI?
213 */
214static int
215length_from_afi(const unsigned afi)
216{
217 switch (afi) {
218 case IANA_AFI_IPV4:
219 return 4;
220 case IANA_AFI_IPV6:
221 return 16;
222 default:
223 return 0;
224 }
225}
226
227/*
228 * Extract the AFI from an IPAddressFamily.
229 */
230unsigned int
231v3_addr_get_afi(const IPAddressFamily *f)
232{
233 return ((f != NULL && f->addressFamily != NULL &&
234 f->addressFamily->data != NULL) ?
235 ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) :
236 0);
237}
238
239/*
240 * Expand the bitstring form of an address into a raw byte array.
241 * At the moment this is coded for simplicity, not speed.
242 */
243static int
244addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length,
245 const unsigned char fill)
246{
247 if (bs->length < 0 || bs->length > length)
248 return 0;
249 if (bs->length > 0) {
250 memcpy(addr, bs->data, bs->length);
251 if ((bs->flags & 7) != 0) {
252 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
253 if (fill == 0)
254 addr[bs->length - 1] &= ~mask;
255 else
256 addr[bs->length - 1] |= mask;
257 }
258 }
259 memset(addr + bs->length, fill, length - bs->length);
260 return 1;
261}
262
263/*
264 * Extract the prefix length from a bitstring.
265 */
266#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
267
268/*
269 * i2r handler for one address bitstring.
270 */
271static int
272i2r_address(BIO *out, const unsigned afi, const unsigned char fill,
273 const ASN1_BIT_STRING *bs)
274{
275 unsigned char addr[ADDR_RAW_BUF_LEN];
276 int i, n;
277
278 if (bs->length < 0)
279 return 0;
280 switch (afi) {
281 case IANA_AFI_IPV4:
282 if (!addr_expand(addr, bs, 4, fill))
283 return 0;
284 BIO_printf(out, "%d.%d.%d.%d",
285 addr[0], addr[1], addr[2], addr[3]);
286 break;
287 case IANA_AFI_IPV6:
288 if (!addr_expand(addr, bs, 16, fill))
289 return 0;
290 for (n = 16;
291 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2)
292 ;
293 for (i = 0; i < n; i += 2)
294 BIO_printf(out, "%x%s",
295 (addr[i] << 8) | addr[i + 1], (i < 14 ? ":" : ""));
296 if (i < 16)
297 BIO_puts(out, ":");
298 if (i == 0)
299 BIO_puts(out, ":");
300 break;
301 default:
302 for (i = 0; i < bs->length; i++)
303 BIO_printf(out, "%s%02x",
304 (i > 0 ? ":" : ""), bs->data[i]);
305 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
306 break;
307 }
308 return 1;
309}
310
311/*
312 * i2r handler for a sequence of addresses and ranges.
313 */
314static int
315i2r_IPAddressOrRanges(BIO *out, const int indent, const IPAddressOrRanges *aors,
316 const unsigned afi)
317{
318 int i;
319
320 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
321 const IPAddressOrRange *aor =
322 sk_IPAddressOrRange_value(aors, i);
323 BIO_printf(out, "%*s", indent, "");
324 switch (aor->type) {
325 case IPAddressOrRange_addressPrefix:
326 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
327 return 0;
328 BIO_printf(out, "/%d\n",
329 addr_prefixlen(aor->u.addressPrefix));
330 continue;
331 case IPAddressOrRange_addressRange:
332 if (!i2r_address(out, afi, 0x00,
333 aor->u.addressRange->min))
334 return 0;
335 BIO_puts(out, "-");
336 if (!i2r_address(out, afi, 0xFF,
337 aor->u.addressRange->max))
338 return 0;
339 BIO_puts(out, "\n");
340 continue;
341 }
342 }
343 return 1;
344}
345
346/*
347 * i2r handler for an IPAddrBlocks extension.
348 */
349static int
350i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
351 int indent)
352{
353 const IPAddrBlocks *addr = ext;
354 int i;
355
356 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
357 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
358 const unsigned int afi = v3_addr_get_afi(f);
359 switch (afi) {
360 case IANA_AFI_IPV4:
361 BIO_printf(out, "%*sIPv4", indent, "");
362 break;
363 case IANA_AFI_IPV6:
364 BIO_printf(out, "%*sIPv6", indent, "");
365 break;
366 default:
367 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
368 break;
369 }
370 if (f->addressFamily->length > 2) {
371 switch (f->addressFamily->data[2]) {
372 case 1:
373 BIO_puts(out, " (Unicast)");
374 break;
375 case 2:
376 BIO_puts(out, " (Multicast)");
377 break;
378 case 3:
379 BIO_puts(out, " (Unicast/Multicast)");
380 break;
381 case 4:
382 BIO_puts(out, " (MPLS)");
383 break;
384 case 64:
385 BIO_puts(out, " (Tunnel)");
386 break;
387 case 65:
388 BIO_puts(out, " (VPLS)");
389 break;
390 case 66:
391 BIO_puts(out, " (BGP MDT)");
392 break;
393 case 128:
394 BIO_puts(out, " (MPLS-labeled VPN)");
395 break;
396 default:
397 BIO_printf(out, " (Unknown SAFI %u)",
398 (unsigned)f->addressFamily->data[2]);
399 break;
400 }
401 }
402 switch (f->ipAddressChoice->type) {
403 case IPAddressChoice_inherit:
404 BIO_puts(out, ": inherit\n");
405 break;
406 case IPAddressChoice_addressesOrRanges:
407 BIO_puts(out, ":\n");
408 if (!i2r_IPAddressOrRanges(out, indent + 2,
409 f->ipAddressChoice->u.addressesOrRanges, afi))
410 return 0;
411 break;
412 }
413 }
414 return 1;
415}
416
417/*
418 * Sort comparison function for a sequence of IPAddressOrRange
419 * elements.
420 *
421 * There's no sane answer we can give if addr_expand() fails, and an
422 * assertion failure on externally supplied data is seriously uncool,
423 * so we just arbitrarily declare that if given invalid inputs this
424 * function returns -1. If this messes up your preferred sort order
425 * for garbage input, tough noogies.
426 */
427static int
428IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b,
429 const int length)
430{
431 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
432 int prefixlen_a = 0, prefixlen_b = 0;
433 int r;
434
435 switch (a->type) {
436 case IPAddressOrRange_addressPrefix:
437 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
438 return -1;
439 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
440 break;
441 case IPAddressOrRange_addressRange:
442 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
443 return -1;
444 prefixlen_a = length * 8;
445 break;
446 }
447
448 switch (b->type) {
449 case IPAddressOrRange_addressPrefix:
450 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
451 return -1;
452 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
453 break;
454 case IPAddressOrRange_addressRange:
455 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
456 return -1;
457 prefixlen_b = length * 8;
458 break;
459 }
460
461 if ((r = memcmp(addr_a, addr_b, length)) != 0)
462 return r;
463 else
464 return prefixlen_a - prefixlen_b;
465}
466
467/*
468 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
469 * comparision routines are only allowed two arguments.
470 */
471static int
472v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
473 const IPAddressOrRange * const *b)
474{
475 return IPAddressOrRange_cmp(*a, *b, 4);
476}
477
478/*
479 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
480 * comparision routines are only allowed two arguments.
481 */
482static int
483v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
484 const IPAddressOrRange * const *b)
485{
486 return IPAddressOrRange_cmp(*a, *b, 16);
487}
488
489/*
490 * Calculate whether a range collapses to a prefix.
491 * See last paragraph of RFC 3779 2.2.3.7.
492 */
493static int
494range_should_be_prefix(const unsigned char *min, const unsigned char *max,
495 const int length)
496{
497 unsigned char mask;
498 int i, j;
499
500 OPENSSL_assert(memcmp(min, max, length) <= 0);
501 for (i = 0; i < length && min[i] == max[i]; i++)
502 ;
503 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
504 ;
505 if (i < j)
506 return -1;
507 if (i > j)
508 return i * 8;
509 mask = min[i] ^ max[i];
510 switch (mask) {
511 case 0x01:
512 j = 7;
513 break;
514 case 0x03:
515 j = 6;
516 break;
517 case 0x07:
518 j = 5;
519 break;
520 case 0x0F:
521 j = 4;
522 break;
523 case 0x1F:
524 j = 3;
525 break;
526 case 0x3F:
527 j = 2;
528 break;
529 case 0x7F:
530 j = 1;
531 break;
532 default:
533 return -1;
534 }
535 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
536 return -1;
537 else
538 return i * 8 + j;
539}
540
541/*
542 * Construct a prefix.
543 */
544static int
545make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
546 const int prefixlen)
547{
548 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
549 IPAddressOrRange *aor = IPAddressOrRange_new();
550
551 if (aor == NULL)
552 return 0;
553 aor->type = IPAddressOrRange_addressPrefix;
554 if (aor->u.addressPrefix == NULL &&
555 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
556 goto err;
557 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
558 goto err;
559 aor->u.addressPrefix->flags &= ~7;
560 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
561 if (bitlen > 0) {
562 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
563 aor->u.addressPrefix->flags |= 8 - bitlen;
564 }
565
566 *result = aor;
567 return 1;
568
569err:
570 IPAddressOrRange_free(aor);
571 return 0;
572}
573
574/*
575 * Construct a range. If it can be expressed as a prefix,
576 * return a prefix instead. Doing this here simplifies
577 * the rest of the code considerably.
578 */
579static int
580make_addressRange(IPAddressOrRange **result, unsigned char *min,
581 unsigned char *max, const int length)
582{
583 IPAddressOrRange *aor;
584 int i, prefixlen;
585
586 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
587 return make_addressPrefix(result, min, prefixlen);
588
589 if ((aor = IPAddressOrRange_new()) == NULL)
590 return 0;
591 aor->type = IPAddressOrRange_addressRange;
592 OPENSSL_assert(aor->u.addressRange == NULL);
593 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
594 goto err;
595 if (aor->u.addressRange->min == NULL &&
596 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
597 goto err;
598 if (aor->u.addressRange->max == NULL &&
599 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
600 goto err;
601
602 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
603 ;
604 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
605 goto err;
606 aor->u.addressRange->min->flags &= ~7;
607 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
608 if (i > 0) {
609 unsigned char b = min[i - 1];
610 int j = 1;
611 while ((b & (0xFFU >> j)) != 0)
612 ++j;
613 aor->u.addressRange->min->flags |= 8 - j;
614 }
615
616 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
617 ;
618 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
619 goto err;
620 aor->u.addressRange->max->flags &= ~7;
621 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
622 if (i > 0) {
623 unsigned char b = max[i - 1];
624 int j = 1;
625 while ((b & (0xFFU >> j)) != (0xFFU >> j))
626 ++j;
627 aor->u.addressRange->max->flags |= 8 - j;
628 }
629
630 *result = aor;
631 return 1;
632
633err:
634 IPAddressOrRange_free(aor);
635 return 0;
636}
637
638/*
639 * Construct a new address family or find an existing one.
640 */
641static IPAddressFamily *
642make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
643 const unsigned *safi)
644{
645 IPAddressFamily *f;
646 unsigned char key[3];
647 unsigned keylen;
648 int i;
649
650 key[0] = (afi >> 8) & 0xFF;
651 key[1] = afi & 0xFF;
652 if (safi != NULL) {
653 key[2] = *safi & 0xFF;
654 keylen = 3;
655 } else {
656 keylen = 2;
657 }
658
659 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
660 f = sk_IPAddressFamily_value(addr, i);
661 OPENSSL_assert(f->addressFamily->data != NULL);
662 if (f->addressFamily->length == keylen &&
663 !memcmp(f->addressFamily->data, key, keylen))
664 return f;
665 }
666
667 if ((f = IPAddressFamily_new()) == NULL)
668 goto err;
669 if (f->ipAddressChoice == NULL &&
670 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
671 goto err;
672 if (f->addressFamily == NULL &&
673 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
674 goto err;
675 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
676 goto err;
677 if (!sk_IPAddressFamily_push(addr, f))
678 goto err;
679
680 return f;
681
682err:
683 IPAddressFamily_free(f);
684 return NULL;
685}
686
687/*
688 * Add an inheritance element.
689 */
690int
691v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
692 const unsigned *safi)
693{
694 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
695
696 if (f == NULL ||
697 f->ipAddressChoice == NULL ||
698 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
699 f->ipAddressChoice->u.addressesOrRanges != NULL))
700 return 0;
701 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
702 f->ipAddressChoice->u.inherit != NULL)
703 return 1;
704 if (f->ipAddressChoice->u.inherit == NULL &&
705 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
706 return 0;
707 f->ipAddressChoice->type = IPAddressChoice_inherit;
708 return 1;
709}
710
711/*
712 * Construct an IPAddressOrRange sequence, or return an existing one.
713 */
714static IPAddressOrRanges *
715make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
716 const unsigned *safi)
717{
718 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
719 IPAddressOrRanges *aors = NULL;
720
721 if (f == NULL ||
722 f->ipAddressChoice == NULL ||
723 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
724 f->ipAddressChoice->u.inherit != NULL))
725 return NULL;
726 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
727 aors = f->ipAddressChoice->u.addressesOrRanges;
728 if (aors != NULL)
729 return aors;
730 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
731 return NULL;
732 switch (afi) {
733 case IANA_AFI_IPV4:
734 (void) sk_IPAddressOrRange_set_cmp_func(aors,
735 v4IPAddressOrRange_cmp);
736 break;
737 case IANA_AFI_IPV6:
738 (void) sk_IPAddressOrRange_set_cmp_func(aors,
739 v6IPAddressOrRange_cmp);
740 break;
741 }
742 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
743 f->ipAddressChoice->u.addressesOrRanges = aors;
744 return aors;
745}
746
747/*
748 * Add a prefix.
749 */
750int
751v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi,
752 const unsigned *safi, unsigned char *a, const int prefixlen)
753{
754 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
755 IPAddressOrRange *aor;
756
757 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
758 return 0;
759 if (sk_IPAddressOrRange_push(aors, aor))
760 return 1;
761 IPAddressOrRange_free(aor);
762 return 0;
763}
764
765/*
766 * Add a range.
767 */
768int
769v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, const unsigned *safi,
770 unsigned char *min, unsigned char *max)
771{
772 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
773 IPAddressOrRange *aor;
774 int length = length_from_afi(afi);
775
776 if (aors == NULL)
777 return 0;
778 if (!make_addressRange(&aor, min, max, length))
779 return 0;
780 if (sk_IPAddressOrRange_push(aors, aor))
781 return 1;
782 IPAddressOrRange_free(aor);
783 return 0;
784}
785
786/*
787 * Extract min and max values from an IPAddressOrRange.
788 */
789static int
790extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max,
791 int length)
792{
793 if (aor == NULL || min == NULL || max == NULL)
794 return 0;
795 switch (aor->type) {
796 case IPAddressOrRange_addressPrefix:
797 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
798 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
799 case IPAddressOrRange_addressRange:
800 return (
801 addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
802 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
803 }
804 return 0;
805}
806
807/*
808 * Public wrapper for extract_min_max().
809 */
810int
811v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
812 unsigned char *min, unsigned char *max, const int length)
813{
814 int afi_length = length_from_afi(afi);
815
816 if (aor == NULL || min == NULL || max == NULL ||
817 afi_length == 0 || length < afi_length ||
818 (aor->type != IPAddressOrRange_addressPrefix &&
819 aor->type != IPAddressOrRange_addressRange) ||
820 !extract_min_max(aor, min, max, afi_length))
821 return 0;
822
823 return afi_length;
824}
825
826/*
827 * Sort comparision function for a sequence of IPAddressFamily.
828 *
829 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
830 * the ordering: I can read it as meaning that IPv6 without a SAFI
831 * comes before IPv4 with a SAFI, which seems pretty weird. The
832 * examples in appendix B suggest that the author intended the
833 * null-SAFI rule to apply only within a single AFI, which is what I
834 * would have expected and is what the following code implements.
835 */
836static int
837IPAddressFamily_cmp(const IPAddressFamily * const *a_,
838 const IPAddressFamily * const *b_)
839{
840 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
841 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
842 int len = ((a->length <= b->length) ? a->length : b->length);
843 int cmp = memcmp(a->data, b->data, len);
844
845 return cmp ? cmp : a->length - b->length;
846}
847
848/*
849 * Check whether an IPAddrBLocks is in canonical form.
850 */
851int
852v3_addr_is_canonical(IPAddrBlocks *addr)
853{
854 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
855 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
856 IPAddressOrRanges *aors;
857 int i, j, k;
858
859 /*
860 * Empty extension is cannonical.
861 */
862 if (addr == NULL)
863 return 1;
864
865 /*
866 * Check whether the top-level list is in order.
867 */
868 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
869 const IPAddressFamily *a =
870 sk_IPAddressFamily_value(addr, i);
871 const IPAddressFamily *b =
872 sk_IPAddressFamily_value(addr, i + 1);
873 if (IPAddressFamily_cmp(&a, &b) >= 0)
874 return 0;
875 }
876
877 /*
878 * Top level's ok, now check each address family.
879 */
880 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
881 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
882 int length = length_from_afi(v3_addr_get_afi(f));
883
884 /*
885 * Inheritance is canonical. Anything other than inheritance or
886 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
887 */
888 if (f == NULL || f->ipAddressChoice == NULL)
889 return 0;
890 switch (f->ipAddressChoice->type) {
891 case IPAddressChoice_inherit:
892 continue;
893 case IPAddressChoice_addressesOrRanges:
894 break;
895 default:
896 return 0;
897 }
898
899 /*
900 * It's an IPAddressOrRanges sequence, check it.
901 */
902 aors = f->ipAddressChoice->u.addressesOrRanges;
903 if (sk_IPAddressOrRange_num(aors) == 0)
904 return 0;
905 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
906 IPAddressOrRange *a =
907 sk_IPAddressOrRange_value(aors, j);
908 IPAddressOrRange *b =
909 sk_IPAddressOrRange_value(aors, j + 1);
910
911 if (!extract_min_max(a, a_min, a_max, length) ||
912 !extract_min_max(b, b_min, b_max, length))
913 return 0;
914
915 /*
916 * Punt misordered list, overlapping start, or inverted range.
917 */
918 if (memcmp(a_min, b_min, length) >= 0 ||
919 memcmp(a_min, a_max, length) > 0 ||
920 memcmp(b_min, b_max, length) > 0)
921 return 0;
922
923 /*
924 * Punt if adjacent or overlapping. Check for adjacency by
925 * subtracting one from b_min first.
926 */
927 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
928 ;
929 if (memcmp(a_max, b_min, length) >= 0)
930 return 0;
931
932 /*
933 * Check for range that should be expressed as a prefix.
934 */
935 if (a->type == IPAddressOrRange_addressRange &&
936 range_should_be_prefix(a_min, a_max, length) >= 0)
937 return 0;
938 }
939
940 /*
941 * Check range to see if it's inverted or should be a
942 * prefix.
943 */
944 j = sk_IPAddressOrRange_num(aors) - 1;
945 {
946 IPAddressOrRange *a =
947 sk_IPAddressOrRange_value(aors, j);
948 if (a != NULL &&
949 a->type == IPAddressOrRange_addressRange) {
950 if (!extract_min_max(a, a_min, a_max, length))
951 return 0;
952 if (memcmp(a_min, a_max, length) > 0 ||
953 range_should_be_prefix(a_min, a_max,
954 length) >= 0)
955 return 0;
956 }
957 }
958 }
959
960 /*
961 * If we made it through all that, we're happy.
962 */
963 return 1;
964}
965
966/*
967 * Whack an IPAddressOrRanges into canonical form.
968 */
969static int
970IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
971{
972 int i, j, length = length_from_afi(afi);
973
974 /*
975 * Sort the IPAddressOrRanges sequence.
976 */
977 sk_IPAddressOrRange_sort(aors);
978
979 /*
980 * Clean up representation issues, punt on duplicates or overlaps.
981 */
982 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
983 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
984 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
985 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
986 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
987
988 if (!extract_min_max(a, a_min, a_max, length) ||
989 !extract_min_max(b, b_min, b_max, length))
990 return 0;
991
992 /*
993 * Punt inverted ranges.
994 */
995 if (memcmp(a_min, a_max, length) > 0 ||
996 memcmp(b_min, b_max, length) > 0)
997 return 0;
998
999 /*
1000 * Punt overlaps.
1001 */
1002 if (memcmp(a_max, b_min, length) >= 0)
1003 return 0;
1004
1005 /*
1006 * Merge if a and b are adjacent. We check for
1007 * adjacency by subtracting one from b_min first.
1008 */
1009 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
1010 ;
1011 if (memcmp(a_max, b_min, length) == 0) {
1012 IPAddressOrRange *merged;
1013 if (!make_addressRange(&merged, a_min, b_max, length))
1014 return 0;
1015 (void) sk_IPAddressOrRange_set(aors, i, merged);
1016 (void) sk_IPAddressOrRange_delete(aors, i + 1);
1017 IPAddressOrRange_free(a);
1018 IPAddressOrRange_free(b);
1019 --i;
1020 continue;
1021 }
1022 }
1023
1024 /*
1025 * Check for inverted final range.
1026 */
1027 j = sk_IPAddressOrRange_num(aors) - 1;
1028 {
1029 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
1030 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
1031 unsigned char a_min[ADDR_RAW_BUF_LEN],
1032 a_max[ADDR_RAW_BUF_LEN];
1033 extract_min_max(a, a_min, a_max, length);
1034 if (memcmp(a_min, a_max, length) > 0)
1035 return 0;
1036 }
1037 }
1038
1039 return 1;
1040}
1041
1042/*
1043 * Whack an IPAddrBlocks extension into canonical form.
1044 */
1045int
1046v3_addr_canonize(IPAddrBlocks *addr)
1047{
1048 int i;
1049 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1050 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1051 if (f->ipAddressChoice->type ==
1052 IPAddressChoice_addressesOrRanges &&
1053 !IPAddressOrRanges_canonize(
1054 f->ipAddressChoice->u.addressesOrRanges,
1055 v3_addr_get_afi(f)))
1056 return 0;
1057 }
1058 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
1059 sk_IPAddressFamily_sort(addr);
1060 OPENSSL_assert(v3_addr_is_canonical(addr));
1061 return 1;
1062}
1063
1064/*
1065 * v2i handler for the IPAddrBlocks extension.
1066 */
1067static void *
1068v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
1069 STACK_OF(CONF_VALUE) *values)
1070{
1071 static const char v4addr_chars[] = "0123456789.";
1072 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
1073 IPAddrBlocks *addr = NULL;
1074 char *s = NULL, *t;
1075 int i;
1076
1077 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
1078 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1079 return NULL;
1080 }
1081
1082 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
1083 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
1084 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
1085 unsigned afi, *safi = NULL, safi_;
1086 const char *addr_chars;
1087 int prefixlen, i1, i2, delim, length;
1088
1089 if (!name_cmp(val->name, "IPv4")) {
1090 afi = IANA_AFI_IPV4;
1091 } else if (!name_cmp(val->name, "IPv6")) {
1092 afi = IANA_AFI_IPV6;
1093 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
1094 afi = IANA_AFI_IPV4;
1095 safi = &safi_;
1096 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
1097 afi = IANA_AFI_IPV6;
1098 safi = &safi_;
1099 } else {
1100 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1101 X509V3_R_EXTENSION_NAME_ERROR);
1102 X509V3_conf_err(val);
1103 goto err;
1104 }
1105
1106 switch (afi) {
1107 case IANA_AFI_IPV4:
1108 addr_chars = v4addr_chars;
1109 break;
1110 case IANA_AFI_IPV6:
1111 addr_chars = v6addr_chars;
1112 break;
1113 }
1114
1115 length = length_from_afi(afi);
1116
1117 /*
1118 * Handle SAFI, if any, and strdup() so we can null-terminate
1119 * the other input values.
1120 */
1121 if (safi != NULL) {
1122 *safi = strtoul(val->value, &t, 0);
1123 t += strspn(t, " \t");
1124 if (*safi > 0xFF || *t++ != ':') {
1125 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1126 X509V3_R_INVALID_SAFI);
1127 X509V3_conf_err(val);
1128 goto err;
1129 }
1130 t += strspn(t, " \t");
1131 s = strdup(t);
1132 } else {
1133 s = strdup(val->value);
1134 }
1135 if (s == NULL) {
1136 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1137 ERR_R_MALLOC_FAILURE);
1138 goto err;
1139 }
1140
1141 /*
1142 * Check for inheritance. Not worth additional complexity to
1143 * optimize this (seldom-used) case.
1144 */
1145 if (!strcmp(s, "inherit")) {
1146 if (!v3_addr_add_inherit(addr, afi, safi)) {
1147 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1148 X509V3_R_INVALID_INHERITANCE);
1149 X509V3_conf_err(val);
1150 goto err;
1151 }
1152 free(s);
1153 s = NULL;
1154 continue;
1155 }
1156
1157 i1 = strspn(s, addr_chars);
1158 i2 = i1 + strspn(s + i1, " \t");
1159 delim = s[i2++];
1160 s[i1] = '\0';
1161
1162 if (a2i_ipadd(min, s) != length) {
1163 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1164 X509V3_R_INVALID_IPADDRESS);
1165 X509V3_conf_err(val);
1166 goto err;
1167 }
1168
1169 switch (delim) {
1170 case '/':
1171 prefixlen = (int) strtoul(s + i2, &t, 10);
1172 if (t == s + i2 || *t != '\0') {
1173 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1174 X509V3_R_EXTENSION_VALUE_ERROR);
1175 X509V3_conf_err(val);
1176 goto err;
1177 }
1178 if (!v3_addr_add_prefix(addr, afi, safi, min,
1179 prefixlen)) {
1180 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1181 ERR_R_MALLOC_FAILURE);
1182 goto err;
1183 }
1184 break;
1185 case '-':
1186 i1 = i2 + strspn(s + i2, " \t");
1187 i2 = i1 + strspn(s + i1, addr_chars);
1188 if (i1 == i2 || s[i2] != '\0') {
1189 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1190 X509V3_R_EXTENSION_VALUE_ERROR);
1191 X509V3_conf_err(val);
1192 goto err;
1193 }
1194 if (a2i_ipadd(max, s + i1) != length) {
1195 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1196 X509V3_R_INVALID_IPADDRESS);
1197 X509V3_conf_err(val);
1198 goto err;
1199 }
1200 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1201 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1202 X509V3_R_EXTENSION_VALUE_ERROR);
1203 X509V3_conf_err(val);
1204 goto err;
1205 }
1206 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1207 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1208 ERR_R_MALLOC_FAILURE);
1209 goto err;
1210 }
1211 break;
1212 case '\0':
1213 if (!v3_addr_add_prefix(addr, afi, safi, min,
1214 length * 8)) {
1215 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1216 ERR_R_MALLOC_FAILURE);
1217 goto err;
1218 }
1219 break;
1220 default:
1221 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1222 X509V3_R_EXTENSION_VALUE_ERROR);
1223 X509V3_conf_err(val);
1224 goto err;
1225 }
1226
1227 free(s);
1228 s = NULL;
1229 }
1230
1231 /*
1232 * Canonize the result, then we're done.
1233 */
1234 if (!v3_addr_canonize(addr))
1235 goto err;
1236 return addr;
1237
1238err:
1239 free(s);
1240 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1241 return NULL;
1242}
1243
1244/*
1245 * OpenSSL dispatch
1246 */
1247const X509V3_EXT_METHOD v3_addr = {
1248 NID_sbgp_ipAddrBlock, /* nid */
1249 0, /* flags */
1250 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1251 0, 0, 0, 0, /* old functions, ignored */
1252 0, /* i2s */
1253 0, /* s2i */
1254 0, /* i2v */
1255 v2i_IPAddrBlocks, /* v2i */
1256 i2r_IPAddrBlocks, /* i2r */
1257 0, /* r2i */
1258 NULL /* extension-specific data */
1259};
1260
1261/*
1262 * Figure out whether extension sues inheritance.
1263 */
1264int
1265v3_addr_inherits(IPAddrBlocks *addr)
1266{
1267 int i;
1268
1269 if (addr == NULL)
1270 return 0;
1271 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1272 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1273 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1274 return 1;
1275 }
1276 return 0;
1277}
1278
1279/*
1280 * Figure out whether parent contains child.
1281 */
1282static int
1283addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
1284{
1285 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1286 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1287 int p, c;
1288
1289 if (child == NULL || parent == child)
1290 return 1;
1291 if (parent == NULL)
1292 return 0;
1293
1294 p = 0;
1295 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1296 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1297 c_min, c_max, length))
1298 return -1;
1299 for (; ; p++) {
1300 if (p >= sk_IPAddressOrRange_num(parent))
1301 return 0;
1302 if (!extract_min_max(
1303 sk_IPAddressOrRange_value(parent, p),
1304 p_min, p_max, length))
1305 return 0;
1306 if (memcmp(p_max, c_max, length) < 0)
1307 continue;
1308 if (memcmp(p_min, c_min, length) > 0)
1309 return 0;
1310 break;
1311 }
1312 }
1313
1314 return 1;
1315}
1316
1317/*
1318 * Test whether a is a subset of b.
1319 */
1320int
1321v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1322{
1323 int i;
1324
1325 if (a == NULL || a == b)
1326 return 1;
1327 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1328 return 0;
1329 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1330 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1331 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1332 int j = sk_IPAddressFamily_find(b, fa);
1333 IPAddressFamily *fb;
1334 fb = sk_IPAddressFamily_value(b, j);
1335 if (fb == NULL)
1336 return 0;
1337 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1338 fa->ipAddressChoice->u.addressesOrRanges,
1339 length_from_afi(v3_addr_get_afi(fb))))
1340 return 0;
1341 }
1342 return 1;
1343}
1344
1345/*
1346 * Validation error handling via callback.
1347 */
1348#define validation_err(_err_) \
1349 do { \
1350 if (ctx != NULL) { \
1351 ctx->error = _err_; \
1352 ctx->error_depth = i; \
1353 ctx->current_cert = x; \
1354 ret = ctx->verify_cb(0, ctx); \
1355 } else { \
1356 ret = 0; \
1357 } \
1358 if (!ret) \
1359 goto done; \
1360 } while (0)
1361
1362/*
1363 * Core code for RFC 3779 2.3 path validation.
1364 */
1365static int
1366v3_addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
1367 IPAddrBlocks *ext)
1368{
1369 IPAddrBlocks *child = NULL;
1370 int i, j, ret = 1;
1371 X509 *x;
1372
1373 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1374 OPENSSL_assert(ctx != NULL || ext != NULL);
1375 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1376
1377 /*
1378 * Figure out where to start. If we don't have an extension to
1379 * check, we're done. Otherwise, check canonical form and
1380 * set up for walking up the chain.
1381 */
1382 if (ext != NULL) {
1383 i = -1;
1384 x = NULL;
1385 } else {
1386 i = 0;
1387 x = sk_X509_value(chain, i);
1388 OPENSSL_assert(x != NULL);
1389 if ((ext = x->rfc3779_addr) == NULL)
1390 goto done;
1391 }
1392 if (!v3_addr_is_canonical(ext))
1393 validation_err(X509_V_ERR_INVALID_EXTENSION);
1394 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1395 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1396 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL,
1397 ERR_R_MALLOC_FAILURE);
1398 ret = 0;
1399 goto done;
1400 }
1401
1402 /*
1403 * Now walk up the chain. No cert may list resources that its
1404 * parent doesn't list.
1405 */
1406 for (i++; i < sk_X509_num(chain); i++) {
1407 x = sk_X509_value(chain, i);
1408 OPENSSL_assert(x != NULL);
1409 if (!v3_addr_is_canonical(x->rfc3779_addr))
1410 validation_err(X509_V_ERR_INVALID_EXTENSION);
1411 if (x->rfc3779_addr == NULL) {
1412 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1413 IPAddressFamily *fc =
1414 sk_IPAddressFamily_value(child, j);
1415 if (fc->ipAddressChoice->type !=
1416 IPAddressChoice_inherit) {
1417 validation_err(
1418 X509_V_ERR_UNNESTED_RESOURCE);
1419 break;
1420 }
1421 }
1422 continue;
1423 }
1424 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1425 IPAddressFamily_cmp);
1426 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1427 IPAddressFamily *fc =
1428 sk_IPAddressFamily_value(child, j);
1429 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1430 IPAddressFamily *fp =
1431 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1432 if (fp == NULL) {
1433 if (fc->ipAddressChoice->type ==
1434 IPAddressChoice_addressesOrRanges) {
1435 validation_err(
1436 X509_V_ERR_UNNESTED_RESOURCE);
1437 break;
1438 }
1439 continue;
1440 }
1441 if (fp->ipAddressChoice->type ==
1442 IPAddressChoice_addressesOrRanges) {
1443 if (fc->ipAddressChoice->type ==
1444 IPAddressChoice_inherit || addr_contains(
1445 fp->ipAddressChoice->u.addressesOrRanges,
1446 fc->ipAddressChoice->u.addressesOrRanges,
1447 length_from_afi(v3_addr_get_afi(fc))))
1448 sk_IPAddressFamily_set(child, j, fp);
1449 else
1450 validation_err(
1451 X509_V_ERR_UNNESTED_RESOURCE);
1452 }
1453 }
1454 }
1455
1456 /*
1457 * Trust anchor can't inherit.
1458 */
1459 OPENSSL_assert(x != NULL);
1460 if (x->rfc3779_addr != NULL) {
1461 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1462 IPAddressFamily *fp =
1463 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1464 if (fp->ipAddressChoice->type ==
1465 IPAddressChoice_inherit &&
1466 sk_IPAddressFamily_find(child, fp) >= 0)
1467 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1468 }
1469 }
1470
1471done:
1472 sk_IPAddressFamily_free(child);
1473 return ret;
1474}
1475
1476#undef validation_err
1477
1478/*
1479 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1480 */
1481int
1482v3_addr_validate_path(X509_STORE_CTX *ctx)
1483{
1484 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
1485}
1486
1487/*
1488 * RFC 3779 2.3 path validation of an extension.
1489 * Test whether chain covers extension.
1490 */
1491int
1492v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext,
1493 int allow_inheritance)
1494{
1495 if (ext == NULL)
1496 return 1;
1497 if (chain == NULL || sk_X509_num(chain) == 0)
1498 return 0;
1499 if (!allow_inheritance && v3_addr_inherits(ext))
1500 return 0;
1501 return v3_addr_validate_path_internal(NULL, chain, ext);
1502}
1503
1504#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509v3/v3_asid.c b/src/lib/libcrypto/x509v3/v3_asid.c
deleted file mode 100644
index 10f82c573d..0000000000
--- a/src/lib/libcrypto/x509v3/v3_asid.c
+++ /dev/null
@@ -1,1027 +0,0 @@
1/* $OpenBSD: v3_asid.c,v 1.12 2015/02/09 16:03:11 jsing Exp $ */
2/*
3 * Contributed to the OpenSSL Project by the American Registry for
4 * Internet Numbers ("ARIN").
5 */
6/* ====================================================================
7 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 */
58
59/*
60 * Implementation of RFC 3779 section 3.2.
61 */
62
63#include <stdio.h>
64#include <string.h>
65
66#include <openssl/opensslconf.h>
67
68#include <openssl/asn1.h>
69#include <openssl/asn1t.h>
70#include <openssl/bn.h>
71#include <openssl/conf.h>
72#include <openssl/x509v3.h>
73#include <openssl/x509.h>
74
75#ifndef OPENSSL_NO_RFC3779
76
77/*
78 * OpenSSL ASN.1 template translation of RFC 3779 3.2.3.
79 */
80
81ASN1_SEQUENCE(ASRange) = {
82 ASN1_SIMPLE(ASRange, min, ASN1_INTEGER),
83 ASN1_SIMPLE(ASRange, max, ASN1_INTEGER)
84} ASN1_SEQUENCE_END(ASRange)
85
86ASN1_CHOICE(ASIdOrRange) = {
87 ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER),
88 ASN1_SIMPLE(ASIdOrRange, u.range, ASRange)
89} ASN1_CHOICE_END(ASIdOrRange)
90
91ASN1_CHOICE(ASIdentifierChoice) = {
92 ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL),
93 ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange)
94} ASN1_CHOICE_END(ASIdentifierChoice)
95
96ASN1_SEQUENCE(ASIdentifiers) = {
97 ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0),
98 ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1)
99} ASN1_SEQUENCE_END(ASIdentifiers)
100
101
102ASRange *
103d2i_ASRange(ASRange **a, const unsigned char **in, long len)
104{
105 return (ASRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
106 &ASRange_it);
107}
108
109int
110i2d_ASRange(ASRange *a, unsigned char **out)
111{
112 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASRange_it);
113}
114
115ASRange *
116ASRange_new(void)
117{
118 return (ASRange *)ASN1_item_new(&ASRange_it);
119}
120
121void
122ASRange_free(ASRange *a)
123{
124 ASN1_item_free((ASN1_VALUE *)a, &ASRange_it);
125}
126
127ASIdOrRange *
128d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in, long len)
129{
130 return (ASIdOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
131 &ASIdOrRange_it);
132}
133
134int
135i2d_ASIdOrRange(ASIdOrRange *a, unsigned char **out)
136{
137 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdOrRange_it);
138}
139
140ASIdOrRange *
141ASIdOrRange_new(void)
142{
143 return (ASIdOrRange *)ASN1_item_new(&ASIdOrRange_it);
144}
145
146void
147ASIdOrRange_free(ASIdOrRange *a)
148{
149 ASN1_item_free((ASN1_VALUE *)a, &ASIdOrRange_it);
150}
151
152ASIdentifierChoice *
153d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in, long len)
154{
155 return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
156 &ASIdentifierChoice_it);
157}
158
159int
160i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out)
161{
162 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifierChoice_it);
163}
164
165ASIdentifierChoice *
166ASIdentifierChoice_new(void)
167{
168 return (ASIdentifierChoice *)ASN1_item_new(&ASIdentifierChoice_it);
169}
170
171void
172ASIdentifierChoice_free(ASIdentifierChoice *a)
173{
174 ASN1_item_free((ASN1_VALUE *)a, &ASIdentifierChoice_it);
175}
176
177ASIdentifiers *
178d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in, long len)
179{
180 return (ASIdentifiers *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
181 &ASIdentifiers_it);
182}
183
184int
185i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out)
186{
187 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifiers_it);
188}
189
190ASIdentifiers *
191ASIdentifiers_new(void)
192{
193 return (ASIdentifiers *)ASN1_item_new(&ASIdentifiers_it);
194}
195
196void
197ASIdentifiers_free(ASIdentifiers *a)
198{
199 ASN1_item_free((ASN1_VALUE *)a, &ASIdentifiers_it);
200}
201
202/*
203 * i2r method for an ASIdentifierChoice.
204 */
205static int
206i2r_ASIdentifierChoice(BIO *out, ASIdentifierChoice *choice, int indent,
207 const char *msg)
208{
209 int i;
210 char *s;
211
212 if (choice == NULL)
213 return 1;
214 BIO_printf(out, "%*s%s:\n", indent, "", msg);
215 switch (choice->type) {
216 case ASIdentifierChoice_inherit:
217 BIO_printf(out, "%*sinherit\n", indent + 2, "");
218 break;
219 case ASIdentifierChoice_asIdsOrRanges:
220 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges);
221 i++) {
222 ASIdOrRange *aor =
223 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
224 switch (aor->type) {
225 case ASIdOrRange_id:
226 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) ==
227 NULL)
228 return 0;
229 BIO_printf(out, "%*s%s\n", indent + 2, "", s);
230 free(s);
231 break;
232 case ASIdOrRange_range:
233 if ((s = i2s_ASN1_INTEGER(NULL,
234 aor->u.range->min)) == NULL)
235 return 0;
236 BIO_printf(out, "%*s%s-", indent + 2, "", s);
237 free(s);
238 if ((s = i2s_ASN1_INTEGER(NULL,
239 aor->u.range->max)) == NULL)
240 return 0;
241 BIO_printf(out, "%s\n", s);
242 free(s);
243 break;
244 default:
245 return 0;
246 }
247 }
248 break;
249
250 default:
251 return 0;
252 }
253 return 1;
254}
255
256/*
257 * i2r method for an ASIdentifier extension.
258 */
259static int
260i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
261 int indent)
262{
263 ASIdentifiers *asid = ext;
264
265 return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
266 "Autonomous System Numbers") &&
267 i2r_ASIdentifierChoice(out, asid->rdi, indent,
268 "Routing Domain Identifiers"));
269}
270
271/*
272 * Sort comparision function for a sequence of ASIdOrRange elements.
273 */
274static int
275ASIdOrRange_cmp(const ASIdOrRange * const *a_, const ASIdOrRange * const *b_)
276{
277 const ASIdOrRange *a = *a_, *b = *b_;
278
279 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
280 (a->type == ASIdOrRange_range && a->u.range != NULL &&
281 a->u.range->min != NULL && a->u.range->max != NULL));
282
283 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
284 (b->type == ASIdOrRange_range && b->u.range != NULL &&
285 b->u.range->min != NULL && b->u.range->max != NULL));
286
287 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
288 return ASN1_INTEGER_cmp(a->u.id, b->u.id);
289
290 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
291 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
292 return r != 0 ? r :
293 ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max);
294 }
295
296 if (a->type == ASIdOrRange_id)
297 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
298 else
299 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
300}
301
302/*
303 * Add an inherit element.
304 */
305int
306v3_asid_add_inherit(ASIdentifiers *asid, int which)
307{
308 ASIdentifierChoice **choice;
309
310 if (asid == NULL)
311 return 0;
312 switch (which) {
313 case V3_ASID_ASNUM:
314 choice = &asid->asnum;
315 break;
316 case V3_ASID_RDI:
317 choice = &asid->rdi;
318 break;
319 default:
320 return 0;
321 }
322 if (*choice == NULL) {
323 if ((*choice = ASIdentifierChoice_new()) == NULL)
324 return 0;
325 OPENSSL_assert((*choice)->u.inherit == NULL);
326 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
327 return 0;
328 (*choice)->type = ASIdentifierChoice_inherit;
329 }
330 return (*choice)->type == ASIdentifierChoice_inherit;
331}
332
333/*
334 * Add an ID or range to an ASIdentifierChoice.
335 */
336int
337v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
338 ASN1_INTEGER *max)
339{
340 ASIdentifierChoice **choice;
341 ASIdOrRange *aor;
342
343 if (asid == NULL)
344 return 0;
345 switch (which) {
346 case V3_ASID_ASNUM:
347 choice = &asid->asnum;
348 break;
349 case V3_ASID_RDI:
350 choice = &asid->rdi;
351 break;
352 default:
353 return 0;
354 }
355 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
356 return 0;
357 if (*choice == NULL) {
358 if ((*choice = ASIdentifierChoice_new()) == NULL)
359 return 0;
360 OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
361 (*choice)->u.asIdsOrRanges =
362 sk_ASIdOrRange_new(ASIdOrRange_cmp);
363 if ((*choice)->u.asIdsOrRanges == NULL)
364 return 0;
365 (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
366 }
367 if ((aor = ASIdOrRange_new()) == NULL)
368 return 0;
369 if (max == NULL) {
370 aor->type = ASIdOrRange_id;
371 aor->u.id = min;
372 } else {
373 aor->type = ASIdOrRange_range;
374 if ((aor->u.range = ASRange_new()) == NULL)
375 goto err;
376 ASN1_INTEGER_free(aor->u.range->min);
377 aor->u.range->min = min;
378 ASN1_INTEGER_free(aor->u.range->max);
379 aor->u.range->max = max;
380 }
381 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
382 goto err;
383 return 1;
384
385err:
386 ASIdOrRange_free(aor);
387 return 0;
388}
389
390/*
391 * Extract min and max values from an ASIdOrRange.
392 */
393static void
394extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max)
395{
396 OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
397
398 switch (aor->type) {
399 case ASIdOrRange_id:
400 *min = aor->u.id;
401 *max = aor->u.id;
402 return;
403 case ASIdOrRange_range:
404 *min = aor->u.range->min;
405 *max = aor->u.range->max;
406 return;
407 }
408}
409
410/*
411 * Check whether an ASIdentifierChoice is in canonical form.
412 */
413static int
414ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
415{
416 ASN1_INTEGER *a_max_plus_one = NULL;
417 BIGNUM *bn = NULL;
418 int i, ret = 0;
419
420 /*
421 * Empty element or inheritance is canonical.
422 */
423 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
424 return 1;
425
426 /*
427 * If not a list, or if empty list, it's broken.
428 */
429 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
430 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
431 return 0;
432
433 /*
434 * It's a list, check it.
435 */
436 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
437 ASIdOrRange *a =
438 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
439 ASIdOrRange *b =
440 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
441 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
442
443 extract_min_max(a, &a_min, &a_max);
444 extract_min_max(b, &b_min, &b_max);
445
446 /*
447 * Punt misordered list, overlapping start, or inverted range.
448 */
449 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
450 ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
451 ASN1_INTEGER_cmp(b_min, b_max) > 0)
452 goto done;
453
454 /*
455 * Calculate a_max + 1 to check for adjacency.
456 */
457 if ((bn == NULL && (bn = BN_new()) == NULL) ||
458 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
459 !BN_add_word(bn, 1) || (a_max_plus_one =
460 BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
461 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
462 ERR_R_MALLOC_FAILURE);
463 goto done;
464 }
465
466 /*
467 * Punt if adjacent or overlapping.
468 */
469 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
470 goto done;
471 }
472
473 /*
474 * Check for inverted range.
475 */
476 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
477 {
478 ASIdOrRange *a =
479 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
480 ASN1_INTEGER *a_min, *a_max;
481
482 if (a != NULL && a->type == ASIdOrRange_range) {
483 extract_min_max(a, &a_min, &a_max);
484 if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
485 goto done;
486 }
487 }
488
489 ret = 1;
490
491done:
492 ASN1_INTEGER_free(a_max_plus_one);
493 BN_free(bn);
494 return ret;
495}
496
497/*
498 * Check whether an ASIdentifier extension is in canonical form.
499 */
500int
501v3_asid_is_canonical(ASIdentifiers *asid)
502{
503 return (asid == NULL ||
504 (ASIdentifierChoice_is_canonical(asid->asnum) &&
505 ASIdentifierChoice_is_canonical(asid->rdi)));
506}
507
508/*
509 * Whack an ASIdentifierChoice into canonical form.
510 */
511static int
512ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
513{
514 ASN1_INTEGER *a_max_plus_one = NULL;
515 BIGNUM *bn = NULL;
516 int i, ret = 0;
517
518 /*
519 * Nothing to do for empty element or inheritance.
520 */
521 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
522 return 1;
523
524 /*
525 * If not a list, or if empty list, it's broken.
526 */
527 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
528 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
529 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
530 X509V3_R_EXTENSION_VALUE_ERROR);
531 return 0;
532 }
533
534 /*
535 * We have a non-empty list. Sort it.
536 */
537 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
538
539 /*
540 * Now check for errors and suboptimal encoding, rejecting the
541 * former and fixing the latter.
542 */
543 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
544 ASIdOrRange *a =
545 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
546 ASIdOrRange *b =
547 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
548 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
549
550 extract_min_max(a, &a_min, &a_max);
551 extract_min_max(b, &b_min, &b_max);
552
553 /*
554 * Make sure we're properly sorted (paranoia).
555 */
556 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
557
558 /*
559 * Punt inverted ranges.
560 */
561 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
562 ASN1_INTEGER_cmp(b_min, b_max) > 0)
563 goto done;
564
565 /*
566 * Check for overlaps.
567 */
568 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
569 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
570 X509V3_R_EXTENSION_VALUE_ERROR);
571 goto done;
572 }
573
574 /*
575 * Calculate a_max + 1 to check for adjacency.
576 */
577 if ((bn == NULL && (bn = BN_new()) == NULL) ||
578 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
579 !BN_add_word(bn, 1) || (a_max_plus_one =
580 BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
581 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
582 ERR_R_MALLOC_FAILURE);
583 goto done;
584 }
585
586 /*
587 * If a and b are adjacent, merge them.
588 */
589 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
590 ASRange *r;
591 switch (a->type) {
592 case ASIdOrRange_id:
593 if ((r = malloc(sizeof(ASRange))) == NULL) {
594 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
595 ERR_R_MALLOC_FAILURE);
596 goto done;
597 }
598 r->min = a_min;
599 r->max = b_max;
600 a->type = ASIdOrRange_range;
601 a->u.range = r;
602 break;
603 case ASIdOrRange_range:
604 ASN1_INTEGER_free(a->u.range->max);
605 a->u.range->max = b_max;
606 break;
607 }
608 switch (b->type) {
609 case ASIdOrRange_id:
610 b->u.id = NULL;
611 break;
612 case ASIdOrRange_range:
613 b->u.range->max = NULL;
614 break;
615 }
616 ASIdOrRange_free(b);
617 (void) sk_ASIdOrRange_delete(
618 choice->u.asIdsOrRanges, i + 1);
619 i--;
620 continue;
621 }
622 }
623
624 /*
625 * Check for final inverted range.
626 */
627 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
628 {
629 ASIdOrRange *a =
630 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
631 ASN1_INTEGER *a_min, *a_max;
632 if (a != NULL && a->type == ASIdOrRange_range) {
633 extract_min_max(a, &a_min, &a_max);
634 if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
635 goto done;
636 }
637 }
638
639 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
640
641 ret = 1;
642
643done:
644 ASN1_INTEGER_free(a_max_plus_one);
645 BN_free(bn);
646 return ret;
647}
648
649/*
650 * Whack an ASIdentifier extension into canonical form.
651 */
652int
653v3_asid_canonize(ASIdentifiers *asid)
654{
655 return (asid == NULL ||
656 (ASIdentifierChoice_canonize(asid->asnum) &&
657 ASIdentifierChoice_canonize(asid->rdi)));
658}
659
660/*
661 * v2i method for an ASIdentifier extension.
662 */
663static void *
664v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
665 STACK_OF(CONF_VALUE) *values)
666{
667 ASN1_INTEGER *min = NULL, *max = NULL;
668 ASIdentifiers *asid = NULL;
669 int i;
670
671 if ((asid = ASIdentifiers_new()) == NULL) {
672 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
673 return NULL;
674 }
675
676 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
677 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
678 int i1, i2, i3, is_range, which;
679
680 /*
681 * Figure out whether this is an AS or an RDI.
682 */
683 if (!name_cmp(val->name, "AS")) {
684 which = V3_ASID_ASNUM;
685 } else if (!name_cmp(val->name, "RDI")) {
686 which = V3_ASID_RDI;
687 } else {
688 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
689 X509V3_R_EXTENSION_NAME_ERROR);
690 X509V3_conf_err(val);
691 goto err;
692 }
693
694 /*
695 * Handle inheritance.
696 */
697 if (!strcmp(val->value, "inherit")) {
698 if (v3_asid_add_inherit(asid, which))
699 continue;
700 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
701 X509V3_R_INVALID_INHERITANCE);
702 X509V3_conf_err(val);
703 goto err;
704 }
705
706 /*
707 * Number, range, or mistake, pick it apart and figure out which.
708 */
709 i1 = strspn(val->value, "0123456789");
710 if (val->value[i1] == '\0') {
711 is_range = 0;
712 } else {
713 is_range = 1;
714 i2 = i1 + strspn(val->value + i1, " \t");
715 if (val->value[i2] != '-') {
716 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
717 X509V3_R_INVALID_ASNUMBER);
718 X509V3_conf_err(val);
719 goto err;
720 }
721 i2++;
722 i2 = i2 + strspn(val->value + i2, " \t");
723 i3 = i2 + strspn(val->value + i2, "0123456789");
724 if (val->value[i3] != '\0') {
725 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
726 X509V3_R_INVALID_ASRANGE);
727 X509V3_conf_err(val);
728 goto err;
729 }
730 }
731
732 /*
733 * Syntax is ok, read and add it.
734 */
735 if (!is_range) {
736 if (!X509V3_get_value_int(val, &min)) {
737 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
738 ERR_R_MALLOC_FAILURE);
739 goto err;
740 }
741 } else {
742 char *s = strdup(val->value);
743 if (s == NULL) {
744 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
745 ERR_R_MALLOC_FAILURE);
746 goto err;
747 }
748 s[i1] = '\0';
749 min = s2i_ASN1_INTEGER(NULL, s);
750 max = s2i_ASN1_INTEGER(NULL, s + i2);
751 free(s);
752 if (min == NULL || max == NULL) {
753 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
754 ERR_R_MALLOC_FAILURE);
755 goto err;
756 }
757 if (ASN1_INTEGER_cmp(min, max) > 0) {
758 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
759 X509V3_R_EXTENSION_VALUE_ERROR);
760 goto err;
761 }
762 }
763 if (!v3_asid_add_id_or_range(asid, which, min, max)) {
764 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
765 ERR_R_MALLOC_FAILURE);
766 goto err;
767 }
768 min = max = NULL;
769 }
770
771 /*
772 * Canonize the result, then we're done.
773 */
774 if (!v3_asid_canonize(asid))
775 goto err;
776 return asid;
777
778err:
779 ASIdentifiers_free(asid);
780 ASN1_INTEGER_free(min);
781 ASN1_INTEGER_free(max);
782 return NULL;
783}
784
785/*
786 * OpenSSL dispatch.
787 */
788const X509V3_EXT_METHOD v3_asid = {
789 NID_sbgp_autonomousSysNum, /* nid */
790 0, /* flags */
791 ASN1_ITEM_ref(ASIdentifiers), /* template */
792 0, 0, 0, 0, /* old functions, ignored */
793 0, /* i2s */
794 0, /* s2i */
795 0, /* i2v */
796 v2i_ASIdentifiers, /* v2i */
797 i2r_ASIdentifiers, /* i2r */
798 0, /* r2i */
799 NULL /* extension-specific data */
800};
801
802/*
803 * Figure out whether extension uses inheritance.
804 */
805int
806v3_asid_inherits(ASIdentifiers *asid)
807{
808 return (asid != NULL &&
809 ((asid->asnum != NULL &&
810 asid->asnum->type == ASIdentifierChoice_inherit) ||
811 (asid->rdi != NULL &&
812 asid->rdi->type == ASIdentifierChoice_inherit)));
813}
814
815/*
816 * Figure out whether parent contains child.
817 */
818static int
819asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
820{
821 ASN1_INTEGER *p_min, *p_max, *c_min, *c_max;
822 int p, c;
823
824 if (child == NULL || parent == child)
825 return 1;
826 if (parent == NULL)
827 return 0;
828
829 p = 0;
830 for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
831 extract_min_max(sk_ASIdOrRange_value(child, c),
832 &c_min, &c_max);
833 for (; ; p++) {
834 if (p >= sk_ASIdOrRange_num(parent))
835 return 0;
836 extract_min_max(sk_ASIdOrRange_value(parent, p),
837 &p_min, &p_max);
838 if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
839 continue;
840 if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
841 return 0;
842 break;
843 }
844 }
845
846 return 1;
847}
848
849/*
850 * Test whether a is a subet of b.
851 */
852int
853v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
854{
855 return (a == NULL || a == b ||
856 (b != NULL && !v3_asid_inherits(a) && !v3_asid_inherits(b) &&
857 asid_contains(b->asnum->u.asIdsOrRanges,
858 a->asnum->u.asIdsOrRanges) &&
859 asid_contains(b->rdi->u.asIdsOrRanges,
860 a->rdi->u.asIdsOrRanges)));
861}
862
863/*
864 * Validation error handling via callback.
865 */
866#define validation_err(_err_) \
867 do { \
868 if (ctx != NULL) { \
869 ctx->error = _err_; \
870 ctx->error_depth = i; \
871 ctx->current_cert = x; \
872 ret = ctx->verify_cb(0, ctx); \
873 } else { \
874 ret = 0; \
875 } \
876 if (!ret) \
877 goto done; \
878 } while (0)
879
880/*
881 * Core code for RFC 3779 3.3 path validation.
882 */
883static int
884v3_asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
885 ASIdentifiers *ext)
886{
887 ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
888 int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
889 X509 *x;
890
891 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
892 OPENSSL_assert(ctx != NULL || ext != NULL);
893 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
894
895 /*
896 * Figure out where to start. If we don't have an extension to
897 * check, we're done. Otherwise, check canonical form and
898 * set up for walking up the chain.
899 */
900 if (ext != NULL) {
901 i = -1;
902 x = NULL;
903 } else {
904 i = 0;
905 x = sk_X509_value(chain, i);
906 OPENSSL_assert(x != NULL);
907 if ((ext = x->rfc3779_asid) == NULL)
908 goto done;
909 }
910 if (!v3_asid_is_canonical(ext))
911 validation_err(X509_V_ERR_INVALID_EXTENSION);
912 if (ext->asnum != NULL) {
913 switch (ext->asnum->type) {
914 case ASIdentifierChoice_inherit:
915 inherit_as = 1;
916 break;
917 case ASIdentifierChoice_asIdsOrRanges:
918 child_as = ext->asnum->u.asIdsOrRanges;
919 break;
920 }
921 }
922 if (ext->rdi != NULL) {
923 switch (ext->rdi->type) {
924 case ASIdentifierChoice_inherit:
925 inherit_rdi = 1;
926 break;
927 case ASIdentifierChoice_asIdsOrRanges:
928 child_rdi = ext->rdi->u.asIdsOrRanges;
929 break;
930 }
931 }
932
933 /*
934 * Now walk up the chain. Extensions must be in canonical form, no
935 * cert may list resources that its parent doesn't list.
936 */
937 for (i++; i < sk_X509_num(chain); i++) {
938 x = sk_X509_value(chain, i);
939 OPENSSL_assert(x != NULL);
940 if (x->rfc3779_asid == NULL) {
941 if (child_as != NULL || child_rdi != NULL)
942 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
943 continue;
944 }
945 if (!v3_asid_is_canonical(x->rfc3779_asid))
946 validation_err(X509_V_ERR_INVALID_EXTENSION);
947 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
948 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
949 child_as = NULL;
950 inherit_as = 0;
951 }
952 if (x->rfc3779_asid->asnum != NULL &&
953 x->rfc3779_asid->asnum->type ==
954 ASIdentifierChoice_asIdsOrRanges) {
955 if (inherit_as || asid_contains(
956 x->rfc3779_asid->asnum->u.asIdsOrRanges,
957 child_as)) {
958 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
959 inherit_as = 0;
960 } else {
961 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
962 }
963 }
964 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
965 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
966 child_rdi = NULL;
967 inherit_rdi = 0;
968 }
969 if (x->rfc3779_asid->rdi != NULL &&
970 x->rfc3779_asid->rdi->type ==
971 ASIdentifierChoice_asIdsOrRanges) {
972 if (inherit_rdi || asid_contains(
973 x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) {
974 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
975 inherit_rdi = 0;
976 } else {
977 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
978 }
979 }
980 }
981
982 /*
983 * Trust anchor can't inherit.
984 */
985 OPENSSL_assert(x != NULL);
986 if (x->rfc3779_asid != NULL) {
987 if (x->rfc3779_asid->asnum != NULL &&
988 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
989 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
990 if (x->rfc3779_asid->rdi != NULL &&
991 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
992 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
993 }
994
995done:
996 return ret;
997}
998
999#undef validation_err
1000
1001/*
1002 * RFC 3779 3.3 path validation -- called from X509_verify_cert().
1003 */
1004int
1005v3_asid_validate_path(X509_STORE_CTX *ctx)
1006{
1007 return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);
1008}
1009
1010/*
1011 * RFC 3779 3.3 path validation of an extension.
1012 * Test whether chain covers extension.
1013 */
1014int
1015v3_asid_validate_resource_set(STACK_OF(X509) *chain, ASIdentifiers *ext,
1016 int allow_inheritance)
1017{
1018 if (ext == NULL)
1019 return 1;
1020 if (chain == NULL || sk_X509_num(chain) == 0)
1021 return 0;
1022 if (!allow_inheritance && v3_asid_inherits(ext))
1023 return 0;
1024 return v3_asid_validate_path_internal(NULL, chain, ext);
1025}
1026
1027#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index d1e888482e..69a8d05f26 100644
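--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: v3_purp.c,v 1.25 2015/02/10 11:22:22 jsing Exp $ */
+/* $OpenBSD: v3_purp.c,v 1.26 2015/02/10 13:28:17 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   * project 2001.
   */
@@ -346,10 +346,6 @@ X509_supported_extension(X509_EXTENSION *ex)
  NID_basic_constraints, /* 87 */
  NID_certificate_policies, /* 89 */
  NID_ext_key_usage, /* 126 */
-#ifndef OPENSSL_NO_RFC3779
- NID_sbgp_ipAddrBlock, /* 290 */
- NID_sbgp_autonomousSysNum, /* 291 */
-#endif
  NID_policy_constraints, /* 401 */
  NID_proxyCertInfo, /* 663 */
  NID_name_constraints, /* 666 */
@@ -531,11 +527,6 @@ x509v3_cache_extensions(X509 *x)
  x->ex_flags |= EXFLAG_INVALID;
  setup_crldp(x);
 
-#ifndef OPENSSL_NO_RFC3779
- x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
- x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
- NULL, NULL);
-#endif
  for (i = 0; i < X509_get_ext_count(x); i++) {
  ex = X509_get_ext(x, i);
  if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==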
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index a88223cd9b..b45626a885 100644
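--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.15 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: x509v3.h,v 1.16 2015/02/10 13:28:17 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   * project 1999.
   */
@@ -710,154 +710,6 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
 DECLARE_STACK_OF(X509_POLICY_NODE)
 
-#ifndef OPENSSL_NO_RFC3779
-
-typedef struct ASRange_st {
- ASN1_INTEGER *min, *max;
-} ASRange;
-
-#define ASIdOrRange_id 0
-#define ASIdOrRange_range 1
-
-typedef struct ASIdOrRange_st {
- int type;
- union {
- ASN1_INTEGER *id;
- ASRange *range;
- } u;
-} ASIdOrRange;
-
-typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
-DECLARE_STACK_OF(ASIdOrRange)
-
-#define ASIdentifierChoice_inherit 0
-#define ASIdentifierChoice_asIdsOrRanges 1
-
-typedef struct ASIdentifierChoice_st {
- int type;
- union {
- ASN1_NULL *inherit;
- ASIdOrRanges *asIdsOrRanges;
- } u;
-} ASIdentifierChoice;
-
-typedef struct ASIdentifiers_st {
- ASIdentifierChoice *asnum, *rdi;
-} ASIdentifiers;
-
-DECLARE_ASN1_FUNCTIONS(ASRange)
-DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
-DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
-DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
-
-
-typedef struct IPAddressRange_st {
- ASN1_BIT_STRING *min, *max;
-} IPAddressRange;
-
-#define IPAddressOrRange_addressPrefix 0
-#define IPAddressOrRange_addressRange 1
-
-typedef struct IPAddressOrRange_st {
- int type;
- union {
- ASN1_BIT_STRING *addressPrefix;
- IPAddressRange *addressRange;
- } u;
-} IPAddressOrRange;
-
-typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
-DECLARE_STACK_OF(IPAddressOrRange)
-
-#define IPAddressChoice_inherit 0
-#define IPAddressChoice_addressesOrRanges 1
-
-typedef struct IPAddressChoice_st {
- int type;
- union {
- ASN1_NULL *inherit;
- IPAddressOrRanges *addressesOrRanges;
- } u;
-} IPAddressChoice;
-
-typedef struct IPAddressFamily_st {
- ASN1_OCTET_STRING *addressFamily;
- IPAddressChoice *ipAddressChoice;
-} IPAddressFamily;
-
-typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
-DECLARE_STACK_OF(IPAddressFamily)
-
-DECLARE_ASN1_FUNCTIONS(IPAddressRange)
-DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
-DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
-DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
-
-/*
- * API tag for elements of the ASIdentifer SEQUENCE.
- */
-#define V3_ASID_ASNUM 0
-#define V3_ASID_RDI 1
-
-/*
- * AFI values, assigned by IANA. It'd be nice to make the AFI
- * handling code totally generic, but there are too many little things
- * that would need to be defined for other address families for it to
- * be worth the trouble.
- */
-#define IANA_AFI_IPV4 1
-#define IANA_AFI_IPV6 2
-
-/*
- * Utilities to construct and extract values from RFC3779 extensions,
- * since some of the encodings (particularly for IP address prefixes
- * and ranges) are a bit tedious to work with directly.
- */
-int v3_asid_add_inherit(ASIdentifiers *asid, int which);
-int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
- ASN1_INTEGER *min, ASN1_INTEGER *max);
-int v3_addr_add_inherit(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi);
-int v3_addr_add_prefix(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi,
- unsigned char *a, const int prefixlen);
-int v3_addr_add_range(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi,
- unsigned char *min, unsigned char *max);
-unsigned v3_addr_get_afi(const IPAddressFamily *f);
-int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
- unsigned char *min, unsigned char *max,
- const int length);
-
-/*
- * Canonical forms.
- */
-int v3_asid_is_canonical(ASIdentifiers *asid);
-int v3_addr_is_canonical(IPAddrBlocks *addr);
-int v3_asid_canonize(ASIdentifiers *asid);
-int v3_addr_canonize(IPAddrBlocks *addr);
-
-/*
- * Tests for inheritance and containment.
- */
-int v3_asid_inherits(ASIdentifiers *asid);
-int v3_addr_inherits(IPAddrBlocks *addr);
-int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
-int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
-
-/*
- * Check whether RFC 3779 extensions nest properly in chains.
- */
-int v3_asid_validate_path(X509_STORE_CTX *);
-int v3_addr_validate_path(X509_STORE_CTX *);
-int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
- ASIdentifiers *ext,
- int allow_inheritance);
-int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
- IPAddrBlocks *ext,
- int allow_inheritance);
-
-#endif /* OPENSSL_NO_RFC3779 */
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes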
diff --git a/src/lib/libssl/src/crypto/asn1/x_x509.c b/src/lib/libssl/src/crypto/asn1/x_x509.c
index 77ec8c41cf..756848fe19 100644
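--- a/src/lib/libssl/src/crypto/asn1/x_x509.c
+++ b/src/lib/libssl/src/crypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.20 2015/02/10 05:25:45 jsing Exp $ */
+/* $OpenBSD: x_x509.c,v 1.21 2015/02/10 13:28:17 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
   * All rights reserved.
   *
@@ -121,10 +121,6 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
  ret->ex_pathlen = -1;
  ret->skid = NULL;
  ret->akid = NULL;
-#ifndef OPENSSL_NO_RFC3779
- ret->rfc3779_addr = NULL;
- ret->rfc3779_asid = NULL;
-#endif
  ret->aux = NULL;
  ret->crldp = NULL;
  CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
@@ -144,10 +140,6 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
  policy_cache_free(ret->policy_cache);
  GENERAL_NAMES_free(ret->altname);
  NAME_CONSTRAINTS_free(ret->nc);
-#ifndef OPENSSL_NO_RFC3779
- sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
- ASIdentifiers_free(ret->rfc3779_asid);
-#endif
  free(ret->name);
  ret->name = NULL;
  break;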
diff --git a/src/lib/libssl/src/crypto/x509v3/ext_dat.h b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
index 1111af2108..f8bf7916b3 100644
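--- a/src/lib/libssl/src/crypto/x509v3/ext_dat.h
+++ b/src/lib/libssl/src/crypto/x509v3/ext_dat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ext_dat.h,v 1.11 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: ext_dat.h,v 1.12 2015/02/10 13:28:17 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   * project 1999.
   */
@@ -103,10 +103,6 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 #endif
  &v3_sxnet,
  &v3_info,
-#ifndef OPENSSL_NO_RFC3779
- &v3_addr,
- &v3_asid,
-#endif
 #ifndef OPENSSL_NO_OCSP
  &v3_ocsp_nonce,
  &v3_ocsp_crlid,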
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_addr.c b/src/lib/libssl/src/crypto/x509v3/v3_addr.c
deleted file mode 100644
index 4073aeeaa6..0000000000
--- a/src/lib/libssl/src/crypto/x509v3/v3_addr.c
+++ /dev/null
@@ -1,1504 +0,0 @@
1/* $OpenBSD: v3_addr.c,v 1.15 2015/02/09 16:03:11 jsing Exp $ */
2/*
3 * Contributed to the OpenSSL Project by the American Registry for
4 * Internet Numbers ("ARIN").
5 */
6/* ====================================================================
7 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 */
58
59/*
60 * Implementation of RFC 3779 section 2.2.
61 */
62
63#include <stdio.h>
64#include <stdlib.h>
65
66#include <openssl/opensslconf.h>
67
68#include <openssl/asn1.h>
69#include <openssl/asn1t.h>
70#include <openssl/buffer.h>
71#include <openssl/conf.h>
72#include <openssl/x509v3.h>
73
74#ifndef OPENSSL_NO_RFC3779
75
76/*
77 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
78 */
79
80ASN1_SEQUENCE(IPAddressRange) = {
81 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
82 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
83} ASN1_SEQUENCE_END(IPAddressRange)
84
85ASN1_CHOICE(IPAddressOrRange) = {
86 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
87 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
88} ASN1_CHOICE_END(IPAddressOrRange)
89
90ASN1_CHOICE(IPAddressChoice) = {
91 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
92 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
93} ASN1_CHOICE_END(IPAddressChoice)
94
95ASN1_SEQUENCE(IPAddressFamily) = {
96 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
97 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
98} ASN1_SEQUENCE_END(IPAddressFamily)
99
100ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
101 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
102 IPAddrBlocks, IPAddressFamily)
103ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
104
105
106IPAddressRange *
107d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len)
108{
109 return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
110 &IPAddressRange_it);
111}
112
113int
114i2d_IPAddressRange(IPAddressRange *a, unsigned char **out)
115{
116 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it);
117}
118
119IPAddressRange *
120IPAddressRange_new(void)
121{
122 return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it);
123}
124
125void
126IPAddressRange_free(IPAddressRange *a)
127{
128 ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it);
129}
130
131IPAddressOrRange *
132d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len)
133{
134 return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
135 &IPAddressOrRange_it);
136}
137
138int
139i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out)
140{
141 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it);
142}
143
144IPAddressOrRange *
145IPAddressOrRange_new(void)
146{
147 return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it);
148}
149
150void
151IPAddressOrRange_free(IPAddressOrRange *a)
152{
153 ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it);
154}
155
156IPAddressChoice *
157d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len)
158{
159 return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
160 &IPAddressChoice_it);
161}
162
163int
164i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out)
165{
166 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it);
167}
168
169IPAddressChoice *
170IPAddressChoice_new(void)
171{
172 return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it);
173}
174
175void
176IPAddressChoice_free(IPAddressChoice *a)
177{
178 ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it);
179}
180
181IPAddressFamily *
182d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len)
183{
184 return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
185 &IPAddressFamily_it);
186}
187
188int
189i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out)
190{
191 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it);
192}
193
194IPAddressFamily *
195IPAddressFamily_new(void)
196{
197 return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it);
198}
199
200void
201IPAddressFamily_free(IPAddressFamily *a)
202{
203 ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it);
204}
205
206/*
207 * How much buffer space do we need for a raw address?
208 */
209#define ADDR_RAW_BUF_LEN 16
210
211/*
212 * What's the address length associated with this AFI?
213 */
214static int
215length_from_afi(const unsigned afi)
216{
217 switch (afi) {
218 case IANA_AFI_IPV4:
219 return 4;
220 case IANA_AFI_IPV6:
221 return 16;
222 default:
223 return 0;
224 }
225}
226
227/*
228 * Extract the AFI from an IPAddressFamily.
229 */
230unsigned int
231v3_addr_get_afi(const IPAddressFamily *f)
232{
233 return ((f != NULL && f->addressFamily != NULL &&
234 f->addressFamily->data != NULL) ?
235 ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) :
236 0);
237}
238
239/*
240 * Expand the bitstring form of an address into a raw byte array.
241 * At the moment this is coded for simplicity, not speed.
242 */
243static int
244addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length,
245 const unsigned char fill)
246{
247 if (bs->length < 0 || bs->length > length)
248 return 0;
249 if (bs->length > 0) {
250 memcpy(addr, bs->data, bs->length);
251 if ((bs->flags & 7) != 0) {
252 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
253 if (fill == 0)
254 addr[bs->length - 1] &= ~mask;
255 else
256 addr[bs->length - 1] |= mask;
257 }
258 }
259 memset(addr + bs->length, fill, length - bs->length);
260 return 1;
261}
262
263/*
264 * Extract the prefix length from a bitstring.
265 */
266#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
267
268/*
269 * i2r handler for one address bitstring.
270 */
271static int
272i2r_address(BIO *out, const unsigned afi, const unsigned char fill,
273 const ASN1_BIT_STRING *bs)
274{
275 unsigned char addr[ADDR_RAW_BUF_LEN];
276 int i, n;
277
278 if (bs->length < 0)
279 return 0;
280 switch (afi) {
281 case IANA_AFI_IPV4:
282 if (!addr_expand(addr, bs, 4, fill))
283 return 0;
284 BIO_printf(out, "%d.%d.%d.%d",
285 addr[0], addr[1], addr[2], addr[3]);
286 break;
287 case IANA_AFI_IPV6:
288 if (!addr_expand(addr, bs, 16, fill))
289 return 0;
290 for (n = 16;
291 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2)
292 ;
293 for (i = 0; i < n; i += 2)
294 BIO_printf(out, "%x%s",
295 (addr[i] << 8) | addr[i + 1], (i < 14 ? ":" : ""));
296 if (i < 16)
297 BIO_puts(out, ":");
298 if (i == 0)
299 BIO_puts(out, ":");
300 break;
301 default:
302 for (i = 0; i < bs->length; i++)
303 BIO_printf(out, "%s%02x",
304 (i > 0 ? ":" : ""), bs->data[i]);
305 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
306 break;
307 }
308 return 1;
309}
310
311/*
312 * i2r handler for a sequence of addresses and ranges.
313 */
314static int
315i2r_IPAddressOrRanges(BIO *out, const int indent, const IPAddressOrRanges *aors,
316 const unsigned afi)
317{
318 int i;
319
320 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
321 const IPAddressOrRange *aor =
322 sk_IPAddressOrRange_value(aors, i);
323 BIO_printf(out, "%*s", indent, "");
324 switch (aor->type) {
325 case IPAddressOrRange_addressPrefix:
326 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
327 return 0;
328 BIO_printf(out, "/%d\n",
329 addr_prefixlen(aor->u.addressPrefix));
330 continue;
331 case IPAddressOrRange_addressRange:
332 if (!i2r_address(out, afi, 0x00,
333 aor->u.addressRange->min))
334 return 0;
335 BIO_puts(out, "-");
336 if (!i2r_address(out, afi, 0xFF,
337 aor->u.addressRange->max))
338 return 0;
339 BIO_puts(out, "\n");
340 continue;
341 }
342 }
343 return 1;
344}
345
346/*
347 * i2r handler for an IPAddrBlocks extension.
348 */
349static int
350i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
351 int indent)
352{
353 const IPAddrBlocks *addr = ext;
354 int i;
355
356 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
357 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
358 const unsigned int afi = v3_addr_get_afi(f);
359 switch (afi) {
360 case IANA_AFI_IPV4:
361 BIO_printf(out, "%*sIPv4", indent, "");
362 break;
363 case IANA_AFI_IPV6:
364 BIO_printf(out, "%*sIPv6", indent, "");
365 break;
366 default:
367 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
368 break;
369 }
370 if (f->addressFamily->length > 2) {
371 switch (f->addressFamily->data[2]) {
372 case 1:
373 BIO_puts(out, " (Unicast)");
374 break;
375 case 2:
376 BIO_puts(out, " (Multicast)");
377 break;
378 case 3:
379 BIO_puts(out, " (Unicast/Multicast)");
380 break;
381 case 4:
382 BIO_puts(out, " (MPLS)");
383 break;
384 case 64:
385 BIO_puts(out, " (Tunnel)");
386 break;
387 case 65:
388 BIO_puts(out, " (VPLS)");
389 break;
390 case 66:
391 BIO_puts(out, " (BGP MDT)");
392 break;
393 case 128:
394 BIO_puts(out, " (MPLS-labeled VPN)");
395 break;
396 default:
397 BIO_printf(out, " (Unknown SAFI %u)",
398 (unsigned)f->addressFamily->data[2]);
399 break;
400 }
401 }
402 switch (f->ipAddressChoice->type) {
403 case IPAddressChoice_inherit:
404 BIO_puts(out, ": inherit\n");
405 break;
406 case IPAddressChoice_addressesOrRanges:
407 BIO_puts(out, ":\n");
408 if (!i2r_IPAddressOrRanges(out, indent + 2,
409 f->ipAddressChoice->u.addressesOrRanges, afi))
410 return 0;
411 break;
412 }
413 }
414 return 1;
415}
416
417/*
418 * Sort comparison function for a sequence of IPAddressOrRange
419 * elements.
420 *
421 * There's no sane answer we can give if addr_expand() fails, and an
422 * assertion failure on externally supplied data is seriously uncool,
423 * so we just arbitrarily declare that if given invalid inputs this
424 * function returns -1. If this messes up your preferred sort order
425 * for garbage input, tough noogies.
426 */
427static int
428IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b,
429 const int length)
430{
431 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
432 int prefixlen_a = 0, prefixlen_b = 0;
433 int r;
434
435 switch (a->type) {
436 case IPAddressOrRange_addressPrefix:
437 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
438 return -1;
439 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
440 break;
441 case IPAddressOrRange_addressRange:
442 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
443 return -1;
444 prefixlen_a = length * 8;
445 break;
446 }
447
448 switch (b->type) {
449 case IPAddressOrRange_addressPrefix:
450 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
451 return -1;
452 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
453 break;
454 case IPAddressOrRange_addressRange:
455 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
456 return -1;
457 prefixlen_b = length * 8;
458 break;
459 }
460
461 if ((r = memcmp(addr_a, addr_b, length)) != 0)
462 return r;
463 else
464 return prefixlen_a - prefixlen_b;
465}
466
467/*
468 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
469 * comparision routines are only allowed two arguments.
470 */
471static int
472v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
473 const IPAddressOrRange * const *b)
474{
475 return IPAddressOrRange_cmp(*a, *b, 4);
476}
477
478/*
479 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
480 * comparision routines are only allowed two arguments.
481 */
482static int
483v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
484 const IPAddressOrRange * const *b)
485{
486 return IPAddressOrRange_cmp(*a, *b, 16);
487}
488
489/*
490 * Calculate whether a range collapses to a prefix.
491 * See last paragraph of RFC 3779 2.2.3.7.
492 */
493static int
494range_should_be_prefix(const unsigned char *min, const unsigned char *max,
495 const int length)
496{
497 unsigned char mask;
498 int i, j;
499
500 OPENSSL_assert(memcmp(min, max, length) <= 0);
501 for (i = 0; i < length && min[i] == max[i]; i++)
502 ;
503 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
504 ;
505 if (i < j)
506 return -1;
507 if (i > j)
508 return i * 8;
509 mask = min[i] ^ max[i];
510 switch (mask) {
511 case 0x01:
512 j = 7;
513 break;
514 case 0x03:
515 j = 6;
516 break;
517 case 0x07:
518 j = 5;
519 break;
520 case 0x0F:
521 j = 4;
522 break;
523 case 0x1F:
524 j = 3;
525 break;
526 case 0x3F:
527 j = 2;
528 break;
529 case 0x7F:
530 j = 1;
531 break;
532 default:
533 return -1;
534 }
535 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
536 return -1;
537 else
538 return i * 8 + j;
539}
540
541/*
542 * Construct a prefix.
543 */
544static int
545make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
546 const int prefixlen)
547{
548 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
549 IPAddressOrRange *aor = IPAddressOrRange_new();
550
551 if (aor == NULL)
552 return 0;
553 aor->type = IPAddressOrRange_addressPrefix;
554 if (aor->u.addressPrefix == NULL &&
555 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
556 goto err;
557 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
558 goto err;
559 aor->u.addressPrefix->flags &= ~7;
560 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
561 if (bitlen > 0) {
562 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
563 aor->u.addressPrefix->flags |= 8 - bitlen;
564 }
565
566 *result = aor;
567 return 1;
568
569err:
570 IPAddressOrRange_free(aor);
571 return 0;
572}
573
574/*
575 * Construct a range. If it can be expressed as a prefix,
576 * return a prefix instead. Doing this here simplifies
577 * the rest of the code considerably.
578 */
579static int
580make_addressRange(IPAddressOrRange **result, unsigned char *min,
581 unsigned char *max, const int length)
582{
583 IPAddressOrRange *aor;
584 int i, prefixlen;
585
586 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
587 return make_addressPrefix(result, min, prefixlen);
588
589 if ((aor = IPAddressOrRange_new()) == NULL)
590 return 0;
591 aor->type = IPAddressOrRange_addressRange;
592 OPENSSL_assert(aor->u.addressRange == NULL);
593 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
594 goto err;
595 if (aor->u.addressRange->min == NULL &&
596 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
597 goto err;
598 if (aor->u.addressRange->max == NULL &&
599 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
600 goto err;
601
602 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
603 ;
604 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
605 goto err;
606 aor->u.addressRange->min->flags &= ~7;
607 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
608 if (i > 0) {
609 unsigned char b = min[i - 1];
610 int j = 1;
611 while ((b & (0xFFU >> j)) != 0)
612 ++j;
613 aor->u.addressRange->min->flags |= 8 - j;
614 }
615
616 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
617 ;
618 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
619 goto err;
620 aor->u.addressRange->max->flags &= ~7;
621 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
622 if (i > 0) {
623 unsigned char b = max[i - 1];
624 int j = 1;
625 while ((b & (0xFFU >> j)) != (0xFFU >> j))
626 ++j;
627 aor->u.addressRange->max->flags |= 8 - j;
628 }
629
630 *result = aor;
631 return 1;
632
633err:
634 IPAddressOrRange_free(aor);
635 return 0;
636}
637
638/*
639 * Construct a new address family or find an existing one.
640 */
641static IPAddressFamily *
642make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
643 const unsigned *safi)
644{
645 IPAddressFamily *f;
646 unsigned char key[3];
647 unsigned keylen;
648 int i;
649
650 key[0] = (afi >> 8) & 0xFF;
651 key[1] = afi & 0xFF;
652 if (safi != NULL) {
653 key[2] = *safi & 0xFF;
654 keylen = 3;
655 } else {
656 keylen = 2;
657 }
658
659 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
660 f = sk_IPAddressFamily_value(addr, i);
661 OPENSSL_assert(f->addressFamily->data != NULL);
662 if (f->addressFamily->length == keylen &&
663 !memcmp(f->addressFamily->data, key, keylen))
664 return f;
665 }
666
667 if ((f = IPAddressFamily_new()) == NULL)
668 goto err;
669 if (f->ipAddressChoice == NULL &&
670 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
671 goto err;
672 if (f->addressFamily == NULL &&
673 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
674 goto err;
675 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
676 goto err;
677 if (!sk_IPAddressFamily_push(addr, f))
678 goto err;
679
680 return f;
681
682err:
683 IPAddressFamily_free(f);
684 return NULL;
685}
686
687/*
688 * Add an inheritance element.
689 */
690int
691v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
692 const unsigned *safi)
693{
694 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
695
696 if (f == NULL ||
697 f->ipAddressChoice == NULL ||
698 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
699 f->ipAddressChoice->u.addressesOrRanges != NULL))
700 return 0;
701 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
702 f->ipAddressChoice->u.inherit != NULL)
703 return 1;
704 if (f->ipAddressChoice->u.inherit == NULL &&
705 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
706 return 0;
707 f->ipAddressChoice->type = IPAddressChoice_inherit;
708 return 1;
709}
710
711/*
712 * Construct an IPAddressOrRange sequence, or return an existing one.
713 */
714static IPAddressOrRanges *
715make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
716 const unsigned *safi)
717{
718 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
719 IPAddressOrRanges *aors = NULL;
720
721 if (f == NULL ||
722 f->ipAddressChoice == NULL ||
723 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
724 f->ipAddressChoice->u.inherit != NULL))
725 return NULL;
726 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
727 aors = f->ipAddressChoice->u.addressesOrRanges;
728 if (aors != NULL)
729 return aors;
730 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
731 return NULL;
732 switch (afi) {
733 case IANA_AFI_IPV4:
734 (void) sk_IPAddressOrRange_set_cmp_func(aors,
735 v4IPAddressOrRange_cmp);
736 break;
737 case IANA_AFI_IPV6:
738 (void) sk_IPAddressOrRange_set_cmp_func(aors,
739 v6IPAddressOrRange_cmp);
740 break;
741 }
742 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
743 f->ipAddressChoice->u.addressesOrRanges = aors;
744 return aors;
745}
746
747/*
748 * Add a prefix.
749 */
750int
751v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi,
752 const unsigned *safi, unsigned char *a, const int prefixlen)
753{
754 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
755 IPAddressOrRange *aor;
756
757 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
758 return 0;
759 if (sk_IPAddressOrRange_push(aors, aor))
760 return 1;
761 IPAddressOrRange_free(aor);
762 return 0;
763}
764
765/*
766 * Add a range.
767 */
768int
769v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, const unsigned *safi,
770 unsigned char *min, unsigned char *max)
771{
772 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
773 IPAddressOrRange *aor;
774 int length = length_from_afi(afi);
775
776 if (aors == NULL)
777 return 0;
778 if (!make_addressRange(&aor, min, max, length))
779 return 0;
780 if (sk_IPAddressOrRange_push(aors, aor))
781 return 1;
782 IPAddressOrRange_free(aor);
783 return 0;
784}
785
786/*
787 * Extract min and max values from an IPAddressOrRange.
788 */
789static int
790extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max,
791 int length)
792{
793 if (aor == NULL || min == NULL || max == NULL)
794 return 0;
795 switch (aor->type) {
796 case IPAddressOrRange_addressPrefix:
797 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
798 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
799 case IPAddressOrRange_addressRange:
800 return (
801 addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
802 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
803 }
804 return 0;
805}
806
807/*
808 * Public wrapper for extract_min_max().
809 */
810int
811v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
812 unsigned char *min, unsigned char *max, const int length)
813{
814 int afi_length = length_from_afi(afi);
815
816 if (aor == NULL || min == NULL || max == NULL ||
817 afi_length == 0 || length < afi_length ||
818 (aor->type != IPAddressOrRange_addressPrefix &&
819 aor->type != IPAddressOrRange_addressRange) ||
820 !extract_min_max(aor, min, max, afi_length))
821 return 0;
822
823 return afi_length;
824}
825
826/*
827 * Sort comparision function for a sequence of IPAddressFamily.
828 *
829 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
830 * the ordering: I can read it as meaning that IPv6 without a SAFI
831 * comes before IPv4 with a SAFI, which seems pretty weird. The
832 * examples in appendix B suggest that the author intended the
833 * null-SAFI rule to apply only within a single AFI, which is what I
834 * would have expected and is what the following code implements.
835 */
836static int
837IPAddressFamily_cmp(const IPAddressFamily * const *a_,
838 const IPAddressFamily * const *b_)
839{
840 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
841 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
842 int len = ((a->length <= b->length) ? a->length : b->length);
843 int cmp = memcmp(a->data, b->data, len);
844
845 return cmp ? cmp : a->length - b->length;
846}
847
848/*
849 * Check whether an IPAddrBLocks is in canonical form.
850 */
851int
852v3_addr_is_canonical(IPAddrBlocks *addr)
853{
854 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
855 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
856 IPAddressOrRanges *aors;
857 int i, j, k;
858
859 /*
860 * Empty extension is cannonical.
861 */
862 if (addr == NULL)
863 return 1;
864
865 /*
866 * Check whether the top-level list is in order.
867 */
868 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
869 const IPAddressFamily *a =
870 sk_IPAddressFamily_value(addr, i);
871 const IPAddressFamily *b =
872 sk_IPAddressFamily_value(addr, i + 1);
873 if (IPAddressFamily_cmp(&a, &b) >= 0)
874 return 0;
875 }
876
877 /*
878 * Top level's ok, now check each address family.
879 */
880 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
881 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
882 int length = length_from_afi(v3_addr_get_afi(f));
883
884 /*
885 * Inheritance is canonical. Anything other than inheritance or
886 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
887 */
888 if (f == NULL || f->ipAddressChoice == NULL)
889 return 0;
890 switch (f->ipAddressChoice->type) {
891 case IPAddressChoice_inherit:
892 continue;
893 case IPAddressChoice_addressesOrRanges:
894 break;
895 default:
896 return 0;
897 }
898
899 /*
900 * It's an IPAddressOrRanges sequence, check it.
901 */
902 aors = f->ipAddressChoice->u.addressesOrRanges;
903 if (sk_IPAddressOrRange_num(aors) == 0)
904 return 0;
905 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
906 IPAddressOrRange *a =
907 sk_IPAddressOrRange_value(aors, j);
908 IPAddressOrRange *b =
909 sk_IPAddressOrRange_value(aors, j + 1);
910
911 if (!extract_min_max(a, a_min, a_max, length) ||
912 !extract_min_max(b, b_min, b_max, length))
913 return 0;
914
915 /*
916 * Punt misordered list, overlapping start, or inverted range.
917 */
918 if (memcmp(a_min, b_min, length) >= 0 ||
919 memcmp(a_min, a_max, length) > 0 ||
920 memcmp(b_min, b_max, length) > 0)
921 return 0;
922
923 /*
924 * Punt if adjacent or overlapping. Check for adjacency by
925 * subtracting one from b_min first.
926 */
927 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
928 ;
929 if (memcmp(a_max, b_min, length) >= 0)
930 return 0;
931
932 /*
933 * Check for range that should be expressed as a prefix.
934 */
935 if (a->type == IPAddressOrRange_addressRange &&
936 range_should_be_prefix(a_min, a_max, length) >= 0)
937 return 0;
938 }
939
940 /*
941 * Check range to see if it's inverted or should be a
942 * prefix.
943 */
944 j = sk_IPAddressOrRange_num(aors) - 1;
945 {
946 IPAddressOrRange *a =
947 sk_IPAddressOrRange_value(aors, j);
948 if (a != NULL &&
949 a->type == IPAddressOrRange_addressRange) {
950 if (!extract_min_max(a, a_min, a_max, length))
951 return 0;
952 if (memcmp(a_min, a_max, length) > 0 ||
953 range_should_be_prefix(a_min, a_max,
954 length) >= 0)
955 return 0;
956 }
957 }
958 }
959
960 /*
961 * If we made it through all that, we're happy.
962 */
963 return 1;
964}
965
966/*
967 * Whack an IPAddressOrRanges into canonical form.
968 */
969static int
970IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
971{
972 int i, j, length = length_from_afi(afi);
973
974 /*
975 * Sort the IPAddressOrRanges sequence.
976 */
977 sk_IPAddressOrRange_sort(aors);
978
979 /*
980 * Clean up representation issues, punt on duplicates or overlaps.
981 */
982 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
983 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
984 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
985 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
986 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
987
988 if (!extract_min_max(a, a_min, a_max, length) ||
989 !extract_min_max(b, b_min, b_max, length))
990 return 0;
991
992 /*
993 * Punt inverted ranges.
994 */
995 if (memcmp(a_min, a_max, length) > 0 ||
996 memcmp(b_min, b_max, length) > 0)
997 return 0;
998
999 /*
1000 * Punt overlaps.
1001 */
1002 if (memcmp(a_max, b_min, length) >= 0)
1003 return 0;
1004
1005 /*
1006 * Merge if a and b are adjacent. We check for
1007 * adjacency by subtracting one from b_min first.
1008 */
1009 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
1010 ;
1011 if (memcmp(a_max, b_min, length) == 0) {
1012 IPAddressOrRange *merged;
1013 if (!make_addressRange(&merged, a_min, b_max, length))
1014 return 0;
1015 (void) sk_IPAddressOrRange_set(aors, i, merged);
1016 (void) sk_IPAddressOrRange_delete(aors, i + 1);
1017 IPAddressOrRange_free(a);
1018 IPAddressOrRange_free(b);
1019 --i;
1020 continue;
1021 }
1022 }
1023
1024 /*
1025 * Check for inverted final range.
1026 */
1027 j = sk_IPAddressOrRange_num(aors) - 1;
1028 {
1029 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
1030 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
1031 unsigned char a_min[ADDR_RAW_BUF_LEN],
1032 a_max[ADDR_RAW_BUF_LEN];
1033 extract_min_max(a, a_min, a_max, length);
1034 if (memcmp(a_min, a_max, length) > 0)
1035 return 0;
1036 }
1037 }
1038
1039 return 1;
1040}
1041
1042/*
1043 * Whack an IPAddrBlocks extension into canonical form.
1044 */
1045int
1046v3_addr_canonize(IPAddrBlocks *addr)
1047{
1048 int i;
1049 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1050 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1051 if (f->ipAddressChoice->type ==
1052 IPAddressChoice_addressesOrRanges &&
1053 !IPAddressOrRanges_canonize(
1054 f->ipAddressChoice->u.addressesOrRanges,
1055 v3_addr_get_afi(f)))
1056 return 0;
1057 }
1058 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
1059 sk_IPAddressFamily_sort(addr);
1060 OPENSSL_assert(v3_addr_is_canonical(addr));
1061 return 1;
1062}
1063
1064/*
1065 * v2i handler for the IPAddrBlocks extension.
1066 */
1067static void *
1068v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
1069 STACK_OF(CONF_VALUE) *values)
1070{
1071 static const char v4addr_chars[] = "0123456789.";
1072 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
1073 IPAddrBlocks *addr = NULL;
1074 char *s = NULL, *t;
1075 int i;
1076
1077 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
1078 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1079 return NULL;
1080 }
1081
1082 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
1083 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
1084 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
1085 unsigned afi, *safi = NULL, safi_;
1086 const char *addr_chars;
1087 int prefixlen, i1, i2, delim, length;
1088
1089 if (!name_cmp(val->name, "IPv4")) {
1090 afi = IANA_AFI_IPV4;
1091 } else if (!name_cmp(val->name, "IPv6")) {
1092 afi = IANA_AFI_IPV6;
1093 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
1094 afi = IANA_AFI_IPV4;
1095 safi = &safi_;
1096 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
1097 afi = IANA_AFI_IPV6;
1098 safi = &safi_;
1099 } else {
1100 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1101 X509V3_R_EXTENSION_NAME_ERROR);
1102 X509V3_conf_err(val);
1103 goto err;
1104 }
1105
1106 switch (afi) {
1107 case IANA_AFI_IPV4:
1108 addr_chars = v4addr_chars;
1109 break;
1110 case IANA_AFI_IPV6:
1111 addr_chars = v6addr_chars;
1112 break;
1113 }
1114
1115 length = length_from_afi(afi);
1116
1117 /*
1118 * Handle SAFI, if any, and strdup() so we can null-terminate
1119 * the other input values.
1120 */
1121 if (safi != NULL) {
1122 *safi = strtoul(val->value, &t, 0);
1123 t += strspn(t, " \t");
1124 if (*safi > 0xFF || *t++ != ':') {
1125 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1126 X509V3_R_INVALID_SAFI);
1127 X509V3_conf_err(val);
1128 goto err;
1129 }
1130 t += strspn(t, " \t");
1131 s = strdup(t);
1132 } else {
1133 s = strdup(val->value);
1134 }
1135 if (s == NULL) {
1136 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1137 ERR_R_MALLOC_FAILURE);
1138 goto err;
1139 }
1140
1141 /*
1142 * Check for inheritance. Not worth additional complexity to
1143 * optimize this (seldom-used) case.
1144 */
1145 if (!strcmp(s, "inherit")) {
1146 if (!v3_addr_add_inherit(addr, afi, safi)) {
1147 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1148 X509V3_R_INVALID_INHERITANCE);
1149 X509V3_conf_err(val);
1150 goto err;
1151 }
1152 free(s);
1153 s = NULL;
1154 continue;
1155 }
1156
1157 i1 = strspn(s, addr_chars);
1158 i2 = i1 + strspn(s + i1, " \t");
1159 delim = s[i2++];
1160 s[i1] = '\0';
1161
1162 if (a2i_ipadd(min, s) != length) {
1163 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1164 X509V3_R_INVALID_IPADDRESS);
1165 X509V3_conf_err(val);
1166 goto err;
1167 }
1168
1169 switch (delim) {
1170 case '/':
1171 prefixlen = (int) strtoul(s + i2, &t, 10);
1172 if (t == s + i2 || *t != '\0') {
1173 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1174 X509V3_R_EXTENSION_VALUE_ERROR);
1175 X509V3_conf_err(val);
1176 goto err;
1177 }
1178 if (!v3_addr_add_prefix(addr, afi, safi, min,
1179 prefixlen)) {
1180 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1181 ERR_R_MALLOC_FAILURE);
1182 goto err;
1183 }
1184 break;
1185 case '-':
1186 i1 = i2 + strspn(s + i2, " \t");
1187 i2 = i1 + strspn(s + i1, addr_chars);
1188 if (i1 == i2 || s[i2] != '\0') {
1189 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1190 X509V3_R_EXTENSION_VALUE_ERROR);
1191 X509V3_conf_err(val);
1192 goto err;
1193 }
1194 if (a2i_ipadd(max, s + i1) != length) {
1195 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1196 X509V3_R_INVALID_IPADDRESS);
1197 X509V3_conf_err(val);
1198 goto err;
1199 }
1200 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1201 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1202 X509V3_R_EXTENSION_VALUE_ERROR);
1203 X509V3_conf_err(val);
1204 goto err;
1205 }
1206 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1207 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1208 ERR_R_MALLOC_FAILURE);
1209 goto err;
1210 }
1211 break;
1212 case '\0':
1213 if (!v3_addr_add_prefix(addr, afi, safi, min,
1214 length * 8)) {
1215 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1216 ERR_R_MALLOC_FAILURE);
1217 goto err;
1218 }
1219 break;
1220 default:
1221 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1222 X509V3_R_EXTENSION_VALUE_ERROR);
1223 X509V3_conf_err(val);
1224 goto err;
1225 }
1226
1227 free(s);
1228 s = NULL;
1229 }
1230
1231 /*
1232 * Canonize the result, then we're done.
1233 */
1234 if (!v3_addr_canonize(addr))
1235 goto err;
1236 return addr;
1237
1238err:
1239 free(s);
1240 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1241 return NULL;
1242}
1243
1244/*
1245 * OpenSSL dispatch
1246 */
1247const X509V3_EXT_METHOD v3_addr = {
1248 NID_sbgp_ipAddrBlock, /* nid */
1249 0, /* flags */
1250 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1251 0, 0, 0, 0, /* old functions, ignored */
1252 0, /* i2s */
1253 0, /* s2i */
1254 0, /* i2v */
1255 v2i_IPAddrBlocks, /* v2i */
1256 i2r_IPAddrBlocks, /* i2r */
1257 0, /* r2i */
1258 NULL /* extension-specific data */
1259};
1260
1261/*
1262 * Figure out whether extension sues inheritance.
1263 */
1264int
1265v3_addr_inherits(IPAddrBlocks *addr)
1266{
1267 int i;
1268
1269 if (addr == NULL)
1270 return 0;
1271 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1272 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1273 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1274 return 1;
1275 }
1276 return 0;
1277}
1278
1279/*
1280 * Figure out whether parent contains child.
1281 */
1282static int
1283addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
1284{
1285 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1286 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1287 int p, c;
1288
1289 if (child == NULL || parent == child)
1290 return 1;
1291 if (parent == NULL)
1292 return 0;
1293
1294 p = 0;
1295 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1296 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1297 c_min, c_max, length))
1298 return -1;
1299 for (; ; p++) {
1300 if (p >= sk_IPAddressOrRange_num(parent))
1301 return 0;
1302 if (!extract_min_max(
1303 sk_IPAddressOrRange_value(parent, p),
1304 p_min, p_max, length))
1305 return 0;
1306 if (memcmp(p_max, c_max, length) < 0)
1307 continue;
1308 if (memcmp(p_min, c_min, length) > 0)
1309 return 0;
1310 break;
1311 }
1312 }
1313
1314 return 1;
1315}
1316
1317/*
1318 * Test whether a is a subset of b.
1319 */
1320int
1321v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1322{
1323 int i;
1324
1325 if (a == NULL || a == b)
1326 return 1;
1327 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1328 return 0;
1329 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1330 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1331 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1332 int j = sk_IPAddressFamily_find(b, fa);
1333 IPAddressFamily *fb;
1334 fb = sk_IPAddressFamily_value(b, j);
1335 if (fb == NULL)
1336 return 0;
1337 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1338 fa->ipAddressChoice->u.addressesOrRanges,
1339 length_from_afi(v3_addr_get_afi(fb))))
1340 return 0;
1341 }
1342 return 1;
1343}
1344
1345/*
1346 * Validation error handling via callback.
1347 */
1348#define validation_err(_err_) \
1349 do { \
1350 if (ctx != NULL) { \
1351 ctx->error = _err_; \
1352 ctx->error_depth = i; \
1353 ctx->current_cert = x; \
1354 ret = ctx->verify_cb(0, ctx); \
1355 } else { \
1356 ret = 0; \
1357 } \
1358 if (!ret) \
1359 goto done; \
1360 } while (0)
1361
1362/*
1363 * Core code for RFC 3779 2.3 path validation.
1364 */
1365static int
1366v3_addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
1367 IPAddrBlocks *ext)
1368{
1369 IPAddrBlocks *child = NULL;
1370 int i, j, ret = 1;
1371 X509 *x;
1372
1373 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1374 OPENSSL_assert(ctx != NULL || ext != NULL);
1375 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1376
1377 /*
1378 * Figure out where to start. If we don't have an extension to
1379 * check, we're done. Otherwise, check canonical form and
1380 * set up for walking up the chain.
1381 */
1382 if (ext != NULL) {
1383 i = -1;
1384 x = NULL;
1385 } else {
1386 i = 0;
1387 x = sk_X509_value(chain, i);
1388 OPENSSL_assert(x != NULL);
1389 if ((ext = x->rfc3779_addr) == NULL)
1390 goto done;
1391 }
1392 if (!v3_addr_is_canonical(ext))
1393 validation_err(X509_V_ERR_INVALID_EXTENSION);
1394 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1395 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1396 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL,
1397 ERR_R_MALLOC_FAILURE);
1398 ret = 0;
1399 goto done;
1400 }
1401
1402 /*
1403 * Now walk up the chain. No cert may list resources that its
1404 * parent doesn't list.
1405 */
1406 for (i++; i < sk_X509_num(chain); i++) {
1407 x = sk_X509_value(chain, i);
1408 OPENSSL_assert(x != NULL);
1409 if (!v3_addr_is_canonical(x->rfc3779_addr))
1410 validation_err(X509_V_ERR_INVALID_EXTENSION);
1411 if (x->rfc3779_addr == NULL) {
1412 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1413 IPAddressFamily *fc =
1414 sk_IPAddressFamily_value(child, j);
1415 if (fc->ipAddressChoice->type !=
1416 IPAddressChoice_inherit) {
1417 validation_err(
1418 X509_V_ERR_UNNESTED_RESOURCE);
1419 break;
1420 }
1421 }
1422 continue;
1423 }
1424 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1425 IPAddressFamily_cmp);
1426 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1427 IPAddressFamily *fc =
1428 sk_IPAddressFamily_value(child, j);
1429 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1430 IPAddressFamily *fp =
1431 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1432 if (fp == NULL) {
1433 if (fc->ipAddressChoice->type ==
1434 IPAddressChoice_addressesOrRanges) {
1435 validation_err(
1436 X509_V_ERR_UNNESTED_RESOURCE);
1437 break;
1438 }
1439 continue;
1440 }
1441 if (fp->ipAddressChoice->type ==
1442 IPAddressChoice_addressesOrRanges) {
1443 if (fc->ipAddressChoice->type ==
1444 IPAddressChoice_inherit || addr_contains(
1445 fp->ipAddressChoice->u.addressesOrRanges,
1446 fc->ipAddressChoice->u.addressesOrRanges,
1447 length_from_afi(v3_addr_get_afi(fc))))
1448 sk_IPAddressFamily_set(child, j, fp);
1449 else
1450 validation_err(
1451 X509_V_ERR_UNNESTED_RESOURCE);
1452 }
1453 }
1454 }
1455
1456 /*
1457 * Trust anchor can't inherit.
1458 */
1459 OPENSSL_assert(x != NULL);
1460 if (x->rfc3779_addr != NULL) {
1461 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1462 IPAddressFamily *fp =
1463 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1464 if (fp->ipAddressChoice->type ==
1465 IPAddressChoice_inherit &&
1466 sk_IPAddressFamily_find(child, fp) >= 0)
1467 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1468 }
1469 }
1470
1471done:
1472 sk_IPAddressFamily_free(child);
1473 return ret;
1474}
1475
1476#undef validation_err
1477
1478/*
1479 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1480 */
1481int
1482v3_addr_validate_path(X509_STORE_CTX *ctx)
1483{
1484 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
1485}
1486
1487/*
1488 * RFC 3779 2.3 path validation of an extension.
1489 * Test whether chain covers extension.
1490 */
1491int
1492v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext,
1493 int allow_inheritance)
1494{
1495 if (ext == NULL)
1496 return 1;
1497 if (chain == NULL || sk_X509_num(chain) == 0)
1498 return 0;
1499 if (!allow_inheritance && v3_addr_inherits(ext))
1500 return 0;
1501 return v3_addr_validate_path_internal(NULL, chain, ext);
1502}
1503
1504#endif /* OPENSSL_NO_RFC3779 */
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_asid.c b/src/lib/libssl/src/crypto/x509v3/v3_asid.c
deleted file mode 100644
index 10f82c573d..0000000000
--- a/src/lib/libssl/src/crypto/x509v3/v3_asid.c
+++ /dev/null
@@ -1,1027 +0,0 @@
1/* $OpenBSD: v3_asid.c,v 1.12 2015/02/09 16:03:11 jsing Exp $ */
2/*
3 * Contributed to the OpenSSL Project by the American Registry for
4 * Internet Numbers ("ARIN").
5 */
6/* ====================================================================
7 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 */
58
59/*
60 * Implementation of RFC 3779 section 3.2.
61 */
62
63#include <stdio.h>
64#include <string.h>
65
66#include <openssl/opensslconf.h>
67
68#include <openssl/asn1.h>
69#include <openssl/asn1t.h>
70#include <openssl/bn.h>
71#include <openssl/conf.h>
72#include <openssl/x509v3.h>
73#include <openssl/x509.h>
74
75#ifndef OPENSSL_NO_RFC3779
76
77/*
78 * OpenSSL ASN.1 template translation of RFC 3779 3.2.3.
79 */
80
81ASN1_SEQUENCE(ASRange) = {
82 ASN1_SIMPLE(ASRange, min, ASN1_INTEGER),
83 ASN1_SIMPLE(ASRange, max, ASN1_INTEGER)
84} ASN1_SEQUENCE_END(ASRange)
85
86ASN1_CHOICE(ASIdOrRange) = {
87 ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER),
88 ASN1_SIMPLE(ASIdOrRange, u.range, ASRange)
89} ASN1_CHOICE_END(ASIdOrRange)
90
91ASN1_CHOICE(ASIdentifierChoice) = {
92 ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL),
93 ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange)
94} ASN1_CHOICE_END(ASIdentifierChoice)
95
96ASN1_SEQUENCE(ASIdentifiers) = {
97 ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0),
98 ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1)
99} ASN1_SEQUENCE_END(ASIdentifiers)
100
101
102ASRange *
103d2i_ASRange(ASRange **a, const unsigned char **in, long len)
104{
105 return (ASRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
106 &ASRange_it);
107}
108
109int
110i2d_ASRange(ASRange *a, unsigned char **out)
111{
112 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASRange_it);
113}
114
115ASRange *
116ASRange_new(void)
117{
118 return (ASRange *)ASN1_item_new(&ASRange_it);
119}
120
121void
122ASRange_free(ASRange *a)
123{
124 ASN1_item_free((ASN1_VALUE *)a, &ASRange_it);
125}
126
127ASIdOrRange *
128d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in, long len)
129{
130 return (ASIdOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
131 &ASIdOrRange_it);
132}
133
134int
135i2d_ASIdOrRange(ASIdOrRange *a, unsigned char **out)
136{
137 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdOrRange_it);
138}
139
140ASIdOrRange *
141ASIdOrRange_new(void)
142{
143 return (ASIdOrRange *)ASN1_item_new(&ASIdOrRange_it);
144}
145
146void
147ASIdOrRange_free(ASIdOrRange *a)
148{
149 ASN1_item_free((ASN1_VALUE *)a, &ASIdOrRange_it);
150}
151
152ASIdentifierChoice *
153d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in, long len)
154{
155 return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
156 &ASIdentifierChoice_it);
157}
158
159int
160i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out)
161{
162 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifierChoice_it);
163}
164
165ASIdentifierChoice *
166ASIdentifierChoice_new(void)
167{
168 return (ASIdentifierChoice *)ASN1_item_new(&ASIdentifierChoice_it);
169}
170
171void
172ASIdentifierChoice_free(ASIdentifierChoice *a)
173{
174 ASN1_item_free((ASN1_VALUE *)a, &ASIdentifierChoice_it);
175}
176
177ASIdentifiers *
178d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in, long len)
179{
180 return (ASIdentifiers *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
181 &ASIdentifiers_it);
182}
183
184int
185i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out)
186{
187 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifiers_it);
188}
189
190ASIdentifiers *
191ASIdentifiers_new(void)
192{
193 return (ASIdentifiers *)ASN1_item_new(&ASIdentifiers_it);
194}
195
196void
197ASIdentifiers_free(ASIdentifiers *a)
198{
199 ASN1_item_free((ASN1_VALUE *)a, &ASIdentifiers_it);
200}
201
202/*
203 * i2r method for an ASIdentifierChoice.
204 */
205static int
206i2r_ASIdentifierChoice(BIO *out, ASIdentifierChoice *choice, int indent,
207 const char *msg)
208{
209 int i;
210 char *s;
211
212 if (choice == NULL)
213 return 1;
214 BIO_printf(out, "%*s%s:\n", indent, "", msg);
215 switch (choice->type) {
216 case ASIdentifierChoice_inherit:
217 BIO_printf(out, "%*sinherit\n", indent + 2, "");
218 break;
219 case ASIdentifierChoice_asIdsOrRanges:
220 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges);
221 i++) {
222 ASIdOrRange *aor =
223 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
224 switch (aor->type) {
225 case ASIdOrRange_id:
226 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) ==
227 NULL)
228 return 0;
229 BIO_printf(out, "%*s%s\n", indent + 2, "", s);
230 free(s);
231 break;
232 case ASIdOrRange_range:
233 if ((s = i2s_ASN1_INTEGER(NULL,
234 aor->u.range->min)) == NULL)
235 return 0;
236 BIO_printf(out, "%*s%s-", indent + 2, "", s);
237 free(s);
238 if ((s = i2s_ASN1_INTEGER(NULL,
239 aor->u.range->max)) == NULL)
240 return 0;
241 BIO_printf(out, "%s\n", s);
242 free(s);
243 break;
244 default:
245 return 0;
246 }
247 }
248 break;
249
250 default:
251 return 0;
252 }
253 return 1;
254}
255
256/*
257 * i2r method for an ASIdentifier extension.
258 */
259static int
260i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
261 int indent)
262{
263 ASIdentifiers *asid = ext;
264
265 return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
266 "Autonomous System Numbers") &&
267 i2r_ASIdentifierChoice(out, asid->rdi, indent,
268 "Routing Domain Identifiers"));
269}
270
271/*
272 * Sort comparision function for a sequence of ASIdOrRange elements.
273 */
274static int
275ASIdOrRange_cmp(const ASIdOrRange * const *a_, const ASIdOrRange * const *b_)
276{
277 const ASIdOrRange *a = *a_, *b = *b_;
278
279 OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
280 (a->type == ASIdOrRange_range && a->u.range != NULL &&
281 a->u.range->min != NULL && a->u.range->max != NULL));
282
283 OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
284 (b->type == ASIdOrRange_range && b->u.range != NULL &&
285 b->u.range->min != NULL && b->u.range->max != NULL));
286
287 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
288 return ASN1_INTEGER_cmp(a->u.id, b->u.id);
289
290 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
291 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
292 return r != 0 ? r :
293 ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max);
294 }
295
296 if (a->type == ASIdOrRange_id)
297 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
298 else
299 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
300}
301
302/*
303 * Add an inherit element.
304 */
305int
306v3_asid_add_inherit(ASIdentifiers *asid, int which)
307{
308 ASIdentifierChoice **choice;
309
310 if (asid == NULL)
311 return 0;
312 switch (which) {
313 case V3_ASID_ASNUM:
314 choice = &asid->asnum;
315 break;
316 case V3_ASID_RDI:
317 choice = &asid->rdi;
318 break;
319 default:
320 return 0;
321 }
322 if (*choice == NULL) {
323 if ((*choice = ASIdentifierChoice_new()) == NULL)
324 return 0;
325 OPENSSL_assert((*choice)->u.inherit == NULL);
326 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
327 return 0;
328 (*choice)->type = ASIdentifierChoice_inherit;
329 }
330 return (*choice)->type == ASIdentifierChoice_inherit;
331}
332
333/*
334 * Add an ID or range to an ASIdentifierChoice.
335 */
336int
337v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
338 ASN1_INTEGER *max)
339{
340 ASIdentifierChoice **choice;
341 ASIdOrRange *aor;
342
343 if (asid == NULL)
344 return 0;
345 switch (which) {
346 case V3_ASID_ASNUM:
347 choice = &asid->asnum;
348 break;
349 case V3_ASID_RDI:
350 choice = &asid->rdi;
351 break;
352 default:
353 return 0;
354 }
355 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit)
356 return 0;
357 if (*choice == NULL) {
358 if ((*choice = ASIdentifierChoice_new()) == NULL)
359 return 0;
360 OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
361 (*choice)->u.asIdsOrRanges =
362 sk_ASIdOrRange_new(ASIdOrRange_cmp);
363 if ((*choice)->u.asIdsOrRanges == NULL)
364 return 0;
365 (*choice)->type = ASIdentifierChoice_asIdsOrRanges;
366 }
367 if ((aor = ASIdOrRange_new()) == NULL)
368 return 0;
369 if (max == NULL) {
370 aor->type = ASIdOrRange_id;
371 aor->u.id = min;
372 } else {
373 aor->type = ASIdOrRange_range;
374 if ((aor->u.range = ASRange_new()) == NULL)
375 goto err;
376 ASN1_INTEGER_free(aor->u.range->min);
377 aor->u.range->min = min;
378 ASN1_INTEGER_free(aor->u.range->max);
379 aor->u.range->max = max;
380 }
381 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
382 goto err;
383 return 1;
384
385err:
386 ASIdOrRange_free(aor);
387 return 0;
388}
389
390/*
391 * Extract min and max values from an ASIdOrRange.
392 */
393static void
394extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max)
395{
396 OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
397
398 switch (aor->type) {
399 case ASIdOrRange_id:
400 *min = aor->u.id;
401 *max = aor->u.id;
402 return;
403 case ASIdOrRange_range:
404 *min = aor->u.range->min;
405 *max = aor->u.range->max;
406 return;
407 }
408}
409
410/*
411 * Check whether an ASIdentifierChoice is in canonical form.
412 */
413static int
414ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
415{
416 ASN1_INTEGER *a_max_plus_one = NULL;
417 BIGNUM *bn = NULL;
418 int i, ret = 0;
419
420 /*
421 * Empty element or inheritance is canonical.
422 */
423 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
424 return 1;
425
426 /*
427 * If not a list, or if empty list, it's broken.
428 */
429 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
430 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
431 return 0;
432
433 /*
434 * It's a list, check it.
435 */
436 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
437 ASIdOrRange *a =
438 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
439 ASIdOrRange *b =
440 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
441 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
442
443 extract_min_max(a, &a_min, &a_max);
444 extract_min_max(b, &b_min, &b_max);
445
446 /*
447 * Punt misordered list, overlapping start, or inverted range.
448 */
449 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 ||
450 ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
451 ASN1_INTEGER_cmp(b_min, b_max) > 0)
452 goto done;
453
454 /*
455 * Calculate a_max + 1 to check for adjacency.
456 */
457 if ((bn == NULL && (bn = BN_new()) == NULL) ||
458 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
459 !BN_add_word(bn, 1) || (a_max_plus_one =
460 BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
461 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
462 ERR_R_MALLOC_FAILURE);
463 goto done;
464 }
465
466 /*
467 * Punt if adjacent or overlapping.
468 */
469 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
470 goto done;
471 }
472
473 /*
474 * Check for inverted range.
475 */
476 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
477 {
478 ASIdOrRange *a =
479 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
480 ASN1_INTEGER *a_min, *a_max;
481
482 if (a != NULL && a->type == ASIdOrRange_range) {
483 extract_min_max(a, &a_min, &a_max);
484 if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
485 goto done;
486 }
487 }
488
489 ret = 1;
490
491done:
492 ASN1_INTEGER_free(a_max_plus_one);
493 BN_free(bn);
494 return ret;
495}
496
497/*
498 * Check whether an ASIdentifier extension is in canonical form.
499 */
500int
501v3_asid_is_canonical(ASIdentifiers *asid)
502{
503 return (asid == NULL ||
504 (ASIdentifierChoice_is_canonical(asid->asnum) &&
505 ASIdentifierChoice_is_canonical(asid->rdi)));
506}
507
508/*
509 * Whack an ASIdentifierChoice into canonical form.
510 */
511static int
512ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
513{
514 ASN1_INTEGER *a_max_plus_one = NULL;
515 BIGNUM *bn = NULL;
516 int i, ret = 0;
517
518 /*
519 * Nothing to do for empty element or inheritance.
520 */
521 if (choice == NULL || choice->type == ASIdentifierChoice_inherit)
522 return 1;
523
524 /*
525 * If not a list, or if empty list, it's broken.
526 */
527 if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
528 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
529 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
530 X509V3_R_EXTENSION_VALUE_ERROR);
531 return 0;
532 }
533
534 /*
535 * We have a non-empty list. Sort it.
536 */
537 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
538
539 /*
540 * Now check for errors and suboptimal encoding, rejecting the
541 * former and fixing the latter.
542 */
543 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
544 ASIdOrRange *a =
545 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
546 ASIdOrRange *b =
547 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
548 ASN1_INTEGER *a_min, *a_max, *b_min, *b_max;
549
550 extract_min_max(a, &a_min, &a_max);
551 extract_min_max(b, &b_min, &b_max);
552
553 /*
554 * Make sure we're properly sorted (paranoia).
555 */
556 OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
557
558 /*
559 * Punt inverted ranges.
560 */
561 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
562 ASN1_INTEGER_cmp(b_min, b_max) > 0)
563 goto done;
564
565 /*
566 * Check for overlaps.
567 */
568 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
569 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
570 X509V3_R_EXTENSION_VALUE_ERROR);
571 goto done;
572 }
573
574 /*
575 * Calculate a_max + 1 to check for adjacency.
576 */
577 if ((bn == NULL && (bn = BN_new()) == NULL) ||
578 ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
579 !BN_add_word(bn, 1) || (a_max_plus_one =
580 BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
581 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
582 ERR_R_MALLOC_FAILURE);
583 goto done;
584 }
585
586 /*
587 * If a and b are adjacent, merge them.
588 */
589 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
590 ASRange *r;
591 switch (a->type) {
592 case ASIdOrRange_id:
593 if ((r = malloc(sizeof(ASRange))) == NULL) {
594 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
595 ERR_R_MALLOC_FAILURE);
596 goto done;
597 }
598 r->min = a_min;
599 r->max = b_max;
600 a->type = ASIdOrRange_range;
601 a->u.range = r;
602 break;
603 case ASIdOrRange_range:
604 ASN1_INTEGER_free(a->u.range->max);
605 a->u.range->max = b_max;
606 break;
607 }
608 switch (b->type) {
609 case ASIdOrRange_id:
610 b->u.id = NULL;
611 break;
612 case ASIdOrRange_range:
613 b->u.range->max = NULL;
614 break;
615 }
616 ASIdOrRange_free(b);
617 (void) sk_ASIdOrRange_delete(
618 choice->u.asIdsOrRanges, i + 1);
619 i--;
620 continue;
621 }
622 }
623
624 /*
625 * Check for final inverted range.
626 */
627 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
628 {
629 ASIdOrRange *a =
630 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
631 ASN1_INTEGER *a_min, *a_max;
632 if (a != NULL && a->type == ASIdOrRange_range) {
633 extract_min_max(a, &a_min, &a_max);
634 if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
635 goto done;
636 }
637 }
638
639 OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
640
641 ret = 1;
642
643done:
644 ASN1_INTEGER_free(a_max_plus_one);
645 BN_free(bn);
646 return ret;
647}
648
649/*
650 * Whack an ASIdentifier extension into canonical form.
651 */
652int
653v3_asid_canonize(ASIdentifiers *asid)
654{
655 return (asid == NULL ||
656 (ASIdentifierChoice_canonize(asid->asnum) &&
657 ASIdentifierChoice_canonize(asid->rdi)));
658}
659
660/*
661 * v2i method for an ASIdentifier extension.
662 */
663static void *
664v2i_ASIdentifiers(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
665 STACK_OF(CONF_VALUE) *values)
666{
667 ASN1_INTEGER *min = NULL, *max = NULL;
668 ASIdentifiers *asid = NULL;
669 int i;
670
671 if ((asid = ASIdentifiers_new()) == NULL) {
672 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
673 return NULL;
674 }
675
676 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
677 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
678 int i1, i2, i3, is_range, which;
679
680 /*
681 * Figure out whether this is an AS or an RDI.
682 */
683 if (!name_cmp(val->name, "AS")) {
684 which = V3_ASID_ASNUM;
685 } else if (!name_cmp(val->name, "RDI")) {
686 which = V3_ASID_RDI;
687 } else {
688 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
689 X509V3_R_EXTENSION_NAME_ERROR);
690 X509V3_conf_err(val);
691 goto err;
692 }
693
694 /*
695 * Handle inheritance.
696 */
697 if (!strcmp(val->value, "inherit")) {
698 if (v3_asid_add_inherit(asid, which))
699 continue;
700 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
701 X509V3_R_INVALID_INHERITANCE);
702 X509V3_conf_err(val);
703 goto err;
704 }
705
706 /*
707 * Number, range, or mistake, pick it apart and figure out which.
708 */
709 i1 = strspn(val->value, "0123456789");
710 if (val->value[i1] == '\0') {
711 is_range = 0;
712 } else {
713 is_range = 1;
714 i2 = i1 + strspn(val->value + i1, " \t");
715 if (val->value[i2] != '-') {
716 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
717 X509V3_R_INVALID_ASNUMBER);
718 X509V3_conf_err(val);
719 goto err;
720 }
721 i2++;
722 i2 = i2 + strspn(val->value + i2, " \t");
723 i3 = i2 + strspn(val->value + i2, "0123456789");
724 if (val->value[i3] != '\0') {
725 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
726 X509V3_R_INVALID_ASRANGE);
727 X509V3_conf_err(val);
728 goto err;
729 }
730 }
731
732 /*
733 * Syntax is ok, read and add it.
734 */
735 if (!is_range) {
736 if (!X509V3_get_value_int(val, &min)) {
737 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
738 ERR_R_MALLOC_FAILURE);
739 goto err;
740 }
741 } else {
742 char *s = strdup(val->value);
743 if (s == NULL) {
744 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
745 ERR_R_MALLOC_FAILURE);
746 goto err;
747 }
748 s[i1] = '\0';
749 min = s2i_ASN1_INTEGER(NULL, s);
750 max = s2i_ASN1_INTEGER(NULL, s + i2);
751 free(s);
752 if (min == NULL || max == NULL) {
753 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
754 ERR_R_MALLOC_FAILURE);
755 goto err;
756 }
757 if (ASN1_INTEGER_cmp(min, max) > 0) {
758 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
759 X509V3_R_EXTENSION_VALUE_ERROR);
760 goto err;
761 }
762 }
763 if (!v3_asid_add_id_or_range(asid, which, min, max)) {
764 X509V3err(X509V3_F_V2I_ASIDENTIFIERS,
765 ERR_R_MALLOC_FAILURE);
766 goto err;
767 }
768 min = max = NULL;
769 }
770
771 /*
772 * Canonize the result, then we're done.
773 */
774 if (!v3_asid_canonize(asid))
775 goto err;
776 return asid;
777
778err:
779 ASIdentifiers_free(asid);
780 ASN1_INTEGER_free(min);
781 ASN1_INTEGER_free(max);
782 return NULL;
783}
784
785/*
786 * OpenSSL dispatch.
787 */
788const X509V3_EXT_METHOD v3_asid = {
789 NID_sbgp_autonomousSysNum, /* nid */
790 0, /* flags */
791 ASN1_ITEM_ref(ASIdentifiers), /* template */
792 0, 0, 0, 0, /* old functions, ignored */
793 0, /* i2s */
794 0, /* s2i */
795 0, /* i2v */
796 v2i_ASIdentifiers, /* v2i */
797 i2r_ASIdentifiers, /* i2r */
798 0, /* r2i */
799 NULL /* extension-specific data */
800};
801
802/*
803 * Figure out whether extension uses inheritance.
804 */
805int
806v3_asid_inherits(ASIdentifiers *asid)
807{
808 return (asid != NULL &&
809 ((asid->asnum != NULL &&
810 asid->asnum->type == ASIdentifierChoice_inherit) ||
811 (asid->rdi != NULL &&
812 asid->rdi->type == ASIdentifierChoice_inherit)));
813}
814
815/*
816 * Figure out whether parent contains child.
817 */
818static int
819asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
820{
821 ASN1_INTEGER *p_min, *p_max, *c_min, *c_max;
822 int p, c;
823
824 if (child == NULL || parent == child)
825 return 1;
826 if (parent == NULL)
827 return 0;
828
829 p = 0;
830 for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
831 extract_min_max(sk_ASIdOrRange_value(child, c),
832 &c_min, &c_max);
833 for (; ; p++) {
834 if (p >= sk_ASIdOrRange_num(parent))
835 return 0;
836 extract_min_max(sk_ASIdOrRange_value(parent, p),
837 &p_min, &p_max);
838 if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
839 continue;
840 if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
841 return 0;
842 break;
843 }
844 }
845
846 return 1;
847}
848
849/*
850 * Test whether a is a subet of b.
851 */
852int
853v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
854{
855 return (a == NULL || a == b ||
856 (b != NULL && !v3_asid_inherits(a) && !v3_asid_inherits(b) &&
857 asid_contains(b->asnum->u.asIdsOrRanges,
858 a->asnum->u.asIdsOrRanges) &&
859 asid_contains(b->rdi->u.asIdsOrRanges,
860 a->rdi->u.asIdsOrRanges)));
861}
862
863/*
864 * Validation error handling via callback.
865 */
866#define validation_err(_err_) \
867 do { \
868 if (ctx != NULL) { \
869 ctx->error = _err_; \
870 ctx->error_depth = i; \
871 ctx->current_cert = x; \
872 ret = ctx->verify_cb(0, ctx); \
873 } else { \
874 ret = 0; \
875 } \
876 if (!ret) \
877 goto done; \
878 } while (0)
879
880/*
881 * Core code for RFC 3779 3.3 path validation.
882 */
883static int
884v3_asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
885 ASIdentifiers *ext)
886{
887 ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
888 int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
889 X509 *x;
890
891 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
892 OPENSSL_assert(ctx != NULL || ext != NULL);
893 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
894
895 /*
896 * Figure out where to start. If we don't have an extension to
897 * check, we're done. Otherwise, check canonical form and
898 * set up for walking up the chain.
899 */
900 if (ext != NULL) {
901 i = -1;
902 x = NULL;
903 } else {
904 i = 0;
905 x = sk_X509_value(chain, i);
906 OPENSSL_assert(x != NULL);
907 if ((ext = x->rfc3779_asid) == NULL)
908 goto done;
909 }
910 if (!v3_asid_is_canonical(ext))
911 validation_err(X509_V_ERR_INVALID_EXTENSION);
912 if (ext->asnum != NULL) {
913 switch (ext->asnum->type) {
914 case ASIdentifierChoice_inherit:
915 inherit_as = 1;
916 break;
917 case ASIdentifierChoice_asIdsOrRanges:
918 child_as = ext->asnum->u.asIdsOrRanges;
919 break;
920 }
921 }
922 if (ext->rdi != NULL) {
923 switch (ext->rdi->type) {
924 case ASIdentifierChoice_inherit:
925 inherit_rdi = 1;
926 break;
927 case ASIdentifierChoice_asIdsOrRanges:
928 child_rdi = ext->rdi->u.asIdsOrRanges;
929 break;
930 }
931 }
932
933 /*
934 * Now walk up the chain. Extensions must be in canonical form, no
935 * cert may list resources that its parent doesn't list.
936 */
937 for (i++; i < sk_X509_num(chain); i++) {
938 x = sk_X509_value(chain, i);
939 OPENSSL_assert(x != NULL);
940 if (x->rfc3779_asid == NULL) {
941 if (child_as != NULL || child_rdi != NULL)
942 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
943 continue;
944 }
945 if (!v3_asid_is_canonical(x->rfc3779_asid))
946 validation_err(X509_V_ERR_INVALID_EXTENSION);
947 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
948 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
949 child_as = NULL;
950 inherit_as = 0;
951 }
952 if (x->rfc3779_asid->asnum != NULL &&
953 x->rfc3779_asid->asnum->type ==
954 ASIdentifierChoice_asIdsOrRanges) {
955 if (inherit_as || asid_contains(
956 x->rfc3779_asid->asnum->u.asIdsOrRanges,
957 child_as)) {
958 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
959 inherit_as = 0;
960 } else {
961 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
962 }
963 }
964 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
965 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
966 child_rdi = NULL;
967 inherit_rdi = 0;
968 }
969 if (x->rfc3779_asid->rdi != NULL &&
970 x->rfc3779_asid->rdi->type ==
971 ASIdentifierChoice_asIdsOrRanges) {
972 if (inherit_rdi || asid_contains(
973 x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) {
974 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
975 inherit_rdi = 0;
976 } else {
977 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
978 }
979 }
980 }
981
982 /*
983 * Trust anchor can't inherit.
984 */
985 OPENSSL_assert(x != NULL);
986 if (x->rfc3779_asid != NULL) {
987 if (x->rfc3779_asid->asnum != NULL &&
988 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
989 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
990 if (x->rfc3779_asid->rdi != NULL &&
991 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
992 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
993 }
994
995done:
996 return ret;
997}
998
999#undef validation_err
1000
1001/*
1002 * RFC 3779 3.3 path validation -- called from X509_verify_cert().
1003 */
1004int
1005v3_asid_validate_path(X509_STORE_CTX *ctx)
1006{
1007 return v3_asid_validate_path_internal(ctx, ctx->chain, NULL);
1008}
1009
1010/*
1011 * RFC 3779 3.3 path validation of an extension.
1012 * Test whether chain covers extension.
1013 */
1014int
1015v3_asid_validate_resource_set(STACK_OF(X509) *chain, ASIdentifiers *ext,
1016 int allow_inheritance)
1017{
1018 if (ext == NULL)
1019 return 1;
1020 if (chain == NULL || sk_X509_num(chain) == 0)
1021 return 0;
1022 if (!allow_inheritance && v3_asid_inherits(ext))
1023 return 0;
1024 return v3_asid_validate_path_internal(NULL, chain, ext);
1025}
1026
1027#endif /* OPENSSL_NO_RFC3779 */
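--- a/src/lib/libssl/src/crypto/x509v3/v3_purp.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: v3_purp.c,v 1.25 2015/02/10 11:22:22 jsing Exp $ */
+/* $OpenBSD: v3_purp.c,v 1.26 2015/02/10 13:28:17 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   * project 2001.
   */
@@ -346,10 +346,6 @@ X509_supported_extension(X509_EXTENSION *ex)
  NID_basic_constraints, /* 87 */
  NID_certificate_policies, /* 89 */
  NID_ext_key_usage, /* 126 */
-#ifndef OPENSSL_NO_RFC3779
- NID_sbgp_ipAddrBlock, /* 290 */
- NID_sbgp_autonomousSysNum, /* 291 */
-#endif
  NID_policy_constraints, /* 401 */
  NID_proxyCertInfo, /* 663 */
  NID_name_constraints, /* 666 */
@@ -531,11 +527,6 @@ x509v3_cache_extensions(X509 *x)
  x->ex_flags |= EXFLAG_INVALID;
  setup_crldp(x);
 
-#ifndef OPENSSL_NO_RFC3779
- x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL);
- x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum,
- NULL, NULL);
-#endif
  for (i = 0; i < X509_get_ext_count(x); i++) {
  ex = X509_get_ext(x, i);
  if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==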
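--- a/src/lib/libssl/src/crypto/x509v3/x509v3.h
+++ b/src/lib/libssl/src/crypto/x509v3/x509v3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509v3.h,v 1.15 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: x509v3.h,v 1.16 2015/02/10 13:28:17 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   * project 1999.
   */
@@ -710,154 +710,6 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
 DECLARE_STACK_OF(X509_POLICY_NODE)
 
-#ifndef OPENSSL_NO_RFC3779
-
-typedef struct ASRange_st {
- ASN1_INTEGER *min, *max;
-} ASRange;
-
-#define ASIdOrRange_id 0
-#define ASIdOrRange_range 1
-
-typedef struct ASIdOrRange_st {
- int type;
- union {
- ASN1_INTEGER *id;
- ASRange *range;
- } u;
-} ASIdOrRange;
-
-typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
-DECLARE_STACK_OF(ASIdOrRange)
-
-#define ASIdentifierChoice_inherit 0
-#define ASIdentifierChoice_asIdsOrRanges 1
-
-typedef struct ASIdentifierChoice_st {
- int type;
- union {
- ASN1_NULL *inherit;
- ASIdOrRanges *asIdsOrRanges;
- } u;
-} ASIdentifierChoice;
-
-typedef struct ASIdentifiers_st {
- ASIdentifierChoice *asnum, *rdi;
-} ASIdentifiers;
-
-DECLARE_ASN1_FUNCTIONS(ASRange)
-DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
-DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
-DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
-
-
-typedef struct IPAddressRange_st {
- ASN1_BIT_STRING *min, *max;
-} IPAddressRange;
-
-#define IPAddressOrRange_addressPrefix 0
-#define IPAddressOrRange_addressRange 1
-
-typedef struct IPAddressOrRange_st {
- int type;
- union {
- ASN1_BIT_STRING *addressPrefix;
- IPAddressRange *addressRange;
- } u;
-} IPAddressOrRange;
-
-typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
-DECLARE_STACK_OF(IPAddressOrRange)
-
-#define IPAddressChoice_inherit 0
-#define IPAddressChoice_addressesOrRanges 1
-
-typedef struct IPAddressChoice_st {
- int type;
- union {
- ASN1_NULL *inherit;
- IPAddressOrRanges *addressesOrRanges;
- } u;
-} IPAddressChoice;
-
-typedef struct IPAddressFamily_st {
- ASN1_OCTET_STRING *addressFamily;
- IPAddressChoice *ipAddressChoice;
-} IPAddressFamily;
-
-typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
-DECLARE_STACK_OF(IPAddressFamily)
-
-DECLARE_ASN1_FUNCTIONS(IPAddressRange)
-DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
-DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
-DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
-
-/*
- * API tag for elements of the ASIdentifer SEQUENCE.
- */
-#define V3_ASID_ASNUM 0
-#define V3_ASID_RDI 1
-
-/*
- * AFI values, assigned by IANA. It'd be nice to make the AFI
- * handling code totally generic, but there are too many little things
- * that would need to be defined for other address families for it to
- * be worth the trouble.
- */
-#define IANA_AFI_IPV4 1
-#define IANA_AFI_IPV6 2
-
-/*
- * Utilities to construct and extract values from RFC3779 extensions,
- * since some of the encodings (particularly for IP address prefixes
- * and ranges) are a bit tedious to work with directly.
- */
-int v3_asid_add_inherit(ASIdentifiers *asid, int which);
-int v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
- ASN1_INTEGER *min, ASN1_INTEGER *max);
-int v3_addr_add_inherit(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi);
-int v3_addr_add_prefix(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi,
- unsigned char *a, const int prefixlen);
-int v3_addr_add_range(IPAddrBlocks *addr,
- const unsigned afi, const unsigned *safi,
- unsigned char *min, unsigned char *max);
-unsigned v3_addr_get_afi(const IPAddressFamily *f);
-int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
- unsigned char *min, unsigned char *max,
- const int length);
-
-/*
- * Canonical forms.
- */
-int v3_asid_is_canonical(ASIdentifiers *asid);
-int v3_addr_is_canonical(IPAddrBlocks *addr);
-int v3_asid_canonize(ASIdentifiers *asid);
-int v3_addr_canonize(IPAddrBlocks *addr);
-
-/*
- * Tests for inheritance and containment.
- */
-int v3_asid_inherits(ASIdentifiers *asid);
-int v3_addr_inherits(IPAddrBlocks *addr);
-int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
-int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
-
-/*
- * Check whether RFC 3779 extensions nest properly in chains.
- */
-int v3_asid_validate_path(X509_STORE_CTX *);
-int v3_addr_validate_path(X509_STORE_CTX *);
-int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
- ASIdentifiers *ext,
- int allow_inheritance);
-int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
- IPAddrBlocks *ext,
- int allow_inheritance);
-
-#endif /* OPENSSL_NO_RFC3779 */
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes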