]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/x509v3/v3_addr.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Digest cached records if not sending a certificate.
[thirdparty/openssl.git] / crypto / x509v3 / v3_addr.c
CommitLineData
96ea4ae9
BL		 1/*
2 * Contributed to the OpenSSL Project by the American Registry for
3 * Internet Numbers ("ARIN").
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
0f113f3e 13 * notice, this list of conditions and the following disclaimer.
96ea4ae9
BL		 14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 */
57
58/*
59 * Implementation of RFC 3779 section 2.2.
60 */
61
62#include <stdio.h>
63#include <stdlib.h>
a0b76569 64
96ea4ae9
BL		 65#include "cryptlib.h"
66#include <openssl/conf.h>
67#include <openssl/asn1.h>
68#include <openssl/asn1t.h>
ea46f5e0 69#include <openssl/buffer.h>
96ea4ae9
BL		 70#include <openssl/x509v3.h>
71
96ea4ae9
BL		 72
73/*
74 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
75 */
76
77ASN1_SEQUENCE(IPAddressRange) = {
78 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
79 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
80} ASN1_SEQUENCE_END(IPAddressRange)
81
82ASN1_CHOICE(IPAddressOrRange) = {
83 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
84 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
85} ASN1_CHOICE_END(IPAddressOrRange)
86
87ASN1_CHOICE(IPAddressChoice) = {
88 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
89 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
90} ASN1_CHOICE_END(IPAddressChoice)
91
92ASN1_SEQUENCE(IPAddressFamily) = {
93 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
94 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
95} ASN1_SEQUENCE_END(IPAddressFamily)
96
0f113f3e 97ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
96ea4ae9 98 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
0f113f3e 99 IPAddrBlocks, IPAddressFamily)
96ea4ae9
BL		 100ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
101
102IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
103IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
104IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
105IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
106
107/*
108 * How much buffer space do we need for a raw address?
109 */
c73ad690 110#define ADDR_RAW_BUF_LEN 16
96ea4ae9
BL		 111
112/*
113 * What's the address length associated with this AFI?
114 */
115static int length_from_afi(const unsigned afi)
116{
0f113f3e
MC		 117 switch (afi) {
118 case IANA_AFI_IPV4:
119 return 4;
120 case IANA_AFI_IPV6:
121 return 16;
122 default:
123 return 0;
124 }
96ea4ae9
BL		 125}
126
127/*
128 * Extract the AFI from an IPAddressFamily.
129 */
a0b76569 130unsigned int v3_addr_get_afi(const IPAddressFamily *f)
96ea4ae9 131{
0f113f3e
MC		 132 return ((f != NULL &&
133 f->addressFamily != NULL && f->addressFamily->data != NULL)
134 ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1]))
135 : 0);
96ea4ae9
BL		 136}
137
138/*
139 * Expand the bitstring form of an address into a raw byte array.
140 * At the moment this is coded for simplicity, not speed.
141 */
be71c372 142static int addr_expand(unsigned char *addr,
0f113f3e
MC		 143 const ASN1_BIT_STRING *bs,
144 const int length, const unsigned char fill)
96ea4ae9 145{
0f113f3e
MC		 146 if (bs->length < 0 || bs->length > length)
147 return 0;
148 if (bs->length > 0) {
149 memcpy(addr, bs->data, bs->length);
150 if ((bs->flags & 7) != 0) {
151 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
152 if (fill == 0)
153 addr[bs->length - 1] &= ~mask;
154 else
155 addr[bs->length - 1] |= mask;
156 }
96ea4ae9 157 }
0f113f3e
MC		 158 memset(addr + bs->length, fill, length - bs->length);
159 return 1;
96ea4ae9
BL		 160}
161
162/*
163 * Extract the prefix length from a bitstring.
164 */
c73ad690 165#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
96ea4ae9
BL		 166
167/*
168 * i2r handler for one address bitstring.
169 */
170static int i2r_address(BIO *out,
0f113f3e
MC		 171 const unsigned afi,
172 const unsigned char fill, const ASN1_BIT_STRING *bs)
96ea4ae9 173{
0f113f3e
MC		 174 unsigned char addr[ADDR_RAW_BUF_LEN];
175 int i, n;
96ea4ae9 176
0f113f3e
MC		 177 if (bs->length < 0)
178 return 0;
179 switch (afi) {
180 case IANA_AFI_IPV4:
181 if (!addr_expand(addr, bs, 4, fill))
182 return 0;
183 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
184 break;
185 case IANA_AFI_IPV6:
186 if (!addr_expand(addr, bs, 16, fill))
187 return 0;
188 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00;
189 n -= 2) ;
190 for (i = 0; i < n; i += 2)
191 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
192 (i < 14 ? ":" : ""));
193 if (i < 16)
194 BIO_puts(out, ":");
195 if (i == 0)
196 BIO_puts(out, ":");
197 break;
198 default:
199 for (i = 0; i < bs->length; i++)
200 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
201 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
202 break;
203 }
204 return 1;
96ea4ae9
BL		 205}
206
207/*
208 * i2r handler for a sequence of addresses and ranges.
209 */
210static int i2r_IPAddressOrRanges(BIO *out,
0f113f3e
MC		 211 const int indent,
212 const IPAddressOrRanges *aors,
213 const unsigned afi)
96ea4ae9 214{
0f113f3e
MC		 215 int i;
216 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
217 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
218 BIO_printf(out, "%*s", indent, "");
219 switch (aor->type) {
220 case IPAddressOrRange_addressPrefix:
221 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
222 return 0;
223 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
224 continue;
225 case IPAddressOrRange_addressRange:
226 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
227 return 0;
228 BIO_puts(out, "-");
229 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
230 return 0;
231 BIO_puts(out, "\n");
232 continue;
233 }
96ea4ae9 234 }
0f113f3e 235 return 1;
96ea4ae9
BL		 236}
237
238/*
239 * i2r handler for an IPAddrBlocks extension.
240 */
2e6a7b3e 241static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
0f113f3e 242 void *ext, BIO *out, int indent)
96ea4ae9 243{
0f113f3e
MC		 244 const IPAddrBlocks *addr = ext;
245 int i;
246 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
247 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
248 const unsigned int afi = v3_addr_get_afi(f);
249 switch (afi) {
250 case IANA_AFI_IPV4:
251 BIO_printf(out, "%*sIPv4", indent, "");
252 break;
253 case IANA_AFI_IPV6:
254 BIO_printf(out, "%*sIPv6", indent, "");
255 break;
256 default:
257 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
258 break;
259 }
260 if (f->addressFamily->length > 2) {
261 switch (f->addressFamily->data[2]) {
262 case 1:
263 BIO_puts(out, " (Unicast)");
264 break;
265 case 2:
266 BIO_puts(out, " (Multicast)");
267 break;
268 case 3:
269 BIO_puts(out, " (Unicast/Multicast)");
270 break;
271 case 4:
272 BIO_puts(out, " (MPLS)");
273 break;
274 case 64:
275 BIO_puts(out, " (Tunnel)");
276 break;
277 case 65:
278 BIO_puts(out, " (VPLS)");
279 break;
280 case 66:
281 BIO_puts(out, " (BGP MDT)");
282 break;
283 case 128:
284 BIO_puts(out, " (MPLS-labeled VPN)");
285 break;
286 default:
287 BIO_printf(out, " (Unknown SAFI %u)",
288 (unsigned)f->addressFamily->data[2]);
289 break;
290 }
291 }
292 switch (f->ipAddressChoice->type) {
293 case IPAddressChoice_inherit:
294 BIO_puts(out, ": inherit\n");
295 break;
296 case IPAddressChoice_addressesOrRanges:
297 BIO_puts(out, ":\n");
298 if (!i2r_IPAddressOrRanges(out,
299 indent + 2,
300 f->ipAddressChoice->
301 u.addressesOrRanges, afi))
302 return 0;
303 break;
304 }
96ea4ae9 305 }
0f113f3e 306 return 1;
96ea4ae9
BL		 307}
308
309/*
310 * Sort comparison function for a sequence of IPAddressOrRange
311 * elements.
be71c372
DSH		 312 *
313 * There's no sane answer we can give if addr_expand() fails, and an
314 * assertion failure on externally supplied data is seriously uncool,
315 * so we just arbitrarily declare that if given invalid inputs this
316 * function returns -1. If this messes up your preferred sort order
317 * for garbage input, tough noogies.
96ea4ae9
BL		 318 */
319static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
0f113f3e 320 const IPAddressOrRange *b, const int length)
96ea4ae9 321{
0f113f3e
MC		 322 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
323 int prefixlen_a = 0, prefixlen_b = 0;
324 int r;
325
326 switch (a->type) {
327 case IPAddressOrRange_addressPrefix:
328 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
329 return -1;
330 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
331 break;
332 case IPAddressOrRange_addressRange:
333 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
334 return -1;
335 prefixlen_a = length * 8;
336 break;
337 }
338
339 switch (b->type) {
340 case IPAddressOrRange_addressPrefix:
341 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
342 return -1;
343 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
344 break;
345 case IPAddressOrRange_addressRange:
346 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
347 return -1;
348 prefixlen_b = length * 8;
349 break;
350 }
351
352 if ((r = memcmp(addr_a, addr_b, length)) != 0)
353 return r;
354 else
355 return prefixlen_a - prefixlen_b;
96ea4ae9
BL		 356}
357
358/*
359 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
360 * comparision routines are only allowed two arguments.
361 */
0f113f3e
MC		 362static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
363 const IPAddressOrRange *const *b)
96ea4ae9 364{
0f113f3e 365 return IPAddressOrRange_cmp(*a, *b, 4);
96ea4ae9
BL		 366}
367
368/*
369 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
370 * comparision routines are only allowed two arguments.
371 */
0f113f3e
MC		 372static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
373 const IPAddressOrRange *const *b)
96ea4ae9 374{
0f113f3e 375 return IPAddressOrRange_cmp(*a, *b, 16);
96ea4ae9
BL		 376}
377
378/*
379 * Calculate whether a range collapses to a prefix.
380 * See last paragraph of RFC 3779 2.2.3.7.
381 */
382static int range_should_be_prefix(const unsigned char *min,
0f113f3e 383 const unsigned char *max, const int length)
96ea4ae9 384{
0f113f3e
MC		 385 unsigned char mask;
386 int i, j;
387
388 OPENSSL_assert(memcmp(min, max, length) <= 0);
389 for (i = 0; i < length && min[i] == max[i]; i++) ;
390 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
391 if (i < j)
392 return -1;
393 if (i > j)
394 return i * 8;
395 mask = min[i] ^ max[i];
396 switch (mask) {
397 case 0x01:
398 j = 7;
399 break;
400 case 0x03:
401 j = 6;
402 break;
403 case 0x07:
404 j = 5;
405 break;
406 case 0x0F:
407 j = 4;
408 break;
409 case 0x1F:
410 j = 3;
411 break;
412 case 0x3F:
413 j = 2;
414 break;
415 case 0x7F:
416 j = 1;
417 break;
418 default:
419 return -1;
420 }
421 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
422 return -1;
423 else
424 return i * 8 + j;
96ea4ae9
BL		 425}
426
427/*
428 * Construct a prefix.
429 */
430static int make_addressPrefix(IPAddressOrRange **result,
0f113f3e 431 unsigned char *addr, const int prefixlen)
96ea4ae9 432{
0f113f3e
MC		 433 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
434 IPAddressOrRange *aor = IPAddressOrRange_new();
435
436 if (aor == NULL)
437 return 0;
438 aor->type = IPAddressOrRange_addressPrefix;
439 if (aor->u.addressPrefix == NULL &&
440 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
441 goto err;
442 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
443 goto err;
444 aor->u.addressPrefix->flags &= ~7;
445 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
446 if (bitlen > 0) {
447 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
448 aor->u.addressPrefix->flags |= 8 - bitlen;
449 }
96ea4ae9 450
0f113f3e
MC		 451 *result = aor;
452 return 1;
96ea4ae9
BL		 453
454 err:
0f113f3e
MC		 455 IPAddressOrRange_free(aor);
456 return 0;
96ea4ae9
BL		 457}
458
459/*
460 * Construct a range. If it can be expressed as a prefix,
461 * return a prefix instead. Doing this here simplifies
462 * the rest of the code considerably.
463 */
464static int make_addressRange(IPAddressOrRange **result,
0f113f3e
MC		 465 unsigned char *min,
466 unsigned char *max, const int length)
96ea4ae9 467{
0f113f3e
MC		 468 IPAddressOrRange *aor;
469 int i, prefixlen;
470
471 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
472 return make_addressPrefix(result, min, prefixlen);
473
474 if ((aor = IPAddressOrRange_new()) == NULL)
475 return 0;
476 aor->type = IPAddressOrRange_addressRange;
477 OPENSSL_assert(aor->u.addressRange == NULL);
478 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
479 goto err;
480 if (aor->u.addressRange->min == NULL &&
481 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
482 goto err;
483 if (aor->u.addressRange->max == NULL &&
484 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
485 goto err;
486
487 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ;
488 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
489 goto err;
490 aor->u.addressRange->min->flags &= ~7;
491 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
492 if (i > 0) {
493 unsigned char b = min[i - 1];
494 int j = 1;
495 while ((b & (0xFFU >> j)) != 0)
496 ++j;
497 aor->u.addressRange->min->flags |= 8 - j;
498 }
96ea4ae9 499
0f113f3e
MC		 500 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ;
501 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
502 goto err;
503 aor->u.addressRange->max->flags &= ~7;
504 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
505 if (i > 0) {
506 unsigned char b = max[i - 1];
507 int j = 1;
508 while ((b & (0xFFU >> j)) != (0xFFU >> j))
509 ++j;
510 aor->u.addressRange->max->flags |= 8 - j;
511 }
96ea4ae9 512
0f113f3e
MC		 513 *result = aor;
514 return 1;
96ea4ae9
BL		 515
516 err:
0f113f3e
MC		 517 IPAddressOrRange_free(aor);
518 return 0;
96ea4ae9
BL		 519}
520
521/*
522 * Construct a new address family or find an existing one.
523 */
524static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
0f113f3e
MC		 525 const unsigned afi,
526 const unsigned *safi)
96ea4ae9 527{
0f113f3e
MC		 528 IPAddressFamily *f;
529 unsigned char key[3];
537bf438 530 int keylen;
0f113f3e
MC		 531 int i;
532
533 key[0] = (afi >> 8) & 0xFF;
534 key[1] = afi & 0xFF;
535 if (safi != NULL) {
536 key[2] = *safi & 0xFF;
537 keylen = 3;
538 } else {
539 keylen = 2;
540 }
541
542 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
543 f = sk_IPAddressFamily_value(addr, i);
544 OPENSSL_assert(f->addressFamily->data != NULL);
545 if (f->addressFamily->length == keylen &&
546 !memcmp(f->addressFamily->data, key, keylen))
547 return f;
548 }
549
550 if ((f = IPAddressFamily_new()) == NULL)
551 goto err;
552 if (f->ipAddressChoice == NULL &&
553 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
554 goto err;
555 if (f->addressFamily == NULL &&
556 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
557 goto err;
558 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
559 goto err;
560 if (!sk_IPAddressFamily_push(addr, f))
561 goto err;
562
563 return f;
96ea4ae9
BL		 564
565 err:
0f113f3e
MC		 566 IPAddressFamily_free(f);
567 return NULL;
96ea4ae9
BL		 568}
569
570/*
571 * Add an inheritance element.
572 */
573int v3_addr_add_inherit(IPAddrBlocks *addr,
0f113f3e 574 const unsigned afi, const unsigned *safi)
96ea4ae9 575{
0f113f3e
MC		 576 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
577 if (f == NULL ||
578 f->ipAddressChoice == NULL ||
579 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
580 f->ipAddressChoice->u.addressesOrRanges != NULL))
581 return 0;
582 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
583 f->ipAddressChoice->u.inherit != NULL)
584 return 1;
585 if (f->ipAddressChoice->u.inherit == NULL &&
586 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
587 return 0;
588 f->ipAddressChoice->type = IPAddressChoice_inherit;
96ea4ae9 589 return 1;
96ea4ae9
BL		 590}
591
592/*
593 * Construct an IPAddressOrRange sequence, or return an existing one.
594 */
595static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
0f113f3e
MC		 596 const unsigned afi,
597 const unsigned *safi)
96ea4ae9 598{
0f113f3e
MC		 599 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
600 IPAddressOrRanges *aors = NULL;
601
602 if (f == NULL ||
603 f->ipAddressChoice == NULL ||
604 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
605 f->ipAddressChoice->u.inherit != NULL))
606 return NULL;
607 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
608 aors = f->ipAddressChoice->u.addressesOrRanges;
609 if (aors != NULL)
610 return aors;
611 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
612 return NULL;
613 switch (afi) {
614 case IANA_AFI_IPV4:
615 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
616 break;
617 case IANA_AFI_IPV6:
618 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
619 break;
620 }
621 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
622 f->ipAddressChoice->u.addressesOrRanges = aors;
96ea4ae9 623 return aors;
96ea4ae9
BL		 624}
625
626/*
627 * Add a prefix.
628 */
629int v3_addr_add_prefix(IPAddrBlocks *addr,
0f113f3e
MC		 630 const unsigned afi,
631 const unsigned *safi,
632 unsigned char *a, const int prefixlen)
96ea4ae9 633{
0f113f3e
MC		 634 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
635 IPAddressOrRange *aor;
636 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
637 return 0;
638 if (sk_IPAddressOrRange_push(aors, aor))
639 return 1;
640 IPAddressOrRange_free(aor);
96ea4ae9 641 return 0;
96ea4ae9
BL		 642}
643
644/*
645 * Add a range.
646 */
647int v3_addr_add_range(IPAddrBlocks *addr,
0f113f3e
MC		 648 const unsigned afi,
649 const unsigned *safi,
650 unsigned char *min, unsigned char *max)
96ea4ae9 651{
0f113f3e
MC		 652 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
653 IPAddressOrRange *aor;
654 int length = length_from_afi(afi);
655 if (aors == NULL)
656 return 0;
657 if (!make_addressRange(&aor, min, max, length))
658 return 0;
659 if (sk_IPAddressOrRange_push(aors, aor))
660 return 1;
661 IPAddressOrRange_free(aor);
96ea4ae9 662 return 0;
96ea4ae9
BL		 663}
664
665/*
666 * Extract min and max values from an IPAddressOrRange.
667 */
be71c372 668static int extract_min_max(IPAddressOrRange *aor,
0f113f3e 669 unsigned char *min, unsigned char *max, int length)
96ea4ae9 670{
0f113f3e
MC		 671 if (aor == NULL || min == NULL || max == NULL)
672 return 0;
673 switch (aor->type) {
674 case IPAddressOrRange_addressPrefix:
675 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
676 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
677 case IPAddressOrRange_addressRange:
678 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
679 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
680 }
be71c372 681 return 0;
96ea4ae9
BL		 682}
683
684/*
685 * Public wrapper for extract_min_max().
686 */
687int v3_addr_get_range(IPAddressOrRange *aor,
0f113f3e
MC		 688 const unsigned afi,
689 unsigned char *min,
690 unsigned char *max, const int length)
96ea4ae9 691{
0f113f3e
MC		 692 int afi_length = length_from_afi(afi);
693 if (aor == NULL || min == NULL || max == NULL ||
694 afi_length == 0 || length < afi_length ||
695 (aor->type != IPAddressOrRange_addressPrefix &&
696 aor->type != IPAddressOrRange_addressRange) ||
697 !extract_min_max(aor, min, max, afi_length))
698 return 0;
699
700 return afi_length;
96ea4ae9
BL		 701}
702
703/*
704 * Sort comparision function for a sequence of IPAddressFamily.
705 *
706 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
707 * the ordering: I can read it as meaning that IPv6 without a SAFI
708 * comes before IPv4 with a SAFI, which seems pretty weird. The
709 * examples in appendix B suggest that the author intended the
710 * null-SAFI rule to apply only within a single AFI, which is what I
711 * would have expected and is what the following code implements.
712 */
0f113f3e
MC		 713static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
714 const IPAddressFamily *const *b_)
96ea4ae9 715{
0f113f3e
MC		 716 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
717 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
718 int len = ((a->length <= b->length) ? a->length : b->length);
719 int cmp = memcmp(a->data, b->data, len);
720 return cmp ? cmp : a->length - b->length;
96ea4ae9
BL		 721}
722
723/*
724 * Check whether an IPAddrBLocks is in canonical form.
725 */
726int v3_addr_is_canonical(IPAddrBlocks *addr)
727{
0f113f3e
MC		 728 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
729 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
730 IPAddressOrRanges *aors;
731 int i, j, k;
96ea4ae9
BL		 732
733 /*
0f113f3e 734 * Empty extension is cannonical.
96ea4ae9 735 */
0f113f3e
MC		 736 if (addr == NULL)
737 return 1;
96ea4ae9
BL		 738
739 /*
0f113f3e 740 * Check whether the top-level list is in order.
96ea4ae9 741 */
0f113f3e
MC		 742 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
743 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
744 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
745 if (IPAddressFamily_cmp(&a, &b) >= 0)
746 return 0;
96ea4ae9
BL		 747 }
748
749 /*
0f113f3e 750 * Top level's ok, now check each address family.
96ea4ae9 751 */
0f113f3e
MC		 752 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
753 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
754 int length = length_from_afi(v3_addr_get_afi(f));
755
756 /*
757 * Inheritance is canonical. Anything other than inheritance or
758 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
759 */
760 if (f == NULL || f->ipAddressChoice == NULL)
761 return 0;
762 switch (f->ipAddressChoice->type) {
763 case IPAddressChoice_inherit:
764 continue;
765 case IPAddressChoice_addressesOrRanges:
766 break;
767 default:
768 return 0;
769 }
770
771 /*
772 * It's an IPAddressOrRanges sequence, check it.
773 */
774 aors = f->ipAddressChoice->u.addressesOrRanges;
775 if (sk_IPAddressOrRange_num(aors) == 0)
776 return 0;
777 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
778 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
779 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
780
781 if (!extract_min_max(a, a_min, a_max, length) ||
782 !extract_min_max(b, b_min, b_max, length))
783 return 0;
784
785 /*
786 * Punt misordered list, overlapping start, or inverted range.
787 */
788 if (memcmp(a_min, b_min, length) >= 0 ||
789 memcmp(a_min, a_max, length) > 0 ||
790 memcmp(b_min, b_max, length) > 0)
791 return 0;
792
793 /*
794 * Punt if adjacent or overlapping. Check for adjacency by
795 * subtracting one from b_min first.
796 */
797 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ;
798 if (memcmp(a_max, b_min, length) >= 0)
799 return 0;
800
801 /*
802 * Check for range that should be expressed as a prefix.
803 */
804 if (a->type == IPAddressOrRange_addressRange &&
805 range_should_be_prefix(a_min, a_max, length) >= 0)
806 return 0;
807 }
808
809 /*
810 * Check range to see if it's inverted or should be a
811 * prefix.
812 */
813 j = sk_IPAddressOrRange_num(aors) - 1;
814 {
815 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
816 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
817 if (!extract_min_max(a, a_min, a_max, length))
818 return 0;
819 if (memcmp(a_min, a_max, length) > 0 ||
820 range_should_be_prefix(a_min, a_max, length) >= 0)
821 return 0;
822 }
823 }
96ea4ae9 824 }
96ea4ae9 825
0f113f3e
MC		 826 /*
827 * If we made it through all that, we're happy.
828 */
829 return 1;
96ea4ae9
BL		 830}
831
832/*
833 * Whack an IPAddressOrRanges into canonical form.
834 */
835static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
0f113f3e 836 const unsigned afi)
96ea4ae9 837{
0f113f3e 838 int i, j, length = length_from_afi(afi);
96ea4ae9 839
58b75e9c 840 /*
0f113f3e 841 * Sort the IPAddressOrRanges sequence.
58b75e9c 842 */
0f113f3e 843 sk_IPAddressOrRange_sort(aors);
58b75e9c 844
96ea4ae9 845 /*
0f113f3e 846 * Clean up representation issues, punt on duplicates or overlaps.
96ea4ae9 847 */
0f113f3e
MC		 848 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
849 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
850 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
851 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
852 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
853
854 if (!extract_min_max(a, a_min, a_max, length) ||
855 !extract_min_max(b, b_min, b_max, length))
856 return 0;
857
858 /*
859 * Punt inverted ranges.
860 */
861 if (memcmp(a_min, a_max, length) > 0 ||
862 memcmp(b_min, b_max, length) > 0)
863 return 0;
864
865 /*
866 * Punt overlaps.
867 */
868 if (memcmp(a_max, b_min, length) >= 0)
869 return 0;
870
871 /*
872 * Merge if a and b are adjacent. We check for
873 * adjacency by subtracting one from b_min first.
874 */
875 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ;
876 if (memcmp(a_max, b_min, length) == 0) {
877 IPAddressOrRange *merged;
878 if (!make_addressRange(&merged, a_min, b_max, length))
879 return 0;
880 (void)sk_IPAddressOrRange_set(aors, i, merged);
881 (void)sk_IPAddressOrRange_delete(aors, i + 1);
882 IPAddressOrRange_free(a);
883 IPAddressOrRange_free(b);
884 --i;
885 continue;
886 }
887 }
96ea4ae9
BL		 888
889 /*
0f113f3e 890 * Check for inverted final range.
96ea4ae9 891 */
0f113f3e
MC		 892 j = sk_IPAddressOrRange_num(aors) - 1;
893 {
894 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
895 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
896 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
897 extract_min_max(a, a_min, a_max, length);
898 if (memcmp(a_min, a_max, length) > 0)
899 return 0;
900 }
58b75e9c 901 }
58b75e9c 902
0f113f3e 903 return 1;
96ea4ae9
BL		 904}
905
906/*
907 * Whack an IPAddrBlocks extension into canonical form.
908 */
909int v3_addr_canonize(IPAddrBlocks *addr)
910{
0f113f3e
MC		 911 int i;
912 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
913 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
914 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
915 !IPAddressOrRanges_canonize(f->ipAddressChoice->
916 u.addressesOrRanges,
917 v3_addr_get_afi(f)))
918 return 0;
919 }
920 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
921 sk_IPAddressFamily_sort(addr);
922 OPENSSL_assert(v3_addr_is_canonical(addr));
923 return 1;
96ea4ae9
BL		 924}
925
926/*
927 * v2i handler for the IPAddrBlocks extension.
928 */
2e6a7b3e 929static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
0f113f3e
MC		 930 struct v3_ext_ctx *ctx,
931 STACK_OF(CONF_VALUE) *values)
96ea4ae9 932{
0f113f3e
MC		 933 static const char v4addr_chars[] = "0123456789.";
934 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
935 IPAddrBlocks *addr = NULL;
936 char *s = NULL, *t;
937 int i;
938
939 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
940 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
941 return NULL;
96ea4ae9
BL		 942 }
943
0f113f3e
MC		 944 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
945 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
946 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
947 unsigned afi, *safi = NULL, safi_;
4c9b0a03 948 const char *addr_chars = NULL;
0f113f3e
MC		 949 int prefixlen, i1, i2, delim, length;
950
951 if (!name_cmp(val->name, "IPv4")) {
952 afi = IANA_AFI_IPV4;
953 } else if (!name_cmp(val->name, "IPv6")) {
954 afi = IANA_AFI_IPV6;
955 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
956 afi = IANA_AFI_IPV4;
957 safi = &safi_;
958 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
959 afi = IANA_AFI_IPV6;
960 safi = &safi_;
961 } else {
962 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
963 X509V3_R_EXTENSION_NAME_ERROR);
964 X509V3_conf_err(val);
965 goto err;
966 }
967
968 switch (afi) {
969 case IANA_AFI_IPV4:
970 addr_chars = v4addr_chars;
971 break;
972 case IANA_AFI_IPV6:
973 addr_chars = v6addr_chars;
974 break;
975 }
976
977 length = length_from_afi(afi);
978
979 /*
980 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
981 * the other input values.
982 */
983 if (safi != NULL) {
984 *safi = strtoul(val->value, &t, 0);
985 t += strspn(t, " \t");
986 if (*safi > 0xFF || *t++ != ':') {
987 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
988 X509V3_conf_err(val);
989 goto err;
990 }
991 t += strspn(t, " \t");
992 s = BUF_strdup(t);
993 } else {
994 s = BUF_strdup(val->value);
995 }
996 if (s == NULL) {
997 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
998 goto err;
999 }
1000
1001 /*
1002 * Check for inheritance. Not worth additional complexity to
1003 * optimize this (seldom-used) case.
1004 */
1005 if (!strcmp(s, "inherit")) {
1006 if (!v3_addr_add_inherit(addr, afi, safi)) {
1007 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1008 X509V3_R_INVALID_INHERITANCE);
1009 X509V3_conf_err(val);
1010 goto err;
1011 }
1012 OPENSSL_free(s);
1013 s = NULL;
1014 continue;
1015 }
1016
1017 i1 = strspn(s, addr_chars);
1018 i2 = i1 + strspn(s + i1, " \t");
1019 delim = s[i2++];
1020 s[i1] = '\0';
1021
1022 if (a2i_ipadd(min, s) != length) {
1023 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1024 X509V3_conf_err(val);
1025 goto err;
1026 }
1027
1028 switch (delim) {
1029 case '/':
1030 prefixlen = (int)strtoul(s + i2, &t, 10);
1031 if (t == s + i2 || *t != '\0') {
1032 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1033 X509V3_R_EXTENSION_VALUE_ERROR);
1034 X509V3_conf_err(val);
1035 goto err;
1036 }
1037 if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1038 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1039 goto err;
1040 }
1041 break;
1042 case '-':
1043 i1 = i2 + strspn(s + i2, " \t");
1044 i2 = i1 + strspn(s + i1, addr_chars);
1045 if (i1 == i2 || s[i2] != '\0') {
1046 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1047 X509V3_R_EXTENSION_VALUE_ERROR);
1048 X509V3_conf_err(val);
1049 goto err;
1050 }
1051 if (a2i_ipadd(max, s + i1) != length) {
1052 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1053 X509V3_R_INVALID_IPADDRESS);
1054 X509V3_conf_err(val);
1055 goto err;
1056 }
1057 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1058 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1059 X509V3_R_EXTENSION_VALUE_ERROR);
1060 X509V3_conf_err(val);
1061 goto err;
1062 }
1063 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1064 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1065 goto err;
1066 }
1067 break;
1068 case '\0':
1069 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1070 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1071 goto err;
1072 }
1073 break;
1074 default:
1075 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1076 X509V3_R_EXTENSION_VALUE_ERROR);
1077 X509V3_conf_err(val);
1078 goto err;
1079 }
1080
1081 OPENSSL_free(s);
1082 s = NULL;
96ea4ae9
BL		 1083 }
1084
1085 /*
0f113f3e 1086 * Canonize the result, then we're done.
96ea4ae9 1087 */
0f113f3e
MC		 1088 if (!v3_addr_canonize(addr))
1089 goto err;
1090 return addr;
96ea4ae9
BL		 1091
1092 err:
0f113f3e
MC		 1093 OPENSSL_free(s);
1094 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1095 return NULL;
96ea4ae9
BL		 1096}
1097
1098/*
1099 * OpenSSL dispatch
1100 */
560b79cb 1101const X509V3_EXT_METHOD v3_addr = {
0f113f3e
MC		 1102 NID_sbgp_ipAddrBlock, /* nid */
1103 0, /* flags */
1104 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1105 0, 0, 0, 0, /* old functions, ignored */
1106 0, /* i2s */
1107 0, /* s2i */
1108 0, /* i2v */
1109 v2i_IPAddrBlocks, /* v2i */
1110 i2r_IPAddrBlocks, /* i2r */
1111 0, /* r2i */
1112 NULL /* extension-specific data */
96ea4ae9
BL		 1113};
1114
1115/*
1116 * Figure out whether extension sues inheritance.
1117 */
1118int v3_addr_inherits(IPAddrBlocks *addr)
1119{
0f113f3e
MC		 1120 int i;
1121 if (addr == NULL)
1122 return 0;
1123 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1124 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1125 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1126 return 1;
1127 }
96ea4ae9 1128 return 0;
96ea4ae9
BL		 1129}
1130
1131/*
1132 * Figure out whether parent contains child.
1133 */
1134static int addr_contains(IPAddressOrRanges *parent,
0f113f3e 1135 IPAddressOrRanges *child, int length)
96ea4ae9 1136{
0f113f3e
MC		 1137 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1138 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1139 int p, c;
1140
1141 if (child == NULL || parent == child)
1142 return 1;
1143 if (parent == NULL)
1144 return 0;
1145
1146 p = 0;
1147 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1148 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1149 c_min, c_max, length))
1150 return -1;
1151 for (;; p++) {
1152 if (p >= sk_IPAddressOrRange_num(parent))
1153 return 0;
1154 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1155 p_min, p_max, length))
1156 return 0;
1157 if (memcmp(p_max, c_max, length) < 0)
1158 continue;
1159 if (memcmp(p_min, c_min, length) > 0)
1160 return 0;
1161 break;
1162 }
96ea4ae9 1163 }
96ea4ae9 1164
0f113f3e 1165 return 1;
96ea4ae9
BL		 1166}
1167
1168/*
1169 * Test whether a is a subset of b.
1170 */
1171int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1172{
0f113f3e
MC		 1173 int i;
1174 if (a == NULL || a == b)
1175 return 1;
1176 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1177 return 0;
1178 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1179 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1180 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1181 int j = sk_IPAddressFamily_find(b, fa);
1182 IPAddressFamily *fb;
1183 fb = sk_IPAddressFamily_value(b, j);
1184 if (fb == NULL)
1185 return 0;
1186 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1187 fa->ipAddressChoice->u.addressesOrRanges,
1188 length_from_afi(v3_addr_get_afi(fb))))
1189 return 0;
1190 }
96ea4ae9 1191 return 1;
96ea4ae9
BL		 1192}
1193
1194/*
1195 * Validation error handling via callback.
1196 */
c73ad690 1197#define validation_err(_err_) \
0f113f3e
MC		 1198 do { \
1199 if (ctx != NULL) { \
1200 ctx->error = _err_; \
1201 ctx->error_depth = i; \
1202 ctx->current_cert = x; \
1203 ret = ctx->verify_cb(0, ctx); \
1204 } else { \
1205 ret = 0; \
1206 } \
1207 if (!ret) \
1208 goto done; \
96ea4ae9
BL		 1209 } while (0)
1210
1211/*
1212 * Core code for RFC 3779 2.3 path validation.
1213 */
1214static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
0f113f3e
MC		 1215 STACK_OF(X509) *chain,
1216 IPAddrBlocks *ext)
96ea4ae9 1217{
0f113f3e
MC		 1218 IPAddrBlocks *child = NULL;
1219 int i, j, ret = 1;
1220 X509 *x;
1221
1222 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1223 OPENSSL_assert(ctx != NULL || ext != NULL);
1224 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1225
1226 /*
1227 * Figure out where to start. If we don't have an extension to
1228 * check, we're done. Otherwise, check canonical form and
1229 * set up for walking up the chain.
1230 */
1231 if (ext != NULL) {
1232 i = -1;
1233 x = NULL;
1234 } else {
1235 i = 0;
1236 x = sk_X509_value(chain, i);
1237 OPENSSL_assert(x != NULL);
1238 if ((ext = x->rfc3779_addr) == NULL)
1239 goto done;
96ea4ae9 1240 }
0f113f3e
MC		 1241 if (!v3_addr_is_canonical(ext))
1242 validation_err(X509_V_ERR_INVALID_EXTENSION);
1243 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1244 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1245 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL,
1246 ERR_R_MALLOC_FAILURE);
1247 ret = 0;
1248 goto done;
1249 }
1250
1251 /*
1252 * Now walk up the chain. No cert may list resources that its
1253 * parent doesn't list.
1254 */
1255 for (i++; i < sk_X509_num(chain); i++) {
1256 x = sk_X509_value(chain, i);
1257 OPENSSL_assert(x != NULL);
1258 if (!v3_addr_is_canonical(x->rfc3779_addr))
1259 validation_err(X509_V_ERR_INVALID_EXTENSION);
1260 if (x->rfc3779_addr == NULL) {
1261 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1262 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1263 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1264 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1265 break;
1266 }
1267 }
1268 continue;
1269 }
1270 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1271 IPAddressFamily_cmp);
1272 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1273 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1274 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1275 IPAddressFamily *fp =
1276 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1277 if (fp == NULL) {
1278 if (fc->ipAddressChoice->type ==
1279 IPAddressChoice_addressesOrRanges) {
1280 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1281 break;
1282 }
1283 continue;
1284 }
1285 if (fp->ipAddressChoice->type ==
1286 IPAddressChoice_addressesOrRanges) {
1287 if (fc->ipAddressChoice->type == IPAddressChoice_inherit
1288 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1289 fc->ipAddressChoice->u.addressesOrRanges,
1290 length_from_afi(v3_addr_get_afi(fc))))
1291 sk_IPAddressFamily_set(child, j, fp);
1292 else
1293 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1294 }
1295 }
96ea4ae9 1296 }
0f113f3e
MC		 1297
1298 /*
1299 * Trust anchor can't inherit.
1300 */
1301 OPENSSL_assert(x != NULL);
1302 if (x->rfc3779_addr != NULL) {
1303 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1304 IPAddressFamily *fp =
1305 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1306 if (fp->ipAddressChoice->type == IPAddressChoice_inherit
1307 && sk_IPAddressFamily_find(child, fp) >= 0)
1308 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1309 }
96ea4ae9 1310 }
96ea4ae9
BL		 1311
1312 done:
0f113f3e
MC		 1313 sk_IPAddressFamily_free(child);
1314 return ret;
96ea4ae9
BL		 1315}
1316
c73ad690 1317#undef validation_err
96ea4ae9
BL		 1318
1319/*
1320 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1321 */
1322int v3_addr_validate_path(X509_STORE_CTX *ctx)
1323{
0f113f3e 1324 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
96ea4ae9
BL		 1325}
1326
1327/*
1328 * RFC 3779 2.3 path validation of an extension.
1329 * Test whether chain covers extension.
1330 */
1331int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
0f113f3e 1332 IPAddrBlocks *ext, int allow_inheritance)
96ea4ae9 1333{
0f113f3e
MC		 1334 if (ext == NULL)
1335 return 1;
1336 if (chain == NULL || sk_X509_num(chain) == 0)
1337 return 0;
1338 if (!allow_inheritance && v3_addr_inherits(ext))
1339 return 0;
1340 return v3_addr_validate_path_internal(NULL, chain, ext);
96ea4ae9 1341}
A mirror of the official openssl repository