]>
Commit | Line | Data |
---|---|---|
96ea4ae9 BL |
1 | /* |
2 | * Contributed to the OpenSSL Project by the American Registry for | |
3 | * Internet Numbers ("ARIN"). | |
4 | */ | |
5 | /* ==================================================================== | |
6 | * Copyright (c) 2006 The OpenSSL Project. All rights reserved. | |
7 | * | |
8 | * Redistribution and use in source and binary forms, with or without | |
9 | * modification, are permitted provided that the following conditions | |
10 | * are met: | |
11 | * | |
12 | * 1. Redistributions of source code must retain the above copyright | |
0f113f3e | 13 | * notice, this list of conditions and the following disclaimer. |
96ea4ae9 BL |
14 | * |
15 | * 2. Redistributions in binary form must reproduce the above copyright | |
16 | * notice, this list of conditions and the following disclaimer in | |
17 | * the documentation and/or other materials provided with the | |
18 | * distribution. | |
19 | * | |
20 | * 3. All advertising materials mentioning features or use of this | |
21 | * software must display the following acknowledgment: | |
22 | * "This product includes software developed by the OpenSSL Project | |
23 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | |
24 | * | |
25 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
26 | * endorse or promote products derived from this software without | |
27 | * prior written permission. For written permission, please contact | |
28 | * licensing@OpenSSL.org. | |
29 | * | |
30 | * 5. Products derived from this software may not be called "OpenSSL" | |
31 | * nor may "OpenSSL" appear in their names without prior written | |
32 | * permission of the OpenSSL Project. | |
33 | * | |
34 | * 6. Redistributions of any form whatsoever must retain the following | |
35 | * acknowledgment: | |
36 | * "This product includes software developed by the OpenSSL Project | |
37 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | |
38 | * | |
39 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
40 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
41 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
42 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
43 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
44 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
45 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
46 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
48 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
49 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
50 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
51 | * ==================================================================== | |
52 | * | |
53 | * This product includes cryptographic software written by Eric Young | |
54 | * (eay@cryptsoft.com). This product includes software written by Tim | |
55 | * Hudson (tjh@cryptsoft.com). | |
56 | */ | |
57 | ||
58 | /* | |
59 | * Implementation of RFC 3779 section 2.2. | |
60 | */ | |
61 | ||
62 | #include <stdio.h> | |
63 | #include <stdlib.h> | |
a0b76569 | 64 | |
96ea4ae9 BL |
65 | #include "cryptlib.h" |
66 | #include <openssl/conf.h> | |
67 | #include <openssl/asn1.h> | |
68 | #include <openssl/asn1t.h> | |
ea46f5e0 | 69 | #include <openssl/buffer.h> |
96ea4ae9 BL |
70 | #include <openssl/x509v3.h> |
71 | ||
96ea4ae9 BL |
72 | |
73 | /* | |
74 | * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. | |
75 | */ | |
76 | ||
77 | ASN1_SEQUENCE(IPAddressRange) = { | |
78 | ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), | |
79 | ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) | |
80 | } ASN1_SEQUENCE_END(IPAddressRange) | |
81 | ||
82 | ASN1_CHOICE(IPAddressOrRange) = { | |
83 | ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), | |
84 | ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) | |
85 | } ASN1_CHOICE_END(IPAddressOrRange) | |
86 | ||
87 | ASN1_CHOICE(IPAddressChoice) = { | |
88 | ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), | |
89 | ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) | |
90 | } ASN1_CHOICE_END(IPAddressChoice) | |
91 | ||
92 | ASN1_SEQUENCE(IPAddressFamily) = { | |
93 | ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), | |
94 | ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) | |
95 | } ASN1_SEQUENCE_END(IPAddressFamily) | |
96 | ||
0f113f3e | 97 | ASN1_ITEM_TEMPLATE(IPAddrBlocks) = |
96ea4ae9 | 98 | ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, |
0f113f3e | 99 | IPAddrBlocks, IPAddressFamily) |
96ea4ae9 BL |
100 | ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) |
101 | ||
102 | IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) | |
103 | IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) | |
104 | IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice) | |
105 | IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) | |
106 | ||
107 | /* | |
108 | * How much buffer space do we need for a raw address? | |
109 | */ | |
c73ad690 | 110 | #define ADDR_RAW_BUF_LEN 16 |
96ea4ae9 BL |
111 | |
112 | /* | |
113 | * What's the address length associated with this AFI? | |
114 | */ | |
115 | static int length_from_afi(const unsigned afi) | |
116 | { | |
0f113f3e MC |
117 | switch (afi) { |
118 | case IANA_AFI_IPV4: | |
119 | return 4; | |
120 | case IANA_AFI_IPV6: | |
121 | return 16; | |
122 | default: | |
123 | return 0; | |
124 | } | |
96ea4ae9 BL |
125 | } |
126 | ||
127 | /* | |
128 | * Extract the AFI from an IPAddressFamily. | |
129 | */ | |
a0b76569 | 130 | unsigned int v3_addr_get_afi(const IPAddressFamily *f) |
96ea4ae9 | 131 | { |
0f113f3e MC |
132 | return ((f != NULL && |
133 | f->addressFamily != NULL && f->addressFamily->data != NULL) | |
134 | ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) | |
135 | : 0); | |
96ea4ae9 BL |
136 | } |
137 | ||
138 | /* | |
139 | * Expand the bitstring form of an address into a raw byte array. | |
140 | * At the moment this is coded for simplicity, not speed. | |
141 | */ | |
be71c372 | 142 | static int addr_expand(unsigned char *addr, |
0f113f3e MC |
143 | const ASN1_BIT_STRING *bs, |
144 | const int length, const unsigned char fill) | |
96ea4ae9 | 145 | { |
0f113f3e MC |
146 | if (bs->length < 0 || bs->length > length) |
147 | return 0; | |
148 | if (bs->length > 0) { | |
149 | memcpy(addr, bs->data, bs->length); | |
150 | if ((bs->flags & 7) != 0) { | |
151 | unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); | |
152 | if (fill == 0) | |
153 | addr[bs->length - 1] &= ~mask; | |
154 | else | |
155 | addr[bs->length - 1] |= mask; | |
156 | } | |
96ea4ae9 | 157 | } |
0f113f3e MC |
158 | memset(addr + bs->length, fill, length - bs->length); |
159 | return 1; | |
96ea4ae9 BL |
160 | } |
161 | ||
162 | /* | |
163 | * Extract the prefix length from a bitstring. | |
164 | */ | |
c73ad690 | 165 | #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) |
96ea4ae9 BL |
166 | |
167 | /* | |
168 | * i2r handler for one address bitstring. | |
169 | */ | |
170 | static int i2r_address(BIO *out, | |
0f113f3e MC |
171 | const unsigned afi, |
172 | const unsigned char fill, const ASN1_BIT_STRING *bs) | |
96ea4ae9 | 173 | { |
0f113f3e MC |
174 | unsigned char addr[ADDR_RAW_BUF_LEN]; |
175 | int i, n; | |
96ea4ae9 | 176 | |
0f113f3e MC |
177 | if (bs->length < 0) |
178 | return 0; | |
179 | switch (afi) { | |
180 | case IANA_AFI_IPV4: | |
181 | if (!addr_expand(addr, bs, 4, fill)) | |
182 | return 0; | |
183 | BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); | |
184 | break; | |
185 | case IANA_AFI_IPV6: | |
186 | if (!addr_expand(addr, bs, 16, fill)) | |
187 | return 0; | |
188 | for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; | |
189 | n -= 2) ; | |
190 | for (i = 0; i < n; i += 2) | |
191 | BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], | |
192 | (i < 14 ? ":" : "")); | |
193 | if (i < 16) | |
194 | BIO_puts(out, ":"); | |
195 | if (i == 0) | |
196 | BIO_puts(out, ":"); | |
197 | break; | |
198 | default: | |
199 | for (i = 0; i < bs->length; i++) | |
200 | BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); | |
201 | BIO_printf(out, "[%d]", (int)(bs->flags & 7)); | |
202 | break; | |
203 | } | |
204 | return 1; | |
96ea4ae9 BL |
205 | } |
206 | ||
207 | /* | |
208 | * i2r handler for a sequence of addresses and ranges. | |
209 | */ | |
210 | static int i2r_IPAddressOrRanges(BIO *out, | |
0f113f3e MC |
211 | const int indent, |
212 | const IPAddressOrRanges *aors, | |
213 | const unsigned afi) | |
96ea4ae9 | 214 | { |
0f113f3e MC |
215 | int i; |
216 | for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { | |
217 | const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); | |
218 | BIO_printf(out, "%*s", indent, ""); | |
219 | switch (aor->type) { | |
220 | case IPAddressOrRange_addressPrefix: | |
221 | if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) | |
222 | return 0; | |
223 | BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); | |
224 | continue; | |
225 | case IPAddressOrRange_addressRange: | |
226 | if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) | |
227 | return 0; | |
228 | BIO_puts(out, "-"); | |
229 | if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) | |
230 | return 0; | |
231 | BIO_puts(out, "\n"); | |
232 | continue; | |
233 | } | |
96ea4ae9 | 234 | } |
0f113f3e | 235 | return 1; |
96ea4ae9 BL |
236 | } |
237 | ||
238 | /* | |
239 | * i2r handler for an IPAddrBlocks extension. | |
240 | */ | |
2e6a7b3e | 241 | static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, |
0f113f3e | 242 | void *ext, BIO *out, int indent) |
96ea4ae9 | 243 | { |
0f113f3e MC |
244 | const IPAddrBlocks *addr = ext; |
245 | int i; | |
246 | for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { | |
247 | IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); | |
248 | const unsigned int afi = v3_addr_get_afi(f); | |
249 | switch (afi) { | |
250 | case IANA_AFI_IPV4: | |
251 | BIO_printf(out, "%*sIPv4", indent, ""); | |
252 | break; | |
253 | case IANA_AFI_IPV6: | |
254 | BIO_printf(out, "%*sIPv6", indent, ""); | |
255 | break; | |
256 | default: | |
257 | BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); | |
258 | break; | |
259 | } | |
260 | if (f->addressFamily->length > 2) { | |
261 | switch (f->addressFamily->data[2]) { | |
262 | case 1: | |
263 | BIO_puts(out, " (Unicast)"); | |
264 | break; | |
265 | case 2: | |
266 | BIO_puts(out, " (Multicast)"); | |
267 | break; | |
268 | case 3: | |
269 | BIO_puts(out, " (Unicast/Multicast)"); | |
270 | break; | |
271 | case 4: | |
272 | BIO_puts(out, " (MPLS)"); | |
273 | break; | |
274 | case 64: | |
275 | BIO_puts(out, " (Tunnel)"); | |
276 | break; | |
277 | case 65: | |
278 | BIO_puts(out, " (VPLS)"); | |
279 | break; | |
280 | case 66: | |
281 | BIO_puts(out, " (BGP MDT)"); | |
282 | break; | |
283 | case 128: | |
284 | BIO_puts(out, " (MPLS-labeled VPN)"); | |
285 | break; | |
286 | default: | |
287 | BIO_printf(out, " (Unknown SAFI %u)", | |
288 | (unsigned)f->addressFamily->data[2]); | |
289 | break; | |
290 | } | |
291 | } | |
292 | switch (f->ipAddressChoice->type) { | |
293 | case IPAddressChoice_inherit: | |
294 | BIO_puts(out, ": inherit\n"); | |
295 | break; | |
296 | case IPAddressChoice_addressesOrRanges: | |
297 | BIO_puts(out, ":\n"); | |
298 | if (!i2r_IPAddressOrRanges(out, | |
299 | indent + 2, | |
300 | f->ipAddressChoice-> | |
301 | u.addressesOrRanges, afi)) | |
302 | return 0; | |
303 | break; | |
304 | } | |
96ea4ae9 | 305 | } |
0f113f3e | 306 | return 1; |
96ea4ae9 BL |
307 | } |
308 | ||
309 | /* | |
310 | * Sort comparison function for a sequence of IPAddressOrRange | |
311 | * elements. | |
be71c372 DSH |
312 | * |
313 | * There's no sane answer we can give if addr_expand() fails, and an | |
314 | * assertion failure on externally supplied data is seriously uncool, | |
315 | * so we just arbitrarily declare that if given invalid inputs this | |
316 | * function returns -1. If this messes up your preferred sort order | |
317 | * for garbage input, tough noogies. | |
96ea4ae9 BL |
318 | */ |
319 | static int IPAddressOrRange_cmp(const IPAddressOrRange *a, | |
0f113f3e | 320 | const IPAddressOrRange *b, const int length) |
96ea4ae9 | 321 | { |
0f113f3e MC |
322 | unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; |
323 | int prefixlen_a = 0, prefixlen_b = 0; | |
324 | int r; | |
325 | ||
326 | switch (a->type) { | |
327 | case IPAddressOrRange_addressPrefix: | |
328 | if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) | |
329 | return -1; | |
330 | prefixlen_a = addr_prefixlen(a->u.addressPrefix); | |
331 | break; | |
332 | case IPAddressOrRange_addressRange: | |
333 | if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) | |
334 | return -1; | |
335 | prefixlen_a = length * 8; | |
336 | break; | |
337 | } | |
338 | ||
339 | switch (b->type) { | |
340 | case IPAddressOrRange_addressPrefix: | |
341 | if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) | |
342 | return -1; | |
343 | prefixlen_b = addr_prefixlen(b->u.addressPrefix); | |
344 | break; | |
345 | case IPAddressOrRange_addressRange: | |
346 | if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) | |
347 | return -1; | |
348 | prefixlen_b = length * 8; | |
349 | break; | |
350 | } | |
351 | ||
352 | if ((r = memcmp(addr_a, addr_b, length)) != 0) | |
353 | return r; | |
354 | else | |
355 | return prefixlen_a - prefixlen_b; | |
96ea4ae9 BL |
356 | } |
357 | ||
358 | /* | |
359 | * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() | |
360 | * comparision routines are only allowed two arguments. | |
361 | */ | |
0f113f3e MC |
362 | static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, |
363 | const IPAddressOrRange *const *b) | |
96ea4ae9 | 364 | { |
0f113f3e | 365 | return IPAddressOrRange_cmp(*a, *b, 4); |
96ea4ae9 BL |
366 | } |
367 | ||
368 | /* | |
369 | * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() | |
370 | * comparision routines are only allowed two arguments. | |
371 | */ | |
0f113f3e MC |
372 | static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, |
373 | const IPAddressOrRange *const *b) | |
96ea4ae9 | 374 | { |
0f113f3e | 375 | return IPAddressOrRange_cmp(*a, *b, 16); |
96ea4ae9 BL |
376 | } |
377 | ||
378 | /* | |
379 | * Calculate whether a range collapses to a prefix. | |
380 | * See last paragraph of RFC 3779 2.2.3.7. | |
381 | */ | |
382 | static int range_should_be_prefix(const unsigned char *min, | |
0f113f3e | 383 | const unsigned char *max, const int length) |
96ea4ae9 | 384 | { |
0f113f3e MC |
385 | unsigned char mask; |
386 | int i, j; | |
387 | ||
388 | OPENSSL_assert(memcmp(min, max, length) <= 0); | |
389 | for (i = 0; i < length && min[i] == max[i]; i++) ; | |
390 | for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; | |
391 | if (i < j) | |
392 | return -1; | |
393 | if (i > j) | |
394 | return i * 8; | |
395 | mask = min[i] ^ max[i]; | |
396 | switch (mask) { | |
397 | case 0x01: | |
398 | j = 7; | |
399 | break; | |
400 | case 0x03: | |
401 | j = 6; | |
402 | break; | |
403 | case 0x07: | |
404 | j = 5; | |
405 | break; | |
406 | case 0x0F: | |
407 | j = 4; | |
408 | break; | |
409 | case 0x1F: | |
410 | j = 3; | |
411 | break; | |
412 | case 0x3F: | |
413 | j = 2; | |
414 | break; | |
415 | case 0x7F: | |
416 | j = 1; | |
417 | break; | |
418 | default: | |
419 | return -1; | |
420 | } | |
421 | if ((min[i] & mask) != 0 || (max[i] & mask) != mask) | |
422 | return -1; | |
423 | else | |
424 | return i * 8 + j; | |
96ea4ae9 BL |
425 | } |
426 | ||
427 | /* | |
428 | * Construct a prefix. | |
429 | */ | |
430 | static int make_addressPrefix(IPAddressOrRange **result, | |
0f113f3e | 431 | unsigned char *addr, const int prefixlen) |
96ea4ae9 | 432 | { |
0f113f3e MC |
433 | int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; |
434 | IPAddressOrRange *aor = IPAddressOrRange_new(); | |
435 | ||
436 | if (aor == NULL) | |
437 | return 0; | |
438 | aor->type = IPAddressOrRange_addressPrefix; | |
439 | if (aor->u.addressPrefix == NULL && | |
440 | (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) | |
441 | goto err; | |
442 | if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) | |
443 | goto err; | |
444 | aor->u.addressPrefix->flags &= ~7; | |
445 | aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; | |
446 | if (bitlen > 0) { | |
447 | aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); | |
448 | aor->u.addressPrefix->flags |= 8 - bitlen; | |
449 | } | |
96ea4ae9 | 450 | |
0f113f3e MC |
451 | *result = aor; |
452 | return 1; | |
96ea4ae9 BL |
453 | |
454 | err: | |
0f113f3e MC |
455 | IPAddressOrRange_free(aor); |
456 | return 0; | |
96ea4ae9 BL |
457 | } |
458 | ||
459 | /* | |
460 | * Construct a range. If it can be expressed as a prefix, | |
461 | * return a prefix instead. Doing this here simplifies | |
462 | * the rest of the code considerably. | |
463 | */ | |
464 | static int make_addressRange(IPAddressOrRange **result, | |
0f113f3e MC |
465 | unsigned char *min, |
466 | unsigned char *max, const int length) | |
96ea4ae9 | 467 | { |
0f113f3e MC |
468 | IPAddressOrRange *aor; |
469 | int i, prefixlen; | |
470 | ||
471 | if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) | |
472 | return make_addressPrefix(result, min, prefixlen); | |
473 | ||
474 | if ((aor = IPAddressOrRange_new()) == NULL) | |
475 | return 0; | |
476 | aor->type = IPAddressOrRange_addressRange; | |
477 | OPENSSL_assert(aor->u.addressRange == NULL); | |
478 | if ((aor->u.addressRange = IPAddressRange_new()) == NULL) | |
479 | goto err; | |
480 | if (aor->u.addressRange->min == NULL && | |
481 | (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) | |
482 | goto err; | |
483 | if (aor->u.addressRange->max == NULL && | |
484 | (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) | |
485 | goto err; | |
486 | ||
487 | for (i = length; i > 0 && min[i - 1] == 0x00; --i) ; | |
488 | if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) | |
489 | goto err; | |
490 | aor->u.addressRange->min->flags &= ~7; | |
491 | aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; | |
492 | if (i > 0) { | |
493 | unsigned char b = min[i - 1]; | |
494 | int j = 1; | |
495 | while ((b & (0xFFU >> j)) != 0) | |
496 | ++j; | |
497 | aor->u.addressRange->min->flags |= 8 - j; | |
498 | } | |
96ea4ae9 | 499 | |
0f113f3e MC |
500 | for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ; |
501 | if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) | |
502 | goto err; | |
503 | aor->u.addressRange->max->flags &= ~7; | |
504 | aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; | |
505 | if (i > 0) { | |
506 | unsigned char b = max[i - 1]; | |
507 | int j = 1; | |
508 | while ((b & (0xFFU >> j)) != (0xFFU >> j)) | |
509 | ++j; | |
510 | aor->u.addressRange->max->flags |= 8 - j; | |
511 | } | |
96ea4ae9 | 512 | |
0f113f3e MC |
513 | *result = aor; |
514 | return 1; | |
96ea4ae9 BL |
515 | |
516 | err: | |
0f113f3e MC |
517 | IPAddressOrRange_free(aor); |
518 | return 0; | |
96ea4ae9 BL |
519 | } |
520 | ||
521 | /* | |
522 | * Construct a new address family or find an existing one. | |
523 | */ | |
524 | static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, | |
0f113f3e MC |
525 | const unsigned afi, |
526 | const unsigned *safi) | |
96ea4ae9 | 527 | { |
0f113f3e MC |
528 | IPAddressFamily *f; |
529 | unsigned char key[3]; | |
537bf438 | 530 | int keylen; |
0f113f3e MC |
531 | int i; |
532 | ||
533 | key[0] = (afi >> 8) & 0xFF; | |
534 | key[1] = afi & 0xFF; | |
535 | if (safi != NULL) { | |
536 | key[2] = *safi & 0xFF; | |
537 | keylen = 3; | |
538 | } else { | |
539 | keylen = 2; | |
540 | } | |
541 | ||
542 | for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { | |
543 | f = sk_IPAddressFamily_value(addr, i); | |
544 | OPENSSL_assert(f->addressFamily->data != NULL); | |
545 | if (f->addressFamily->length == keylen && | |
546 | !memcmp(f->addressFamily->data, key, keylen)) | |
547 | return f; | |
548 | } | |
549 | ||
550 | if ((f = IPAddressFamily_new()) == NULL) | |
551 | goto err; | |
552 | if (f->ipAddressChoice == NULL && | |
553 | (f->ipAddressChoice = IPAddressChoice_new()) == NULL) | |
554 | goto err; | |
555 | if (f->addressFamily == NULL && | |
556 | (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) | |
557 | goto err; | |
558 | if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) | |
559 | goto err; | |
560 | if (!sk_IPAddressFamily_push(addr, f)) | |
561 | goto err; | |
562 | ||
563 | return f; | |
96ea4ae9 BL |
564 | |
565 | err: | |
0f113f3e MC |
566 | IPAddressFamily_free(f); |
567 | return NULL; | |
96ea4ae9 BL |
568 | } |
569 | ||
570 | /* | |
571 | * Add an inheritance element. | |
572 | */ | |
573 | int v3_addr_add_inherit(IPAddrBlocks *addr, | |
0f113f3e | 574 | const unsigned afi, const unsigned *safi) |
96ea4ae9 | 575 | { |
0f113f3e MC |
576 | IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); |
577 | if (f == NULL || | |
578 | f->ipAddressChoice == NULL || | |
579 | (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && | |
580 | f->ipAddressChoice->u.addressesOrRanges != NULL)) | |
581 | return 0; | |
582 | if (f->ipAddressChoice->type == IPAddressChoice_inherit && | |
583 | f->ipAddressChoice->u.inherit != NULL) | |
584 | return 1; | |
585 | if (f->ipAddressChoice->u.inherit == NULL && | |
586 | (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) | |
587 | return 0; | |
588 | f->ipAddressChoice->type = IPAddressChoice_inherit; | |
96ea4ae9 | 589 | return 1; |
96ea4ae9 BL |
590 | } |
591 | ||
592 | /* | |
593 | * Construct an IPAddressOrRange sequence, or return an existing one. | |
594 | */ | |
595 | static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, | |
0f113f3e MC |
596 | const unsigned afi, |
597 | const unsigned *safi) | |
96ea4ae9 | 598 | { |
0f113f3e MC |
599 | IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); |
600 | IPAddressOrRanges *aors = NULL; | |
601 | ||
602 | if (f == NULL || | |
603 | f->ipAddressChoice == NULL || | |
604 | (f->ipAddressChoice->type == IPAddressChoice_inherit && | |
605 | f->ipAddressChoice->u.inherit != NULL)) | |
606 | return NULL; | |
607 | if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) | |
608 | aors = f->ipAddressChoice->u.addressesOrRanges; | |
609 | if (aors != NULL) | |
610 | return aors; | |
611 | if ((aors = sk_IPAddressOrRange_new_null()) == NULL) | |
612 | return NULL; | |
613 | switch (afi) { | |
614 | case IANA_AFI_IPV4: | |
615 | (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); | |
616 | break; | |
617 | case IANA_AFI_IPV6: | |
618 | (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); | |
619 | break; | |
620 | } | |
621 | f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; | |
622 | f->ipAddressChoice->u.addressesOrRanges = aors; | |
96ea4ae9 | 623 | return aors; |
96ea4ae9 BL |
624 | } |
625 | ||
626 | /* | |
627 | * Add a prefix. | |
628 | */ | |
629 | int v3_addr_add_prefix(IPAddrBlocks *addr, | |
0f113f3e MC |
630 | const unsigned afi, |
631 | const unsigned *safi, | |
632 | unsigned char *a, const int prefixlen) | |
96ea4ae9 | 633 | { |
0f113f3e MC |
634 | IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); |
635 | IPAddressOrRange *aor; | |
636 | if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) | |
637 | return 0; | |
638 | if (sk_IPAddressOrRange_push(aors, aor)) | |
639 | return 1; | |
640 | IPAddressOrRange_free(aor); | |
96ea4ae9 | 641 | return 0; |
96ea4ae9 BL |
642 | } |
643 | ||
644 | /* | |
645 | * Add a range. | |
646 | */ | |
647 | int v3_addr_add_range(IPAddrBlocks *addr, | |
0f113f3e MC |
648 | const unsigned afi, |
649 | const unsigned *safi, | |
650 | unsigned char *min, unsigned char *max) | |
96ea4ae9 | 651 | { |
0f113f3e MC |
652 | IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); |
653 | IPAddressOrRange *aor; | |
654 | int length = length_from_afi(afi); | |
655 | if (aors == NULL) | |
656 | return 0; | |
657 | if (!make_addressRange(&aor, min, max, length)) | |
658 | return 0; | |
659 | if (sk_IPAddressOrRange_push(aors, aor)) | |
660 | return 1; | |
661 | IPAddressOrRange_free(aor); | |
96ea4ae9 | 662 | return 0; |
96ea4ae9 BL |
663 | } |
664 | ||
665 | /* | |
666 | * Extract min and max values from an IPAddressOrRange. | |
667 | */ | |
be71c372 | 668 | static int extract_min_max(IPAddressOrRange *aor, |
0f113f3e | 669 | unsigned char *min, unsigned char *max, int length) |
96ea4ae9 | 670 | { |
0f113f3e MC |
671 | if (aor == NULL || min == NULL || max == NULL) |
672 | return 0; | |
673 | switch (aor->type) { | |
674 | case IPAddressOrRange_addressPrefix: | |
675 | return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && | |
676 | addr_expand(max, aor->u.addressPrefix, length, 0xFF)); | |
677 | case IPAddressOrRange_addressRange: | |
678 | return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && | |
679 | addr_expand(max, aor->u.addressRange->max, length, 0xFF)); | |
680 | } | |
be71c372 | 681 | return 0; |
96ea4ae9 BL |
682 | } |
683 | ||
684 | /* | |
685 | * Public wrapper for extract_min_max(). | |
686 | */ | |
687 | int v3_addr_get_range(IPAddressOrRange *aor, | |
0f113f3e MC |
688 | const unsigned afi, |
689 | unsigned char *min, | |
690 | unsigned char *max, const int length) | |
96ea4ae9 | 691 | { |
0f113f3e MC |
692 | int afi_length = length_from_afi(afi); |
693 | if (aor == NULL || min == NULL || max == NULL || | |
694 | afi_length == 0 || length < afi_length || | |
695 | (aor->type != IPAddressOrRange_addressPrefix && | |
696 | aor->type != IPAddressOrRange_addressRange) || | |
697 | !extract_min_max(aor, min, max, afi_length)) | |
698 | return 0; | |
699 | ||
700 | return afi_length; | |
96ea4ae9 BL |
701 | } |
702 | ||
703 | /* | |
704 | * Sort comparision function for a sequence of IPAddressFamily. | |
705 | * | |
706 | * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about | |
707 | * the ordering: I can read it as meaning that IPv6 without a SAFI | |
708 | * comes before IPv4 with a SAFI, which seems pretty weird. The | |
709 | * examples in appendix B suggest that the author intended the | |
710 | * null-SAFI rule to apply only within a single AFI, which is what I | |
711 | * would have expected and is what the following code implements. | |
712 | */ | |
0f113f3e MC |
713 | static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, |
714 | const IPAddressFamily *const *b_) | |
96ea4ae9 | 715 | { |
0f113f3e MC |
716 | const ASN1_OCTET_STRING *a = (*a_)->addressFamily; |
717 | const ASN1_OCTET_STRING *b = (*b_)->addressFamily; | |
718 | int len = ((a->length <= b->length) ? a->length : b->length); | |
719 | int cmp = memcmp(a->data, b->data, len); | |
720 | return cmp ? cmp : a->length - b->length; | |
96ea4ae9 BL |
721 | } |
722 | ||
723 | /* | |
724 | * Check whether an IPAddrBLocks is in canonical form. | |
725 | */ | |
726 | int v3_addr_is_canonical(IPAddrBlocks *addr) | |
727 | { | |
0f113f3e MC |
728 | unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; |
729 | unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; | |
730 | IPAddressOrRanges *aors; | |
731 | int i, j, k; | |
96ea4ae9 BL |
732 | |
733 | /* | |
0f113f3e | 734 | * Empty extension is cannonical. |
96ea4ae9 | 735 | */ |
0f113f3e MC |
736 | if (addr == NULL) |
737 | return 1; | |
96ea4ae9 BL |
738 | |
739 | /* | |
0f113f3e | 740 | * Check whether the top-level list is in order. |
96ea4ae9 | 741 | */ |
0f113f3e MC |
742 | for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { |
743 | const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); | |
744 | const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); | |
745 | if (IPAddressFamily_cmp(&a, &b) >= 0) | |
746 | return 0; | |
96ea4ae9 BL |
747 | } |
748 | ||
749 | /* | |
0f113f3e | 750 | * Top level's ok, now check each address family. |
96ea4ae9 | 751 | */ |
0f113f3e MC |
752 | for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { |
753 | IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); | |
754 | int length = length_from_afi(v3_addr_get_afi(f)); | |
755 | ||
756 | /* | |
757 | * Inheritance is canonical. Anything other than inheritance or | |
758 | * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. | |
759 | */ | |
760 | if (f == NULL || f->ipAddressChoice == NULL) | |
761 | return 0; | |
762 | switch (f->ipAddressChoice->type) { | |
763 | case IPAddressChoice_inherit: | |
764 | continue; | |
765 | case IPAddressChoice_addressesOrRanges: | |
766 | break; | |
767 | default: | |
768 | return 0; | |
769 | } | |
770 | ||
771 | /* | |
772 | * It's an IPAddressOrRanges sequence, check it. | |
773 | */ | |
774 | aors = f->ipAddressChoice->u.addressesOrRanges; | |
775 | if (sk_IPAddressOrRange_num(aors) == 0) | |
776 | return 0; | |
777 | for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { | |
778 | IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); | |
779 | IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); | |
780 | ||
781 | if (!extract_min_max(a, a_min, a_max, length) || | |
782 | !extract_min_max(b, b_min, b_max, length)) | |
783 | return 0; | |
784 | ||
785 | /* | |
786 | * Punt misordered list, overlapping start, or inverted range. | |
787 | */ | |
788 | if (memcmp(a_min, b_min, length) >= 0 || | |
789 | memcmp(a_min, a_max, length) > 0 || | |
790 | memcmp(b_min, b_max, length) > 0) | |
791 | return 0; | |
792 | ||
793 | /* | |
794 | * Punt if adjacent or overlapping. Check for adjacency by | |
795 | * subtracting one from b_min first. | |
796 | */ | |
797 | for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ; | |
798 | if (memcmp(a_max, b_min, length) >= 0) | |
799 | return 0; | |
800 | ||
801 | /* | |
802 | * Check for range that should be expressed as a prefix. | |
803 | */ | |
804 | if (a->type == IPAddressOrRange_addressRange && | |
805 | range_should_be_prefix(a_min, a_max, length) >= 0) | |
806 | return 0; | |
807 | } | |
808 | ||
809 | /* | |
810 | * Check range to see if it's inverted or should be a | |
811 | * prefix. | |
812 | */ | |
813 | j = sk_IPAddressOrRange_num(aors) - 1; | |
814 | { | |
815 | IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); | |
816 | if (a != NULL && a->type == IPAddressOrRange_addressRange) { | |
817 | if (!extract_min_max(a, a_min, a_max, length)) | |
818 | return 0; | |
819 | if (memcmp(a_min, a_max, length) > 0 || | |
820 | range_should_be_prefix(a_min, a_max, length) >= 0) | |
821 | return 0; | |
822 | } | |
823 | } | |
96ea4ae9 | 824 | } |
96ea4ae9 | 825 | |
0f113f3e MC |
826 | /* |
827 | * If we made it through all that, we're happy. | |
828 | */ | |
829 | return 1; | |
96ea4ae9 BL |
830 | } |
831 | ||
832 | /* | |
833 | * Whack an IPAddressOrRanges into canonical form. | |
834 | */ | |
835 | static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, | |
0f113f3e | 836 | const unsigned afi) |
96ea4ae9 | 837 | { |
0f113f3e | 838 | int i, j, length = length_from_afi(afi); |
96ea4ae9 | 839 | |
58b75e9c | 840 | /* |
0f113f3e | 841 | * Sort the IPAddressOrRanges sequence. |
58b75e9c | 842 | */ |
0f113f3e | 843 | sk_IPAddressOrRange_sort(aors); |
58b75e9c | 844 | |
96ea4ae9 | 845 | /* |
0f113f3e | 846 | * Clean up representation issues, punt on duplicates or overlaps. |
96ea4ae9 | 847 | */ |
0f113f3e MC |
848 | for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { |
849 | IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); | |
850 | IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); | |
851 | unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; | |
852 | unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; | |
853 | ||
854 | if (!extract_min_max(a, a_min, a_max, length) || | |
855 | !extract_min_max(b, b_min, b_max, length)) | |
856 | return 0; | |
857 | ||
858 | /* | |
859 | * Punt inverted ranges. | |
860 | */ | |
861 | if (memcmp(a_min, a_max, length) > 0 || | |
862 | memcmp(b_min, b_max, length) > 0) | |
863 | return 0; | |
864 | ||
865 | /* | |
866 | * Punt overlaps. | |
867 | */ | |
868 | if (memcmp(a_max, b_min, length) >= 0) | |
869 | return 0; | |
870 | ||
871 | /* | |
872 | * Merge if a and b are adjacent. We check for | |
873 | * adjacency by subtracting one from b_min first. | |
874 | */ | |
875 | for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ; | |
876 | if (memcmp(a_max, b_min, length) == 0) { | |
877 | IPAddressOrRange *merged; | |
878 | if (!make_addressRange(&merged, a_min, b_max, length)) | |
879 | return 0; | |
880 | (void)sk_IPAddressOrRange_set(aors, i, merged); | |
881 | (void)sk_IPAddressOrRange_delete(aors, i + 1); | |
882 | IPAddressOrRange_free(a); | |
883 | IPAddressOrRange_free(b); | |
884 | --i; | |
885 | continue; | |
886 | } | |
887 | } | |
96ea4ae9 BL |
888 | |
889 | /* | |
0f113f3e | 890 | * Check for inverted final range. |
96ea4ae9 | 891 | */ |
0f113f3e MC |
892 | j = sk_IPAddressOrRange_num(aors) - 1; |
893 | { | |
894 | IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); | |
895 | if (a != NULL && a->type == IPAddressOrRange_addressRange) { | |
896 | unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; | |
897 | extract_min_max(a, a_min, a_max, length); | |
898 | if (memcmp(a_min, a_max, length) > 0) | |
899 | return 0; | |
900 | } | |
58b75e9c | 901 | } |
58b75e9c | 902 | |
0f113f3e | 903 | return 1; |
96ea4ae9 BL |
904 | } |
905 | ||
906 | /* | |
907 | * Whack an IPAddrBlocks extension into canonical form. | |
908 | */ | |
909 | int v3_addr_canonize(IPAddrBlocks *addr) | |
910 | { | |
0f113f3e MC |
911 | int i; |
912 | for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { | |
913 | IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); | |
914 | if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && | |
915 | !IPAddressOrRanges_canonize(f->ipAddressChoice-> | |
916 | u.addressesOrRanges, | |
917 | v3_addr_get_afi(f))) | |
918 | return 0; | |
919 | } | |
920 | (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); | |
921 | sk_IPAddressFamily_sort(addr); | |
922 | OPENSSL_assert(v3_addr_is_canonical(addr)); | |
923 | return 1; | |
96ea4ae9 BL |
924 | } |
925 | ||
926 | /* | |
927 | * v2i handler for the IPAddrBlocks extension. | |
928 | */ | |
2e6a7b3e | 929 | static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, |
0f113f3e MC |
930 | struct v3_ext_ctx *ctx, |
931 | STACK_OF(CONF_VALUE) *values) | |
96ea4ae9 | 932 | { |
0f113f3e MC |
933 | static const char v4addr_chars[] = "0123456789."; |
934 | static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; | |
935 | IPAddrBlocks *addr = NULL; | |
936 | char *s = NULL, *t; | |
937 | int i; | |
938 | ||
939 | if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { | |
940 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); | |
941 | return NULL; | |
96ea4ae9 BL |
942 | } |
943 | ||
0f113f3e MC |
944 | for (i = 0; i < sk_CONF_VALUE_num(values); i++) { |
945 | CONF_VALUE *val = sk_CONF_VALUE_value(values, i); | |
946 | unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; | |
947 | unsigned afi, *safi = NULL, safi_; | |
4c9b0a03 | 948 | const char *addr_chars = NULL; |
0f113f3e MC |
949 | int prefixlen, i1, i2, delim, length; |
950 | ||
951 | if (!name_cmp(val->name, "IPv4")) { | |
952 | afi = IANA_AFI_IPV4; | |
953 | } else if (!name_cmp(val->name, "IPv6")) { | |
954 | afi = IANA_AFI_IPV6; | |
955 | } else if (!name_cmp(val->name, "IPv4-SAFI")) { | |
956 | afi = IANA_AFI_IPV4; | |
957 | safi = &safi_; | |
958 | } else if (!name_cmp(val->name, "IPv6-SAFI")) { | |
959 | afi = IANA_AFI_IPV6; | |
960 | safi = &safi_; | |
961 | } else { | |
962 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, | |
963 | X509V3_R_EXTENSION_NAME_ERROR); | |
964 | X509V3_conf_err(val); | |
965 | goto err; | |
966 | } | |
967 | ||
968 | switch (afi) { | |
969 | case IANA_AFI_IPV4: | |
970 | addr_chars = v4addr_chars; | |
971 | break; | |
972 | case IANA_AFI_IPV6: | |
973 | addr_chars = v6addr_chars; | |
974 | break; | |
975 | } | |
976 | ||
977 | length = length_from_afi(afi); | |
978 | ||
979 | /* | |
980 | * Handle SAFI, if any, and BUF_strdup() so we can null-terminate | |
981 | * the other input values. | |
982 | */ | |
983 | if (safi != NULL) { | |
984 | *safi = strtoul(val->value, &t, 0); | |
985 | t += strspn(t, " \t"); | |
986 | if (*safi > 0xFF || *t++ != ':') { | |
987 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); | |
988 | X509V3_conf_err(val); | |
989 | goto err; | |
990 | } | |
991 | t += strspn(t, " \t"); | |
992 | s = BUF_strdup(t); | |
993 | } else { | |
994 | s = BUF_strdup(val->value); | |
995 | } | |
996 | if (s == NULL) { | |
997 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); | |
998 | goto err; | |
999 | } | |
1000 | ||
1001 | /* | |
1002 | * Check for inheritance. Not worth additional complexity to | |
1003 | * optimize this (seldom-used) case. | |
1004 | */ | |
1005 | if (!strcmp(s, "inherit")) { | |
1006 | if (!v3_addr_add_inherit(addr, afi, safi)) { | |
1007 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, | |
1008 | X509V3_R_INVALID_INHERITANCE); | |
1009 | X509V3_conf_err(val); | |
1010 | goto err; | |
1011 | } | |
1012 | OPENSSL_free(s); | |
1013 | s = NULL; | |
1014 | continue; | |
1015 | } | |
1016 | ||
1017 | i1 = strspn(s, addr_chars); | |
1018 | i2 = i1 + strspn(s + i1, " \t"); | |
1019 | delim = s[i2++]; | |
1020 | s[i1] = '\0'; | |
1021 | ||
1022 | if (a2i_ipadd(min, s) != length) { | |
1023 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); | |
1024 | X509V3_conf_err(val); | |
1025 | goto err; | |
1026 | } | |
1027 | ||
1028 | switch (delim) { | |
1029 | case '/': | |
1030 | prefixlen = (int)strtoul(s + i2, &t, 10); | |
1031 | if (t == s + i2 || *t != '\0') { | |
1032 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, | |
1033 | X509V3_R_EXTENSION_VALUE_ERROR); | |
1034 | X509V3_conf_err(val); | |
1035 | goto err; | |
1036 | } | |
1037 | if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { | |
1038 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); | |
1039 | goto err; | |
1040 | } | |
1041 | break; | |
1042 | case '-': | |
1043 | i1 = i2 + strspn(s + i2, " \t"); | |
1044 | i2 = i1 + strspn(s + i1, addr_chars); | |
1045 | if (i1 == i2 || s[i2] != '\0') { | |
1046 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, | |
1047 | X509V3_R_EXTENSION_VALUE_ERROR); | |
1048 | X509V3_conf_err(val); | |
1049 | goto err; | |
1050 | } | |
1051 | if (a2i_ipadd(max, s + i1) != length) { | |
1052 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, | |
1053 | X509V3_R_INVALID_IPADDRESS); | |
1054 | X509V3_conf_err(val); | |
1055 | goto err; | |
1056 | } | |
1057 | if (memcmp(min, max, length_from_afi(afi)) > 0) { | |
1058 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, | |
1059 | X509V3_R_EXTENSION_VALUE_ERROR); | |
1060 | X509V3_conf_err(val); | |
1061 | goto err; | |
1062 | } | |
1063 | if (!v3_addr_add_range(addr, afi, safi, min, max)) { | |
1064 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); | |
1065 | goto err; | |
1066 | } | |
1067 | break; | |
1068 | case '\0': | |
1069 | if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { | |
1070 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); | |
1071 | goto err; | |
1072 | } | |
1073 | break; | |
1074 | default: | |
1075 | X509V3err(X509V3_F_V2I_IPADDRBLOCKS, | |
1076 | X509V3_R_EXTENSION_VALUE_ERROR); | |
1077 | X509V3_conf_err(val); | |
1078 | goto err; | |
1079 | } | |
1080 | ||
1081 | OPENSSL_free(s); | |
1082 | s = NULL; | |
96ea4ae9 BL |
1083 | } |
1084 | ||
1085 | /* | |
0f113f3e | 1086 | * Canonize the result, then we're done. |
96ea4ae9 | 1087 | */ |
0f113f3e MC |
1088 | if (!v3_addr_canonize(addr)) |
1089 | goto err; | |
1090 | return addr; | |
96ea4ae9 BL |
1091 | |
1092 | err: | |
0f113f3e MC |
1093 | OPENSSL_free(s); |
1094 | sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); | |
1095 | return NULL; | |
96ea4ae9 BL |
1096 | } |
1097 | ||
1098 | /* | |
1099 | * OpenSSL dispatch | |
1100 | */ | |
560b79cb | 1101 | const X509V3_EXT_METHOD v3_addr = { |
0f113f3e MC |
1102 | NID_sbgp_ipAddrBlock, /* nid */ |
1103 | 0, /* flags */ | |
1104 | ASN1_ITEM_ref(IPAddrBlocks), /* template */ | |
1105 | 0, 0, 0, 0, /* old functions, ignored */ | |
1106 | 0, /* i2s */ | |
1107 | 0, /* s2i */ | |
1108 | 0, /* i2v */ | |
1109 | v2i_IPAddrBlocks, /* v2i */ | |
1110 | i2r_IPAddrBlocks, /* i2r */ | |
1111 | 0, /* r2i */ | |
1112 | NULL /* extension-specific data */ | |
96ea4ae9 BL |
1113 | }; |
1114 | ||
1115 | /* | |
1116 | * Figure out whether extension sues inheritance. | |
1117 | */ | |
1118 | int v3_addr_inherits(IPAddrBlocks *addr) | |
1119 | { | |
0f113f3e MC |
1120 | int i; |
1121 | if (addr == NULL) | |
1122 | return 0; | |
1123 | for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { | |
1124 | IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); | |
1125 | if (f->ipAddressChoice->type == IPAddressChoice_inherit) | |
1126 | return 1; | |
1127 | } | |
96ea4ae9 | 1128 | return 0; |
96ea4ae9 BL |
1129 | } |
1130 | ||
1131 | /* | |
1132 | * Figure out whether parent contains child. | |
1133 | */ | |
1134 | static int addr_contains(IPAddressOrRanges *parent, | |
0f113f3e | 1135 | IPAddressOrRanges *child, int length) |
96ea4ae9 | 1136 | { |
0f113f3e MC |
1137 | unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; |
1138 | unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; | |
1139 | int p, c; | |
1140 | ||
1141 | if (child == NULL || parent == child) | |
1142 | return 1; | |
1143 | if (parent == NULL) | |
1144 | return 0; | |
1145 | ||
1146 | p = 0; | |
1147 | for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { | |
1148 | if (!extract_min_max(sk_IPAddressOrRange_value(child, c), | |
1149 | c_min, c_max, length)) | |
1150 | return -1; | |
1151 | for (;; p++) { | |
1152 | if (p >= sk_IPAddressOrRange_num(parent)) | |
1153 | return 0; | |
1154 | if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), | |
1155 | p_min, p_max, length)) | |
1156 | return 0; | |
1157 | if (memcmp(p_max, c_max, length) < 0) | |
1158 | continue; | |
1159 | if (memcmp(p_min, c_min, length) > 0) | |
1160 | return 0; | |
1161 | break; | |
1162 | } | |
96ea4ae9 | 1163 | } |
96ea4ae9 | 1164 | |
0f113f3e | 1165 | return 1; |
96ea4ae9 BL |
1166 | } |
1167 | ||
1168 | /* | |
1169 | * Test whether a is a subset of b. | |
1170 | */ | |
1171 | int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) | |
1172 | { | |
0f113f3e MC |
1173 | int i; |
1174 | if (a == NULL || a == b) | |
1175 | return 1; | |
1176 | if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) | |
1177 | return 0; | |
1178 | (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); | |
1179 | for (i = 0; i < sk_IPAddressFamily_num(a); i++) { | |
1180 | IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); | |
1181 | int j = sk_IPAddressFamily_find(b, fa); | |
1182 | IPAddressFamily *fb; | |
1183 | fb = sk_IPAddressFamily_value(b, j); | |
1184 | if (fb == NULL) | |
1185 | return 0; | |
1186 | if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, | |
1187 | fa->ipAddressChoice->u.addressesOrRanges, | |
1188 | length_from_afi(v3_addr_get_afi(fb)))) | |
1189 | return 0; | |
1190 | } | |
96ea4ae9 | 1191 | return 1; |
96ea4ae9 BL |
1192 | } |
1193 | ||
1194 | /* | |
1195 | * Validation error handling via callback. | |
1196 | */ | |
c73ad690 | 1197 | #define validation_err(_err_) \ |
0f113f3e MC |
1198 | do { \ |
1199 | if (ctx != NULL) { \ | |
1200 | ctx->error = _err_; \ | |
1201 | ctx->error_depth = i; \ | |
1202 | ctx->current_cert = x; \ | |
1203 | ret = ctx->verify_cb(0, ctx); \ | |
1204 | } else { \ | |
1205 | ret = 0; \ | |
1206 | } \ | |
1207 | if (!ret) \ | |
1208 | goto done; \ | |
96ea4ae9 BL |
1209 | } while (0) |
1210 | ||
1211 | /* | |
1212 | * Core code for RFC 3779 2.3 path validation. | |
1213 | */ | |
1214 | static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, | |
0f113f3e MC |
1215 | STACK_OF(X509) *chain, |
1216 | IPAddrBlocks *ext) | |
96ea4ae9 | 1217 | { |
0f113f3e MC |
1218 | IPAddrBlocks *child = NULL; |
1219 | int i, j, ret = 1; | |
1220 | X509 *x; | |
1221 | ||
1222 | OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); | |
1223 | OPENSSL_assert(ctx != NULL || ext != NULL); | |
1224 | OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); | |
1225 | ||
1226 | /* | |
1227 | * Figure out where to start. If we don't have an extension to | |
1228 | * check, we're done. Otherwise, check canonical form and | |
1229 | * set up for walking up the chain. | |
1230 | */ | |
1231 | if (ext != NULL) { | |
1232 | i = -1; | |
1233 | x = NULL; | |
1234 | } else { | |
1235 | i = 0; | |
1236 | x = sk_X509_value(chain, i); | |
1237 | OPENSSL_assert(x != NULL); | |
1238 | if ((ext = x->rfc3779_addr) == NULL) | |
1239 | goto done; | |
96ea4ae9 | 1240 | } |
0f113f3e MC |
1241 | if (!v3_addr_is_canonical(ext)) |
1242 | validation_err(X509_V_ERR_INVALID_EXTENSION); | |
1243 | (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); | |
1244 | if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { | |
1245 | X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, | |
1246 | ERR_R_MALLOC_FAILURE); | |
1247 | ret = 0; | |
1248 | goto done; | |
1249 | } | |
1250 | ||
1251 | /* | |
1252 | * Now walk up the chain. No cert may list resources that its | |
1253 | * parent doesn't list. | |
1254 | */ | |
1255 | for (i++; i < sk_X509_num(chain); i++) { | |
1256 | x = sk_X509_value(chain, i); | |
1257 | OPENSSL_assert(x != NULL); | |
1258 | if (!v3_addr_is_canonical(x->rfc3779_addr)) | |
1259 | validation_err(X509_V_ERR_INVALID_EXTENSION); | |
1260 | if (x->rfc3779_addr == NULL) { | |
1261 | for (j = 0; j < sk_IPAddressFamily_num(child); j++) { | |
1262 | IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); | |
1263 | if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { | |
1264 | validation_err(X509_V_ERR_UNNESTED_RESOURCE); | |
1265 | break; | |
1266 | } | |
1267 | } | |
1268 | continue; | |
1269 | } | |
1270 | (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, | |
1271 | IPAddressFamily_cmp); | |
1272 | for (j = 0; j < sk_IPAddressFamily_num(child); j++) { | |
1273 | IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); | |
1274 | int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); | |
1275 | IPAddressFamily *fp = | |
1276 | sk_IPAddressFamily_value(x->rfc3779_addr, k); | |
1277 | if (fp == NULL) { | |
1278 | if (fc->ipAddressChoice->type == | |
1279 | IPAddressChoice_addressesOrRanges) { | |
1280 | validation_err(X509_V_ERR_UNNESTED_RESOURCE); | |
1281 | break; | |
1282 | } | |
1283 | continue; | |
1284 | } | |
1285 | if (fp->ipAddressChoice->type == | |
1286 | IPAddressChoice_addressesOrRanges) { | |
1287 | if (fc->ipAddressChoice->type == IPAddressChoice_inherit | |
1288 | || addr_contains(fp->ipAddressChoice->u.addressesOrRanges, | |
1289 | fc->ipAddressChoice->u.addressesOrRanges, | |
1290 | length_from_afi(v3_addr_get_afi(fc)))) | |
1291 | sk_IPAddressFamily_set(child, j, fp); | |
1292 | else | |
1293 | validation_err(X509_V_ERR_UNNESTED_RESOURCE); | |
1294 | } | |
1295 | } | |
96ea4ae9 | 1296 | } |
0f113f3e MC |
1297 | |
1298 | /* | |
1299 | * Trust anchor can't inherit. | |
1300 | */ | |
1301 | OPENSSL_assert(x != NULL); | |
1302 | if (x->rfc3779_addr != NULL) { | |
1303 | for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { | |
1304 | IPAddressFamily *fp = | |
1305 | sk_IPAddressFamily_value(x->rfc3779_addr, j); | |
1306 | if (fp->ipAddressChoice->type == IPAddressChoice_inherit | |
1307 | && sk_IPAddressFamily_find(child, fp) >= 0) | |
1308 | validation_err(X509_V_ERR_UNNESTED_RESOURCE); | |
1309 | } | |
96ea4ae9 | 1310 | } |
96ea4ae9 BL |
1311 | |
1312 | done: | |
0f113f3e MC |
1313 | sk_IPAddressFamily_free(child); |
1314 | return ret; | |
96ea4ae9 BL |
1315 | } |
1316 | ||
c73ad690 | 1317 | #undef validation_err |
96ea4ae9 BL |
1318 | |
1319 | /* | |
1320 | * RFC 3779 2.3 path validation -- called from X509_verify_cert(). | |
1321 | */ | |
1322 | int v3_addr_validate_path(X509_STORE_CTX *ctx) | |
1323 | { | |
0f113f3e | 1324 | return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); |
96ea4ae9 BL |
1325 | } |
1326 | ||
1327 | /* | |
1328 | * RFC 3779 2.3 path validation of an extension. | |
1329 | * Test whether chain covers extension. | |
1330 | */ | |
1331 | int v3_addr_validate_resource_set(STACK_OF(X509) *chain, | |
0f113f3e | 1332 | IPAddrBlocks *ext, int allow_inheritance) |
96ea4ae9 | 1333 | { |
0f113f3e MC |
1334 | if (ext == NULL) |
1335 | return 1; | |
1336 | if (chain == NULL || sk_X509_num(chain) == 0) | |
1337 | return 0; | |
1338 | if (!allow_inheritance && v3_addr_inherits(ext)) | |
1339 | return 0; | |
1340 | return v3_addr_validate_path_internal(NULL, chain, ext); | |
96ea4ae9 | 1341 | } |