From: Graham Woodward
Date: Mon, 14 Nov 2022 21:15:27 +0000 (+0000)
Subject: Add test to confirm IPAddressFamily_check_len catches invalid len
X-Git-Tag: openssl-3.2.0-alpha1~1710
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7489ada9f3fd902c5bc3c58cc03a90de2800d0ab;p=thirdparty%2Fopenssl.git
Add test to confirm IPAddressFamily_check_len catches invalid len
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/19273)
---
diff --git a/test/v3ext.c b/test/v3ext.c
index 7e214cf9101..1f54e31f554 100644
--- a/test/v3ext.c
+++ b/test/v3ext.c
@@ -226,6 +226,92 @@ static int test_addr_ranges(void)
 return testresult;
 }
 
+static int test_addr_fam_len(void)
+{
+ int testresult = 0;
+ IPAddrBlocks *addr = NULL;
+ IPAddressFamily *f1 = NULL;
+ ASN1_OCTET_STRING *ip1 = NULL, *ip2 = NULL;
+ unsigned char key[6];
+ unsigned int keylen;
+ unsigned afi = IANA_AFI_IPV4;
+
+ /* Create the IPAddrBlocks with a good IPAddressFamily */
+ addr = sk_IPAddressFamily_new_null();
+ if (!TEST_ptr(addr))
+ goto end;
+ ip1 = a2i_IPADDRESS(ranges[0].ip1);
+ if (!TEST_ptr(ip1))
+ goto end;
+ ip2 = a2i_IPADDRESS(ranges[0].ip2);
+ if (!TEST_ptr(ip2))
+ goto end;
+ if (!TEST_true(X509v3_addr_add_range(addr, ranges[0].afi, NULL, ip1->data, ip2->data)))
+ goto end;
+ if (!TEST_true(X509v3_addr_is_canonical(addr)))
+ goto end;
+
+ /* Create our malformed IPAddressFamily */
+ key[0] = (afi >> 8) & 0xFF;
+ key[1] = afi & 0xFF;
+ key[2] = 0xD;
+ key[3] = 0xE;
+ key[4] = 0xA;
+ key[5] = 0xD;
+ keylen = 6;
+ if ((f1 = IPAddressFamily_new()) == NULL)
+ goto end;
+ if (f1->ipAddressChoice == NULL &&
+ (f1->ipAddressChoice = IPAddressChoice_new()) == NULL)
+ goto end;
+ if (f1->addressFamily == NULL &&
+ (f1->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
+ goto end;
+ if (!ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen))
+ goto end;
+ if (!sk_IPAddressFamily_push(addr, f1))
+ goto end;
+
+ /* Shouldn't be able to canonize this as the len is > 3*/
+ if (!TEST_false(X509v3_addr_canonize(addr)))
+ goto end;
+
+ /* Create a well formed IPAddressFamily */
+ f1 = sk_IPAddressFamily_pop(addr);
+ IPAddressFamily_free(f1);
+
+ key[0] = (afi >> 8) & 0xFF;
+ key[1] = afi & 0xFF;
+ key[2] = 0x1;
+ keylen = 3;
+ if ((f1 = IPAddressFamily_new()) == NULL)
+ goto end;
+ if (f1->ipAddressChoice == NULL &&
+ (f1->ipAddressChoice = IPAddressChoice_new()) == NULL)
+ goto end;
+ if (f1->addressFamily == NULL &&
+ (f1->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
+ goto end;
+ if (!ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen))
+ goto end;
+
+ /* Mark this as inheritance so we skip some of the is_canonize checks */
+ f1->ipAddressChoice->type = IPAddressChoice_inherit;
+ if (!sk_IPAddressFamily_push(addr, f1))
+ goto end;
+
+ /* Should be able to canonize now */
+ if (!TEST_true(X509v3_addr_canonize(addr)))
+ goto end;
+
+ testresult = 1;
+ end:
+ sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
+ ASN1_OCTET_STRING_free(ip1);
+ ASN1_OCTET_STRING_free(ip2);
+ return testresult;
+}
+
 static struct extvalues_st {
 const char *value;
 int pass;
@@ -342,6 +428,7 @@ int setup_tests(void)
 ADD_TEST(test_asid);
 ADD_TEST(test_addr_ranges);
 ADD_TEST(test_ext_syntax);
+ ADD_TEST(test_addr_fam_len);
 #endif /* OPENSSL_NO_RFC3779 */
 return 1;
 }
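Review bot: The negative case in test_addr_fam_len differs from the positive case in two ways, so `TEST_false(X509v3_addr_canonize(addr))` does not show that the length check is what rejected it. The 6-byte family is pushed with a freshly created ipAddressChoice whose type is never set, while the 3-byte family is explicitly marked `IPAddressChoice_inherit` to get past other checks. Adding `f1->ipAddressChoice->type = IPAddressChoice_inherit;` before the first `sk_IPAddressFamily_push` would leave the addressFamily length as the only difference, so a regression in the length check could not hide behind an unrelated failure. Separately, every `goto end` taken between `IPAddressFamily_new()` and a successful push leaks f1, because `end:` frees only addr, ip1 and ip2. Setting `f1 = NULL;` after each successful push and adding `IPAddressFamily_free(f1);` under `end:` would close that without a double free, and the bare `== NULL` checks could use `TEST_ptr` so an allocation failure is reported.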