1c7da899bSchristos /*
2*0e2e28bcSchristos * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3c7da899bSchristos *
4b0d17251Schristos * Licensed under the Apache License 2.0 (the "License"). You may not use
5c7da899bSchristos * this file except in compliance with the License. You can obtain a copy
6c7da899bSchristos * in the file LICENSE in the source distribution or at
7c7da899bSchristos * https://www.openssl.org/source/license.html
8c7da899bSchristos */
9c7da899bSchristos
10c7da899bSchristos #include <stdio.h>
116f6db51eSchristos #include <string.h>
12c7da899bSchristos #include <openssl/x509.h>
13c7da899bSchristos #include <openssl/x509v3.h>
14c7da899bSchristos #include <openssl/pem.h>
15c7da899bSchristos #include <openssl/err.h>
166f6db51eSchristos #include "internal/nelem.h"
17c7da899bSchristos
1813d40330Schristos #include "testutil.h"
1913d40330Schristos
/*
 * Path of the PEM certificate read by test_pathlen(); assigned in
 * setup_tests() from the first positional test argument.
 */
static const char *infile;
2113d40330Schristos
/*
 * Read the PEM certificate named by |infile| and check that
 * X509_get_pathlen() reports a path length of 6 for it.
 *
 * Returns 1 when every step succeeds, 0 otherwise. The steps are chained
 * with &&, so a failed open or parse stops before the later calls run.
 */
static int test_pathlen(void)
{
    X509 *x = NULL;
    BIO *b = NULL;
    long pathlen;
    int ret;

    ret = TEST_ptr(b = BIO_new_file(infile, "r"))
          && TEST_ptr(x = PEM_read_bio_X509(b, NULL, NULL, NULL))
          && TEST_int_eq(pathlen = X509_get_pathlen(x), 6);

    /* Both free routines are reached with NULL when an earlier step failed. */
    BIO_free(b);
    X509_free(x);
    return ret;
}
4113d40330Schristos
426f6db51eSchristos #ifndef OPENSSL_NO_RFC3779
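/*
 * Exercise X509v3_asid_subset() on RFC 3779 AS identifier sets.
 *
 * Four sets are built: asid1 holds the single AS number 64496, asid2 holds
 * 64497, asid3 holds the range 64496-64497, and asid4 is left empty. The
 * subset relation is then checked in both directions, including NULL and
 * empty operands.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_asid(void)
{
    ASN1_INTEGER *val1 = NULL, *val2 = NULL;
    ASIdentifiers *asid1 = ASIdentifiers_new(), *asid2 = ASIdentifiers_new(),
                  *asid3 = ASIdentifiers_new(), *asid4 = ASIdentifiers_new();
    int testresult = 0;

    /*
     * asid4 has to be checked as well. The assertions below expect a NULL
     * set to behave like the empty set, so a failed allocation of asid4
     * would let every "empty set" assertion pass while only the NULL path
     * was exercised.
     */
    if (!TEST_ptr(asid1)
            || !TEST_ptr(asid2)
            || !TEST_ptr(asid3)
            || !TEST_ptr(asid4))
        goto err;

    if (!TEST_ptr(val1 = ASN1_INTEGER_new())
            || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496)))
        goto err;

    if (!TEST_true(X509v3_asid_add_id_or_range(asid1, V3_ASID_ASNUM, val1, NULL)))
        goto err;

    /*
     * The pointer is cleared after a successful add so the cleanup path does
     * not free it again; presumably the set now owns the integer.
     */
    val1 = NULL;
    if (!TEST_ptr(val2 = ASN1_INTEGER_new())
            || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497)))
        goto err;

    if (!TEST_true(X509v3_asid_add_id_or_range(asid2, V3_ASID_ASNUM, val2, NULL)))
        goto err;

    val2 = NULL;
    if (!TEST_ptr(val1 = ASN1_INTEGER_new())
            || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496))
            || !TEST_ptr(val2 = ASN1_INTEGER_new())
            || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497)))
        goto err;

    /*
     * Just tests V3_ASID_ASNUM for now. Could be extended at some point to also
     * test V3_ASID_RDI if we think it is worth it.
     */
    if (!TEST_true(X509v3_asid_add_id_or_range(asid3, V3_ASID_ASNUM, val1, val2)))
        goto err;
    val1 = val2 = NULL;

    /* Actual subsets: NULL and the empty set are subsets of everything */
    if (!TEST_true(X509v3_asid_subset(NULL, NULL))
            || !TEST_true(X509v3_asid_subset(NULL, asid1))
            || !TEST_true(X509v3_asid_subset(asid1, asid1))
            || !TEST_true(X509v3_asid_subset(asid2, asid2))
            || !TEST_true(X509v3_asid_subset(asid1, asid3))
            || !TEST_true(X509v3_asid_subset(asid2, asid3))
            || !TEST_true(X509v3_asid_subset(asid3, asid3))
            || !TEST_true(X509v3_asid_subset(asid4, asid1))
            || !TEST_true(X509v3_asid_subset(asid4, asid2))
            || !TEST_true(X509v3_asid_subset(asid4, asid3)))
        goto err;

    /* Not subsets: a non-empty set never fits inside NULL or the empty set */
    if (!TEST_false(X509v3_asid_subset(asid1, NULL))
            || !TEST_false(X509v3_asid_subset(asid1, asid2))
            || !TEST_false(X509v3_asid_subset(asid2, asid1))
            || !TEST_false(X509v3_asid_subset(asid3, asid1))
            || !TEST_false(X509v3_asid_subset(asid3, asid2))
            || !TEST_false(X509v3_asid_subset(asid1, asid4))
            || !TEST_false(X509v3_asid_subset(asid2, asid4))
            || !TEST_false(X509v3_asid_subset(asid3, asid4)))
        goto err;

    testresult = 1;
 err:
    /* val1/val2 are non-NULL here only if an add did not consume them. */
    ASN1_INTEGER_free(val1);
    ASN1_INTEGER_free(val2);
    ASIdentifiers_free(asid1);
    ASIdentifiers_free(asid2);
    ASIdentifiers_free(asid3);
    ASIdentifiers_free(asid4);
    return testresult;
}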
1196f6db51eSchristos
/*
 * One row of the address-range table used by the IPAddrBlocks tests.
 *
 *   afi  - IANA address family identifier passed to X509v3_addr_add_range()
 *   ip1  - textual lower bound of the range
 *   ip2  - textual upper bound of the range
 *   rorp - the IPAddressOrRange type that check_addr() expects to find once
 *          the range has been added (prefix or range)
 */
struct ip_ranges_st {
    const unsigned int afi;
    const char *ip1;
    const char *ip2;
    int rorp;
};

/*
 * In the rows below, a pair of bounds that spans exactly one CIDR block is
 * expected to come back as an addressPrefix and every other pair as an
 * addressRange. test_addr_fam_len() uses row 0 and test_addr_subset() uses
 * rows 0-2, so the order of the leading rows matters.
 */
static struct ip_ranges_st ranges[] = {
    /* IPv4 */
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.1", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.2", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.3", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.254", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.255", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.0.1", "192.168.0.255", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV4, "192.168.0.1", "192.168.0.1", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.255.255", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.1.0", "192.168.255.255", IPAddressOrRange_addressRange},

    /* IPv6, mirroring the IPv4 cases */
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::1", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::2", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::3", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::fffe", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::ffff", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::1", "2001:0db8::ffff", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV6, "2001:0db8::1", "2001:0db8::1", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::0:0", "2001:0db8::ffff:ffff", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::1:0", "2001:0db8::ffff:ffff", IPAddressOrRange_addressRange}
};
1456f6db51eSchristos
/*
 * Check that |addr| holds exactly one IPAddressFamily, that the family
 * carries an explicit addressesOrRanges list with exactly one entry, and
 * that the entry's type equals |type|.
 *
 * Returns 1 if all of that holds, 0 otherwise.
 */
static int check_addr(IPAddrBlocks *addr, int type)
{
    IPAddressFamily *fam;
    IPAddressOrRange *aorr;
    int ok = 0;

    if (TEST_int_eq(sk_IPAddressFamily_num(addr), 1)) {
        fam = sk_IPAddressFamily_value(addr, 0);

        /*
         * fam->ipAddressChoice is dereferenced without its own NULL check;
         * the caller in this file only passes blocks that
         * X509v3_addr_add_range() has populated.
         */
        if (TEST_ptr(fam)
                && TEST_int_eq(fam->ipAddressChoice->type, IPAddressChoice_addressesOrRanges)
                && TEST_int_eq(sk_IPAddressOrRange_num(fam->ipAddressChoice->u.addressesOrRanges), 1)) {
            aorr = sk_IPAddressOrRange_value(fam->ipAddressChoice->u.addressesOrRanges, 0);
            ok = TEST_ptr(aorr) && TEST_int_eq(aorr->type, type);
        }
    }

    return ok;
}
1736f6db51eSchristos
/*
 * For every row of ranges[]: build a fresh IPAddrBlocks, add the row's
 * range to it, and check that the result is canonical and is encoded with
 * the type (prefix or range) the row expects.
 *
 * Returns 1 if every row passes, 0 at the first failure.
 */
static int test_addr_ranges(void)
{
    IPAddrBlocks *addr = NULL;
    ASN1_OCTET_STRING *ip1 = NULL, *ip2 = NULL;
    size_t i;
    int testresult = 0;

    for (i = 0; i < OSSL_NELEM(ranges); i++) {
        /*
         * Canonizing the still-empty stack has the side effect of
         * installing the comparison function onto the stack.
         */
        addr = sk_IPAddressFamily_new_null();
        if (!TEST_ptr(addr)
                || !TEST_true(X509v3_addr_canonize(addr)))
            goto end;

        /*
         * Both bounds must parse, be 4 or 16 bytes long, have the same
         * length and be ordered. These checks come before the memcmp() and
         * before the raw data pointers are handed to
         * X509v3_addr_add_range(), which is given no length argument here.
         * NOTE(review): the parsed length is not cross-checked against
         * ranges[i].afi; the table rows are constant and consistent.
         */
        ip1 = a2i_IPADDRESS(ranges[i].ip1);
        if (!TEST_ptr(ip1)
                || !TEST_true(ip1->length == 4 || ip1->length == 16))
            goto end;

        ip2 = a2i_IPADDRESS(ranges[i].ip2);
        if (!TEST_ptr(ip2)
                || !TEST_int_eq(ip2->length, ip1->length)
                || !TEST_true(memcmp(ip1->data, ip2->data, ip1->length) <= 0))
            goto end;

        if (!TEST_true(X509v3_addr_add_range(addr, ranges[i].afi, NULL, ip1->data, ip2->data))
                || !TEST_true(X509v3_addr_is_canonical(addr))
                || !check_addr(addr, ranges[i].rorp))
            goto end;

        /* Release this row's objects and reset the pointers for cleanup. */
        ASN1_OCTET_STRING_free(ip1);
        ASN1_OCTET_STRING_free(ip2);
        ip1 = ip2 = NULL;
        sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
        addr = NULL;
    }

    testresult = 1;
 end:
    sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
    ASN1_OCTET_STRING_free(ip1);
    ASN1_OCTET_STRING_free(ip2);
    return testresult;
}
2286f6db51eSchristos
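/*
 * Check that X509v3_addr_canonize() rejects an IPAddressFamily whose
 * addressFamily octet string is too long, and accepts a 3-byte one.
 *
 * The test builds a valid IPAddrBlocks and pushes a hand-made family with a
 * 6-byte addressFamily, which canonize must refuse. It then replaces that
 * element with a 3-byte one marked as "inherit", which canonize must accept.
 *
 * Every setup step is wrapped in a TEST_* macro so that an allocation or
 * push failure is reported instead of silently returning 0.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_addr_fam_len(void)
{
    int testresult = 0;
    IPAddrBlocks *addr = NULL;
    IPAddressFamily *f1 = NULL;
    ASN1_OCTET_STRING *ip1 = NULL, *ip2 = NULL;
    unsigned char key[6];
    unsigned int keylen;
    unsigned afi = IANA_AFI_IPV4;

    /* Create the IPAddrBlocks with a good IPAddressFamily */
    addr = sk_IPAddressFamily_new_null();
    if (!TEST_ptr(addr))
        goto end;
    ip1 = a2i_IPADDRESS(ranges[0].ip1);
    if (!TEST_ptr(ip1))
        goto end;
    ip2 = a2i_IPADDRESS(ranges[0].ip2);
    if (!TEST_ptr(ip2))
        goto end;
    if (!TEST_true(X509v3_addr_add_range(addr, ranges[0].afi, NULL, ip1->data, ip2->data)))
        goto end;
    if (!TEST_true(X509v3_addr_is_canonical(addr)))
        goto end;

    /* Create our malformed IPAddressFamily: 2 AFI bytes plus 4 extra bytes */
    key[0] = (afi >> 8) & 0xFF;
    key[1] = afi & 0xFF;
    key[2] = 0xD;
    key[3] = 0xE;
    key[4] = 0xA;
    key[5] = 0xD;
    keylen = 6;
    if (!TEST_ptr(f1 = IPAddressFamily_new()))
        goto end;
    if (f1->ipAddressChoice == NULL
            && !TEST_ptr(f1->ipAddressChoice = IPAddressChoice_new()))
        goto end;
    if (f1->addressFamily == NULL
            && !TEST_ptr(f1->addressFamily = ASN1_OCTET_STRING_new()))
        goto end;
    if (!TEST_true(ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen)))
        goto end;

    /* Push and transfer memory ownership to stack */
    if (!TEST_true(sk_IPAddressFamily_push(addr, f1)))
        goto end;
    f1 = NULL;

    /* Shouldn't be able to canonize this as the len is > 3 */
    if (!TEST_false(X509v3_addr_canonize(addr)))
        goto end;

    /*
     * Pop and free the new stack element.
     * NOTE(review): this assumes the rejected element is still the last one
     * on the stack, i.e. that a failing X509v3_addr_canonize() returns
     * before reordering it; confirm against the library.
     */
    IPAddressFamily_free(sk_IPAddressFamily_pop(addr));

    /* Create a well-formed IPAddressFamily: 2 AFI bytes plus 1 more byte */
    key[0] = (afi >> 8) & 0xFF;
    key[1] = afi & 0xFF;
    key[2] = 0x1;
    keylen = 3;
    if (!TEST_ptr(f1 = IPAddressFamily_new()))
        goto end;
    if (f1->ipAddressChoice == NULL
            && !TEST_ptr(f1->ipAddressChoice = IPAddressChoice_new()))
        goto end;
    if (f1->addressFamily == NULL
            && !TEST_ptr(f1->addressFamily = ASN1_OCTET_STRING_new()))
        goto end;
    if (!TEST_true(ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen)))
        goto end;

    /* Mark this as inheritance so we skip some of the is_canonize checks */
    f1->ipAddressChoice->type = IPAddressChoice_inherit;

    /* Push and transfer memory ownership to stack */
    if (!TEST_true(sk_IPAddressFamily_push(addr, f1)))
        goto end;
    f1 = NULL;

    /* Should be able to canonize now */
    if (!TEST_true(X509v3_addr_canonize(addr)))
        goto end;

    testresult = 1;
 end:
    /*
     * Free stack and any memory owned by detached element. f1 is non-NULL
     * here only when a step failed before the push handed it to the stack.
     */
    IPAddressFamily_free(f1);
    sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);

    ASN1_OCTET_STRING_free(ip1);
    ASN1_OCTET_STRING_free(ip2);
    return testresult;
}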
323b0d17251Schristos
/*
 * One sbgp-ipAddrBlock configuration line for test_ext_syntax().
 *
 *   value - the config text, loaded as a one-line configuration
 *   pass  - 1 if X509V3_EXT_add_nconf() is expected to accept the value,
 *           0 if it is expected to reject it
 */
struct extvalues_st {
    const char *value;
    int pass;
};

static struct extvalues_st extvalues[] = {
    /* IPv4 */
    /* No prefix is ok, as are prefix lengths from 0 to 32 */
    { "sbgp-ipAddrBlock = IPv4:192.0.0.1\n", 1 },
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/0\n", 1 },
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/1\n", 1 },
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/32\n", 1 },
    /* Prefix is too long */
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/33\n", 0 },
    /* Unreasonably large prefix */
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/12341234\n", 0 },
    /* Invalid IP addresses, and an unknown address family name */
    { "sbgp-ipAddrBlock = IPv4:192.0.0\n", 0 },
    { "sbgp-ipAddrBlock = IPv4:256.0.0.0\n", 0 },
    { "sbgp-ipAddrBlock = IPv4:-1.0.0.0\n", 0 },
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0.0\n", 0 },
    { "sbgp-ipAddrBlock = IPv3:192.0.0.0\n", 0 },

    /* IPv6 */
    /* No prefix is ok, as are prefix lengths from 0 to 128 */
    { "sbgp-ipAddrBlock = IPv6:2001:db8::\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001::db8\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/0\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/1\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/32\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000/32\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/128\n", 1 },
    /* Prefix is too long */
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/129\n", 0 },
    /* Unreasonably large prefix */
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/12341234\n", 0 },
    /* Invalid IP addresses */
    /* Not enough blocks of numbers */
    { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000\n", 0 },
    /* Too many blocks of numbers */
    { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000:0000\n", 0 },
    /* First value too large */
    { "sbgp-ipAddrBlock = IPv6:1ffff:0db8:0000:0000:0000:0000:0000:0000\n", 0 },
    /* First value with invalid characters */
    { "sbgp-ipAddrBlock = IPv6:fffg:0db8:0000:0000:0000:0000:0000:0000\n", 0 },
    /* First value is negative */
    { "sbgp-ipAddrBlock = IPv6:-1:0db8:0000:0000:0000:0000:0000:0000\n", 0 }
};
3706f6db51eSchristos
/*
 * Feed every extvalues[] entry through the config loader and
 * X509V3_EXT_add_nconf(), and check that it is accepted or rejected as the
 * entry's |pass| flag says.
 *
 * A wrong outcome does not stop the loop: the offending value is logged and
 * the remaining entries are still tried. Only an allocation failure returns
 * early.
 *
 * Returns 1 if every entry behaved as expected, 0 otherwise.
 */
static int test_ext_syntax(void)
{
    size_t i;
    int testresult = 1;

    for (i = 0; i < OSSL_NELEM(extvalues); i++) {
        X509V3_CTX ctx;
        BIO *extbio = BIO_new_mem_buf(extvalues[i].value,
                                      strlen(extvalues[i].value));
        CONF *conf;
        long eline;

        if (!TEST_ptr(extbio))
            return 0;

        conf = NCONF_new_ex(NULL, NULL);
        if (!TEST_ptr(conf)) {
            BIO_free(extbio);
            return 0;
        }

        if (TEST_long_gt(NCONF_load_bio(conf, extbio, &eline), 0)) {
            X509V3_set_ctx_test(&ctx);
            X509V3_set_nconf(&ctx, conf);

            if (!extvalues[i].pass) {
                /*
                 * A rejection is the expected outcome here, so the errors
                 * it queues are discarded back to the mark. If the value is
                 * accepted instead, the mark is dropped and the error queue
                 * is left as it is.
                 */
                ERR_set_mark();
                if (TEST_false(X509V3_EXT_add_nconf(conf, &ctx, "default",
                                                    NULL))) {
                    ERR_pop_to_mark();
                } else {
                    testresult = 0;
                    TEST_info("Value: %s", extvalues[i].value);
                    ERR_clear_last_mark();
                }
            } else if (!TEST_true(X509V3_EXT_add_nconf(conf, &ctx, "default",
                                                       NULL))) {
                TEST_info("Value: %s", extvalues[i].value);
                testresult = 0;
            }
        } else {
            /* The config text itself failed to load. */
            testresult = 0;
        }

        BIO_free(extbio);
        NCONF_free(conf);
    }

    return testresult;
}
421b0d17251Schristos
/*
 * Exercise X509v3_addr_subset() on three address blocks built from rows 0-2
 * of ranges[] (192.168.0.0 up to .1, .2 and .3 respectively, so each block
 * contains the one before it), together with NULL and an empty block.
 *
 * Returns 1 if every assertion holds, 0 otherwise.
 */
static int test_addr_subset(void)
{
    int i;
    int ret = 0;
    IPAddrBlocks *addrEmpty = NULL;
    IPAddrBlocks *addr[3] = { NULL, NULL, NULL };
    ASN1_OCTET_STRING *ip1[3] = { NULL, NULL, NULL };
    ASN1_OCTET_STRING *ip2[3] = { NULL, NULL, NULL };
    int sz = OSSL_NELEM(addr);

    for (i = 0; i < sz; ++i) {
        /* Create the IPAddrBlocks with a good IPAddressFamily */
        if (!TEST_ptr(addr[i] = sk_IPAddressFamily_new_null()))
            goto end;
        if (!TEST_ptr(ip1[i] = a2i_IPADDRESS(ranges[i].ip1)))
            goto end;
        if (!TEST_ptr(ip2[i] = a2i_IPADDRESS(ranges[i].ip2)))
            goto end;
        if (!TEST_true(X509v3_addr_add_range(addr[i], ranges[i].afi, NULL,
                                             ip1[i]->data, ip2[i]->data)))
            goto end;
    }

    if (!TEST_ptr(addrEmpty = sk_IPAddressFamily_new_null()))
        goto end;

    /* Subsets: NULL, the empty block, a block itself, and a narrower block */
    if (!TEST_true(X509v3_addr_subset(NULL, NULL))
            || !TEST_true(X509v3_addr_subset(NULL, addr[0]))
            || !TEST_true(X509v3_addr_subset(addrEmpty, addr[0]))
            || !TEST_true(X509v3_addr_subset(addr[0], addr[0]))
            || !TEST_true(X509v3_addr_subset(addr[0], addr[1]))
            || !TEST_true(X509v3_addr_subset(addr[0], addr[2]))
            || !TEST_true(X509v3_addr_subset(addr[1], addr[2])))
        goto end;

    /* Not subsets: a wider block, or anything non-empty against NULL/empty */
    if (!TEST_false(X509v3_addr_subset(addr[0], NULL))
            || !TEST_false(X509v3_addr_subset(addr[1], addr[0]))
            || !TEST_false(X509v3_addr_subset(addr[2], addr[1]))
            || !TEST_false(X509v3_addr_subset(addr[0], addrEmpty)))
        goto end;

    ret = 1;
 end:
    sk_IPAddressFamily_pop_free(addrEmpty, IPAddressFamily_free);
    /* Slots that were never filled are still NULL at this point. */
    for (i = 0; i < sz; ++i) {
        sk_IPAddressFamily_pop_free(addr[i], IPAddressFamily_free);
        ASN1_OCTET_STRING_free(ip1[i]);
        ASN1_OCTET_STRING_free(ip2[i]);
    }
    return ret;
}
463b0d17251Schristos
4646f6db51eSchristos #endif /* OPENSSL_NO_RFC3779 */
4656f6db51eSchristos
/*
 * Usage string for this test program (presumably consumed by the test
 * harness option parser): one positional argument, the PEM certificate that
 * setup_tests() stores in |infile|.
 */
OPT_TEST_DECLARE_USAGE("cert.pem\n")
467b0d17251Schristos
/*
 * Test-harness entry point: parse the common options, take the certificate
 * path from the first positional argument, and register the tests.
 *
 * Returns 1 on success, 0 if option parsing fails or the argument is
 * missing.
 */
int setup_tests(void)
{
    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    /* The certificate path is required; test_pathlen() reads it. */
    if (!TEST_ptr(infile = test_get_argument(0)))
        return 0;

    ADD_TEST(test_pathlen);
    /* The remaining tests are compiled only when RFC 3779 support is built. */
#ifndef OPENSSL_NO_RFC3779
    ADD_TEST(test_asid);
    ADD_TEST(test_addr_ranges);
    ADD_TEST(test_ext_syntax);
    ADD_TEST(test_addr_fam_len);
    ADD_TEST(test_addr_subset);
#endif /* OPENSSL_NO_RFC3779 */
    return 1;
}