1 /* 2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * Implementation of RFC 3779 section 2.2. 12 */ 13 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <string.h> 17 18 #include <openssl/asn1.h> 19 #include <openssl/asn1t.h> 20 #include <openssl/buffer.h> 21 #include <openssl/conf.h> 22 #include <openssl/err.h> 23 #include <openssl/x509.h> 24 #include <openssl/x509v3.h> 25 26 #include "ext_dat.h" 27 28 #ifndef OPENSSL_NO_RFC3779 29 30 /* 31 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 32 */ 33 34 static const ASN1_TEMPLATE IPAddressRange_seq_tt[] = { 35 { 36 .flags = 0, 37 .tag = 0, 38 .offset = offsetof(IPAddressRange, min), 39 .field_name = "min", 40 .item = &ASN1_BIT_STRING_it, 41 }, 42 { 43 .flags = 0, 44 .tag = 0, 45 .offset = offsetof(IPAddressRange, max), 46 .field_name = "max", 47 .item = &ASN1_BIT_STRING_it, 48 }, 49 }; 50 51 const ASN1_ITEM IPAddressRange_it = { 52 .itype = ASN1_ITYPE_SEQUENCE, 53 .utype = V_ASN1_SEQUENCE, 54 .templates = IPAddressRange_seq_tt, 55 .tcount = sizeof(IPAddressRange_seq_tt) / sizeof(ASN1_TEMPLATE), 56 .funcs = NULL, 57 .size = sizeof(IPAddressRange), 58 .sname = "IPAddressRange", 59 }; 60 61 static const ASN1_TEMPLATE IPAddressOrRange_ch_tt[] = { 62 { 63 .flags = 0, 64 .tag = 0, 65 .offset = offsetof(IPAddressOrRange, u.addressPrefix), 66 .field_name = "u.addressPrefix", 67 .item = &ASN1_BIT_STRING_it, 68 }, 69 { 70 .flags = 0, 71 .tag = 0, 72 .offset = offsetof(IPAddressOrRange, u.addressRange), 73 .field_name = "u.addressRange", 74 .item = &IPAddressRange_it, 75 }, 76 }; 77 78 const ASN1_ITEM IPAddressOrRange_it = { 79 .itype = ASN1_ITYPE_CHOICE, 80 .utype = offsetof(IPAddressOrRange, type), 81 .templates = IPAddressOrRange_ch_tt, 82 .tcount = sizeof(IPAddressOrRange_ch_tt) / sizeof(ASN1_TEMPLATE), 83 .funcs = NULL, 84 .size = sizeof(IPAddressOrRange), 85 .sname = "IPAddressOrRange", 86 }; 87 88 static const ASN1_TEMPLATE IPAddressChoice_ch_tt[] = { 89 { 90 .flags = 0, 91 .tag = 0, 92 .offset = offsetof(IPAddressChoice, u.inherit), 93 .field_name = "u.inherit", 94 .item = &ASN1_NULL_it, 95 }, 96 { 97 .flags = ASN1_TFLG_SEQUENCE_OF, 98 .tag = 0, 99 .offset = offsetof(IPAddressChoice, u.addressesOrRanges), 100 .field_name = "u.addressesOrRanges", 101 .item = &IPAddressOrRange_it, 102 }, 103 }; 104 105 const ASN1_ITEM IPAddressChoice_it = { 106 .itype = ASN1_ITYPE_CHOICE, 107 .utype = offsetof(IPAddressChoice, type), 108 .templates = IPAddressChoice_ch_tt, 109 .tcount = sizeof(IPAddressChoice_ch_tt) / sizeof(ASN1_TEMPLATE), 110 .funcs = NULL, 111 .size = sizeof(IPAddressChoice), 112 .sname = "IPAddressChoice", 113 }; 114 115 static const ASN1_TEMPLATE IPAddressFamily_seq_tt[] = { 116 { 117 .flags = 0, 118 .tag = 0, 119 .offset = offsetof(IPAddressFamily, addressFamily), 120 .field_name = "addressFamily", 121 .item = &ASN1_OCTET_STRING_it, 122 }, 123 { 124 .flags = 0, 125 .tag = 0, 126 .offset = offsetof(IPAddressFamily, ipAddressChoice), 127 .field_name = "ipAddressChoice", 128 .item = &IPAddressChoice_it, 129 }, 130 }; 131 132 const ASN1_ITEM IPAddressFamily_it = { 133 .itype = ASN1_ITYPE_SEQUENCE, 134 .utype = V_ASN1_SEQUENCE, 135 .templates = IPAddressFamily_seq_tt, 136 .tcount = sizeof(IPAddressFamily_seq_tt) / sizeof(ASN1_TEMPLATE), 137 .funcs = NULL, 138 .size = sizeof(IPAddressFamily), 139 .sname = "IPAddressFamily", 140 }; 141 142 static const ASN1_TEMPLATE IPAddrBlocks_item_tt = { 143 .flags = ASN1_TFLG_SEQUENCE_OF, 144 .tag = 0, 145 .offset = 0, 146 .field_name = "IPAddrBlocks", 147 .item = &IPAddressFamily_it, 148 }; 149 150 /* XXX: maybe special? */ 151 static const ASN1_ITEM IPAddrBlocks_it = { 152 .itype = ASN1_ITYPE_PRIMITIVE, 153 .utype = -1, 154 .templates = &IPAddrBlocks_item_tt, 155 .tcount = 0, 156 .funcs = NULL, 157 .size = 0, 158 .sname = "IPAddrBlocks", 159 }; 160 161 IPAddressRange * 162 d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len) 163 { 164 return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 165 (&(IPAddressRange_it))); 166 } 167 168 int 169 i2d_IPAddressRange(IPAddressRange *a, unsigned char **out) 170 { 171 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(IPAddressRange_it))); 172 } 173 174 IPAddressRange * 175 IPAddressRange_new(void) 176 { 177 return (IPAddressRange *)ASN1_item_new((&(IPAddressRange_it))); 178 } 179 180 void 181 IPAddressRange_free(IPAddressRange *a) 182 { 183 ASN1_item_free((ASN1_VALUE *)a, (&(IPAddressRange_it))); 184 } 185 186 IPAddressOrRange * 187 d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len) 188 { 189 return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 190 (&(IPAddressOrRange_it))); 191 } 192 193 int 194 i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char ** out) 195 { 196 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(IPAddressOrRange_it))); 197 } 198 199 IPAddressOrRange * 200 IPAddressOrRange_new(void) 201 { 202 return (IPAddressOrRange *)ASN1_item_new((&(IPAddressOrRange_it))); 203 } 204 205 void 206 IPAddressOrRange_free(IPAddressOrRange *a) { 207 ASN1_item_free((ASN1_VALUE *)a, (&(IPAddressOrRange_it))); 208 } 209 210 IPAddressChoice * 211 d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len) 212 { 213 return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 214 (&(IPAddressChoice_it))); 215 } 216 217 int 218 i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out) 219 { 220 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(IPAddressChoice_it))); 221 } 222 223 IPAddressChoice * 224 IPAddressChoice_new(void) 225 { 226 return (IPAddressChoice *)ASN1_item_new((&(IPAddressChoice_it))); 227 228 } 229 230 void 231 IPAddressChoice_free(IPAddressChoice *a) 232 { 233 ASN1_item_free((ASN1_VALUE *)a, (&(IPAddressChoice_it))); 234 } 235 236 IPAddressFamily * 237 d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len) 238 { 239 return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 240 (&(IPAddressFamily_it))); 241 } 242 243 int 244 i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out) 245 { 246 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(IPAddressFamily_it))); 247 } 248 249 IPAddressFamily * 250 IPAddressFamily_new(void) 251 { 252 return (IPAddressFamily *)ASN1_item_new((&(IPAddressFamily_it))); 253 } 254 255 void 256 IPAddressFamily_free(IPAddressFamily *a) 257 { 258 ASN1_item_free((ASN1_VALUE *)a, (&(IPAddressFamily_it))); 259 } 260 261 /* 262 * How much buffer space do we need for a raw address? 263 */ 264 #define ADDR_RAW_BUF_LEN 16 265 266 /* 267 * What's the address length associated with this AFI? 268 */ 269 static int length_from_afi(const unsigned afi) 270 { 271 switch (afi) { 272 case IANA_AFI_IPV4: 273 return 4; 274 case IANA_AFI_IPV6: 275 return 16; 276 default: 277 return 0; 278 } 279 } 280 281 /* 282 * Extract the AFI from an IPAddressFamily. 283 */ 284 unsigned int X509v3_addr_get_afi(const IPAddressFamily *f) 285 { 286 if (f == NULL 287 || f->addressFamily == NULL 288 || f->addressFamily->data == NULL 289 || f->addressFamily->length < 2) 290 return 0; 291 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; 292 } 293 294 /* 295 * Expand the bitstring form of an address into a raw byte array. 296 * At the moment this is coded for simplicity, not speed. 297 */ 298 static int addr_expand(unsigned char *addr, 299 const ASN1_BIT_STRING *bs, 300 const int length, const unsigned char fill) 301 { 302 if (bs->length < 0 || bs->length > length) 303 return 0; 304 if (bs->length > 0) { 305 memcpy(addr, bs->data, bs->length); 306 if ((bs->flags & 7) != 0) { 307 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 308 if (fill == 0) 309 addr[bs->length - 1] &= ~mask; 310 else 311 addr[bs->length - 1] |= mask; 312 } 313 } 314 memset(addr + bs->length, fill, length - bs->length); 315 return 1; 316 } 317 318 /* 319 * Extract the prefix length from a bitstring. 320 */ 321 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 322 323 /* 324 * i2r handler for one address bitstring. 325 */ 326 static int i2r_address(BIO *out, 327 const unsigned afi, 328 const unsigned char fill, const ASN1_BIT_STRING *bs) 329 { 330 unsigned char addr[ADDR_RAW_BUF_LEN]; 331 int i, n; 332 333 if (bs->length < 0) 334 return 0; 335 switch (afi) { 336 case IANA_AFI_IPV4: 337 if (!addr_expand(addr, bs, 4, fill)) 338 return 0; 339 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 340 break; 341 case IANA_AFI_IPV6: 342 if (!addr_expand(addr, bs, 16, fill)) 343 return 0; 344 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; 345 n -= 2) ; 346 for (i = 0; i < n; i += 2) 347 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 348 (i < 14 ? ":" : "")); 349 if (i < 16) 350 BIO_puts(out, ":"); 351 if (i == 0) 352 BIO_puts(out, ":"); 353 break; 354 default: 355 for (i = 0; i < bs->length; i++) 356 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); 357 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 358 break; 359 } 360 return 1; 361 } 362 363 /* 364 * i2r handler for a sequence of addresses and ranges. 365 */ 366 static int i2r_IPAddressOrRanges(BIO *out, 367 const int indent, 368 const IPAddressOrRanges *aors, 369 const unsigned afi) 370 { 371 int i; 372 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 373 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 374 BIO_printf(out, "%*s", indent, ""); 375 switch (aor->type) { 376 case IPAddressOrRange_addressPrefix: 377 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 378 return 0; 379 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); 380 continue; 381 case IPAddressOrRange_addressRange: 382 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) 383 return 0; 384 BIO_puts(out, "-"); 385 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) 386 return 0; 387 BIO_puts(out, "\n"); 388 continue; 389 } 390 } 391 return 1; 392 } 393 394 /* 395 * i2r handler for an IPAddrBlocks extension. 396 */ 397 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, 398 void *ext, BIO *out, int indent) 399 { 400 const IPAddrBlocks *addr = ext; 401 int i; 402 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 403 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 404 const unsigned int afi = X509v3_addr_get_afi(f); 405 switch (afi) { 406 case IANA_AFI_IPV4: 407 BIO_printf(out, "%*sIPv4", indent, ""); 408 break; 409 case IANA_AFI_IPV6: 410 BIO_printf(out, "%*sIPv6", indent, ""); 411 break; 412 default: 413 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 414 break; 415 } 416 if (f->addressFamily->length > 2) { 417 switch (f->addressFamily->data[2]) { 418 case 1: 419 BIO_puts(out, " (Unicast)"); 420 break; 421 case 2: 422 BIO_puts(out, " (Multicast)"); 423 break; 424 case 3: 425 BIO_puts(out, " (Unicast/Multicast)"); 426 break; 427 case 4: 428 BIO_puts(out, " (MPLS)"); 429 break; 430 case 64: 431 BIO_puts(out, " (Tunnel)"); 432 break; 433 case 65: 434 BIO_puts(out, " (VPLS)"); 435 break; 436 case 66: 437 BIO_puts(out, " (BGP MDT)"); 438 break; 439 case 128: 440 BIO_puts(out, " (MPLS-labeled VPN)"); 441 break; 442 default: 443 BIO_printf(out, " (Unknown SAFI %u)", 444 (unsigned)f->addressFamily->data[2]); 445 break; 446 } 447 } 448 switch (f->ipAddressChoice->type) { 449 case IPAddressChoice_inherit: 450 BIO_puts(out, ": inherit\n"); 451 break; 452 case IPAddressChoice_addressesOrRanges: 453 BIO_puts(out, ":\n"); 454 if (!i2r_IPAddressOrRanges(out, 455 indent + 2, 456 f->ipAddressChoice-> 457 u.addressesOrRanges, afi)) 458 return 0; 459 break; 460 } 461 } 462 return 1; 463 } 464 465 /* 466 * Sort comparison function for a sequence of IPAddressOrRange 467 * elements. 468 * 469 * There's no sane answer we can give if addr_expand() fails, and an 470 * assertion failure on externally supplied data is seriously uncool, 471 * so we just arbitrarily declare that if given invalid inputs this 472 * function returns -1. If this messes up your preferred sort order 473 * for garbage input, tough noogies. 474 */ 475 static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 476 const IPAddressOrRange *b, const int length) 477 { 478 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 479 int prefixlen_a = 0, prefixlen_b = 0; 480 int r; 481 482 switch (a->type) { 483 case IPAddressOrRange_addressPrefix: 484 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 485 return -1; 486 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 487 break; 488 case IPAddressOrRange_addressRange: 489 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 490 return -1; 491 prefixlen_a = length * 8; 492 break; 493 } 494 495 switch (b->type) { 496 case IPAddressOrRange_addressPrefix: 497 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 498 return -1; 499 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 500 break; 501 case IPAddressOrRange_addressRange: 502 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 503 return -1; 504 prefixlen_b = length * 8; 505 break; 506 } 507 508 if ((r = memcmp(addr_a, addr_b, length)) != 0) 509 return r; 510 else 511 return prefixlen_a - prefixlen_b; 512 } 513 514 /* 515 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 516 * comparison routines are only allowed two arguments. 517 */ 518 static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 519 const IPAddressOrRange *const *b) 520 { 521 return IPAddressOrRange_cmp(*a, *b, 4); 522 } 523 524 /* 525 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 526 * comparison routines are only allowed two arguments. 527 */ 528 static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 529 const IPAddressOrRange *const *b) 530 { 531 return IPAddressOrRange_cmp(*a, *b, 16); 532 } 533 534 /* 535 * Calculate whether a range collapses to a prefix. 536 * See last paragraph of RFC 3779 2.2.3.7. 537 */ 538 static int range_should_be_prefix(const unsigned char *min, 539 const unsigned char *max, const int length) 540 { 541 unsigned char mask; 542 int i, j; 543 544 if (memcmp(min, max, length) <= 0) 545 return -1; 546 for (i = 0; i < length && min[i] == max[i]; i++) ; 547 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; 548 if (i < j) 549 return -1; 550 if (i > j) 551 return i * 8; 552 mask = min[i] ^ max[i]; 553 switch (mask) { 554 case 0x01: 555 j = 7; 556 break; 557 case 0x03: 558 j = 6; 559 break; 560 case 0x07: 561 j = 5; 562 break; 563 case 0x0F: 564 j = 4; 565 break; 566 case 0x1F: 567 j = 3; 568 break; 569 case 0x3F: 570 j = 2; 571 break; 572 case 0x7F: 573 j = 1; 574 break; 575 default: 576 return -1; 577 } 578 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 579 return -1; 580 else 581 return i * 8 + j; 582 } 583 584 /* 585 * Construct a prefix. 586 */ 587 static int make_addressPrefix(IPAddressOrRange **result, 588 unsigned char *addr, const int prefixlen) 589 { 590 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 591 IPAddressOrRange *aor = IPAddressOrRange_new(); 592 593 if (aor == NULL) 594 return 0; 595 aor->type = IPAddressOrRange_addressPrefix; 596 if (aor->u.addressPrefix == NULL && 597 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 598 goto err; 599 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 600 goto err; 601 aor->u.addressPrefix->flags &= ~7; 602 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 603 if (bitlen > 0) { 604 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 605 aor->u.addressPrefix->flags |= 8 - bitlen; 606 } 607 608 *result = aor; 609 return 1; 610 611 err: 612 IPAddressOrRange_free(aor); 613 return 0; 614 } 615 616 /* 617 * Construct a range. If it can be expressed as a prefix, 618 * return a prefix instead. Doing this here simplifies 619 * the rest of the code considerably. 620 */ 621 static int make_addressRange(IPAddressOrRange **result, 622 unsigned char *min, 623 unsigned char *max, const int length) 624 { 625 IPAddressOrRange *aor; 626 int i, prefixlen; 627 628 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 629 return make_addressPrefix(result, min, prefixlen); 630 631 if ((aor = IPAddressOrRange_new()) == NULL) 632 return 0; 633 aor->type = IPAddressOrRange_addressRange; 634 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 635 goto err; 636 if (aor->u.addressRange->min == NULL && 637 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 638 goto err; 639 if (aor->u.addressRange->max == NULL && 640 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 641 goto err; 642 643 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ; 644 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 645 goto err; 646 aor->u.addressRange->min->flags &= ~7; 647 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 648 if (i > 0) { 649 unsigned char b = min[i - 1]; 650 int j = 1; 651 while ((b & (0xFFU >> j)) != 0) 652 ++j; 653 aor->u.addressRange->min->flags |= 8 - j; 654 } 655 656 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ; 657 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 658 goto err; 659 aor->u.addressRange->max->flags &= ~7; 660 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 661 if (i > 0) { 662 unsigned char b = max[i - 1]; 663 int j = 1; 664 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 665 ++j; 666 aor->u.addressRange->max->flags |= 8 - j; 667 } 668 669 *result = aor; 670 return 1; 671 672 err: 673 IPAddressOrRange_free(aor); 674 return 0; 675 } 676 677 /* 678 * Construct a new address family or find an existing one. 679 */ 680 static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 681 const unsigned afi, 682 const unsigned *safi) 683 { 684 IPAddressFamily *f; 685 unsigned char key[3]; 686 int keylen; 687 int i; 688 689 key[0] = (afi >> 8) & 0xFF; 690 key[1] = afi & 0xFF; 691 if (safi != NULL) { 692 key[2] = *safi & 0xFF; 693 keylen = 3; 694 } else { 695 keylen = 2; 696 } 697 698 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 699 f = sk_IPAddressFamily_value(addr, i); 700 if (f->addressFamily->length == keylen && 701 !memcmp(f->addressFamily->data, key, keylen)) 702 return f; 703 } 704 705 if ((f = IPAddressFamily_new()) == NULL) 706 goto err; 707 if (f->ipAddressChoice == NULL && 708 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 709 goto err; 710 if (f->addressFamily == NULL && 711 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 712 goto err; 713 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 714 goto err; 715 if (!sk_IPAddressFamily_push(addr, f)) 716 goto err; 717 718 return f; 719 720 err: 721 IPAddressFamily_free(f); 722 return NULL; 723 } 724 725 /* 726 * Add an inheritance element. 727 */ 728 int X509v3_addr_add_inherit(IPAddrBlocks *addr, 729 const unsigned afi, const unsigned *safi) 730 { 731 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 732 if (f == NULL || 733 f->ipAddressChoice == NULL || 734 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 735 f->ipAddressChoice->u.addressesOrRanges != NULL)) 736 return 0; 737 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 738 f->ipAddressChoice->u.inherit != NULL) 739 return 1; 740 if (f->ipAddressChoice->u.inherit == NULL && 741 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 742 return 0; 743 f->ipAddressChoice->type = IPAddressChoice_inherit; 744 return 1; 745 } 746 747 /* 748 * Construct an IPAddressOrRange sequence, or return an existing one. 749 */ 750 static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, 751 const unsigned afi, 752 const unsigned *safi) 753 { 754 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 755 IPAddressOrRanges *aors = NULL; 756 757 if (f == NULL || 758 f->ipAddressChoice == NULL || 759 (f->ipAddressChoice->type == IPAddressChoice_inherit && 760 f->ipAddressChoice->u.inherit != NULL)) 761 return NULL; 762 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 763 aors = f->ipAddressChoice->u.addressesOrRanges; 764 if (aors != NULL) 765 return aors; 766 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 767 return NULL; 768 switch (afi) { 769 case IANA_AFI_IPV4: 770 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 771 break; 772 case IANA_AFI_IPV6: 773 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 774 break; 775 } 776 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 777 f->ipAddressChoice->u.addressesOrRanges = aors; 778 return aors; 779 } 780 781 /* 782 * Add a prefix. 783 */ 784 int X509v3_addr_add_prefix(IPAddrBlocks *addr, 785 const unsigned afi, 786 const unsigned *safi, 787 unsigned char *a, const int prefixlen) 788 { 789 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 790 IPAddressOrRange *aor; 791 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 792 return 0; 793 if (sk_IPAddressOrRange_push(aors, aor)) 794 return 1; 795 IPAddressOrRange_free(aor); 796 return 0; 797 } 798 799 /* 800 * Add a range. 801 */ 802 int X509v3_addr_add_range(IPAddrBlocks *addr, 803 const unsigned afi, 804 const unsigned *safi, 805 unsigned char *min, unsigned char *max) 806 { 807 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 808 IPAddressOrRange *aor; 809 int length = length_from_afi(afi); 810 if (aors == NULL) 811 return 0; 812 if (!make_addressRange(&aor, min, max, length)) 813 return 0; 814 if (sk_IPAddressOrRange_push(aors, aor)) 815 return 1; 816 IPAddressOrRange_free(aor); 817 return 0; 818 } 819 820 /* 821 * Extract min and max values from an IPAddressOrRange. 822 */ 823 static int extract_min_max(IPAddressOrRange *aor, 824 unsigned char *min, unsigned char *max, int length) 825 { 826 if (aor == NULL || min == NULL || max == NULL) 827 return 0; 828 switch (aor->type) { 829 case IPAddressOrRange_addressPrefix: 830 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 831 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 832 case IPAddressOrRange_addressRange: 833 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && 834 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 835 } 836 return 0; 837 } 838 839 /* 840 * Public wrapper for extract_min_max(). 841 */ 842 int X509v3_addr_get_range(IPAddressOrRange *aor, 843 const unsigned afi, 844 unsigned char *min, 845 unsigned char *max, const int length) 846 { 847 int afi_length = length_from_afi(afi); 848 if (aor == NULL || min == NULL || max == NULL || 849 afi_length == 0 || length < afi_length || 850 (aor->type != IPAddressOrRange_addressPrefix && 851 aor->type != IPAddressOrRange_addressRange) || 852 !extract_min_max(aor, min, max, afi_length)) 853 return 0; 854 855 return afi_length; 856 } 857 858 /* 859 * Sort comparison function for a sequence of IPAddressFamily. 860 * 861 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 862 * the ordering: I can read it as meaning that IPv6 without a SAFI 863 * comes before IPv4 with a SAFI, which seems pretty weird. The 864 * examples in appendix B suggest that the author intended the 865 * null-SAFI rule to apply only within a single AFI, which is what I 866 * would have expected and is what the following code implements. 867 */ 868 static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, 869 const IPAddressFamily *const *b_) 870 { 871 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 872 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 873 int len = ((a->length <= b->length) ? a->length : b->length); 874 int cmp = memcmp(a->data, b->data, len); 875 return cmp ? cmp : a->length - b->length; 876 } 877 878 /* 879 * Check whether an IPAddrBLocks is in canonical form. 880 */ 881 int X509v3_addr_is_canonical(IPAddrBlocks *addr) 882 { 883 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 884 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 885 IPAddressOrRanges *aors; 886 int i, j, k; 887 888 /* 889 * Empty extension is canonical. 890 */ 891 if (addr == NULL) 892 return 1; 893 894 /* 895 * Check whether the top-level list is in order. 896 */ 897 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 898 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 899 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 900 if (IPAddressFamily_cmp(&a, &b) >= 0) 901 return 0; 902 } 903 904 /* 905 * Top level's ok, now check each address family. 906 */ 907 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 908 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 909 int length = length_from_afi(X509v3_addr_get_afi(f)); 910 911 /* 912 * Inheritance is canonical. Anything other than inheritance or 913 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. 914 */ 915 if (f == NULL || f->ipAddressChoice == NULL) 916 return 0; 917 switch (f->ipAddressChoice->type) { 918 case IPAddressChoice_inherit: 919 continue; 920 case IPAddressChoice_addressesOrRanges: 921 break; 922 default: 923 return 0; 924 } 925 926 /* 927 * It's an IPAddressOrRanges sequence, check it. 928 */ 929 aors = f->ipAddressChoice->u.addressesOrRanges; 930 if (sk_IPAddressOrRange_num(aors) == 0) 931 return 0; 932 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 933 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 934 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 935 936 if (!extract_min_max(a, a_min, a_max, length) || 937 !extract_min_max(b, b_min, b_max, length)) 938 return 0; 939 940 /* 941 * Punt misordered list, overlapping start, or inverted range. 942 */ 943 if (memcmp(a_min, b_min, length) >= 0 || 944 memcmp(a_min, a_max, length) > 0 || 945 memcmp(b_min, b_max, length) > 0) 946 return 0; 947 948 /* 949 * Punt if adjacent or overlapping. Check for adjacency by 950 * subtracting one from b_min first. 951 */ 952 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ; 953 if (memcmp(a_max, b_min, length) >= 0) 954 return 0; 955 956 /* 957 * Check for range that should be expressed as a prefix. 958 */ 959 if (a->type == IPAddressOrRange_addressRange && 960 range_should_be_prefix(a_min, a_max, length) >= 0) 961 return 0; 962 } 963 964 /* 965 * Check range to see if it's inverted or should be a 966 * prefix. 967 */ 968 j = sk_IPAddressOrRange_num(aors) - 1; 969 { 970 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 971 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 972 if (!extract_min_max(a, a_min, a_max, length)) 973 return 0; 974 if (memcmp(a_min, a_max, length) > 0 || 975 range_should_be_prefix(a_min, a_max, length) >= 0) 976 return 0; 977 } 978 } 979 } 980 981 /* 982 * If we made it through all that, we're happy. 983 */ 984 return 1; 985 } 986 987 /* 988 * Whack an IPAddressOrRanges into canonical form. 989 */ 990 static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, 991 const unsigned afi) 992 { 993 int i, j, length = length_from_afi(afi); 994 995 /* 996 * Sort the IPAddressOrRanges sequence. 997 */ 998 sk_IPAddressOrRange_sort(aors); 999 1000 /* 1001 * Clean up representation issues, punt on duplicates or overlaps. 1002 */ 1003 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 1004 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 1005 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 1006 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1007 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1008 1009 if (!extract_min_max(a, a_min, a_max, length) || 1010 !extract_min_max(b, b_min, b_max, length)) 1011 return 0; 1012 1013 /* 1014 * Punt inverted ranges. 1015 */ 1016 if (memcmp(a_min, a_max, length) > 0 || 1017 memcmp(b_min, b_max, length) > 0) 1018 return 0; 1019 1020 /* 1021 * Punt overlaps. 1022 */ 1023 if (memcmp(a_max, b_min, length) >= 0) 1024 return 0; 1025 1026 /* 1027 * Merge if a and b are adjacent. We check for 1028 * adjacency by subtracting one from b_min first. 1029 */ 1030 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ; 1031 if (memcmp(a_max, b_min, length) == 0) { 1032 IPAddressOrRange *merged; 1033 if (!make_addressRange(&merged, a_min, b_max, length)) 1034 return 0; 1035 (void)sk_IPAddressOrRange_set(aors, i, merged); 1036 (void)sk_IPAddressOrRange_delete(aors, i + 1); 1037 IPAddressOrRange_free(a); 1038 IPAddressOrRange_free(b); 1039 --i; 1040 continue; 1041 } 1042 } 1043 1044 /* 1045 * Check for inverted final range. 1046 */ 1047 j = sk_IPAddressOrRange_num(aors) - 1; 1048 { 1049 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 1050 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 1051 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1052 if (!extract_min_max(a, a_min, a_max, length)) 1053 return 0; 1054 if (memcmp(a_min, a_max, length) > 0) 1055 return 0; 1056 } 1057 } 1058 1059 return 1; 1060 } 1061 1062 /* 1063 * Whack an IPAddrBlocks extension into canonical form. 1064 */ 1065 int X509v3_addr_canonize(IPAddrBlocks *addr) 1066 { 1067 int i; 1068 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1069 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1070 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 1071 !IPAddressOrRanges_canonize(f->ipAddressChoice-> 1072 u.addressesOrRanges, 1073 X509v3_addr_get_afi(f))) 1074 return 0; 1075 } 1076 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 1077 sk_IPAddressFamily_sort(addr); 1078 OPENSSL_assert(X509v3_addr_is_canonical(addr)); 1079 return 1; 1080 } 1081 1082 /* 1083 * v2i handler for the IPAddrBlocks extension. 1084 */ 1085 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, 1086 struct v3_ext_ctx *ctx, 1087 STACK_OF(CONF_VALUE) *values) 1088 { 1089 static const char v4addr_chars[] = "0123456789."; 1090 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 1091 IPAddrBlocks *addr = NULL; 1092 char *s = NULL, *t; 1093 int i; 1094 1095 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 1096 X509V3error(ERR_R_MALLOC_FAILURE); 1097 return NULL; 1098 } 1099 1100 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 1101 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 1102 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 1103 unsigned afi, *safi = NULL, safi_; 1104 const char *addr_chars = NULL; 1105 int prefixlen, i1, i2, delim, length; 1106 1107 if (!name_cmp(val->name, "IPv4")) { 1108 afi = IANA_AFI_IPV4; 1109 } else if (!name_cmp(val->name, "IPv6")) { 1110 afi = IANA_AFI_IPV6; 1111 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 1112 afi = IANA_AFI_IPV4; 1113 safi = &safi_; 1114 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 1115 afi = IANA_AFI_IPV6; 1116 safi = &safi_; 1117 } else { 1118 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 1119 X509V3_conf_err(val); 1120 goto err; 1121 } 1122 1123 switch (afi) { 1124 case IANA_AFI_IPV4: 1125 addr_chars = v4addr_chars; 1126 break; 1127 case IANA_AFI_IPV6: 1128 addr_chars = v6addr_chars; 1129 break; 1130 } 1131 1132 length = length_from_afi(afi); 1133 1134 /* 1135 * Handle SAFI, if any, and strdup() so we can null-terminate 1136 * the other input values. 1137 */ 1138 if (safi != NULL) { 1139 *safi = strtoul(val->value, &t, 0); 1140 t += strspn(t, " \t"); 1141 if (*safi > 0xFF || *t++ != ':') { 1142 X509V3error(X509V3_R_INVALID_SAFI); 1143 X509V3_conf_err(val); 1144 goto err; 1145 } 1146 t += strspn(t, " \t"); 1147 s = strdup(t); 1148 } else { 1149 s = strdup(val->value); 1150 } 1151 if (s == NULL) { 1152 X509V3error(ERR_R_MALLOC_FAILURE); 1153 goto err; 1154 } 1155 1156 /* 1157 * Check for inheritance. Not worth additional complexity to 1158 * optimize this (seldom-used) case. 1159 */ 1160 if (strcmp(s, "inherit") == 0) { 1161 if (!X509v3_addr_add_inherit(addr, afi, safi)) { 1162 X509V3error(X509V3_R_INVALID_INHERITANCE); 1163 X509V3_conf_err(val); 1164 goto err; 1165 } 1166 free(s); 1167 s = NULL; 1168 continue; 1169 } 1170 1171 i1 = strspn(s, addr_chars); 1172 i2 = i1 + strspn(s + i1, " \t"); 1173 delim = s[i2++]; 1174 s[i1] = '\0'; 1175 1176 if (a2i_ipadd(min, s) != length) { 1177 X509V3error(X509V3_R_INVALID_IPADDRESS); 1178 X509V3_conf_err(val); 1179 goto err; 1180 } 1181 1182 switch (delim) { 1183 case '/': 1184 prefixlen = (int)strtoul(s + i2, &t, 10); 1185 if (t == s + i2 || *t != '\0') { 1186 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1187 X509V3_conf_err(val); 1188 goto err; 1189 } 1190 if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { 1191 X509V3error(ERR_R_MALLOC_FAILURE); 1192 goto err; 1193 } 1194 break; 1195 case '-': 1196 i1 = i2 + strspn(s + i2, " \t"); 1197 i2 = i1 + strspn(s + i1, addr_chars); 1198 if (i1 == i2 || s[i2] != '\0') { 1199 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1200 X509V3_conf_err(val); 1201 goto err; 1202 } 1203 if (a2i_ipadd(max, s + i1) != length) { 1204 X509V3error(X509V3_R_INVALID_IPADDRESS); 1205 X509V3_conf_err(val); 1206 goto err; 1207 } 1208 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1209 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1210 X509V3_conf_err(val); 1211 goto err; 1212 } 1213 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { 1214 X509V3error(ERR_R_MALLOC_FAILURE); 1215 goto err; 1216 } 1217 break; 1218 case '\0': 1219 if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { 1220 X509V3error(ERR_R_MALLOC_FAILURE); 1221 goto err; 1222 } 1223 break; 1224 default: 1225 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1226 X509V3_conf_err(val); 1227 goto err; 1228 } 1229 1230 free(s); 1231 s = NULL; 1232 } 1233 1234 /* 1235 * Canonize the result, then we're done. 1236 */ 1237 if (!X509v3_addr_canonize(addr)) 1238 goto err; 1239 return addr; 1240 1241 err: 1242 free(s); 1243 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1244 return NULL; 1245 } 1246 1247 /* 1248 * OpenSSL dispatch 1249 */ 1250 const X509V3_EXT_METHOD v3_addr = { 1251 NID_sbgp_ipAddrBlock, /* nid */ 1252 0, /* flags */ 1253 &IPAddrBlocks_it, 1254 0, 0, 0, 0, /* old functions, ignored */ 1255 0, /* i2s */ 1256 0, /* s2i */ 1257 0, /* i2v */ 1258 v2i_IPAddrBlocks, /* v2i */ 1259 i2r_IPAddrBlocks, /* i2r */ 1260 0, /* r2i */ 1261 NULL /* extension-specific data */ 1262 }; 1263 1264 /* 1265 * Figure out whether extension sues inheritance. 1266 */ 1267 int X509v3_addr_inherits(IPAddrBlocks *addr) 1268 { 1269 int i; 1270 if (addr == NULL) 1271 return 0; 1272 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1273 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1274 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1275 return 1; 1276 } 1277 return 0; 1278 } 1279 1280 /* 1281 * Figure out whether parent contains child. 1282 */ 1283 static int addr_contains(IPAddressOrRanges *parent, 1284 IPAddressOrRanges *child, int length) 1285 { 1286 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1287 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1288 int p, c; 1289 1290 if (child == NULL || parent == child) 1291 return 1; 1292 if (parent == NULL) 1293 return 0; 1294 1295 p = 0; 1296 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1297 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1298 c_min, c_max, length)) 1299 return -1; 1300 for (;; p++) { 1301 if (p >= sk_IPAddressOrRange_num(parent)) 1302 return 0; 1303 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), 1304 p_min, p_max, length)) 1305 return 0; 1306 if (memcmp(p_max, c_max, length) < 0) 1307 continue; 1308 if (memcmp(p_min, c_min, length) > 0) 1309 return 0; 1310 break; 1311 } 1312 } 1313 1314 return 1; 1315 } 1316 1317 /* 1318 * Test whether a is a subset of b. 1319 */ 1320 int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1321 { 1322 int i; 1323 if (a == NULL || a == b) 1324 return 1; 1325 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b)) 1326 return 0; 1327 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1328 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1329 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1330 int j = sk_IPAddressFamily_find(b, fa); 1331 IPAddressFamily *fb; 1332 fb = sk_IPAddressFamily_value(b, j); 1333 if (fb == NULL) 1334 return 0; 1335 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1336 fa->ipAddressChoice->u.addressesOrRanges, 1337 length_from_afi(X509v3_addr_get_afi(fb)))) 1338 return 0; 1339 } 1340 return 1; 1341 } 1342 1343 /* 1344 * Validation error handling via callback. 1345 */ 1346 #define validation_err(_err_) \ 1347 do { \ 1348 if (ctx != NULL) { \ 1349 ctx->error = _err_; \ 1350 ctx->error_depth = i; \ 1351 ctx->current_cert = x; \ 1352 ret = ctx->verify_cb(0, ctx); \ 1353 } else { \ 1354 ret = 0; \ 1355 } \ 1356 if (!ret) \ 1357 goto done; \ 1358 } while (0) 1359 1360 /* 1361 * Core code for RFC 3779 2.3 path validation. 1362 * 1363 * Returns 1 for success, 0 on error. 1364 * 1365 * When returning 0, ctx->error MUST be set to an appropriate value other than 1366 * X509_V_OK. 1367 */ 1368 static int addr_validate_path_internal(X509_STORE_CTX *ctx, 1369 STACK_OF(X509) *chain, 1370 IPAddrBlocks *ext) 1371 { 1372 IPAddrBlocks *child = NULL; 1373 int i, j, ret = 1; 1374 X509 *x; 1375 1376 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1377 OPENSSL_assert(ctx != NULL || ext != NULL); 1378 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1379 1380 /* 1381 * Figure out where to start. If we don't have an extension to 1382 * check, we're done. Otherwise, check canonical form and 1383 * set up for walking up the chain. 1384 */ 1385 if (ext != NULL) { 1386 i = -1; 1387 x = NULL; 1388 } else { 1389 i = 0; 1390 x = sk_X509_value(chain, i); 1391 if ((ext = x->rfc3779_addr) == NULL) 1392 goto done; 1393 } 1394 if (!X509v3_addr_is_canonical(ext)) 1395 validation_err(X509_V_ERR_INVALID_EXTENSION); 1396 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1397 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1398 X509V3error(ERR_R_MALLOC_FAILURE); 1399 if (ctx != NULL) 1400 ctx->error = X509_V_ERR_OUT_OF_MEM; 1401 ret = 0; 1402 goto done; 1403 } 1404 1405 /* 1406 * Now walk up the chain. No cert may list resources that its 1407 * parent doesn't list. 1408 */ 1409 for (i++; i < sk_X509_num(chain); i++) { 1410 x = sk_X509_value(chain, i); 1411 if (!X509v3_addr_is_canonical(x->rfc3779_addr)) 1412 validation_err(X509_V_ERR_INVALID_EXTENSION); 1413 if (x->rfc3779_addr == NULL) { 1414 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1415 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1416 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { 1417 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1418 break; 1419 } 1420 } 1421 continue; 1422 } 1423 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, 1424 IPAddressFamily_cmp); 1425 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1426 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1427 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1428 IPAddressFamily *fp = 1429 sk_IPAddressFamily_value(x->rfc3779_addr, k); 1430 if (fp == NULL) { 1431 if (fc->ipAddressChoice->type == 1432 IPAddressChoice_addressesOrRanges) { 1433 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1434 break; 1435 } 1436 continue; 1437 } 1438 if (fp->ipAddressChoice->type == 1439 IPAddressChoice_addressesOrRanges) { 1440 if (fc->ipAddressChoice->type == IPAddressChoice_inherit 1441 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1442 fc->ipAddressChoice->u.addressesOrRanges, 1443 length_from_afi(X509v3_addr_get_afi(fc)))) 1444 sk_IPAddressFamily_set(child, j, fp); 1445 else 1446 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1447 } 1448 } 1449 } 1450 1451 /* 1452 * Trust anchor can't inherit. 1453 */ 1454 if (x->rfc3779_addr != NULL) { 1455 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1456 IPAddressFamily *fp = 1457 sk_IPAddressFamily_value(x->rfc3779_addr, j); 1458 if (fp->ipAddressChoice->type == IPAddressChoice_inherit 1459 && sk_IPAddressFamily_find(child, fp) >= 0) 1460 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1461 } 1462 } 1463 1464 done: 1465 sk_IPAddressFamily_free(child); 1466 return ret; 1467 } 1468 1469 #undef validation_err 1470 1471 /* 1472 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1473 */ 1474 int X509v3_addr_validate_path(X509_STORE_CTX *ctx) 1475 { 1476 if (ctx->chain == NULL 1477 || sk_X509_num(ctx->chain) == 0 1478 || ctx->verify_cb == NULL) { 1479 ctx->error = X509_V_ERR_UNSPECIFIED; 1480 return 0; 1481 } 1482 return addr_validate_path_internal(ctx, ctx->chain, NULL); 1483 } 1484 1485 /* 1486 * RFC 3779 2.3 path validation of an extension. 1487 * Test whether chain covers extension. 1488 */ 1489 int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, 1490 IPAddrBlocks *ext, int allow_inheritance) 1491 { 1492 if (ext == NULL) 1493 return 1; 1494 if (chain == NULL || sk_X509_num(chain) == 0) 1495 return 0; 1496 if (!allow_inheritance && X509v3_addr_inherits(ext)) 1497 return 0; 1498 return addr_validate_path_internal(NULL, chain, ext); 1499 } 1500 1501 #endif /* OPENSSL_NO_RFC3779 */ 1502