1 /* $OpenBSD: x509_addr.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */ 2 /* 3 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 /* 12 * Implementation of RFC 3779 section 2.2. 13 */ 14 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <string.h> 18 19 #include <openssl/asn1.h> 20 #include <openssl/asn1t.h> 21 #include <openssl/buffer.h> 22 #include <openssl/conf.h> 23 #include <openssl/err.h> 24 #include <openssl/x509.h> 25 #include <openssl/x509v3.h> 26 27 #include "x509_lcl.h" 28 29 #ifndef OPENSSL_NO_RFC3779 30 31 /* 32 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 33 */ 34 35 static const ASN1_TEMPLATE IPAddressRange_seq_tt[] = { 36 { 37 .flags = 0, 38 .tag = 0, 39 .offset = offsetof(IPAddressRange, min), 40 .field_name = "min", 41 .item = &ASN1_BIT_STRING_it, 42 }, 43 { 44 .flags = 0, 45 .tag = 0, 46 .offset = offsetof(IPAddressRange, max), 47 .field_name = "max", 48 .item = &ASN1_BIT_STRING_it, 49 }, 50 }; 51 52 const ASN1_ITEM IPAddressRange_it = { 53 .itype = ASN1_ITYPE_SEQUENCE, 54 .utype = V_ASN1_SEQUENCE, 55 .templates = IPAddressRange_seq_tt, 56 .tcount = sizeof(IPAddressRange_seq_tt) / sizeof(ASN1_TEMPLATE), 57 .funcs = NULL, 58 .size = sizeof(IPAddressRange), 59 .sname = "IPAddressRange", 60 }; 61 62 static const ASN1_TEMPLATE IPAddressOrRange_ch_tt[] = { 63 { 64 .flags = 0, 65 .tag = 0, 66 .offset = offsetof(IPAddressOrRange, u.addressPrefix), 67 .field_name = "u.addressPrefix", 68 .item = &ASN1_BIT_STRING_it, 69 }, 70 { 71 .flags = 0, 72 .tag = 0, 73 .offset = offsetof(IPAddressOrRange, u.addressRange), 74 .field_name = "u.addressRange", 75 .item = &IPAddressRange_it, 76 }, 77 }; 78 79 const ASN1_ITEM IPAddressOrRange_it = { 80 .itype = ASN1_ITYPE_CHOICE, 81 .utype = offsetof(IPAddressOrRange, type), 82 .templates = IPAddressOrRange_ch_tt, 83 .tcount = sizeof(IPAddressOrRange_ch_tt) / sizeof(ASN1_TEMPLATE), 84 .funcs = NULL, 85 .size = sizeof(IPAddressOrRange), 86 .sname = "IPAddressOrRange", 87 }; 88 89 static const ASN1_TEMPLATE IPAddressChoice_ch_tt[] = { 90 { 91 .flags = 0, 92 .tag = 0, 93 .offset = offsetof(IPAddressChoice, u.inherit), 94 .field_name = "u.inherit", 95 .item = &ASN1_NULL_it, 96 }, 97 { 98 .flags = ASN1_TFLG_SEQUENCE_OF, 99 .tag = 0, 100 .offset = offsetof(IPAddressChoice, u.addressesOrRanges), 101 .field_name = "u.addressesOrRanges", 102 .item = &IPAddressOrRange_it, 103 }, 104 }; 105 106 const ASN1_ITEM IPAddressChoice_it = { 107 .itype = ASN1_ITYPE_CHOICE, 108 .utype = offsetof(IPAddressChoice, type), 109 .templates = IPAddressChoice_ch_tt, 110 .tcount = sizeof(IPAddressChoice_ch_tt) / sizeof(ASN1_TEMPLATE), 111 .funcs = NULL, 112 .size = sizeof(IPAddressChoice), 113 .sname = "IPAddressChoice", 114 }; 115 116 static const ASN1_TEMPLATE IPAddressFamily_seq_tt[] = { 117 { 118 .flags = 0, 119 .tag = 0, 120 .offset = offsetof(IPAddressFamily, addressFamily), 121 .field_name = "addressFamily", 122 .item = &ASN1_OCTET_STRING_it, 123 }, 124 { 125 .flags = 0, 126 .tag = 0, 127 .offset = offsetof(IPAddressFamily, ipAddressChoice), 128 .field_name = "ipAddressChoice", 129 .item = &IPAddressChoice_it, 130 }, 131 }; 132 133 const ASN1_ITEM IPAddressFamily_it = { 134 .itype = ASN1_ITYPE_SEQUENCE, 135 .utype = V_ASN1_SEQUENCE, 136 .templates = IPAddressFamily_seq_tt, 137 .tcount = sizeof(IPAddressFamily_seq_tt) / sizeof(ASN1_TEMPLATE), 138 .funcs = NULL, 139 .size = sizeof(IPAddressFamily), 140 .sname = "IPAddressFamily", 141 }; 142 143 static const ASN1_TEMPLATE IPAddrBlocks_item_tt = { 144 .flags = ASN1_TFLG_SEQUENCE_OF, 145 .tag = 0, 146 .offset = 0, 147 .field_name = "IPAddrBlocks", 148 .item = &IPAddressFamily_it, 149 }; 150 151 /* XXX: maybe special? */ 152 static const ASN1_ITEM IPAddrBlocks_it = { 153 .itype = ASN1_ITYPE_PRIMITIVE, 154 .utype = -1, 155 .templates = &IPAddrBlocks_item_tt, 156 .tcount = 0, 157 .funcs = NULL, 158 .size = 0, 159 .sname = "IPAddrBlocks", 160 }; 161 162 IPAddressRange * 163 d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len) 164 { 165 return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 166 &IPAddressRange_it); 167 } 168 169 int 170 i2d_IPAddressRange(IPAddressRange *a, unsigned char **out) 171 { 172 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it); 173 } 174 175 IPAddressRange * 176 IPAddressRange_new(void) 177 { 178 return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it); 179 } 180 181 void 182 IPAddressRange_free(IPAddressRange *a) 183 { 184 ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it); 185 } 186 187 IPAddressOrRange * 188 d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len) 189 { 190 return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 191 &IPAddressOrRange_it); 192 } 193 194 int 195 i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out) 196 { 197 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it); 198 } 199 200 IPAddressOrRange * 201 IPAddressOrRange_new(void) 202 { 203 return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it); 204 } 205 206 void 207 IPAddressOrRange_free(IPAddressOrRange *a) 208 { 209 ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it); 210 } 211 212 IPAddressChoice * 213 d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len) 214 { 215 return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 216 &IPAddressChoice_it); 217 } 218 219 int 220 i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out) 221 { 222 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it); 223 } 224 225 IPAddressChoice * 226 IPAddressChoice_new(void) 227 { 228 return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it); 229 } 230 231 void 232 IPAddressChoice_free(IPAddressChoice *a) 233 { 234 ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it); 235 } 236 237 IPAddressFamily * 238 d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len) 239 { 240 return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 241 &IPAddressFamily_it); 242 } 243 244 int 245 i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out) 246 { 247 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it); 248 } 249 250 IPAddressFamily * 251 IPAddressFamily_new(void) 252 { 253 return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it); 254 } 255 256 void 257 IPAddressFamily_free(IPAddressFamily *a) 258 { 259 ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it); 260 } 261 262 /* 263 * How much buffer space do we need for a raw address? 264 */ 265 #define ADDR_RAW_BUF_LEN 16 266 267 /* 268 * What's the address length associated with this AFI? 269 */ 270 static int 271 length_from_afi(const unsigned afi) 272 { 273 switch (afi) { 274 case IANA_AFI_IPV4: 275 return 4; 276 case IANA_AFI_IPV6: 277 return 16; 278 default: 279 return 0; 280 } 281 } 282 283 /* 284 * Extract the AFI from an IPAddressFamily. 285 */ 286 unsigned int 287 X509v3_addr_get_afi(const IPAddressFamily *f) 288 { 289 if (f == NULL || 290 f->addressFamily == NULL || 291 f->addressFamily->data == NULL || 292 f->addressFamily->length < 2) 293 return 0; 294 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; 295 } 296 297 /* 298 * Expand the bitstring form of an address into a raw byte array. 299 * At the moment this is coded for simplicity, not speed. 300 */ 301 static int 302 addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length, 303 const unsigned char fill) 304 { 305 if (bs->length < 0 || bs->length > length) 306 return 0; 307 if (bs->length > 0) { 308 memcpy(addr, bs->data, bs->length); 309 if ((bs->flags & 7) != 0) { 310 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 311 if (fill == 0) 312 addr[bs->length - 1] &= ~mask; 313 else 314 addr[bs->length - 1] |= mask; 315 } 316 } 317 memset(addr + bs->length, fill, length - bs->length); 318 return 1; 319 } 320 321 /* 322 * Extract the prefix length from a bitstring. 323 */ 324 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 325 326 /* 327 * i2r handler for one address bitstring. 328 */ 329 static int 330 i2r_address(BIO *out, const unsigned afi, const unsigned char fill, 331 const ASN1_BIT_STRING *bs) 332 { 333 unsigned char addr[ADDR_RAW_BUF_LEN]; 334 int i, n; 335 336 if (bs->length < 0) 337 return 0; 338 switch (afi) { 339 case IANA_AFI_IPV4: 340 if (!addr_expand(addr, bs, 4, fill)) 341 return 0; 342 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], 343 addr[3]); 344 break; 345 case IANA_AFI_IPV6: 346 if (!addr_expand(addr, bs, 16, fill)) 347 return 0; 348 for (n = 16; 349 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2) 350 continue; 351 for (i = 0; i < n; i += 2) 352 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 353 (i < 14 ? ":" : "")); 354 if (i < 16) 355 BIO_puts(out, ":"); 356 if (i == 0) 357 BIO_puts(out, ":"); 358 break; 359 default: 360 for (i = 0; i < bs->length; i++) 361 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), 362 bs->data[i]); 363 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 364 break; 365 } 366 return 1; 367 } 368 369 /* 370 * i2r handler for a sequence of addresses and ranges. 371 */ 372 static int 373 i2r_IPAddressOrRanges(BIO *out, const int indent, 374 const IPAddressOrRanges *aors, const unsigned afi) 375 { 376 int i; 377 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 378 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 379 BIO_printf(out, "%*s", indent, ""); 380 switch (aor->type) { 381 case IPAddressOrRange_addressPrefix: 382 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 383 return 0; 384 BIO_printf(out, "/%d\n", 385 addr_prefixlen(aor->u.addressPrefix)); 386 continue; 387 case IPAddressOrRange_addressRange: 388 if (!i2r_address(out, afi, 0x00, 389 aor->u.addressRange->min)) 390 return 0; 391 BIO_puts(out, "-"); 392 if (!i2r_address(out, afi, 0xFF, 393 aor->u.addressRange->max)) 394 return 0; 395 BIO_puts(out, "\n"); 396 continue; 397 } 398 } 399 return 1; 400 } 401 402 /* 403 * i2r handler for an IPAddrBlocks extension. 404 */ 405 static int 406 i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out, 407 int indent) 408 { 409 const IPAddrBlocks *addr = ext; 410 int i; 411 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 412 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 413 const unsigned int afi = X509v3_addr_get_afi(f); 414 switch (afi) { 415 case IANA_AFI_IPV4: 416 BIO_printf(out, "%*sIPv4", indent, ""); 417 break; 418 case IANA_AFI_IPV6: 419 BIO_printf(out, "%*sIPv6", indent, ""); 420 break; 421 default: 422 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 423 break; 424 } 425 if (f->addressFamily->length > 2) { 426 switch (f->addressFamily->data[2]) { 427 case 1: 428 BIO_puts(out, " (Unicast)"); 429 break; 430 case 2: 431 BIO_puts(out, " (Multicast)"); 432 break; 433 case 3: 434 BIO_puts(out, " (Unicast/Multicast)"); 435 break; 436 case 4: 437 BIO_puts(out, " (MPLS)"); 438 break; 439 case 64: 440 BIO_puts(out, " (Tunnel)"); 441 break; 442 case 65: 443 BIO_puts(out, " (VPLS)"); 444 break; 445 case 66: 446 BIO_puts(out, " (BGP MDT)"); 447 break; 448 case 128: 449 BIO_puts(out, " (MPLS-labeled VPN)"); 450 break; 451 default: 452 BIO_printf(out, " (Unknown SAFI %u)", 453 (unsigned)f->addressFamily->data[2]); 454 break; 455 } 456 } 457 switch (f->ipAddressChoice->type) { 458 case IPAddressChoice_inherit: 459 BIO_puts(out, ": inherit\n"); 460 break; 461 case IPAddressChoice_addressesOrRanges: 462 BIO_puts(out, ":\n"); 463 if (!i2r_IPAddressOrRanges(out, 464 indent + 2, 465 f->ipAddressChoice-> 466 u.addressesOrRanges, afi)) 467 return 0; 468 break; 469 } 470 } 471 return 1; 472 } 473 474 /* 475 * Sort comparison function for a sequence of IPAddressOrRange 476 * elements. 477 * 478 * There's no sane answer we can give if addr_expand() fails, and an 479 * assertion failure on externally supplied data is seriously uncool, 480 * so we just arbitrarily declare that if given invalid inputs this 481 * function returns -1. If this messes up your preferred sort order 482 * for garbage input, tough noogies. 483 */ 484 static int 485 IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b, 486 const int length) 487 { 488 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 489 int prefixlen_a = 0, prefixlen_b = 0; 490 int r; 491 492 switch (a->type) { 493 case IPAddressOrRange_addressPrefix: 494 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 495 return -1; 496 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 497 break; 498 case IPAddressOrRange_addressRange: 499 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 500 return -1; 501 prefixlen_a = length * 8; 502 break; 503 } 504 505 switch (b->type) { 506 case IPAddressOrRange_addressPrefix: 507 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 508 return -1; 509 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 510 break; 511 case IPAddressOrRange_addressRange: 512 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 513 return -1; 514 prefixlen_b = length * 8; 515 break; 516 } 517 518 if ((r = memcmp(addr_a, addr_b, length)) != 0) 519 return r; 520 else 521 return prefixlen_a - prefixlen_b; 522 } 523 524 /* 525 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 526 * comparison routines are only allowed two arguments. 527 */ 528 static int 529 v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 530 const IPAddressOrRange *const *b) 531 { 532 return IPAddressOrRange_cmp(*a, *b, 4); 533 } 534 535 /* 536 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 537 * comparison routines are only allowed two arguments. 538 */ 539 static int 540 v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 541 const IPAddressOrRange *const *b) 542 { 543 return IPAddressOrRange_cmp(*a, *b, 16); 544 } 545 546 /* 547 * Calculate whether a range collapses to a prefix. 548 * See last paragraph of RFC 3779 2.2.3.7. 549 */ 550 static int 551 range_should_be_prefix(const unsigned char *min, const unsigned char *max, 552 const int length) 553 { 554 unsigned char mask; 555 int i, j; 556 557 if (memcmp(min, max, length) <= 0) 558 return -1; 559 for (i = 0; i < length && min[i] == max[i]; i++) 560 continue; 561 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) 562 continue; 563 if (i < j) 564 return -1; 565 if (i > j) 566 return i * 8; 567 mask = min[i] ^ max[i]; 568 switch (mask) { 569 case 0x01: 570 j = 7; 571 break; 572 case 0x03: 573 j = 6; 574 break; 575 case 0x07: 576 j = 5; 577 break; 578 case 0x0F: 579 j = 4; 580 break; 581 case 0x1F: 582 j = 3; 583 break; 584 case 0x3F: 585 j = 2; 586 break; 587 case 0x7F: 588 j = 1; 589 break; 590 default: 591 return -1; 592 } 593 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 594 return -1; 595 else 596 return i * 8 + j; 597 } 598 599 /* 600 * Construct a prefix. 601 */ 602 static int 603 make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, 604 const int prefixlen) 605 { 606 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 607 IPAddressOrRange *aor = IPAddressOrRange_new(); 608 609 if (aor == NULL) 610 return 0; 611 aor->type = IPAddressOrRange_addressPrefix; 612 if (aor->u.addressPrefix == NULL && 613 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 614 goto err; 615 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 616 goto err; 617 aor->u.addressPrefix->flags &= ~7; 618 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 619 if (bitlen > 0) { 620 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 621 aor->u.addressPrefix->flags |= 8 - bitlen; 622 } 623 624 *result = aor; 625 return 1; 626 627 err: 628 IPAddressOrRange_free(aor); 629 return 0; 630 } 631 632 /* 633 * Construct a range. If it can be expressed as a prefix, 634 * return a prefix instead. Doing this here simplifies 635 * the rest of the code considerably. 636 */ 637 static int 638 make_addressRange(IPAddressOrRange **result, unsigned char *min, 639 unsigned char *max, const int length) 640 { 641 IPAddressOrRange *aor; 642 int i, prefixlen; 643 644 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 645 return make_addressPrefix(result, min, prefixlen); 646 647 if ((aor = IPAddressOrRange_new()) == NULL) 648 return 0; 649 aor->type = IPAddressOrRange_addressRange; 650 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 651 goto err; 652 if (aor->u.addressRange->min == NULL && 653 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 654 goto err; 655 if (aor->u.addressRange->max == NULL && 656 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 657 goto err; 658 659 for (i = length; i > 0 && min[i - 1] == 0x00; --i) 660 continue; 661 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 662 goto err; 663 aor->u.addressRange->min->flags &= ~7; 664 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 665 if (i > 0) { 666 unsigned char b = min[i - 1]; 667 int j = 1; 668 while ((b & (0xFFU >> j)) != 0) 669 ++j; 670 aor->u.addressRange->min->flags |= 8 - j; 671 } 672 673 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) 674 continue; 675 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 676 goto err; 677 aor->u.addressRange->max->flags &= ~7; 678 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 679 if (i > 0) { 680 unsigned char b = max[i - 1]; 681 int j = 1; 682 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 683 ++j; 684 aor->u.addressRange->max->flags |= 8 - j; 685 } 686 687 *result = aor; 688 return 1; 689 690 err: 691 IPAddressOrRange_free(aor); 692 return 0; 693 } 694 695 /* 696 * Construct a new address family or find an existing one. 697 */ 698 static IPAddressFamily * 699 make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi, 700 const unsigned *safi) 701 { 702 IPAddressFamily *f; 703 unsigned char key[3]; 704 int keylen; 705 int i; 706 707 key[0] = (afi >> 8) & 0xFF; 708 key[1] = afi & 0xFF; 709 if (safi != NULL) { 710 key[2] = *safi & 0xFF; 711 keylen = 3; 712 } else { 713 keylen = 2; 714 } 715 716 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 717 f = sk_IPAddressFamily_value(addr, i); 718 if (f->addressFamily->length == keylen && 719 !memcmp(f->addressFamily->data, key, keylen)) 720 return f; 721 } 722 723 if ((f = IPAddressFamily_new()) == NULL) 724 goto err; 725 if (f->ipAddressChoice == NULL && 726 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 727 goto err; 728 if (f->addressFamily == NULL && 729 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 730 goto err; 731 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 732 goto err; 733 if (!sk_IPAddressFamily_push(addr, f)) 734 goto err; 735 736 return f; 737 738 err: 739 IPAddressFamily_free(f); 740 return NULL; 741 } 742 743 /* 744 * Add an inheritance element. 745 */ 746 int 747 X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi, 748 const unsigned *safi) 749 { 750 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 751 if (f == NULL || 752 f->ipAddressChoice == NULL || 753 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 754 f->ipAddressChoice->u.addressesOrRanges != NULL)) 755 return 0; 756 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 757 f->ipAddressChoice->u.inherit != NULL) 758 return 1; 759 if (f->ipAddressChoice->u.inherit == NULL && 760 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 761 return 0; 762 f->ipAddressChoice->type = IPAddressChoice_inherit; 763 return 1; 764 } 765 766 /* 767 * Construct an IPAddressOrRange sequence, or return an existing one. 768 */ 769 static IPAddressOrRanges * 770 make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi, 771 const unsigned *safi) 772 { 773 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 774 IPAddressOrRanges *aors = NULL; 775 776 if (f == NULL || 777 f->ipAddressChoice == NULL || 778 (f->ipAddressChoice->type == IPAddressChoice_inherit && 779 f->ipAddressChoice->u.inherit != NULL)) 780 return NULL; 781 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 782 aors = f->ipAddressChoice->u.addressesOrRanges; 783 if (aors != NULL) 784 return aors; 785 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 786 return NULL; 787 switch (afi) { 788 case IANA_AFI_IPV4: 789 (void)sk_IPAddressOrRange_set_cmp_func(aors, 790 v4IPAddressOrRange_cmp); 791 break; 792 case IANA_AFI_IPV6: 793 (void)sk_IPAddressOrRange_set_cmp_func(aors, 794 v6IPAddressOrRange_cmp); 795 break; 796 } 797 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 798 f->ipAddressChoice->u.addressesOrRanges = aors; 799 return aors; 800 } 801 802 /* 803 * Add a prefix. 804 */ 805 int 806 X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi, 807 const unsigned *safi, unsigned char *a, const int prefixlen) 808 { 809 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 810 IPAddressOrRange *aor; 811 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 812 return 0; 813 if (sk_IPAddressOrRange_push(aors, aor)) 814 return 1; 815 IPAddressOrRange_free(aor); 816 return 0; 817 } 818 819 /* 820 * Add a range. 821 */ 822 int 823 X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, 824 const unsigned *safi, unsigned char *min, unsigned char *max) 825 { 826 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 827 IPAddressOrRange *aor; 828 int length = length_from_afi(afi); 829 if (aors == NULL) 830 return 0; 831 if (!make_addressRange(&aor, min, max, length)) 832 return 0; 833 if (sk_IPAddressOrRange_push(aors, aor)) 834 return 1; 835 IPAddressOrRange_free(aor); 836 return 0; 837 } 838 839 /* 840 * Extract min and max values from an IPAddressOrRange. 841 */ 842 static int 843 extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max, 844 int length) 845 { 846 if (aor == NULL || min == NULL || max == NULL) 847 return 0; 848 switch (aor->type) { 849 case IPAddressOrRange_addressPrefix: 850 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 851 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 852 case IPAddressOrRange_addressRange: 853 return (addr_expand(min, aor->u.addressRange->min, length, 854 0x00) && 855 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 856 } 857 return 0; 858 } 859 860 /* 861 * Public wrapper for extract_min_max(). 862 */ 863 int 864 X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, 865 unsigned char *min, unsigned char *max, const int length) 866 { 867 int afi_length = length_from_afi(afi); 868 if (aor == NULL || min == NULL || max == NULL || 869 afi_length == 0 || length < afi_length || 870 (aor->type != IPAddressOrRange_addressPrefix && 871 aor->type != IPAddressOrRange_addressRange) || 872 !extract_min_max(aor, min, max, afi_length)) 873 return 0; 874 875 return afi_length; 876 } 877 878 /* 879 * Sort comparison function for a sequence of IPAddressFamily. 880 * 881 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 882 * the ordering: I can read it as meaning that IPv6 without a SAFI 883 * comes before IPv4 with a SAFI, which seems pretty weird. The 884 * examples in appendix B suggest that the author intended the 885 * null-SAFI rule to apply only within a single AFI, which is what I 886 * would have expected and is what the following code implements. 887 */ 888 static int 889 IPAddressFamily_cmp(const IPAddressFamily *const *a_, 890 const IPAddressFamily *const *b_) 891 { 892 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 893 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 894 int len = ((a->length <= b->length) ? a->length : b->length); 895 int cmp = memcmp(a->data, b->data, len); 896 return cmp ? cmp : a->length - b->length; 897 } 898 899 /* 900 * Check whether an IPAddrBLocks is in canonical form. 901 */ 902 int 903 X509v3_addr_is_canonical(IPAddrBlocks *addr) 904 { 905 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 906 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 907 IPAddressOrRanges *aors; 908 int i, j, k; 909 910 /* 911 * Empty extension is canonical. 912 */ 913 if (addr == NULL) 914 return 1; 915 916 /* 917 * Check whether the top-level list is in order. 918 */ 919 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 920 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 921 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 922 if (IPAddressFamily_cmp(&a, &b) >= 0) 923 return 0; 924 } 925 926 /* 927 * Top level's ok, now check each address family. 928 */ 929 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 930 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 931 int length = length_from_afi(X509v3_addr_get_afi(f)); 932 933 /* 934 * Inheritance is canonical. Anything other than inheritance 935 * or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or 936 * something. 937 */ 938 if (f == NULL || f->ipAddressChoice == NULL) 939 return 0; 940 switch (f->ipAddressChoice->type) { 941 case IPAddressChoice_inherit: 942 continue; 943 case IPAddressChoice_addressesOrRanges: 944 break; 945 default: 946 return 0; 947 } 948 949 /* 950 * It's an IPAddressOrRanges sequence, check it. 951 */ 952 aors = f->ipAddressChoice->u.addressesOrRanges; 953 if (sk_IPAddressOrRange_num(aors) == 0) 954 return 0; 955 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 956 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 957 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, 958 j + 1); 959 960 if (!extract_min_max(a, a_min, a_max, length) || 961 !extract_min_max(b, b_min, b_max, length)) 962 return 0; 963 964 /* 965 * Punt misordered list, overlapping start, or inverted 966 * range. 967 */ 968 if (memcmp(a_min, b_min, length) >= 0 || 969 memcmp(a_min, a_max, length) > 0 || 970 memcmp(b_min, b_max, length) > 0) 971 return 0; 972 973 /* 974 * Punt if adjacent or overlapping. Check for adjacency by 975 * subtracting one from b_min first. 976 */ 977 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) 978 continue; 979 if (memcmp(a_max, b_min, length) >= 0) 980 return 0; 981 982 /* 983 * Check for range that should be expressed as a prefix. 984 */ 985 if (a->type == IPAddressOrRange_addressRange && 986 range_should_be_prefix(a_min, a_max, length) >= 0) 987 return 0; 988 } 989 990 /* 991 * Check range to see if it's inverted or should be a 992 * prefix. 993 */ 994 j = sk_IPAddressOrRange_num(aors) - 1; 995 { 996 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 997 if (a != NULL && 998 a->type == IPAddressOrRange_addressRange) { 999 if (!extract_min_max(a, a_min, a_max, length)) 1000 return 0; 1001 if (memcmp(a_min, a_max, length) > 0 || 1002 range_should_be_prefix(a_min, a_max, 1003 length) >= 0) 1004 return 0; 1005 } 1006 } 1007 } 1008 1009 /* 1010 * If we made it through all that, we're happy. 1011 */ 1012 return 1; 1013 } 1014 1015 /* 1016 * Whack an IPAddressOrRanges into canonical form. 1017 */ 1018 static int 1019 IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi) 1020 { 1021 int i, j, length = length_from_afi(afi); 1022 1023 /* 1024 * Sort the IPAddressOrRanges sequence. 1025 */ 1026 sk_IPAddressOrRange_sort(aors); 1027 1028 /* 1029 * Clean up representation issues, punt on duplicates or overlaps. 1030 */ 1031 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 1032 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 1033 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 1034 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1035 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1036 1037 if (!extract_min_max(a, a_min, a_max, length) || 1038 !extract_min_max(b, b_min, b_max, length)) 1039 return 0; 1040 1041 /* 1042 * Punt inverted ranges. 1043 */ 1044 if (memcmp(a_min, a_max, length) > 0 || 1045 memcmp(b_min, b_max, length) > 0) 1046 return 0; 1047 1048 /* 1049 * Punt overlaps. 1050 */ 1051 if (memcmp(a_max, b_min, length) >= 0) 1052 return 0; 1053 1054 /* 1055 * Merge if a and b are adjacent. We check for 1056 * adjacency by subtracting one from b_min first. 1057 */ 1058 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) 1059 continue; 1060 if (memcmp(a_max, b_min, length) == 0) { 1061 IPAddressOrRange *merged; 1062 if (!make_addressRange(&merged, a_min, b_max, length)) 1063 return 0; 1064 (void)sk_IPAddressOrRange_set(aors, i, merged); 1065 (void)sk_IPAddressOrRange_delete(aors, i + 1); 1066 IPAddressOrRange_free(a); 1067 IPAddressOrRange_free(b); 1068 --i; 1069 continue; 1070 } 1071 } 1072 1073 /* 1074 * Check for inverted final range. 1075 */ 1076 j = sk_IPAddressOrRange_num(aors) - 1; 1077 { 1078 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 1079 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 1080 unsigned char a_min[ADDR_RAW_BUF_LEN], 1081 a_max[ADDR_RAW_BUF_LEN]; 1082 if (!extract_min_max(a, a_min, a_max, length)) 1083 return 0; 1084 if (memcmp(a_min, a_max, length) > 0) 1085 return 0; 1086 } 1087 } 1088 1089 return 1; 1090 } 1091 1092 /* 1093 * Whack an IPAddrBlocks extension into canonical form. 1094 */ 1095 int 1096 X509v3_addr_canonize(IPAddrBlocks *addr) 1097 { 1098 int i; 1099 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1100 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1101 if (f->ipAddressChoice->type == 1102 IPAddressChoice_addressesOrRanges && 1103 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, 1104 X509v3_addr_get_afi(f))) 1105 return 0; 1106 } 1107 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 1108 sk_IPAddressFamily_sort(addr); 1109 OPENSSL_assert(X509v3_addr_is_canonical(addr)); 1110 return 1; 1111 } 1112 1113 /* 1114 * v2i handler for the IPAddrBlocks extension. 1115 */ 1116 static void * 1117 v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, 1118 STACK_OF(CONF_VALUE)*values) 1119 { 1120 static const char v4addr_chars[] = "0123456789."; 1121 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 1122 IPAddrBlocks *addr = NULL; 1123 char *s = NULL, *t; 1124 int i; 1125 1126 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 1127 X509V3error(ERR_R_MALLOC_FAILURE); 1128 return NULL; 1129 } 1130 1131 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 1132 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 1133 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 1134 unsigned afi, *safi = NULL, safi_; 1135 const char *addr_chars = NULL; 1136 int prefixlen, i1, i2, delim, length; 1137 1138 if (!name_cmp(val->name, "IPv4")) { 1139 afi = IANA_AFI_IPV4; 1140 } else if (!name_cmp(val->name, "IPv6")) { 1141 afi = IANA_AFI_IPV6; 1142 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 1143 afi = IANA_AFI_IPV4; 1144 safi = &safi_; 1145 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 1146 afi = IANA_AFI_IPV6; 1147 safi = &safi_; 1148 } else { 1149 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 1150 X509V3_conf_err(val); 1151 goto err; 1152 } 1153 1154 switch (afi) { 1155 case IANA_AFI_IPV4: 1156 addr_chars = v4addr_chars; 1157 break; 1158 case IANA_AFI_IPV6: 1159 addr_chars = v6addr_chars; 1160 break; 1161 } 1162 1163 length = length_from_afi(afi); 1164 1165 /* 1166 * Handle SAFI, if any, and strdup() so we can null-terminate 1167 * the other input values. 1168 */ 1169 if (safi != NULL) { 1170 *safi = strtoul(val->value, &t, 0); 1171 t += strspn(t, " \t"); 1172 if (*safi > 0xFF || *t++ != ':') { 1173 X509V3error(X509V3_R_INVALID_SAFI); 1174 X509V3_conf_err(val); 1175 goto err; 1176 } 1177 t += strspn(t, " \t"); 1178 s = strdup(t); 1179 } else { 1180 s = strdup(val->value); 1181 } 1182 if (s == NULL) { 1183 X509V3error(ERR_R_MALLOC_FAILURE); 1184 goto err; 1185 } 1186 1187 /* 1188 * Check for inheritance. Not worth additional complexity to 1189 * optimize this (seldom-used) case. 1190 */ 1191 if (strcmp(s, "inherit") == 0) { 1192 if (!X509v3_addr_add_inherit(addr, afi, safi)) { 1193 X509V3error(X509V3_R_INVALID_INHERITANCE); 1194 X509V3_conf_err(val); 1195 goto err; 1196 } 1197 free(s); 1198 s = NULL; 1199 continue; 1200 } 1201 1202 i1 = strspn(s, addr_chars); 1203 i2 = i1 + strspn(s + i1, " \t"); 1204 delim = s[i2++]; 1205 s[i1] = '\0'; 1206 1207 if (a2i_ipadd(min, s) != length) { 1208 X509V3error(X509V3_R_INVALID_IPADDRESS); 1209 X509V3_conf_err(val); 1210 goto err; 1211 } 1212 1213 switch (delim) { 1214 case '/': 1215 prefixlen = (int)strtoul(s + i2, &t, 10); 1216 if (t == s + i2 || *t != '\0') { 1217 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1218 X509V3_conf_err(val); 1219 goto err; 1220 } 1221 if (!X509v3_addr_add_prefix(addr, afi, safi, min, 1222 prefixlen)) { 1223 X509V3error(ERR_R_MALLOC_FAILURE); 1224 goto err; 1225 } 1226 break; 1227 case '-': 1228 i1 = i2 + strspn(s + i2, " \t"); 1229 i2 = i1 + strspn(s + i1, addr_chars); 1230 if (i1 == i2 || s[i2] != '\0') { 1231 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1232 X509V3_conf_err(val); 1233 goto err; 1234 } 1235 if (a2i_ipadd(max, s + i1) != length) { 1236 X509V3error(X509V3_R_INVALID_IPADDRESS); 1237 X509V3_conf_err(val); 1238 goto err; 1239 } 1240 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1241 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1242 X509V3_conf_err(val); 1243 goto err; 1244 } 1245 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { 1246 X509V3error(ERR_R_MALLOC_FAILURE); 1247 goto err; 1248 } 1249 break; 1250 case '\0': 1251 if (!X509v3_addr_add_prefix(addr, afi, safi, min, 1252 length * 8)) { 1253 X509V3error(ERR_R_MALLOC_FAILURE); 1254 goto err; 1255 } 1256 break; 1257 default: 1258 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1259 X509V3_conf_err(val); 1260 goto err; 1261 } 1262 1263 free(s); 1264 s = NULL; 1265 } 1266 1267 /* 1268 * Canonize the result, then we're done. 1269 */ 1270 if (!X509v3_addr_canonize(addr)) 1271 goto err; 1272 return addr; 1273 1274 err: 1275 free(s); 1276 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1277 return NULL; 1278 } 1279 1280 /* 1281 * OpenSSL dispatch 1282 */ 1283 const X509V3_EXT_METHOD v3_addr = { 1284 NID_sbgp_ipAddrBlock, /* nid */ 1285 0, /* flags */ 1286 &IPAddrBlocks_it, 1287 0, 0, 0, 0, /* old functions, ignored */ 1288 0, /* i2s */ 1289 0, /* s2i */ 1290 0, /* i2v */ 1291 v2i_IPAddrBlocks, /* v2i */ 1292 i2r_IPAddrBlocks, /* i2r */ 1293 0, /* r2i */ 1294 NULL /* extension-specific data */ 1295 }; 1296 1297 /* 1298 * Figure out whether extension sues inheritance. 1299 */ 1300 int 1301 X509v3_addr_inherits(IPAddrBlocks *addr) 1302 { 1303 int i; 1304 if (addr == NULL) 1305 return 0; 1306 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1307 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1308 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1309 return 1; 1310 } 1311 return 0; 1312 } 1313 1314 /* 1315 * Figure out whether parent contains child. 1316 */ 1317 static int 1318 addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length) 1319 { 1320 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1321 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1322 int p, c; 1323 1324 if (child == NULL || parent == child) 1325 return 1; 1326 if (parent == NULL) 1327 return 0; 1328 1329 p = 0; 1330 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1331 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1332 c_min, c_max, length)) 1333 return -1; 1334 for (;; p++) { 1335 if (p >= sk_IPAddressOrRange_num(parent)) 1336 return 0; 1337 if (!extract_min_max(sk_IPAddressOrRange_value(parent, 1338 p), p_min, p_max, length)) 1339 return 0; 1340 if (memcmp(p_max, c_max, length) < 0) 1341 continue; 1342 if (memcmp(p_min, c_min, length) > 0) 1343 return 0; 1344 break; 1345 } 1346 } 1347 1348 return 1; 1349 } 1350 1351 /* 1352 * Test whether a is a subset of b. 1353 */ 1354 int 1355 X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1356 { 1357 int i; 1358 if (a == NULL || a == b) 1359 return 1; 1360 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b)) 1361 return 0; 1362 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1363 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1364 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1365 int j = sk_IPAddressFamily_find(b, fa); 1366 IPAddressFamily *fb; 1367 fb = sk_IPAddressFamily_value(b, j); 1368 if (fb == NULL) 1369 return 0; 1370 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1371 fa->ipAddressChoice->u.addressesOrRanges, 1372 length_from_afi(X509v3_addr_get_afi(fb)))) 1373 return 0; 1374 } 1375 return 1; 1376 } 1377 1378 /* 1379 * Validation error handling via callback. 1380 */ 1381 #define validation_err(_err_) \ 1382 do { \ 1383 if (ctx != NULL) { \ 1384 ctx->error = _err_; \ 1385 ctx->error_depth = i; \ 1386 ctx->current_cert = x; \ 1387 ret = ctx->verify_cb(0, ctx); \ 1388 } else { \ 1389 ret = 0; \ 1390 } \ 1391 if (!ret) \ 1392 goto done; \ 1393 } while (0) 1394 1395 /* 1396 * Core code for RFC 3779 2.3 path validation. 1397 * 1398 * Returns 1 for success, 0 on error. 1399 * 1400 * When returning 0, ctx->error MUST be set to an appropriate value other than 1401 * X509_V_OK. 1402 */ 1403 static int 1404 addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain, 1405 IPAddrBlocks *ext) 1406 { 1407 IPAddrBlocks *child = NULL; 1408 int i, j, ret = 1; 1409 X509 *x; 1410 1411 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1412 OPENSSL_assert(ctx != NULL || ext != NULL); 1413 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1414 1415 /* 1416 * Figure out where to start. If we don't have an extension to check, 1417 * we're done. Otherwise, check canonical form and set up for walking 1418 * up the chain. 1419 */ 1420 if (ext != NULL) { 1421 i = -1; 1422 x = NULL; 1423 } else { 1424 i = 0; 1425 x = sk_X509_value(chain, i); 1426 if ((ext = x->rfc3779_addr) == NULL) 1427 goto done; 1428 } 1429 if (!X509v3_addr_is_canonical(ext)) 1430 validation_err(X509_V_ERR_INVALID_EXTENSION); 1431 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1432 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1433 X509V3error(ERR_R_MALLOC_FAILURE); 1434 if (ctx != NULL) 1435 ctx->error = X509_V_ERR_OUT_OF_MEM; 1436 ret = 0; 1437 goto done; 1438 } 1439 1440 /* 1441 * Now walk up the chain. No cert may list resources that its parent 1442 * doesn't list. 1443 */ 1444 for (i++; i < sk_X509_num(chain); i++) { 1445 x = sk_X509_value(chain, i); 1446 if (!X509v3_addr_is_canonical(x->rfc3779_addr)) 1447 validation_err(X509_V_ERR_INVALID_EXTENSION); 1448 if (x->rfc3779_addr == NULL) { 1449 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1450 IPAddressFamily *fc = sk_IPAddressFamily_value(child, 1451 j); 1452 if (fc->ipAddressChoice->type != 1453 IPAddressChoice_inherit) { 1454 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1455 break; 1456 } 1457 } 1458 continue; 1459 } 1460 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, 1461 IPAddressFamily_cmp); 1462 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1463 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1464 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1465 IPAddressFamily *fp = 1466 sk_IPAddressFamily_value(x->rfc3779_addr, k); 1467 if (fp == NULL) { 1468 if (fc->ipAddressChoice->type == 1469 IPAddressChoice_addressesOrRanges) { 1470 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1471 break; 1472 } 1473 continue; 1474 } 1475 if (fp->ipAddressChoice->type == 1476 IPAddressChoice_addressesOrRanges) { 1477 if (fc->ipAddressChoice->type == 1478 IPAddressChoice_inherit || 1479 addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1480 fc->ipAddressChoice->u.addressesOrRanges, 1481 length_from_afi(X509v3_addr_get_afi(fc)))) 1482 sk_IPAddressFamily_set(child, j, fp); 1483 else 1484 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1485 } 1486 } 1487 } 1488 1489 /* 1490 * Trust anchor can't inherit. 1491 */ 1492 if (x->rfc3779_addr != NULL) { 1493 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1494 IPAddressFamily *fp = 1495 sk_IPAddressFamily_value(x->rfc3779_addr, j); 1496 if (fp->ipAddressChoice->type == 1497 IPAddressChoice_inherit && 1498 sk_IPAddressFamily_find(child, fp) >= 0) 1499 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1500 } 1501 } 1502 1503 done: 1504 sk_IPAddressFamily_free(child); 1505 return ret; 1506 } 1507 1508 #undef validation_err 1509 1510 /* 1511 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1512 */ 1513 int 1514 X509v3_addr_validate_path(X509_STORE_CTX *ctx) 1515 { 1516 if (ctx->chain == NULL || 1517 sk_X509_num(ctx->chain) == 0 || 1518 ctx->verify_cb == NULL) { 1519 ctx->error = X509_V_ERR_UNSPECIFIED; 1520 return 0; 1521 } 1522 return addr_validate_path_internal(ctx, ctx->chain, NULL); 1523 } 1524 1525 /* 1526 * RFC 3779 2.3 path validation of an extension. 1527 * Test whether chain covers extension. 1528 */ 1529 int 1530 X509v3_addr_validate_resource_set(STACK_OF(X509)*chain, IPAddrBlocks *ext, 1531 int allow_inheritance) 1532 { 1533 if (ext == NULL) 1534 return 1; 1535 if (chain == NULL || sk_X509_num(chain) == 0) 1536 return 0; 1537 if (!allow_inheritance && X509v3_addr_inherits(ext)) 1538 return 0; 1539 return addr_validate_path_internal(NULL, chain, ext); 1540 } 1541 1542 #endif /* OPENSSL_NO_RFC3779 */ 1543