1 /* 2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * Implementation of RFC 3779 section 2.2. 12 */ 13 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <string.h> 17 18 #include <openssl/asn1.h> 19 #include <openssl/asn1t.h> 20 #include <openssl/buffer.h> 21 #include <openssl/conf.h> 22 #include <openssl/err.h> 23 #include <openssl/x509.h> 24 #include <openssl/x509v3.h> 25 26 #include "ext_dat.h" 27 28 #ifndef OPENSSL_NO_RFC3779 29 30 /* 31 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 32 */ 33 34 static const ASN1_TEMPLATE IPAddressRange_seq_tt[] = { 35 { 36 .flags = 0, 37 .tag = 0, 38 .offset = offsetof(IPAddressRange, min), 39 .field_name = "min", 40 .item = &ASN1_BIT_STRING_it, 41 }, 42 { 43 .flags = 0, 44 .tag = 0, 45 .offset = offsetof(IPAddressRange, max), 46 .field_name = "max", 47 .item = &ASN1_BIT_STRING_it, 48 }, 49 }; 50 51 const ASN1_ITEM IPAddressRange_it = { 52 .itype = ASN1_ITYPE_SEQUENCE, 53 .utype = V_ASN1_SEQUENCE, 54 .templates = IPAddressRange_seq_tt, 55 .tcount = sizeof(IPAddressRange_seq_tt) / sizeof(ASN1_TEMPLATE), 56 .funcs = NULL, 57 .size = sizeof(IPAddressRange), 58 .sname = "IPAddressRange", 59 }; 60 61 static const ASN1_TEMPLATE IPAddressOrRange_ch_tt[] = { 62 { 63 .flags = 0, 64 .tag = 0, 65 .offset = offsetof(IPAddressOrRange, u.addressPrefix), 66 .field_name = "u.addressPrefix", 67 .item = &ASN1_BIT_STRING_it, 68 }, 69 { 70 .flags = 0, 71 .tag = 0, 72 .offset = offsetof(IPAddressOrRange, u.addressRange), 73 .field_name = "u.addressRange", 74 .item = &IPAddressRange_it, 75 }, 76 }; 77 78 const ASN1_ITEM IPAddressOrRange_it = { 79 .itype = ASN1_ITYPE_CHOICE, 80 .utype = offsetof(IPAddressOrRange, type), 81 .templates = IPAddressOrRange_ch_tt, 82 .tcount = sizeof(IPAddressOrRange_ch_tt) / sizeof(ASN1_TEMPLATE), 83 .funcs = NULL, 84 .size = sizeof(IPAddressOrRange), 85 .sname = "IPAddressOrRange", 86 }; 87 88 static const ASN1_TEMPLATE IPAddressChoice_ch_tt[] = { 89 { 90 .flags = 0, 91 .tag = 0, 92 .offset = offsetof(IPAddressChoice, u.inherit), 93 .field_name = "u.inherit", 94 .item = &ASN1_NULL_it, 95 }, 96 { 97 .flags = ASN1_TFLG_SEQUENCE_OF, 98 .tag = 0, 99 .offset = offsetof(IPAddressChoice, u.addressesOrRanges), 100 .field_name = "u.addressesOrRanges", 101 .item = &IPAddressOrRange_it, 102 }, 103 }; 104 105 const ASN1_ITEM IPAddressChoice_it = { 106 .itype = ASN1_ITYPE_CHOICE, 107 .utype = offsetof(IPAddressChoice, type), 108 .templates = IPAddressChoice_ch_tt, 109 .tcount = sizeof(IPAddressChoice_ch_tt) / sizeof(ASN1_TEMPLATE), 110 .funcs = NULL, 111 .size = sizeof(IPAddressChoice), 112 .sname = "IPAddressChoice", 113 }; 114 115 static const ASN1_TEMPLATE IPAddressFamily_seq_tt[] = { 116 { 117 .flags = 0, 118 .tag = 0, 119 .offset = offsetof(IPAddressFamily, addressFamily), 120 .field_name = "addressFamily", 121 .item = &ASN1_OCTET_STRING_it, 122 }, 123 { 124 .flags = 0, 125 .tag = 0, 126 .offset = offsetof(IPAddressFamily, ipAddressChoice), 127 .field_name = "ipAddressChoice", 128 .item = &IPAddressChoice_it, 129 }, 130 }; 131 132 const ASN1_ITEM IPAddressFamily_it = { 133 .itype = ASN1_ITYPE_SEQUENCE, 134 .utype = V_ASN1_SEQUENCE, 135 .templates = IPAddressFamily_seq_tt, 136 .tcount = sizeof(IPAddressFamily_seq_tt) / sizeof(ASN1_TEMPLATE), 137 .funcs = NULL, 138 .size = sizeof(IPAddressFamily), 139 .sname = "IPAddressFamily", 140 }; 141 142 static const ASN1_TEMPLATE IPAddrBlocks_item_tt = { 143 .flags = ASN1_TFLG_SEQUENCE_OF, 144 .tag = 0, 145 .offset = 0, 146 .field_name = "IPAddrBlocks", 147 .item = &IPAddressFamily_it, 148 }; 149 150 /* XXX: maybe special? */ 151 static const ASN1_ITEM IPAddrBlocks_it = { 152 .itype = ASN1_ITYPE_PRIMITIVE, 153 .utype = -1, 154 .templates = &IPAddrBlocks_item_tt, 155 .tcount = 0, 156 .funcs = NULL, 157 .size = 0, 158 .sname = "IPAddrBlocks", 159 }; 160 161 IPAddressRange * 162 d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len) 163 { 164 return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 165 &IPAddressRange_it); 166 } 167 168 int 169 i2d_IPAddressRange(IPAddressRange *a, unsigned char **out) 170 { 171 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it); 172 } 173 174 IPAddressRange * 175 IPAddressRange_new(void) 176 { 177 return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it); 178 } 179 180 void 181 IPAddressRange_free(IPAddressRange *a) 182 { 183 ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it); 184 } 185 186 IPAddressOrRange * 187 d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len) 188 { 189 return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 190 &IPAddressOrRange_it); 191 } 192 193 int 194 i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out) 195 { 196 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it); 197 } 198 199 IPAddressOrRange * 200 IPAddressOrRange_new(void) 201 { 202 return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it); 203 } 204 205 void 206 IPAddressOrRange_free(IPAddressOrRange *a) 207 { 208 ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it); 209 } 210 211 IPAddressChoice * 212 d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len) 213 { 214 return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 215 &IPAddressChoice_it); 216 } 217 218 int 219 i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out) 220 { 221 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it); 222 } 223 224 IPAddressChoice * 225 IPAddressChoice_new(void) 226 { 227 return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it); 228 } 229 230 void 231 IPAddressChoice_free(IPAddressChoice *a) 232 { 233 ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it); 234 } 235 236 IPAddressFamily * 237 d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len) 238 { 239 return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 240 &IPAddressFamily_it); 241 } 242 243 int 244 i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out) 245 { 246 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it); 247 } 248 249 IPAddressFamily * 250 IPAddressFamily_new(void) 251 { 252 return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it); 253 } 254 255 void 256 IPAddressFamily_free(IPAddressFamily *a) 257 { 258 ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it); 259 } 260 261 /* 262 * How much buffer space do we need for a raw address? 263 */ 264 #define ADDR_RAW_BUF_LEN 16 265 266 /* 267 * What's the address length associated with this AFI? 268 */ 269 static int 270 length_from_afi(const unsigned afi) 271 { 272 switch (afi) { 273 case IANA_AFI_IPV4: 274 return 4; 275 case IANA_AFI_IPV6: 276 return 16; 277 default: 278 return 0; 279 } 280 } 281 282 /* 283 * Extract the AFI from an IPAddressFamily. 284 */ 285 unsigned int 286 X509v3_addr_get_afi(const IPAddressFamily *f) 287 { 288 if (f == NULL || 289 f->addressFamily == NULL || 290 f->addressFamily->data == NULL || 291 f->addressFamily->length < 2) 292 return 0; 293 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; 294 } 295 296 /* 297 * Expand the bitstring form of an address into a raw byte array. 298 * At the moment this is coded for simplicity, not speed. 299 */ 300 static int 301 addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length, 302 const unsigned char fill) 303 { 304 if (bs->length < 0 || bs->length > length) 305 return 0; 306 if (bs->length > 0) { 307 memcpy(addr, bs->data, bs->length); 308 if ((bs->flags & 7) != 0) { 309 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 310 if (fill == 0) 311 addr[bs->length - 1] &= ~mask; 312 else 313 addr[bs->length - 1] |= mask; 314 } 315 } 316 memset(addr + bs->length, fill, length - bs->length); 317 return 1; 318 } 319 320 /* 321 * Extract the prefix length from a bitstring. 322 */ 323 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 324 325 /* 326 * i2r handler for one address bitstring. 327 */ 328 static int 329 i2r_address(BIO *out, const unsigned afi, const unsigned char fill, 330 const ASN1_BIT_STRING *bs) 331 { 332 unsigned char addr[ADDR_RAW_BUF_LEN]; 333 int i, n; 334 335 if (bs->length < 0) 336 return 0; 337 switch (afi) { 338 case IANA_AFI_IPV4: 339 if (!addr_expand(addr, bs, 4, fill)) 340 return 0; 341 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], 342 addr[3]); 343 break; 344 case IANA_AFI_IPV6: 345 if (!addr_expand(addr, bs, 16, fill)) 346 return 0; 347 for (n = 16; 348 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2) 349 continue; 350 for (i = 0; i < n; i += 2) 351 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 352 (i < 14 ? ":" : "")); 353 if (i < 16) 354 BIO_puts(out, ":"); 355 if (i == 0) 356 BIO_puts(out, ":"); 357 break; 358 default: 359 for (i = 0; i < bs->length; i++) 360 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), 361 bs->data[i]); 362 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 363 break; 364 } 365 return 1; 366 } 367 368 /* 369 * i2r handler for a sequence of addresses and ranges. 370 */ 371 static int 372 i2r_IPAddressOrRanges(BIO *out, const int indent, 373 const IPAddressOrRanges *aors, const unsigned afi) 374 { 375 int i; 376 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 377 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 378 BIO_printf(out, "%*s", indent, ""); 379 switch (aor->type) { 380 case IPAddressOrRange_addressPrefix: 381 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 382 return 0; 383 BIO_printf(out, "/%d\n", 384 addr_prefixlen(aor->u.addressPrefix)); 385 continue; 386 case IPAddressOrRange_addressRange: 387 if (!i2r_address(out, afi, 0x00, 388 aor->u.addressRange->min)) 389 return 0; 390 BIO_puts(out, "-"); 391 if (!i2r_address(out, afi, 0xFF, 392 aor->u.addressRange->max)) 393 return 0; 394 BIO_puts(out, "\n"); 395 continue; 396 } 397 } 398 return 1; 399 } 400 401 /* 402 * i2r handler for an IPAddrBlocks extension. 403 */ 404 static int 405 i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out, 406 int indent) 407 { 408 const IPAddrBlocks *addr = ext; 409 int i; 410 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 411 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 412 const unsigned int afi = X509v3_addr_get_afi(f); 413 switch (afi) { 414 case IANA_AFI_IPV4: 415 BIO_printf(out, "%*sIPv4", indent, ""); 416 break; 417 case IANA_AFI_IPV6: 418 BIO_printf(out, "%*sIPv6", indent, ""); 419 break; 420 default: 421 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 422 break; 423 } 424 if (f->addressFamily->length > 2) { 425 switch (f->addressFamily->data[2]) { 426 case 1: 427 BIO_puts(out, " (Unicast)"); 428 break; 429 case 2: 430 BIO_puts(out, " (Multicast)"); 431 break; 432 case 3: 433 BIO_puts(out, " (Unicast/Multicast)"); 434 break; 435 case 4: 436 BIO_puts(out, " (MPLS)"); 437 break; 438 case 64: 439 BIO_puts(out, " (Tunnel)"); 440 break; 441 case 65: 442 BIO_puts(out, " (VPLS)"); 443 break; 444 case 66: 445 BIO_puts(out, " (BGP MDT)"); 446 break; 447 case 128: 448 BIO_puts(out, " (MPLS-labeled VPN)"); 449 break; 450 default: 451 BIO_printf(out, " (Unknown SAFI %u)", 452 (unsigned)f->addressFamily->data[2]); 453 break; 454 } 455 } 456 switch (f->ipAddressChoice->type) { 457 case IPAddressChoice_inherit: 458 BIO_puts(out, ": inherit\n"); 459 break; 460 case IPAddressChoice_addressesOrRanges: 461 BIO_puts(out, ":\n"); 462 if (!i2r_IPAddressOrRanges(out, 463 indent + 2, 464 f->ipAddressChoice-> 465 u.addressesOrRanges, afi)) 466 return 0; 467 break; 468 } 469 } 470 return 1; 471 } 472 473 /* 474 * Sort comparison function for a sequence of IPAddressOrRange 475 * elements. 476 * 477 * There's no sane answer we can give if addr_expand() fails, and an 478 * assertion failure on externally supplied data is seriously uncool, 479 * so we just arbitrarily declare that if given invalid inputs this 480 * function returns -1. If this messes up your preferred sort order 481 * for garbage input, tough noogies. 482 */ 483 static int 484 IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b, 485 const int length) 486 { 487 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 488 int prefixlen_a = 0, prefixlen_b = 0; 489 int r; 490 491 switch (a->type) { 492 case IPAddressOrRange_addressPrefix: 493 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 494 return -1; 495 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 496 break; 497 case IPAddressOrRange_addressRange: 498 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 499 return -1; 500 prefixlen_a = length * 8; 501 break; 502 } 503 504 switch (b->type) { 505 case IPAddressOrRange_addressPrefix: 506 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 507 return -1; 508 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 509 break; 510 case IPAddressOrRange_addressRange: 511 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 512 return -1; 513 prefixlen_b = length * 8; 514 break; 515 } 516 517 if ((r = memcmp(addr_a, addr_b, length)) != 0) 518 return r; 519 else 520 return prefixlen_a - prefixlen_b; 521 } 522 523 /* 524 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 525 * comparison routines are only allowed two arguments. 526 */ 527 static int 528 v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 529 const IPAddressOrRange *const *b) 530 { 531 return IPAddressOrRange_cmp(*a, *b, 4); 532 } 533 534 /* 535 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 536 * comparison routines are only allowed two arguments. 537 */ 538 static int 539 v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 540 const IPAddressOrRange *const *b) 541 { 542 return IPAddressOrRange_cmp(*a, *b, 16); 543 } 544 545 /* 546 * Calculate whether a range collapses to a prefix. 547 * See last paragraph of RFC 3779 2.2.3.7. 548 */ 549 static int 550 range_should_be_prefix(const unsigned char *min, const unsigned char *max, 551 const int length) 552 { 553 unsigned char mask; 554 int i, j; 555 556 if (memcmp(min, max, length) <= 0) 557 return -1; 558 for (i = 0; i < length && min[i] == max[i]; i++) 559 continue; 560 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) 561 continue; 562 if (i < j) 563 return -1; 564 if (i > j) 565 return i * 8; 566 mask = min[i] ^ max[i]; 567 switch (mask) { 568 case 0x01: 569 j = 7; 570 break; 571 case 0x03: 572 j = 6; 573 break; 574 case 0x07: 575 j = 5; 576 break; 577 case 0x0F: 578 j = 4; 579 break; 580 case 0x1F: 581 j = 3; 582 break; 583 case 0x3F: 584 j = 2; 585 break; 586 case 0x7F: 587 j = 1; 588 break; 589 default: 590 return -1; 591 } 592 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 593 return -1; 594 else 595 return i * 8 + j; 596 } 597 598 /* 599 * Construct a prefix. 600 */ 601 static int 602 make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, 603 const int prefixlen) 604 { 605 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 606 IPAddressOrRange *aor = IPAddressOrRange_new(); 607 608 if (aor == NULL) 609 return 0; 610 aor->type = IPAddressOrRange_addressPrefix; 611 if (aor->u.addressPrefix == NULL && 612 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 613 goto err; 614 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 615 goto err; 616 aor->u.addressPrefix->flags &= ~7; 617 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 618 if (bitlen > 0) { 619 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 620 aor->u.addressPrefix->flags |= 8 - bitlen; 621 } 622 623 *result = aor; 624 return 1; 625 626 err: 627 IPAddressOrRange_free(aor); 628 return 0; 629 } 630 631 /* 632 * Construct a range. If it can be expressed as a prefix, 633 * return a prefix instead. Doing this here simplifies 634 * the rest of the code considerably. 635 */ 636 static int 637 make_addressRange(IPAddressOrRange **result, unsigned char *min, 638 unsigned char *max, const int length) 639 { 640 IPAddressOrRange *aor; 641 int i, prefixlen; 642 643 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 644 return make_addressPrefix(result, min, prefixlen); 645 646 if ((aor = IPAddressOrRange_new()) == NULL) 647 return 0; 648 aor->type = IPAddressOrRange_addressRange; 649 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 650 goto err; 651 if (aor->u.addressRange->min == NULL && 652 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 653 goto err; 654 if (aor->u.addressRange->max == NULL && 655 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 656 goto err; 657 658 for (i = length; i > 0 && min[i - 1] == 0x00; --i) 659 continue; 660 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 661 goto err; 662 aor->u.addressRange->min->flags &= ~7; 663 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 664 if (i > 0) { 665 unsigned char b = min[i - 1]; 666 int j = 1; 667 while ((b & (0xFFU >> j)) != 0) 668 ++j; 669 aor->u.addressRange->min->flags |= 8 - j; 670 } 671 672 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) 673 continue; 674 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 675 goto err; 676 aor->u.addressRange->max->flags &= ~7; 677 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 678 if (i > 0) { 679 unsigned char b = max[i - 1]; 680 int j = 1; 681 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 682 ++j; 683 aor->u.addressRange->max->flags |= 8 - j; 684 } 685 686 *result = aor; 687 return 1; 688 689 err: 690 IPAddressOrRange_free(aor); 691 return 0; 692 } 693 694 /* 695 * Construct a new address family or find an existing one. 696 */ 697 static IPAddressFamily * 698 make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi, 699 const unsigned *safi) 700 { 701 IPAddressFamily *f; 702 unsigned char key[3]; 703 int keylen; 704 int i; 705 706 key[0] = (afi >> 8) & 0xFF; 707 key[1] = afi & 0xFF; 708 if (safi != NULL) { 709 key[2] = *safi & 0xFF; 710 keylen = 3; 711 } else { 712 keylen = 2; 713 } 714 715 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 716 f = sk_IPAddressFamily_value(addr, i); 717 if (f->addressFamily->length == keylen && 718 !memcmp(f->addressFamily->data, key, keylen)) 719 return f; 720 } 721 722 if ((f = IPAddressFamily_new()) == NULL) 723 goto err; 724 if (f->ipAddressChoice == NULL && 725 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 726 goto err; 727 if (f->addressFamily == NULL && 728 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 729 goto err; 730 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 731 goto err; 732 if (!sk_IPAddressFamily_push(addr, f)) 733 goto err; 734 735 return f; 736 737 err: 738 IPAddressFamily_free(f); 739 return NULL; 740 } 741 742 /* 743 * Add an inheritance element. 744 */ 745 int 746 X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi, 747 const unsigned *safi) 748 { 749 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 750 if (f == NULL || 751 f->ipAddressChoice == NULL || 752 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 753 f->ipAddressChoice->u.addressesOrRanges != NULL)) 754 return 0; 755 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 756 f->ipAddressChoice->u.inherit != NULL) 757 return 1; 758 if (f->ipAddressChoice->u.inherit == NULL && 759 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 760 return 0; 761 f->ipAddressChoice->type = IPAddressChoice_inherit; 762 return 1; 763 } 764 765 /* 766 * Construct an IPAddressOrRange sequence, or return an existing one. 767 */ 768 static IPAddressOrRanges * 769 make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi, 770 const unsigned *safi) 771 { 772 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 773 IPAddressOrRanges *aors = NULL; 774 775 if (f == NULL || 776 f->ipAddressChoice == NULL || 777 (f->ipAddressChoice->type == IPAddressChoice_inherit && 778 f->ipAddressChoice->u.inherit != NULL)) 779 return NULL; 780 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 781 aors = f->ipAddressChoice->u.addressesOrRanges; 782 if (aors != NULL) 783 return aors; 784 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 785 return NULL; 786 switch (afi) { 787 case IANA_AFI_IPV4: 788 (void)sk_IPAddressOrRange_set_cmp_func(aors, 789 v4IPAddressOrRange_cmp); 790 break; 791 case IANA_AFI_IPV6: 792 (void)sk_IPAddressOrRange_set_cmp_func(aors, 793 v6IPAddressOrRange_cmp); 794 break; 795 } 796 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 797 f->ipAddressChoice->u.addressesOrRanges = aors; 798 return aors; 799 } 800 801 /* 802 * Add a prefix. 803 */ 804 int 805 X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi, 806 const unsigned *safi, unsigned char *a, const int prefixlen) 807 { 808 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 809 IPAddressOrRange *aor; 810 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 811 return 0; 812 if (sk_IPAddressOrRange_push(aors, aor)) 813 return 1; 814 IPAddressOrRange_free(aor); 815 return 0; 816 } 817 818 /* 819 * Add a range. 820 */ 821 int 822 X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, 823 const unsigned *safi, unsigned char *min, unsigned char *max) 824 { 825 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 826 IPAddressOrRange *aor; 827 int length = length_from_afi(afi); 828 if (aors == NULL) 829 return 0; 830 if (!make_addressRange(&aor, min, max, length)) 831 return 0; 832 if (sk_IPAddressOrRange_push(aors, aor)) 833 return 1; 834 IPAddressOrRange_free(aor); 835 return 0; 836 } 837 838 /* 839 * Extract min and max values from an IPAddressOrRange. 840 */ 841 static int 842 extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max, 843 int length) 844 { 845 if (aor == NULL || min == NULL || max == NULL) 846 return 0; 847 switch (aor->type) { 848 case IPAddressOrRange_addressPrefix: 849 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 850 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 851 case IPAddressOrRange_addressRange: 852 return (addr_expand(min, aor->u.addressRange->min, length, 853 0x00) && 854 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 855 } 856 return 0; 857 } 858 859 /* 860 * Public wrapper for extract_min_max(). 861 */ 862 int 863 X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, 864 unsigned char *min, unsigned char *max, const int length) 865 { 866 int afi_length = length_from_afi(afi); 867 if (aor == NULL || min == NULL || max == NULL || 868 afi_length == 0 || length < afi_length || 869 (aor->type != IPAddressOrRange_addressPrefix && 870 aor->type != IPAddressOrRange_addressRange) || 871 !extract_min_max(aor, min, max, afi_length)) 872 return 0; 873 874 return afi_length; 875 } 876 877 /* 878 * Sort comparison function for a sequence of IPAddressFamily. 879 * 880 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 881 * the ordering: I can read it as meaning that IPv6 without a SAFI 882 * comes before IPv4 with a SAFI, which seems pretty weird. The 883 * examples in appendix B suggest that the author intended the 884 * null-SAFI rule to apply only within a single AFI, which is what I 885 * would have expected and is what the following code implements. 886 */ 887 static int 888 IPAddressFamily_cmp(const IPAddressFamily *const *a_, 889 const IPAddressFamily *const *b_) 890 { 891 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 892 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 893 int len = ((a->length <= b->length) ? a->length : b->length); 894 int cmp = memcmp(a->data, b->data, len); 895 return cmp ? cmp : a->length - b->length; 896 } 897 898 /* 899 * Check whether an IPAddrBLocks is in canonical form. 900 */ 901 int 902 X509v3_addr_is_canonical(IPAddrBlocks *addr) 903 { 904 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 905 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 906 IPAddressOrRanges *aors; 907 int i, j, k; 908 909 /* 910 * Empty extension is canonical. 911 */ 912 if (addr == NULL) 913 return 1; 914 915 /* 916 * Check whether the top-level list is in order. 917 */ 918 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 919 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 920 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 921 if (IPAddressFamily_cmp(&a, &b) >= 0) 922 return 0; 923 } 924 925 /* 926 * Top level's ok, now check each address family. 927 */ 928 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 929 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 930 int length = length_from_afi(X509v3_addr_get_afi(f)); 931 932 /* 933 * Inheritance is canonical. Anything other than inheritance 934 * or a SEQUENCE OF IPAddressOrRange is an ASN.1 error or 935 * something. 936 */ 937 if (f == NULL || f->ipAddressChoice == NULL) 938 return 0; 939 switch (f->ipAddressChoice->type) { 940 case IPAddressChoice_inherit: 941 continue; 942 case IPAddressChoice_addressesOrRanges: 943 break; 944 default: 945 return 0; 946 } 947 948 /* 949 * It's an IPAddressOrRanges sequence, check it. 950 */ 951 aors = f->ipAddressChoice->u.addressesOrRanges; 952 if (sk_IPAddressOrRange_num(aors) == 0) 953 return 0; 954 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 955 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 956 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, 957 j + 1); 958 959 if (!extract_min_max(a, a_min, a_max, length) || 960 !extract_min_max(b, b_min, b_max, length)) 961 return 0; 962 963 /* 964 * Punt misordered list, overlapping start, or inverted 965 * range. 966 */ 967 if (memcmp(a_min, b_min, length) >= 0 || 968 memcmp(a_min, a_max, length) > 0 || 969 memcmp(b_min, b_max, length) > 0) 970 return 0; 971 972 /* 973 * Punt if adjacent or overlapping. Check for adjacency by 974 * subtracting one from b_min first. 975 */ 976 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) 977 continue; 978 if (memcmp(a_max, b_min, length) >= 0) 979 return 0; 980 981 /* 982 * Check for range that should be expressed as a prefix. 983 */ 984 if (a->type == IPAddressOrRange_addressRange && 985 range_should_be_prefix(a_min, a_max, length) >= 0) 986 return 0; 987 } 988 989 /* 990 * Check range to see if it's inverted or should be a 991 * prefix. 992 */ 993 j = sk_IPAddressOrRange_num(aors) - 1; 994 { 995 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 996 if (a != NULL && 997 a->type == IPAddressOrRange_addressRange) { 998 if (!extract_min_max(a, a_min, a_max, length)) 999 return 0; 1000 if (memcmp(a_min, a_max, length) > 0 || 1001 range_should_be_prefix(a_min, a_max, 1002 length) >= 0) 1003 return 0; 1004 } 1005 } 1006 } 1007 1008 /* 1009 * If we made it through all that, we're happy. 1010 */ 1011 return 1; 1012 } 1013 1014 /* 1015 * Whack an IPAddressOrRanges into canonical form. 1016 */ 1017 static int 1018 IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi) 1019 { 1020 int i, j, length = length_from_afi(afi); 1021 1022 /* 1023 * Sort the IPAddressOrRanges sequence. 1024 */ 1025 sk_IPAddressOrRange_sort(aors); 1026 1027 /* 1028 * Clean up representation issues, punt on duplicates or overlaps. 1029 */ 1030 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 1031 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 1032 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 1033 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1034 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1035 1036 if (!extract_min_max(a, a_min, a_max, length) || 1037 !extract_min_max(b, b_min, b_max, length)) 1038 return 0; 1039 1040 /* 1041 * Punt inverted ranges. 1042 */ 1043 if (memcmp(a_min, a_max, length) > 0 || 1044 memcmp(b_min, b_max, length) > 0) 1045 return 0; 1046 1047 /* 1048 * Punt overlaps. 1049 */ 1050 if (memcmp(a_max, b_min, length) >= 0) 1051 return 0; 1052 1053 /* 1054 * Merge if a and b are adjacent. We check for 1055 * adjacency by subtracting one from b_min first. 1056 */ 1057 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) 1058 continue; 1059 if (memcmp(a_max, b_min, length) == 0) { 1060 IPAddressOrRange *merged; 1061 if (!make_addressRange(&merged, a_min, b_max, length)) 1062 return 0; 1063 (void)sk_IPAddressOrRange_set(aors, i, merged); 1064 (void)sk_IPAddressOrRange_delete(aors, i + 1); 1065 IPAddressOrRange_free(a); 1066 IPAddressOrRange_free(b); 1067 --i; 1068 continue; 1069 } 1070 } 1071 1072 /* 1073 * Check for inverted final range. 1074 */ 1075 j = sk_IPAddressOrRange_num(aors) - 1; 1076 { 1077 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 1078 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 1079 unsigned char a_min[ADDR_RAW_BUF_LEN], 1080 a_max[ADDR_RAW_BUF_LEN]; 1081 if (!extract_min_max(a, a_min, a_max, length)) 1082 return 0; 1083 if (memcmp(a_min, a_max, length) > 0) 1084 return 0; 1085 } 1086 } 1087 1088 return 1; 1089 } 1090 1091 /* 1092 * Whack an IPAddrBlocks extension into canonical form. 1093 */ 1094 int 1095 X509v3_addr_canonize(IPAddrBlocks *addr) 1096 { 1097 int i; 1098 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1099 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1100 if (f->ipAddressChoice->type == 1101 IPAddressChoice_addressesOrRanges && 1102 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, 1103 X509v3_addr_get_afi(f))) 1104 return 0; 1105 } 1106 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 1107 sk_IPAddressFamily_sort(addr); 1108 OPENSSL_assert(X509v3_addr_is_canonical(addr)); 1109 return 1; 1110 } 1111 1112 /* 1113 * v2i handler for the IPAddrBlocks extension. 1114 */ 1115 static void * 1116 v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, 1117 STACK_OF(CONF_VALUE)*values) 1118 { 1119 static const char v4addr_chars[] = "0123456789."; 1120 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 1121 IPAddrBlocks *addr = NULL; 1122 char *s = NULL, *t; 1123 int i; 1124 1125 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 1126 X509V3error(ERR_R_MALLOC_FAILURE); 1127 return NULL; 1128 } 1129 1130 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 1131 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 1132 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 1133 unsigned afi, *safi = NULL, safi_; 1134 const char *addr_chars = NULL; 1135 int prefixlen, i1, i2, delim, length; 1136 1137 if (!name_cmp(val->name, "IPv4")) { 1138 afi = IANA_AFI_IPV4; 1139 } else if (!name_cmp(val->name, "IPv6")) { 1140 afi = IANA_AFI_IPV6; 1141 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 1142 afi = IANA_AFI_IPV4; 1143 safi = &safi_; 1144 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 1145 afi = IANA_AFI_IPV6; 1146 safi = &safi_; 1147 } else { 1148 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 1149 X509V3_conf_err(val); 1150 goto err; 1151 } 1152 1153 switch (afi) { 1154 case IANA_AFI_IPV4: 1155 addr_chars = v4addr_chars; 1156 break; 1157 case IANA_AFI_IPV6: 1158 addr_chars = v6addr_chars; 1159 break; 1160 } 1161 1162 length = length_from_afi(afi); 1163 1164 /* 1165 * Handle SAFI, if any, and strdup() so we can null-terminate 1166 * the other input values. 1167 */ 1168 if (safi != NULL) { 1169 *safi = strtoul(val->value, &t, 0); 1170 t += strspn(t, " \t"); 1171 if (*safi > 0xFF || *t++ != ':') { 1172 X509V3error(X509V3_R_INVALID_SAFI); 1173 X509V3_conf_err(val); 1174 goto err; 1175 } 1176 t += strspn(t, " \t"); 1177 s = strdup(t); 1178 } else { 1179 s = strdup(val->value); 1180 } 1181 if (s == NULL) { 1182 X509V3error(ERR_R_MALLOC_FAILURE); 1183 goto err; 1184 } 1185 1186 /* 1187 * Check for inheritance. Not worth additional complexity to 1188 * optimize this (seldom-used) case. 1189 */ 1190 if (strcmp(s, "inherit") == 0) { 1191 if (!X509v3_addr_add_inherit(addr, afi, safi)) { 1192 X509V3error(X509V3_R_INVALID_INHERITANCE); 1193 X509V3_conf_err(val); 1194 goto err; 1195 } 1196 free(s); 1197 s = NULL; 1198 continue; 1199 } 1200 1201 i1 = strspn(s, addr_chars); 1202 i2 = i1 + strspn(s + i1, " \t"); 1203 delim = s[i2++]; 1204 s[i1] = '\0'; 1205 1206 if (a2i_ipadd(min, s) != length) { 1207 X509V3error(X509V3_R_INVALID_IPADDRESS); 1208 X509V3_conf_err(val); 1209 goto err; 1210 } 1211 1212 switch (delim) { 1213 case '/': 1214 prefixlen = (int)strtoul(s + i2, &t, 10); 1215 if (t == s + i2 || *t != '\0') { 1216 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1217 X509V3_conf_err(val); 1218 goto err; 1219 } 1220 if (!X509v3_addr_add_prefix(addr, afi, safi, min, 1221 prefixlen)) { 1222 X509V3error(ERR_R_MALLOC_FAILURE); 1223 goto err; 1224 } 1225 break; 1226 case '-': 1227 i1 = i2 + strspn(s + i2, " \t"); 1228 i2 = i1 + strspn(s + i1, addr_chars); 1229 if (i1 == i2 || s[i2] != '\0') { 1230 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1231 X509V3_conf_err(val); 1232 goto err; 1233 } 1234 if (a2i_ipadd(max, s + i1) != length) { 1235 X509V3error(X509V3_R_INVALID_IPADDRESS); 1236 X509V3_conf_err(val); 1237 goto err; 1238 } 1239 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1240 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1241 X509V3_conf_err(val); 1242 goto err; 1243 } 1244 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { 1245 X509V3error(ERR_R_MALLOC_FAILURE); 1246 goto err; 1247 } 1248 break; 1249 case '\0': 1250 if (!X509v3_addr_add_prefix(addr, afi, safi, min, 1251 length * 8)) { 1252 X509V3error(ERR_R_MALLOC_FAILURE); 1253 goto err; 1254 } 1255 break; 1256 default: 1257 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1258 X509V3_conf_err(val); 1259 goto err; 1260 } 1261 1262 free(s); 1263 s = NULL; 1264 } 1265 1266 /* 1267 * Canonize the result, then we're done. 1268 */ 1269 if (!X509v3_addr_canonize(addr)) 1270 goto err; 1271 return addr; 1272 1273 err: 1274 free(s); 1275 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1276 return NULL; 1277 } 1278 1279 /* 1280 * OpenSSL dispatch 1281 */ 1282 const X509V3_EXT_METHOD v3_addr = { 1283 NID_sbgp_ipAddrBlock, /* nid */ 1284 0, /* flags */ 1285 &IPAddrBlocks_it, 1286 0, 0, 0, 0, /* old functions, ignored */ 1287 0, /* i2s */ 1288 0, /* s2i */ 1289 0, /* i2v */ 1290 v2i_IPAddrBlocks, /* v2i */ 1291 i2r_IPAddrBlocks, /* i2r */ 1292 0, /* r2i */ 1293 NULL /* extension-specific data */ 1294 }; 1295 1296 /* 1297 * Figure out whether extension sues inheritance. 1298 */ 1299 int 1300 X509v3_addr_inherits(IPAddrBlocks *addr) 1301 { 1302 int i; 1303 if (addr == NULL) 1304 return 0; 1305 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1306 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1307 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1308 return 1; 1309 } 1310 return 0; 1311 } 1312 1313 /* 1314 * Figure out whether parent contains child. 1315 */ 1316 static int 1317 addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length) 1318 { 1319 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1320 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1321 int p, c; 1322 1323 if (child == NULL || parent == child) 1324 return 1; 1325 if (parent == NULL) 1326 return 0; 1327 1328 p = 0; 1329 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1330 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1331 c_min, c_max, length)) 1332 return -1; 1333 for (;; p++) { 1334 if (p >= sk_IPAddressOrRange_num(parent)) 1335 return 0; 1336 if (!extract_min_max(sk_IPAddressOrRange_value(parent, 1337 p), p_min, p_max, length)) 1338 return 0; 1339 if (memcmp(p_max, c_max, length) < 0) 1340 continue; 1341 if (memcmp(p_min, c_min, length) > 0) 1342 return 0; 1343 break; 1344 } 1345 } 1346 1347 return 1; 1348 } 1349 1350 /* 1351 * Test whether a is a subset of b. 1352 */ 1353 int 1354 X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1355 { 1356 int i; 1357 if (a == NULL || a == b) 1358 return 1; 1359 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b)) 1360 return 0; 1361 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1362 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1363 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1364 int j = sk_IPAddressFamily_find(b, fa); 1365 IPAddressFamily *fb; 1366 fb = sk_IPAddressFamily_value(b, j); 1367 if (fb == NULL) 1368 return 0; 1369 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1370 fa->ipAddressChoice->u.addressesOrRanges, 1371 length_from_afi(X509v3_addr_get_afi(fb)))) 1372 return 0; 1373 } 1374 return 1; 1375 } 1376 1377 /* 1378 * Validation error handling via callback. 1379 */ 1380 #define validation_err(_err_) \ 1381 do { \ 1382 if (ctx != NULL) { \ 1383 ctx->error = _err_; \ 1384 ctx->error_depth = i; \ 1385 ctx->current_cert = x; \ 1386 ret = ctx->verify_cb(0, ctx); \ 1387 } else { \ 1388 ret = 0; \ 1389 } \ 1390 if (!ret) \ 1391 goto done; \ 1392 } while (0) 1393 1394 /* 1395 * Core code for RFC 3779 2.3 path validation. 1396 * 1397 * Returns 1 for success, 0 on error. 1398 * 1399 * When returning 0, ctx->error MUST be set to an appropriate value other than 1400 * X509_V_OK. 1401 */ 1402 static int 1403 addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain, 1404 IPAddrBlocks *ext) 1405 { 1406 IPAddrBlocks *child = NULL; 1407 int i, j, ret = 1; 1408 X509 *x; 1409 1410 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1411 OPENSSL_assert(ctx != NULL || ext != NULL); 1412 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1413 1414 /* 1415 * Figure out where to start. If we don't have an extension to check, 1416 * we're done. Otherwise, check canonical form and set up for walking 1417 * up the chain. 1418 */ 1419 if (ext != NULL) { 1420 i = -1; 1421 x = NULL; 1422 } else { 1423 i = 0; 1424 x = sk_X509_value(chain, i); 1425 if ((ext = x->rfc3779_addr) == NULL) 1426 goto done; 1427 } 1428 if (!X509v3_addr_is_canonical(ext)) 1429 validation_err(X509_V_ERR_INVALID_EXTENSION); 1430 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1431 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1432 X509V3error(ERR_R_MALLOC_FAILURE); 1433 if (ctx != NULL) 1434 ctx->error = X509_V_ERR_OUT_OF_MEM; 1435 ret = 0; 1436 goto done; 1437 } 1438 1439 /* 1440 * Now walk up the chain. No cert may list resources that its parent 1441 * doesn't list. 1442 */ 1443 for (i++; i < sk_X509_num(chain); i++) { 1444 x = sk_X509_value(chain, i); 1445 if (!X509v3_addr_is_canonical(x->rfc3779_addr)) 1446 validation_err(X509_V_ERR_INVALID_EXTENSION); 1447 if (x->rfc3779_addr == NULL) { 1448 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1449 IPAddressFamily *fc = sk_IPAddressFamily_value(child, 1450 j); 1451 if (fc->ipAddressChoice->type != 1452 IPAddressChoice_inherit) { 1453 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1454 break; 1455 } 1456 } 1457 continue; 1458 } 1459 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, 1460 IPAddressFamily_cmp); 1461 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1462 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1463 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1464 IPAddressFamily *fp = 1465 sk_IPAddressFamily_value(x->rfc3779_addr, k); 1466 if (fp == NULL) { 1467 if (fc->ipAddressChoice->type == 1468 IPAddressChoice_addressesOrRanges) { 1469 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1470 break; 1471 } 1472 continue; 1473 } 1474 if (fp->ipAddressChoice->type == 1475 IPAddressChoice_addressesOrRanges) { 1476 if (fc->ipAddressChoice->type == 1477 IPAddressChoice_inherit || 1478 addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1479 fc->ipAddressChoice->u.addressesOrRanges, 1480 length_from_afi(X509v3_addr_get_afi(fc)))) 1481 sk_IPAddressFamily_set(child, j, fp); 1482 else 1483 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1484 } 1485 } 1486 } 1487 1488 /* 1489 * Trust anchor can't inherit. 1490 */ 1491 if (x->rfc3779_addr != NULL) { 1492 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1493 IPAddressFamily *fp = 1494 sk_IPAddressFamily_value(x->rfc3779_addr, j); 1495 if (fp->ipAddressChoice->type == 1496 IPAddressChoice_inherit && 1497 sk_IPAddressFamily_find(child, fp) >= 0) 1498 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1499 } 1500 } 1501 1502 done: 1503 sk_IPAddressFamily_free(child); 1504 return ret; 1505 } 1506 1507 #undef validation_err 1508 1509 /* 1510 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1511 */ 1512 int 1513 X509v3_addr_validate_path(X509_STORE_CTX *ctx) 1514 { 1515 if (ctx->chain == NULL || 1516 sk_X509_num(ctx->chain) == 0 || 1517 ctx->verify_cb == NULL) { 1518 ctx->error = X509_V_ERR_UNSPECIFIED; 1519 return 0; 1520 } 1521 return addr_validate_path_internal(ctx, ctx->chain, NULL); 1522 } 1523 1524 /* 1525 * RFC 3779 2.3 path validation of an extension. 1526 * Test whether chain covers extension. 1527 */ 1528 int 1529 X509v3_addr_validate_resource_set(STACK_OF(X509)*chain, IPAddrBlocks *ext, 1530 int allow_inheritance) 1531 { 1532 if (ext == NULL) 1533 return 1; 1534 if (chain == NULL || sk_X509_num(chain) == 0) 1535 return 0; 1536 if (!allow_inheritance && X509v3_addr_inherits(ext)) 1537 return 0; 1538 return addr_validate_path_internal(NULL, chain, ext); 1539 } 1540 1541 #endif /* OPENSSL_NO_RFC3779 */ 1542