1 /* $OpenBSD: x509_addr.c,v 1.80 2022/04/21 05:06:07 tb Exp $ */ 2 /* 3 * Contributed to the OpenSSL Project by the American Registry for 4 * Internet Numbers ("ARIN"). 5 */ 6 /* ==================================================================== 7 * Copyright (c) 2006-2016 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 */ 58 59 /* 60 * Implementation of RFC 3779 section 2.2. 61 */ 62 63 #include <limits.h> 64 #include <stdio.h> 65 #include <stdlib.h> 66 #include <string.h> 67 68 #include <openssl/asn1.h> 69 #include <openssl/asn1t.h> 70 #include <openssl/buffer.h> 71 #include <openssl/conf.h> 72 #include <openssl/err.h> 73 #include <openssl/x509.h> 74 #include <openssl/x509v3.h> 75 76 #include "bytestring.h" 77 #include "x509_lcl.h" 78 79 #ifndef OPENSSL_NO_RFC3779 80 81 /* 82 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 83 */ 84 85 static const ASN1_TEMPLATE IPAddressRange_seq_tt[] = { 86 { 87 .flags = 0, 88 .tag = 0, 89 .offset = offsetof(IPAddressRange, min), 90 .field_name = "min", 91 .item = &ASN1_BIT_STRING_it, 92 }, 93 { 94 .flags = 0, 95 .tag = 0, 96 .offset = offsetof(IPAddressRange, max), 97 .field_name = "max", 98 .item = &ASN1_BIT_STRING_it, 99 }, 100 }; 101 102 const ASN1_ITEM IPAddressRange_it = { 103 .itype = ASN1_ITYPE_SEQUENCE, 104 .utype = V_ASN1_SEQUENCE, 105 .templates = IPAddressRange_seq_tt, 106 .tcount = sizeof(IPAddressRange_seq_tt) / sizeof(ASN1_TEMPLATE), 107 .funcs = NULL, 108 .size = sizeof(IPAddressRange), 109 .sname = "IPAddressRange", 110 }; 111 112 static const ASN1_TEMPLATE IPAddressOrRange_ch_tt[] = { 113 { 114 .flags = 0, 115 .tag = 0, 116 .offset = offsetof(IPAddressOrRange, u.addressPrefix), 117 .field_name = "u.addressPrefix", 118 .item = &ASN1_BIT_STRING_it, 119 }, 120 { 121 .flags = 0, 122 .tag = 0, 123 .offset = offsetof(IPAddressOrRange, u.addressRange), 124 .field_name = "u.addressRange", 125 .item = &IPAddressRange_it, 126 }, 127 }; 128 129 const ASN1_ITEM IPAddressOrRange_it = { 130 .itype = ASN1_ITYPE_CHOICE, 131 .utype = offsetof(IPAddressOrRange, type), 132 .templates = IPAddressOrRange_ch_tt, 133 .tcount = sizeof(IPAddressOrRange_ch_tt) / sizeof(ASN1_TEMPLATE), 134 .funcs = NULL, 135 .size = sizeof(IPAddressOrRange), 136 .sname = "IPAddressOrRange", 137 }; 138 139 static const ASN1_TEMPLATE IPAddressChoice_ch_tt[] = { 140 { 141 .flags = 0, 142 .tag = 0, 143 .offset = offsetof(IPAddressChoice, u.inherit), 144 .field_name = "u.inherit", 145 .item = &ASN1_NULL_it, 146 }, 147 { 148 .flags = ASN1_TFLG_SEQUENCE_OF, 149 .tag = 0, 150 .offset = offsetof(IPAddressChoice, u.addressesOrRanges), 151 .field_name = "u.addressesOrRanges", 152 .item = &IPAddressOrRange_it, 153 }, 154 }; 155 156 const ASN1_ITEM IPAddressChoice_it = { 157 .itype = ASN1_ITYPE_CHOICE, 158 .utype = offsetof(IPAddressChoice, type), 159 .templates = IPAddressChoice_ch_tt, 160 .tcount = sizeof(IPAddressChoice_ch_tt) / sizeof(ASN1_TEMPLATE), 161 .funcs = NULL, 162 .size = sizeof(IPAddressChoice), 163 .sname = "IPAddressChoice", 164 }; 165 166 static const ASN1_TEMPLATE IPAddressFamily_seq_tt[] = { 167 { 168 .flags = 0, 169 .tag = 0, 170 .offset = offsetof(IPAddressFamily, addressFamily), 171 .field_name = "addressFamily", 172 .item = &ASN1_OCTET_STRING_it, 173 }, 174 { 175 .flags = 0, 176 .tag = 0, 177 .offset = offsetof(IPAddressFamily, ipAddressChoice), 178 .field_name = "ipAddressChoice", 179 .item = &IPAddressChoice_it, 180 }, 181 }; 182 183 const ASN1_ITEM IPAddressFamily_it = { 184 .itype = ASN1_ITYPE_SEQUENCE, 185 .utype = V_ASN1_SEQUENCE, 186 .templates = IPAddressFamily_seq_tt, 187 .tcount = sizeof(IPAddressFamily_seq_tt) / sizeof(ASN1_TEMPLATE), 188 .funcs = NULL, 189 .size = sizeof(IPAddressFamily), 190 .sname = "IPAddressFamily", 191 }; 192 193 static const ASN1_TEMPLATE IPAddrBlocks_item_tt = { 194 .flags = ASN1_TFLG_SEQUENCE_OF, 195 .tag = 0, 196 .offset = 0, 197 .field_name = "IPAddrBlocks", 198 .item = &IPAddressFamily_it, 199 }; 200 201 static const ASN1_ITEM IPAddrBlocks_it = { 202 .itype = ASN1_ITYPE_PRIMITIVE, 203 .utype = -1, 204 .templates = &IPAddrBlocks_item_tt, 205 .tcount = 0, 206 .funcs = NULL, 207 .size = 0, 208 .sname = "IPAddrBlocks", 209 }; 210 211 IPAddressRange * 212 d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len) 213 { 214 return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 215 &IPAddressRange_it); 216 } 217 218 int 219 i2d_IPAddressRange(IPAddressRange *a, unsigned char **out) 220 { 221 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it); 222 } 223 224 IPAddressRange * 225 IPAddressRange_new(void) 226 { 227 return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it); 228 } 229 230 void 231 IPAddressRange_free(IPAddressRange *a) 232 { 233 ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it); 234 } 235 236 IPAddressOrRange * 237 d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len) 238 { 239 return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 240 &IPAddressOrRange_it); 241 } 242 243 int 244 i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out) 245 { 246 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it); 247 } 248 249 IPAddressOrRange * 250 IPAddressOrRange_new(void) 251 { 252 return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it); 253 } 254 255 void 256 IPAddressOrRange_free(IPAddressOrRange *a) 257 { 258 ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it); 259 } 260 261 IPAddressChoice * 262 d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len) 263 { 264 return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 265 &IPAddressChoice_it); 266 } 267 268 int 269 i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out) 270 { 271 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it); 272 } 273 274 IPAddressChoice * 275 IPAddressChoice_new(void) 276 { 277 return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it); 278 } 279 280 void 281 IPAddressChoice_free(IPAddressChoice *a) 282 { 283 ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it); 284 } 285 286 IPAddressFamily * 287 d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len) 288 { 289 return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 290 &IPAddressFamily_it); 291 } 292 293 int 294 i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out) 295 { 296 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it); 297 } 298 299 IPAddressFamily * 300 IPAddressFamily_new(void) 301 { 302 return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it); 303 } 304 305 void 306 IPAddressFamily_free(IPAddressFamily *a) 307 { 308 ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it); 309 } 310 311 /* 312 * Convenience accessors for IPAddressFamily. 313 */ 314 315 static int 316 IPAddressFamily_type(IPAddressFamily *af) 317 { 318 /* XXX - can af->ipAddressChoice == NULL actually happen? */ 319 if (af == NULL || af->ipAddressChoice == NULL) 320 return -1; 321 322 switch (af->ipAddressChoice->type) { 323 case IPAddressChoice_inherit: 324 case IPAddressChoice_addressesOrRanges: 325 return af->ipAddressChoice->type; 326 default: 327 return -1; 328 } 329 } 330 331 static IPAddressOrRanges * 332 IPAddressFamily_addressesOrRanges(IPAddressFamily *af) 333 { 334 if (IPAddressFamily_type(af) == IPAddressChoice_addressesOrRanges) 335 return af->ipAddressChoice->u.addressesOrRanges; 336 337 return NULL; 338 } 339 340 static ASN1_NULL * 341 IPAddressFamily_inheritance(IPAddressFamily *af) 342 { 343 if (IPAddressFamily_type(af) == IPAddressChoice_inherit) 344 return af->ipAddressChoice->u.inherit; 345 346 return NULL; 347 } 348 349 static int 350 IPAddressFamily_set_inheritance(IPAddressFamily *af) 351 { 352 if (IPAddressFamily_addressesOrRanges(af) != NULL) 353 return 0; 354 355 if (IPAddressFamily_inheritance(af) != NULL) 356 return 1; 357 358 if ((af->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 359 return 0; 360 af->ipAddressChoice->type = IPAddressChoice_inherit; 361 362 return 1; 363 } 364 365 /* 366 * How much buffer space do we need for a raw address? 367 */ 368 #define ADDR_RAW_BUF_LEN 16 369 370 /* 371 * What's the address length associated with this AFI? 372 */ 373 static int 374 length_from_afi(const unsigned afi) 375 { 376 switch (afi) { 377 case IANA_AFI_IPV4: 378 return 4; 379 case IANA_AFI_IPV6: 380 return 16; 381 default: 382 return 0; 383 } 384 } 385 386 /* 387 * Get AFI and optional SAFI from an IPAddressFamily. All three out arguments 388 * are optional; if |out_safi| is non-NULL, |safi_is_set| must be non-NULL. 389 */ 390 static int 391 IPAddressFamily_afi_safi(const IPAddressFamily *af, uint16_t *out_afi, 392 uint8_t *out_safi, int *safi_is_set) 393 { 394 CBS cbs; 395 uint16_t afi; 396 uint8_t safi = 0; 397 int got_safi = 0; 398 399 CBS_init(&cbs, af->addressFamily->data, af->addressFamily->length); 400 401 if (!CBS_get_u16(&cbs, &afi)) 402 return 0; 403 404 /* Fetch the optional SAFI. */ 405 if (CBS_len(&cbs) != 0) { 406 if (!CBS_get_u8(&cbs, &safi)) 407 return 0; 408 got_safi = 1; 409 } 410 411 /* If there's anything left, it's garbage. */ 412 if (CBS_len(&cbs) != 0) 413 return 0; 414 415 /* XXX - error on reserved AFI/SAFI? */ 416 417 if (out_afi != NULL) 418 *out_afi = afi; 419 420 if (out_safi != NULL) { 421 *out_safi = safi; 422 *safi_is_set = got_safi; 423 } 424 425 return 1; 426 } 427 428 static int 429 IPAddressFamily_afi(const IPAddressFamily *af, uint16_t *out_afi) 430 { 431 return IPAddressFamily_afi_safi(af, out_afi, NULL, NULL); 432 } 433 434 static int 435 IPAddressFamily_afi_is_valid(const IPAddressFamily *af) 436 { 437 return IPAddressFamily_afi_safi(af, NULL, NULL, NULL); 438 } 439 440 static int 441 IPAddressFamily_afi_length(const IPAddressFamily *af, int *out_length) 442 { 443 uint16_t afi; 444 445 *out_length = 0; 446 447 if (!IPAddressFamily_afi(af, &afi)) 448 return 0; 449 450 *out_length = length_from_afi(afi); 451 452 return 1; 453 } 454 455 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 456 457 /* 458 * Sort comparison function for a sequence of IPAddressFamily. 459 * 460 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 461 * the ordering: I can read it as meaning that IPv6 without a SAFI 462 * comes before IPv4 with a SAFI, which seems pretty weird. The 463 * examples in appendix B suggest that the author intended the 464 * null-SAFI rule to apply only within a single AFI, which is what I 465 * would have expected and is what the following code implements. 466 */ 467 static int 468 IPAddressFamily_cmp(const IPAddressFamily *const *a_, 469 const IPAddressFamily *const *b_) 470 { 471 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 472 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 473 int len, cmp; 474 475 len = MINIMUM(a->length, b->length); 476 477 if ((cmp = memcmp(a->data, b->data, len)) != 0) 478 return cmp; 479 480 return a->length - b->length; 481 } 482 483 static IPAddressFamily * 484 IPAddressFamily_find_in_parent(IPAddrBlocks *parent, IPAddressFamily *child_af) 485 { 486 int index; 487 488 (void)sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp); 489 490 if ((index = sk_IPAddressFamily_find(parent, child_af)) < 0) 491 return NULL; 492 493 return sk_IPAddressFamily_value(parent, index); 494 } 495 496 /* 497 * Extract the AFI from an IPAddressFamily. 498 * 499 * This is public API. It uses the reserved AFI 0 as an in-band error 500 * while it doesn't care about the reserved AFI 65535... 501 */ 502 unsigned int 503 X509v3_addr_get_afi(const IPAddressFamily *af) 504 { 505 uint16_t afi; 506 507 /* 508 * XXX are these NULL checks really sensible? If af is non-NULL, it 509 * should have both addressFamily and ipAddressChoice... 510 */ 511 if (af == NULL || af->addressFamily == NULL || 512 af->addressFamily->data == NULL) 513 return 0; 514 515 if (!IPAddressFamily_afi(af, &afi)) 516 return 0; 517 518 return afi; 519 } 520 521 /* 522 * Expand the bitstring form (RFC 3779, section 2.1.2) of an address into 523 * a raw byte array. At the moment this is coded for simplicity, not speed. 524 * 525 * Unused bits in the last octet of |bs| and all bits in subsequent bytes 526 * of |addr| are set to 0 or 1 depending on whether |fill| is 0 or not. 527 */ 528 static int 529 addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length, 530 uint8_t fill) 531 { 532 if (bs->length < 0 || bs->length > length) 533 return 0; 534 535 if (fill != 0) 536 fill = 0xff; 537 538 if (bs->length > 0) { 539 /* XXX - shouldn't this check ASN1_STRING_FLAG_BITS_LEFT? */ 540 uint8_t unused_bits = bs->flags & 7; 541 uint8_t mask = (1 << unused_bits) - 1; 542 543 memcpy(addr, bs->data, bs->length); 544 545 if (fill == 0) 546 addr[bs->length - 1] &= ~mask; 547 else 548 addr[bs->length - 1] |= mask; 549 } 550 551 memset(addr + bs->length, fill, length - bs->length); 552 553 return 1; 554 } 555 556 /* 557 * Extract the prefix length from a bitstring: 8 * length - unused bits. 558 */ 559 #define addr_prefix_len(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 560 561 /* 562 * i2r handler for one address bitstring. 563 */ 564 static int 565 i2r_address(BIO *out, const unsigned afi, const unsigned char fill, 566 const ASN1_BIT_STRING *bs) 567 { 568 unsigned char addr[ADDR_RAW_BUF_LEN]; 569 int i, n; 570 571 if (bs->length < 0) 572 return 0; 573 switch (afi) { 574 case IANA_AFI_IPV4: 575 if (!addr_expand(addr, bs, 4, fill)) 576 return 0; 577 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], 578 addr[3]); 579 break; 580 case IANA_AFI_IPV6: 581 if (!addr_expand(addr, bs, 16, fill)) 582 return 0; 583 for (n = 16; 584 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2) 585 continue; 586 for (i = 0; i < n; i += 2) 587 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 588 (i < 14 ? ":" : "")); 589 if (i < 16) 590 BIO_puts(out, ":"); 591 if (i == 0) 592 BIO_puts(out, ":"); 593 break; 594 default: 595 for (i = 0; i < bs->length; i++) 596 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), 597 bs->data[i]); 598 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 599 break; 600 } 601 return 1; 602 } 603 604 /* 605 * i2r handler for a sequence of addresses and ranges. 606 */ 607 static int 608 i2r_IPAddressOrRanges(BIO *out, const int indent, 609 const IPAddressOrRanges *aors, const unsigned afi) 610 { 611 const IPAddressOrRange *aor; 612 const ASN1_BIT_STRING *prefix; 613 const IPAddressRange *range; 614 int i; 615 616 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 617 aor = sk_IPAddressOrRange_value(aors, i); 618 619 BIO_printf(out, "%*s", indent, ""); 620 621 switch (aor->type) { 622 case IPAddressOrRange_addressPrefix: 623 prefix = aor->u.addressPrefix; 624 625 if (!i2r_address(out, afi, 0x00, prefix)) 626 return 0; 627 BIO_printf(out, "/%d\n", addr_prefix_len(prefix)); 628 continue; 629 case IPAddressOrRange_addressRange: 630 range = aor->u.addressRange; 631 632 if (!i2r_address(out, afi, 0x00, range->min)) 633 return 0; 634 BIO_puts(out, "-"); 635 if (!i2r_address(out, afi, 0xff, range->max)) 636 return 0; 637 BIO_puts(out, "\n"); 638 continue; 639 } 640 } 641 642 return 1; 643 } 644 645 /* 646 * i2r handler for an IPAddrBlocks extension. 647 */ 648 static int 649 i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out, 650 int indent) 651 { 652 const IPAddrBlocks *addr = ext; 653 IPAddressFamily *af; 654 uint16_t afi; 655 uint8_t safi; 656 int i, safi_is_set; 657 658 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 659 af = sk_IPAddressFamily_value(addr, i); 660 661 if (!IPAddressFamily_afi_safi(af, &afi, &safi, &safi_is_set)) 662 goto print_addresses; 663 664 switch (afi) { 665 case IANA_AFI_IPV4: 666 BIO_printf(out, "%*sIPv4", indent, ""); 667 break; 668 case IANA_AFI_IPV6: 669 BIO_printf(out, "%*sIPv6", indent, ""); 670 break; 671 default: 672 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 673 break; 674 } 675 if (safi_is_set) { 676 switch (safi) { 677 case 1: 678 BIO_puts(out, " (Unicast)"); 679 break; 680 case 2: 681 BIO_puts(out, " (Multicast)"); 682 break; 683 case 3: 684 BIO_puts(out, " (Unicast/Multicast)"); 685 break; 686 case 4: 687 BIO_puts(out, " (MPLS)"); 688 break; 689 case 64: 690 BIO_puts(out, " (Tunnel)"); 691 break; 692 case 65: 693 BIO_puts(out, " (VPLS)"); 694 break; 695 case 66: 696 BIO_puts(out, " (BGP MDT)"); 697 break; 698 case 128: 699 BIO_puts(out, " (MPLS-labeled VPN)"); 700 break; 701 default: 702 BIO_printf(out, " (Unknown SAFI %u)", safi); 703 break; 704 } 705 } 706 707 print_addresses: 708 switch (IPAddressFamily_type(af)) { 709 case IPAddressChoice_inherit: 710 BIO_puts(out, ": inherit\n"); 711 break; 712 case IPAddressChoice_addressesOrRanges: 713 BIO_puts(out, ":\n"); 714 if (!i2r_IPAddressOrRanges(out, indent + 2, 715 IPAddressFamily_addressesOrRanges(af), afi)) 716 return 0; 717 break; 718 /* XXX - how should we handle -1 here? */ 719 } 720 } 721 return 1; 722 } 723 724 /* 725 * Sort comparison function for a sequence of IPAddressOrRange 726 * elements. 727 * 728 * There's no sane answer we can give if addr_expand() fails, and an 729 * assertion failure on externally supplied data is seriously uncool, 730 * so we just arbitrarily declare that if given invalid inputs this 731 * function returns -1. If this messes up your preferred sort order 732 * for garbage input, tough noogies. 733 */ 734 static int 735 IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b, 736 const int length) 737 { 738 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 739 int prefix_len_a = 0, prefix_len_b = 0; 740 int r; 741 742 switch (a->type) { 743 case IPAddressOrRange_addressPrefix: 744 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 745 return -1; 746 prefix_len_a = addr_prefix_len(a->u.addressPrefix); 747 break; 748 case IPAddressOrRange_addressRange: 749 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 750 return -1; 751 prefix_len_a = length * 8; 752 break; 753 } 754 755 switch (b->type) { 756 case IPAddressOrRange_addressPrefix: 757 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 758 return -1; 759 prefix_len_b = addr_prefix_len(b->u.addressPrefix); 760 break; 761 case IPAddressOrRange_addressRange: 762 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 763 return -1; 764 prefix_len_b = length * 8; 765 break; 766 } 767 768 if ((r = memcmp(addr_a, addr_b, length)) != 0) 769 return r; 770 else 771 return prefix_len_a - prefix_len_b; 772 } 773 774 /* 775 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 776 * comparison routines are only allowed two arguments. 777 */ 778 static int 779 v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 780 const IPAddressOrRange *const *b) 781 { 782 return IPAddressOrRange_cmp(*a, *b, 4); 783 } 784 785 /* 786 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 787 * comparison routines are only allowed two arguments. 788 */ 789 static int 790 v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 791 const IPAddressOrRange *const *b) 792 { 793 return IPAddressOrRange_cmp(*a, *b, 16); 794 } 795 796 /* 797 * Calculate whether a range collapses to a prefix. 798 * See last paragraph of RFC 3779 2.2.3.7. 799 * 800 * It's the caller's responsibility to ensure that min <= max. 801 */ 802 static int 803 range_should_be_prefix(const unsigned char *min, const unsigned char *max, 804 const int length) 805 { 806 unsigned char mask; 807 int i, j; 808 809 for (i = 0; i < length && min[i] == max[i]; i++) 810 continue; 811 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xff; j--) 812 continue; 813 if (i < j) 814 return -1; 815 if (i > j) 816 return i * 8; 817 mask = min[i] ^ max[i]; 818 switch (mask) { 819 case 0x01: 820 j = 7; 821 break; 822 case 0x03: 823 j = 6; 824 break; 825 case 0x07: 826 j = 5; 827 break; 828 case 0x0f: 829 j = 4; 830 break; 831 case 0x1f: 832 j = 3; 833 break; 834 case 0x3f: 835 j = 2; 836 break; 837 case 0x7f: 838 j = 1; 839 break; 840 default: 841 return -1; 842 } 843 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 844 return -1; 845 else 846 return i * 8 + j; 847 } 848 849 /* 850 * Construct a prefix. 851 */ 852 static int 853 make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, 854 unsigned int afi, int prefix_len) 855 { 856 IPAddressOrRange *aor; 857 int afi_len, byte_len, bit_len, max_len; 858 859 if (prefix_len < 0) 860 return 0; 861 862 max_len = 16; 863 if ((afi_len = length_from_afi(afi)) > 0) 864 max_len = afi_len; 865 if (prefix_len > 8 * max_len) 866 return 0; 867 868 byte_len = (prefix_len + 7) / 8; 869 bit_len = prefix_len % 8; 870 871 if ((aor = IPAddressOrRange_new()) == NULL) 872 return 0; 873 aor->type = IPAddressOrRange_addressPrefix; 874 if ((aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 875 goto err; 876 877 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, byte_len)) 878 goto err; 879 880 aor->u.addressPrefix->flags &= ~7; 881 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 882 if (bit_len > 0) { 883 aor->u.addressPrefix->data[byte_len - 1] &= ~(0xff >> bit_len); 884 aor->u.addressPrefix->flags |= 8 - bit_len; 885 } 886 887 *result = aor; 888 return 1; 889 890 err: 891 IPAddressOrRange_free(aor); 892 return 0; 893 } 894 895 /* 896 * Construct a range. If it can be expressed as a prefix, 897 * return a prefix instead. Doing this here simplifies 898 * the rest of the code considerably. 899 */ 900 static int 901 make_addressRange(IPAddressOrRange **result, unsigned char *min, 902 unsigned char *max, unsigned int afi, int length) 903 { 904 IPAddressOrRange *aor; 905 int i, prefix_len; 906 907 if (memcmp(min, max, length) > 0) 908 return 0; 909 910 if ((prefix_len = range_should_be_prefix(min, max, length)) >= 0) 911 return make_addressPrefix(result, min, afi, prefix_len); 912 913 if ((aor = IPAddressOrRange_new()) == NULL) 914 return 0; 915 aor->type = IPAddressOrRange_addressRange; 916 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 917 goto err; 918 919 for (i = length; i > 0 && min[i - 1] == 0x00; --i) 920 continue; 921 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 922 goto err; 923 aor->u.addressRange->min->flags &= ~7; 924 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 925 if (i > 0) { 926 unsigned char b = min[i - 1]; 927 int j = 1; 928 while ((b & (0xffU >> j)) != 0) 929 ++j; 930 aor->u.addressRange->min->flags |= 8 - j; 931 } 932 933 for (i = length; i > 0 && max[i - 1] == 0xff; --i) 934 continue; 935 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 936 goto err; 937 aor->u.addressRange->max->flags &= ~7; 938 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 939 if (i > 0) { 940 unsigned char b = max[i - 1]; 941 int j = 1; 942 while ((b & (0xffU >> j)) != (0xffU >> j)) 943 ++j; 944 aor->u.addressRange->max->flags |= 8 - j; 945 } 946 947 *result = aor; 948 return 1; 949 950 err: 951 IPAddressOrRange_free(aor); 952 return 0; 953 } 954 955 /* 956 * Construct a new address family or find an existing one. 957 */ 958 static IPAddressFamily * 959 make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi, 960 const unsigned *safi) 961 { 962 IPAddressFamily *af = NULL; 963 CBB cbb; 964 CBS cbs; 965 uint8_t *key = NULL; 966 size_t keylen; 967 int i; 968 969 if (!CBB_init(&cbb, 0)) 970 goto err; 971 972 /* XXX - should afi <= 65535 and *safi <= 255 be checked here? */ 973 974 if (!CBB_add_u16(&cbb, afi)) 975 goto err; 976 if (safi != NULL) { 977 if (!CBB_add_u8(&cbb, *safi)) 978 goto err; 979 } 980 981 if (!CBB_finish(&cbb, &key, &keylen)) 982 goto err; 983 984 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 985 af = sk_IPAddressFamily_value(addr, i); 986 987 CBS_init(&cbs, af->addressFamily->data, 988 af->addressFamily->length); 989 if (CBS_mem_equal(&cbs, key, keylen)) 990 goto done; 991 } 992 993 if ((af = IPAddressFamily_new()) == NULL) 994 goto err; 995 if (!ASN1_OCTET_STRING_set(af->addressFamily, key, keylen)) 996 goto err; 997 if (!sk_IPAddressFamily_push(addr, af)) 998 goto err; 999 1000 done: 1001 free(key); 1002 1003 return af; 1004 1005 err: 1006 CBB_cleanup(&cbb); 1007 free(key); 1008 IPAddressFamily_free(af); 1009 1010 return NULL; 1011 } 1012 1013 /* 1014 * Add an inheritance element. 1015 */ 1016 int 1017 X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi, 1018 const unsigned *safi) 1019 { 1020 IPAddressFamily *af; 1021 1022 if ((af = make_IPAddressFamily(addr, afi, safi)) == NULL) 1023 return 0; 1024 1025 return IPAddressFamily_set_inheritance(af); 1026 } 1027 1028 /* 1029 * Construct an IPAddressOrRange sequence, or return an existing one. 1030 */ 1031 static IPAddressOrRanges * 1032 make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi, 1033 const unsigned *safi) 1034 { 1035 IPAddressFamily *af; 1036 IPAddressOrRanges *aors = NULL; 1037 1038 if ((af = make_IPAddressFamily(addr, afi, safi)) == NULL) 1039 return NULL; 1040 1041 if (IPAddressFamily_inheritance(af) != NULL) 1042 return NULL; 1043 1044 if ((aors = IPAddressFamily_addressesOrRanges(af)) != NULL) 1045 return aors; 1046 1047 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 1048 return NULL; 1049 1050 switch (afi) { 1051 case IANA_AFI_IPV4: 1052 (void)sk_IPAddressOrRange_set_cmp_func(aors, 1053 v4IPAddressOrRange_cmp); 1054 break; 1055 case IANA_AFI_IPV6: 1056 (void)sk_IPAddressOrRange_set_cmp_func(aors, 1057 v6IPAddressOrRange_cmp); 1058 break; 1059 } 1060 1061 af->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 1062 af->ipAddressChoice->u.addressesOrRanges = aors; 1063 1064 return aors; 1065 } 1066 1067 /* 1068 * Add a prefix. 1069 */ 1070 int 1071 X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi, 1072 const unsigned *safi, unsigned char *a, const int prefix_len) 1073 { 1074 IPAddressOrRanges *aors; 1075 IPAddressOrRange *aor; 1076 1077 if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL) 1078 return 0; 1079 1080 if (!make_addressPrefix(&aor, a, afi, prefix_len)) 1081 return 0; 1082 1083 if (sk_IPAddressOrRange_push(aors, aor) <= 0) { 1084 IPAddressOrRange_free(aor); 1085 return 0; 1086 } 1087 1088 return 1; 1089 } 1090 1091 /* 1092 * Add a range. 1093 */ 1094 int 1095 X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, 1096 const unsigned *safi, unsigned char *min, unsigned char *max) 1097 { 1098 IPAddressOrRanges *aors; 1099 IPAddressOrRange *aor; 1100 int length; 1101 1102 if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL) 1103 return 0; 1104 1105 length = length_from_afi(afi); 1106 1107 if (!make_addressRange(&aor, min, max, afi, length)) 1108 return 0; 1109 1110 if (sk_IPAddressOrRange_push(aors, aor) <= 0) { 1111 IPAddressOrRange_free(aor); 1112 return 0; 1113 } 1114 1115 return 1; 1116 } 1117 1118 static int 1119 extract_min_max_bitstr(IPAddressOrRange *aor, ASN1_BIT_STRING **out_min, 1120 ASN1_BIT_STRING **out_max) 1121 { 1122 switch (aor->type) { 1123 case IPAddressOrRange_addressPrefix: 1124 *out_min = *out_max = aor->u.addressPrefix; 1125 return 1; 1126 case IPAddressOrRange_addressRange: 1127 *out_min = aor->u.addressRange->min; 1128 *out_max = aor->u.addressRange->max; 1129 return 1; 1130 default: 1131 return 0; 1132 } 1133 } 1134 1135 /* 1136 * Extract min and max values from an IPAddressOrRange. 1137 */ 1138 static int 1139 extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max, 1140 int length) 1141 { 1142 ASN1_BIT_STRING *min_bitstr, *max_bitstr; 1143 1144 if (aor == NULL || min == NULL || max == NULL) 1145 return 0; 1146 1147 if (!extract_min_max_bitstr(aor, &min_bitstr, &max_bitstr)) 1148 return 0; 1149 1150 if (!addr_expand(min, min_bitstr, length, 0)) 1151 return 0; 1152 1153 return addr_expand(max, max_bitstr, length, 1); 1154 } 1155 1156 /* 1157 * Public wrapper for extract_min_max(). 1158 */ 1159 int 1160 X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, 1161 unsigned char *min, unsigned char *max, const int length) 1162 { 1163 int afi_len; 1164 1165 if ((afi_len = length_from_afi(afi)) == 0) 1166 return 0; 1167 1168 if (length < afi_len) 1169 return 0; 1170 1171 if (!extract_min_max(aor, min, max, afi_len)) 1172 return 0; 1173 1174 return afi_len; 1175 } 1176 1177 /* 1178 * Check whether an IPAddrBLocks is in canonical form. 1179 */ 1180 int 1181 X509v3_addr_is_canonical(IPAddrBlocks *addr) 1182 { 1183 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1184 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1185 IPAddressFamily *af; 1186 IPAddressOrRanges *aors; 1187 IPAddressOrRange *aor, *aor_a, *aor_b; 1188 int i, j, k, length; 1189 1190 /* 1191 * Empty extension is canonical. 1192 */ 1193 if (addr == NULL) 1194 return 1; 1195 1196 /* 1197 * Check whether the top-level list is in order. 1198 */ 1199 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 1200 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 1201 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 1202 1203 /* Check that both have valid AFIs before comparing them. */ 1204 if (!IPAddressFamily_afi_is_valid(a)) 1205 return 0; 1206 if (!IPAddressFamily_afi_is_valid(b)) 1207 return 0; 1208 1209 if (IPAddressFamily_cmp(&a, &b) >= 0) 1210 return 0; 1211 } 1212 1213 /* 1214 * Top level's ok, now check each address family. 1215 */ 1216 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1217 af = sk_IPAddressFamily_value(addr, i); 1218 1219 if (!IPAddressFamily_afi_length(af, &length)) 1220 return 0; 1221 1222 /* 1223 * If this family has an inheritance element, it is canonical. 1224 */ 1225 if (IPAddressFamily_inheritance(af) != NULL) 1226 continue; 1227 1228 /* 1229 * If this family has neither an inheritance element nor an 1230 * addressesOrRanges, we don't know what this is. 1231 */ 1232 if ((aors = IPAddressFamily_addressesOrRanges(af)) == NULL) 1233 return 0; 1234 1235 if (sk_IPAddressOrRange_num(aors) == 0) 1236 return 0; 1237 1238 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 1239 aor_a = sk_IPAddressOrRange_value(aors, j); 1240 aor_b = sk_IPAddressOrRange_value(aors, j + 1); 1241 1242 /* 1243 * XXX - check that both are either a prefix or a range. 1244 */ 1245 1246 if (!extract_min_max(aor_a, a_min, a_max, length) || 1247 !extract_min_max(aor_b, b_min, b_max, length)) 1248 return 0; 1249 1250 /* 1251 * Punt misordered list, overlapping start, or inverted 1252 * range. 1253 */ 1254 if (memcmp(a_min, b_min, length) >= 0 || 1255 memcmp(a_min, a_max, length) > 0 || 1256 memcmp(b_min, b_max, length) > 0) 1257 return 0; 1258 1259 /* 1260 * Punt if adjacent or overlapping. Check for adjacency 1261 * by subtracting one from b_min first. 1262 */ 1263 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) 1264 continue; 1265 if (memcmp(a_max, b_min, length) >= 0) 1266 return 0; 1267 1268 /* 1269 * Check for range that should be expressed as a prefix. 1270 */ 1271 if (aor_a->type == IPAddressOrRange_addressPrefix) 1272 continue; 1273 1274 if (range_should_be_prefix(a_min, a_max, length) >= 0) 1275 return 0; 1276 } 1277 1278 /* 1279 * Check final range to see if it's inverted or should be a 1280 * prefix. 1281 */ 1282 aor = sk_IPAddressOrRange_value(aors, j); 1283 if (aor->type == IPAddressOrRange_addressRange) { 1284 if (!extract_min_max(aor, a_min, a_max, length)) 1285 return 0; 1286 if (memcmp(a_min, a_max, length) > 0) 1287 return 0; 1288 if (range_should_be_prefix(a_min, a_max, length) >= 0) 1289 return 0; 1290 } 1291 } 1292 1293 /* 1294 * If we made it through all that, we're happy. 1295 */ 1296 return 1; 1297 } 1298 1299 /* 1300 * Whack an IPAddressOrRanges into canonical form. 1301 */ 1302 static int 1303 IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi) 1304 { 1305 IPAddressOrRange *a, *b, *merged; 1306 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1307 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1308 int i, j, length; 1309 1310 length = length_from_afi(afi); 1311 1312 /* 1313 * Sort the IPAddressOrRanges sequence. 1314 */ 1315 sk_IPAddressOrRange_sort(aors); 1316 1317 /* 1318 * Clean up representation issues, punt on duplicates or overlaps. 1319 */ 1320 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 1321 a = sk_IPAddressOrRange_value(aors, i); 1322 b = sk_IPAddressOrRange_value(aors, i + 1); 1323 1324 if (!extract_min_max(a, a_min, a_max, length) || 1325 !extract_min_max(b, b_min, b_max, length)) 1326 return 0; 1327 1328 /* 1329 * Punt inverted ranges. 1330 */ 1331 if (memcmp(a_min, a_max, length) > 0 || 1332 memcmp(b_min, b_max, length) > 0) 1333 return 0; 1334 1335 /* 1336 * Punt overlaps. 1337 */ 1338 if (memcmp(a_max, b_min, length) >= 0) 1339 return 0; 1340 1341 /* 1342 * Merge if a and b are adjacent. We check for 1343 * adjacency by subtracting one from b_min first. 1344 */ 1345 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) 1346 continue; 1347 1348 if (memcmp(a_max, b_min, length) != 0) 1349 continue; 1350 1351 if (!make_addressRange(&merged, a_min, b_max, afi, length)) 1352 return 0; 1353 sk_IPAddressOrRange_set(aors, i, merged); 1354 (void)sk_IPAddressOrRange_delete(aors, i + 1); 1355 IPAddressOrRange_free(a); 1356 IPAddressOrRange_free(b); 1357 i--; 1358 } 1359 1360 /* 1361 * Check for inverted final range. 1362 */ 1363 a = sk_IPAddressOrRange_value(aors, i); 1364 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 1365 if (!extract_min_max(a, a_min, a_max, length)) 1366 return 0; 1367 if (memcmp(a_min, a_max, length) > 0) 1368 return 0; 1369 } 1370 1371 return 1; 1372 } 1373 1374 /* 1375 * Whack an IPAddrBlocks extension into canonical form. 1376 */ 1377 int 1378 X509v3_addr_canonize(IPAddrBlocks *addr) 1379 { 1380 IPAddressFamily *af; 1381 IPAddressOrRanges *aors; 1382 uint16_t afi; 1383 int i; 1384 1385 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1386 af = sk_IPAddressFamily_value(addr, i); 1387 1388 /* Check AFI/SAFI here - IPAddressFamily_cmp() can't error. */ 1389 if (!IPAddressFamily_afi(af, &afi)) 1390 return 0; 1391 1392 if ((aors = IPAddressFamily_addressesOrRanges(af)) == NULL) 1393 continue; 1394 1395 if (!IPAddressOrRanges_canonize(aors, afi)) 1396 return 0; 1397 } 1398 1399 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 1400 sk_IPAddressFamily_sort(addr); 1401 1402 return X509v3_addr_is_canonical(addr); 1403 } 1404 1405 /* 1406 * v2i handler for the IPAddrBlocks extension. 1407 */ 1408 static void * 1409 v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, 1410 STACK_OF(CONF_VALUE)*values) 1411 { 1412 static const char v4addr_chars[] = "0123456789."; 1413 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 1414 IPAddrBlocks *addr = NULL; 1415 char *s = NULL, *t; 1416 int i; 1417 1418 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 1419 X509V3error(ERR_R_MALLOC_FAILURE); 1420 return NULL; 1421 } 1422 1423 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 1424 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 1425 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 1426 unsigned afi, *safi = NULL, safi_; 1427 const char *addr_chars = NULL; 1428 const char *errstr; 1429 int prefix_len, i1, i2, delim, length; 1430 1431 if (!name_cmp(val->name, "IPv4")) { 1432 afi = IANA_AFI_IPV4; 1433 } else if (!name_cmp(val->name, "IPv6")) { 1434 afi = IANA_AFI_IPV6; 1435 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 1436 afi = IANA_AFI_IPV4; 1437 safi = &safi_; 1438 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 1439 afi = IANA_AFI_IPV6; 1440 safi = &safi_; 1441 } else { 1442 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 1443 X509V3_conf_err(val); 1444 goto err; 1445 } 1446 1447 switch (afi) { 1448 case IANA_AFI_IPV4: 1449 addr_chars = v4addr_chars; 1450 break; 1451 case IANA_AFI_IPV6: 1452 addr_chars = v6addr_chars; 1453 break; 1454 } 1455 1456 length = length_from_afi(afi); 1457 1458 /* 1459 * Handle SAFI, if any, and strdup() so we can null-terminate 1460 * the other input values. 1461 */ 1462 if (safi != NULL) { 1463 unsigned long parsed_safi; 1464 int saved_errno = errno; 1465 1466 errno = 0; 1467 parsed_safi = strtoul(val->value, &t, 0); 1468 1469 /* Value must be present, then a tab, space or colon. */ 1470 if (val->value[0] == '\0' || 1471 (*t != '\t' && *t != ' ' && *t != ':')) { 1472 X509V3error(X509V3_R_INVALID_SAFI); 1473 X509V3_conf_err(val); 1474 goto err; 1475 } 1476 /* Range and overflow check. */ 1477 if ((errno == ERANGE && parsed_safi == ULONG_MAX) || 1478 parsed_safi > 0xff) { 1479 X509V3error(X509V3_R_INVALID_SAFI); 1480 X509V3_conf_err(val); 1481 goto err; 1482 } 1483 errno = saved_errno; 1484 1485 *safi = parsed_safi; 1486 1487 /* Check possible whitespace is followed by a colon. */ 1488 t += strspn(t, " \t"); 1489 if (*t != ':') { 1490 X509V3error(X509V3_R_INVALID_SAFI); 1491 X509V3_conf_err(val); 1492 goto err; 1493 } 1494 1495 /* Skip over colon. */ 1496 t++; 1497 1498 /* Then over any trailing whitespace. */ 1499 t += strspn(t, " \t"); 1500 1501 s = strdup(t); 1502 } else { 1503 s = strdup(val->value); 1504 } 1505 if (s == NULL) { 1506 X509V3error(ERR_R_MALLOC_FAILURE); 1507 goto err; 1508 } 1509 1510 /* 1511 * Check for inheritance. Not worth additional complexity to 1512 * optimize this (seldom-used) case. 1513 */ 1514 if (strcmp(s, "inherit") == 0) { 1515 if (!X509v3_addr_add_inherit(addr, afi, safi)) { 1516 X509V3error(X509V3_R_INVALID_INHERITANCE); 1517 X509V3_conf_err(val); 1518 goto err; 1519 } 1520 free(s); 1521 s = NULL; 1522 continue; 1523 } 1524 1525 i1 = strspn(s, addr_chars); 1526 i2 = i1 + strspn(s + i1, " \t"); 1527 delim = s[i2++]; 1528 s[i1] = '\0'; 1529 1530 if (a2i_ipadd(min, s) != length) { 1531 X509V3error(X509V3_R_INVALID_IPADDRESS); 1532 X509V3_conf_err(val); 1533 goto err; 1534 } 1535 1536 switch (delim) { 1537 case '/': 1538 /* length contains the size of the address in bytes. */ 1539 if (length != 4 && length != 16) 1540 goto err; 1541 prefix_len = strtonum(s + i2, 0, 8 * length, &errstr); 1542 if (errstr != NULL) { 1543 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1544 X509V3_conf_err(val); 1545 goto err; 1546 } 1547 if (!X509v3_addr_add_prefix(addr, afi, safi, min, 1548 prefix_len)) { 1549 X509V3error(ERR_R_MALLOC_FAILURE); 1550 goto err; 1551 } 1552 break; 1553 case '-': 1554 i1 = i2 + strspn(s + i2, " \t"); 1555 i2 = i1 + strspn(s + i1, addr_chars); 1556 if (i1 == i2 || s[i2] != '\0') { 1557 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1558 X509V3_conf_err(val); 1559 goto err; 1560 } 1561 if (a2i_ipadd(max, s + i1) != length) { 1562 X509V3error(X509V3_R_INVALID_IPADDRESS); 1563 X509V3_conf_err(val); 1564 goto err; 1565 } 1566 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1567 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1568 X509V3_conf_err(val); 1569 goto err; 1570 } 1571 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { 1572 X509V3error(ERR_R_MALLOC_FAILURE); 1573 goto err; 1574 } 1575 break; 1576 case '\0': 1577 if (!X509v3_addr_add_prefix(addr, afi, safi, min, 1578 length * 8)) { 1579 X509V3error(ERR_R_MALLOC_FAILURE); 1580 goto err; 1581 } 1582 break; 1583 default: 1584 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1585 X509V3_conf_err(val); 1586 goto err; 1587 } 1588 1589 free(s); 1590 s = NULL; 1591 } 1592 1593 /* 1594 * Canonize the result, then we're done. 1595 */ 1596 if (!X509v3_addr_canonize(addr)) 1597 goto err; 1598 return addr; 1599 1600 err: 1601 free(s); 1602 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1603 return NULL; 1604 } 1605 1606 /* 1607 * OpenSSL dispatch 1608 */ 1609 const X509V3_EXT_METHOD v3_addr = { 1610 .ext_nid = NID_sbgp_ipAddrBlock, 1611 .ext_flags = 0, 1612 .it = &IPAddrBlocks_it, 1613 .ext_new = NULL, 1614 .ext_free = NULL, 1615 .d2i = NULL, 1616 .i2d = NULL, 1617 .i2s = NULL, 1618 .s2i = NULL, 1619 .i2v = NULL, 1620 .v2i = v2i_IPAddrBlocks, 1621 .i2r = i2r_IPAddrBlocks, 1622 .r2i = NULL, 1623 .usr_data = NULL, 1624 }; 1625 1626 /* 1627 * Figure out whether extension uses inheritance. 1628 */ 1629 int 1630 X509v3_addr_inherits(IPAddrBlocks *addr) 1631 { 1632 IPAddressFamily *af; 1633 int i; 1634 1635 if (addr == NULL) 1636 return 0; 1637 1638 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1639 af = sk_IPAddressFamily_value(addr, i); 1640 1641 if (IPAddressFamily_inheritance(af) != NULL) 1642 return 1; 1643 } 1644 1645 return 0; 1646 } 1647 1648 /* 1649 * Figure out whether parent contains child. 1650 * 1651 * This only works correctly if both parent and child are in canonical form. 1652 */ 1653 static int 1654 addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length) 1655 { 1656 IPAddressOrRange *child_aor, *parent_aor; 1657 uint8_t parent_min[ADDR_RAW_BUF_LEN], parent_max[ADDR_RAW_BUF_LEN]; 1658 uint8_t child_min[ADDR_RAW_BUF_LEN], child_max[ADDR_RAW_BUF_LEN]; 1659 int p, c; 1660 1661 if (child == NULL || parent == child) 1662 return 1; 1663 if (parent == NULL) 1664 return 0; 1665 1666 p = 0; 1667 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1668 child_aor = sk_IPAddressOrRange_value(child, c); 1669 1670 if (!extract_min_max(child_aor, child_min, child_max, length)) 1671 return 0; 1672 1673 for (;; p++) { 1674 if (p >= sk_IPAddressOrRange_num(parent)) 1675 return 0; 1676 1677 parent_aor = sk_IPAddressOrRange_value(parent, p); 1678 1679 if (!extract_min_max(parent_aor, parent_min, parent_max, 1680 length)) 1681 return 0; 1682 1683 if (memcmp(parent_max, child_max, length) < 0) 1684 continue; 1685 if (memcmp(parent_min, child_min, length) > 0) 1686 return 0; 1687 break; 1688 } 1689 } 1690 1691 return 1; 1692 } 1693 1694 /* 1695 * Test whether |child| is a subset of |parent|. 1696 */ 1697 int 1698 X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent) 1699 { 1700 IPAddressFamily *child_af, *parent_af; 1701 IPAddressOrRanges *child_aor, *parent_aor; 1702 int i, length; 1703 1704 if (child == NULL || child == parent) 1705 return 1; 1706 if (parent == NULL) 1707 return 0; 1708 1709 if (X509v3_addr_inherits(child) || X509v3_addr_inherits(parent)) 1710 return 0; 1711 1712 for (i = 0; i < sk_IPAddressFamily_num(child); i++) { 1713 child_af = sk_IPAddressFamily_value(child, i); 1714 1715 parent_af = IPAddressFamily_find_in_parent(parent, child_af); 1716 if (parent_af == NULL) 1717 return 0; 1718 1719 if (!IPAddressFamily_afi_length(parent_af, &length)) 1720 return 0; 1721 1722 child_aor = IPAddressFamily_addressesOrRanges(child_af); 1723 parent_aor = IPAddressFamily_addressesOrRanges(parent_af); 1724 1725 if (!addr_contains(parent_aor, child_aor, length)) 1726 return 0; 1727 } 1728 return 1; 1729 } 1730 1731 static int 1732 verify_error(X509_STORE_CTX *ctx, X509 *cert, int error, int depth) 1733 { 1734 if (ctx == NULL) 1735 return 0; 1736 1737 ctx->current_cert = cert; 1738 ctx->error = error; 1739 ctx->error_depth = depth; 1740 1741 return ctx->verify_cb(0, ctx); 1742 } 1743 1744 /* 1745 * Core code for RFC 3779 2.3 path validation. 1746 * 1747 * Returns 1 for success, 0 on error. 1748 * 1749 * When returning 0, ctx->error MUST be set to an appropriate value other than 1750 * X509_V_OK. 1751 */ 1752 static int 1753 addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, 1754 IPAddrBlocks *ext) 1755 { 1756 IPAddrBlocks *child = NULL, *parent = NULL; 1757 IPAddressFamily *child_af, *parent_af; 1758 IPAddressOrRanges *child_aor, *parent_aor; 1759 X509 *cert = NULL; 1760 int depth = -1; 1761 int i; 1762 unsigned int length; 1763 int ret = 1; 1764 1765 /* We need a non-empty chain to test against. */ 1766 if (sk_X509_num(chain) <= 0) 1767 goto err; 1768 /* We need either a store ctx or an extension to work with. */ 1769 if (ctx == NULL && ext == NULL) 1770 goto err; 1771 /* If there is a store ctx, it needs a verify_cb. */ 1772 if (ctx != NULL && ctx->verify_cb == NULL) 1773 goto err; 1774 1775 /* 1776 * Figure out where to start. If we don't have an extension to check, 1777 * (either extracted from the leaf or passed by the caller), we're done. 1778 * Otherwise, check canonical form and set up for walking up the chain. 1779 */ 1780 if (ext == NULL) { 1781 depth = 0; 1782 cert = sk_X509_value(chain, depth); 1783 if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) 1784 goto done; 1785 if ((ext = cert->rfc3779_addr) == NULL) 1786 goto done; 1787 } else if (!X509v3_addr_is_canonical(ext)) { 1788 if ((ret = verify_error(ctx, cert, 1789 X509_V_ERR_INVALID_EXTENSION, depth)) == 0) 1790 goto done; 1791 } 1792 1793 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1794 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1795 X509V3error(ERR_R_MALLOC_FAILURE); 1796 if (ctx != NULL) 1797 ctx->error = X509_V_ERR_OUT_OF_MEM; 1798 ret = 0; 1799 goto done; 1800 } 1801 1802 /* 1803 * Now walk up the chain. No cert may list resources that its parent 1804 * doesn't list. 1805 */ 1806 for (depth++; depth < sk_X509_num(chain); depth++) { 1807 cert = sk_X509_value(chain, depth); 1808 1809 if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) { 1810 if ((ret = verify_error(ctx, cert, 1811 X509_V_ERR_INVALID_EXTENSION, depth)) == 0) 1812 goto done; 1813 } 1814 1815 if ((parent = cert->rfc3779_addr) == NULL) { 1816 for (i = 0; i < sk_IPAddressFamily_num(child); i++) { 1817 child_af = sk_IPAddressFamily_value(child, i); 1818 1819 if (IPAddressFamily_inheritance(child_af) != 1820 NULL) 1821 continue; 1822 1823 if ((ret = verify_error(ctx, cert, 1824 X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0) 1825 goto done; 1826 break; 1827 } 1828 continue; 1829 } 1830 1831 /* 1832 * Check that the child's resources are covered by the parent. 1833 * Each covered resource is replaced with the parent's resource 1834 * covering it, so the next iteration will check that the 1835 * parent's resources are covered by the grandparent. 1836 */ 1837 for (i = 0; i < sk_IPAddressFamily_num(child); i++) { 1838 child_af = sk_IPAddressFamily_value(child, i); 1839 1840 if ((parent_af = IPAddressFamily_find_in_parent(parent, 1841 child_af)) == NULL) { 1842 /* 1843 * If we have no match in the parent and the 1844 * child inherits, that's fine. 1845 */ 1846 if (IPAddressFamily_inheritance(child_af) != 1847 NULL) 1848 continue; 1849 1850 /* Otherwise the child isn't covered. */ 1851 if ((ret = verify_error(ctx, cert, 1852 X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0) 1853 goto done; 1854 break; 1855 } 1856 1857 /* Parent inherits, nothing to do. */ 1858 if (IPAddressFamily_inheritance(parent_af) != NULL) 1859 continue; 1860 1861 /* Child inherits. Use parent's address family. */ 1862 if (IPAddressFamily_inheritance(child_af) != NULL) { 1863 sk_IPAddressFamily_set(child, i, parent_af); 1864 continue; 1865 } 1866 1867 child_aor = IPAddressFamily_addressesOrRanges(child_af); 1868 parent_aor = 1869 IPAddressFamily_addressesOrRanges(parent_af); 1870 1871 /* 1872 * Child and parent are canonical and neither inherits. 1873 * If either addressesOrRanges is NULL, something's 1874 * very wrong. 1875 */ 1876 if (child_aor == NULL || parent_aor == NULL) 1877 goto err; 1878 1879 if (!IPAddressFamily_afi_length(child_af, &length)) 1880 goto err; 1881 1882 /* Now check containment and replace or error. */ 1883 if (addr_contains(parent_aor, child_aor, length)) { 1884 sk_IPAddressFamily_set(child, i, parent_af); 1885 continue; 1886 } 1887 1888 if ((ret = verify_error(ctx, cert, 1889 X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0) 1890 goto done; 1891 } 1892 } 1893 1894 /* 1895 * Trust anchor can't inherit. 1896 */ 1897 if ((parent = cert->rfc3779_addr) != NULL) { 1898 for (i = 0; i < sk_IPAddressFamily_num(parent); i++) { 1899 parent_af = sk_IPAddressFamily_value(parent, i); 1900 1901 if (IPAddressFamily_inheritance(parent_af) == NULL) 1902 continue; 1903 1904 if ((ret = verify_error(ctx, cert, 1905 X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0) 1906 goto done; 1907 } 1908 } 1909 1910 done: 1911 sk_IPAddressFamily_free(child); 1912 return ret; 1913 1914 err: 1915 sk_IPAddressFamily_free(child); 1916 1917 if (ctx != NULL) 1918 ctx->error = X509_V_ERR_UNSPECIFIED; 1919 1920 return 0; 1921 } 1922 1923 /* 1924 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1925 */ 1926 int 1927 X509v3_addr_validate_path(X509_STORE_CTX *ctx) 1928 { 1929 if (sk_X509_num(ctx->chain) <= 0 || ctx->verify_cb == NULL) { 1930 ctx->error = X509_V_ERR_UNSPECIFIED; 1931 return 0; 1932 } 1933 return addr_validate_path_internal(ctx, ctx->chain, NULL); 1934 } 1935 1936 /* 1937 * RFC 3779 2.3 path validation of an extension. 1938 * Test whether chain covers extension. 1939 */ 1940 int 1941 X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext, 1942 int allow_inheritance) 1943 { 1944 if (ext == NULL) 1945 return 1; 1946 if (sk_X509_num(chain) <= 0) 1947 return 0; 1948 if (!allow_inheritance && X509v3_addr_inherits(ext)) 1949 return 0; 1950 return addr_validate_path_internal(NULL, chain, ext); 1951 } 1952 1953 #endif /* OPENSSL_NO_RFC3779 */ 1954