1 /* 2 * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * Implementation of RFC 3779 section 3.2. 12 */ 13 14 #include <assert.h> 15 #include <stdio.h> 16 #include <string.h> 17 #include "internal/cryptlib.h" 18 #include <openssl/conf.h> 19 #include <openssl/asn1.h> 20 #include <openssl/asn1t.h> 21 #include <openssl/x509v3.h> 22 #include <openssl/x509.h> 23 #include "crypto/x509.h" 24 #include <openssl/bn.h> 25 #include "ext_dat.h" 26 27 #ifndef OPENSSL_NO_RFC3779 28 29 /* 30 * OpenSSL ASN.1 template translation of RFC 3779 3.2.3. 31 */ 32 33 ASN1_SEQUENCE(ASRange) = { 34 ASN1_SIMPLE(ASRange, min, ASN1_INTEGER), 35 ASN1_SIMPLE(ASRange, max, ASN1_INTEGER) 36 } ASN1_SEQUENCE_END(ASRange) 37 38 ASN1_CHOICE(ASIdOrRange) = { 39 ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER), 40 ASN1_SIMPLE(ASIdOrRange, u.range, ASRange) 41 } ASN1_CHOICE_END(ASIdOrRange) 42 43 ASN1_CHOICE(ASIdentifierChoice) = { 44 ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL), 45 ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange) 46 } ASN1_CHOICE_END(ASIdentifierChoice) 47 48 ASN1_SEQUENCE(ASIdentifiers) = { 49 ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0), 50 ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1) 51 } ASN1_SEQUENCE_END(ASIdentifiers) 52 53 ASRange * 54 d2i_ASRange(ASRange **a, const unsigned char **in, long len) 55 { 56 return (ASRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 57 (&(ASRange_it))); 58 } 59 60 int 61 i2d_ASRange(ASRange *a, unsigned char **out) 62 { 63 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASRange_it))); 64 } 65 66 ASRange * 67 ASRange_new(void) 68 { 69 return (ASRange *)ASN1_item_new((&(ASRange_it))); 70 } 71 72 void 73 ASRange_free(ASRange *a) 74 { 75 ASN1_item_free((ASN1_VALUE *)a, (&(ASRange_it))); 76 } 77 78 ASIdOrRange * 79 d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in, long len) 80 { 81 return (ASIdOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 82 (&(ASIdOrRange_it))); 83 } 84 85 int 86 i2d_ASIdOrRange(ASIdOrRange *a, unsigned char **out) 87 { 88 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdOrRange_it))); 89 } 90 91 ASIdOrRange * 92 ASIdOrRange_new(void) 93 { 94 return (ASIdOrRange *)ASN1_item_new((&(ASIdOrRange_it))); 95 } 96 97 void 98 ASIdOrRange_free(ASIdOrRange *a) 99 { 100 ASN1_item_free((ASN1_VALUE *)a, (&(ASIdOrRange_it))); 101 } 102 103 ASIdentifierChoice * 104 d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in, long len) 105 { 106 return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 107 (&(ASIdentifierChoice_it))); 108 } 109 110 int 111 i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out) 112 { 113 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifierChoice_it))); 114 115 } 116 117 ASIdentifierChoice * 118 ASIdentifierChoice_new(void) 119 { 120 return (ASIdentifierChoice *)ASN1_item_new((&(ASIdentifierChoice_it))); 121 } 122 123 void 124 ASIdentifierChoice_free(ASIdentifierChoice *a) 125 { 126 ASN1_item_free((ASN1_VALUE *)a, (&(ASIdentifierChoice_it))); 127 } 128 129 ASIdentifiers * 130 d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in, long len) 131 { 132 return (ASIdentifiers *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 133 (&(ASIdentifiers_it))); 134 } 135 136 int 137 i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out) 138 { 139 return ASN1_item_i2d((ASN1_VALUE *)a, out, (&(ASIdentifiers_it))); 140 } 141 142 ASIdentifiers *ASIdentifiers_new(void) 143 { 144 return (ASIdentifiers *)ASN1_item_new((&(ASIdentifiers_it))); 145 } 146 147 void ASIdentifiers_free(ASIdentifiers *a) 148 { 149 ASN1_item_free((ASN1_VALUE *)a, (&(ASIdentifiers_it))); 150 } 151 152 /* 153 * i2r method for an ASIdentifierChoice. 154 */ 155 static int i2r_ASIdentifierChoice(BIO *out, 156 ASIdentifierChoice *choice, 157 int indent, const char *msg) 158 { 159 int i; 160 char *s; 161 if (choice == NULL) 162 return 1; 163 BIO_printf(out, "%*s%s:\n", indent, "", msg); 164 switch (choice->type) { 165 case ASIdentifierChoice_inherit: 166 BIO_printf(out, "%*sinherit\n", indent + 2, ""); 167 break; 168 case ASIdentifierChoice_asIdsOrRanges: 169 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) { 170 ASIdOrRange *aor = 171 sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 172 switch (aor->type) { 173 case ASIdOrRange_id: 174 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL) 175 return 0; 176 BIO_printf(out, "%*s%s\n", indent + 2, "", s); 177 free(s); 178 break; 179 case ASIdOrRange_range: 180 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL) 181 return 0; 182 BIO_printf(out, "%*s%s-", indent + 2, "", s); 183 free(s); 184 if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL) 185 return 0; 186 BIO_printf(out, "%s\n", s); 187 free(s); 188 break; 189 default: 190 return 0; 191 } 192 } 193 break; 194 default: 195 return 0; 196 } 197 return 1; 198 } 199 200 /* 201 * i2r method for an ASIdentifier extension. 202 */ 203 static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method, 204 void *ext, BIO *out, int indent) 205 { 206 ASIdentifiers *asid = ext; 207 return (i2r_ASIdentifierChoice(out, asid->asnum, indent, 208 "Autonomous System Numbers") && 209 i2r_ASIdentifierChoice(out, asid->rdi, indent, 210 "Routing Domain Identifiers")); 211 } 212 213 /* 214 * Sort comparison function for a sequence of ASIdOrRange elements. 215 */ 216 static int ASIdOrRange_cmp(const ASIdOrRange *const *a_, 217 const ASIdOrRange *const *b_) 218 { 219 const ASIdOrRange *a = *a_, *b = *b_; 220 221 /* XXX: these asserts need to be replaced */ 222 assert((a->type == ASIdOrRange_id && a->u.id != NULL) || 223 (a->type == ASIdOrRange_range && a->u.range != NULL && 224 a->u.range->min != NULL && a->u.range->max != NULL)); 225 226 assert((b->type == ASIdOrRange_id && b->u.id != NULL) || 227 (b->type == ASIdOrRange_range && b->u.range != NULL && 228 b->u.range->min != NULL && b->u.range->max != NULL)); 229 230 if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) 231 return ASN1_INTEGER_cmp(a->u.id, b->u.id); 232 233 if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { 234 int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); 235 return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, 236 b->u.range->max); 237 } 238 239 if (a->type == ASIdOrRange_id) 240 return ASN1_INTEGER_cmp(a->u.id, b->u.range->min); 241 else 242 return ASN1_INTEGER_cmp(a->u.range->min, b->u.id); 243 } 244 245 /* 246 * Add an inherit element. 247 */ 248 int X509v3_asid_add_inherit(ASIdentifiers *asid, int which) 249 { 250 ASIdentifierChoice **choice; 251 if (asid == NULL) 252 return 0; 253 switch (which) { 254 case V3_ASID_ASNUM: 255 choice = &asid->asnum; 256 break; 257 case V3_ASID_RDI: 258 choice = &asid->rdi; 259 break; 260 default: 261 return 0; 262 } 263 if (*choice == NULL) { 264 if ((*choice = ASIdentifierChoice_new()) == NULL) 265 return 0; 266 if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) 267 return 0; 268 (*choice)->type = ASIdentifierChoice_inherit; 269 } 270 return (*choice)->type == ASIdentifierChoice_inherit; 271 } 272 273 /* 274 * Add an ID or range to an ASIdentifierChoice. 275 */ 276 int X509v3_asid_add_id_or_range(ASIdentifiers *asid, 277 int which, ASN1_INTEGER *min, ASN1_INTEGER *max) 278 { 279 ASIdentifierChoice **choice; 280 ASIdOrRange *aor; 281 if (asid == NULL) 282 return 0; 283 switch (which) { 284 case V3_ASID_ASNUM: 285 choice = &asid->asnum; 286 break; 287 case V3_ASID_RDI: 288 choice = &asid->rdi; 289 break; 290 default: 291 return 0; 292 } 293 if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) 294 return 0; 295 if (*choice == NULL) { 296 if ((*choice = ASIdentifierChoice_new()) == NULL) 297 return 0; 298 (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); 299 if ((*choice)->u.asIdsOrRanges == NULL) 300 return 0; 301 (*choice)->type = ASIdentifierChoice_asIdsOrRanges; 302 } 303 if ((aor = ASIdOrRange_new()) == NULL) 304 return 0; 305 if (max == NULL) { 306 aor->type = ASIdOrRange_id; 307 aor->u.id = min; 308 } else { 309 aor->type = ASIdOrRange_range; 310 if ((aor->u.range = ASRange_new()) == NULL) 311 goto err; 312 ASN1_INTEGER_free(aor->u.range->min); 313 aor->u.range->min = min; 314 ASN1_INTEGER_free(aor->u.range->max); 315 aor->u.range->max = max; 316 } 317 if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor))) 318 goto err; 319 return 1; 320 321 err: 322 ASIdOrRange_free(aor); 323 return 0; 324 } 325 326 /* 327 * Extract min and max values from an ASIdOrRange. 328 */ 329 static int extract_min_max(ASIdOrRange *aor, 330 ASN1_INTEGER **min, ASN1_INTEGER **max) 331 { 332 if (!OPENSSL_assert(aor != NULL)) 333 return 0; 334 switch (aor->type) { 335 case ASIdOrRange_id: 336 *min = aor->u.id; 337 *max = aor->u.id; 338 return 1; 339 case ASIdOrRange_range: 340 *min = aor->u.range->min; 341 *max = aor->u.range->max; 342 return 1; 343 } 344 345 return 0; 346 } 347 348 /* 349 * Check whether an ASIdentifierChoice is in canonical form. 350 */ 351 static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) 352 { 353 ASN1_INTEGER *a_max_plus_one = NULL; 354 ASN1_INTEGER *orig; 355 BIGNUM *bn = NULL; 356 int i, ret = 0; 357 358 /* 359 * Empty element or inheritance is canonical. 360 */ 361 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) 362 return 1; 363 364 /* 365 * If not a list, or if empty list, it's broken. 366 */ 367 if (choice->type != ASIdentifierChoice_asIdsOrRanges || 368 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) 369 return 0; 370 371 /* 372 * It's a list, check it. 373 */ 374 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { 375 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 376 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); 377 ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max = 378 NULL; 379 380 if (!extract_min_max(a, &a_min, &a_max) 381 || !extract_min_max(b, &b_min, &b_max)) 382 goto done; 383 384 /* 385 * Punt misordered list, overlapping start, or inverted range. 386 */ 387 if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 || 388 ASN1_INTEGER_cmp(a_min, a_max) > 0 || 389 ASN1_INTEGER_cmp(b_min, b_max) > 0) 390 goto done; 391 392 /* 393 * Calculate a_max + 1 to check for adjacency. 394 */ 395 if ((bn == NULL && (bn = BN_new()) == NULL) || 396 ASN1_INTEGER_to_BN(a_max, bn) == NULL || 397 !BN_add_word(bn, 1)) { 398 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, 399 ERR_R_MALLOC_FAILURE); 400 goto done; 401 } 402 403 if ((a_max_plus_one = 404 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { 405 a_max_plus_one = orig; 406 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, 407 ERR_R_MALLOC_FAILURE); 408 goto done; 409 } 410 411 /* 412 * Punt if adjacent or overlapping. 413 */ 414 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0) 415 goto done; 416 } 417 418 /* 419 * Check for inverted range. 420 */ 421 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; 422 { 423 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 424 ASN1_INTEGER *a_min, *a_max; 425 if (a != NULL && a->type == ASIdOrRange_range) { 426 if (!extract_min_max(a, &a_min, &a_max) 427 || ASN1_INTEGER_cmp(a_min, a_max) > 0) 428 goto done; 429 } 430 } 431 432 ret = 1; 433 434 done: 435 ASN1_INTEGER_free(a_max_plus_one); 436 BN_free(bn); 437 return ret; 438 } 439 440 /* 441 * Check whether an ASIdentifier extension is in canonical form. 442 */ 443 int X509v3_asid_is_canonical(ASIdentifiers *asid) 444 { 445 return (asid == NULL || 446 (ASIdentifierChoice_is_canonical(asid->asnum) && 447 ASIdentifierChoice_is_canonical(asid->rdi))); 448 } 449 450 /* 451 * Whack an ASIdentifierChoice into canonical form. 452 */ 453 static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) 454 { 455 ASN1_INTEGER *a_max_plus_one = NULL; 456 ASN1_INTEGER *orig; 457 BIGNUM *bn = NULL; 458 int i, ret = 0; 459 460 /* 461 * Nothing to do for empty element or inheritance. 462 */ 463 if (choice == NULL || choice->type == ASIdentifierChoice_inherit) 464 return 1; 465 466 /* 467 * If not a list, or if empty list, it's broken. 468 */ 469 if (choice->type != ASIdentifierChoice_asIdsOrRanges || 470 sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) { 471 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, 472 X509V3_R_EXTENSION_VALUE_ERROR); 473 return 0; 474 } 475 476 /* 477 * We have a non-empty list. Sort it. 478 */ 479 sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); 480 481 /* 482 * Now check for errors and suboptimal encoding, rejecting the 483 * former and fixing the latter. 484 */ 485 for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { 486 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 487 ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); 488 ASN1_INTEGER *a_min = NULL, *a_max = NULL, *b_min = NULL, *b_max = 489 NULL; 490 491 if (!extract_min_max(a, &a_min, &a_max) 492 || !extract_min_max(b, &b_min, &b_max)) 493 goto done; 494 495 /* 496 * Make sure we're properly sorted (paranoia). 497 */ 498 if (!OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0)) 499 goto done; 500 501 /* 502 * Punt inverted ranges. 503 */ 504 if (ASN1_INTEGER_cmp(a_min, a_max) > 0 || 505 ASN1_INTEGER_cmp(b_min, b_max) > 0) 506 goto done; 507 508 /* 509 * Check for overlaps. 510 */ 511 if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { 512 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, 513 X509V3_R_EXTENSION_VALUE_ERROR); 514 goto done; 515 } 516 517 /* 518 * Calculate a_max + 1 to check for adjacency. 519 */ 520 if ((bn == NULL && (bn = BN_new()) == NULL) || 521 ASN1_INTEGER_to_BN(a_max, bn) == NULL || 522 !BN_add_word(bn, 1)) { 523 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, 524 ERR_R_MALLOC_FAILURE); 525 goto done; 526 } 527 528 if ((a_max_plus_one = 529 BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { 530 a_max_plus_one = orig; 531 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, 532 ERR_R_MALLOC_FAILURE); 533 goto done; 534 } 535 536 /* 537 * If a and b are adjacent, merge them. 538 */ 539 if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { 540 ASRange *r; 541 switch (a->type) { 542 case ASIdOrRange_id: 543 if ((r = OPENSSL_malloc(sizeof(*r))) == NULL) { 544 X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, 545 ERR_R_MALLOC_FAILURE); 546 goto done; 547 } 548 r->min = a_min; 549 r->max = b_max; 550 a->type = ASIdOrRange_range; 551 a->u.range = r; 552 break; 553 case ASIdOrRange_range: 554 ASN1_INTEGER_free(a->u.range->max); 555 a->u.range->max = b_max; 556 break; 557 } 558 switch (b->type) { 559 case ASIdOrRange_id: 560 b->u.id = NULL; 561 break; 562 case ASIdOrRange_range: 563 b->u.range->max = NULL; 564 break; 565 } 566 ASIdOrRange_free(b); 567 (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); 568 i--; 569 continue; 570 } 571 } 572 573 /* 574 * Check for final inverted range. 575 */ 576 i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; 577 { 578 ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); 579 ASN1_INTEGER *a_min, *a_max; 580 if (a != NULL && a->type == ASIdOrRange_range) { 581 if (!extract_min_max(a, &a_min, &a_max) 582 || ASN1_INTEGER_cmp(a_min, a_max) > 0) 583 goto done; 584 } 585 } 586 587 /* Paranoia */ 588 if (!OPENSSL_assert(ASIdentifierChoice_is_canonical(choice))) 589 goto done; 590 591 ret = 1; 592 593 done: 594 ASN1_INTEGER_free(a_max_plus_one); 595 BN_free(bn); 596 return ret; 597 } 598 599 /* 600 * Whack an ASIdentifier extension into canonical form. 601 */ 602 int X509v3_asid_canonize(ASIdentifiers *asid) 603 { 604 return (asid == NULL || 605 (ASIdentifierChoice_canonize(asid->asnum) && 606 ASIdentifierChoice_canonize(asid->rdi))); 607 } 608 609 /* 610 * v2i method for an ASIdentifier extension. 611 */ 612 static void *v2i_ASIdentifiers(const struct v3_ext_method *method, 613 struct v3_ext_ctx *ctx, 614 STACK_OF(CONF_VALUE) *values) 615 { 616 ASN1_INTEGER *min = NULL, *max = NULL; 617 ASIdentifiers *asid = NULL; 618 int i; 619 620 if ((asid = ASIdentifiers_new()) == NULL) { 621 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); 622 return NULL; 623 } 624 625 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 626 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 627 int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0; 628 629 /* 630 * Figure out whether this is an AS or an RDI. 631 */ 632 if (!name_cmp(val->name, "AS")) { 633 which = V3_ASID_ASNUM; 634 } else if (!name_cmp(val->name, "RDI")) { 635 which = V3_ASID_RDI; 636 } else { 637 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, 638 X509V3_R_EXTENSION_NAME_ERROR); 639 X509V3_conf_err(val); 640 goto err; 641 } 642 643 /* 644 * Handle inheritance. 645 */ 646 if (strcmp(val->value, "inherit") == 0) { 647 if (X509v3_asid_add_inherit(asid, which)) 648 continue; 649 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, 650 X509V3_R_INVALID_INHERITANCE); 651 X509V3_conf_err(val); 652 goto err; 653 } 654 655 /* 656 * Number, range, or mistake, pick it apart and figure out which. 657 */ 658 i1 = strspn(val->value, "0123456789"); 659 if (val->value[i1] == '\0') { 660 is_range = 0; 661 } else { 662 is_range = 1; 663 i2 = i1 + strspn(val->value + i1, " \t"); 664 if (val->value[i2] != '-') { 665 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, 666 X509V3_R_INVALID_ASNUMBER); 667 X509V3_conf_err(val); 668 goto err; 669 } 670 i2++; 671 i2 = i2 + strspn(val->value + i2, " \t"); 672 i3 = i2 + strspn(val->value + i2, "0123456789"); 673 if (val->value[i3] != '\0') { 674 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, 675 X509V3_R_INVALID_ASRANGE); 676 X509V3_conf_err(val); 677 goto err; 678 } 679 } 680 681 /* 682 * Syntax is ok, read and add it. 683 */ 684 if (!is_range) { 685 if (!X509V3_get_value_int(val, &min)) { 686 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); 687 goto err; 688 } 689 } else { 690 char *s = OPENSSL_strdup(val->value); 691 if (s == NULL) { 692 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); 693 goto err; 694 } 695 s[i1] = '\0'; 696 min = s2i_ASN1_INTEGER(NULL, s); 697 max = s2i_ASN1_INTEGER(NULL, s + i2); 698 free(s); 699 if (min == NULL || max == NULL) { 700 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); 701 goto err; 702 } 703 if (ASN1_INTEGER_cmp(min, max) > 0) { 704 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, 705 X509V3_R_EXTENSION_VALUE_ERROR); 706 goto err; 707 } 708 } 709 if (!X509v3_asid_add_id_or_range(asid, which, min, max)) { 710 X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); 711 goto err; 712 } 713 min = max = NULL; 714 } 715 716 /* 717 * Canonize the result, then we're done. 718 */ 719 if (!X509v3_asid_canonize(asid)) 720 goto err; 721 return asid; 722 723 err: 724 ASIdentifiers_free(asid); 725 ASN1_INTEGER_free(min); 726 ASN1_INTEGER_free(max); 727 return NULL; 728 } 729 730 /* 731 * OpenSSL dispatch. 732 */ 733 const X509V3_EXT_METHOD v3_asid = { 734 NID_sbgp_autonomousSysNum, /* nid */ 735 0, /* flags */ 736 ASN1_ITEM_ref(ASIdentifiers), /* template */ 737 0, 0, 0, 0, /* old functions, ignored */ 738 0, /* i2s */ 739 0, /* s2i */ 740 0, /* i2v */ 741 v2i_ASIdentifiers, /* v2i */ 742 i2r_ASIdentifiers, /* i2r */ 743 0, /* r2i */ 744 NULL /* extension-specific data */ 745 }; 746 747 /* 748 * Figure out whether extension uses inheritance. 749 */ 750 int X509v3_asid_inherits(ASIdentifiers *asid) 751 { 752 return (asid != NULL && 753 ((asid->asnum != NULL && 754 asid->asnum->type == ASIdentifierChoice_inherit) || 755 (asid->rdi != NULL && 756 asid->rdi->type == ASIdentifierChoice_inherit))); 757 } 758 759 /* 760 * Figure out whether parent contains child. 761 */ 762 static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) 763 { 764 ASN1_INTEGER *p_min = NULL, *p_max = NULL, *c_min = NULL, *c_max = NULL; 765 int p, c; 766 767 if (child == NULL || parent == child) 768 return 1; 769 if (parent == NULL) 770 return 0; 771 772 p = 0; 773 for (c = 0; c < sk_ASIdOrRange_num(child); c++) { 774 if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max)) 775 return 0; 776 for (;; p++) { 777 if (p >= sk_ASIdOrRange_num(parent)) 778 return 0; 779 if (!extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, 780 &p_max)) 781 return 0; 782 if (ASN1_INTEGER_cmp(p_max, c_max) < 0) 783 continue; 784 if (ASN1_INTEGER_cmp(p_min, c_min) > 0) 785 return 0; 786 break; 787 } 788 } 789 790 return 1; 791 } 792 793 /* 794 * Test whether a is a subset of b. 795 */ 796 int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) 797 { 798 return (a == NULL || 799 a == b || 800 (b != NULL && 801 !X509v3_asid_inherits(a) && 802 !X509v3_asid_inherits(b) && 803 asid_contains(b->asnum->u.asIdsOrRanges, 804 a->asnum->u.asIdsOrRanges) && 805 asid_contains(b->rdi->u.asIdsOrRanges, 806 a->rdi->u.asIdsOrRanges))); 807 } 808 809 /* 810 * Validation error handling via callback. 811 */ 812 #define validation_err(_err_) \ 813 do { \ 814 if (ctx != NULL) { \ 815 ctx->error = _err_; \ 816 ctx->error_depth = i; \ 817 ctx->current_cert = x; \ 818 ret = ctx->verify_cb(0, ctx); \ 819 } else { \ 820 ret = 0; \ 821 } \ 822 if (!ret) \ 823 goto done; \ 824 } while (0) 825 826 /* 827 * Core code for RFC 3779 3.3 path validation. 828 */ 829 static int asid_validate_path_internal(X509_STORE_CTX *ctx, 830 STACK_OF(X509) *chain, 831 ASIdentifiers *ext) 832 { 833 ASIdOrRanges *child_as = NULL, *child_rdi = NULL; 834 int i, ret = 1, inherit_as = 0, inherit_rdi = 0; 835 X509 *x; 836 837 if (!OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0) 838 || !OPENSSL_assert(ctx != NULL || ext != NULL) 839 || !OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL)) { 840 if (ctx != NULL) 841 ctx->error = X509_V_ERR_UNSPECIFIED; 842 return 0; 843 } 844 845 846 /* 847 * Figure out where to start. If we don't have an extension to 848 * check, we're done. Otherwise, check canonical form and 849 * set up for walking up the chain. 850 */ 851 if (ext != NULL) { 852 i = -1; 853 x = NULL; 854 } else { 855 i = 0; 856 x = sk_X509_value(chain, i); 857 if ((ext = x->rfc3779_asid) == NULL) 858 goto done; 859 } 860 if (!X509v3_asid_is_canonical(ext)) 861 validation_err(X509_V_ERR_INVALID_EXTENSION); 862 if (ext->asnum != NULL) { 863 switch (ext->asnum->type) { 864 case ASIdentifierChoice_inherit: 865 inherit_as = 1; 866 break; 867 case ASIdentifierChoice_asIdsOrRanges: 868 child_as = ext->asnum->u.asIdsOrRanges; 869 break; 870 } 871 } 872 if (ext->rdi != NULL) { 873 switch (ext->rdi->type) { 874 case ASIdentifierChoice_inherit: 875 inherit_rdi = 1; 876 break; 877 case ASIdentifierChoice_asIdsOrRanges: 878 child_rdi = ext->rdi->u.asIdsOrRanges; 879 break; 880 } 881 } 882 883 /* 884 * Now walk up the chain. Extensions must be in canonical form, no 885 * cert may list resources that its parent doesn't list. 886 */ 887 for (i++; i < sk_X509_num(chain); i++) { 888 x = sk_X509_value(chain, i); 889 if (!OPENSSL_assert(x != NULL)) { 890 if (ctx != NULL) 891 ctx->error = X509_V_ERR_UNSPECIFIED; 892 return 0; 893 } 894 if (x->rfc3779_asid == NULL) { 895 if (child_as != NULL || child_rdi != NULL) 896 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 897 continue; 898 } 899 if (!X509v3_asid_is_canonical(x->rfc3779_asid)) 900 validation_err(X509_V_ERR_INVALID_EXTENSION); 901 if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { 902 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 903 child_as = NULL; 904 inherit_as = 0; 905 } 906 if (x->rfc3779_asid->asnum != NULL && 907 x->rfc3779_asid->asnum->type == 908 ASIdentifierChoice_asIdsOrRanges) { 909 if (inherit_as 910 || asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, 911 child_as)) { 912 child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; 913 inherit_as = 0; 914 } else { 915 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 916 } 917 } 918 if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) { 919 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 920 child_rdi = NULL; 921 inherit_rdi = 0; 922 } 923 if (x->rfc3779_asid->rdi != NULL && 924 x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { 925 if (inherit_rdi || 926 asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, 927 child_rdi)) { 928 child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; 929 inherit_rdi = 0; 930 } else { 931 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 932 } 933 } 934 } 935 936 /* 937 * Trust anchor can't inherit. 938 */ 939 if (!OPENSSL_assert(x != NULL)) { 940 if (ctx != NULL) 941 ctx->error = X509_V_ERR_UNSPECIFIED; 942 return 0; 943 } 944 if (x->rfc3779_asid != NULL) { 945 if (x->rfc3779_asid->asnum != NULL && 946 x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) 947 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 948 if (x->rfc3779_asid->rdi != NULL && 949 x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) 950 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 951 } 952 953 done: 954 return ret; 955 } 956 957 #undef validation_err 958 959 /* 960 * RFC 3779 3.3 path validation -- called from X509_verify_cert(). 961 */ 962 int X509v3_asid_validate_path(X509_STORE_CTX *ctx) 963 { 964 if (ctx->chain == NULL 965 || sk_X509_num(ctx->chain) == 0 966 || ctx->verify_cb == NULL) { 967 ctx->error = X509_V_ERR_UNSPECIFIED; 968 return 0; 969 } 970 return asid_validate_path_internal(ctx, ctx->chain, NULL); 971 } 972 973 /* 974 * RFC 3779 3.3 path validation of an extension. 975 * Test whether chain covers extension. 976 */ 977 int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain, 978 ASIdentifiers *ext, int allow_inheritance) 979 { 980 if (ext == NULL) 981 return 1; 982 if (chain == NULL || sk_X509_num(chain) == 0) 983 return 0; 984 if (!allow_inheritance && X509v3_asid_inherits(ext)) 985 return 0; 986 return asid_validate_path_internal(NULL, chain, ext); 987 } 988 989 #endif /* OPENSSL_NO_RFC3779 */ 990