2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * Implementation of RFC 3779 section 2.2.
17 #include "internal/cryptlib.h"
18 #include <openssl/conf.h>
19 #include <openssl/asn1.h>
20 #include <openssl/asn1t.h>
21 #include <openssl/buffer.h>
22 #include <openssl/x509v3.h>
23 #include "internal/x509_int.h"
26 #ifndef OPENSSL_NO_RFC3779
29 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
32 ASN1_SEQUENCE(IPAddressRange) = {
33 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
34 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
35 } ASN1_SEQUENCE_END(IPAddressRange)
37 ASN1_CHOICE(IPAddressOrRange) = {
38 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
39 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
40 } ASN1_CHOICE_END(IPAddressOrRange)
42 ASN1_CHOICE(IPAddressChoice) = {
43 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
44 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
45 } ASN1_CHOICE_END(IPAddressChoice)
47 ASN1_SEQUENCE(IPAddressFamily) = {
48 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
49 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
50 } ASN1_SEQUENCE_END(IPAddressFamily)
52 ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
53 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
54 IPAddrBlocks, IPAddressFamily)
55 static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
57 IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
58 IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
59 IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
60 IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
63 * How much buffer space do we need for a raw address?
65 #define ADDR_RAW_BUF_LEN 16
68 * What's the address length associated with this AFI?
70 static int length_from_afi(const unsigned afi)
83 * Extract the AFI from an IPAddressFamily.
85 unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
88 f->addressFamily != NULL && f->addressFamily->data != NULL)
89 ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1]))
94 * Expand the bitstring form of an address into a raw byte array.
95 * At the moment this is coded for simplicity, not speed.
97 static int addr_expand(unsigned char *addr,
98 const ASN1_BIT_STRING *bs,
99 const int length, const unsigned char fill)
101 if (bs->length < 0 || bs->length > length)
103 if (bs->length > 0) {
104 memcpy(addr, bs->data, bs->length);
105 if ((bs->flags & 7) != 0) {
106 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
108 addr[bs->length - 1] &= ~mask;
110 addr[bs->length - 1] |= mask;
113 memset(addr + bs->length, fill, length - bs->length);
118 * Extract the prefix length from a bitstring.
120 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
123 * i2r handler for one address bitstring.
125 static int i2r_address(BIO *out,
127 const unsigned char fill, const ASN1_BIT_STRING *bs)
129 unsigned char addr[ADDR_RAW_BUF_LEN];
136 if (!addr_expand(addr, bs, 4, fill))
138 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
141 if (!addr_expand(addr, bs, 16, fill))
143 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00;
145 for (i = 0; i < n; i += 2)
146 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
147 (i < 14 ? ":" : ""));
154 for (i = 0; i < bs->length; i++)
155 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
156 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
163 * i2r handler for a sequence of addresses and ranges.
165 static int i2r_IPAddressOrRanges(BIO *out,
167 const IPAddressOrRanges *aors,
171 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
172 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
173 BIO_printf(out, "%*s", indent, "");
175 case IPAddressOrRange_addressPrefix:
176 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
178 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
180 case IPAddressOrRange_addressRange:
181 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
184 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
194 * i2r handler for an IPAddrBlocks extension.
196 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
197 void *ext, BIO *out, int indent)
199 const IPAddrBlocks *addr = ext;
201 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
202 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
203 const unsigned int afi = X509v3_addr_get_afi(f);
206 BIO_printf(out, "%*sIPv4", indent, "");
209 BIO_printf(out, "%*sIPv6", indent, "");
212 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
215 if (f->addressFamily->length > 2) {
216 switch (f->addressFamily->data[2]) {
218 BIO_puts(out, " (Unicast)");
221 BIO_puts(out, " (Multicast)");
224 BIO_puts(out, " (Unicast/Multicast)");
227 BIO_puts(out, " (MPLS)");
230 BIO_puts(out, " (Tunnel)");
233 BIO_puts(out, " (VPLS)");
236 BIO_puts(out, " (BGP MDT)");
239 BIO_puts(out, " (MPLS-labeled VPN)");
242 BIO_printf(out, " (Unknown SAFI %u)",
243 (unsigned)f->addressFamily->data[2]);
247 switch (f->ipAddressChoice->type) {
248 case IPAddressChoice_inherit:
249 BIO_puts(out, ": inherit\n");
251 case IPAddressChoice_addressesOrRanges:
252 BIO_puts(out, ":\n");
253 if (!i2r_IPAddressOrRanges(out,
256 u.addressesOrRanges, afi))
265 * Sort comparison function for a sequence of IPAddressOrRange
268 * There's no sane answer we can give if addr_expand() fails, and an
269 * assertion failure on externally supplied data is seriously uncool,
270 * so we just arbitrarily declare that if given invalid inputs this
271 * function returns -1. If this messes up your preferred sort order
272 * for garbage input, tough noogies.
274 static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
275 const IPAddressOrRange *b, const int length)
277 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
278 int prefixlen_a = 0, prefixlen_b = 0;
282 case IPAddressOrRange_addressPrefix:
283 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
285 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
287 case IPAddressOrRange_addressRange:
288 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
290 prefixlen_a = length * 8;
295 case IPAddressOrRange_addressPrefix:
296 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
298 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
300 case IPAddressOrRange_addressRange:
301 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
303 prefixlen_b = length * 8;
307 if ((r = memcmp(addr_a, addr_b, length)) != 0)
310 return prefixlen_a - prefixlen_b;
314 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
315 * comparison routines are only allowed two arguments.
317 static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
318 const IPAddressOrRange *const *b)
320 return IPAddressOrRange_cmp(*a, *b, 4);
324 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
325 * comparison routines are only allowed two arguments.
327 static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
328 const IPAddressOrRange *const *b)
330 return IPAddressOrRange_cmp(*a, *b, 16);
334 * Calculate whether a range collapses to a prefix.
335 * See last paragraph of RFC 3779 2.2.3.7.
337 static int range_should_be_prefix(const unsigned char *min,
338 const unsigned char *max, const int length)
343 if (memcmp(min, max, length) <= 0)
345 for (i = 0; i < length && min[i] == max[i]; i++) ;
346 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
351 mask = min[i] ^ max[i];
377 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
384 * Construct a prefix.
386 static int make_addressPrefix(IPAddressOrRange **result,
387 unsigned char *addr, const int prefixlen)
389 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
390 IPAddressOrRange *aor = IPAddressOrRange_new();
394 aor->type = IPAddressOrRange_addressPrefix;
395 if (aor->u.addressPrefix == NULL &&
396 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
398 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
400 aor->u.addressPrefix->flags &= ~7;
401 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
403 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
404 aor->u.addressPrefix->flags |= 8 - bitlen;
411 IPAddressOrRange_free(aor);
416 * Construct a range. If it can be expressed as a prefix,
417 * return a prefix instead. Doing this here simplifies
418 * the rest of the code considerably.
420 static int make_addressRange(IPAddressOrRange **result,
422 unsigned char *max, const int length)
424 IPAddressOrRange *aor;
427 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
428 return make_addressPrefix(result, min, prefixlen);
430 if ((aor = IPAddressOrRange_new()) == NULL)
432 aor->type = IPAddressOrRange_addressRange;
433 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
435 if (aor->u.addressRange->min == NULL &&
436 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
438 if (aor->u.addressRange->max == NULL &&
439 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
442 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ;
443 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
445 aor->u.addressRange->min->flags &= ~7;
446 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
448 unsigned char b = min[i - 1];
450 while ((b & (0xFFU >> j)) != 0)
452 aor->u.addressRange->min->flags |= 8 - j;
455 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ;
456 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
458 aor->u.addressRange->max->flags &= ~7;
459 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
461 unsigned char b = max[i - 1];
463 while ((b & (0xFFU >> j)) != (0xFFU >> j))
465 aor->u.addressRange->max->flags |= 8 - j;
472 IPAddressOrRange_free(aor);
477 * Construct a new address family or find an existing one.
479 static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
481 const unsigned *safi)
484 unsigned char key[3];
488 key[0] = (afi >> 8) & 0xFF;
491 key[2] = *safi & 0xFF;
497 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
498 f = sk_IPAddressFamily_value(addr, i);
499 if (f->addressFamily->length == keylen &&
500 !memcmp(f->addressFamily->data, key, keylen))
504 if ((f = IPAddressFamily_new()) == NULL)
506 if (f->ipAddressChoice == NULL &&
507 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
509 if (f->addressFamily == NULL &&
510 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
512 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
514 if (!sk_IPAddressFamily_push(addr, f))
520 IPAddressFamily_free(f);
525 * Add an inheritance element.
527 int X509v3_addr_add_inherit(IPAddrBlocks *addr,
528 const unsigned afi, const unsigned *safi)
530 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
532 f->ipAddressChoice == NULL ||
533 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
534 f->ipAddressChoice->u.addressesOrRanges != NULL))
536 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
537 f->ipAddressChoice->u.inherit != NULL)
539 if (f->ipAddressChoice->u.inherit == NULL &&
540 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
542 f->ipAddressChoice->type = IPAddressChoice_inherit;
547 * Construct an IPAddressOrRange sequence, or return an existing one.
549 static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
551 const unsigned *safi)
553 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
554 IPAddressOrRanges *aors = NULL;
557 f->ipAddressChoice == NULL ||
558 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
559 f->ipAddressChoice->u.inherit != NULL))
561 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
562 aors = f->ipAddressChoice->u.addressesOrRanges;
565 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
569 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
572 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
575 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
576 f->ipAddressChoice->u.addressesOrRanges = aors;
583 int X509v3_addr_add_prefix(IPAddrBlocks *addr,
585 const unsigned *safi,
586 unsigned char *a, const int prefixlen)
588 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
589 IPAddressOrRange *aor;
590 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
592 if (sk_IPAddressOrRange_push(aors, aor))
594 IPAddressOrRange_free(aor);
601 int X509v3_addr_add_range(IPAddrBlocks *addr,
603 const unsigned *safi,
604 unsigned char *min, unsigned char *max)
606 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
607 IPAddressOrRange *aor;
608 int length = length_from_afi(afi);
611 if (!make_addressRange(&aor, min, max, length))
613 if (sk_IPAddressOrRange_push(aors, aor))
615 IPAddressOrRange_free(aor);
620 * Extract min and max values from an IPAddressOrRange.
622 static int extract_min_max(IPAddressOrRange *aor,
623 unsigned char *min, unsigned char *max, int length)
625 if (aor == NULL || min == NULL || max == NULL)
628 case IPAddressOrRange_addressPrefix:
629 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
630 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
631 case IPAddressOrRange_addressRange:
632 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
633 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
639 * Public wrapper for extract_min_max().
641 int X509v3_addr_get_range(IPAddressOrRange *aor,
644 unsigned char *max, const int length)
646 int afi_length = length_from_afi(afi);
647 if (aor == NULL || min == NULL || max == NULL ||
648 afi_length == 0 || length < afi_length ||
649 (aor->type != IPAddressOrRange_addressPrefix &&
650 aor->type != IPAddressOrRange_addressRange) ||
651 !extract_min_max(aor, min, max, afi_length))
658 * Sort comparison function for a sequence of IPAddressFamily.
660 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
661 * the ordering: I can read it as meaning that IPv6 without a SAFI
662 * comes before IPv4 with a SAFI, which seems pretty weird. The
663 * examples in appendix B suggest that the author intended the
664 * null-SAFI rule to apply only within a single AFI, which is what I
665 * would have expected and is what the following code implements.
667 static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
668 const IPAddressFamily *const *b_)
670 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
671 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
672 int len = ((a->length <= b->length) ? a->length : b->length);
673 int cmp = memcmp(a->data, b->data, len);
674 return cmp ? cmp : a->length - b->length;
678 * Check whether an IPAddrBLocks is in canonical form.
680 int X509v3_addr_is_canonical(IPAddrBlocks *addr)
682 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
683 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
684 IPAddressOrRanges *aors;
688 * Empty extension is canonical.
694 * Check whether the top-level list is in order.
696 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
697 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
698 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
699 if (IPAddressFamily_cmp(&a, &b) >= 0)
704 * Top level's ok, now check each address family.
706 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
707 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
708 int length = length_from_afi(X509v3_addr_get_afi(f));
711 * Inheritance is canonical. Anything other than inheritance or
712 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
714 if (f == NULL || f->ipAddressChoice == NULL)
716 switch (f->ipAddressChoice->type) {
717 case IPAddressChoice_inherit:
719 case IPAddressChoice_addressesOrRanges:
726 * It's an IPAddressOrRanges sequence, check it.
728 aors = f->ipAddressChoice->u.addressesOrRanges;
729 if (sk_IPAddressOrRange_num(aors) == 0)
731 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
732 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
733 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
735 if (!extract_min_max(a, a_min, a_max, length) ||
736 !extract_min_max(b, b_min, b_max, length))
740 * Punt misordered list, overlapping start, or inverted range.
742 if (memcmp(a_min, b_min, length) >= 0 ||
743 memcmp(a_min, a_max, length) > 0 ||
744 memcmp(b_min, b_max, length) > 0)
748 * Punt if adjacent or overlapping. Check for adjacency by
749 * subtracting one from b_min first.
751 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ;
752 if (memcmp(a_max, b_min, length) >= 0)
756 * Check for range that should be expressed as a prefix.
758 if (a->type == IPAddressOrRange_addressRange &&
759 range_should_be_prefix(a_min, a_max, length) >= 0)
764 * Check range to see if it's inverted or should be a
767 j = sk_IPAddressOrRange_num(aors) - 1;
769 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
770 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
771 if (!extract_min_max(a, a_min, a_max, length))
773 if (memcmp(a_min, a_max, length) > 0 ||
774 range_should_be_prefix(a_min, a_max, length) >= 0)
781 * If we made it through all that, we're happy.
787 * Whack an IPAddressOrRanges into canonical form.
789 static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
792 int i, j, length = length_from_afi(afi);
795 * Sort the IPAddressOrRanges sequence.
797 sk_IPAddressOrRange_sort(aors);
800 * Clean up representation issues, punt on duplicates or overlaps.
802 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
803 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
804 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
805 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
806 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
808 if (!extract_min_max(a, a_min, a_max, length) ||
809 !extract_min_max(b, b_min, b_max, length))
813 * Punt inverted ranges.
815 if (memcmp(a_min, a_max, length) > 0 ||
816 memcmp(b_min, b_max, length) > 0)
822 if (memcmp(a_max, b_min, length) >= 0)
826 * Merge if a and b are adjacent. We check for
827 * adjacency by subtracting one from b_min first.
829 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ;
830 if (memcmp(a_max, b_min, length) == 0) {
831 IPAddressOrRange *merged;
832 if (!make_addressRange(&merged, a_min, b_max, length))
834 (void)sk_IPAddressOrRange_set(aors, i, merged);
835 (void)sk_IPAddressOrRange_delete(aors, i + 1);
836 IPAddressOrRange_free(a);
837 IPAddressOrRange_free(b);
844 * Check for inverted final range.
846 j = sk_IPAddressOrRange_num(aors) - 1;
848 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
849 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
850 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
851 if (!extract_min_max(a, a_min, a_max, length))
853 if (memcmp(a_min, a_max, length) > 0)
862 * Whack an IPAddrBlocks extension into canonical form.
864 int X509v3_addr_canonize(IPAddrBlocks *addr)
867 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
868 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
869 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
870 !IPAddressOrRanges_canonize(f->ipAddressChoice->
872 X509v3_addr_get_afi(f)))
875 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
876 sk_IPAddressFamily_sort(addr);
877 if (!ossl_assert(X509v3_addr_is_canonical(addr)))
883 * v2i handler for the IPAddrBlocks extension.
885 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
886 struct v3_ext_ctx *ctx,
887 STACK_OF(CONF_VALUE) *values)
889 static const char v4addr_chars[] = "0123456789.";
890 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
891 IPAddrBlocks *addr = NULL;
895 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
896 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
900 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
901 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
902 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
903 unsigned afi, *safi = NULL, safi_;
904 const char *addr_chars = NULL;
905 int prefixlen, i1, i2, delim, length;
907 if (!name_cmp(val->name, "IPv4")) {
909 } else if (!name_cmp(val->name, "IPv6")) {
911 } else if (!name_cmp(val->name, "IPv4-SAFI")) {
914 } else if (!name_cmp(val->name, "IPv6-SAFI")) {
918 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
919 X509V3_R_EXTENSION_NAME_ERROR);
920 X509V3_conf_err(val);
926 addr_chars = v4addr_chars;
929 addr_chars = v6addr_chars;
933 length = length_from_afi(afi);
936 * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
937 * the other input values.
940 *safi = strtoul(val->value, &t, 0);
941 t += strspn(t, " \t");
942 if (*safi > 0xFF || *t++ != ':') {
943 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
944 X509V3_conf_err(val);
947 t += strspn(t, " \t");
948 s = OPENSSL_strdup(t);
950 s = OPENSSL_strdup(val->value);
953 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
958 * Check for inheritance. Not worth additional complexity to
959 * optimize this (seldom-used) case.
961 if (strcmp(s, "inherit") == 0) {
962 if (!X509v3_addr_add_inherit(addr, afi, safi)) {
963 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
964 X509V3_R_INVALID_INHERITANCE);
965 X509V3_conf_err(val);
973 i1 = strspn(s, addr_chars);
974 i2 = i1 + strspn(s + i1, " \t");
978 if (a2i_ipadd(min, s) != length) {
979 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
980 X509V3_conf_err(val);
986 prefixlen = (int)strtoul(s + i2, &t, 10);
987 if (t == s + i2 || *t != '\0') {
988 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
989 X509V3_R_EXTENSION_VALUE_ERROR);
990 X509V3_conf_err(val);
993 if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
994 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
999 i1 = i2 + strspn(s + i2, " \t");
1000 i2 = i1 + strspn(s + i1, addr_chars);
1001 if (i1 == i2 || s[i2] != '\0') {
1002 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1003 X509V3_R_EXTENSION_VALUE_ERROR);
1004 X509V3_conf_err(val);
1007 if (a2i_ipadd(max, s + i1) != length) {
1008 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1009 X509V3_R_INVALID_IPADDRESS);
1010 X509V3_conf_err(val);
1013 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1014 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1015 X509V3_R_EXTENSION_VALUE_ERROR);
1016 X509V3_conf_err(val);
1019 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
1020 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1025 if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1026 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1031 X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
1032 X509V3_R_EXTENSION_VALUE_ERROR);
1033 X509V3_conf_err(val);
1042 * Canonize the result, then we're done.
1044 if (!X509v3_addr_canonize(addr))
1050 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1057 const X509V3_EXT_METHOD v3_addr = {
1058 NID_sbgp_ipAddrBlock, /* nid */
1060 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1061 0, 0, 0, 0, /* old functions, ignored */
1065 v2i_IPAddrBlocks, /* v2i */
1066 i2r_IPAddrBlocks, /* i2r */
1068 NULL /* extension-specific data */
1072 * Figure out whether extension sues inheritance.
1074 int X509v3_addr_inherits(IPAddrBlocks *addr)
1079 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1080 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1081 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1088 * Figure out whether parent contains child.
1090 static int addr_contains(IPAddressOrRanges *parent,
1091 IPAddressOrRanges *child, int length)
1093 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1094 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1097 if (child == NULL || parent == child)
1103 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1104 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1105 c_min, c_max, length))
1108 if (p >= sk_IPAddressOrRange_num(parent))
1110 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1111 p_min, p_max, length))
1113 if (memcmp(p_max, c_max, length) < 0)
1115 if (memcmp(p_min, c_min, length) > 0)
1125 * Test whether a is a subset of b.
1127 int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1130 if (a == NULL || a == b)
1132 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
1134 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1135 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1136 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1137 int j = sk_IPAddressFamily_find(b, fa);
1138 IPAddressFamily *fb;
1139 fb = sk_IPAddressFamily_value(b, j);
1142 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1143 fa->ipAddressChoice->u.addressesOrRanges,
1144 length_from_afi(X509v3_addr_get_afi(fb))))
1151 * Validation error handling via callback.
1153 #define validation_err(_err_) \
1155 if (ctx != NULL) { \
1156 ctx->error = _err_; \
1157 ctx->error_depth = i; \
1158 ctx->current_cert = x; \
1159 ret = ctx->verify_cb(0, ctx); \
1168 * Core code for RFC 3779 2.3 path validation.
1170 * Returns 1 for success, 0 on error.
1172 * When returning 0, ctx->error MUST be set to an appropriate value other than
1175 static int addr_validate_path_internal(X509_STORE_CTX *ctx,
1176 STACK_OF(X509) *chain,
1179 IPAddrBlocks *child = NULL;
1183 if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
1184 || !ossl_assert(ctx != NULL || ext != NULL)
1185 || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
1187 ctx->error = X509_V_ERR_UNSPECIFIED;
1192 * Figure out where to start. If we don't have an extension to
1193 * check, we're done. Otherwise, check canonical form and
1194 * set up for walking up the chain.
1201 x = sk_X509_value(chain, i);
1202 if ((ext = x->rfc3779_addr) == NULL)
1205 if (!X509v3_addr_is_canonical(ext))
1206 validation_err(X509_V_ERR_INVALID_EXTENSION);
1207 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1208 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1209 X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL,
1210 ERR_R_MALLOC_FAILURE);
1212 ctx->error = X509_V_ERR_OUT_OF_MEM;
1218 * Now walk up the chain. No cert may list resources that its
1219 * parent doesn't list.
1221 for (i++; i < sk_X509_num(chain); i++) {
1222 x = sk_X509_value(chain, i);
1223 if (!X509v3_addr_is_canonical(x->rfc3779_addr))
1224 validation_err(X509_V_ERR_INVALID_EXTENSION);
1225 if (x->rfc3779_addr == NULL) {
1226 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1227 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1228 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1229 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1235 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1236 IPAddressFamily_cmp);
1237 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1238 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1239 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1240 IPAddressFamily *fp =
1241 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1243 if (fc->ipAddressChoice->type ==
1244 IPAddressChoice_addressesOrRanges) {
1245 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1250 if (fp->ipAddressChoice->type ==
1251 IPAddressChoice_addressesOrRanges) {
1252 if (fc->ipAddressChoice->type == IPAddressChoice_inherit
1253 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1254 fc->ipAddressChoice->u.addressesOrRanges,
1255 length_from_afi(X509v3_addr_get_afi(fc))))
1256 sk_IPAddressFamily_set(child, j, fp);
1258 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1264 * Trust anchor can't inherit.
1266 if (x->rfc3779_addr != NULL) {
1267 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1268 IPAddressFamily *fp =
1269 sk_IPAddressFamily_value(x->rfc3779_addr, j);
1270 if (fp->ipAddressChoice->type == IPAddressChoice_inherit
1271 && sk_IPAddressFamily_find(child, fp) >= 0)
1272 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1277 sk_IPAddressFamily_free(child);
1281 #undef validation_err
1284 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1286 int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1288 if (ctx->chain == NULL
1289 || sk_X509_num(ctx->chain) == 0
1290 || ctx->verify_cb == NULL) {
1291 ctx->error = X509_V_ERR_UNSPECIFIED;
1294 return addr_validate_path_internal(ctx, ctx->chain, NULL);
1298 * RFC 3779 2.3 path validation of an extension.
1299 * Test whether chain covers extension.
1301 int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1302 IPAddrBlocks *ext, int allow_inheritance)
1306 if (chain == NULL || sk_X509_num(chain) == 0)
1308 if (!allow_inheritance && X509v3_addr_inherits(ext))
1310 return addr_validate_path_internal(NULL, chain, ext);
1313 #endif /* OPENSSL_NO_RFC3779 */