X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=crypto%2Fx509v3%2Fv3_addr.c;h=ef1d775ac938acf96b8d3343ee1321d9f80a8bf7;hb=2d13250fd695eba777fe7e2af4beb1b7d356bd8f;hp=cdc1346ee1aab910544c88628bb7c1af9cb446d1;hpb=4c9b0a0314c8bab3c9faeac06d0aa734836b2f81;p=oweals%2Fopenssl.git diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c index cdc1346ee1..ef1d775ac9 100644 --- a/crypto/x509v3/v3_addr.c +++ b/crypto/x509v3/v3_addr.c @@ -1,58 +1,10 @@ /* - * Contributed to the OpenSSL Project by the American Registry for - * Internet Numbers ("ARIN"). - */ -/* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. + * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ /* @@ -62,13 +14,16 @@ #include #include -#include "cryptlib.h" +#include "internal/cryptlib.h" #include #include #include #include #include +#include "internal/x509_int.h" +#include "ext_dat.h" +#ifndef OPENSSL_NO_RFC3779 /* * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. @@ -97,7 +52,7 @@ ASN1_SEQUENCE(IPAddressFamily) = { ASN1_ITEM_TEMPLATE(IPAddrBlocks) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, IPAddrBlocks, IPAddressFamily) -ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) +static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) @@ -127,7 +82,7 @@ static int length_from_afi(const unsigned afi) /* * Extract the AFI from an IPAddressFamily. */ -unsigned int v3_addr_get_afi(const IPAddressFamily *f) +unsigned int X509v3_addr_get_afi(const IPAddressFamily *f) { return ((f != NULL && f->addressFamily != NULL && f->addressFamily->data != NULL) @@ -245,7 +200,7 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, int i; for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - const unsigned int afi = v3_addr_get_afi(f); + const unsigned int afi = X509v3_addr_get_afi(f); switch (afi) { case IANA_AFI_IPV4: BIO_printf(out, "%*sIPv4", indent, ""); @@ -357,7 +312,7 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a, /* * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() - * comparision routines are only allowed two arguments. + * comparison routines are only allowed two arguments. */ static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, const IPAddressOrRange *const *b) @@ -367,7 +322,7 @@ static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, /* * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() - * comparision routines are only allowed two arguments. + * comparison routines are only allowed two arguments. */ static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, const IPAddressOrRange *const *b) @@ -570,8 +525,8 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, /* * Add an inheritance element. */ -int v3_addr_add_inherit(IPAddrBlocks *addr, - const unsigned afi, const unsigned *safi) +int X509v3_addr_add_inherit(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi) { IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); if (f == NULL || @@ -626,10 +581,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, /* * Add a prefix. */ -int v3_addr_add_prefix(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi, - unsigned char *a, const int prefixlen) +int X509v3_addr_add_prefix(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi, + unsigned char *a, const int prefixlen) { IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); IPAddressOrRange *aor; @@ -644,10 +599,10 @@ int v3_addr_add_prefix(IPAddrBlocks *addr, /* * Add a range. */ -int v3_addr_add_range(IPAddrBlocks *addr, - const unsigned afi, - const unsigned *safi, - unsigned char *min, unsigned char *max) +int X509v3_addr_add_range(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi, + unsigned char *min, unsigned char *max) { IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); IPAddressOrRange *aor; @@ -684,10 +639,10 @@ static int extract_min_max(IPAddressOrRange *aor, /* * Public wrapper for extract_min_max(). */ -int v3_addr_get_range(IPAddressOrRange *aor, - const unsigned afi, - unsigned char *min, - unsigned char *max, const int length) +int X509v3_addr_get_range(IPAddressOrRange *aor, + const unsigned afi, + unsigned char *min, + unsigned char *max, const int length) { int afi_length = length_from_afi(afi); if (aor == NULL || min == NULL || max == NULL || @@ -701,7 +656,7 @@ int v3_addr_get_range(IPAddressOrRange *aor, } /* - * Sort comparision function for a sequence of IPAddressFamily. + * Sort comparison function for a sequence of IPAddressFamily. * * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about * the ordering: I can read it as meaning that IPv6 without a SAFI @@ -723,7 +678,7 @@ static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, /* * Check whether an IPAddrBLocks is in canonical form. */ -int v3_addr_is_canonical(IPAddrBlocks *addr) +int X509v3_addr_is_canonical(IPAddrBlocks *addr) { unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; @@ -731,7 +686,7 @@ int v3_addr_is_canonical(IPAddrBlocks *addr) int i, j, k; /* - * Empty extension is cannonical. + * Empty extension is canonical. */ if (addr == NULL) return 1; @@ -751,7 +706,7 @@ int v3_addr_is_canonical(IPAddrBlocks *addr) */ for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - int length = length_from_afi(v3_addr_get_afi(f)); + int length = length_from_afi(X509v3_addr_get_afi(f)); /* * Inheritance is canonical. Anything other than inheritance or @@ -894,7 +849,8 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); if (a != NULL && a->type == IPAddressOrRange_addressRange) { unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; - extract_min_max(a, a_min, a_max, length); + if (!extract_min_max(a, a_min, a_max, length)) + return 0; if (memcmp(a_min, a_max, length) > 0) return 0; } @@ -906,7 +862,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, /* * Whack an IPAddrBlocks extension into canonical form. */ -int v3_addr_canonize(IPAddrBlocks *addr) +int X509v3_addr_canonize(IPAddrBlocks *addr) { int i; for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { @@ -914,12 +870,12 @@ int v3_addr_canonize(IPAddrBlocks *addr) if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && !IPAddressOrRanges_canonize(f->ipAddressChoice-> u.addressesOrRanges, - v3_addr_get_afi(f))) + X509v3_addr_get_afi(f))) return 0; } (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); sk_IPAddressFamily_sort(addr); - OPENSSL_assert(v3_addr_is_canonical(addr)); + OPENSSL_assert(X509v3_addr_is_canonical(addr)); return 1; } @@ -977,7 +933,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, length = length_from_afi(afi); /* - * Handle SAFI, if any, and BUF_strdup() so we can null-terminate + * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate * the other input values. */ if (safi != NULL) { @@ -989,9 +945,9 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, goto err; } t += strspn(t, " \t"); - s = BUF_strdup(t); + s = OPENSSL_strdup(t); } else { - s = BUF_strdup(val->value); + s = OPENSSL_strdup(val->value); } if (s == NULL) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); @@ -1002,8 +958,8 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, * Check for inheritance. Not worth additional complexity to * optimize this (seldom-used) case. */ - if (!strcmp(s, "inherit")) { - if (!v3_addr_add_inherit(addr, afi, safi)) { + if (strcmp(s, "inherit") == 0) { + if (!X509v3_addr_add_inherit(addr, afi, safi)) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE); X509V3_conf_err(val); @@ -1034,7 +990,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, X509V3_conf_err(val); goto err; } - if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { + if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); goto err; } @@ -1060,13 +1016,13 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, X509V3_conf_err(val); goto err; } - if (!v3_addr_add_range(addr, afi, safi, min, max)) { + if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); goto err; } break; case '\0': - if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { + if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); goto err; } @@ -1085,7 +1041,7 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, /* * Canonize the result, then we're done. */ - if (!v3_addr_canonize(addr)) + if (!X509v3_addr_canonize(addr)) goto err; return addr; @@ -1115,7 +1071,7 @@ const X509V3_EXT_METHOD v3_addr = { /* * Figure out whether extension sues inheritance. */ -int v3_addr_inherits(IPAddrBlocks *addr) +int X509v3_addr_inherits(IPAddrBlocks *addr) { int i; if (addr == NULL) @@ -1168,12 +1124,12 @@ static int addr_contains(IPAddressOrRanges *parent, /* * Test whether a is a subset of b. */ -int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) +int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) { int i; if (a == NULL || a == b) return 1; - if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) + if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b)) return 0; (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); for (i = 0; i < sk_IPAddressFamily_num(a); i++) { @@ -1185,7 +1141,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) return 0; if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, fa->ipAddressChoice->u.addressesOrRanges, - length_from_afi(v3_addr_get_afi(fb)))) + length_from_afi(X509v3_addr_get_afi(fb)))) return 0; } return 1; @@ -1210,10 +1166,15 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) /* * Core code for RFC 3779 2.3 path validation. + * + * Returns 1 for success, 0 on error. + * + * When returning 0, ctx->error MUST be set to an appropriate value other than + * X509_V_OK. */ -static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, - STACK_OF(X509) *chain, - IPAddrBlocks *ext) +static int addr_validate_path_internal(X509_STORE_CTX *ctx, + STACK_OF(X509) *chain, + IPAddrBlocks *ext) { IPAddrBlocks *child = NULL; int i, j, ret = 1; @@ -1238,12 +1199,13 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, if ((ext = x->rfc3779_addr) == NULL) goto done; } - if (!v3_addr_is_canonical(ext)) + if (!X509v3_addr_is_canonical(ext)) validation_err(X509_V_ERR_INVALID_EXTENSION); (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { - X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, + X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); + ctx->error = X509_V_ERR_OUT_OF_MEM; ret = 0; goto done; } @@ -1255,7 +1217,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, for (i++; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); OPENSSL_assert(x != NULL); - if (!v3_addr_is_canonical(x->rfc3779_addr)) + if (!X509v3_addr_is_canonical(x->rfc3779_addr)) validation_err(X509_V_ERR_INVALID_EXTENSION); if (x->rfc3779_addr == NULL) { for (j = 0; j < sk_IPAddressFamily_num(child); j++) { @@ -1287,7 +1249,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, if (fc->ipAddressChoice->type == IPAddressChoice_inherit || addr_contains(fp->ipAddressChoice->u.addressesOrRanges, fc->ipAddressChoice->u.addressesOrRanges, - length_from_afi(v3_addr_get_afi(fc)))) + length_from_afi(X509v3_addr_get_afi(fc)))) sk_IPAddressFamily_set(child, j, fp); else validation_err(X509_V_ERR_UNNESTED_RESOURCE); @@ -1319,23 +1281,25 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, /* * RFC 3779 2.3 path validation -- called from X509_verify_cert(). */ -int v3_addr_validate_path(X509_STORE_CTX *ctx) +int X509v3_addr_validate_path(X509_STORE_CTX *ctx) { - return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); + return addr_validate_path_internal(ctx, ctx->chain, NULL); } /* * RFC 3779 2.3 path validation of an extension. * Test whether chain covers extension. */ -int v3_addr_validate_resource_set(STACK_OF(X509) *chain, +int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext, int allow_inheritance) { if (ext == NULL) return 1; if (chain == NULL || sk_X509_num(chain) == 0) return 0; - if (!allow_inheritance && v3_addr_inherits(ext)) + if (!allow_inheritance && X509v3_addr_inherits(ext)) return 0; - return v3_addr_validate_path_internal(NULL, chain, ext); + return addr_validate_path_internal(NULL, chain, ext); } + +#endif /* OPENSSL_NO_RFC3779 */