1 /*
2 * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * Implementation of RFC 3779 section 2.2.
12 */
13
14 #include <stdio.h>
15 #include <stdlib.h>
16 #include <assert.h>
17 #include <string.h>
18
19 #include <openssl/conf.h>
20 #include <openssl/asn1.h>
21 #include <openssl/asn1t.h>
22 #include <openssl/buffer.h>
23 #include <openssl/x509v3.h>
24 #include "internal/cryptlib.h"
25 #include "crypto/asn1.h"
26 #include "crypto/x509.h"
27 #include "ext_dat.h"
28 #include "x509_local.h"
29
30 #ifndef OPENSSL_NO_RFC3779
31
32 /*
33 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
34 */
35
36 ASN1_SEQUENCE(IPAddressRange) = {
37 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
38 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
39 } ASN1_SEQUENCE_END(IPAddressRange)
40
41 ASN1_CHOICE(IPAddressOrRange) = {
42 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
43 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
44 } ASN1_CHOICE_END(IPAddressOrRange)
45
46 ASN1_CHOICE(IPAddressChoice) = {
47 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
48 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
49 } ASN1_CHOICE_END(IPAddressChoice)
50
51 ASN1_SEQUENCE(IPAddressFamily) = {
52 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
53 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
54 } ASN1_SEQUENCE_END(IPAddressFamily)
55
56 ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
57 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
58 IPAddrBlocks, IPAddressFamily)
59 static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
60
61 IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
62 IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
63 IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
64 IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
65
66 /*
67 * How much buffer space do we need for a raw address?
68 */
69 # define ADDR_RAW_BUF_LEN 16
70
71 /*
72 * What's the address length associated with this AFI?
73 */
74 static int length_from_afi(const unsigned afi)
75 {
76 switch (afi) {
77 case IANA_AFI_IPV4:
78 return 4;
79 case IANA_AFI_IPV6:
80 return 16;
81 default:
82 return 0;
83 }
84 }
85
86 /*
87 * Extract the AFI from an IPAddressFamily.
88 */
X509v3_addr_get_afi(const IPAddressFamily * f)89 unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
90 {
91 if (f == NULL
92 || f->addressFamily == NULL
93 || f->addressFamily->data == NULL
94 || f->addressFamily->length < 2)
95 return 0;
96 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
97 }
98
99 /*
100 * Expand the bitstring form of an address into a raw byte array.
101 * At the moment this is coded for simplicity, not speed.
102 */
addr_expand(unsigned char * addr,const ASN1_BIT_STRING * bs,const int length,const unsigned char fill)103 static int addr_expand(unsigned char *addr,
104 const ASN1_BIT_STRING *bs,
105 const int length, const unsigned char fill)
106 {
107 if (bs->length < 0 || bs->length > length)
108 return 0;
109 if (bs->length > 0) {
110 memcpy(addr, bs->data, bs->length);
111 if ((bs->flags & 7) != 0) {
112 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
113
114 if (fill == 0)
115 addr[bs->length - 1] &= ~mask;
116 else
117 addr[bs->length - 1] |= mask;
118 }
119 }
120 memset(addr + bs->length, fill, length - bs->length);
121 return 1;
122 }
123
124 /*
125 * Extract the prefix length from a bitstring.
126 */
127 # define addr_prefixlen(bs) ((int)((bs)->length * 8 - ((bs)->flags & 7)))
128
129 /*
130 * i2r handler for one address bitstring.
131 */
i2r_address(BIO * out,const unsigned afi,const unsigned char fill,const ASN1_BIT_STRING * bs)132 static int i2r_address(BIO *out,
133 const unsigned afi,
134 const unsigned char fill, const ASN1_BIT_STRING *bs)
135 {
136 unsigned char addr[ADDR_RAW_BUF_LEN];
137 int i, n;
138
139 if (bs->length < 0)
140 return 0;
141 switch (afi) {
142 case IANA_AFI_IPV4:
143 if (!addr_expand(addr, bs, 4, fill))
144 return 0;
145 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
146 break;
147 case IANA_AFI_IPV6:
148 if (!addr_expand(addr, bs, 16, fill))
149 return 0;
150 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00;
151 n -= 2) ;
152 for (i = 0; i < n; i += 2)
153 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
154 (i < 14 ? ":" : ""));
155 if (i < 16)
156 BIO_puts(out, ":");
157 if (i == 0)
158 BIO_puts(out, ":");
159 break;
160 default:
161 for (i = 0; i < bs->length; i++)
162 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
163 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
164 break;
165 }
166 return 1;
167 }
168
169 /*
170 * i2r handler for a sequence of addresses and ranges.
171 */
i2r_IPAddressOrRanges(BIO * out,const int indent,const IPAddressOrRanges * aors,const unsigned afi)172 static int i2r_IPAddressOrRanges(BIO *out,
173 const int indent,
174 const IPAddressOrRanges *aors,
175 const unsigned afi)
176 {
177 int i;
178
179 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
180 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
181
182 BIO_printf(out, "%*s", indent, "");
183 switch (aor->type) {
184 case IPAddressOrRange_addressPrefix:
185 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
186 return 0;
187 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
188 continue;
189 case IPAddressOrRange_addressRange:
190 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
191 return 0;
192 BIO_puts(out, "-");
193 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
194 return 0;
195 BIO_puts(out, "\n");
196 continue;
197 }
198 }
199 return 1;
200 }
201
202 /*
203 * i2r handler for an IPAddrBlocks extension.
204 */
i2r_IPAddrBlocks(const X509V3_EXT_METHOD * method,void * ext,BIO * out,int indent)205 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
206 void *ext, BIO *out, int indent)
207 {
208 const IPAddrBlocks *addr = ext;
209 int i;
210
211 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
212 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
213 const unsigned int afi = X509v3_addr_get_afi(f);
214
215 switch (afi) {
216 case IANA_AFI_IPV4:
217 BIO_printf(out, "%*sIPv4", indent, "");
218 break;
219 case IANA_AFI_IPV6:
220 BIO_printf(out, "%*sIPv6", indent, "");
221 break;
222 default:
223 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
224 break;
225 }
226 if (f->addressFamily->length > 2) {
227 switch (f->addressFamily->data[2]) {
228 case 1:
229 BIO_puts(out, " (Unicast)");
230 break;
231 case 2:
232 BIO_puts(out, " (Multicast)");
233 break;
234 case 3:
235 BIO_puts(out, " (Unicast/Multicast)");
236 break;
237 case 4:
238 BIO_puts(out, " (MPLS)");
239 break;
240 case 64:
241 BIO_puts(out, " (Tunnel)");
242 break;
243 case 65:
244 BIO_puts(out, " (VPLS)");
245 break;
246 case 66:
247 BIO_puts(out, " (BGP MDT)");
248 break;
249 case 128:
250 BIO_puts(out, " (MPLS-labeled VPN)");
251 break;
252 default:
253 BIO_printf(out, " (Unknown SAFI %u)",
254 (unsigned)f->addressFamily->data[2]);
255 break;
256 }
257 }
258 switch (f->ipAddressChoice->type) {
259 case IPAddressChoice_inherit:
260 BIO_puts(out, ": inherit\n");
261 break;
262 case IPAddressChoice_addressesOrRanges:
263 BIO_puts(out, ":\n");
264 if (!i2r_IPAddressOrRanges(out,
265 indent + 2,
266 f->ipAddressChoice->
267 u.addressesOrRanges, afi))
268 return 0;
269 break;
270 }
271 }
272 return 1;
273 }
274
275 /*
276 * Sort comparison function for a sequence of IPAddressOrRange
277 * elements.
278 *
279 * There's no sane answer we can give if addr_expand() fails, and an
280 * assertion failure on externally supplied data is seriously uncool,
281 * so we just arbitrarily declare that if given invalid inputs this
282 * function returns -1. If this messes up your preferred sort order
283 * for garbage input, tough noogies.
284 */
IPAddressOrRange_cmp(const IPAddressOrRange * a,const IPAddressOrRange * b,const int length)285 static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
286 const IPAddressOrRange *b, const int length)
287 {
288 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
289 int prefixlen_a = 0, prefixlen_b = 0;
290 int r;
291
292 switch (a->type) {
293 case IPAddressOrRange_addressPrefix:
294 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
295 return -1;
296 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
297 break;
298 case IPAddressOrRange_addressRange:
299 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
300 return -1;
301 prefixlen_a = length * 8;
302 break;
303 default:
304 return -1;
305 }
306
307 switch (b->type) {
308 case IPAddressOrRange_addressPrefix:
309 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
310 return -1;
311 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
312 break;
313 case IPAddressOrRange_addressRange:
314 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
315 return -1;
316 prefixlen_b = length * 8;
317 break;
318 default:
319 return -1;
320 }
321
322 if ((r = memcmp(addr_a, addr_b, length)) != 0)
323 return r;
324 else
325 return prefixlen_a - prefixlen_b;
326 }
327
328 /*
329 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
330 * comparison routines are only allowed two arguments.
331 */
v4IPAddressOrRange_cmp(const IPAddressOrRange * const * a,const IPAddressOrRange * const * b)332 static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
333 const IPAddressOrRange *const *b)
334 {
335 return IPAddressOrRange_cmp(*a, *b, 4);
336 }
337
338 /*
339 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
340 * comparison routines are only allowed two arguments.
341 */
v6IPAddressOrRange_cmp(const IPAddressOrRange * const * a,const IPAddressOrRange * const * b)342 static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
343 const IPAddressOrRange *const *b)
344 {
345 return IPAddressOrRange_cmp(*a, *b, 16);
346 }
347
348 /*
349 * Calculate whether a range collapses to a prefix.
350 * See last paragraph of RFC 3779 2.2.3.7.
351 */
range_should_be_prefix(const unsigned char * min,const unsigned char * max,const int length)352 static int range_should_be_prefix(const unsigned char *min,
353 const unsigned char *max, const int length)
354 {
355 unsigned char mask;
356 int i, j;
357
358 /*
359 * It is the responsibility of the caller to confirm min <= max. We don't
360 * use ossl_assert() here since we have no way of signalling an error from
361 * this function - so we just use a plain assert instead.
362 */
363 assert(memcmp(min, max, length) <= 0);
364
365 for (i = 0; i < length && min[i] == max[i]; i++) ;
366 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
367 if (i < j)
368 return -1;
369 if (i > j)
370 return i * 8;
371 mask = min[i] ^ max[i];
372 switch (mask) {
373 case 0x01:
374 j = 7;
375 break;
376 case 0x03:
377 j = 6;
378 break;
379 case 0x07:
380 j = 5;
381 break;
382 case 0x0F:
383 j = 4;
384 break;
385 case 0x1F:
386 j = 3;
387 break;
388 case 0x3F:
389 j = 2;
390 break;
391 case 0x7F:
392 j = 1;
393 break;
394 default:
395 return -1;
396 }
397 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
398 return -1;
399 else
400 return i * 8 + j;
401 }
402
403 /*
404 * Construct a prefix.
405 */
make_addressPrefix(IPAddressOrRange ** result,unsigned char * addr,const int prefixlen,const int afilen)406 static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
407 const int prefixlen, const int afilen)
408 {
409 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
410 IPAddressOrRange *aor;
411
412 if (prefixlen < 0 || prefixlen > (afilen * 8))
413 return 0;
414 if ((aor = IPAddressOrRange_new()) == NULL)
415 return 0;
416 aor->type = IPAddressOrRange_addressPrefix;
417 if (aor->u.addressPrefix == NULL &&
418 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
419 goto err;
420 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
421 goto err;
422 if (bitlen > 0)
423 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
424 ossl_asn1_string_set_bits_left(aor->u.addressPrefix, 8 - bitlen);
425
426 *result = aor;
427 return 1;
428
429 err:
430 IPAddressOrRange_free(aor);
431 return 0;
432 }
433
434 /*
435 * Construct a range. If it can be expressed as a prefix,
436 * return a prefix instead. Doing this here simplifies
437 * the rest of the code considerably.
438 */
make_addressRange(IPAddressOrRange ** result,unsigned char * min,unsigned char * max,const int length)439 static int make_addressRange(IPAddressOrRange **result,
440 unsigned char *min,
441 unsigned char *max, const int length)
442 {
443 IPAddressOrRange *aor;
444 int i, prefixlen;
445
446 if (memcmp(min, max, length) > 0)
447 return 0;
448
449 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
450 return make_addressPrefix(result, min, prefixlen, length);
451
452 if ((aor = IPAddressOrRange_new()) == NULL)
453 return 0;
454 aor->type = IPAddressOrRange_addressRange;
455 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
456 goto err;
457 if (aor->u.addressRange->min == NULL &&
458 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
459 goto err;
460 if (aor->u.addressRange->max == NULL &&
461 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
462 goto err;
463
464 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ;
465 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
466 goto err;
467 ossl_asn1_string_set_bits_left(aor->u.addressRange->min, 0);
468 if (i > 0) {
469 unsigned char b = min[i - 1];
470 int j = 1;
471
472 while ((b & (0xFFU >> j)) != 0)
473 ++j;
474 aor->u.addressRange->min->flags |= 8 - j;
475 }
476
477 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ;
478 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
479 goto err;
480 ossl_asn1_string_set_bits_left(aor->u.addressRange->max, 0);
481 if (i > 0) {
482 unsigned char b = max[i - 1];
483 int j = 1;
484
485 while ((b & (0xFFU >> j)) != (0xFFU >> j))
486 ++j;
487 aor->u.addressRange->max->flags |= 8 - j;
488 }
489
490 *result = aor;
491 return 1;
492
493 err:
494 IPAddressOrRange_free(aor);
495 return 0;
496 }
497
498 /*
499 * Construct a new address family or find an existing one.
500 */
make_IPAddressFamily(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)501 static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
502 const unsigned afi,
503 const unsigned *safi)
504 {
505 IPAddressFamily *f;
506 unsigned char key[3];
507 int keylen;
508 int i;
509
510 key[0] = (afi >> 8) & 0xFF;
511 key[1] = afi & 0xFF;
512 if (safi != NULL) {
513 key[2] = *safi & 0xFF;
514 keylen = 3;
515 } else {
516 keylen = 2;
517 }
518
519 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
520 f = sk_IPAddressFamily_value(addr, i);
521 if (f->addressFamily->length == keylen &&
522 !memcmp(f->addressFamily->data, key, keylen))
523 return f;
524 }
525
526 if ((f = IPAddressFamily_new()) == NULL)
527 goto err;
528 if (f->ipAddressChoice == NULL &&
529 (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
530 goto err;
531 if (f->addressFamily == NULL &&
532 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
533 goto err;
534 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
535 goto err;
536 if (!sk_IPAddressFamily_push(addr, f))
537 goto err;
538
539 return f;
540
541 err:
542 IPAddressFamily_free(f);
543 return NULL;
544 }
545
546 /*
547 * Add an inheritance element.
548 */
X509v3_addr_add_inherit(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)549 int X509v3_addr_add_inherit(IPAddrBlocks *addr,
550 const unsigned afi, const unsigned *safi)
551 {
552 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
553
554 if (f == NULL ||
555 f->ipAddressChoice == NULL ||
556 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
557 f->ipAddressChoice->u.addressesOrRanges != NULL))
558 return 0;
559 if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
560 f->ipAddressChoice->u.inherit != NULL)
561 return 1;
562 if (f->ipAddressChoice->u.inherit == NULL &&
563 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
564 return 0;
565 f->ipAddressChoice->type = IPAddressChoice_inherit;
566 return 1;
567 }
568
569 /*
570 * Construct an IPAddressOrRange sequence, or return an existing one.
571 */
make_prefix_or_range(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)572 static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
573 const unsigned afi,
574 const unsigned *safi)
575 {
576 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
577 IPAddressOrRanges *aors = NULL;
578
579 if (f == NULL ||
580 f->ipAddressChoice == NULL ||
581 (f->ipAddressChoice->type == IPAddressChoice_inherit &&
582 f->ipAddressChoice->u.inherit != NULL))
583 return NULL;
584 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
585 aors = f->ipAddressChoice->u.addressesOrRanges;
586 if (aors != NULL)
587 return aors;
588 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
589 return NULL;
590 switch (afi) {
591 case IANA_AFI_IPV4:
592 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
593 break;
594 case IANA_AFI_IPV6:
595 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
596 break;
597 }
598 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
599 f->ipAddressChoice->u.addressesOrRanges = aors;
600 return aors;
601 }
602
603 /*
604 * Add a prefix.
605 */
X509v3_addr_add_prefix(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi,unsigned char * a,const int prefixlen)606 int X509v3_addr_add_prefix(IPAddrBlocks *addr,
607 const unsigned afi,
608 const unsigned *safi,
609 unsigned char *a, const int prefixlen)
610 {
611 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
612 IPAddressOrRange *aor;
613
614 if (aors == NULL
615 || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi)))
616 return 0;
617 if (sk_IPAddressOrRange_push(aors, aor))
618 return 1;
619 IPAddressOrRange_free(aor);
620 return 0;
621 }
622
623 /*
624 * Add a range.
625 */
X509v3_addr_add_range(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi,unsigned char * min,unsigned char * max)626 int X509v3_addr_add_range(IPAddrBlocks *addr,
627 const unsigned afi,
628 const unsigned *safi,
629 unsigned char *min, unsigned char *max)
630 {
631 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
632 IPAddressOrRange *aor;
633 int length = length_from_afi(afi);
634
635 if (aors == NULL)
636 return 0;
637 if (!make_addressRange(&aor, min, max, length))
638 return 0;
639 if (sk_IPAddressOrRange_push(aors, aor))
640 return 1;
641 IPAddressOrRange_free(aor);
642 return 0;
643 }
644
645 /*
646 * Extract min and max values from an IPAddressOrRange.
647 */
extract_min_max(IPAddressOrRange * aor,unsigned char * min,unsigned char * max,int length)648 static int extract_min_max(IPAddressOrRange *aor,
649 unsigned char *min, unsigned char *max, int length)
650 {
651 if (aor == NULL || min == NULL || max == NULL)
652 return 0;
653 switch (aor->type) {
654 case IPAddressOrRange_addressPrefix:
655 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
656 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
657 case IPAddressOrRange_addressRange:
658 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
659 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
660 }
661 return 0;
662 }
663
664 /*
665 * Public wrapper for extract_min_max().
666 */
X509v3_addr_get_range(IPAddressOrRange * aor,const unsigned afi,unsigned char * min,unsigned char * max,const int length)667 int X509v3_addr_get_range(IPAddressOrRange *aor,
668 const unsigned afi,
669 unsigned char *min,
670 unsigned char *max, const int length)
671 {
672 int afi_length = length_from_afi(afi);
673
674 if (aor == NULL || min == NULL || max == NULL ||
675 afi_length == 0 || length < afi_length ||
676 (aor->type != IPAddressOrRange_addressPrefix &&
677 aor->type != IPAddressOrRange_addressRange) ||
678 !extract_min_max(aor, min, max, afi_length))
679 return 0;
680
681 return afi_length;
682 }
683
684 /*
685 * Sort comparison function for a sequence of IPAddressFamily.
686 *
687 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
688 * the ordering: I can read it as meaning that IPv6 without a SAFI
689 * comes before IPv4 with a SAFI, which seems pretty weird. The
690 * examples in appendix B suggest that the author intended the
691 * null-SAFI rule to apply only within a single AFI, which is what I
692 * would have expected and is what the following code implements.
693 */
IPAddressFamily_cmp(const IPAddressFamily * const * a_,const IPAddressFamily * const * b_)694 static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
695 const IPAddressFamily *const *b_)
696 {
697 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
698 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
699 int len = ((a->length <= b->length) ? a->length : b->length);
700 int cmp = memcmp(a->data, b->data, len);
701
702 return cmp ? cmp : a->length - b->length;
703 }
704
IPAddressFamily_check_len(const IPAddressFamily * f)705 static int IPAddressFamily_check_len(const IPAddressFamily *f)
706 {
707 if (f->addressFamily->length < 2 || f->addressFamily->length > 3)
708 return 0;
709 else
710 return 1;
711 }
712
713 /*
714 * Check whether an IPAddrBLocks is in canonical form.
715 */
X509v3_addr_is_canonical(IPAddrBlocks * addr)716 int X509v3_addr_is_canonical(IPAddrBlocks *addr)
717 {
718 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
719 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
720 IPAddressOrRanges *aors;
721 int i, j, k;
722
723 /*
724 * Empty extension is canonical.
725 */
726 if (addr == NULL)
727 return 1;
728
729 /*
730 * Check whether the top-level list is in order.
731 */
732 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
733 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
734 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
735
736 if (!IPAddressFamily_check_len(a) || !IPAddressFamily_check_len(b))
737 return 0;
738
739 if (IPAddressFamily_cmp(&a, &b) >= 0)
740 return 0;
741 }
742
743 /*
744 * Top level's ok, now check each address family.
745 */
746 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
747 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
748 int length = length_from_afi(X509v3_addr_get_afi(f));
749
750 /*
751 * Inheritance is canonical. Anything other than inheritance or
752 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
753 */
754 if (f == NULL || f->ipAddressChoice == NULL)
755 return 0;
756 switch (f->ipAddressChoice->type) {
757 case IPAddressChoice_inherit:
758 continue;
759 case IPAddressChoice_addressesOrRanges:
760 break;
761 default:
762 return 0;
763 }
764
765 if (!IPAddressFamily_check_len(f))
766 return 0;
767
768 /*
769 * It's an IPAddressOrRanges sequence, check it.
770 */
771 aors = f->ipAddressChoice->u.addressesOrRanges;
772 if (sk_IPAddressOrRange_num(aors) == 0)
773 return 0;
774 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
775 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
776 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
777
778 if (!extract_min_max(a, a_min, a_max, length) ||
779 !extract_min_max(b, b_min, b_max, length))
780 return 0;
781
782 /*
783 * Punt misordered list, overlapping start, or inverted range.
784 */
785 if (memcmp(a_min, b_min, length) >= 0 ||
786 memcmp(a_min, a_max, length) > 0 ||
787 memcmp(b_min, b_max, length) > 0)
788 return 0;
789
790 /*
791 * Punt if adjacent or overlapping. Check for adjacency by
792 * subtracting one from b_min first.
793 */
794 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ;
795 if (memcmp(a_max, b_min, length) >= 0)
796 return 0;
797
798 /*
799 * Check for range that should be expressed as a prefix.
800 */
801 if (a->type == IPAddressOrRange_addressRange &&
802 range_should_be_prefix(a_min, a_max, length) >= 0)
803 return 0;
804 }
805
806 /*
807 * Check range to see if it's inverted or should be a
808 * prefix.
809 */
810 j = sk_IPAddressOrRange_num(aors) - 1;
811 {
812 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
813
814 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
815 if (!extract_min_max(a, a_min, a_max, length))
816 return 0;
817 if (memcmp(a_min, a_max, length) > 0 ||
818 range_should_be_prefix(a_min, a_max, length) >= 0)
819 return 0;
820 }
821 }
822 }
823
824 /*
825 * If we made it through all that, we're happy.
826 */
827 return 1;
828 }
829
830 /*
831 * Whack an IPAddressOrRanges into canonical form.
832 */
IPAddressOrRanges_canonize(IPAddressOrRanges * aors,const unsigned afi)833 static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
834 const unsigned afi)
835 {
836 int i, j, length = length_from_afi(afi);
837
838 /*
839 * Sort the IPAddressOrRanges sequence.
840 */
841 sk_IPAddressOrRange_sort(aors);
842
843 /*
844 * Clean up representation issues, punt on duplicates or overlaps.
845 */
846 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
847 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
848 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
849 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
850 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
851
852 if (!extract_min_max(a, a_min, a_max, length) ||
853 !extract_min_max(b, b_min, b_max, length))
854 return 0;
855
856 /*
857 * Punt inverted ranges.
858 */
859 if (memcmp(a_min, a_max, length) > 0 ||
860 memcmp(b_min, b_max, length) > 0)
861 return 0;
862
863 /*
864 * Punt overlaps.
865 */
866 if (memcmp(a_max, b_min, length) >= 0)
867 return 0;
868
869 /*
870 * Merge if a and b are adjacent. We check for
871 * adjacency by subtracting one from b_min first.
872 */
873 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ;
874 if (memcmp(a_max, b_min, length) == 0) {
875 IPAddressOrRange *merged;
876
877 if (!make_addressRange(&merged, a_min, b_max, length))
878 return 0;
879 (void)sk_IPAddressOrRange_set(aors, i, merged);
880 (void)sk_IPAddressOrRange_delete(aors, i + 1);
881 IPAddressOrRange_free(a);
882 IPAddressOrRange_free(b);
883 --i;
884 continue;
885 }
886 }
887
888 /*
889 * Check for inverted final range.
890 */
891 j = sk_IPAddressOrRange_num(aors) - 1;
892 {
893 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
894
895 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
896 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
897
898 if (!extract_min_max(a, a_min, a_max, length))
899 return 0;
900 if (memcmp(a_min, a_max, length) > 0)
901 return 0;
902 }
903 }
904
905 return 1;
906 }
907
908 /*
909 * Whack an IPAddrBlocks extension into canonical form.
910 */
X509v3_addr_canonize(IPAddrBlocks * addr)911 int X509v3_addr_canonize(IPAddrBlocks *addr)
912 {
913 int i;
914
915 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
916 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
917
918 if (!IPAddressFamily_check_len(f))
919 return 0;
920
921 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
922 !IPAddressOrRanges_canonize(f->ipAddressChoice->
923 u.addressesOrRanges,
924 X509v3_addr_get_afi(f)))
925 return 0;
926 }
927 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
928 sk_IPAddressFamily_sort(addr);
929 if (!ossl_assert(X509v3_addr_is_canonical(addr)))
930 return 0;
931 return 1;
932 }
933
934 /*
935 * v2i handler for the IPAddrBlocks extension.
936 */
v2i_IPAddrBlocks(const struct v3_ext_method * method,struct v3_ext_ctx * ctx,STACK_OF (CONF_VALUE)* values)937 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
938 struct v3_ext_ctx *ctx,
939 STACK_OF(CONF_VALUE) *values)
940 {
941 static const char v4addr_chars[] = "0123456789.";
942 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
943 IPAddrBlocks *addr = NULL;
944 char *s = NULL, *t;
945 int i;
946
947 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
948 ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
949 return NULL;
950 }
951
952 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
953 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
954 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
955 unsigned afi, *safi = NULL, safi_;
956 const char *addr_chars = NULL;
957 int prefixlen, i1, i2, delim, length;
958
959 if (!ossl_v3_name_cmp(val->name, "IPv4")) {
960 afi = IANA_AFI_IPV4;
961 } else if (!ossl_v3_name_cmp(val->name, "IPv6")) {
962 afi = IANA_AFI_IPV6;
963 } else if (!ossl_v3_name_cmp(val->name, "IPv4-SAFI")) {
964 afi = IANA_AFI_IPV4;
965 safi = &safi_;
966 } else if (!ossl_v3_name_cmp(val->name, "IPv6-SAFI")) {
967 afi = IANA_AFI_IPV6;
968 safi = &safi_;
969 } else {
970 ERR_raise_data(ERR_LIB_X509V3, X509V3_R_EXTENSION_NAME_ERROR,
971 "%s", val->name);
972 goto err;
973 }
974
975 switch (afi) {
976 case IANA_AFI_IPV4:
977 addr_chars = v4addr_chars;
978 break;
979 case IANA_AFI_IPV6:
980 addr_chars = v6addr_chars;
981 break;
982 }
983
984 length = length_from_afi(afi);
985
986 /*
987 * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
988 * the other input values.
989 */
990 if (safi != NULL) {
991 if (val->value == NULL) {
992 ERR_raise(ERR_LIB_X509V3, X509V3_R_MISSING_VALUE);
993 goto err;
994 }
995 *safi = strtoul(val->value, &t, 0);
996 t += strspn(t, " \t");
997 if (*safi > 0xFF || *t++ != ':') {
998 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_SAFI);
999 X509V3_conf_add_error_name_value(val);
1000 goto err;
1001 }
1002 t += strspn(t, " \t");
1003 s = OPENSSL_strdup(t);
1004 } else {
1005 s = OPENSSL_strdup(val->value);
1006 }
1007 if (s == NULL)
1008 goto err;
1009
1010 /*
1011 * Check for inheritance. Not worth additional complexity to
1012 * optimize this (seldom-used) case.
1013 */
1014 if (strcmp(s, "inherit") == 0) {
1015 if (!X509v3_addr_add_inherit(addr, afi, safi)) {
1016 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_INHERITANCE);
1017 X509V3_conf_add_error_name_value(val);
1018 goto err;
1019 }
1020 OPENSSL_free(s);
1021 s = NULL;
1022 continue;
1023 }
1024
1025 i1 = strspn(s, addr_chars);
1026 i2 = i1 + strspn(s + i1, " \t");
1027 delim = s[i2++];
1028 s[i1] = '\0';
1029
1030 if (ossl_a2i_ipadd(min, s) != length) {
1031 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_IPADDRESS);
1032 X509V3_conf_add_error_name_value(val);
1033 goto err;
1034 }
1035
1036 switch (delim) {
1037 case '/':
1038 prefixlen = (int)strtoul(s + i2, &t, 10);
1039 if (t == s + i2
1040 || *t != '\0'
1041 || prefixlen > (length * 8)
1042 || prefixlen < 0) {
1043 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1044 X509V3_conf_add_error_name_value(val);
1045 goto err;
1046 }
1047 if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1048 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1049 goto err;
1050 }
1051 break;
1052 case '-':
1053 i1 = i2 + strspn(s + i2, " \t");
1054 i2 = i1 + strspn(s + i1, addr_chars);
1055 if (i1 == i2 || s[i2] != '\0') {
1056 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1057 X509V3_conf_add_error_name_value(val);
1058 goto err;
1059 }
1060 if (ossl_a2i_ipadd(max, s + i1) != length) {
1061 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_IPADDRESS);
1062 X509V3_conf_add_error_name_value(val);
1063 goto err;
1064 }
1065 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1066 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1067 X509V3_conf_add_error_name_value(val);
1068 goto err;
1069 }
1070 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
1071 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1072 goto err;
1073 }
1074 break;
1075 case '\0':
1076 if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1077 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1078 goto err;
1079 }
1080 break;
1081 default:
1082 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1083 X509V3_conf_add_error_name_value(val);
1084 goto err;
1085 }
1086
1087 OPENSSL_free(s);
1088 s = NULL;
1089 }
1090
1091 /*
1092 * Canonize the result, then we're done.
1093 */
1094 if (!X509v3_addr_canonize(addr))
1095 goto err;
1096 return addr;
1097
1098 err:
1099 OPENSSL_free(s);
1100 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1101 return NULL;
1102 }
1103
1104 /*
1105 * OpenSSL dispatch
1106 */
1107 const X509V3_EXT_METHOD ossl_v3_addr = {
1108 NID_sbgp_ipAddrBlock, /* nid */
1109 0, /* flags */
1110 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1111 0, 0, 0, 0, /* old functions, ignored */
1112 0, /* i2s */
1113 0, /* s2i */
1114 0, /* i2v */
1115 v2i_IPAddrBlocks, /* v2i */
1116 i2r_IPAddrBlocks, /* i2r */
1117 0, /* r2i */
1118 NULL /* extension-specific data */
1119 };
1120
1121 /*
1122 * Figure out whether extension sues inheritance.
1123 */
X509v3_addr_inherits(IPAddrBlocks * addr)1124 int X509v3_addr_inherits(IPAddrBlocks *addr)
1125 {
1126 int i;
1127
1128 if (addr == NULL)
1129 return 0;
1130 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1131 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1132
1133 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1134 return 1;
1135 }
1136 return 0;
1137 }
1138
1139 /*
1140 * Figure out whether parent contains child.
1141 */
addr_contains(IPAddressOrRanges * parent,IPAddressOrRanges * child,int length)1142 static int addr_contains(IPAddressOrRanges *parent,
1143 IPAddressOrRanges *child, int length)
1144 {
1145 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1146 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1147 int p, c;
1148
1149 if (child == NULL || parent == child)
1150 return 1;
1151 if (parent == NULL)
1152 return 0;
1153
1154 p = 0;
1155 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1156 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1157 c_min, c_max, length))
1158 return 0;
1159 for (;; p++) {
1160 if (p >= sk_IPAddressOrRange_num(parent))
1161 return 0;
1162 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1163 p_min, p_max, length))
1164 return 0;
1165 if (memcmp(p_max, c_max, length) < 0)
1166 continue;
1167 if (memcmp(p_min, c_min, length) > 0)
1168 return 0;
1169 break;
1170 }
1171 }
1172
1173 return 1;
1174 }
1175
1176 /*
1177 * Test whether a is a subset of b.
1178 */
X509v3_addr_subset(IPAddrBlocks * a,IPAddrBlocks * b)1179 int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1180 {
1181 int i;
1182
1183 if (a == NULL || a == b)
1184 return 1;
1185 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
1186 return 0;
1187 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1188 sk_IPAddressFamily_sort(b);
1189 /* Could sort a here too and get O(|a|) running time instead of O(|a| ln |b|) */
1190 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1191 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1192 int j = sk_IPAddressFamily_find(b, fa);
1193 IPAddressFamily *fb = sk_IPAddressFamily_value(b, j);
1194
1195 if (fb == NULL)
1196 return 0;
1197 if (!IPAddressFamily_check_len(fa) || !IPAddressFamily_check_len(fb))
1198 return 0;
1199 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1200 fa->ipAddressChoice->u.addressesOrRanges,
1201 length_from_afi(X509v3_addr_get_afi(fb))))
1202 return 0;
1203 }
1204 return 1;
1205 }
1206
1207 /*
1208 * Validation error handling via callback.
1209 */
1210 # define validation_err(_err_) \
1211 do { \
1212 if (ctx != NULL) { \
1213 ctx->error = _err_; \
1214 ctx->error_depth = i; \
1215 ctx->current_cert = x; \
1216 rv = ctx->verify_cb(0, ctx); \
1217 } else { \
1218 rv = 0; \
1219 } \
1220 if (rv == 0) \
1221 goto done; \
1222 } while (0)
1223
1224 /*
1225 * Core code for RFC 3779 2.3 path validation.
1226 *
1227 * Returns 1 for success, 0 on error.
1228 *
1229 * When returning 0, ctx->error MUST be set to an appropriate value other than
1230 * X509_V_OK.
1231 */
addr_validate_path_internal(X509_STORE_CTX * ctx,STACK_OF (X509)* chain,IPAddrBlocks * ext)1232 static int addr_validate_path_internal(X509_STORE_CTX *ctx,
1233 STACK_OF(X509) *chain,
1234 IPAddrBlocks *ext)
1235 {
1236 IPAddrBlocks *child = NULL;
1237 int i, j, ret = 0, rv;
1238 X509 *x;
1239
1240 if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
1241 || !ossl_assert(ctx != NULL || ext != NULL)
1242 || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
1243 if (ctx != NULL)
1244 ctx->error = X509_V_ERR_UNSPECIFIED;
1245 return 0;
1246 }
1247
1248 /*
1249 * Figure out where to start. If we don't have an extension to
1250 * check, we're done. Otherwise, check canonical form and
1251 * set up for walking up the chain.
1252 */
1253 if (ext != NULL) {
1254 i = -1;
1255 x = NULL;
1256 } else {
1257 i = 0;
1258 x = sk_X509_value(chain, i);
1259 if ((ext = x->rfc3779_addr) == NULL)
1260 return 1; /* Return success */
1261 }
1262 if (!X509v3_addr_is_canonical(ext))
1263 validation_err(X509_V_ERR_INVALID_EXTENSION);
1264 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1265 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1266 ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
1267 if (ctx != NULL)
1268 ctx->error = X509_V_ERR_OUT_OF_MEM;
1269 goto done;
1270 }
1271 sk_IPAddressFamily_sort(child);
1272
1273 /*
1274 * Now walk up the chain. No cert may list resources that its
1275 * parent doesn't list.
1276 */
1277 for (i++; i < sk_X509_num(chain); i++) {
1278 x = sk_X509_value(chain, i);
1279 if (!X509v3_addr_is_canonical(x->rfc3779_addr))
1280 validation_err(X509_V_ERR_INVALID_EXTENSION);
1281 if (x->rfc3779_addr == NULL) {
1282 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1283 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1284
1285 if (!IPAddressFamily_check_len(fc))
1286 goto done;
1287
1288 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1289 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1290 break;
1291 }
1292 }
1293 continue;
1294 }
1295 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1296 IPAddressFamily_cmp);
1297 sk_IPAddressFamily_sort(x->rfc3779_addr);
1298 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1299 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1300 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1301 IPAddressFamily *fp =
1302 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1303
1304 if (fp == NULL) {
1305 if (fc->ipAddressChoice->type ==
1306 IPAddressChoice_addressesOrRanges) {
1307 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1308 break;
1309 }
1310 continue;
1311 }
1312
1313 if (!IPAddressFamily_check_len(fc) || !IPAddressFamily_check_len(fp))
1314 goto done;
1315
1316 if (fp->ipAddressChoice->type ==
1317 IPAddressChoice_addressesOrRanges) {
1318 if (fc->ipAddressChoice->type == IPAddressChoice_inherit
1319 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1320 fc->ipAddressChoice->u.addressesOrRanges,
1321 length_from_afi(X509v3_addr_get_afi(fc))))
1322 (void)sk_IPAddressFamily_set(child, j, fp);
1323 else
1324 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1325 }
1326 }
1327 }
1328
1329 /*
1330 * Trust anchor can't inherit.
1331 */
1332 if (x->rfc3779_addr != NULL) {
1333 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1334 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
1335
1336 if (!IPAddressFamily_check_len(fp))
1337 goto done;
1338
1339 if (fp->ipAddressChoice->type == IPAddressChoice_inherit
1340 && sk_IPAddressFamily_find(child, fp) >= 0)
1341 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1342 }
1343 }
1344 ret = 1;
1345 done:
1346 sk_IPAddressFamily_free(child);
1347 return ret;
1348 }
1349
1350 # undef validation_err
1351
1352 /*
1353 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1354 */
X509v3_addr_validate_path(X509_STORE_CTX * ctx)1355 int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1356 {
1357 if (ctx->chain == NULL
1358 || sk_X509_num(ctx->chain) == 0
1359 || ctx->verify_cb == NULL) {
1360 ctx->error = X509_V_ERR_UNSPECIFIED;
1361 return 0;
1362 }
1363 return addr_validate_path_internal(ctx, ctx->chain, NULL);
1364 }
1365
1366 /*
1367 * RFC 3779 2.3 path validation of an extension.
1368 * Test whether chain covers extension.
1369 */
X509v3_addr_validate_resource_set(STACK_OF (X509)* chain,IPAddrBlocks * ext,int allow_inheritance)1370 int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1371 IPAddrBlocks *ext, int allow_inheritance)
1372 {
1373 if (ext == NULL)
1374 return 1;
1375 if (chain == NULL || sk_X509_num(chain) == 0)
1376 return 0;
1377 if (!allow_inheritance && X509v3_addr_inherits(ext))
1378 return 0;
1379 return addr_validate_path_internal(NULL, chain, ext);
1380 }
1381
1382 #endif /* OPENSSL_NO_RFC3779 */
1383
