1 /* 2 * Contributed to the OpenSSL Project by the American Registry for 3 * Internet Numbers ("ARIN"). 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing (at) OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay (at) cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh (at) cryptsoft.com). 56 */ 57 58 /* 59 * Implementation of RFC 3779 section 2.2. 60 */ 61 62 #include <stdio.h> 63 #include <stdlib.h> 64 65 #include "cryptlib.h" 66 #include <openssl/conf.h> 67 #include <openssl/asn1.h> 68 #include <openssl/asn1t.h> 69 #include <openssl/buffer.h> 70 #include <openssl/x509v3.h> 71 72 #ifndef OPENSSL_NO_RFC3779 73 74 /* 75 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 76 */ 77 78 ASN1_SEQUENCE(IPAddressRange) = { 79 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), 80 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) 81 } ASN1_SEQUENCE_END(IPAddressRange) 82 83 ASN1_CHOICE(IPAddressOrRange) = { 84 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), 85 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) 86 } ASN1_CHOICE_END(IPAddressOrRange) 87 88 ASN1_CHOICE(IPAddressChoice) = { 89 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), 90 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) 91 } ASN1_CHOICE_END(IPAddressChoice) 92 93 ASN1_SEQUENCE(IPAddressFamily) = { 94 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), 95 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) 96 } ASN1_SEQUENCE_END(IPAddressFamily) 97 98 ASN1_ITEM_TEMPLATE(IPAddrBlocks) = 99 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, 100 IPAddrBlocks, IPAddressFamily) 101 ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) 102 103 IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) 104 IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) 105 IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice) 106 IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) 107 108 /* 109 * How much buffer space do we need for a raw address? 110 */ 111 #define ADDR_RAW_BUF_LEN 16 112 113 /* 114 * What's the address length associated with this AFI? 115 */ 116 static int length_from_afi(const unsigned afi) 117 { 118 switch (afi) { 119 case IANA_AFI_IPV4: 120 return 4; 121 case IANA_AFI_IPV6: 122 return 16; 123 default: 124 return 0; 125 } 126 } 127 128 /* 129 * Extract the AFI from an IPAddressFamily. 130 */ 131 unsigned int v3_addr_get_afi(const IPAddressFamily *f) 132 { 133 return ((f != NULL && 134 f->addressFamily != NULL && 135 f->addressFamily->data != NULL) 136 ? ((f->addressFamily->data[0] << 8) | 137 (f->addressFamily->data[1])) 138 : 0); 139 } 140 141 /* 142 * Expand the bitstring form of an address into a raw byte array. 143 * At the moment this is coded for simplicity, not speed. 144 */ 145 static void addr_expand(unsigned char *addr, 146 const ASN1_BIT_STRING *bs, 147 const int length, 148 const unsigned char fill) 149 { 150 OPENSSL_assert(bs->length >= 0 && bs->length <= length); 151 if (bs->length > 0) { 152 memcpy(addr, bs->data, bs->length); 153 if ((bs->flags & 7) != 0) { 154 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 155 if (fill == 0) 156 addr[bs->length - 1] &= ~mask; 157 else 158 addr[bs->length - 1] |= mask; 159 } 160 } 161 memset(addr + bs->length, fill, length - bs->length); 162 } 163 164 /* 165 * Extract the prefix length from a bitstring. 166 */ 167 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 168 169 /* 170 * i2r handler for one address bitstring. 171 */ 172 static int i2r_address(BIO *out, 173 const unsigned afi, 174 const unsigned char fill, 175 const ASN1_BIT_STRING *bs) 176 { 177 unsigned char addr[ADDR_RAW_BUF_LEN]; 178 int i, n; 179 180 switch (afi) { 181 case IANA_AFI_IPV4: 182 addr_expand(addr, bs, 4, fill); 183 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 184 break; 185 case IANA_AFI_IPV6: 186 addr_expand(addr, bs, 16, fill); 187 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) 188 ; 189 for (i = 0; i < n; i += 2) 190 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); 191 if (i < 16) 192 BIO_puts(out, ":"); 193 if (i == 0) 194 BIO_puts(out, ":"); 195 break; 196 default: 197 for (i = 0; i < bs->length; i++) 198 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); 199 BIO_printf(out, "[%d]", (int) (bs->flags & 7)); 200 break; 201 } 202 return 1; 203 } 204 205 /* 206 * i2r handler for a sequence of addresses and ranges. 207 */ 208 static int i2r_IPAddressOrRanges(BIO *out, 209 const int indent, 210 const IPAddressOrRanges *aors, 211 const unsigned afi) 212 { 213 int i; 214 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 215 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 216 BIO_printf(out, "%*s", indent, ""); 217 switch (aor->type) { 218 case IPAddressOrRange_addressPrefix: 219 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 220 return 0; 221 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); 222 continue; 223 case IPAddressOrRange_addressRange: 224 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) 225 return 0; 226 BIO_puts(out, "-"); 227 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) 228 return 0; 229 BIO_puts(out, "\n"); 230 continue; 231 } 232 } 233 return 1; 234 } 235 236 /* 237 * i2r handler for an IPAddrBlocks extension. 238 */ 239 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, 240 void *ext, 241 BIO *out, 242 int indent) 243 { 244 const IPAddrBlocks *addr = ext; 245 int i; 246 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 247 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 248 const unsigned int afi = v3_addr_get_afi(f); 249 switch (afi) { 250 case IANA_AFI_IPV4: 251 BIO_printf(out, "%*sIPv4", indent, ""); 252 break; 253 case IANA_AFI_IPV6: 254 BIO_printf(out, "%*sIPv6", indent, ""); 255 break; 256 default: 257 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 258 break; 259 } 260 if (f->addressFamily->length > 2) { 261 switch (f->addressFamily->data[2]) { 262 case 1: 263 BIO_puts(out, " (Unicast)"); 264 break; 265 case 2: 266 BIO_puts(out, " (Multicast)"); 267 break; 268 case 3: 269 BIO_puts(out, " (Unicast/Multicast)"); 270 break; 271 case 4: 272 BIO_puts(out, " (MPLS)"); 273 break; 274 case 64: 275 BIO_puts(out, " (Tunnel)"); 276 break; 277 case 65: 278 BIO_puts(out, " (VPLS)"); 279 break; 280 case 66: 281 BIO_puts(out, " (BGP MDT)"); 282 break; 283 case 128: 284 BIO_puts(out, " (MPLS-labeled VPN)"); 285 break; 286 default: 287 BIO_printf(out, " (Unknown SAFI %u)", 288 (unsigned) f->addressFamily->data[2]); 289 break; 290 } 291 } 292 switch (f->ipAddressChoice->type) { 293 case IPAddressChoice_inherit: 294 BIO_puts(out, ": inherit\n"); 295 break; 296 case IPAddressChoice_addressesOrRanges: 297 BIO_puts(out, ":\n"); 298 if (!i2r_IPAddressOrRanges(out, 299 indent + 2, 300 f->ipAddressChoice->u.addressesOrRanges, 301 afi)) 302 return 0; 303 break; 304 } 305 } 306 return 1; 307 } 308 309 /* 310 * Sort comparison function for a sequence of IPAddressOrRange 311 * elements. 312 */ 313 static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 314 const IPAddressOrRange *b, 315 const int length) 316 { 317 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 318 int prefixlen_a = 0, prefixlen_b = 0; 319 int r; 320 321 switch (a->type) { 322 case IPAddressOrRange_addressPrefix: 323 addr_expand(addr_a, a->u.addressPrefix, length, 0x00); 324 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 325 break; 326 case IPAddressOrRange_addressRange: 327 addr_expand(addr_a, a->u.addressRange->min, length, 0x00); 328 prefixlen_a = length * 8; 329 break; 330 } 331 332 switch (b->type) { 333 case IPAddressOrRange_addressPrefix: 334 addr_expand(addr_b, b->u.addressPrefix, length, 0x00); 335 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 336 break; 337 case IPAddressOrRange_addressRange: 338 addr_expand(addr_b, b->u.addressRange->min, length, 0x00); 339 prefixlen_b = length * 8; 340 break; 341 } 342 343 if ((r = memcmp(addr_a, addr_b, length)) != 0) 344 return r; 345 else 346 return prefixlen_a - prefixlen_b; 347 } 348 349 /* 350 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 351 * comparision routines are only allowed two arguments. 352 */ 353 static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a, 354 const IPAddressOrRange * const *b) 355 { 356 return IPAddressOrRange_cmp(*a, *b, 4); 357 } 358 359 /* 360 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 361 * comparision routines are only allowed two arguments. 362 */ 363 static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a, 364 const IPAddressOrRange * const *b) 365 { 366 return IPAddressOrRange_cmp(*a, *b, 16); 367 } 368 369 /* 370 * Calculate whether a range collapses to a prefix. 371 * See last paragraph of RFC 3779 2.2.3.7. 372 */ 373 static int range_should_be_prefix(const unsigned char *min, 374 const unsigned char *max, 375 const int length) 376 { 377 unsigned char mask; 378 int i, j; 379 380 for (i = 0; i < length && min[i] == max[i]; i++) 381 ; 382 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) 383 ; 384 if (i < j) 385 return -1; 386 if (i > j) 387 return i * 8; 388 mask = min[i] ^ max[i]; 389 switch (mask) { 390 case 0x01: j = 7; break; 391 case 0x03: j = 6; break; 392 case 0x07: j = 5; break; 393 case 0x0F: j = 4; break; 394 case 0x1F: j = 3; break; 395 case 0x3F: j = 2; break; 396 case 0x7F: j = 1; break; 397 default: return -1; 398 } 399 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 400 return -1; 401 else 402 return i * 8 + j; 403 } 404 405 /* 406 * Construct a prefix. 407 */ 408 static int make_addressPrefix(IPAddressOrRange **result, 409 unsigned char *addr, 410 const int prefixlen) 411 { 412 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 413 IPAddressOrRange *aor = IPAddressOrRange_new(); 414 415 if (aor == NULL) 416 return 0; 417 aor->type = IPAddressOrRange_addressPrefix; 418 if (aor->u.addressPrefix == NULL && 419 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 420 goto err; 421 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 422 goto err; 423 aor->u.addressPrefix->flags &= ~7; 424 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 425 if (bitlen > 0) { 426 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 427 aor->u.addressPrefix->flags |= 8 - bitlen; 428 } 429 430 *result = aor; 431 return 1; 432 433 err: 434 IPAddressOrRange_free(aor); 435 return 0; 436 } 437 438 /* 439 * Construct a range. If it can be expressed as a prefix, 440 * return a prefix instead. Doing this here simplifies 441 * the rest of the code considerably. 442 */ 443 static int make_addressRange(IPAddressOrRange **result, 444 unsigned char *min, 445 unsigned char *max, 446 const int length) 447 { 448 IPAddressOrRange *aor; 449 int i, prefixlen; 450 451 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 452 return make_addressPrefix(result, min, prefixlen); 453 454 if ((aor = IPAddressOrRange_new()) == NULL) 455 return 0; 456 aor->type = IPAddressOrRange_addressRange; 457 OPENSSL_assert(aor->u.addressRange == NULL); 458 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 459 goto err; 460 if (aor->u.addressRange->min == NULL && 461 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 462 goto err; 463 if (aor->u.addressRange->max == NULL && 464 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 465 goto err; 466 467 for (i = length; i > 0 && min[i - 1] == 0x00; --i) 468 ; 469 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 470 goto err; 471 aor->u.addressRange->min->flags &= ~7; 472 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 473 if (i > 0) { 474 unsigned char b = min[i - 1]; 475 int j = 1; 476 while ((b & (0xFFU >> j)) != 0) 477 ++j; 478 aor->u.addressRange->min->flags |= 8 - j; 479 } 480 481 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) 482 ; 483 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 484 goto err; 485 aor->u.addressRange->max->flags &= ~7; 486 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 487 if (i > 0) { 488 unsigned char b = max[i - 1]; 489 int j = 1; 490 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 491 ++j; 492 aor->u.addressRange->max->flags |= 8 - j; 493 } 494 495 *result = aor; 496 return 1; 497 498 err: 499 IPAddressOrRange_free(aor); 500 return 0; 501 } 502 503 /* 504 * Construct a new address family or find an existing one. 505 */ 506 static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 507 const unsigned afi, 508 const unsigned *safi) 509 { 510 IPAddressFamily *f; 511 unsigned char key[3]; 512 unsigned keylen; 513 int i; 514 515 key[0] = (afi >> 8) & 0xFF; 516 key[1] = afi & 0xFF; 517 if (safi != NULL) { 518 key[2] = *safi & 0xFF; 519 keylen = 3; 520 } else { 521 keylen = 2; 522 } 523 524 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 525 f = sk_IPAddressFamily_value(addr, i); 526 OPENSSL_assert(f->addressFamily->data != NULL); 527 if (f->addressFamily->length == keylen && 528 !memcmp(f->addressFamily->data, key, keylen)) 529 return f; 530 } 531 532 if ((f = IPAddressFamily_new()) == NULL) 533 goto err; 534 if (f->ipAddressChoice == NULL && 535 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 536 goto err; 537 if (f->addressFamily == NULL && 538 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 539 goto err; 540 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 541 goto err; 542 if (!sk_IPAddressFamily_push(addr, f)) 543 goto err; 544 545 return f; 546 547 err: 548 IPAddressFamily_free(f); 549 return NULL; 550 } 551 552 /* 553 * Add an inheritance element. 554 */ 555 int v3_addr_add_inherit(IPAddrBlocks *addr, 556 const unsigned afi, 557 const unsigned *safi) 558 { 559 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 560 if (f == NULL || 561 f->ipAddressChoice == NULL || 562 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 563 f->ipAddressChoice->u.addressesOrRanges != NULL)) 564 return 0; 565 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 566 f->ipAddressChoice->u.inherit != NULL) 567 return 1; 568 if (f->ipAddressChoice->u.inherit == NULL && 569 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 570 return 0; 571 f->ipAddressChoice->type = IPAddressChoice_inherit; 572 return 1; 573 } 574 575 /* 576 * Construct an IPAddressOrRange sequence, or return an existing one. 577 */ 578 static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, 579 const unsigned afi, 580 const unsigned *safi) 581 { 582 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 583 IPAddressOrRanges *aors = NULL; 584 585 if (f == NULL || 586 f->ipAddressChoice == NULL || 587 (f->ipAddressChoice->type == IPAddressChoice_inherit && 588 f->ipAddressChoice->u.inherit != NULL)) 589 return NULL; 590 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 591 aors = f->ipAddressChoice->u.addressesOrRanges; 592 if (aors != NULL) 593 return aors; 594 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 595 return NULL; 596 switch (afi) { 597 case IANA_AFI_IPV4: 598 sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 599 break; 600 case IANA_AFI_IPV6: 601 sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 602 break; 603 } 604 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 605 f->ipAddressChoice->u.addressesOrRanges = aors; 606 return aors; 607 } 608 609 /* 610 * Add a prefix. 611 */ 612 int v3_addr_add_prefix(IPAddrBlocks *addr, 613 const unsigned afi, 614 const unsigned *safi, 615 unsigned char *a, 616 const int prefixlen) 617 { 618 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 619 IPAddressOrRange *aor; 620 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 621 return 0; 622 if (sk_IPAddressOrRange_push(aors, aor)) 623 return 1; 624 IPAddressOrRange_free(aor); 625 return 0; 626 } 627 628 /* 629 * Add a range. 630 */ 631 int v3_addr_add_range(IPAddrBlocks *addr, 632 const unsigned afi, 633 const unsigned *safi, 634 unsigned char *min, 635 unsigned char *max) 636 { 637 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 638 IPAddressOrRange *aor; 639 int length = length_from_afi(afi); 640 if (aors == NULL) 641 return 0; 642 if (!make_addressRange(&aor, min, max, length)) 643 return 0; 644 if (sk_IPAddressOrRange_push(aors, aor)) 645 return 1; 646 IPAddressOrRange_free(aor); 647 return 0; 648 } 649 650 /* 651 * Extract min and max values from an IPAddressOrRange. 652 */ 653 static void extract_min_max(IPAddressOrRange *aor, 654 unsigned char *min, 655 unsigned char *max, 656 int length) 657 { 658 OPENSSL_assert(aor != NULL && min != NULL && max != NULL); 659 switch (aor->type) { 660 case IPAddressOrRange_addressPrefix: 661 addr_expand(min, aor->u.addressPrefix, length, 0x00); 662 addr_expand(max, aor->u.addressPrefix, length, 0xFF); 663 return; 664 case IPAddressOrRange_addressRange: 665 addr_expand(min, aor->u.addressRange->min, length, 0x00); 666 addr_expand(max, aor->u.addressRange->max, length, 0xFF); 667 return; 668 } 669 } 670 671 /* 672 * Public wrapper for extract_min_max(). 673 */ 674 int v3_addr_get_range(IPAddressOrRange *aor, 675 const unsigned afi, 676 unsigned char *min, 677 unsigned char *max, 678 const int length) 679 { 680 int afi_length = length_from_afi(afi); 681 if (aor == NULL || min == NULL || max == NULL || 682 afi_length == 0 || length < afi_length || 683 (aor->type != IPAddressOrRange_addressPrefix && 684 aor->type != IPAddressOrRange_addressRange)) 685 return 0; 686 extract_min_max(aor, min, max, afi_length); 687 return afi_length; 688 } 689 690 /* 691 * Sort comparision function for a sequence of IPAddressFamily. 692 * 693 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 694 * the ordering: I can read it as meaning that IPv6 without a SAFI 695 * comes before IPv4 with a SAFI, which seems pretty weird. The 696 * examples in appendix B suggest that the author intended the 697 * null-SAFI rule to apply only within a single AFI, which is what I 698 * would have expected and is what the following code implements. 699 */ 700 static int IPAddressFamily_cmp(const IPAddressFamily * const *a_, 701 const IPAddressFamily * const *b_) 702 { 703 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 704 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 705 int len = ((a->length <= b->length) ? a->length : b->length); 706 int cmp = memcmp(a->data, b->data, len); 707 return cmp ? cmp : a->length - b->length; 708 } 709 710 /* 711 * Check whether an IPAddrBLocks is in canonical form. 712 */ 713 int v3_addr_is_canonical(IPAddrBlocks *addr) 714 { 715 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 716 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 717 IPAddressOrRanges *aors; 718 int i, j, k; 719 720 /* 721 * Empty extension is cannonical. 722 */ 723 if (addr == NULL) 724 return 1; 725 726 /* 727 * Check whether the top-level list is in order. 728 */ 729 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 730 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 731 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 732 if (IPAddressFamily_cmp(&a, &b) >= 0) 733 return 0; 734 } 735 736 /* 737 * Top level's ok, now check each address family. 738 */ 739 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 740 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 741 int length = length_from_afi(v3_addr_get_afi(f)); 742 743 /* 744 * Inheritance is canonical. Anything other than inheritance or 745 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. 746 */ 747 if (f == NULL || f->ipAddressChoice == NULL) 748 return 0; 749 switch (f->ipAddressChoice->type) { 750 case IPAddressChoice_inherit: 751 continue; 752 case IPAddressChoice_addressesOrRanges: 753 break; 754 default: 755 return 0; 756 } 757 758 /* 759 * It's an IPAddressOrRanges sequence, check it. 760 */ 761 aors = f->ipAddressChoice->u.addressesOrRanges; 762 if (sk_IPAddressOrRange_num(aors) == 0) 763 return 0; 764 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 765 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 766 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 767 768 extract_min_max(a, a_min, a_max, length); 769 extract_min_max(b, b_min, b_max, length); 770 771 /* 772 * Punt misordered list, overlapping start, or inverted range. 773 */ 774 if (memcmp(a_min, b_min, length) >= 0 || 775 memcmp(a_min, a_max, length) > 0 || 776 memcmp(b_min, b_max, length) > 0) 777 return 0; 778 779 /* 780 * Punt if adjacent or overlapping. Check for adjacency by 781 * subtracting one from b_min first. 782 */ 783 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) 784 ; 785 if (memcmp(a_max, b_min, length) >= 0) 786 return 0; 787 788 /* 789 * Check for range that should be expressed as a prefix. 790 */ 791 if (a->type == IPAddressOrRange_addressRange && 792 range_should_be_prefix(a_min, a_max, length) >= 0) 793 return 0; 794 } 795 796 /* 797 * Check final range to see if it should be a prefix. 798 */ 799 j = sk_IPAddressOrRange_num(aors) - 1; 800 { 801 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 802 if (a->type == IPAddressOrRange_addressRange) { 803 extract_min_max(a, a_min, a_max, length); 804 if (range_should_be_prefix(a_min, a_max, length) >= 0) 805 return 0; 806 } 807 } 808 } 809 810 /* 811 * If we made it through all that, we're happy. 812 */ 813 return 1; 814 } 815 816 /* 817 * Whack an IPAddressOrRanges into canonical form. 818 */ 819 static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, 820 const unsigned afi) 821 { 822 int i, j, length = length_from_afi(afi); 823 824 /* 825 * Sort the IPAddressOrRanges sequence. 826 */ 827 sk_IPAddressOrRange_sort(aors); 828 829 /* 830 * Clean up representation issues, punt on duplicates or overlaps. 831 */ 832 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 833 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 834 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 835 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 836 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 837 838 extract_min_max(a, a_min, a_max, length); 839 extract_min_max(b, b_min, b_max, length); 840 841 /* 842 * Punt overlaps. 843 */ 844 if (memcmp(a_max, b_min, length) >= 0) 845 return 0; 846 847 /* 848 * Merge if a and b are adjacent. We check for 849 * adjacency by subtracting one from b_min first. 850 */ 851 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) 852 ; 853 if (memcmp(a_max, b_min, length) == 0) { 854 IPAddressOrRange *merged; 855 if (!make_addressRange(&merged, a_min, b_max, length)) 856 return 0; 857 sk_IPAddressOrRange_set(aors, i, merged); 858 sk_IPAddressOrRange_delete(aors, i + 1); 859 IPAddressOrRange_free(a); 860 IPAddressOrRange_free(b); 861 --i; 862 continue; 863 } 864 } 865 866 return 1; 867 } 868 869 /* 870 * Whack an IPAddrBlocks extension into canonical form. 871 */ 872 int v3_addr_canonize(IPAddrBlocks *addr) 873 { 874 int i; 875 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 876 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 877 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 878 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, 879 v3_addr_get_afi(f))) 880 return 0; 881 } 882 sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 883 sk_IPAddressFamily_sort(addr); 884 OPENSSL_assert(v3_addr_is_canonical(addr)); 885 return 1; 886 } 887 888 /* 889 * v2i handler for the IPAddrBlocks extension. 890 */ 891 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, 892 struct v3_ext_ctx *ctx, 893 STACK_OF(CONF_VALUE) *values) 894 { 895 static const char v4addr_chars[] = "0123456789."; 896 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 897 IPAddrBlocks *addr = NULL; 898 char *s = NULL, *t; 899 int i; 900 901 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 902 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 903 return NULL; 904 } 905 906 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 907 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 908 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 909 unsigned afi, *safi = NULL, safi_; 910 const char *addr_chars; 911 int prefixlen, i1, i2, delim, length; 912 913 if ( !name_cmp(val->name, "IPv4")) { 914 afi = IANA_AFI_IPV4; 915 } else if (!name_cmp(val->name, "IPv6")) { 916 afi = IANA_AFI_IPV6; 917 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 918 afi = IANA_AFI_IPV4; 919 safi = &safi_; 920 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 921 afi = IANA_AFI_IPV6; 922 safi = &safi_; 923 } else { 924 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR); 925 X509V3_conf_err(val); 926 goto err; 927 } 928 929 switch (afi) { 930 case IANA_AFI_IPV4: 931 addr_chars = v4addr_chars; 932 break; 933 case IANA_AFI_IPV6: 934 addr_chars = v6addr_chars; 935 break; 936 } 937 938 length = length_from_afi(afi); 939 940 /* 941 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate 942 * the other input values. 943 */ 944 if (safi != NULL) { 945 *safi = strtoul(val->value, &t, 0); 946 t += strspn(t, " \t"); 947 if (*safi > 0xFF || *t++ != ':') { 948 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); 949 X509V3_conf_err(val); 950 goto err; 951 } 952 t += strspn(t, " \t"); 953 s = BUF_strdup(t); 954 } else { 955 s = BUF_strdup(val->value); 956 } 957 if (s == NULL) { 958 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 959 goto err; 960 } 961 962 /* 963 * Check for inheritance. Not worth additional complexity to 964 * optimize this (seldom-used) case. 965 */ 966 if (!strcmp(s, "inherit")) { 967 if (!v3_addr_add_inherit(addr, afi, safi)) { 968 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE); 969 X509V3_conf_err(val); 970 goto err; 971 } 972 OPENSSL_free(s); 973 s = NULL; 974 continue; 975 } 976 977 i1 = strspn(s, addr_chars); 978 i2 = i1 + strspn(s + i1, " \t"); 979 delim = s[i2++]; 980 s[i1] = '\0'; 981 982 if (a2i_ipadd(min, s) != length) { 983 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); 984 X509V3_conf_err(val); 985 goto err; 986 } 987 988 switch (delim) { 989 case '/': 990 prefixlen = (int) strtoul(s + i2, &t, 10); 991 if (t == s + i2 || *t != '\0') { 992 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 993 X509V3_conf_err(val); 994 goto err; 995 } 996 if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { 997 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 998 goto err; 999 } 1000 break; 1001 case '-': 1002 i1 = i2 + strspn(s + i2, " \t"); 1003 i2 = i1 + strspn(s + i1, addr_chars); 1004 if (i1 == i2 || s[i2] != '\0') { 1005 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1006 X509V3_conf_err(val); 1007 goto err; 1008 } 1009 if (a2i_ipadd(max, s + i1) != length) { 1010 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); 1011 X509V3_conf_err(val); 1012 goto err; 1013 } 1014 if (!v3_addr_add_range(addr, afi, safi, min, max)) { 1015 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1016 goto err; 1017 } 1018 break; 1019 case '\0': 1020 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { 1021 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1022 goto err; 1023 } 1024 break; 1025 default: 1026 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1027 X509V3_conf_err(val); 1028 goto err; 1029 } 1030 1031 OPENSSL_free(s); 1032 s = NULL; 1033 } 1034 1035 /* 1036 * Canonize the result, then we're done. 1037 */ 1038 if (!v3_addr_canonize(addr)) 1039 goto err; 1040 return addr; 1041 1042 err: 1043 OPENSSL_free(s); 1044 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1045 return NULL; 1046 } 1047 1048 /* 1049 * OpenSSL dispatch 1050 */ 1051 const X509V3_EXT_METHOD v3_addr = { 1052 NID_sbgp_ipAddrBlock, /* nid */ 1053 0, /* flags */ 1054 ASN1_ITEM_ref(IPAddrBlocks), /* template */ 1055 0, 0, 0, 0, /* old functions, ignored */ 1056 0, /* i2s */ 1057 0, /* s2i */ 1058 0, /* i2v */ 1059 v2i_IPAddrBlocks, /* v2i */ 1060 i2r_IPAddrBlocks, /* i2r */ 1061 0, /* r2i */ 1062 NULL /* extension-specific data */ 1063 }; 1064 1065 /* 1066 * Figure out whether extension sues inheritance. 1067 */ 1068 int v3_addr_inherits(IPAddrBlocks *addr) 1069 { 1070 int i; 1071 if (addr == NULL) 1072 return 0; 1073 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1074 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1075 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1076 return 1; 1077 } 1078 return 0; 1079 } 1080 1081 /* 1082 * Figure out whether parent contains child. 1083 */ 1084 static int addr_contains(IPAddressOrRanges *parent, 1085 IPAddressOrRanges *child, 1086 int length) 1087 { 1088 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1089 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1090 int p, c; 1091 1092 if (child == NULL || parent == child) 1093 return 1; 1094 if (parent == NULL) 1095 return 0; 1096 1097 p = 0; 1098 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1099 extract_min_max(sk_IPAddressOrRange_value(child, c), 1100 c_min, c_max, length); 1101 for (;; p++) { 1102 if (p >= sk_IPAddressOrRange_num(parent)) 1103 return 0; 1104 extract_min_max(sk_IPAddressOrRange_value(parent, p), 1105 p_min, p_max, length); 1106 if (memcmp(p_max, c_max, length) < 0) 1107 continue; 1108 if (memcmp(p_min, c_min, length) > 0) 1109 return 0; 1110 break; 1111 } 1112 } 1113 1114 return 1; 1115 } 1116 1117 /* 1118 * Test whether a is a subset of b. 1119 */ 1120 int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1121 { 1122 int i; 1123 if (a == NULL || a == b) 1124 return 1; 1125 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) 1126 return 0; 1127 sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1128 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1129 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1130 int j = sk_IPAddressFamily_find(b, fa); 1131 IPAddressFamily *fb; 1132 fb = sk_IPAddressFamily_value(b, j); 1133 if (fb == NULL) 1134 return 0; 1135 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1136 fa->ipAddressChoice->u.addressesOrRanges, 1137 length_from_afi(v3_addr_get_afi(fb)))) 1138 return 0; 1139 } 1140 return 1; 1141 } 1142 1143 /* 1144 * Validation error handling via callback. 1145 */ 1146 #define validation_err(_err_) \ 1147 do { \ 1148 if (ctx != NULL) { \ 1149 ctx->error = _err_; \ 1150 ctx->error_depth = i; \ 1151 ctx->current_cert = x; \ 1152 ret = ctx->verify_cb(0, ctx); \ 1153 } else { \ 1154 ret = 0; \ 1155 } \ 1156 if (!ret) \ 1157 goto done; \ 1158 } while (0) 1159 1160 /* 1161 * Core code for RFC 3779 2.3 path validation. 1162 */ 1163 static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, 1164 STACK_OF(X509) *chain, 1165 IPAddrBlocks *ext) 1166 { 1167 IPAddrBlocks *child = NULL; 1168 int i, j, ret = 1; 1169 X509 *x; 1170 1171 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1172 OPENSSL_assert(ctx != NULL || ext != NULL); 1173 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1174 1175 /* 1176 * Figure out where to start. If we don't have an extension to 1177 * check, we're done. Otherwise, check canonical form and 1178 * set up for walking up the chain. 1179 */ 1180 if (ext != NULL) { 1181 i = -1; 1182 x = NULL; 1183 } else { 1184 i = 0; 1185 x = sk_X509_value(chain, i); 1186 OPENSSL_assert(x != NULL); 1187 if ((ext = x->rfc3779_addr) == NULL) 1188 goto done; 1189 } 1190 if (!v3_addr_is_canonical(ext)) 1191 validation_err(X509_V_ERR_INVALID_EXTENSION); 1192 sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1193 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1194 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); 1195 ret = 0; 1196 goto done; 1197 } 1198 1199 /* 1200 * Now walk up the chain. No cert may list resources that its 1201 * parent doesn't list. 1202 */ 1203 for (i++; i < sk_X509_num(chain); i++) { 1204 x = sk_X509_value(chain, i); 1205 OPENSSL_assert(x != NULL); 1206 if (!v3_addr_is_canonical(x->rfc3779_addr)) 1207 validation_err(X509_V_ERR_INVALID_EXTENSION); 1208 if (x->rfc3779_addr == NULL) { 1209 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1210 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1211 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { 1212 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1213 break; 1214 } 1215 } 1216 continue; 1217 } 1218 sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); 1219 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1220 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1221 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1222 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); 1223 if (fp == NULL) { 1224 if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { 1225 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1226 break; 1227 } 1228 continue; 1229 } 1230 if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { 1231 if (fc->ipAddressChoice->type == IPAddressChoice_inherit || 1232 addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1233 fc->ipAddressChoice->u.addressesOrRanges, 1234 length_from_afi(v3_addr_get_afi(fc)))) 1235 sk_IPAddressFamily_set(child, j, fp); 1236 else 1237 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1238 } 1239 } 1240 } 1241 1242 /* 1243 * Trust anchor can't inherit. 1244 */ 1245 OPENSSL_assert(x != NULL); 1246 if (x->rfc3779_addr != NULL) { 1247 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1248 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); 1249 if (fp->ipAddressChoice->type == IPAddressChoice_inherit && 1250 sk_IPAddressFamily_find(child, fp) >= 0) 1251 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1252 } 1253 } 1254 1255 done: 1256 sk_IPAddressFamily_free(child); 1257 return ret; 1258 } 1259 1260 #undef validation_err 1261 1262 /* 1263 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1264 */ 1265 int v3_addr_validate_path(X509_STORE_CTX *ctx) 1266 { 1267 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); 1268 } 1269 1270 /* 1271 * RFC 3779 2.3 path validation of an extension. 1272 * Test whether chain covers extension. 1273 */ 1274 int v3_addr_validate_resource_set(STACK_OF(X509) *chain, 1275 IPAddrBlocks *ext, 1276 int allow_inheritance) 1277 { 1278 if (ext == NULL) 1279 return 1; 1280 if (chain == NULL || sk_X509_num(chain) == 0) 1281 return 0; 1282 if (!allow_inheritance && v3_addr_inherits(ext)) 1283 return 0; 1284 return v3_addr_validate_path_internal(NULL, chain, ext); 1285 } 1286 1287 #endif /* OPENSSL_NO_RFC3779 */ 1288
