1 /* 2 * Contributed to the OpenSSL Project by the American Registry for 3 * Internet Numbers ("ARIN"). 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing (at) OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay (at) cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh (at) cryptsoft.com). 56 */ 57 58 /* 59 * Implementation of RFC 3779 section 2.2. 60 */ 61 62 #include <stdio.h> 63 #include <stdlib.h> 64 65 #include "cryptlib.h" 66 #include <openssl/conf.h> 67 #include <openssl/asn1.h> 68 #include <openssl/asn1t.h> 69 #include <openssl/buffer.h> 70 #include <openssl/x509v3.h> 71 72 #ifndef OPENSSL_NO_RFC3779 73 74 /* 75 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 76 */ 77 78 ASN1_SEQUENCE(IPAddressRange) = { 79 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), 80 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) 81 } ASN1_SEQUENCE_END(IPAddressRange) 82 83 ASN1_CHOICE(IPAddressOrRange) = { 84 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), 85 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) 86 } ASN1_CHOICE_END(IPAddressOrRange) 87 88 ASN1_CHOICE(IPAddressChoice) = { 89 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), 90 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) 91 } ASN1_CHOICE_END(IPAddressChoice) 92 93 ASN1_SEQUENCE(IPAddressFamily) = { 94 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), 95 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) 96 } ASN1_SEQUENCE_END(IPAddressFamily) 97 98 ASN1_ITEM_TEMPLATE(IPAddrBlocks) = 99 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, 100 IPAddrBlocks, IPAddressFamily) 101 ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) 102 103 IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) 104 IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) 105 IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice) 106 IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) 107 108 /* 109 * How much buffer space do we need for a raw address? 110 */ 111 #define ADDR_RAW_BUF_LEN 16 112 113 /* 114 * What's the address length associated with this AFI? 115 */ 116 static int length_from_afi(const unsigned afi) 117 { 118 switch (afi) { 119 case IANA_AFI_IPV4: 120 return 4; 121 case IANA_AFI_IPV6: 122 return 16; 123 default: 124 return 0; 125 } 126 } 127 128 /* 129 * Extract the AFI from an IPAddressFamily. 130 */ 131 unsigned int v3_addr_get_afi(const IPAddressFamily *f) 132 { 133 return ((f != NULL && 134 f->addressFamily != NULL && 135 f->addressFamily->data != NULL) 136 ? ((f->addressFamily->data[0] << 8) | 137 (f->addressFamily->data[1])) 138 : 0); 139 } 140 141 /* 142 * Expand the bitstring form of an address into a raw byte array. 143 * At the moment this is coded for simplicity, not speed. 144 */ 145 static int addr_expand(unsigned char *addr, 146 const ASN1_BIT_STRING *bs, 147 const int length, 148 const unsigned char fill) 149 { 150 if (bs->length < 0 || bs->length > length) 151 return 0; 152 if (bs->length > 0) { 153 memcpy(addr, bs->data, bs->length); 154 if ((bs->flags & 7) != 0) { 155 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 156 if (fill == 0) 157 addr[bs->length - 1] &= ~mask; 158 else 159 addr[bs->length - 1] |= mask; 160 } 161 } 162 memset(addr + bs->length, fill, length - bs->length); 163 return 1; 164 } 165 166 /* 167 * Extract the prefix length from a bitstring. 168 */ 169 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 170 171 /* 172 * i2r handler for one address bitstring. 173 */ 174 static int i2r_address(BIO *out, 175 const unsigned afi, 176 const unsigned char fill, 177 const ASN1_BIT_STRING *bs) 178 { 179 unsigned char addr[ADDR_RAW_BUF_LEN]; 180 int i, n; 181 182 if (bs->length < 0) 183 return 0; 184 switch (afi) { 185 case IANA_AFI_IPV4: 186 if (!addr_expand(addr, bs, 4, fill)) 187 return 0; 188 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 189 break; 190 case IANA_AFI_IPV6: 191 if (!addr_expand(addr, bs, 16, fill)) 192 return 0; 193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) 194 ; 195 for (i = 0; i < n; i += 2) 196 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); 197 if (i < 16) 198 BIO_puts(out, ":"); 199 if (i == 0) 200 BIO_puts(out, ":"); 201 break; 202 default: 203 for (i = 0; i < bs->length; i++) 204 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); 205 BIO_printf(out, "[%d]", (int) (bs->flags & 7)); 206 break; 207 } 208 return 1; 209 } 210 211 /* 212 * i2r handler for a sequence of addresses and ranges. 213 */ 214 static int i2r_IPAddressOrRanges(BIO *out, 215 const int indent, 216 const IPAddressOrRanges *aors, 217 const unsigned afi) 218 { 219 int i; 220 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 221 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 222 BIO_printf(out, "%*s", indent, ""); 223 switch (aor->type) { 224 case IPAddressOrRange_addressPrefix: 225 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 226 return 0; 227 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); 228 continue; 229 case IPAddressOrRange_addressRange: 230 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) 231 return 0; 232 BIO_puts(out, "-"); 233 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) 234 return 0; 235 BIO_puts(out, "\n"); 236 continue; 237 } 238 } 239 return 1; 240 } 241 242 /* 243 * i2r handler for an IPAddrBlocks extension. 244 */ 245 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, 246 void *ext, 247 BIO *out, 248 int indent) 249 { 250 const IPAddrBlocks *addr = ext; 251 int i; 252 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 253 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 254 const unsigned int afi = v3_addr_get_afi(f); 255 switch (afi) { 256 case IANA_AFI_IPV4: 257 BIO_printf(out, "%*sIPv4", indent, ""); 258 break; 259 case IANA_AFI_IPV6: 260 BIO_printf(out, "%*sIPv6", indent, ""); 261 break; 262 default: 263 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 264 break; 265 } 266 if (f->addressFamily->length > 2) { 267 switch (f->addressFamily->data[2]) { 268 case 1: 269 BIO_puts(out, " (Unicast)"); 270 break; 271 case 2: 272 BIO_puts(out, " (Multicast)"); 273 break; 274 case 3: 275 BIO_puts(out, " (Unicast/Multicast)"); 276 break; 277 case 4: 278 BIO_puts(out, " (MPLS)"); 279 break; 280 case 64: 281 BIO_puts(out, " (Tunnel)"); 282 break; 283 case 65: 284 BIO_puts(out, " (VPLS)"); 285 break; 286 case 66: 287 BIO_puts(out, " (BGP MDT)"); 288 break; 289 case 128: 290 BIO_puts(out, " (MPLS-labeled VPN)"); 291 break; 292 default: 293 BIO_printf(out, " (Unknown SAFI %u)", 294 (unsigned) f->addressFamily->data[2]); 295 break; 296 } 297 } 298 switch (f->ipAddressChoice->type) { 299 case IPAddressChoice_inherit: 300 BIO_puts(out, ": inherit\n"); 301 break; 302 case IPAddressChoice_addressesOrRanges: 303 BIO_puts(out, ":\n"); 304 if (!i2r_IPAddressOrRanges(out, 305 indent + 2, 306 f->ipAddressChoice->u.addressesOrRanges, 307 afi)) 308 return 0; 309 break; 310 } 311 } 312 return 1; 313 } 314 315 /* 316 * Sort comparison function for a sequence of IPAddressOrRange 317 * elements. 318 * 319 * There's no sane answer we can give if addr_expand() fails, and an 320 * assertion failure on externally supplied data is seriously uncool, 321 * so we just arbitrarily declare that if given invalid inputs this 322 * function returns -1. If this messes up your preferred sort order 323 * for garbage input, tough noogies. 324 */ 325 static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 326 const IPAddressOrRange *b, 327 const int length) 328 { 329 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 330 int prefixlen_a = 0, prefixlen_b = 0; 331 int r; 332 333 switch (a->type) { 334 case IPAddressOrRange_addressPrefix: 335 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 336 return -1; 337 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 338 break; 339 case IPAddressOrRange_addressRange: 340 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 341 return -1; 342 prefixlen_a = length * 8; 343 break; 344 } 345 346 switch (b->type) { 347 case IPAddressOrRange_addressPrefix: 348 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 349 return -1; 350 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 351 break; 352 case IPAddressOrRange_addressRange: 353 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 354 return -1; 355 prefixlen_b = length * 8; 356 break; 357 } 358 359 if ((r = memcmp(addr_a, addr_b, length)) != 0) 360 return r; 361 else 362 return prefixlen_a - prefixlen_b; 363 } 364 365 /* 366 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 367 * comparision routines are only allowed two arguments. 368 */ 369 static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a, 370 const IPAddressOrRange * const *b) 371 { 372 return IPAddressOrRange_cmp(*a, *b, 4); 373 } 374 375 /* 376 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 377 * comparision routines are only allowed two arguments. 378 */ 379 static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a, 380 const IPAddressOrRange * const *b) 381 { 382 return IPAddressOrRange_cmp(*a, *b, 16); 383 } 384 385 /* 386 * Calculate whether a range collapses to a prefix. 387 * See last paragraph of RFC 3779 2.2.3.7. 388 */ 389 static int range_should_be_prefix(const unsigned char *min, 390 const unsigned char *max, 391 const int length) 392 { 393 unsigned char mask; 394 int i, j; 395 396 OPENSSL_assert(memcmp(min, max, length) <= 0); 397 for (i = 0; i < length && min[i] == max[i]; i++) 398 ; 399 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) 400 ; 401 if (i < j) 402 return -1; 403 if (i > j) 404 return i * 8; 405 mask = min[i] ^ max[i]; 406 switch (mask) { 407 case 0x01: j = 7; break; 408 case 0x03: j = 6; break; 409 case 0x07: j = 5; break; 410 case 0x0F: j = 4; break; 411 case 0x1F: j = 3; break; 412 case 0x3F: j = 2; break; 413 case 0x7F: j = 1; break; 414 default: return -1; 415 } 416 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 417 return -1; 418 else 419 return i * 8 + j; 420 } 421 422 /* 423 * Construct a prefix. 424 */ 425 static int make_addressPrefix(IPAddressOrRange **result, 426 unsigned char *addr, 427 const int prefixlen) 428 { 429 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 430 IPAddressOrRange *aor = IPAddressOrRange_new(); 431 432 if (aor == NULL) 433 return 0; 434 aor->type = IPAddressOrRange_addressPrefix; 435 if (aor->u.addressPrefix == NULL && 436 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 437 goto err; 438 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 439 goto err; 440 aor->u.addressPrefix->flags &= ~7; 441 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 442 if (bitlen > 0) { 443 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 444 aor->u.addressPrefix->flags |= 8 - bitlen; 445 } 446 447 *result = aor; 448 return 1; 449 450 err: 451 IPAddressOrRange_free(aor); 452 return 0; 453 } 454 455 /* 456 * Construct a range. If it can be expressed as a prefix, 457 * return a prefix instead. Doing this here simplifies 458 * the rest of the code considerably. 459 */ 460 static int make_addressRange(IPAddressOrRange **result, 461 unsigned char *min, 462 unsigned char *max, 463 const int length) 464 { 465 IPAddressOrRange *aor; 466 int i, prefixlen; 467 468 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 469 return make_addressPrefix(result, min, prefixlen); 470 471 if ((aor = IPAddressOrRange_new()) == NULL) 472 return 0; 473 aor->type = IPAddressOrRange_addressRange; 474 OPENSSL_assert(aor->u.addressRange == NULL); 475 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 476 goto err; 477 if (aor->u.addressRange->min == NULL && 478 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 479 goto err; 480 if (aor->u.addressRange->max == NULL && 481 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 482 goto err; 483 484 for (i = length; i > 0 && min[i - 1] == 0x00; --i) 485 ; 486 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 487 goto err; 488 aor->u.addressRange->min->flags &= ~7; 489 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 490 if (i > 0) { 491 unsigned char b = min[i - 1]; 492 int j = 1; 493 while ((b & (0xFFU >> j)) != 0) 494 ++j; 495 aor->u.addressRange->min->flags |= 8 - j; 496 } 497 498 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) 499 ; 500 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 501 goto err; 502 aor->u.addressRange->max->flags &= ~7; 503 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 504 if (i > 0) { 505 unsigned char b = max[i - 1]; 506 int j = 1; 507 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 508 ++j; 509 aor->u.addressRange->max->flags |= 8 - j; 510 } 511 512 *result = aor; 513 return 1; 514 515 err: 516 IPAddressOrRange_free(aor); 517 return 0; 518 } 519 520 /* 521 * Construct a new address family or find an existing one. 522 */ 523 static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 524 const unsigned afi, 525 const unsigned *safi) 526 { 527 IPAddressFamily *f; 528 unsigned char key[3]; 529 unsigned keylen; 530 int i; 531 532 key[0] = (afi >> 8) & 0xFF; 533 key[1] = afi & 0xFF; 534 if (safi != NULL) { 535 key[2] = *safi & 0xFF; 536 keylen = 3; 537 } else { 538 keylen = 2; 539 } 540 541 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 542 f = sk_IPAddressFamily_value(addr, i); 543 OPENSSL_assert(f->addressFamily->data != NULL); 544 if (f->addressFamily->length == keylen && 545 !memcmp(f->addressFamily->data, key, keylen)) 546 return f; 547 } 548 549 if ((f = IPAddressFamily_new()) == NULL) 550 goto err; 551 if (f->ipAddressChoice == NULL && 552 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 553 goto err; 554 if (f->addressFamily == NULL && 555 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 556 goto err; 557 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 558 goto err; 559 if (!sk_IPAddressFamily_push(addr, f)) 560 goto err; 561 562 return f; 563 564 err: 565 IPAddressFamily_free(f); 566 return NULL; 567 } 568 569 /* 570 * Add an inheritance element. 571 */ 572 int v3_addr_add_inherit(IPAddrBlocks *addr, 573 const unsigned afi, 574 const unsigned *safi) 575 { 576 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 577 if (f == NULL || 578 f->ipAddressChoice == NULL || 579 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 580 f->ipAddressChoice->u.addressesOrRanges != NULL)) 581 return 0; 582 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 583 f->ipAddressChoice->u.inherit != NULL) 584 return 1; 585 if (f->ipAddressChoice->u.inherit == NULL && 586 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 587 return 0; 588 f->ipAddressChoice->type = IPAddressChoice_inherit; 589 return 1; 590 } 591 592 /* 593 * Construct an IPAddressOrRange sequence, or return an existing one. 594 */ 595 static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, 596 const unsigned afi, 597 const unsigned *safi) 598 { 599 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 600 IPAddressOrRanges *aors = NULL; 601 602 if (f == NULL || 603 f->ipAddressChoice == NULL || 604 (f->ipAddressChoice->type == IPAddressChoice_inherit && 605 f->ipAddressChoice->u.inherit != NULL)) 606 return NULL; 607 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 608 aors = f->ipAddressChoice->u.addressesOrRanges; 609 if (aors != NULL) 610 return aors; 611 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 612 return NULL; 613 switch (afi) { 614 case IANA_AFI_IPV4: 615 (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 616 break; 617 case IANA_AFI_IPV6: 618 (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 619 break; 620 } 621 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 622 f->ipAddressChoice->u.addressesOrRanges = aors; 623 return aors; 624 } 625 626 /* 627 * Add a prefix. 628 */ 629 int v3_addr_add_prefix(IPAddrBlocks *addr, 630 const unsigned afi, 631 const unsigned *safi, 632 unsigned char *a, 633 const int prefixlen) 634 { 635 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 636 IPAddressOrRange *aor; 637 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 638 return 0; 639 if (sk_IPAddressOrRange_push(aors, aor)) 640 return 1; 641 IPAddressOrRange_free(aor); 642 return 0; 643 } 644 645 /* 646 * Add a range. 647 */ 648 int v3_addr_add_range(IPAddrBlocks *addr, 649 const unsigned afi, 650 const unsigned *safi, 651 unsigned char *min, 652 unsigned char *max) 653 { 654 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 655 IPAddressOrRange *aor; 656 int length = length_from_afi(afi); 657 if (aors == NULL) 658 return 0; 659 if (!make_addressRange(&aor, min, max, length)) 660 return 0; 661 if (sk_IPAddressOrRange_push(aors, aor)) 662 return 1; 663 IPAddressOrRange_free(aor); 664 return 0; 665 } 666 667 /* 668 * Extract min and max values from an IPAddressOrRange. 669 */ 670 static int extract_min_max(IPAddressOrRange *aor, 671 unsigned char *min, 672 unsigned char *max, 673 int length) 674 { 675 if (aor == NULL || min == NULL || max == NULL) 676 return 0; 677 switch (aor->type) { 678 case IPAddressOrRange_addressPrefix: 679 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 680 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 681 case IPAddressOrRange_addressRange: 682 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && 683 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 684 } 685 return 0; 686 } 687 688 /* 689 * Public wrapper for extract_min_max(). 690 */ 691 int v3_addr_get_range(IPAddressOrRange *aor, 692 const unsigned afi, 693 unsigned char *min, 694 unsigned char *max, 695 const int length) 696 { 697 int afi_length = length_from_afi(afi); 698 if (aor == NULL || min == NULL || max == NULL || 699 afi_length == 0 || length < afi_length || 700 (aor->type != IPAddressOrRange_addressPrefix && 701 aor->type != IPAddressOrRange_addressRange) || 702 !extract_min_max(aor, min, max, afi_length)) 703 return 0; 704 705 return afi_length; 706 } 707 708 /* 709 * Sort comparision function for a sequence of IPAddressFamily. 710 * 711 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 712 * the ordering: I can read it as meaning that IPv6 without a SAFI 713 * comes before IPv4 with a SAFI, which seems pretty weird. The 714 * examples in appendix B suggest that the author intended the 715 * null-SAFI rule to apply only within a single AFI, which is what I 716 * would have expected and is what the following code implements. 717 */ 718 static int IPAddressFamily_cmp(const IPAddressFamily * const *a_, 719 const IPAddressFamily * const *b_) 720 { 721 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 722 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 723 int len = ((a->length <= b->length) ? a->length : b->length); 724 int cmp = memcmp(a->data, b->data, len); 725 return cmp ? cmp : a->length - b->length; 726 } 727 728 /* 729 * Check whether an IPAddrBLocks is in canonical form. 730 */ 731 int v3_addr_is_canonical(IPAddrBlocks *addr) 732 { 733 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 734 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 735 IPAddressOrRanges *aors; 736 int i, j, k; 737 738 /* 739 * Empty extension is cannonical. 740 */ 741 if (addr == NULL) 742 return 1; 743 744 /* 745 * Check whether the top-level list is in order. 746 */ 747 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 748 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 749 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 750 if (IPAddressFamily_cmp(&a, &b) >= 0) 751 return 0; 752 } 753 754 /* 755 * Top level's ok, now check each address family. 756 */ 757 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 758 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 759 int length = length_from_afi(v3_addr_get_afi(f)); 760 761 /* 762 * Inheritance is canonical. Anything other than inheritance or 763 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. 764 */ 765 if (f == NULL || f->ipAddressChoice == NULL) 766 return 0; 767 switch (f->ipAddressChoice->type) { 768 case IPAddressChoice_inherit: 769 continue; 770 case IPAddressChoice_addressesOrRanges: 771 break; 772 default: 773 return 0; 774 } 775 776 /* 777 * It's an IPAddressOrRanges sequence, check it. 778 */ 779 aors = f->ipAddressChoice->u.addressesOrRanges; 780 if (sk_IPAddressOrRange_num(aors) == 0) 781 return 0; 782 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 783 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 784 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 785 786 if (!extract_min_max(a, a_min, a_max, length) || 787 !extract_min_max(b, b_min, b_max, length)) 788 return 0; 789 790 /* 791 * Punt misordered list, overlapping start, or inverted range. 792 */ 793 if (memcmp(a_min, b_min, length) >= 0 || 794 memcmp(a_min, a_max, length) > 0 || 795 memcmp(b_min, b_max, length) > 0) 796 return 0; 797 798 /* 799 * Punt if adjacent or overlapping. Check for adjacency by 800 * subtracting one from b_min first. 801 */ 802 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) 803 ; 804 if (memcmp(a_max, b_min, length) >= 0) 805 return 0; 806 807 /* 808 * Check for range that should be expressed as a prefix. 809 */ 810 if (a->type == IPAddressOrRange_addressRange && 811 range_should_be_prefix(a_min, a_max, length) >= 0) 812 return 0; 813 } 814 815 /* 816 * Check range to see if it's inverted or should be a 817 * prefix. 818 */ 819 j = sk_IPAddressOrRange_num(aors) - 1; 820 { 821 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 822 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 823 if (!extract_min_max(a, a_min, a_max, length)) 824 return 0; 825 if (memcmp(a_min, a_max, length) > 0 || 826 range_should_be_prefix(a_min, a_max, length) >= 0) 827 return 0; 828 } 829 } 830 } 831 832 /* 833 * If we made it through all that, we're happy. 834 */ 835 return 1; 836 } 837 838 /* 839 * Whack an IPAddressOrRanges into canonical form. 840 */ 841 static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, 842 const unsigned afi) 843 { 844 int i, j, length = length_from_afi(afi); 845 846 /* 847 * Sort the IPAddressOrRanges sequence. 848 */ 849 sk_IPAddressOrRange_sort(aors); 850 851 /* 852 * Clean up representation issues, punt on duplicates or overlaps. 853 */ 854 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 855 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 856 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 857 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 858 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 859 860 if (!extract_min_max(a, a_min, a_max, length) || 861 !extract_min_max(b, b_min, b_max, length)) 862 return 0; 863 864 /* 865 * Punt inverted ranges. 866 */ 867 if (memcmp(a_min, a_max, length) > 0 || 868 memcmp(b_min, b_max, length) > 0) 869 return 0; 870 871 /* 872 * Punt overlaps. 873 */ 874 if (memcmp(a_max, b_min, length) >= 0) 875 return 0; 876 877 /* 878 * Merge if a and b are adjacent. We check for 879 * adjacency by subtracting one from b_min first. 880 */ 881 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) 882 ; 883 if (memcmp(a_max, b_min, length) == 0) { 884 IPAddressOrRange *merged; 885 if (!make_addressRange(&merged, a_min, b_max, length)) 886 return 0; 887 (void) sk_IPAddressOrRange_set(aors, i, merged); 888 (void) sk_IPAddressOrRange_delete(aors, i + 1); 889 IPAddressOrRange_free(a); 890 IPAddressOrRange_free(b); 891 --i; 892 continue; 893 } 894 } 895 896 /* 897 * Check for inverted final range. 898 */ 899 j = sk_IPAddressOrRange_num(aors) - 1; 900 { 901 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 902 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 903 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 904 extract_min_max(a, a_min, a_max, length); 905 if (memcmp(a_min, a_max, length) > 0) 906 return 0; 907 } 908 } 909 910 return 1; 911 } 912 913 /* 914 * Whack an IPAddrBlocks extension into canonical form. 915 */ 916 int v3_addr_canonize(IPAddrBlocks *addr) 917 { 918 int i; 919 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 920 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 921 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 922 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, 923 v3_addr_get_afi(f))) 924 return 0; 925 } 926 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 927 sk_IPAddressFamily_sort(addr); 928 OPENSSL_assert(v3_addr_is_canonical(addr)); 929 return 1; 930 } 931 932 /* 933 * v2i handler for the IPAddrBlocks extension. 934 */ 935 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, 936 struct v3_ext_ctx *ctx, 937 STACK_OF(CONF_VALUE) *values) 938 { 939 static const char v4addr_chars[] = "0123456789."; 940 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 941 IPAddrBlocks *addr = NULL; 942 char *s = NULL, *t; 943 int i; 944 945 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 946 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 947 return NULL; 948 } 949 950 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 951 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 952 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 953 unsigned afi, *safi = NULL, safi_; 954 const char *addr_chars; 955 int prefixlen, i1, i2, delim, length; 956 957 if ( !name_cmp(val->name, "IPv4")) { 958 afi = IANA_AFI_IPV4; 959 } else if (!name_cmp(val->name, "IPv6")) { 960 afi = IANA_AFI_IPV6; 961 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 962 afi = IANA_AFI_IPV4; 963 safi = &safi_; 964 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 965 afi = IANA_AFI_IPV6; 966 safi = &safi_; 967 } else { 968 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR); 969 X509V3_conf_err(val); 970 goto err; 971 } 972 973 switch (afi) { 974 case IANA_AFI_IPV4: 975 addr_chars = v4addr_chars; 976 break; 977 case IANA_AFI_IPV6: 978 addr_chars = v6addr_chars; 979 break; 980 } 981 982 length = length_from_afi(afi); 983 984 /* 985 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate 986 * the other input values. 987 */ 988 if (safi != NULL) { 989 *safi = strtoul(val->value, &t, 0); 990 t += strspn(t, " \t"); 991 if (*safi > 0xFF || *t++ != ':') { 992 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); 993 X509V3_conf_err(val); 994 goto err; 995 } 996 t += strspn(t, " \t"); 997 s = BUF_strdup(t); 998 } else { 999 s = BUF_strdup(val->value); 1000 } 1001 if (s == NULL) { 1002 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1003 goto err; 1004 } 1005 1006 /* 1007 * Check for inheritance. Not worth additional complexity to 1008 * optimize this (seldom-used) case. 1009 */ 1010 if (!strcmp(s, "inherit")) { 1011 if (!v3_addr_add_inherit(addr, afi, safi)) { 1012 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE); 1013 X509V3_conf_err(val); 1014 goto err; 1015 } 1016 OPENSSL_free(s); 1017 s = NULL; 1018 continue; 1019 } 1020 1021 i1 = strspn(s, addr_chars); 1022 i2 = i1 + strspn(s + i1, " \t"); 1023 delim = s[i2++]; 1024 s[i1] = '\0'; 1025 1026 if (a2i_ipadd(min, s) != length) { 1027 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); 1028 X509V3_conf_err(val); 1029 goto err; 1030 } 1031 1032 switch (delim) { 1033 case '/': 1034 prefixlen = (int) strtoul(s + i2, &t, 10); 1035 if (t == s + i2 || *t != '\0') { 1036 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1037 X509V3_conf_err(val); 1038 goto err; 1039 } 1040 if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { 1041 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1042 goto err; 1043 } 1044 break; 1045 case '-': 1046 i1 = i2 + strspn(s + i2, " \t"); 1047 i2 = i1 + strspn(s + i1, addr_chars); 1048 if (i1 == i2 || s[i2] != '\0') { 1049 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1050 X509V3_conf_err(val); 1051 goto err; 1052 } 1053 if (a2i_ipadd(max, s + i1) != length) { 1054 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); 1055 X509V3_conf_err(val); 1056 goto err; 1057 } 1058 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1059 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1060 X509V3_conf_err(val); 1061 goto err; 1062 } 1063 if (!v3_addr_add_range(addr, afi, safi, min, max)) { 1064 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1065 goto err; 1066 } 1067 break; 1068 case '\0': 1069 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { 1070 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1071 goto err; 1072 } 1073 break; 1074 default: 1075 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); 1076 X509V3_conf_err(val); 1077 goto err; 1078 } 1079 1080 OPENSSL_free(s); 1081 s = NULL; 1082 } 1083 1084 /* 1085 * Canonize the result, then we're done. 1086 */ 1087 if (!v3_addr_canonize(addr)) 1088 goto err; 1089 return addr; 1090 1091 err: 1092 OPENSSL_free(s); 1093 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1094 return NULL; 1095 } 1096 1097 /* 1098 * OpenSSL dispatch 1099 */ 1100 const X509V3_EXT_METHOD v3_addr = { 1101 NID_sbgp_ipAddrBlock, /* nid */ 1102 0, /* flags */ 1103 ASN1_ITEM_ref(IPAddrBlocks), /* template */ 1104 0, 0, 0, 0, /* old functions, ignored */ 1105 0, /* i2s */ 1106 0, /* s2i */ 1107 0, /* i2v */ 1108 v2i_IPAddrBlocks, /* v2i */ 1109 i2r_IPAddrBlocks, /* i2r */ 1110 0, /* r2i */ 1111 NULL /* extension-specific data */ 1112 }; 1113 1114 /* 1115 * Figure out whether extension sues inheritance. 1116 */ 1117 int v3_addr_inherits(IPAddrBlocks *addr) 1118 { 1119 int i; 1120 if (addr == NULL) 1121 return 0; 1122 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1123 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1124 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1125 return 1; 1126 } 1127 return 0; 1128 } 1129 1130 /* 1131 * Figure out whether parent contains child. 1132 */ 1133 static int addr_contains(IPAddressOrRanges *parent, 1134 IPAddressOrRanges *child, 1135 int length) 1136 { 1137 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1138 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1139 int p, c; 1140 1141 if (child == NULL || parent == child) 1142 return 1; 1143 if (parent == NULL) 1144 return 0; 1145 1146 p = 0; 1147 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1148 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1149 c_min, c_max, length)) 1150 return -1; 1151 for (;; p++) { 1152 if (p >= sk_IPAddressOrRange_num(parent)) 1153 return 0; 1154 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), 1155 p_min, p_max, length)) 1156 return 0; 1157 if (memcmp(p_max, c_max, length) < 0) 1158 continue; 1159 if (memcmp(p_min, c_min, length) > 0) 1160 return 0; 1161 break; 1162 } 1163 } 1164 1165 return 1; 1166 } 1167 1168 /* 1169 * Test whether a is a subset of b. 1170 */ 1171 int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1172 { 1173 int i; 1174 if (a == NULL || a == b) 1175 return 1; 1176 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) 1177 return 0; 1178 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1179 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1180 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1181 int j = sk_IPAddressFamily_find(b, fa); 1182 IPAddressFamily *fb; 1183 fb = sk_IPAddressFamily_value(b, j); 1184 if (fb == NULL) 1185 return 0; 1186 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1187 fa->ipAddressChoice->u.addressesOrRanges, 1188 length_from_afi(v3_addr_get_afi(fb)))) 1189 return 0; 1190 } 1191 return 1; 1192 } 1193 1194 /* 1195 * Validation error handling via callback. 1196 */ 1197 #define validation_err(_err_) \ 1198 do { \ 1199 if (ctx != NULL) { \ 1200 ctx->error = _err_; \ 1201 ctx->error_depth = i; \ 1202 ctx->current_cert = x; \ 1203 ret = ctx->verify_cb(0, ctx); \ 1204 } else { \ 1205 ret = 0; \ 1206 } \ 1207 if (!ret) \ 1208 goto done; \ 1209 } while (0) 1210 1211 /* 1212 * Core code for RFC 3779 2.3 path validation. 1213 */ 1214 static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, 1215 STACK_OF(X509) *chain, 1216 IPAddrBlocks *ext) 1217 { 1218 IPAddrBlocks *child = NULL; 1219 int i, j, ret = 1; 1220 X509 *x; 1221 1222 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1223 OPENSSL_assert(ctx != NULL || ext != NULL); 1224 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1225 1226 /* 1227 * Figure out where to start. If we don't have an extension to 1228 * check, we're done. Otherwise, check canonical form and 1229 * set up for walking up the chain. 1230 */ 1231 if (ext != NULL) { 1232 i = -1; 1233 x = NULL; 1234 } else { 1235 i = 0; 1236 x = sk_X509_value(chain, i); 1237 OPENSSL_assert(x != NULL); 1238 if ((ext = x->rfc3779_addr) == NULL) 1239 goto done; 1240 } 1241 if (!v3_addr_is_canonical(ext)) 1242 validation_err(X509_V_ERR_INVALID_EXTENSION); 1243 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1244 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1245 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); 1246 ret = 0; 1247 goto done; 1248 } 1249 1250 /* 1251 * Now walk up the chain. No cert may list resources that its 1252 * parent doesn't list. 1253 */ 1254 for (i++; i < sk_X509_num(chain); i++) { 1255 x = sk_X509_value(chain, i); 1256 OPENSSL_assert(x != NULL); 1257 if (!v3_addr_is_canonical(x->rfc3779_addr)) 1258 validation_err(X509_V_ERR_INVALID_EXTENSION); 1259 if (x->rfc3779_addr == NULL) { 1260 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1261 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1262 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { 1263 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1264 break; 1265 } 1266 } 1267 continue; 1268 } 1269 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); 1270 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1271 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1272 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1273 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); 1274 if (fp == NULL) { 1275 if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { 1276 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1277 break; 1278 } 1279 continue; 1280 } 1281 if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { 1282 if (fc->ipAddressChoice->type == IPAddressChoice_inherit || 1283 addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1284 fc->ipAddressChoice->u.addressesOrRanges, 1285 length_from_afi(v3_addr_get_afi(fc)))) 1286 sk_IPAddressFamily_set(child, j, fp); 1287 else 1288 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1289 } 1290 } 1291 } 1292 1293 /* 1294 * Trust anchor can't inherit. 1295 */ 1296 OPENSSL_assert(x != NULL); 1297 if (x->rfc3779_addr != NULL) { 1298 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1299 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); 1300 if (fp->ipAddressChoice->type == IPAddressChoice_inherit && 1301 sk_IPAddressFamily_find(child, fp) >= 0) 1302 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1303 } 1304 } 1305 1306 done: 1307 sk_IPAddressFamily_free(child); 1308 return ret; 1309 } 1310 1311 #undef validation_err 1312 1313 /* 1314 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1315 */ 1316 int v3_addr_validate_path(X509_STORE_CTX *ctx) 1317 { 1318 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); 1319 } 1320 1321 /* 1322 * RFC 3779 2.3 path validation of an extension. 1323 * Test whether chain covers extension. 1324 */ 1325 int v3_addr_validate_resource_set(STACK_OF(X509) *chain, 1326 IPAddrBlocks *ext, 1327 int allow_inheritance) 1328 { 1329 if (ext == NULL) 1330 return 1; 1331 if (chain == NULL || sk_X509_num(chain) == 0) 1332 return 0; 1333 if (!allow_inheritance && v3_addr_inherits(ext)) 1334 return 0; 1335 return v3_addr_validate_path_internal(NULL, chain, ext); 1336 } 1337 1338 #endif /* OPENSSL_NO_RFC3779 */ 1339
