1 /*
2 * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * Implementation of RFC 3779 section 2.2.
12 */
13
14 #include <stdio.h>
15 #include <stdlib.h>
16 #include <assert.h>
17 #include <string.h>
18
19 #include <openssl/conf.h>
20 #include <openssl/asn1.h>
21 #include <openssl/asn1t.h>
22 #include <openssl/buffer.h>
23 #include <openssl/x509v3.h>
24 #include "internal/cryptlib.h"
25 #include "crypto/asn1.h"
26 #include "crypto/x509.h"
27 #include "ext_dat.h"
28 #include "x509_local.h"
29
30 #ifndef OPENSSL_NO_RFC3779
31
32 /*
33 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
34 */
35
36 ASN1_SEQUENCE(IPAddressRange) = {
37 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
38 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
39 } ASN1_SEQUENCE_END(IPAddressRange)
40
41 ASN1_CHOICE(IPAddressOrRange) = {
42 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
43 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
44 } ASN1_CHOICE_END(IPAddressOrRange)
45
46 ASN1_CHOICE(IPAddressChoice) = {
47 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
48 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
49 } ASN1_CHOICE_END(IPAddressChoice)
50
51 ASN1_SEQUENCE(IPAddressFamily) = {
52 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
53 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
54 } ASN1_SEQUENCE_END(IPAddressFamily)
55
56 ASN1_ITEM_TEMPLATE(IPAddrBlocks) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
57 IPAddrBlocks, IPAddressFamily)
58 static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
59
60 IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
61 IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
62 IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
63 IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
64
65 /*
66 * How much buffer space do we need for a raw address?
67 */
68 #define ADDR_RAW_BUF_LEN 16
69
70 /*
71 * What's the address length associated with this AFI?
72 */
73 static int length_from_afi(const unsigned afi)
74 {
75 switch (afi) {
76 case IANA_AFI_IPV4:
77 return 4;
78 case IANA_AFI_IPV6:
79 return 16;
80 default:
81 return 0;
82 }
83 }
84
85 /*
86 * Extract the AFI from an IPAddressFamily.
87 */
X509v3_addr_get_afi(const IPAddressFamily * f)88 unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
89 {
90 if (f == NULL
91 || f->addressFamily == NULL
92 || f->addressFamily->data == NULL
93 || f->addressFamily->length < 2)
94 return 0;
95 return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
96 }
97
98 /*
99 * Expand the bitstring form of an address into a raw byte array.
100 * At the moment this is coded for simplicity, not speed.
101 */
addr_expand(unsigned char * addr,const ASN1_BIT_STRING * bs,const int length,const unsigned char fill)102 static int addr_expand(unsigned char *addr,
103 const ASN1_BIT_STRING *bs,
104 const int length, const unsigned char fill)
105 {
106 if (bs->length < 0 || bs->length > length)
107 return 0;
108 if (bs->length > 0) {
109 memcpy(addr, bs->data, bs->length);
110 if ((bs->flags & 7) != 0) {
111 unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
112
113 if (fill == 0)
114 addr[bs->length - 1] &= ~mask;
115 else
116 addr[bs->length - 1] |= mask;
117 }
118 }
119 memset(addr + bs->length, fill, length - bs->length);
120 return 1;
121 }
122
123 /*
124 * Extract the prefix length from a bitstring.
125 */
126 #define addr_prefixlen(bs) ((int)((bs)->length * 8 - ((bs)->flags & 7)))
127
128 /*
129 * i2r handler for one address bitstring.
130 */
i2r_address(BIO * out,const unsigned afi,const unsigned char fill,const ASN1_BIT_STRING * bs)131 static int i2r_address(BIO *out,
132 const unsigned afi,
133 const unsigned char fill, const ASN1_BIT_STRING *bs)
134 {
135 unsigned char addr[ADDR_RAW_BUF_LEN];
136 int i, n;
137
138 if (bs->length < 0)
139 return 0;
140 switch (afi) {
141 case IANA_AFI_IPV4:
142 if (!addr_expand(addr, bs, 4, fill))
143 return 0;
144 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
145 break;
146 case IANA_AFI_IPV6:
147 if (!addr_expand(addr, bs, 16, fill))
148 return 0;
149 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00;
150 n -= 2)
151 ;
152 for (i = 0; i < n; i += 2)
153 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
154 (i < 14 ? ":" : ""));
155 if (i < 16)
156 BIO_puts(out, ":");
157 if (i == 0)
158 BIO_puts(out, ":");
159 break;
160 default:
161 for (i = 0; i < bs->length; i++)
162 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
163 BIO_printf(out, "[%d]", (int)(bs->flags & 7));
164 break;
165 }
166 return 1;
167 }
168
169 /*
170 * i2r handler for a sequence of addresses and ranges.
171 */
i2r_IPAddressOrRanges(BIO * out,const int indent,const IPAddressOrRanges * aors,const unsigned afi)172 static int i2r_IPAddressOrRanges(BIO *out,
173 const int indent,
174 const IPAddressOrRanges *aors,
175 const unsigned afi)
176 {
177 int i;
178
179 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
180 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
181
182 BIO_printf(out, "%*s", indent, "");
183 switch (aor->type) {
184 case IPAddressOrRange_addressPrefix:
185 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
186 return 0;
187 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
188 continue;
189 case IPAddressOrRange_addressRange:
190 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
191 return 0;
192 BIO_puts(out, "-");
193 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
194 return 0;
195 BIO_puts(out, "\n");
196 continue;
197 }
198 }
199 return 1;
200 }
201
202 /*
203 * i2r handler for an IPAddrBlocks extension.
204 */
i2r_IPAddrBlocks(const X509V3_EXT_METHOD * method,void * ext,BIO * out,int indent)205 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
206 void *ext, BIO *out, int indent)
207 {
208 const IPAddrBlocks *addr = ext;
209 int i;
210
211 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
212 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
213 const unsigned int afi = X509v3_addr_get_afi(f);
214
215 switch (afi) {
216 case IANA_AFI_IPV4:
217 BIO_printf(out, "%*sIPv4", indent, "");
218 break;
219 case IANA_AFI_IPV6:
220 BIO_printf(out, "%*sIPv6", indent, "");
221 break;
222 default:
223 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
224 break;
225 }
226 if (f->addressFamily->length > 2) {
227 switch (f->addressFamily->data[2]) {
228 case 1:
229 BIO_puts(out, " (Unicast)");
230 break;
231 case 2:
232 BIO_puts(out, " (Multicast)");
233 break;
234 case 3:
235 BIO_puts(out, " (Unicast/Multicast)");
236 break;
237 case 4:
238 BIO_puts(out, " (MPLS)");
239 break;
240 case 64:
241 BIO_puts(out, " (Tunnel)");
242 break;
243 case 65:
244 BIO_puts(out, " (VPLS)");
245 break;
246 case 66:
247 BIO_puts(out, " (BGP MDT)");
248 break;
249 case 128:
250 BIO_puts(out, " (MPLS-labeled VPN)");
251 break;
252 default:
253 BIO_printf(out, " (Unknown SAFI %u)",
254 (unsigned)f->addressFamily->data[2]);
255 break;
256 }
257 }
258 switch (f->ipAddressChoice->type) {
259 case IPAddressChoice_inherit:
260 BIO_puts(out, ": inherit\n");
261 break;
262 case IPAddressChoice_addressesOrRanges:
263 BIO_puts(out, ":\n");
264 if (!i2r_IPAddressOrRanges(out,
265 indent + 2,
266 f->ipAddressChoice->u.addressesOrRanges, afi))
267 return 0;
268 break;
269 }
270 }
271 return 1;
272 }
273
274 /*
275 * Sort comparison function for a sequence of IPAddressOrRange
276 * elements.
277 *
278 * There's no sane answer we can give if addr_expand() fails, and an
279 * assertion failure on externally supplied data is seriously uncool,
280 * so we just arbitrarily declare that if given invalid inputs this
281 * function returns -1. If this messes up your preferred sort order
282 * for garbage input, tough noogies.
283 */
IPAddressOrRange_cmp(const IPAddressOrRange * a,const IPAddressOrRange * b,const int length)284 static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
285 const IPAddressOrRange *b, const int length)
286 {
287 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
288 int prefixlen_a = 0, prefixlen_b = 0;
289 int r;
290
291 switch (a->type) {
292 case IPAddressOrRange_addressPrefix:
293 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
294 return -1;
295 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
296 break;
297 case IPAddressOrRange_addressRange:
298 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
299 return -1;
300 prefixlen_a = length * 8;
301 break;
302 default:
303 return -1;
304 }
305
306 switch (b->type) {
307 case IPAddressOrRange_addressPrefix:
308 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
309 return -1;
310 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
311 break;
312 case IPAddressOrRange_addressRange:
313 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
314 return -1;
315 prefixlen_b = length * 8;
316 break;
317 default:
318 return -1;
319 }
320
321 if ((r = memcmp(addr_a, addr_b, length)) != 0)
322 return r;
323 else
324 return prefixlen_a - prefixlen_b;
325 }
326
327 /*
328 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
329 * comparison routines are only allowed two arguments.
330 */
v4IPAddressOrRange_cmp(const IPAddressOrRange * const * a,const IPAddressOrRange * const * b)331 static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
332 const IPAddressOrRange *const *b)
333 {
334 return IPAddressOrRange_cmp(*a, *b, 4);
335 }
336
337 /*
338 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
339 * comparison routines are only allowed two arguments.
340 */
v6IPAddressOrRange_cmp(const IPAddressOrRange * const * a,const IPAddressOrRange * const * b)341 static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
342 const IPAddressOrRange *const *b)
343 {
344 return IPAddressOrRange_cmp(*a, *b, 16);
345 }
346
347 /*
348 * Calculate whether a range collapses to a prefix.
349 * See last paragraph of RFC 3779 2.2.3.7.
350 */
range_should_be_prefix(const unsigned char * min,const unsigned char * max,const int length)351 static int range_should_be_prefix(const unsigned char *min,
352 const unsigned char *max, const int length)
353 {
354 unsigned char mask;
355 int i, j;
356
357 /*
358 * It is the responsibility of the caller to confirm min <= max. We don't
359 * use ossl_assert() here since we have no way of signalling an error from
360 * this function - so we just use a plain assert instead.
361 */
362 assert(memcmp(min, max, length) <= 0);
363
364 for (i = 0; i < length && min[i] == max[i]; i++)
365 ;
366 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
367 ;
368 if (i < j)
369 return -1;
370 if (i > j)
371 return i * 8;
372 mask = min[i] ^ max[i];
373 switch (mask) {
374 case 0x01:
375 j = 7;
376 break;
377 case 0x03:
378 j = 6;
379 break;
380 case 0x07:
381 j = 5;
382 break;
383 case 0x0F:
384 j = 4;
385 break;
386 case 0x1F:
387 j = 3;
388 break;
389 case 0x3F:
390 j = 2;
391 break;
392 case 0x7F:
393 j = 1;
394 break;
395 default:
396 return -1;
397 }
398 if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
399 return -1;
400 else
401 return i * 8 + j;
402 }
403
404 /*
405 * Construct a prefix.
406 */
make_addressPrefix(IPAddressOrRange ** result,unsigned char * addr,const int prefixlen,const int afilen)407 static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
408 const int prefixlen, const int afilen)
409 {
410 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
411 IPAddressOrRange *aor;
412
413 if (prefixlen < 0 || prefixlen > (afilen * 8))
414 return 0;
415 if ((aor = IPAddressOrRange_new()) == NULL)
416 return 0;
417 aor->type = IPAddressOrRange_addressPrefix;
418 if (aor->u.addressPrefix == NULL && (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
419 goto err;
420 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
421 goto err;
422 if (bitlen > 0)
423 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
424 ossl_asn1_string_set_bits_left(aor->u.addressPrefix, 8 - bitlen);
425
426 *result = aor;
427 return 1;
428
429 err:
430 IPAddressOrRange_free(aor);
431 return 0;
432 }
433
434 /*
435 * Construct a range. If it can be expressed as a prefix,
436 * return a prefix instead. Doing this here simplifies
437 * the rest of the code considerably.
438 */
make_addressRange(IPAddressOrRange ** result,unsigned char * min,unsigned char * max,const int length)439 static int make_addressRange(IPAddressOrRange **result,
440 unsigned char *min,
441 unsigned char *max, const int length)
442 {
443 IPAddressOrRange *aor;
444 int i, prefixlen;
445
446 if (memcmp(min, max, length) > 0)
447 return 0;
448
449 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
450 return make_addressPrefix(result, min, prefixlen, length);
451
452 if ((aor = IPAddressOrRange_new()) == NULL)
453 return 0;
454 aor->type = IPAddressOrRange_addressRange;
455 if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
456 goto err;
457 if (aor->u.addressRange->min == NULL && (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
458 goto err;
459 if (aor->u.addressRange->max == NULL && (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
460 goto err;
461
462 for (i = length; i > 0 && min[i - 1] == 0x00; --i)
463 ;
464 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
465 goto err;
466 ossl_asn1_string_set_bits_left(aor->u.addressRange->min, 0);
467 if (i > 0) {
468 unsigned char b = min[i - 1];
469 int j = 1;
470
471 while ((b & (0xFFU >> j)) != 0)
472 ++j;
473 aor->u.addressRange->min->flags |= 8 - j;
474 }
475
476 for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
477 ;
478 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
479 goto err;
480 ossl_asn1_string_set_bits_left(aor->u.addressRange->max, 0);
481 if (i > 0) {
482 unsigned char b = max[i - 1];
483 int j = 1;
484
485 while ((b & (0xFFU >> j)) != (0xFFU >> j))
486 ++j;
487 aor->u.addressRange->max->flags |= 8 - j;
488 }
489
490 *result = aor;
491 return 1;
492
493 err:
494 IPAddressOrRange_free(aor);
495 return 0;
496 }
497
498 /*
499 * Construct a new address family or find an existing one.
500 */
make_IPAddressFamily(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)501 static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
502 const unsigned afi,
503 const unsigned *safi)
504 {
505 IPAddressFamily *f;
506 unsigned char key[3];
507 int keylen;
508 int i;
509
510 key[0] = (afi >> 8) & 0xFF;
511 key[1] = afi & 0xFF;
512 if (safi != NULL) {
513 key[2] = *safi & 0xFF;
514 keylen = 3;
515 } else {
516 keylen = 2;
517 }
518
519 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
520 f = sk_IPAddressFamily_value(addr, i);
521 if (f->addressFamily->length == keylen && !memcmp(f->addressFamily->data, key, keylen))
522 return f;
523 }
524
525 if ((f = IPAddressFamily_new()) == NULL)
526 goto err;
527 if (f->ipAddressChoice == NULL && (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
528 goto err;
529 if (f->addressFamily == NULL && (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
530 goto err;
531 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
532 goto err;
533 if (!sk_IPAddressFamily_push(addr, f))
534 goto err;
535
536 return f;
537
538 err:
539 IPAddressFamily_free(f);
540 return NULL;
541 }
542
543 /*
544 * Add an inheritance element.
545 */
X509v3_addr_add_inherit(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)546 int X509v3_addr_add_inherit(IPAddrBlocks *addr,
547 const unsigned afi, const unsigned *safi)
548 {
549 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
550
551 if (f == NULL || f->ipAddressChoice == NULL || (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && f->ipAddressChoice->u.addressesOrRanges != NULL))
552 return 0;
553 if (f->ipAddressChoice->type == IPAddressChoice_inherit && f->ipAddressChoice->u.inherit != NULL)
554 return 1;
555 if (f->ipAddressChoice->u.inherit == NULL && (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
556 return 0;
557 f->ipAddressChoice->type = IPAddressChoice_inherit;
558 return 1;
559 }
560
561 /*
562 * Construct an IPAddressOrRange sequence, or return an existing one.
563 */
make_prefix_or_range(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)564 static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
565 const unsigned afi,
566 const unsigned *safi)
567 {
568 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
569 IPAddressOrRanges *aors = NULL;
570
571 if (f == NULL || f->ipAddressChoice == NULL || (f->ipAddressChoice->type == IPAddressChoice_inherit && f->ipAddressChoice->u.inherit != NULL))
572 return NULL;
573 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
574 aors = f->ipAddressChoice->u.addressesOrRanges;
575 if (aors != NULL)
576 return aors;
577 if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
578 return NULL;
579 switch (afi) {
580 case IANA_AFI_IPV4:
581 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
582 break;
583 case IANA_AFI_IPV6:
584 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
585 break;
586 }
587 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
588 f->ipAddressChoice->u.addressesOrRanges = aors;
589 return aors;
590 }
591
592 /*
593 * Add a prefix.
594 */
X509v3_addr_add_prefix(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi,unsigned char * a,const int prefixlen)595 int X509v3_addr_add_prefix(IPAddrBlocks *addr,
596 const unsigned afi,
597 const unsigned *safi,
598 unsigned char *a, const int prefixlen)
599 {
600 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
601 IPAddressOrRange *aor;
602
603 if (aors == NULL
604 || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi)))
605 return 0;
606 if (sk_IPAddressOrRange_push(aors, aor))
607 return 1;
608 IPAddressOrRange_free(aor);
609 return 0;
610 }
611
612 /*
613 * Add a range.
614 */
X509v3_addr_add_range(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi,unsigned char * min,unsigned char * max)615 int X509v3_addr_add_range(IPAddrBlocks *addr,
616 const unsigned afi,
617 const unsigned *safi,
618 unsigned char *min, unsigned char *max)
619 {
620 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
621 IPAddressOrRange *aor;
622 int length = length_from_afi(afi);
623
624 if (aors == NULL)
625 return 0;
626 if (!make_addressRange(&aor, min, max, length))
627 return 0;
628 if (sk_IPAddressOrRange_push(aors, aor))
629 return 1;
630 IPAddressOrRange_free(aor);
631 return 0;
632 }
633
634 /*
635 * Extract min and max values from an IPAddressOrRange.
636 */
extract_min_max(IPAddressOrRange * aor,unsigned char * min,unsigned char * max,int length)637 static int extract_min_max(IPAddressOrRange *aor,
638 unsigned char *min, unsigned char *max, int length)
639 {
640 if (aor == NULL || min == NULL || max == NULL)
641 return 0;
642 switch (aor->type) {
643 case IPAddressOrRange_addressPrefix:
644 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && addr_expand(max, aor->u.addressPrefix, length, 0xFF));
645 case IPAddressOrRange_addressRange:
646 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && addr_expand(max, aor->u.addressRange->max, length, 0xFF));
647 }
648 return 0;
649 }
650
651 /*
652 * Public wrapper for extract_min_max().
653 */
X509v3_addr_get_range(IPAddressOrRange * aor,const unsigned afi,unsigned char * min,unsigned char * max,const int length)654 int X509v3_addr_get_range(IPAddressOrRange *aor,
655 const unsigned afi,
656 unsigned char *min,
657 unsigned char *max, const int length)
658 {
659 int afi_length = length_from_afi(afi);
660
661 if (aor == NULL || min == NULL || max == NULL || afi_length == 0 || length < afi_length || (aor->type != IPAddressOrRange_addressPrefix && aor->type != IPAddressOrRange_addressRange) || !extract_min_max(aor, min, max, afi_length))
662 return 0;
663
664 return afi_length;
665 }
666
667 /*
668 * Sort comparison function for a sequence of IPAddressFamily.
669 *
670 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
671 * the ordering: I can read it as meaning that IPv6 without a SAFI
672 * comes before IPv4 with a SAFI, which seems pretty weird. The
673 * examples in appendix B suggest that the author intended the
674 * null-SAFI rule to apply only within a single AFI, which is what I
675 * would have expected and is what the following code implements.
676 */
IPAddressFamily_cmp(const IPAddressFamily * const * a_,const IPAddressFamily * const * b_)677 static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
678 const IPAddressFamily *const *b_)
679 {
680 const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
681 const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
682 int len = ((a->length <= b->length) ? a->length : b->length);
683 int cmp = memcmp(a->data, b->data, len);
684
685 return cmp ? cmp : a->length - b->length;
686 }
687
IPAddressFamily_check_len(const IPAddressFamily * f)688 static int IPAddressFamily_check_len(const IPAddressFamily *f)
689 {
690 if (f->addressFamily->length < 2 || f->addressFamily->length > 3)
691 return 0;
692 else
693 return 1;
694 }
695
696 /*
697 * Check whether an IPAddrBLocks is in canonical form.
698 */
X509v3_addr_is_canonical(IPAddrBlocks * addr)699 int X509v3_addr_is_canonical(IPAddrBlocks *addr)
700 {
701 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
702 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
703 IPAddressOrRanges *aors;
704 int i, j, k;
705
706 /*
707 * Empty extension is canonical.
708 */
709 if (addr == NULL)
710 return 1;
711
712 /*
713 * Check whether the top-level list is in order.
714 */
715 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
716 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
717 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
718
719 if (!IPAddressFamily_check_len(a) || !IPAddressFamily_check_len(b))
720 return 0;
721
722 if (IPAddressFamily_cmp(&a, &b) >= 0)
723 return 0;
724 }
725
726 /*
727 * Top level's ok, now check each address family.
728 */
729 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
730 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
731 int length = length_from_afi(X509v3_addr_get_afi(f));
732
733 /*
734 * Inheritance is canonical. Anything other than inheritance or
735 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
736 */
737 if (f == NULL || f->ipAddressChoice == NULL)
738 return 0;
739 switch (f->ipAddressChoice->type) {
740 case IPAddressChoice_inherit:
741 continue;
742 case IPAddressChoice_addressesOrRanges:
743 break;
744 default:
745 return 0;
746 }
747
748 if (!IPAddressFamily_check_len(f))
749 return 0;
750
751 /*
752 * It's an IPAddressOrRanges sequence, check it.
753 */
754 aors = f->ipAddressChoice->u.addressesOrRanges;
755 if (sk_IPAddressOrRange_num(aors) == 0)
756 return 0;
757 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
758 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
759 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
760
761 if (!extract_min_max(a, a_min, a_max, length) || !extract_min_max(b, b_min, b_max, length))
762 return 0;
763
764 /*
765 * Punt misordered list, overlapping start, or inverted range.
766 */
767 if (memcmp(a_min, b_min, length) >= 0 || memcmp(a_min, a_max, length) > 0 || memcmp(b_min, b_max, length) > 0)
768 return 0;
769
770 /*
771 * Punt if adjacent or overlapping. Check for adjacency by
772 * subtracting one from b_min first.
773 */
774 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
775 ;
776 if (memcmp(a_max, b_min, length) >= 0)
777 return 0;
778
779 /*
780 * Check for range that should be expressed as a prefix.
781 */
782 if (a->type == IPAddressOrRange_addressRange && range_should_be_prefix(a_min, a_max, length) >= 0)
783 return 0;
784 }
785
786 /*
787 * Check range to see if it's inverted or should be a
788 * prefix.
789 */
790 j = sk_IPAddressOrRange_num(aors) - 1;
791 {
792 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
793
794 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
795 if (!extract_min_max(a, a_min, a_max, length))
796 return 0;
797 if (memcmp(a_min, a_max, length) > 0 || range_should_be_prefix(a_min, a_max, length) >= 0)
798 return 0;
799 }
800 }
801 }
802
803 /*
804 * If we made it through all that, we're happy.
805 */
806 return 1;
807 }
808
809 /*
810 * Whack an IPAddressOrRanges into canonical form.
811 */
IPAddressOrRanges_canonize(IPAddressOrRanges * aors,const unsigned afi)812 static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
813 const unsigned afi)
814 {
815 int i, j, length = length_from_afi(afi);
816
817 /*
818 * Sort the IPAddressOrRanges sequence.
819 */
820 sk_IPAddressOrRange_sort(aors);
821
822 /*
823 * Clean up representation issues, punt on duplicates or overlaps.
824 */
825 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
826 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
827 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
828 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
829 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
830
831 if (!extract_min_max(a, a_min, a_max, length) || !extract_min_max(b, b_min, b_max, length))
832 return 0;
833
834 /*
835 * Punt inverted ranges.
836 */
837 if (memcmp(a_min, a_max, length) > 0 || memcmp(b_min, b_max, length) > 0)
838 return 0;
839
840 /*
841 * Punt overlaps.
842 */
843 if (memcmp(a_max, b_min, length) >= 0)
844 return 0;
845
846 /*
847 * Merge if a and b are adjacent. We check for
848 * adjacency by subtracting one from b_min first.
849 */
850 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
851 ;
852 if (memcmp(a_max, b_min, length) == 0) {
853 IPAddressOrRange *merged;
854
855 if (!make_addressRange(&merged, a_min, b_max, length))
856 return 0;
857 (void)sk_IPAddressOrRange_set(aors, i, merged);
858 (void)sk_IPAddressOrRange_delete(aors, i + 1);
859 IPAddressOrRange_free(a);
860 IPAddressOrRange_free(b);
861 --i;
862 continue;
863 }
864 }
865
866 /*
867 * Check for inverted final range.
868 */
869 j = sk_IPAddressOrRange_num(aors) - 1;
870 {
871 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
872
873 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
874 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
875
876 if (!extract_min_max(a, a_min, a_max, length))
877 return 0;
878 if (memcmp(a_min, a_max, length) > 0)
879 return 0;
880 }
881 }
882
883 return 1;
884 }
885
886 /*
887 * Whack an IPAddrBlocks extension into canonical form.
888 */
X509v3_addr_canonize(IPAddrBlocks * addr)889 int X509v3_addr_canonize(IPAddrBlocks *addr)
890 {
891 int i;
892
893 if (addr == NULL) {
894 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
895 return 0;
896 }
897
898 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
899 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
900
901 if (!IPAddressFamily_check_len(f))
902 return 0;
903
904 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, X509v3_addr_get_afi(f)))
905 return 0;
906 }
907 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
908 sk_IPAddressFamily_sort(addr);
909 if (!ossl_assert(X509v3_addr_is_canonical(addr)))
910 return 0;
911 return 1;
912 }
913
914 /*
915 * v2i handler for the IPAddrBlocks extension.
916 */
v2i_IPAddrBlocks(const struct v3_ext_method * method,struct v3_ext_ctx * ctx,STACK_OF (CONF_VALUE)* values)917 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
918 struct v3_ext_ctx *ctx,
919 STACK_OF(CONF_VALUE) *values)
920 {
921 static const char v4addr_chars[] = "0123456789.";
922 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
923 IPAddrBlocks *addr = NULL;
924 char *s = NULL, *t;
925 int i;
926
927 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
928 ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
929 return NULL;
930 }
931
932 for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
933 CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
934 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
935 unsigned afi, *safi = NULL, safi_;
936 const char *addr_chars = NULL;
937 int prefixlen, i1, i2, delim, length;
938
939 if (!ossl_v3_name_cmp(val->name, "IPv4")) {
940 afi = IANA_AFI_IPV4;
941 } else if (!ossl_v3_name_cmp(val->name, "IPv6")) {
942 afi = IANA_AFI_IPV6;
943 } else if (!ossl_v3_name_cmp(val->name, "IPv4-SAFI")) {
944 afi = IANA_AFI_IPV4;
945 safi = &safi_;
946 } else if (!ossl_v3_name_cmp(val->name, "IPv6-SAFI")) {
947 afi = IANA_AFI_IPV6;
948 safi = &safi_;
949 } else {
950 ERR_raise_data(ERR_LIB_X509V3, X509V3_R_EXTENSION_NAME_ERROR,
951 "%s", val->name);
952 goto err;
953 }
954
955 switch (afi) {
956 case IANA_AFI_IPV4:
957 addr_chars = v4addr_chars;
958 break;
959 case IANA_AFI_IPV6:
960 addr_chars = v6addr_chars;
961 break;
962 }
963
964 length = length_from_afi(afi);
965
966 /*
967 * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
968 * the other input values.
969 */
970 if (safi != NULL) {
971 if (val->value == NULL) {
972 ERR_raise(ERR_LIB_X509V3, X509V3_R_MISSING_VALUE);
973 goto err;
974 }
975 *safi = strtoul(val->value, &t, 0);
976 t += strspn(t, " \t");
977 if (*safi > 0xFF || *t++ != ':') {
978 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_SAFI);
979 X509V3_conf_add_error_name_value(val);
980 goto err;
981 }
982 t += strspn(t, " \t");
983 s = OPENSSL_strdup(t);
984 } else {
985 s = OPENSSL_strdup(val->value);
986 }
987 if (s == NULL)
988 goto err;
989
990 /*
991 * Check for inheritance. Not worth additional complexity to
992 * optimize this (seldom-used) case.
993 */
994 if (strcmp(s, "inherit") == 0) {
995 if (!X509v3_addr_add_inherit(addr, afi, safi)) {
996 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_INHERITANCE);
997 X509V3_conf_add_error_name_value(val);
998 goto err;
999 }
1000 OPENSSL_free(s);
1001 s = NULL;
1002 continue;
1003 }
1004
1005 i1 = strspn(s, addr_chars);
1006 i2 = i1 + strspn(s + i1, " \t");
1007 delim = s[i2++];
1008 s[i1] = '\0';
1009
1010 if (ossl_a2i_ipadd(min, s) != length) {
1011 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_IPADDRESS);
1012 X509V3_conf_add_error_name_value(val);
1013 goto err;
1014 }
1015
1016 switch (delim) {
1017 case '/':
1018 prefixlen = (int)strtoul(s + i2, &t, 10);
1019 if (t == s + i2
1020 || *t != '\0'
1021 || prefixlen > (length * 8)
1022 || prefixlen < 0) {
1023 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1024 X509V3_conf_add_error_name_value(val);
1025 goto err;
1026 }
1027 if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1028 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1029 goto err;
1030 }
1031 break;
1032 case '-':
1033 i1 = i2 + strspn(s + i2, " \t");
1034 i2 = i1 + strspn(s + i1, addr_chars);
1035 if (i1 == i2 || s[i2] != '\0') {
1036 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1037 X509V3_conf_add_error_name_value(val);
1038 goto err;
1039 }
1040 if (ossl_a2i_ipadd(max, s + i1) != length) {
1041 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_IPADDRESS);
1042 X509V3_conf_add_error_name_value(val);
1043 goto err;
1044 }
1045 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1046 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1047 X509V3_conf_add_error_name_value(val);
1048 goto err;
1049 }
1050 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
1051 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1052 goto err;
1053 }
1054 break;
1055 case '\0':
1056 if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1057 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1058 goto err;
1059 }
1060 break;
1061 default:
1062 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1063 X509V3_conf_add_error_name_value(val);
1064 goto err;
1065 }
1066
1067 OPENSSL_free(s);
1068 s = NULL;
1069 }
1070
1071 /*
1072 * Canonize the result, then we're done.
1073 */
1074 if (!X509v3_addr_canonize(addr))
1075 goto err;
1076 return addr;
1077
1078 err:
1079 OPENSSL_free(s);
1080 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1081 return NULL;
1082 }
1083
1084 /*
1085 * OpenSSL dispatch
1086 */
1087 const X509V3_EXT_METHOD ossl_v3_addr = {
1088 NID_sbgp_ipAddrBlock, /* nid */
1089 0, /* flags */
1090 ASN1_ITEM_ref(IPAddrBlocks), /* template */
1091 0, 0, 0, 0, /* old functions, ignored */
1092 0, /* i2s */
1093 0, /* s2i */
1094 0, /* i2v */
1095 v2i_IPAddrBlocks, /* v2i */
1096 i2r_IPAddrBlocks, /* i2r */
1097 0, /* r2i */
1098 NULL /* extension-specific data */
1099 };
1100
1101 /*
1102 * Figure out whether extension sues inheritance.
1103 */
X509v3_addr_inherits(IPAddrBlocks * addr)1104 int X509v3_addr_inherits(IPAddrBlocks *addr)
1105 {
1106 int i;
1107
1108 if (addr == NULL)
1109 return 0;
1110 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1111 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1112
1113 if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1114 return 1;
1115 }
1116 return 0;
1117 }
1118
1119 /*
1120 * Figure out whether parent contains child.
1121 */
addr_contains(IPAddressOrRanges * parent,IPAddressOrRanges * child,int length)1122 static int addr_contains(IPAddressOrRanges *parent,
1123 IPAddressOrRanges *child, int length)
1124 {
1125 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1126 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1127 int p, c;
1128
1129 if (child == NULL || parent == child)
1130 return 1;
1131 if (parent == NULL)
1132 return 0;
1133
1134 p = 0;
1135 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1136 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1137 c_min, c_max, length))
1138 return 0;
1139 for (;; p++) {
1140 if (p >= sk_IPAddressOrRange_num(parent))
1141 return 0;
1142 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1143 p_min, p_max, length))
1144 return 0;
1145 if (memcmp(p_max, c_max, length) < 0)
1146 continue;
1147 if (memcmp(p_min, c_min, length) > 0)
1148 return 0;
1149 break;
1150 }
1151 }
1152
1153 return 1;
1154 }
1155
1156 /*
1157 * Test whether a is a subset of b.
1158 */
X509v3_addr_subset(IPAddrBlocks * a,IPAddrBlocks * b)1159 int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1160 {
1161 int i;
1162
1163 if (a == NULL || a == b)
1164 return 1;
1165 if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
1166 return 0;
1167 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1168 sk_IPAddressFamily_sort(b);
1169 /* Could sort a here too and get O(|a|) running time instead of O(|a| ln |b|) */
1170 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1171 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1172 int j = sk_IPAddressFamily_find(b, fa);
1173 IPAddressFamily *fb = sk_IPAddressFamily_value(b, j);
1174
1175 if (fb == NULL)
1176 return 0;
1177 if (!IPAddressFamily_check_len(fa) || !IPAddressFamily_check_len(fb))
1178 return 0;
1179 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1180 fa->ipAddressChoice->u.addressesOrRanges,
1181 length_from_afi(X509v3_addr_get_afi(fb))))
1182 return 0;
1183 }
1184 return 1;
1185 }
1186
1187 /*
1188 * Validation error handling via callback.
1189 */
1190 #define validation_err(_err_) \
1191 do { \
1192 if (ctx != NULL) { \
1193 ctx->error = _err_; \
1194 ctx->error_depth = i; \
1195 ctx->current_cert = x; \
1196 rv = ctx->verify_cb(0, ctx); \
1197 } else { \
1198 rv = 0; \
1199 } \
1200 if (rv == 0) \
1201 goto done; \
1202 } while (0)
1203
1204 /*
1205 * Core code for RFC 3779 2.3 path validation.
1206 *
1207 * Returns 1 for success, 0 on error.
1208 *
1209 * When returning 0, ctx->error MUST be set to an appropriate value other than
1210 * X509_V_OK.
1211 */
addr_validate_path_internal(X509_STORE_CTX * ctx,STACK_OF (X509)* chain,IPAddrBlocks * ext)1212 static int addr_validate_path_internal(X509_STORE_CTX *ctx,
1213 STACK_OF(X509) *chain,
1214 IPAddrBlocks *ext)
1215 {
1216 IPAddrBlocks *child = NULL;
1217 int i, j, ret = 0, rv;
1218 X509 *x;
1219
1220 if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
1221 || !ossl_assert(ctx != NULL || ext != NULL)
1222 || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
1223 if (ctx != NULL)
1224 ctx->error = X509_V_ERR_UNSPECIFIED;
1225 return 0;
1226 }
1227
1228 /*
1229 * Figure out where to start. If we don't have an extension to
1230 * check, we're done. Otherwise, check canonical form and
1231 * set up for walking up the chain.
1232 */
1233 if (ext != NULL) {
1234 i = -1;
1235 x = NULL;
1236 } else {
1237 i = 0;
1238 x = sk_X509_value(chain, i);
1239 if ((ext = x->rfc3779_addr) == NULL)
1240 return 1; /* Return success */
1241 }
1242 if (!X509v3_addr_is_canonical(ext))
1243 validation_err(X509_V_ERR_INVALID_EXTENSION);
1244 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1245 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1246 ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
1247 if (ctx != NULL)
1248 ctx->error = X509_V_ERR_OUT_OF_MEM;
1249 goto done;
1250 }
1251 sk_IPAddressFamily_sort(child);
1252
1253 /*
1254 * Now walk up the chain. No cert may list resources that its
1255 * parent doesn't list.
1256 */
1257 for (i++; i < sk_X509_num(chain); i++) {
1258 x = sk_X509_value(chain, i);
1259 if (!X509v3_addr_is_canonical(x->rfc3779_addr))
1260 validation_err(X509_V_ERR_INVALID_EXTENSION);
1261 if (x->rfc3779_addr == NULL) {
1262 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1263 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1264
1265 if (!IPAddressFamily_check_len(fc))
1266 goto done;
1267
1268 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1269 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1270 break;
1271 }
1272 }
1273 continue;
1274 }
1275 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1276 IPAddressFamily_cmp);
1277 sk_IPAddressFamily_sort(x->rfc3779_addr);
1278 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1279 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1280 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1281 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
1282
1283 if (fp == NULL) {
1284 if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1285 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1286 break;
1287 }
1288 continue;
1289 }
1290
1291 if (!IPAddressFamily_check_len(fc) || !IPAddressFamily_check_len(fp))
1292 goto done;
1293
1294 if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1295 if (fc->ipAddressChoice->type == IPAddressChoice_inherit
1296 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1297 fc->ipAddressChoice->u.addressesOrRanges,
1298 length_from_afi(X509v3_addr_get_afi(fc))))
1299 (void)sk_IPAddressFamily_set(child, j, fp);
1300 else
1301 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1302 }
1303 }
1304 }
1305
1306 /*
1307 * Trust anchor can't inherit.
1308 */
1309 if (x->rfc3779_addr != NULL) {
1310 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1311 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
1312
1313 if (!IPAddressFamily_check_len(fp))
1314 goto done;
1315
1316 if (fp->ipAddressChoice->type == IPAddressChoice_inherit
1317 && sk_IPAddressFamily_find(child, fp) >= 0)
1318 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1319 }
1320 }
1321 ret = 1;
1322 done:
1323 sk_IPAddressFamily_free(child);
1324 return ret;
1325 }
1326
1327 #undef validation_err
1328
1329 /*
1330 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1331 */
X509v3_addr_validate_path(X509_STORE_CTX * ctx)1332 int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1333 {
1334 if (ctx->chain == NULL
1335 || sk_X509_num(ctx->chain) == 0
1336 || ctx->verify_cb == NULL) {
1337 ctx->error = X509_V_ERR_UNSPECIFIED;
1338 return 0;
1339 }
1340 return addr_validate_path_internal(ctx, ctx->chain, NULL);
1341 }
1342
1343 /*
1344 * RFC 3779 2.3 path validation of an extension.
1345 * Test whether chain covers extension.
1346 */
X509v3_addr_validate_resource_set(STACK_OF (X509)* chain,IPAddrBlocks * ext,int allow_inheritance)1347 int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1348 IPAddrBlocks *ext, int allow_inheritance)
1349 {
1350 if (ext == NULL)
1351 return 1;
1352 if (chain == NULL || sk_X509_num(chain) == 0)
1353 return 0;
1354 if (!allow_inheritance && X509v3_addr_inherits(ext))
1355 return 0;
1356 return addr_validate_path_internal(NULL, chain, ext);
1357 }
1358
1359 #endif /* OPENSSL_NO_RFC3779 */
1360