xref: /freebsd/crypto/openssl/crypto/x509/v3_addr.c (revision e7be843b4a162e68651d3911f0357ed464915629)
1 /*
2  * Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * Implementation of RFC 3779 section 2.2.
12  */
13 
14 #include <stdio.h>
15 #include <stdlib.h>
16 #include <assert.h>
17 #include <string.h>
18 
19 #include <openssl/conf.h>
20 #include <openssl/asn1.h>
21 #include <openssl/asn1t.h>
22 #include <openssl/buffer.h>
23 #include <openssl/x509v3.h>
24 #include "internal/cryptlib.h"
25 #include "crypto/asn1.h"
26 #include "crypto/x509.h"
27 #include "ext_dat.h"
28 #include "x509_local.h"
29 
30 #ifndef OPENSSL_NO_RFC3779
31 
32 /*
33  * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
34  */
35 
36 ASN1_SEQUENCE(IPAddressRange) = {
37     ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
38     ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
39 } ASN1_SEQUENCE_END(IPAddressRange)
40 
41 ASN1_CHOICE(IPAddressOrRange) = {
42     ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
43     ASN1_SIMPLE(IPAddressOrRange, u.addressRange,  IPAddressRange)
44 } ASN1_CHOICE_END(IPAddressOrRange)
45 
46 ASN1_CHOICE(IPAddressChoice) = {
47     ASN1_SIMPLE(IPAddressChoice,      u.inherit,           ASN1_NULL),
48     ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
49 } ASN1_CHOICE_END(IPAddressChoice)
50 
51 ASN1_SEQUENCE(IPAddressFamily) = {
52     ASN1_SIMPLE(IPAddressFamily, addressFamily,   ASN1_OCTET_STRING),
53     ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
54 } ASN1_SEQUENCE_END(IPAddressFamily)
55 
56 ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
57     ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
58                           IPAddrBlocks, IPAddressFamily)
59 static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
60 
61 IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
62 IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
63 IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
64 IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
65 
66 /*
67  * How much buffer space do we need for a raw address?
68  */
69 # define ADDR_RAW_BUF_LEN 16
70 
71 /*
72  * What's the address length associated with this AFI?
73  */
74 static int length_from_afi(const unsigned afi)
75 {
76     switch (afi) {
77     case IANA_AFI_IPV4:
78         return 4;
79     case IANA_AFI_IPV6:
80         return 16;
81     default:
82         return 0;
83     }
84 }
85 
86 /*
87  * Extract the AFI from an IPAddressFamily.
88  */
X509v3_addr_get_afi(const IPAddressFamily * f)89 unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
90 {
91     if (f == NULL
92             || f->addressFamily == NULL
93             || f->addressFamily->data == NULL
94             || f->addressFamily->length < 2)
95         return 0;
96     return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
97 }
98 
99 /*
100  * Expand the bitstring form of an address into a raw byte array.
101  * At the moment this is coded for simplicity, not speed.
102  */
addr_expand(unsigned char * addr,const ASN1_BIT_STRING * bs,const int length,const unsigned char fill)103 static int addr_expand(unsigned char *addr,
104                        const ASN1_BIT_STRING *bs,
105                        const int length, const unsigned char fill)
106 {
107     if (bs->length < 0 || bs->length > length)
108         return 0;
109     if (bs->length > 0) {
110         memcpy(addr, bs->data, bs->length);
111         if ((bs->flags & 7) != 0) {
112             unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
113 
114             if (fill == 0)
115                 addr[bs->length - 1] &= ~mask;
116             else
117                 addr[bs->length - 1] |= mask;
118         }
119     }
120     memset(addr + bs->length, fill, length - bs->length);
121     return 1;
122 }
123 
124 /*
125  * Extract the prefix length from a bitstring.
126  */
127 # define addr_prefixlen(bs) ((int)((bs)->length * 8 - ((bs)->flags & 7)))
128 
129 /*
130  * i2r handler for one address bitstring.
131  */
i2r_address(BIO * out,const unsigned afi,const unsigned char fill,const ASN1_BIT_STRING * bs)132 static int i2r_address(BIO *out,
133                        const unsigned afi,
134                        const unsigned char fill, const ASN1_BIT_STRING *bs)
135 {
136     unsigned char addr[ADDR_RAW_BUF_LEN];
137     int i, n;
138 
139     if (bs->length < 0)
140         return 0;
141     switch (afi) {
142     case IANA_AFI_IPV4:
143         if (!addr_expand(addr, bs, 4, fill))
144             return 0;
145         BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
146         break;
147     case IANA_AFI_IPV6:
148         if (!addr_expand(addr, bs, 16, fill))
149             return 0;
150         for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00;
151              n -= 2) ;
152         for (i = 0; i < n; i += 2)
153             BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
154                        (i < 14 ? ":" : ""));
155         if (i < 16)
156             BIO_puts(out, ":");
157         if (i == 0)
158             BIO_puts(out, ":");
159         break;
160     default:
161         for (i = 0; i < bs->length; i++)
162             BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
163         BIO_printf(out, "[%d]", (int)(bs->flags & 7));
164         break;
165     }
166     return 1;
167 }
168 
169 /*
170  * i2r handler for a sequence of addresses and ranges.
171  */
i2r_IPAddressOrRanges(BIO * out,const int indent,const IPAddressOrRanges * aors,const unsigned afi)172 static int i2r_IPAddressOrRanges(BIO *out,
173                                  const int indent,
174                                  const IPAddressOrRanges *aors,
175                                  const unsigned afi)
176 {
177     int i;
178 
179     for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
180         const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
181 
182         BIO_printf(out, "%*s", indent, "");
183         switch (aor->type) {
184         case IPAddressOrRange_addressPrefix:
185             if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
186                 return 0;
187             BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
188             continue;
189         case IPAddressOrRange_addressRange:
190             if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
191                 return 0;
192             BIO_puts(out, "-");
193             if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
194                 return 0;
195             BIO_puts(out, "\n");
196             continue;
197         }
198     }
199     return 1;
200 }
201 
202 /*
203  * i2r handler for an IPAddrBlocks extension.
204  */
i2r_IPAddrBlocks(const X509V3_EXT_METHOD * method,void * ext,BIO * out,int indent)205 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
206                             void *ext, BIO *out, int indent)
207 {
208     const IPAddrBlocks *addr = ext;
209     int i;
210 
211     for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
212         IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
213         const unsigned int afi = X509v3_addr_get_afi(f);
214 
215         switch (afi) {
216         case IANA_AFI_IPV4:
217             BIO_printf(out, "%*sIPv4", indent, "");
218             break;
219         case IANA_AFI_IPV6:
220             BIO_printf(out, "%*sIPv6", indent, "");
221             break;
222         default:
223             BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
224             break;
225         }
226         if (f->addressFamily->length > 2) {
227             switch (f->addressFamily->data[2]) {
228             case 1:
229                 BIO_puts(out, " (Unicast)");
230                 break;
231             case 2:
232                 BIO_puts(out, " (Multicast)");
233                 break;
234             case 3:
235                 BIO_puts(out, " (Unicast/Multicast)");
236                 break;
237             case 4:
238                 BIO_puts(out, " (MPLS)");
239                 break;
240             case 64:
241                 BIO_puts(out, " (Tunnel)");
242                 break;
243             case 65:
244                 BIO_puts(out, " (VPLS)");
245                 break;
246             case 66:
247                 BIO_puts(out, " (BGP MDT)");
248                 break;
249             case 128:
250                 BIO_puts(out, " (MPLS-labeled VPN)");
251                 break;
252             default:
253                 BIO_printf(out, " (Unknown SAFI %u)",
254                            (unsigned)f->addressFamily->data[2]);
255                 break;
256             }
257         }
258         switch (f->ipAddressChoice->type) {
259         case IPAddressChoice_inherit:
260             BIO_puts(out, ": inherit\n");
261             break;
262         case IPAddressChoice_addressesOrRanges:
263             BIO_puts(out, ":\n");
264             if (!i2r_IPAddressOrRanges(out,
265                                        indent + 2,
266                                        f->ipAddressChoice->
267                                        u.addressesOrRanges, afi))
268                 return 0;
269             break;
270         }
271     }
272     return 1;
273 }
274 
275 /*
276  * Sort comparison function for a sequence of IPAddressOrRange
277  * elements.
278  *
279  * There's no sane answer we can give if addr_expand() fails, and an
280  * assertion failure on externally supplied data is seriously uncool,
281  * so we just arbitrarily declare that if given invalid inputs this
282  * function returns -1.  If this messes up your preferred sort order
283  * for garbage input, tough noogies.
284  */
IPAddressOrRange_cmp(const IPAddressOrRange * a,const IPAddressOrRange * b,const int length)285 static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
286                                 const IPAddressOrRange *b, const int length)
287 {
288     unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
289     int prefixlen_a = 0, prefixlen_b = 0;
290     int r;
291 
292     switch (a->type) {
293     case IPAddressOrRange_addressPrefix:
294         if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
295             return -1;
296         prefixlen_a = addr_prefixlen(a->u.addressPrefix);
297         break;
298     case IPAddressOrRange_addressRange:
299         if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
300             return -1;
301         prefixlen_a = length * 8;
302         break;
303     default:
304         return -1;
305     }
306 
307     switch (b->type) {
308     case IPAddressOrRange_addressPrefix:
309         if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
310             return -1;
311         prefixlen_b = addr_prefixlen(b->u.addressPrefix);
312         break;
313     case IPAddressOrRange_addressRange:
314         if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
315             return -1;
316         prefixlen_b = length * 8;
317         break;
318     default:
319         return -1;
320     }
321 
322     if ((r = memcmp(addr_a, addr_b, length)) != 0)
323         return r;
324     else
325         return prefixlen_a - prefixlen_b;
326 }
327 
328 /*
329  * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
330  * comparison routines are only allowed two arguments.
331  */
v4IPAddressOrRange_cmp(const IPAddressOrRange * const * a,const IPAddressOrRange * const * b)332 static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
333                                   const IPAddressOrRange *const *b)
334 {
335     return IPAddressOrRange_cmp(*a, *b, 4);
336 }
337 
338 /*
339  * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
340  * comparison routines are only allowed two arguments.
341  */
v6IPAddressOrRange_cmp(const IPAddressOrRange * const * a,const IPAddressOrRange * const * b)342 static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
343                                   const IPAddressOrRange *const *b)
344 {
345     return IPAddressOrRange_cmp(*a, *b, 16);
346 }
347 
348 /*
349  * Calculate whether a range collapses to a prefix.
350  * See last paragraph of RFC 3779 2.2.3.7.
351  */
range_should_be_prefix(const unsigned char * min,const unsigned char * max,const int length)352 static int range_should_be_prefix(const unsigned char *min,
353                                   const unsigned char *max, const int length)
354 {
355     unsigned char mask;
356     int i, j;
357 
358     /*
359      * It is the responsibility of the caller to confirm min <= max. We don't
360      * use ossl_assert() here since we have no way of signalling an error from
361      * this function - so we just use a plain assert instead.
362      */
363     assert(memcmp(min, max, length) <= 0);
364 
365     for (i = 0; i < length && min[i] == max[i]; i++) ;
366     for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ;
367     if (i < j)
368         return -1;
369     if (i > j)
370         return i * 8;
371     mask = min[i] ^ max[i];
372     switch (mask) {
373     case 0x01:
374         j = 7;
375         break;
376     case 0x03:
377         j = 6;
378         break;
379     case 0x07:
380         j = 5;
381         break;
382     case 0x0F:
383         j = 4;
384         break;
385     case 0x1F:
386         j = 3;
387         break;
388     case 0x3F:
389         j = 2;
390         break;
391     case 0x7F:
392         j = 1;
393         break;
394     default:
395         return -1;
396     }
397     if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
398         return -1;
399     else
400         return i * 8 + j;
401 }
402 
403 /*
404  * Construct a prefix.
405  */
make_addressPrefix(IPAddressOrRange ** result,unsigned char * addr,const int prefixlen,const int afilen)406 static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
407                               const int prefixlen, const int afilen)
408 {
409     int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
410     IPAddressOrRange *aor;
411 
412     if (prefixlen < 0 || prefixlen > (afilen * 8))
413         return 0;
414     if ((aor = IPAddressOrRange_new()) == NULL)
415         return 0;
416     aor->type = IPAddressOrRange_addressPrefix;
417     if (aor->u.addressPrefix == NULL &&
418         (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
419         goto err;
420     if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
421         goto err;
422     if (bitlen > 0)
423         aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
424     ossl_asn1_string_set_bits_left(aor->u.addressPrefix, 8 - bitlen);
425 
426     *result = aor;
427     return 1;
428 
429  err:
430     IPAddressOrRange_free(aor);
431     return 0;
432 }
433 
434 /*
435  * Construct a range.  If it can be expressed as a prefix,
436  * return a prefix instead.  Doing this here simplifies
437  * the rest of the code considerably.
438  */
make_addressRange(IPAddressOrRange ** result,unsigned char * min,unsigned char * max,const int length)439 static int make_addressRange(IPAddressOrRange **result,
440                              unsigned char *min,
441                              unsigned char *max, const int length)
442 {
443     IPAddressOrRange *aor;
444     int i, prefixlen;
445 
446     if (memcmp(min, max, length) > 0)
447         return 0;
448 
449     if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
450         return make_addressPrefix(result, min, prefixlen, length);
451 
452     if ((aor = IPAddressOrRange_new()) == NULL)
453         return 0;
454     aor->type = IPAddressOrRange_addressRange;
455     if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
456         goto err;
457     if (aor->u.addressRange->min == NULL &&
458         (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
459         goto err;
460     if (aor->u.addressRange->max == NULL &&
461         (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
462         goto err;
463 
464     for (i = length; i > 0 && min[i - 1] == 0x00; --i) ;
465     if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
466         goto err;
467     ossl_asn1_string_set_bits_left(aor->u.addressRange->min, 0);
468     if (i > 0) {
469         unsigned char b = min[i - 1];
470         int j = 1;
471 
472         while ((b & (0xFFU >> j)) != 0)
473             ++j;
474         aor->u.addressRange->min->flags |= 8 - j;
475     }
476 
477     for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ;
478     if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
479         goto err;
480     ossl_asn1_string_set_bits_left(aor->u.addressRange->max, 0);
481     if (i > 0) {
482         unsigned char b = max[i - 1];
483         int j = 1;
484 
485         while ((b & (0xFFU >> j)) != (0xFFU >> j))
486             ++j;
487         aor->u.addressRange->max->flags |= 8 - j;
488     }
489 
490     *result = aor;
491     return 1;
492 
493  err:
494     IPAddressOrRange_free(aor);
495     return 0;
496 }
497 
498 /*
499  * Construct a new address family or find an existing one.
500  */
make_IPAddressFamily(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)501 static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
502                                              const unsigned afi,
503                                              const unsigned *safi)
504 {
505     IPAddressFamily *f;
506     unsigned char key[3];
507     int keylen;
508     int i;
509 
510     key[0] = (afi >> 8) & 0xFF;
511     key[1] = afi & 0xFF;
512     if (safi != NULL) {
513         key[2] = *safi & 0xFF;
514         keylen = 3;
515     } else {
516         keylen = 2;
517     }
518 
519     for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
520         f = sk_IPAddressFamily_value(addr, i);
521         if (f->addressFamily->length == keylen &&
522             !memcmp(f->addressFamily->data, key, keylen))
523             return f;
524     }
525 
526     if ((f = IPAddressFamily_new()) == NULL)
527         goto err;
528     if (f->ipAddressChoice == NULL &&
529         (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
530         goto err;
531     if (f->addressFamily == NULL &&
532         (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
533         goto err;
534     if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
535         goto err;
536     if (!sk_IPAddressFamily_push(addr, f))
537         goto err;
538 
539     return f;
540 
541  err:
542     IPAddressFamily_free(f);
543     return NULL;
544 }
545 
546 /*
547  * Add an inheritance element.
548  */
X509v3_addr_add_inherit(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)549 int X509v3_addr_add_inherit(IPAddrBlocks *addr,
550                             const unsigned afi, const unsigned *safi)
551 {
552     IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
553 
554     if (f == NULL ||
555         f->ipAddressChoice == NULL ||
556         (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
557          f->ipAddressChoice->u.addressesOrRanges != NULL))
558         return 0;
559     if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
560         f->ipAddressChoice->u.inherit != NULL)
561         return 1;
562     if (f->ipAddressChoice->u.inherit == NULL &&
563         (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
564         return 0;
565     f->ipAddressChoice->type = IPAddressChoice_inherit;
566     return 1;
567 }
568 
569 /*
570  * Construct an IPAddressOrRange sequence, or return an existing one.
571  */
make_prefix_or_range(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi)572 static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
573                                                const unsigned afi,
574                                                const unsigned *safi)
575 {
576     IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
577     IPAddressOrRanges *aors = NULL;
578 
579     if (f == NULL ||
580         f->ipAddressChoice == NULL ||
581         (f->ipAddressChoice->type == IPAddressChoice_inherit &&
582          f->ipAddressChoice->u.inherit != NULL))
583         return NULL;
584     if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
585         aors = f->ipAddressChoice->u.addressesOrRanges;
586     if (aors != NULL)
587         return aors;
588     if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
589         return NULL;
590     switch (afi) {
591     case IANA_AFI_IPV4:
592         (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
593         break;
594     case IANA_AFI_IPV6:
595         (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
596         break;
597     }
598     f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
599     f->ipAddressChoice->u.addressesOrRanges = aors;
600     return aors;
601 }
602 
603 /*
604  * Add a prefix.
605  */
X509v3_addr_add_prefix(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi,unsigned char * a,const int prefixlen)606 int X509v3_addr_add_prefix(IPAddrBlocks *addr,
607                            const unsigned afi,
608                            const unsigned *safi,
609                            unsigned char *a, const int prefixlen)
610 {
611     IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
612     IPAddressOrRange *aor;
613 
614     if (aors == NULL
615             || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi)))
616         return 0;
617     if (sk_IPAddressOrRange_push(aors, aor))
618         return 1;
619     IPAddressOrRange_free(aor);
620     return 0;
621 }
622 
623 /*
624  * Add a range.
625  */
X509v3_addr_add_range(IPAddrBlocks * addr,const unsigned afi,const unsigned * safi,unsigned char * min,unsigned char * max)626 int X509v3_addr_add_range(IPAddrBlocks *addr,
627                           const unsigned afi,
628                           const unsigned *safi,
629                           unsigned char *min, unsigned char *max)
630 {
631     IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
632     IPAddressOrRange *aor;
633     int length = length_from_afi(afi);
634 
635     if (aors == NULL)
636         return 0;
637     if (!make_addressRange(&aor, min, max, length))
638         return 0;
639     if (sk_IPAddressOrRange_push(aors, aor))
640         return 1;
641     IPAddressOrRange_free(aor);
642     return 0;
643 }
644 
645 /*
646  * Extract min and max values from an IPAddressOrRange.
647  */
extract_min_max(IPAddressOrRange * aor,unsigned char * min,unsigned char * max,int length)648 static int extract_min_max(IPAddressOrRange *aor,
649                            unsigned char *min, unsigned char *max, int length)
650 {
651     if (aor == NULL || min == NULL || max == NULL)
652         return 0;
653     switch (aor->type) {
654     case IPAddressOrRange_addressPrefix:
655         return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
656                 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
657     case IPAddressOrRange_addressRange:
658         return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
659                 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
660     }
661     return 0;
662 }
663 
664 /*
665  * Public wrapper for extract_min_max().
666  */
X509v3_addr_get_range(IPAddressOrRange * aor,const unsigned afi,unsigned char * min,unsigned char * max,const int length)667 int X509v3_addr_get_range(IPAddressOrRange *aor,
668                           const unsigned afi,
669                           unsigned char *min,
670                           unsigned char *max, const int length)
671 {
672     int afi_length = length_from_afi(afi);
673 
674     if (aor == NULL || min == NULL || max == NULL ||
675         afi_length == 0 || length < afi_length ||
676         (aor->type != IPAddressOrRange_addressPrefix &&
677          aor->type != IPAddressOrRange_addressRange) ||
678         !extract_min_max(aor, min, max, afi_length))
679         return 0;
680 
681     return afi_length;
682 }
683 
684 /*
685  * Sort comparison function for a sequence of IPAddressFamily.
686  *
687  * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
688  * the ordering: I can read it as meaning that IPv6 without a SAFI
689  * comes before IPv4 with a SAFI, which seems pretty weird.  The
690  * examples in appendix B suggest that the author intended the
691  * null-SAFI rule to apply only within a single AFI, which is what I
692  * would have expected and is what the following code implements.
693  */
IPAddressFamily_cmp(const IPAddressFamily * const * a_,const IPAddressFamily * const * b_)694 static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
695                                const IPAddressFamily *const *b_)
696 {
697     const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
698     const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
699     int len = ((a->length <= b->length) ? a->length : b->length);
700     int cmp = memcmp(a->data, b->data, len);
701 
702     return cmp ? cmp : a->length - b->length;
703 }
704 
IPAddressFamily_check_len(const IPAddressFamily * f)705 static int IPAddressFamily_check_len(const IPAddressFamily *f)
706 {
707     if (f->addressFamily->length < 2 || f->addressFamily->length > 3)
708         return 0;
709     else
710         return 1;
711 }
712 
713 /*
714  * Check whether an IPAddrBLocks is in canonical form.
715  */
X509v3_addr_is_canonical(IPAddrBlocks * addr)716 int X509v3_addr_is_canonical(IPAddrBlocks *addr)
717 {
718     unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
719     unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
720     IPAddressOrRanges *aors;
721     int i, j, k;
722 
723     /*
724      * Empty extension is canonical.
725      */
726     if (addr == NULL)
727         return 1;
728 
729     /*
730      * Check whether the top-level list is in order.
731      */
732     for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
733         const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
734         const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
735 
736         if (!IPAddressFamily_check_len(a) || !IPAddressFamily_check_len(b))
737             return 0;
738 
739         if (IPAddressFamily_cmp(&a, &b) >= 0)
740             return 0;
741     }
742 
743     /*
744      * Top level's ok, now check each address family.
745      */
746     for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
747         IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
748         int length = length_from_afi(X509v3_addr_get_afi(f));
749 
750         /*
751          * Inheritance is canonical.  Anything other than inheritance or
752          * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
753          */
754         if (f == NULL || f->ipAddressChoice == NULL)
755             return 0;
756         switch (f->ipAddressChoice->type) {
757         case IPAddressChoice_inherit:
758             continue;
759         case IPAddressChoice_addressesOrRanges:
760             break;
761         default:
762             return 0;
763         }
764 
765         if (!IPAddressFamily_check_len(f))
766             return 0;
767 
768         /*
769          * It's an IPAddressOrRanges sequence, check it.
770          */
771         aors = f->ipAddressChoice->u.addressesOrRanges;
772         if (sk_IPAddressOrRange_num(aors) == 0)
773             return 0;
774         for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
775             IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
776             IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
777 
778             if (!extract_min_max(a, a_min, a_max, length) ||
779                 !extract_min_max(b, b_min, b_max, length))
780                 return 0;
781 
782             /*
783              * Punt misordered list, overlapping start, or inverted range.
784              */
785             if (memcmp(a_min, b_min, length) >= 0 ||
786                 memcmp(a_min, a_max, length) > 0 ||
787                 memcmp(b_min, b_max, length) > 0)
788                 return 0;
789 
790             /*
791              * Punt if adjacent or overlapping.  Check for adjacency by
792              * subtracting one from b_min first.
793              */
794             for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ;
795             if (memcmp(a_max, b_min, length) >= 0)
796                 return 0;
797 
798             /*
799              * Check for range that should be expressed as a prefix.
800              */
801             if (a->type == IPAddressOrRange_addressRange &&
802                 range_should_be_prefix(a_min, a_max, length) >= 0)
803                 return 0;
804         }
805 
806         /*
807          * Check range to see if it's inverted or should be a
808          * prefix.
809          */
810         j = sk_IPAddressOrRange_num(aors) - 1;
811         {
812             IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
813 
814             if (a != NULL && a->type == IPAddressOrRange_addressRange) {
815                 if (!extract_min_max(a, a_min, a_max, length))
816                     return 0;
817                 if (memcmp(a_min, a_max, length) > 0 ||
818                     range_should_be_prefix(a_min, a_max, length) >= 0)
819                     return 0;
820             }
821         }
822     }
823 
824     /*
825      * If we made it through all that, we're happy.
826      */
827     return 1;
828 }
829 
830 /*
831  * Whack an IPAddressOrRanges into canonical form.
832  */
IPAddressOrRanges_canonize(IPAddressOrRanges * aors,const unsigned afi)833 static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
834                                       const unsigned afi)
835 {
836     int i, j, length = length_from_afi(afi);
837 
838     /*
839      * Sort the IPAddressOrRanges sequence.
840      */
841     sk_IPAddressOrRange_sort(aors);
842 
843     /*
844      * Clean up representation issues, punt on duplicates or overlaps.
845      */
846     for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
847         IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
848         IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
849         unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
850         unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
851 
852         if (!extract_min_max(a, a_min, a_max, length) ||
853             !extract_min_max(b, b_min, b_max, length))
854             return 0;
855 
856         /*
857          * Punt inverted ranges.
858          */
859         if (memcmp(a_min, a_max, length) > 0 ||
860             memcmp(b_min, b_max, length) > 0)
861             return 0;
862 
863         /*
864          * Punt overlaps.
865          */
866         if (memcmp(a_max, b_min, length) >= 0)
867             return 0;
868 
869         /*
870          * Merge if a and b are adjacent.  We check for
871          * adjacency by subtracting one from b_min first.
872          */
873         for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ;
874         if (memcmp(a_max, b_min, length) == 0) {
875             IPAddressOrRange *merged;
876 
877             if (!make_addressRange(&merged, a_min, b_max, length))
878                 return 0;
879             (void)sk_IPAddressOrRange_set(aors, i, merged);
880             (void)sk_IPAddressOrRange_delete(aors, i + 1);
881             IPAddressOrRange_free(a);
882             IPAddressOrRange_free(b);
883             --i;
884             continue;
885         }
886     }
887 
888     /*
889      * Check for inverted final range.
890      */
891     j = sk_IPAddressOrRange_num(aors) - 1;
892     {
893         IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
894 
895         if (a != NULL && a->type == IPAddressOrRange_addressRange) {
896             unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
897 
898             if (!extract_min_max(a, a_min, a_max, length))
899                 return 0;
900             if (memcmp(a_min, a_max, length) > 0)
901                 return 0;
902         }
903     }
904 
905     return 1;
906 }
907 
908 /*
909  * Whack an IPAddrBlocks extension into canonical form.
910  */
X509v3_addr_canonize(IPAddrBlocks * addr)911 int X509v3_addr_canonize(IPAddrBlocks *addr)
912 {
913     int i;
914 
915     if (addr == NULL) {
916         ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
917         return 0;
918     }
919 
920     for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
921         IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
922 
923         if (!IPAddressFamily_check_len(f))
924             return 0;
925 
926         if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
927             !IPAddressOrRanges_canonize(f->ipAddressChoice->
928                                         u.addressesOrRanges,
929                                         X509v3_addr_get_afi(f)))
930             return 0;
931     }
932     (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
933     sk_IPAddressFamily_sort(addr);
934     if (!ossl_assert(X509v3_addr_is_canonical(addr)))
935         return 0;
936     return 1;
937 }
938 
939 /*
940  * v2i handler for the IPAddrBlocks extension.
941  */
v2i_IPAddrBlocks(const struct v3_ext_method * method,struct v3_ext_ctx * ctx,STACK_OF (CONF_VALUE)* values)942 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
943                               struct v3_ext_ctx *ctx,
944                               STACK_OF(CONF_VALUE) *values)
945 {
946     static const char v4addr_chars[] = "0123456789.";
947     static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
948     IPAddrBlocks *addr = NULL;
949     char *s = NULL, *t;
950     int i;
951 
952     if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
953         ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
954         return NULL;
955     }
956 
957     for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
958         CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
959         unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
960         unsigned afi, *safi = NULL, safi_;
961         const char *addr_chars = NULL;
962         int prefixlen, i1, i2, delim, length;
963 
964         if (!ossl_v3_name_cmp(val->name, "IPv4")) {
965             afi = IANA_AFI_IPV4;
966         } else if (!ossl_v3_name_cmp(val->name, "IPv6")) {
967             afi = IANA_AFI_IPV6;
968         } else if (!ossl_v3_name_cmp(val->name, "IPv4-SAFI")) {
969             afi = IANA_AFI_IPV4;
970             safi = &safi_;
971         } else if (!ossl_v3_name_cmp(val->name, "IPv6-SAFI")) {
972             afi = IANA_AFI_IPV6;
973             safi = &safi_;
974         } else {
975             ERR_raise_data(ERR_LIB_X509V3, X509V3_R_EXTENSION_NAME_ERROR,
976                            "%s", val->name);
977             goto err;
978         }
979 
980         switch (afi) {
981         case IANA_AFI_IPV4:
982             addr_chars = v4addr_chars;
983             break;
984         case IANA_AFI_IPV6:
985             addr_chars = v6addr_chars;
986             break;
987         }
988 
989         length = length_from_afi(afi);
990 
991         /*
992          * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
993          * the other input values.
994          */
995         if (safi != NULL) {
996             if (val->value == NULL) {
997                 ERR_raise(ERR_LIB_X509V3, X509V3_R_MISSING_VALUE);
998                 goto err;
999             }
1000             *safi = strtoul(val->value, &t, 0);
1001             t += strspn(t, " \t");
1002             if (*safi > 0xFF || *t++ != ':') {
1003                 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_SAFI);
1004                 X509V3_conf_add_error_name_value(val);
1005                 goto err;
1006             }
1007             t += strspn(t, " \t");
1008             s = OPENSSL_strdup(t);
1009         } else {
1010             s = OPENSSL_strdup(val->value);
1011         }
1012         if (s == NULL)
1013             goto err;
1014 
1015         /*
1016          * Check for inheritance.  Not worth additional complexity to
1017          * optimize this (seldom-used) case.
1018          */
1019         if (strcmp(s, "inherit") == 0) {
1020             if (!X509v3_addr_add_inherit(addr, afi, safi)) {
1021                 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_INHERITANCE);
1022                 X509V3_conf_add_error_name_value(val);
1023                 goto err;
1024             }
1025             OPENSSL_free(s);
1026             s = NULL;
1027             continue;
1028         }
1029 
1030         i1 = strspn(s, addr_chars);
1031         i2 = i1 + strspn(s + i1, " \t");
1032         delim = s[i2++];
1033         s[i1] = '\0';
1034 
1035         if (ossl_a2i_ipadd(min, s) != length) {
1036             ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_IPADDRESS);
1037             X509V3_conf_add_error_name_value(val);
1038             goto err;
1039         }
1040 
1041         switch (delim) {
1042         case '/':
1043             prefixlen = (int)strtoul(s + i2, &t, 10);
1044             if (t == s + i2
1045                     || *t != '\0'
1046                     || prefixlen > (length * 8)
1047                     || prefixlen < 0) {
1048                 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1049                 X509V3_conf_add_error_name_value(val);
1050                 goto err;
1051             }
1052             if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1053                 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1054                 goto err;
1055             }
1056             break;
1057         case '-':
1058             i1 = i2 + strspn(s + i2, " \t");
1059             i2 = i1 + strspn(s + i1, addr_chars);
1060             if (i1 == i2 || s[i2] != '\0') {
1061                 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1062                 X509V3_conf_add_error_name_value(val);
1063                 goto err;
1064             }
1065             if (ossl_a2i_ipadd(max, s + i1) != length) {
1066                 ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_IPADDRESS);
1067                 X509V3_conf_add_error_name_value(val);
1068                 goto err;
1069             }
1070             if (memcmp(min, max, length_from_afi(afi)) > 0) {
1071                 ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1072                 X509V3_conf_add_error_name_value(val);
1073                 goto err;
1074             }
1075             if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
1076                 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1077                 goto err;
1078             }
1079             break;
1080         case '\0':
1081             if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1082                 ERR_raise(ERR_LIB_X509V3, ERR_R_X509V3_LIB);
1083                 goto err;
1084             }
1085             break;
1086         default:
1087             ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
1088             X509V3_conf_add_error_name_value(val);
1089             goto err;
1090         }
1091 
1092         OPENSSL_free(s);
1093         s = NULL;
1094     }
1095 
1096     /*
1097      * Canonize the result, then we're done.
1098      */
1099     if (!X509v3_addr_canonize(addr))
1100         goto err;
1101     return addr;
1102 
1103  err:
1104     OPENSSL_free(s);
1105     sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1106     return NULL;
1107 }
1108 
1109 /*
1110  * OpenSSL dispatch
1111  */
1112 const X509V3_EXT_METHOD ossl_v3_addr = {
1113     NID_sbgp_ipAddrBlock,       /* nid */
1114     0,                          /* flags */
1115     ASN1_ITEM_ref(IPAddrBlocks), /* template */
1116     0, 0, 0, 0,                 /* old functions, ignored */
1117     0,                          /* i2s */
1118     0,                          /* s2i */
1119     0,                          /* i2v */
1120     v2i_IPAddrBlocks,           /* v2i */
1121     i2r_IPAddrBlocks,           /* i2r */
1122     0,                          /* r2i */
1123     NULL                        /* extension-specific data */
1124 };
1125 
1126 /*
1127  * Figure out whether extension sues inheritance.
1128  */
X509v3_addr_inherits(IPAddrBlocks * addr)1129 int X509v3_addr_inherits(IPAddrBlocks *addr)
1130 {
1131     int i;
1132 
1133     if (addr == NULL)
1134         return 0;
1135     for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1136         IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1137 
1138         if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1139             return 1;
1140     }
1141     return 0;
1142 }
1143 
1144 /*
1145  * Figure out whether parent contains child.
1146  */
addr_contains(IPAddressOrRanges * parent,IPAddressOrRanges * child,int length)1147 static int addr_contains(IPAddressOrRanges *parent,
1148                          IPAddressOrRanges *child, int length)
1149 {
1150     unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1151     unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1152     int p, c;
1153 
1154     if (child == NULL || parent == child)
1155         return 1;
1156     if (parent == NULL)
1157         return 0;
1158 
1159     p = 0;
1160     for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1161         if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1162                              c_min, c_max, length))
1163             return 0;
1164         for (;; p++) {
1165             if (p >= sk_IPAddressOrRange_num(parent))
1166                 return 0;
1167             if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1168                                  p_min, p_max, length))
1169                 return 0;
1170             if (memcmp(p_max, c_max, length) < 0)
1171                 continue;
1172             if (memcmp(p_min, c_min, length) > 0)
1173                 return 0;
1174             break;
1175         }
1176     }
1177 
1178     return 1;
1179 }
1180 
1181 /*
1182  * Test whether a is a subset of b.
1183  */
X509v3_addr_subset(IPAddrBlocks * a,IPAddrBlocks * b)1184 int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1185 {
1186     int i;
1187 
1188     if (a == NULL || a == b)
1189         return 1;
1190     if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
1191         return 0;
1192     (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1193     sk_IPAddressFamily_sort(b);
1194     /* Could sort a here too and get O(|a|) running time instead of O(|a| ln |b|) */
1195     for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1196         IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1197         int j = sk_IPAddressFamily_find(b, fa);
1198         IPAddressFamily *fb = sk_IPAddressFamily_value(b, j);
1199 
1200         if (fb == NULL)
1201             return 0;
1202         if (!IPAddressFamily_check_len(fa) || !IPAddressFamily_check_len(fb))
1203             return 0;
1204         if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1205                            fa->ipAddressChoice->u.addressesOrRanges,
1206                            length_from_afi(X509v3_addr_get_afi(fb))))
1207             return 0;
1208     }
1209     return 1;
1210 }
1211 
1212 /*
1213  * Validation error handling via callback.
1214  */
1215 # define validation_err(_err_)            \
1216     do {                                  \
1217         if (ctx != NULL) {                \
1218             ctx->error = _err_;           \
1219             ctx->error_depth = i;         \
1220             ctx->current_cert = x;        \
1221             rv = ctx->verify_cb(0, ctx);  \
1222         } else {                          \
1223             rv = 0;                       \
1224         }                                 \
1225         if (rv == 0)                      \
1226             goto done;                    \
1227     } while (0)
1228 
1229 /*
1230  * Core code for RFC 3779 2.3 path validation.
1231  *
1232  * Returns 1 for success, 0 on error.
1233  *
1234  * When returning 0, ctx->error MUST be set to an appropriate value other than
1235  * X509_V_OK.
1236  */
addr_validate_path_internal(X509_STORE_CTX * ctx,STACK_OF (X509)* chain,IPAddrBlocks * ext)1237 static int addr_validate_path_internal(X509_STORE_CTX *ctx,
1238                                        STACK_OF(X509) *chain,
1239                                        IPAddrBlocks *ext)
1240 {
1241     IPAddrBlocks *child = NULL;
1242     int i, j, ret = 0, rv;
1243     X509 *x;
1244 
1245     if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
1246             || !ossl_assert(ctx != NULL || ext != NULL)
1247             || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
1248         if (ctx != NULL)
1249             ctx->error = X509_V_ERR_UNSPECIFIED;
1250         return 0;
1251     }
1252 
1253     /*
1254      * Figure out where to start.  If we don't have an extension to
1255      * check, we're done.  Otherwise, check canonical form and
1256      * set up for walking up the chain.
1257      */
1258     if (ext != NULL) {
1259         i = -1;
1260         x = NULL;
1261     } else {
1262         i = 0;
1263         x = sk_X509_value(chain, i);
1264         if ((ext = x->rfc3779_addr) == NULL)
1265             return 1; /* Return success */
1266     }
1267     if (!X509v3_addr_is_canonical(ext))
1268         validation_err(X509_V_ERR_INVALID_EXTENSION);
1269     (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1270     if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1271         ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
1272         if (ctx != NULL)
1273             ctx->error = X509_V_ERR_OUT_OF_MEM;
1274         goto done;
1275     }
1276     sk_IPAddressFamily_sort(child);
1277 
1278     /*
1279      * Now walk up the chain.  No cert may list resources that its
1280      * parent doesn't list.
1281      */
1282     for (i++; i < sk_X509_num(chain); i++) {
1283         x = sk_X509_value(chain, i);
1284         if (!X509v3_addr_is_canonical(x->rfc3779_addr))
1285             validation_err(X509_V_ERR_INVALID_EXTENSION);
1286         if (x->rfc3779_addr == NULL) {
1287             for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1288                 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1289 
1290                 if (!IPAddressFamily_check_len(fc))
1291                     goto done;
1292 
1293                 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1294                     validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1295                     break;
1296                 }
1297             }
1298             continue;
1299         }
1300         (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
1301                                               IPAddressFamily_cmp);
1302         sk_IPAddressFamily_sort(x->rfc3779_addr);
1303         for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1304             IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1305             int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1306             IPAddressFamily *fp =
1307                 sk_IPAddressFamily_value(x->rfc3779_addr, k);
1308 
1309             if (fp == NULL) {
1310                 if (fc->ipAddressChoice->type ==
1311                     IPAddressChoice_addressesOrRanges) {
1312                     validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1313                     break;
1314                 }
1315                 continue;
1316             }
1317 
1318             if (!IPAddressFamily_check_len(fc) || !IPAddressFamily_check_len(fp))
1319                 goto done;
1320 
1321             if (fp->ipAddressChoice->type ==
1322                 IPAddressChoice_addressesOrRanges) {
1323                 if (fc->ipAddressChoice->type == IPAddressChoice_inherit
1324                     || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1325                                      fc->ipAddressChoice->u.addressesOrRanges,
1326                                      length_from_afi(X509v3_addr_get_afi(fc))))
1327                     (void)sk_IPAddressFamily_set(child, j, fp);
1328                 else
1329                     validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1330             }
1331         }
1332     }
1333 
1334     /*
1335      * Trust anchor can't inherit.
1336      */
1337     if (x->rfc3779_addr != NULL) {
1338         for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1339             IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
1340 
1341             if (!IPAddressFamily_check_len(fp))
1342                 goto done;
1343 
1344             if (fp->ipAddressChoice->type == IPAddressChoice_inherit
1345                 && sk_IPAddressFamily_find(child, fp) >= 0)
1346                 validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1347         }
1348     }
1349     ret = 1;
1350  done:
1351     sk_IPAddressFamily_free(child);
1352     return ret;
1353 }
1354 
1355 # undef validation_err
1356 
1357 /*
1358  * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1359  */
X509v3_addr_validate_path(X509_STORE_CTX * ctx)1360 int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1361 {
1362     if (ctx->chain == NULL
1363             || sk_X509_num(ctx->chain) == 0
1364             || ctx->verify_cb == NULL) {
1365         ctx->error = X509_V_ERR_UNSPECIFIED;
1366         return 0;
1367     }
1368     return addr_validate_path_internal(ctx, ctx->chain, NULL);
1369 }
1370 
1371 /*
1372  * RFC 3779 2.3 path validation of an extension.
1373  * Test whether chain covers extension.
1374  */
X509v3_addr_validate_resource_set(STACK_OF (X509)* chain,IPAddrBlocks * ext,int allow_inheritance)1375 int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1376                                       IPAddrBlocks *ext, int allow_inheritance)
1377 {
1378     if (ext == NULL)
1379         return 1;
1380     if (chain == NULL || sk_X509_num(chain) == 0)
1381         return 0;
1382     if (!allow_inheritance && X509v3_addr_inherits(ext))
1383         return 0;
1384     return addr_validate_path_internal(NULL, chain, ext);
1385 }
1386 
1387 #endif /* OPENSSL_NO_RFC3779 */
1388