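/*
 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Tests for X509v3 extension handling: the basicConstraints path length and,
 * unless OPENSSL_NO_RFC3779 is defined, the RFC 3779 resource extensions
 * (AS identifiers and IP address blocks). The RFC 3779 tests check subset
 * comparison, canonical prefix/range encoding, rejection of a malformed
 * addressFamily, and rejection of malformed sbgp-ipAddrBlock config values.
 */

#include <stdio.h>
#include <string.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include "internal/nelem.h"

#include "testutil.h"

/* Path of the PEM certificate given as the first test argument. */
static const char *infile;

/*
 * Load the certificate named by |infile| and check that its path length
 * constraint is 6.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_pathlen(void)
{
    X509 *x = NULL;
    BIO *b = NULL;
    int ret = 0;

    /* X509_get_pathlen() returns a long, so compare it as one. */
    if (!TEST_ptr(b = BIO_new_file(infile, "r"))
            || !TEST_ptr(x = PEM_read_bio_X509(b, NULL, NULL, NULL))
            || !TEST_long_eq(X509_get_pathlen(x), 6))
        goto end;

    ret = 1;

end:
    BIO_free(b);
    X509_free(x);
    return ret;
}

#ifndef OPENSSL_NO_RFC3779
/*
 * Exercise X509v3_asid_subset() with four AS identifier sets:
 *   asid1 = { 64496 }, asid2 = { 64497 }, asid3 = { 64496-64497 },
 *   asid4 = empty.
 * NULL and the empty set must be accepted as subsets of anything, and a
 * non-empty set must never be reported as a subset of NULL, of the empty set
 * or of a set that does not contain it.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_asid(void)
{
    ASN1_INTEGER *val1 = NULL, *val2 = NULL;
    ASIdentifiers *asid1 = ASIdentifiers_new(), *asid2 = ASIdentifiers_new(),
                  *asid3 = ASIdentifiers_new(), *asid4 = ASIdentifiers_new();
    int testresult = 0;

    /*
     * asid4 must be checked as well: if its allocation failed, the
     * "empty set" cases below would silently become NULL cases and still
     * pass, leaving the empty-set comparison untested.
     */
    if (!TEST_ptr(asid1)
            || !TEST_ptr(asid2)
            || !TEST_ptr(asid3)
            || !TEST_ptr(asid4))
        goto err;

    if (!TEST_ptr(val1 = ASN1_INTEGER_new())
            || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496)))
        goto err;

    if (!TEST_true(X509v3_asid_add_id_or_range(asid1, V3_ASID_ASNUM, val1, NULL)))
        goto err;

    /* val1 was handed to asid1; clear it so the cleanup does not free it. */
    val1 = NULL;
    if (!TEST_ptr(val2 = ASN1_INTEGER_new())
            || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497)))
        goto err;

    if (!TEST_true(X509v3_asid_add_id_or_range(asid2, V3_ASID_ASNUM, val2, NULL)))
        goto err;

    /* val2 was handed to asid2; clear it so the cleanup does not free it. */
    val2 = NULL;
    if (!TEST_ptr(val1 = ASN1_INTEGER_new())
            || !TEST_true(ASN1_INTEGER_set_int64(val1, 64496))
            || !TEST_ptr(val2 = ASN1_INTEGER_new())
            || !TEST_true(ASN1_INTEGER_set_int64(val2, 64497)))
        goto err;

    /*
     * Just tests V3_ASID_ASNUM for now. Could be extended at some point to also
     * test V3_ASID_RDI if we think it is worth it.
     */
    if (!TEST_true(X509v3_asid_add_id_or_range(asid3, V3_ASID_ASNUM, val1, val2)))
        goto err;
    val1 = val2 = NULL;

    /* Actual subsets */
    if (!TEST_true(X509v3_asid_subset(NULL, NULL))
            || !TEST_true(X509v3_asid_subset(NULL, asid1))
            || !TEST_true(X509v3_asid_subset(asid1, asid1))
            || !TEST_true(X509v3_asid_subset(asid2, asid2))
            || !TEST_true(X509v3_asid_subset(asid1, asid3))
            || !TEST_true(X509v3_asid_subset(asid2, asid3))
            || !TEST_true(X509v3_asid_subset(asid3, asid3))
            || !TEST_true(X509v3_asid_subset(asid4, asid1))
            || !TEST_true(X509v3_asid_subset(asid4, asid2))
            || !TEST_true(X509v3_asid_subset(asid4, asid3)))
        goto err;

    /* Not subsets */
    if (!TEST_false(X509v3_asid_subset(asid1, NULL))
            || !TEST_false(X509v3_asid_subset(asid1, asid2))
            || !TEST_false(X509v3_asid_subset(asid2, asid1))
            || !TEST_false(X509v3_asid_subset(asid3, asid1))
            || !TEST_false(X509v3_asid_subset(asid3, asid2))
            || !TEST_false(X509v3_asid_subset(asid1, asid4))
            || !TEST_false(X509v3_asid_subset(asid2, asid4))
            || !TEST_false(X509v3_asid_subset(asid3, asid4)))
        goto err;

    testresult = 1;
err:
    ASN1_INTEGER_free(val1);
    ASN1_INTEGER_free(val2);
    ASIdentifiers_free(asid1);
    ASIdentifiers_free(asid2);
    ASIdentifiers_free(asid3);
    ASIdentifiers_free(asid4);
    return testresult;
}

/*
 * Address ranges [ip1, ip2] and the encoding each one is expected to have
 * after X509v3_addr_add_range(): a range that lines up with a CIDR block
 * must come out as a prefix, anything else as an explicit range.
 */
static struct ip_ranges_st {
    const unsigned int afi;
    const char *ip1;
    const char *ip2;
    int rorp;
} ranges[] = {
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.1", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.2", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.3", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.254", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.0.255", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.0.1", "192.168.0.255", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV4, "192.168.0.1", "192.168.0.1", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.0.0", "192.168.255.255", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV4, "192.168.1.0", "192.168.255.255", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::1", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::2", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::3", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::fffe", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV6, "2001:0db8::0", "2001:0db8::ffff", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::1", "2001:0db8::ffff", IPAddressOrRange_addressRange},
    { IANA_AFI_IPV6, "2001:0db8::1", "2001:0db8::1", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::0:0", "2001:0db8::ffff:ffff", IPAddressOrRange_addressPrefix},
    { IANA_AFI_IPV6, "2001:0db8::1:0", "2001:0db8::ffff:ffff", IPAddressOrRange_addressRange}
};

/*
 * Check that |addr| holds exactly one address family of the
 * addressesOrRanges kind, containing exactly one element whose type
 * (prefix or range) equals |type|.
 *
 * Returns 1 if every check passes, 0 otherwise.
 */
static int check_addr(IPAddrBlocks *addr, int type)
{
    IPAddressFamily *fam;
    IPAddressOrRange *aorr;

    if (!TEST_int_eq(sk_IPAddressFamily_num(addr), 1))
        return 0;

    fam = sk_IPAddressFamily_value(addr, 0);
    if (!TEST_ptr(fam))
        return 0;

    if (!TEST_int_eq(fam->ipAddressChoice->type, IPAddressChoice_addressesOrRanges))
        return 0;

    if (!TEST_int_eq(sk_IPAddressOrRange_num(fam->ipAddressChoice->u.addressesOrRanges), 1))
        return 0;

    aorr = sk_IPAddressOrRange_value(fam->ipAddressChoice->u.addressesOrRanges, 0);
    if (!TEST_ptr(aorr))
        return 0;

    if (!TEST_int_eq(aorr->type, type))
        return 0;

    return 1;
}

/*
 * For every entry of |ranges|, add the range to a fresh IPAddrBlocks and
 * check that the result is canonical and encoded as the expected prefix or
 * range.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_addr_ranges(void)
{
    IPAddrBlocks *addr = NULL;
    ASN1_OCTET_STRING *ip1 = NULL, *ip2 = NULL;
    size_t i;
    int testresult = 0;

    for (i = 0; i < OSSL_NELEM(ranges); i++) {
        addr = sk_IPAddressFamily_new_null();
        if (!TEST_ptr(addr))
            goto end;
        /*
         * Has the side effect of installing the comparison function onto the
         * stack.
         */
        if (!TEST_true(X509v3_addr_canonize(addr)))
            goto end;

        /*
         * Sanity-check the table entry before its raw bytes are passed on:
         * both addresses must parse, have the same IPv4/IPv6 length, and be
         * ordered ip1 <= ip2.
         */
        ip1 = a2i_IPADDRESS(ranges[i].ip1);
        if (!TEST_ptr(ip1))
            goto end;
        if (!TEST_true(ip1->length == 4 || ip1->length == 16))
            goto end;
        ip2 = a2i_IPADDRESS(ranges[i].ip2);
        if (!TEST_ptr(ip2))
            goto end;
        if (!TEST_int_eq(ip2->length, ip1->length))
            goto end;
        if (!TEST_true(memcmp(ip1->data, ip2->data, ip1->length) <= 0))
            goto end;

        if (!TEST_true(X509v3_addr_add_range(addr, ranges[i].afi, NULL, ip1->data, ip2->data)))
            goto end;

        if (!TEST_true(X509v3_addr_is_canonical(addr)))
            goto end;

        if (!check_addr(addr, ranges[i].rorp))
            goto end;

        /* Reset to NULL so the cleanup at |end| cannot free these twice. */
        sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
        addr = NULL;
        ASN1_OCTET_STRING_free(ip1);
        ASN1_OCTET_STRING_free(ip2);
        ip1 = ip2 = NULL;
    }

    testresult = 1;
end:
    sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
    ASN1_OCTET_STRING_free(ip1);
    ASN1_OCTET_STRING_free(ip2);
    return testresult;
}

/*
 * Check that X509v3_addr_canonize() rejects an IPAddrBlocks containing an
 * IPAddressFamily whose addressFamily field is too long (6 bytes here;
 * RFC 3779 allows a 2-byte AFI plus an optional 1-byte SAFI), and accepts
 * the stack again once that element is replaced by a 3-byte one.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_addr_fam_len(void)
{
    int testresult = 0;
    IPAddrBlocks *addr = NULL;
    IPAddressFamily *f1 = NULL;
    ASN1_OCTET_STRING *ip1 = NULL, *ip2 = NULL;
    unsigned char key[6];
    unsigned int keylen;
    unsigned afi = IANA_AFI_IPV4;

    /* Create the IPAddrBlocks with a good IPAddressFamily */
    addr = sk_IPAddressFamily_new_null();
    if (!TEST_ptr(addr))
        goto end;
    ip1 = a2i_IPADDRESS(ranges[0].ip1);
    if (!TEST_ptr(ip1))
        goto end;
    ip2 = a2i_IPADDRESS(ranges[0].ip2);
    if (!TEST_ptr(ip2))
        goto end;
    if (!TEST_true(X509v3_addr_add_range(addr, ranges[0].afi, NULL, ip1->data, ip2->data)))
        goto end;
    if (!TEST_true(X509v3_addr_is_canonical(addr)))
        goto end;

    /* Create our malformed IPAddressFamily */
    key[0] = (afi >> 8) & 0xFF;
    key[1] = afi & 0xFF;
    key[2] = 0xD;
    key[3] = 0xE;
    key[4] = 0xA;
    key[5] = 0xD;
    keylen = 6;
    if (!TEST_ptr(f1 = IPAddressFamily_new()))
        goto end;
    if (f1->ipAddressChoice == NULL
            && !TEST_ptr(f1->ipAddressChoice = IPAddressChoice_new()))
        goto end;
    if (f1->addressFamily == NULL
            && !TEST_ptr(f1->addressFamily = ASN1_OCTET_STRING_new()))
        goto end;
    if (!TEST_true(ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen)))
        goto end;
    if (!TEST_true(sk_IPAddressFamily_push(addr, f1)))
        goto end;
    /* The stack owns the element now; the cleanup must not free it again. */
    f1 = NULL;

    /* Shouldn't be able to canonize this as the len is > 3*/
    if (!TEST_false(X509v3_addr_canonize(addr)))
        goto end;

    /*
     * Pop and free the malformed element.
     * NOTE(review): assumes the failed canonize call left the stack order
     * unchanged, so the element popped is the one pushed above.
     */
    IPAddressFamily_free(sk_IPAddressFamily_pop(addr));

    /* Create a well formed IPAddressFamily */
    key[0] = (afi >> 8) & 0xFF;
    key[1] = afi & 0xFF;
    key[2] = 0x1;
    keylen = 3;
    if (!TEST_ptr(f1 = IPAddressFamily_new()))
        goto end;
    if (f1->ipAddressChoice == NULL
            && !TEST_ptr(f1->ipAddressChoice = IPAddressChoice_new()))
        goto end;
    if (f1->addressFamily == NULL
            && !TEST_ptr(f1->addressFamily = ASN1_OCTET_STRING_new()))
        goto end;
    if (!TEST_true(ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen)))
        goto end;

    /* Mark this as inheritance so we skip some of the is_canonize checks */
    f1->ipAddressChoice->type = IPAddressChoice_inherit;
    if (!TEST_true(sk_IPAddressFamily_push(addr, f1)))
        goto end;
    /* Ownership transferred to the stack. */
    f1 = NULL;

    /* Should be able to canonize now */
    if (!TEST_true(X509v3_addr_canonize(addr)))
        goto end;

    testresult = 1;
end:
    /*
     * Free an element that was built but never pushed (f1 is NULL once the
     * stack owns it); without this every early exit above leaked it.
     */
    IPAddressFamily_free(f1);
    sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
    ASN1_OCTET_STRING_free(ip1);
    ASN1_OCTET_STRING_free(ip2);
    return testresult;
}

/*
 * sbgp-ipAddrBlock configuration values and whether the extension parser is
 * expected to accept (pass = 1) or reject (pass = 0) each of them.
 */
static struct extvalues_st {
    const char *value;
    int pass;
} extvalues[] = {
    /* No prefix is ok */
    { "sbgp-ipAddrBlock = IPv4:192.0.0.1\n", 1 },
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/0\n", 1 },
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/1\n", 1 },
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/32\n", 1 },
    /* Prefix is too long */
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/33\n", 0 },
    /* Unreasonably large prefix */
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0/12341234\n", 0 },
    /* Invalid IP addresses */
    { "sbgp-ipAddrBlock = IPv4:192.0.0\n", 0 },
    { "sbgp-ipAddrBlock = IPv4:256.0.0.0\n", 0 },
    { "sbgp-ipAddrBlock = IPv4:-1.0.0.0\n", 0 },
    { "sbgp-ipAddrBlock = IPv4:192.0.0.0.0\n", 0 },
    { "sbgp-ipAddrBlock = IPv3:192.0.0.0\n", 0 },

    /* IPv6 */
    /* No prefix is ok */
    { "sbgp-ipAddrBlock = IPv6:2001:db8::\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001::db8\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/0\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/1\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/32\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000/32\n", 1 },
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/128\n", 1 },
    /* Prefix is too long */
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/129\n", 0 },
    /* Unreasonably large prefix */
    { "sbgp-ipAddrBlock = IPv6:2001:db8::/12341234\n", 0 },
    /* Invalid IP addresses */
    /* Not enough blocks of numbers */
    { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000\n", 0 },
    /* Too many blocks of numbers */
    { "sbgp-ipAddrBlock = IPv6:2001:0db8:0000:0000:0000:0000:0000:0000:0000\n", 0 },
    /* First value too large */
    { "sbgp-ipAddrBlock = IPv6:1ffff:0db8:0000:0000:0000:0000:0000:0000\n", 0 },
    /* First value with invalid characters */
    { "sbgp-ipAddrBlock = IPv6:fffg:0db8:0000:0000:0000:0000:0000:0000\n", 0 },
    /* First value is negative */
    { "sbgp-ipAddrBlock = IPv6:-1:0db8:0000:0000:0000:0000:0000:0000\n", 0 }
};

/*
 * Load each |extvalues| entry as a one-line configuration and check that
 * X509V3_EXT_add_nconf() accepts or rejects it as the table says. A
 * mismatch does not stop the loop, so every failing value is reported.
 *
 * Returns 1 if every entry behaved as expected, 0 otherwise.
 */
static int test_ext_syntax(void)
{
    size_t i;
    int testresult = 1;

    for (i = 0; i < OSSL_NELEM(extvalues); i++) {
        X509V3_CTX ctx;
        BIO *extbio = BIO_new_mem_buf(extvalues[i].value,
                                      strlen(extvalues[i].value));
        CONF *conf;
        long eline;

        if (!TEST_ptr(extbio))
            return 0;

        conf = NCONF_new_ex(NULL, NULL);
        if (!TEST_ptr(conf)) {
            BIO_free(extbio);
            return 0;
        }
        if (!TEST_long_gt(NCONF_load_bio(conf, extbio, &eline), 0)) {
            testresult = 0;
        } else {
            X509V3_set_ctx_test(&ctx);
            X509V3_set_nconf(&ctx, conf);

            if (extvalues[i].pass) {
                if (!TEST_true(X509V3_EXT_add_nconf(conf, &ctx, "default",
                                                    NULL))) {
                    TEST_info("Value: %s", extvalues[i].value);
                    testresult = 0;
                }
            } else {
                /*
                 * A rejection is the expected outcome here, so the errors
                 * it raises are popped off the error queue; they are kept
                 * only when the value was wrongly accepted.
                 */
                ERR_set_mark();
                if (!TEST_false(X509V3_EXT_add_nconf(conf, &ctx, "default",
                                                     NULL))) {
                    testresult = 0;
                    TEST_info("Value: %s", extvalues[i].value);
                    ERR_clear_last_mark();
                } else {
                    ERR_pop_to_mark();
                }
            }
        }
        BIO_free(extbio);
        NCONF_free(conf);
    }

    return testresult;
}

/*
 * Exercise X509v3_addr_subset() with the first three |ranges| entries,
 * which are nested (192.168.0.0-.1, -.2 and -.3), plus NULL and an empty
 * IPAddrBlocks. NULL and the empty set must be subsets of anything; a
 * non-empty set must not be a subset of NULL, of the empty set or of a
 * smaller range.
 *
 * Returns 1 on success, 0 on failure.
 */
static int test_addr_subset(void)
{
    int i;
    int ret = 0;
    IPAddrBlocks *addrEmpty = NULL;
    IPAddrBlocks *addr[3] = { NULL, NULL };
    ASN1_OCTET_STRING *ip1[3] = { NULL, NULL };
    ASN1_OCTET_STRING *ip2[3] = { NULL, NULL };
    int sz = OSSL_NELEM(addr);

    for (i = 0; i < sz; ++i) {
        /* Create the IPAddrBlocks with a good IPAddressFamily */
        if (!TEST_ptr(addr[i] = sk_IPAddressFamily_new_null())
                || !TEST_ptr(ip1[i] = a2i_IPADDRESS(ranges[i].ip1))
                || !TEST_ptr(ip2[i] = a2i_IPADDRESS(ranges[i].ip2))
                || !TEST_true(X509v3_addr_add_range(addr[i], ranges[i].afi, NULL,
                                                    ip1[i]->data, ip2[i]->data)))
            goto end;
    }

    ret = TEST_ptr(addrEmpty = sk_IPAddressFamily_new_null())
          && TEST_true(X509v3_addr_subset(NULL, NULL))
          && TEST_true(X509v3_addr_subset(NULL, addr[0]))
          && TEST_true(X509v3_addr_subset(addrEmpty, addr[0]))
          && TEST_true(X509v3_addr_subset(addr[0], addr[0]))
          && TEST_true(X509v3_addr_subset(addr[0], addr[1]))
          && TEST_true(X509v3_addr_subset(addr[0], addr[2]))
          && TEST_true(X509v3_addr_subset(addr[1], addr[2]))
          && TEST_false(X509v3_addr_subset(addr[0], NULL))
          && TEST_false(X509v3_addr_subset(addr[1], addr[0]))
          && TEST_false(X509v3_addr_subset(addr[2], addr[1]))
          && TEST_false(X509v3_addr_subset(addr[0], addrEmpty));
end:
    sk_IPAddressFamily_pop_free(addrEmpty, IPAddressFamily_free);
    for (i = 0; i < sz; ++i) {
        sk_IPAddressFamily_pop_free(addr[i], IPAddressFamily_free);
        ASN1_OCTET_STRING_free(ip1[i]);
        ASN1_OCTET_STRING_free(ip2[i]);
    }
    return ret;
}

#endif /* OPENSSL_NO_RFC3779 */

OPT_TEST_DECLARE_USAGE("cert.pem\n")

/*
 * Test harness entry point: read the certificate path from the first
 * argument and register the tests. The RFC 3779 tests are registered only
 * when that support is compiled in.
 *
 * Returns 1 on success, 0 if the options or the argument are missing.
 */
int setup_tests(void)
{
    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    if (!TEST_ptr(infile = test_get_argument(0)))
        return 0;

    ADD_TEST(test_pathlen);
#ifndef OPENSSL_NO_RFC3779
    ADD_TEST(test_asid);
    ADD_TEST(test_addr_ranges);
    ADD_TEST(test_ext_syntax);
    ADD_TEST(test_addr_fam_len);
    ADD_TEST(test_addr_subset);
#endif /* OPENSSL_NO_RFC3779 */
    return 1;
}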