v3_addr.c revision 306195
1/* 2 * Contributed to the OpenSSL Project by the American Registry for 3 * Internet Numbers ("ARIN"). 4 */ 5/* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 */ 57 58/* 59 * Implementation of RFC 3779 section 2.2. 60 */ 61 62#include <stdio.h> 63#include <stdlib.h> 64 65#include "cryptlib.h" 66#include <openssl/conf.h> 67#include <openssl/asn1.h> 68#include <openssl/asn1t.h> 69#include <openssl/buffer.h> 70#include <openssl/x509v3.h> 71 72#ifndef OPENSSL_NO_RFC3779 73 74/* 75 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 76 */ 77 78ASN1_SEQUENCE(IPAddressRange) = { 79 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), 80 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) 81} ASN1_SEQUENCE_END(IPAddressRange) 82 83ASN1_CHOICE(IPAddressOrRange) = { 84 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), 85 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) 86} ASN1_CHOICE_END(IPAddressOrRange) 87 88ASN1_CHOICE(IPAddressChoice) = { 89 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), 90 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) 91} ASN1_CHOICE_END(IPAddressChoice) 92 93ASN1_SEQUENCE(IPAddressFamily) = { 94 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), 95 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) 96} ASN1_SEQUENCE_END(IPAddressFamily) 97 98ASN1_ITEM_TEMPLATE(IPAddrBlocks) = 99 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, 100 IPAddrBlocks, IPAddressFamily) 101ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) 102 103IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) 104IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) 105IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice) 106IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) 107 108/* 109 * How much buffer space do we need for a raw address? 110 */ 111# define ADDR_RAW_BUF_LEN 16 112 113/* 114 * What's the address length associated with this AFI? 115 */ 116static int length_from_afi(const unsigned afi) 117{ 118 switch (afi) { 119 case IANA_AFI_IPV4: 120 return 4; 121 case IANA_AFI_IPV6: 122 return 16; 123 default: 124 return 0; 125 } 126} 127 128/* 129 * Extract the AFI from an IPAddressFamily. 130 */ 131unsigned int v3_addr_get_afi(const IPAddressFamily *f) 132{ 133 return ((f != NULL && 134 f->addressFamily != NULL && f->addressFamily->data != NULL) 135 ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) 136 : 0); 137} 138 139/* 140 * Expand the bitstring form of an address into a raw byte array. 141 * At the moment this is coded for simplicity, not speed. 142 */ 143static int addr_expand(unsigned char *addr, 144 const ASN1_BIT_STRING *bs, 145 const int length, const unsigned char fill) 146{ 147 if (bs->length < 0 || bs->length > length) 148 return 0; 149 if (bs->length > 0) { 150 memcpy(addr, bs->data, bs->length); 151 if ((bs->flags & 7) != 0) { 152 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 153 if (fill == 0) 154 addr[bs->length - 1] &= ~mask; 155 else 156 addr[bs->length - 1] |= mask; 157 } 158 } 159 memset(addr + bs->length, fill, length - bs->length); 160 return 1; 161} 162 163/* 164 * Extract the prefix length from a bitstring. 165 */ 166# define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 167 168/* 169 * i2r handler for one address bitstring. 170 */ 171static int i2r_address(BIO *out, 172 const unsigned afi, 173 const unsigned char fill, const ASN1_BIT_STRING *bs) 174{ 175 unsigned char addr[ADDR_RAW_BUF_LEN]; 176 int i, n; 177 178 if (bs->length < 0) 179 return 0; 180 switch (afi) { 181 case IANA_AFI_IPV4: 182 if (!addr_expand(addr, bs, 4, fill)) 183 return 0; 184 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 185 break; 186 case IANA_AFI_IPV6: 187 if (!addr_expand(addr, bs, 16, fill)) 188 return 0; 189 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; 190 n -= 2) ; 191 for (i = 0; i < n; i += 2) 192 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 193 (i < 14 ? ":" : "")); 194 if (i < 16) 195 BIO_puts(out, ":"); 196 if (i == 0) 197 BIO_puts(out, ":"); 198 break; 199 default: 200 for (i = 0; i < bs->length; i++) 201 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); 202 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 203 break; 204 } 205 return 1; 206} 207 208/* 209 * i2r handler for a sequence of addresses and ranges. 210 */ 211static int i2r_IPAddressOrRanges(BIO *out, 212 const int indent, 213 const IPAddressOrRanges *aors, 214 const unsigned afi) 215{ 216 int i; 217 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 218 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 219 BIO_printf(out, "%*s", indent, ""); 220 switch (aor->type) { 221 case IPAddressOrRange_addressPrefix: 222 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 223 return 0; 224 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); 225 continue; 226 case IPAddressOrRange_addressRange: 227 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) 228 return 0; 229 BIO_puts(out, "-"); 230 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) 231 return 0; 232 BIO_puts(out, "\n"); 233 continue; 234 } 235 } 236 return 1; 237} 238 239/* 240 * i2r handler for an IPAddrBlocks extension. 241 */ 242static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, 243 void *ext, BIO *out, int indent) 244{ 245 const IPAddrBlocks *addr = ext; 246 int i; 247 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 248 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 249 const unsigned int afi = v3_addr_get_afi(f); 250 switch (afi) { 251 case IANA_AFI_IPV4: 252 BIO_printf(out, "%*sIPv4", indent, ""); 253 break; 254 case IANA_AFI_IPV6: 255 BIO_printf(out, "%*sIPv6", indent, ""); 256 break; 257 default: 258 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 259 break; 260 } 261 if (f->addressFamily->length > 2) { 262 switch (f->addressFamily->data[2]) { 263 case 1: 264 BIO_puts(out, " (Unicast)"); 265 break; 266 case 2: 267 BIO_puts(out, " (Multicast)"); 268 break; 269 case 3: 270 BIO_puts(out, " (Unicast/Multicast)"); 271 break; 272 case 4: 273 BIO_puts(out, " (MPLS)"); 274 break; 275 case 64: 276 BIO_puts(out, " (Tunnel)"); 277 break; 278 case 65: 279 BIO_puts(out, " (VPLS)"); 280 break; 281 case 66: 282 BIO_puts(out, " (BGP MDT)"); 283 break; 284 case 128: 285 BIO_puts(out, " (MPLS-labeled VPN)"); 286 break; 287 default: 288 BIO_printf(out, " (Unknown SAFI %u)", 289 (unsigned)f->addressFamily->data[2]); 290 break; 291 } 292 } 293 switch (f->ipAddressChoice->type) { 294 case IPAddressChoice_inherit: 295 BIO_puts(out, ": inherit\n"); 296 break; 297 case IPAddressChoice_addressesOrRanges: 298 BIO_puts(out, ":\n"); 299 if (!i2r_IPAddressOrRanges(out, 300 indent + 2, 301 f->ipAddressChoice-> 302 u.addressesOrRanges, afi)) 303 return 0; 304 break; 305 } 306 } 307 return 1; 308} 309 310/* 311 * Sort comparison function for a sequence of IPAddressOrRange 312 * elements. 313 * 314 * There's no sane answer we can give if addr_expand() fails, and an 315 * assertion failure on externally supplied data is seriously uncool, 316 * so we just arbitrarily declare that if given invalid inputs this 317 * function returns -1. If this messes up your preferred sort order 318 * for garbage input, tough noogies. 319 */ 320static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 321 const IPAddressOrRange *b, const int length) 322{ 323 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 324 int prefixlen_a = 0, prefixlen_b = 0; 325 int r; 326 327 switch (a->type) { 328 case IPAddressOrRange_addressPrefix: 329 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 330 return -1; 331 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 332 break; 333 case IPAddressOrRange_addressRange: 334 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 335 return -1; 336 prefixlen_a = length * 8; 337 break; 338 } 339 340 switch (b->type) { 341 case IPAddressOrRange_addressPrefix: 342 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 343 return -1; 344 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 345 break; 346 case IPAddressOrRange_addressRange: 347 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 348 return -1; 349 prefixlen_b = length * 8; 350 break; 351 } 352 353 if ((r = memcmp(addr_a, addr_b, length)) != 0) 354 return r; 355 else 356 return prefixlen_a - prefixlen_b; 357} 358 359/* 360 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 361 * comparision routines are only allowed two arguments. 362 */ 363static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 364 const IPAddressOrRange *const *b) 365{ 366 return IPAddressOrRange_cmp(*a, *b, 4); 367} 368 369/* 370 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 371 * comparision routines are only allowed two arguments. 372 */ 373static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 374 const IPAddressOrRange *const *b) 375{ 376 return IPAddressOrRange_cmp(*a, *b, 16); 377} 378 379/* 380 * Calculate whether a range collapses to a prefix. 381 * See last paragraph of RFC 3779 2.2.3.7. 382 */ 383static int range_should_be_prefix(const unsigned char *min, 384 const unsigned char *max, const int length) 385{ 386 unsigned char mask; 387 int i, j; 388 389 OPENSSL_assert(memcmp(min, max, length) <= 0); 390 for (i = 0; i < length && min[i] == max[i]; i++) ; 391 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; 392 if (i < j) 393 return -1; 394 if (i > j) 395 return i * 8; 396 mask = min[i] ^ max[i]; 397 switch (mask) { 398 case 0x01: 399 j = 7; 400 break; 401 case 0x03: 402 j = 6; 403 break; 404 case 0x07: 405 j = 5; 406 break; 407 case 0x0F: 408 j = 4; 409 break; 410 case 0x1F: 411 j = 3; 412 break; 413 case 0x3F: 414 j = 2; 415 break; 416 case 0x7F: 417 j = 1; 418 break; 419 default: 420 return -1; 421 } 422 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 423 return -1; 424 else 425 return i * 8 + j; 426} 427 428/* 429 * Construct a prefix. 430 */ 431static int make_addressPrefix(IPAddressOrRange **result, 432 unsigned char *addr, const int prefixlen) 433{ 434 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 435 IPAddressOrRange *aor = IPAddressOrRange_new(); 436 437 if (aor == NULL) 438 return 0; 439 aor->type = IPAddressOrRange_addressPrefix; 440 if (aor->u.addressPrefix == NULL && 441 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 442 goto err; 443 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 444 goto err; 445 aor->u.addressPrefix->flags &= ~7; 446 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 447 if (bitlen > 0) { 448 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 449 aor->u.addressPrefix->flags |= 8 - bitlen; 450 } 451 452 *result = aor; 453 return 1; 454 455 err: 456 IPAddressOrRange_free(aor); 457 return 0; 458} 459 460/* 461 * Construct a range. If it can be expressed as a prefix, 462 * return a prefix instead. Doing this here simplifies 463 * the rest of the code considerably. 464 */ 465static int make_addressRange(IPAddressOrRange **result, 466 unsigned char *min, 467 unsigned char *max, const int length) 468{ 469 IPAddressOrRange *aor; 470 int i, prefixlen; 471 472 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 473 return make_addressPrefix(result, min, prefixlen); 474 475 if ((aor = IPAddressOrRange_new()) == NULL) 476 return 0; 477 aor->type = IPAddressOrRange_addressRange; 478 OPENSSL_assert(aor->u.addressRange == NULL); 479 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 480 goto err; 481 if (aor->u.addressRange->min == NULL && 482 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 483 goto err; 484 if (aor->u.addressRange->max == NULL && 485 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 486 goto err; 487 488 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ; 489 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 490 goto err; 491 aor->u.addressRange->min->flags &= ~7; 492 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 493 if (i > 0) { 494 unsigned char b = min[i - 1]; 495 int j = 1; 496 while ((b & (0xFFU >> j)) != 0) 497 ++j; 498 aor->u.addressRange->min->flags |= 8 - j; 499 } 500 501 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ; 502 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 503 goto err; 504 aor->u.addressRange->max->flags &= ~7; 505 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 506 if (i > 0) { 507 unsigned char b = max[i - 1]; 508 int j = 1; 509 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 510 ++j; 511 aor->u.addressRange->max->flags |= 8 - j; 512 } 513 514 *result = aor; 515 return 1; 516 517 err: 518 IPAddressOrRange_free(aor); 519 return 0; 520} 521 522/* 523 * Construct a new address family or find an existing one. 524 */ 525static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 526 const unsigned afi, 527 const unsigned *safi) 528{ 529 IPAddressFamily *f; 530 unsigned char key[3]; 531 unsigned keylen; 532 int i; 533 534 key[0] = (afi >> 8) & 0xFF; 535 key[1] = afi & 0xFF; 536 if (safi != NULL) { 537 key[2] = *safi & 0xFF; 538 keylen = 3; 539 } else { 540 keylen = 2; 541 } 542 543 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 544 f = sk_IPAddressFamily_value(addr, i); 545 OPENSSL_assert(f->addressFamily->data != NULL); 546 if (f->addressFamily->length == keylen && 547 !memcmp(f->addressFamily->data, key, keylen)) 548 return f; 549 } 550 551 if ((f = IPAddressFamily_new()) == NULL) 552 goto err; 553 if (f->ipAddressChoice == NULL && 554 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 555 goto err; 556 if (f->addressFamily == NULL && 557 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 558 goto err; 559 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 560 goto err; 561 if (!sk_IPAddressFamily_push(addr, f)) 562 goto err; 563 564 return f; 565 566 err: 567 IPAddressFamily_free(f); 568 return NULL; 569} 570 571/* 572 * Add an inheritance element. 573 */ 574int v3_addr_add_inherit(IPAddrBlocks *addr, 575 const unsigned afi, const unsigned *safi) 576{ 577 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 578 if (f == NULL || 579 f->ipAddressChoice == NULL || 580 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 581 f->ipAddressChoice->u.addressesOrRanges != NULL)) 582 return 0; 583 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 584 f->ipAddressChoice->u.inherit != NULL) 585 return 1; 586 if (f->ipAddressChoice->u.inherit == NULL && 587 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 588 return 0; 589 f->ipAddressChoice->type = IPAddressChoice_inherit; 590 return 1; 591} 592 593/* 594 * Construct an IPAddressOrRange sequence, or return an existing one. 595 */ 596static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, 597 const unsigned afi, 598 const unsigned *safi) 599{ 600 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 601 IPAddressOrRanges *aors = NULL; 602 603 if (f == NULL || 604 f->ipAddressChoice == NULL || 605 (f->ipAddressChoice->type == IPAddressChoice_inherit && 606 f->ipAddressChoice->u.inherit != NULL)) 607 return NULL; 608 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 609 aors = f->ipAddressChoice->u.addressesOrRanges; 610 if (aors != NULL) 611 return aors; 612 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 613 return NULL; 614 switch (afi) { 615 case IANA_AFI_IPV4: 616 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 617 break; 618 case IANA_AFI_IPV6: 619 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 620 break; 621 } 622 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 623 f->ipAddressChoice->u.addressesOrRanges = aors; 624 return aors; 625} 626 627/* 628 * Add a prefix. 629 */ 630int v3_addr_add_prefix(IPAddrBlocks *addr, 631 const unsigned afi, 632 const unsigned *safi, 633 unsigned char *a, const int prefixlen) 634{ 635 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 636 IPAddressOrRange *aor; 637 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 638 return 0; 639 if (sk_IPAddressOrRange_push(aors, aor)) 640 return 1; 641 IPAddressOrRange_free(aor); 642 return 0; 643} 644 645/* 646 * Add a range. 647 */ 648int v3_addr_add_range(IPAddrBlocks *addr, 649 const unsigned afi, 650 const unsigned *safi, 651 unsigned char *min, unsigned char *max) 652{ 653 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 654 IPAddressOrRange *aor; 655 int length = length_from_afi(afi); 656 if (aors == NULL) 657 return 0; 658 if (!make_addressRange(&aor, min, max, length)) 659 return 0; 660 if (sk_IPAddressOrRange_push(aors, aor)) 661 return 1; 662 IPAddressOrRange_free(aor); 663 return 0; 664} 665 666/* 667 * Extract min and max values from an IPAddressOrRange. 668 */ 669static int extract_min_max(IPAddressOrRange *aor, 670 unsigned char *min, unsigned char *max, int length) 671{ 672 if (aor == NULL || min == NULL || max == NULL) 673 return 0; 674 switch (aor->type) { 675 case IPAddressOrRange_addressPrefix: 676 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 677 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 678 case IPAddressOrRange_addressRange: 679 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && 680 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 681 } 682 return 0; 683} 684 685/* 686 * Public wrapper for extract_min_max(). 687 */ 688int v3_addr_get_range(IPAddressOrRange *aor, 689 const unsigned afi, 690 unsigned char *min, 691 unsigned char *max, const int length) 692{ 693 int afi_length = length_from_afi(afi); 694 if (aor == NULL || min == NULL || max == NULL || 695 afi_length == 0 || length < afi_length || 696 (aor->type != IPAddressOrRange_addressPrefix && 697 aor->type != IPAddressOrRange_addressRange) || 698 !extract_min_max(aor, min, max, afi_length)) 699 return 0; 700 701 return afi_length; 702} 703 704/* 705 * Sort comparision function for a sequence of IPAddressFamily. 706 * 707 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 708 * the ordering: I can read it as meaning that IPv6 without a SAFI 709 * comes before IPv4 with a SAFI, which seems pretty weird. The 710 * examples in appendix B suggest that the author intended the 711 * null-SAFI rule to apply only within a single AFI, which is what I 712 * would have expected and is what the following code implements. 713 */ 714static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, 715 const IPAddressFamily *const *b_) 716{ 717 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 718 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 719 int len = ((a->length <= b->length) ? a->length : b->length); 720 int cmp = memcmp(a->data, b->data, len); 721 return cmp ? cmp : a->length - b->length; 722} 723 724/* 725 * Check whether an IPAddrBLocks is in canonical form. 726 */ 727int v3_addr_is_canonical(IPAddrBlocks *addr) 728{ 729 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 730 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 731 IPAddressOrRanges *aors; 732 int i, j, k; 733 734 /* 735 * Empty extension is cannonical. 736 */ 737 if (addr == NULL) 738 return 1; 739 740 /* 741 * Check whether the top-level list is in order. 742 */ 743 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 744 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 745 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 746 if (IPAddressFamily_cmp(&a, &b) >= 0) 747 return 0; 748 } 749 750 /* 751 * Top level's ok, now check each address family. 752 */ 753 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 754 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 755 int length = length_from_afi(v3_addr_get_afi(f)); 756 757 /* 758 * Inheritance is canonical. Anything other than inheritance or 759 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. 760 */ 761 if (f == NULL || f->ipAddressChoice == NULL) 762 return 0; 763 switch (f->ipAddressChoice->type) { 764 case IPAddressChoice_inherit: 765 continue; 766 case IPAddressChoice_addressesOrRanges: 767 break; 768 default: 769 return 0; 770 } 771 772 /* 773 * It's an IPAddressOrRanges sequence, check it. 774 */ 775 aors = f->ipAddressChoice->u.addressesOrRanges; 776 if (sk_IPAddressOrRange_num(aors) == 0) 777 return 0; 778 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 779 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 780 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 781 782 if (!extract_min_max(a, a_min, a_max, length) || 783 !extract_min_max(b, b_min, b_max, length)) 784 return 0; 785 786 /* 787 * Punt misordered list, overlapping start, or inverted range. 788 */ 789 if (memcmp(a_min, b_min, length) >= 0 || 790 memcmp(a_min, a_max, length) > 0 || 791 memcmp(b_min, b_max, length) > 0) 792 return 0; 793 794 /* 795 * Punt if adjacent or overlapping. Check for adjacency by 796 * subtracting one from b_min first. 797 */ 798 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ; 799 if (memcmp(a_max, b_min, length) >= 0) 800 return 0; 801 802 /* 803 * Check for range that should be expressed as a prefix. 804 */ 805 if (a->type == IPAddressOrRange_addressRange && 806 range_should_be_prefix(a_min, a_max, length) >= 0) 807 return 0; 808 } 809 810 /* 811 * Check range to see if it's inverted or should be a 812 * prefix. 813 */ 814 j = sk_IPAddressOrRange_num(aors) - 1; 815 { 816 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 817 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 818 if (!extract_min_max(a, a_min, a_max, length)) 819 return 0; 820 if (memcmp(a_min, a_max, length) > 0 || 821 range_should_be_prefix(a_min, a_max, length) >= 0) 822 return 0; 823 } 824 } 825 } 826 827 /* 828 * If we made it through all that, we're happy. 829 */ 830 return 1; 831} 832 833/* 834 * Whack an IPAddressOrRanges into canonical form. 835 */ 836static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, 837 const unsigned afi) 838{ 839 int i, j, length = length_from_afi(afi); 840 841 /* 842 * Sort the IPAddressOrRanges sequence. 843 */ 844 sk_IPAddressOrRange_sort(aors); 845 846 /* 847 * Clean up representation issues, punt on duplicates or overlaps. 848 */ 849 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 850 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 851 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 852 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 853 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 854 855 if (!extract_min_max(a, a_min, a_max, length) || 856 !extract_min_max(b, b_min, b_max, length)) 857 return 0; 858 859 /* 860 * Punt inverted ranges. 861 */ 862 if (memcmp(a_min, a_max, length) > 0 || 863 memcmp(b_min, b_max, length) > 0) 864 return 0; 865 866 /* 867 * Punt overlaps. 868 */ 869 if (memcmp(a_max, b_min, length) >= 0) 870 return 0; 871 872 /* 873 * Merge if a and b are adjacent. We check for 874 * adjacency by subtracting one from b_min first. 875 */ 876 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ; 877 if (memcmp(a_max, b_min, length) == 0) { 878 IPAddressOrRange *merged; 879 if (!make_addressRange(&merged, a_min, b_max, length)) 880 return 0; 881 (void)sk_IPAddressOrRange_set(aors, i, merged); 882 (void)sk_IPAddressOrRange_delete(aors, i + 1); 883 IPAddressOrRange_free(a); 884 IPAddressOrRange_free(b); 885 --i; 886 continue; 887 } 888 } 889 890 /* 891 * Check for inverted final range. 892 */ 893 j = sk_IPAddressOrRange_num(aors) - 1; 894 { 895 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 896 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 897 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 898 extract_min_max(a, a_min, a_max, length); 899 if (memcmp(a_min, a_max, length) > 0) 900 return 0; 901 } 902 } 903 904 return 1; 905} 906 907/* 908 * Whack an IPAddrBlocks extension into canonical form. 909 */ 910int v3_addr_canonize(IPAddrBlocks *addr) 911{ 912 int i; 913 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 914 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 915 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 916 !IPAddressOrRanges_canonize(f->ipAddressChoice-> 917 u.addressesOrRanges, 918 v3_addr_get_afi(f))) 919 return 0; 920 } 921 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 922 sk_IPAddressFamily_sort(addr); 923 OPENSSL_assert(v3_addr_is_canonical(addr)); 924 return 1; 925} 926 927/* 928 * v2i handler for the IPAddrBlocks extension. 929 */ 930static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, 931 struct v3_ext_ctx *ctx, 932 STACK_OF(CONF_VALUE) *values) 933{ 934 static const char v4addr_chars[] = "0123456789."; 935 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 936 IPAddrBlocks *addr = NULL; 937 char *s = NULL, *t; 938 int i; 939 940 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 941 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 942 return NULL; 943 } 944 945 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 946 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 947 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 948 unsigned afi, *safi = NULL, safi_; 949 const char *addr_chars; 950 int prefixlen, i1, i2, delim, length; 951 952 if (!name_cmp(val->name, "IPv4")) { 953 afi = IANA_AFI_IPV4; 954 } else if (!name_cmp(val->name, "IPv6")) { 955 afi = IANA_AFI_IPV6; 956 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 957 afi = IANA_AFI_IPV4; 958 safi = &safi_; 959 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 960 afi = IANA_AFI_IPV6; 961 safi = &safi_; 962 } else { 963 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 964 X509V3_R_EXTENSION_NAME_ERROR); 965 X509V3_conf_err(val); 966 goto err; 967 } 968 969 switch (afi) { 970 case IANA_AFI_IPV4: 971 addr_chars = v4addr_chars; 972 break; 973 case IANA_AFI_IPV6: 974 addr_chars = v6addr_chars; 975 break; 976 } 977 978 length = length_from_afi(afi); 979 980 /* 981 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate 982 * the other input values. 983 */ 984 if (safi != NULL) { 985 *safi = strtoul(val->value, &t, 0); 986 t += strspn(t, " \t"); 987 if (*safi > 0xFF || *t++ != ':') { 988 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); 989 X509V3_conf_err(val); 990 goto err; 991 } 992 t += strspn(t, " \t"); 993 s = BUF_strdup(t); 994 } else { 995 s = BUF_strdup(val->value); 996 } 997 if (s == NULL) { 998 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 999 goto err; 1000 } 1001 1002 /* 1003 * Check for inheritance. Not worth additional complexity to 1004 * optimize this (seldom-used) case. 1005 */ 1006 if (!strcmp(s, "inherit")) { 1007 if (!v3_addr_add_inherit(addr, afi, safi)) { 1008 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1009 X509V3_R_INVALID_INHERITANCE); 1010 X509V3_conf_err(val); 1011 goto err; 1012 } 1013 OPENSSL_free(s); 1014 s = NULL; 1015 continue; 1016 } 1017 1018 i1 = strspn(s, addr_chars); 1019 i2 = i1 + strspn(s + i1, " \t"); 1020 delim = s[i2++]; 1021 s[i1] = '\0'; 1022 1023 if (a2i_ipadd(min, s) != length) { 1024 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); 1025 X509V3_conf_err(val); 1026 goto err; 1027 } 1028 1029 switch (delim) { 1030 case '/': 1031 prefixlen = (int)strtoul(s + i2, &t, 10); 1032 if (t == s + i2 || *t != '\0') { 1033 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1034 X509V3_R_EXTENSION_VALUE_ERROR); 1035 X509V3_conf_err(val); 1036 goto err; 1037 } 1038 if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { 1039 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1040 goto err; 1041 } 1042 break; 1043 case '-': 1044 i1 = i2 + strspn(s + i2, " \t"); 1045 i2 = i1 + strspn(s + i1, addr_chars); 1046 if (i1 == i2 || s[i2] != '\0') { 1047 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1048 X509V3_R_EXTENSION_VALUE_ERROR); 1049 X509V3_conf_err(val); 1050 goto err; 1051 } 1052 if (a2i_ipadd(max, s + i1) != length) { 1053 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1054 X509V3_R_INVALID_IPADDRESS); 1055 X509V3_conf_err(val); 1056 goto err; 1057 } 1058 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1059 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1060 X509V3_R_EXTENSION_VALUE_ERROR); 1061 X509V3_conf_err(val); 1062 goto err; 1063 } 1064 if (!v3_addr_add_range(addr, afi, safi, min, max)) { 1065 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1066 goto err; 1067 } 1068 break; 1069 case '\0': 1070 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { 1071 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1072 goto err; 1073 } 1074 break; 1075 default: 1076 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1077 X509V3_R_EXTENSION_VALUE_ERROR); 1078 X509V3_conf_err(val); 1079 goto err; 1080 } 1081 1082 OPENSSL_free(s); 1083 s = NULL; 1084 } 1085 1086 /* 1087 * Canonize the result, then we're done. 1088 */ 1089 if (!v3_addr_canonize(addr)) 1090 goto err; 1091 return addr; 1092 1093 err: 1094 OPENSSL_free(s); 1095 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1096 return NULL; 1097} 1098 1099/* 1100 * OpenSSL dispatch 1101 */ 1102const X509V3_EXT_METHOD v3_addr = { 1103 NID_sbgp_ipAddrBlock, /* nid */ 1104 0, /* flags */ 1105 ASN1_ITEM_ref(IPAddrBlocks), /* template */ 1106 0, 0, 0, 0, /* old functions, ignored */ 1107 0, /* i2s */ 1108 0, /* s2i */ 1109 0, /* i2v */ 1110 v2i_IPAddrBlocks, /* v2i */ 1111 i2r_IPAddrBlocks, /* i2r */ 1112 0, /* r2i */ 1113 NULL /* extension-specific data */ 1114}; 1115 1116/* 1117 * Figure out whether extension sues inheritance. 1118 */ 1119int v3_addr_inherits(IPAddrBlocks *addr) 1120{ 1121 int i; 1122 if (addr == NULL) 1123 return 0; 1124 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1125 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1126 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1127 return 1; 1128 } 1129 return 0; 1130} 1131 1132/* 1133 * Figure out whether parent contains child. 1134 */ 1135static int addr_contains(IPAddressOrRanges *parent, 1136 IPAddressOrRanges *child, int length) 1137{ 1138 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1139 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1140 int p, c; 1141 1142 if (child == NULL || parent == child) 1143 return 1; 1144 if (parent == NULL) 1145 return 0; 1146 1147 p = 0; 1148 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1149 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1150 c_min, c_max, length)) 1151 return -1; 1152 for (;; p++) { 1153 if (p >= sk_IPAddressOrRange_num(parent)) 1154 return 0; 1155 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), 1156 p_min, p_max, length)) 1157 return 0; 1158 if (memcmp(p_max, c_max, length) < 0) 1159 continue; 1160 if (memcmp(p_min, c_min, length) > 0) 1161 return 0; 1162 break; 1163 } 1164 } 1165 1166 return 1; 1167} 1168 1169/* 1170 * Test whether a is a subset of b. 1171 */ 1172int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1173{ 1174 int i; 1175 if (a == NULL || a == b) 1176 return 1; 1177 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) 1178 return 0; 1179 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1180 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1181 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1182 int j = sk_IPAddressFamily_find(b, fa); 1183 IPAddressFamily *fb; 1184 fb = sk_IPAddressFamily_value(b, j); 1185 if (fb == NULL) 1186 return 0; 1187 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1188 fa->ipAddressChoice->u.addressesOrRanges, 1189 length_from_afi(v3_addr_get_afi(fb)))) 1190 return 0; 1191 } 1192 return 1; 1193} 1194 1195/* 1196 * Validation error handling via callback. 1197 */ 1198# define validation_err(_err_) \ 1199 do { \ 1200 if (ctx != NULL) { \ 1201 ctx->error = _err_; \ 1202 ctx->error_depth = i; \ 1203 ctx->current_cert = x; \ 1204 ret = ctx->verify_cb(0, ctx); \ 1205 } else { \ 1206 ret = 0; \ 1207 } \ 1208 if (!ret) \ 1209 goto done; \ 1210 } while (0) 1211 1212/* 1213 * Core code for RFC 3779 2.3 path validation. 1214 * 1215 * Returns 1 for success, 0 on error. 1216 * 1217 * When returning 0, ctx->error MUST be set to an appropriate value other than 1218 * X509_V_OK. 1219 */ 1220static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, 1221 STACK_OF(X509) *chain, 1222 IPAddrBlocks *ext) 1223{ 1224 IPAddrBlocks *child = NULL; 1225 int i, j, ret = 1; 1226 X509 *x; 1227 1228 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1229 OPENSSL_assert(ctx != NULL || ext != NULL); 1230 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1231 1232 /* 1233 * Figure out where to start. If we don't have an extension to 1234 * check, we're done. Otherwise, check canonical form and 1235 * set up for walking up the chain. 1236 */ 1237 if (ext != NULL) { 1238 i = -1; 1239 x = NULL; 1240 } else { 1241 i = 0; 1242 x = sk_X509_value(chain, i); 1243 OPENSSL_assert(x != NULL); 1244 if ((ext = x->rfc3779_addr) == NULL) 1245 goto done; 1246 } 1247 if (!v3_addr_is_canonical(ext)) 1248 validation_err(X509_V_ERR_INVALID_EXTENSION); 1249 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1250 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1251 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, 1252 ERR_R_MALLOC_FAILURE); 1253 ctx->error = X509_V_ERR_OUT_OF_MEM; 1254 ret = 0; 1255 goto done; 1256 } 1257 1258 /* 1259 * Now walk up the chain. No cert may list resources that its 1260 * parent doesn't list. 1261 */ 1262 for (i++; i < sk_X509_num(chain); i++) { 1263 x = sk_X509_value(chain, i); 1264 OPENSSL_assert(x != NULL); 1265 if (!v3_addr_is_canonical(x->rfc3779_addr)) 1266 validation_err(X509_V_ERR_INVALID_EXTENSION); 1267 if (x->rfc3779_addr == NULL) { 1268 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1269 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1270 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { 1271 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1272 break; 1273 } 1274 } 1275 continue; 1276 } 1277 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, 1278 IPAddressFamily_cmp); 1279 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1280 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1281 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1282 IPAddressFamily *fp = 1283 sk_IPAddressFamily_value(x->rfc3779_addr, k); 1284 if (fp == NULL) { 1285 if (fc->ipAddressChoice->type == 1286 IPAddressChoice_addressesOrRanges) { 1287 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1288 break; 1289 } 1290 continue; 1291 } 1292 if (fp->ipAddressChoice->type == 1293 IPAddressChoice_addressesOrRanges) { 1294 if (fc->ipAddressChoice->type == IPAddressChoice_inherit 1295 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1296 fc->ipAddressChoice->u.addressesOrRanges, 1297 length_from_afi(v3_addr_get_afi(fc)))) 1298 sk_IPAddressFamily_set(child, j, fp); 1299 else 1300 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1301 } 1302 } 1303 } 1304 1305 /* 1306 * Trust anchor can't inherit. 1307 */ 1308 OPENSSL_assert(x != NULL); 1309 if (x->rfc3779_addr != NULL) { 1310 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1311 IPAddressFamily *fp = 1312 sk_IPAddressFamily_value(x->rfc3779_addr, j); 1313 if (fp->ipAddressChoice->type == IPAddressChoice_inherit 1314 && sk_IPAddressFamily_find(child, fp) >= 0) 1315 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1316 } 1317 } 1318 1319 done: 1320 sk_IPAddressFamily_free(child); 1321 return ret; 1322} 1323 1324# undef validation_err 1325 1326/* 1327 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1328 */ 1329int v3_addr_validate_path(X509_STORE_CTX *ctx) 1330{ 1331 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); 1332} 1333 1334/* 1335 * RFC 3779 2.3 path validation of an extension. 1336 * Test whether chain covers extension. 1337 */ 1338int v3_addr_validate_resource_set(STACK_OF(X509) *chain, 1339 IPAddrBlocks *ext, int allow_inheritance) 1340{ 1341 if (ext == NULL) 1342 return 1; 1343 if (chain == NULL || sk_X509_num(chain) == 0) 1344 return 0; 1345 if (!allow_inheritance && v3_addr_inherits(ext)) 1346 return 0; 1347 return v3_addr_validate_path_internal(NULL, chain, ext); 1348} 1349 1350#endif /* OPENSSL_NO_RFC3779 */ 1351