v3_addr.c revision 296465
1/* 2 * Contributed to the OpenSSL Project by the American Registry for 3 * Internet Numbers ("ARIN"). 4 */ 5/* ==================================================================== 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 */ 57 58/* 59 * Implementation of RFC 3779 section 2.2. 60 */ 61 62#include <stdio.h> 63#include <stdlib.h> 64 65#include "cryptlib.h" 66#include <openssl/conf.h> 67#include <openssl/asn1.h> 68#include <openssl/asn1t.h> 69#include <openssl/buffer.h> 70#include <openssl/x509v3.h> 71 72#ifndef OPENSSL_NO_RFC3779 73 74/* 75 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 76 */ 77 78ASN1_SEQUENCE(IPAddressRange) = { 79 ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), 80 ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) 81} ASN1_SEQUENCE_END(IPAddressRange) 82 83ASN1_CHOICE(IPAddressOrRange) = { 84 ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), 85 ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) 86} ASN1_CHOICE_END(IPAddressOrRange) 87 88ASN1_CHOICE(IPAddressChoice) = { 89 ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), 90 ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) 91} ASN1_CHOICE_END(IPAddressChoice) 92 93ASN1_SEQUENCE(IPAddressFamily) = { 94 ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), 95 ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) 96} ASN1_SEQUENCE_END(IPAddressFamily) 97 98ASN1_ITEM_TEMPLATE(IPAddrBlocks) = 99 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, 100 IPAddrBlocks, IPAddressFamily) 101ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) 102 103IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) 104IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) 105IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice) 106IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) 107 108/* 109 * How much buffer space do we need for a raw address? 110 */ 111# define ADDR_RAW_BUF_LEN 16 112 113/* 114 * What's the address length associated with this AFI? 115 */ 116static int length_from_afi(const unsigned afi) 117{ 118 switch (afi) { 119 case IANA_AFI_IPV4: 120 return 4; 121 case IANA_AFI_IPV6: 122 return 16; 123 default: 124 return 0; 125 } 126} 127 128/* 129 * Extract the AFI from an IPAddressFamily. 130 */ 131unsigned int v3_addr_get_afi(const IPAddressFamily *f) 132{ 133 return ((f != NULL && 134 f->addressFamily != NULL && f->addressFamily->data != NULL) 135 ? ((f->addressFamily->data[0] << 8) | (f->addressFamily->data[1])) 136 : 0); 137} 138 139/* 140 * Expand the bitstring form of an address into a raw byte array. 141 * At the moment this is coded for simplicity, not speed. 142 */ 143static int addr_expand(unsigned char *addr, 144 const ASN1_BIT_STRING *bs, 145 const int length, const unsigned char fill) 146{ 147 if (bs->length < 0 || bs->length > length) 148 return 0; 149 if (bs->length > 0) { 150 memcpy(addr, bs->data, bs->length); 151 if ((bs->flags & 7) != 0) { 152 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); 153 if (fill == 0) 154 addr[bs->length - 1] &= ~mask; 155 else 156 addr[bs->length - 1] |= mask; 157 } 158 } 159 memset(addr + bs->length, fill, length - bs->length); 160 return 1; 161} 162 163/* 164 * Extract the prefix length from a bitstring. 165 */ 166# define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 167 168/* 169 * i2r handler for one address bitstring. 170 */ 171static int i2r_address(BIO *out, 172 const unsigned afi, 173 const unsigned char fill, const ASN1_BIT_STRING *bs) 174{ 175 unsigned char addr[ADDR_RAW_BUF_LEN]; 176 int i, n; 177 178 if (bs->length < 0) 179 return 0; 180 switch (afi) { 181 case IANA_AFI_IPV4: 182 if (!addr_expand(addr, bs, 4, fill)) 183 return 0; 184 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 185 break; 186 case IANA_AFI_IPV6: 187 if (!addr_expand(addr, bs, 16, fill)) 188 return 0; 189 for (n = 16; n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; 190 n -= 2) ; 191 for (i = 0; i < n; i += 2) 192 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 193 (i < 14 ? ":" : "")); 194 if (i < 16) 195 BIO_puts(out, ":"); 196 if (i == 0) 197 BIO_puts(out, ":"); 198 break; 199 default: 200 for (i = 0; i < bs->length; i++) 201 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); 202 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 203 break; 204 } 205 return 1; 206} 207 208/* 209 * i2r handler for a sequence of addresses and ranges. 210 */ 211static int i2r_IPAddressOrRanges(BIO *out, 212 const int indent, 213 const IPAddressOrRanges *aors, 214 const unsigned afi) 215{ 216 int i; 217 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 218 const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); 219 BIO_printf(out, "%*s", indent, ""); 220 switch (aor->type) { 221 case IPAddressOrRange_addressPrefix: 222 if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) 223 return 0; 224 BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); 225 continue; 226 case IPAddressOrRange_addressRange: 227 if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) 228 return 0; 229 BIO_puts(out, "-"); 230 if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) 231 return 0; 232 BIO_puts(out, "\n"); 233 continue; 234 } 235 } 236 return 1; 237} 238 239/* 240 * i2r handler for an IPAddrBlocks extension. 241 */ 242static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method, 243 void *ext, BIO *out, int indent) 244{ 245 const IPAddrBlocks *addr = ext; 246 int i; 247 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 248 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 249 const unsigned int afi = v3_addr_get_afi(f); 250 switch (afi) { 251 case IANA_AFI_IPV4: 252 BIO_printf(out, "%*sIPv4", indent, ""); 253 break; 254 case IANA_AFI_IPV6: 255 BIO_printf(out, "%*sIPv6", indent, ""); 256 break; 257 default: 258 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 259 break; 260 } 261 if (f->addressFamily->length > 2) { 262 switch (f->addressFamily->data[2]) { 263 case 1: 264 BIO_puts(out, " (Unicast)"); 265 break; 266 case 2: 267 BIO_puts(out, " (Multicast)"); 268 break; 269 case 3: 270 BIO_puts(out, " (Unicast/Multicast)"); 271 break; 272 case 4: 273 BIO_puts(out, " (MPLS)"); 274 break; 275 case 64: 276 BIO_puts(out, " (Tunnel)"); 277 break; 278 case 65: 279 BIO_puts(out, " (VPLS)"); 280 break; 281 case 66: 282 BIO_puts(out, " (BGP MDT)"); 283 break; 284 case 128: 285 BIO_puts(out, " (MPLS-labeled VPN)"); 286 break; 287 default: 288 BIO_printf(out, " (Unknown SAFI %u)", 289 (unsigned)f->addressFamily->data[2]); 290 break; 291 } 292 } 293 switch (f->ipAddressChoice->type) { 294 case IPAddressChoice_inherit: 295 BIO_puts(out, ": inherit\n"); 296 break; 297 case IPAddressChoice_addressesOrRanges: 298 BIO_puts(out, ":\n"); 299 if (!i2r_IPAddressOrRanges(out, 300 indent + 2, 301 f->ipAddressChoice-> 302 u.addressesOrRanges, afi)) 303 return 0; 304 break; 305 } 306 } 307 return 1; 308} 309 310/* 311 * Sort comparison function for a sequence of IPAddressOrRange 312 * elements. 313 * 314 * There's no sane answer we can give if addr_expand() fails, and an 315 * assertion failure on externally supplied data is seriously uncool, 316 * so we just arbitrarily declare that if given invalid inputs this 317 * function returns -1. If this messes up your preferred sort order 318 * for garbage input, tough noogies. 319 */ 320static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 321 const IPAddressOrRange *b, const int length) 322{ 323 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 324 int prefixlen_a = 0; 325 int prefixlen_b = 0; 326 int r; 327 328 switch (a->type) { 329 case IPAddressOrRange_addressPrefix: 330 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 331 return -1; 332 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 333 break; 334 case IPAddressOrRange_addressRange: 335 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 336 return -1; 337 prefixlen_a = length * 8; 338 break; 339 } 340 341 switch (b->type) { 342 case IPAddressOrRange_addressPrefix: 343 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 344 return -1; 345 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 346 break; 347 case IPAddressOrRange_addressRange: 348 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 349 return -1; 350 prefixlen_b = length * 8; 351 break; 352 } 353 354 if ((r = memcmp(addr_a, addr_b, length)) != 0) 355 return r; 356 else 357 return prefixlen_a - prefixlen_b; 358} 359 360/* 361 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 362 * comparision routines are only allowed two arguments. 363 */ 364static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 365 const IPAddressOrRange *const *b) 366{ 367 return IPAddressOrRange_cmp(*a, *b, 4); 368} 369 370/* 371 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 372 * comparision routines are only allowed two arguments. 373 */ 374static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 375 const IPAddressOrRange *const *b) 376{ 377 return IPAddressOrRange_cmp(*a, *b, 16); 378} 379 380/* 381 * Calculate whether a range collapses to a prefix. 382 * See last paragraph of RFC 3779 2.2.3.7. 383 */ 384static int range_should_be_prefix(const unsigned char *min, 385 const unsigned char *max, const int length) 386{ 387 unsigned char mask; 388 int i, j; 389 390 OPENSSL_assert(memcmp(min, max, length) <= 0); 391 for (i = 0; i < length && min[i] == max[i]; i++) ; 392 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) ; 393 if (i < j) 394 return -1; 395 if (i > j) 396 return i * 8; 397 mask = min[i] ^ max[i]; 398 switch (mask) { 399 case 0x01: 400 j = 7; 401 break; 402 case 0x03: 403 j = 6; 404 break; 405 case 0x07: 406 j = 5; 407 break; 408 case 0x0F: 409 j = 4; 410 break; 411 case 0x1F: 412 j = 3; 413 break; 414 case 0x3F: 415 j = 2; 416 break; 417 case 0x7F: 418 j = 1; 419 break; 420 default: 421 return -1; 422 } 423 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 424 return -1; 425 else 426 return i * 8 + j; 427} 428 429/* 430 * Construct a prefix. 431 */ 432static int make_addressPrefix(IPAddressOrRange **result, 433 unsigned char *addr, const int prefixlen) 434{ 435 int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; 436 IPAddressOrRange *aor = IPAddressOrRange_new(); 437 438 if (aor == NULL) 439 return 0; 440 aor->type = IPAddressOrRange_addressPrefix; 441 if (aor->u.addressPrefix == NULL && 442 (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 443 goto err; 444 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) 445 goto err; 446 aor->u.addressPrefix->flags &= ~7; 447 aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; 448 if (bitlen > 0) { 449 aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); 450 aor->u.addressPrefix->flags |= 8 - bitlen; 451 } 452 453 *result = aor; 454 return 1; 455 456 err: 457 IPAddressOrRange_free(aor); 458 return 0; 459} 460 461/* 462 * Construct a range. If it can be expressed as a prefix, 463 * return a prefix instead. Doing this here simplifies 464 * the rest of the code considerably. 465 */ 466static int make_addressRange(IPAddressOrRange **result, 467 unsigned char *min, 468 unsigned char *max, const int length) 469{ 470 IPAddressOrRange *aor; 471 int i, prefixlen; 472 473 if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) 474 return make_addressPrefix(result, min, prefixlen); 475 476 if ((aor = IPAddressOrRange_new()) == NULL) 477 return 0; 478 aor->type = IPAddressOrRange_addressRange; 479 OPENSSL_assert(aor->u.addressRange == NULL); 480 if ((aor->u.addressRange = IPAddressRange_new()) == NULL) 481 goto err; 482 if (aor->u.addressRange->min == NULL && 483 (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) 484 goto err; 485 if (aor->u.addressRange->max == NULL && 486 (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) 487 goto err; 488 489 for (i = length; i > 0 && min[i - 1] == 0x00; --i) ; 490 if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) 491 goto err; 492 aor->u.addressRange->min->flags &= ~7; 493 aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; 494 if (i > 0) { 495 unsigned char b = min[i - 1]; 496 int j = 1; 497 while ((b & (0xFFU >> j)) != 0) 498 ++j; 499 aor->u.addressRange->min->flags |= 8 - j; 500 } 501 502 for (i = length; i > 0 && max[i - 1] == 0xFF; --i) ; 503 if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) 504 goto err; 505 aor->u.addressRange->max->flags &= ~7; 506 aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; 507 if (i > 0) { 508 unsigned char b = max[i - 1]; 509 int j = 1; 510 while ((b & (0xFFU >> j)) != (0xFFU >> j)) 511 ++j; 512 aor->u.addressRange->max->flags |= 8 - j; 513 } 514 515 *result = aor; 516 return 1; 517 518 err: 519 IPAddressOrRange_free(aor); 520 return 0; 521} 522 523/* 524 * Construct a new address family or find an existing one. 525 */ 526static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, 527 const unsigned afi, 528 const unsigned *safi) 529{ 530 IPAddressFamily *f; 531 unsigned char key[3]; 532 unsigned keylen; 533 int i; 534 535 key[0] = (afi >> 8) & 0xFF; 536 key[1] = afi & 0xFF; 537 if (safi != NULL) { 538 key[2] = *safi & 0xFF; 539 keylen = 3; 540 } else { 541 keylen = 2; 542 } 543 544 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 545 f = sk_IPAddressFamily_value(addr, i); 546 OPENSSL_assert(f->addressFamily->data != NULL); 547 if (f->addressFamily->length == keylen && 548 !memcmp(f->addressFamily->data, key, keylen)) 549 return f; 550 } 551 552 if ((f = IPAddressFamily_new()) == NULL) 553 goto err; 554 if (f->ipAddressChoice == NULL && 555 (f->ipAddressChoice = IPAddressChoice_new()) == NULL) 556 goto err; 557 if (f->addressFamily == NULL && 558 (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) 559 goto err; 560 if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) 561 goto err; 562 if (!sk_IPAddressFamily_push(addr, f)) 563 goto err; 564 565 return f; 566 567 err: 568 IPAddressFamily_free(f); 569 return NULL; 570} 571 572/* 573 * Add an inheritance element. 574 */ 575int v3_addr_add_inherit(IPAddrBlocks *addr, 576 const unsigned afi, const unsigned *safi) 577{ 578 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 579 if (f == NULL || 580 f->ipAddressChoice == NULL || 581 (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 582 f->ipAddressChoice->u.addressesOrRanges != NULL)) 583 return 0; 584 if (f->ipAddressChoice->type == IPAddressChoice_inherit && 585 f->ipAddressChoice->u.inherit != NULL) 586 return 1; 587 if (f->ipAddressChoice->u.inherit == NULL && 588 (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 589 return 0; 590 f->ipAddressChoice->type = IPAddressChoice_inherit; 591 return 1; 592} 593 594/* 595 * Construct an IPAddressOrRange sequence, or return an existing one. 596 */ 597static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, 598 const unsigned afi, 599 const unsigned *safi) 600{ 601 IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); 602 IPAddressOrRanges *aors = NULL; 603 604 if (f == NULL || 605 f->ipAddressChoice == NULL || 606 (f->ipAddressChoice->type == IPAddressChoice_inherit && 607 f->ipAddressChoice->u.inherit != NULL)) 608 return NULL; 609 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) 610 aors = f->ipAddressChoice->u.addressesOrRanges; 611 if (aors != NULL) 612 return aors; 613 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 614 return NULL; 615 switch (afi) { 616 case IANA_AFI_IPV4: 617 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 618 break; 619 case IANA_AFI_IPV6: 620 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 621 break; 622 } 623 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 624 f->ipAddressChoice->u.addressesOrRanges = aors; 625 return aors; 626} 627 628/* 629 * Add a prefix. 630 */ 631int v3_addr_add_prefix(IPAddrBlocks *addr, 632 const unsigned afi, 633 const unsigned *safi, 634 unsigned char *a, const int prefixlen) 635{ 636 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 637 IPAddressOrRange *aor; 638 if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) 639 return 0; 640 if (sk_IPAddressOrRange_push(aors, aor)) 641 return 1; 642 IPAddressOrRange_free(aor); 643 return 0; 644} 645 646/* 647 * Add a range. 648 */ 649int v3_addr_add_range(IPAddrBlocks *addr, 650 const unsigned afi, 651 const unsigned *safi, 652 unsigned char *min, unsigned char *max) 653{ 654 IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); 655 IPAddressOrRange *aor; 656 int length = length_from_afi(afi); 657 if (aors == NULL) 658 return 0; 659 if (!make_addressRange(&aor, min, max, length)) 660 return 0; 661 if (sk_IPAddressOrRange_push(aors, aor)) 662 return 1; 663 IPAddressOrRange_free(aor); 664 return 0; 665} 666 667/* 668 * Extract min and max values from an IPAddressOrRange. 669 */ 670static int extract_min_max(IPAddressOrRange *aor, 671 unsigned char *min, unsigned char *max, int length) 672{ 673 if (aor == NULL || min == NULL || max == NULL) 674 return 0; 675 switch (aor->type) { 676 case IPAddressOrRange_addressPrefix: 677 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && 678 addr_expand(max, aor->u.addressPrefix, length, 0xFF)); 679 case IPAddressOrRange_addressRange: 680 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && 681 addr_expand(max, aor->u.addressRange->max, length, 0xFF)); 682 } 683 return 0; 684} 685 686/* 687 * Public wrapper for extract_min_max(). 688 */ 689int v3_addr_get_range(IPAddressOrRange *aor, 690 const unsigned afi, 691 unsigned char *min, 692 unsigned char *max, const int length) 693{ 694 int afi_length = length_from_afi(afi); 695 if (aor == NULL || min == NULL || max == NULL || 696 afi_length == 0 || length < afi_length || 697 (aor->type != IPAddressOrRange_addressPrefix && 698 aor->type != IPAddressOrRange_addressRange) || 699 !extract_min_max(aor, min, max, afi_length)) 700 return 0; 701 702 return afi_length; 703} 704 705/* 706 * Sort comparision function for a sequence of IPAddressFamily. 707 * 708 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 709 * the ordering: I can read it as meaning that IPv6 without a SAFI 710 * comes before IPv4 with a SAFI, which seems pretty weird. The 711 * examples in appendix B suggest that the author intended the 712 * null-SAFI rule to apply only within a single AFI, which is what I 713 * would have expected and is what the following code implements. 714 */ 715static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, 716 const IPAddressFamily *const *b_) 717{ 718 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 719 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 720 int len = ((a->length <= b->length) ? a->length : b->length); 721 int cmp = memcmp(a->data, b->data, len); 722 return cmp ? cmp : a->length - b->length; 723} 724 725/* 726 * Check whether an IPAddrBLocks is in canonical form. 727 */ 728int v3_addr_is_canonical(IPAddrBlocks *addr) 729{ 730 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 731 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 732 IPAddressOrRanges *aors; 733 int i, j, k; 734 735 /* 736 * Empty extension is cannonical. 737 */ 738 if (addr == NULL) 739 return 1; 740 741 /* 742 * Check whether the top-level list is in order. 743 */ 744 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 745 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 746 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 747 if (IPAddressFamily_cmp(&a, &b) >= 0) 748 return 0; 749 } 750 751 /* 752 * Top level's ok, now check each address family. 753 */ 754 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 755 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 756 int length = length_from_afi(v3_addr_get_afi(f)); 757 758 /* 759 * Inheritance is canonical. Anything other than inheritance or 760 * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. 761 */ 762 if (f == NULL || f->ipAddressChoice == NULL) 763 return 0; 764 switch (f->ipAddressChoice->type) { 765 case IPAddressChoice_inherit: 766 continue; 767 case IPAddressChoice_addressesOrRanges: 768 break; 769 default: 770 return 0; 771 } 772 773 /* 774 * It's an IPAddressOrRanges sequence, check it. 775 */ 776 aors = f->ipAddressChoice->u.addressesOrRanges; 777 if (sk_IPAddressOrRange_num(aors) == 0) 778 return 0; 779 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 780 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 781 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 782 783 if (!extract_min_max(a, a_min, a_max, length) || 784 !extract_min_max(b, b_min, b_max, length)) 785 return 0; 786 787 /* 788 * Punt misordered list, overlapping start, or inverted range. 789 */ 790 if (memcmp(a_min, b_min, length) >= 0 || 791 memcmp(a_min, a_max, length) > 0 || 792 memcmp(b_min, b_max, length) > 0) 793 return 0; 794 795 /* 796 * Punt if adjacent or overlapping. Check for adjacency by 797 * subtracting one from b_min first. 798 */ 799 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) ; 800 if (memcmp(a_max, b_min, length) >= 0) 801 return 0; 802 803 /* 804 * Check for range that should be expressed as a prefix. 805 */ 806 if (a->type == IPAddressOrRange_addressRange && 807 range_should_be_prefix(a_min, a_max, length) >= 0) 808 return 0; 809 } 810 811 /* 812 * Check range to see if it's inverted or should be a 813 * prefix. 814 */ 815 j = sk_IPAddressOrRange_num(aors) - 1; 816 { 817 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 818 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 819 if (!extract_min_max(a, a_min, a_max, length)) 820 return 0; 821 if (memcmp(a_min, a_max, length) > 0 || 822 range_should_be_prefix(a_min, a_max, length) >= 0) 823 return 0; 824 } 825 } 826 } 827 828 /* 829 * If we made it through all that, we're happy. 830 */ 831 return 1; 832} 833 834/* 835 * Whack an IPAddressOrRanges into canonical form. 836 */ 837static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, 838 const unsigned afi) 839{ 840 int i, j, length = length_from_afi(afi); 841 842 /* 843 * Sort the IPAddressOrRanges sequence. 844 */ 845 sk_IPAddressOrRange_sort(aors); 846 847 /* 848 * Clean up representation issues, punt on duplicates or overlaps. 849 */ 850 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 851 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); 852 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); 853 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 854 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 855 856 if (!extract_min_max(a, a_min, a_max, length) || 857 !extract_min_max(b, b_min, b_max, length)) 858 return 0; 859 860 /* 861 * Punt inverted ranges. 862 */ 863 if (memcmp(a_min, a_max, length) > 0 || 864 memcmp(b_min, b_max, length) > 0) 865 return 0; 866 867 /* 868 * Punt overlaps. 869 */ 870 if (memcmp(a_max, b_min, length) >= 0) 871 return 0; 872 873 /* 874 * Merge if a and b are adjacent. We check for 875 * adjacency by subtracting one from b_min first. 876 */ 877 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) ; 878 if (memcmp(a_max, b_min, length) == 0) { 879 IPAddressOrRange *merged; 880 if (!make_addressRange(&merged, a_min, b_max, length)) 881 return 0; 882 sk_IPAddressOrRange_set(aors, i, merged); 883 (void)sk_IPAddressOrRange_delete(aors, i + 1); 884 IPAddressOrRange_free(a); 885 IPAddressOrRange_free(b); 886 --i; 887 continue; 888 } 889 } 890 891 /* 892 * Check for inverted final range. 893 */ 894 j = sk_IPAddressOrRange_num(aors) - 1; 895 { 896 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 897 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 898 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 899 extract_min_max(a, a_min, a_max, length); 900 if (memcmp(a_min, a_max, length) > 0) 901 return 0; 902 } 903 } 904 905 return 1; 906} 907 908/* 909 * Whack an IPAddrBlocks extension into canonical form. 910 */ 911int v3_addr_canonize(IPAddrBlocks *addr) 912{ 913 int i; 914 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 915 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 916 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && 917 !IPAddressOrRanges_canonize(f->ipAddressChoice-> 918 u.addressesOrRanges, 919 v3_addr_get_afi(f))) 920 return 0; 921 } 922 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 923 sk_IPAddressFamily_sort(addr); 924 OPENSSL_assert(v3_addr_is_canonical(addr)); 925 return 1; 926} 927 928/* 929 * v2i handler for the IPAddrBlocks extension. 930 */ 931static void *v2i_IPAddrBlocks(struct v3_ext_method *method, 932 struct v3_ext_ctx *ctx, 933 STACK_OF(CONF_VALUE) *values) 934{ 935 static const char v4addr_chars[] = "0123456789."; 936 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 937 IPAddrBlocks *addr = NULL; 938 char *s = NULL, *t; 939 int i; 940 941 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 942 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 943 return NULL; 944 } 945 946 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 947 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 948 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 949 unsigned afi, *safi = NULL, safi_; 950 const char *addr_chars; 951 int prefixlen, i1, i2, delim, length; 952 953 if (!name_cmp(val->name, "IPv4")) { 954 afi = IANA_AFI_IPV4; 955 } else if (!name_cmp(val->name, "IPv6")) { 956 afi = IANA_AFI_IPV6; 957 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 958 afi = IANA_AFI_IPV4; 959 safi = &safi_; 960 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 961 afi = IANA_AFI_IPV6; 962 safi = &safi_; 963 } else { 964 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 965 X509V3_R_EXTENSION_NAME_ERROR); 966 X509V3_conf_err(val); 967 goto err; 968 } 969 970 switch (afi) { 971 case IANA_AFI_IPV4: 972 addr_chars = v4addr_chars; 973 break; 974 case IANA_AFI_IPV6: 975 addr_chars = v6addr_chars; 976 break; 977 } 978 979 length = length_from_afi(afi); 980 981 /* 982 * Handle SAFI, if any, and BUF_strdup() so we can null-terminate 983 * the other input values. 984 */ 985 if (safi != NULL) { 986 *safi = strtoul(val->value, &t, 0); 987 t += strspn(t, " \t"); 988 if (*safi > 0xFF || *t++ != ':') { 989 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); 990 X509V3_conf_err(val); 991 goto err; 992 } 993 t += strspn(t, " \t"); 994 s = BUF_strdup(t); 995 } else { 996 s = BUF_strdup(val->value); 997 } 998 if (s == NULL) { 999 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1000 goto err; 1001 } 1002 1003 /* 1004 * Check for inheritance. Not worth additional complexity to 1005 * optimize this (seldom-used) case. 1006 */ 1007 if (!strcmp(s, "inherit")) { 1008 if (!v3_addr_add_inherit(addr, afi, safi)) { 1009 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1010 X509V3_R_INVALID_INHERITANCE); 1011 X509V3_conf_err(val); 1012 goto err; 1013 } 1014 OPENSSL_free(s); 1015 s = NULL; 1016 continue; 1017 } 1018 1019 i1 = strspn(s, addr_chars); 1020 i2 = i1 + strspn(s + i1, " \t"); 1021 delim = s[i2++]; 1022 s[i1] = '\0'; 1023 1024 if (a2i_ipadd(min, s) != length) { 1025 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); 1026 X509V3_conf_err(val); 1027 goto err; 1028 } 1029 1030 switch (delim) { 1031 case '/': 1032 prefixlen = (int)strtoul(s + i2, &t, 10); 1033 if (t == s + i2 || *t != '\0') { 1034 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1035 X509V3_R_EXTENSION_VALUE_ERROR); 1036 X509V3_conf_err(val); 1037 goto err; 1038 } 1039 if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { 1040 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1041 goto err; 1042 } 1043 break; 1044 case '-': 1045 i1 = i2 + strspn(s + i2, " \t"); 1046 i2 = i1 + strspn(s + i1, addr_chars); 1047 if (i1 == i2 || s[i2] != '\0') { 1048 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1049 X509V3_R_EXTENSION_VALUE_ERROR); 1050 X509V3_conf_err(val); 1051 goto err; 1052 } 1053 if (a2i_ipadd(max, s + i1) != length) { 1054 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1055 X509V3_R_INVALID_IPADDRESS); 1056 X509V3_conf_err(val); 1057 goto err; 1058 } 1059 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1060 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1061 X509V3_R_EXTENSION_VALUE_ERROR); 1062 X509V3_conf_err(val); 1063 goto err; 1064 } 1065 if (!v3_addr_add_range(addr, afi, safi, min, max)) { 1066 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1067 goto err; 1068 } 1069 break; 1070 case '\0': 1071 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { 1072 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1073 goto err; 1074 } 1075 break; 1076 default: 1077 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, 1078 X509V3_R_EXTENSION_VALUE_ERROR); 1079 X509V3_conf_err(val); 1080 goto err; 1081 } 1082 1083 OPENSSL_free(s); 1084 s = NULL; 1085 } 1086 1087 /* 1088 * Canonize the result, then we're done. 1089 */ 1090 if (!v3_addr_canonize(addr)) 1091 goto err; 1092 return addr; 1093 1094 err: 1095 OPENSSL_free(s); 1096 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1097 return NULL; 1098} 1099 1100/* 1101 * OpenSSL dispatch 1102 */ 1103const X509V3_EXT_METHOD v3_addr = { 1104 NID_sbgp_ipAddrBlock, /* nid */ 1105 0, /* flags */ 1106 ASN1_ITEM_ref(IPAddrBlocks), /* template */ 1107 0, 0, 0, 0, /* old functions, ignored */ 1108 0, /* i2s */ 1109 0, /* s2i */ 1110 0, /* i2v */ 1111 v2i_IPAddrBlocks, /* v2i */ 1112 i2r_IPAddrBlocks, /* i2r */ 1113 0, /* r2i */ 1114 NULL /* extension-specific data */ 1115}; 1116 1117/* 1118 * Figure out whether extension sues inheritance. 1119 */ 1120int v3_addr_inherits(IPAddrBlocks *addr) 1121{ 1122 int i; 1123 if (addr == NULL) 1124 return 0; 1125 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1126 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); 1127 if (f->ipAddressChoice->type == IPAddressChoice_inherit) 1128 return 1; 1129 } 1130 return 0; 1131} 1132 1133/* 1134 * Figure out whether parent contains child. 1135 */ 1136static int addr_contains(IPAddressOrRanges *parent, 1137 IPAddressOrRanges *child, int length) 1138{ 1139 unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; 1140 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; 1141 int p, c; 1142 1143 if (child == NULL || parent == child) 1144 return 1; 1145 if (parent == NULL) 1146 return 0; 1147 1148 p = 0; 1149 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1150 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), 1151 c_min, c_max, length)) 1152 return -1; 1153 for (;; p++) { 1154 if (p >= sk_IPAddressOrRange_num(parent)) 1155 return 0; 1156 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), 1157 p_min, p_max, length)) 1158 return 0; 1159 if (memcmp(p_max, c_max, length) < 0) 1160 continue; 1161 if (memcmp(p_min, c_min, length) > 0) 1162 return 0; 1163 break; 1164 } 1165 } 1166 1167 return 1; 1168} 1169 1170/* 1171 * Test whether a is a subset of b. 1172 */ 1173int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) 1174{ 1175 int i; 1176 if (a == NULL || a == b) 1177 return 1; 1178 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) 1179 return 0; 1180 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1181 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1182 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1183 int j = sk_IPAddressFamily_find(b, fa); 1184 IPAddressFamily *fb; 1185 fb = sk_IPAddressFamily_value(b, j); 1186 if (fb == NULL) 1187 return 0; 1188 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 1189 fa->ipAddressChoice->u.addressesOrRanges, 1190 length_from_afi(v3_addr_get_afi(fb)))) 1191 return 0; 1192 } 1193 return 1; 1194} 1195 1196/* 1197 * Validation error handling via callback. 1198 */ 1199# define validation_err(_err_) \ 1200 do { \ 1201 if (ctx != NULL) { \ 1202 ctx->error = _err_; \ 1203 ctx->error_depth = i; \ 1204 ctx->current_cert = x; \ 1205 ret = ctx->verify_cb(0, ctx); \ 1206 } else { \ 1207 ret = 0; \ 1208 } \ 1209 if (!ret) \ 1210 goto done; \ 1211 } while (0) 1212 1213/* 1214 * Core code for RFC 3779 2.3 path validation. 1215 */ 1216static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, 1217 STACK_OF(X509) *chain, 1218 IPAddrBlocks *ext) 1219{ 1220 IPAddrBlocks *child = NULL; 1221 int i, j, ret = 1; 1222 X509 *x = NULL; 1223 1224 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); 1225 OPENSSL_assert(ctx != NULL || ext != NULL); 1226 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); 1227 1228 /* 1229 * Figure out where to start. If we don't have an extension to 1230 * check, we're done. Otherwise, check canonical form and 1231 * set up for walking up the chain. 1232 */ 1233 if (ext != NULL) { 1234 i = -1; 1235 } else { 1236 i = 0; 1237 x = sk_X509_value(chain, i); 1238 OPENSSL_assert(x != NULL); 1239 if ((ext = x->rfc3779_addr) == NULL) 1240 goto done; 1241 } 1242 if (!v3_addr_is_canonical(ext)) 1243 validation_err(X509_V_ERR_INVALID_EXTENSION); 1244 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1245 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1246 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, 1247 ERR_R_MALLOC_FAILURE); 1248 ret = 0; 1249 goto done; 1250 } 1251 1252 /* 1253 * Now walk up the chain. No cert may list resources that its 1254 * parent doesn't list. 1255 */ 1256 for (i++; i < sk_X509_num(chain); i++) { 1257 x = sk_X509_value(chain, i); 1258 OPENSSL_assert(x != NULL); 1259 if (!v3_addr_is_canonical(x->rfc3779_addr)) 1260 validation_err(X509_V_ERR_INVALID_EXTENSION); 1261 if (x->rfc3779_addr == NULL) { 1262 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1263 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1264 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { 1265 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1266 break; 1267 } 1268 } 1269 continue; 1270 } 1271 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, 1272 IPAddressFamily_cmp); 1273 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1274 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1275 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1276 IPAddressFamily *fp = 1277 sk_IPAddressFamily_value(x->rfc3779_addr, k); 1278 if (fp == NULL) { 1279 if (fc->ipAddressChoice->type == 1280 IPAddressChoice_addressesOrRanges) { 1281 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1282 break; 1283 } 1284 continue; 1285 } 1286 if (fp->ipAddressChoice->type == 1287 IPAddressChoice_addressesOrRanges) { 1288 if (fc->ipAddressChoice->type == IPAddressChoice_inherit 1289 || addr_contains(fp->ipAddressChoice->u.addressesOrRanges, 1290 fc->ipAddressChoice->u.addressesOrRanges, 1291 length_from_afi(v3_addr_get_afi(fc)))) 1292 sk_IPAddressFamily_set(child, j, fp); 1293 else 1294 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1295 } 1296 } 1297 } 1298 1299 /* 1300 * Trust anchor can't inherit. 1301 */ 1302 if (x->rfc3779_addr != NULL) { 1303 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { 1304 IPAddressFamily *fp = 1305 sk_IPAddressFamily_value(x->rfc3779_addr, j); 1306 if (fp->ipAddressChoice->type == IPAddressChoice_inherit 1307 && sk_IPAddressFamily_find(child, fp) >= 0) 1308 validation_err(X509_V_ERR_UNNESTED_RESOURCE); 1309 } 1310 } 1311 1312 done: 1313 sk_IPAddressFamily_free(child); 1314 return ret; 1315} 1316 1317# undef validation_err 1318 1319/* 1320 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1321 */ 1322int v3_addr_validate_path(X509_STORE_CTX *ctx) 1323{ 1324 return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); 1325} 1326 1327/* 1328 * RFC 3779 2.3 path validation of an extension. 1329 * Test whether chain covers extension. 1330 */ 1331int v3_addr_validate_resource_set(STACK_OF(X509) *chain, 1332 IPAddrBlocks *ext, int allow_inheritance) 1333{ 1334 if (ext == NULL) 1335 return 1; 1336 if (chain == NULL || sk_X509_num(chain) == 0) 1337 return 0; 1338 if (!allow_inheritance && v3_addr_inherits(ext)) 1339 return 0; 1340 return v3_addr_validate_path_internal(NULL, chain, ext); 1341} 1342 1343#endif /* OPENSSL_NO_RFC3779 */ 1344