ip.c revision 1.9
1/* $OpenBSD: ip.c,v 1.9 2019/11/27 17:18:24 deraadt Exp $ */ 2/* 3 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#include <sys/socket.h> 19#include <arpa/inet.h> 20 21#include <assert.h> 22#include <err.h> 23#include <stdarg.h> 24#include <stdlib.h> 25#include <string.h> 26#include <unistd.h> 27 28#include <openssl/ssl.h> 29 30#include "extern.h" 31 32#define PREFIX_SIZE(x) (((x) + 7) / 8) 33 34/* 35 * Parse an IP address family. 36 * This is defined in different places in the ROA/X509 standards, but 37 * it's the same thing. 38 * We prohibit all but IPv4 and IPv6, without SAFI. 39 * Return zero on failure, non-zero on success. 40 */ 41int 42ip_addr_afi_parse(const char *fn, const ASN1_OCTET_STRING *p, enum afi *afi) 43{ 44 char buf[2]; 45 short v; 46 47 if (p->length == 0 || p->length > 3) { 48 warnx("%s: invalid field length, want 1--3, have %d", 49 fn, p->length); 50 return 0; 51 } 52 53 memcpy(buf, p->data, sizeof(uint16_t)); 54 v = ntohs(*(uint16_t *)buf); 55 56 /* Only accept IPv4 and IPv6 AFIs. */ 57 58 if (v != AFI_IPV4 && v != AFI_IPV6) { 59 warnx("%s: only AFI for IPV4 (1) and IPV6 (2) allowed: " 60 "have %hd", fn, v); 61 return 0; 62 } 63 64 /* Disallow the optional SAFI. */ 65 66 if (p->length == 3) { 67 warnx("%s: SAFI not allowed", fn); 68 return 0; 69 } 70 71 *afi = v; 72 return 1; 73} 74 75/* 76 * See if a given IP prefix is covered by the IP prefixes or ranges 77 * specified in the "ips" array. 78 * This means that the IP prefix must be strictly within the ranges or 79 * singletons given in the array. 80 * Return 0 if we're inheriting from the parent, >0 if we're covered, 81 * or <0 if we're not covered. 82 */ 83int 84ip_addr_check_covered(enum afi afi, 85 const unsigned char *min, const unsigned char *max, 86 const struct cert_ip *ips, size_t ipsz) 87{ 88 size_t i, sz = AFI_IPV4 == afi ? 4 : 16; 89 90 for (i = 0; i < ipsz; i++) { 91 if (ips[i].afi != afi) 92 continue; 93 if (ips[i].type == CERT_IP_INHERIT) 94 return 0; 95 if (memcmp(ips[i].min, min, sz) <= 0 && 96 memcmp(ips[i].max, max, sz) >= 0) 97 return 1; 98 } 99 100 return -1; 101} 102 103/* 104 * Given a newly-parsed IP address or range "ip", make sure that "ip" 105 * does not overlap with any addresses or ranges in the "ips" array. 106 * This is defined by RFC 3779 section 2.2.3.6. 107 * Returns zero on failure, non-zero on success. 108 */ 109int 110ip_addr_check_overlap(const struct cert_ip *ip, const char *fn, 111 const struct cert_ip *ips, size_t ipsz) 112{ 113 size_t i, sz = ip->afi == AFI_IPV4 ? 4 : 16; 114 int inherit_v4 = 0, inherit_v6 = 0; 115 int has_v4 = 0, has_v6 = 0, socktype; 116 char buf[64]; 117 118 /* 119 * FIXME: cache this by having a flag on the cert_ip, else we're 120 * going to need to do a lot of scanning for big allocations. 121 */ 122 123 for (i = 0; i < ipsz; i++) 124 if (ips[i].type == CERT_IP_INHERIT) { 125 if (ips[i].afi == AFI_IPV4) 126 inherit_v4 = 1; 127 else 128 inherit_v6 = 1; 129 } else { 130 if (ips[i].afi == AFI_IPV4) 131 has_v4 = 1; 132 else 133 has_v6 = 1; 134 } 135 136 /* Disallow multiple inheritence per type. */ 137 138 if ((inherit_v4 && ip->afi == AFI_IPV4) || 139 (inherit_v6 && ip->afi == AFI_IPV6) || 140 (has_v4 && ip->afi == AFI_IPV4 && 141 ip->type == CERT_IP_INHERIT) || 142 (has_v6 && ip->afi == AFI_IPV6 && 143 ip->type == CERT_IP_INHERIT)) { 144 warnx("%s: RFC 3779 section 2.2.3.5: " 145 "cannot have multiple inheritence or inheritence and " 146 "addresses of the same class", fn); 147 return 0; 148 } 149 150 /* Check our ranges. */ 151 152 for (i = 0; i < ipsz; i++) { 153 if (ips[i].afi != ip->afi) 154 continue; 155 if (memcmp(ips[i].max, ip->min, sz) <= 0 || 156 memcmp(ips[i].min, ip->max, sz) >= 0) 157 continue; 158 socktype = (ips[i].afi == AFI_IPV4) ? AF_INET : AF_INET6, 159 warnx("%s: RFC 3779 section 2.2.3.5: " 160 "cannot have overlapping IP addresses", fn); 161 ip_addr_print(&ip->ip, ip->afi, buf, sizeof(buf)); 162 warnx("%s: certificate IP: %s", fn, buf); 163 inet_ntop(socktype, ip->min, buf, sizeof(buf)); 164 warnx("%s: certificate IP minimum: %s", fn, buf); 165 inet_ntop(socktype, ip->max, buf, sizeof(buf)); 166 warnx("%s: certificate IP maximum: %s", fn, buf); 167 inet_ntop(socktype, ips[i].min, buf, sizeof(buf)); 168 warnx("%s: offending IP minimum: %s", fn, buf); 169 inet_ntop(socktype, ips[i].max, buf, sizeof(buf)); 170 warnx("%s: offending IP maximum: %s", fn, buf); 171 return 0; 172 } 173 174 return 1; 175} 176 177/* 178 * Parse an IP address, RFC 3779, 2.2.3.8. 179 * Return zero on failure, non-zero on success. 180 */ 181int 182ip_addr_parse(const ASN1_BIT_STRING *p, 183 enum afi afi, const char *fn, struct ip_addr *addr) 184{ 185 long unused = 0; 186 187 /* Weird OpenSSL-ism to get unused bit count. */ 188 189 if ((p->flags & ASN1_STRING_FLAG_BITS_LEFT)) 190 unused = p->flags & ~ASN1_STRING_FLAG_BITS_LEFT; 191 192 if (unused < 0) { 193 warnx("%s: RFC 3779 section 2.2.3.8: " 194 "unused bit count must be non-negative", fn); 195 return 0; 196 } else if (unused >= 8) { 197 warnx("%s: RFC 3779 section 2.2.3.8: " 198 "unused bit count must mask an unsigned char", fn); 199 return 0; 200 } else if (p->length == 0 && unused != 0) { 201 warnx("%s: RFC 3779 section 2.2.3.8: " 202 "unused bit count must be zero if length is zero", fn); 203 return 0; 204 } 205 206 /* 207 * Check that the unused bits are set to zero. 208 * If we don't do this, stray bits will corrupt our composition 209 * of the [minimum] address ranges. 210 */ 211 212 if (p->length != 0 && 213 (p->data[p->length - 1] & ((1 << unused) - 1))) { 214 warnx("%s: RFC 3779 section 2.2.3.8: " 215 "unused bits must be set to zero", fn); 216 return 0; 217 } 218 219 /* Limit possible sizes of addresses. */ 220 221 if ((afi == AFI_IPV4 && p->length > 4) || 222 (afi == AFI_IPV6 && p->length > 16)) { 223 warnx("%s: RFC 3779 section 2.2.3.8: " 224 "IP address too long", fn); 225 return 0; 226 } 227 228 memset (addr, 0, sizeof(struct ip_addr)); 229 addr->prefixlen = p->length * 8 - unused; 230 memcpy(addr->addr, p->data, p->length); 231 return 1; 232} 233 234/* 235 * Convert the IPv4 address into CIDR notation conforming to RFC 4632. 236 * Buffer should be able to hold xxx.yyy.zzz.www/nn. 237 */ 238static void 239ip4_addr2str(const struct ip_addr *addr, char *b, size_t bsz) 240{ 241 char buf[16]; 242 243 snprintf(b, bsz, "%s/%hhu", inet_ntop(AF_INET, addr->addr, buf, 244 sizeof(buf)), addr->prefixlen); 245} 246 247/* 248 * Convert the IPv6 address into CIDR notation conforming to RFC 4291. 249 * See also RFC 5952. 250 * Must hold 0000:0000:0000:0000:0000:0000:0000:0000/nn. 251 */ 252static void 253ip6_addr2str(const struct ip_addr *addr, char *b, size_t bsz) 254{ 255 char buf[44]; 256 257 snprintf(b, bsz, "%s/%hhu", inet_ntop(AF_INET6, addr->addr, buf, 258 sizeof(buf)), addr->prefixlen); 259} 260 261/* 262 * Convert a ip_addr into a NUL-terminated CIDR notation string 263 * conforming to RFC 4632 or 4291. 264 * The size of the buffer must be at least 64 (inclusive). 265 */ 266void 267ip_addr_print(const struct ip_addr *addr, 268 enum afi afi, char *buf, size_t bufsz) 269{ 270 271 if (afi == AFI_IPV4) 272 ip4_addr2str(addr, buf, bufsz); 273 else 274 ip6_addr2str(addr, buf, bufsz); 275} 276 277/* 278 * Serialise an ip_addr for sending over the wire. 279 * Matched with ip_addr_read(). 280 */ 281void 282ip_addr_buffer(char **b, size_t *bsz, size_t *bmax, const struct ip_addr *p) 283{ 284 size_t sz = PREFIX_SIZE(p->prefixlen); 285 286 assert(sz <= 16); 287 io_simple_buffer(b, bsz, bmax, &p->prefixlen, sizeof(unsigned char)); 288 io_simple_buffer(b, bsz, bmax, p->addr, sz); 289} 290 291/* 292 * Serialise an ip_addr_range for sending over the wire. 293 * Matched with ip_addr_range_read(). 294 */ 295void 296ip_addr_range_buffer(char **b, size_t *bsz, size_t *bmax, 297 const struct ip_addr_range *p) 298{ 299 300 ip_addr_buffer(b, bsz, bmax, &p->min); 301 ip_addr_buffer(b, bsz, bmax, &p->max); 302} 303 304/* 305 * Read an ip_addr from the wire. 306 * Matched with ip_addr_buffer(). 307 */ 308void 309ip_addr_read(int fd, struct ip_addr *p) 310{ 311 size_t sz; 312 313 io_simple_read(fd, &p->prefixlen, sizeof(unsigned char)); 314 sz = PREFIX_SIZE(p->prefixlen); 315 assert(sz <= 16); 316 io_simple_read(fd, p->addr, sz); 317} 318 319/* 320 * Read an ip_addr_range from the wire. 321 * Matched with ip_addr_range_buffer(). 322 */ 323void 324ip_addr_range_read(int fd, struct ip_addr_range *p) 325{ 326 327 ip_addr_read(fd, &p->min); 328 ip_addr_read(fd, &p->max); 329} 330 331/* 332 * Given the addresses (range or IP) in cert_ip, fill in the "min" and 333 * "max" fields with the minimum and maximum possible IP addresses given 334 * those ranges (or singleton prefixed range). 335 * This does nothing if CERT_IP_INHERIT. 336 * Returns zero on failure (misordered ranges), non-zero on success. 337 */ 338int 339ip_cert_compose_ranges(struct cert_ip *p) 340{ 341 size_t sz; 342 343 switch (p->type) { 344 case CERT_IP_ADDR: 345 sz = PREFIX_SIZE(p->ip.prefixlen); 346 memset(p->min, 0x0, sizeof(p->min)); 347 memcpy(p->min, p->ip.addr, sz); 348 memset(p->max, 0xff, sizeof(p->max)); 349 memcpy(p->max, p->ip.addr, sz); 350 if (sz > 0 && p->ip.prefixlen % 8 != 0) 351 p->max[sz - 1] |= (1 << (8 - p->ip.prefixlen % 8)) - 1; 352 break; 353 case CERT_IP_RANGE: 354 memset(p->min, 0x0, sizeof(p->min)); 355 sz = PREFIX_SIZE(p->range.min.prefixlen); 356 memcpy(p->min, p->range.min.addr, sz); 357 memset(p->max, 0xff, sizeof(p->max)); 358 sz = PREFIX_SIZE(p->range.max.prefixlen); 359 memcpy(p->max, p->range.max.addr, sz); 360 if (sz > 0 && p->range.max.prefixlen % 8 != 0) 361 p->max[sz - 1] |= 362 (1 << (8 - p->range.max.prefixlen % 8)) - 1; 363 break; 364 default: 365 return 1; 366 } 367 368 sz = AFI_IPV4 == p->afi ? 4 : 16; 369 return memcmp(p->min, p->max, sz) <= 0; 370} 371 372/* 373 * Given the ROA's acceptable prefix, compute the minimum and maximum 374 * address accepted by the prefix. 375 */ 376void 377ip_roa_compose_ranges(struct roa_ip *p) 378{ 379 size_t sz = PREFIX_SIZE(p->addr.prefixlen); 380 381 memset(p->min, 0x0, sizeof(p->min)); 382 memcpy(p->min, p->addr.addr, sz); 383 memset(p->max, 0xff, sizeof(p->max)); 384 memcpy(p->max, p->addr.addr, sz); 385 if (sz > 0 && p->addr.prefixlen % 8 != 0) 386 p->max[sz - 1] |= (1 << (8 - p->addr.prefixlen % 8)) - 1; 387} 388