1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libcrypto/src/crypto/x509v3/v3_addr.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,1280 @@
1.4 +/*
1.5 + * Contributed to the OpenSSL Project by the American Registry for
1.6 + * Internet Numbers ("ARIN").
1.7 + */
1.8 +/* ====================================================================
1.9 + * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
1.10 + *
1.11 + * Redistribution and use in source and binary forms, with or without
1.12 + * modification, are permitted provided that the following conditions
1.13 + * are met:
1.14 + *
1.15 + * 1. Redistributions of source code must retain the above copyright
1.16 + * notice, this list of conditions and the following disclaimer.
1.17 + *
1.18 + * 2. Redistributions in binary form must reproduce the above copyright
1.19 + * notice, this list of conditions and the following disclaimer in
1.20 + * the documentation and/or other materials provided with the
1.21 + * distribution.
1.22 + *
1.23 + * 3. All advertising materials mentioning features or use of this
1.24 + * software must display the following acknowledgment:
1.25 + * "This product includes software developed by the OpenSSL Project
1.26 + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
1.27 + *
1.28 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.29 + * endorse or promote products derived from this software without
1.30 + * prior written permission. For written permission, please contact
1.31 + * licensing@OpenSSL.org.
1.32 + *
1.33 + * 5. Products derived from this software may not be called "OpenSSL"
1.34 + * nor may "OpenSSL" appear in their names without prior written
1.35 + * permission of the OpenSSL Project.
1.36 + *
1.37 + * 6. Redistributions of any form whatsoever must retain the following
1.38 + * acknowledgment:
1.39 + * "This product includes software developed by the OpenSSL Project
1.40 + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
1.41 + *
1.42 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.43 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.44 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.45 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.46 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.47 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.48 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.49 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.50 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.51 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.52 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.53 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.54 + * ====================================================================
1.55 + *
1.56 + * This product includes cryptographic software written by Eric Young
1.57 + * (eay@cryptsoft.com). This product includes software written by Tim
1.58 + * Hudson (tjh@cryptsoft.com).
1.59 + */
1.60 +
1.61 +/*
1.62 + * Implementation of RFC 3779 section 2.2.
1.63 + */
1.64 +
1.65 +#include <stdio.h>
1.66 +#include <stdlib.h>
1.67 +#include <assert.h>
1.68 +#include "cryptlib.h"
1.69 +#include <openssl/conf.h>
1.70 +#include <openssl/asn1.h>
1.71 +#include <openssl/asn1t.h>
1.72 +#include <openssl/buffer.h>
1.73 +#include <openssl/x509v3.h>
1.74 +
1.75 +#ifndef OPENSSL_NO_RFC3779
1.76 +
1.77 +/*
1.78 + * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
1.79 + */
1.80 +
1.81 +ASN1_SEQUENCE(IPAddressRange) = {
1.82 + ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
1.83 + ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
1.84 +} ASN1_SEQUENCE_END(IPAddressRange)
1.85 +
1.86 +ASN1_CHOICE(IPAddressOrRange) = {
1.87 + ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
1.88 + ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
1.89 +} ASN1_CHOICE_END(IPAddressOrRange)
1.90 +
1.91 +ASN1_CHOICE(IPAddressChoice) = {
1.92 + ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
1.93 + ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
1.94 +} ASN1_CHOICE_END(IPAddressChoice)
1.95 +
1.96 +ASN1_SEQUENCE(IPAddressFamily) = {
1.97 + ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
1.98 + ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
1.99 +} ASN1_SEQUENCE_END(IPAddressFamily)
1.100 +
1.101 +ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
1.102 + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
1.103 + IPAddrBlocks, IPAddressFamily)
1.104 +ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
1.105 +
1.106 +IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
1.107 +IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
1.108 +IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
1.109 +IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
1.110 +
1.111 +/*
1.112 + * How much buffer space do we need for a raw address?
1.113 + */
1.114 +#define ADDR_RAW_BUF_LEN 16
1.115 +
1.116 +/*
1.117 + * What's the address length associated with this AFI?
1.118 + */
1.119 +static int length_from_afi(const unsigned afi)
1.120 +{
1.121 + switch (afi) {
1.122 + case IANA_AFI_IPV4:
1.123 + return 4;
1.124 + case IANA_AFI_IPV6:
1.125 + return 16;
1.126 + default:
1.127 + return 0;
1.128 + }
1.129 +}
1.130 +
1.131 +/*
1.132 + * Extract the AFI from an IPAddressFamily.
1.133 + */
1.134 +unsigned v3_addr_get_afi(const IPAddressFamily *f)
1.135 +{
1.136 + return ((f != NULL &&
1.137 + f->addressFamily != NULL &&
1.138 + f->addressFamily->data != NULL)
1.139 + ? ((f->addressFamily->data[0] << 8) |
1.140 + (f->addressFamily->data[1]))
1.141 + : 0);
1.142 +}
1.143 +
1.144 +/*
1.145 + * Expand the bitstring form of an address into a raw byte array.
1.146 + * At the moment this is coded for simplicity, not speed.
1.147 + */
1.148 +static void addr_expand(unsigned char *addr,
1.149 + const ASN1_BIT_STRING *bs,
1.150 + const int length,
1.151 + const unsigned char fill)
1.152 +{
1.153 + assert(bs->length >= 0 && bs->length <= length);
1.154 + if (bs->length > 0) {
1.155 + memcpy(addr, bs->data, bs->length);
1.156 + if ((bs->flags & 7) != 0) {
1.157 + unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
1.158 + if (fill == 0)
1.159 + addr[bs->length - 1] &= ~mask;
1.160 + else
1.161 + addr[bs->length - 1] |= mask;
1.162 + }
1.163 + }
1.164 + memset(addr + bs->length, fill, length - bs->length);
1.165 +}
1.166 +
1.167 +/*
1.168 + * Extract the prefix length from a bitstring.
1.169 + */
1.170 +#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
1.171 +
1.172 +/*
1.173 + * i2r handler for one address bitstring.
1.174 + */
1.175 +static int i2r_address(BIO *out,
1.176 + const unsigned afi,
1.177 + const unsigned char fill,
1.178 + const ASN1_BIT_STRING *bs)
1.179 +{
1.180 + unsigned char addr[ADDR_RAW_BUF_LEN];
1.181 + int i, n;
1.182 +
1.183 + switch (afi) {
1.184 + case IANA_AFI_IPV4:
1.185 + addr_expand(addr, bs, 4, fill);
1.186 + BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
1.187 + break;
1.188 + case IANA_AFI_IPV6:
1.189 + addr_expand(addr, bs, 16, fill);
1.190 + for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
1.191 + ;
1.192 + for (i = 0; i < n; i += 2)
1.193 + BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : ""));
1.194 + if (i < 16)
1.195 + BIO_puts(out, ":");
1.196 + break;
1.197 + default:
1.198 + for (i = 0; i < bs->length; i++)
1.199 + BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
1.200 + BIO_printf(out, "[%d]", (int) (bs->flags & 7));
1.201 + break;
1.202 + }
1.203 + return 1;
1.204 +}
1.205 +
1.206 +/*
1.207 + * i2r handler for a sequence of addresses and ranges.
1.208 + */
1.209 +static int i2r_IPAddressOrRanges(BIO *out,
1.210 + const int indent,
1.211 + const IPAddressOrRanges *aors,
1.212 + const unsigned afi)
1.213 +{
1.214 + int i;
1.215 + for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
1.216 + const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
1.217 + BIO_printf(out, "%*s", indent, "");
1.218 + switch (aor->type) {
1.219 + case IPAddressOrRange_addressPrefix:
1.220 + if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
1.221 + return 0;
1.222 + BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
1.223 + continue;
1.224 + case IPAddressOrRange_addressRange:
1.225 + if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
1.226 + return 0;
1.227 + BIO_puts(out, "-");
1.228 + if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
1.229 + return 0;
1.230 + BIO_puts(out, "\n");
1.231 + continue;
1.232 + }
1.233 + }
1.234 + return 1;
1.235 +}
1.236 +
1.237 +/*
1.238 + * i2r handler for an IPAddrBlocks extension.
1.239 + */
1.240 +static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method,
1.241 + void *ext,
1.242 + BIO *out,
1.243 + int indent)
1.244 +{
1.245 + const IPAddrBlocks *addr = ext;
1.246 + int i;
1.247 + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1.248 + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1.249 + const unsigned afi = v3_addr_get_afi(f);
1.250 + switch (afi) {
1.251 + case IANA_AFI_IPV4:
1.252 + BIO_printf(out, "%*sIPv4", indent, "");
1.253 + break;
1.254 + case IANA_AFI_IPV6:
1.255 + BIO_printf(out, "%*sIPv6", indent, "");
1.256 + break;
1.257 + default:
1.258 + BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
1.259 + break;
1.260 + }
1.261 + if (f->addressFamily->length > 2) {
1.262 + switch (f->addressFamily->data[2]) {
1.263 + case 1:
1.264 + BIO_puts(out, " (Unicast)");
1.265 + break;
1.266 + case 2:
1.267 + BIO_puts(out, " (Multicast)");
1.268 + break;
1.269 + case 3:
1.270 + BIO_puts(out, " (Unicast/Multicast)");
1.271 + break;
1.272 + case 4:
1.273 + BIO_puts(out, " (MPLS)");
1.274 + break;
1.275 + case 64:
1.276 + BIO_puts(out, " (Tunnel)");
1.277 + break;
1.278 + case 65:
1.279 + BIO_puts(out, " (VPLS)");
1.280 + break;
1.281 + case 66:
1.282 + BIO_puts(out, " (BGP MDT)");
1.283 + break;
1.284 + case 128:
1.285 + BIO_puts(out, " (MPLS-labeled VPN)");
1.286 + break;
1.287 + default:
1.288 + BIO_printf(out, " (Unknown SAFI %u)",
1.289 + (unsigned) f->addressFamily->data[2]);
1.290 + break;
1.291 + }
1.292 + }
1.293 + switch (f->ipAddressChoice->type) {
1.294 + case IPAddressChoice_inherit:
1.295 + BIO_puts(out, ": inherit\n");
1.296 + break;
1.297 + case IPAddressChoice_addressesOrRanges:
1.298 + BIO_puts(out, ":\n");
1.299 + if (!i2r_IPAddressOrRanges(out,
1.300 + indent + 2,
1.301 + f->ipAddressChoice->u.addressesOrRanges,
1.302 + afi))
1.303 + return 0;
1.304 + break;
1.305 + }
1.306 + }
1.307 + return 1;
1.308 +}
1.309 +
1.310 +/*
1.311 + * Sort comparison function for a sequence of IPAddressOrRange
1.312 + * elements.
1.313 + */
1.314 +static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
1.315 + const IPAddressOrRange *b,
1.316 + const int length)
1.317 +{
1.318 + unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
1.319 + int prefixlen_a = 0;
1.320 + int prefixlen_b = 0;
1.321 + int r;
1.322 +
1.323 + switch (a->type) {
1.324 + case IPAddressOrRange_addressPrefix:
1.325 + addr_expand(addr_a, a->u.addressPrefix, length, 0x00);
1.326 + prefixlen_a = addr_prefixlen(a->u.addressPrefix);
1.327 + break;
1.328 + case IPAddressOrRange_addressRange:
1.329 + addr_expand(addr_a, a->u.addressRange->min, length, 0x00);
1.330 + prefixlen_a = length * 8;
1.331 + break;
1.332 + }
1.333 +
1.334 + switch (b->type) {
1.335 + case IPAddressOrRange_addressPrefix:
1.336 + addr_expand(addr_b, b->u.addressPrefix, length, 0x00);
1.337 + prefixlen_b = addr_prefixlen(b->u.addressPrefix);
1.338 + break;
1.339 + case IPAddressOrRange_addressRange:
1.340 + addr_expand(addr_b, b->u.addressRange->min, length, 0x00);
1.341 + prefixlen_b = length * 8;
1.342 + break;
1.343 + }
1.344 +
1.345 + if ((r = memcmp(addr_a, addr_b, length)) != 0)
1.346 + return r;
1.347 + else
1.348 + return prefixlen_a - prefixlen_b;
1.349 +}
1.350 +
1.351 +/*
1.352 + * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
1.353 + * comparision routines are only allowed two arguments.
1.354 + */
1.355 +static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
1.356 + const IPAddressOrRange * const *b)
1.357 +{
1.358 + return IPAddressOrRange_cmp(*a, *b, 4);
1.359 +}
1.360 +
1.361 +/*
1.362 + * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
1.363 + * comparision routines are only allowed two arguments.
1.364 + */
1.365 +static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
1.366 + const IPAddressOrRange * const *b)
1.367 +{
1.368 + return IPAddressOrRange_cmp(*a, *b, 16);
1.369 +}
1.370 +
1.371 +/*
1.372 + * Calculate whether a range collapses to a prefix.
1.373 + * See last paragraph of RFC 3779 2.2.3.7.
1.374 + */
1.375 +static int range_should_be_prefix(const unsigned char *min,
1.376 + const unsigned char *max,
1.377 + const int length)
1.378 +{
1.379 + unsigned char mask;
1.380 + int i, j;
1.381 +
1.382 + for (i = 0; i < length && min[i] == max[i]; i++)
1.383 + ;
1.384 + for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
1.385 + ;
1.386 + if (i < j)
1.387 + return -1;
1.388 + if (i > j)
1.389 + return i * 8;
1.390 + mask = min[i] ^ max[i];
1.391 + switch (mask) {
1.392 + case 0x01: j = 7; break;
1.393 + case 0x03: j = 6; break;
1.394 + case 0x07: j = 5; break;
1.395 + case 0x0F: j = 4; break;
1.396 + case 0x1F: j = 3; break;
1.397 + case 0x3F: j = 2; break;
1.398 + case 0x7F: j = 1; break;
1.399 + default: return -1;
1.400 + }
1.401 + if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
1.402 + return -1;
1.403 + else
1.404 + return i * 8 + j;
1.405 +}
1.406 +
1.407 +/*
1.408 + * Construct a prefix.
1.409 + */
1.410 +static int make_addressPrefix(IPAddressOrRange **result,
1.411 + unsigned char *addr,
1.412 + const int prefixlen)
1.413 +{
1.414 + int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
1.415 + IPAddressOrRange *aor = IPAddressOrRange_new();
1.416 +
1.417 + if (aor == NULL)
1.418 + return 0;
1.419 + aor->type = IPAddressOrRange_addressPrefix;
1.420 + if (aor->u.addressPrefix == NULL &&
1.421 + (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
1.422 + goto err;
1.423 + if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
1.424 + goto err;
1.425 + aor->u.addressPrefix->flags &= ~7;
1.426 + aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1.427 + if (bitlen > 0) {
1.428 + aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
1.429 + aor->u.addressPrefix->flags |= 8 - bitlen;
1.430 + }
1.431 +
1.432 + *result = aor;
1.433 + return 1;
1.434 +
1.435 + err:
1.436 + IPAddressOrRange_free(aor);
1.437 + return 0;
1.438 +}
1.439 +
1.440 +/*
1.441 + * Construct a range. If it can be expressed as a prefix,
1.442 + * return a prefix instead. Doing this here simplifies
1.443 + * the rest of the code considerably.
1.444 + */
1.445 +static int make_addressRange(IPAddressOrRange **result,
1.446 + unsigned char *min,
1.447 + unsigned char *max,
1.448 + const int length)
1.449 +{
1.450 + IPAddressOrRange *aor;
1.451 + int i, prefixlen;
1.452 +
1.453 + if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
1.454 + return make_addressPrefix(result, min, prefixlen);
1.455 +
1.456 + if ((aor = IPAddressOrRange_new()) == NULL)
1.457 + return 0;
1.458 + aor->type = IPAddressOrRange_addressRange;
1.459 + assert(aor->u.addressRange == NULL);
1.460 + if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
1.461 + goto err;
1.462 + if (aor->u.addressRange->min == NULL &&
1.463 + (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
1.464 + goto err;
1.465 + if (aor->u.addressRange->max == NULL &&
1.466 + (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
1.467 + goto err;
1.468 +
1.469 + for (i = length; i > 0 && min[i - 1] == 0x00; --i)
1.470 + ;
1.471 + if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
1.472 + goto err;
1.473 + aor->u.addressRange->min->flags &= ~7;
1.474 + aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1.475 + if (i > 0) {
1.476 + unsigned char b = min[i - 1];
1.477 + int j = 1;
1.478 + while ((b & (0xFFU >> j)) != 0)
1.479 + ++j;
1.480 + aor->u.addressRange->min->flags |= 8 - j;
1.481 + }
1.482 +
1.483 + for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
1.484 + ;
1.485 + if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
1.486 + goto err;
1.487 + aor->u.addressRange->max->flags &= ~7;
1.488 + aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
1.489 + if (i > 0) {
1.490 + unsigned char b = max[i - 1];
1.491 + int j = 1;
1.492 + while ((b & (0xFFU >> j)) != (0xFFU >> j))
1.493 + ++j;
1.494 + aor->u.addressRange->max->flags |= 8 - j;
1.495 + }
1.496 +
1.497 + *result = aor;
1.498 + return 1;
1.499 +
1.500 + err:
1.501 + IPAddressOrRange_free(aor);
1.502 + return 0;
1.503 +}
1.504 +
1.505 +/*
1.506 + * Construct a new address family or find an existing one.
1.507 + */
1.508 +static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
1.509 + const unsigned afi,
1.510 + const unsigned *safi)
1.511 +{
1.512 + IPAddressFamily *f;
1.513 + unsigned char key[3];
1.514 + unsigned keylen;
1.515 + int i;
1.516 +
1.517 + key[0] = (afi >> 8) & 0xFF;
1.518 + key[1] = afi & 0xFF;
1.519 + if (safi != NULL) {
1.520 + key[2] = *safi & 0xFF;
1.521 + keylen = 3;
1.522 + } else {
1.523 + keylen = 2;
1.524 + }
1.525 +
1.526 + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1.527 + f = sk_IPAddressFamily_value(addr, i);
1.528 + assert(f->addressFamily->data != NULL);
1.529 + if (f->addressFamily->length == keylen &&
1.530 + !memcmp(f->addressFamily->data, key, keylen))
1.531 + return f;
1.532 + }
1.533 +
1.534 + if ((f = IPAddressFamily_new()) == NULL)
1.535 + goto err;
1.536 + if (f->ipAddressChoice == NULL &&
1.537 + (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
1.538 + goto err;
1.539 + if (f->addressFamily == NULL &&
1.540 + (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
1.541 + goto err;
1.542 + if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
1.543 + goto err;
1.544 + if (!sk_IPAddressFamily_push(addr, f))
1.545 + goto err;
1.546 +
1.547 + return f;
1.548 +
1.549 + err:
1.550 + IPAddressFamily_free(f);
1.551 + return NULL;
1.552 +}
1.553 +
1.554 +/*
1.555 + * Add an inheritance element.
1.556 + */
1.557 +int v3_addr_add_inherit(IPAddrBlocks *addr,
1.558 + const unsigned afi,
1.559 + const unsigned *safi)
1.560 +{
1.561 + IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
1.562 + if (f == NULL ||
1.563 + f->ipAddressChoice == NULL ||
1.564 + (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
1.565 + f->ipAddressChoice->u.addressesOrRanges != NULL))
1.566 + return 0;
1.567 + if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
1.568 + f->ipAddressChoice->u.inherit != NULL)
1.569 + return 1;
1.570 + if (f->ipAddressChoice->u.inherit == NULL &&
1.571 + (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
1.572 + return 0;
1.573 + f->ipAddressChoice->type = IPAddressChoice_inherit;
1.574 + return 1;
1.575 +}
1.576 +
1.577 +/*
1.578 + * Construct an IPAddressOrRange sequence, or return an existing one.
1.579 + */
1.580 +static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
1.581 + const unsigned afi,
1.582 + const unsigned *safi)
1.583 +{
1.584 + IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
1.585 + IPAddressOrRanges *aors = NULL;
1.586 +
1.587 + if (f == NULL ||
1.588 + f->ipAddressChoice == NULL ||
1.589 + (f->ipAddressChoice->type == IPAddressChoice_inherit &&
1.590 + f->ipAddressChoice->u.inherit != NULL))
1.591 + return NULL;
1.592 + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
1.593 + aors = f->ipAddressChoice->u.addressesOrRanges;
1.594 + if (aors != NULL)
1.595 + return aors;
1.596 + if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
1.597 + return NULL;
1.598 + switch (afi) {
1.599 + case IANA_AFI_IPV4:
1.600 + sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
1.601 + break;
1.602 + case IANA_AFI_IPV6:
1.603 + sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
1.604 + break;
1.605 + }
1.606 + f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
1.607 + f->ipAddressChoice->u.addressesOrRanges = aors;
1.608 + return aors;
1.609 +}
1.610 +
1.611 +/*
1.612 + * Add a prefix.
1.613 + */
1.614 +int v3_addr_add_prefix(IPAddrBlocks *addr,
1.615 + const unsigned afi,
1.616 + const unsigned *safi,
1.617 + unsigned char *a,
1.618 + const int prefixlen)
1.619 +{
1.620 + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
1.621 + IPAddressOrRange *aor;
1.622 + if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
1.623 + return 0;
1.624 + if (sk_IPAddressOrRange_push(aors, aor))
1.625 + return 1;
1.626 + IPAddressOrRange_free(aor);
1.627 + return 0;
1.628 +}
1.629 +
1.630 +/*
1.631 + * Add a range.
1.632 + */
1.633 +int v3_addr_add_range(IPAddrBlocks *addr,
1.634 + const unsigned afi,
1.635 + const unsigned *safi,
1.636 + unsigned char *min,
1.637 + unsigned char *max)
1.638 +{
1.639 + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
1.640 + IPAddressOrRange *aor;
1.641 + int length = length_from_afi(afi);
1.642 + if (aors == NULL)
1.643 + return 0;
1.644 + if (!make_addressRange(&aor, min, max, length))
1.645 + return 0;
1.646 + if (sk_IPAddressOrRange_push(aors, aor))
1.647 + return 1;
1.648 + IPAddressOrRange_free(aor);
1.649 + return 0;
1.650 +}
1.651 +
1.652 +/*
1.653 + * Extract min and max values from an IPAddressOrRange.
1.654 + */
1.655 +static void extract_min_max(IPAddressOrRange *aor,
1.656 + unsigned char *min,
1.657 + unsigned char *max,
1.658 + int length)
1.659 +{
1.660 + assert(aor != NULL && min != NULL && max != NULL);
1.661 + switch (aor->type) {
1.662 + case IPAddressOrRange_addressPrefix:
1.663 + addr_expand(min, aor->u.addressPrefix, length, 0x00);
1.664 + addr_expand(max, aor->u.addressPrefix, length, 0xFF);
1.665 + return;
1.666 + case IPAddressOrRange_addressRange:
1.667 + addr_expand(min, aor->u.addressRange->min, length, 0x00);
1.668 + addr_expand(max, aor->u.addressRange->max, length, 0xFF);
1.669 + return;
1.670 + }
1.671 +}
1.672 +
1.673 +/*
1.674 + * Public wrapper for extract_min_max().
1.675 + */
1.676 +int v3_addr_get_range(IPAddressOrRange *aor,
1.677 + const unsigned afi,
1.678 + unsigned char *min,
1.679 + unsigned char *max,
1.680 + const int length)
1.681 +{
1.682 + int afi_length = length_from_afi(afi);
1.683 + if (aor == NULL || min == NULL || max == NULL ||
1.684 + afi_length == 0 || length < afi_length ||
1.685 + (aor->type != IPAddressOrRange_addressPrefix &&
1.686 + aor->type != IPAddressOrRange_addressRange))
1.687 + return 0;
1.688 + extract_min_max(aor, min, max, afi_length);
1.689 + return afi_length;
1.690 +}
1.691 +
1.692 +/*
1.693 + * Sort comparision function for a sequence of IPAddressFamily.
1.694 + *
1.695 + * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
1.696 + * the ordering: I can read it as meaning that IPv6 without a SAFI
1.697 + * comes before IPv4 with a SAFI, which seems pretty weird. The
1.698 + * examples in appendix B suggest that the author intended the
1.699 + * null-SAFI rule to apply only within a single AFI, which is what I
1.700 + * would have expected and is what the following code implements.
1.701 + */
1.702 +static int IPAddressFamily_cmp(const IPAddressFamily * const *a_,
1.703 + const IPAddressFamily * const *b_)
1.704 +{
1.705 + const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
1.706 + const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
1.707 + int len = ((a->length <= b->length) ? a->length : b->length);
1.708 + int cmp = memcmp(a->data, b->data, len);
1.709 + return cmp ? cmp : a->length - b->length;
1.710 +}
1.711 +
1.712 +/*
1.713 + * Check whether an IPAddrBLocks is in canonical form.
1.714 + */
1.715 +int v3_addr_is_canonical(IPAddrBlocks *addr)
1.716 +{
1.717 + unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
1.718 + unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
1.719 + IPAddressOrRanges *aors;
1.720 + int i, j, k;
1.721 +
1.722 + /*
1.723 + * Empty extension is cannonical.
1.724 + */
1.725 + if (addr == NULL)
1.726 + return 1;
1.727 +
1.728 + /*
1.729 + * Check whether the top-level list is in order.
1.730 + */
1.731 + for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
1.732 + const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
1.733 + const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
1.734 + if (IPAddressFamily_cmp(&a, &b) >= 0)
1.735 + return 0;
1.736 + }
1.737 +
1.738 + /*
1.739 + * Top level's ok, now check each address family.
1.740 + */
1.741 + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1.742 + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1.743 + int length = length_from_afi(v3_addr_get_afi(f));
1.744 +
1.745 + /*
1.746 + * Inheritance is canonical. Anything other than inheritance or
1.747 + * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
1.748 + */
1.749 + if (f == NULL || f->ipAddressChoice == NULL)
1.750 + return 0;
1.751 + switch (f->ipAddressChoice->type) {
1.752 + case IPAddressChoice_inherit:
1.753 + continue;
1.754 + case IPAddressChoice_addressesOrRanges:
1.755 + break;
1.756 + default:
1.757 + return 0;
1.758 + }
1.759 +
1.760 + /*
1.761 + * It's an IPAddressOrRanges sequence, check it.
1.762 + */
1.763 + aors = f->ipAddressChoice->u.addressesOrRanges;
1.764 + if (sk_IPAddressOrRange_num(aors) == 0)
1.765 + return 0;
1.766 + for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
1.767 + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
1.768 + IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
1.769 +
1.770 + extract_min_max(a, a_min, a_max, length);
1.771 + extract_min_max(b, b_min, b_max, length);
1.772 +
1.773 + /*
1.774 + * Punt misordered list, overlapping start, or inverted range.
1.775 + */
1.776 + if (memcmp(a_min, b_min, length) >= 0 ||
1.777 + memcmp(a_min, a_max, length) > 0 ||
1.778 + memcmp(b_min, b_max, length) > 0)
1.779 + return 0;
1.780 +
1.781 + /*
1.782 + * Punt if adjacent or overlapping. Check for adjacency by
1.783 + * subtracting one from b_min first.
1.784 + */
1.785 + for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
1.786 + ;
1.787 + if (memcmp(a_max, b_min, length) >= 0)
1.788 + return 0;
1.789 +
1.790 + /*
1.791 + * Check for range that should be expressed as a prefix.
1.792 + */
1.793 + if (a->type == IPAddressOrRange_addressRange &&
1.794 + range_should_be_prefix(a_min, a_max, length) >= 0)
1.795 + return 0;
1.796 + }
1.797 +
1.798 + /*
1.799 + * Check final range to see if it should be a prefix.
1.800 + */
1.801 + j = sk_IPAddressOrRange_num(aors) - 1;
1.802 + {
1.803 + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
1.804 + if (a->type == IPAddressOrRange_addressRange) {
1.805 + extract_min_max(a, a_min, a_max, length);
1.806 + if (range_should_be_prefix(a_min, a_max, length) >= 0)
1.807 + return 0;
1.808 + }
1.809 + }
1.810 + }
1.811 +
1.812 + /*
1.813 + * If we made it through all that, we're happy.
1.814 + */
1.815 + return 1;
1.816 +}
1.817 +
1.818 +/*
1.819 + * Whack an IPAddressOrRanges into canonical form.
1.820 + */
1.821 +static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
1.822 + const unsigned afi)
1.823 +{
1.824 + int i, j, length = length_from_afi(afi);
1.825 +
1.826 + /*
1.827 + * Sort the IPAddressOrRanges sequence.
1.828 + */
1.829 + sk_IPAddressOrRange_sort(aors);
1.830 +
1.831 + /*
1.832 + * Clean up representation issues, punt on duplicates or overlaps.
1.833 + */
1.834 + for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
1.835 + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
1.836 + IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
1.837 + unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
1.838 + unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
1.839 +
1.840 + extract_min_max(a, a_min, a_max, length);
1.841 + extract_min_max(b, b_min, b_max, length);
1.842 +
1.843 + /*
1.844 + * Punt overlaps.
1.845 + */
1.846 + if (memcmp(a_max, b_min, length) >= 0)
1.847 + return 0;
1.848 +
1.849 + /*
1.850 + * Merge if a and b are adjacent. We check for
1.851 + * adjacency by subtracting one from b_min first.
1.852 + */
1.853 + for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
1.854 + ;
1.855 + if (memcmp(a_max, b_min, length) == 0) {
1.856 + IPAddressOrRange *merged;
1.857 + if (!make_addressRange(&merged, a_min, b_max, length))
1.858 + return 0;
1.859 + sk_IPAddressOrRange_set(aors, i, merged);
1.860 + sk_IPAddressOrRange_delete(aors, i + 1);
1.861 + IPAddressOrRange_free(a);
1.862 + IPAddressOrRange_free(b);
1.863 + --i;
1.864 + continue;
1.865 + }
1.866 + }
1.867 +
1.868 + return 1;
1.869 +}
1.870 +
1.871 +/*
1.872 + * Whack an IPAddrBlocks extension into canonical form.
1.873 + */
1.874 +int v3_addr_canonize(IPAddrBlocks *addr)
1.875 +{
1.876 + int i;
1.877 + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1.878 + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1.879 + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
1.880 + !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
1.881 + v3_addr_get_afi(f)))
1.882 + return 0;
1.883 + }
1.884 + sk_IPAddressFamily_sort(addr);
1.885 + assert(v3_addr_is_canonical(addr));
1.886 + return 1;
1.887 +}
1.888 +
1.889 +/*
1.890 + * v2i handler for the IPAddrBlocks extension.
1.891 + */
1.892 +static void *v2i_IPAddrBlocks(struct v3_ext_method *method,
1.893 + struct v3_ext_ctx *ctx,
1.894 + STACK_OF(CONF_VALUE) *values)
1.895 +{
1.896 + static const char v4addr_chars[] = "0123456789.";
1.897 + static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
1.898 + IPAddrBlocks *addr = NULL;
1.899 + char *s = NULL, *t;
1.900 + int i;
1.901 +
1.902 + if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
1.903 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1.904 + return NULL;
1.905 + }
1.906 +
1.907 + for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
1.908 + CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
1.909 + unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
1.910 + unsigned afi, *safi = NULL, safi_;
1.911 + const char *addr_chars;
1.912 + int prefixlen, i1, i2, delim, length;
1.913 +
1.914 + if ( !name_cmp(val->name, "IPv4")) {
1.915 + afi = IANA_AFI_IPV4;
1.916 + } else if (!name_cmp(val->name, "IPv6")) {
1.917 + afi = IANA_AFI_IPV6;
1.918 + } else if (!name_cmp(val->name, "IPv4-SAFI")) {
1.919 + afi = IANA_AFI_IPV4;
1.920 + safi = &safi_;
1.921 + } else if (!name_cmp(val->name, "IPv6-SAFI")) {
1.922 + afi = IANA_AFI_IPV6;
1.923 + safi = &safi_;
1.924 + } else {
1.925 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR);
1.926 + X509V3_conf_err(val);
1.927 + goto err;
1.928 + }
1.929 +
1.930 + switch (afi) {
1.931 + case IANA_AFI_IPV4:
1.932 + addr_chars = v4addr_chars;
1.933 + break;
1.934 + case IANA_AFI_IPV6:
1.935 + addr_chars = v6addr_chars;
1.936 + break;
1.937 + }
1.938 +
1.939 + length = length_from_afi(afi);
1.940 +
1.941 + /*
1.942 + * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
1.943 + * the other input values.
1.944 + */
1.945 + if (safi != NULL) {
1.946 + *safi = strtoul(val->value, &t, 0);
1.947 + t += strspn(t, " \t");
1.948 + if (*safi > 0xFF || *t++ != ':') {
1.949 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
1.950 + X509V3_conf_err(val);
1.951 + goto err;
1.952 + }
1.953 + t += strspn(t, " \t");
1.954 + s = BUF_strdup(t);
1.955 + } else {
1.956 + s = BUF_strdup(val->value);
1.957 + }
1.958 + if (s == NULL) {
1.959 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1.960 + goto err;
1.961 + }
1.962 +
1.963 + /*
1.964 + * Check for inheritance. Not worth additional complexity to
1.965 + * optimize this (seldom-used) case.
1.966 + */
1.967 + if (!strcmp(s, "inherit")) {
1.968 + if (!v3_addr_add_inherit(addr, afi, safi)) {
1.969 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE);
1.970 + X509V3_conf_err(val);
1.971 + goto err;
1.972 + }
1.973 + OPENSSL_free(s);
1.974 + s = NULL;
1.975 + continue;
1.976 + }
1.977 +
1.978 + i1 = strspn(s, addr_chars);
1.979 + i2 = i1 + strspn(s + i1, " \t");
1.980 + delim = s[i2++];
1.981 + s[i1] = '\0';
1.982 +
1.983 + if (a2i_ipadd(min, s) != length) {
1.984 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1.985 + X509V3_conf_err(val);
1.986 + goto err;
1.987 + }
1.988 +
1.989 + switch (delim) {
1.990 + case '/':
1.991 + prefixlen = (int) strtoul(s + i2, &t, 10);
1.992 + if (t == s + i2 || *t != '\0') {
1.993 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1.994 + X509V3_conf_err(val);
1.995 + goto err;
1.996 + }
1.997 + if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1.998 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1.999 + goto err;
1.1000 + }
1.1001 + break;
1.1002 + case '-':
1.1003 + i1 = i2 + strspn(s + i2, " \t");
1.1004 + i2 = i1 + strspn(s + i1, addr_chars);
1.1005 + if (i1 == i2 || s[i2] != '\0') {
1.1006 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1.1007 + X509V3_conf_err(val);
1.1008 + goto err;
1.1009 + }
1.1010 + if (a2i_ipadd(max, s + i1) != length) {
1.1011 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1.1012 + X509V3_conf_err(val);
1.1013 + goto err;
1.1014 + }
1.1015 + if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1.1016 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1.1017 + goto err;
1.1018 + }
1.1019 + break;
1.1020 + case '\0':
1.1021 + if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1.1022 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1.1023 + goto err;
1.1024 + }
1.1025 + break;
1.1026 + default:
1.1027 + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1.1028 + X509V3_conf_err(val);
1.1029 + goto err;
1.1030 + }
1.1031 +
1.1032 + OPENSSL_free(s);
1.1033 + s = NULL;
1.1034 + }
1.1035 +
1.1036 + /*
1.1037 + * Canonize the result, then we're done.
1.1038 + */
1.1039 + if (!v3_addr_canonize(addr))
1.1040 + goto err;
1.1041 + return addr;
1.1042 +
1.1043 + err:
1.1044 + OPENSSL_free(s);
1.1045 + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1.1046 + return NULL;
1.1047 +}
1.1048 +
1.1049 +/*
1.1050 + * OpenSSL dispatch
1.1051 + */
1.1052 +const X509V3_EXT_METHOD v3_addr = {
1.1053 + NID_sbgp_ipAddrBlock, /* nid */
1.1054 + 0, /* flags */
1.1055 + ASN1_ITEM_ref(IPAddrBlocks), /* template */
1.1056 + 0, 0, 0, 0, /* old functions, ignored */
1.1057 + 0, /* i2s */
1.1058 + 0, /* s2i */
1.1059 + 0, /* i2v */
1.1060 + v2i_IPAddrBlocks, /* v2i */
1.1061 + i2r_IPAddrBlocks, /* i2r */
1.1062 + 0, /* r2i */
1.1063 + NULL /* extension-specific data */
1.1064 +};
1.1065 +
1.1066 +/*
1.1067 + * Figure out whether extension sues inheritance.
1.1068 + */
1.1069 +int v3_addr_inherits(IPAddrBlocks *addr)
1.1070 +{
1.1071 + int i;
1.1072 + if (addr == NULL)
1.1073 + return 0;
1.1074 + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1.1075 + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1.1076 + if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1.1077 + return 1;
1.1078 + }
1.1079 + return 0;
1.1080 +}
1.1081 +
1.1082 +/*
1.1083 + * Figure out whether parent contains child.
1.1084 + */
1.1085 +static int addr_contains(IPAddressOrRanges *parent,
1.1086 + IPAddressOrRanges *child,
1.1087 + int length)
1.1088 +{
1.1089 + unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1.1090 + unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1.1091 + int p, c;
1.1092 +
1.1093 + if (child == NULL || parent == child)
1.1094 + return 1;
1.1095 + if (parent == NULL)
1.1096 + return 0;
1.1097 +
1.1098 + p = 0;
1.1099 + for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1.1100 + extract_min_max(sk_IPAddressOrRange_value(child, c),
1.1101 + c_min, c_max, length);
1.1102 + for (;; p++) {
1.1103 + if (p >= sk_IPAddressOrRange_num(parent))
1.1104 + return 0;
1.1105 + extract_min_max(sk_IPAddressOrRange_value(parent, p),
1.1106 + p_min, p_max, length);
1.1107 + if (memcmp(p_max, c_max, length) < 0)
1.1108 + continue;
1.1109 + if (memcmp(p_min, c_min, length) > 0)
1.1110 + return 0;
1.1111 + break;
1.1112 + }
1.1113 + }
1.1114 +
1.1115 + return 1;
1.1116 +}
1.1117 +
1.1118 +/*
1.1119 + * Test whether a is a subset of b.
1.1120 + */
1.1121 +int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1.1122 +{
1.1123 + int i;
1.1124 + if (a == NULL || a == b)
1.1125 + return 1;
1.1126 + if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1.1127 + return 0;
1.1128 + sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1.1129 + for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1.1130 + IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1.1131 + int j = sk_IPAddressFamily_find(b, fa);
1.1132 + IPAddressFamily *fb = sk_IPAddressFamily_value(b, j);
1.1133 + if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1.1134 + fa->ipAddressChoice->u.addressesOrRanges,
1.1135 + length_from_afi(v3_addr_get_afi(fb))))
1.1136 + return 0;
1.1137 + }
1.1138 + return 1;
1.1139 +}
1.1140 +
1.1141 +/*
1.1142 + * Validation error handling via callback.
1.1143 + */
1.1144 +#define validation_err(_err_) \
1.1145 + do { \
1.1146 + if (ctx != NULL) { \
1.1147 + ctx->error = _err_; \
1.1148 + ctx->error_depth = i; \
1.1149 + ctx->current_cert = x; \
1.1150 + ret = ctx->verify_cb(0, ctx); \
1.1151 + } else { \
1.1152 + ret = 0; \
1.1153 + } \
1.1154 + if (!ret) \
1.1155 + goto done; \
1.1156 + } while (0)
1.1157 +
1.1158 +/*
1.1159 + * Core code for RFC 3779 2.3 path validation.
1.1160 + */
1.1161 +static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1.1162 + STACK_OF(X509) *chain,
1.1163 + IPAddrBlocks *ext)
1.1164 +{
1.1165 + IPAddrBlocks *child = NULL;
1.1166 + int i, j, ret = 1;
1.1167 + X509 *x = NULL;
1.1168 +
1.1169 + assert(chain != NULL && sk_X509_num(chain) > 0);
1.1170 + assert(ctx != NULL || ext != NULL);
1.1171 + assert(ctx == NULL || ctx->verify_cb != NULL);
1.1172 +
1.1173 + /*
1.1174 + * Figure out where to start. If we don't have an extension to
1.1175 + * check, we're done. Otherwise, check canonical form and
1.1176 + * set up for walking up the chain.
1.1177 + */
1.1178 + if (ext != NULL) {
1.1179 + i = -1;
1.1180 + } else {
1.1181 + i = 0;
1.1182 + x = sk_X509_value(chain, i);
1.1183 + assert(x != NULL);
1.1184 + if ((ext = x->rfc3779_addr) == NULL)
1.1185 + goto done;
1.1186 + }
1.1187 + if (!v3_addr_is_canonical(ext))
1.1188 + validation_err(X509_V_ERR_INVALID_EXTENSION);
1.1189 + sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1.1190 + if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1.1191 + X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
1.1192 + ret = 0;
1.1193 + goto done;
1.1194 + }
1.1195 +
1.1196 + /*
1.1197 + * Now walk up the chain. No cert may list resources that its
1.1198 + * parent doesn't list.
1.1199 + */
1.1200 + for (i++; i < sk_X509_num(chain); i++) {
1.1201 + x = sk_X509_value(chain, i);
1.1202 + assert(x != NULL);
1.1203 + if (!v3_addr_is_canonical(x->rfc3779_addr))
1.1204 + validation_err(X509_V_ERR_INVALID_EXTENSION);
1.1205 + if (x->rfc3779_addr == NULL) {
1.1206 + for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1.1207 + IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1.1208 + if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1.1209 + validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1.1210 + break;
1.1211 + }
1.1212 + }
1.1213 + continue;
1.1214 + }
1.1215 + sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
1.1216 + for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1.1217 + IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1.1218 + int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1.1219 + IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
1.1220 + if (fp == NULL) {
1.1221 + if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1.1222 + validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1.1223 + break;
1.1224 + }
1.1225 + continue;
1.1226 + }
1.1227 + if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1.1228 + if (fc->ipAddressChoice->type == IPAddressChoice_inherit ||
1.1229 + addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1.1230 + fc->ipAddressChoice->u.addressesOrRanges,
1.1231 + length_from_afi(v3_addr_get_afi(fc))))
1.1232 + sk_IPAddressFamily_set(child, j, fp);
1.1233 + else
1.1234 + validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1.1235 + }
1.1236 + }
1.1237 + }
1.1238 +
1.1239 + /*
1.1240 + * Trust anchor can't inherit.
1.1241 + */
1.1242 + if (x->rfc3779_addr != NULL) {
1.1243 + for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1.1244 + IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
1.1245 + if (fp->ipAddressChoice->type == IPAddressChoice_inherit &&
1.1246 + sk_IPAddressFamily_find(child, fp) >= 0)
1.1247 + validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1.1248 + }
1.1249 + }
1.1250 +
1.1251 + done:
1.1252 + sk_IPAddressFamily_free(child);
1.1253 + return ret;
1.1254 +}
1.1255 +
1.1256 +#undef validation_err
1.1257 +
1.1258 +/*
1.1259 + * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1.1260 + */
1.1261 +int v3_addr_validate_path(X509_STORE_CTX *ctx)
1.1262 +{
1.1263 + return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
1.1264 +}
1.1265 +
1.1266 +/*
1.1267 + * RFC 3779 2.3 path validation of an extension.
1.1268 + * Test whether chain covers extension.
1.1269 + */
1.1270 +int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1.1271 + IPAddrBlocks *ext,
1.1272 + int allow_inheritance)
1.1273 +{
1.1274 + if (ext == NULL)
1.1275 + return 1;
1.1276 + if (chain == NULL || sk_X509_num(chain) == 0)
1.1277 + return 0;
1.1278 + if (!allow_inheritance && v3_addr_inherits(ext))
1.1279 + return 0;
1.1280 + return v3_addr_validate_path_internal(NULL, chain, ext);
1.1281 +}
1.1282 +
1.1283 +#endif /* OPENSSL_NO_RFC3779 */