1 /* $OpenBSD: x509_addr.c,v 1.83 2022/05/25 17:10:30 tb Exp $ */ 2 /* 3 * Contributed to the OpenSSL Project by the American Registry for 4 * Internet Numbers ("ARIN"). 5 */ 6 /* ==================================================================== 7 * Copyright (c) 2006-2016 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 */ 58 59 /* 60 * Implementation of RFC 3779 section 2.2. 61 */ 62 63 #include <limits.h> 64 #include <stdio.h> 65 #include <stdlib.h> 66 #include <string.h> 67 68 #include <openssl/asn1.h> 69 #include <openssl/asn1t.h> 70 #include <openssl/buffer.h> 71 #include <openssl/conf.h> 72 #include <openssl/err.h> 73 #include <openssl/x509.h> 74 #include <openssl/x509v3.h> 75 76 #include "asn1_locl.h" 77 #include "bytestring.h" 78 #include "x509_lcl.h" 79 80 #ifndef OPENSSL_NO_RFC3779 81 82 /* 83 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. 84 */ 85 86 static const ASN1_TEMPLATE IPAddressRange_seq_tt[] = { 87 { 88 .flags = 0, 89 .tag = 0, 90 .offset = offsetof(IPAddressRange, min), 91 .field_name = "min", 92 .item = &ASN1_BIT_STRING_it, 93 }, 94 { 95 .flags = 0, 96 .tag = 0, 97 .offset = offsetof(IPAddressRange, max), 98 .field_name = "max", 99 .item = &ASN1_BIT_STRING_it, 100 }, 101 }; 102 103 const ASN1_ITEM IPAddressRange_it = { 104 .itype = ASN1_ITYPE_SEQUENCE, 105 .utype = V_ASN1_SEQUENCE, 106 .templates = IPAddressRange_seq_tt, 107 .tcount = sizeof(IPAddressRange_seq_tt) / sizeof(ASN1_TEMPLATE), 108 .funcs = NULL, 109 .size = sizeof(IPAddressRange), 110 .sname = "IPAddressRange", 111 }; 112 113 static const ASN1_TEMPLATE IPAddressOrRange_ch_tt[] = { 114 { 115 .flags = 0, 116 .tag = 0, 117 .offset = offsetof(IPAddressOrRange, u.addressPrefix), 118 .field_name = "u.addressPrefix", 119 .item = &ASN1_BIT_STRING_it, 120 }, 121 { 122 .flags = 0, 123 .tag = 0, 124 .offset = offsetof(IPAddressOrRange, u.addressRange), 125 .field_name = "u.addressRange", 126 .item = &IPAddressRange_it, 127 }, 128 }; 129 130 const ASN1_ITEM IPAddressOrRange_it = { 131 .itype = ASN1_ITYPE_CHOICE, 132 .utype = offsetof(IPAddressOrRange, type), 133 .templates = IPAddressOrRange_ch_tt, 134 .tcount = sizeof(IPAddressOrRange_ch_tt) / sizeof(ASN1_TEMPLATE), 135 .funcs = NULL, 136 .size = sizeof(IPAddressOrRange), 137 .sname = "IPAddressOrRange", 138 }; 139 140 static const ASN1_TEMPLATE IPAddressChoice_ch_tt[] = { 141 { 142 .flags = 0, 143 .tag = 0, 144 .offset = offsetof(IPAddressChoice, u.inherit), 145 .field_name = "u.inherit", 146 .item = &ASN1_NULL_it, 147 }, 148 { 149 .flags = ASN1_TFLG_SEQUENCE_OF, 150 .tag = 0, 151 .offset = offsetof(IPAddressChoice, u.addressesOrRanges), 152 .field_name = "u.addressesOrRanges", 153 .item = &IPAddressOrRange_it, 154 }, 155 }; 156 157 const ASN1_ITEM IPAddressChoice_it = { 158 .itype = ASN1_ITYPE_CHOICE, 159 .utype = offsetof(IPAddressChoice, type), 160 .templates = IPAddressChoice_ch_tt, 161 .tcount = sizeof(IPAddressChoice_ch_tt) / sizeof(ASN1_TEMPLATE), 162 .funcs = NULL, 163 .size = sizeof(IPAddressChoice), 164 .sname = "IPAddressChoice", 165 }; 166 167 static const ASN1_TEMPLATE IPAddressFamily_seq_tt[] = { 168 { 169 .flags = 0, 170 .tag = 0, 171 .offset = offsetof(IPAddressFamily, addressFamily), 172 .field_name = "addressFamily", 173 .item = &ASN1_OCTET_STRING_it, 174 }, 175 { 176 .flags = 0, 177 .tag = 0, 178 .offset = offsetof(IPAddressFamily, ipAddressChoice), 179 .field_name = "ipAddressChoice", 180 .item = &IPAddressChoice_it, 181 }, 182 }; 183 184 const ASN1_ITEM IPAddressFamily_it = { 185 .itype = ASN1_ITYPE_SEQUENCE, 186 .utype = V_ASN1_SEQUENCE, 187 .templates = IPAddressFamily_seq_tt, 188 .tcount = sizeof(IPAddressFamily_seq_tt) / sizeof(ASN1_TEMPLATE), 189 .funcs = NULL, 190 .size = sizeof(IPAddressFamily), 191 .sname = "IPAddressFamily", 192 }; 193 194 static const ASN1_TEMPLATE IPAddrBlocks_item_tt = { 195 .flags = ASN1_TFLG_SEQUENCE_OF, 196 .tag = 0, 197 .offset = 0, 198 .field_name = "IPAddrBlocks", 199 .item = &IPAddressFamily_it, 200 }; 201 202 static const ASN1_ITEM IPAddrBlocks_it = { 203 .itype = ASN1_ITYPE_PRIMITIVE, 204 .utype = -1, 205 .templates = &IPAddrBlocks_item_tt, 206 .tcount = 0, 207 .funcs = NULL, 208 .size = 0, 209 .sname = "IPAddrBlocks", 210 }; 211 212 IPAddressRange * 213 d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len) 214 { 215 return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 216 &IPAddressRange_it); 217 } 218 219 int 220 i2d_IPAddressRange(IPAddressRange *a, unsigned char **out) 221 { 222 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it); 223 } 224 225 IPAddressRange * 226 IPAddressRange_new(void) 227 { 228 return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it); 229 } 230 231 void 232 IPAddressRange_free(IPAddressRange *a) 233 { 234 ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it); 235 } 236 237 IPAddressOrRange * 238 d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len) 239 { 240 return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 241 &IPAddressOrRange_it); 242 } 243 244 int 245 i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out) 246 { 247 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it); 248 } 249 250 IPAddressOrRange * 251 IPAddressOrRange_new(void) 252 { 253 return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it); 254 } 255 256 void 257 IPAddressOrRange_free(IPAddressOrRange *a) 258 { 259 ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it); 260 } 261 262 IPAddressChoice * 263 d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len) 264 { 265 return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 266 &IPAddressChoice_it); 267 } 268 269 int 270 i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out) 271 { 272 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it); 273 } 274 275 IPAddressChoice * 276 IPAddressChoice_new(void) 277 { 278 return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it); 279 } 280 281 void 282 IPAddressChoice_free(IPAddressChoice *a) 283 { 284 ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it); 285 } 286 287 IPAddressFamily * 288 d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len) 289 { 290 return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 291 &IPAddressFamily_it); 292 } 293 294 int 295 i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out) 296 { 297 return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it); 298 } 299 300 IPAddressFamily * 301 IPAddressFamily_new(void) 302 { 303 return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it); 304 } 305 306 void 307 IPAddressFamily_free(IPAddressFamily *a) 308 { 309 ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it); 310 } 311 312 /* 313 * Convenience accessors for IPAddressFamily. 314 */ 315 316 static int 317 IPAddressFamily_type(IPAddressFamily *af) 318 { 319 /* XXX - can af->ipAddressChoice == NULL actually happen? */ 320 if (af == NULL || af->ipAddressChoice == NULL) 321 return -1; 322 323 switch (af->ipAddressChoice->type) { 324 case IPAddressChoice_inherit: 325 case IPAddressChoice_addressesOrRanges: 326 return af->ipAddressChoice->type; 327 default: 328 return -1; 329 } 330 } 331 332 static IPAddressOrRanges * 333 IPAddressFamily_addressesOrRanges(IPAddressFamily *af) 334 { 335 if (IPAddressFamily_type(af) == IPAddressChoice_addressesOrRanges) 336 return af->ipAddressChoice->u.addressesOrRanges; 337 338 return NULL; 339 } 340 341 static ASN1_NULL * 342 IPAddressFamily_inheritance(IPAddressFamily *af) 343 { 344 if (IPAddressFamily_type(af) == IPAddressChoice_inherit) 345 return af->ipAddressChoice->u.inherit; 346 347 return NULL; 348 } 349 350 static int 351 IPAddressFamily_set_inheritance(IPAddressFamily *af) 352 { 353 if (IPAddressFamily_addressesOrRanges(af) != NULL) 354 return 0; 355 356 if (IPAddressFamily_inheritance(af) != NULL) 357 return 1; 358 359 if ((af->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) 360 return 0; 361 af->ipAddressChoice->type = IPAddressChoice_inherit; 362 363 return 1; 364 } 365 366 /* 367 * How much buffer space do we need for a raw address? 368 */ 369 #define ADDR_RAW_BUF_LEN 16 370 371 /* 372 * What's the address length associated with this AFI? 373 */ 374 static int 375 length_from_afi(const unsigned afi) 376 { 377 switch (afi) { 378 case IANA_AFI_IPV4: 379 return 4; 380 case IANA_AFI_IPV6: 381 return 16; 382 default: 383 return 0; 384 } 385 } 386 387 /* 388 * Get AFI and optional SAFI from an IPAddressFamily. All three out arguments 389 * are optional; if |out_safi| is non-NULL, |safi_is_set| must be non-NULL. 390 */ 391 static int 392 IPAddressFamily_afi_safi(const IPAddressFamily *af, uint16_t *out_afi, 393 uint8_t *out_safi, int *safi_is_set) 394 { 395 CBS cbs; 396 uint16_t afi; 397 uint8_t safi = 0; 398 int got_safi = 0; 399 400 CBS_init(&cbs, af->addressFamily->data, af->addressFamily->length); 401 402 if (!CBS_get_u16(&cbs, &afi)) 403 return 0; 404 405 /* Fetch the optional SAFI. */ 406 if (CBS_len(&cbs) != 0) { 407 if (!CBS_get_u8(&cbs, &safi)) 408 return 0; 409 got_safi = 1; 410 } 411 412 /* If there's anything left, it's garbage. */ 413 if (CBS_len(&cbs) != 0) 414 return 0; 415 416 /* XXX - error on reserved AFI/SAFI? */ 417 418 if (out_afi != NULL) 419 *out_afi = afi; 420 421 if (out_safi != NULL) { 422 *out_safi = safi; 423 *safi_is_set = got_safi; 424 } 425 426 return 1; 427 } 428 429 static int 430 IPAddressFamily_afi(const IPAddressFamily *af, uint16_t *out_afi) 431 { 432 return IPAddressFamily_afi_safi(af, out_afi, NULL, NULL); 433 } 434 435 static int 436 IPAddressFamily_afi_is_valid(const IPAddressFamily *af) 437 { 438 return IPAddressFamily_afi_safi(af, NULL, NULL, NULL); 439 } 440 441 static int 442 IPAddressFamily_afi_length(const IPAddressFamily *af, int *out_length) 443 { 444 uint16_t afi; 445 446 *out_length = 0; 447 448 if (!IPAddressFamily_afi(af, &afi)) 449 return 0; 450 451 *out_length = length_from_afi(afi); 452 453 return 1; 454 } 455 456 #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) 457 458 /* 459 * Sort comparison function for a sequence of IPAddressFamily. 460 * 461 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about 462 * the ordering: I can read it as meaning that IPv6 without a SAFI 463 * comes before IPv4 with a SAFI, which seems pretty weird. The 464 * examples in appendix B suggest that the author intended the 465 * null-SAFI rule to apply only within a single AFI, which is what I 466 * would have expected and is what the following code implements. 467 */ 468 static int 469 IPAddressFamily_cmp(const IPAddressFamily *const *a_, 470 const IPAddressFamily *const *b_) 471 { 472 const ASN1_OCTET_STRING *a = (*a_)->addressFamily; 473 const ASN1_OCTET_STRING *b = (*b_)->addressFamily; 474 int len, cmp; 475 476 len = MINIMUM(a->length, b->length); 477 478 if ((cmp = memcmp(a->data, b->data, len)) != 0) 479 return cmp; 480 481 return a->length - b->length; 482 } 483 484 static IPAddressFamily * 485 IPAddressFamily_find_in_parent(IPAddrBlocks *parent, IPAddressFamily *child_af) 486 { 487 int index; 488 489 (void)sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp); 490 491 if ((index = sk_IPAddressFamily_find(parent, child_af)) < 0) 492 return NULL; 493 494 return sk_IPAddressFamily_value(parent, index); 495 } 496 497 /* 498 * Extract the AFI from an IPAddressFamily. 499 * 500 * This is public API. It uses the reserved AFI 0 as an in-band error 501 * while it doesn't care about the reserved AFI 65535... 502 */ 503 unsigned int 504 X509v3_addr_get_afi(const IPAddressFamily *af) 505 { 506 uint16_t afi; 507 508 /* 509 * XXX are these NULL checks really sensible? If af is non-NULL, it 510 * should have both addressFamily and ipAddressChoice... 511 */ 512 if (af == NULL || af->addressFamily == NULL || 513 af->addressFamily->data == NULL) 514 return 0; 515 516 if (!IPAddressFamily_afi(af, &afi)) 517 return 0; 518 519 return afi; 520 } 521 522 /* 523 * Expand the bitstring form (RFC 3779, section 2.1.2) of an address into 524 * a raw byte array. At the moment this is coded for simplicity, not speed. 525 * 526 * Unused bits in the last octet of |bs| and all bits in subsequent bytes 527 * of |addr| are set to 0 or 1 depending on whether |fill| is 0 or not. 528 */ 529 static int 530 addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length, 531 uint8_t fill) 532 { 533 if (bs->length < 0 || bs->length > length) 534 return 0; 535 536 if (fill != 0) 537 fill = 0xff; 538 539 if (bs->length > 0) { 540 /* XXX - shouldn't this check ASN1_STRING_FLAG_BITS_LEFT? */ 541 uint8_t unused_bits = bs->flags & 7; 542 uint8_t mask = (1 << unused_bits) - 1; 543 544 memcpy(addr, bs->data, bs->length); 545 546 if (fill == 0) 547 addr[bs->length - 1] &= ~mask; 548 else 549 addr[bs->length - 1] |= mask; 550 } 551 552 memset(addr + bs->length, fill, length - bs->length); 553 554 return 1; 555 } 556 557 /* 558 * Extract the prefix length from a bitstring: 8 * length - unused bits. 559 */ 560 #define addr_prefix_len(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) 561 562 /* 563 * i2r handler for one address bitstring. 564 */ 565 static int 566 i2r_address(BIO *out, const unsigned afi, const unsigned char fill, 567 const ASN1_BIT_STRING *bs) 568 { 569 unsigned char addr[ADDR_RAW_BUF_LEN]; 570 int i, n; 571 572 if (bs->length < 0) 573 return 0; 574 switch (afi) { 575 case IANA_AFI_IPV4: 576 if (!addr_expand(addr, bs, 4, fill)) 577 return 0; 578 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], 579 addr[3]); 580 break; 581 case IANA_AFI_IPV6: 582 if (!addr_expand(addr, bs, 16, fill)) 583 return 0; 584 for (n = 16; 585 n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2) 586 continue; 587 for (i = 0; i < n; i += 2) 588 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1], 589 (i < 14 ? ":" : "")); 590 if (i < 16) 591 BIO_puts(out, ":"); 592 if (i == 0) 593 BIO_puts(out, ":"); 594 break; 595 default: 596 for (i = 0; i < bs->length; i++) 597 BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), 598 bs->data[i]); 599 BIO_printf(out, "[%d]", (int)(bs->flags & 7)); 600 break; 601 } 602 return 1; 603 } 604 605 /* 606 * i2r handler for a sequence of addresses and ranges. 607 */ 608 static int 609 i2r_IPAddressOrRanges(BIO *out, const int indent, 610 const IPAddressOrRanges *aors, const unsigned afi) 611 { 612 const IPAddressOrRange *aor; 613 const ASN1_BIT_STRING *prefix; 614 const IPAddressRange *range; 615 int i; 616 617 for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { 618 aor = sk_IPAddressOrRange_value(aors, i); 619 620 BIO_printf(out, "%*s", indent, ""); 621 622 switch (aor->type) { 623 case IPAddressOrRange_addressPrefix: 624 prefix = aor->u.addressPrefix; 625 626 if (!i2r_address(out, afi, 0x00, prefix)) 627 return 0; 628 BIO_printf(out, "/%d\n", addr_prefix_len(prefix)); 629 continue; 630 case IPAddressOrRange_addressRange: 631 range = aor->u.addressRange; 632 633 if (!i2r_address(out, afi, 0x00, range->min)) 634 return 0; 635 BIO_puts(out, "-"); 636 if (!i2r_address(out, afi, 0xff, range->max)) 637 return 0; 638 BIO_puts(out, "\n"); 639 continue; 640 } 641 } 642 643 return 1; 644 } 645 646 /* 647 * i2r handler for an IPAddrBlocks extension. 648 */ 649 static int 650 i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out, 651 int indent) 652 { 653 const IPAddrBlocks *addr = ext; 654 IPAddressFamily *af; 655 uint16_t afi; 656 uint8_t safi; 657 int i, safi_is_set; 658 659 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 660 af = sk_IPAddressFamily_value(addr, i); 661 662 if (!IPAddressFamily_afi_safi(af, &afi, &safi, &safi_is_set)) 663 goto print_addresses; 664 665 switch (afi) { 666 case IANA_AFI_IPV4: 667 BIO_printf(out, "%*sIPv4", indent, ""); 668 break; 669 case IANA_AFI_IPV6: 670 BIO_printf(out, "%*sIPv6", indent, ""); 671 break; 672 default: 673 BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); 674 break; 675 } 676 if (safi_is_set) { 677 switch (safi) { 678 case 1: 679 BIO_puts(out, " (Unicast)"); 680 break; 681 case 2: 682 BIO_puts(out, " (Multicast)"); 683 break; 684 case 3: 685 BIO_puts(out, " (Unicast/Multicast)"); 686 break; 687 case 4: 688 BIO_puts(out, " (MPLS)"); 689 break; 690 case 64: 691 BIO_puts(out, " (Tunnel)"); 692 break; 693 case 65: 694 BIO_puts(out, " (VPLS)"); 695 break; 696 case 66: 697 BIO_puts(out, " (BGP MDT)"); 698 break; 699 case 128: 700 BIO_puts(out, " (MPLS-labeled VPN)"); 701 break; 702 default: 703 BIO_printf(out, " (Unknown SAFI %u)", safi); 704 break; 705 } 706 } 707 708 print_addresses: 709 switch (IPAddressFamily_type(af)) { 710 case IPAddressChoice_inherit: 711 BIO_puts(out, ": inherit\n"); 712 break; 713 case IPAddressChoice_addressesOrRanges: 714 BIO_puts(out, ":\n"); 715 if (!i2r_IPAddressOrRanges(out, indent + 2, 716 IPAddressFamily_addressesOrRanges(af), afi)) 717 return 0; 718 break; 719 /* XXX - how should we handle -1 here? */ 720 } 721 } 722 return 1; 723 } 724 725 /* 726 * Sort comparison function for a sequence of IPAddressOrRange 727 * elements. 728 * 729 * There's no sane answer we can give if addr_expand() fails, and an 730 * assertion failure on externally supplied data is seriously uncool, 731 * so we just arbitrarily declare that if given invalid inputs this 732 * function returns -1. If this messes up your preferred sort order 733 * for garbage input, tough noogies. 734 */ 735 static int 736 IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b, 737 const int length) 738 { 739 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; 740 int prefix_len_a = 0, prefix_len_b = 0; 741 int r; 742 743 switch (a->type) { 744 case IPAddressOrRange_addressPrefix: 745 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) 746 return -1; 747 prefix_len_a = addr_prefix_len(a->u.addressPrefix); 748 break; 749 case IPAddressOrRange_addressRange: 750 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) 751 return -1; 752 prefix_len_a = length * 8; 753 break; 754 } 755 756 switch (b->type) { 757 case IPAddressOrRange_addressPrefix: 758 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) 759 return -1; 760 prefix_len_b = addr_prefix_len(b->u.addressPrefix); 761 break; 762 case IPAddressOrRange_addressRange: 763 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) 764 return -1; 765 prefix_len_b = length * 8; 766 break; 767 } 768 769 if ((r = memcmp(addr_a, addr_b, length)) != 0) 770 return r; 771 else 772 return prefix_len_a - prefix_len_b; 773 } 774 775 /* 776 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() 777 * comparison routines are only allowed two arguments. 778 */ 779 static int 780 v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 781 const IPAddressOrRange *const *b) 782 { 783 return IPAddressOrRange_cmp(*a, *b, 4); 784 } 785 786 /* 787 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() 788 * comparison routines are only allowed two arguments. 789 */ 790 static int 791 v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a, 792 const IPAddressOrRange *const *b) 793 { 794 return IPAddressOrRange_cmp(*a, *b, 16); 795 } 796 797 /* 798 * Calculate whether a range collapses to a prefix. 799 * See last paragraph of RFC 3779 2.2.3.7. 800 * 801 * It's the caller's responsibility to ensure that min <= max. 802 */ 803 static int 804 range_should_be_prefix(const unsigned char *min, const unsigned char *max, 805 const int length) 806 { 807 unsigned char mask; 808 int i, j; 809 810 for (i = 0; i < length && min[i] == max[i]; i++) 811 continue; 812 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xff; j--) 813 continue; 814 if (i < j) 815 return -1; 816 if (i > j) 817 return i * 8; 818 mask = min[i] ^ max[i]; 819 switch (mask) { 820 case 0x01: 821 j = 7; 822 break; 823 case 0x03: 824 j = 6; 825 break; 826 case 0x07: 827 j = 5; 828 break; 829 case 0x0f: 830 j = 4; 831 break; 832 case 0x1f: 833 j = 3; 834 break; 835 case 0x3f: 836 j = 2; 837 break; 838 case 0x7f: 839 j = 1; 840 break; 841 default: 842 return -1; 843 } 844 if ((min[i] & mask) != 0 || (max[i] & mask) != mask) 845 return -1; 846 else 847 return i * 8 + j; 848 } 849 850 /* 851 * Fill IPAddressOrRange with bit string encoding of a prefix - RFC 3779, 2.1.1. 852 */ 853 static int 854 make_addressPrefix(IPAddressOrRange **out_aor, uint8_t *addr, uint32_t afi, 855 int prefix_len) 856 { 857 IPAddressOrRange *aor = NULL; 858 int afi_len, max_len, num_bits, num_octets; 859 uint8_t unused_bits; 860 861 if (prefix_len < 0) 862 goto err; 863 864 max_len = 16; 865 if ((afi_len = length_from_afi(afi)) > 0) 866 max_len = afi_len; 867 if (prefix_len > 8 * max_len) 868 goto err; 869 870 num_octets = (prefix_len + 7) / 8; 871 num_bits = prefix_len % 8; 872 873 unused_bits = 0; 874 if (num_bits > 0) 875 unused_bits = 8 - num_bits; 876 877 if ((aor = IPAddressOrRange_new()) == NULL) 878 goto err; 879 880 aor->type = IPAddressOrRange_addressPrefix; 881 882 if ((aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) 883 goto err; 884 if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, num_octets)) 885 goto err; 886 if (!asn1_abs_set_unused_bits(aor->u.addressPrefix, unused_bits)) 887 goto err; 888 889 *out_aor = aor; 890 return 1; 891 892 err: 893 IPAddressOrRange_free(aor); 894 return 0; 895 } 896 897 static uint8_t 898 count_trailing_zeroes(uint8_t octet) 899 { 900 uint8_t count = 0; 901 902 if (octet == 0) 903 return 8; 904 905 while ((octet & (1 << count)) == 0) 906 count++; 907 908 return count; 909 } 910 911 static int 912 trim_end_u8(CBS *cbs, uint8_t trim) 913 { 914 uint8_t octet; 915 916 while (CBS_len(cbs) > 0) { 917 if (!CBS_peek_last_u8(cbs, &octet)) 918 return 0; 919 if (octet != trim) 920 return 1; 921 if (!CBS_get_last_u8(cbs, &octet)) 922 return 0; 923 } 924 925 return 1; 926 } 927 928 /* 929 * Populate IPAddressOrRange with bit string encoding of a range, see 930 * RFC 3779, 2.1.2. 931 */ 932 static int 933 make_addressRange(IPAddressOrRange **out_aor, uint8_t *min, uint8_t *max, 934 uint32_t afi, int length) 935 { 936 IPAddressOrRange *aor = NULL; 937 IPAddressRange *range; 938 int prefix_len; 939 CBS cbs; 940 size_t max_len, min_len; 941 uint8_t unused_bits_min, unused_bits_max; 942 uint8_t octet; 943 944 if (memcmp(min, max, length) > 0) 945 goto err; 946 947 /* 948 * RFC 3779, 2.2.3.6 - a range that can be expressed as a prefix 949 * must be encoded as a prefix. 950 */ 951 952 if ((prefix_len = range_should_be_prefix(min, max, length)) >= 0) 953 return make_addressPrefix(out_aor, min, afi, prefix_len); 954 955 /* 956 * The bit string representing min is formed by removing all its 957 * trailing zero bits, so remove all trailing zero octets and count 958 * the trailing zero bits of the last octet. 959 */ 960 961 CBS_init(&cbs, min, length); 962 963 if (!trim_end_u8(&cbs, 0x00)) 964 goto err; 965 966 unused_bits_min = 0; 967 if ((min_len = CBS_len(&cbs)) > 0) { 968 if (!CBS_peek_last_u8(&cbs, &octet)) 969 goto err; 970 971 unused_bits_min = count_trailing_zeroes(octet); 972 } 973 974 /* 975 * The bit string representing max is formed by removing all its 976 * trailing one bits, so remove all trailing 0xff octets and count 977 * the trailing ones of the last octet. 978 */ 979 980 CBS_init(&cbs, max, length); 981 982 if (!trim_end_u8(&cbs, 0xff)) 983 goto err; 984 985 unused_bits_max = 0; 986 if ((max_len = CBS_len(&cbs)) > 0) { 987 if (!CBS_peek_last_u8(&cbs, &octet)) 988 goto err; 989 990 unused_bits_max = count_trailing_zeroes(octet + 1); 991 } 992 993 /* 994 * Populate IPAddressOrRange. 995 */ 996 997 if ((aor = IPAddressOrRange_new()) == NULL) 998 goto err; 999 1000 aor->type = IPAddressOrRange_addressRange; 1001 1002 if ((range = aor->u.addressRange = IPAddressRange_new()) == NULL) 1003 goto err; 1004 1005 if (!ASN1_BIT_STRING_set(range->min, min, min_len)) 1006 goto err; 1007 if (!asn1_abs_set_unused_bits(range->min, unused_bits_min)) 1008 goto err; 1009 1010 if (!ASN1_BIT_STRING_set(range->max, max, max_len)) 1011 goto err; 1012 if (!asn1_abs_set_unused_bits(range->max, unused_bits_max)) 1013 goto err; 1014 1015 *out_aor = aor; 1016 1017 return 1; 1018 1019 err: 1020 IPAddressOrRange_free(aor); 1021 return 0; 1022 } 1023 1024 /* 1025 * Construct a new address family or find an existing one. 1026 */ 1027 static IPAddressFamily * 1028 make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi, 1029 const unsigned *safi) 1030 { 1031 IPAddressFamily *af = NULL; 1032 CBB cbb; 1033 CBS cbs; 1034 uint8_t *key = NULL; 1035 size_t keylen; 1036 int i; 1037 1038 if (!CBB_init(&cbb, 0)) 1039 goto err; 1040 1041 /* XXX - should afi <= 65535 and *safi <= 255 be checked here? */ 1042 1043 if (!CBB_add_u16(&cbb, afi)) 1044 goto err; 1045 if (safi != NULL) { 1046 if (!CBB_add_u8(&cbb, *safi)) 1047 goto err; 1048 } 1049 1050 if (!CBB_finish(&cbb, &key, &keylen)) 1051 goto err; 1052 1053 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1054 af = sk_IPAddressFamily_value(addr, i); 1055 1056 CBS_init(&cbs, af->addressFamily->data, 1057 af->addressFamily->length); 1058 if (CBS_mem_equal(&cbs, key, keylen)) 1059 goto done; 1060 } 1061 1062 if ((af = IPAddressFamily_new()) == NULL) 1063 goto err; 1064 if (!ASN1_OCTET_STRING_set(af->addressFamily, key, keylen)) 1065 goto err; 1066 if (!sk_IPAddressFamily_push(addr, af)) 1067 goto err; 1068 1069 done: 1070 free(key); 1071 1072 return af; 1073 1074 err: 1075 CBB_cleanup(&cbb); 1076 free(key); 1077 IPAddressFamily_free(af); 1078 1079 return NULL; 1080 } 1081 1082 /* 1083 * Add an inheritance element. 1084 */ 1085 int 1086 X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi, 1087 const unsigned *safi) 1088 { 1089 IPAddressFamily *af; 1090 1091 if ((af = make_IPAddressFamily(addr, afi, safi)) == NULL) 1092 return 0; 1093 1094 return IPAddressFamily_set_inheritance(af); 1095 } 1096 1097 /* 1098 * Construct an IPAddressOrRange sequence, or return an existing one. 1099 */ 1100 static IPAddressOrRanges * 1101 make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi, 1102 const unsigned *safi) 1103 { 1104 IPAddressFamily *af; 1105 IPAddressOrRanges *aors = NULL; 1106 1107 if ((af = make_IPAddressFamily(addr, afi, safi)) == NULL) 1108 return NULL; 1109 1110 if (IPAddressFamily_inheritance(af) != NULL) 1111 return NULL; 1112 1113 if ((aors = IPAddressFamily_addressesOrRanges(af)) != NULL) 1114 return aors; 1115 1116 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) 1117 return NULL; 1118 1119 switch (afi) { 1120 case IANA_AFI_IPV4: 1121 (void)sk_IPAddressOrRange_set_cmp_func(aors, 1122 v4IPAddressOrRange_cmp); 1123 break; 1124 case IANA_AFI_IPV6: 1125 (void)sk_IPAddressOrRange_set_cmp_func(aors, 1126 v6IPAddressOrRange_cmp); 1127 break; 1128 } 1129 1130 af->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 1131 af->ipAddressChoice->u.addressesOrRanges = aors; 1132 1133 return aors; 1134 } 1135 1136 /* 1137 * Add a prefix. 1138 */ 1139 int 1140 X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi, 1141 const unsigned *safi, unsigned char *a, const int prefix_len) 1142 { 1143 IPAddressOrRanges *aors; 1144 IPAddressOrRange *aor; 1145 1146 if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL) 1147 return 0; 1148 1149 if (!make_addressPrefix(&aor, a, afi, prefix_len)) 1150 return 0; 1151 1152 if (sk_IPAddressOrRange_push(aors, aor) <= 0) { 1153 IPAddressOrRange_free(aor); 1154 return 0; 1155 } 1156 1157 return 1; 1158 } 1159 1160 /* 1161 * Add a range. 1162 */ 1163 int 1164 X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, 1165 const unsigned *safi, unsigned char *min, unsigned char *max) 1166 { 1167 IPAddressOrRanges *aors; 1168 IPAddressOrRange *aor; 1169 int length; 1170 1171 if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL) 1172 return 0; 1173 1174 length = length_from_afi(afi); 1175 1176 if (!make_addressRange(&aor, min, max, afi, length)) 1177 return 0; 1178 1179 if (sk_IPAddressOrRange_push(aors, aor) <= 0) { 1180 IPAddressOrRange_free(aor); 1181 return 0; 1182 } 1183 1184 return 1; 1185 } 1186 1187 static int 1188 extract_min_max_bitstr(IPAddressOrRange *aor, ASN1_BIT_STRING **out_min, 1189 ASN1_BIT_STRING **out_max) 1190 { 1191 switch (aor->type) { 1192 case IPAddressOrRange_addressPrefix: 1193 *out_min = *out_max = aor->u.addressPrefix; 1194 return 1; 1195 case IPAddressOrRange_addressRange: 1196 *out_min = aor->u.addressRange->min; 1197 *out_max = aor->u.addressRange->max; 1198 return 1; 1199 default: 1200 return 0; 1201 } 1202 } 1203 1204 /* 1205 * Extract min and max values from an IPAddressOrRange. 1206 */ 1207 static int 1208 extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max, 1209 int length) 1210 { 1211 ASN1_BIT_STRING *min_bitstr, *max_bitstr; 1212 1213 if (aor == NULL || min == NULL || max == NULL) 1214 return 0; 1215 1216 if (!extract_min_max_bitstr(aor, &min_bitstr, &max_bitstr)) 1217 return 0; 1218 1219 if (!addr_expand(min, min_bitstr, length, 0)) 1220 return 0; 1221 1222 return addr_expand(max, max_bitstr, length, 1); 1223 } 1224 1225 /* 1226 * Public wrapper for extract_min_max(). 1227 */ 1228 int 1229 X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, 1230 unsigned char *min, unsigned char *max, const int length) 1231 { 1232 int afi_len; 1233 1234 if ((afi_len = length_from_afi(afi)) == 0) 1235 return 0; 1236 1237 if (length < afi_len) 1238 return 0; 1239 1240 if (!extract_min_max(aor, min, max, afi_len)) 1241 return 0; 1242 1243 return afi_len; 1244 } 1245 1246 /* 1247 * Check whether an IPAddrBLocks is in canonical form. 1248 */ 1249 int 1250 X509v3_addr_is_canonical(IPAddrBlocks *addr) 1251 { 1252 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1253 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1254 IPAddressFamily *af; 1255 IPAddressOrRanges *aors; 1256 IPAddressOrRange *aor, *aor_a, *aor_b; 1257 int i, j, k, length; 1258 1259 /* 1260 * Empty extension is canonical. 1261 */ 1262 if (addr == NULL) 1263 return 1; 1264 1265 /* 1266 * Check whether the top-level list is in order. 1267 */ 1268 for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { 1269 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); 1270 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); 1271 1272 /* Check that both have valid AFIs before comparing them. */ 1273 if (!IPAddressFamily_afi_is_valid(a)) 1274 return 0; 1275 if (!IPAddressFamily_afi_is_valid(b)) 1276 return 0; 1277 1278 if (IPAddressFamily_cmp(&a, &b) >= 0) 1279 return 0; 1280 } 1281 1282 /* 1283 * Top level's ok, now check each address family. 1284 */ 1285 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1286 af = sk_IPAddressFamily_value(addr, i); 1287 1288 if (!IPAddressFamily_afi_length(af, &length)) 1289 return 0; 1290 1291 /* 1292 * If this family has an inheritance element, it is canonical. 1293 */ 1294 if (IPAddressFamily_inheritance(af) != NULL) 1295 continue; 1296 1297 /* 1298 * If this family has neither an inheritance element nor an 1299 * addressesOrRanges, we don't know what this is. 1300 */ 1301 if ((aors = IPAddressFamily_addressesOrRanges(af)) == NULL) 1302 return 0; 1303 1304 if (sk_IPAddressOrRange_num(aors) == 0) 1305 return 0; 1306 1307 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { 1308 aor_a = sk_IPAddressOrRange_value(aors, j); 1309 aor_b = sk_IPAddressOrRange_value(aors, j + 1); 1310 1311 if (!extract_min_max(aor_a, a_min, a_max, length) || 1312 !extract_min_max(aor_b, b_min, b_max, length)) 1313 return 0; 1314 1315 /* 1316 * Punt misordered list, overlapping start, or inverted 1317 * range. 1318 */ 1319 if (memcmp(a_min, b_min, length) >= 0 || 1320 memcmp(a_min, a_max, length) > 0 || 1321 memcmp(b_min, b_max, length) > 0) 1322 return 0; 1323 1324 /* 1325 * Punt if adjacent or overlapping. Check for adjacency 1326 * by subtracting one from b_min first. 1327 */ 1328 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) 1329 continue; 1330 if (memcmp(a_max, b_min, length) >= 0) 1331 return 0; 1332 1333 /* 1334 * Check for range that should be expressed as a prefix. 1335 */ 1336 if (aor_a->type == IPAddressOrRange_addressPrefix) 1337 continue; 1338 1339 if (range_should_be_prefix(a_min, a_max, length) >= 0) 1340 return 0; 1341 } 1342 1343 /* 1344 * Check final range to see if it's inverted or should be a 1345 * prefix. 1346 */ 1347 aor = sk_IPAddressOrRange_value(aors, j); 1348 if (aor->type == IPAddressOrRange_addressRange) { 1349 if (!extract_min_max(aor, a_min, a_max, length)) 1350 return 0; 1351 if (memcmp(a_min, a_max, length) > 0) 1352 return 0; 1353 if (range_should_be_prefix(a_min, a_max, length) >= 0) 1354 return 0; 1355 } 1356 } 1357 1358 /* 1359 * If we made it through all that, we're happy. 1360 */ 1361 return 1; 1362 } 1363 1364 /* 1365 * Whack an IPAddressOrRanges into canonical form. 1366 */ 1367 static int 1368 IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi) 1369 { 1370 IPAddressOrRange *a, *b, *merged; 1371 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 1372 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 1373 int i, j, length; 1374 1375 length = length_from_afi(afi); 1376 1377 /* 1378 * Sort the IPAddressOrRanges sequence. 1379 */ 1380 sk_IPAddressOrRange_sort(aors); 1381 1382 /* 1383 * Clean up representation issues, punt on duplicates or overlaps. 1384 */ 1385 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { 1386 a = sk_IPAddressOrRange_value(aors, i); 1387 b = sk_IPAddressOrRange_value(aors, i + 1); 1388 1389 if (!extract_min_max(a, a_min, a_max, length) || 1390 !extract_min_max(b, b_min, b_max, length)) 1391 return 0; 1392 1393 /* 1394 * Punt inverted ranges. 1395 */ 1396 if (memcmp(a_min, a_max, length) > 0 || 1397 memcmp(b_min, b_max, length) > 0) 1398 return 0; 1399 1400 /* 1401 * Punt overlaps. 1402 */ 1403 if (memcmp(a_max, b_min, length) >= 0) 1404 return 0; 1405 1406 /* 1407 * Merge if a and b are adjacent. We check for 1408 * adjacency by subtracting one from b_min first. 1409 */ 1410 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) 1411 continue; 1412 1413 if (memcmp(a_max, b_min, length) != 0) 1414 continue; 1415 1416 if (!make_addressRange(&merged, a_min, b_max, afi, length)) 1417 return 0; 1418 sk_IPAddressOrRange_set(aors, i, merged); 1419 (void)sk_IPAddressOrRange_delete(aors, i + 1); 1420 IPAddressOrRange_free(a); 1421 IPAddressOrRange_free(b); 1422 i--; 1423 } 1424 1425 /* 1426 * Check for inverted final range. 1427 */ 1428 a = sk_IPAddressOrRange_value(aors, i); 1429 if (a != NULL && a->type == IPAddressOrRange_addressRange) { 1430 if (!extract_min_max(a, a_min, a_max, length)) 1431 return 0; 1432 if (memcmp(a_min, a_max, length) > 0) 1433 return 0; 1434 } 1435 1436 return 1; 1437 } 1438 1439 /* 1440 * Whack an IPAddrBlocks extension into canonical form. 1441 */ 1442 int 1443 X509v3_addr_canonize(IPAddrBlocks *addr) 1444 { 1445 IPAddressFamily *af; 1446 IPAddressOrRanges *aors; 1447 uint16_t afi; 1448 int i; 1449 1450 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1451 af = sk_IPAddressFamily_value(addr, i); 1452 1453 /* Check AFI/SAFI here - IPAddressFamily_cmp() can't error. */ 1454 if (!IPAddressFamily_afi(af, &afi)) 1455 return 0; 1456 1457 if ((aors = IPAddressFamily_addressesOrRanges(af)) == NULL) 1458 continue; 1459 1460 if (!IPAddressOrRanges_canonize(aors, afi)) 1461 return 0; 1462 } 1463 1464 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 1465 sk_IPAddressFamily_sort(addr); 1466 1467 return X509v3_addr_is_canonical(addr); 1468 } 1469 1470 /* 1471 * v2i handler for the IPAddrBlocks extension. 1472 */ 1473 static void * 1474 v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx, 1475 STACK_OF(CONF_VALUE)*values) 1476 { 1477 static const char v4addr_chars[] = "0123456789."; 1478 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; 1479 IPAddrBlocks *addr = NULL; 1480 char *s = NULL, *t; 1481 int i; 1482 1483 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { 1484 X509V3error(ERR_R_MALLOC_FAILURE); 1485 return NULL; 1486 } 1487 1488 for (i = 0; i < sk_CONF_VALUE_num(values); i++) { 1489 CONF_VALUE *val = sk_CONF_VALUE_value(values, i); 1490 unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; 1491 unsigned afi, *safi = NULL, safi_; 1492 const char *addr_chars = NULL; 1493 const char *errstr; 1494 int prefix_len, i1, i2, delim, length; 1495 1496 if (!name_cmp(val->name, "IPv4")) { 1497 afi = IANA_AFI_IPV4; 1498 } else if (!name_cmp(val->name, "IPv6")) { 1499 afi = IANA_AFI_IPV6; 1500 } else if (!name_cmp(val->name, "IPv4-SAFI")) { 1501 afi = IANA_AFI_IPV4; 1502 safi = &safi_; 1503 } else if (!name_cmp(val->name, "IPv6-SAFI")) { 1504 afi = IANA_AFI_IPV6; 1505 safi = &safi_; 1506 } else { 1507 X509V3error(X509V3_R_EXTENSION_NAME_ERROR); 1508 X509V3_conf_err(val); 1509 goto err; 1510 } 1511 1512 switch (afi) { 1513 case IANA_AFI_IPV4: 1514 addr_chars = v4addr_chars; 1515 break; 1516 case IANA_AFI_IPV6: 1517 addr_chars = v6addr_chars; 1518 break; 1519 } 1520 1521 length = length_from_afi(afi); 1522 1523 /* 1524 * Handle SAFI, if any, and strdup() so we can null-terminate 1525 * the other input values. 1526 */ 1527 if (safi != NULL) { 1528 unsigned long parsed_safi; 1529 int saved_errno = errno; 1530 1531 errno = 0; 1532 parsed_safi = strtoul(val->value, &t, 0); 1533 1534 /* Value must be present, then a tab, space or colon. */ 1535 if (val->value[0] == '\0' || 1536 (*t != '\t' && *t != ' ' && *t != ':')) { 1537 X509V3error(X509V3_R_INVALID_SAFI); 1538 X509V3_conf_err(val); 1539 goto err; 1540 } 1541 /* Range and overflow check. */ 1542 if ((errno == ERANGE && parsed_safi == ULONG_MAX) || 1543 parsed_safi > 0xff) { 1544 X509V3error(X509V3_R_INVALID_SAFI); 1545 X509V3_conf_err(val); 1546 goto err; 1547 } 1548 errno = saved_errno; 1549 1550 *safi = parsed_safi; 1551 1552 /* Check possible whitespace is followed by a colon. */ 1553 t += strspn(t, " \t"); 1554 if (*t != ':') { 1555 X509V3error(X509V3_R_INVALID_SAFI); 1556 X509V3_conf_err(val); 1557 goto err; 1558 } 1559 1560 /* Skip over colon. */ 1561 t++; 1562 1563 /* Then over any trailing whitespace. */ 1564 t += strspn(t, " \t"); 1565 1566 s = strdup(t); 1567 } else { 1568 s = strdup(val->value); 1569 } 1570 if (s == NULL) { 1571 X509V3error(ERR_R_MALLOC_FAILURE); 1572 goto err; 1573 } 1574 1575 /* 1576 * Check for inheritance. Not worth additional complexity to 1577 * optimize this (seldom-used) case. 1578 */ 1579 if (strcmp(s, "inherit") == 0) { 1580 if (!X509v3_addr_add_inherit(addr, afi, safi)) { 1581 X509V3error(X509V3_R_INVALID_INHERITANCE); 1582 X509V3_conf_err(val); 1583 goto err; 1584 } 1585 free(s); 1586 s = NULL; 1587 continue; 1588 } 1589 1590 i1 = strspn(s, addr_chars); 1591 i2 = i1 + strspn(s + i1, " \t"); 1592 delim = s[i2++]; 1593 s[i1] = '\0'; 1594 1595 if (a2i_ipadd(min, s) != length) { 1596 X509V3error(X509V3_R_INVALID_IPADDRESS); 1597 X509V3_conf_err(val); 1598 goto err; 1599 } 1600 1601 switch (delim) { 1602 case '/': 1603 /* length contains the size of the address in bytes. */ 1604 if (length != 4 && length != 16) 1605 goto err; 1606 prefix_len = strtonum(s + i2, 0, 8 * length, &errstr); 1607 if (errstr != NULL) { 1608 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1609 X509V3_conf_err(val); 1610 goto err; 1611 } 1612 if (!X509v3_addr_add_prefix(addr, afi, safi, min, 1613 prefix_len)) { 1614 X509V3error(ERR_R_MALLOC_FAILURE); 1615 goto err; 1616 } 1617 break; 1618 case '-': 1619 i1 = i2 + strspn(s + i2, " \t"); 1620 i2 = i1 + strspn(s + i1, addr_chars); 1621 if (i1 == i2 || s[i2] != '\0') { 1622 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1623 X509V3_conf_err(val); 1624 goto err; 1625 } 1626 if (a2i_ipadd(max, s + i1) != length) { 1627 X509V3error(X509V3_R_INVALID_IPADDRESS); 1628 X509V3_conf_err(val); 1629 goto err; 1630 } 1631 if (memcmp(min, max, length_from_afi(afi)) > 0) { 1632 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1633 X509V3_conf_err(val); 1634 goto err; 1635 } 1636 if (!X509v3_addr_add_range(addr, afi, safi, min, max)) { 1637 X509V3error(ERR_R_MALLOC_FAILURE); 1638 goto err; 1639 } 1640 break; 1641 case '\0': 1642 if (!X509v3_addr_add_prefix(addr, afi, safi, min, 1643 length * 8)) { 1644 X509V3error(ERR_R_MALLOC_FAILURE); 1645 goto err; 1646 } 1647 break; 1648 default: 1649 X509V3error(X509V3_R_EXTENSION_VALUE_ERROR); 1650 X509V3_conf_err(val); 1651 goto err; 1652 } 1653 1654 free(s); 1655 s = NULL; 1656 } 1657 1658 /* 1659 * Canonize the result, then we're done. 1660 */ 1661 if (!X509v3_addr_canonize(addr)) 1662 goto err; 1663 return addr; 1664 1665 err: 1666 free(s); 1667 sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); 1668 return NULL; 1669 } 1670 1671 /* 1672 * OpenSSL dispatch 1673 */ 1674 const X509V3_EXT_METHOD v3_addr = { 1675 .ext_nid = NID_sbgp_ipAddrBlock, 1676 .ext_flags = 0, 1677 .it = &IPAddrBlocks_it, 1678 .ext_new = NULL, 1679 .ext_free = NULL, 1680 .d2i = NULL, 1681 .i2d = NULL, 1682 .i2s = NULL, 1683 .s2i = NULL, 1684 .i2v = NULL, 1685 .v2i = v2i_IPAddrBlocks, 1686 .i2r = i2r_IPAddrBlocks, 1687 .r2i = NULL, 1688 .usr_data = NULL, 1689 }; 1690 1691 /* 1692 * Figure out whether extension uses inheritance. 1693 */ 1694 int 1695 X509v3_addr_inherits(IPAddrBlocks *addr) 1696 { 1697 IPAddressFamily *af; 1698 int i; 1699 1700 if (addr == NULL) 1701 return 0; 1702 1703 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { 1704 af = sk_IPAddressFamily_value(addr, i); 1705 1706 if (IPAddressFamily_inheritance(af) != NULL) 1707 return 1; 1708 } 1709 1710 return 0; 1711 } 1712 1713 /* 1714 * Figure out whether parent contains child. 1715 * 1716 * This only works correctly if both parent and child are in canonical form. 1717 */ 1718 static int 1719 addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length) 1720 { 1721 IPAddressOrRange *child_aor, *parent_aor; 1722 uint8_t parent_min[ADDR_RAW_BUF_LEN], parent_max[ADDR_RAW_BUF_LEN]; 1723 uint8_t child_min[ADDR_RAW_BUF_LEN], child_max[ADDR_RAW_BUF_LEN]; 1724 int p, c; 1725 1726 if (child == NULL || parent == child) 1727 return 1; 1728 if (parent == NULL) 1729 return 0; 1730 1731 p = 0; 1732 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1733 child_aor = sk_IPAddressOrRange_value(child, c); 1734 1735 if (!extract_min_max(child_aor, child_min, child_max, length)) 1736 return 0; 1737 1738 for (;; p++) { 1739 if (p >= sk_IPAddressOrRange_num(parent)) 1740 return 0; 1741 1742 parent_aor = sk_IPAddressOrRange_value(parent, p); 1743 1744 if (!extract_min_max(parent_aor, parent_min, parent_max, 1745 length)) 1746 return 0; 1747 1748 if (memcmp(parent_max, child_max, length) < 0) 1749 continue; 1750 if (memcmp(parent_min, child_min, length) > 0) 1751 return 0; 1752 break; 1753 } 1754 } 1755 1756 return 1; 1757 } 1758 1759 /* 1760 * Test whether |child| is a subset of |parent|. 1761 */ 1762 int 1763 X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent) 1764 { 1765 IPAddressFamily *child_af, *parent_af; 1766 IPAddressOrRanges *child_aor, *parent_aor; 1767 int i, length; 1768 1769 if (child == NULL || child == parent) 1770 return 1; 1771 if (parent == NULL) 1772 return 0; 1773 1774 if (X509v3_addr_inherits(child) || X509v3_addr_inherits(parent)) 1775 return 0; 1776 1777 for (i = 0; i < sk_IPAddressFamily_num(child); i++) { 1778 child_af = sk_IPAddressFamily_value(child, i); 1779 1780 parent_af = IPAddressFamily_find_in_parent(parent, child_af); 1781 if (parent_af == NULL) 1782 return 0; 1783 1784 if (!IPAddressFamily_afi_length(parent_af, &length)) 1785 return 0; 1786 1787 child_aor = IPAddressFamily_addressesOrRanges(child_af); 1788 parent_aor = IPAddressFamily_addressesOrRanges(parent_af); 1789 1790 if (!addr_contains(parent_aor, child_aor, length)) 1791 return 0; 1792 } 1793 return 1; 1794 } 1795 1796 static int 1797 verify_error(X509_STORE_CTX *ctx, X509 *cert, int error, int depth) 1798 { 1799 if (ctx == NULL) 1800 return 0; 1801 1802 ctx->current_cert = cert; 1803 ctx->error = error; 1804 ctx->error_depth = depth; 1805 1806 return ctx->verify_cb(0, ctx); 1807 } 1808 1809 /* 1810 * Core code for RFC 3779 2.3 path validation. 1811 * 1812 * Returns 1 for success, 0 on error. 1813 * 1814 * When returning 0, ctx->error MUST be set to an appropriate value other than 1815 * X509_V_OK. 1816 */ 1817 static int 1818 addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, 1819 IPAddrBlocks *ext) 1820 { 1821 IPAddrBlocks *child = NULL, *parent = NULL; 1822 IPAddressFamily *child_af, *parent_af; 1823 IPAddressOrRanges *child_aor, *parent_aor; 1824 X509 *cert = NULL; 1825 int depth = -1; 1826 int i; 1827 unsigned int length; 1828 int ret = 1; 1829 1830 /* We need a non-empty chain to test against. */ 1831 if (sk_X509_num(chain) <= 0) 1832 goto err; 1833 /* We need either a store ctx or an extension to work with. */ 1834 if (ctx == NULL && ext == NULL) 1835 goto err; 1836 /* If there is a store ctx, it needs a verify_cb. */ 1837 if (ctx != NULL && ctx->verify_cb == NULL) 1838 goto err; 1839 1840 /* 1841 * Figure out where to start. If we don't have an extension to check, 1842 * (either extracted from the leaf or passed by the caller), we're done. 1843 * Otherwise, check canonical form and set up for walking up the chain. 1844 */ 1845 if (ext == NULL) { 1846 depth = 0; 1847 cert = sk_X509_value(chain, depth); 1848 if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) 1849 goto done; 1850 if ((ext = cert->rfc3779_addr) == NULL) 1851 goto done; 1852 } else if (!X509v3_addr_is_canonical(ext)) { 1853 if ((ret = verify_error(ctx, cert, 1854 X509_V_ERR_INVALID_EXTENSION, depth)) == 0) 1855 goto done; 1856 } 1857 1858 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1859 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1860 X509V3error(ERR_R_MALLOC_FAILURE); 1861 if (ctx != NULL) 1862 ctx->error = X509_V_ERR_OUT_OF_MEM; 1863 ret = 0; 1864 goto done; 1865 } 1866 1867 /* 1868 * Now walk up the chain. No cert may list resources that its parent 1869 * doesn't list. 1870 */ 1871 for (depth++; depth < sk_X509_num(chain); depth++) { 1872 cert = sk_X509_value(chain, depth); 1873 1874 if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) { 1875 if ((ret = verify_error(ctx, cert, 1876 X509_V_ERR_INVALID_EXTENSION, depth)) == 0) 1877 goto done; 1878 } 1879 1880 if ((parent = cert->rfc3779_addr) == NULL) { 1881 for (i = 0; i < sk_IPAddressFamily_num(child); i++) { 1882 child_af = sk_IPAddressFamily_value(child, i); 1883 1884 if (IPAddressFamily_inheritance(child_af) != 1885 NULL) 1886 continue; 1887 1888 if ((ret = verify_error(ctx, cert, 1889 X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0) 1890 goto done; 1891 break; 1892 } 1893 continue; 1894 } 1895 1896 /* 1897 * Check that the child's resources are covered by the parent. 1898 * Each covered resource is replaced with the parent's resource 1899 * covering it, so the next iteration will check that the 1900 * parent's resources are covered by the grandparent. 1901 */ 1902 for (i = 0; i < sk_IPAddressFamily_num(child); i++) { 1903 child_af = sk_IPAddressFamily_value(child, i); 1904 1905 if ((parent_af = IPAddressFamily_find_in_parent(parent, 1906 child_af)) == NULL) { 1907 /* 1908 * If we have no match in the parent and the 1909 * child inherits, that's fine. 1910 */ 1911 if (IPAddressFamily_inheritance(child_af) != 1912 NULL) 1913 continue; 1914 1915 /* Otherwise the child isn't covered. */ 1916 if ((ret = verify_error(ctx, cert, 1917 X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0) 1918 goto done; 1919 break; 1920 } 1921 1922 /* Parent inherits, nothing to do. */ 1923 if (IPAddressFamily_inheritance(parent_af) != NULL) 1924 continue; 1925 1926 /* Child inherits. Use parent's address family. */ 1927 if (IPAddressFamily_inheritance(child_af) != NULL) { 1928 sk_IPAddressFamily_set(child, i, parent_af); 1929 continue; 1930 } 1931 1932 child_aor = IPAddressFamily_addressesOrRanges(child_af); 1933 parent_aor = 1934 IPAddressFamily_addressesOrRanges(parent_af); 1935 1936 /* 1937 * Child and parent are canonical and neither inherits. 1938 * If either addressesOrRanges is NULL, something's 1939 * very wrong. 1940 */ 1941 if (child_aor == NULL || parent_aor == NULL) 1942 goto err; 1943 1944 if (!IPAddressFamily_afi_length(child_af, &length)) 1945 goto err; 1946 1947 /* Now check containment and replace or error. */ 1948 if (addr_contains(parent_aor, child_aor, length)) { 1949 sk_IPAddressFamily_set(child, i, parent_af); 1950 continue; 1951 } 1952 1953 if ((ret = verify_error(ctx, cert, 1954 X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0) 1955 goto done; 1956 } 1957 } 1958 1959 /* 1960 * Trust anchor can't inherit. 1961 */ 1962 if ((parent = cert->rfc3779_addr) != NULL) { 1963 for (i = 0; i < sk_IPAddressFamily_num(parent); i++) { 1964 parent_af = sk_IPAddressFamily_value(parent, i); 1965 1966 if (IPAddressFamily_inheritance(parent_af) == NULL) 1967 continue; 1968 1969 if ((ret = verify_error(ctx, cert, 1970 X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0) 1971 goto done; 1972 } 1973 } 1974 1975 done: 1976 sk_IPAddressFamily_free(child); 1977 return ret; 1978 1979 err: 1980 sk_IPAddressFamily_free(child); 1981 1982 if (ctx != NULL) 1983 ctx->error = X509_V_ERR_UNSPECIFIED; 1984 1985 return 0; 1986 } 1987 1988 /* 1989 * RFC 3779 2.3 path validation -- called from X509_verify_cert(). 1990 */ 1991 int 1992 X509v3_addr_validate_path(X509_STORE_CTX *ctx) 1993 { 1994 if (sk_X509_num(ctx->chain) <= 0 || ctx->verify_cb == NULL) { 1995 ctx->error = X509_V_ERR_UNSPECIFIED; 1996 return 0; 1997 } 1998 return addr_validate_path_internal(ctx, ctx->chain, NULL); 1999 } 2000 2001 /* 2002 * RFC 3779 2.3 path validation of an extension. 2003 * Test whether chain covers extension. 2004 */ 2005 int 2006 X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext, 2007 int allow_inheritance) 2008 { 2009 if (ext == NULL) 2010 return 1; 2011 if (sk_X509_num(chain) <= 0) 2012 return 0; 2013 if (!allow_inheritance && X509v3_addr_inherits(ext)) 2014 return 0; 2015 return addr_validate_path_internal(NULL, chain, ext); 2016 } 2017 2018 #endif /* OPENSSL_NO_RFC3779 */ 2019