OpenSSL  1.0.1c
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Macros
v3_addr.c
Go to the documentation of this file.
1 /*
2  * Contributed to the OpenSSL Project by the American Registry for
3  * Internet Numbers ("ARIN").
4  */
5 /* ====================================================================
6  * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  * notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  * notice, this list of conditions and the following disclaimer in
17  * the documentation and/or other materials provided with the
18  * distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  * software must display the following acknowledgment:
22  * "This product includes software developed by the OpenSSL Project
23  * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  * endorse or promote products derived from this software without
27  * prior written permission. For written permission, please contact
28  * [email protected].
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  * nor may "OpenSSL" appear in their names without prior written
32  * permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  * acknowledgment:
36  * "This product includes software developed by the OpenSSL Project
37  * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * ([email protected]). This product includes software written by Tim
55  * Hudson ([email protected]).
56  */
57 
58 /*
59  * Implementation of RFC 3779 section 2.2.
60  */
61 
62 #include <stdio.h>
63 #include <stdlib.h>
64 
65 #include "cryptlib.h"
66 #include <openssl/conf.h>
67 #include <openssl/asn1.h>
68 #include <openssl/asn1t.h>
69 #include <openssl/buffer.h>
70 #include <openssl/x509v3.h>
71 
72 #ifndef OPENSSL_NO_RFC3779
73 
74 /*
75  * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
76  */
77 
78 ASN1_SEQUENCE(IPAddressRange) = {
79  ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
80  ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
81 } ASN1_SEQUENCE_END(IPAddressRange)
82 
83 ASN1_CHOICE(IPAddressOrRange) = {
84  ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
85  ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
86 } ASN1_CHOICE_END(IPAddressOrRange)
87 
88 ASN1_CHOICE(IPAddressChoice) = {
89  ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
90  ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
91 } ASN1_CHOICE_END(IPAddressChoice)
92 
93 ASN1_SEQUENCE(IPAddressFamily) = {
94  ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
95  ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
96 } ASN1_SEQUENCE_END(IPAddressFamily)
97 
98 ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
99  ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
100  IPAddrBlocks, IPAddressFamily)
101 ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)
102 
103 IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
104 IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
105 IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
106 IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
107 
108 /*
109  * How much buffer space do we need for a raw address?
110  */
111 #define ADDR_RAW_BUF_LEN 16
112 
113 /*
114  * What's the address length associated with this AFI?
115  */
116 static int length_from_afi(const unsigned afi)
117 {
118  switch (afi) {
119  case IANA_AFI_IPV4:
120  return 4;
121  case IANA_AFI_IPV6:
122  return 16;
123  default:
124  return 0;
125  }
126 }
127 
128 /*
129  * Extract the AFI from an IPAddressFamily.
130  */
131 unsigned int v3_addr_get_afi(const IPAddressFamily *f)
132 {
133  return ((f != NULL &&
134  f->addressFamily != NULL &&
135  f->addressFamily->data != NULL)
136  ? ((f->addressFamily->data[0] << 8) |
137  (f->addressFamily->data[1]))
138  : 0);
139 }
140 
141 /*
142  * Expand the bitstring form of an address into a raw byte array.
143  * At the moment this is coded for simplicity, not speed.
144  */
145 static int addr_expand(unsigned char *addr,
146  const ASN1_BIT_STRING *bs,
147  const int length,
148  const unsigned char fill)
149 {
150  if (bs->length < 0 || bs->length > length)
151  return 0;
152  if (bs->length > 0) {
153  memcpy(addr, bs->data, bs->length);
154  if ((bs->flags & 7) != 0) {
155  unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
156  if (fill == 0)
157  addr[bs->length - 1] &= ~mask;
158  else
159  addr[bs->length - 1] |= mask;
160  }
161  }
162  memset(addr + bs->length, fill, length - bs->length);
163  return 1;
164 }
165 
166 /*
167  * Extract the prefix length from a bitstring.
168  */
169 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
170 
171 /*
172  * i2r handler for one address bitstring.
173  */
174 static int i2r_address(BIO *out,
175  const unsigned afi,
176  const unsigned char fill,
177  const ASN1_BIT_STRING *bs)
178 {
179  unsigned char addr[ADDR_RAW_BUF_LEN];
180  int i, n;
181 
182  if (bs->length < 0)
183  return 0;
184  switch (afi) {
185  case IANA_AFI_IPV4:
186  if (!addr_expand(addr, bs, 4, fill))
187  return 0;
188  BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
189  break;
190  case IANA_AFI_IPV6:
191  if (!addr_expand(addr, bs, 16, fill))
192  return 0;
193  for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
194  ;
195  for (i = 0; i < n; i += 2)
196  BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : ""));
197  if (i < 16)
198  BIO_puts(out, ":");
199  if (i == 0)
200  BIO_puts(out, ":");
201  break;
202  default:
203  for (i = 0; i < bs->length; i++)
204  BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]);
205  BIO_printf(out, "[%d]", (int) (bs->flags & 7));
206  break;
207  }
208  return 1;
209 }
210 
211 /*
212  * i2r handler for a sequence of addresses and ranges.
213  */
214 static int i2r_IPAddressOrRanges(BIO *out,
215  const int indent,
216  const IPAddressOrRanges *aors,
217  const unsigned afi)
218 {
219  int i;
220  for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) {
221  const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i);
222  BIO_printf(out, "%*s", indent, "");
223  switch (aor->type) {
224  case IPAddressOrRange_addressPrefix:
225  if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix))
226  return 0;
227  BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix));
228  continue;
229  case IPAddressOrRange_addressRange:
230  if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min))
231  return 0;
232  BIO_puts(out, "-");
233  if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max))
234  return 0;
235  BIO_puts(out, "\n");
236  continue;
237  }
238  }
239  return 1;
240 }
241 
242 /*
243  * i2r handler for an IPAddrBlocks extension.
244  */
245 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
246  void *ext,
247  BIO *out,
248  int indent)
249 {
250  const IPAddrBlocks *addr = ext;
251  int i;
252  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
253  IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
254  const unsigned int afi = v3_addr_get_afi(f);
255  switch (afi) {
256  case IANA_AFI_IPV4:
257  BIO_printf(out, "%*sIPv4", indent, "");
258  break;
259  case IANA_AFI_IPV6:
260  BIO_printf(out, "%*sIPv6", indent, "");
261  break;
262  default:
263  BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
264  break;
265  }
266  if (f->addressFamily->length > 2) {
267  switch (f->addressFamily->data[2]) {
268  case 1:
269  BIO_puts(out, " (Unicast)");
270  break;
271  case 2:
272  BIO_puts(out, " (Multicast)");
273  break;
274  case 3:
275  BIO_puts(out, " (Unicast/Multicast)");
276  break;
277  case 4:
278  BIO_puts(out, " (MPLS)");
279  break;
280  case 64:
281  BIO_puts(out, " (Tunnel)");
282  break;
283  case 65:
284  BIO_puts(out, " (VPLS)");
285  break;
286  case 66:
287  BIO_puts(out, " (BGP MDT)");
288  break;
289  case 128:
290  BIO_puts(out, " (MPLS-labeled VPN)");
291  break;
292  default:
293  BIO_printf(out, " (Unknown SAFI %u)",
294  (unsigned) f->addressFamily->data[2]);
295  break;
296  }
297  }
298  switch (f->ipAddressChoice->type) {
299  case IPAddressChoice_inherit:
300  BIO_puts(out, ": inherit\n");
301  break;
302  case IPAddressChoice_addressesOrRanges:
303  BIO_puts(out, ":\n");
304  if (!i2r_IPAddressOrRanges(out,
305  indent + 2,
306  f->ipAddressChoice->u.addressesOrRanges,
307  afi))
308  return 0;
309  break;
310  }
311  }
312  return 1;
313 }
314 
315 /*
316  * Sort comparison function for a sequence of IPAddressOrRange
317  * elements.
318  *
319  * There's no sane answer we can give if addr_expand() fails, and an
320  * assertion failure on externally supplied data is seriously uncool,
321  * so we just arbitrarily declare that if given invalid inputs this
322  * function returns -1. If this messes up your preferred sort order
323  * for garbage input, tough noogies.
324  */
325 static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
326  const IPAddressOrRange *b,
327  const int length)
328 {
329  unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
330  int prefixlen_a = 0, prefixlen_b = 0;
331  int r;
332 
333  switch (a->type) {
334  case IPAddressOrRange_addressPrefix:
335  if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
336  return -1;
337  prefixlen_a = addr_prefixlen(a->u.addressPrefix);
338  break;
339  case IPAddressOrRange_addressRange:
340  if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
341  return -1;
342  prefixlen_a = length * 8;
343  break;
344  }
345 
346  switch (b->type) {
347  case IPAddressOrRange_addressPrefix:
348  if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
349  return -1;
350  prefixlen_b = addr_prefixlen(b->u.addressPrefix);
351  break;
352  case IPAddressOrRange_addressRange:
353  if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
354  return -1;
355  prefixlen_b = length * 8;
356  break;
357  }
358 
359  if ((r = memcmp(addr_a, addr_b, length)) != 0)
360  return r;
361  else
362  return prefixlen_a - prefixlen_b;
363 }
364 
365 /*
366  * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
367  * comparision routines are only allowed two arguments.
368  */
369 static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
370  const IPAddressOrRange * const *b)
371 {
372  return IPAddressOrRange_cmp(*a, *b, 4);
373 }
374 
375 /*
376  * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
377  * comparision routines are only allowed two arguments.
378  */
379 static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a,
380  const IPAddressOrRange * const *b)
381 {
382  return IPAddressOrRange_cmp(*a, *b, 16);
383 }
384 
385 /*
386  * Calculate whether a range collapses to a prefix.
387  * See last paragraph of RFC 3779 2.2.3.7.
388  */
389 static int range_should_be_prefix(const unsigned char *min,
390  const unsigned char *max,
391  const int length)
392 {
393  unsigned char mask;
394  int i, j;
395 
396  OPENSSL_assert(memcmp(min, max, length) <= 0);
397  for (i = 0; i < length && min[i] == max[i]; i++)
398  ;
399  for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
400  ;
401  if (i < j)
402  return -1;
403  if (i > j)
404  return i * 8;
405  mask = min[i] ^ max[i];
406  switch (mask) {
407  case 0x01: j = 7; break;
408  case 0x03: j = 6; break;
409  case 0x07: j = 5; break;
410  case 0x0F: j = 4; break;
411  case 0x1F: j = 3; break;
412  case 0x3F: j = 2; break;
413  case 0x7F: j = 1; break;
414  default: return -1;
415  }
416  if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
417  return -1;
418  else
419  return i * 8 + j;
420 }
421 
422 /*
423  * Construct a prefix.
424  */
425 static int make_addressPrefix(IPAddressOrRange **result,
426  unsigned char *addr,
427  const int prefixlen)
428 {
429  int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8;
430  IPAddressOrRange *aor = IPAddressOrRange_new();
431 
432  if (aor == NULL)
433  return 0;
434  aor->type = IPAddressOrRange_addressPrefix;
435  if (aor->u.addressPrefix == NULL &&
436  (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL)
437  goto err;
438  if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen))
439  goto err;
440  aor->u.addressPrefix->flags &= ~7;
441  aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT;
442  if (bitlen > 0) {
443  aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen);
444  aor->u.addressPrefix->flags |= 8 - bitlen;
445  }
446 
447  *result = aor;
448  return 1;
449 
450  err:
451  IPAddressOrRange_free(aor);
452  return 0;
453 }
454 
455 /*
456  * Construct a range. If it can be expressed as a prefix,
457  * return a prefix instead. Doing this here simplifies
458  * the rest of the code considerably.
459  */
460 static int make_addressRange(IPAddressOrRange **result,
461  unsigned char *min,
462  unsigned char *max,
463  const int length)
464 {
465  IPAddressOrRange *aor;
466  int i, prefixlen;
467 
468  if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0)
469  return make_addressPrefix(result, min, prefixlen);
470 
471  if ((aor = IPAddressOrRange_new()) == NULL)
472  return 0;
473  aor->type = IPAddressOrRange_addressRange;
474  OPENSSL_assert(aor->u.addressRange == NULL);
475  if ((aor->u.addressRange = IPAddressRange_new()) == NULL)
476  goto err;
477  if (aor->u.addressRange->min == NULL &&
478  (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL)
479  goto err;
480  if (aor->u.addressRange->max == NULL &&
481  (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL)
482  goto err;
483 
484  for (i = length; i > 0 && min[i - 1] == 0x00; --i)
485  ;
486  if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
487  goto err;
488  aor->u.addressRange->min->flags &= ~7;
489  aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
490  if (i > 0) {
491  unsigned char b = min[i - 1];
492  int j = 1;
493  while ((b & (0xFFU >> j)) != 0)
494  ++j;
495  aor->u.addressRange->min->flags |= 8 - j;
496  }
497 
498  for (i = length; i > 0 && max[i - 1] == 0xFF; --i)
499  ;
500  if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
501  goto err;
502  aor->u.addressRange->max->flags &= ~7;
503  aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
504  if (i > 0) {
505  unsigned char b = max[i - 1];
506  int j = 1;
507  while ((b & (0xFFU >> j)) != (0xFFU >> j))
508  ++j;
509  aor->u.addressRange->max->flags |= 8 - j;
510  }
511 
512  *result = aor;
513  return 1;
514 
515  err:
516  IPAddressOrRange_free(aor);
517  return 0;
518 }
519 
520 /*
521  * Construct a new address family or find an existing one.
522  */
523 static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
524  const unsigned afi,
525  const unsigned *safi)
526 {
527  IPAddressFamily *f;
528  unsigned char key[3];
529  unsigned keylen;
530  int i;
531 
532  key[0] = (afi >> 8) & 0xFF;
533  key[1] = afi & 0xFF;
534  if (safi != NULL) {
535  key[2] = *safi & 0xFF;
536  keylen = 3;
537  } else {
538  keylen = 2;
539  }
540 
541  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
542  f = sk_IPAddressFamily_value(addr, i);
543  OPENSSL_assert(f->addressFamily->data != NULL);
544  if (f->addressFamily->length == keylen &&
545  !memcmp(f->addressFamily->data, key, keylen))
546  return f;
547  }
548 
549  if ((f = IPAddressFamily_new()) == NULL)
550  goto err;
551  if (f->ipAddressChoice == NULL &&
552  (f->ipAddressChoice = IPAddressChoice_new()) == NULL)
553  goto err;
554  if (f->addressFamily == NULL &&
555  (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL)
556  goto err;
557  if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen))
558  goto err;
559  if (!sk_IPAddressFamily_push(addr, f))
560  goto err;
561 
562  return f;
563 
564  err:
565  IPAddressFamily_free(f);
566  return NULL;
567 }
568 
569 /*
570  * Add an inheritance element.
571  */
572 int v3_addr_add_inherit(IPAddrBlocks *addr,
573  const unsigned afi,
574  const unsigned *safi)
575 {
576  IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
577  if (f == NULL ||
578  f->ipAddressChoice == NULL ||
579  (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
580  f->ipAddressChoice->u.addressesOrRanges != NULL))
581  return 0;
582  if (f->ipAddressChoice->type == IPAddressChoice_inherit &&
583  f->ipAddressChoice->u.inherit != NULL)
584  return 1;
585  if (f->ipAddressChoice->u.inherit == NULL &&
586  (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL)
587  return 0;
588  f->ipAddressChoice->type = IPAddressChoice_inherit;
589  return 1;
590 }
591 
592 /*
593  * Construct an IPAddressOrRange sequence, or return an existing one.
594  */
595 static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
596  const unsigned afi,
597  const unsigned *safi)
598 {
599  IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi);
600  IPAddressOrRanges *aors = NULL;
601 
602  if (f == NULL ||
603  f->ipAddressChoice == NULL ||
604  (f->ipAddressChoice->type == IPAddressChoice_inherit &&
605  f->ipAddressChoice->u.inherit != NULL))
606  return NULL;
607  if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges)
608  aors = f->ipAddressChoice->u.addressesOrRanges;
609  if (aors != NULL)
610  return aors;
611  if ((aors = sk_IPAddressOrRange_new_null()) == NULL)
612  return NULL;
613  switch (afi) {
614  case IANA_AFI_IPV4:
615  (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
616  break;
617  case IANA_AFI_IPV6:
618  (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
619  break;
620  }
621  f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
622  f->ipAddressChoice->u.addressesOrRanges = aors;
623  return aors;
624 }
625 
626 /*
627  * Add a prefix.
628  */
629 int v3_addr_add_prefix(IPAddrBlocks *addr,
630  const unsigned afi,
631  const unsigned *safi,
632  unsigned char *a,
633  const int prefixlen)
634 {
635  IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
636  IPAddressOrRange *aor;
637  if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
638  return 0;
639  if (sk_IPAddressOrRange_push(aors, aor))
640  return 1;
641  IPAddressOrRange_free(aor);
642  return 0;
643 }
644 
645 /*
646  * Add a range.
647  */
648 int v3_addr_add_range(IPAddrBlocks *addr,
649  const unsigned afi,
650  const unsigned *safi,
651  unsigned char *min,
652  unsigned char *max)
653 {
654  IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi);
655  IPAddressOrRange *aor;
656  int length = length_from_afi(afi);
657  if (aors == NULL)
658  return 0;
659  if (!make_addressRange(&aor, min, max, length))
660  return 0;
661  if (sk_IPAddressOrRange_push(aors, aor))
662  return 1;
663  IPAddressOrRange_free(aor);
664  return 0;
665 }
666 
667 /*
668  * Extract min and max values from an IPAddressOrRange.
669  */
670 static int extract_min_max(IPAddressOrRange *aor,
671  unsigned char *min,
672  unsigned char *max,
673  int length)
674 {
675  if (aor == NULL || min == NULL || max == NULL)
676  return 0;
677  switch (aor->type) {
678  case IPAddressOrRange_addressPrefix:
679  return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
680  addr_expand(max, aor->u.addressPrefix, length, 0xFF));
681  case IPAddressOrRange_addressRange:
682  return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
683  addr_expand(max, aor->u.addressRange->max, length, 0xFF));
684  }
685  return 0;
686 }
687 
688 /*
689  * Public wrapper for extract_min_max().
690  */
691 int v3_addr_get_range(IPAddressOrRange *aor,
692  const unsigned afi,
693  unsigned char *min,
694  unsigned char *max,
695  const int length)
696 {
697  int afi_length = length_from_afi(afi);
698  if (aor == NULL || min == NULL || max == NULL ||
699  afi_length == 0 || length < afi_length ||
700  (aor->type != IPAddressOrRange_addressPrefix &&
701  aor->type != IPAddressOrRange_addressRange) ||
702  !extract_min_max(aor, min, max, afi_length))
703  return 0;
704 
705  return afi_length;
706 }
707 
708 /*
709  * Sort comparision function for a sequence of IPAddressFamily.
710  *
711  * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
712  * the ordering: I can read it as meaning that IPv6 without a SAFI
713  * comes before IPv4 with a SAFI, which seems pretty weird. The
714  * examples in appendix B suggest that the author intended the
715  * null-SAFI rule to apply only within a single AFI, which is what I
716  * would have expected and is what the following code implements.
717  */
718 static int IPAddressFamily_cmp(const IPAddressFamily * const *a_,
719  const IPAddressFamily * const *b_)
720 {
721  const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
722  const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
723  int len = ((a->length <= b->length) ? a->length : b->length);
724  int cmp = memcmp(a->data, b->data, len);
725  return cmp ? cmp : a->length - b->length;
726 }
727 
728 /*
729  * Check whether an IPAddrBLocks is in canonical form.
730  */
731 int v3_addr_is_canonical(IPAddrBlocks *addr)
732 {
733  unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
734  unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
735  IPAddressOrRanges *aors;
736  int i, j, k;
737 
738  /*
739  * Empty extension is cannonical.
740  */
741  if (addr == NULL)
742  return 1;
743 
744  /*
745  * Check whether the top-level list is in order.
746  */
747  for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
748  const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
749  const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
750  if (IPAddressFamily_cmp(&a, &b) >= 0)
751  return 0;
752  }
753 
754  /*
755  * Top level's ok, now check each address family.
756  */
757  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
758  IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
759  int length = length_from_afi(v3_addr_get_afi(f));
760 
761  /*
762  * Inheritance is canonical. Anything other than inheritance or
763  * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something.
764  */
765  if (f == NULL || f->ipAddressChoice == NULL)
766  return 0;
767  switch (f->ipAddressChoice->type) {
768  case IPAddressChoice_inherit:
769  continue;
770  case IPAddressChoice_addressesOrRanges:
771  break;
772  default:
773  return 0;
774  }
775 
776  /*
777  * It's an IPAddressOrRanges sequence, check it.
778  */
779  aors = f->ipAddressChoice->u.addressesOrRanges;
780  if (sk_IPAddressOrRange_num(aors) == 0)
781  return 0;
782  for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
783  IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
784  IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
785 
786  if (!extract_min_max(a, a_min, a_max, length) ||
787  !extract_min_max(b, b_min, b_max, length))
788  return 0;
789 
790  /*
791  * Punt misordered list, overlapping start, or inverted range.
792  */
793  if (memcmp(a_min, b_min, length) >= 0 ||
794  memcmp(a_min, a_max, length) > 0 ||
795  memcmp(b_min, b_max, length) > 0)
796  return 0;
797 
798  /*
799  * Punt if adjacent or overlapping. Check for adjacency by
800  * subtracting one from b_min first.
801  */
802  for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
803  ;
804  if (memcmp(a_max, b_min, length) >= 0)
805  return 0;
806 
807  /*
808  * Check for range that should be expressed as a prefix.
809  */
810  if (a->type == IPAddressOrRange_addressRange &&
811  range_should_be_prefix(a_min, a_max, length) >= 0)
812  return 0;
813  }
814 
815  /*
816  * Check range to see if it's inverted or should be a
817  * prefix.
818  */
819  j = sk_IPAddressOrRange_num(aors) - 1;
820  {
821  IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
822  if (a != NULL && a->type == IPAddressOrRange_addressRange) {
823  if (!extract_min_max(a, a_min, a_max, length))
824  return 0;
825  if (memcmp(a_min, a_max, length) > 0 ||
826  range_should_be_prefix(a_min, a_max, length) >= 0)
827  return 0;
828  }
829  }
830  }
831 
832  /*
833  * If we made it through all that, we're happy.
834  */
835  return 1;
836 }
837 
838 /*
839  * Whack an IPAddressOrRanges into canonical form.
840  */
841 static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
842  const unsigned afi)
843 {
844  int i, j, length = length_from_afi(afi);
845 
846  /*
847  * Sort the IPAddressOrRanges sequence.
848  */
849  sk_IPAddressOrRange_sort(aors);
850 
851  /*
852  * Clean up representation issues, punt on duplicates or overlaps.
853  */
854  for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
855  IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
856  IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
857  unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
858  unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
859 
860  if (!extract_min_max(a, a_min, a_max, length) ||
861  !extract_min_max(b, b_min, b_max, length))
862  return 0;
863 
864  /*
865  * Punt inverted ranges.
866  */
867  if (memcmp(a_min, a_max, length) > 0 ||
868  memcmp(b_min, b_max, length) > 0)
869  return 0;
870 
871  /*
872  * Punt overlaps.
873  */
874  if (memcmp(a_max, b_min, length) >= 0)
875  return 0;
876 
877  /*
878  * Merge if a and b are adjacent. We check for
879  * adjacency by subtracting one from b_min first.
880  */
881  for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
882  ;
883  if (memcmp(a_max, b_min, length) == 0) {
884  IPAddressOrRange *merged;
885  if (!make_addressRange(&merged, a_min, b_max, length))
886  return 0;
887  (void) sk_IPAddressOrRange_set(aors, i, merged);
888  (void) sk_IPAddressOrRange_delete(aors, i + 1);
889  IPAddressOrRange_free(a);
890  IPAddressOrRange_free(b);
891  --i;
892  continue;
893  }
894  }
895 
896  /*
897  * Check for inverted final range.
898  */
899  j = sk_IPAddressOrRange_num(aors) - 1;
900  {
901  IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
902  if (a != NULL && a->type == IPAddressOrRange_addressRange) {
903  unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
904  extract_min_max(a, a_min, a_max, length);
905  if (memcmp(a_min, a_max, length) > 0)
906  return 0;
907  }
908  }
909 
910  return 1;
911 }
912 
913 /*
914  * Whack an IPAddrBlocks extension into canonical form.
915  */
916 int v3_addr_canonize(IPAddrBlocks *addr)
917 {
918  int i;
919  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
920  IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
921  if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
922  !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
923  v3_addr_get_afi(f)))
924  return 0;
925  }
926  (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
927  sk_IPAddressFamily_sort(addr);
928  OPENSSL_assert(v3_addr_is_canonical(addr));
929  return 1;
930 }
931 
932 /*
933  * v2i handler for the IPAddrBlocks extension.
934  */
935 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
936  struct v3_ext_ctx *ctx,
937  STACK_OF(CONF_VALUE) *values)
938 {
939  static const char v4addr_chars[] = "0123456789.";
940  static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
941  IPAddrBlocks *addr = NULL;
942  char *s = NULL, *t;
943  int i;
944 
945  if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
946  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
947  return NULL;
948  }
949 
950  for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
951  CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
952  unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
953  unsigned afi, *safi = NULL, safi_;
954  const char *addr_chars;
955  int prefixlen, i1, i2, delim, length;
956 
957  if ( !name_cmp(val->name, "IPv4")) {
958  afi = IANA_AFI_IPV4;
959  } else if (!name_cmp(val->name, "IPv6")) {
960  afi = IANA_AFI_IPV6;
961  } else if (!name_cmp(val->name, "IPv4-SAFI")) {
962  afi = IANA_AFI_IPV4;
963  safi = &safi_;
964  } else if (!name_cmp(val->name, "IPv6-SAFI")) {
965  afi = IANA_AFI_IPV6;
966  safi = &safi_;
967  } else {
968  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR);
969  X509V3_conf_err(val);
970  goto err;
971  }
972 
973  switch (afi) {
974  case IANA_AFI_IPV4:
975  addr_chars = v4addr_chars;
976  break;
977  case IANA_AFI_IPV6:
978  addr_chars = v6addr_chars;
979  break;
980  }
981 
982  length = length_from_afi(afi);
983 
984  /*
985  * Handle SAFI, if any, and BUF_strdup() so we can null-terminate
986  * the other input values.
987  */
988  if (safi != NULL) {
989  *safi = strtoul(val->value, &t, 0);
990  t += strspn(t, " \t");
991  if (*safi > 0xFF || *t++ != ':') {
992  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
993  X509V3_conf_err(val);
994  goto err;
995  }
996  t += strspn(t, " \t");
997  s = BUF_strdup(t);
998  } else {
999  s = BUF_strdup(val->value);
1000  }
1001  if (s == NULL) {
1002  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1003  goto err;
1004  }
1005 
1006  /*
1007  * Check for inheritance. Not worth additional complexity to
1008  * optimize this (seldom-used) case.
1009  */
1010  if (!strcmp(s, "inherit")) {
1011  if (!v3_addr_add_inherit(addr, afi, safi)) {
1012  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE);
1013  X509V3_conf_err(val);
1014  goto err;
1015  }
1016  OPENSSL_free(s);
1017  s = NULL;
1018  continue;
1019  }
1020 
1021  i1 = strspn(s, addr_chars);
1022  i2 = i1 + strspn(s + i1, " \t");
1023  delim = s[i2++];
1024  s[i1] = '\0';
1025 
1026  if (a2i_ipadd(min, s) != length) {
1027  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1028  X509V3_conf_err(val);
1029  goto err;
1030  }
1031 
1032  switch (delim) {
1033  case '/':
1034  prefixlen = (int) strtoul(s + i2, &t, 10);
1035  if (t == s + i2 || *t != '\0') {
1036  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1037  X509V3_conf_err(val);
1038  goto err;
1039  }
1040  if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
1041  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1042  goto err;
1043  }
1044  break;
1045  case '-':
1046  i1 = i2 + strspn(s + i2, " \t");
1047  i2 = i1 + strspn(s + i1, addr_chars);
1048  if (i1 == i2 || s[i2] != '\0') {
1049  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1050  X509V3_conf_err(val);
1051  goto err;
1052  }
1053  if (a2i_ipadd(max, s + i1) != length) {
1054  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
1055  X509V3_conf_err(val);
1056  goto err;
1057  }
1058  if (memcmp(min, max, length_from_afi(afi)) > 0) {
1059  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1060  X509V3_conf_err(val);
1061  goto err;
1062  }
1063  if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1064  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1065  goto err;
1066  }
1067  break;
1068  case '\0':
1069  if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
1070  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1071  goto err;
1072  }
1073  break;
1074  default:
1075  X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1076  X509V3_conf_err(val);
1077  goto err;
1078  }
1079 
1080  OPENSSL_free(s);
1081  s = NULL;
1082  }
1083 
1084  /*
1085  * Canonize the result, then we're done.
1086  */
1087  if (!v3_addr_canonize(addr))
1088  goto err;
1089  return addr;
1090 
1091  err:
1092  OPENSSL_free(s);
1093  sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
1094  return NULL;
1095 }
1096 
1097 /*
1098  * OpenSSL dispatch
1099  */
1100 const X509V3_EXT_METHOD v3_addr = {
1101  NID_sbgp_ipAddrBlock, /* nid */
1102  0, /* flags */
1103  ASN1_ITEM_ref(IPAddrBlocks), /* template */
1104  0, 0, 0, 0, /* old functions, ignored */
1105  0, /* i2s */
1106  0, /* s2i */
1107  0, /* i2v */
1108  v2i_IPAddrBlocks, /* v2i */
1109  i2r_IPAddrBlocks, /* i2r */
1110  0, /* r2i */
1111  NULL /* extension-specific data */
1112 };
1113 
1114 /*
1115  * Figure out whether extension sues inheritance.
1116  */
1117 int v3_addr_inherits(IPAddrBlocks *addr)
1118 {
1119  int i;
1120  if (addr == NULL)
1121  return 0;
1122  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
1123  IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
1124  if (f->ipAddressChoice->type == IPAddressChoice_inherit)
1125  return 1;
1126  }
1127  return 0;
1128 }
1129 
1130 /*
1131  * Figure out whether parent contains child.
1132  */
1133 static int addr_contains(IPAddressOrRanges *parent,
1134  IPAddressOrRanges *child,
1135  int length)
1136 {
1137  unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
1138  unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
1139  int p, c;
1140 
1141  if (child == NULL || parent == child)
1142  return 1;
1143  if (parent == NULL)
1144  return 0;
1145 
1146  p = 0;
1147  for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1148  if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1149  c_min, c_max, length))
1150  return -1;
1151  for (;; p++) {
1152  if (p >= sk_IPAddressOrRange_num(parent))
1153  return 0;
1154  if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1155  p_min, p_max, length))
1156  return 0;
1157  if (memcmp(p_max, c_max, length) < 0)
1158  continue;
1159  if (memcmp(p_min, c_min, length) > 0)
1160  return 0;
1161  break;
1162  }
1163  }
1164 
1165  return 1;
1166 }
1167 
1168 /*
1169  * Test whether a is a subset of b.
1170  */
1171 int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1172 {
1173  int i;
1174  if (a == NULL || a == b)
1175  return 1;
1176  if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1177  return 0;
1178  (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1179  for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1180  IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1181  int j = sk_IPAddressFamily_find(b, fa);
1182  IPAddressFamily *fb;
1183  fb = sk_IPAddressFamily_value(b, j);
1184  if (fb == NULL)
1185  return 0;
1186  if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
1187  fa->ipAddressChoice->u.addressesOrRanges,
1188  length_from_afi(v3_addr_get_afi(fb))))
1189  return 0;
1190  }
1191  return 1;
1192 }
1193 
1194 /*
1195  * Validation error handling via callback.
1196  */
1197 #define validation_err(_err_) \
1198  do { \
1199  if (ctx != NULL) { \
1200  ctx->error = _err_; \
1201  ctx->error_depth = i; \
1202  ctx->current_cert = x; \
1203  ret = ctx->verify_cb(0, ctx); \
1204  } else { \
1205  ret = 0; \
1206  } \
1207  if (!ret) \
1208  goto done; \
1209  } while (0)
1210 
1211 /*
1212  * Core code for RFC 3779 2.3 path validation.
1213  */
1214 static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1215  STACK_OF(X509) *chain,
1216  IPAddrBlocks *ext)
1217 {
1218  IPAddrBlocks *child = NULL;
1219  int i, j, ret = 1;
1220  X509 *x;
1221 
1222  OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
1223  OPENSSL_assert(ctx != NULL || ext != NULL);
1224  OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
1225 
1226  /*
1227  * Figure out where to start. If we don't have an extension to
1228  * check, we're done. Otherwise, check canonical form and
1229  * set up for walking up the chain.
1230  */
1231  if (ext != NULL) {
1232  i = -1;
1233  x = NULL;
1234  } else {
1235  i = 0;
1236  x = sk_X509_value(chain, i);
1237  OPENSSL_assert(x != NULL);
1238  if ((ext = x->rfc3779_addr) == NULL)
1239  goto done;
1240  }
1241  if (!v3_addr_is_canonical(ext))
1242  validation_err(X509_V_ERR_INVALID_EXTENSION);
1243  (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1244  if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1245  X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
1246  ret = 0;
1247  goto done;
1248  }
1249 
1250  /*
1251  * Now walk up the chain. No cert may list resources that its
1252  * parent doesn't list.
1253  */
1254  for (i++; i < sk_X509_num(chain); i++) {
1255  x = sk_X509_value(chain, i);
1256  OPENSSL_assert(x != NULL);
1257  if (!v3_addr_is_canonical(x->rfc3779_addr))
1258  validation_err(X509_V_ERR_INVALID_EXTENSION);
1259  if (x->rfc3779_addr == NULL) {
1260  for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1261  IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1262  if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
1263  validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1264  break;
1265  }
1266  }
1267  continue;
1268  }
1269  (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
1270  for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1271  IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1272  int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
1273  IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k);
1274  if (fp == NULL) {
1275  if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1276  validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1277  break;
1278  }
1279  continue;
1280  }
1281  if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) {
1282  if (fc->ipAddressChoice->type == IPAddressChoice_inherit ||
1283  addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
1284  fc->ipAddressChoice->u.addressesOrRanges,
1285  length_from_afi(v3_addr_get_afi(fc))))
1286  sk_IPAddressFamily_set(child, j, fp);
1287  else
1288  validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1289  }
1290  }
1291  }
1292 
1293  /*
1294  * Trust anchor can't inherit.
1295  */
1296  OPENSSL_assert(x != NULL);
1297  if (x->rfc3779_addr != NULL) {
1298  for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
1299  IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j);
1300  if (fp->ipAddressChoice->type == IPAddressChoice_inherit &&
1301  sk_IPAddressFamily_find(child, fp) >= 0)
1302  validation_err(X509_V_ERR_UNNESTED_RESOURCE);
1303  }
1304  }
1305 
1306  done:
1307  sk_IPAddressFamily_free(child);
1308  return ret;
1309 }
1310 
1311 #undef validation_err
1312 
1313 /*
1314  * RFC 3779 2.3 path validation -- called from X509_verify_cert().
1315  */
1316 int v3_addr_validate_path(X509_STORE_CTX *ctx)
1317 {
1318  return v3_addr_validate_path_internal(ctx, ctx->chain, NULL);
1319 }
1320 
1321 /*
1322  * RFC 3779 2.3 path validation of an extension.
1323  * Test whether chain covers extension.
1324  */
1325 int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
1326  IPAddrBlocks *ext,
1327  int allow_inheritance)
1328 {
1329  if (ext == NULL)
1330  return 1;
1331  if (chain == NULL || sk_X509_num(chain) == 0)
1332  return 0;
1333  if (!allow_inheritance && v3_addr_inherits(ext))
1334  return 0;
1335  return v3_addr_validate_path_internal(NULL, chain, ext);
1336 }
1337 
1338 #endif /* OPENSSL_NO_RFC3779 */
Generated on Thu Jan 10 2013 09:53:40 for OpenSSL by   doxygen 1.8.2