OLD | NEW |
1 /* | 1 /* |
2 * Contributed to the OpenSSL Project by the American Registry for | 2 * Contributed to the OpenSSL Project by the American Registry for |
3 * Internet Numbers ("ARIN"). | 3 * Internet Numbers ("ARIN"). |
4 */ | 4 */ |
5 /* ==================================================================== | 5 /* ==================================================================== |
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. | 6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved. |
7 * | 7 * |
8 * Redistribution and use in source and binary forms, with or without | 8 * Redistribution and use in source and binary forms, with or without |
9 * modification, are permitted provided that the following conditions | 9 * modification, are permitted provided that the following conditions |
10 * are met: | 10 * are met: |
(...skipping 124 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
135 f->addressFamily->data != NULL) | 135 f->addressFamily->data != NULL) |
136 ? ((f->addressFamily->data[0] << 8) | | 136 ? ((f->addressFamily->data[0] << 8) | |
137 (f->addressFamily->data[1])) | 137 (f->addressFamily->data[1])) |
138 : 0); | 138 : 0); |
139 } | 139 } |
140 | 140 |
141 /* | 141 /* |
142 * Expand the bitstring form of an address into a raw byte array. | 142 * Expand the bitstring form of an address into a raw byte array. |
143 * At the moment this is coded for simplicity, not speed. | 143 * At the moment this is coded for simplicity, not speed. |
144 */ | 144 */ |
145 static void addr_expand(unsigned char *addr, | 145 static int addr_expand(unsigned char *addr, |
146 const ASN1_BIT_STRING *bs, | 146 const ASN1_BIT_STRING *bs, |
147 const int length, | 147 const int length, |
148 const unsigned char fill) | 148 const unsigned char fill) |
149 { | 149 { |
150 OPENSSL_assert(bs->length >= 0 && bs->length <= length); | 150 if (bs->length < 0 || bs->length > length) |
| 151 return 0; |
151 if (bs->length > 0) { | 152 if (bs->length > 0) { |
152 memcpy(addr, bs->data, bs->length); | 153 memcpy(addr, bs->data, bs->length); |
153 if ((bs->flags & 7) != 0) { | 154 if ((bs->flags & 7) != 0) { |
154 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); | 155 unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); |
155 if (fill == 0) | 156 if (fill == 0) |
156 addr[bs->length - 1] &= ~mask; | 157 addr[bs->length - 1] &= ~mask; |
157 else | 158 else |
158 addr[bs->length - 1] |= mask; | 159 addr[bs->length - 1] |= mask; |
159 } | 160 } |
160 } | 161 } |
161 memset(addr + bs->length, fill, length - bs->length); | 162 memset(addr + bs->length, fill, length - bs->length); |
| 163 return 1; |
162 } | 164 } |
163 | 165 |
164 /* | 166 /* |
165 * Extract the prefix length from a bitstring. | 167 * Extract the prefix length from a bitstring. |
166 */ | 168 */ |
167 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) | 169 #define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) |
168 | 170 |
169 /* | 171 /* |
170 * i2r handler for one address bitstring. | 172 * i2r handler for one address bitstring. |
171 */ | 173 */ |
172 static int i2r_address(BIO *out, | 174 static int i2r_address(BIO *out, |
173 const unsigned afi, | 175 const unsigned afi, |
174 const unsigned char fill, | 176 const unsigned char fill, |
175 const ASN1_BIT_STRING *bs) | 177 const ASN1_BIT_STRING *bs) |
176 { | 178 { |
177 unsigned char addr[ADDR_RAW_BUF_LEN]; | 179 unsigned char addr[ADDR_RAW_BUF_LEN]; |
178 int i, n; | 180 int i, n; |
179 | 181 |
| 182 if (bs->length < 0) |
| 183 return 0; |
180 switch (afi) { | 184 switch (afi) { |
181 case IANA_AFI_IPV4: | 185 case IANA_AFI_IPV4: |
182 addr_expand(addr, bs, 4, fill); | 186 if (!addr_expand(addr, bs, 4, fill)) |
| 187 return 0; |
183 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); | 188 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); |
184 break; | 189 break; |
185 case IANA_AFI_IPV6: | 190 case IANA_AFI_IPV6: |
186 addr_expand(addr, bs, 16, fill); | 191 if (!addr_expand(addr, bs, 16, fill)) |
| 192 return 0; |
187 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) | 193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) |
188 ; | 194 ; |
189 for (i = 0; i < n; i += 2) | 195 for (i = 0; i < n; i += 2) |
190 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); | 196 BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); |
191 if (i < 16) | 197 if (i < 16) |
192 BIO_puts(out, ":"); | 198 BIO_puts(out, ":"); |
193 if (i == 0) | 199 if (i == 0) |
194 BIO_puts(out, ":"); | 200 BIO_puts(out, ":"); |
195 break; | 201 break; |
196 default: | 202 default: |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
229 BIO_puts(out, "\n"); | 235 BIO_puts(out, "\n"); |
230 continue; | 236 continue; |
231 } | 237 } |
232 } | 238 } |
233 return 1; | 239 return 1; |
234 } | 240 } |
235 | 241 |
236 /* | 242 /* |
237 * i2r handler for an IPAddrBlocks extension. | 243 * i2r handler for an IPAddrBlocks extension. |
238 */ | 244 */ |
239 static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method, | 245 static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, |
240 void *ext, | 246 void *ext, |
241 BIO *out, | 247 BIO *out, |
242 int indent) | 248 int indent) |
243 { | 249 { |
244 const IPAddrBlocks *addr = ext; | 250 const IPAddrBlocks *addr = ext; |
245 int i; | 251 int i; |
246 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { | 252 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { |
247 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); | 253 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); |
248 const unsigned int afi = v3_addr_get_afi(f); | 254 const unsigned int afi = v3_addr_get_afi(f); |
249 switch (afi) { | 255 switch (afi) { |
(...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
302 return 0; | 308 return 0; |
303 break; | 309 break; |
304 } | 310 } |
305 } | 311 } |
306 return 1; | 312 return 1; |
307 } | 313 } |
308 | 314 |
309 /* | 315 /* |
310 * Sort comparison function for a sequence of IPAddressOrRange | 316 * Sort comparison function for a sequence of IPAddressOrRange |
311 * elements. | 317 * elements. |
| 318 * |
| 319 * There's no sane answer we can give if addr_expand() fails, and an |
| 320 * assertion failure on externally supplied data is seriously uncool, |
| 321 * so we just arbitrarily declare that if given invalid inputs this |
| 322 * function returns -1. If this messes up your preferred sort order |
| 323 * for garbage input, tough noogies. |
312 */ | 324 */ |
313 static int IPAddressOrRange_cmp(const IPAddressOrRange *a, | 325 static int IPAddressOrRange_cmp(const IPAddressOrRange *a, |
314 const IPAddressOrRange *b, | 326 const IPAddressOrRange *b, |
315 const int length) | 327 const int length) |
316 { | 328 { |
317 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; | 329 unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; |
318 int prefixlen_a = 0; | 330 int prefixlen_a = 0, prefixlen_b = 0; |
319 int prefixlen_b = 0; | |
320 int r; | 331 int r; |
321 | 332 |
322 switch (a->type) { | 333 switch (a->type) { |
323 case IPAddressOrRange_addressPrefix: | 334 case IPAddressOrRange_addressPrefix: |
324 addr_expand(addr_a, a->u.addressPrefix, length, 0x00); | 335 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00)) |
| 336 return -1; |
325 prefixlen_a = addr_prefixlen(a->u.addressPrefix); | 337 prefixlen_a = addr_prefixlen(a->u.addressPrefix); |
326 break; | 338 break; |
327 case IPAddressOrRange_addressRange: | 339 case IPAddressOrRange_addressRange: |
328 addr_expand(addr_a, a->u.addressRange->min, length, 0x00); | 340 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00)) |
| 341 return -1; |
329 prefixlen_a = length * 8; | 342 prefixlen_a = length * 8; |
330 break; | 343 break; |
331 } | 344 } |
332 | 345 |
333 switch (b->type) { | 346 switch (b->type) { |
334 case IPAddressOrRange_addressPrefix: | 347 case IPAddressOrRange_addressPrefix: |
335 addr_expand(addr_b, b->u.addressPrefix, length, 0x00); | 348 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00)) |
| 349 return -1; |
336 prefixlen_b = addr_prefixlen(b->u.addressPrefix); | 350 prefixlen_b = addr_prefixlen(b->u.addressPrefix); |
337 break; | 351 break; |
338 case IPAddressOrRange_addressRange: | 352 case IPAddressOrRange_addressRange: |
339 addr_expand(addr_b, b->u.addressRange->min, length, 0x00); | 353 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00)) |
| 354 return -1; |
340 prefixlen_b = length * 8; | 355 prefixlen_b = length * 8; |
341 break; | 356 break; |
342 } | 357 } |
343 | 358 |
344 if ((r = memcmp(addr_a, addr_b, length)) != 0) | 359 if ((r = memcmp(addr_a, addr_b, length)) != 0) |
345 return r; | 360 return r; |
346 else | 361 else |
347 return prefixlen_a - prefixlen_b; | 362 return prefixlen_a - prefixlen_b; |
348 } | 363 } |
349 | 364 |
(...skipping 21 matching lines...) Expand all Loading... |
371 * Calculate whether a range collapses to a prefix. | 386 * Calculate whether a range collapses to a prefix. |
372 * See last paragraph of RFC 3779 2.2.3.7. | 387 * See last paragraph of RFC 3779 2.2.3.7. |
373 */ | 388 */ |
374 static int range_should_be_prefix(const unsigned char *min, | 389 static int range_should_be_prefix(const unsigned char *min, |
375 const unsigned char *max, | 390 const unsigned char *max, |
376 const int length) | 391 const int length) |
377 { | 392 { |
378 unsigned char mask; | 393 unsigned char mask; |
379 int i, j; | 394 int i, j; |
380 | 395 |
| 396 OPENSSL_assert(memcmp(min, max, length) <= 0); |
381 for (i = 0; i < length && min[i] == max[i]; i++) | 397 for (i = 0; i < length && min[i] == max[i]; i++) |
382 ; | 398 ; |
383 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) | 399 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) |
384 ; | 400 ; |
385 if (i < j) | 401 if (i < j) |
386 return -1; | 402 return -1; |
387 if (i > j) | 403 if (i > j) |
388 return i * 8; | 404 return i * 8; |
389 mask = min[i] ^ max[i]; | 405 mask = min[i] ^ max[i]; |
390 switch (mask) { | 406 switch (mask) { |
(...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
589 f->ipAddressChoice->u.inherit != NULL)) | 605 f->ipAddressChoice->u.inherit != NULL)) |
590 return NULL; | 606 return NULL; |
591 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) | 607 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) |
592 aors = f->ipAddressChoice->u.addressesOrRanges; | 608 aors = f->ipAddressChoice->u.addressesOrRanges; |
593 if (aors != NULL) | 609 if (aors != NULL) |
594 return aors; | 610 return aors; |
595 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) | 611 if ((aors = sk_IPAddressOrRange_new_null()) == NULL) |
596 return NULL; | 612 return NULL; |
597 switch (afi) { | 613 switch (afi) { |
598 case IANA_AFI_IPV4: | 614 case IANA_AFI_IPV4: |
599 (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); | 615 (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); |
600 break; | 616 break; |
601 case IANA_AFI_IPV6: | 617 case IANA_AFI_IPV6: |
602 (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); | 618 (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); |
603 break; | 619 break; |
604 } | 620 } |
605 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; | 621 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; |
606 f->ipAddressChoice->u.addressesOrRanges = aors; | 622 f->ipAddressChoice->u.addressesOrRanges = aors; |
607 return aors; | 623 return aors; |
608 } | 624 } |
609 | 625 |
610 /* | 626 /* |
611 * Add a prefix. | 627 * Add a prefix. |
612 */ | 628 */ |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
644 return 0; | 660 return 0; |
645 if (sk_IPAddressOrRange_push(aors, aor)) | 661 if (sk_IPAddressOrRange_push(aors, aor)) |
646 return 1; | 662 return 1; |
647 IPAddressOrRange_free(aor); | 663 IPAddressOrRange_free(aor); |
648 return 0; | 664 return 0; |
649 } | 665 } |
650 | 666 |
651 /* | 667 /* |
652 * Extract min and max values from an IPAddressOrRange. | 668 * Extract min and max values from an IPAddressOrRange. |
653 */ | 669 */ |
654 static void extract_min_max(IPAddressOrRange *aor, | 670 static int extract_min_max(IPAddressOrRange *aor, |
655 unsigned char *min, | 671 unsigned char *min, |
656 unsigned char *max, | 672 unsigned char *max, |
657 int length) | 673 int length) |
658 { | 674 { |
659 OPENSSL_assert(aor != NULL && min != NULL && max != NULL); | 675 if (aor == NULL || min == NULL || max == NULL) |
| 676 return 0; |
660 switch (aor->type) { | 677 switch (aor->type) { |
661 case IPAddressOrRange_addressPrefix: | 678 case IPAddressOrRange_addressPrefix: |
662 addr_expand(min, aor->u.addressPrefix, length, 0x00); | 679 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) && |
663 addr_expand(max, aor->u.addressPrefix, length, 0xFF); | 680 » addr_expand(max, aor->u.addressPrefix, length, 0xFF)); |
664 return; | |
665 case IPAddressOrRange_addressRange: | 681 case IPAddressOrRange_addressRange: |
666 addr_expand(min, aor->u.addressRange->min, length, 0x00); | 682 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) && |
667 addr_expand(max, aor->u.addressRange->max, length, 0xFF); | 683 » addr_expand(max, aor->u.addressRange->max, length, 0xFF)); |
668 return; | |
669 } | 684 } |
| 685 return 0; |
670 } | 686 } |
671 | 687 |
672 /* | 688 /* |
673 * Public wrapper for extract_min_max(). | 689 * Public wrapper for extract_min_max(). |
674 */ | 690 */ |
675 int v3_addr_get_range(IPAddressOrRange *aor, | 691 int v3_addr_get_range(IPAddressOrRange *aor, |
676 const unsigned afi, | 692 const unsigned afi, |
677 unsigned char *min, | 693 unsigned char *min, |
678 unsigned char *max, | 694 unsigned char *max, |
679 const int length) | 695 const int length) |
680 { | 696 { |
681 int afi_length = length_from_afi(afi); | 697 int afi_length = length_from_afi(afi); |
682 if (aor == NULL || min == NULL || max == NULL || | 698 if (aor == NULL || min == NULL || max == NULL || |
683 afi_length == 0 || length < afi_length || | 699 afi_length == 0 || length < afi_length || |
684 (aor->type != IPAddressOrRange_addressPrefix && | 700 (aor->type != IPAddressOrRange_addressPrefix && |
685 aor->type != IPAddressOrRange_addressRange)) | 701 aor->type != IPAddressOrRange_addressRange) || |
| 702 !extract_min_max(aor, min, max, afi_length)) |
686 return 0; | 703 return 0; |
687 extract_min_max(aor, min, max, afi_length); | 704 |
688 return afi_length; | 705 return afi_length; |
689 } | 706 } |
690 | 707 |
691 /* | 708 /* |
692 * Sort comparision function for a sequence of IPAddressFamily. | 709 * Sort comparision function for a sequence of IPAddressFamily. |
693 * | 710 * |
694 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about | 711 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about |
695 * the ordering: I can read it as meaning that IPv6 without a SAFI | 712 * the ordering: I can read it as meaning that IPv6 without a SAFI |
696 * comes before IPv4 with a SAFI, which seems pretty weird. The | 713 * comes before IPv4 with a SAFI, which seems pretty weird. The |
697 * examples in appendix B suggest that the author intended the | 714 * examples in appendix B suggest that the author intended the |
(...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
759 /* | 776 /* |
760 * It's an IPAddressOrRanges sequence, check it. | 777 * It's an IPAddressOrRanges sequence, check it. |
761 */ | 778 */ |
762 aors = f->ipAddressChoice->u.addressesOrRanges; | 779 aors = f->ipAddressChoice->u.addressesOrRanges; |
763 if (sk_IPAddressOrRange_num(aors) == 0) | 780 if (sk_IPAddressOrRange_num(aors) == 0) |
764 return 0; | 781 return 0; |
765 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { | 782 for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { |
766 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); | 783 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); |
767 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); | 784 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); |
768 | 785 |
769 extract_min_max(a, a_min, a_max, length); | 786 if (!extract_min_max(a, a_min, a_max, length) || |
770 extract_min_max(b, b_min, b_max, length); | 787 » !extract_min_max(b, b_min, b_max, length)) |
| 788 » return 0; |
771 | 789 |
772 /* | 790 /* |
773 * Punt misordered list, overlapping start, or inverted range. | 791 * Punt misordered list, overlapping start, or inverted range. |
774 */ | 792 */ |
775 if (memcmp(a_min, b_min, length) >= 0 || | 793 if (memcmp(a_min, b_min, length) >= 0 || |
776 memcmp(a_min, a_max, length) > 0 || | 794 memcmp(a_min, a_max, length) > 0 || |
777 memcmp(b_min, b_max, length) > 0) | 795 memcmp(b_min, b_max, length) > 0) |
778 return 0; | 796 return 0; |
779 | 797 |
780 /* | 798 /* |
781 * Punt if adjacent or overlapping. Check for adjacency by | 799 * Punt if adjacent or overlapping. Check for adjacency by |
782 * subtracting one from b_min first. | 800 * subtracting one from b_min first. |
783 */ | 801 */ |
784 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) | 802 for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) |
785 ; | 803 ; |
786 if (memcmp(a_max, b_min, length) >= 0) | 804 if (memcmp(a_max, b_min, length) >= 0) |
787 return 0; | 805 return 0; |
788 | 806 |
789 /* | 807 /* |
790 * Check for range that should be expressed as a prefix. | 808 * Check for range that should be expressed as a prefix. |
791 */ | 809 */ |
792 if (a->type == IPAddressOrRange_addressRange && | 810 if (a->type == IPAddressOrRange_addressRange && |
793 range_should_be_prefix(a_min, a_max, length) >= 0) | 811 range_should_be_prefix(a_min, a_max, length) >= 0) |
794 return 0; | 812 return 0; |
795 } | 813 } |
796 | 814 |
797 /* | 815 /* |
798 * Check final range to see if it should be a prefix. | 816 * Check range to see if it's inverted or should be a |
| 817 * prefix. |
799 */ | 818 */ |
800 j = sk_IPAddressOrRange_num(aors) - 1; | 819 j = sk_IPAddressOrRange_num(aors) - 1; |
801 { | 820 { |
802 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); | 821 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); |
803 if (a->type == IPAddressOrRange_addressRange) { | 822 if (a != NULL && a->type == IPAddressOrRange_addressRange) { |
804 » extract_min_max(a, a_min, a_max, length); | 823 » if (!extract_min_max(a, a_min, a_max, length)) |
805 » if (range_should_be_prefix(a_min, a_max, length) >= 0) | 824 » return 0; |
| 825 » if (memcmp(a_min, a_max, length) > 0 || |
| 826 » range_should_be_prefix(a_min, a_max, length) >= 0) |
806 return 0; | 827 return 0; |
807 } | 828 } |
808 } | 829 } |
809 } | 830 } |
810 | 831 |
811 /* | 832 /* |
812 * If we made it through all that, we're happy. | 833 * If we made it through all that, we're happy. |
813 */ | 834 */ |
814 return 1; | 835 return 1; |
815 } | 836 } |
(...skipping 13 matching lines...) Expand all Loading... |
829 | 850 |
830 /* | 851 /* |
831 * Clean up representation issues, punt on duplicates or overlaps. | 852 * Clean up representation issues, punt on duplicates or overlaps. |
832 */ | 853 */ |
833 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { | 854 for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { |
834 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); | 855 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); |
835 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); | 856 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); |
836 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; | 857 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; |
837 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; | 858 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; |
838 | 859 |
839 extract_min_max(a, a_min, a_max, length); | 860 if (!extract_min_max(a, a_min, a_max, length) || |
840 extract_min_max(b, b_min, b_max, length); | 861 » !extract_min_max(b, b_min, b_max, length)) |
| 862 return 0; |
| 863 |
| 864 /* |
| 865 * Punt inverted ranges. |
| 866 */ |
| 867 if (memcmp(a_min, a_max, length) > 0 || |
| 868 » memcmp(b_min, b_max, length) > 0) |
| 869 return 0; |
841 | 870 |
842 /* | 871 /* |
843 * Punt overlaps. | 872 * Punt overlaps. |
844 */ | 873 */ |
845 if (memcmp(a_max, b_min, length) >= 0) | 874 if (memcmp(a_max, b_min, length) >= 0) |
846 return 0; | 875 return 0; |
847 | 876 |
848 /* | 877 /* |
849 * Merge if a and b are adjacent. We check for | 878 * Merge if a and b are adjacent. We check for |
850 * adjacency by subtracting one from b_min first. | 879 * adjacency by subtracting one from b_min first. |
851 */ | 880 */ |
852 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) | 881 for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) |
853 ; | 882 ; |
854 if (memcmp(a_max, b_min, length) == 0) { | 883 if (memcmp(a_max, b_min, length) == 0) { |
855 IPAddressOrRange *merged; | 884 IPAddressOrRange *merged; |
856 if (!make_addressRange(&merged, a_min, b_max, length)) | 885 if (!make_addressRange(&merged, a_min, b_max, length)) |
857 return 0; | 886 return 0; |
858 sk_IPAddressOrRange_set(aors, i, merged); | 887 (void) sk_IPAddressOrRange_set(aors, i, merged); |
859 (void)sk_IPAddressOrRange_delete(aors, i + 1); | 888 (void) sk_IPAddressOrRange_delete(aors, i + 1); |
860 IPAddressOrRange_free(a); | 889 IPAddressOrRange_free(a); |
861 IPAddressOrRange_free(b); | 890 IPAddressOrRange_free(b); |
862 --i; | 891 --i; |
863 continue; | 892 continue; |
864 } | 893 } |
865 } | 894 } |
866 | 895 |
| 896 /* |
| 897 * Check for inverted final range. |
| 898 */ |
| 899 j = sk_IPAddressOrRange_num(aors) - 1; |
| 900 { |
| 901 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); |
| 902 if (a != NULL && a->type == IPAddressOrRange_addressRange) { |
| 903 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; |
| 904 extract_min_max(a, a_min, a_max, length); |
| 905 if (memcmp(a_min, a_max, length) > 0) |
| 906 return 0; |
| 907 } |
| 908 } |
| 909 |
867 return 1; | 910 return 1; |
868 } | 911 } |
869 | 912 |
870 /* | 913 /* |
871 * Whack an IPAddrBlocks extension into canonical form. | 914 * Whack an IPAddrBlocks extension into canonical form. |
872 */ | 915 */ |
873 int v3_addr_canonize(IPAddrBlocks *addr) | 916 int v3_addr_canonize(IPAddrBlocks *addr) |
874 { | 917 { |
875 int i; | 918 int i; |
876 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { | 919 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { |
877 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); | 920 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); |
878 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && | 921 if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && |
879 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, | 922 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, |
880 v3_addr_get_afi(f))) | 923 v3_addr_get_afi(f))) |
881 return 0; | 924 return 0; |
882 } | 925 } |
883 (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); | 926 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); |
884 sk_IPAddressFamily_sort(addr); | 927 sk_IPAddressFamily_sort(addr); |
885 OPENSSL_assert(v3_addr_is_canonical(addr)); | 928 OPENSSL_assert(v3_addr_is_canonical(addr)); |
886 return 1; | 929 return 1; |
887 } | 930 } |
888 | 931 |
889 /* | 932 /* |
890 * v2i handler for the IPAddrBlocks extension. | 933 * v2i handler for the IPAddrBlocks extension. |
891 */ | 934 */ |
892 static void *v2i_IPAddrBlocks(struct v3_ext_method *method, | 935 static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, |
893 struct v3_ext_ctx *ctx, | 936 struct v3_ext_ctx *ctx, |
894 STACK_OF(CONF_VALUE) *values) | 937 STACK_OF(CONF_VALUE) *values) |
895 { | 938 { |
896 static const char v4addr_chars[] = "0123456789."; | 939 static const char v4addr_chars[] = "0123456789."; |
897 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; | 940 static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; |
898 IPAddrBlocks *addr = NULL; | 941 IPAddrBlocks *addr = NULL; |
899 char *s = NULL, *t; | 942 char *s = NULL, *t; |
900 int i; | 943 int i; |
901 | 944 |
902 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { | 945 if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { |
(...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1005 if (i1 == i2 || s[i2] != '\0') { | 1048 if (i1 == i2 || s[i2] != '\0') { |
1006 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); | 1049 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); |
1007 X509V3_conf_err(val); | 1050 X509V3_conf_err(val); |
1008 goto err; | 1051 goto err; |
1009 } | 1052 } |
1010 if (a2i_ipadd(max, s + i1) != length) { | 1053 if (a2i_ipadd(max, s + i1) != length) { |
1011 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); | 1054 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); |
1012 X509V3_conf_err(val); | 1055 X509V3_conf_err(val); |
1013 goto err; | 1056 goto err; |
1014 } | 1057 } |
| 1058 if (memcmp(min, max, length_from_afi(afi)) > 0) { |
| 1059 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); |
| 1060 X509V3_conf_err(val); |
| 1061 goto err; |
| 1062 } |
1015 if (!v3_addr_add_range(addr, afi, safi, min, max)) { | 1063 if (!v3_addr_add_range(addr, afi, safi, min, max)) { |
1016 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); | 1064 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); |
1017 goto err; | 1065 goto err; |
1018 } | 1066 } |
1019 break; | 1067 break; |
1020 case '\0': | 1068 case '\0': |
1021 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { | 1069 if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { |
1022 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); | 1070 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); |
1023 goto err; | 1071 goto err; |
1024 } | 1072 } |
(...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1090 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; | 1138 unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; |
1091 int p, c; | 1139 int p, c; |
1092 | 1140 |
1093 if (child == NULL || parent == child) | 1141 if (child == NULL || parent == child) |
1094 return 1; | 1142 return 1; |
1095 if (parent == NULL) | 1143 if (parent == NULL) |
1096 return 0; | 1144 return 0; |
1097 | 1145 |
1098 p = 0; | 1146 p = 0; |
1099 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { | 1147 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { |
1100 extract_min_max(sk_IPAddressOrRange_value(child, c), | 1148 if (!extract_min_max(sk_IPAddressOrRange_value(child, c), |
1101 » » c_min, c_max, length); | 1149 » » » c_min, c_max, length)) |
| 1150 return -1; |
1102 for (;; p++) { | 1151 for (;; p++) { |
1103 if (p >= sk_IPAddressOrRange_num(parent)) | 1152 if (p >= sk_IPAddressOrRange_num(parent)) |
1104 return 0; | 1153 return 0; |
1105 extract_min_max(sk_IPAddressOrRange_value(parent, p), | 1154 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p), |
1106 » » p_min, p_max, length); | 1155 » » » p_min, p_max, length)) |
| 1156 » return 0; |
1107 if (memcmp(p_max, c_max, length) < 0) | 1157 if (memcmp(p_max, c_max, length) < 0) |
1108 continue; | 1158 continue; |
1109 if (memcmp(p_min, c_min, length) > 0) | 1159 if (memcmp(p_min, c_min, length) > 0) |
1110 return 0; | 1160 return 0; |
1111 break; | 1161 break; |
1112 } | 1162 } |
1113 } | 1163 } |
1114 | 1164 |
1115 return 1; | 1165 return 1; |
1116 } | 1166 } |
1117 | 1167 |
1118 /* | 1168 /* |
1119 * Test whether a is a subset of b. | 1169 * Test whether a is a subset of b. |
1120 */ | 1170 */ |
1121 int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) | 1171 int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) |
1122 { | 1172 { |
1123 int i; | 1173 int i; |
1124 if (a == NULL || a == b) | 1174 if (a == NULL || a == b) |
1125 return 1; | 1175 return 1; |
1126 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) | 1176 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) |
1127 return 0; | 1177 return 0; |
1128 (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); | 1178 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); |
1129 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { | 1179 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { |
1130 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); | 1180 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); |
1131 int j = sk_IPAddressFamily_find(b, fa); | 1181 int j = sk_IPAddressFamily_find(b, fa); |
1132 IPAddressFamily *fb; | 1182 IPAddressFamily *fb; |
1133 fb = sk_IPAddressFamily_value(b, j); | 1183 fb = sk_IPAddressFamily_value(b, j); |
1134 if (fb == NULL) | 1184 if (fb == NULL) |
1135 return 0; | 1185 return 0; |
1136 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, | 1186 if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, |
1137 fa->ipAddressChoice->u.addressesOrRanges, | 1187 fa->ipAddressChoice->u.addressesOrRanges, |
1138 length_from_afi(v3_addr_get_afi(fb)))) | 1188 length_from_afi(v3_addr_get_afi(fb)))) |
(...skipping 21 matching lines...) Expand all Loading... |
1160 | 1210 |
1161 /* | 1211 /* |
1162 * Core code for RFC 3779 2.3 path validation. | 1212 * Core code for RFC 3779 2.3 path validation. |
1163 */ | 1213 */ |
1164 static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, | 1214 static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, |
1165 STACK_OF(X509) *chain, | 1215 STACK_OF(X509) *chain, |
1166 IPAddrBlocks *ext) | 1216 IPAddrBlocks *ext) |
1167 { | 1217 { |
1168 IPAddrBlocks *child = NULL; | 1218 IPAddrBlocks *child = NULL; |
1169 int i, j, ret = 1; | 1219 int i, j, ret = 1; |
1170 X509 *x = NULL; | 1220 X509 *x; |
1171 | 1221 |
1172 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); | 1222 OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); |
1173 OPENSSL_assert(ctx != NULL || ext != NULL); | 1223 OPENSSL_assert(ctx != NULL || ext != NULL); |
1174 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); | 1224 OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); |
1175 | 1225 |
1176 /* | 1226 /* |
1177 * Figure out where to start. If we don't have an extension to | 1227 * Figure out where to start. If we don't have an extension to |
1178 * check, we're done. Otherwise, check canonical form and | 1228 * check, we're done. Otherwise, check canonical form and |
1179 * set up for walking up the chain. | 1229 * set up for walking up the chain. |
1180 */ | 1230 */ |
1181 if (ext != NULL) { | 1231 if (ext != NULL) { |
1182 i = -1; | 1232 i = -1; |
| 1233 x = NULL; |
1183 } else { | 1234 } else { |
1184 i = 0; | 1235 i = 0; |
1185 x = sk_X509_value(chain, i); | 1236 x = sk_X509_value(chain, i); |
1186 OPENSSL_assert(x != NULL); | 1237 OPENSSL_assert(x != NULL); |
1187 if ((ext = x->rfc3779_addr) == NULL) | 1238 if ((ext = x->rfc3779_addr) == NULL) |
1188 goto done; | 1239 goto done; |
1189 } | 1240 } |
1190 if (!v3_addr_is_canonical(ext)) | 1241 if (!v3_addr_is_canonical(ext)) |
1191 validation_err(X509_V_ERR_INVALID_EXTENSION); | 1242 validation_err(X509_V_ERR_INVALID_EXTENSION); |
1192 (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); | 1243 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); |
1193 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { | 1244 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { |
1194 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); | 1245 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); |
1195 ret = 0; | 1246 ret = 0; |
1196 goto done; | 1247 goto done; |
1197 } | 1248 } |
1198 | 1249 |
1199 /* | 1250 /* |
1200 * Now walk up the chain. No cert may list resources that its | 1251 * Now walk up the chain. No cert may list resources that its |
1201 * parent doesn't list. | 1252 * parent doesn't list. |
1202 */ | 1253 */ |
1203 for (i++; i < sk_X509_num(chain); i++) { | 1254 for (i++; i < sk_X509_num(chain); i++) { |
1204 x = sk_X509_value(chain, i); | 1255 x = sk_X509_value(chain, i); |
1205 OPENSSL_assert(x != NULL); | 1256 OPENSSL_assert(x != NULL); |
1206 if (!v3_addr_is_canonical(x->rfc3779_addr)) | 1257 if (!v3_addr_is_canonical(x->rfc3779_addr)) |
1207 validation_err(X509_V_ERR_INVALID_EXTENSION); | 1258 validation_err(X509_V_ERR_INVALID_EXTENSION); |
1208 if (x->rfc3779_addr == NULL) { | 1259 if (x->rfc3779_addr == NULL) { |
1209 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { | 1260 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { |
1210 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); | 1261 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); |
1211 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { | 1262 if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { |
1212 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 1263 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
1213 break; | 1264 break; |
1214 } | 1265 } |
1215 } | 1266 } |
1216 continue; | 1267 continue; |
1217 } | 1268 } |
1218 (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); | 1269 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp)
; |
1219 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { | 1270 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { |
1220 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); | 1271 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); |
1221 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); | 1272 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); |
1222 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); | 1273 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); |
1223 if (fp == NULL) { | 1274 if (fp == NULL) { |
1224 if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { | 1275 if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { |
1225 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 1276 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
1226 break; | 1277 break; |
1227 } | 1278 } |
1228 continue; | 1279 continue; |
1229 } | 1280 } |
1230 if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { | 1281 if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { |
1231 if (fc->ipAddressChoice->type == IPAddressChoice_inherit || | 1282 if (fc->ipAddressChoice->type == IPAddressChoice_inherit || |
1232 addr_contains(fp->ipAddressChoice->u.addressesOrRanges, | 1283 addr_contains(fp->ipAddressChoice->u.addressesOrRanges, |
1233 fc->ipAddressChoice->u.addressesOrRanges, | 1284 fc->ipAddressChoice->u.addressesOrRanges, |
1234 length_from_afi(v3_addr_get_afi(fc)))) | 1285 length_from_afi(v3_addr_get_afi(fc)))) |
1235 sk_IPAddressFamily_set(child, j, fp); | 1286 sk_IPAddressFamily_set(child, j, fp); |
1236 else | 1287 else |
1237 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 1288 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
1238 } | 1289 } |
1239 } | 1290 } |
1240 } | 1291 } |
1241 | 1292 |
1242 /* | 1293 /* |
1243 * Trust anchor can't inherit. | 1294 * Trust anchor can't inherit. |
1244 */ | 1295 */ |
| 1296 OPENSSL_assert(x != NULL); |
1245 if (x->rfc3779_addr != NULL) { | 1297 if (x->rfc3779_addr != NULL) { |
1246 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { | 1298 for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { |
1247 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); | 1299 IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); |
1248 if (fp->ipAddressChoice->type == IPAddressChoice_inherit && | 1300 if (fp->ipAddressChoice->type == IPAddressChoice_inherit && |
1249 sk_IPAddressFamily_find(child, fp) >= 0) | 1301 sk_IPAddressFamily_find(child, fp) >= 0) |
1250 validation_err(X509_V_ERR_UNNESTED_RESOURCE); | 1302 validation_err(X509_V_ERR_UNNESTED_RESOURCE); |
1251 } | 1303 } |
1252 } | 1304 } |
1253 | 1305 |
1254 done: | 1306 done: |
(...skipping 22 matching lines...) Expand all Loading... |
1277 if (ext == NULL) | 1329 if (ext == NULL) |
1278 return 1; | 1330 return 1; |
1279 if (chain == NULL || sk_X509_num(chain) == 0) | 1331 if (chain == NULL || sk_X509_num(chain) == 0) |
1280 return 0; | 1332 return 0; |
1281 if (!allow_inheritance && v3_addr_inherits(ext)) | 1333 if (!allow_inheritance && v3_addr_inherits(ext)) |
1282 return 0; | 1334 return 0; |
1283 return v3_addr_validate_path_internal(NULL, chain, ext); | 1335 return v3_addr_validate_path_internal(NULL, chain, ext); |
1284 } | 1336 } |
1285 | 1337 |
1286 #endif /* OPENSSL_NO_RFC3779 */ | 1338 #endif /* OPENSSL_NO_RFC3779 */ |
OLD | NEW |