v3_asid.c@ 95218

Last change on this file since 95218 was 94320, checked in by vboxsync, 3 years ago
libs/openssl-3.0.1: Export to OSE and fix copyright headers in Makefiles, bugref:10128
File size: 26.0 KB

Line
1	/*
2	* Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/*
11	* Implementation of RFC 3779 section 3.2.
12	*/
13
14	#include <assert.h>
15	#include <stdio.h>
16	#include <string.h>
17	#include "internal/cryptlib.h"
18	#include <openssl/conf.h>
19	#include <openssl/asn1.h>
20	#include <openssl/asn1t.h>
21	#include <openssl/x509v3.h>
22	#include <openssl/x509.h>
23	#include "crypto/x509.h"
24	#include <openssl/bn.h>
25	#include "ext_dat.h"
26	#include "x509_local.h"
27
28	#ifndef OPENSSL_NO_RFC3779
29
30	/*
31	* OpenSSL ASN.1 template translation of RFC 3779 3.2.3.
32	*/
33
34	ASN1_SEQUENCE(ASRange) = {
35	ASN1_SIMPLE(ASRange, min, ASN1_INTEGER),
36	ASN1_SIMPLE(ASRange, max, ASN1_INTEGER)
37	} ASN1_SEQUENCE_END(ASRange)
38
39	ASN1_CHOICE(ASIdOrRange) = {
40	ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER),
41	ASN1_SIMPLE(ASIdOrRange, u.range, ASRange)
42	} ASN1_CHOICE_END(ASIdOrRange)
43
44	ASN1_CHOICE(ASIdentifierChoice) = {
45	ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL),
46	ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange)
47	} ASN1_CHOICE_END(ASIdentifierChoice)
48
49	ASN1_SEQUENCE(ASIdentifiers) = {
50	ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0),
51	ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1)
52	} ASN1_SEQUENCE_END(ASIdentifiers)
53
54	IMPLEMENT_ASN1_FUNCTIONS(ASRange)
55	IMPLEMENT_ASN1_FUNCTIONS(ASIdOrRange)
56	IMPLEMENT_ASN1_FUNCTIONS(ASIdentifierChoice)
57	IMPLEMENT_ASN1_FUNCTIONS(ASIdentifiers)
58
59	/*
60	* i2r method for an ASIdentifierChoice.
61	*/
62	static int i2r_ASIdentifierChoice(BIO *out,
63	ASIdentifierChoice *choice,
64	int indent, const char *msg)
65	{
66	int i;
67	char *s;
68	if (choice == NULL)
69	return 1;
70	BIO_printf(out, "%*s%s:\n", indent, "", msg);
71	switch (choice->type) {
72	case ASIdentifierChoice_inherit:
73	BIO_printf(out, "%*sinherit\n", indent + 2, "");
74	break;
75	case ASIdentifierChoice_asIdsOrRanges:
76	for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) {
77	ASIdOrRange *aor =
78	sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
79	switch (aor->type) {
80	case ASIdOrRange_id:
81	if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL)
82	return 0;
83	BIO_printf(out, "%*s%s\n", indent + 2, "", s);
84	OPENSSL_free(s);
85	break;
86	case ASIdOrRange_range:
87	if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL)
88	return 0;
89	BIO_printf(out, "%*s%s-", indent + 2, "", s);
90	OPENSSL_free(s);
91	if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL)
92	return 0;
93	BIO_printf(out, "%s\n", s);
94	OPENSSL_free(s);
95	break;
96	default:
97	return 0;
98	}
99	}
100	break;
101	default:
102	return 0;
103	}
104	return 1;
105	}
106
107	/*
108	* i2r method for an ASIdentifier extension.
109	*/
110	static int i2r_ASIdentifiers(const X509V3_EXT_METHOD *method,
111	void ext, BIO out, int indent)
112	{
113	ASIdentifiers *asid = ext;
114	return (i2r_ASIdentifierChoice(out, asid->asnum, indent,
115	"Autonomous System Numbers") &&
116	i2r_ASIdentifierChoice(out, asid->rdi, indent,
117	"Routing Domain Identifiers"));
118	}
119
120	/*
121	* Sort comparison function for a sequence of ASIdOrRange elements.
122	*/
123	static int ASIdOrRange_cmp(const ASIdOrRange const a_,
124	const ASIdOrRange const b_)
125	{
126	const ASIdOrRange a = a_, b = b_;
127
128	assert((a->type == ASIdOrRange_id && a->u.id != NULL) \|\|
129	(a->type == ASIdOrRange_range && a->u.range != NULL &&
130	a->u.range->min != NULL && a->u.range->max != NULL));
131
132	assert((b->type == ASIdOrRange_id && b->u.id != NULL) \|\|
133	(b->type == ASIdOrRange_range && b->u.range != NULL &&
134	b->u.range->min != NULL && b->u.range->max != NULL));
135
136	if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id)
137	return ASN1_INTEGER_cmp(a->u.id, b->u.id);
138
139	if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) {
140	int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min);
141	return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max,
142	b->u.range->max);
143	}
144
145	if (a->type == ASIdOrRange_id)
146	return ASN1_INTEGER_cmp(a->u.id, b->u.range->min);
147	else
148	return ASN1_INTEGER_cmp(a->u.range->min, b->u.id);
149	}
150
151	/*
152	* Add an inherit element.
153	*/
154	int X509v3_asid_add_inherit(ASIdentifiers *asid, int which)
155	{
156	ASIdentifierChoice **choice;
157	if (asid == NULL)
158	return 0;
159	switch (which) {
160	case V3_ASID_ASNUM:
161	choice = &asid->asnum;
162	break;
163	case V3_ASID_RDI:
164	choice = &asid->rdi;
165	break;
166	default:
167	return 0;
168	}
169	if (*choice == NULL) {
170	if ((*choice = ASIdentifierChoice_new()) == NULL)
171	return 0;
172	if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
173	return 0;
174	(*choice)->type = ASIdentifierChoice_inherit;
175	}
176	return (*choice)->type == ASIdentifierChoice_inherit;
177	}
178
179	/*
180	* Add an ID or range to an ASIdentifierChoice.
181	*/
182	int X509v3_asid_add_id_or_range(ASIdentifiers *asid,
183	int which, ASN1_INTEGER min, ASN1_INTEGER max)
184	{
185	ASIdentifierChoice **choice;
186	ASIdOrRange *aor;
187	if (asid == NULL)
188	return 0;
189	switch (which) {
190	case V3_ASID_ASNUM:
191	choice = &asid->asnum;
192	break;
193	case V3_ASID_RDI:
194	choice = &asid->rdi;
195	break;
196	default:
197	return 0;
198	}
199	if (choice != NULL && (choice)->type == ASIdentifierChoice_inherit)
200	return 0;
201	if (*choice == NULL) {
202	if ((*choice = ASIdentifierChoice_new()) == NULL)
203	return 0;
204	(*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
205	if ((*choice)->u.asIdsOrRanges == NULL)
206	return 0;
207	(*choice)->type = ASIdentifierChoice_asIdsOrRanges;
208	}
209	if ((aor = ASIdOrRange_new()) == NULL)
210	return 0;
211	if (max == NULL) {
212	aor->type = ASIdOrRange_id;
213	aor->u.id = min;
214	} else {
215	aor->type = ASIdOrRange_range;
216	if ((aor->u.range = ASRange_new()) == NULL)
217	goto err;
218	ASN1_INTEGER_free(aor->u.range->min);
219	aor->u.range->min = min;
220	ASN1_INTEGER_free(aor->u.range->max);
221	aor->u.range->max = max;
222	}
223	if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor)))
224	goto err;
225	return 1;
226
227	err:
228	ASIdOrRange_free(aor);
229	return 0;
230	}
231
232	/*
233	* Extract min and max values from an ASIdOrRange.
234	*/
235	static int extract_min_max(ASIdOrRange *aor,
236	ASN1_INTEGER min, ASN1_INTEGER max)
237	{
238	if (!ossl_assert(aor != NULL))
239	return 0;
240	switch (aor->type) {
241	case ASIdOrRange_id:
242	*min = aor->u.id;
243	*max = aor->u.id;
244	return 1;
245	case ASIdOrRange_range:
246	*min = aor->u.range->min;
247	*max = aor->u.range->max;
248	return 1;
249	}
250
251	return 0;
252	}
253
254	/*
255	* Check whether an ASIdentifierChoice is in canonical form.
256	*/
257	static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
258	{
259	ASN1_INTEGER *a_max_plus_one = NULL;
260	ASN1_INTEGER *orig;
261	BIGNUM *bn = NULL;
262	int i, ret = 0;
263
264	/*
265	* Empty element or inheritance is canonical.
266	*/
267	if (choice == NULL \|\| choice->type == ASIdentifierChoice_inherit)
268	return 1;
269
270	/*
271	* If not a list, or if empty list, it's broken.
272	*/
273	if (choice->type != ASIdentifierChoice_asIdsOrRanges \|\|
274	sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0)
275	return 0;
276
277	/*
278	* It's a list, check it.
279	*/
280	for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
281	ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
282	ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
283	ASN1_INTEGER a_min = NULL, a_max = NULL, b_min = NULL, b_max =
284	NULL;
285
286	if (!extract_min_max(a, &a_min, &a_max)
287	\|\| !extract_min_max(b, &b_min, &b_max))
288	goto done;
289
290	/*
291	* Punt misordered list, overlapping start, or inverted range.
292	*/
293	if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 \|\|
294	ASN1_INTEGER_cmp(a_min, a_max) > 0 \|\|
295	ASN1_INTEGER_cmp(b_min, b_max) > 0)
296	goto done;
297
298	/*
299	* Calculate a_max + 1 to check for adjacency.
300	*/
301	if ((bn == NULL && (bn = BN_new()) == NULL) \|\|
302	ASN1_INTEGER_to_BN(a_max, bn) == NULL \|\|
303	!BN_add_word(bn, 1)) {
304	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
305	goto done;
306	}
307
308	if ((a_max_plus_one =
309	BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
310	a_max_plus_one = orig;
311	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
312	goto done;
313	}
314
315	/*
316	* Punt if adjacent or overlapping.
317	*/
318	if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0)
319	goto done;
320	}
321
322	/*
323	* Check for inverted range.
324	*/
325	i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
326	{
327	ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
328	ASN1_INTEGER a_min, a_max;
329	if (a != NULL && a->type == ASIdOrRange_range) {
330	if (!extract_min_max(a, &a_min, &a_max)
331	\|\| ASN1_INTEGER_cmp(a_min, a_max) > 0)
332	goto done;
333	}
334	}
335
336	ret = 1;
337
338	done:
339	ASN1_INTEGER_free(a_max_plus_one);
340	BN_free(bn);
341	return ret;
342	}
343
344	/*
345	* Check whether an ASIdentifier extension is in canonical form.
346	*/
347	int X509v3_asid_is_canonical(ASIdentifiers *asid)
348	{
349	return (asid == NULL \|\|
350	(ASIdentifierChoice_is_canonical(asid->asnum) &&
351	ASIdentifierChoice_is_canonical(asid->rdi)));
352	}
353
354	/*
355	* Whack an ASIdentifierChoice into canonical form.
356	*/
357	static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
358	{
359	ASN1_INTEGER *a_max_plus_one = NULL;
360	ASN1_INTEGER *orig;
361	BIGNUM *bn = NULL;
362	int i, ret = 0;
363
364	/*
365	* Nothing to do for empty element or inheritance.
366	*/
367	if (choice == NULL \|\| choice->type == ASIdentifierChoice_inherit)
368	return 1;
369
370	/*
371	* If not a list, or if empty list, it's broken.
372	*/
373	if (choice->type != ASIdentifierChoice_asIdsOrRanges \|\|
374	sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
375	ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
376	return 0;
377	}
378
379	/*
380	* We have a non-empty list. Sort it.
381	*/
382	sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
383
384	/*
385	* Now check for errors and suboptimal encoding, rejecting the
386	* former and fixing the latter.
387	*/
388	for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) {
389	ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
390	ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1);
391	ASN1_INTEGER a_min = NULL, a_max = NULL, b_min = NULL, b_max =
392	NULL;
393
394	if (!extract_min_max(a, &a_min, &a_max)
395	\|\| !extract_min_max(b, &b_min, &b_max))
396	goto done;
397
398	/*
399	* Make sure we're properly sorted (paranoia).
400	*/
401	if (!ossl_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0))
402	goto done;
403
404	/*
405	* Punt inverted ranges.
406	*/
407	if (ASN1_INTEGER_cmp(a_min, a_max) > 0 \|\|
408	ASN1_INTEGER_cmp(b_min, b_max) > 0)
409	goto done;
410
411	/*
412	* Check for overlaps.
413	*/
414	if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) {
415	ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
416	goto done;
417	}
418
419	/*
420	* Calculate a_max + 1 to check for adjacency.
421	*/
422	if ((bn == NULL && (bn = BN_new()) == NULL) \|\|
423	ASN1_INTEGER_to_BN(a_max, bn) == NULL \|\|
424	!BN_add_word(bn, 1)) {
425	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
426	goto done;
427	}
428
429	if ((a_max_plus_one =
430	BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
431	a_max_plus_one = orig;
432	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
433	goto done;
434	}
435
436	/*
437	* If a and b are adjacent, merge them.
438	*/
439	if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) {
440	ASRange *r;
441	switch (a->type) {
442	case ASIdOrRange_id:
443	if ((r = OPENSSL_malloc(sizeof(*r))) == NULL) {
444	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
445	goto done;
446	}
447	r->min = a_min;
448	r->max = b_max;
449	a->type = ASIdOrRange_range;
450	a->u.range = r;
451	break;
452	case ASIdOrRange_range:
453	ASN1_INTEGER_free(a->u.range->max);
454	a->u.range->max = b_max;
455	break;
456	}
457	switch (b->type) {
458	case ASIdOrRange_id:
459	b->u.id = NULL;
460	break;
461	case ASIdOrRange_range:
462	b->u.range->max = NULL;
463	break;
464	}
465	ASIdOrRange_free(b);
466	(void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
467	i--;
468	continue;
469	}
470	}
471
472	/*
473	* Check for final inverted range.
474	*/
475	i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
476	{
477	ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
478	ASN1_INTEGER a_min, a_max;
479	if (a != NULL && a->type == ASIdOrRange_range) {
480	if (!extract_min_max(a, &a_min, &a_max)
481	\|\| ASN1_INTEGER_cmp(a_min, a_max) > 0)
482	goto done;
483	}
484	}
485
486	/* Paranoia */
487	if (!ossl_assert(ASIdentifierChoice_is_canonical(choice)))
488	goto done;
489
490	ret = 1;
491
492	done:
493	ASN1_INTEGER_free(a_max_plus_one);
494	BN_free(bn);
495	return ret;
496	}
497
498	/*
499	* Whack an ASIdentifier extension into canonical form.
500	*/
501	int X509v3_asid_canonize(ASIdentifiers *asid)
502	{
503	return (asid == NULL \|\|
504	(ASIdentifierChoice_canonize(asid->asnum) &&
505	ASIdentifierChoice_canonize(asid->rdi)));
506	}
507
508	/*
509	* v2i method for an ASIdentifier extension.
510	*/
511	static void v2i_ASIdentifiers(const struct v3_ext_method method,
512	struct v3_ext_ctx *ctx,
513	STACK_OF(CONF_VALUE) *values)
514	{
515	ASN1_INTEGER min = NULL, max = NULL;
516	ASIdentifiers *asid = NULL;
517	int i;
518
519	if ((asid = ASIdentifiers_new()) == NULL) {
520	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
521	return NULL;
522	}
523
524	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
525	CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
526	int i1 = 0, i2 = 0, i3 = 0, is_range = 0, which = 0;
527
528	/*
529	* Figure out whether this is an AS or an RDI.
530	*/
531	if (!ossl_v3_name_cmp(val->name, "AS")) {
532	which = V3_ASID_ASNUM;
533	} else if (!ossl_v3_name_cmp(val->name, "RDI")) {
534	which = V3_ASID_RDI;
535	} else {
536	ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_NAME_ERROR);
537	X509V3_conf_add_error_name_value(val);
538	goto err;
539	}
540
541	/*
542	* Handle inheritance.
543	*/
544	if (strcmp(val->value, "inherit") == 0) {
545	if (X509v3_asid_add_inherit(asid, which))
546	continue;
547	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_INHERITANCE);
548	X509V3_conf_add_error_name_value(val);
549	goto err;
550	}
551
552	/*
553	* Number, range, or mistake, pick it apart and figure out which.
554	*/
555	i1 = strspn(val->value, "0123456789");
556	if (val->value[i1] == '\0') {
557	is_range = 0;
558	} else {
559	is_range = 1;
560	i2 = i1 + strspn(val->value + i1, " \t");
561	if (val->value[i2] != '-') {
562	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_ASNUMBER);
563	X509V3_conf_add_error_name_value(val);
564	goto err;
565	}
566	i2++;
567	i2 = i2 + strspn(val->value + i2, " \t");
568	i3 = i2 + strspn(val->value + i2, "0123456789");
569	if (val->value[i3] != '\0') {
570	ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_ASRANGE);
571	X509V3_conf_add_error_name_value(val);
572	goto err;
573	}
574	}
575
576	/*
577	* Syntax is ok, read and add it.
578	*/
579	if (!is_range) {
580	if (!X509V3_get_value_int(val, &min)) {
581	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
582	goto err;
583	}
584	} else {
585	char *s = OPENSSL_strdup(val->value);
586	if (s == NULL) {
587	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
588	goto err;
589	}
590	s[i1] = '\0';
591	min = s2i_ASN1_INTEGER(NULL, s);
592	max = s2i_ASN1_INTEGER(NULL, s + i2);
593	OPENSSL_free(s);
594	if (min == NULL \|\| max == NULL) {
595	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
596	goto err;
597	}
598	if (ASN1_INTEGER_cmp(min, max) > 0) {
599	ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR);
600	goto err;
601	}
602	}
603	if (!X509v3_asid_add_id_or_range(asid, which, min, max)) {
604	ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
605	goto err;
606	}
607	min = max = NULL;
608	}
609
610	/*
611	* Canonize the result, then we're done.
612	*/
613	if (!X509v3_asid_canonize(asid))
614	goto err;
615	return asid;
616
617	err:
618	ASIdentifiers_free(asid);
619	ASN1_INTEGER_free(min);
620	ASN1_INTEGER_free(max);
621	return NULL;
622	}
623
624	/*
625	* OpenSSL dispatch.
626	*/
627	const X509V3_EXT_METHOD ossl_v3_asid = {
628	NID_sbgp_autonomousSysNum, /* nid */
629	0, /* flags */
630	ASN1_ITEM_ref(ASIdentifiers), /* template */
631	0, 0, 0, 0, /* old functions, ignored */
632	0, /* i2s */
633	0, /* s2i */
634	0, /* i2v */
635	v2i_ASIdentifiers, /* v2i */
636	i2r_ASIdentifiers, /* i2r */
637	0, /* r2i */
638	NULL /* extension-specific data */
639	};
640
641	/*
642	* Figure out whether extension uses inheritance.
643	*/
644	int X509v3_asid_inherits(ASIdentifiers *asid)
645	{
646	return (asid != NULL &&
647	((asid->asnum != NULL &&
648	asid->asnum->type == ASIdentifierChoice_inherit) \|\|
649	(asid->rdi != NULL &&
650	asid->rdi->type == ASIdentifierChoice_inherit)));
651	}
652
653	/*
654	* Figure out whether parent contains child.
655	*/
656	static int asid_contains(ASIdOrRanges parent, ASIdOrRanges child)
657	{
658	ASN1_INTEGER p_min = NULL, p_max = NULL, c_min = NULL, c_max = NULL;
659	int p, c;
660
661	if (child == NULL \|\| parent == child)
662	return 1;
663	if (parent == NULL)
664	return 0;
665
666	p = 0;
667	for (c = 0; c < sk_ASIdOrRange_num(child); c++) {
668	if (!extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max))
669	return 0;
670	for (;; p++) {
671	if (p >= sk_ASIdOrRange_num(parent))
672	return 0;
673	if (!extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min,
674	&p_max))
675	return 0;
676	if (ASN1_INTEGER_cmp(p_max, c_max) < 0)
677	continue;
678	if (ASN1_INTEGER_cmp(p_min, c_min) > 0)
679	return 0;
680	break;
681	}
682	}
683
684	return 1;
685	}
686
687	/*
688	* Test whether a is a subset of b.
689	*/
690	int X509v3_asid_subset(ASIdentifiers a, ASIdentifiers b)
691	{
692	return (a == NULL \|\|
693	a == b \|\|
694	(b != NULL &&
695	!X509v3_asid_inherits(a) &&
696	!X509v3_asid_inherits(b) &&
697	asid_contains(b->asnum->u.asIdsOrRanges,
698	a->asnum->u.asIdsOrRanges) &&
699	asid_contains(b->rdi->u.asIdsOrRanges,
700	a->rdi->u.asIdsOrRanges)));
701	}
702
703	/*
704	* Validation error handling via callback.
705	*/
706	#define validation_err(_err_) \
707	do { \
708	if (ctx != NULL) { \
709	ctx->error = _err_; \
710	ctx->error_depth = i; \
711	ctx->current_cert = x; \
712	ret = ctx->verify_cb(0, ctx); \
713	} else { \
714	ret = 0; \
715	} \
716	if (!ret) \
717	goto done; \
718	} while (0)
719
720	/*
721	* Core code for RFC 3779 3.3 path validation.
722	*/
723	static int asid_validate_path_internal(X509_STORE_CTX *ctx,
724	STACK_OF(X509) *chain,
725	ASIdentifiers *ext)
726	{
727	ASIdOrRanges child_as = NULL, child_rdi = NULL;
728	int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
729	X509 *x;
730
731	if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
732	\|\| !ossl_assert(ctx != NULL \|\| ext != NULL)
733	\|\| !ossl_assert(ctx == NULL \|\| ctx->verify_cb != NULL)) {
734	if (ctx != NULL)
735	ctx->error = X509_V_ERR_UNSPECIFIED;
736	return 0;
737	}
738
739
740	/*
741	* Figure out where to start. If we don't have an extension to
742	* check, we're done. Otherwise, check canonical form and
743	* set up for walking up the chain.
744	*/
745	if (ext != NULL) {
746	i = -1;
747	x = NULL;
748	} else {
749	i = 0;
750	x = sk_X509_value(chain, i);
751	if ((ext = x->rfc3779_asid) == NULL)
752	goto done;
753	}
754	if (!X509v3_asid_is_canonical(ext))
755	validation_err(X509_V_ERR_INVALID_EXTENSION);
756	if (ext->asnum != NULL) {
757	switch (ext->asnum->type) {
758	case ASIdentifierChoice_inherit:
759	inherit_as = 1;
760	break;
761	case ASIdentifierChoice_asIdsOrRanges:
762	child_as = ext->asnum->u.asIdsOrRanges;
763	break;
764	}
765	}
766	if (ext->rdi != NULL) {
767	switch (ext->rdi->type) {
768	case ASIdentifierChoice_inherit:
769	inherit_rdi = 1;
770	break;
771	case ASIdentifierChoice_asIdsOrRanges:
772	child_rdi = ext->rdi->u.asIdsOrRanges;
773	break;
774	}
775	}
776
777	/*
778	* Now walk up the chain. Extensions must be in canonical form, no
779	* cert may list resources that its parent doesn't list.
780	*/
781	for (i++; i < sk_X509_num(chain); i++) {
782	x = sk_X509_value(chain, i);
783	if (!ossl_assert(x != NULL)) {
784	if (ctx != NULL)
785	ctx->error = X509_V_ERR_UNSPECIFIED;
786	return 0;
787	}
788	if (x->rfc3779_asid == NULL) {
789	if (child_as != NULL \|\| child_rdi != NULL)
790	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
791	continue;
792	}
793	if (!X509v3_asid_is_canonical(x->rfc3779_asid))
794	validation_err(X509_V_ERR_INVALID_EXTENSION);
795	if (x->rfc3779_asid->asnum == NULL && child_as != NULL) {
796	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
797	child_as = NULL;
798	inherit_as = 0;
799	}
800	if (x->rfc3779_asid->asnum != NULL &&
801	x->rfc3779_asid->asnum->type ==
802	ASIdentifierChoice_asIdsOrRanges) {
803	if (inherit_as
804	\|\| asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges,
805	child_as)) {
806	child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges;
807	inherit_as = 0;
808	} else {
809	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
810	}
811	}
812	if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) {
813	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
814	child_rdi = NULL;
815	inherit_rdi = 0;
816	}
817	if (x->rfc3779_asid->rdi != NULL &&
818	x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) {
819	if (inherit_rdi \|\|
820	asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges,
821	child_rdi)) {
822	child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges;
823	inherit_rdi = 0;
824	} else {
825	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
826	}
827	}
828	}
829
830	/*
831	* Trust anchor can't inherit.
832	*/
833	if (!ossl_assert(x != NULL)) {
834	if (ctx != NULL)
835	ctx->error = X509_V_ERR_UNSPECIFIED;
836	return 0;
837	}
838	if (x->rfc3779_asid != NULL) {
839	if (x->rfc3779_asid->asnum != NULL &&
840	x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit)
841	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
842	if (x->rfc3779_asid->rdi != NULL &&
843	x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit)
844	validation_err(X509_V_ERR_UNNESTED_RESOURCE);
845	}
846
847	done:
848	return ret;
849	}
850
851	#undef validation_err
852
853	/*
854	* RFC 3779 3.3 path validation -- called from X509_verify_cert().
855	*/
856	int X509v3_asid_validate_path(X509_STORE_CTX *ctx)
857	{
858	if (ctx->chain == NULL
859	\|\| sk_X509_num(ctx->chain) == 0
860	\|\| ctx->verify_cb == NULL) {
861	ctx->error = X509_V_ERR_UNSPECIFIED;
862	return 0;
863	}
864	return asid_validate_path_internal(ctx, ctx->chain, NULL);
865	}
866
867	/*
868	* RFC 3779 3.3 path validation of an extension.
869	* Test whether chain covers extension.
870	*/
871	int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
872	ASIdentifiers *ext, int allow_inheritance)
873	{
874	if (ext == NULL)
875	return 1;
876	if (chain == NULL \|\| sk_X509_num(chain) == 0)
877	return 0;
878	if (!allow_inheritance && X509v3_asid_inherits(ext))
879	return 0;
880	return asid_validate_path_internal(NULL, chain, ext);
881	}
882
883	#endif /* OPENSSL_NO_RFC3779 */

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.0.3/crypto/x509/v3_asid.c@ 95218

Download in other formats: