OpenCoverage

v3_addr.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/x509v3/v3_addr.c
1/*-
2 * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.-
3 *-
4 * Licensed under the OpenSSL license (the "License"). You may not use-
5 * this file except in compliance with the License. You can obtain a copy-
6 * in the file LICENSE in the source distribution or at-
7 * https://www.openssl.org/source/license.html-
8 */-
9-
10/*-
11 * Implementation of RFC 3779 section 2.2.-
12 */-
13-
14#include <stdio.h>-
15#include <stdlib.h>-
16-
17#include "internal/cryptlib.h"-
18#include <openssl/conf.h>-
19#include <openssl/asn1.h>-
20#include <openssl/asn1t.h>-
21#include <openssl/buffer.h>-
22#include <openssl/x509v3.h>-
23#include "internal/x509_int.h"-
24#include "ext_dat.h"-
25-
26#ifndef OPENSSL_NO_RFC3779-
27-
/*
 * OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
 *
 * These templates only describe the wire shape. They place no bound on the
 * length of any BIT STRING or OCTET STRING, so every consumer of a decoded
 * value has to check lengths itself (addr_expand() and
 * X509v3_addr_get_afi() in this file do).
 */

/* IPAddressRange: SEQUENCE of two BIT STRINGs, min then max. */
ASN1_SEQUENCE(IPAddressRange) = {
  ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING),
  ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END(IPAddressRange)

/* IPAddressOrRange: CHOICE between a prefix BIT STRING and a range. */
ASN1_CHOICE(IPAddressOrRange) = {
  ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING),
  ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange)
} ASN1_CHOICE_END(IPAddressOrRange)

/* IPAddressChoice: CHOICE between NULL (inherit) and a list of entries. */
ASN1_CHOICE(IPAddressChoice) = {
  ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL),
  ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange)
} ASN1_CHOICE_END(IPAddressChoice)

/* IPAddressFamily: the AFI/SAFI octet string plus its IPAddressChoice. */
ASN1_SEQUENCE(IPAddressFamily) = {
  ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING),
  ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice)
} ASN1_SEQUENCE_END(IPAddressFamily)

/* IPAddrBlocks: the extension value itself, a SEQUENCE OF IPAddressFamily. */
ASN1_ITEM_TEMPLATE(IPAddrBlocks) =
  ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
                        IPAddrBlocks, IPAddressFamily)
static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks)

/*
 * Generated helpers for each type. The coverage expansion on this page shows
 * wrappers around ASN1_item_d2i(), ASN1_item_i2d() and ASN1_item_new().
 * Coverage (this report): none of the generated wrappers was executed.
 */
IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange)
IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange)
IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice)
IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily)
61-
/*
 * How much buffer space do we need for a raw address?
 *
 * 16 bytes matches the largest length length_from_afi() returns (IPv6).
 * Stack buffers of this size are handed to addr_expand(), which bounds its
 * writes by the caller-supplied length, not by this constant, so callers
 * must never pass a length above ADDR_RAW_BUF_LEN.
 */
#define ADDR_RAW_BUF_LEN 16
66-
/*
 * Map an address family identifier to the raw address length in bytes.
 *
 * Returns 4 for IANA_AFI_IPV4, 16 for IANA_AFI_IPV6 and 0 for any other
 * AFI. Callers must treat 0 as "unknown family".
 *
 * Coverage (this report): never executed.
 */
static int length_from_afi(const unsigned afi)
{
    if (afi == IANA_AFI_IPV4)
        return 4;
    if (afi == IANA_AFI_IPV6)
        return 16;
    return 0;
}
81-
/*
 * Extract the AFI from an IPAddressFamily.
 *
 * The AFI is the first two octets of addressFamily, read big-endian.
 * Returns 0 when f, its addressFamily or the data pointer is NULL, or when
 * fewer than two octets are present, so a truncated value is never read
 * out of bounds.
 *
 * Coverage (this report): the three NULL tests were never true in 360
 * calls; the short-length rejection was taken 10 times.
 */
unsigned int X509v3_addr_get_afi(const IPAddressFamily *f)
{
    const ASN1_OCTET_STRING *fam;

    if (f == NULL)
        return 0;

    fam = f->addressFamily;
    if (fam == NULL || fam->data == NULL || fam->length < 2)
        return 0;

    return (fam->data[0] << 8) | fam->data[1];
}
94-
/*
 * Expand the bitstring form of an address into a raw byte array.
 * At the moment this is coded for simplicity, not speed.
 *
 * addr    destination; the caller must provide at least `length` bytes.
 * bs      bit string to expand; the low three bits of bs->flags hold the
 *         number of unused bits in its last octet.
 * length  full address length in bytes for the family.
 * fill    0x00 or 0xFF: value for the unused bits of the last octet and
 *         for every byte past the end of the bit string.
 *
 * Returns 1 on success, 0 if bs->length is negative or exceeds `length`.
 * That check is the only bound on the memcpy() below. It compares against
 * `length`, not against the real size of `addr`.
 *
 * Coverage (this report): the over-length rejection fired 21 times in 458
 * calls; a negative bs->length was never seen.
 */
static int addr_expand(unsigned char *addr,
                       const ASN1_BIT_STRING *bs,
                       const int length, const unsigned char fill)
{
    const int have = bs->length;

    if (have < 0 || have > length)
        return 0;

    if (have > 0) {
        memcpy(addr, bs->data, have);
        if ((bs->flags & 7) != 0) {
            /* Mask covering the unused low bits of the final octet. */
            const unsigned char mask = 0xFF >> (8 - (bs->flags & 7));
            unsigned char *last = &addr[have - 1];

            if (fill == 0)
                *last &= ~mask;
            else
                *last |= mask;
        }
    }

    /* Pad the remainder of the address with the fill byte. */
    memset(addr + have, fill, length - have);
    return 1;
}
118-
/*
 * Extract the prefix length from a bitstring.
 *
 * The result is the octet count times eight, minus the unused-bit count
 * kept in the low three bits of flags. The macro evaluates `bs` twice and
 * does no range checking on bs->length, so pass a side-effect-free
 * expression whose length has already been checked.
 */
#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))
123-
/*
 * i2r handler for one address bitstring.
 *
 * Prints dotted-quad for IPv4 and colon-separated hex groups for IPv6,
 * with trailing all-zero groups replaced by "::". For any other AFI it
 * prints the raw octets as hex followed by "[unused-bits]".
 *
 * Returns 1 on success, 0 if bs->length is negative or the bit string is
 * longer than the address family allows (addr_expand() fails). The return
 * values of the BIO calls are not checked.
 *
 * Coverage (this report): 88 IPv4, 370 IPv6 and 221 unknown-AFI calls;
 * addr_expand() rejected 11 IPv4 and 10 IPv6 inputs.
 */
static int i2r_address(BIO *out,
                       const unsigned afi,
                       const unsigned char fill, const ASN1_BIT_STRING *bs)
{
    unsigned char raw[ADDR_RAW_BUF_LEN];
    int pos, used;

    if (bs->length < 0)
        return 0;

    if (afi == IANA_AFI_IPV4) {
        if (!addr_expand(raw, bs, 4, fill))
            return 0;
        BIO_printf(out, "%d.%d.%d.%d", raw[0], raw[1], raw[2], raw[3]);
    } else if (afi == IANA_AFI_IPV6) {
        if (!addr_expand(raw, bs, 16, fill))
            return 0;

        /* Find where the run of trailing all-zero 16-bit groups starts. */
        used = 16;
        while (used > 1 && raw[used - 1] == 0x00 && raw[used - 2] == 0x00)
            used -= 2;

        for (pos = 0; pos < used; pos += 2)
            BIO_printf(out, "%x%s", (raw[pos] << 8) | raw[pos + 1],
                       (pos < 14 ? ":" : ""));

        /* Groups were dropped: finish the "::" abbreviation. */
        if (pos < 16)
            BIO_puts(out, ":");
        /* Nothing was printed at all: the address is "::". */
        if (pos == 0)
            BIO_puts(out, ":");
    } else {
        for (pos = 0; pos < bs->length; pos++)
            BIO_printf(out, "%s%02x", (pos > 0 ? ":" : ""), bs->data[pos]);
        BIO_printf(out, "[%d]", (int)(bs->flags & 7));
    }

    return 1;
}
163-
/*
 * i2r handler for a sequence of addresses and ranges.
 *
 * Each entry goes on its own indented line: "address/prefixlen" for a
 * prefix, "min-max" for a range. For a range, min is expanded with 0x00
 * fill and max with 0xFF fill. An entry whose type is neither prefix nor
 * range produces only the indentation.
 *
 * Returns 1 on success, 0 as soon as one address fails to print. Output
 * already written to `out` is left in place.
 *
 * Coverage (this report): 464 prefixes and 110 ranges were printed; 21
 * calls returned 0 because an address was rejected.
 */
static int i2r_IPAddressOrRanges(BIO *out,
                                 const int indent,
                                 const IPAddressOrRanges *aors,
                                 const unsigned afi)
{
    int idx;

    for (idx = 0; idx < sk_IPAddressOrRange_num(aors); idx++) {
        const IPAddressOrRange *entry = sk_IPAddressOrRange_value(aors, idx);

        BIO_printf(out, "%*s", indent, "");

        if (entry->type == IPAddressOrRange_addressPrefix) {
            if (!i2r_address(out, afi, 0x00, entry->u.addressPrefix))
                return 0;
            BIO_printf(out, "/%d\n", addr_prefixlen(entry->u.addressPrefix));
        } else if (entry->type == IPAddressOrRange_addressRange) {
            if (!i2r_address(out, afi, 0x00, entry->u.addressRange->min))
                return 0;
            BIO_puts(out, "-");
            if (!i2r_address(out, afi, 0xFF, entry->u.addressRange->max))
                return 0;
            BIO_puts(out, "\n");
        }
    }

    return 1;
}
194-
/*
 * i2r handler for an IPAddrBlocks extension.
 *
 * For every address family it prints the AFI name (or "Unknown AFI n"),
 * the SAFI name when a third octet is present, and then either
 * ": inherit" or the list of prefixes and ranges.
 *
 * Returns 1 on success, 0 if any address in any family fails to print.
 * `method` is unused.
 *
 * NOTE(review): fam->addressFamily and fam->ipAddressChoice are
 * dereferenced here without the NULL checks that X509v3_addr_get_afi()
 * applies to the same object. Presumably the ASN.1 decoder always
 * populates both fields; confirm for objects built by other means.
 *
 * Coverage (this report): 360 families processed (35 IPv4, 205 IPv6, 120
 * unknown AFI); 21 calls returned 0.
 */
static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
                            void *ext, BIO *out, int indent)
{
    /* SAFI values with a printable name; anything else is "Unknown". */
    static const struct {
        unsigned char safi;
        const char *label;
    } safi_names[] = {
        { 1, " (Unicast)" },
        { 2, " (Multicast)" },
        { 3, " (Unicast/Multicast)" },
        { 4, " (MPLS)" },
        { 64, " (Tunnel)" },
        { 65, " (VPLS)" },
        { 66, " (BGP MDT)" },
        { 128, " (MPLS-labeled VPN)" }
    };
    const IPAddrBlocks *blocks = ext;
    int n;

    for (n = 0; n < sk_IPAddressFamily_num(blocks); n++) {
        IPAddressFamily *fam = sk_IPAddressFamily_value(blocks, n);
        const unsigned int afi = X509v3_addr_get_afi(fam);

        if (afi == IANA_AFI_IPV4)
            BIO_printf(out, "%*sIPv4", indent, "");
        else if (afi == IANA_AFI_IPV6)
            BIO_printf(out, "%*sIPv6", indent, "");
        else
            BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);

        /* A third octet, when present, carries the SAFI. */
        if (fam->addressFamily->length > 2) {
            const unsigned char safi = fam->addressFamily->data[2];
            const char *label = NULL;
            size_t k;

            for (k = 0; k < sizeof(safi_names) / sizeof(safi_names[0]); k++) {
                if (safi_names[k].safi == safi) {
                    label = safi_names[k].label;
                    break;
                }
            }
            if (label != NULL)
                BIO_puts(out, label);
            else
                BIO_printf(out, " (Unknown SAFI %u)", (unsigned)safi);
        }

        if (fam->ipAddressChoice->type == IPAddressChoice_inherit) {
            BIO_puts(out, ": inherit\n");
        } else if (fam->ipAddressChoice->type
                   == IPAddressChoice_addressesOrRanges) {
            BIO_puts(out, ":\n");
            if (!i2r_IPAddressOrRanges(out, indent + 2,
                                       fam->ipAddressChoice->
                                       u.addressesOrRanges, afi))
                return 0;
        }
    }

    return 1;
}
265-
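/*
 * Sort comparison function for a sequence of IPAddressOrRange
 * elements.
 *
 * Entries are ordered by their expanded (zero-filled) minimum address and
 * then by prefix length; a range counts as having a full-length prefix.
 *
 * There's no sane answer we can give if addr_expand() fails, and an
 * assertion failure on externally supplied data is seriously uncool,
 * so we just arbitrarily declare that if given invalid inputs this
 * function returns -1. If this messes up your preferred sort order
 * for garbage input, tough noogies.
 *
 * "Invalid" includes a length that does not fit the local address buffers
 * and an entry whose type is neither prefix nor range. Without those two
 * checks the expansion could write past a 16-byte stack buffer, and
 * memcmp() could read an address buffer that was never filled in.
 *
 * Coverage (this report): never executed.
 */
static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
                                const IPAddressOrRange *b, const int length)
{
    unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN];
    int prefixlen_a = 0, prefixlen_b = 0;
    int r;

    /* addr_expand() bounds its writes by `length`, not by the buffer. */
    if (length < 0 || length > ADDR_RAW_BUF_LEN)
        return -1;

    switch (a->type) {
    case IPAddressOrRange_addressPrefix:
        if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
            return -1;
        prefixlen_a = addr_prefixlen(a->u.addressPrefix);
        break;
    case IPAddressOrRange_addressRange:
        if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
            return -1;
        prefixlen_a = length * 8;
        break;
    default:
        /* Unknown CHOICE value: addr_a would stay uninitialized. */
        return -1;
    }

    switch (b->type) {
    case IPAddressOrRange_addressPrefix:
        if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
            return -1;
        prefixlen_b = addr_prefixlen(b->u.addressPrefix);
        break;
    case IPAddressOrRange_addressRange:
        if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
            return -1;
        prefixlen_b = length * 8;
        break;
    default:
        /* Unknown CHOICE value: addr_b would stay uninitialized. */
        return -1;
    }

    r = memcmp(addr_a, addr_b, length);
    if (r != 0)
        return r;
    return prefixlen_a - prefixlen_b;
}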
314-
/*
 * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
 * comparison routines are only allowed two arguments.
 *
 * Fixes the address length at 4 bytes.
 *
 * Coverage (this report): never executed.
 */
static int v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
                                  const IPAddressOrRange *const *b)
{
    const IPAddressOrRange *lhs = *a;
    const IPAddressOrRange *rhs = *b;

    return IPAddressOrRange_cmp(lhs, rhs, 4);
}
324-
/*
 * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
 * comparison routines are only allowed two arguments.
 *
 * Fixes the address length at 16 bytes.
 *
 * Coverage (this report): never executed.
 */
static int v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
                                  const IPAddressOrRange *const *b)
{
    const IPAddressOrRange *lhs = *a;
    const IPAddressOrRange *rhs = *b;

    return IPAddressOrRange_cmp(lhs, rhs, 16);
}
334-
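/*
 * Calculate whether a range collapses to a prefix.
 * See last paragraph of RFC 3779 2.2.3.7.
 *
 * min, max  raw addresses of `length` bytes each.
 *
 * Returns the prefix length in bits when [min, max] is exactly one prefix,
 * or -1 when it is not, including the case min > max.
 *
 * The ordering guard must reject only min > max. Written as "<= 0" it
 * returns -1 for every well-formed range, so make_addressRange() would
 * never emit the prefix form that the RFC paragraph cited above calls for.
 *
 * Coverage (this report): never executed, so the tests behind this report
 * do not exercise the direction of the guard.
 */
static int range_should_be_prefix(const unsigned char *min,
                                  const unsigned char *max, const int length)
{
    unsigned char mask;
    int i, j;

    if (memcmp(min, max, length) > 0)
        return -1;

    /* i: index of the first octet where min and max differ. */
    for (i = 0; i < length && min[i] == max[i]; i++)
        continue;
    /* j: index of the last octet that is not the 0x00/0xFF tail pair. */
    for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
        continue;

    /* More than one octet differs in a way that is not a full tail. */
    if (i < j)
        return -1;
    /* The split falls on an octet boundary. */
    if (i > j)
        return i * 8;

    /*
     * Exactly one octet is partly shared. The differing bits must form a
     * contiguous low-order run that is all zero in min and all one in max.
     */
    mask = min[i] ^ max[i];
    switch (mask) {
    case 0x01:
        j = 7;
        break;
    case 0x03:
        j = 6;
        break;
    case 0x07:
        j = 5;
        break;
    case 0x0F:
        j = 4;
        break;
    case 0x1F:
        j = 3;
        break;
    case 0x3F:
        j = 2;
        break;
    case 0x7F:
        j = 1;
        break;
    default:
        return -1;
    }
    if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
        return -1;
    return i * 8 + j;
}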
384-
/*
 * Construct a prefix.
 *
 * Builds a new IPAddressOrRange of type addressPrefix. It holds the first
 * ceil(prefixlen / 8) octets of `addr`, with the unused low bits of the
 * last octet cleared and their count stored in the BIT STRING flags.
 *
 * On success stores the new object in *result and returns 1. On allocation
 * failure returns 0 and frees the partial object. `prefixlen` is not range
 * checked here; the caller must pass a value that fits within `addr`.
 *
 * Coverage (this report): never executed.
 */
static int make_addressPrefix(IPAddressOrRange **result,
                              unsigned char *addr, const int prefixlen)
{
    const int nbytes = (prefixlen + 7) / 8;
    const int rem_bits = prefixlen % 8;
    IPAddressOrRange *entry = IPAddressOrRange_new();
    ASN1_BIT_STRING *bits;

    if (entry == NULL)
        return 0;

    entry->type = IPAddressOrRange_addressPrefix;
    if (entry->u.addressPrefix == NULL) {
        entry->u.addressPrefix = ASN1_BIT_STRING_new();
        if (entry->u.addressPrefix == NULL)
            goto err;
    }
    bits = entry->u.addressPrefix;

    if (!ASN1_BIT_STRING_set(bits, addr, nbytes))
        goto err;

    /* Reset the unused-bit count and mark it as explicitly set. */
    bits->flags = (bits->flags & ~7) | ASN1_STRING_FLAG_BITS_LEFT;
    if (rem_bits > 0) {
        bits->data[nbytes - 1] &= ~(0xFF >> rem_bits);
        bits->flags |= 8 - rem_bits;
    }

    *result = entry;
    return 1;

 err:
    IPAddressOrRange_free(entry);
    return 0;
}
416-
/*
 * Construct a range. If it can be expressed as a prefix,
 * return a prefix instead. Doing this here simplifies
 * the rest of the code considerably.
 *
 * min and max are raw addresses of `length` bytes. In the range form,
 * trailing 0x00 octets of min and trailing 0xFF octets of max are dropped,
 * and the unused-bit count of each BIT STRING is derived from its last
 * remaining octet.
 *
 * On success stores the new object in *result and returns 1. On allocation
 * failure returns 0 and frees the partial object.
 *
 * Coverage (this report): never executed.
 */
static int make_addressRange(IPAddressOrRange **result,
                             unsigned char *min,
                             unsigned char *max, const int length)
{
    IPAddressOrRange *entry;
    IPAddressRange *range;
    int nbytes, as_prefix;

    as_prefix = range_should_be_prefix(min, max, length);
    if (as_prefix >= 0)
        return make_addressPrefix(result, min, as_prefix);

    entry = IPAddressOrRange_new();
    if (entry == NULL)
        return 0;
    entry->type = IPAddressOrRange_addressRange;

    /* Attach the range to the entry first so the error path frees it. */
    entry->u.addressRange = range = IPAddressRange_new();
    if (range == NULL)
        goto err;
    if (range->min == NULL
        && (range->min = ASN1_BIT_STRING_new()) == NULL)
        goto err;
    if (range->max == NULL
        && (range->max = ASN1_BIT_STRING_new()) == NULL)
        goto err;

    /* Lower bound: trailing zero octets are implied and not stored. */
    nbytes = length;
    while (nbytes > 0 && min[nbytes - 1] == 0x00)
        --nbytes;
    if (!ASN1_BIT_STRING_set(range->min, min, nbytes))
        goto err;
    range->min->flags &= ~7;
    range->min->flags |= ASN1_STRING_FLAG_BITS_LEFT;
    if (nbytes > 0) {
        const unsigned char last = min[nbytes - 1];
        int bit = 1;

        /* Count the leading bits up to and including the last set bit. */
        while ((last & (0xFFU >> bit)) != 0)
            ++bit;
        range->min->flags |= 8 - bit;
    }

    /* Upper bound: trailing 0xFF octets are implied and not stored. */
    nbytes = length;
    while (nbytes > 0 && max[nbytes - 1] == 0xFF)
        --nbytes;
    if (!ASN1_BIT_STRING_set(range->max, max, nbytes))
        goto err;
    range->max->flags &= ~7;
    range->max->flags |= ASN1_STRING_FLAG_BITS_LEFT;
    if (nbytes > 0) {
        const unsigned char last = max[nbytes - 1];
        int bit = 1;

        /* Count the leading bits up to and including the last clear bit. */
        while ((last & (0xFFU >> bit)) != (0xFFU >> bit))
            ++bit;
        range->max->flags |= 8 - bit;
    }

    *result = entry;
    return 1;

 err:
    IPAddressOrRange_free(entry);
    return 0;
}
477-
/*
 * Construct a new address family or find an existing one.
 *
 * The lookup key is the two-octet big-endian AFI, followed by the low
 * octet of *safi when safi is non-NULL. An existing family whose
 * addressFamily matches the key exactly is returned. Otherwise a new
 * family is allocated, given that key and pushed onto `addr`.
 *
 * Returns the family, or NULL on allocation failure. The returned object
 * is owned by `addr`.
 *
 * Coverage (this report): never executed.
 */
static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr,
                                             const unsigned afi,
                                             const unsigned *safi)
{
    IPAddressFamily *fam;
    unsigned char key[3];
    int keylen = 2;
    int n;

    key[0] = (afi >> 8) & 0xFF;
    key[1] = afi & 0xFF;
    if (safi != NULL) {
        key[2] = *safi & 0xFF;
        keylen = 3;
    }

    /* Reuse an existing family with the same AFI/SAFI key. */
    for (n = 0; n < sk_IPAddressFamily_num(addr); n++) {
        fam = sk_IPAddressFamily_value(addr, n);
        if (fam->addressFamily->length != keylen)
            continue;
        if (memcmp(fam->addressFamily->data, key, keylen) == 0)
            return fam;
    }

    fam = IPAddressFamily_new();
    if (fam == NULL)
        goto err;
    if (fam->ipAddressChoice == NULL) {
        fam->ipAddressChoice = IPAddressChoice_new();
        if (fam->ipAddressChoice == NULL)
            goto err;
    }
    if (fam->addressFamily == NULL) {
        fam->addressFamily = ASN1_OCTET_STRING_new();
        if (fam->addressFamily == NULL)
            goto err;
    }
    if (!ASN1_OCTET_STRING_set(fam->addressFamily, key, keylen))
        goto err;
    if (!sk_IPAddressFamily_push(addr, fam))
        goto err;

    return fam;

 err:
    IPAddressFamily_free(fam);
    return NULL;
}
525-
/*
 * Add an inheritance element.
 *
 * Marks the family selected by afi/safi as "inherit", creating the family
 * if needed.
 *
 * Returns 1 on success, including when the family is already marked
 * inherit. Returns 0 on allocation failure or when the family already
 * carries an explicit address list, so an existing list is never silently
 * replaced by inheritance.
 *
 * Coverage (this report): never executed.
 */
int X509v3_addr_add_inherit(IPAddrBlocks *addr,
                            const unsigned afi, const unsigned *safi)
{
    IPAddressFamily *fam = make_IPAddressFamily(addr, afi, safi);
    IPAddressChoice *choice;

    if (fam == NULL || fam->ipAddressChoice == NULL)
        return 0;
    choice = fam->ipAddressChoice;

    /* Refuse to override explicit addresses with inheritance. */
    if (choice->type == IPAddressChoice_addressesOrRanges
        && choice->u.addressesOrRanges != NULL)
        return 0;

    /* Already inheriting: nothing to do. */
    if (choice->type == IPAddressChoice_inherit && choice->u.inherit != NULL)
        return 1;

    if (choice->u.inherit == NULL) {
        choice->u.inherit = ASN1_NULL_new();
        if (choice->u.inherit == NULL)
            return 0;
    }
    choice->type = IPAddressChoice_inherit;
    return 1;
}
547-
/*
 * Construct an IPAddressOrRange sequence, or return an existing one.
 *
 * Returns NULL when the family entry cannot be obtained, when it is already
 * an "inherit" element, or when allocating a new stack fails.  A newly
 * created stack gets the IPv4 or IPv6 comparison function according to afi;
 * for any other afi value no comparison function is installed here.
 */
static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
                                               const unsigned afi,
                                               const unsigned *safi)
{
    IPAddressFamily *family = make_IPAddressFamily(addr, afi, safi);
    IPAddressChoice *choice;
    IPAddressOrRanges *list;

    if (family == NULL)
        return NULL;
    choice = family->ipAddressChoice;
    if (choice == NULL)
        return NULL;

    /* An inherit element cannot also hold explicit addresses. */
    if (choice->type == IPAddressChoice_inherit && choice->u.inherit != NULL)
        return NULL;

    /* Reuse the list if the family already has one. */
    if (choice->type == IPAddressChoice_addressesOrRanges
        && choice->u.addressesOrRanges != NULL)
        return choice->u.addressesOrRanges;

    list = sk_IPAddressOrRange_new_null();
    if (list == NULL)
        return NULL;

    if (afi == IANA_AFI_IPV4)
        (void)sk_IPAddressOrRange_set_cmp_func(list, v4IPAddressOrRange_cmp);
    else if (afi == IANA_AFI_IPV6)
        (void)sk_IPAddressOrRange_set_cmp_func(list, v6IPAddressOrRange_cmp);

    choice->type = IPAddressChoice_addressesOrRanges;
    choice->u.addressesOrRanges = list;
    return list;
}
581-
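/*
 * Add a prefix.
 *
 * a points to the raw address bytes and prefixlen is the prefix length in
 * bits.  Returns 1 on success, 0 on failure.
 *
 * prefixlen is bounded here against the address size for afi before it is
 * handed to make_addressPrefix().  That helper is defined outside this view;
 * it presumably derives a byte count from prefixlen and copies that many
 * bytes from a, so an unchecked value could read past the caller's buffer -
 * TODO confirm against make_addressPrefix().  length_from_afi() is assumed
 * to return the address size in bytes, and 0 for an unrecognised AFI (which
 * is how X509v3_addr_get_range() treats it); with an unrecognised AFI only
 * prefixlen == 0 is accepted.
 *
 * The check runs before make_prefix_or_range() so that a rejected request
 * does not create a family entry in addr as a side effect.
 */
int X509v3_addr_add_prefix(IPAddrBlocks *addr,
                           const unsigned afi,
                           const unsigned *safi,
                           unsigned char *a, const int prefixlen)
{
    IPAddressOrRanges *aors;
    IPAddressOrRange *aor;
    int max_bits = length_from_afi(afi) * 8;

    if (prefixlen < 0 || prefixlen > max_bits)
        return 0;

    aors = make_prefix_or_range(addr, afi, safi);
    if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen))
        return 0;
    if (sk_IPAddressOrRange_push(aors, aor))
        return 1;

    /* The stack did not take ownership, so release the new element. */
    IPAddressOrRange_free(aor);
    return 0;
}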
599-
/*
 * Add a range.
 *
 * min and max are the raw lower and upper addresses; the number of bytes
 * used from each is whatever length_from_afi(afi) reports.  Returns 1 on
 * success and 0 on failure.
 */
int X509v3_addr_add_range(IPAddrBlocks *addr,
                          const unsigned afi,
                          const unsigned *safi,
                          unsigned char *min, unsigned char *max)
{
    IPAddressOrRanges *list = make_prefix_or_range(addr, afi, safi);
    IPAddressOrRange *entry;
    int addr_len = length_from_afi(afi);

    if (list == NULL || !make_addressRange(&entry, min, max, addr_len))
        return 0;

    if (!sk_IPAddressOrRange_push(list, entry)) {
        /* The stack did not take ownership, so release the new element. */
        IPAddressOrRange_free(entry);
        return 0;
    }
    return 1;
}
620-
/*
 * Extract min and max values from an IPAddressOrRange.
 *
 * A prefix is expanded twice from the same bit string, once with fill 0x00
 * into min and once with fill 0xFF into max.  A range expands its own min
 * and max bit strings the same way.  Returns 1 on success, 0 for a NULL
 * argument, an unknown element type, or a failed addr_expand().
 *
 * NOTE(review): min and max presumably need room for `length` bytes;
 * addr_expand() is outside this view - confirm.
 */
static int extract_min_max(IPAddressOrRange *aor,
                           unsigned char *min, unsigned char *max, int length)
{
    ASN1_BIT_STRING *lo, *hi;

    if (aor == NULL || min == NULL || max == NULL)
        return 0;

    if (aor->type == IPAddressOrRange_addressPrefix) {
        lo = hi = aor->u.addressPrefix;
    } else if (aor->type == IPAddressOrRange_addressRange) {
        lo = aor->u.addressRange->min;
        hi = aor->u.addressRange->max;
    } else {
        return 0;
    }

    if (!addr_expand(min, lo, length, 0x00))
        return 0;
    return addr_expand(max, hi, length, 0xFF) != 0;
}
639-
/*
 * Public wrapper for extract_min_max().
 *
 * length is the size the caller states for the min and max buffers.  The
 * call is refused (returns 0) when any pointer is NULL, when afi has no
 * known address length, when length is smaller than that address length,
 * when the element is neither a prefix nor a range, or when extraction
 * fails.  On success the address length for afi is returned.
 */
int X509v3_addr_get_range(IPAddressOrRange *aor,
                          const unsigned afi,
                          unsigned char *min,
                          unsigned char *max, const int length)
{
    int afi_length = length_from_afi(afi);

    if (aor == NULL || min == NULL || max == NULL)
        return 0;

    /* Unknown AFI, or caller buffers too small for this address family. */
    if (afi_length == 0 || length < afi_length)
        return 0;

    switch (aor->type) {
    case IPAddressOrRange_addressPrefix:
    case IPAddressOrRange_addressRange:
        break;
    default:
        return 0;
    }

    if (!extract_min_max(aor, min, max, afi_length))
        return 0;

    return afi_length;
}
658-
/*
 * Sort comparison function for a sequence of IPAddressFamily.
 *
 * The addressFamily octet strings are compared bytewise over their common
 * length; if that part is equal, the shorter string sorts first.
 *
 * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about the
 * ordering: it can be read as meaning that IPv6 without a SAFI comes before
 * IPv4 with a SAFI, which seems pretty weird.  The examples in appendix B
 * suggest that the author intended the null-SAFI rule to apply only within
 * a single AFI, which is what one would expect and is what this code
 * implements.
 */
static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
                               const IPAddressFamily *const *b_)
{
    const ASN1_OCTET_STRING *lhs = (*a_)->addressFamily;
    const ASN1_OCTET_STRING *rhs = (*b_)->addressFamily;
    int common = lhs->length;
    int order;

    if (rhs->length < common)
        common = rhs->length;

    order = memcmp(lhs->data, rhs->data, common);
    if (order != 0)
        return order;
    return lhs->length - rhs->length;
}
678-
/*
 * Check whether an IPAddrBlocks is in canonical form.
 *
 * Returns 1 if it is, 0 otherwise.  A NULL addr is treated as an empty
 * extension and is canonical.
 *
 * NOTE(review): the scratch buffers are ADDR_RAW_BUF_LEN bytes while the
 * compared length comes from length_from_afi(); presumably that never
 * exceeds the buffer size - confirm against length_from_afi().
 */
int X509v3_addr_is_canonical(IPAddrBlocks *addr)
{
    unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
    unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
    IPAddressOrRanges *aors;
    int i, j, k;

    /* Empty extension is canonical. */
    if (addr == NULL)
        return 1;

    /* The top-level list must be strictly ascending. */
    for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
        const IPAddressFamily *cur = sk_IPAddressFamily_value(addr, i);
        const IPAddressFamily *next = sk_IPAddressFamily_value(addr, i + 1);

        if (IPAddressFamily_cmp(&cur, &next) >= 0)
            return 0;
    }

    /* Top level is fine, now look inside each address family. */
    for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
        IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
        int length = length_from_afi(X509v3_addr_get_afi(f));
        IPAddressOrRange *last;

        if (f == NULL || f->ipAddressChoice == NULL)
            return 0;

        /*
         * Inheritance is canonical.  Anything other than inheritance or a
         * SEQUENCE OF IPAddressOrRange is rejected.
         */
        if (f->ipAddressChoice->type == IPAddressChoice_inherit)
            continue;
        if (f->ipAddressChoice->type != IPAddressChoice_addressesOrRanges)
            return 0;

        /* An explicit list must not be empty. */
        aors = f->ipAddressChoice->u.addressesOrRanges;
        if (sk_IPAddressOrRange_num(aors) == 0)
            return 0;

        for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) {
            IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
            IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);

            if (!extract_min_max(a, a_min, a_max, length)
                || !extract_min_max(b, b_min, b_max, length))
                return 0;

            /* Punt misordered list, overlapping start, or inverted range. */
            if (memcmp(a_min, b_min, length) >= 0
                || memcmp(a_min, a_max, length) > 0
                || memcmp(b_min, b_max, length) > 0)
                return 0;

            /*
             * Punt if adjacent or overlapping.  Adjacency is detected by
             * subtracting one from b_min first: the loop decrements bytes
             * from the least significant end and stops at the first byte
             * that was non-zero before the decrement.
             */
            for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
                continue;
            if (memcmp(a_max, b_min, length) >= 0)
                return 0;

            /* A range that could be written as a prefix is not canonical. */
            if (a->type == IPAddressOrRange_addressRange
                && range_should_be_prefix(a_min, a_max, length) >= 0)
                return 0;
        }

        /*
         * The pairwise loop never examines the final element as "a", so
         * check it here for an inverted range or a range that should be a
         * prefix.
         */
        last = sk_IPAddressOrRange_value(aors,
                                         sk_IPAddressOrRange_num(aors) - 1);
        if (last == NULL || last->type != IPAddressOrRange_addressRange)
            continue;
        if (!extract_min_max(last, a_min, a_max, length))
            return 0;
        if (memcmp(a_min, a_max, length) > 0
            || range_should_be_prefix(a_min, a_max, length) >= 0)
            return 0;
    }

    /* If we made it through all that, we're happy. */
    return 1;
}
787-
/*
 * Whack an IPAddressOrRanges into canonical form.
 *
 * Sorts the list, merges neighbours that are exactly adjacent, and gives up
 * (returns 0) on inverted ranges, overlaps, or any extraction or allocation
 * failure.  Returns 1 on success.
 */
static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
                                      const unsigned afi)
{
    int i, j, length = length_from_afi(afi);
    IPAddressOrRange *last;

    /* Sort the IPAddressOrRanges sequence. */
    sk_IPAddressOrRange_sort(aors);

    /* Clean up representation issues, punt on duplicates or overlaps. */
    for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) {
        IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i);
        IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1);
        unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
        unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
        IPAddressOrRange *merged;

        if (!extract_min_max(a, a_min, a_max, length)
            || !extract_min_max(b, b_min, b_max, length))
            return 0;

        /* Punt inverted ranges. */
        if (memcmp(a_min, a_max, length) > 0
            || memcmp(b_min, b_max, length) > 0)
            return 0;

        /* Punt overlaps. */
        if (memcmp(a_max, b_min, length) >= 0)
            return 0;

        /*
         * a and b are adjacent when a_max equals b_min - 1, so subtract one
         * from b_min in place before comparing.
         */
        for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
            continue;
        if (memcmp(a_max, b_min, length) != 0)
            continue;

        /* Adjacent: replace the pair with one range covering both. */
        if (!make_addressRange(&merged, a_min, b_max, length))
            return 0;
        (void)sk_IPAddressOrRange_set(aors, i, merged);
        (void)sk_IPAddressOrRange_delete(aors, i + 1);
        IPAddressOrRange_free(a);
        IPAddressOrRange_free(b);

        /* Step back so the merged element is compared with its new neighbour. */
        --i;
    }

    /* Check for inverted final range. */
    last = sk_IPAddressOrRange_value(aors, sk_IPAddressOrRange_num(aors) - 1);
    if (last != NULL && last->type == IPAddressOrRange_addressRange) {
        unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];

        if (!extract_min_max(last, a_min, a_max, length))
            return 0;
        if (memcmp(a_min, a_max, length) > 0)
            return 0;
    }

    return 1;
}
862-
/*
 * Whack an IPAddrBlocks extension into canonical form.
 *
 * Each family holding an explicit addressesOrRanges list is canonized, then
 * the families themselves are sorted with IPAddressFamily_cmp.  The result
 * is re-checked with X509v3_addr_is_canonical() and the call returns 0 if
 * that check does not pass.  Returns 1 on success.
 *
 * NOTE(review): f->ipAddressChoice is dereferenced without a NULL check
 * here, unlike in X509v3_addr_is_canonical(); presumably every element of
 * addr has it set - confirm against callers.
 */
int X509v3_addr_canonize(IPAddrBlocks *addr)
{
    int idx;

    for (idx = 0; idx < sk_IPAddressFamily_num(addr); idx++) {
        IPAddressFamily *family = sk_IPAddressFamily_value(addr, idx);
        IPAddressChoice *choice = family->ipAddressChoice;

        if (choice->type != IPAddressChoice_addressesOrRanges)
            continue;
        if (!IPAddressOrRanges_canonize(choice->u.addressesOrRanges,
                                        X509v3_addr_get_afi(family)))
            return 0;
    }

    (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
    sk_IPAddressFamily_sort(addr);

    return ossl_assert(X509v3_addr_is_canonical(addr)) ? 1 : 0;
}
883-
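/*
 * v2i handler for the IPAddrBlocks extension.
 *
 * Each CONF_VALUE name must match "IPv4", "IPv6", "IPv4-SAFI" or
 * "IPv6-SAFI".  For the -SAFI forms the value starts with a SAFI number
 * (at most 0xFF) followed by ':'.  The rest of the value is one of
 *   "inherit", "<addr>", "<addr>/<prefixlen>", or "<addr>-<addr>".
 *
 * Returns a newly built, canonized IPAddrBlocks, or NULL on error with an
 * X509V3 error queued.
 *
 * Input validation done here on the configuration text:
 *  - the SAFI is range-checked as an unsigned long before it is narrowed to
 *    unsigned, so a value wider than unsigned cannot wrap into 0..0xFF;
 *  - a prefix length greater than the number of bits in the address is
 *    rejected before it reaches X509v3_addr_add_prefix(), which is given
 *    the fixed-size min buffer declared below.
 */
static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
                              struct v3_ext_ctx *ctx,
                              STACK_OF(CONF_VALUE) *values)
{
    static const char v4addr_chars[] = "0123456789.";
    static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
    IPAddrBlocks *addr = NULL;
    char *s = NULL, *t;
    int i;

    if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) {
        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
        return NULL;
    }

    for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
        CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
        unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN];
        unsigned afi, *safi = NULL, safi_;
        unsigned long safi_ul, prefix_ul;
        const char *addr_chars = NULL;
        int prefixlen, i1, i2, delim, length;

        if (!name_cmp(val->name, "IPv4")) {
            afi = IANA_AFI_IPV4;
        } else if (!name_cmp(val->name, "IPv6")) {
            afi = IANA_AFI_IPV6;
        } else if (!name_cmp(val->name, "IPv4-SAFI")) {
            afi = IANA_AFI_IPV4;
            safi = &safi_;
        } else if (!name_cmp(val->name, "IPv6-SAFI")) {
            afi = IANA_AFI_IPV6;
            safi = &safi_;
        } else {
            X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                      X509V3_R_EXTENSION_NAME_ERROR);
            X509V3_conf_err(val);
            goto err;
        }

        /* Characters allowed in an address literal of this family. */
        switch (afi) {
        case IANA_AFI_IPV4:
            addr_chars = v4addr_chars;
            break;
        case IANA_AFI_IPV6:
            addr_chars = v6addr_chars;
            break;
        }

        length = length_from_afi(afi);

        /*
         * Handle SAFI, if any, and OPENSSL_strdup() so we can null-terminate
         * the other input values.
         */
        if (safi != NULL) {
            safi_ul = strtoul(val->value, &t, 0);
            t += strspn(t, " \t");
            /* Range-check the full unsigned long before narrowing it. */
            if (safi_ul > 0xFF || *t++ != ':') {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI);
                X509V3_conf_err(val);
                goto err;
            }
            *safi = (unsigned)safi_ul;
            t += strspn(t, " \t");
            s = OPENSSL_strdup(t);
        } else {
            s = OPENSSL_strdup(val->value);
        }
        if (s == NULL) {
            X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
            goto err;
        }

        /*
         * Check for inheritance.  Not worth additional complexity to
         * optimize this (seldom-used) case.
         */
        if (strcmp(s, "inherit") == 0) {
            if (!X509v3_addr_add_inherit(addr, afi, safi)) {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                          X509V3_R_INVALID_INHERITANCE);
                X509V3_conf_err(val);
                goto err;
            }
            OPENSSL_free(s);
            s = NULL;
            continue;
        }

        /*
         * Split off the first address: i1 is the end of the address
         * characters, i2 skips blanks after it, and delim is the character
         * that follows ('/', '-' or end of string).
         */
        i1 = strspn(s, addr_chars);
        i2 = i1 + strspn(s + i1, " \t");
        delim = s[i2++];
        s[i1] = '\0';

        if (a2i_ipadd(min, s) != length) {
            X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS);
            X509V3_conf_err(val);
            goto err;
        }

        switch (delim) {
        case '/':
            prefix_ul = strtoul(s + i2, &t, 10);
            /*
             * Require at least one digit, no trailing text, and a prefix
             * no longer than the address itself.
             */
            if (t == s + i2 || *t != '\0'
                || prefix_ul > (unsigned long)length * 8) {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                          X509V3_R_EXTENSION_VALUE_ERROR);
                X509V3_conf_err(val);
                goto err;
            }
            prefixlen = (int)prefix_ul;
            if (!X509v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
                goto err;
            }
            break;
        case '-':
            i1 = i2 + strspn(s + i2, " \t");
            i2 = i1 + strspn(s + i1, addr_chars);
            if (i1 == i2 || s[i2] != '\0') {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                          X509V3_R_EXTENSION_VALUE_ERROR);
                X509V3_conf_err(val);
                goto err;
            }
            if (a2i_ipadd(max, s + i1) != length) {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                          X509V3_R_INVALID_IPADDRESS);
                X509V3_conf_err(val);
                goto err;
            }
            /* Reject an inverted range up front. */
            if (memcmp(min, max, length_from_afi(afi)) > 0) {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                          X509V3_R_EXTENSION_VALUE_ERROR);
                X509V3_conf_err(val);
                goto err;
            }
            if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
                goto err;
            }
            break;
        case '\0':
            /* A bare address is stored as a full-length prefix. */
            if (!X509v3_addr_add_prefix(addr, afi, safi, min, length * 8)) {
                X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
                goto err;
            }
            break;
        default:
            X509V3err(X509V3_F_V2I_IPADDRBLOCKS,
                      X509V3_R_EXTENSION_VALUE_ERROR);
            X509V3_conf_err(val);
            goto err;
        }

        OPENSSL_free(s);
        s = NULL;
    }

    /* Canonize the result, then we're done. */
    if (!X509v3_addr_canonize(addr))
        goto err;
    return addr;

 err:
    OPENSSL_free(s);
    sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
    return NULL;
}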
1055-
/*
 * OpenSSL dispatch entry for the IP address blocks extension
 * (NID_sbgp_ipAddrBlock).  Only the v2i and i2r handlers are provided;
 * every other conversion slot is left as 0.
 */
const X509V3_EXT_METHOD v3_addr = {
    NID_sbgp_ipAddrBlock,       /* nid */
    0,                          /* flags */
    ASN1_ITEM_ref(IPAddrBlocks), /* template */
    0, 0, 0, 0,                 /* old functions, ignored */
    0,                          /* i2s */
    0,                          /* s2i */
    0,                          /* i2v */
    v2i_IPAddrBlocks,           /* v2i */
    i2r_IPAddrBlocks,           /* i2r */
    0,                          /* r2i */
    NULL                        /* extension-specific data */
};
1072-
/*
 * Figure out whether the extension uses inheritance.
 *
 * Returns 1 if any address family in addr is an "inherit" element, and 0
 * otherwise (including when addr is NULL).
 */
int X509v3_addr_inherits(IPAddrBlocks *addr)
{
    int idx, count;

    if (addr == NULL)
        return 0;

    count = sk_IPAddressFamily_num(addr);
    for (idx = 0; idx < count; idx++) {
        IPAddressFamily *family = sk_IPAddressFamily_value(addr, idx);

        if (family->ipAddressChoice->type == IPAddressChoice_inherit)
            return 1;
    }
    return 0;
}
1088-
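/*
 * Figure out whether parent contains child.
 *
 * Returns 1 if every element of child falls inside some element of parent,
 * 0 otherwise.  A NULL child, or child == parent, is trivially contained;
 * a NULL parent contains nothing.
 *
 * A child element that cannot be expanded makes the result 0.  This path
 * used to return -1, but X509v3_addr_subset() tests the result with '!',
 * so a negative value was read as "contained" and the check failed open.
 * Any caller outside this view should be confirmed to expect only 0 or 1.
 *
 * The walk uses a single forward cursor p over parent, so both lists are
 * presumably expected to be sorted already - confirm against callers.
 */
static int addr_contains(IPAddressOrRanges *parent,
                         IPAddressOrRanges *child, int length)
{
    unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN];
    unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN];
    int p, c;

    if (child == NULL || parent == child)
        return 1;
    if (parent == NULL)
        return 0;

    p = 0;
    for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
        /* Fail closed: an unreadable child element is not contained. */
        if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
                             c_min, c_max, length))
            return 0;
        for (;; p++) {
            /* Ran out of parent elements without covering this child. */
            if (p >= sk_IPAddressOrRange_num(parent))
                return 0;
            if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
                                 p_min, p_max, length))
                return 0;
            /* This parent element ends before the child does: try the next. */
            if (memcmp(p_max, c_max, length) < 0)
                continue;
            /* Parent reaches far enough but starts after the child starts. */
            if (memcmp(p_min, c_min, length) > 0)
                return 0;
            break;
        }
    }

    return 1;
}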
1125-
/*
 * Test whether a is a subset of b.
 *
 * Returns 1 if a is NULL, if a and b are the same object, or if every
 * address family of a is found in b and is contained in it.  Returns 0 if
 * b is NULL, if either side uses inheritance, or if a family of a is
 * missing from b or not contained in it.
 *
 * Side effect: b's comparison function is set to IPAddressFamily_cmp.
 *
 * addr_contains() is tested with '!', so any non-zero result, including a
 * negative one, is taken to mean "contained".
 */
int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
{
    int idx;

    if (a == NULL || a == b)
        return 1;
    if (b == NULL || X509v3_addr_inherits(a) || X509v3_addr_inherits(b))
        return 0;

    (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);

    for (idx = 0; idx < sk_IPAddressFamily_num(a); idx++) {
        IPAddressFamily *child_fam = sk_IPAddressFamily_value(a, idx);
        int pos = sk_IPAddressFamily_find(b, child_fam);
        IPAddressFamily *parent_fam = sk_IPAddressFamily_value(b, pos);

        /* No matching family in b. */
        if (parent_fam == NULL)
            return 0;

        if (!addr_contains(parent_fam->ipAddressChoice->u.addressesOrRanges,
                           child_fam->ipAddressChoice->u.addressesOrRanges,
                           length_from_afi(X509v3_addr_get_afi(parent_fam))))
            return 0;
    }
    return 1;
}
1151-
/*
 * Validation error handling via callback.
 *
 * Expands in a scope that provides ctx, i, x, ret and a "done" label.
 *
 * With a context, the error code, the current depth (i) and the current
 * certificate (x) are recorded and the verify callback is asked whether to
 * go on: its return value becomes ret.  Without a context ret is set to 0.
 * A zero ret jumps to "done"; a non-zero ret falls through, so a callback
 * that returns non-zero lets validation continue past the reported error.
 */
#define validation_err(_err_)               \
    do {                                    \
        if (ctx == NULL) {                  \
            ret = 0;                        \
        } else {                            \
            ctx->error = _err_;             \
            ctx->error_depth = i;           \
            ctx->current_cert = x;          \
            ret = ctx->verify_cb(0, ctx);   \
        }                                   \
        if (!ret)                           \
            goto done;                      \
    } while (0)
1168-
/*
 * Core code for RFC 3779 2.3 path validation.
 *
 * The starting point depends on ext:
 *   - ext == NULL: the resource set is taken from chain[0]'s rfc3779_addr.
 *     If that certificate carries no such extension there is nothing to
 *     check and the function returns 1.
 *   - ext != NULL: the caller's resource set is checked against every
 *     certificate of the chain, beginning with chain[0].
 *
 * Returns 1 for success, 0 on error.
 *
 * When returning 0, ctx->error MUST be set to an appropriate value other than
 * X509_V_OK.
 *
 * Errors are reported through validation_err(): with a ctx the verify
 * callback decides whether to stop, without a ctx every error stops.
 * If the callback returns non-zero for X509_V_ERR_INVALID_EXTENSION the walk
 * below still runs on an extension that failed the canonical-form check.
 * NOTE(review): addr_contains() advances a single parent index across all
 * child entries, which looks like it depends on that canonical ordering;
 * callers that install a permissive verify callback should confirm the
 * containment result is still meaningful in that case.
 *
 * NOTE(review): in the coverage run this listing was taken from, all 1305
 * calls left through the "no extension on chain[0]" exit; nothing after
 * that point is reported as executed.
 */
static int addr_validate_path_internal(X509_STORE_CTX *ctx,
                                       STACK_OF(X509) *chain,
                                       IPAddrBlocks *ext)
{
    IPAddrBlocks *child = NULL;
    int i, j, ret = 1;
    X509 *x;

    /* Argument sanity: a non-empty chain, and a ctx (with callback) or ext. */
    if (!ossl_assert(chain != NULL && sk_X509_num(chain) > 0)
            || !ossl_assert(ctx != NULL || ext != NULL)
            || !ossl_assert(ctx == NULL || ctx->verify_cb != NULL)) {
        if (ctx != NULL)
            ctx->error = X509_V_ERR_UNSPECIFIED;
        return 0;
    }

    /*
     * Figure out where to start.  If we don't have an extension to
     * check, we're done.  Otherwise, check canonical form and
     * set up for walking up the chain.
     */
    if (ext == NULL) {
        i = 0;
        x = sk_X509_value(chain, i);
        ext = x->rfc3779_addr;
        if (ext == NULL)
            goto done;
    } else {
        /* The loop below pre-increments, so the walk starts at chain[0]. */
        i = -1;
        x = NULL;
    }

    if (!X509v3_addr_is_canonical(ext)) {
        validation_err(X509_V_ERR_INVALID_EXTENSION);
    }
    (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);

    /*
     * Working copy of the resource set.  Entries are replaced by the
     * parent's entry as each level is accepted; only the stack itself is
     * released at "done".
     */
    child = sk_IPAddressFamily_dup(ext);
    if (child == NULL) {
        X509V3err(X509V3_F_ADDR_VALIDATE_PATH_INTERNAL,
                  ERR_R_MALLOC_FAILURE);
        if (ctx != NULL)
            ctx->error = X509_V_ERR_OUT_OF_MEM;
        ret = 0;
        goto done;
    }

    /*
     * Now walk up the chain.  No cert may list resources that its
     * parent doesn't list.
     */
    for (i++; i < sk_X509_num(chain); i++) {
        x = sk_X509_value(chain, i);
        if (!X509v3_addr_is_canonical(x->rfc3779_addr)) {
            validation_err(X509_V_ERR_INVALID_EXTENSION);
        }

        if (x->rfc3779_addr == NULL) {
            /*
             * A parent without the extension is acceptable only while
             * everything still pending is "inherit".
             */
            for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
                IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);

                if (fc->ipAddressChoice->type != IPAddressChoice_inherit) {
                    validation_err(X509_V_ERR_UNNESTED_RESOURCE);
                    break;
                }
            }
            continue;
        }

        (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr,
                                              IPAddressFamily_cmp);

        for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
            IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
            int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
            IPAddressFamily *fp =
                sk_IPAddressFamily_value(x->rfc3779_addr, k);

            if (fp == NULL) {
                /* Parent lacks this family: explicit ranges are unnested. */
                if (fc->ipAddressChoice->type ==
                    IPAddressChoice_addressesOrRanges) {
                    validation_err(X509_V_ERR_UNNESTED_RESOURCE);
                    break;
                }
                continue;
            }

            /* A parent that itself inherits defers the check one level up. */
            if (fp->ipAddressChoice->type !=
                IPAddressChoice_addressesOrRanges)
                continue;

            if (fc->ipAddressChoice->type == IPAddressChoice_inherit
                || addr_contains(fp->ipAddressChoice->u.addressesOrRanges,
                                 fc->ipAddressChoice->u.addressesOrRanges,
                                 length_from_afi(X509v3_addr_get_afi(fc)))) {
                /* Accepted: the parent's entry is what the next level checks. */
                sk_IPAddressFamily_set(child, j, fp);
            } else {
                validation_err(X509_V_ERR_UNNESTED_RESOURCE);
            }
        }
    }

    /*
     * Trust anchor can't inherit.
     */
    if (x->rfc3779_addr != NULL) {
        for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) {
            IPAddressFamily *fp =
                sk_IPAddressFamily_value(x->rfc3779_addr, j);

            if (fp->ipAddressChoice->type == IPAddressChoice_inherit
                && sk_IPAddressFamily_find(child, fp) >= 0) {
                validation_err(X509_V_ERR_UNNESTED_RESOURCE);
            }
        }
    }

 done:
    sk_IPAddressFamily_free(child);
    return ret;
}

#undef validation_err
1284-
/*
 * RFC 3779 2.3 path validation -- called from X509_verify_cert().
 *
 * ctx is dereferenced unconditionally, so it must not be NULL.  A context
 * without a chain, with an empty chain, or without a verify callback is
 * rejected with X509_V_ERR_UNSPECIFIED and a return value of 0; otherwise
 * the result of addr_validate_path_internal() on ctx->chain is returned.
 */
int X509v3_addr_validate_path(X509_STORE_CTX *ctx)
{
    int usable = ctx->chain != NULL
                 && sk_X509_num(ctx->chain) != 0
                 && ctx->verify_cb != NULL;

    if (!usable) {
        ctx->error = X509_V_ERR_UNSPECIFIED;
        return 0;
    }

    /* NULL ext: the resource set comes from the first certificate. */
    return addr_validate_path_internal(ctx, ctx->chain, NULL);
}
1298-
/*
 * RFC 3779 2.3 path validation of an extension.
 * Test whether chain covers extension.
 *
 * Returns 1 when ext is NULL (nothing to cover).  Returns 0 when the chain
 * is NULL or empty, or when ext uses "inherit" and allow_inheritance is 0.
 * Otherwise returns the result of addr_validate_path_internal(), which is
 * called without an X509_STORE_CTX: no verify callback is consulted, so the
 * first validation error ends the check with 0.
 *
 * NOTE(review): in the coverage run this listing was taken from, this
 * function is reported as never executed.
 */
int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
                                      IPAddrBlocks *ext, int allow_inheritance)
{
    if (ext == NULL)
        return 1;

    if (chain == NULL
            || sk_X509_num(chain) == 0
            || (!allow_inheritance && X509v3_addr_inherits(ext)))
        return 0;

    return addr_validate_path_internal(NULL, chain, ext);
}
1314-
1315#endif /* OPENSSL_NO_RFC3779 */-