File: [local] / src / usr.sbin / rpki-client / ip.c (download)
Revision 1.33, Tue Mar 19 05:04:13 2024 UTC (2 months, 2 weeks ago) by tb
Branch: MAIN
CVS Tags: HEAD
Changes since 1.32: +2 -2 lines
Rename parent to issuer in struct auth
Parent is confusing and issuer is the appropriate terminology. This is
a mechanical diff. The only remaining uses of 'parent' in this code
base now mean 'parent process'.
discussed with beck and job
ok job
|
/* $OpenBSD: ip.c,v 1.33 2024/03/19 05:04:13 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <sys/socket.h>
#include <arpa/inet.h>
#include <err.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "extern.h"
#define PREFIX_SIZE(x) (((x) + 7) / 8)
/*
* Parse an IP address family.
* This is defined in different places in the ROA/X509 standards, but
* it's the same thing.
* We prohibit all but IPv4 and IPv6, without SAFI.
* Return zero on failure, non-zero on success.
*/
int
ip_addr_afi_parse(const char *fn, const ASN1_OCTET_STRING *p, enum afi *afi)
{
uint16_t v;
if (p->length == 0 || p->length > 3) {
warnx("%s: invalid field length, want 1--3, have %d",
fn, p->length);
return 0;
}
memcpy(&v, p->data, sizeof(v));
v = ntohs(v);
/* Only accept IPv4 and IPv6 AFIs. */
if (v != AFI_IPV4 && v != AFI_IPV6) {
warnx("%s: only AFI for IPV4 (1) and IPV6 (2) allowed: "
"have %hd", fn, v);
return 0;
}
/* Disallow the optional SAFI. */
if (p->length == 3) {
warnx("%s: SAFI not allowed", fn);
return 0;
}
*afi = v;
return 1;
}
/*
* See if a given IP prefix is covered by the IP prefixes or ranges
* specified in the "ips" array.
* This means that the IP prefix must be strictly within the ranges or
* singletons given in the array.
* Return 0 if we're inheriting from the issuer, >0 if we're covered,
* or <0 if we're not covered.
*/
int
ip_addr_check_covered(enum afi afi,
const unsigned char *min, const unsigned char *max,
const struct cert_ip *ips, size_t ipsz)
{
size_t i, sz = AFI_IPV4 == afi ? 4 : 16;
for (i = 0; i < ipsz; i++) {
if (ips[i].afi != afi)
continue;
if (ips[i].type == CERT_IP_INHERIT)
return 0;
if (memcmp(ips[i].min, min, sz) <= 0 &&
memcmp(ips[i].max, max, sz) >= 0)
return 1;
}
return -1;
}
/*
* Given a newly-parsed IP address or range "ip", make sure that "ip"
* does not overlap with any addresses or ranges in the "ips" array.
* This is defined by RFC 3779 section 2.2.3.6.
* Returns zero on failure, non-zero on success.
*/
int
ip_addr_check_overlap(const struct cert_ip *ip, const char *fn,
const struct cert_ip *ips, size_t ipsz, int quiet)
{
size_t i, sz = ip->afi == AFI_IPV4 ? 4 : 16;
int inherit_v4 = 0, inherit_v6 = 0;
int has_v4 = 0, has_v6 = 0;
/*
* FIXME: cache this by having a flag on the cert_ip, else we're
* going to need to do a lot of scanning for big allocations.
*/
for (i = 0; i < ipsz; i++)
if (ips[i].type == CERT_IP_INHERIT) {
if (ips[i].afi == AFI_IPV4)
inherit_v4 = 1;
else
inherit_v6 = 1;
} else {
if (ips[i].afi == AFI_IPV4)
has_v4 = 1;
else
has_v6 = 1;
}
/* Disallow multiple inheritance per type. */
if ((inherit_v4 && ip->afi == AFI_IPV4) ||
(inherit_v6 && ip->afi == AFI_IPV6) ||
(has_v4 && ip->afi == AFI_IPV4 &&
ip->type == CERT_IP_INHERIT) ||
(has_v6 && ip->afi == AFI_IPV6 &&
ip->type == CERT_IP_INHERIT)) {
if (!quiet) {
warnx("%s: RFC 3779 section 2.2.3.5: "
"cannot have multiple inheritance or inheritance "
"and addresses of the same class", fn);
}
return 0;
}
/* Check our ranges. */
for (i = 0; i < ipsz; i++) {
if (ips[i].afi != ip->afi)
continue;
if (memcmp(ips[i].max, ip->min, sz) <= 0 ||
memcmp(ips[i].min, ip->max, sz) >= 0)
continue;
if (!quiet) {
warnx("%s: RFC 3779 section 2.2.3.5: "
"cannot have overlapping IP addresses", fn);
ip_warn(fn, "certificate IP", ip);
ip_warn(fn, "offending IP", &ips[i]);
}
return 0;
}
return 1;
}
/*
* Parse an IP address, RFC 3779, 2.2.3.8.
* Return zero on failure, non-zero on success.
*/
int
ip_addr_parse(const ASN1_BIT_STRING *p,
enum afi afi, const char *fn, struct ip_addr *addr)
{
long unused = 0;
/* Weird OpenSSL-ism to get unused bit count. */
if ((p->flags & ASN1_STRING_FLAG_BITS_LEFT))
unused = p->flags & 0x07;
if (p->length == 0 && unused != 0) {
warnx("%s: RFC 3779 section 2.2.3.8: "
"unused bit count must be zero if length is zero", fn);
return 0;
}
/*
* Check that the unused bits are set to zero.
* If we don't do this, stray bits will corrupt our composition
* of the [minimum] address ranges.
*/
if (p->length != 0 &&
(p->data[p->length - 1] & ((1 << unused) - 1))) {
warnx("%s: RFC 3779 section 2.2.3.8: "
"unused bits must be set to zero", fn);
return 0;
}
/* Limit possible sizes of addresses. */
if ((afi == AFI_IPV4 && p->length > 4) ||
(afi == AFI_IPV6 && p->length > 16)) {
warnx("%s: RFC 3779 section 2.2.3.8: "
"IP address too long", fn);
return 0;
}
memset(addr, 0, sizeof(struct ip_addr));
addr->prefixlen = p->length * 8 - unused;
memcpy(addr->addr, p->data, p->length);
return 1;
}
/*
* Convert a ip_addr into a NUL-terminated CIDR notation string
* conforming to RFC 4632 or 4291.
* The size of the buffer must be at least 64 (inclusive).
*/
void
ip_addr_print(const struct ip_addr *addr,
enum afi afi, char *buf, size_t bufsz)
{
char ipbuf[INET6_ADDRSTRLEN];
int ret, af;
switch (afi) {
case AFI_IPV4:
af = AF_INET;
break;
case AFI_IPV6:
af = AF_INET6;
break;
default:
errx(1, "unsupported address family identifier");
}
if (inet_ntop(af, addr->addr, ipbuf, sizeof(ipbuf)) == NULL)
err(1, "inet_ntop");
ret = snprintf(buf, bufsz, "%s/%hhu", ipbuf, addr->prefixlen);
if (ret < 0 || (size_t)ret >= bufsz)
err(1, "malformed IP address");
}
/*
* Convert a ip_addr into a NUL-terminated range notation string.
* The size of the buffer must be at least 95 (inclusive).
*/
static void
ip_addr_range_print(const struct ip_addr_range *range,
enum afi afi, char *buf, size_t bufsz)
{
struct cert_ip ip;
char min[INET6_ADDRSTRLEN], max[INET6_ADDRSTRLEN];
int ret, af;
switch (afi) {
case AFI_IPV4:
af = AF_INET;
break;
case AFI_IPV6:
af = AF_INET6;
break;
default:
errx(1, "unsupported address family identifier");
}
memset(&ip, 0, sizeof(ip));
ip.afi = afi;
ip.type = CERT_IP_RANGE;
ip.range = *range;
if (!ip_cert_compose_ranges(&ip))
errx(1, "failed to compose ranges");
if (inet_ntop(af, ip.min, min, sizeof(min)) == NULL)
err(1, "inet_ntop");
if (inet_ntop(af, ip.max, max, sizeof(max)) == NULL)
err(1, "inet_ntop");
ret = snprintf(buf, bufsz, "%s--%s", min, max);
if (ret < 0 || (size_t)ret >= bufsz)
err(1, "malformed IP address");
}
/*
* Given the addresses (range or IP) in cert_ip, fill in the "min" and
* "max" fields with the minimum and maximum possible IP addresses given
* those ranges (or singleton prefixed range).
* This does nothing if CERT_IP_INHERIT.
* Returns zero on failure (misordered ranges), non-zero on success.
*/
int
ip_cert_compose_ranges(struct cert_ip *p)
{
size_t sz;
switch (p->type) {
case CERT_IP_ADDR:
sz = PREFIX_SIZE(p->ip.prefixlen);
memset(p->min, 0x0, sizeof(p->min));
memcpy(p->min, p->ip.addr, sz);
memset(p->max, 0xff, sizeof(p->max));
memcpy(p->max, p->ip.addr, sz);
if (sz > 0 && p->ip.prefixlen % 8 != 0)
p->max[sz - 1] |= (1 << (8 - p->ip.prefixlen % 8)) - 1;
break;
case CERT_IP_RANGE:
memset(p->min, 0x0, sizeof(p->min));
sz = PREFIX_SIZE(p->range.min.prefixlen);
memcpy(p->min, p->range.min.addr, sz);
memset(p->max, 0xff, sizeof(p->max));
sz = PREFIX_SIZE(p->range.max.prefixlen);
memcpy(p->max, p->range.max.addr, sz);
if (sz > 0 && p->range.max.prefixlen % 8 != 0)
p->max[sz - 1] |=
(1 << (8 - p->range.max.prefixlen % 8)) - 1;
break;
default:
return 1;
}
sz = p->afi == AFI_IPV4 ? 4 : 16;
return memcmp(p->min, p->max, sz) <= 0;
}
/*
* Given the ROA's acceptable prefix, compute the minimum and maximum
* address accepted by the prefix.
*/
void
ip_roa_compose_ranges(struct roa_ip *p)
{
size_t sz = PREFIX_SIZE(p->addr.prefixlen);
memset(p->min, 0x0, sizeof(p->min));
memcpy(p->min, p->addr.addr, sz);
memset(p->max, 0xff, sizeof(p->max));
memcpy(p->max, p->addr.addr, sz);
if (sz > 0 && p->addr.prefixlen % 8 != 0)
p->max[sz - 1] |= (1 << (8 - p->addr.prefixlen % 8)) - 1;
}
void
ip_warn(const char *fn, const char *msg, const struct cert_ip *ip)
{
char buf[128];
switch (ip->type) {
case CERT_IP_ADDR:
ip_addr_print(&ip->ip, ip->afi, buf, sizeof(buf));
warnx("%s: %s: %s", fn, msg, buf);
break;
case CERT_IP_RANGE:
ip_addr_range_print(&ip->range, ip->afi, buf, sizeof(buf));
warnx("%s: %s: %s", fn, msg, buf);
break;
case CERT_IP_INHERIT:
warnx("%s: %s: IP (inherit)", fn, msg);
break;
default:
warnx("%s: corrupt cert", fn);
break;
}
}
![[BACK]](/icons/back.gif){kind=icon}
Return to ip.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.sbin / rpki-client