Chiebot-Mirror
/
boringssl
mirror of https://gitee.com/mirrors/boringssl.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Sync pki to chromium 1ef93e346424a24fa27ee55a36254b6ee0f96e86

Browse Source 
Bug: chromium:1322914
Change-Id: Ic9b93a733290c40ac7c64e67d1e4f611f2f8b46c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62966
Auto-Submit: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
chromium-stable
Bob Beck 1 year ago committed by Boringssl LUCI CQ
parent fa343af32b
commit 8e7025e3df
13 changed files with 358 additions and 370 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 171
      pki/fillins/ip_address.cc
  2. 62
      pki/fillins/ip_address.h
  3. 46
      pki/general_names.cc
  4. 22
      pki/general_names.h
  5. 9
      pki/general_names_unittest.cc
  6. 13
      pki/import_spec.json
  7. 50
      pki/ip_util.cc
  8. 29
      pki/ip_util.h
  9. 107
      pki/ip_util_unittest.cc
  10. 13
      pki/name_constraints.cc
  11. 5
      pki/name_constraints.h
  12. 198
      pki/name_constraints_unittest.cc
  13. 3
      sources.cmake

171
pki/fillins/ip_address.cc
Unescape View File

@ -1,171 +0,0 @@
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "ip_address.h"
#include <stdlib.h>
#include <string.h>
#include <climits>
#include <openssl/base.h>
namespace bssl {
namespace fillins {
IPAddress::IPAddress() {}
IPAddress::IPAddress(const uint8_t *address, size_t address_len)
: addr_(reinterpret_cast<const char *>(address), address_len) {}
IPAddress::IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) {
addr_.reserve(4);
addr_.push_back(b0);
addr_.push_back(b1);
addr_.push_back(b2);
addr_.push_back(b3);
}
IPAddress::IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4,
uint8_t b5, uint8_t b6, uint8_t b7, uint8_t b8, uint8_t b9,
uint8_t b10, uint8_t b11, uint8_t b12, uint8_t b13,
uint8_t b14, uint8_t b15) {
addr_.reserve(16);
addr_.push_back(b0);
addr_.push_back(b1);
addr_.push_back(b2);
addr_.push_back(b3);
addr_.push_back(b4);
addr_.push_back(b5);
addr_.push_back(b6);
addr_.push_back(b7);
addr_.push_back(b8);
addr_.push_back(b9);
addr_.push_back(b10);
addr_.push_back(b11);
addr_.push_back(b12);
addr_.push_back(b13);
addr_.push_back(b14);
addr_.push_back(b15);
}
// static
IPAddress IPAddress::AllZeros(size_t num_zero_bytes) {
BSSL_CHECK(num_zero_bytes <= 16u);
IPAddress result;
result.addr_.reserve(num_zero_bytes);
for (size_t i = 0; i < num_zero_bytes; ++i) {
result.addr_.push_back(0u);
}
return result;
}
// static
IPAddress IPAddress::IPv4AllZeros() { return AllZeros(kIPv4AddressSize); }
bool IPAddress::IsIPv4() const { return addr_.size() == kIPv4AddressSize; }
bool IPAddress::IsIPv6() const { return addr_.size() == kIPv6AddressSize; }
bool IPAddress::IsValid() const { return IsIPv4() || IsIPv6(); }
const uint8_t *IPAddress::data() const {
return reinterpret_cast<const uint8_t *>(addr_.data());
}
size_t IPAddress::size() const { return addr_.size(); }
const IPAddressBytes &IPAddress::bytes() const { return addr_; }
static IPAddress ConvertIPv4ToIPv4MappedIPv6(const IPAddress &address) {
BSSL_CHECK(address.IsIPv4());
// IPv4-mapped addresses are formed by:
// <80 bits of zeros> + <16 bits of ones> + <32-bit IPv4 address>.
uint8_t bytes[16];
memset(bytes, 0, 10);
memset(bytes + 10, 0xff, 2);
memcpy(bytes + 12, address.data(), address.size());
return IPAddress(bytes, sizeof(bytes));
}
// Note that this function assumes:
// * |ip_address| is at least |prefix_length_in_bits| (bits) long;
// * |ip_prefix| is at least |prefix_length_in_bits| (bits) long.
static bool IPAddressPrefixCheck(const uint8_t *ip_address,
const uint8_t *ip_prefix,
size_t prefix_length_in_bits) {
// Compare all the bytes that fall entirely within the prefix.
size_t num_entire_bytes_in_prefix = prefix_length_in_bits / 8;
for (size_t i = 0; i < num_entire_bytes_in_prefix; ++i) {
if (ip_address[i] != ip_prefix[i]) {
return false;
}
}
// In case the prefix was not a multiple of 8, there will be 1 byte
// which is only partially masked.
size_t remaining_bits = prefix_length_in_bits % 8;
if (remaining_bits != 0) {
uint8_t mask = 0xFF << (8 - remaining_bits);
size_t i = num_entire_bytes_in_prefix;
if ((ip_address[i] & mask) != (ip_prefix[i] & mask)) {
return false;
}
}
return true;
}
bool IPAddressMatchesPrefix(const IPAddress &ip_address,
const IPAddress &ip_prefix,
size_t prefix_length_in_bits) {
// Both the input IP address and the prefix IP address should be either IPv4
// or IPv6.
BSSL_CHECK(ip_address.IsValid());
BSSL_CHECK(ip_prefix.IsValid());
BSSL_CHECK(prefix_length_in_bits <= ip_prefix.size() * 8);
// In case we have an IPv6 / IPv4 mismatch, convert the IPv4 addresses to
// IPv6 addresses in order to do the comparison.
if (ip_address.size() != ip_prefix.size()) {
if (ip_address.IsIPv4()) {
return IPAddressMatchesPrefix(ConvertIPv4ToIPv4MappedIPv6(ip_address),
ip_prefix, prefix_length_in_bits);
}
return IPAddressMatchesPrefix(ip_address,
ConvertIPv4ToIPv4MappedIPv6(ip_prefix),
96 + prefix_length_in_bits);
}
return IPAddressPrefixCheck(ip_address.data(), ip_prefix.data(),
prefix_length_in_bits);
}
static unsigned CommonPrefixLength(const IPAddress &a1, const IPAddress &a2) {
BSSL_CHECK(a1.size() == a2.size());
for (size_t i = 0; i < a1.size(); ++i) {
uint8_t diff = a1.bytes()[i] ^ a2.bytes()[i];
if (!diff)
continue;
for (unsigned j = 0; j < CHAR_BIT; ++j) {
if (diff & (1 << (CHAR_BIT - 1)))
return i * CHAR_BIT + j;
diff <<= 1;
}
abort();
}
return a1.size() * CHAR_BIT;
}
unsigned MaskPrefixLength(const IPAddress &mask) {
uint8_t all_ones[16];
const size_t mask_len = std::min(mask.size(), sizeof(all_ones));
memset(all_ones, 0xff, mask_len);
return CommonPrefixLength(mask, IPAddress(all_ones, mask_len));
}
} // namespace fillins
} // namespace bssl

62
pki/fillins/ip_address.h
Unescape View File

@ -1,62 +0,0 @@
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef BSSL_FILLINS_IP_ADDRESS
#define BSSL_FILLINS_IP_ADDRESS
#include <openssl/base.h>
#include <stddef.h>
#include <stdint.h>
#include <string>
namespace bssl {
namespace fillins {
typedef std::string IPAddressBytes;
class OPENSSL_EXPORT IPAddress {
public:
enum : size_t { kIPv4AddressSize = 4, kIPv6AddressSize = 16 };
IPAddress();
IPAddress(const uint8_t *address, size_t address_len);
IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3);
IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3,
uint8_t b4, uint8_t b5, uint8_t b6, uint8_t b7,
uint8_t b8, uint8_t b9, uint8_t b10, uint8_t b11,
uint8_t b12, uint8_t b13, uint8_t b14, uint8_t b15);
static IPAddress IPv4AllZeros();
bool IsIPv4() const;
bool IsIPv6() const;
bool IsValid() const;
const uint8_t *data() const;
size_t size() const;
const IPAddressBytes &bytes() const;
bool operator==(const IPAddress &other) const {
return addr_ == other.addr_;
}
private:
static IPAddress AllZeros(size_t num_zero_bytes);
std::string addr_;
};
OPENSSL_EXPORT bool IPAddressMatchesPrefix(const IPAddress &ip_address,
const IPAddress &ip_prefix,
size_t prefix_length_in_bits);
OPENSSL_EXPORT unsigned MaskPrefixLength(const IPAddress &mask);
} // namespace fillins
} // namespace bssl
#endif // BSSL_FILLINS_IP_ADDRESS

46
pki/general_names.cc
Unescape View File

@ -11,6 +11,7 @@
#include "cert_error_params.h"
#include "cert_errors.h"
#include "ip_util.h"
#include "string_util.h"
#include "input.h"
#include "parser.h"
@ -36,29 +37,6 @@ DEFINE_CERT_ERROR_ID(kGeneralNamesEmpty,
DEFINE_CERT_ERROR_ID(kFailedReadingGeneralName,
"Failed reading GeneralName TLV");
// Return true if the bitmask |mask| contains only zeros after the first
// |prefix_length| bits.
bool IsSuffixZero(const fillins::IPAddressBytes& mask, unsigned prefix_length) {
size_t zero_bits = mask.size() * CHAR_BIT - prefix_length;
size_t zero_bytes = zero_bits / CHAR_BIT;
// We allocate the vector one byte bigger than needed to ensure there is a
// valid pointer to pass to memcmp for a zero length comparison.
std::vector<uint8_t> zeros(zero_bytes + 1, 0);
if (memcmp(zeros.data(), mask.data() + mask.size() - zero_bytes,
zero_bytes)) {
return false;
}
size_t leftover_bits = zero_bits % CHAR_BIT;
if (leftover_bits) {
uint8_t b = mask[mask.size() - zero_bytes - 1];
for (size_t i = 0; i < leftover_bits; ++i) {
if (b & (1 << i))
return false;
}
}
return true;
}
} // namespace
GeneralNames::GeneralNames() = default;
@ -193,12 +171,12 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
// version 4, as specified in [RFC791], the octet string MUST contain
// exactly four octets. For IP version 6, as specified in [RFC2460],
// the octet string MUST contain exactly sixteen octets.
if ((value.Length() != fillins::IPAddress::kIPv4AddressSize &&
value.Length() != fillins::IPAddress::kIPv6AddressSize)) {
if ((value.Length() != kIPv4AddressSize &&
value.Length() != kIPv6AddressSize)) {
errors->AddError(kFailedParsingIp);
return false;
}
subtrees->ip_addresses.emplace_back(value.UnsafeData(), value.Length());
subtrees->ip_addresses.push_back(value);
} else {
BSSL_CHECK(ip_address_type == GeneralNames::IP_ADDRESS_AND_NETMASK);
// RFC 5280 section 4.2.1.10:
@ -211,21 +189,19 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
// constraint for "class C" subnet 192.0.2.0 is represented as the
// octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
// 192.0.2.0/24 (mask 255.255.255.0).
if (value.Length() != fillins::IPAddress::kIPv4AddressSize * 2 &&
value.Length() != fillins::IPAddress::kIPv6AddressSize * 2) {
if (value.Length() != kIPv4AddressSize * 2 &&
value.Length() != kIPv6AddressSize * 2) {
errors->AddError(kFailedParsingIp);
return false;
}
const fillins::IPAddress mask(value.UnsafeData() + value.Length() / 2,
value.Length() / 2);
const unsigned mask_prefix_length = MaskPrefixLength(mask);
if (!IsSuffixZero(mask.bytes(), mask_prefix_length)) {
der::Input addr(value.UnsafeData(), value.Length() / 2);
der::Input mask(value.UnsafeData() + value.Length() / 2,
value.Length() / 2);
if (!IsValidNetmask(mask)) {
errors->AddError(kFailedParsingIp);
return false;
}
subtrees->ip_address_ranges.emplace_back(
fillins::IPAddress(value.UnsafeData(), value.Length() / 2),
mask_prefix_length);
subtrees->ip_address_ranges.emplace_back(addr, mask);
}
} else if (tag == der::ContextSpecificPrimitive(8)) {
// registeredID [8] OBJECT IDENTIFIER }

22
pki/general_names.h
Unescape View File

@ -9,7 +9,6 @@
#include <memory>
#include <vector>
#include "fillins/ip_address.h"
#include "cert_error_id.h"
@ -94,12 +93,21 @@ struct OPENSSL_EXPORT GeneralNames {
std::vector<std::string_view> uniform_resource_identifiers;
// iPAddresses as sequences of octets in network byte order. This will be
// populated if the GeneralNames represents a Subject Alternative Name.
std::vector<fillins::IPAddress> ip_addresses;
// iPAddress ranges, as <IP, prefix length> pairs. This will be populated
// if the GeneralNames represents a Name Constraints.
std::vector<std::pair<fillins::IPAddress, unsigned>> ip_address_ranges;
// populated if the GeneralNames represents a Subject Alternative Name. Each
// address is guaranteed to be either 4 bytes (IPv4) or 16 bytes (IPv6) long.
std::vector<der::Input> ip_addresses;
// iPAddress ranges, as <IP, mask> pairs. This will be populated
// if the GeneralNames represents a Name Constraints. Each address is
// guaranteed to be either 4 bytes (IPv4) or 16 bytes (IPv6) long. The mask
// half is guaranteed to be the same size, and consist of some number of 1
// bits, followed by some number of 0 bits.
//
// WARNING: It is not guaranteed that the masked portions of the address are
// zero.
//
// TODO(davidben): Should addresses with non-zero masked portions be rejected?
std::vector<std::pair<der::Input, der::Input>> ip_address_ranges;
// DER-encoded OBJECT IDENTIFIERs.
std::vector<der::Input> registered_ids;

9
pki/general_names_unittest.cc
Unescape View File

@ -182,7 +182,8 @@ TEST(GeneralNames, IPAddress_v4) {
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->ip_addresses.size());
EXPECT_EQ(fillins::IPAddress(192, 168, 6, 7), general_names->ip_addresses[0]);
static const uint8_t kIP[] = {192, 168, 6, 7};
EXPECT_EQ(der::Input(kIP), general_names->ip_addresses[0]);
EXPECT_EQ(0U, general_names->ip_address_ranges.size());
}
@ -196,9 +197,9 @@ TEST(GeneralNames, IPAddress_v6) {
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->ip_addresses.size());
EXPECT_EQ(
fillins::IPAddress(0xFE, 0x80, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14),
general_names->ip_addresses[0]);
static const uint8_t kIP[] = {0xFE, 0x80, 1, 2, 3, 4, 5, 6,
7, 8, 9, 10, 11, 12, 13, 14};
EXPECT_EQ(der::Input(kIP), general_names->ip_addresses[0]);
EXPECT_EQ(0U, general_names->ip_address_ranges.size());
}

13
pki/import_spec.json
Unescape View File

@ -51,16 +51,6 @@
"replace": ""},
{"match": "^#include \"crypto/openssl_util.h\"",
"replace": "#include \"fillins/openssl_util.h\""},
{"match": "^#include \"net/base/ip_address.h\"",
"replace": "#include \"fillins/ip_address.h\"",
"using": ["bssl::fillins::IPAddress",
"bssl::fillins::IPAddressBytes"]},
{"match": "\\bIPAddressMatchesPrefix\\b",
"replace": "fillins::IPAddressMatchesPrefix"},
{"match": "\\bIPAddressBytes\\b",
"replace": "fillins::IPAddressBytes"},
{"match": "\\bIPAddress\\b",
"replace": "fillins::IPAddress"},
{"match": "\"net/data/",
"replace": "\"testdata/"},
{"match": "\"net/third_party/nist-pkits",
@ -266,6 +256,9 @@
"net/cert/pki/general_names.h",
"net/cert/pki/general_names.cc",
"net/cert/pki/general_names_unittest.cc",
"net/cert/pki/ip_util.h",
"net/cert/pki/ip_util.cc",
"net/cert/pki/ip_util_unittest.cc",
"net/cert/pki/mock_signature_verify_cache.h",
"net/cert/pki/mock_signature_verify_cache.cc",
"net/cert/pki/name_constraints.cc",

50
pki/ip_util.cc
Unescape View File

@ -0,0 +1,50 @@
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "ip_util.h"
namespace bssl {
bool IsValidNetmask(der::Input mask) {
if (mask.Length() != kIPv4AddressSize && mask.Length() != kIPv6AddressSize) {
return false;
}
for (size_t i = 0; i < mask.Length(); i++) {
uint8_t b = mask[i];
if (b != 0xff) {
// b must be all ones followed by all zeros, so ~b must be all zeros
// followed by all ones.
uint8_t inv = ~b;
if ((inv & (inv + 1)) != 0) {
return false;
}
// The remaining bytes must be all zeros.
for (size_t j = i + 1; j < mask.Length(); j++) {
if (mask[j] != 0) {
return false;
}
}
return true;
}
}
return true;
}
bool IPAddressMatchesWithNetmask(der::Input addr1,
der::Input addr2,
der::Input mask) {
if (addr1.Length() != addr2.Length() || addr1.Length() != mask.Length()) {
return false;
}
for (size_t i = 0; i < addr1.Length(); i++) {
if ((addr1[i] & mask[i]) != (addr2[i] & mask[i])) {
return false;
}
}
return true;
}
} // namespace net

29
pki/ip_util.h
Unescape View File

@ -0,0 +1,29 @@
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef BSSL_PKI_IP_UTIL_H_
#define BSSL_PKI_IP_UTIL_H_
#include "fillins/openssl_util.h"
#include "input.h"
namespace bssl {
inline constexpr size_t kIPv4AddressSize = 4;
inline constexpr size_t kIPv6AddressSize = 16;
// Returns whether `mask` is a valid netmask. I.e., whether it the length of an
// IPv4 or IPv6 address, and is some number of ones, followed by some number of
// zeros.
OPENSSL_EXPORT bool IsValidNetmask(der::Input mask);
// Returns whether `addr1` and `addr2` are equal under the netmask `mask`.
OPENSSL_EXPORT bool IPAddressMatchesWithNetmask(der::Input addr1,
der::Input addr2,
der::Input mask);
} // namespace net
#endif // BSSL_PKI_IP_UTIL_H_

107
pki/ip_util_unittest.cc
Unescape View File

@ -0,0 +1,107 @@
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "ip_util.h"
#include <string.h>
#include "input.h"
#include <gtest/gtest.h>
namespace bssl {
TEST(IPUtilTest, IsValidNetmask) {
uint8_t kWrongSize[3] = {0xff, 0xff, 0xff};
EXPECT_FALSE(IsValidNetmask(der::Input(kWrongSize)));
// All zeros is a valid netmask.
uint8_t kZeroIPv4[4] = {0};
EXPECT_TRUE(IsValidNetmask(der::Input(kZeroIPv4)));
uint8_t kZeroIPv6[16] = {0};
EXPECT_TRUE(IsValidNetmask(der::Input(kZeroIPv6)));
// Test all valid non-zero IPv4 netmasks.
for (int i = 0; i < 4; i++) {
uint8_t addr[4] = {0};
memset(addr, 0xff, i);
for (int shift = 0; shift < 8; shift++) {
addr[i] = 0xff << shift;
EXPECT_TRUE(IsValidNetmask(der::Input(addr)));
}
}
// Test all valid non-zero IPv6 netmasks.
for (int i = 0; i < 16; i++) {
uint8_t addr[16] = {0};
memset(addr, 0xff, i);
for (int shift = 0; shift < 8; shift++) {
addr[i] = 0xff << shift;
EXPECT_TRUE(IsValidNetmask(der::Input(addr)));
}
}
// Error within a byte.
uint8_t kInvalidIPv4[4] = {0xff, 0xff, 0x81, 0x00};
EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv4)));
uint8_t kInvalidIPv6[16] = {0xff, 0xff, 0x81, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv6)));
// Error at the end.
uint8_t kInvalidIPv4_2[4] = {0xff, 0xff, 0x80, 0x01};
EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv4_2)));
uint8_t kInvalidIPv6_2[16] = {0xff, 0xff, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01};
EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv6_2)));
// Leading zero.
uint8_t kInvalidIPv4_3[4] = {0x00, 0xff, 0x80, 0x00};
EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv4_3)));
uint8_t kInvalidIPv6_3[16] = {0x00, 0xff, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01};
EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv6_3)));
}
TEST(IPUtilTest, IPAddressMatchesWithNetmask) {
// Under a zero mask, any two addresses are equal.
{
uint8_t kMask[4] = {0};
uint8_t kAddr1[4] = {1, 2, 3, 4};
uint8_t kAddr2[4] = {255, 254, 253, 252};
EXPECT_TRUE(IPAddressMatchesWithNetmask(
der::Input(kAddr1), der::Input(kAddr1), der::Input(kMask)));
EXPECT_TRUE(IPAddressMatchesWithNetmask(
der::Input(kAddr1), der::Input(kAddr2), der::Input(kMask)));
}
// Under an all ones mask, all bits of the address are checked.
{
uint8_t kMask[4] = {0xff, 0xff, 0xff, 0xff};
uint8_t kAddr1[4] = {1, 2, 3, 4};
uint8_t kAddr2[4] = {255, 254, 253, 252};
uint8_t kAddr3[4] = {1, 2, 3, 5};
EXPECT_TRUE(IPAddressMatchesWithNetmask(
der::Input(kAddr1), der::Input(kAddr1), der::Input(kMask)));
EXPECT_FALSE(IPAddressMatchesWithNetmask(
der::Input(kAddr1), der::Input(kAddr2), der::Input(kMask)));
EXPECT_FALSE(IPAddressMatchesWithNetmask(
der::Input(kAddr1), der::Input(kAddr3), der::Input(kMask)));
}
// In general, only masked bits are considered.
{
uint8_t kMask[4] = {0xff, 0xff, 0x80, 0x00};
uint8_t kAddr1[4] = {1, 2, 3, 4};
uint8_t kAddr2[4] = {1, 2, 0x7f, 0xff};
uint8_t kAddr3[4] = {2, 2, 3, 4};
EXPECT_TRUE(IPAddressMatchesWithNetmask(
der::Input(kAddr1), der::Input(kAddr1), der::Input(kMask)));
EXPECT_TRUE(IPAddressMatchesWithNetmask(
der::Input(kAddr1), der::Input(kAddr2), der::Input(kMask)));
EXPECT_FALSE(IPAddressMatchesWithNetmask(
der::Input(kAddr1), der::Input(kAddr3), der::Input(kMask)));
}
}
} // namespace net

13
pki/name_constraints.cc
Unescape View File

@ -11,6 +11,7 @@
#include "cert_errors.h"
#include "common_cert_errors.h"
#include "general_names.h"
#include "ip_util.h"
#include "string_util.h"
#include "verify_name_match.h"
#include "input.h"
@ -653,12 +654,10 @@ bool NameConstraints::IsPermittedDirectoryName(
return false;
}
bool NameConstraints::IsPermittedIP(const fillins::IPAddress& ip) const {
// fillins::IPAddressMatchesPrefix internally maps v4 addresses to/from v6 on type
// mismatch. We don't wish to do this, so check the sizes match first.
bool NameConstraints::IsPermittedIP(const der::Input& ip) const {
for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) {
if (ip.size() == excluded_ip.first.size() &&
fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) {
if (IPAddressMatchesWithNetmask(ip, excluded_ip.first,
excluded_ip.second)) {
return false;
}
}
@ -670,8 +669,8 @@ bool NameConstraints::IsPermittedIP(const fillins::IPAddress& ip) const {
}
for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) {
if (ip.size() == permitted_ip.first.size() &&
fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) {
if (IPAddressMatchesWithNetmask(ip, permitted_ip.first,
permitted_ip.second)) {
return true;
}
}

5
pki/name_constraints.h
Unescape View File

@ -6,11 +6,8 @@
#define BSSL_PKI_NAME_CONSTRAINTS_H_
#include "fillins/openssl_util.h"
#include <stdint.h>
#include <memory>
#include "fillins/ip_address.h"
#include "general_names.h"
@ -70,7 +67,7 @@ class OPENSSL_EXPORT NameConstraints {
bool IsPermittedDirectoryName(const der::Input& name_rdn_sequence) const;
// Returns true if the iPAddress |ip| is permitted.
bool IsPermittedIP(const fillins::IPAddress& ip) const;
bool IsPermittedIP(const der::Input& ip) const;
// Returns a bitfield of GeneralNameTypes of all the types constrained by this
// NameConstraints. Name types that aren't supported will only be present if

198
pki/name_constraints_unittest.cc
Unescape View File

@ -4,9 +4,9 @@
#include "name_constraints.h"
#include <array>
#include <memory>
#include "fillins/ip_address.h"
#include "common_cert_errors.h"
#include "test_helpers.h"
#include <gtest/gtest.h>
@ -73,6 +73,31 @@ namespace {
return ::testing::AssertionFailure();
}
std::array<uint8_t, 4> IPAddress(uint8_t b0,
uint8_t b1,
uint8_t b2,
uint8_t b3) {
return {b0, b1, b2, b3};
}
std::array<uint8_t, 16> IPAddress(uint8_t b0,
uint8_t b1,
uint8_t b2,
uint8_t b3,
uint8_t b4,
uint8_t b5,
uint8_t b6,
uint8_t b7,
uint8_t b8,
uint8_t b9,
uint8_t b10,
uint8_t b11,
uint8_t b12,
uint8_t b13,
uint8_t b14,
uint8_t b15) {
return {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15};
}
} // namespace
class ParseNameConstraints
@ -488,56 +513,65 @@ TEST_P(ParseNameConstraints, IPAddresses) {
// IPv4 tests:
// Not in any permitted range.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 169, 0, 1)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 169, 0, 1))));
// Within the permitted 192.168.0.0/255.255.0.0 range.
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 0, 1)));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
// Within the permitted 192.168.0.0/255.255.0.0 range, however the
// excluded 192.168.5.0/255.255.255.0 takes priority.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 5, 1)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
// Within the permitted 192.168.0.0/255.255.0.0 range as well as the
// permitted 192.168.5.32/255.255.255.224 range, however the excluded
// 192.168.5.0/255.255.255.0 still takes priority.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 5, 33)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 33))));
// Not in any permitted range. (Just outside the
// 192.167.5.32/255.255.255.224 range.)
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 167, 5, 31)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 31))));
// Within the permitted 192.167.5.32/255.255.255.224 range.
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 167, 5, 32)));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 32))));
// Within the permitted 192.167.5.32/255.255.255.224 range.
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 167, 5, 63)));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 63))));
// Not in any permitted range. (Just outside the
// 192.167.5.32/255.255.255.224 range.)
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 167, 5, 64)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 64))));
// Not in any permitted range, and also inside the extraneous excluded
// 192.166.5.32/255.255.255.224 range.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 166, 5, 32)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 166, 5, 32))));
// IPv6 tests:
// Not in any permitted range.
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
// Within the permitted
// 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range.
EXPECT_TRUE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1)));
EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1))));
// Within the permitted
// 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range, however
// the excluded
// 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
// priority.
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1))));
// Within the permitted
// 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range as well
@ -546,35 +580,35 @@ TEST_P(ParseNameConstraints, IPAddresses) {
// however the excluded
// 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
// priority.
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1))));
// Not in any permitted range. (Just outside the
// 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
// range.)
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 31, 255, 255)));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 31, 255, 255))));
// Within the permitted
// 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
EXPECT_TRUE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0)));
EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0))));
// Within the permitted
// 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
EXPECT_TRUE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 63, 255, 255)));
EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 63, 255, 255))));
// Not in any permitted range. (Just outside the
// 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
// range.)
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0)));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0))));
// Not in any permitted range, and also inside the extraneous excluded
// 102:304:506:708:90a:b0a:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1))));
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS,
name_constraints->constrained_name_types());
@ -609,10 +643,12 @@ TEST_P(ParseNameConstraints, IPAddressesExcludeOnly) {
// Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
// any iPAddress outside that is allowed.
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 0, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 5, 1)));
EXPECT_TRUE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
}
TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
@ -627,12 +663,14 @@ TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
// 192.168.0.0/255.255.0.0 and
// 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
// but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 0, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(1, 1, 1, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(1, 1, 1, 1))));
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
der::Input(IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1))));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
}
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
@ -644,12 +682,18 @@ TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 3)));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 4)));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
EXPECT_FALSE(name_constraints->IsPermittedIP(
der::Input(IPAddress(255, 255, 255, 255))));
}
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
@ -661,13 +705,20 @@ TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 3)));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 4)));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 5)));
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 5))));
EXPECT_FALSE(name_constraints->IsPermittedIP(
der::Input(IPAddress(255, 255, 255, 255))));
}
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
@ -679,12 +730,14 @@ TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
EXPECT_FALSE(
name_constraints->IsPermittedIP(fillins::IPAddress(0x7F, 0xFF, 0xFF, 0xFF)));
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(0x80, 0, 0, 0)));
name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
EXPECT_FALSE(name_constraints->IsPermittedIP(
der::Input(IPAddress(0x7F, 0xFF, 0xFF, 0xFF))));
EXPECT_TRUE(
name_constraints->IsPermittedIP(fillins::IPAddress(0xFF, 0xFF, 0xFF, 0xFF)));
name_constraints->IsPermittedIP(der::Input(IPAddress(0x80, 0, 0, 0))));
EXPECT_TRUE(name_constraints->IsPermittedIP(
der::Input(IPAddress(0xFF, 0xFF, 0xFF, 0xFF))));
}
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
@ -696,9 +749,12 @@ TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
EXPECT_TRUE(name_constraints->IsPermittedIP(
der::Input(IPAddress(255, 255, 255, 255))));
}
TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) {
@ -740,26 +796,30 @@ TEST_P(ParseNameConstraints, IPAddressesMapped) {
ASSERT_TRUE(name_constraints);
// 192.168.1.0/24 is a permitted subtree.
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 0)));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 0))));
// This does not cover ::ffff:192.168.1.0.
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0)));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0))));
// 192.168.1.1 is excluded.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
// ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2.
EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
EXPECT_TRUE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
// ::ffff:192.168.2.0/120 is a permitted subtree.
EXPECT_TRUE(name_constraints->IsPermittedIP(
fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0)));
EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0))));
// This does not cover 192.168.2.0.
EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 2, 0)));
EXPECT_FALSE(
name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 2, 0))));
// ::ffff:192.168.2.1 is excluded.
EXPECT_FALSE(name_constraints->IsPermittedIP(
fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1)));
EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1))));
// 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2.
EXPECT_TRUE(name_constraints->IsPermittedIP(
fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2)));
EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2))));
}
TEST_P(ParseNameConstraints, OtherNamesInPermitted) {

3
sources.cmake
Unescape View File

@ -354,12 +354,12 @@ set(
pki/encode_values.cc
pki/extended_key_usage.cc
pki/fillins/fillins_base64.cc
pki/fillins/ip_address.cc
pki/fillins/openssl_util.cc
pki/fillins/fillins_string_util.cc
pki/fillins/utf_string_conversions.cc
pki/general_names.cc
pki/input.cc
pki/ip_util.cc
pki/name_constraints.cc
pki/ocsp.cc
pki/ocsp_verify_result.cc
@ -396,6 +396,7 @@ set(
pki/fillins/path_service.cc
pki/general_names_unittest.cc
pki/input_unittest.cc
pki/ip_util_unittest.cc
pki/mock_signature_verify_cache.cc
pki/name_constraints_unittest.cc
pki/nist_pkits_unittest.cc

Write Preview
Loading…
Cancel
Save