IP address range parsing

Author: nomick

openssl-sys/src/handwritten/x509_sbgp.rs

@@ -33,7 +33,155 @@ pub struct _ASIdentifiers {
     pub rdi: *mut ASIdentifierChoice,
 }
 
+#[repr(C)]
+pub struct IPAddressRange {
+    pub min: *mut ASN1_BIT_STRING,
+    pub max: *mut ASN1_BIT_STRING,
+}
+
+#[repr(C)]
+pub struct _IPAddressOrRange {
+    pub type_: c_int,
+    pub u: IPAddressOrRange_st_anon_union,
+}
+#[repr(C)]
+pub union IPAddressOrRange_st_anon_union {
+    pub addressPrefix: *mut ASN1_BIT_STRING,
+    pub addressRange: *mut IPAddressRange,
+}
+
+stack!(stack_st_IPAddressOrRange);
+type IPAddressOrRanges = stack_st_IPAddressOrRange;
+
+#[repr(C)]
+pub struct IPAddressChoice {
+    pub type_: c_int,
+    pub addressesOrRanges: *mut IPAddressOrRanges,
+}
+
+#[repr(C)]
+pub struct _IPAddressFamily {
+    pub addressFamily: *mut ASN1_OCTET_STRING,
+    pub ipAddressChoice: *mut IPAddressChoice,
+}
+
+stack!(stack_st_IPAddressFamily);
+type IPAddrBlocks = stack_st_IPAddressFamily;
+
 extern "C" {
     pub fn ASIdentifiers_free(asi: *mut _ASIdentifiers);
     pub fn ASIdOrRange_free(asi: *mut _ASIdOrRange);
+    pub fn IPAddressFamily_free(asi: *mut _IPAddressFamily);
+    pub fn IPAddressOrRange_free(asi: *mut _IPAddressOrRange);
+}
+
+pub fn X509v3_addr_get_afi(f: *mut _IPAddressFamily) -> c_int {
+    unsafe {
+        if f.is_null() {
+            0
+        } else {
+            let d = (*f).addressFamily as *mut ASN1_STRING;
+            if d.is_null() || ASN1_STRING_length(d) < 2 || ASN1_STRING_get0_data(d).is_null() {
+                0
+            } else {
+                let raw = ASN1_STRING_get0_data(d);
+                ((*raw.offset(0) as i32) << 8) | *raw.offset(1) as i32
+            }
+        }
+    }
+}
+
+fn length_from_afi(afi: c_int) -> isize {
+    match afi {
+        IANA_AFI_IPV4 => 4,
+        IANA_AFI_IPV6 => 16,
+        _ => 0,
+    }
+}
+
+struct ASN1_STRING_internal {
+    length: c_int,
+    type_: c_int,
+    data: *mut u8,
+    /*
+     * The value of the following field depends on the type being held.  It
+     * is mostly being used for BIT_STRING so if the input data has a
+     * non-zero 'unused bits' value, it will be handled correctly
+     */
+    flags: c_int,
+}
+/*
+ * Expand the bitstring form of an address into a raw byte array.
+ * At the moment this is coded for simplicity, not speed.
+ */
+fn addr_expand(addr: *mut u8, bs: *const ASN1_BIT_STRING, length: isize, fill: u8) -> bool {
+    unsafe {
+        let str = bs as *mut ASN1_STRING;
+        let str_len = ASN1_STRING_length(str);
+        if str_len < 0 || str_len as isize > length {
+            return false;
+        }
+
+        if str_len > 0 {
+            // copy bytes
+            let d = ASN1_STRING_get0_data(str);
+            for i in 0..(str_len as isize) {
+                *addr.offset(i) = *d.offset(i);
+            }
+
+            let internal_str = bs as *mut ASN1_STRING_internal;
+            if ((*internal_str).flags & 7) != 0 {
+                let mask = 0xFF >> (8 - ((*internal_str).flags & 7));
+                let val = if fill == 0 {
+                    *d.offset(str_len as isize - 1) & !mask
+                } else {
+                    *d.offset(str_len as isize - 1) | mask
+                };
+                *addr.offset(str_len as isize - 1) = val;
+            }
+        }
+
+        // fill up bytes
+        for i in (str_len as isize)..(length as isize) {
+            *addr.offset(i) = fill;
+        }
+    }
+
+    true
+}
+
+/*
+ * Extract min and max values from an IPAddressOrRange.
+ */
+fn extract_min_max(aor: *mut _IPAddressOrRange, min: *mut u8, max: *mut u8, length: isize) -> bool {
+    unsafe {
+        match (*aor).type_ {
+            IPAddressOrRange_addressPrefix => {
+                return addr_expand(min, (*aor).u.addressPrefix, length, 0x00)
+                    && addr_expand(max, (*aor).u.addressPrefix, length, 0xFF)
+            }
+            IPAddressOrRange_addressRange => {
+                return addr_expand(min, (*(*aor).u.addressRange).min, length, 0x00)
+                    && addr_expand(max, (*(*aor).u.addressRange).max, length, 0xFF)
+            }
+            _ => false,
+        }
+    }
+}
+
+pub fn X509v3_addr_get_range(
+    aor: *mut _IPAddressOrRange,
+    afi: c_int,
+    min: *mut u8,
+    max: *mut u8,
+    length: isize,
+) -> isize {
+    let afi_length = length_from_afi(afi);
+    if aor.is_null() || min.is_null() || max.is_null() || afi_length == 0 || length < afi_length {
+        return 0;
+    }
+    if !extract_min_max(aor, min, max, afi_length) {
+        return 0;
+    }
+    afi_length
 }

openssl-sys/src/x509_sbgp.rs

@@ -7,3 +7,12 @@ pub const ASIdOrRange_range: c_int = 1;
 
 pub const ASIdentifierChoice_inherit: c_int = 0;
 pub const ASIdentifierChoice_asIdsOrRanges: c_int = 1;
+
+pub const IPAddressOrRange_addressPrefix: c_int = 0;
+pub const IPAddressOrRange_addressRange: c_int = 1;
+
+pub const IPAddressChoice_inherit: c_int = 0;
+pub const IPAddressChoice_addressesOrRanges: c_int = 1;
+
+pub const IANA_AFI_IPV4: c_int = 1;
+pub const IANA_AFI_IPV6: c_int = 2;

openssl/src/x509/sbgp.rs

@@ -1,12 +1,15 @@
+use std::mem::MaybeUninit;
+
 use ffi::{
     ASIdOrRange_id, ASIdOrRange_range, ASIdentifierChoice_asIdsOrRanges,
-    ASIdentifierChoice_inherit, ASN1_INTEGER,
+    ASIdentifierChoice_inherit, IPAddressChoice_addressesOrRanges, X509v3_addr_get_afi,
+    X509v3_addr_get_range, ASN1_INTEGER, IANA_AFI_IPV4, IANA_AFI_IPV6,
 };
 use foreign_types::{ForeignType, ForeignTypeRef};
 
 use crate::{
     asn1::Asn1IntegerRef,
-    stack::{StackRef, Stackable},
+    stack::{Stack, StackRef, Stackable},
     util::{ForeignTypeExt, ForeignTypeRefExt},
 };
 
@@ -47,25 +50,27 @@ impl ASIdentifiers {
 
     pub fn ranges(&self) -> Option<Vec<(u32, u32)>> {
         let mut r = Vec::new();
+        let asptr = self.0;
         unsafe {
-            let asptr = self.0;
             let asnum = (*asptr).asnum;
-            if (*asnum).type_ == ASIdentifierChoice_asIdsOrRanges {
-                if let Some(s) = StackRef::<ASIdOrRange>::from_const_ptr_opt((*asnum).asIdsOrRanges)
-                {
-                    for a_ptr in s {
-                        let a = a_ptr.as_ptr();
-                        if (*a).type_ == ASIdOrRange_id {
-                            let asn = Self::parse_asn1_integer((*a).u.id)?;
-                            r.push((asn, asn));
-                        } else if (*a).type_ == ASIdOrRange_range {
-                            let range = (*a).u.range;
-                            let asn1 = Self::parse_asn1_integer((*range).min)?;
-                            let asn2 = Self::parse_asn1_integer((*range).max)?;
-                            r.push((asn1, asn2));
-                        }
+            if (*asnum).type_ != ASIdentifierChoice_asIdsOrRanges {
+                return None;
+            }
+            if let Some(s) = StackRef::<ASIdOrRange>::from_const_ptr_opt((*asnum).asIdsOrRanges) {
+                for a_ptr in s {
+                    let a = a_ptr.as_ptr();
+                    if (*a).type_ == ASIdOrRange_id {
+                        let asn = Self::parse_asn1_integer((*a).u.id)?;
+                        r.push((asn, asn));
+                    } else if (*a).type_ == ASIdOrRange_range {
+                        let range = (*a).u.range;
+                        let asn1 = Self::parse_asn1_integer((*range).min)?;
+                        let asn2 = Self::parse_asn1_integer((*range).max)?;
+                        r.push((asn1, asn2));
                     }
                 }
+            } else {
+                return None;
             }
         }
         Some(r)
@@ -80,11 +85,105 @@ impl ASIdentifiers {
     }
 }
 
-pub trait ExtractASN {
+foreign_type_and_impl_send_sync! {
+    type CType = ffi::_IPAddressOrRange;
+    fn drop = ffi::IPAddressOrRange_free;
+
+    /// The AS number extension of an `X509` certificate.
+    pub struct IPAddressOrRange;
+    /// Reference to `IPAddressOrRange`.
+    pub struct IPAddressOrRangeRef;
+}
+
+impl Stackable for IPAddressOrRange {
+    type StackType = ffi::stack_st_IPAddressOrRange;
+}
+
+foreign_type_and_impl_send_sync! {
+    type CType = ffi::_IPAddressFamily;
+    fn drop = ffi::IPAddressFamily_free;
+
+    /// The AS number extension of an `X509` certificate.
+    pub struct IPAddressFamily;
+    /// Reference to `IPAddressFamily`.
+    pub struct IPAddressFamilyRef;
+}
+
+impl Stackable for IPAddressFamily {
+    type StackType = ffi::stack_st_IPAddressFamily;
+}
+
+#[derive(PartialEq, Eq, Debug)]
+pub enum IPVersion {
+    V4,
+    V6,
+}
+
+impl IPAddressFamily {
+    pub fn fam(&self) -> Option<IPVersion> {
+        let ptr = self.0;
+        match X509v3_addr_get_afi(ptr) {
+            IANA_AFI_IPV4 => Some(IPVersion::V4),
+            IANA_AFI_IPV6 => Some(IPVersion::V6),
+            _ => None,
+        }
+    }
+
+    pub fn range(&self) -> Option<Vec<(std::net::IpAddr, std::net::IpAddr)>> {
+        let ptr = self.0;
+        let mut r = Vec::new();
+        unsafe {
+            let choice = (*ptr).ipAddressChoice;
+            if (*choice).type_ != IPAddressChoice_addressesOrRanges {
+                return None;
+            }
+            let stack =
+                StackRef::<IPAddressOrRange>::from_const_ptr_opt((*choice).addressesOrRanges)?;
+            for e in stack {
+                let mut min = MaybeUninit::<[u8; 16]>::uninit();
+                let mut max = MaybeUninit::<[u8; 16]>::uninit();
+                let size = X509v3_addr_get_range(
+                    e.as_ptr(),
+                    X509v3_addr_get_afi(ptr),
+                    min.as_mut_ptr() as *mut u8,
+                    max.as_mut_ptr() as *mut u8,
+                    16,
+                );
+                r.push((
+                    Self::data_to_ip_addr(min.assume_init(), size)?,
+                    Self::data_to_ip_addr(max.assume_init(), size)?,
+                ))
+            }
+        }
+        Some(r)
+    }
+
+    fn data_to_ip_addr(data: [u8; 16], len: isize) -> Option<std::net::IpAddr> {
+        match len {
+            4 => Some(std::net::IpAddr::V4(std::net::Ipv4Addr::new(
+                data[0], data[1], data[2], data[3],
+            ))),
+            16 => Some(std::net::IpAddr::V6(std::net::Ipv6Addr::new(
+                (data[0] as u16) << 8 | data[1] as u16,
+                (data[2] as u16) << 8 | data[3] as u16,
+                (data[4] as u16) << 8 | data[5] as u16,
+                (data[6] as u16) << 8 | data[7] as u16,
+                (data[8] as u16) << 8 | data[9] as u16,
+                (data[10] as u16) << 8 | data[11] as u16,
+                (data[12] as u16) << 8 | data[13] as u16,
+                (data[14] as u16) << 8 | data[15] as u16,
+            ))),
+            _ => None,
+        }
+    }
+}
+
+pub trait ExtractSBGPInfo {
     fn asn(&self) -> Option<ASIdentifiers>;
+    fn ip_addresses(&self) -> Option<Stack<IPAddressFamily>>;
 }
 
-impl ExtractASN for X509 {
+impl ExtractSBGPInfo for X509 {
     fn asn(&self) -> Option<ASIdentifiers> {
         unsafe {
             let asn = ffi::X509_get_ext_d2i(
@@ -96,4 +195,16 @@ impl ExtractASN for X509 {
             ASIdentifiers::from_ptr_opt(asn as *mut _)
         }
     }
+
+    fn ip_addresses(&self) -> Option<Stack<IPAddressFamily>> {
+        unsafe {
+            let asn = ffi::X509_get_ext_d2i(
+                self.as_ptr(),
+                ffi::NID_sbgp_ipAddrBlock,
+                std::ptr::null_mut(),
+                std::ptr::null_mut(),
+            );
+            Stack::from_ptr_opt(asn as *mut _)
+        }
+    }
 }