traffic_selector supports RFC 3779 address range format
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 21 Dec 2009 20:28:45 +0000 (21:28 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 21 Dec 2009 20:29:01 +0000 (21:29 +0100)
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/selectors/traffic_selector.c
src/libstrongswan/selectors/traffic_selector.h

index f2f7db4..74a2967 100644 (file)
@@ -688,19 +688,60 @@ static const asn1Object_t ipAddrBlocksObjects[] = {
        { 0, "end loop",                                ASN1_EOC,                       ASN1_END                        }, /* 13 */
        { 0, "exit",                                    ASN1_EOC,                       ASN1_EXIT                       }
 };
-#define IP_ADDR_BLOCKS_FAMILY   2
-#define IP_ADDR_BLOCKS_INHERIT  3
-#define IP_ADDR_BLOCKS_PREFIX   6
-#define IP_ADDR_BLOCKS_MIN              9
-#define IP_ADDR_BLOCKS_MAX             10
+#define IP_ADDR_BLOCKS_FAMILY       2
+#define IP_ADDR_BLOCKS_INHERIT      3
+#define IP_ADDR_BLOCKS_PREFIX       6
+#define IP_ADDR_BLOCKS_MIN          9
+#define IP_ADDR_BLOCKS_MAX         10
+
+static bool check_address_object(ts_type_t ts_type, chunk_t object)
+{
+       switch (ts_type)
+       {
+               case TS_IPV4_ADDR_RANGE:
+                       if (object.len > 5)
+                       {
+                               DBG1("IPv4 address object is larger than 5 octets");
+                               return FALSE;
+                       }
+                       break;
+               case TS_IPV6_ADDR_RANGE:
+                       if (object.len > 17)
+                       {
+                               DBG1("IPv6 address object is larger than 17 octets");
+                               return FALSE;
+                       }
+                       break;
+               default:
+                       DBG1("unknown address family");
+                       return FALSE;
+       }
+       if (object.len == 0)
+       {
+               DBG1("An ASN.1 bit string must contain at least the initial octet");
+               return FALSE;
+       }
+       if (object.len == 1 && object.ptr[0] != 0)
+       {
+               DBG1("An empty ASN.1 bit string must contain a zero initial octet");
+               return FALSE;
+       }
+       if (object.ptr[0] > 7)
+       {
+               DBG1("number of unused bits is too large");
+               return FALSE;
+       }
+       return TRUE;
+}
 
 static void parse_ipAddrBlocks(chunk_t blob, int level0,
                                                           private_x509_cert_t *this)
 {
        asn1_parser_t *parser;
-       chunk_t object;
-       int objectID;
+       chunk_t object, min_object;
        ts_type_t ts_type;
+       traffic_selector_t *ts;
+       int objectID;
 
        parser = asn1_parser_create(ipAddrBlocksObjects, blob);
        parser->set_top_level(parser, level0);
@@ -721,6 +762,10 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
                                        {
                                                ts_type = TS_IPV6_ADDR_RANGE;
                                        }
+                                       else
+                                       {
+                                               break;
+                                       }
                                        DBG2("  %N", ts_type_name, ts_type);
                                }
                                break;
@@ -728,15 +773,38 @@ static void parse_ipAddrBlocks(chunk_t blob, int level0,
                                DBG1("inherit choice is not supported");
                                break;
                        case IP_ADDR_BLOCKS_PREFIX:
+                               if (!check_address_object(ts_type, object))
+                               {
+                                       goto end;
+                               }
+                               ts = traffic_selector_create_from_rfc3779_format(ts_type,
+                                                                                                       object, object);
+                               DBG2("  %R", ts);
+                               this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
                                break;
                        case IP_ADDR_BLOCKS_MIN:
+                               if (!check_address_object(ts_type, object))
+                               {
+                                       goto end;
+                               }
+                               min_object = object;
                                break;
                        case IP_ADDR_BLOCKS_MAX:
+                               if (!check_address_object(ts_type, object))
+                               {
+                                       goto end;
+                               }
+                               ts = traffic_selector_create_from_rfc3779_format(ts_type,
+                                                                                                       min_object, object);
+                               DBG2("  %R", ts);
+                               this->ipAddrBlocks->insert_last(this->ipAddrBlocks, ts);
                                break;
                        default:
                                break;
                }
        }
+
+end:
        parser->destroy(parser);
 }
 
index ef463e2..aa762e9 100644 (file)
@@ -25,6 +25,8 @@
 #include <utils/linked_list.h>
 #include <utils/identification.h>
 
+#define NON_SUBNET_ADDRESS_RANGE       255
+
 ENUM(ts_type_name, TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE,
        "TS_IPV4_ADDR_RANGE",
        "TS_IPV6_ADDR_RANGE",
@@ -59,6 +61,11 @@ struct private_traffic_selector_t {
        bool dynamic;
 
        /**
+        * subnet size in CIDR notation, 255 means a non-subnet address range 
+        */
+       u_int8_t netbits;
+
+       /**
         * begin of address range, network order
         */
        union {
@@ -94,17 +101,19 @@ struct private_traffic_selector_t {
 };
 
 /**
- * calculate to "to"-address for the "from" address and a subnet size
+ * calculate the "to"-address for the "from" address and a subnet size
  */
 static void calc_range(private_traffic_selector_t *this, u_int8_t netbits)
 {
        int byte;
        size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
 
+       this->netbits = netbits;
+       
        /* go through the from address, starting at the tail. While we
         * have not processed the bits belonging to the host, set them to 1 on
         * the to address. If we reach the bits for the net, copy them from "from". */
-       for (byte = size - 1; byte >=0; byte--)
+       for (byte = size - 1; byte >= 0; byte--)
        {
                u_char mask = 0x00;
                int shift;
@@ -124,28 +133,50 @@ static void calc_range(private_traffic_selector_t *this, u_int8_t netbits)
 }
 
 /**
- * calculate to subnet size from "to"- and "from"-address
+ * calculate the subnet size from the "to" and "from" addresses
  */
 static u_int8_t calc_netbits(private_traffic_selector_t *this)
 {
        int byte, bit;
+       u_int8_t netbits; 
        size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+       bool prefix = TRUE;
+       
+       /* a perfect match results in a single address with a /32 or /128 netmask */
+       netbits = (size * 8); 
+       this->netbits = netbits;
 
-       /* go trough all bits of the addresses, beginning in the front.
+       /* go through all bits of the addresses, beginning in the front.
         * as long as they are equal, the subnet gets larger
         */
        for (byte = 0; byte < size; byte++)
        {
                for (bit = 7; bit >= 0; bit--)
                {
-                       if ((1<<bit & this->from[byte]) != (1<<bit & this->to[byte]))
+                       u_int8_t bitmask = 1 << bit;
+
+                       if (prefix)
                        {
-                               return ((7 - bit) + (byte * 8));
+                               if ((bitmask & this->from[byte]) != (bitmask & this->to[byte]))
+                               {
+                                       /* store the common prefix which might be a true subnet */
+                                       netbits = (7 - bit) + (byte * 8);
+                                       this->netbits = netbits; 
+                                       prefix = FALSE;
+                               }
                        }
+                       else
+                       {
+                               if ((bitmask & this->from[byte]) || !(bitmask & this->to[byte]))
+                               {
+                                       this->netbits = NON_SUBNET_ADDRESS_RANGE;
+                                       return netbits;  /* return a pseudo subnet */
+
+                               }
+                       }                                       
                }
        }
-       /* single host, netmask is 32/128 */
-       return (size * 8);
+       return netbits;  /* return a true subnet */
 }
 
 /**
@@ -162,9 +193,9 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
        private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
        linked_list_t *list = *((linked_list_t**)(args[0]));
        iterator_t *iterator;
-       char addr_str[INET6_ADDRSTRLEN] = "";
+       char from_str[INET6_ADDRSTRLEN] = "";
+       char to_str[INET6_ADDRSTRLEN] = "";
        char *serv_proto = NULL;
-       u_int8_t mask;
        bool has_proto;
        bool has_ports;
        size_t written = 0;
@@ -199,14 +230,28 @@ int traffic_selector_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec
        {
                if (this->type == TS_IPV4_ADDR_RANGE)
                {
-                       inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+                       inet_ntop(AF_INET, &this->from4, from_str, sizeof(from_str));
+               }
+               else
+               {
+                       inet_ntop(AF_INET6, &this->from6, from_str, sizeof(from_str));
+               }
+               if (this->netbits == NON_SUBNET_ADDRESS_RANGE)
+               {
+                       if (this->type == TS_IPV4_ADDR_RANGE)
+                       {
+                               inet_ntop(AF_INET, &this->to4, to_str, sizeof(to_str));
+                       }
+                       else
+                       {
+                               inet_ntop(AF_INET6, &this->to6, to_str, sizeof(to_str));
+                       }
+                       written += print_in_hook(dst, len, "%s..%s", from_str, to_str);
                }
                else
                {
-                       inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+                       written += print_in_hook(dst, len, "%s/%d", from_str, this->netbits);
                }
-               mask = calc_netbits(this);
-               written += print_in_hook(dst, len, "%s/%d", addr_str, mask);
        }
 
        /* check if we have protocol and/or port selectors */
@@ -333,7 +378,7 @@ static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_
                new_ts->dynamic = this->dynamic || other->dynamic;
                memcpy(new_ts->from, from, size);
                memcpy(new_ts->to, to, size);
-
+               calc_netbits(new_ts);
                return &new_ts->public;
        }
        return NULL;
@@ -568,22 +613,16 @@ static void to_subnet(private_traffic_selector_t *this, host_t **net, u_int8_t *
        switch (this->type)
        {
                case TS_IPV4_ADDR_RANGE:
-               {
                        family = AF_INET;
                        net_chunk.len = sizeof(this->from4);
                        break;
-               }
                case TS_IPV6_ADDR_RANGE:
-               {
                        family = AF_INET6;
                        net_chunk.len = sizeof(this->from6);
                        break;
-               }
                default:
-               {
                        /* unreachable */
                        return;
-               }
        }
 
        net_chunk.ptr = malloc(net_chunk.len);
@@ -618,22 +657,16 @@ static traffic_selector_t *clone_(private_traffic_selector_t *this)
        switch (clone->type)
        {
                case TS_IPV4_ADDR_RANGE:
-               {
                        memcpy(clone->from4, this->from4, sizeof(this->from4));
                        memcpy(clone->to4, this->to4, sizeof(this->to4));
                        return &clone->public;
-               }
                case TS_IPV6_ADDR_RANGE:
-               {
                        memcpy(clone->from6, this->from6, sizeof(this->from6));
                        memcpy(clone->to6, this->to6, sizeof(this->to6));
                        return &clone->public;
-               }
                default:
-               {
                        /* unreachable */
                        return &clone->public;
-               }
        }
 }
 
@@ -659,7 +692,6 @@ traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
        switch (type)
        {
                case TS_IPV4_ADDR_RANGE:
-               {
                        if (from.len != 4 || to.len != 4)
                        {
                                free(this);
@@ -668,9 +700,7 @@ traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
                        memcpy(this->from4, from.ptr, from.len);
                        memcpy(this->to4, to.ptr, to.len);
                        break;
-               }
                case TS_IPV6_ADDR_RANGE:
-               {
                        if (from.len != 16 || to.len != 16)
                        {
                                free(this);
@@ -679,13 +709,49 @@ traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
                        memcpy(this->from6, from.ptr, from.len);
                        memcpy(this->to6, to.ptr, to.len);
                        break;
-               }
                default:
-               {
                        free(this);
                        return NULL;
-               }
        }
+       calc_netbits(this);
+       return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
+                                                                                               chunk_t from, chunk_t to)
+{
+       size_t len;
+       private_traffic_selector_t *this = traffic_selector_create(0, type, 0, 65535);
+
+       switch (type)
+       {
+               case TS_IPV4_ADDR_RANGE:
+                       len = 4;
+                       break;
+               case TS_IPV6_ADDR_RANGE:
+                       len = 16;
+                       break;
+               default:
+                       free(this);
+                       return NULL;
+       }
+       memset(this->from, 0x00, len);
+       memset(this->to  , 0xff, len);
+
+       if (from.len > 1)
+       {
+               memcpy(this->from, from.ptr+1, from.len-1);
+       }
+       if (to.len > 1)
+       {
+               memcpy(this->to, to.ptr+1, to.len-1);
+               this->to[to.len-2] |= to.ptr[0] ? (1 << to.ptr[0]) - 1 : 0;
+       }
+       this->netbits = chunk_equals(from, to) ? (from.len-1)*8 - from.ptr[0]
+                                                                                  : NON_SUBNET_ADDRESS_RANGE;
        return (&this->public);
 }
 
@@ -710,6 +776,7 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
                        {
                                /* use /0 for 0.0.0.0 */
                                this->to4[0] = ~0;
+                               this->netbits = 0;
                        }
                        else
                        {
@@ -732,6 +799,7 @@ traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
                                this->to6[1] = ~0;
                                this->to6[2] = ~0;
                                this->to6[3] = ~0;
+                               this->netbits = 0;
                        }
                        else
                        {
@@ -769,7 +837,6 @@ traffic_selector_t *traffic_selector_create_from_string(
        switch (type)
        {
                case TS_IPV4_ADDR_RANGE:
-               {
                        if (inet_pton(AF_INET, from_addr, (struct in_addr*)this->from4) < 0)
                        {
                                free(this);
@@ -781,9 +848,7 @@ traffic_selector_t *traffic_selector_create_from_string(
                                return NULL;
                        }
                        break;
-               }
                case TS_IPV6_ADDR_RANGE:
-               {
                        if (inet_pton(AF_INET6, from_addr, (struct in6_addr*)this->from6) < 0)
                        {
                                free(this);
@@ -795,8 +860,8 @@ traffic_selector_t *traffic_selector_create_from_string(
                                return NULL;
                        }
                        break;
-               }
        }
+       calc_netbits(this);
        return (&this->public);
 }
 
index 900212d..b5964b5 100644 (file)
@@ -239,9 +239,9 @@ traffic_selector_t *traffic_selector_create_from_string(
  *
  * @param protocol             protocol for this ts, such as TCP or UDP
  * @param type                 type of following addresses, such as TS_IPV4_ADDR_RANGE
- * @param from_address start of address range, network order
+ * @param from_addr            start of address range, network order
  * @param from_port            port number, host order
- * @param to_address   end of address range, network order
+ * @param to_addr              end of address range, network order
  * @param to_port              port number, host order
  * @return                             traffic_selector_t object
  */
@@ -251,6 +251,17 @@ traffic_selector_t *traffic_selector_create_from_bytes(
                                                                chunk_t to_address, u_int16_t to_port);
 
 /**
+ * Create a new traffic selector using the RFC 3779 ASN.1 min/max address format
+ *
+ * @param type                 type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_addr            start of address range in RFC 3779 ASN.1 BIT STRING format
+ * @param to_addr              end of address range in RFC 3779 ASN.1 BIT STRING format
+ * @return                             traffic_selector_t object
+ */
+traffic_selector_t *traffic_selector_create_from_rfc3779_format(ts_type_t type,
+                                                               chunk_t from_addr, chunk_t to_addr);
+
+/**
  * Create a new traffic selector defining a whole subnet.
  *
  * In most cases, definition of a traffic selector for full subnets