Sync pki to chromium 1ef93e346424a24fa27ee55a36254b6ee0f96e86
Bug: chromium:1322914
Change-Id: Ic9b93a733290c40ac7c64e67d1e4f611f2f8b46c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/62966
Auto-Submit: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/pki/fillins/ip_address.cc b/pki/fillins/ip_address.cc
deleted file mode 100644
index f93df77..0000000
--- a/pki/fillins/ip_address.cc
+++ /dev/null
@@ -1,171 +0,0 @@
-// Copyright 2023 The Chromium Authors
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "ip_address.h"
-
-#include <stdlib.h>
-#include <string.h>
-#include <climits>
-
-#include <openssl/base.h>
-
-namespace bssl {
-
-namespace fillins {
-
-IPAddress::IPAddress() {}
-
-IPAddress::IPAddress(const uint8_t *address, size_t address_len)
- : addr_(reinterpret_cast<const char *>(address), address_len) {}
-
-IPAddress::IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) {
- addr_.reserve(4);
- addr_.push_back(b0);
- addr_.push_back(b1);
- addr_.push_back(b2);
- addr_.push_back(b3);
-}
-
-IPAddress::IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3, uint8_t b4,
- uint8_t b5, uint8_t b6, uint8_t b7, uint8_t b8, uint8_t b9,
- uint8_t b10, uint8_t b11, uint8_t b12, uint8_t b13,
- uint8_t b14, uint8_t b15) {
- addr_.reserve(16);
- addr_.push_back(b0);
- addr_.push_back(b1);
- addr_.push_back(b2);
- addr_.push_back(b3);
- addr_.push_back(b4);
- addr_.push_back(b5);
- addr_.push_back(b6);
- addr_.push_back(b7);
- addr_.push_back(b8);
- addr_.push_back(b9);
- addr_.push_back(b10);
- addr_.push_back(b11);
- addr_.push_back(b12);
- addr_.push_back(b13);
- addr_.push_back(b14);
- addr_.push_back(b15);
-}
-
-// static
-IPAddress IPAddress::AllZeros(size_t num_zero_bytes) {
- BSSL_CHECK(num_zero_bytes <= 16u);
- IPAddress result;
- result.addr_.reserve(num_zero_bytes);
- for (size_t i = 0; i < num_zero_bytes; ++i) {
- result.addr_.push_back(0u);
- }
- return result;
-}
-
-// static
-IPAddress IPAddress::IPv4AllZeros() { return AllZeros(kIPv4AddressSize); }
-
-bool IPAddress::IsIPv4() const { return addr_.size() == kIPv4AddressSize; }
-
-bool IPAddress::IsIPv6() const { return addr_.size() == kIPv6AddressSize; }
-
-bool IPAddress::IsValid() const { return IsIPv4() || IsIPv6(); }
-
-const uint8_t *IPAddress::data() const {
- return reinterpret_cast<const uint8_t *>(addr_.data());
-}
-
-size_t IPAddress::size() const { return addr_.size(); }
-
-const IPAddressBytes &IPAddress::bytes() const { return addr_; }
-
-static IPAddress ConvertIPv4ToIPv4MappedIPv6(const IPAddress &address) {
- BSSL_CHECK(address.IsIPv4());
- // IPv4-mapped addresses are formed by:
- // <80 bits of zeros> + <16 bits of ones> + <32-bit IPv4 address>.
- uint8_t bytes[16];
- memset(bytes, 0, 10);
- memset(bytes + 10, 0xff, 2);
- memcpy(bytes + 12, address.data(), address.size());
- return IPAddress(bytes, sizeof(bytes));
-}
-
-// Note that this function assumes:
-// * |ip_address| is at least |prefix_length_in_bits| (bits) long;
-// * |ip_prefix| is at least |prefix_length_in_bits| (bits) long.
-static bool IPAddressPrefixCheck(const uint8_t *ip_address,
- const uint8_t *ip_prefix,
- size_t prefix_length_in_bits) {
- // Compare all the bytes that fall entirely within the prefix.
- size_t num_entire_bytes_in_prefix = prefix_length_in_bits / 8;
- for (size_t i = 0; i < num_entire_bytes_in_prefix; ++i) {
- if (ip_address[i] != ip_prefix[i]) {
- return false;
- }
- }
-
- // In case the prefix was not a multiple of 8, there will be 1 byte
- // which is only partially masked.
- size_t remaining_bits = prefix_length_in_bits % 8;
- if (remaining_bits != 0) {
- uint8_t mask = 0xFF << (8 - remaining_bits);
- size_t i = num_entire_bytes_in_prefix;
- if ((ip_address[i] & mask) != (ip_prefix[i] & mask)) {
- return false;
- }
- }
-
- return true;
-}
-
-bool IPAddressMatchesPrefix(const IPAddress &ip_address,
- const IPAddress &ip_prefix,
- size_t prefix_length_in_bits) {
- // Both the input IP address and the prefix IP address should be either IPv4
- // or IPv6.
- BSSL_CHECK(ip_address.IsValid());
- BSSL_CHECK(ip_prefix.IsValid());
-
- BSSL_CHECK(prefix_length_in_bits <= ip_prefix.size() * 8);
-
- // In case we have an IPv6 / IPv4 mismatch, convert the IPv4 addresses to
- // IPv6 addresses in order to do the comparison.
- if (ip_address.size() != ip_prefix.size()) {
- if (ip_address.IsIPv4()) {
- return IPAddressMatchesPrefix(ConvertIPv4ToIPv4MappedIPv6(ip_address),
- ip_prefix, prefix_length_in_bits);
- }
- return IPAddressMatchesPrefix(ip_address,
- ConvertIPv4ToIPv4MappedIPv6(ip_prefix),
- 96 + prefix_length_in_bits);
- }
-
- return IPAddressPrefixCheck(ip_address.data(), ip_prefix.data(),
- prefix_length_in_bits);
-}
-
-static unsigned CommonPrefixLength(const IPAddress &a1, const IPAddress &a2) {
- BSSL_CHECK(a1.size() == a2.size());
- for (size_t i = 0; i < a1.size(); ++i) {
- uint8_t diff = a1.bytes()[i] ^ a2.bytes()[i];
- if (!diff)
- continue;
- for (unsigned j = 0; j < CHAR_BIT; ++j) {
- if (diff & (1 << (CHAR_BIT - 1)))
- return i * CHAR_BIT + j;
- diff <<= 1;
- }
- abort();
- }
- return a1.size() * CHAR_BIT;
-}
-
-unsigned MaskPrefixLength(const IPAddress &mask) {
- uint8_t all_ones[16];
- const size_t mask_len = std::min(mask.size(), sizeof(all_ones));
- memset(all_ones, 0xff, mask_len);
- return CommonPrefixLength(mask, IPAddress(all_ones, mask_len));
-}
-
-} // namespace fillins
-
-} // namespace bssl
diff --git a/pki/fillins/ip_address.h b/pki/fillins/ip_address.h
deleted file mode 100644
index 1a92adc..0000000
--- a/pki/fillins/ip_address.h
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright 2023 The Chromium Authors
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BSSL_FILLINS_IP_ADDRESS
-#define BSSL_FILLINS_IP_ADDRESS
-
-#include <openssl/base.h>
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <string>
-
-namespace bssl {
-
-namespace fillins {
-
-typedef std::string IPAddressBytes;
-
-class OPENSSL_EXPORT IPAddress {
- public:
- enum : size_t { kIPv4AddressSize = 4, kIPv6AddressSize = 16 };
-
- IPAddress();
- IPAddress(const uint8_t *address, size_t address_len);
- IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3);
- IPAddress(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3,
- uint8_t b4, uint8_t b5, uint8_t b6, uint8_t b7,
- uint8_t b8, uint8_t b9, uint8_t b10, uint8_t b11,
- uint8_t b12, uint8_t b13, uint8_t b14, uint8_t b15);
-
- static IPAddress IPv4AllZeros();
-
- bool IsIPv4() const;
- bool IsIPv6() const;
- bool IsValid() const;
-
- const uint8_t *data() const;
- size_t size() const;
- const IPAddressBytes &bytes() const;
-
- bool operator==(const IPAddress &other) const {
- return addr_ == other.addr_;
- }
-
- private:
- static IPAddress AllZeros(size_t num_zero_bytes);
- std::string addr_;
-};
-
-OPENSSL_EXPORT bool IPAddressMatchesPrefix(const IPAddress &ip_address,
- const IPAddress &ip_prefix,
- size_t prefix_length_in_bits);
-
-OPENSSL_EXPORT unsigned MaskPrefixLength(const IPAddress &mask);
-
-} // namespace fillins
-
-} // namespace bssl
-
-#endif // BSSL_FILLINS_IP_ADDRESS
diff --git a/pki/general_names.cc b/pki/general_names.cc
index 818356e..2ffb24b 100644
--- a/pki/general_names.cc
+++ b/pki/general_names.cc
@@ -11,6 +11,7 @@
#include "cert_error_params.h"
#include "cert_errors.h"
+#include "ip_util.h"
#include "string_util.h"
#include "input.h"
#include "parser.h"
@@ -36,29 +37,6 @@
DEFINE_CERT_ERROR_ID(kFailedReadingGeneralName,
"Failed reading GeneralName TLV");
-// Return true if the bitmask |mask| contains only zeros after the first
-// |prefix_length| bits.
-bool IsSuffixZero(const fillins::IPAddressBytes& mask, unsigned prefix_length) {
- size_t zero_bits = mask.size() * CHAR_BIT - prefix_length;
- size_t zero_bytes = zero_bits / CHAR_BIT;
- // We allocate the vector one byte bigger than needed to ensure there is a
- // valid pointer to pass to memcmp for a zero length comparison.
- std::vector<uint8_t> zeros(zero_bytes + 1, 0);
- if (memcmp(zeros.data(), mask.data() + mask.size() - zero_bytes,
- zero_bytes)) {
- return false;
- }
- size_t leftover_bits = zero_bits % CHAR_BIT;
- if (leftover_bits) {
- uint8_t b = mask[mask.size() - zero_bytes - 1];
- for (size_t i = 0; i < leftover_bits; ++i) {
- if (b & (1 << i))
- return false;
- }
- }
- return true;
-}
-
} // namespace
GeneralNames::GeneralNames() = default;
@@ -193,12 +171,12 @@
// version 4, as specified in [RFC791], the octet string MUST contain
// exactly four octets. For IP version 6, as specified in [RFC2460],
// the octet string MUST contain exactly sixteen octets.
- if ((value.Length() != fillins::IPAddress::kIPv4AddressSize &&
- value.Length() != fillins::IPAddress::kIPv6AddressSize)) {
+ if ((value.Length() != kIPv4AddressSize &&
+ value.Length() != kIPv6AddressSize)) {
errors->AddError(kFailedParsingIp);
return false;
}
- subtrees->ip_addresses.emplace_back(value.UnsafeData(), value.Length());
+ subtrees->ip_addresses.push_back(value);
} else {
BSSL_CHECK(ip_address_type == GeneralNames::IP_ADDRESS_AND_NETMASK);
// RFC 5280 section 4.2.1.10:
@@ -211,21 +189,19 @@
// constraint for "class C" subnet 192.0.2.0 is represented as the
// octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
// 192.0.2.0/24 (mask 255.255.255.0).
- if (value.Length() != fillins::IPAddress::kIPv4AddressSize * 2 &&
- value.Length() != fillins::IPAddress::kIPv6AddressSize * 2) {
+ if (value.Length() != kIPv4AddressSize * 2 &&
+ value.Length() != kIPv6AddressSize * 2) {
errors->AddError(kFailedParsingIp);
return false;
}
- const fillins::IPAddress mask(value.UnsafeData() + value.Length() / 2,
- value.Length() / 2);
- const unsigned mask_prefix_length = MaskPrefixLength(mask);
- if (!IsSuffixZero(mask.bytes(), mask_prefix_length)) {
+ der::Input addr(value.UnsafeData(), value.Length() / 2);
+ der::Input mask(value.UnsafeData() + value.Length() / 2,
+ value.Length() / 2);
+ if (!IsValidNetmask(mask)) {
errors->AddError(kFailedParsingIp);
return false;
}
- subtrees->ip_address_ranges.emplace_back(
- fillins::IPAddress(value.UnsafeData(), value.Length() / 2),
- mask_prefix_length);
+ subtrees->ip_address_ranges.emplace_back(addr, mask);
}
} else if (tag == der::ContextSpecificPrimitive(8)) {
// registeredID [8] OBJECT IDENTIFIER }
diff --git a/pki/general_names.h b/pki/general_names.h
index b9aa0ce..75833b0 100644
--- a/pki/general_names.h
+++ b/pki/general_names.h
@@ -9,7 +9,6 @@
#include <memory>
#include <vector>
-#include "fillins/ip_address.h"
#include "cert_error_id.h"
@@ -94,12 +93,21 @@
std::vector<std::string_view> uniform_resource_identifiers;
// iPAddresses as sequences of octets in network byte order. This will be
- // populated if the GeneralNames represents a Subject Alternative Name.
- std::vector<fillins::IPAddress> ip_addresses;
+ // populated if the GeneralNames represents a Subject Alternative Name. Each
+ // address is guaranteed to be either 4 bytes (IPv4) or 16 bytes (IPv6) long.
+ std::vector<der::Input> ip_addresses;
- // iPAddress ranges, as <IP, prefix length> pairs. This will be populated
- // if the GeneralNames represents a Name Constraints.
- std::vector<std::pair<fillins::IPAddress, unsigned>> ip_address_ranges;
+ // iPAddress ranges, as <IP, mask> pairs. This will be populated
+ // if the GeneralNames represents a Name Constraints. Each address is
+ // guaranteed to be either 4 bytes (IPv4) or 16 bytes (IPv6) long. The mask
+ // half is guaranteed to be the same size, and consist of some number of 1
+ // bits, followed by some number of 0 bits.
+ //
+ // WARNING: It is not guaranteed that the masked portions of the address are
+ // zero.
+ //
+ // TODO(davidben): Should addresses with non-zero masked portions be rejected?
+ std::vector<std::pair<der::Input, der::Input>> ip_address_ranges;
// DER-encoded OBJECT IDENTIFIERs.
std::vector<der::Input> registered_ids;
diff --git a/pki/general_names_unittest.cc b/pki/general_names_unittest.cc
index 2c04e7b..a3e5368 100644
--- a/pki/general_names_unittest.cc
+++ b/pki/general_names_unittest.cc
@@ -182,7 +182,8 @@
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->ip_addresses.size());
- EXPECT_EQ(fillins::IPAddress(192, 168, 6, 7), general_names->ip_addresses[0]);
+ static const uint8_t kIP[] = {192, 168, 6, 7};
+ EXPECT_EQ(der::Input(kIP), general_names->ip_addresses[0]);
EXPECT_EQ(0U, general_names->ip_address_ranges.size());
}
@@ -196,9 +197,9 @@
ASSERT_TRUE(general_names);
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, general_names->present_name_types);
ASSERT_EQ(1U, general_names->ip_addresses.size());
- EXPECT_EQ(
- fillins::IPAddress(0xFE, 0x80, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14),
- general_names->ip_addresses[0]);
+ static const uint8_t kIP[] = {0xFE, 0x80, 1, 2, 3, 4, 5, 6,
+ 7, 8, 9, 10, 11, 12, 13, 14};
+ EXPECT_EQ(der::Input(kIP), general_names->ip_addresses[0]);
EXPECT_EQ(0U, general_names->ip_address_ranges.size());
}
diff --git a/pki/import_spec.json b/pki/import_spec.json
index 129f9fa..2fc97e5 100644
--- a/pki/import_spec.json
+++ b/pki/import_spec.json
@@ -51,16 +51,6 @@
"replace": ""},
{"match": "^#include \"crypto/openssl_util.h\"",
"replace": "#include \"fillins/openssl_util.h\""},
- {"match": "^#include \"net/base/ip_address.h\"",
- "replace": "#include \"fillins/ip_address.h\"",
- "using": ["bssl::fillins::IPAddress",
- "bssl::fillins::IPAddressBytes"]},
- {"match": "\\bIPAddressMatchesPrefix\\b",
- "replace": "fillins::IPAddressMatchesPrefix"},
- {"match": "\\bIPAddressBytes\\b",
- "replace": "fillins::IPAddressBytes"},
- {"match": "\\bIPAddress\\b",
- "replace": "fillins::IPAddress"},
{"match": "\"net/data/",
"replace": "\"testdata/"},
{"match": "\"net/third_party/nist-pkits",
@@ -266,6 +256,9 @@
"net/cert/pki/general_names.h",
"net/cert/pki/general_names.cc",
"net/cert/pki/general_names_unittest.cc",
+ "net/cert/pki/ip_util.h",
+ "net/cert/pki/ip_util.cc",
+ "net/cert/pki/ip_util_unittest.cc",
"net/cert/pki/mock_signature_verify_cache.h",
"net/cert/pki/mock_signature_verify_cache.cc",
"net/cert/pki/name_constraints.cc",
diff --git a/pki/ip_util.cc b/pki/ip_util.cc
new file mode 100644
index 0000000..75b77ca
--- /dev/null
+++ b/pki/ip_util.cc
@@ -0,0 +1,50 @@
+// Copyright 2023 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "ip_util.h"
+
+namespace bssl {
+
+bool IsValidNetmask(der::Input mask) {
+ if (mask.Length() != kIPv4AddressSize && mask.Length() != kIPv6AddressSize) {
+ return false;
+ }
+
+ for (size_t i = 0; i < mask.Length(); i++) {
+ uint8_t b = mask[i];
+ if (b != 0xff) {
+ // b must be all ones followed by all zeros, so ~b must be all zeros
+ // followed by all ones.
+ uint8_t inv = ~b;
+ if ((inv & (inv + 1)) != 0) {
+ return false;
+ }
+ // The remaining bytes must be all zeros.
+ for (size_t j = i + 1; j < mask.Length(); j++) {
+ if (mask[j] != 0) {
+ return false;
+ }
+ }
+ return true;
+ }
+ }
+
+ return true;
+}
+
+bool IPAddressMatchesWithNetmask(der::Input addr1,
+ der::Input addr2,
+ der::Input mask) {
+ if (addr1.Length() != addr2.Length() || addr1.Length() != mask.Length()) {
+ return false;
+ }
+ for (size_t i = 0; i < addr1.Length(); i++) {
+ if ((addr1[i] & mask[i]) != (addr2[i] & mask[i])) {
+ return false;
+ }
+ }
+ return true;
+}
+
+} // namespace net
diff --git a/pki/ip_util.h b/pki/ip_util.h
new file mode 100644
index 0000000..a29f6e9
--- /dev/null
+++ b/pki/ip_util.h
@@ -0,0 +1,29 @@
+// Copyright 2023 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef BSSL_PKI_IP_UTIL_H_
+#define BSSL_PKI_IP_UTIL_H_
+
+#include "fillins/openssl_util.h"
+
+#include "input.h"
+
+namespace bssl {
+
+inline constexpr size_t kIPv4AddressSize = 4;
+inline constexpr size_t kIPv6AddressSize = 16;
+
+// Returns whether `mask` is a valid netmask. I.e., whether it the length of an
+// IPv4 or IPv6 address, and is some number of ones, followed by some number of
+// zeros.
+OPENSSL_EXPORT bool IsValidNetmask(der::Input mask);
+
+// Returns whether `addr1` and `addr2` are equal under the netmask `mask`.
+OPENSSL_EXPORT bool IPAddressMatchesWithNetmask(der::Input addr1,
+ der::Input addr2,
+ der::Input mask);
+
+} // namespace net
+
+#endif // BSSL_PKI_IP_UTIL_H_
diff --git a/pki/ip_util_unittest.cc b/pki/ip_util_unittest.cc
new file mode 100644
index 0000000..8ec7452
--- /dev/null
+++ b/pki/ip_util_unittest.cc
@@ -0,0 +1,107 @@
+// Copyright 2023 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "ip_util.h"
+
+#include <string.h>
+
+#include "input.h"
+#include <gtest/gtest.h>
+
+namespace bssl {
+
+TEST(IPUtilTest, IsValidNetmask) {
+ uint8_t kWrongSize[3] = {0xff, 0xff, 0xff};
+ EXPECT_FALSE(IsValidNetmask(der::Input(kWrongSize)));
+
+ // All zeros is a valid netmask.
+ uint8_t kZeroIPv4[4] = {0};
+ EXPECT_TRUE(IsValidNetmask(der::Input(kZeroIPv4)));
+ uint8_t kZeroIPv6[16] = {0};
+ EXPECT_TRUE(IsValidNetmask(der::Input(kZeroIPv6)));
+
+ // Test all valid non-zero IPv4 netmasks.
+ for (int i = 0; i < 4; i++) {
+ uint8_t addr[4] = {0};
+ memset(addr, 0xff, i);
+ for (int shift = 0; shift < 8; shift++) {
+ addr[i] = 0xff << shift;
+ EXPECT_TRUE(IsValidNetmask(der::Input(addr)));
+ }
+ }
+
+ // Test all valid non-zero IPv6 netmasks.
+ for (int i = 0; i < 16; i++) {
+ uint8_t addr[16] = {0};
+ memset(addr, 0xff, i);
+ for (int shift = 0; shift < 8; shift++) {
+ addr[i] = 0xff << shift;
+ EXPECT_TRUE(IsValidNetmask(der::Input(addr)));
+ }
+ }
+
+ // Error within a byte.
+ uint8_t kInvalidIPv4[4] = {0xff, 0xff, 0x81, 0x00};
+ EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv4)));
+ uint8_t kInvalidIPv6[16] = {0xff, 0xff, 0x81, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+ EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv6)));
+
+ // Error at the end.
+ uint8_t kInvalidIPv4_2[4] = {0xff, 0xff, 0x80, 0x01};
+ EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv4_2)));
+ uint8_t kInvalidIPv6_2[16] = {0xff, 0xff, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01};
+ EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv6_2)));
+
+ // Leading zero.
+ uint8_t kInvalidIPv4_3[4] = {0x00, 0xff, 0x80, 0x00};
+ EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv4_3)));
+ uint8_t kInvalidIPv6_3[16] = {0x00, 0xff, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01};
+ EXPECT_FALSE(IsValidNetmask(der::Input(kInvalidIPv6_3)));
+}
+
+TEST(IPUtilTest, IPAddressMatchesWithNetmask) {
+ // Under a zero mask, any two addresses are equal.
+ {
+ uint8_t kMask[4] = {0};
+ uint8_t kAddr1[4] = {1, 2, 3, 4};
+ uint8_t kAddr2[4] = {255, 254, 253, 252};
+ EXPECT_TRUE(IPAddressMatchesWithNetmask(
+ der::Input(kAddr1), der::Input(kAddr1), der::Input(kMask)));
+ EXPECT_TRUE(IPAddressMatchesWithNetmask(
+ der::Input(kAddr1), der::Input(kAddr2), der::Input(kMask)));
+ }
+
+ // Under an all ones mask, all bits of the address are checked.
+ {
+ uint8_t kMask[4] = {0xff, 0xff, 0xff, 0xff};
+ uint8_t kAddr1[4] = {1, 2, 3, 4};
+ uint8_t kAddr2[4] = {255, 254, 253, 252};
+ uint8_t kAddr3[4] = {1, 2, 3, 5};
+ EXPECT_TRUE(IPAddressMatchesWithNetmask(
+ der::Input(kAddr1), der::Input(kAddr1), der::Input(kMask)));
+ EXPECT_FALSE(IPAddressMatchesWithNetmask(
+ der::Input(kAddr1), der::Input(kAddr2), der::Input(kMask)));
+ EXPECT_FALSE(IPAddressMatchesWithNetmask(
+ der::Input(kAddr1), der::Input(kAddr3), der::Input(kMask)));
+ }
+
+ // In general, only masked bits are considered.
+ {
+ uint8_t kMask[4] = {0xff, 0xff, 0x80, 0x00};
+ uint8_t kAddr1[4] = {1, 2, 3, 4};
+ uint8_t kAddr2[4] = {1, 2, 0x7f, 0xff};
+ uint8_t kAddr3[4] = {2, 2, 3, 4};
+ EXPECT_TRUE(IPAddressMatchesWithNetmask(
+ der::Input(kAddr1), der::Input(kAddr1), der::Input(kMask)));
+ EXPECT_TRUE(IPAddressMatchesWithNetmask(
+ der::Input(kAddr1), der::Input(kAddr2), der::Input(kMask)));
+ EXPECT_FALSE(IPAddressMatchesWithNetmask(
+ der::Input(kAddr1), der::Input(kAddr3), der::Input(kMask)));
+ }
+}
+
+} // namespace net
diff --git a/pki/name_constraints.cc b/pki/name_constraints.cc
index c629346..aa03a96 100644
--- a/pki/name_constraints.cc
+++ b/pki/name_constraints.cc
@@ -11,6 +11,7 @@
#include "cert_errors.h"
#include "common_cert_errors.h"
#include "general_names.h"
+#include "ip_util.h"
#include "string_util.h"
#include "verify_name_match.h"
#include "input.h"
@@ -653,12 +654,10 @@
return false;
}
-bool NameConstraints::IsPermittedIP(const fillins::IPAddress& ip) const {
- // fillins::IPAddressMatchesPrefix internally maps v4 addresses to/from v6 on type
- // mismatch. We don't wish to do this, so check the sizes match first.
+bool NameConstraints::IsPermittedIP(const der::Input& ip) const {
for (const auto& excluded_ip : excluded_subtrees_.ip_address_ranges) {
- if (ip.size() == excluded_ip.first.size() &&
- fillins::IPAddressMatchesPrefix(ip, excluded_ip.first, excluded_ip.second)) {
+ if (IPAddressMatchesWithNetmask(ip, excluded_ip.first,
+ excluded_ip.second)) {
return false;
}
}
@@ -670,8 +669,8 @@
}
for (const auto& permitted_ip : permitted_subtrees_.ip_address_ranges) {
- if (ip.size() == permitted_ip.first.size() &&
- fillins::IPAddressMatchesPrefix(ip, permitted_ip.first, permitted_ip.second)) {
+ if (IPAddressMatchesWithNetmask(ip, permitted_ip.first,
+ permitted_ip.second)) {
return true;
}
}
diff --git a/pki/name_constraints.h b/pki/name_constraints.h
index 6de9c41..6bf780c 100644
--- a/pki/name_constraints.h
+++ b/pki/name_constraints.h
@@ -6,11 +6,8 @@
#define BSSL_PKI_NAME_CONSTRAINTS_H_
#include "fillins/openssl_util.h"
-#include <stdint.h>
-
#include <memory>
-#include "fillins/ip_address.h"
#include "general_names.h"
@@ -70,7 +67,7 @@
bool IsPermittedDirectoryName(const der::Input& name_rdn_sequence) const;
// Returns true if the iPAddress |ip| is permitted.
- bool IsPermittedIP(const fillins::IPAddress& ip) const;
+ bool IsPermittedIP(const der::Input& ip) const;
// Returns a bitfield of GeneralNameTypes of all the types constrained by this
// NameConstraints. Name types that aren't supported will only be present if
diff --git a/pki/name_constraints_unittest.cc b/pki/name_constraints_unittest.cc
index 1fe58ed..5de90e5 100644
--- a/pki/name_constraints_unittest.cc
+++ b/pki/name_constraints_unittest.cc
@@ -4,9 +4,9 @@
#include "name_constraints.h"
+#include <array>
#include <memory>
-#include "fillins/ip_address.h"
#include "common_cert_errors.h"
#include "test_helpers.h"
#include <gtest/gtest.h>
@@ -73,6 +73,31 @@
return ::testing::AssertionFailure();
}
+std::array<uint8_t, 4> IPAddress(uint8_t b0,
+ uint8_t b1,
+ uint8_t b2,
+ uint8_t b3) {
+ return {b0, b1, b2, b3};
+}
+std::array<uint8_t, 16> IPAddress(uint8_t b0,
+ uint8_t b1,
+ uint8_t b2,
+ uint8_t b3,
+ uint8_t b4,
+ uint8_t b5,
+ uint8_t b6,
+ uint8_t b7,
+ uint8_t b8,
+ uint8_t b9,
+ uint8_t b10,
+ uint8_t b11,
+ uint8_t b12,
+ uint8_t b13,
+ uint8_t b14,
+ uint8_t b15) {
+ return {b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15};
+}
+
} // namespace
class ParseNameConstraints
@@ -488,56 +513,65 @@
// IPv4 tests:
// Not in any permitted range.
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 169, 0, 1)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 169, 0, 1))));
// Within the permitted 192.168.0.0/255.255.0.0 range.
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 0, 1)));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
// Within the permitted 192.168.0.0/255.255.0.0 range, however the
// excluded 192.168.5.0/255.255.255.0 takes priority.
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 5, 1)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
// Within the permitted 192.168.0.0/255.255.0.0 range as well as the
// permitted 192.168.5.32/255.255.255.224 range, however the excluded
// 192.168.5.0/255.255.255.0 still takes priority.
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 5, 33)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 33))));
// Not in any permitted range. (Just outside the
// 192.167.5.32/255.255.255.224 range.)
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 167, 5, 31)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 31))));
// Within the permitted 192.167.5.32/255.255.255.224 range.
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 167, 5, 32)));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 32))));
// Within the permitted 192.167.5.32/255.255.255.224 range.
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 167, 5, 63)));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 63))));
// Not in any permitted range. (Just outside the
// 192.167.5.32/255.255.255.224 range.)
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 167, 5, 64)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 167, 5, 64))));
// Not in any permitted range, and also inside the extraneous excluded
// 192.166.5.32/255.255.255.224 range.
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 166, 5, 32)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 166, 5, 32))));
// IPv6 tests:
// Not in any permitted range.
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
// Within the permitted
// 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range.
- EXPECT_TRUE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1)));
+ EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 0, 0, 0, 1))));
// Within the permitted
// 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range, however
// the excluded
// 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
// priority.
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1)));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 0, 0, 1))));
// Within the permitted
// 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: range as well
@@ -546,35 +580,35 @@
// however the excluded
// 102:304:506:708:90a:b0c:500:0/ffff:ffff:ffff:ffff:ffff:ffff:ff00:0 takes
// priority.
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1)));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 5, 33, 0, 1))));
// Not in any permitted range. (Just outside the
// 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
// range.)
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 31, 255, 255)));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 31, 255, 255))));
// Within the permitted
// 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
- EXPECT_TRUE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0)));
+ EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 32, 0, 0))));
// Within the permitted
// 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
- EXPECT_TRUE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 63, 255, 255)));
+ EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 63, 255, 255))));
// Not in any permitted range. (Just outside the
// 102:304:506:708:90a:b0b:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0
// range.)
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0)));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 11, 5, 64, 0, 0))));
// Not in any permitted range, and also inside the extraneous excluded
// 102:304:506:708:90a:b0a:520:0/ffff:ffff:ffff:ffff:ffff:ffff:ff60:0 range.
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1)));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1))));
EXPECT_EQ(GENERAL_NAME_IP_ADDRESS,
name_constraints->constrained_name_types());
@@ -609,10 +643,12 @@
// Only 192.168.5.0/255.255.255.0 is excluded, and since permitted is empty,
// any iPAddress outside that is allowed.
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 0, 1)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 5, 1)));
- EXPECT_TRUE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 5, 1))));
+ EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
}
TEST_P(ParseNameConstraints, IPAddressesExcludeAll) {
@@ -627,12 +663,14 @@
// 192.168.0.0/255.255.0.0 and
// 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
// but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 0, 1)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(1, 1, 1, 1)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 0, 1))));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(1, 1, 1, 1))));
EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1)));
+ der::Input(IPAddress(2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1))));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1))));
}
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitSingleHost) {
@@ -644,12 +682,18 @@
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 3)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 4)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(
+ der::Input(IPAddress(255, 255, 255, 255))));
}
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen31) {
@@ -661,13 +705,20 @@
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 3)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 4)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 5)));
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 3))));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 4))));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 5))));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(
+ der::Input(IPAddress(255, 255, 255, 255))));
}
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitPrefixLen1) {
@@ -679,12 +730,14 @@
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
EXPECT_FALSE(
- name_constraints->IsPermittedIP(fillins::IPAddress(0x7F, 0xFF, 0xFF, 0xFF)));
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(0x80, 0, 0, 0)));
+ name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(
+ der::Input(IPAddress(0x7F, 0xFF, 0xFF, 0xFF))));
EXPECT_TRUE(
- name_constraints->IsPermittedIP(fillins::IPAddress(0xFF, 0xFF, 0xFF, 0xFF)));
+ name_constraints->IsPermittedIP(der::Input(IPAddress(0x80, 0, 0, 0))));
+ EXPECT_TRUE(name_constraints->IsPermittedIP(
+ der::Input(IPAddress(0xFF, 0xFF, 0xFF, 0xFF))));
}
TEST_P(ParseNameConstraints, IPAddressesNetmaskPermitAll) {
@@ -696,9 +749,12 @@
NameConstraints::Create(der::Input(a), is_critical(), &errors));
ASSERT_TRUE(name_constraints);
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress::IPv4AllZeros()));
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(255, 255, 255, 255)));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(0, 0, 0, 0))));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
+ EXPECT_TRUE(name_constraints->IsPermittedIP(
+ der::Input(IPAddress(255, 255, 255, 255))));
}
TEST_P(ParseNameConstraints, IPAddressesFailOnInvalidAddr) {
@@ -740,26 +796,30 @@
ASSERT_TRUE(name_constraints);
// 192.168.1.0/24 is a permitted subtree.
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 0)));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 0))));
// This does not cover ::ffff:192.168.1.0.
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0)));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 1, 0))));
// 192.168.1.1 is excluded.
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 1)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 1))));
// ::ffff:192.168.1.2 is excluded, but that does not exclude 192.168.1.2.
- EXPECT_TRUE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 1, 2)));
+ EXPECT_TRUE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 1, 2))));
// ::ffff:192.168.2.0/120 is a permitted subtree.
- EXPECT_TRUE(name_constraints->IsPermittedIP(
- fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0)));
+ EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 0))));
// This does not cover 192.168.2.0.
- EXPECT_FALSE(name_constraints->IsPermittedIP(fillins::IPAddress(192, 168, 2, 0)));
+ EXPECT_FALSE(
+ name_constraints->IsPermittedIP(der::Input(IPAddress(192, 168, 2, 0))));
// ::ffff:192.168.2.1 is excluded.
- EXPECT_FALSE(name_constraints->IsPermittedIP(
- fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1)));
+ EXPECT_FALSE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 1))));
// 192.168.2.2 is excluded, but that does not exclude ::ffff:192.168.2.2.
- EXPECT_TRUE(name_constraints->IsPermittedIP(
- fillins::IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2)));
+ EXPECT_TRUE(name_constraints->IsPermittedIP(der::Input(
+ IPAddress(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 192, 168, 2, 2))));
}
TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
diff --git a/sources.cmake b/sources.cmake
index 72a8a0f..0fab297 100644
--- a/sources.cmake
+++ b/sources.cmake
@@ -354,12 +354,12 @@
pki/encode_values.cc
pki/extended_key_usage.cc
pki/fillins/fillins_base64.cc
- pki/fillins/ip_address.cc
pki/fillins/openssl_util.cc
pki/fillins/fillins_string_util.cc
pki/fillins/utf_string_conversions.cc
pki/general_names.cc
pki/input.cc
+ pki/ip_util.cc
pki/name_constraints.cc
pki/ocsp.cc
pki/ocsp_verify_result.cc
@@ -396,6 +396,7 @@
pki/fillins/path_service.cc
pki/general_names_unittest.cc
pki/input_unittest.cc
+ pki/ip_util_unittest.cc
pki/mock_signature_verify_cache.cc
pki/name_constraints_unittest.cc
pki/nist_pkits_unittest.cc
