Normalize IPs in matchIPConstraint

2 years ago · 89b6aa924a
parent 3f58f30b21
commit 89b6aa924a
2 changed files with 16 additions and 6 deletions
--- a/authority/internal/constraints/constraints_test.go
+++ b/authority/internal/constraints/constraints_test.go
@ -105,7 +105,7 @@ func TestEngine_Validate(t *testing.T) {
 	}{
 		{"ok", fields{hasNameConstraints: false}, args{
 			dnsNames:       []string{"example.com", "host.example.com"},
-			ipAddresses:    []net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x1, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}},
+			ipAddresses:    []net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x01, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}},
 			emailAddresses: []string{"root@example.com"},
 			uris:           []*url.URL{{Scheme: "https", Host: "example.com", Path: "/uuid/c6d1a755-0c12-431e-9136-b64cb3173ec7"}},
 		}, false},
@ -120,14 +120,15 @@ func TestEngine_Validate(t *testing.T) {
 		{"ok permitted ip", fields{
 			hasNameConstraints: true,
 			permittedIPRanges: []*net.IPNet{
-				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.1.0"), Mask: net.IPMask{255, 255, 255, 0}},
 				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+				{IP: net.ParseIP("2600:1700:22f8:2600:e559:bd88:350a:34d6"), Mask: net.IPMask{255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
 			},
-		}, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 1}}}, false},
+		}, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 1}, {0x26, 0x0, 0x17, 0x00, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc}}}, false},
 		{"ok not excluded ip", fields{
 			hasNameConstraints: true,
 			excludedIPRanges: []*net.IPNet{
-				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.1.0"), Mask: net.IPMask{255, 255, 255, 0}},
 				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
 			},
 		}, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 3, 1}}}, false},
--- a/authority/internal/constraints/verify.go
+++ b/authority/internal/constraints/verify.go
@ -131,13 +131,22 @@ func matchDomainConstraint(domain, constraint string) (bool, error) {
 	return true, nil
 }

+func normalizeIP(ip net.IP) net.IP {
+	if ip4 := ip.To4(); ip4 != nil {
+		return ip4
+	}
+	return ip
+}
+
 func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
-	if len(ip) != len(constraint.IP) {
+	ip = normalizeIP(ip)
+	constraintIP := normalizeIP(constraint.IP)
+	if len(ip) != len(constraintIP) {
 		return false, nil
 	}

 	for i := range ip {
-		if mask := constraint.Mask[i]; ip[i]&mask != constraint.IP[i]&mask {
+		if mask := constraint.Mask[i]; ip[i]&mask != constraintIP[i]&mask {
 			return false, nil
 		}
 	}