From 89b6aa924a8700c3275edd1173500b63d29b3d07 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Tue, 20 Sep 2022 18:44:15 -0700
Subject: [PATCH] Normalize IPs in matchIPConstraint

---
 authority/internal/constraints/constraints_test.go | 9 +++++----
 authority/internal/constraints/verify.go | 13 +++++++++++--
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/authority/internal/constraints/constraints_test.go b/authority/internal/constraints/constraints_test.go
index 8070e8ad..d6d13eb4 100644
--- a/authority/internal/constraints/constraints_test.go
+++ b/authority/internal/constraints/constraints_test.go
@@ -105,7 +105,7 @@ func TestEngine_Validate(t *testing.T) {
 }{
 {"ok", fields{hasNameConstraints: false}, args{
 dnsNames: []string{"example.com", "host.example.com"},
- ipAddresses: []net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x1, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}},
+ ipAddresses: []net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x01, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}},
 emailAddresses: []string{"root@example.com"},
 uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/uuid/c6d1a755-0c12-431e-9136-b64cb3173ec7"}},
 }, false},
@@ -120,14 +120,15 @@ func TestEngine_Validate(t *testing.T) {
 {"ok permitted ip", fields{
 hasNameConstraints: true,
 permittedIPRanges: []*net.IPNet{
- {IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+ {IP: net.ParseIP("192.168.1.0"), Mask: net.IPMask{255, 255, 255, 0}},
 {IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+ {IP: net.ParseIP("2600:1700:22f8:2600:e559:bd88:350a:34d6"), Mask: net.IPMask{255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
 },
- }, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 1}}}, false},
+ }, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 1}, {0x26, 0x0, 0x17, 0x00, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc}}}, false},
 {"ok not excluded ip", fields{
 hasNameConstraints: true,
 excludedIPRanges: []*net.IPNet{
- {IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+ {IP: net.ParseIP("192.168.1.0"), Mask: net.IPMask{255, 255, 255, 0}},
 {IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
 },
 }, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 3, 1}}}, false},
diff --git a/authority/internal/constraints/verify.go b/authority/internal/constraints/verify.go
index 552c5ea2..120942b6 100644
--- a/authority/internal/constraints/verify.go
+++ b/authority/internal/constraints/verify.go
@@ -131,13 +131,22 @@ func matchDomainConstraint(domain, constraint string) (bool, error) {
 return true, nil
 }
 
+func normalizeIP(ip net.IP) net.IP {
+ if ip4 := ip.To4(); ip4 != nil {
+ return ip4
+ }
+ return ip
+ }
+
 func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
- if len(ip) != len(constraint.IP) {
+ ip = normalizeIP(ip)
+ constraintIP := normalizeIP(constraint.IP)
+ if len(ip) != len(constraintIP) {
 return false, nil
 }
 
 for i := range ip {
- if mask := constraint.Mask[i]; ip[i]&mask != constraint.IP[i]&mask {
+ if mask := constraint.Mask[i]; ip[i]&mask != constraintIP[i]&mask {
 return false, nil
 }
 }
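Review bot: The mask is not normalized alongside the address, so after `constraintIP := normalizeIP(constraint.IP)` the loop still reads `constraint.Mask[i]` for the normalized length: a 16-byte mask paired with an IPv4 constraint has only its first four bytes applied (all 0xff for any prefix of /32 or longer, so the intended IPv4 prefix is lost), and a mask shorter than the address panics with an index out of range. For an excluded range the first case under-excludes and the second turns a malformed constraint carried in certificate data into a crash, so the check should fail closed on a length mismatch. The rewrite below takes the low four bytes of a 16-byte mask when the address is 4 bytes and treats any remaining mismatch as no match, the same handling `net.IPNet.Contains` applies; the new `constraints_test.go` cases pair only a 16-byte IP with a 4-byte mask, so a case using `net.CIDRMask(120, 128)` against an IPv4 address would cover this. The added `normalizeIP` also lacks a doc comment; `// normalizeIP returns the 4-byte form of an IPv4 or IPv4-mapped address and leaves any other address unchanged.` would do. matchIPConstraint's final return and closing brace lie outside the hunk.
```go
func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
	ip = normalizeIP(ip)
	constraintIP := normalizeIP(constraint.IP)
	if len(ip) != len(constraintIP) {
		return false, nil
	}
	// A 16-byte mask on an IPv4 constraint keeps its low four bytes (the
	// IPv4 part of the ::ffff:a.b.c.d form); any other length mismatch is a
	// malformed constraint and must never match instead of panicking.
	mask := constraint.Mask
	if len(mask) == net.IPv6len && len(ip) == net.IPv4len {
		mask = mask[12:]
	}
	if len(mask) != len(ip) {
		return false, nil
	}

	for i := range ip {
		if ip[i]&mask[i] != constraintIP[i]&mask[i] {
			return false, nil
		}
	}
	// … unchanged: final return …
```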