Manual Page Search Parameters
X509V3_ADDR_SUBSET(3) Library Functions Manual X509V3_ADDR_SUBSET(3)

X509v3_addr_subset, X509v3_asid_subsetRFC 3779 subset relationship

#include <openssl/x509v3.h>

int
X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent);

int
X509v3_asid_subset(ASIdentifiers *child, ASIdentifiers *parent);

() determines if all IP address resources present in child are contained in the corresponding resources in parent.

The implementation assumes but does not ensure that both child and parent are in canonical form as described in X509v3_addr_is_canonical(3). In particular, both child and parent are sorted appropriately and they contain at most one IPAddressFamily object per address family identifier (AFI) and optional subsequent address family identifier (SAFI).

The checks are, in order:

  1. If child is NULL or identical to parent then child is a subset of parent. In particular, a NULL parent is allowed for a NULL child.
  2. If parent is NULL then child is not a subset of parent.
  3. If X509v3_addr_inherits(3) determines that child inherits or that parent inherits then child is not a subset of parent.
  4. Each address prefix or range in child must be a subset of an address prefix or range in the parent, taking AFI and optional SAFI into account:
    • For each IPAddressFamily of child there must be an IPAddressFamily of parent with the same AFI and optional SAFI.
    • Since the address prefixes and ranges in corresponding IPAddressFamily objects in child and parent are sorted in ascending order, and do not overlap, they can be traversed simultaneously in linear time. For each prefix or range in child there must be a prefix or range in parent whose minimal address is smaller and whose maximal address is larger.
    If any of these steps fails, child is not a subset of parent.

() determines if all AS identifier resources in child are contained in the corresponding resources in parent.

The description for () applies mutatis mutandis. In particular, child and parent must be in canonical form per X509v3_asid_is_canonical(3), but this is not enforced.

X509v3_addr_subset() and X509v3_asid_subset() return 1 if and only if child is a subset of parent, otherwise they return 0. If both child and parent are in canonical form, these functions cannot fail.

ASIdentifiers_new(3), ASRange_new(3), crypto(3), IPAddressRange_new(3), X509_new(3), X509v3_addr_add_inherit(3), X509v3_asid_add_inherit(3)

RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers.

These functions first appeared in OpenSSL 0.9.8e and have been available since OpenBSD 7.1.

September 30, 2023 openbsd