1 /* ber-decoder.c - Basic Encoding Rules Decoder
2 * Copyright (C) 2001, 2004, 2006, 2012, 2015 g10 Code GmbH
3 *
4 * This file is part of KSBA.
5 *
6 * KSBA is free software; you can redistribute it and/or modify
7 * it under the terms of either
8 *
9 * - the GNU Lesser General Public License as published by the Free
10 * Software Foundation; either version 3 of the License, or (at
11 * your option) any later version.
12 *
13 * or
14 *
15 * - the GNU General Public License as published by the Free
16 * Software Foundation; either version 2 of the License, or (at
17 * your option) any later version.
18 *
19 * or both in parallel, as here.
20 *
21 * KSBA is distributed in the hope that it will be useful, but WITHOUT
22 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
23 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
24 * License for more details.
25 *
26 * You should have received a copies of the GNU General Public License
27 * and the GNU Lesser General Public License along with this program;
28 * if not, see <http://www.gnu.org/licenses/>.
29 */
30
31 #include <config.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <assert.h>
36 #include "util.h"
37
38 #include "util.h"
39 #include "ksba.h"
40 #include "asn1-func.h"
41 #include "ber-decoder.h"
42 #include "ber-help.h"
43
44
45 /* The maximum length we allow for an image, that is for a BER encoded
46 * object. */
47 #define MAX_IMAGE_LENGTH (16 * 1024 * 1024)
48
49
50 struct decoder_state_item_s {
51 AsnNode node;
52 int went_up;
53 int in_seq_of;
54 int in_any; /* actually in a constructed any */
55 int again;
56 int next_tag;
57 int length; /* length of the value */
58 int ndef_length; /* the length is of indefinite length */
59 int nread; /* number of value bytes processed */
60 };
61 typedef struct decoder_state_item_s DECODER_STATE_ITEM;
62
63 struct decoder_state_s {
64 DECODER_STATE_ITEM cur; /* current state */
65 int stacksize;
66 int idx;
67 DECODER_STATE_ITEM stack[1];
68 };
69 typedef struct decoder_state_s *DECODER_STATE;
70
71
72 /* Context for a decoder. */
73 struct ber_decoder_s
74 {
75 AsnNode module; /* the ASN.1 structure */
76 ksba_reader_t reader;
77 const char *last_errdesc; /* string with the error description */
78 int non_der; /* set if the encoding is not DER conform */
79 AsnNode root; /* of the expanded parse tree */
80 DECODER_STATE ds;
81 int bypass;
82
83 /* Because some certificates actually come with trailing garbage, we
84 use a hack to ignore this garbage. This hack is enabled for data
85 starting with a fixed length sequence and this variable takes the
86 length of this sequence. If it is 0, the hack is not
87 activated. */
88 unsigned long outer_sequence_length;
89 int ignore_garbage; /* Set to indicate that garbage should be
90 ignored. */
91 int fast_stop; /* Yet another hack. */
92
93 int first_tag_seen; /* Indicates whether the first tag of a decoder
94 run has been read. */
95
96 int honor_module_end;
97 int debug;
98 int use_image;
99 struct
100 {
101 unsigned char *buf;
102 size_t used;
103 size_t length;
104 } image;
105 struct
106 {
107 int primitive; /* current value is a primitive one */
108 size_t length; /* length of the primitive one */
109 int nhdr; /* length of the header */
110 int tag;
111 int is_endtag;
112 AsnNode node; /* NULL or matching node */
113 } val;
114 };
115
116
117
118 /* Evaluate with overflow check: A1 + A2 > B */
119 static inline int
sum_a1_a2_gt_b(size_t a1,size_t a2,size_t b)120 sum_a1_a2_gt_b (size_t a1, size_t a2, size_t b)
121 {
122 size_t sum = a1 + a2;
123 return (sum < a1 || sum > b);
124 }
125
126 /* Evaluate with overflow check: A1 + A2 >= B */
127 static inline int
sum_a1_a2_ge_b(size_t a1,size_t a2,size_t b)128 sum_a1_a2_ge_b (size_t a1, size_t a2, size_t b)
129 {
130 size_t sum = a1 + a2;
131 return (sum < a1 || sum >= b);
132 }
133
134
135
136 static DECODER_STATE
new_decoder_state(void)137 new_decoder_state (void)
138 {
139 DECODER_STATE ds;
140
141 ds = xmalloc (sizeof (*ds) + 99*sizeof(DECODER_STATE_ITEM));
142 ds->stacksize = 100;
143 ds->idx = 0;
144 ds->cur.node = NULL;
145 ds->cur.went_up = 0;
146 ds->cur.in_seq_of = 0;
147 ds->cur.in_any = 0;
148 ds->cur.again = 0;
149 ds->cur.next_tag = 0;
150 ds->cur.length = 0;
151 ds->cur.ndef_length = 1;
152 ds->cur.nread = 0;
153 return ds;
154 }
155
156 static void
release_decoder_state(DECODER_STATE ds)157 release_decoder_state (DECODER_STATE ds)
158 {
159 xfree (ds);
160 }
161
162 static void
dump_decoder_state(DECODER_STATE ds)163 dump_decoder_state (DECODER_STATE ds)
164 {
165 int i;
166
167 for (i=0; i < ds->idx; i++)
168 {
169 fprintf (stderr," ds stack[%d] (", i);
170 if (ds->stack[i].node)
171 _ksba_asn_node_dump (ds->stack[i].node, stderr);
172 else
173 fprintf (stderr, "Null");
174 fprintf (stderr,") %s%d (%d)%s\n",
175 ds->stack[i].ndef_length? "ndef ":"",
176 ds->stack[i].length,
177 ds->stack[i].nread,
178 ds->stack[i].in_seq_of? " in_seq_of":"");
179 }
180 }
181
182 /* Push ITEM onto the stack */
183 static gpg_error_t
push_decoder_state(DECODER_STATE ds)184 push_decoder_state (DECODER_STATE ds)
185 {
186 if (ds->idx >= ds->stacksize)
187 {
188 fprintf (stderr, "ksba: ber-decoder: stack overflow!\n");
189 return gpg_error (GPG_ERR_LIMIT_REACHED);
190 }
191 ds->stack[ds->idx++] = ds->cur;
192 return 0;
193 }
194
195 static gpg_error_t
pop_decoder_state(DECODER_STATE ds)196 pop_decoder_state (DECODER_STATE ds)
197 {
198 if (!ds->idx)
199 {
200 fprintf (stderr, "ksba: ber-decoder: stack underflow!\n");
201 return gpg_error (GPG_ERR_INTERNAL);
202 }
203 ds->cur = ds->stack[--ds->idx];
204 return 0;
205 }
206
207
208
209 static int
set_error(BerDecoder d,AsnNode node,const char * text)210 set_error (BerDecoder d, AsnNode node, const char *text)
211 {
212 fprintf (stderr,"ksba: ber-decoder: node `%s': %s\n",
213 node? node->name:"?", text);
214 d->last_errdesc = text;
215 return gpg_error (GPG_ERR_BAD_BER);
216 }
217
218
219 static int
eof_or_error(BerDecoder d,int premature)220 eof_or_error (BerDecoder d, int premature)
221 {
222 gpg_error_t err;
223
224 err = ksba_reader_error (d->reader);
225 if (err)
226 {
227 set_error (d, NULL, "read error");
228 return err;
229 }
230 if (premature)
231 return set_error (d, NULL, "premature EOF");
232 return gpg_error (GPG_ERR_EOF);
233 }
234
235 static const char *
universal_tag_name(unsigned long no)236 universal_tag_name (unsigned long no)
237 {
238 static const char * const names[31] = {
239 "[End Tag]",
240 "BOOLEAN",
241 "INTEGER",
242 "BIT STRING",
243 "OCTECT STRING",
244 "NULL",
245 "OBJECT IDENTIFIER",
246 "ObjectDescriptor",
247 "EXTERNAL",
248 "REAL",
249 "ENUMERATED",
250 "EMBEDDED PDV",
251 "UTF8String",
252 "RELATIVE-OID",
253 "[UNIVERSAL 14]",
254 "[UNIVERSAL 15]",
255 "SEQUENCE",
256 "SET",
257 "NumericString",
258 "PrintableString",
259 "TeletexString",
260 "VideotexString",
261 "IA5String",
262 "UTCTime",
263 "GeneralizedTime",
264 "GraphicString",
265 "VisibleString",
266 "GeneralString",
267 "UniversalString",
268 "CHARACTER STRING",
269 "BMPString"
270 };
271
272 return no < DIM(names)? names[no]:NULL;
273 }
274
275
276 static void
dump_tlv(const struct tag_info * ti,FILE * fp)277 dump_tlv (const struct tag_info *ti, FILE *fp)
278 {
279 const char *tagname = NULL;
280
281 if (ti->class == CLASS_UNIVERSAL)
282 tagname = universal_tag_name (ti->tag);
283
284 if (tagname)
285 fputs (tagname, fp);
286 else
287 fprintf (fp, "[%s %lu]",
288 ti->class == CLASS_UNIVERSAL? "UNIVERSAL" :
289 ti->class == CLASS_APPLICATION? "APPLICATION" :
290 ti->class == CLASS_CONTEXT? "CONTEXT-SPECIFIC" : "PRIVATE",
291 ti->tag);
292 fprintf (fp, " %c hdr=%lu len=",
293 ti->is_constructed? 'c':'p',
294 (unsigned long)ti->nhdr);
295 if (ti->ndef)
296 fputs ("ndef", fp);
297 else
298 fprintf (fp, "%lu", ti->length);
299 }
300
301
302 static void
clear_help_flags(AsnNode node)303 clear_help_flags (AsnNode node)
304 {
305 AsnNode p;
306
307 for (p=node; p; p = _ksba_asn_walk_tree (node, p))
308 {
309 if (p->type == TYPE_TAG)
310 {
311 p->flags.tag_seen = 0;
312 }
313 p->flags.skip_this = 0;
314 }
315
316 }
317
318 static void
prepare_copied_tree(AsnNode node)319 prepare_copied_tree (AsnNode node)
320 {
321 AsnNode p;
322
323 clear_help_flags (node);
324 for (p=node; p; p = _ksba_asn_walk_tree (node, p))
325 p->off = -1;
326
327 }
328
329 static void
fixup_type_any(AsnNode node)330 fixup_type_any (AsnNode node)
331 {
332 AsnNode p;
333
334 for (p=node; p; p = _ksba_asn_walk_tree (node, p))
335 {
336 if (p->type == TYPE_ANY && p->off != -1)
337 p->type = p->actual_type;
338 }
339 }
340
341
342
343 BerDecoder
_ksba_ber_decoder_new(void)344 _ksba_ber_decoder_new (void)
345 {
346 BerDecoder d;
347
348 d = xtrycalloc (1, sizeof *d);
349 if (!d)
350 return NULL;
351
352 return d;
353 }
354
355 void
_ksba_ber_decoder_release(BerDecoder d)356 _ksba_ber_decoder_release (BerDecoder d)
357 {
358 xfree (d);
359 }
360
361 /**
362 * _ksba_ber_decoder_set_module:
363 * @d: Decoder object
364 * @module: ASN.1 Parse tree
365 *
366 * Initialize the decoder with the ASN.1 module. Note, that this is a
367 * shallow copy of the module. Hmmm: What about ref-counting of
368 * AsnNodes?
369 *
370 * Return value: 0 on success or an error code
371 **/
372 gpg_error_t
_ksba_ber_decoder_set_module(BerDecoder d,ksba_asn_tree_t module)373 _ksba_ber_decoder_set_module (BerDecoder d, ksba_asn_tree_t module)
374 {
375 if (!d || !module)
376 return gpg_error (GPG_ERR_INV_VALUE);
377 if (d->module)
378 return gpg_error (GPG_ERR_CONFLICT); /* module already set */
379
380 d->module = module->parse_tree;
381 return 0;
382 }
383
384
385 gpg_error_t
_ksba_ber_decoder_set_reader(BerDecoder d,ksba_reader_t r)386 _ksba_ber_decoder_set_reader (BerDecoder d, ksba_reader_t r)
387 {
388 if (!d || !r)
389 return gpg_error (GPG_ERR_INV_VALUE);
390 if (d->reader)
391 return gpg_error (GPG_ERR_CONFLICT); /* reader already set */
392
393 d->reader = r;
394 return 0;
395 }
396
397
398 /**********************************************
399 *********** decoding machinery *************
400 **********************************************/
401
402 /* Read one byte, return that byte or -1 on error or EOF. */
403 static int
read_byte(ksba_reader_t reader)404 read_byte (ksba_reader_t reader)
405 {
406 unsigned char buf;
407 size_t nread;
408 int rc;
409
410 do
411 rc = ksba_reader_read (reader, &buf, 1, &nread);
412 while (!rc && !nread);
413 return rc? -1: buf;
414 }
415
416 /* Read COUNT bytes into buffer. BUFFER may be NULL to skip over
417 COUNT bytes. Return 0 on success or -1 on error. */
418 static int
read_buffer(ksba_reader_t reader,char * buffer,size_t count)419 read_buffer (ksba_reader_t reader, char *buffer, size_t count)
420 {
421 size_t nread;
422
423 if (buffer)
424 {
425 while (count)
426 {
427 if (ksba_reader_read (reader, buffer, count, &nread))
428 return -1;
429 buffer += nread;
430 count -= nread;
431 }
432 }
433 else
434 {
435 char dummy[256];
436 size_t n;
437
438 while (count)
439 {
440 n = count > DIM(dummy) ? DIM(dummy): count;
441 if (ksba_reader_read (reader, dummy, n, &nread))
442 return -1;
443 count -= nread;
444 }
445 }
446 return 0;
447 }
448
449 /* Return 0 for no match, 1 for a match and 2 for an ANY match of an
450 constructed type */
451 static int
cmp_tag(AsnNode node,const struct tag_info * ti)452 cmp_tag (AsnNode node, const struct tag_info *ti)
453 {
454 if (node->flags.class != ti->class)
455 {
456 if (node->flags.class == CLASS_UNIVERSAL && node->type == TYPE_ANY)
457 return ti->is_constructed? 2:1;
458 return 0;
459 }
460 if (node->type == TYPE_TAG)
461 {
462 return_val_if_fail (node->valuetype == VALTYPE_ULONG, 0);
463 return node->value.v_ulong == ti->tag;
464 }
465 if (node->type == ti->tag)
466 return 1;
467 if (ti->class == CLASS_UNIVERSAL)
468 {
469 if (node->type == TYPE_SEQUENCE_OF && ti->tag == TYPE_SEQUENCE)
470 return 1;
471 if (node->type == TYPE_SET_OF && ti->tag == TYPE_SET)
472 return 1;
473 if (node->type == TYPE_ANY)
474 return _ksba_asn_is_primitive (ti->tag)? 1:2;
475 }
476
477 return 0;
478 }
479
480 /* Find the node in the tree ROOT corresponding to TI and return that
481 node. Returns NULL if the node was not found */
482 static AsnNode
find_anchor_node(AsnNode root,const struct tag_info * ti)483 find_anchor_node (AsnNode root, const struct tag_info *ti)
484 {
485 AsnNode node = root;
486 AsnNode n;
487
488 while (node)
489 {
490 if (node->type == TYPE_CHOICE)
491 {
492 for (n = node->down; n; n = n->right)
493 {
494 if (cmp_tag (n, ti))
495 {
496 return n; /* found */
497 }
498 }
499 }
500 else
501 {
502 if (cmp_tag (node, ti))
503 {
504 return node; /* found */
505 }
506 }
507
508 if (node->down)
509 node = node->down;
510 else if (node == root)
511 return NULL; /* not found */
512 else if (node->right)
513 node = node->right;
514 else
515 { /* go up and right */
516 do
517 {
518 while (node->left && node->left->right == node)
519 node = node->left;
520 node = node->left;
521
522 if (!node || node == root)
523 return NULL; /* back at the root -> not found */
524 }
525 while (!node->right);
526 node = node->right;
527 }
528 }
529
530 return NULL;
531 }
532
533 static int
match_der(AsnNode root,const struct tag_info * ti,DECODER_STATE ds,AsnNode * retnode,int debug)534 match_der (AsnNode root, const struct tag_info *ti,
535 DECODER_STATE ds, AsnNode *retnode, int debug)
536 {
537 int rc;
538 AsnNode node;
539
540 *retnode = NULL;
541 node = ds->cur.node;
542 if (!node)
543 {
544 if (debug)
545 fputs (" looking for anchor\n", stderr);
546 node = find_anchor_node (root, ti);
547 if (!node)
548 fputs (" anchor node not found\n", stderr);
549 }
550 else if (ds->cur.again)
551 {
552 if (debug)
553 fputs (" doing last again\n", stderr);
554 ds->cur.again = 0;
555 }
556 else if (_ksba_asn_is_primitive (node->type) || node->type == TYPE_ANY
557 || node->type == TYPE_SIZE || node->type == TYPE_DEFAULT )
558 {
559 if (debug)
560 fputs (" primitive type - get next\n", stderr);
561 if (node->right)
562 node = node->right;
563 else if (!node->flags.in_choice)
564 {
565 if (node->flags.is_implicit)
566 {
567 if (debug)
568 fputs (" node was implicit - advancing\n", stderr);
569 while (node->left && node->left->right == node)
570 node = node->left;
571 node = node->left; /* this is the up pointer */
572 if (node)
573 node = node->right;
574 }
575 else
576 node = NULL;
577 }
578 else /* in choice */
579 {
580 if (debug)
581 fputs (" going up after choice - get next\n", stderr);
582 while (node->left && node->left->right == node)
583 node = node->left;
584 node = node->left; /* this is the up pointer */
585 if (node)
586 node = node->right;
587 }
588 }
589 else if (node->type == TYPE_SEQUENCE_OF || node->type == TYPE_SET_OF)
590 {
591 if (debug)
592 {
593 fprintf (stderr, " prepare for seq/set_of (%d %d) ",
594 ds->cur.length, ds->cur.nread);
595 fprintf (stderr, " cur: ("); _ksba_asn_node_dump (node, stderr);
596 fprintf (stderr, ")\n");
597 if (ds->cur.node->flags.in_array)
598 fputs (" This is in an array!\n", stderr);
599 if (ds->cur.went_up)
600 fputs (" And we are going up!\n", stderr);
601 }
602 if ((ds->cur.went_up && !ds->cur.node->flags.in_array) ||
603 (ds->idx && ds->cur.nread >= ds->stack[ds->idx-1].length))
604 {
605 if (debug)
606 fprintf (stderr, " advancing\n");
607 if (node->right)
608 node = node->right;
609 else
610 {
611 for (;;)
612 {
613 while (node->left && node->left->right == node)
614 node = node->left;
615 node = node->left; /* this is the up pointer */
616 if (!node)
617 break;
618 if (node->right)
619 {
620 node = node->right;
621 break;
622 }
623 }
624 }
625 }
626 else if (ds->cur.node->flags.in_array
627 && ds->cur.went_up)
628 {
629 if (debug)
630 fputs (" Reiterating\n", stderr);
631 node = _ksba_asn_insert_copy (node);
632 if (node)
633 prepare_copied_tree (node);
634 }
635 else
636 node = node->down;
637 }
638 else /* constructed */
639 {
640 if (debug)
641 {
642 fprintf (stderr, " prepare for constructed (%d %d) ",
643 ds->cur.length, ds->cur.nread);
644 fprintf (stderr, " cur: ("); _ksba_asn_node_dump (node, stderr);
645 fprintf (stderr, ")\n");
646 if (ds->cur.node->flags.in_array)
647 fputs (" This is in an array!\n", stderr);
648 if (ds->cur.went_up)
649 fputs (" And we are going up!\n", stderr);
650 }
651 ds->cur.in_seq_of = 0;
652
653 if (ds->cur.node->flags.in_array
654 && ds->cur.went_up)
655 {
656 if (debug)
657 fputs (" Reiterating this\n", stderr);
658 node = _ksba_asn_insert_copy (node);
659 if (node)
660 prepare_copied_tree (node);
661 }
662 else if (ds->cur.went_up || ds->cur.next_tag || ds->cur.node->flags.skip_this)
663 {
664 if (node->right)
665 node = node->right;
666 else
667 {
668 for (;;)
669 {
670 while (node->left && node->left->right == node)
671 node = node->left;
672 node = node->left; /* this is the up pointer */
673 if (!node)
674 break;
675 if (node->right)
676 {
677 node = node->right;
678 break;
679 }
680 }
681 }
682 }
683 else
684 node = node->down;
685
686 }
687 if (!node)
688 return -1;
689 ds->cur.node = node;
690 ds->cur.went_up = 0;
691 ds->cur.next_tag = 0;
692
693 if (debug)
694 {
695 fprintf (stderr, " Expect ("); _ksba_asn_node_dump (node,stderr); fprintf (stderr, ")\n");
696 }
697
698 if (node->flags.skip_this)
699 {
700 if (debug)
701 fprintf (stderr, " skipping this\n");
702 return 1;
703 }
704
705 if (node->type == TYPE_SIZE)
706 {
707 if (debug)
708 fprintf (stderr, " skipping size tag\n");
709 return 1;
710 }
711 if (node->type == TYPE_DEFAULT)
712 {
713 if (debug)
714 fprintf (stderr, " skipping default tag\n");
715 return 1;
716 }
717
718 if (node->flags.is_implicit)
719 {
720 if (debug)
721 fprintf (stderr, " dummy accept for implicit tag\n");
722 return 1; /* again */
723 }
724
725 if ( (rc=cmp_tag (node, ti)))
726 {
727 *retnode = node;
728 return rc==2? 4:3;
729 }
730
731 if (node->type == TYPE_CHOICE)
732 {
733 if (debug)
734 fprintf (stderr, " testing choice...\n");
735 for (node = node->down; node; node = node->right)
736 {
737 if (debug)
738 {
739 fprintf (stderr, " %s (", node->flags.skip_this? "skip":" cmp");
740 _ksba_asn_node_dump (node, stderr);
741 fprintf (stderr, ")\n");
742 }
743
744 if (!node->flags.skip_this && cmp_tag (node, ti) == 1)
745 {
746 if (debug)
747 {
748 fprintf (stderr, " choice match <"); dump_tlv (ti, stderr);
749 fprintf (stderr, ">\n");
750 }
751 /* mark the remaining as done */
752 for (node=node->right; node; node = node->right)
753 node->flags.skip_this = 1;
754 return 1;
755 }
756 node->flags.skip_this = 1;
757
758 }
759 node = ds->cur.node; /* reset */
760 }
761
762 if (node->flags.in_choice)
763 {
764 if (debug)
765 fprintf (stderr, " skipping non matching choice\n");
766 return 1;
767 }
768
769 if (node->flags.is_optional)
770 {
771 if (debug)
772 fprintf (stderr, " skipping optional element\n");
773 if (node->type == TYPE_TAG)
774 ds->cur.next_tag = 1;
775 return 1;
776 }
777
778 if (node->flags.has_default)
779 {
780 if (debug)
781 fprintf (stderr, " use default value\n");
782 if (node->type == TYPE_TAG)
783 ds->cur.next_tag = 1;
784 *retnode = node;
785 return 2;
786 }
787
788 return -1;
789 }
790
791
792 static gpg_error_t
decoder_init(BerDecoder d,const char * start_name)793 decoder_init (BerDecoder d, const char *start_name)
794 {
795 d->ds = new_decoder_state ();
796
797 d->root = _ksba_asn_expand_tree (d->module, start_name);
798 clear_help_flags (d->root);
799 d->bypass = 0;
800 if (d->debug)
801 fprintf (stderr, "DECODER_INIT for `%s'\n", start_name? start_name: "[root]");
802 return 0;
803 }
804
805 static void
decoder_deinit(BerDecoder d)806 decoder_deinit (BerDecoder d)
807 {
808 release_decoder_state (d->ds);
809 d->ds = NULL;
810 d->val.node = NULL;
811 if (d->debug)
812 fprintf (stderr, "DECODER_DEINIT\n");
813 }
814
815
816 static gpg_error_t
decoder_next(BerDecoder d)817 decoder_next (BerDecoder d)
818 {
819 struct tag_info ti;
820 AsnNode node = NULL;
821 gpg_error_t err;
822 DECODER_STATE ds = d->ds;
823 int debug = d->debug;
824
825 if (d->ignore_garbage && d->fast_stop)
826 {
827 /* I am not anymore sure why we have this ignore_garbage
828 machinery: The whole decoder needs and overhaul; it seems not
829 to honor the length specification and runs for longer than
830 expected.
831
832 This here is another hack to not eat up an end tag - this is
833 required in in some cases and in theory should be used always
834 but we want to avoid any regression, thus this flag. */
835 return gpg_error (GPG_ERR_EOF);
836 }
837
838 err = _ksba_ber_read_tl (d->reader, &ti);
839 if (err)
840 {
841 if (debug)
842 fprintf (stderr, "ber_read_tl error: %s (%s)\n",
843 gpg_strerror (err), ti.err_string? ti.err_string:"");
844 /* This is our actual hack to cope with some trailing garbage:
845 Only if we get an premature EOF and we know that we have read
846 the complete certificate we change the error to EOF. This
847 won't help with all kinds of garbage but it fixes the case
848 where just one byte is appended. This is for example the
849 case with current Siemens certificates. This approach seems
850 to be the least intrusive one. */
851 if (gpg_err_code (err) == GPG_ERR_BAD_BER
852 && d->ignore_garbage
853 && ti.err_string && !strcmp (ti.err_string, "premature EOF"))
854 err = gpg_error (GPG_ERR_EOF);
855 return err;
856 }
857
858 if (debug)
859 {
860 fprintf (stderr, "ReadTLV <");
861 dump_tlv (&ti, stderr);
862 fprintf (stderr, ">\n");
863 }
864
865 /* Check whether the trailing garbage hack is required. */
866 if (!d->first_tag_seen)
867 {
868 d->first_tag_seen = 1;
869 if (ti.tag == TYPE_SEQUENCE && ti.length && !ti.ndef)
870 d->outer_sequence_length = ti.length;
871 else if (ti.class == CLASS_CONTEXT && ti.is_constructed
872 && ti.length && !ti.ndef)
873 d->outer_sequence_length = ti.length;
874 }
875
876 /* Store stuff in the image buffer. */
877 if (d->use_image)
878 {
879 if (!d->image.buf)
880 {
881 /* We need some extra bytes to store the stuff we read ahead
882 * at the end of the module which is later pushed back. We
883 * also clear the buffer because there is no guarantee that
884 * we will copy data to all bytes of the buffer: A broken
885 * ASN.1 encoding may thus lead to access of uninitialized
886 * data even if we make sure that that access is not our of
887 * bounds. */
888 d->image.used = 0;
889 d->image.length = ti.length + 100;
890 if (d->image.length < ti.length)
891 return gpg_error (GPG_ERR_BAD_BER);
892 if (d->image.length > MAX_IMAGE_LENGTH)
893 return gpg_error (GPG_ERR_TOO_LARGE);
894 d->image.buf = xtrycalloc (1, d->image.length);
895 if (!d->image.buf)
896 return gpg_error (GPG_ERR_ENOMEM);
897 }
898
899 if (sum_a1_a2_ge_b (ti.nhdr, d->image.used, d->image.length))
900 return set_error (d, NULL, "image buffer too short to store the tag");
901
902 memcpy (d->image.buf + d->image.used, ti.buf, ti.nhdr);
903 d->image.used += ti.nhdr;
904 }
905
906
907 if (!d->bypass)
908 {
909 int again, endtag;
910
911 do
912 {
913 again = endtag = 0;
914 switch ( ds->cur.in_any? 4
915 : (ti.class == CLASS_UNIVERSAL && !ti.tag)? (endtag=1,5)
916 : match_der (d->root, &ti, ds, &node, debug))
917 {
918 case -1:
919 if (debug)
920 {
921 fprintf (stderr, " FAIL <");
922 dump_tlv (&ti, stderr);
923 fprintf (stderr, ">\n");
924 }
925 if (d->honor_module_end)
926 {
927 /* We must push back the stuff we already read */
928 ksba_reader_unread (d->reader, ti.buf, ti.nhdr);
929 return gpg_error (GPG_ERR_EOF);
930 }
931 else
932 d->bypass = 1;
933 break;
934 case 0:
935 if (debug)
936 fputs (" End of description\n", stderr);
937 d->bypass = 1;
938 break;
939 case 1: /* again */
940 if (debug)
941 fprintf (stderr, " Again\n");
942 again = 1;
943 break;
944 case 2: /* Use default value + again */
945 if (debug)
946 fprintf (stderr, " Using default\n");
947 again = 1;
948 break;
949 case 4: /* Match of ANY on a constructed type */
950 if (debug)
951 fprintf (stderr, " ANY");
952 ds->cur.in_any = 1;
953 /* FALLTHROUGH */
954 case 3: /* match */
955 case 5: /* end tag */
956 if (debug)
957 {
958 fprintf (stderr, " Match <");
959 dump_tlv (&ti, stderr);
960 fprintf (stderr, ">\n");
961 }
962 /* Increment by the header length */
963 ds->cur.nread += ti.nhdr;
964
965 if (!ti.is_constructed)
966 ds->cur.nread += ti.length;
967
968 ds->cur.went_up = 0;
969 do
970 {
971 if (debug)
972 fprintf (stderr, " (length %d nread %d) %s\n",
973 ds->idx? ds->stack[ds->idx-1].length:-1,
974 ds->cur.nread,
975 ti.is_constructed? "con":"pri");
976 if (d->outer_sequence_length
977 && ds->idx == 1
978 && ds->cur.nread == d->outer_sequence_length)
979 {
980 if (debug)
981 fprintf (stderr, " Need to stop now\n");
982 d->ignore_garbage = 1;
983 }
984
985 if ( ds->idx
986 && !ds->stack[ds->idx-1].ndef_length
987 && (ds->cur.nread
988 > ds->stack[ds->idx-1].length))
989 {
990 fprintf (stderr, "ksba: ERROR: object length field "
991 "%d octects too large\n",
992 ds->cur.nread - ds->cur.length);
993 ds->cur.nread = ds->cur.length;
994 }
995 if ( ds->idx
996 && (endtag
997 || (!ds->stack[ds->idx-1].ndef_length
998 && (ds->cur.nread
999 >= ds->stack[ds->idx-1].length))))
1000 {
1001 int n = ds->cur.nread;
1002 err = pop_decoder_state (ds);
1003 if (err)
1004 return err;
1005 ds->cur.nread += n;
1006 ds->cur.went_up++;
1007 }
1008 endtag = 0;
1009 }
1010 while ( ds->idx
1011 && !ds->stack[ds->idx-1].ndef_length
1012 && (ds->cur.nread
1013 >= ds->stack[ds->idx-1].length));
1014
1015 if (ti.is_constructed && (ti.length || ti.ndef))
1016 {
1017 /* prepare for the next level */
1018 ds->cur.length = ti.length;
1019 ds->cur.ndef_length = ti.ndef;
1020 err = push_decoder_state (ds);
1021 if (err)
1022 return err;
1023 ds->cur.length = 0;
1024 ds->cur.ndef_length = 0;
1025 ds->cur.nread = 0;
1026 }
1027 if (debug)
1028 fprintf (stderr, " (length %d nread %d) end\n",
1029 ds->idx? ds->stack[ds->idx-1].length:-1,
1030 ds->cur.nread);
1031 break;
1032 default:
1033 never_reached ();
1034 abort ();
1035 break;
1036 }
1037 }
1038 while (again);
1039 }
1040
1041 d->val.primitive = !ti.is_constructed;
1042 d->val.length = ti.length;
1043 d->val.nhdr = ti.nhdr;
1044 d->val.tag = ti.tag; /* kludge to fix TYPE_ANY probs */
1045 d->val.is_endtag = (ti.class == CLASS_UNIVERSAL && !ti.tag);
1046 d->val.node = d->bypass? NULL : node;
1047 if (debug)
1048 dump_decoder_state (ds);
1049
1050 return 0;
1051 }
1052
1053 static gpg_error_t
decoder_skip(BerDecoder d)1054 decoder_skip (BerDecoder d)
1055 {
1056 if (d->val.primitive)
1057 {
1058 if (read_buffer (d->reader, NULL, d->val.length))
1059 return eof_or_error (d, 1);
1060 }
1061 return 0;
1062 }
1063
1064
1065
1066 /* Calculate the distance between the 2 nodes */
1067 static int
distance(AsnNode root,AsnNode node)1068 distance (AsnNode root, AsnNode node)
1069 {
1070 int n=0;
1071
1072 while (node && node != root)
1073 {
1074 while (node->left && node->left->right == node)
1075 node = node->left;
1076 node = node->left;
1077 n++;
1078 }
1079
1080 return n;
1081 }
1082
1083
1084 /**
1085 * _ksba_ber_decoder_dump:
1086 * @d: Decoder object
1087 *
1088 * Dump a textual representation of the encoding to the given stream.
1089 *
1090 * Return value:
1091 **/
1092 gpg_error_t
_ksba_ber_decoder_dump(BerDecoder d,FILE * fp)1093 _ksba_ber_decoder_dump (BerDecoder d, FILE *fp)
1094 {
1095 gpg_error_t err;
1096 int depth = 0;
1097 AsnNode node;
1098 unsigned char *buf = NULL;
1099 size_t buflen = 0;
1100
1101 if (!d)
1102 return gpg_error (GPG_ERR_INV_VALUE);
1103
1104 #ifdef HAVE_GETENV
1105 d->debug = !!getenv("KSBA_DEBUG_BER_DECODER");
1106 #else
1107 d->debug = 0;
1108 #endif
1109 d->use_image = 0;
1110 d->image.buf = NULL;
1111 err = decoder_init (d, NULL);
1112 if (err)
1113 return err;
1114
1115 while (!(err = decoder_next (d)))
1116 {
1117 node = d->val.node;
1118 if (node)
1119 depth = distance (d->root, node);
1120
1121 fprintf (fp, "%4lu %4lu:%*s",
1122 ksba_reader_tell (d->reader) - d->val.nhdr,
1123 (unsigned long)d->val.length,
1124 depth*2, "");
1125 if (node)
1126 _ksba_asn_node_dump (node, fp);
1127 else
1128 fputs ("[No matching node]", fp);
1129
1130 if (node && d->val.primitive)
1131 {
1132 size_t n;
1133 int i, c;
1134 char *p;
1135
1136 if (!buf || buflen < d->val.length)
1137 {
1138 xfree (buf);
1139 buf = NULL;
1140 buflen = d->val.length + 100;
1141 if (buflen < d->val.length)
1142 err = gpg_error (GPG_ERR_BAD_BER); /* Overflow */
1143 else if (buflen > MAX_IMAGE_LENGTH)
1144 err = gpg_error (GPG_ERR_TOO_LARGE);
1145 else
1146 {
1147 buf = xtrymalloc (buflen);
1148 if (!buf)
1149 err = gpg_error_from_syserror ();
1150 }
1151 }
1152
1153 for (n=0; !err && n < d->val.length; n++)
1154 {
1155 if ( (c=read_byte (d->reader)) == -1)
1156 err = eof_or_error (d, 1);
1157 buf[n] = c;
1158 }
1159 if (err)
1160 break;
1161 fputs (" (", fp);
1162 p = NULL;
1163 switch (node->type)
1164 {
1165 case TYPE_OBJECT_ID:
1166 p = ksba_oid_to_str (buf, n);
1167 break;
1168 default:
1169 for (i=0; i < n && (d->debug || i < 20); i++)
1170 fprintf (fp,"%02x", buf[i]);
1171 if (i < n)
1172 fputs ("..more..", fp);
1173 break;
1174 }
1175 if (p)
1176 {
1177 fputs (p, fp);
1178 xfree (p);
1179 }
1180 fputs (")\n", fp);
1181 }
1182 else
1183 {
1184 err = decoder_skip (d);
1185 putc ('\n', fp);
1186 }
1187 if (err)
1188 break;
1189
1190 }
1191 if (gpg_err_code (err) == GPG_ERR_EOF)
1192 err = 0;
1193
1194 decoder_deinit (d);
1195 xfree (buf);
1196 return err;
1197 }
1198
1199
1200
1201
1202 gpg_error_t
_ksba_ber_decoder_decode(BerDecoder d,const char * start_name,unsigned int flags,AsnNode * r_root,unsigned char ** r_image,size_t * r_imagelen)1203 _ksba_ber_decoder_decode (BerDecoder d, const char *start_name,
1204 unsigned int flags,
1205 AsnNode *r_root,
1206 unsigned char **r_image, size_t *r_imagelen)
1207 {
1208 gpg_error_t err;
1209 AsnNode node;
1210 unsigned char *buf = NULL;
1211 size_t buflen = 0;
1212 unsigned long startoff;
1213
1214 if (!d)
1215 return gpg_error (GPG_ERR_INV_VALUE);
1216
1217 if (r_root)
1218 *r_root = NULL;
1219
1220 #ifdef HAVE_GETENV
1221 d->debug = !!getenv("KSBA_DEBUG_BER_DECODER");
1222 #else
1223 d->debug = 0;
1224 #endif
1225 d->honor_module_end = 1;
1226 d->use_image = 1;
1227 d->image.buf = NULL;
1228 d->fast_stop = !!(flags & BER_DECODER_FLAG_FAST_STOP);
1229
1230 startoff = ksba_reader_tell (d->reader);
1231
1232 err = decoder_init (d, start_name);
1233 if (err)
1234 return err;
1235
1236 while (!(err = decoder_next (d)))
1237 {
1238 node = d->val.node;
1239 /* Fixme: USE_IMAGE is only not used with the ber-dump utility
1240 and thus of no big use. We should remove the other code
1241 paths and dump ber-dump.c. */
1242 if (d->use_image)
1243 {
1244 if (node && !d->val.is_endtag)
1245 { /* We don't have nodes for the end tag - so don't store it */
1246 node->off = (ksba_reader_tell (d->reader)
1247 - d->val.nhdr - startoff);
1248 node->nhdr = d->val.nhdr;
1249 node->len = d->val.length;
1250 if (node->type == TYPE_ANY)
1251 node->actual_type = d->val.tag;
1252 }
1253 if (sum_a1_a2_gt_b (d->image.used, d->val.length, d->image.length))
1254 err = set_error(d, NULL, "TLV length too large");
1255 else if (d->val.primitive)
1256 {
1257 if( read_buffer (d->reader,
1258 d->image.buf + d->image.used, d->val.length))
1259 err = eof_or_error (d, 1);
1260 else
1261 {
1262 size_t sum = d->image.used + d->val.length;
1263 if (sum < d->image.used)
1264 err = gpg_error (GPG_ERR_BAD_BER);
1265 else
1266 d->image.used = sum;
1267 }
1268 }
1269 }
1270 else if (node && d->val.primitive)
1271 {
1272 size_t n;
1273 int c;
1274
1275 if (!buf || buflen < d->val.length)
1276 {
1277 xfree (buf);
1278 buf = NULL;
1279 buflen = d->val.length + 100;
1280 if (buflen < d->val.length)
1281 err = gpg_error (GPG_ERR_BAD_BER);
1282 else if (buflen > MAX_IMAGE_LENGTH)
1283 err = gpg_error (GPG_ERR_TOO_LARGE);
1284 else
1285 {
1286 buf = xtrymalloc (buflen);
1287 if (!buf)
1288 err = gpg_error_from_syserror ();
1289 }
1290 }
1291
1292 for (n=0; !err && n < d->val.length; n++)
1293 {
1294 if ( (c=read_byte (d->reader)) == -1)
1295 err = eof_or_error (d, 1);
1296 buf[n] = c;
1297 }
1298 if (err)
1299 break;
1300
1301 switch (node->type)
1302 {
1303 default:
1304 _ksba_asn_set_value (node, VALTYPE_MEM, buf, n);
1305 break;
1306 }
1307 }
1308 else
1309 {
1310 err = decoder_skip (d);
1311 }
1312 if (err)
1313 break;
1314 }
1315 if (gpg_err_code (err) == GPG_ERR_EOF)
1316 err = 0;
1317
1318 if (err)
1319 xfree (d->image.buf);
1320
1321 if (r_root && !err)
1322 {
1323 if (!d->image.buf)
1324 { /* Not even the first node available - return eof */
1325 _ksba_asn_release_nodes (d->root);
1326 d->root = NULL;
1327 err = gpg_error (GPG_ERR_EOF);
1328 }
1329
1330 fixup_type_any (d->root);
1331 *r_root = d->root;
1332 d->root = NULL;
1333 *r_image = d->image.buf;
1334 d->image.buf = NULL;
1335 *r_imagelen = d->image.used;
1336 if (d->debug)
1337 {
1338 fputs ("Value Tree:\n", stderr);
1339 _ksba_asn_node_dump_all (*r_root, stderr);
1340 }
1341 }
1342
1343 decoder_deinit (d);
1344 xfree (buf);
1345 return err;
1346 }
1347