1 /* $OpenBSD: tasn_dec.c,v 1.24 2014/06/12 15:49:27 deraadt Exp $ */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2000. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 60 #include <stddef.h> 61 #include <string.h> 62 #include <openssl/asn1.h> 63 #include <openssl/asn1t.h> 64 #include <openssl/objects.h> 65 #include <openssl/buffer.h> 66 #include <openssl/err.h> 67 68 static int asn1_check_eoc(const unsigned char **in, long len); 69 static int asn1_find_end(const unsigned char **in, long len, char inf); 70 71 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 72 char inf, int tag, int aclass, int depth); 73 74 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); 75 76 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 77 char *inf, char *cst, const unsigned char **in, long len, int exptag, 78 int expclass, char opt, ASN1_TLC *ctx); 79 80 static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, 81 long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx); 82 static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, 83 long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx); 84 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, 85 long len, const ASN1_ITEM *it, int tag, int aclass, char opt, 86 ASN1_TLC *ctx); 87 88 /* Table to convert tags to bit values, used for MSTRING type */ 89 static const unsigned long tag2bit[32] = { 90 0, 0, 0, B_ASN1_BIT_STRING, /* tags 0 - 3 */ 91 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,/* tags 4- 7 */ 92 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags 8-11 */ 93 B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */ 94 B_ASN1_SEQUENCE,0,B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */ 95 B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING, /* tags 20-22 */ 96 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 23-24 */ 97 B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING, /* tags 25-27 */ 98 B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */ 99 }; 100 101 unsigned long 102 ASN1_tag2bit(int tag) 103 { 104 if ((tag < 0) || (tag > 30)) 105 return 0; 106 return tag2bit[tag]; 107 } 108 109 /* Macro to initialize and invalidate the cache */ 110 111 #define asn1_tlc_clear(c) if (c) (c)->valid = 0 112 /* Version to avoid compiler warning about 'c' always non-NULL */ 113 #define asn1_tlc_clear_nc(c) (c)->valid = 0 114 115 /* Decode an ASN1 item, this currently behaves just 116 * like a standard 'd2i' function. 'in' points to 117 * a buffer to read the data from, in future we will 118 * have more advanced versions that can input data 119 * a piece at a time and this will simply be a special 120 * case. 121 */ 122 123 ASN1_VALUE * 124 ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 125 const ASN1_ITEM *it) 126 { 127 ASN1_TLC c; 128 ASN1_VALUE *ptmpval = NULL; 129 130 if (!pval) 131 pval = &ptmpval; 132 asn1_tlc_clear_nc(&c); 133 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 134 return *pval; 135 return NULL; 136 } 137 138 int 139 ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 140 const ASN1_TEMPLATE *tt) 141 { 142 ASN1_TLC c; 143 144 asn1_tlc_clear_nc(&c); 145 return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); 146 } 147 148 149 /* Decode an item, taking care of IMPLICIT tagging, if any. 150 * If 'opt' set and tag mismatch return -1 to handle OPTIONAL 151 */ 152 153 int 154 ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 155 const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) 156 { 157 const ASN1_TEMPLATE *tt, *errtt = NULL; 158 const ASN1_COMPAT_FUNCS *cf; 159 const ASN1_EXTERN_FUNCS *ef; 160 const ASN1_AUX *aux = it->funcs; 161 ASN1_aux_cb *asn1_cb; 162 const unsigned char *p = NULL, *q; 163 unsigned char *wp = NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ 164 unsigned char imphack = 0, oclass; 165 char seq_eoc, seq_nolen, cst, isopt; 166 long tmplen; 167 int i; 168 int otag; 169 int ret = 0; 170 ASN1_VALUE **pchptr, *ptmpval; 171 172 if (!pval) 173 return 0; 174 175 if (aux && aux->asn1_cb) 176 asn1_cb = aux->asn1_cb; 177 else 178 asn1_cb = 0; 179 180 switch (it->itype) { 181 case ASN1_ITYPE_PRIMITIVE: 182 if (it->templates) { 183 /* tagging or OPTIONAL is currently illegal on an item 184 * template because the flags can't get passed down. 185 * In practice this isn't a problem: we include the 186 * relevant flags from the item template in the 187 * template itself. 188 */ 189 if ((tag != -1) || opt) { 190 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 191 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); 192 goto err; 193 } 194 return asn1_template_ex_d2i(pval, in, len, 195 it->templates, opt, ctx); 196 } 197 return asn1_d2i_ex_primitive(pval, in, len, it, 198 tag, aclass, opt, ctx); 199 break; 200 201 case ASN1_ITYPE_MSTRING: 202 p = *in; 203 /* Just read in tag and class */ 204 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, 205 &p, len, -1, 0, 1, ctx); 206 if (!ret) { 207 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 208 ERR_R_NESTED_ASN1_ERROR); 209 goto err; 210 } 211 212 /* Must be UNIVERSAL class */ 213 if (oclass != V_ASN1_UNIVERSAL) { 214 /* If OPTIONAL, assume this is OK */ 215 if (opt) 216 return -1; 217 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 218 ASN1_R_MSTRING_NOT_UNIVERSAL); 219 goto err; 220 } 221 /* Check tag matches bit map */ 222 if (!(ASN1_tag2bit(otag) & it->utype)) { 223 /* If OPTIONAL, assume this is OK */ 224 if (opt) 225 return -1; 226 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 227 ASN1_R_MSTRING_WRONG_TAG); 228 goto err; 229 } 230 return asn1_d2i_ex_primitive(pval, in, len, 231 it, otag, 0, 0, ctx); 232 233 case ASN1_ITYPE_EXTERN: 234 /* Use new style d2i */ 235 ef = it->funcs; 236 return ef->asn1_ex_d2i(pval, in, len, 237 it, tag, aclass, opt, ctx); 238 239 case ASN1_ITYPE_COMPAT: 240 /* we must resort to old style evil hackery */ 241 cf = it->funcs; 242 243 /* If OPTIONAL see if it is there */ 244 if (opt) { 245 int exptag; 246 p = *in; 247 if (tag == -1) 248 exptag = it->utype; 249 else 250 exptag = tag; 251 /* Don't care about anything other than presence 252 * of expected tag */ 253 254 ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, 255 &p, len, exptag, aclass, 1, ctx); 256 if (!ret) { 257 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 258 ERR_R_NESTED_ASN1_ERROR); 259 goto err; 260 } 261 if (ret == -1) 262 return -1; 263 } 264 265 /* This is the old style evil hack IMPLICIT handling: 266 * since the underlying code is expecting a tag and 267 * class other than the one present we change the 268 * buffer temporarily then change it back afterwards. 269 * This doesn't and never did work for tags > 30. 270 * 271 * Yes this is *horrible* but it is only needed for 272 * old style d2i which will hopefully not be around 273 * for much longer. 274 * FIXME: should copy the buffer then modify it so 275 * the input buffer can be const: we should *always* 276 * copy because the old style d2i might modify the 277 * buffer. 278 */ 279 280 if (tag != -1) { 281 wp = *(unsigned char **)in; 282 imphack = *wp; 283 if (p == NULL) { 284 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 285 ERR_R_NESTED_ASN1_ERROR); 286 goto err; 287 } 288 *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) | 289 it->utype); 290 } 291 292 ptmpval = cf->asn1_d2i(pval, in, len); 293 294 if (tag != -1) 295 *wp = imphack; 296 297 if (ptmpval) 298 return 1; 299 300 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 301 goto err; 302 303 case ASN1_ITYPE_CHOICE: 304 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) 305 goto auxerr; 306 307 /* Allocate structure */ 308 if (!*pval && !ASN1_item_ex_new(pval, it)) { 309 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 310 ERR_R_NESTED_ASN1_ERROR); 311 goto err; 312 } 313 /* CHOICE type, try each possibility in turn */ 314 p = *in; 315 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { 316 pchptr = asn1_get_field_ptr(pval, tt); 317 /* We mark field as OPTIONAL so its absence 318 * can be recognised. 319 */ 320 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); 321 /* If field not present, try the next one */ 322 if (ret == -1) 323 continue; 324 /* If positive return, read OK, break loop */ 325 if (ret > 0) 326 break; 327 /* Otherwise must be an ASN1 parsing error */ 328 errtt = tt; 329 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 330 ERR_R_NESTED_ASN1_ERROR); 331 goto err; 332 } 333 334 /* Did we fall off the end without reading anything? */ 335 if (i == it->tcount) { 336 /* If OPTIONAL, this is OK */ 337 if (opt) { 338 /* Free and zero it */ 339 ASN1_item_ex_free(pval, it); 340 return -1; 341 } 342 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 343 ASN1_R_NO_MATCHING_CHOICE_TYPE); 344 goto err; 345 } 346 347 asn1_set_choice_selector(pval, i, it); 348 *in = p; 349 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) 350 goto auxerr; 351 return 1; 352 353 case ASN1_ITYPE_NDEF_SEQUENCE: 354 case ASN1_ITYPE_SEQUENCE: 355 p = *in; 356 tmplen = len; 357 358 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ 359 if (tag == -1) { 360 tag = V_ASN1_SEQUENCE; 361 aclass = V_ASN1_UNIVERSAL; 362 } 363 /* Get SEQUENCE length and update len, p */ 364 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, 365 &p, len, tag, aclass, opt, ctx); 366 if (!ret) { 367 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 368 ERR_R_NESTED_ASN1_ERROR); 369 goto err; 370 } else if (ret == -1) 371 return -1; 372 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) { 373 len = tmplen - (p - *in); 374 seq_nolen = 1; 375 } 376 /* If indefinite we don't do a length check */ 377 else 378 seq_nolen = seq_eoc; 379 if (!cst) { 380 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 381 ASN1_R_SEQUENCE_NOT_CONSTRUCTED); 382 goto err; 383 } 384 385 if (!*pval && !ASN1_item_ex_new(pval, it)) { 386 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 387 ERR_R_NESTED_ASN1_ERROR); 388 goto err; 389 } 390 391 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) 392 goto auxerr; 393 394 /* Get each field entry */ 395 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { 396 const ASN1_TEMPLATE *seqtt; 397 ASN1_VALUE **pseqval; 398 seqtt = asn1_do_adb(pval, tt, 1); 399 if (!seqtt) 400 goto err; 401 pseqval = asn1_get_field_ptr(pval, seqtt); 402 /* Have we ran out of data? */ 403 if (!len) 404 break; 405 q = p; 406 if (asn1_check_eoc(&p, len)) { 407 if (!seq_eoc) { 408 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 409 ASN1_R_UNEXPECTED_EOC); 410 goto err; 411 } 412 len -= p - q; 413 seq_eoc = 0; 414 q = p; 415 break; 416 } 417 /* This determines the OPTIONAL flag value. The field 418 * cannot be omitted if it is the last of a SEQUENCE 419 * and there is still data to be read. This isn't 420 * strictly necessary but it increases efficiency in 421 * some cases. 422 */ 423 if (i == (it->tcount - 1)) 424 isopt = 0; 425 else 426 isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); 427 /* attempt to read in field, allowing each to be 428 * OPTIONAL */ 429 430 ret = asn1_template_ex_d2i(pseqval, &p, len, 431 seqtt, isopt, ctx); 432 if (!ret) { 433 errtt = seqtt; 434 goto err; 435 } else if (ret == -1) { 436 /* OPTIONAL component absent. 437 * Free and zero the field. 438 */ 439 ASN1_template_free(pseqval, seqtt); 440 continue; 441 } 442 /* Update length */ 443 len -= p - q; 444 } 445 446 /* Check for EOC if expecting one */ 447 if (seq_eoc && !asn1_check_eoc(&p, len)) { 448 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC); 449 goto err; 450 } 451 /* Check all data read */ 452 if (!seq_nolen && len) { 453 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 454 ASN1_R_SEQUENCE_LENGTH_MISMATCH); 455 goto err; 456 } 457 458 /* If we get here we've got no more data in the SEQUENCE, 459 * however we may not have read all fields so check all 460 * remaining are OPTIONAL and clear any that are. 461 */ 462 for (; i < it->tcount; tt++, i++) { 463 const ASN1_TEMPLATE *seqtt; 464 seqtt = asn1_do_adb(pval, tt, 1); 465 if (!seqtt) 466 goto err; 467 if (seqtt->flags & ASN1_TFLG_OPTIONAL) { 468 ASN1_VALUE **pseqval; 469 pseqval = asn1_get_field_ptr(pval, seqtt); 470 ASN1_template_free(pseqval, seqtt); 471 } else { 472 errtt = seqtt; 473 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 474 ASN1_R_FIELD_MISSING); 475 goto err; 476 } 477 } 478 /* Save encoding */ 479 if (!asn1_enc_save(pval, *in, p - *in, it)) 480 goto auxerr; 481 *in = p; 482 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) 483 goto auxerr; 484 return 1; 485 486 default: 487 return 0; 488 } 489 490 auxerr: 491 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); 492 err: 493 ASN1_item_ex_free(pval, it); 494 if (errtt) 495 ERR_asprintf_error_data("Field=%s, Type=%s", errtt->field_name, 496 it->sname); 497 else 498 ERR_asprintf_error_data("Type=%s", it->sname); 499 return 0; 500 } 501 502 /* Templates are handled with two separate functions. 503 * One handles any EXPLICIT tag and the other handles the rest. 504 */ 505 506 static int 507 asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen, 508 const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) 509 { 510 int flags, aclass; 511 int ret; 512 long len; 513 const unsigned char *p, *q; 514 char exp_eoc; 515 516 if (!val) 517 return 0; 518 flags = tt->flags; 519 aclass = flags & ASN1_TFLG_TAG_CLASS; 520 521 p = *in; 522 523 /* Check if EXPLICIT tag expected */ 524 if (flags & ASN1_TFLG_EXPTAG) { 525 char cst; 526 /* Need to work out amount of data available to the inner 527 * content and where it starts: so read in EXPLICIT header to 528 * get the info. 529 */ 530 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, 531 &p, inlen, tt->tag, aclass, opt, ctx); 532 q = p; 533 if (!ret) { 534 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 535 ERR_R_NESTED_ASN1_ERROR); 536 return 0; 537 } else if (ret == -1) 538 return -1; 539 if (!cst) { 540 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 541 ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); 542 return 0; 543 } 544 /* We've found the field so it can't be OPTIONAL now */ 545 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); 546 if (!ret) { 547 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 548 ERR_R_NESTED_ASN1_ERROR); 549 return 0; 550 } 551 /* We read the field in OK so update length */ 552 len -= p - q; 553 if (exp_eoc) { 554 /* If NDEF we must have an EOC here */ 555 if (!asn1_check_eoc(&p, len)) { 556 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 557 ASN1_R_MISSING_EOC); 558 goto err; 559 } 560 } else { 561 /* Otherwise we must hit the EXPLICIT tag end or its 562 * an error */ 563 if (len) { 564 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 565 ASN1_R_EXPLICIT_LENGTH_MISMATCH); 566 goto err; 567 } 568 } 569 } else 570 return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx); 571 572 *in = p; 573 return 1; 574 575 err: 576 ASN1_template_free(val, tt); 577 return 0; 578 } 579 580 static int 581 asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, 582 const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) 583 { 584 int flags, aclass; 585 int ret; 586 const unsigned char *p, *q; 587 588 if (!val) 589 return 0; 590 flags = tt->flags; 591 aclass = flags & ASN1_TFLG_TAG_CLASS; 592 593 p = *in; 594 q = p; 595 596 if (flags & ASN1_TFLG_SK_MASK) { 597 /* SET OF, SEQUENCE OF */ 598 int sktag, skaclass; 599 char sk_eoc; 600 /* First work out expected inner tag value */ 601 if (flags & ASN1_TFLG_IMPTAG) { 602 sktag = tt->tag; 603 skaclass = aclass; 604 } else { 605 skaclass = V_ASN1_UNIVERSAL; 606 if (flags & ASN1_TFLG_SET_OF) 607 sktag = V_ASN1_SET; 608 else 609 sktag = V_ASN1_SEQUENCE; 610 } 611 /* Get the tag */ 612 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, 613 &p, len, sktag, skaclass, opt, ctx); 614 if (!ret) { 615 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 616 ERR_R_NESTED_ASN1_ERROR); 617 return 0; 618 } else if (ret == -1) 619 return -1; 620 if (!*val) 621 *val = (ASN1_VALUE *)sk_new_null(); 622 else { 623 /* We've got a valid STACK: free up any items present */ 624 STACK_OF(ASN1_VALUE) *sktmp = 625 (STACK_OF(ASN1_VALUE) *)*val; 626 ASN1_VALUE *vtmp; 627 while (sk_ASN1_VALUE_num(sktmp) > 0) { 628 vtmp = sk_ASN1_VALUE_pop(sktmp); 629 ASN1_item_ex_free(&vtmp, 630 ASN1_ITEM_ptr(tt->item)); 631 } 632 } 633 634 if (!*val) { 635 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 636 ERR_R_MALLOC_FAILURE); 637 goto err; 638 } 639 640 /* Read as many items as we can */ 641 while (len > 0) { 642 ASN1_VALUE *skfield; 643 q = p; 644 /* See if EOC found */ 645 if (asn1_check_eoc(&p, len)) { 646 if (!sk_eoc) { 647 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 648 ASN1_R_UNEXPECTED_EOC); 649 goto err; 650 } 651 len -= p - q; 652 sk_eoc = 0; 653 break; 654 } 655 skfield = NULL; 656 if (!ASN1_item_ex_d2i(&skfield, &p, len, 657 ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) { 658 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 659 ERR_R_NESTED_ASN1_ERROR); 660 goto err; 661 } 662 len -= p - q; 663 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, 664 skfield)) { 665 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 666 ERR_R_MALLOC_FAILURE); 667 goto err; 668 } 669 } 670 if (sk_eoc) { 671 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 672 ASN1_R_MISSING_EOC); 673 goto err; 674 } 675 } else if (flags & ASN1_TFLG_IMPTAG) { 676 /* IMPLICIT tagging */ 677 ret = ASN1_item_ex_d2i(val, &p, len, 678 ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); 679 if (!ret) { 680 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 681 ERR_R_NESTED_ASN1_ERROR); 682 goto err; 683 } else if (ret == -1) 684 return -1; 685 } else { 686 /* Nothing special */ 687 ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), 688 -1, 0, opt, ctx); 689 if (!ret) { 690 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 691 ERR_R_NESTED_ASN1_ERROR); 692 goto err; 693 } else if (ret == -1) 694 return -1; 695 } 696 697 *in = p; 698 return 1; 699 700 err: 701 ASN1_template_free(val, tt); 702 return 0; 703 } 704 705 static int 706 asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long inlen, 707 const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) 708 { 709 int ret = 0, utype; 710 long plen; 711 char cst, inf, free_cont = 0; 712 const unsigned char *p; 713 BUF_MEM buf; 714 const unsigned char *cont = NULL; 715 long len; 716 717 if (!pval) { 718 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL); 719 return 0; /* Should never happen */ 720 } 721 722 if (it->itype == ASN1_ITYPE_MSTRING) { 723 utype = tag; 724 tag = -1; 725 } else 726 utype = it->utype; 727 728 if (utype == V_ASN1_ANY) { 729 /* If type is ANY need to figure out type from tag */ 730 unsigned char oclass; 731 if (tag >= 0) { 732 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 733 ASN1_R_ILLEGAL_TAGGED_ANY); 734 return 0; 735 } 736 if (opt) { 737 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 738 ASN1_R_ILLEGAL_OPTIONAL_ANY); 739 return 0; 740 } 741 p = *in; 742 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, 743 &p, inlen, -1, 0, 0, ctx); 744 if (!ret) { 745 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 746 ERR_R_NESTED_ASN1_ERROR); 747 return 0; 748 } 749 if (oclass != V_ASN1_UNIVERSAL) 750 utype = V_ASN1_OTHER; 751 } 752 if (tag == -1) { 753 tag = utype; 754 aclass = V_ASN1_UNIVERSAL; 755 } 756 p = *in; 757 /* Check header */ 758 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, 759 &p, inlen, tag, aclass, opt, ctx); 760 if (!ret) { 761 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); 762 return 0; 763 } else if (ret == -1) 764 return -1; 765 ret = 0; 766 /* SEQUENCE, SET and "OTHER" are left in encoded form */ 767 if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || 768 (utype == V_ASN1_OTHER)) { 769 /* Clear context cache for type OTHER because the auto clear 770 * when we have a exact match wont work 771 */ 772 if (utype == V_ASN1_OTHER) { 773 asn1_tlc_clear(ctx); 774 } 775 /* SEQUENCE and SET must be constructed */ 776 else if (!cst) { 777 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 778 ASN1_R_TYPE_NOT_CONSTRUCTED); 779 return 0; 780 } 781 782 cont = *in; 783 /* If indefinite length constructed find the real end */ 784 if (inf) { 785 if (!asn1_find_end(&p, plen, inf)) 786 goto err; 787 len = p - cont; 788 } else { 789 len = p - cont + plen; 790 p += plen; 791 buf.data = NULL; 792 } 793 } else if (cst) { 794 buf.length = 0; 795 buf.max = 0; 796 buf.data = NULL; 797 /* Should really check the internal tags are correct but 798 * some things may get this wrong. The relevant specs 799 * say that constructed string types should be OCTET STRINGs 800 * internally irrespective of the type. So instead just check 801 * for UNIVERSAL class and ignore the tag. 802 */ 803 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) { 804 free_cont = 1; 805 goto err; 806 } 807 len = buf.length; 808 /* Append a final null to string */ 809 if (!BUF_MEM_grow_clean(&buf, len + 1)) { 810 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 811 ERR_R_MALLOC_FAILURE); 812 return 0; 813 } 814 buf.data[len] = 0; 815 cont = (const unsigned char *)buf.data; 816 free_cont = 1; 817 } else { 818 cont = p; 819 len = plen; 820 p += plen; 821 } 822 823 /* We now have content length and type: translate into a structure */ 824 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) 825 goto err; 826 827 *in = p; 828 ret = 1; 829 830 err: 831 if (free_cont && buf.data) 832 free(buf.data); 833 return ret; 834 } 835 836 /* Translate ASN1 content octets into a structure */ 837 838 int 839 asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, 840 char *free_cont, const ASN1_ITEM *it) 841 { 842 ASN1_VALUE **opval = NULL; 843 ASN1_STRING *stmp; 844 ASN1_TYPE *typ = NULL; 845 int ret = 0; 846 const ASN1_PRIMITIVE_FUNCS *pf; 847 ASN1_INTEGER **tint; 848 849 pf = it->funcs; 850 851 if (pf && pf->prim_c2i) 852 return pf->prim_c2i(pval, cont, len, utype, free_cont, it); 853 /* If ANY type clear type and set pointer to internal value */ 854 if (it->utype == V_ASN1_ANY) { 855 if (!*pval) { 856 typ = ASN1_TYPE_new(); 857 if (typ == NULL) 858 goto err; 859 *pval = (ASN1_VALUE *)typ; 860 } else 861 typ = (ASN1_TYPE *)*pval; 862 863 if (utype != typ->type) 864 ASN1_TYPE_set(typ, utype, NULL); 865 opval = pval; 866 pval = &typ->value.asn1_value; 867 } 868 switch (utype) { 869 case V_ASN1_OBJECT: 870 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) 871 goto err; 872 break; 873 874 case V_ASN1_NULL: 875 if (len) { 876 ASN1err(ASN1_F_ASN1_EX_C2I, 877 ASN1_R_NULL_IS_WRONG_LENGTH); 878 goto err; 879 } 880 *pval = (ASN1_VALUE *)1; 881 break; 882 883 case V_ASN1_BOOLEAN: 884 if (len != 1) { 885 ASN1err(ASN1_F_ASN1_EX_C2I, 886 ASN1_R_BOOLEAN_IS_WRONG_LENGTH); 887 goto err; 888 } else { 889 ASN1_BOOLEAN *tbool; 890 tbool = (ASN1_BOOLEAN *)pval; 891 *tbool = *cont; 892 } 893 break; 894 895 case V_ASN1_BIT_STRING: 896 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) 897 goto err; 898 break; 899 900 case V_ASN1_INTEGER: 901 case V_ASN1_NEG_INTEGER: 902 case V_ASN1_ENUMERATED: 903 case V_ASN1_NEG_ENUMERATED: 904 tint = (ASN1_INTEGER **)pval; 905 if (!c2i_ASN1_INTEGER(tint, &cont, len)) 906 goto err; 907 /* Fixup type to match the expected form */ 908 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); 909 break; 910 911 case V_ASN1_OCTET_STRING: 912 case V_ASN1_NUMERICSTRING: 913 case V_ASN1_PRINTABLESTRING: 914 case V_ASN1_T61STRING: 915 case V_ASN1_VIDEOTEXSTRING: 916 case V_ASN1_IA5STRING: 917 case V_ASN1_UTCTIME: 918 case V_ASN1_GENERALIZEDTIME: 919 case V_ASN1_GRAPHICSTRING: 920 case V_ASN1_VISIBLESTRING: 921 case V_ASN1_GENERALSTRING: 922 case V_ASN1_UNIVERSALSTRING: 923 case V_ASN1_BMPSTRING: 924 case V_ASN1_UTF8STRING: 925 case V_ASN1_OTHER: 926 case V_ASN1_SET: 927 case V_ASN1_SEQUENCE: 928 default: 929 if (utype == V_ASN1_BMPSTRING && (len & 1)) { 930 ASN1err(ASN1_F_ASN1_EX_C2I, 931 ASN1_R_BMPSTRING_IS_WRONG_LENGTH); 932 goto err; 933 } 934 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) { 935 ASN1err(ASN1_F_ASN1_EX_C2I, 936 ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); 937 goto err; 938 } 939 /* All based on ASN1_STRING and handled the same */ 940 if (!*pval) { 941 stmp = ASN1_STRING_type_new(utype); 942 if (!stmp) { 943 ASN1err(ASN1_F_ASN1_EX_C2I, 944 ERR_R_MALLOC_FAILURE); 945 goto err; 946 } 947 *pval = (ASN1_VALUE *)stmp; 948 } else { 949 stmp = (ASN1_STRING *)*pval; 950 stmp->type = utype; 951 } 952 /* If we've already allocated a buffer use it */ 953 if (*free_cont) { 954 free(stmp->data); 955 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ 956 stmp->length = len; 957 *free_cont = 0; 958 } else { 959 if (!ASN1_STRING_set(stmp, cont, len)) { 960 ASN1err(ASN1_F_ASN1_EX_C2I, 961 ERR_R_MALLOC_FAILURE); 962 ASN1_STRING_free(stmp); 963 *pval = NULL; 964 goto err; 965 } 966 } 967 break; 968 } 969 /* If ASN1_ANY and NULL type fix up value */ 970 if (typ && (utype == V_ASN1_NULL)) 971 typ->value.ptr = NULL; 972 973 ret = 1; 974 975 err: 976 if (!ret) { 977 ASN1_TYPE_free(typ); 978 if (opval) 979 *opval = NULL; 980 } 981 return ret; 982 } 983 984 985 /* This function finds the end of an ASN1 structure when passed its maximum 986 * length, whether it is indefinite length and a pointer to the content. 987 * This is more efficient than calling asn1_collect because it does not 988 * recurse on each indefinite length header. 989 */ 990 991 static int 992 asn1_find_end(const unsigned char **in, long len, char inf) 993 { 994 int expected_eoc; 995 long plen; 996 const unsigned char *p = *in, *q; 997 998 /* If not indefinite length constructed just add length */ 999 if (inf == 0) { 1000 *in += len; 1001 return 1; 1002 } 1003 expected_eoc = 1; 1004 /* Indefinite length constructed form. Find the end when enough EOCs 1005 * are found. If more indefinite length constructed headers 1006 * are encountered increment the expected eoc count otherwise just 1007 * skip to the end of the data. 1008 */ 1009 while (len > 0) { 1010 if (asn1_check_eoc(&p, len)) { 1011 expected_eoc--; 1012 if (expected_eoc == 0) 1013 break; 1014 len -= 2; 1015 continue; 1016 } 1017 q = p; 1018 /* Just read in a header: only care about the length */ 1019 if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, 1020 -1, 0, 0, NULL)) { 1021 ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR); 1022 return 0; 1023 } 1024 if (inf) 1025 expected_eoc++; 1026 else 1027 p += plen; 1028 len -= p - q; 1029 } 1030 if (expected_eoc) { 1031 ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC); 1032 return 0; 1033 } 1034 *in = p; 1035 return 1; 1036 } 1037 /* This function collects the asn1 data from a constructred string 1038 * type into a buffer. The values of 'in' and 'len' should refer 1039 * to the contents of the constructed type and 'inf' should be set 1040 * if it is indefinite length. 1041 */ 1042 1043 #ifndef ASN1_MAX_STRING_NEST 1044 /* This determines how many levels of recursion are permitted in ASN1 1045 * string types. If it is not limited stack overflows can occur. If set 1046 * to zero no recursion is allowed at all. Although zero should be adequate 1047 * examples exist that require a value of 1. So 5 should be more than enough. 1048 */ 1049 #define ASN1_MAX_STRING_NEST 5 1050 #endif 1051 1052 static int 1053 asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, char inf, 1054 int tag, int aclass, int depth) 1055 { 1056 const unsigned char *p, *q; 1057 long plen; 1058 char cst, ininf; 1059 1060 p = *in; 1061 inf &= 1; 1062 /* If no buffer and not indefinite length constructed just pass over 1063 * the encoded data */ 1064 if (!buf && !inf) { 1065 *in += len; 1066 return 1; 1067 } 1068 while (len > 0) { 1069 q = p; 1070 /* Check for EOC */ 1071 if (asn1_check_eoc(&p, len)) { 1072 /* EOC is illegal outside indefinite length 1073 * constructed form */ 1074 if (!inf) { 1075 ASN1err(ASN1_F_ASN1_COLLECT, 1076 ASN1_R_UNEXPECTED_EOC); 1077 return 0; 1078 } 1079 inf = 0; 1080 break; 1081 } 1082 1083 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, 1084 len, tag, aclass, 0, NULL)) { 1085 ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR); 1086 return 0; 1087 } 1088 1089 /* If indefinite length constructed update max length */ 1090 if (cst) { 1091 if (depth >= ASN1_MAX_STRING_NEST) { 1092 ASN1err(ASN1_F_ASN1_COLLECT, 1093 ASN1_R_NESTED_ASN1_STRING); 1094 return 0; 1095 } 1096 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, 1097 depth + 1)) 1098 return 0; 1099 } else if (plen && !collect_data(buf, &p, plen)) 1100 return 0; 1101 len -= p - q; 1102 } 1103 if (inf) { 1104 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC); 1105 return 0; 1106 } 1107 *in = p; 1108 return 1; 1109 } 1110 1111 static int 1112 collect_data(BUF_MEM *buf, const unsigned char **p, long plen) 1113 { 1114 int len; 1115 if (buf) { 1116 len = buf->length; 1117 if (!BUF_MEM_grow_clean(buf, len + plen)) { 1118 ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE); 1119 return 0; 1120 } 1121 memcpy(buf->data + len, *p, plen); 1122 } 1123 *p += plen; 1124 return 1; 1125 } 1126 1127 /* Check for ASN1 EOC and swallow it if found */ 1128 1129 static int 1130 asn1_check_eoc(const unsigned char **in, long len) 1131 { 1132 const unsigned char *p; 1133 1134 if (len < 2) 1135 return 0; 1136 p = *in; 1137 if (!p[0] && !p[1]) { 1138 *in += 2; 1139 return 1; 1140 } 1141 return 0; 1142 } 1143 1144 /* Check an ASN1 tag and length: a bit like ASN1_get_object 1145 * but it sets the length for indefinite length constructed 1146 * form, we don't know the exact length but we can set an 1147 * upper bound to the amount of data available minus the 1148 * header length just read. 1149 */ 1150 1151 static int 1152 asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, 1153 char *cst, const unsigned char **in, long len, int exptag, int expclass, 1154 char opt, ASN1_TLC *ctx) 1155 { 1156 int i; 1157 int ptag, pclass; 1158 long plen; 1159 const unsigned char *p, *q; 1160 1161 p = *in; 1162 q = p; 1163 1164 if (ctx && ctx->valid) { 1165 i = ctx->ret; 1166 plen = ctx->plen; 1167 pclass = ctx->pclass; 1168 ptag = ctx->ptag; 1169 p += ctx->hdrlen; 1170 } else { 1171 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); 1172 if (ctx) { 1173 ctx->ret = i; 1174 ctx->plen = plen; 1175 ctx->pclass = pclass; 1176 ctx->ptag = ptag; 1177 ctx->hdrlen = p - q; 1178 ctx->valid = 1; 1179 /* If definite length, and no error, length + 1180 * header can't exceed total amount of data available. 1181 */ 1182 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) { 1183 ASN1err(ASN1_F_ASN1_CHECK_TLEN, 1184 ASN1_R_TOO_LONG); 1185 asn1_tlc_clear(ctx); 1186 return 0; 1187 } 1188 } 1189 } 1190 1191 if (i & 0x80) { 1192 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER); 1193 asn1_tlc_clear(ctx); 1194 return 0; 1195 } 1196 if (exptag >= 0) { 1197 if ((exptag != ptag) || (expclass != pclass)) { 1198 /* If type is OPTIONAL, not an error: 1199 * indicate missing type. 1200 */ 1201 if (opt) 1202 return -1; 1203 asn1_tlc_clear(ctx); 1204 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG); 1205 return 0; 1206 } 1207 /* We have a tag and class match: 1208 * assume we are going to do something with it */ 1209 asn1_tlc_clear(ctx); 1210 } 1211 1212 if (i & 1) 1213 plen = len - (p - q); 1214 if (inf) 1215 *inf = i & 1; 1216 if (cst) 1217 *cst = i & V_ASN1_CONSTRUCTED; 1218 if (olen) 1219 *olen = plen; 1220 if (oclass) 1221 *oclass = pclass; 1222 if (otag) 1223 *otag = ptag; 1224 1225 *in = p; 1226 return 1; 1227 } 1228