]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/asn1/tasn_dec.c
projects / thirdparty / openssl.git / blob
? search:


9a210e221f7d6e7be6639a128b69a7665eda37c7
[thirdparty/openssl.git] / crypto / asn1 / tasn_dec.c
1 /*
2 * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stddef.h>
11 #include <string.h>
12 #include <openssl/asn1.h>
13 #include <openssl/asn1t.h>
14 #include <openssl/objects.h>
15 #include <openssl/buffer.h>
16 #include <openssl/err.h>
17 #include "internal/numbers.h"
18 #include "asn1_local.h"
19
20 /*
21 * Constructed types with a recursive definition (such as can be found in PKCS7)
22 * could eventually exceed the stack given malicious input with excessive
23 * recursion. Therefore we limit the stack depth. This is the maximum number of
24 * recursive invocations of asn1_item_embed_d2i().
25 */
26 #define ASN1_MAX_CONSTRUCTED_NEST 30
27
28 static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
29 long len, const ASN1_ITEM *it,
30 int tag, int aclass, char opt, ASN1_TLC *ctx,
31 int depth);
32
33 static int asn1_check_eoc(const unsigned char **in, long len);
34 static int asn1_find_end(const unsigned char **in, long len, char inf);
35
36 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
37 char inf, int tag, int aclass, int depth);
38
39 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);
40
41 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
42 char *inf, char *cst,
43 const unsigned char **in, long len,
44 int exptag, int expclass, char opt, ASN1_TLC *ctx);
45
46 static int asn1_template_ex_d2i(ASN1_VALUE **pval,
47 const unsigned char **in, long len,
48 const ASN1_TEMPLATE *tt, char opt,
49 ASN1_TLC *ctx, int depth);
50 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
51 const unsigned char **in, long len,
52 const ASN1_TEMPLATE *tt, char opt,
53 ASN1_TLC *ctx, int depth);
54 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
55 const unsigned char **in, long len,
56 const ASN1_ITEM *it,
57 int tag, int aclass, char opt,
58 ASN1_TLC *ctx);
59 static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
60 int utype, char *free_cont, const ASN1_ITEM *it);
61
62 /* Table to convert tags to bit values, used for MSTRING type */
63 static const unsigned long tag2bit[32] = {
64 /* tags 0 - 3 */
65 0, 0, 0, B_ASN1_BIT_STRING,
66 /* tags 4- 7 */
67 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,
68 /* tags 8-11 */
69 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,
70 /* tags 12-15 */
71 B_ASN1_UTF8STRING, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,
72 /* tags 16-19 */
73 B_ASN1_SEQUENCE, 0, B_ASN1_NUMERICSTRING, B_ASN1_PRINTABLESTRING,
74 /* tags 20-22 */
75 B_ASN1_T61STRING, B_ASN1_VIDEOTEXSTRING, B_ASN1_IA5STRING,
76 /* tags 23-24 */
77 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME,
78 /* tags 25-27 */
79 B_ASN1_GRAPHICSTRING, B_ASN1_ISO64STRING, B_ASN1_GENERALSTRING,
80 /* tags 28-31 */
81 B_ASN1_UNIVERSALSTRING, B_ASN1_UNKNOWN, B_ASN1_BMPSTRING, B_ASN1_UNKNOWN,
82 };
83
84 unsigned long ASN1_tag2bit(int tag)
85 {
86 if ((tag < 0) || (tag > 30))
87 return 0;
88 return tag2bit[tag];
89 }
90
91 /* Macro to initialize and invalidate the cache */
92
93 #define asn1_tlc_clear(c) if (c) (c)->valid = 0
94 /* Version to avoid compiler warning about 'c' always non-NULL */
95 #define asn1_tlc_clear_nc(c) (c)->valid = 0
96
97 /*
98 * Decode an ASN1 item, this currently behaves just like a standard 'd2i'
99 * function. 'in' points to a buffer to read the data from, in future we
100 * will have more advanced versions that can input data a piece at a time and
101 * this will simply be a special case.
102 */
103
104 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
105 const unsigned char **in, long len,
106 const ASN1_ITEM *it)
107 {
108 ASN1_TLC c;
109 ASN1_VALUE *ptmpval = NULL;
110
111 if (pval == NULL)
112 pval = &ptmpval;
113 asn1_tlc_clear_nc(&c);
114 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
115 return *pval;
116 return NULL;
117 }
118
119 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
120 const ASN1_ITEM *it,
121 int tag, int aclass, char opt, ASN1_TLC *ctx)
122 {
123 int rv;
124 rv = asn1_item_embed_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
125 if (rv <= 0)
126 ASN1_item_ex_free(pval, it);
127 return rv;
128 }
129
130 /*
131 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
132 * tag mismatch return -1 to handle OPTIONAL
133 */
134
135 static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
136 long len, const ASN1_ITEM *it,
137 int tag, int aclass, char opt, ASN1_TLC *ctx,
138 int depth)
139 {
140 const ASN1_TEMPLATE *tt, *errtt = NULL;
141 const ASN1_EXTERN_FUNCS *ef;
142 const ASN1_AUX *aux = it->funcs;
143 ASN1_aux_cb *asn1_cb;
144 const unsigned char *p = NULL, *q;
145 unsigned char oclass;
146 char seq_eoc, seq_nolen, cst, isopt;
147 long tmplen;
148 int i;
149 int otag;
150 int ret = 0;
151 ASN1_VALUE **pchptr;
152
153 if (pval == NULL)
154 return 0;
155 if (aux && aux->asn1_cb)
156 asn1_cb = aux->asn1_cb;
157 else
158 asn1_cb = 0;
159
160 if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
161 ERR_raise(ERR_LIB_ASN1, ASN1_R_NESTED_TOO_DEEP);
162 goto err;
163 }
164
165 switch (it->itype) {
166 case ASN1_ITYPE_PRIMITIVE:
167 if (it->templates) {
168 /*
169 * tagging or OPTIONAL is currently illegal on an item template
170 * because the flags can't get passed down. In practice this
171 * isn't a problem: we include the relevant flags from the item
172 * template in the template itself.
173 */
174 if ((tag != -1) || opt) {
175 ERR_raise(ERR_LIB_ASN1,
176 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
177 goto err;
178 }
179 return asn1_template_ex_d2i(pval, in, len,
180 it->templates, opt, ctx, depth);
181 }
182 return asn1_d2i_ex_primitive(pval, in, len, it,
183 tag, aclass, opt, ctx);
184
185 case ASN1_ITYPE_MSTRING:
186 /*
187 * It never makes sense for multi-strings to have implicit tagging, so
188 * if tag != -1, then this looks like an error in the template.
189 */
190 if (tag != -1) {
191 ERR_raise(ERR_LIB_ASN1, ASN1_R_BAD_TEMPLATE);
192 goto err;
193 }
194
195 p = *in;
196 /* Just read in tag and class */
197 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
198 &p, len, -1, 0, 1, ctx);
199 if (!ret) {
200 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
201 goto err;
202 }
203
204 /* Must be UNIVERSAL class */
205 if (oclass != V_ASN1_UNIVERSAL) {
206 /* If OPTIONAL, assume this is OK */
207 if (opt)
208 return -1;
209 ERR_raise(ERR_LIB_ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL);
210 goto err;
211 }
212
213 /* Check tag matches bit map */
214 if (!(ASN1_tag2bit(otag) & it->utype)) {
215 /* If OPTIONAL, assume this is OK */
216 if (opt)
217 return -1;
218 ERR_raise(ERR_LIB_ASN1, ASN1_R_MSTRING_WRONG_TAG);
219 goto err;
220 }
221 return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
222
223 case ASN1_ITYPE_EXTERN:
224 /* Use new style d2i */
225 ef = it->funcs;
226 return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
227
228 case ASN1_ITYPE_CHOICE:
229 /*
230 * It never makes sense for CHOICE types to have implicit tagging, so
231 * if tag != -1, then this looks like an error in the template.
232 */
233 if (tag != -1) {
234 ERR_raise(ERR_LIB_ASN1, ASN1_R_BAD_TEMPLATE);
235 goto err;
236 }
237
238 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
239 goto auxerr;
240 if (*pval) {
241 /* Free up and zero CHOICE value if initialised */
242 i = asn1_get_choice_selector(pval, it);
243 if ((i >= 0) && (i < it->tcount)) {
244 tt = it->templates + i;
245 pchptr = asn1_get_field_ptr(pval, tt);
246 asn1_template_free(pchptr, tt);
247 asn1_set_choice_selector(pval, -1, it);
248 }
249 } else if (!ASN1_item_ex_new(pval, it)) {
250 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
251 goto err;
252 }
253 /* CHOICE type, try each possibility in turn */
254 p = *in;
255 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
256 pchptr = asn1_get_field_ptr(pval, tt);
257 /*
258 * We mark field as OPTIONAL so its absence can be recognised.
259 */
260 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
261 /* If field not present, try the next one */
262 if (ret == -1)
263 continue;
264 /* If positive return, read OK, break loop */
265 if (ret > 0)
266 break;
267 /*
268 * Must be an ASN1 parsing error.
269 * Free up any partial choice value
270 */
271 asn1_template_free(pchptr, tt);
272 errtt = tt;
273 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
274 goto err;
275 }
276
277 /* Did we fall off the end without reading anything? */
278 if (i == it->tcount) {
279 /* If OPTIONAL, this is OK */
280 if (opt) {
281 /* Free and zero it */
282 ASN1_item_ex_free(pval, it);
283 return -1;
284 }
285 ERR_raise(ERR_LIB_ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE);
286 goto err;
287 }
288
289 asn1_set_choice_selector(pval, i, it);
290
291 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
292 goto auxerr;
293 *in = p;
294 return 1;
295
296 case ASN1_ITYPE_NDEF_SEQUENCE:
297 case ASN1_ITYPE_SEQUENCE:
298 p = *in;
299 tmplen = len;
300
301 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
302 if (tag == -1) {
303 tag = V_ASN1_SEQUENCE;
304 aclass = V_ASN1_UNIVERSAL;
305 }
306 /* Get SEQUENCE length and update len, p */
307 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst,
308 &p, len, tag, aclass, opt, ctx);
309 if (!ret) {
310 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
311 goto err;
312 } else if (ret == -1)
313 return -1;
314 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) {
315 len = tmplen - (p - *in);
316 seq_nolen = 1;
317 }
318 /* If indefinite we don't do a length check */
319 else
320 seq_nolen = seq_eoc;
321 if (!cst) {
322 ERR_raise(ERR_LIB_ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
323 goto err;
324 }
325
326 if (*pval == NULL && !ASN1_item_ex_new(pval, it)) {
327 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
328 goto err;
329 }
330
331 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
332 goto auxerr;
333
334 /* Free up and zero any ADB found */
335 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
336 if (tt->flags & ASN1_TFLG_ADB_MASK) {
337 const ASN1_TEMPLATE *seqtt;
338 ASN1_VALUE **pseqval;
339 seqtt = asn1_do_adb(*pval, tt, 0);
340 if (seqtt == NULL)
341 continue;
342 pseqval = asn1_get_field_ptr(pval, seqtt);
343 asn1_template_free(pseqval, seqtt);
344 }
345 }
346
347 /* Get each field entry */
348 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
349 const ASN1_TEMPLATE *seqtt;
350 ASN1_VALUE **pseqval;
351 seqtt = asn1_do_adb(*pval, tt, 1);
352 if (seqtt == NULL)
353 goto err;
354 pseqval = asn1_get_field_ptr(pval, seqtt);
355 /* Have we ran out of data? */
356 if (!len)
357 break;
358 q = p;
359 if (asn1_check_eoc(&p, len)) {
360 if (!seq_eoc) {
361 ERR_raise(ERR_LIB_ASN1, ASN1_R_UNEXPECTED_EOC);
362 goto err;
363 }
364 len -= p - q;
365 seq_eoc = 0;
366 break;
367 }
368 /*
369 * This determines the OPTIONAL flag value. The field cannot be
370 * omitted if it is the last of a SEQUENCE and there is still
371 * data to be read. This isn't strictly necessary but it
372 * increases efficiency in some cases.
373 */
374 if (i == (it->tcount - 1))
375 isopt = 0;
376 else
377 isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
378 /*
379 * attempt to read in field, allowing each to be OPTIONAL
380 */
381
382 ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
383 depth);
384 if (!ret) {
385 errtt = seqtt;
386 goto err;
387 } else if (ret == -1) {
388 /*
389 * OPTIONAL component absent. Free and zero the field.
390 */
391 asn1_template_free(pseqval, seqtt);
392 continue;
393 }
394 /* Update length */
395 len -= p - q;
396 }
397
398 /* Check for EOC if expecting one */
399 if (seq_eoc && !asn1_check_eoc(&p, len)) {
400 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
401 goto err;
402 }
403 /* Check all data read */
404 if (!seq_nolen && len) {
405 ERR_raise(ERR_LIB_ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
406 goto err;
407 }
408
409 /*
410 * If we get here we've got no more data in the SEQUENCE, however we
411 * may not have read all fields so check all remaining are OPTIONAL
412 * and clear any that are.
413 */
414 for (; i < it->tcount; tt++, i++) {
415 const ASN1_TEMPLATE *seqtt;
416 seqtt = asn1_do_adb(*pval, tt, 1);
417 if (seqtt == NULL)
418 goto err;
419 if (seqtt->flags & ASN1_TFLG_OPTIONAL) {
420 ASN1_VALUE **pseqval;
421 pseqval = asn1_get_field_ptr(pval, seqtt);
422 asn1_template_free(pseqval, seqtt);
423 } else {
424 errtt = seqtt;
425 ERR_raise(ERR_LIB_ASN1, ASN1_R_FIELD_MISSING);
426 goto err;
427 }
428 }
429 /* Save encoding */
430 if (!asn1_enc_save(pval, *in, p - *in, it))
431 goto auxerr;
432 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
433 goto auxerr;
434 *in = p;
435 return 1;
436
437 default:
438 return 0;
439 }
440 auxerr:
441 ERR_raise(ERR_LIB_ASN1, ASN1_R_AUX_ERROR);
442 err:
443 if (errtt)
444 ERR_add_error_data(4, "Field=", errtt->field_name,
445 ", Type=", it->sname);
446 else
447 ERR_add_error_data(2, "Type=", it->sname);
448 return 0;
449 }
450
451 /*
452 * Templates are handled with two separate functions. One handles any
453 * EXPLICIT tag and the other handles the rest.
454 */
455
456 static int asn1_template_ex_d2i(ASN1_VALUE **val,
457 const unsigned char **in, long inlen,
458 const ASN1_TEMPLATE *tt, char opt,
459 ASN1_TLC *ctx, int depth)
460 {
461 int flags, aclass;
462 int ret;
463 long len;
464 const unsigned char *p, *q;
465 char exp_eoc;
466 if (!val)
467 return 0;
468 flags = tt->flags;
469 aclass = flags & ASN1_TFLG_TAG_CLASS;
470
471 p = *in;
472
473 /* Check if EXPLICIT tag expected */
474 if (flags & ASN1_TFLG_EXPTAG) {
475 char cst;
476 /*
477 * Need to work out amount of data available to the inner content and
478 * where it starts: so read in EXPLICIT header to get the info.
479 */
480 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst,
481 &p, inlen, tt->tag, aclass, opt, ctx);
482 q = p;
483 if (!ret) {
484 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
485 return 0;
486 } else if (ret == -1)
487 return -1;
488 if (!cst) {
489 ERR_raise(ERR_LIB_ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
490 return 0;
491 }
492 /* We've found the field so it can't be OPTIONAL now */
493 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
494 if (!ret) {
495 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
496 return 0;
497 }
498 /* We read the field in OK so update length */
499 len -= p - q;
500 if (exp_eoc) {
501 /* If NDEF we must have an EOC here */
502 if (!asn1_check_eoc(&p, len)) {
503 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
504 goto err;
505 }
506 } else {
507 /*
508 * Otherwise we must hit the EXPLICIT tag end or its an error
509 */
510 if (len) {
511 ERR_raise(ERR_LIB_ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
512 goto err;
513 }
514 }
515 } else
516 return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
517
518 *in = p;
519 return 1;
520
521 err:
522 return 0;
523 }
524
525 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
526 const unsigned char **in, long len,
527 const ASN1_TEMPLATE *tt, char opt,
528 ASN1_TLC *ctx, int depth)
529 {
530 int flags, aclass;
531 int ret;
532 ASN1_VALUE *tval;
533 const unsigned char *p, *q;
534 if (!val)
535 return 0;
536 flags = tt->flags;
537 aclass = flags & ASN1_TFLG_TAG_CLASS;
538
539 p = *in;
540
541 /*
542 * If field is embedded then val needs fixing so it is a pointer to
543 * a pointer to a field.
544 */
545 if (tt->flags & ASN1_TFLG_EMBED) {
546 tval = (ASN1_VALUE *)val;
547 val = &tval;
548 }
549
550 if (flags & ASN1_TFLG_SK_MASK) {
551 /* SET OF, SEQUENCE OF */
552 int sktag, skaclass;
553 char sk_eoc;
554 /* First work out expected inner tag value */
555 if (flags & ASN1_TFLG_IMPTAG) {
556 sktag = tt->tag;
557 skaclass = aclass;
558 } else {
559 skaclass = V_ASN1_UNIVERSAL;
560 if (flags & ASN1_TFLG_SET_OF)
561 sktag = V_ASN1_SET;
562 else
563 sktag = V_ASN1_SEQUENCE;
564 }
565 /* Get the tag */
566 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL,
567 &p, len, sktag, skaclass, opt, ctx);
568 if (!ret) {
569 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
570 return 0;
571 } else if (ret == -1)
572 return -1;
573 if (*val == NULL)
574 *val = (ASN1_VALUE *)sk_ASN1_VALUE_new_null();
575 else {
576 /*
577 * We've got a valid STACK: free up any items present
578 */
579 STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val;
580 ASN1_VALUE *vtmp;
581 while (sk_ASN1_VALUE_num(sktmp) > 0) {
582 vtmp = sk_ASN1_VALUE_pop(sktmp);
583 ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));
584 }
585 }
586
587 if (*val == NULL) {
588 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
589 goto err;
590 }
591
592 /* Read as many items as we can */
593 while (len > 0) {
594 ASN1_VALUE *skfield;
595 q = p;
596 /* See if EOC found */
597 if (asn1_check_eoc(&p, len)) {
598 if (!sk_eoc) {
599 ERR_raise(ERR_LIB_ASN1, ASN1_R_UNEXPECTED_EOC);
600 goto err;
601 }
602 len -= p - q;
603 sk_eoc = 0;
604 break;
605 }
606 skfield = NULL;
607 if (!asn1_item_embed_d2i(&skfield, &p, len,
608 ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx,
609 depth)) {
610 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
611 /* |skfield| may be partially allocated despite failure. */
612 ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
613 goto err;
614 }
615 len -= p - q;
616 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
617 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
618 ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
619 goto err;
620 }
621 }
622 if (sk_eoc) {
623 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
624 goto err;
625 }
626 } else if (flags & ASN1_TFLG_IMPTAG) {
627 /* IMPLICIT tagging */
628 ret = asn1_item_embed_d2i(val, &p, len,
629 ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
630 ctx, depth);
631 if (!ret) {
632 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
633 goto err;
634 } else if (ret == -1)
635 return -1;
636 } else {
637 /* Nothing special */
638 ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
639 -1, 0, opt, ctx, depth);
640 if (!ret) {
641 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
642 goto err;
643 } else if (ret == -1)
644 return -1;
645 }
646
647 *in = p;
648 return 1;
649
650 err:
651 return 0;
652 }
653
654 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
655 const unsigned char **in, long inlen,
656 const ASN1_ITEM *it,
657 int tag, int aclass, char opt, ASN1_TLC *ctx)
658 {
659 int ret = 0, utype;
660 long plen;
661 char cst, inf, free_cont = 0;
662 const unsigned char *p;
663 BUF_MEM buf = { 0, NULL, 0, 0 };
664 const unsigned char *cont = NULL;
665 long len;
666
667 if (pval == NULL) {
668 ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_NULL);
669 return 0; /* Should never happen */
670 }
671
672 if (it->itype == ASN1_ITYPE_MSTRING) {
673 utype = tag;
674 tag = -1;
675 } else
676 utype = it->utype;
677
678 if (utype == V_ASN1_ANY) {
679 /* If type is ANY need to figure out type from tag */
680 unsigned char oclass;
681 if (tag >= 0) {
682 ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_TAGGED_ANY);
683 return 0;
684 }
685 if (opt) {
686 ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_OPTIONAL_ANY);
687 return 0;
688 }
689 p = *in;
690 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL,
691 &p, inlen, -1, 0, 0, ctx);
692 if (!ret) {
693 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
694 return 0;
695 }
696 if (oclass != V_ASN1_UNIVERSAL)
697 utype = V_ASN1_OTHER;
698 }
699 if (tag == -1) {
700 tag = utype;
701 aclass = V_ASN1_UNIVERSAL;
702 }
703 p = *in;
704 /* Check header */
705 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst,
706 &p, inlen, tag, aclass, opt, ctx);
707 if (!ret) {
708 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
709 return 0;
710 } else if (ret == -1)
711 return -1;
712 ret = 0;
713 /* SEQUENCE, SET and "OTHER" are left in encoded form */
714 if ((utype == V_ASN1_SEQUENCE)
715 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
716 /*
717 * Clear context cache for type OTHER because the auto clear when we
718 * have a exact match won't work
719 */
720 if (utype == V_ASN1_OTHER) {
721 asn1_tlc_clear(ctx);
722 }
723 /* SEQUENCE and SET must be constructed */
724 else if (!cst) {
725 ERR_raise(ERR_LIB_ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED);
726 return 0;
727 }
728
729 cont = *in;
730 /* If indefinite length constructed find the real end */
731 if (inf) {
732 if (!asn1_find_end(&p, plen, inf))
733 goto err;
734 len = p - cont;
735 } else {
736 len = p - cont + plen;
737 p += plen;
738 }
739 } else if (cst) {
740 if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
741 || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
742 || utype == V_ASN1_ENUMERATED) {
743 ERR_raise(ERR_LIB_ASN1, ASN1_R_TYPE_NOT_PRIMITIVE);
744 return 0;
745 }
746
747 /* Free any returned 'buf' content */
748 free_cont = 1;
749 /*
750 * Should really check the internal tags are correct but some things
751 * may get this wrong. The relevant specs say that constructed string
752 * types should be OCTET STRINGs internally irrespective of the type.
753 * So instead just check for UNIVERSAL class and ignore the tag.
754 */
755 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) {
756 goto err;
757 }
758 len = buf.length;
759 /* Append a final null to string */
760 if (!BUF_MEM_grow_clean(&buf, len + 1)) {
761 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
762 goto err;
763 }
764 buf.data[len] = 0;
765 cont = (const unsigned char *)buf.data;
766 } else {
767 cont = p;
768 len = plen;
769 p += plen;
770 }
771
772 /* We now have content length and type: translate into a structure */
773 /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */
774 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it))
775 goto err;
776
777 *in = p;
778 ret = 1;
779 err:
780 if (free_cont)
781 OPENSSL_free(buf.data);
782 return ret;
783 }
784
785 /* Translate ASN1 content octets into a structure */
786
787 static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
788 int utype, char *free_cont, const ASN1_ITEM *it)
789 {
790 ASN1_VALUE **opval = NULL;
791 ASN1_STRING *stmp;
792 ASN1_TYPE *typ = NULL;
793 int ret = 0;
794 const ASN1_PRIMITIVE_FUNCS *pf;
795 ASN1_INTEGER **tint;
796 pf = it->funcs;
797
798 if (pf && pf->prim_c2i)
799 return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
800 /* If ANY type clear type and set pointer to internal value */
801 if (it->utype == V_ASN1_ANY) {
802 if (*pval == NULL) {
803 typ = ASN1_TYPE_new();
804 if (typ == NULL)
805 goto err;
806 *pval = (ASN1_VALUE *)typ;
807 } else
808 typ = (ASN1_TYPE *)*pval;
809
810 if (utype != typ->type)
811 ASN1_TYPE_set(typ, utype, NULL);
812 opval = pval;
813 pval = &typ->value.asn1_value;
814 }
815 switch (utype) {
816 case V_ASN1_OBJECT:
817 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len))
818 goto err;
819 break;
820
821 case V_ASN1_NULL:
822 if (len) {
823 ERR_raise(ERR_LIB_ASN1, ASN1_R_NULL_IS_WRONG_LENGTH);
824 goto err;
825 }
826 *pval = (ASN1_VALUE *)1;
827 break;
828
829 case V_ASN1_BOOLEAN:
830 if (len != 1) {
831 ERR_raise(ERR_LIB_ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
832 goto err;
833 } else {
834 ASN1_BOOLEAN *tbool;
835 tbool = (ASN1_BOOLEAN *)pval;
836 *tbool = *cont;
837 }
838 break;
839
840 case V_ASN1_BIT_STRING:
841 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len))
842 goto err;
843 break;
844
845 case V_ASN1_INTEGER:
846 case V_ASN1_ENUMERATED:
847 tint = (ASN1_INTEGER **)pval;
848 if (!c2i_ASN1_INTEGER(tint, &cont, len))
849 goto err;
850 /* Fixup type to match the expected form */
851 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
852 break;
853
854 case V_ASN1_OCTET_STRING:
855 case V_ASN1_NUMERICSTRING:
856 case V_ASN1_PRINTABLESTRING:
857 case V_ASN1_T61STRING:
858 case V_ASN1_VIDEOTEXSTRING:
859 case V_ASN1_IA5STRING:
860 case V_ASN1_UTCTIME:
861 case V_ASN1_GENERALIZEDTIME:
862 case V_ASN1_GRAPHICSTRING:
863 case V_ASN1_VISIBLESTRING:
864 case V_ASN1_GENERALSTRING:
865 case V_ASN1_UNIVERSALSTRING:
866 case V_ASN1_BMPSTRING:
867 case V_ASN1_UTF8STRING:
868 case V_ASN1_OTHER:
869 case V_ASN1_SET:
870 case V_ASN1_SEQUENCE:
871 default:
872 if (utype == V_ASN1_BMPSTRING && (len & 1)) {
873 ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
874 goto err;
875 }
876 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) {
877 ERR_raise(ERR_LIB_ASN1, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
878 goto err;
879 }
880 /* All based on ASN1_STRING and handled the same */
881 if (*pval == NULL) {
882 stmp = ASN1_STRING_type_new(utype);
883 if (stmp == NULL) {
884 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
885 goto err;
886 }
887 *pval = (ASN1_VALUE *)stmp;
888 } else {
889 stmp = (ASN1_STRING *)*pval;
890 stmp->type = utype;
891 }
892 /* If we've already allocated a buffer use it */
893 if (*free_cont) {
894 OPENSSL_free(stmp->data);
895 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */
896 stmp->length = len;
897 *free_cont = 0;
898 } else {
899 if (!ASN1_STRING_set(stmp, cont, len)) {
900 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
901 ASN1_STRING_free(stmp);
902 *pval = NULL;
903 goto err;
904 }
905 }
906 break;
907 }
908 /* If ASN1_ANY and NULL type fix up value */
909 if (typ && (utype == V_ASN1_NULL))
910 typ->value.ptr = NULL;
911
912 ret = 1;
913 err:
914 if (!ret) {
915 ASN1_TYPE_free(typ);
916 if (opval)
917 *opval = NULL;
918 }
919 return ret;
920 }
921
922 /*
923 * This function finds the end of an ASN1 structure when passed its maximum
924 * length, whether it is indefinite length and a pointer to the content. This
925 * is more efficient than calling asn1_collect because it does not recurse on
926 * each indefinite length header.
927 */
928
929 static int asn1_find_end(const unsigned char **in, long len, char inf)
930 {
931 uint32_t expected_eoc;
932 long plen;
933 const unsigned char *p = *in, *q;
934 /* If not indefinite length constructed just add length */
935 if (inf == 0) {
936 *in += len;
937 return 1;
938 }
939 expected_eoc = 1;
940 /*
941 * Indefinite length constructed form. Find the end when enough EOCs are
942 * found. If more indefinite length constructed headers are encountered
943 * increment the expected eoc count otherwise just skip to the end of the
944 * data.
945 */
946 while (len > 0) {
947 if (asn1_check_eoc(&p, len)) {
948 expected_eoc--;
949 if (expected_eoc == 0)
950 break;
951 len -= 2;
952 continue;
953 }
954 q = p;
955 /* Just read in a header: only care about the length */
956 if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
957 -1, 0, 0, NULL)) {
958 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
959 return 0;
960 }
961 if (inf) {
962 if (expected_eoc == UINT32_MAX) {
963 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
964 return 0;
965 }
966 expected_eoc++;
967 } else {
968 p += plen;
969 }
970 len -= p - q;
971 }
972 if (expected_eoc) {
973 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
974 return 0;
975 }
976 *in = p;
977 return 1;
978 }
979
980 /*
981 * This function collects the asn1 data from a constructed string type into
982 * a buffer. The values of 'in' and 'len' should refer to the contents of the
983 * constructed type and 'inf' should be set if it is indefinite length.
984 */
985
986 #ifndef ASN1_MAX_STRING_NEST
987 /*
988 * This determines how many levels of recursion are permitted in ASN1 string
989 * types. If it is not limited stack overflows can occur. If set to zero no
990 * recursion is allowed at all. Although zero should be adequate examples
991 * exist that require a value of 1. So 5 should be more than enough.
992 */
993 # define ASN1_MAX_STRING_NEST 5
994 #endif
995
996 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
997 char inf, int tag, int aclass, int depth)
998 {
999 const unsigned char *p, *q;
1000 long plen;
1001 char cst, ininf;
1002 p = *in;
1003 inf &= 1;
1004 /*
1005 * If no buffer and not indefinite length constructed just pass over the
1006 * encoded data
1007 */
1008 if (!buf && !inf) {
1009 *in += len;
1010 return 1;
1011 }
1012 while (len > 0) {
1013 q = p;
1014 /* Check for EOC */
1015 if (asn1_check_eoc(&p, len)) {
1016 /*
1017 * EOC is illegal outside indefinite length constructed form
1018 */
1019 if (!inf) {
1020 ERR_raise(ERR_LIB_ASN1, ASN1_R_UNEXPECTED_EOC);
1021 return 0;
1022 }
1023 inf = 0;
1024 break;
1025 }
1026
1027 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p,
1028 len, tag, aclass, 0, NULL)) {
1029 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
1030 return 0;
1031 }
1032
1033 /* If indefinite length constructed update max length */
1034 if (cst) {
1035 if (depth >= ASN1_MAX_STRING_NEST) {
1036 ERR_raise(ERR_LIB_ASN1, ASN1_R_NESTED_ASN1_STRING);
1037 return 0;
1038 }
1039 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, depth + 1))
1040 return 0;
1041 } else if (plen && !collect_data(buf, &p, plen))
1042 return 0;
1043 len -= p - q;
1044 }
1045 if (inf) {
1046 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
1047 return 0;
1048 }
1049 *in = p;
1050 return 1;
1051 }
1052
1053 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
1054 {
1055 int len;
1056 if (buf) {
1057 len = buf->length;
1058 if (!BUF_MEM_grow_clean(buf, len + plen)) {
1059 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
1060 return 0;
1061 }
1062 memcpy(buf->data + len, *p, plen);
1063 }
1064 *p += plen;
1065 return 1;
1066 }
1067
1068 /* Check for ASN1 EOC and swallow it if found */
1069
1070 static int asn1_check_eoc(const unsigned char **in, long len)
1071 {
1072 const unsigned char *p;
1073
1074 if (len < 2)
1075 return 0;
1076 p = *in;
1077 if (p[0] == '\0' && p[1] == '\0') {
1078 *in += 2;
1079 return 1;
1080 }
1081 return 0;
1082 }
1083
1084 /*
1085 * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the
1086 * length for indefinite length constructed form, we don't know the exact
1087 * length but we can set an upper bound to the amount of data available minus
1088 * the header length just read.
1089 */
1090
1091 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
1092 char *inf, char *cst,
1093 const unsigned char **in, long len,
1094 int exptag, int expclass, char opt, ASN1_TLC *ctx)
1095 {
1096 int i;
1097 int ptag, pclass;
1098 long plen;
1099 const unsigned char *p, *q;
1100 p = *in;
1101 q = p;
1102
1103 if (ctx && ctx->valid) {
1104 i = ctx->ret;
1105 plen = ctx->plen;
1106 pclass = ctx->pclass;
1107 ptag = ctx->ptag;
1108 p += ctx->hdrlen;
1109 } else {
1110 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
1111 if (ctx) {
1112 ctx->ret = i;
1113 ctx->plen = plen;
1114 ctx->pclass = pclass;
1115 ctx->ptag = ptag;
1116 ctx->hdrlen = p - q;
1117 ctx->valid = 1;
1118 /*
1119 * If definite length, and no error, length + header can't exceed
1120 * total amount of data available.
1121 */
1122 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
1123 ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
1124 asn1_tlc_clear(ctx);
1125 return 0;
1126 }
1127 }
1128 }
1129
1130 if (i & 0x80) {
1131 ERR_raise(ERR_LIB_ASN1, ASN1_R_BAD_OBJECT_HEADER);
1132 asn1_tlc_clear(ctx);
1133 return 0;
1134 }
1135 if (exptag >= 0) {
1136 if ((exptag != ptag) || (expclass != pclass)) {
1137 /*
1138 * If type is OPTIONAL, not an error: indicate missing type.
1139 */
1140 if (opt)
1141 return -1;
1142 asn1_tlc_clear(ctx);
1143 ERR_raise(ERR_LIB_ASN1, ASN1_R_WRONG_TAG);
1144 return 0;
1145 }
1146 /*
1147 * We have a tag and class match: assume we are going to do something
1148 * with it
1149 */
1150 asn1_tlc_clear(ctx);
1151 }
1152
1153 if (i & 1)
1154 plen = len - (p - q);
1155
1156 if (inf)
1157 *inf = i & 1;
1158
1159 if (cst)
1160 *cst = i & V_ASN1_CONSTRUCTED;
1161
1162 if (olen)
1163 *olen = plen;
1164
1165 if (oclass)
1166 *oclass = pclass;
1167
1168 if (otag)
1169 *otag = ptag;
1170
1171 *in = p;
1172 return 1;
1173 }
A mirror of the official openssl repository