2 * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/asn1.h>
13 #include <openssl/asn1t.h>
14 #include <openssl/objects.h>
15 #include <openssl/buffer.h>
16 #include <openssl/err.h>
17 #include "internal/numbers.h"
18 #include "asn1_local.h"
21 * Constructed types with a recursive definition (such as can be found in PKCS7)
22 * could eventually exceed the stack given malicious input with excessive
23 * recursion. Therefore we limit the stack depth. This is the maximum number of
24 * recursive invocations of asn1_item_embed_d2i().
26 #define ASN1_MAX_CONSTRUCTED_NEST 30
28 static int asn1_item_embed_d2i(ASN1_VALUE
**pval
, const unsigned char **in
,
29 long len
, const ASN1_ITEM
*it
,
30 int tag
, int aclass
, char opt
, ASN1_TLC
*ctx
,
33 static int asn1_check_eoc(const unsigned char **in
, long len
);
34 static int asn1_find_end(const unsigned char **in
, long len
, char inf
);
36 static int asn1_collect(BUF_MEM
*buf
, const unsigned char **in
, long len
,
37 char inf
, int tag
, int aclass
, int depth
);
39 static int collect_data(BUF_MEM
*buf
, const unsigned char **p
, long plen
);
41 static int asn1_check_tlen(long *olen
, int *otag
, unsigned char *oclass
,
43 const unsigned char **in
, long len
,
44 int exptag
, int expclass
, char opt
, ASN1_TLC
*ctx
);
46 static int asn1_template_ex_d2i(ASN1_VALUE
**pval
,
47 const unsigned char **in
, long len
,
48 const ASN1_TEMPLATE
*tt
, char opt
,
49 ASN1_TLC
*ctx
, int depth
);
50 static int asn1_template_noexp_d2i(ASN1_VALUE
**val
,
51 const unsigned char **in
, long len
,
52 const ASN1_TEMPLATE
*tt
, char opt
,
53 ASN1_TLC
*ctx
, int depth
);
54 static int asn1_d2i_ex_primitive(ASN1_VALUE
**pval
,
55 const unsigned char **in
, long len
,
57 int tag
, int aclass
, char opt
,
59 static int asn1_ex_c2i(ASN1_VALUE
**pval
, const unsigned char *cont
, int len
,
60 int utype
, char *free_cont
, const ASN1_ITEM
*it
);
62 /* Table to convert tags to bit values, used for MSTRING type */
63 static const unsigned long tag2bit
[32] = {
65 0, 0, 0, B_ASN1_BIT_STRING
,
67 B_ASN1_OCTET_STRING
, 0, 0, B_ASN1_UNKNOWN
,
69 B_ASN1_UNKNOWN
, B_ASN1_UNKNOWN
, B_ASN1_UNKNOWN
, B_ASN1_UNKNOWN
,
71 B_ASN1_UTF8STRING
, B_ASN1_UNKNOWN
, B_ASN1_UNKNOWN
, B_ASN1_UNKNOWN
,
73 B_ASN1_SEQUENCE
, 0, B_ASN1_NUMERICSTRING
, B_ASN1_PRINTABLESTRING
,
75 B_ASN1_T61STRING
, B_ASN1_VIDEOTEXSTRING
, B_ASN1_IA5STRING
,
77 B_ASN1_UTCTIME
, B_ASN1_GENERALIZEDTIME
,
79 B_ASN1_GRAPHICSTRING
, B_ASN1_ISO64STRING
, B_ASN1_GENERALSTRING
,
81 B_ASN1_UNIVERSALSTRING
, B_ASN1_UNKNOWN
, B_ASN1_BMPSTRING
, B_ASN1_UNKNOWN
,
84 unsigned long ASN1_tag2bit(int tag
)
86 if ((tag
< 0) || (tag
> 30))
91 /* Macro to initialize and invalidate the cache */
93 #define asn1_tlc_clear(c) if (c) (c)->valid = 0
94 /* Version to avoid compiler warning about 'c' always non-NULL */
95 #define asn1_tlc_clear_nc(c) (c)->valid = 0
98 * Decode an ASN1 item, this currently behaves just like a standard 'd2i'
99 * function. 'in' points to a buffer to read the data from, in future we
100 * will have more advanced versions that can input data a piece at a time and
101 * this will simply be a special case.
104 ASN1_VALUE
*ASN1_item_d2i(ASN1_VALUE
**pval
,
105 const unsigned char **in
, long len
,
109 ASN1_VALUE
*ptmpval
= NULL
;
113 asn1_tlc_clear_nc(&c
);
114 if (ASN1_item_ex_d2i(pval
, in
, len
, it
, -1, 0, 0, &c
) > 0)
119 int ASN1_item_ex_d2i(ASN1_VALUE
**pval
, const unsigned char **in
, long len
,
121 int tag
, int aclass
, char opt
, ASN1_TLC
*ctx
)
124 rv
= asn1_item_embed_d2i(pval
, in
, len
, it
, tag
, aclass
, opt
, ctx
, 0);
126 ASN1_item_ex_free(pval
, it
);
131 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
132 * tag mismatch return -1 to handle OPTIONAL
135 static int asn1_item_embed_d2i(ASN1_VALUE
**pval
, const unsigned char **in
,
136 long len
, const ASN1_ITEM
*it
,
137 int tag
, int aclass
, char opt
, ASN1_TLC
*ctx
,
140 const ASN1_TEMPLATE
*tt
, *errtt
= NULL
;
141 const ASN1_EXTERN_FUNCS
*ef
;
142 const ASN1_AUX
*aux
= it
->funcs
;
143 ASN1_aux_cb
*asn1_cb
;
144 const unsigned char *p
= NULL
, *q
;
145 unsigned char oclass
;
146 char seq_eoc
, seq_nolen
, cst
, isopt
;
155 if (aux
&& aux
->asn1_cb
)
156 asn1_cb
= aux
->asn1_cb
;
160 if (++depth
> ASN1_MAX_CONSTRUCTED_NEST
) {
161 ERR_raise(ERR_LIB_ASN1
, ASN1_R_NESTED_TOO_DEEP
);
166 case ASN1_ITYPE_PRIMITIVE
:
169 * tagging or OPTIONAL is currently illegal on an item template
170 * because the flags can't get passed down. In practice this
171 * isn't a problem: we include the relevant flags from the item
172 * template in the template itself.
174 if ((tag
!= -1) || opt
) {
175 ERR_raise(ERR_LIB_ASN1
,
176 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE
);
179 return asn1_template_ex_d2i(pval
, in
, len
,
180 it
->templates
, opt
, ctx
, depth
);
182 return asn1_d2i_ex_primitive(pval
, in
, len
, it
,
183 tag
, aclass
, opt
, ctx
);
185 case ASN1_ITYPE_MSTRING
:
187 * It never makes sense for multi-strings to have implicit tagging, so
188 * if tag != -1, then this looks like an error in the template.
191 ERR_raise(ERR_LIB_ASN1
, ASN1_R_BAD_TEMPLATE
);
196 /* Just read in tag and class */
197 ret
= asn1_check_tlen(NULL
, &otag
, &oclass
, NULL
, NULL
,
198 &p
, len
, -1, 0, 1, ctx
);
200 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
204 /* Must be UNIVERSAL class */
205 if (oclass
!= V_ASN1_UNIVERSAL
) {
206 /* If OPTIONAL, assume this is OK */
209 ERR_raise(ERR_LIB_ASN1
, ASN1_R_MSTRING_NOT_UNIVERSAL
);
213 /* Check tag matches bit map */
214 if (!(ASN1_tag2bit(otag
) & it
->utype
)) {
215 /* If OPTIONAL, assume this is OK */
218 ERR_raise(ERR_LIB_ASN1
, ASN1_R_MSTRING_WRONG_TAG
);
221 return asn1_d2i_ex_primitive(pval
, in
, len
, it
, otag
, 0, 0, ctx
);
223 case ASN1_ITYPE_EXTERN
:
224 /* Use new style d2i */
226 return ef
->asn1_ex_d2i(pval
, in
, len
, it
, tag
, aclass
, opt
, ctx
);
228 case ASN1_ITYPE_CHOICE
:
230 * It never makes sense for CHOICE types to have implicit tagging, so
231 * if tag != -1, then this looks like an error in the template.
234 ERR_raise(ERR_LIB_ASN1
, ASN1_R_BAD_TEMPLATE
);
238 if (asn1_cb
&& !asn1_cb(ASN1_OP_D2I_PRE
, pval
, it
, NULL
))
241 /* Free up and zero CHOICE value if initialised */
242 i
= asn1_get_choice_selector(pval
, it
);
243 if ((i
>= 0) && (i
< it
->tcount
)) {
244 tt
= it
->templates
+ i
;
245 pchptr
= asn1_get_field_ptr(pval
, tt
);
246 asn1_template_free(pchptr
, tt
);
247 asn1_set_choice_selector(pval
, -1, it
);
249 } else if (!ASN1_item_ex_new(pval
, it
)) {
250 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
253 /* CHOICE type, try each possibility in turn */
255 for (i
= 0, tt
= it
->templates
; i
< it
->tcount
; i
++, tt
++) {
256 pchptr
= asn1_get_field_ptr(pval
, tt
);
258 * We mark field as OPTIONAL so its absence can be recognised.
260 ret
= asn1_template_ex_d2i(pchptr
, &p
, len
, tt
, 1, ctx
, depth
);
261 /* If field not present, try the next one */
264 /* If positive return, read OK, break loop */
268 * Must be an ASN1 parsing error.
269 * Free up any partial choice value
271 asn1_template_free(pchptr
, tt
);
273 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
277 /* Did we fall off the end without reading anything? */
278 if (i
== it
->tcount
) {
279 /* If OPTIONAL, this is OK */
281 /* Free and zero it */
282 ASN1_item_ex_free(pval
, it
);
285 ERR_raise(ERR_LIB_ASN1
, ASN1_R_NO_MATCHING_CHOICE_TYPE
);
289 asn1_set_choice_selector(pval
, i
, it
);
291 if (asn1_cb
&& !asn1_cb(ASN1_OP_D2I_POST
, pval
, it
, NULL
))
296 case ASN1_ITYPE_NDEF_SEQUENCE
:
297 case ASN1_ITYPE_SEQUENCE
:
301 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
303 tag
= V_ASN1_SEQUENCE
;
304 aclass
= V_ASN1_UNIVERSAL
;
306 /* Get SEQUENCE length and update len, p */
307 ret
= asn1_check_tlen(&len
, NULL
, NULL
, &seq_eoc
, &cst
,
308 &p
, len
, tag
, aclass
, opt
, ctx
);
310 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
312 } else if (ret
== -1)
314 if (aux
&& (aux
->flags
& ASN1_AFLG_BROKEN
)) {
315 len
= tmplen
- (p
- *in
);
318 /* If indefinite we don't do a length check */
322 ERR_raise(ERR_LIB_ASN1
, ASN1_R_SEQUENCE_NOT_CONSTRUCTED
);
326 if (*pval
== NULL
&& !ASN1_item_ex_new(pval
, it
)) {
327 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
331 if (asn1_cb
&& !asn1_cb(ASN1_OP_D2I_PRE
, pval
, it
, NULL
))
334 /* Free up and zero any ADB found */
335 for (i
= 0, tt
= it
->templates
; i
< it
->tcount
; i
++, tt
++) {
336 if (tt
->flags
& ASN1_TFLG_ADB_MASK
) {
337 const ASN1_TEMPLATE
*seqtt
;
338 ASN1_VALUE
**pseqval
;
339 seqtt
= asn1_do_adb(*pval
, tt
, 0);
342 pseqval
= asn1_get_field_ptr(pval
, seqtt
);
343 asn1_template_free(pseqval
, seqtt
);
347 /* Get each field entry */
348 for (i
= 0, tt
= it
->templates
; i
< it
->tcount
; i
++, tt
++) {
349 const ASN1_TEMPLATE
*seqtt
;
350 ASN1_VALUE
**pseqval
;
351 seqtt
= asn1_do_adb(*pval
, tt
, 1);
354 pseqval
= asn1_get_field_ptr(pval
, seqtt
);
355 /* Have we ran out of data? */
359 if (asn1_check_eoc(&p
, len
)) {
361 ERR_raise(ERR_LIB_ASN1
, ASN1_R_UNEXPECTED_EOC
);
369 * This determines the OPTIONAL flag value. The field cannot be
370 * omitted if it is the last of a SEQUENCE and there is still
371 * data to be read. This isn't strictly necessary but it
372 * increases efficiency in some cases.
374 if (i
== (it
->tcount
- 1))
377 isopt
= (char)(seqtt
->flags
& ASN1_TFLG_OPTIONAL
);
379 * attempt to read in field, allowing each to be OPTIONAL
382 ret
= asn1_template_ex_d2i(pseqval
, &p
, len
, seqtt
, isopt
, ctx
,
387 } else if (ret
== -1) {
389 * OPTIONAL component absent. Free and zero the field.
391 asn1_template_free(pseqval
, seqtt
);
398 /* Check for EOC if expecting one */
399 if (seq_eoc
&& !asn1_check_eoc(&p
, len
)) {
400 ERR_raise(ERR_LIB_ASN1
, ASN1_R_MISSING_EOC
);
403 /* Check all data read */
404 if (!seq_nolen
&& len
) {
405 ERR_raise(ERR_LIB_ASN1
, ASN1_R_SEQUENCE_LENGTH_MISMATCH
);
410 * If we get here we've got no more data in the SEQUENCE, however we
411 * may not have read all fields so check all remaining are OPTIONAL
412 * and clear any that are.
414 for (; i
< it
->tcount
; tt
++, i
++) {
415 const ASN1_TEMPLATE
*seqtt
;
416 seqtt
= asn1_do_adb(*pval
, tt
, 1);
419 if (seqtt
->flags
& ASN1_TFLG_OPTIONAL
) {
420 ASN1_VALUE
**pseqval
;
421 pseqval
= asn1_get_field_ptr(pval
, seqtt
);
422 asn1_template_free(pseqval
, seqtt
);
425 ERR_raise(ERR_LIB_ASN1
, ASN1_R_FIELD_MISSING
);
430 if (!asn1_enc_save(pval
, *in
, p
- *in
, it
))
432 if (asn1_cb
&& !asn1_cb(ASN1_OP_D2I_POST
, pval
, it
, NULL
))
441 ERR_raise(ERR_LIB_ASN1
, ASN1_R_AUX_ERROR
);
444 ERR_add_error_data(4, "Field=", errtt
->field_name
,
445 ", Type=", it
->sname
);
447 ERR_add_error_data(2, "Type=", it
->sname
);
452 * Templates are handled with two separate functions. One handles any
453 * EXPLICIT tag and the other handles the rest.
456 static int asn1_template_ex_d2i(ASN1_VALUE
**val
,
457 const unsigned char **in
, long inlen
,
458 const ASN1_TEMPLATE
*tt
, char opt
,
459 ASN1_TLC
*ctx
, int depth
)
464 const unsigned char *p
, *q
;
469 aclass
= flags
& ASN1_TFLG_TAG_CLASS
;
473 /* Check if EXPLICIT tag expected */
474 if (flags
& ASN1_TFLG_EXPTAG
) {
477 * Need to work out amount of data available to the inner content and
478 * where it starts: so read in EXPLICIT header to get the info.
480 ret
= asn1_check_tlen(&len
, NULL
, NULL
, &exp_eoc
, &cst
,
481 &p
, inlen
, tt
->tag
, aclass
, opt
, ctx
);
484 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
486 } else if (ret
== -1)
489 ERR_raise(ERR_LIB_ASN1
, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED
);
492 /* We've found the field so it can't be OPTIONAL now */
493 ret
= asn1_template_noexp_d2i(val
, &p
, len
, tt
, 0, ctx
, depth
);
495 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
498 /* We read the field in OK so update length */
501 /* If NDEF we must have an EOC here */
502 if (!asn1_check_eoc(&p
, len
)) {
503 ERR_raise(ERR_LIB_ASN1
, ASN1_R_MISSING_EOC
);
508 * Otherwise we must hit the EXPLICIT tag end or its an error
511 ERR_raise(ERR_LIB_ASN1
, ASN1_R_EXPLICIT_LENGTH_MISMATCH
);
516 return asn1_template_noexp_d2i(val
, in
, inlen
, tt
, opt
, ctx
, depth
);
525 static int asn1_template_noexp_d2i(ASN1_VALUE
**val
,
526 const unsigned char **in
, long len
,
527 const ASN1_TEMPLATE
*tt
, char opt
,
528 ASN1_TLC
*ctx
, int depth
)
533 const unsigned char *p
, *q
;
537 aclass
= flags
& ASN1_TFLG_TAG_CLASS
;
542 * If field is embedded then val needs fixing so it is a pointer to
543 * a pointer to a field.
545 if (tt
->flags
& ASN1_TFLG_EMBED
) {
546 tval
= (ASN1_VALUE
*)val
;
550 if (flags
& ASN1_TFLG_SK_MASK
) {
551 /* SET OF, SEQUENCE OF */
554 /* First work out expected inner tag value */
555 if (flags
& ASN1_TFLG_IMPTAG
) {
559 skaclass
= V_ASN1_UNIVERSAL
;
560 if (flags
& ASN1_TFLG_SET_OF
)
563 sktag
= V_ASN1_SEQUENCE
;
566 ret
= asn1_check_tlen(&len
, NULL
, NULL
, &sk_eoc
, NULL
,
567 &p
, len
, sktag
, skaclass
, opt
, ctx
);
569 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
571 } else if (ret
== -1)
574 *val
= (ASN1_VALUE
*)sk_ASN1_VALUE_new_null();
577 * We've got a valid STACK: free up any items present
579 STACK_OF(ASN1_VALUE
) *sktmp
= (STACK_OF(ASN1_VALUE
) *)*val
;
581 while (sk_ASN1_VALUE_num(sktmp
) > 0) {
582 vtmp
= sk_ASN1_VALUE_pop(sktmp
);
583 ASN1_item_ex_free(&vtmp
, ASN1_ITEM_ptr(tt
->item
));
588 ERR_raise(ERR_LIB_ASN1
, ERR_R_MALLOC_FAILURE
);
592 /* Read as many items as we can */
596 /* See if EOC found */
597 if (asn1_check_eoc(&p
, len
)) {
599 ERR_raise(ERR_LIB_ASN1
, ASN1_R_UNEXPECTED_EOC
);
607 if (!asn1_item_embed_d2i(&skfield
, &p
, len
,
608 ASN1_ITEM_ptr(tt
->item
), -1, 0, 0, ctx
,
610 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
611 /* |skfield| may be partially allocated despite failure. */
612 ASN1_item_free(skfield
, ASN1_ITEM_ptr(tt
->item
));
616 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE
) *)*val
, skfield
)) {
617 ERR_raise(ERR_LIB_ASN1
, ERR_R_MALLOC_FAILURE
);
618 ASN1_item_free(skfield
, ASN1_ITEM_ptr(tt
->item
));
623 ERR_raise(ERR_LIB_ASN1
, ASN1_R_MISSING_EOC
);
626 } else if (flags
& ASN1_TFLG_IMPTAG
) {
627 /* IMPLICIT tagging */
628 ret
= asn1_item_embed_d2i(val
, &p
, len
,
629 ASN1_ITEM_ptr(tt
->item
), tt
->tag
, aclass
, opt
,
632 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
634 } else if (ret
== -1)
637 /* Nothing special */
638 ret
= asn1_item_embed_d2i(val
, &p
, len
, ASN1_ITEM_ptr(tt
->item
),
639 -1, 0, opt
, ctx
, depth
);
641 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
643 } else if (ret
== -1)
654 static int asn1_d2i_ex_primitive(ASN1_VALUE
**pval
,
655 const unsigned char **in
, long inlen
,
657 int tag
, int aclass
, char opt
, ASN1_TLC
*ctx
)
661 char cst
, inf
, free_cont
= 0;
662 const unsigned char *p
;
663 BUF_MEM buf
= { 0, NULL
, 0, 0 };
664 const unsigned char *cont
= NULL
;
668 ERR_raise(ERR_LIB_ASN1
, ASN1_R_ILLEGAL_NULL
);
669 return 0; /* Should never happen */
672 if (it
->itype
== ASN1_ITYPE_MSTRING
) {
678 if (utype
== V_ASN1_ANY
) {
679 /* If type is ANY need to figure out type from tag */
680 unsigned char oclass
;
682 ERR_raise(ERR_LIB_ASN1
, ASN1_R_ILLEGAL_TAGGED_ANY
);
686 ERR_raise(ERR_LIB_ASN1
, ASN1_R_ILLEGAL_OPTIONAL_ANY
);
690 ret
= asn1_check_tlen(NULL
, &utype
, &oclass
, NULL
, NULL
,
691 &p
, inlen
, -1, 0, 0, ctx
);
693 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
696 if (oclass
!= V_ASN1_UNIVERSAL
)
697 utype
= V_ASN1_OTHER
;
701 aclass
= V_ASN1_UNIVERSAL
;
705 ret
= asn1_check_tlen(&plen
, NULL
, NULL
, &inf
, &cst
,
706 &p
, inlen
, tag
, aclass
, opt
, ctx
);
708 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
710 } else if (ret
== -1)
713 /* SEQUENCE, SET and "OTHER" are left in encoded form */
714 if ((utype
== V_ASN1_SEQUENCE
)
715 || (utype
== V_ASN1_SET
) || (utype
== V_ASN1_OTHER
)) {
717 * Clear context cache for type OTHER because the auto clear when we
718 * have a exact match won't work
720 if (utype
== V_ASN1_OTHER
) {
723 /* SEQUENCE and SET must be constructed */
725 ERR_raise(ERR_LIB_ASN1
, ASN1_R_TYPE_NOT_CONSTRUCTED
);
730 /* If indefinite length constructed find the real end */
732 if (!asn1_find_end(&p
, plen
, inf
))
736 len
= p
- cont
+ plen
;
740 if (utype
== V_ASN1_NULL
|| utype
== V_ASN1_BOOLEAN
741 || utype
== V_ASN1_OBJECT
|| utype
== V_ASN1_INTEGER
742 || utype
== V_ASN1_ENUMERATED
) {
743 ERR_raise(ERR_LIB_ASN1
, ASN1_R_TYPE_NOT_PRIMITIVE
);
747 /* Free any returned 'buf' content */
750 * Should really check the internal tags are correct but some things
751 * may get this wrong. The relevant specs say that constructed string
752 * types should be OCTET STRINGs internally irrespective of the type.
753 * So instead just check for UNIVERSAL class and ignore the tag.
755 if (!asn1_collect(&buf
, &p
, plen
, inf
, -1, V_ASN1_UNIVERSAL
, 0)) {
759 /* Append a final null to string */
760 if (!BUF_MEM_grow_clean(&buf
, len
+ 1)) {
761 ERR_raise(ERR_LIB_ASN1
, ERR_R_MALLOC_FAILURE
);
765 cont
= (const unsigned char *)buf
.data
;
772 /* We now have content length and type: translate into a structure */
773 /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */
774 if (!asn1_ex_c2i(pval
, cont
, len
, utype
, &free_cont
, it
))
781 OPENSSL_free(buf
.data
);
785 /* Translate ASN1 content octets into a structure */
787 static int asn1_ex_c2i(ASN1_VALUE
**pval
, const unsigned char *cont
, int len
,
788 int utype
, char *free_cont
, const ASN1_ITEM
*it
)
790 ASN1_VALUE
**opval
= NULL
;
792 ASN1_TYPE
*typ
= NULL
;
794 const ASN1_PRIMITIVE_FUNCS
*pf
;
798 if (pf
&& pf
->prim_c2i
)
799 return pf
->prim_c2i(pval
, cont
, len
, utype
, free_cont
, it
);
800 /* If ANY type clear type and set pointer to internal value */
801 if (it
->utype
== V_ASN1_ANY
) {
803 typ
= ASN1_TYPE_new();
806 *pval
= (ASN1_VALUE
*)typ
;
808 typ
= (ASN1_TYPE
*)*pval
;
810 if (utype
!= typ
->type
)
811 ASN1_TYPE_set(typ
, utype
, NULL
);
813 pval
= &typ
->value
.asn1_value
;
817 if (!c2i_ASN1_OBJECT((ASN1_OBJECT
**)pval
, &cont
, len
))
823 ERR_raise(ERR_LIB_ASN1
, ASN1_R_NULL_IS_WRONG_LENGTH
);
826 *pval
= (ASN1_VALUE
*)1;
831 ERR_raise(ERR_LIB_ASN1
, ASN1_R_BOOLEAN_IS_WRONG_LENGTH
);
835 tbool
= (ASN1_BOOLEAN
*)pval
;
840 case V_ASN1_BIT_STRING
:
841 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING
**)pval
, &cont
, len
))
846 case V_ASN1_ENUMERATED
:
847 tint
= (ASN1_INTEGER
**)pval
;
848 if (!c2i_ASN1_INTEGER(tint
, &cont
, len
))
850 /* Fixup type to match the expected form */
851 (*tint
)->type
= utype
| ((*tint
)->type
& V_ASN1_NEG
);
854 case V_ASN1_OCTET_STRING
:
855 case V_ASN1_NUMERICSTRING
:
856 case V_ASN1_PRINTABLESTRING
:
857 case V_ASN1_T61STRING
:
858 case V_ASN1_VIDEOTEXSTRING
:
859 case V_ASN1_IA5STRING
:
861 case V_ASN1_GENERALIZEDTIME
:
862 case V_ASN1_GRAPHICSTRING
:
863 case V_ASN1_VISIBLESTRING
:
864 case V_ASN1_GENERALSTRING
:
865 case V_ASN1_UNIVERSALSTRING
:
866 case V_ASN1_BMPSTRING
:
867 case V_ASN1_UTF8STRING
:
870 case V_ASN1_SEQUENCE
:
872 if (utype
== V_ASN1_BMPSTRING
&& (len
& 1)) {
873 ERR_raise(ERR_LIB_ASN1
, ASN1_R_BMPSTRING_IS_WRONG_LENGTH
);
876 if (utype
== V_ASN1_UNIVERSALSTRING
&& (len
& 3)) {
877 ERR_raise(ERR_LIB_ASN1
, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH
);
880 /* All based on ASN1_STRING and handled the same */
882 stmp
= ASN1_STRING_type_new(utype
);
884 ERR_raise(ERR_LIB_ASN1
, ERR_R_MALLOC_FAILURE
);
887 *pval
= (ASN1_VALUE
*)stmp
;
889 stmp
= (ASN1_STRING
*)*pval
;
892 /* If we've already allocated a buffer use it */
894 OPENSSL_free(stmp
->data
);
895 stmp
->data
= (unsigned char *)cont
; /* UGLY CAST! RL */
899 if (!ASN1_STRING_set(stmp
, cont
, len
)) {
900 ERR_raise(ERR_LIB_ASN1
, ERR_R_MALLOC_FAILURE
);
901 ASN1_STRING_free(stmp
);
908 /* If ASN1_ANY and NULL type fix up value */
909 if (typ
&& (utype
== V_ASN1_NULL
))
910 typ
->value
.ptr
= NULL
;
923 * This function finds the end of an ASN1 structure when passed its maximum
924 * length, whether it is indefinite length and a pointer to the content. This
925 * is more efficient than calling asn1_collect because it does not recurse on
926 * each indefinite length header.
929 static int asn1_find_end(const unsigned char **in
, long len
, char inf
)
931 uint32_t expected_eoc
;
933 const unsigned char *p
= *in
, *q
;
934 /* If not indefinite length constructed just add length */
941 * Indefinite length constructed form. Find the end when enough EOCs are
942 * found. If more indefinite length constructed headers are encountered
943 * increment the expected eoc count otherwise just skip to the end of the
947 if (asn1_check_eoc(&p
, len
)) {
949 if (expected_eoc
== 0)
955 /* Just read in a header: only care about the length */
956 if (!asn1_check_tlen(&plen
, NULL
, NULL
, &inf
, NULL
, &p
, len
,
958 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
962 if (expected_eoc
== UINT32_MAX
) {
963 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
973 ERR_raise(ERR_LIB_ASN1
, ASN1_R_MISSING_EOC
);
981 * This function collects the asn1 data from a constructed string type into
982 * a buffer. The values of 'in' and 'len' should refer to the contents of the
983 * constructed type and 'inf' should be set if it is indefinite length.
986 #ifndef ASN1_MAX_STRING_NEST
988 * This determines how many levels of recursion are permitted in ASN1 string
989 * types. If it is not limited stack overflows can occur. If set to zero no
990 * recursion is allowed at all. Although zero should be adequate examples
991 * exist that require a value of 1. So 5 should be more than enough.
993 # define ASN1_MAX_STRING_NEST 5
996 static int asn1_collect(BUF_MEM
*buf
, const unsigned char **in
, long len
,
997 char inf
, int tag
, int aclass
, int depth
)
999 const unsigned char *p
, *q
;
1005 * If no buffer and not indefinite length constructed just pass over the
1015 if (asn1_check_eoc(&p
, len
)) {
1017 * EOC is illegal outside indefinite length constructed form
1020 ERR_raise(ERR_LIB_ASN1
, ASN1_R_UNEXPECTED_EOC
);
1027 if (!asn1_check_tlen(&plen
, NULL
, NULL
, &ininf
, &cst
, &p
,
1028 len
, tag
, aclass
, 0, NULL
)) {
1029 ERR_raise(ERR_LIB_ASN1
, ERR_R_NESTED_ASN1_ERROR
);
1033 /* If indefinite length constructed update max length */
1035 if (depth
>= ASN1_MAX_STRING_NEST
) {
1036 ERR_raise(ERR_LIB_ASN1
, ASN1_R_NESTED_ASN1_STRING
);
1039 if (!asn1_collect(buf
, &p
, plen
, ininf
, tag
, aclass
, depth
+ 1))
1041 } else if (plen
&& !collect_data(buf
, &p
, plen
))
1046 ERR_raise(ERR_LIB_ASN1
, ASN1_R_MISSING_EOC
);
1053 static int collect_data(BUF_MEM
*buf
, const unsigned char **p
, long plen
)
1058 if (!BUF_MEM_grow_clean(buf
, len
+ plen
)) {
1059 ERR_raise(ERR_LIB_ASN1
, ERR_R_MALLOC_FAILURE
);
1062 memcpy(buf
->data
+ len
, *p
, plen
);
1068 /* Check for ASN1 EOC and swallow it if found */
1070 static int asn1_check_eoc(const unsigned char **in
, long len
)
1072 const unsigned char *p
;
1077 if (p
[0] == '\0' && p
[1] == '\0') {
1085 * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the
1086 * length for indefinite length constructed form, we don't know the exact
1087 * length but we can set an upper bound to the amount of data available minus
1088 * the header length just read.
1091 static int asn1_check_tlen(long *olen
, int *otag
, unsigned char *oclass
,
1092 char *inf
, char *cst
,
1093 const unsigned char **in
, long len
,
1094 int exptag
, int expclass
, char opt
, ASN1_TLC
*ctx
)
1099 const unsigned char *p
, *q
;
1103 if (ctx
&& ctx
->valid
) {
1106 pclass
= ctx
->pclass
;
1110 i
= ASN1_get_object(&p
, &plen
, &ptag
, &pclass
, len
);
1114 ctx
->pclass
= pclass
;
1116 ctx
->hdrlen
= p
- q
;
1119 * If definite length, and no error, length + header can't exceed
1120 * total amount of data available.
1122 if (!(i
& 0x81) && ((plen
+ ctx
->hdrlen
) > len
)) {
1123 ERR_raise(ERR_LIB_ASN1
, ASN1_R_TOO_LONG
);
1124 asn1_tlc_clear(ctx
);
1131 ERR_raise(ERR_LIB_ASN1
, ASN1_R_BAD_OBJECT_HEADER
);
1132 asn1_tlc_clear(ctx
);
1136 if ((exptag
!= ptag
) || (expclass
!= pclass
)) {
1138 * If type is OPTIONAL, not an error: indicate missing type.
1142 asn1_tlc_clear(ctx
);
1143 ERR_raise(ERR_LIB_ASN1
, ASN1_R_WRONG_TAG
);
1147 * We have a tag and class match: assume we are going to do something
1150 asn1_tlc_clear(ctx
);
1154 plen
= len
- (p
- q
);
1160 *cst
= i
& V_ASN1_CONSTRUCTED
;