]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/asn1/a_object.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Check for integer overflow in i2a_ASN1_OBJECT and error out if found.
[thirdparty/openssl.git] / crypto / asn1 / a_object.c
1 /*
2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include <limits.h>
12 #include "crypto/ctype.h"
13 #include "internal/cryptlib.h"
14 #include <openssl/buffer.h>
15 #include <openssl/asn1.h>
16 #include <openssl/objects.h>
17 #include <openssl/bn.h>
18 #include "crypto/asn1.h"
19 #include "asn1_local.h"
20
21 int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp)
22 {
23 unsigned char *p, *allocated = NULL;
24 int objsize;
25
26 if ((a == NULL) || (a->data == NULL))
27 return 0;
28
29 objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT);
30 if (pp == NULL || objsize == -1)
31 return objsize;
32
33 if (*pp == NULL) {
34 if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) {
35 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
36 return 0;
37 }
38 } else {
39 p = *pp;
40 }
41
42 ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
43 memcpy(p, a->data, a->length);
44
45 /*
46 * If a new buffer was allocated, just return it back.
47 * If not, return the incremented buffer pointer.
48 */
49 *pp = allocated != NULL ? allocated : p + a->length;
50 return objsize;
51 }
52
53 int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
54 {
55 int i, first, len = 0, c, use_bn;
56 char ftmp[24], *tmp = ftmp;
57 int tmpsize = sizeof(ftmp);
58 const char *p;
59 unsigned long l;
60 BIGNUM *bl = NULL;
61
62 if (num == 0)
63 return 0;
64 else if (num == -1)
65 num = strlen(buf);
66
67 p = buf;
68 c = *(p++);
69 num--;
70 if ((c >= '0') && (c <= '2')) {
71 first = c - '0';
72 } else {
73 ERR_raise(ERR_LIB_ASN1, ASN1_R_FIRST_NUM_TOO_LARGE);
74 goto err;
75 }
76
77 if (num <= 0) {
78 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_SECOND_NUMBER);
79 goto err;
80 }
81 c = *(p++);
82 num--;
83 for (;;) {
84 if (num <= 0)
85 break;
86 if ((c != '.') && (c != ' ')) {
87 ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_SEPARATOR);
88 goto err;
89 }
90 l = 0;
91 use_bn = 0;
92 for (;;) {
93 if (num <= 0)
94 break;
95 num--;
96 c = *(p++);
97 if ((c == ' ') || (c == '.'))
98 break;
99 if (!ossl_isdigit(c)) {
100 ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_DIGIT);
101 goto err;
102 }
103 if (!use_bn && l >= ((ULONG_MAX - 80) / 10L)) {
104 use_bn = 1;
105 if (bl == NULL)
106 bl = BN_new();
107 if (bl == NULL || !BN_set_word(bl, l))
108 goto err;
109 }
110 if (use_bn) {
111 if (!BN_mul_word(bl, 10L)
112 || !BN_add_word(bl, c - '0'))
113 goto err;
114 } else
115 l = l * 10L + (long)(c - '0');
116 }
117 if (len == 0) {
118 if ((first < 2) && (l >= 40)) {
119 ERR_raise(ERR_LIB_ASN1, ASN1_R_SECOND_NUMBER_TOO_LARGE);
120 goto err;
121 }
122 if (use_bn) {
123 if (!BN_add_word(bl, first * 40))
124 goto err;
125 } else
126 l += (long)first *40;
127 }
128 i = 0;
129 if (use_bn) {
130 int blsize;
131 blsize = BN_num_bits(bl);
132 blsize = (blsize + 6) / 7;
133 if (blsize > tmpsize) {
134 if (tmp != ftmp)
135 OPENSSL_free(tmp);
136 tmpsize = blsize + 32;
137 tmp = OPENSSL_malloc(tmpsize);
138 if (tmp == NULL)
139 goto err;
140 }
141 while (blsize--) {
142 BN_ULONG t = BN_div_word(bl, 0x80L);
143 if (t == (BN_ULONG)-1)
144 goto err;
145 tmp[i++] = (unsigned char)t;
146 }
147 } else {
148
149 for (;;) {
150 tmp[i++] = (unsigned char)l & 0x7f;
151 l >>= 7L;
152 if (l == 0L)
153 break;
154 }
155
156 }
157 if (out != NULL) {
158 if (len + i > olen) {
159 ERR_raise(ERR_LIB_ASN1, ASN1_R_BUFFER_TOO_SMALL);
160 goto err;
161 }
162 while (--i > 0)
163 out[len++] = tmp[i] | 0x80;
164 out[len++] = tmp[0];
165 } else
166 len += i;
167 }
168 if (tmp != ftmp)
169 OPENSSL_free(tmp);
170 BN_free(bl);
171 return len;
172 err:
173 if (tmp != ftmp)
174 OPENSSL_free(tmp);
175 BN_free(bl);
176 return 0;
177 }
178
179 int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a)
180 {
181 return OBJ_obj2txt(buf, buf_len, a, 0);
182 }
183
184 int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
185 {
186 char buf[80], *p = buf;
187 int i;
188
189 if ((a == NULL) || (a->data == NULL))
190 return BIO_write(bp, "NULL", 4);
191 i = i2t_ASN1_OBJECT(buf, sizeof(buf), a);
192 if (i > (int)(sizeof(buf) - 1)) {
193 if (i > INT_MAX - 1) { /* catch an integer overflow */
194 ERR_raise(ERR_LIB_ASN1, ASN1_R_LENGTH_TOO_LONG);
195 return -1;
196 }
197 if ((p = OPENSSL_malloc(i + 1)) == NULL) {
198 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
199 return -1;
200 }
201 i2t_ASN1_OBJECT(p, i + 1, a);
202 }
203 if (i <= 0) {
204 i = BIO_write(bp, "<INVALID>", 9);
205 i += BIO_dump(bp, (const char *)a->data, a->length);
206 return i;
207 }
208 BIO_write(bp, p, i);
209 if (p != buf)
210 OPENSSL_free(p);
211 return i;
212 }
213
214 ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
215 long length)
216 {
217 const unsigned char *p;
218 long len;
219 int tag, xclass;
220 int inf, i;
221 ASN1_OBJECT *ret = NULL;
222 p = *pp;
223 inf = ASN1_get_object(&p, &len, &tag, &xclass, length);
224 if (inf & 0x80) {
225 i = ASN1_R_BAD_OBJECT_HEADER;
226 goto err;
227 }
228
229 if (tag != V_ASN1_OBJECT) {
230 i = ASN1_R_EXPECTING_AN_OBJECT;
231 goto err;
232 }
233 ret = ossl_c2i_ASN1_OBJECT(a, &p, len);
234 if (ret)
235 *pp = p;
236 return ret;
237 err:
238 ERR_raise(ERR_LIB_ASN1, i);
239 return NULL;
240 }
241
242 ASN1_OBJECT *ossl_c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
243 long len)
244 {
245 ASN1_OBJECT *ret = NULL, tobj;
246 const unsigned char *p;
247 unsigned char *data;
248 int i, length;
249
250 /*
251 * Sanity check OID encoding. Need at least one content octet. MSB must
252 * be clear in the last octet. can't have leading 0x80 in subidentifiers,
253 * see: X.690 8.19.2
254 */
255 if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
256 p[len - 1] & 0x80) {
257 ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_OBJECT_ENCODING);
258 return NULL;
259 }
260 /* Now 0 < len <= INT_MAX, so the cast is safe. */
261 length = (int)len;
262 /*
263 * Try to lookup OID in table: these are all valid encodings so if we get
264 * a match we know the OID is valid.
265 */
266 tobj.nid = NID_undef;
267 tobj.data = p;
268 tobj.length = length;
269 tobj.flags = 0;
270 i = OBJ_obj2nid(&tobj);
271 if (i != NID_undef) {
272 /*
273 * Return shared registered OID object: this improves efficiency
274 * because we don't have to return a dynamically allocated OID
275 * and NID lookups can use the cached value.
276 */
277 ret = OBJ_nid2obj(i);
278 if (a) {
279 ASN1_OBJECT_free(*a);
280 *a = ret;
281 }
282 *pp += len;
283 return ret;
284 }
285 for (i = 0; i < length; i++, p++) {
286 if (*p == 0x80 && (!i || !(p[-1] & 0x80))) {
287 ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_OBJECT_ENCODING);
288 return NULL;
289 }
290 }
291
292 /*
293 * only the ASN1_OBJECTs from the 'table' will have values for ->sn or
294 * ->ln
295 */
296 if ((a == NULL) || ((*a) == NULL) ||
297 !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) {
298 if ((ret = ASN1_OBJECT_new()) == NULL)
299 return NULL;
300 } else
301 ret = (*a);
302
303 p = *pp;
304 /* detach data from object */
305 data = (unsigned char *)ret->data;
306 ret->data = NULL;
307 /* once detached we can change it */
308 if ((data == NULL) || (ret->length < length)) {
309 ret->length = 0;
310 OPENSSL_free(data);
311 data = OPENSSL_malloc(length);
312 if (data == NULL) {
313 i = ERR_R_MALLOC_FAILURE;
314 goto err;
315 }
316 ret->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA;
317 }
318 memcpy(data, p, length);
319 /* reattach data to object, after which it remains const */
320 ret->data = data;
321 ret->length = length;
322 ret->sn = NULL;
323 ret->ln = NULL;
324 /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
325 p += length;
326
327 if (a != NULL)
328 (*a) = ret;
329 *pp = p;
330 return ret;
331 err:
332 ERR_raise(ERR_LIB_ASN1, i);
333 if ((a == NULL) || (*a != ret))
334 ASN1_OBJECT_free(ret);
335 return NULL;
336 }
337
338 ASN1_OBJECT *ASN1_OBJECT_new(void)
339 {
340 ASN1_OBJECT *ret;
341
342 ret = OPENSSL_zalloc(sizeof(*ret));
343 if (ret == NULL) {
344 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
345 return NULL;
346 }
347 ret->flags = ASN1_OBJECT_FLAG_DYNAMIC;
348 return ret;
349 }
350
351 void ASN1_OBJECT_free(ASN1_OBJECT *a)
352 {
353 if (a == NULL)
354 return;
355 if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) {
356 #ifndef CONST_STRICT
357 /*
358 * Disable purely for compile-time strict const checking. Doing this
359 * on a "real" compile will cause memory leaks
360 */
361 OPENSSL_free((void*)a->sn);
362 OPENSSL_free((void*)a->ln);
363 #endif
364 a->sn = a->ln = NULL;
365 }
366 if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_DATA) {
367 OPENSSL_free((void*)a->data);
368 a->data = NULL;
369 a->length = 0;
370 }
371 if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC)
372 OPENSSL_free(a);
373 }
374
375 ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len,
376 const char *sn, const char *ln)
377 {
378 ASN1_OBJECT o;
379
380 o.sn = sn;
381 o.ln = ln;
382 o.data = data;
383 o.nid = nid;
384 o.length = len;
385 o.flags = ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
386 ASN1_OBJECT_FLAG_DYNAMIC_DATA;
387 return OBJ_dup(&o);
388 }
A mirror of the official openssl repository