From: Martin Willi <martin@revosec.ch>
Date: Tue, 9 Dec 2014 13:19:39 +0000 (+0100)
Subject: pem: Handle BER indefinite length encoding as binary ASN.1
X-Git-Tag: 5.2.2rc1~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58cacf0a74b6aeee38e92768b7d352e7747285af;p=thirdparty%2Fstrongswan.git

pem: Handle BER indefinite length encoding as binary ASN.1

While our ASN.1 parser can't handle BER indefinite length encoding, the OpenSSL
backend can. Some PKCS#12 containers get encoded this way, so we should
support loading such files in the pem plugin.
---

diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 62780c3841..f0e508abf9 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -364,6 +364,29 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp)
 	return status;
 }
 
+/**
+ * Check if a blob looks like an ASN1 SEQUENCE or SET with BER indefinite length
+ */
+static bool is_ber_indefinite_length(chunk_t blob)
+{
+	if (blob.len >= 4)
+	{
+		switch (blob.ptr[0])
+		{
+			case ASN1_SEQUENCE:
+			case ASN1_SET:
+				/* BER indefinite length uses 0x80, and is terminated with
+				 * end-of-content using 0x00,0x00 */
+				return blob.ptr[1] == 0x80 &&
+					   blob.ptr[blob.len - 2] == 0 &&
+					   blob.ptr[blob.len - 1] == 0;
+			default:
+				break;
+		}
+	}
+	return FALSE;
+}
+
 /**
  * load the credential from a blob
  */
@@ -374,7 +397,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
 	bool pgp = FALSE;
 
 	blob = chunk_clone(blob);
-	if (!is_asn1(blob))
+	if (!is_ber_indefinite_length(blob) && !is_asn1(blob))
 	{
 		if (pem_to_bin(&blob, &pgp) != SUCCESS)
 		{