| 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
|---|---|
| 2 | * All rights reserved. |
| 3 | * |
| 4 | * This package is an SSL implementation written |
| 5 | * by Eric Young (eay@cryptsoft.com). |
| 6 | * The implementation was written so as to conform with Netscapes SSL. |
| 7 | * |
| 8 | * This library is free for commercial and non-commercial use as long as |
| 9 | * the following conditions are aheared to. The following conditions |
| 10 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 12 | * included with this distribution is covered by the same copyright terms |
| 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 14 | * |
| 15 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 16 | * the code are not to be removed. |
| 17 | * If this package is used in a product, Eric Young should be given attribution |
| 18 | * as the author of the parts of the library used. |
| 19 | * This can be in the form of a textual message at program startup or |
| 20 | * in documentation (online or textual) provided with the package. |
| 21 | * |
| 22 | * Redistribution and use in source and binary forms, with or without |
| 23 | * modification, are permitted provided that the following conditions |
| 24 | * are met: |
| 25 | * 1. Redistributions of source code must retain the copyright |
| 26 | * notice, this list of conditions and the following disclaimer. |
| 27 | * 2. Redistributions in binary form must reproduce the above copyright |
| 28 | * notice, this list of conditions and the following disclaimer in the |
| 29 | * documentation and/or other materials provided with the distribution. |
| 30 | * 3. All advertising materials mentioning features or use of this software |
| 31 | * must display the following acknowledgement: |
| 32 | * "This product includes cryptographic software written by |
| 33 | * Eric Young (eay@cryptsoft.com)" |
| 34 | * The word 'cryptographic' can be left out if the rouines from the library |
| 35 | * being used are not cryptographic related :-). |
| 36 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 37 | * the apps directory (application code) you must include an acknowledgement: |
| 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 39 | * |
| 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 50 | * SUCH DAMAGE. |
| 51 | * |
| 52 | * The licence and distribution terms for any publically available version or |
| 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 54 | * copied and put under another distribution licence |
| 55 | * [including the GNU Public Licence.] */ |
| 56 | |
| 57 | #include <openssl/asn1.h> |
| 58 | |
| 59 | #include <limits.h> |
| 60 | #include <string.h> |
| 61 | |
| 62 | #include <openssl/asn1t.h> |
| 63 | #include <openssl/buf.h> |
| 64 | #include <openssl/err.h> |
| 65 | #include <openssl/mem.h> |
| 66 | |
| 67 | #include "../internal.h" |
| 68 | |
| 69 | /* |
| 70 | * Constructed types with a recursive definition (such as can be found in PKCS7) |
| 71 | * could eventually exceed the stack given malicious input with excessive |
| 72 | * recursion. Therefore we limit the stack depth. This is the maximum number of |
| 73 | * recursive invocations of asn1_item_embed_d2i(). |
| 74 | */ |
| 75 | #define ASN1_MAX_CONSTRUCTED_NEST 30 |
| 76 | |
| 77 | static int asn1_check_eoc(const unsigned char **in, long len); |
| 78 | static int asn1_find_end(const unsigned char **in, long len, char inf); |
| 79 | |
| 80 | static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, |
| 81 | char inf, int tag, int aclass, int depth); |
| 82 | |
| 83 | static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); |
| 84 | |
| 85 | static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, |
| 86 | char *inf, char *cst, |
| 87 | const unsigned char **in, long len, |
| 88 | int exptag, int expclass, char opt, ASN1_TLC *ctx); |
| 89 | |
| 90 | static int asn1_template_ex_d2i(ASN1_VALUE **pval, |
| 91 | const unsigned char **in, long len, |
| 92 | const ASN1_TEMPLATE *tt, char opt, |
| 93 | ASN1_TLC *ctx, int depth); |
| 94 | static int asn1_template_noexp_d2i(ASN1_VALUE **val, |
| 95 | const unsigned char **in, long len, |
| 96 | const ASN1_TEMPLATE *tt, char opt, |
| 97 | ASN1_TLC *ctx, int depth); |
| 98 | static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, |
| 99 | const unsigned char **in, long len, |
| 100 | const ASN1_ITEM *it, |
| 101 | int tag, int aclass, char opt, |
| 102 | ASN1_TLC *ctx); |
| 103 | |
| 104 | /* Table to convert tags to bit values, used for MSTRING type */ |
| 105 | static const unsigned long tag2bit[32] = { |
| 106 | 0, 0, 0, B_ASN1_BIT_STRING, /* tags 0 - 3 */ |
| 107 | B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN, /* tags 4- 7 */ |
| 108 | B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, /* tags |
| 109 | * 8-11 */ |
| 110 | B_ASN1_UTF8STRING, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, /* tags |
| 111 | * 12-15 |
| 112 | */ |
| 113 | B_ASN1_SEQUENCE, 0, B_ASN1_NUMERICSTRING, B_ASN1_PRINTABLESTRING, /* tags |
| 114 | * 16-19 |
| 115 | */ |
| 116 | B_ASN1_T61STRING, B_ASN1_VIDEOTEXSTRING, B_ASN1_IA5STRING, /* tags 20-22 */ |
| 117 | B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 23-24 */ |
| 118 | B_ASN1_GRAPHICSTRING, B_ASN1_ISO64STRING, B_ASN1_GENERALSTRING, /* tags |
| 119 | * 25-27 */ |
| 120 | B_ASN1_UNIVERSALSTRING, B_ASN1_UNKNOWN, B_ASN1_BMPSTRING, B_ASN1_UNKNOWN, /* tags |
| 121 | * 28-31 |
| 122 | */ |
| 123 | }; |
| 124 | |
| 125 | unsigned long ASN1_tag2bit(int tag) |
| 126 | { |
| 127 | if ((tag < 0) || (tag > 30)) |
| 128 | return 0; |
| 129 | return tag2bit[tag]; |
| 130 | } |
| 131 | |
| 132 | /* Macro to initialize and invalidate the cache */ |
| 133 | |
| 134 | #define asn1_tlc_clear(c) if (c) (c)->valid = 0 |
| 135 | /* Version to avoid compiler warning about 'c' always non-NULL */ |
| 136 | #define asn1_tlc_clear_nc(c) (c)->valid = 0 |
| 137 | |
| 138 | /* |
| 139 | * Decode an ASN1 item, this currently behaves just like a standard 'd2i' |
| 140 | * function. 'in' points to a buffer to read the data from, in future we |
| 141 | * will have more advanced versions that can input data a piece at a time and |
| 142 | * this will simply be a special case. |
| 143 | */ |
| 144 | |
| 145 | ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, |
| 146 | const unsigned char **in, long len, |
| 147 | const ASN1_ITEM *it) |
| 148 | { |
| 149 | ASN1_TLC c; |
| 150 | ASN1_VALUE *ptmpval = NULL; |
| 151 | if (!pval) |
| 152 | pval = &ptmpval; |
| 153 | asn1_tlc_clear_nc(&c); |
| 154 | if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) |
| 155 | return *pval; |
| 156 | return NULL; |
| 157 | } |
| 158 | |
| 159 | /* |
| 160 | * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and |
| 161 | * tag mismatch return -1 to handle OPTIONAL |
| 162 | */ |
| 163 | |
| 164 | static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, |
| 165 | long len, const ASN1_ITEM *it, int tag, int aclass, |
| 166 | char opt, ASN1_TLC *ctx, int depth) |
| 167 | { |
| 168 | const ASN1_TEMPLATE *tt, *errtt = NULL; |
| 169 | const ASN1_COMPAT_FUNCS *cf; |
| 170 | const ASN1_EXTERN_FUNCS *ef; |
| 171 | const ASN1_AUX *aux = it->funcs; |
| 172 | ASN1_aux_cb *asn1_cb; |
| 173 | const unsigned char *p = NULL, *q; |
| 174 | unsigned char *wp = NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ |
| 175 | unsigned char imphack = 0, oclass; |
| 176 | char seq_eoc, seq_nolen, cst, isopt; |
| 177 | long tmplen; |
| 178 | int i; |
| 179 | int otag; |
| 180 | int ret = 0; |
| 181 | ASN1_VALUE **pchptr, *ptmpval; |
| 182 | int combine = aclass & ASN1_TFLG_COMBINE; |
| 183 | aclass &= ~ASN1_TFLG_COMBINE; |
| 184 | if (!pval) |
| 185 | return 0; |
| 186 | if (aux && aux->asn1_cb) |
| 187 | asn1_cb = aux->asn1_cb; |
| 188 | else |
| 189 | asn1_cb = 0; |
| 190 | |
| 191 | /* |
| 192 | * Bound |len| to comfortably fit in an int. Lengths in this module often |
| 193 | * switch between int and long without overflow checks. |
| 194 | */ |
| 195 | if (len > INT_MAX/2) { |
| 196 | len = INT_MAX/2; |
| 197 | } |
| 198 | |
| 199 | if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { |
| 200 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_TOO_DEEP); |
| 201 | goto err; |
| 202 | } |
| 203 | |
| 204 | switch (it->itype) { |
| 205 | case ASN1_ITYPE_PRIMITIVE: |
| 206 | if (it->templates) { |
| 207 | /* |
| 208 | * tagging or OPTIONAL is currently illegal on an item template |
| 209 | * because the flags can't get passed down. In practice this |
| 210 | * isn't a problem: we include the relevant flags from the item |
| 211 | * template in the template itself. |
| 212 | */ |
| 213 | if ((tag != -1) || opt) { |
| 214 | OPENSSL_PUT_ERROR(ASN1, |
| 215 | ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); |
| 216 | goto err; |
| 217 | } |
| 218 | return asn1_template_ex_d2i(pval, in, len, |
| 219 | it->templates, opt, ctx, depth); |
| 220 | } |
| 221 | return asn1_d2i_ex_primitive(pval, in, len, it, |
| 222 | tag, aclass, opt, ctx); |
| 223 | break; |
| 224 | |
| 225 | case ASN1_ITYPE_MSTRING: |
| 226 | p = *in; |
| 227 | /* Just read in tag and class */ |
| 228 | ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, |
| 229 | &p, len, -1, 0, 1, ctx); |
| 230 | if (!ret) { |
| 231 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 232 | goto err; |
| 233 | } |
| 234 | |
| 235 | /* Must be UNIVERSAL class */ |
| 236 | if (oclass != V_ASN1_UNIVERSAL) { |
| 237 | /* If OPTIONAL, assume this is OK */ |
| 238 | if (opt) |
| 239 | return -1; |
| 240 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL); |
| 241 | goto err; |
| 242 | } |
| 243 | /* Check tag matches bit map */ |
| 244 | if (!(ASN1_tag2bit(otag) & it->utype)) { |
| 245 | /* If OPTIONAL, assume this is OK */ |
| 246 | if (opt) |
| 247 | return -1; |
| 248 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_WRONG_TAG); |
| 249 | goto err; |
| 250 | } |
| 251 | return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx); |
| 252 | |
| 253 | case ASN1_ITYPE_EXTERN: |
| 254 | /* Use new style d2i */ |
| 255 | ef = it->funcs; |
| 256 | return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx); |
| 257 | |
| 258 | case ASN1_ITYPE_COMPAT: |
| 259 | /* we must resort to old style evil hackery */ |
| 260 | cf = it->funcs; |
| 261 | |
| 262 | /* If OPTIONAL see if it is there */ |
| 263 | if (opt) { |
| 264 | int exptag; |
| 265 | p = *in; |
| 266 | if (tag == -1) |
| 267 | exptag = it->utype; |
| 268 | else |
| 269 | exptag = tag; |
| 270 | /* |
| 271 | * Don't care about anything other than presence of expected tag |
| 272 | */ |
| 273 | |
| 274 | ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, |
| 275 | &p, len, exptag, aclass, 1, ctx); |
| 276 | if (!ret) { |
| 277 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 278 | goto err; |
| 279 | } |
| 280 | if (ret == -1) |
| 281 | return -1; |
| 282 | } |
| 283 | |
| 284 | /* |
| 285 | * This is the old style evil hack IMPLICIT handling: since the |
| 286 | * underlying code is expecting a tag and class other than the one |
| 287 | * present we change the buffer temporarily then change it back |
| 288 | * afterwards. This doesn't and never did work for tags > 30. Yes |
| 289 | * this is *horrible* but it is only needed for old style d2i which |
| 290 | * will hopefully not be around for much longer. FIXME: should copy |
| 291 | * the buffer then modify it so the input buffer can be const: we |
| 292 | * should *always* copy because the old style d2i might modify the |
| 293 | * buffer. |
| 294 | */ |
| 295 | |
| 296 | if (tag != -1) { |
| 297 | wp = *(unsigned char **)in; |
| 298 | imphack = *wp; |
| 299 | if (p == NULL) { |
| 300 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 301 | goto err; |
| 302 | } |
| 303 | *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) |
| 304 | | it->utype); |
| 305 | } |
| 306 | |
| 307 | ptmpval = cf->asn1_d2i(pval, in, len); |
| 308 | |
| 309 | if (tag != -1) |
| 310 | *wp = imphack; |
| 311 | |
| 312 | if (ptmpval) |
| 313 | return 1; |
| 314 | |
| 315 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 316 | goto err; |
| 317 | |
| 318 | case ASN1_ITYPE_CHOICE: |
| 319 | if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) |
| 320 | goto auxerr; |
| 321 | |
| 322 | if (*pval) { |
| 323 | /* Free up and zero CHOICE value if initialised */ |
| 324 | i = asn1_get_choice_selector(pval, it); |
| 325 | if ((i >= 0) && (i < it->tcount)) { |
| 326 | tt = it->templates + i; |
| 327 | pchptr = asn1_get_field_ptr(pval, tt); |
| 328 | ASN1_template_free(pchptr, tt); |
| 329 | asn1_set_choice_selector(pval, -1, it); |
| 330 | } |
| 331 | } else if (!ASN1_item_ex_new(pval, it)) { |
| 332 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 333 | goto err; |
| 334 | } |
| 335 | /* CHOICE type, try each possibility in turn */ |
| 336 | p = *in; |
| 337 | for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { |
| 338 | pchptr = asn1_get_field_ptr(pval, tt); |
| 339 | /* |
| 340 | * We mark field as OPTIONAL so its absence can be recognised. |
| 341 | */ |
| 342 | ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth); |
| 343 | /* If field not present, try the next one */ |
| 344 | if (ret == -1) |
| 345 | continue; |
| 346 | /* If positive return, read OK, break loop */ |
| 347 | if (ret > 0) |
| 348 | break; |
| 349 | /* Otherwise must be an ASN1 parsing error */ |
| 350 | errtt = tt; |
| 351 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 352 | goto err; |
| 353 | } |
| 354 | |
| 355 | /* Did we fall off the end without reading anything? */ |
| 356 | if (i == it->tcount) { |
| 357 | /* If OPTIONAL, this is OK */ |
| 358 | if (opt) { |
| 359 | /* Free and zero it */ |
| 360 | ASN1_item_ex_free(pval, it); |
| 361 | return -1; |
| 362 | } |
| 363 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE); |
| 364 | goto err; |
| 365 | } |
| 366 | |
| 367 | asn1_set_choice_selector(pval, i, it); |
| 368 | if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) |
| 369 | goto auxerr; |
| 370 | *in = p; |
| 371 | return 1; |
| 372 | |
| 373 | case ASN1_ITYPE_NDEF_SEQUENCE: |
| 374 | case ASN1_ITYPE_SEQUENCE: |
| 375 | p = *in; |
| 376 | tmplen = len; |
| 377 | |
| 378 | /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ |
| 379 | if (tag == -1) { |
| 380 | tag = V_ASN1_SEQUENCE; |
| 381 | aclass = V_ASN1_UNIVERSAL; |
| 382 | } |
| 383 | /* Get SEQUENCE length and update len, p */ |
| 384 | ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, |
| 385 | &p, len, tag, aclass, opt, ctx); |
| 386 | if (!ret) { |
| 387 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 388 | goto err; |
| 389 | } else if (ret == -1) |
| 390 | return -1; |
| 391 | if (aux && (aux->flags & ASN1_AFLG_BROKEN)) { |
| 392 | len = tmplen - (p - *in); |
| 393 | seq_nolen = 1; |
| 394 | } |
| 395 | /* If indefinite we don't do a length check */ |
| 396 | else |
| 397 | seq_nolen = seq_eoc; |
| 398 | if (!cst) { |
| 399 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED); |
| 400 | goto err; |
| 401 | } |
| 402 | |
| 403 | if (!*pval && !ASN1_item_ex_new(pval, it)) { |
| 404 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 405 | goto err; |
| 406 | } |
| 407 | |
| 408 | if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) |
| 409 | goto auxerr; |
| 410 | |
| 411 | /* Free up and zero any ADB found */ |
| 412 | for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { |
| 413 | if (tt->flags & ASN1_TFLG_ADB_MASK) { |
| 414 | const ASN1_TEMPLATE *seqtt; |
| 415 | ASN1_VALUE **pseqval; |
| 416 | seqtt = asn1_do_adb(pval, tt, 0); |
| 417 | if (seqtt == NULL) |
| 418 | continue; |
| 419 | pseqval = asn1_get_field_ptr(pval, seqtt); |
| 420 | ASN1_template_free(pseqval, seqtt); |
| 421 | } |
| 422 | } |
| 423 | |
| 424 | /* Get each field entry */ |
| 425 | for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { |
| 426 | const ASN1_TEMPLATE *seqtt; |
| 427 | ASN1_VALUE **pseqval; |
| 428 | seqtt = asn1_do_adb(pval, tt, 1); |
| 429 | if (seqtt == NULL) |
| 430 | goto err; |
| 431 | pseqval = asn1_get_field_ptr(pval, seqtt); |
| 432 | /* Have we ran out of data? */ |
| 433 | if (!len) |
| 434 | break; |
| 435 | q = p; |
| 436 | if (asn1_check_eoc(&p, len)) { |
| 437 | if (!seq_eoc) { |
| 438 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); |
| 439 | goto err; |
| 440 | } |
| 441 | len -= p - q; |
| 442 | seq_eoc = 0; |
| 443 | q = p; |
| 444 | break; |
| 445 | } |
| 446 | /* |
| 447 | * This determines the OPTIONAL flag value. The field cannot be |
| 448 | * omitted if it is the last of a SEQUENCE and there is still |
| 449 | * data to be read. This isn't strictly necessary but it |
| 450 | * increases efficiency in some cases. |
| 451 | */ |
| 452 | if (i == (it->tcount - 1)) |
| 453 | isopt = 0; |
| 454 | else |
| 455 | isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); |
| 456 | /* |
| 457 | * attempt to read in field, allowing each to be OPTIONAL |
| 458 | */ |
| 459 | |
| 460 | ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx, |
| 461 | depth); |
| 462 | if (!ret) { |
| 463 | errtt = seqtt; |
| 464 | goto err; |
| 465 | } else if (ret == -1) { |
| 466 | /* |
| 467 | * OPTIONAL component absent. Free and zero the field. |
| 468 | */ |
| 469 | ASN1_template_free(pseqval, seqtt); |
| 470 | continue; |
| 471 | } |
| 472 | /* Update length */ |
| 473 | len -= p - q; |
| 474 | } |
| 475 | |
| 476 | /* Check for EOC if expecting one */ |
| 477 | if (seq_eoc && !asn1_check_eoc(&p, len)) { |
| 478 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); |
| 479 | goto err; |
| 480 | } |
| 481 | /* Check all data read */ |
| 482 | if (!seq_nolen && len) { |
| 483 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH); |
| 484 | goto err; |
| 485 | } |
| 486 | |
| 487 | /* |
| 488 | * If we get here we've got no more data in the SEQUENCE, however we |
| 489 | * may not have read all fields so check all remaining are OPTIONAL |
| 490 | * and clear any that are. |
| 491 | */ |
| 492 | for (; i < it->tcount; tt++, i++) { |
| 493 | const ASN1_TEMPLATE *seqtt; |
| 494 | seqtt = asn1_do_adb(pval, tt, 1); |
| 495 | if (seqtt == NULL) |
| 496 | goto err; |
| 497 | if (seqtt->flags & ASN1_TFLG_OPTIONAL) { |
| 498 | ASN1_VALUE **pseqval; |
| 499 | pseqval = asn1_get_field_ptr(pval, seqtt); |
| 500 | ASN1_template_free(pseqval, seqtt); |
| 501 | } else { |
| 502 | errtt = seqtt; |
| 503 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIELD_MISSING); |
| 504 | goto err; |
| 505 | } |
| 506 | } |
| 507 | /* Save encoding */ |
| 508 | if (!asn1_enc_save(pval, *in, p - *in, it)) |
| 509 | goto auxerr; |
| 510 | if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) |
| 511 | goto auxerr; |
| 512 | *in = p; |
| 513 | return 1; |
| 514 | |
| 515 | default: |
| 516 | return 0; |
| 517 | } |
| 518 | auxerr: |
| 519 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR); |
| 520 | err: |
| 521 | if (combine == 0) |
| 522 | ASN1_item_ex_free(pval, it); |
| 523 | if (errtt) |
| 524 | ERR_add_error_data(4, "Field=", errtt->field_name, |
| 525 | ", Type=", it->sname); |
| 526 | else |
| 527 | ERR_add_error_data(2, "Type=", it->sname); |
| 528 | return 0; |
| 529 | } |
| 530 | |
| 531 | int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, |
| 532 | const ASN1_ITEM *it, |
| 533 | int tag, int aclass, char opt, ASN1_TLC *ctx) |
| 534 | { |
| 535 | return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0); |
| 536 | } |
| 537 | |
| 538 | /* |
| 539 | * Templates are handled with two separate functions. One handles any |
| 540 | * EXPLICIT tag and the other handles the rest. |
| 541 | */ |
| 542 | |
| 543 | static int asn1_template_ex_d2i(ASN1_VALUE **val, |
| 544 | const unsigned char **in, long inlen, |
| 545 | const ASN1_TEMPLATE *tt, char opt, |
| 546 | ASN1_TLC *ctx, int depth) |
| 547 | { |
| 548 | int flags, aclass; |
| 549 | int ret; |
| 550 | long len; |
| 551 | const unsigned char *p, *q; |
| 552 | char exp_eoc; |
| 553 | if (!val) |
| 554 | return 0; |
| 555 | flags = tt->flags; |
| 556 | aclass = flags & ASN1_TFLG_TAG_CLASS; |
| 557 | |
| 558 | p = *in; |
| 559 | |
| 560 | /* Check if EXPLICIT tag expected */ |
| 561 | if (flags & ASN1_TFLG_EXPTAG) { |
| 562 | char cst; |
| 563 | /* |
| 564 | * Need to work out amount of data available to the inner content and |
| 565 | * where it starts: so read in EXPLICIT header to get the info. |
| 566 | */ |
| 567 | ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, |
| 568 | &p, inlen, tt->tag, aclass, opt, ctx); |
| 569 | q = p; |
| 570 | if (!ret) { |
| 571 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 572 | return 0; |
| 573 | } else if (ret == -1) |
| 574 | return -1; |
| 575 | if (!cst) { |
| 576 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); |
| 577 | return 0; |
| 578 | } |
| 579 | /* We've found the field so it can't be OPTIONAL now */ |
| 580 | ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); |
| 581 | if (!ret) { |
| 582 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 583 | return 0; |
| 584 | } |
| 585 | /* We read the field in OK so update length */ |
| 586 | len -= p - q; |
| 587 | if (exp_eoc) { |
| 588 | /* If NDEF we must have an EOC here */ |
| 589 | if (!asn1_check_eoc(&p, len)) { |
| 590 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); |
| 591 | goto err; |
| 592 | } |
| 593 | } else { |
| 594 | /* |
| 595 | * Otherwise we must hit the EXPLICIT tag end or its an error |
| 596 | */ |
| 597 | if (len) { |
| 598 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH); |
| 599 | goto err; |
| 600 | } |
| 601 | } |
| 602 | } else |
| 603 | return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth); |
| 604 | |
| 605 | *in = p; |
| 606 | return 1; |
| 607 | |
| 608 | err: |
| 609 | ASN1_template_free(val, tt); |
| 610 | return 0; |
| 611 | } |
| 612 | |
| 613 | static int asn1_template_noexp_d2i(ASN1_VALUE **val, |
| 614 | const unsigned char **in, long len, |
| 615 | const ASN1_TEMPLATE *tt, char opt, |
| 616 | ASN1_TLC *ctx, int depth) |
| 617 | { |
| 618 | int flags, aclass; |
| 619 | int ret; |
| 620 | const unsigned char *p; |
| 621 | if (!val) |
| 622 | return 0; |
| 623 | flags = tt->flags; |
| 624 | aclass = flags & ASN1_TFLG_TAG_CLASS; |
| 625 | |
| 626 | p = *in; |
| 627 | |
| 628 | if (flags & ASN1_TFLG_SK_MASK) { |
| 629 | /* SET OF, SEQUENCE OF */ |
| 630 | int sktag, skaclass; |
| 631 | char sk_eoc; |
| 632 | /* First work out expected inner tag value */ |
| 633 | if (flags & ASN1_TFLG_IMPTAG) { |
| 634 | sktag = tt->tag; |
| 635 | skaclass = aclass; |
| 636 | } else { |
| 637 | skaclass = V_ASN1_UNIVERSAL; |
| 638 | if (flags & ASN1_TFLG_SET_OF) |
| 639 | sktag = V_ASN1_SET; |
| 640 | else |
| 641 | sktag = V_ASN1_SEQUENCE; |
| 642 | } |
| 643 | /* Get the tag */ |
| 644 | ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, |
| 645 | &p, len, sktag, skaclass, opt, ctx); |
| 646 | if (!ret) { |
| 647 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 648 | return 0; |
| 649 | } else if (ret == -1) |
| 650 | return -1; |
| 651 | if (!*val) |
| 652 | *val = (ASN1_VALUE *)sk_new_null(); |
| 653 | else { |
| 654 | /* |
| 655 | * We've got a valid STACK: free up any items present |
| 656 | */ |
| 657 | STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val; |
| 658 | ASN1_VALUE *vtmp; |
| 659 | while (sk_ASN1_VALUE_num(sktmp) > 0) { |
| 660 | vtmp = sk_ASN1_VALUE_pop(sktmp); |
| 661 | ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item)); |
| 662 | } |
| 663 | } |
| 664 | |
| 665 | if (!*val) { |
| 666 | OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); |
| 667 | goto err; |
| 668 | } |
| 669 | |
| 670 | /* Read as many items as we can */ |
| 671 | while (len > 0) { |
| 672 | ASN1_VALUE *skfield; |
| 673 | const unsigned char *q = p; |
| 674 | /* See if EOC found */ |
| 675 | if (asn1_check_eoc(&p, len)) { |
| 676 | if (!sk_eoc) { |
| 677 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); |
| 678 | goto err; |
| 679 | } |
| 680 | len -= p - q; |
| 681 | sk_eoc = 0; |
| 682 | break; |
| 683 | } |
| 684 | skfield = NULL; |
| 685 | if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), |
| 686 | -1, 0, 0, ctx, depth)) { |
| 687 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 688 | goto err; |
| 689 | } |
| 690 | len -= p - q; |
| 691 | if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) { |
| 692 | ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item)); |
| 693 | OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); |
| 694 | goto err; |
| 695 | } |
| 696 | } |
| 697 | if (sk_eoc) { |
| 698 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); |
| 699 | goto err; |
| 700 | } |
| 701 | } else if (flags & ASN1_TFLG_IMPTAG) { |
| 702 | /* IMPLICIT tagging */ |
| 703 | ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, |
| 704 | aclass, opt, ctx, depth); |
| 705 | if (!ret) { |
| 706 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 707 | goto err; |
| 708 | } else if (ret == -1) |
| 709 | return -1; |
| 710 | } else { |
| 711 | /* Nothing special */ |
| 712 | ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), |
| 713 | -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, |
| 714 | depth); |
| 715 | if (!ret) { |
| 716 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 717 | goto err; |
| 718 | } else if (ret == -1) |
| 719 | return -1; |
| 720 | } |
| 721 | |
| 722 | *in = p; |
| 723 | return 1; |
| 724 | |
| 725 | err: |
| 726 | ASN1_template_free(val, tt); |
| 727 | return 0; |
| 728 | } |
| 729 | |
| 730 | static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, |
| 731 | const unsigned char **in, long inlen, |
| 732 | const ASN1_ITEM *it, |
| 733 | int tag, int aclass, char opt, ASN1_TLC *ctx) |
| 734 | { |
| 735 | int ret = 0, utype; |
| 736 | long plen; |
| 737 | char cst, inf, free_cont = 0; |
| 738 | const unsigned char *p; |
| 739 | BUF_MEM buf = {0, NULL, 0 }; |
| 740 | const unsigned char *cont = NULL; |
| 741 | long len; |
| 742 | if (!pval) { |
| 743 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL); |
| 744 | return 0; /* Should never happen */ |
| 745 | } |
| 746 | |
| 747 | if (it->itype == ASN1_ITYPE_MSTRING) { |
| 748 | utype = tag; |
| 749 | tag = -1; |
| 750 | } else |
| 751 | utype = it->utype; |
| 752 | |
| 753 | if (utype == V_ASN1_ANY) { |
| 754 | /* If type is ANY need to figure out type from tag */ |
| 755 | unsigned char oclass; |
| 756 | if (tag >= 0) { |
| 757 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TAGGED_ANY); |
| 758 | return 0; |
| 759 | } |
| 760 | if (opt) { |
| 761 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONAL_ANY); |
| 762 | return 0; |
| 763 | } |
| 764 | p = *in; |
| 765 | ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, |
| 766 | &p, inlen, -1, 0, 0, ctx); |
| 767 | if (!ret) { |
| 768 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 769 | return 0; |
| 770 | } |
| 771 | if (oclass != V_ASN1_UNIVERSAL) |
| 772 | utype = V_ASN1_OTHER; |
| 773 | } |
| 774 | if (tag == -1) { |
| 775 | tag = utype; |
| 776 | aclass = V_ASN1_UNIVERSAL; |
| 777 | } |
| 778 | p = *in; |
| 779 | /* Check header */ |
| 780 | ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, |
| 781 | &p, inlen, tag, aclass, opt, ctx); |
| 782 | if (!ret) { |
| 783 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 784 | return 0; |
| 785 | } else if (ret == -1) |
| 786 | return -1; |
| 787 | ret = 0; |
| 788 | /* SEQUENCE, SET and "OTHER" are left in encoded form */ |
| 789 | if ((utype == V_ASN1_SEQUENCE) |
| 790 | || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) { |
| 791 | /* |
| 792 | * Clear context cache for type OTHER because the auto clear when we |
| 793 | * have a exact match wont work |
| 794 | */ |
| 795 | if (utype == V_ASN1_OTHER) { |
| 796 | asn1_tlc_clear(ctx); |
| 797 | } |
| 798 | /* SEQUENCE and SET must be constructed */ |
| 799 | else if (!cst) { |
| 800 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED); |
| 801 | return 0; |
| 802 | } |
| 803 | |
| 804 | cont = *in; |
| 805 | /* If indefinite length constructed find the real end */ |
| 806 | if (inf) { |
| 807 | if (!asn1_find_end(&p, plen, inf)) |
| 808 | goto err; |
| 809 | len = p - cont; |
| 810 | } else { |
| 811 | len = p - cont + plen; |
| 812 | p += plen; |
| 813 | } |
| 814 | } else if (cst) { |
| 815 | if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN |
| 816 | || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER |
| 817 | || utype == V_ASN1_ENUMERATED) { |
| 818 | /* These types only have primitive encodings. */ |
| 819 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE); |
| 820 | return 0; |
| 821 | } |
| 822 | |
| 823 | /* Free any returned 'buf' content */ |
| 824 | free_cont = 1; |
| 825 | /* |
| 826 | * Should really check the internal tags are correct but some things |
| 827 | * may get this wrong. The relevant specs say that constructed string |
| 828 | * types should be OCTET STRINGs internally irrespective of the type. |
| 829 | * So instead just check for UNIVERSAL class and ignore the tag. |
| 830 | */ |
| 831 | if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) { |
| 832 | goto err; |
| 833 | } |
| 834 | len = buf.length; |
| 835 | /* Append a final null to string */ |
| 836 | if (!BUF_MEM_grow_clean(&buf, len + 1)) { |
| 837 | OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); |
| 838 | goto err; |
| 839 | } |
| 840 | buf.data[len] = 0; |
| 841 | cont = (const unsigned char *)buf.data; |
| 842 | } else { |
| 843 | cont = p; |
| 844 | len = plen; |
| 845 | p += plen; |
| 846 | } |
| 847 | |
| 848 | /* We now have content length and type: translate into a structure */ |
| 849 | /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */ |
| 850 | if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) |
| 851 | goto err; |
| 852 | |
| 853 | *in = p; |
| 854 | ret = 1; |
| 855 | err: |
| 856 | if (free_cont && buf.data) |
| 857 | OPENSSL_free(buf.data); |
| 858 | return ret; |
| 859 | } |
| 860 | |
| 861 | /* Translate ASN1 content octets into a structure */ |
| 862 | |
| 863 | int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, |
| 864 | int utype, char *free_cont, const ASN1_ITEM *it) |
| 865 | { |
| 866 | ASN1_VALUE **opval = NULL; |
| 867 | ASN1_STRING *stmp; |
| 868 | ASN1_TYPE *typ = NULL; |
| 869 | int ret = 0; |
| 870 | const ASN1_PRIMITIVE_FUNCS *pf; |
| 871 | ASN1_INTEGER **tint; |
| 872 | pf = it->funcs; |
| 873 | |
| 874 | if (pf && pf->prim_c2i) |
| 875 | return pf->prim_c2i(pval, cont, len, utype, free_cont, it); |
| 876 | /* If ANY type clear type and set pointer to internal value */ |
| 877 | if (it->utype == V_ASN1_ANY) { |
| 878 | if (!*pval) { |
| 879 | typ = ASN1_TYPE_new(); |
| 880 | if (typ == NULL) |
| 881 | goto err; |
| 882 | *pval = (ASN1_VALUE *)typ; |
| 883 | } else |
| 884 | typ = (ASN1_TYPE *)*pval; |
| 885 | |
| 886 | if (utype != typ->type) |
| 887 | ASN1_TYPE_set(typ, utype, NULL); |
| 888 | opval = pval; |
| 889 | pval = &typ->value.asn1_value; |
| 890 | } |
| 891 | switch (utype) { |
| 892 | case V_ASN1_OBJECT: |
| 893 | if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) |
| 894 | goto err; |
| 895 | break; |
| 896 | |
| 897 | case V_ASN1_NULL: |
| 898 | if (len) { |
| 899 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NULL_IS_WRONG_LENGTH); |
| 900 | goto err; |
| 901 | } |
| 902 | *pval = (ASN1_VALUE *)1; |
| 903 | break; |
| 904 | |
| 905 | case V_ASN1_BOOLEAN: |
| 906 | if (len != 1) { |
| 907 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH); |
| 908 | goto err; |
| 909 | } else { |
| 910 | ASN1_BOOLEAN *tbool; |
| 911 | tbool = (ASN1_BOOLEAN *)pval; |
| 912 | *tbool = *cont; |
| 913 | } |
| 914 | break; |
| 915 | |
| 916 | case V_ASN1_BIT_STRING: |
| 917 | if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) |
| 918 | goto err; |
| 919 | break; |
| 920 | |
| 921 | case V_ASN1_INTEGER: |
| 922 | case V_ASN1_ENUMERATED: |
| 923 | tint = (ASN1_INTEGER **)pval; |
| 924 | if (!c2i_ASN1_INTEGER(tint, &cont, len)) |
| 925 | goto err; |
| 926 | /* Fixup type to match the expected form */ |
| 927 | (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); |
| 928 | break; |
| 929 | |
| 930 | case V_ASN1_OCTET_STRING: |
| 931 | case V_ASN1_NUMERICSTRING: |
| 932 | case V_ASN1_PRINTABLESTRING: |
| 933 | case V_ASN1_T61STRING: |
| 934 | case V_ASN1_VIDEOTEXSTRING: |
| 935 | case V_ASN1_IA5STRING: |
| 936 | case V_ASN1_UTCTIME: |
| 937 | case V_ASN1_GENERALIZEDTIME: |
| 938 | case V_ASN1_GRAPHICSTRING: |
| 939 | case V_ASN1_VISIBLESTRING: |
| 940 | case V_ASN1_GENERALSTRING: |
| 941 | case V_ASN1_UNIVERSALSTRING: |
| 942 | case V_ASN1_BMPSTRING: |
| 943 | case V_ASN1_UTF8STRING: |
| 944 | case V_ASN1_OTHER: |
| 945 | case V_ASN1_SET: |
| 946 | case V_ASN1_SEQUENCE: |
| 947 | default: |
| 948 | if (utype == V_ASN1_BMPSTRING && (len & 1)) { |
| 949 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); |
| 950 | goto err; |
| 951 | } |
| 952 | if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) { |
| 953 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); |
| 954 | goto err; |
| 955 | } |
| 956 | /* All based on ASN1_STRING and handled the same */ |
| 957 | if (!*pval) { |
| 958 | stmp = ASN1_STRING_type_new(utype); |
| 959 | if (!stmp) { |
| 960 | OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); |
| 961 | goto err; |
| 962 | } |
| 963 | *pval = (ASN1_VALUE *)stmp; |
| 964 | } else { |
| 965 | stmp = (ASN1_STRING *)*pval; |
| 966 | stmp->type = utype; |
| 967 | } |
| 968 | /* If we've already allocated a buffer use it */ |
| 969 | if (*free_cont) { |
| 970 | if (stmp->data) |
| 971 | OPENSSL_free(stmp->data); |
| 972 | stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ |
| 973 | stmp->length = len; |
| 974 | *free_cont = 0; |
| 975 | } else { |
| 976 | if (!ASN1_STRING_set(stmp, cont, len)) { |
| 977 | OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); |
| 978 | ASN1_STRING_free(stmp); |
| 979 | *pval = NULL; |
| 980 | goto err; |
| 981 | } |
| 982 | } |
| 983 | break; |
| 984 | } |
| 985 | /* If ASN1_ANY and NULL type fix up value */ |
| 986 | if (typ && (utype == V_ASN1_NULL)) |
| 987 | typ->value.ptr = NULL; |
| 988 | |
| 989 | ret = 1; |
| 990 | err: |
| 991 | if (!ret) { |
| 992 | ASN1_TYPE_free(typ); |
| 993 | if (opval) |
| 994 | *opval = NULL; |
| 995 | } |
| 996 | return ret; |
| 997 | } |
| 998 | |
| 999 | /* |
| 1000 | * This function finds the end of an ASN1 structure when passed its maximum |
| 1001 | * length, whether it is indefinite length and a pointer to the content. This |
| 1002 | * is more efficient than calling asn1_collect because it does not recurse on |
| 1003 | * each indefinite length header. |
| 1004 | */ |
| 1005 | |
| 1006 | static int asn1_find_end(const unsigned char **in, long len, char inf) |
| 1007 | { |
| 1008 | int expected_eoc; |
| 1009 | long plen; |
| 1010 | const unsigned char *p = *in, *q; |
| 1011 | /* If not indefinite length constructed just add length */ |
| 1012 | if (inf == 0) { |
| 1013 | *in += len; |
| 1014 | return 1; |
| 1015 | } |
| 1016 | expected_eoc = 1; |
| 1017 | /* |
| 1018 | * Indefinite length constructed form. Find the end when enough EOCs are |
| 1019 | * found. If more indefinite length constructed headers are encountered |
| 1020 | * increment the expected eoc count otherwise just skip to the end of the |
| 1021 | * data. |
| 1022 | */ |
| 1023 | while (len > 0) { |
| 1024 | if (asn1_check_eoc(&p, len)) { |
| 1025 | expected_eoc--; |
| 1026 | if (expected_eoc == 0) |
| 1027 | break; |
| 1028 | len -= 2; |
| 1029 | continue; |
| 1030 | } |
| 1031 | q = p; |
| 1032 | /* Just read in a header: only care about the length */ |
| 1033 | if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, |
| 1034 | -1, 0, 0, NULL)) { |
| 1035 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 1036 | return 0; |
| 1037 | } |
| 1038 | if (inf) |
| 1039 | expected_eoc++; |
| 1040 | else |
| 1041 | p += plen; |
| 1042 | len -= p - q; |
| 1043 | } |
| 1044 | if (expected_eoc) { |
| 1045 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); |
| 1046 | return 0; |
| 1047 | } |
| 1048 | *in = p; |
| 1049 | return 1; |
| 1050 | } |
| 1051 | |
| 1052 | /* |
| 1053 | * This function collects the asn1 data from a constructred string type into |
| 1054 | * a buffer. The values of 'in' and 'len' should refer to the contents of the |
| 1055 | * constructed type and 'inf' should be set if it is indefinite length. |
| 1056 | */ |
| 1057 | |
| 1058 | #ifndef ASN1_MAX_STRING_NEST |
| 1059 | /* |
| 1060 | * This determines how many levels of recursion are permitted in ASN1 string |
| 1061 | * types. If it is not limited stack overflows can occur. If set to zero no |
| 1062 | * recursion is allowed at all. Although zero should be adequate examples |
| 1063 | * exist that require a value of 1. So 5 should be more than enough. |
| 1064 | */ |
| 1065 | # define ASN1_MAX_STRING_NEST 5 |
| 1066 | #endif |
| 1067 | |
| 1068 | static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, |
| 1069 | char inf, int tag, int aclass, int depth) |
| 1070 | { |
| 1071 | const unsigned char *p, *q; |
| 1072 | long plen; |
| 1073 | char cst, ininf; |
| 1074 | p = *in; |
| 1075 | inf &= 1; |
| 1076 | /* |
| 1077 | * If no buffer and not indefinite length constructed just pass over the |
| 1078 | * encoded data |
| 1079 | */ |
| 1080 | if (!buf && !inf) { |
| 1081 | *in += len; |
| 1082 | return 1; |
| 1083 | } |
| 1084 | while (len > 0) { |
| 1085 | q = p; |
| 1086 | /* Check for EOC */ |
| 1087 | if (asn1_check_eoc(&p, len)) { |
| 1088 | /* |
| 1089 | * EOC is illegal outside indefinite length constructed form |
| 1090 | */ |
| 1091 | if (!inf) { |
| 1092 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); |
| 1093 | return 0; |
| 1094 | } |
| 1095 | inf = 0; |
| 1096 | break; |
| 1097 | } |
| 1098 | |
| 1099 | if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, |
| 1100 | len, tag, aclass, 0, NULL)) { |
| 1101 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); |
| 1102 | return 0; |
| 1103 | } |
| 1104 | |
| 1105 | /* If indefinite length constructed update max length */ |
| 1106 | if (cst) { |
| 1107 | if (depth >= ASN1_MAX_STRING_NEST) { |
| 1108 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_STRING); |
| 1109 | return 0; |
| 1110 | } |
| 1111 | if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, depth + 1)) |
| 1112 | return 0; |
| 1113 | } else if (plen && !collect_data(buf, &p, plen)) |
| 1114 | return 0; |
| 1115 | len -= p - q; |
| 1116 | } |
| 1117 | if (inf) { |
| 1118 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); |
| 1119 | return 0; |
| 1120 | } |
| 1121 | *in = p; |
| 1122 | return 1; |
| 1123 | } |
| 1124 | |
| 1125 | static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) |
| 1126 | { |
| 1127 | int len; |
| 1128 | if (buf) { |
| 1129 | len = buf->length; |
| 1130 | if (!BUF_MEM_grow_clean(buf, len + plen)) { |
| 1131 | OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); |
| 1132 | return 0; |
| 1133 | } |
| 1134 | OPENSSL_memcpy(buf->data + len, *p, plen); |
| 1135 | } |
| 1136 | *p += plen; |
| 1137 | return 1; |
| 1138 | } |
| 1139 | |
| 1140 | /* Check for ASN1 EOC and swallow it if found */ |
| 1141 | |
| 1142 | static int asn1_check_eoc(const unsigned char **in, long len) |
| 1143 | { |
| 1144 | const unsigned char *p; |
| 1145 | if (len < 2) |
| 1146 | return 0; |
| 1147 | p = *in; |
| 1148 | if (!p[0] && !p[1]) { |
| 1149 | *in += 2; |
| 1150 | return 1; |
| 1151 | } |
| 1152 | return 0; |
| 1153 | } |
| 1154 | |
| 1155 | /* |
| 1156 | * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the |
| 1157 | * length for indefinite length constructed form, we don't know the exact |
| 1158 | * length but we can set an upper bound to the amount of data available minus |
| 1159 | * the header length just read. |
| 1160 | */ |
| 1161 | |
| 1162 | static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, |
| 1163 | char *inf, char *cst, |
| 1164 | const unsigned char **in, long len, |
| 1165 | int exptag, int expclass, char opt, ASN1_TLC *ctx) |
| 1166 | { |
| 1167 | int i; |
| 1168 | int ptag, pclass; |
| 1169 | long plen; |
| 1170 | const unsigned char *p, *q; |
| 1171 | p = *in; |
| 1172 | q = p; |
| 1173 | |
| 1174 | if (ctx && ctx->valid) { |
| 1175 | i = ctx->ret; |
| 1176 | plen = ctx->plen; |
| 1177 | pclass = ctx->pclass; |
| 1178 | ptag = ctx->ptag; |
| 1179 | p += ctx->hdrlen; |
| 1180 | } else { |
| 1181 | i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); |
| 1182 | if (ctx) { |
| 1183 | ctx->ret = i; |
| 1184 | ctx->plen = plen; |
| 1185 | ctx->pclass = pclass; |
| 1186 | ctx->ptag = ptag; |
| 1187 | ctx->hdrlen = p - q; |
| 1188 | ctx->valid = 1; |
| 1189 | /* |
| 1190 | * If definite length, and no error, length + header can't exceed |
| 1191 | * total amount of data available. |
| 1192 | */ |
| 1193 | if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) { |
| 1194 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG); |
| 1195 | asn1_tlc_clear(ctx); |
| 1196 | return 0; |
| 1197 | } |
| 1198 | } |
| 1199 | } |
| 1200 | |
| 1201 | if (i & 0x80) { |
| 1202 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER); |
| 1203 | asn1_tlc_clear(ctx); |
| 1204 | return 0; |
| 1205 | } |
| 1206 | if (exptag >= 0) { |
| 1207 | if ((exptag != ptag) || (expclass != pclass)) { |
| 1208 | /* |
| 1209 | * If type is OPTIONAL, not an error: indicate missing type. |
| 1210 | */ |
| 1211 | if (opt) |
| 1212 | return -1; |
| 1213 | asn1_tlc_clear(ctx); |
| 1214 | OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TAG); |
| 1215 | return 0; |
| 1216 | } |
| 1217 | /* |
| 1218 | * We have a tag and class match: assume we are going to do something |
| 1219 | * with it |
| 1220 | */ |
| 1221 | asn1_tlc_clear(ctx); |
| 1222 | } |
| 1223 | |
| 1224 | if (i & 1) |
| 1225 | plen = len - (p - q); |
| 1226 | |
| 1227 | if (inf) |
| 1228 | *inf = i & 1; |
| 1229 | |
| 1230 | if (cst) |
| 1231 | *cst = i & V_ASN1_CONSTRUCTED; |
| 1232 | |
| 1233 | if (olen) |
| 1234 | *olen = plen; |
| 1235 | |
| 1236 | if (oclass) |
| 1237 | *oclass = pclass; |
| 1238 | |
| 1239 | if (otag) |
| 1240 | *otag = ptag; |
| 1241 | |
| 1242 | *in = p; |
| 1243 | return 1; |
| 1244 | } |
| 1245 |
Generated on 2020-Aug-16 from project engine revision 1.21
Powered by 
Code Browser 2.1
Generator usage only permitted with license.