1 /* tasn_dec.c */ 2 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 3 * project 2000. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing (at) OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay (at) cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh (at) cryptsoft.com). 56 * 57 */ 58 59 60 #include <stddef.h> 61 #include <string.h> 62 #include <openssl/asn1.h> 63 #include <openssl/asn1t.h> 64 #include <openssl/objects.h> 65 #include <openssl/buffer.h> 66 #include <openssl/err.h> 67 68 static int asn1_check_eoc(const unsigned char **in, long len); 69 static int asn1_find_end(const unsigned char **in, long len, char inf); 70 71 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 72 char inf, int tag, int aclass, int depth); 73 74 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); 75 76 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 77 char *inf, char *cst, 78 const unsigned char **in, long len, 79 int exptag, int expclass, char opt, 80 ASN1_TLC *ctx); 81 82 static int asn1_template_ex_d2i(ASN1_VALUE **pval, 83 const unsigned char **in, long len, 84 const ASN1_TEMPLATE *tt, char opt, 85 ASN1_TLC *ctx); 86 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 87 const unsigned char **in, long len, 88 const ASN1_TEMPLATE *tt, char opt, 89 ASN1_TLC *ctx); 90 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 91 const unsigned char **in, long len, 92 const ASN1_ITEM *it, 93 int tag, int aclass, char opt, ASN1_TLC *ctx); 94 95 /* Table to convert tags to bit values, used for MSTRING type */ 96 static const unsigned long tag2bit[32] = { 97 0, 0, 0, B_ASN1_BIT_STRING, /* tags 0 - 3 */ 98 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,/* tags 4- 7 */ 99 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags 8-11 */ 100 B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */ 101 B_ASN1_SEQUENCE,0,B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */ 102 B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING, /* tags 20-22 */ 103 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 23-24 */ 104 B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING, /* tags 25-27 */ 105 B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */ 106 }; 107 108 unsigned long ASN1_tag2bit(int tag) 109 { 110 if ((tag < 0) || (tag > 30)) return 0; 111 return tag2bit[tag]; 112 } 113 114 /* Macro to initialize and invalidate the cache */ 115 116 #define asn1_tlc_clear(c) if (c) (c)->valid = 0 117 118 /* Decode an ASN1 item, this currently behaves just 119 * like a standard 'd2i' function. 'in' points to 120 * a buffer to read the data from, in future we will 121 * have more advanced versions that can input data 122 * a piece at a time and this will simply be a special 123 * case. 124 */ 125 126 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, 127 const unsigned char **in, long len, const ASN1_ITEM *it) 128 { 129 ASN1_TLC c; 130 ASN1_VALUE *ptmpval = NULL; 131 if (!pval) 132 pval = &ptmpval; 133 c.valid = 0; 134 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 135 return *pval; 136 return NULL; 137 } 138 139 int ASN1_template_d2i(ASN1_VALUE **pval, 140 const unsigned char **in, long len, const ASN1_TEMPLATE *tt) 141 { 142 ASN1_TLC c; 143 c.valid = 0; 144 return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); 145 } 146 147 148 /* Decode an item, taking care of IMPLICIT tagging, if any. 149 * If 'opt' set and tag mismatch return -1 to handle OPTIONAL 150 */ 151 152 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 153 const ASN1_ITEM *it, 154 int tag, int aclass, char opt, ASN1_TLC *ctx) 155 { 156 const ASN1_TEMPLATE *tt, *errtt = NULL; 157 const ASN1_COMPAT_FUNCS *cf; 158 const ASN1_EXTERN_FUNCS *ef; 159 const ASN1_AUX *aux = it->funcs; 160 ASN1_aux_cb *asn1_cb; 161 const unsigned char *p = NULL, *q; 162 unsigned char *wp=NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ 163 unsigned char imphack = 0, oclass; 164 char seq_eoc, seq_nolen, cst, isopt; 165 long tmplen; 166 int i; 167 int otag; 168 int ret = 0; 169 ASN1_VALUE *pchval, **pchptr, *ptmpval; 170 if (!pval) 171 return 0; 172 if (aux && aux->asn1_cb) 173 asn1_cb = aux->asn1_cb; 174 else asn1_cb = 0; 175 176 switch(it->itype) 177 { 178 case ASN1_ITYPE_PRIMITIVE: 179 if (it->templates) 180 { 181 /* tagging or OPTIONAL is currently illegal on an item 182 * template because the flags can't get passed down. 183 * In practice this isn't a problem: we include the 184 * relevant flags from the item template in the 185 * template itself. 186 */ 187 if ((tag != -1) || opt) 188 { 189 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 190 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); 191 goto err; 192 } 193 return asn1_template_ex_d2i(pval, in, len, 194 it->templates, opt, ctx); 195 } 196 return asn1_d2i_ex_primitive(pval, in, len, it, 197 tag, aclass, opt, ctx); 198 break; 199 200 case ASN1_ITYPE_MSTRING: 201 p = *in; 202 /* Just read in tag and class */ 203 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, 204 &p, len, -1, 0, 1, ctx); 205 if (!ret) 206 { 207 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 208 ERR_R_NESTED_ASN1_ERROR); 209 goto err; 210 } 211 212 /* Must be UNIVERSAL class */ 213 if (oclass != V_ASN1_UNIVERSAL) 214 { 215 /* If OPTIONAL, assume this is OK */ 216 if (opt) return -1; 217 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 218 ASN1_R_MSTRING_NOT_UNIVERSAL); 219 goto err; 220 } 221 /* Check tag matches bit map */ 222 if (!(ASN1_tag2bit(otag) & it->utype)) 223 { 224 /* If OPTIONAL, assume this is OK */ 225 if (opt) 226 return -1; 227 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 228 ASN1_R_MSTRING_WRONG_TAG); 229 goto err; 230 } 231 return asn1_d2i_ex_primitive(pval, in, len, 232 it, otag, 0, 0, ctx); 233 234 case ASN1_ITYPE_EXTERN: 235 /* Use new style d2i */ 236 ef = it->funcs; 237 return ef->asn1_ex_d2i(pval, in, len, 238 it, tag, aclass, opt, ctx); 239 240 case ASN1_ITYPE_COMPAT: 241 /* we must resort to old style evil hackery */ 242 cf = it->funcs; 243 244 /* If OPTIONAL see if it is there */ 245 if (opt) 246 { 247 int exptag; 248 p = *in; 249 if (tag == -1) 250 exptag = it->utype; 251 else exptag = tag; 252 /* Don't care about anything other than presence 253 * of expected tag */ 254 255 ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, 256 &p, len, exptag, aclass, 1, ctx); 257 if (!ret) 258 { 259 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 260 ERR_R_NESTED_ASN1_ERROR); 261 goto err; 262 } 263 if (ret == -1) 264 return -1; 265 } 266 267 /* This is the old style evil hack IMPLICIT handling: 268 * since the underlying code is expecting a tag and 269 * class other than the one present we change the 270 * buffer temporarily then change it back afterwards. 271 * This doesn't and never did work for tags > 30. 272 * 273 * Yes this is *horrible* but it is only needed for 274 * old style d2i which will hopefully not be around 275 * for much longer. 276 * FIXME: should copy the buffer then modify it so 277 * the input buffer can be const: we should *always* 278 * copy because the old style d2i might modify the 279 * buffer. 280 */ 281 282 if (tag != -1) 283 { 284 wp = *(unsigned char **)in; 285 imphack = *wp; 286 if (p == NULL) 287 { 288 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 289 ERR_R_NESTED_ASN1_ERROR); 290 goto err; 291 } 292 *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) 293 | it->utype); 294 } 295 296 ptmpval = cf->asn1_d2i(pval, in, len); 297 298 if (tag != -1) 299 *wp = imphack; 300 301 if (ptmpval) 302 return 1; 303 304 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 305 goto err; 306 307 308 case ASN1_ITYPE_CHOICE: 309 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it)) 310 goto auxerr; 311 312 /* Allocate structure */ 313 if (!*pval && !ASN1_item_ex_new(pval, it)) 314 { 315 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 316 ERR_R_NESTED_ASN1_ERROR); 317 goto err; 318 } 319 /* CHOICE type, try each possibility in turn */ 320 pchval = NULL; 321 p = *in; 322 for (i = 0, tt=it->templates; i < it->tcount; i++, tt++) 323 { 324 pchptr = asn1_get_field_ptr(pval, tt); 325 /* We mark field as OPTIONAL so its absence 326 * can be recognised. 327 */ 328 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); 329 /* If field not present, try the next one */ 330 if (ret == -1) 331 continue; 332 /* If positive return, read OK, break loop */ 333 if (ret > 0) 334 break; 335 /* Otherwise must be an ASN1 parsing error */ 336 errtt = tt; 337 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 338 ERR_R_NESTED_ASN1_ERROR); 339 goto err; 340 } 341 342 /* Did we fall off the end without reading anything? */ 343 if (i == it->tcount) 344 { 345 /* If OPTIONAL, this is OK */ 346 if (opt) 347 { 348 /* Free and zero it */ 349 ASN1_item_ex_free(pval, it); 350 return -1; 351 } 352 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 353 ASN1_R_NO_MATCHING_CHOICE_TYPE); 354 goto err; 355 } 356 357 asn1_set_choice_selector(pval, i, it); 358 *in = p; 359 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it)) 360 goto auxerr; 361 return 1; 362 363 case ASN1_ITYPE_NDEF_SEQUENCE: 364 case ASN1_ITYPE_SEQUENCE: 365 p = *in; 366 tmplen = len; 367 368 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ 369 if (tag == -1) 370 { 371 tag = V_ASN1_SEQUENCE; 372 aclass = V_ASN1_UNIVERSAL; 373 } 374 /* Get SEQUENCE length and update len, p */ 375 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, 376 &p, len, tag, aclass, opt, ctx); 377 if (!ret) 378 { 379 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 380 ERR_R_NESTED_ASN1_ERROR); 381 goto err; 382 } 383 else if (ret == -1) 384 return -1; 385 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) 386 { 387 len = tmplen - (p - *in); 388 seq_nolen = 1; 389 } 390 /* If indefinite we don't do a length check */ 391 else seq_nolen = seq_eoc; 392 if (!cst) 393 { 394 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 395 ASN1_R_SEQUENCE_NOT_CONSTRUCTED); 396 goto err; 397 } 398 399 if (!*pval && !ASN1_item_ex_new(pval, it)) 400 { 401 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 402 ERR_R_NESTED_ASN1_ERROR); 403 goto err; 404 } 405 406 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it)) 407 goto auxerr; 408 409 /* Get each field entry */ 410 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) 411 { 412 const ASN1_TEMPLATE *seqtt; 413 ASN1_VALUE **pseqval; 414 seqtt = asn1_do_adb(pval, tt, 1); 415 if (!seqtt) 416 goto err; 417 pseqval = asn1_get_field_ptr(pval, seqtt); 418 /* Have we ran out of data? */ 419 if (!len) 420 break; 421 q = p; 422 if (asn1_check_eoc(&p, len)) 423 { 424 if (!seq_eoc) 425 { 426 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 427 ASN1_R_UNEXPECTED_EOC); 428 goto err; 429 } 430 len -= p - q; 431 seq_eoc = 0; 432 q = p; 433 break; 434 } 435 /* This determines the OPTIONAL flag value. The field 436 * cannot be omitted if it is the last of a SEQUENCE 437 * and there is still data to be read. This isn't 438 * strictly necessary but it increases efficiency in 439 * some cases. 440 */ 441 if (i == (it->tcount - 1)) 442 isopt = 0; 443 else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); 444 /* attempt to read in field, allowing each to be 445 * OPTIONAL */ 446 447 ret = asn1_template_ex_d2i(pseqval, &p, len, 448 seqtt, isopt, ctx); 449 if (!ret) 450 { 451 errtt = seqtt; 452 goto err; 453 } 454 else if (ret == -1) 455 { 456 /* OPTIONAL component absent. 457 * Free and zero the field. 458 */ 459 ASN1_template_free(pseqval, seqtt); 460 continue; 461 } 462 /* Update length */ 463 len -= p - q; 464 } 465 466 /* Check for EOC if expecting one */ 467 if (seq_eoc && !asn1_check_eoc(&p, len)) 468 { 469 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC); 470 goto err; 471 } 472 /* Check all data read */ 473 if (!seq_nolen && len) 474 { 475 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 476 ASN1_R_SEQUENCE_LENGTH_MISMATCH); 477 goto err; 478 } 479 480 /* If we get here we've got no more data in the SEQUENCE, 481 * however we may not have read all fields so check all 482 * remaining are OPTIONAL and clear any that are. 483 */ 484 for (; i < it->tcount; tt++, i++) 485 { 486 const ASN1_TEMPLATE *seqtt; 487 seqtt = asn1_do_adb(pval, tt, 1); 488 if (!seqtt) 489 goto err; 490 if (seqtt->flags & ASN1_TFLG_OPTIONAL) 491 { 492 ASN1_VALUE **pseqval; 493 pseqval = asn1_get_field_ptr(pval, seqtt); 494 ASN1_template_free(pseqval, seqtt); 495 } 496 else 497 { 498 errtt = seqtt; 499 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 500 ASN1_R_FIELD_MISSING); 501 goto err; 502 } 503 } 504 /* Save encoding */ 505 if (!asn1_enc_save(pval, *in, p - *in, it)) 506 goto auxerr; 507 *in = p; 508 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it)) 509 goto auxerr; 510 return 1; 511 512 default: 513 return 0; 514 } 515 auxerr: 516 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); 517 err: 518 ASN1_item_ex_free(pval, it); 519 if (errtt) 520 ERR_add_error_data(4, "Field=", errtt->field_name, 521 ", Type=", it->sname); 522 else 523 ERR_add_error_data(2, "Type=", it->sname); 524 return 0; 525 } 526 527 /* Templates are handled with two separate functions. 528 * One handles any EXPLICIT tag and the other handles the rest. 529 */ 530 531 static int asn1_template_ex_d2i(ASN1_VALUE **val, 532 const unsigned char **in, long inlen, 533 const ASN1_TEMPLATE *tt, char opt, 534 ASN1_TLC *ctx) 535 { 536 int flags, aclass; 537 int ret; 538 long len; 539 const unsigned char *p, *q; 540 char exp_eoc; 541 if (!val) 542 return 0; 543 flags = tt->flags; 544 aclass = flags & ASN1_TFLG_TAG_CLASS; 545 546 p = *in; 547 548 /* Check if EXPLICIT tag expected */ 549 if (flags & ASN1_TFLG_EXPTAG) 550 { 551 char cst; 552 /* Need to work out amount of data available to the inner 553 * content and where it starts: so read in EXPLICIT header to 554 * get the info. 555 */ 556 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, 557 &p, inlen, tt->tag, aclass, opt, ctx); 558 q = p; 559 if (!ret) 560 { 561 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 562 ERR_R_NESTED_ASN1_ERROR); 563 return 0; 564 } 565 else if (ret == -1) 566 return -1; 567 if (!cst) 568 { 569 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 570 ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); 571 return 0; 572 } 573 /* We've found the field so it can't be OPTIONAL now */ 574 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); 575 if (!ret) 576 { 577 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 578 ERR_R_NESTED_ASN1_ERROR); 579 return 0; 580 } 581 /* We read the field in OK so update length */ 582 len -= p - q; 583 if (exp_eoc) 584 { 585 /* If NDEF we must have an EOC here */ 586 if (!asn1_check_eoc(&p, len)) 587 { 588 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 589 ASN1_R_MISSING_EOC); 590 goto err; 591 } 592 } 593 else 594 { 595 /* Otherwise we must hit the EXPLICIT tag end or its 596 * an error */ 597 if (len) 598 { 599 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 600 ASN1_R_EXPLICIT_LENGTH_MISMATCH); 601 goto err; 602 } 603 } 604 } 605 else 606 return asn1_template_noexp_d2i(val, in, inlen, 607 tt, opt, ctx); 608 609 *in = p; 610 return 1; 611 612 err: 613 ASN1_template_free(val, tt); 614 return 0; 615 } 616 617 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 618 const unsigned char **in, long len, 619 const ASN1_TEMPLATE *tt, char opt, 620 ASN1_TLC *ctx) 621 { 622 int flags, aclass; 623 int ret; 624 const unsigned char *p, *q; 625 if (!val) 626 return 0; 627 flags = tt->flags; 628 aclass = flags & ASN1_TFLG_TAG_CLASS; 629 630 p = *in; 631 q = p; 632 633 if (flags & ASN1_TFLG_SK_MASK) 634 { 635 /* SET OF, SEQUENCE OF */ 636 int sktag, skaclass; 637 char sk_eoc; 638 /* First work out expected inner tag value */ 639 if (flags & ASN1_TFLG_IMPTAG) 640 { 641 sktag = tt->tag; 642 skaclass = aclass; 643 } 644 else 645 { 646 skaclass = V_ASN1_UNIVERSAL; 647 if (flags & ASN1_TFLG_SET_OF) 648 sktag = V_ASN1_SET; 649 else 650 sktag = V_ASN1_SEQUENCE; 651 } 652 /* Get the tag */ 653 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, 654 &p, len, sktag, skaclass, opt, ctx); 655 if (!ret) 656 { 657 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 658 ERR_R_NESTED_ASN1_ERROR); 659 return 0; 660 } 661 else if (ret == -1) 662 return -1; 663 if (!*val) 664 *val = (ASN1_VALUE *)sk_new_null(); 665 else 666 { 667 /* We've got a valid STACK: free up any items present */ 668 STACK *sktmp = (STACK *)*val; 669 ASN1_VALUE *vtmp; 670 while(sk_num(sktmp) > 0) 671 { 672 vtmp = (ASN1_VALUE *)sk_pop(sktmp); 673 ASN1_item_ex_free(&vtmp, 674 ASN1_ITEM_ptr(tt->item)); 675 } 676 } 677 678 if (!*val) 679 { 680 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 681 ERR_R_MALLOC_FAILURE); 682 goto err; 683 } 684 685 /* Read as many items as we can */ 686 while(len > 0) 687 { 688 ASN1_VALUE *skfield; 689 q = p; 690 /* See if EOC found */ 691 if (asn1_check_eoc(&p, len)) 692 { 693 if (!sk_eoc) 694 { 695 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 696 ASN1_R_UNEXPECTED_EOC); 697 goto err; 698 } 699 len -= p - q; 700 sk_eoc = 0; 701 break; 702 } 703 skfield = NULL; 704 if (!ASN1_item_ex_d2i(&skfield, &p, len, 705 ASN1_ITEM_ptr(tt->item), 706 -1, 0, 0, ctx)) 707 { 708 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 709 ERR_R_NESTED_ASN1_ERROR); 710 goto err; 711 } 712 len -= p - q; 713 if (!sk_push((STACK *)*val, (char *)skfield)) 714 { 715 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 716 ERR_R_MALLOC_FAILURE); 717 goto err; 718 } 719 } 720 if (sk_eoc) 721 { 722 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC); 723 goto err; 724 } 725 } 726 else if (flags & ASN1_TFLG_IMPTAG) 727 { 728 /* IMPLICIT tagging */ 729 ret = ASN1_item_ex_d2i(val, &p, len, 730 ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); 731 if (!ret) 732 { 733 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 734 ERR_R_NESTED_ASN1_ERROR); 735 goto err; 736 } 737 else if (ret == -1) 738 return -1; 739 } 740 else 741 { 742 /* Nothing special */ 743 ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), 744 -1, 0, opt, ctx); 745 if (!ret) 746 { 747 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 748 ERR_R_NESTED_ASN1_ERROR); 749 goto err; 750 } 751 else if (ret == -1) 752 return -1; 753 } 754 755 *in = p; 756 return 1; 757 758 err: 759 ASN1_template_free(val, tt); 760 return 0; 761 } 762 763 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 764 const unsigned char **in, long inlen, 765 const ASN1_ITEM *it, 766 int tag, int aclass, char opt, ASN1_TLC *ctx) 767 { 768 int ret = 0, utype; 769 long plen; 770 char cst, inf, free_cont = 0; 771 const unsigned char *p; 772 BUF_MEM buf; 773 const unsigned char *cont = NULL; 774 long len; 775 if (!pval) 776 { 777 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL); 778 return 0; /* Should never happen */ 779 } 780 781 if (it->itype == ASN1_ITYPE_MSTRING) 782 { 783 utype = tag; 784 tag = -1; 785 } 786 else 787 utype = it->utype; 788 789 if (utype == V_ASN1_ANY) 790 { 791 /* If type is ANY need to figure out type from tag */ 792 unsigned char oclass; 793 if (tag >= 0) 794 { 795 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 796 ASN1_R_ILLEGAL_TAGGED_ANY); 797 return 0; 798 } 799 if (opt) 800 { 801 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 802 ASN1_R_ILLEGAL_OPTIONAL_ANY); 803 return 0; 804 } 805 p = *in; 806 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, 807 &p, inlen, -1, 0, 0, ctx); 808 if (!ret) 809 { 810 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 811 ERR_R_NESTED_ASN1_ERROR); 812 return 0; 813 } 814 if (oclass != V_ASN1_UNIVERSAL) 815 utype = V_ASN1_OTHER; 816 } 817 if (tag == -1) 818 { 819 tag = utype; 820 aclass = V_ASN1_UNIVERSAL; 821 } 822 p = *in; 823 /* Check header */ 824 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, 825 &p, inlen, tag, aclass, opt, ctx); 826 if (!ret) 827 { 828 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); 829 return 0; 830 } 831 else if (ret == -1) 832 return -1; 833 ret = 0; 834 /* SEQUENCE, SET and "OTHER" are left in encoded form */ 835 if ((utype == V_ASN1_SEQUENCE) 836 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) 837 { 838 /* Clear context cache for type OTHER because the auto clear 839 * when we have a exact match wont work 840 */ 841 if (utype == V_ASN1_OTHER) 842 { 843 asn1_tlc_clear(ctx); 844 } 845 /* SEQUENCE and SET must be constructed */ 846 else if (!cst) 847 { 848 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 849 ASN1_R_TYPE_NOT_CONSTRUCTED); 850 return 0; 851 } 852 853 cont = *in; 854 /* If indefinite length constructed find the real end */ 855 if (inf) 856 { 857 if (!asn1_find_end(&p, plen, inf)) 858 goto err; 859 len = p - cont; 860 } 861 else 862 { 863 len = p - cont + plen; 864 p += plen; 865 buf.data = NULL; 866 } 867 } 868 else if (cst) 869 { 870 buf.length = 0; 871 buf.max = 0; 872 buf.data = NULL; 873 /* Should really check the internal tags are correct but 874 * some things may get this wrong. The relevant specs 875 * say that constructed string types should be OCTET STRINGs 876 * internally irrespective of the type. So instead just check 877 * for UNIVERSAL class and ignore the tag. 878 */ 879 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) 880 { 881 free_cont = 1; 882 goto err; 883 } 884 len = buf.length; 885 /* Append a final null to string */ 886 if (!BUF_MEM_grow_clean(&buf, len + 1)) 887 { 888 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 889 ERR_R_MALLOC_FAILURE); 890 return 0; 891 } 892 buf.data[len] = 0; 893 cont = (const unsigned char *)buf.data; 894 free_cont = 1; 895 } 896 else 897 { 898 cont = p; 899 len = plen; 900 p += plen; 901 } 902 903 /* We now have content length and type: translate into a structure */ 904 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) 905 goto err; 906 907 *in = p; 908 ret = 1; 909 err: 910 if (free_cont && buf.data) OPENSSL_free(buf.data); 911 return ret; 912 } 913 914 /* Translate ASN1 content octets into a structure */ 915 916 int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, 917 int utype, char *free_cont, const ASN1_ITEM *it) 918 { 919 ASN1_VALUE **opval = NULL; 920 ASN1_STRING *stmp; 921 ASN1_TYPE *typ = NULL; 922 int ret = 0; 923 const ASN1_PRIMITIVE_FUNCS *pf; 924 ASN1_INTEGER **tint; 925 pf = it->funcs; 926 927 if (pf && pf->prim_c2i) 928 return pf->prim_c2i(pval, cont, len, utype, free_cont, it); 929 /* If ANY type clear type and set pointer to internal value */ 930 if (it->utype == V_ASN1_ANY) 931 { 932 if (!*pval) 933 { 934 typ = ASN1_TYPE_new(); 935 if (typ == NULL) 936 goto err; 937 *pval = (ASN1_VALUE *)typ; 938 } 939 else 940 typ = (ASN1_TYPE *)*pval; 941 942 if (utype != typ->type) 943 ASN1_TYPE_set(typ, utype, NULL); 944 opval = pval; 945 pval = &typ->value.asn1_value; 946 } 947 switch(utype) 948 { 949 case V_ASN1_OBJECT: 950 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) 951 goto err; 952 break; 953 954 case V_ASN1_NULL: 955 if (len) 956 { 957 ASN1err(ASN1_F_ASN1_EX_C2I, 958 ASN1_R_NULL_IS_WRONG_LENGTH); 959 goto err; 960 } 961 *pval = (ASN1_VALUE *)1; 962 break; 963 964 case V_ASN1_BOOLEAN: 965 if (len != 1) 966 { 967 ASN1err(ASN1_F_ASN1_EX_C2I, 968 ASN1_R_BOOLEAN_IS_WRONG_LENGTH); 969 goto err; 970 } 971 else 972 { 973 ASN1_BOOLEAN *tbool; 974 tbool = (ASN1_BOOLEAN *)pval; 975 *tbool = *cont; 976 } 977 break; 978 979 case V_ASN1_BIT_STRING: 980 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) 981 goto err; 982 break; 983 984 case V_ASN1_INTEGER: 985 case V_ASN1_NEG_INTEGER: 986 case V_ASN1_ENUMERATED: 987 case V_ASN1_NEG_ENUMERATED: 988 tint = (ASN1_INTEGER **)pval; 989 if (!c2i_ASN1_INTEGER(tint, &cont, len)) 990 goto err; 991 /* Fixup type to match the expected form */ 992 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); 993 break; 994 995 case V_ASN1_OCTET_STRING: 996 case V_ASN1_NUMERICSTRING: 997 case V_ASN1_PRINTABLESTRING: 998 case V_ASN1_T61STRING: 999 case V_ASN1_VIDEOTEXSTRING: 1000 case V_ASN1_IA5STRING: 1001 case V_ASN1_UTCTIME: 1002 case V_ASN1_GENERALIZEDTIME: 1003 case V_ASN1_GRAPHICSTRING: 1004 case V_ASN1_VISIBLESTRING: 1005 case V_ASN1_GENERALSTRING: 1006 case V_ASN1_UNIVERSALSTRING: 1007 case V_ASN1_BMPSTRING: 1008 case V_ASN1_UTF8STRING: 1009 case V_ASN1_OTHER: 1010 case V_ASN1_SET: 1011 case V_ASN1_SEQUENCE: 1012 default: 1013 if (utype == V_ASN1_BMPSTRING && (len & 1)) 1014 { 1015 ASN1err(ASN1_F_ASN1_EX_C2I, 1016 ASN1_R_BMPSTRING_IS_WRONG_LENGTH); 1017 goto err; 1018 } 1019 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) 1020 { 1021 ASN1err(ASN1_F_ASN1_EX_C2I, 1022 ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); 1023 goto err; 1024 } 1025 /* All based on ASN1_STRING and handled the same */ 1026 if (!*pval) 1027 { 1028 stmp = ASN1_STRING_type_new(utype); 1029 if (!stmp) 1030 { 1031 ASN1err(ASN1_F_ASN1_EX_C2I, 1032 ERR_R_MALLOC_FAILURE); 1033 goto err; 1034 } 1035 *pval = (ASN1_VALUE *)stmp; 1036 } 1037 else 1038 { 1039 stmp = (ASN1_STRING *)*pval; 1040 stmp->type = utype; 1041 } 1042 /* If we've already allocated a buffer use it */ 1043 if (*free_cont) 1044 { 1045 if (stmp->data) 1046 OPENSSL_free(stmp->data); 1047 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ 1048 stmp->length = len; 1049 *free_cont = 0; 1050 } 1051 else 1052 { 1053 if (!ASN1_STRING_set(stmp, cont, len)) 1054 { 1055 ASN1err(ASN1_F_ASN1_EX_C2I, 1056 ERR_R_MALLOC_FAILURE); 1057 ASN1_STRING_free(stmp); 1058 *pval = NULL; 1059 goto err; 1060 } 1061 } 1062 break; 1063 } 1064 /* If ASN1_ANY and NULL type fix up value */ 1065 if (typ && (utype == V_ASN1_NULL)) 1066 typ->value.ptr = NULL; 1067 1068 ret = 1; 1069 err: 1070 if (!ret) 1071 { 1072 ASN1_TYPE_free(typ); 1073 if (opval) 1074 *opval = NULL; 1075 } 1076 return ret; 1077 } 1078 1079 1080 /* This function finds the end of an ASN1 structure when passed its maximum 1081 * length, whether it is indefinite length and a pointer to the content. 1082 * This is more efficient than calling asn1_collect because it does not 1083 * recurse on each indefinite length header. 1084 */ 1085 1086 static int asn1_find_end(const unsigned char **in, long len, char inf) 1087 { 1088 int expected_eoc; 1089 long plen; 1090 const unsigned char *p = *in, *q; 1091 /* If not indefinite length constructed just add length */ 1092 if (inf == 0) 1093 { 1094 *in += len; 1095 return 1; 1096 } 1097 expected_eoc = 1; 1098 /* Indefinite length constructed form. Find the end when enough EOCs 1099 * are found. If more indefinite length constructed headers 1100 * are encountered increment the expected eoc count otherwise just 1101 * skip to the end of the data. 1102 */ 1103 while (len > 0) 1104 { 1105 if(asn1_check_eoc(&p, len)) 1106 { 1107 expected_eoc--; 1108 if (expected_eoc == 0) 1109 break; 1110 len -= 2; 1111 continue; 1112 } 1113 q = p; 1114 /* Just read in a header: only care about the length */ 1115 if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, 1116 -1, 0, 0, NULL)) 1117 { 1118 ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR); 1119 return 0; 1120 } 1121 if (inf) 1122 expected_eoc++; 1123 else 1124 p += plen; 1125 len -= p - q; 1126 } 1127 if (expected_eoc) 1128 { 1129 ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC); 1130 return 0; 1131 } 1132 *in = p; 1133 return 1; 1134 } 1135 /* This function collects the asn1 data from a constructred string 1136 * type into a buffer. The values of 'in' and 'len' should refer 1137 * to the contents of the constructed type and 'inf' should be set 1138 * if it is indefinite length. 1139 */ 1140 1141 #ifndef ASN1_MAX_STRING_NEST 1142 /* This determines how many levels of recursion are permitted in ASN1 1143 * string types. If it is not limited stack overflows can occur. If set 1144 * to zero no recursion is allowed at all. Although zero should be adequate 1145 * examples exist that require a value of 1. So 5 should be more than enough. 1146 */ 1147 #define ASN1_MAX_STRING_NEST 5 1148 #endif 1149 1150 1151 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 1152 char inf, int tag, int aclass, int depth) 1153 { 1154 const unsigned char *p, *q; 1155 long plen; 1156 char cst, ininf; 1157 p = *in; 1158 inf &= 1; 1159 /* If no buffer and not indefinite length constructed just pass over 1160 * the encoded data */ 1161 if (!buf && !inf) 1162 { 1163 *in += len; 1164 return 1; 1165 } 1166 while(len > 0) 1167 { 1168 q = p; 1169 /* Check for EOC */ 1170 if (asn1_check_eoc(&p, len)) 1171 { 1172 /* EOC is illegal outside indefinite length 1173 * constructed form */ 1174 if (!inf) 1175 { 1176 ASN1err(ASN1_F_ASN1_COLLECT, 1177 ASN1_R_UNEXPECTED_EOC); 1178 return 0; 1179 } 1180 inf = 0; 1181 break; 1182 } 1183 1184 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, 1185 len, tag, aclass, 0, NULL)) 1186 { 1187 ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR); 1188 return 0; 1189 } 1190 1191 /* If indefinite length constructed update max length */ 1192 if (cst) 1193 { 1194 if (depth >= ASN1_MAX_STRING_NEST) 1195 { 1196 ASN1err(ASN1_F_ASN1_COLLECT, 1197 ASN1_R_NESTED_ASN1_STRING); 1198 return 0; 1199 } 1200 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, 1201 depth + 1)) 1202 return 0; 1203 } 1204 else if (plen && !collect_data(buf, &p, plen)) 1205 return 0; 1206 len -= p - q; 1207 } 1208 if (inf) 1209 { 1210 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC); 1211 return 0; 1212 } 1213 *in = p; 1214 return 1; 1215 } 1216 1217 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) 1218 { 1219 int len; 1220 if (buf) 1221 { 1222 len = buf->length; 1223 if (!BUF_MEM_grow_clean(buf, len + plen)) 1224 { 1225 ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE); 1226 return 0; 1227 } 1228 memcpy(buf->data + len, *p, plen); 1229 } 1230 *p += plen; 1231 return 1; 1232 } 1233 1234 /* Check for ASN1 EOC and swallow it if found */ 1235 1236 static int asn1_check_eoc(const unsigned char **in, long len) 1237 { 1238 const unsigned char *p; 1239 if (len < 2) return 0; 1240 p = *in; 1241 if (!p[0] && !p[1]) 1242 { 1243 *in += 2; 1244 return 1; 1245 } 1246 return 0; 1247 } 1248 1249 /* Check an ASN1 tag and length: a bit like ASN1_get_object 1250 * but it sets the length for indefinite length constructed 1251 * form, we don't know the exact length but we can set an 1252 * upper bound to the amount of data available minus the 1253 * header length just read. 1254 */ 1255 1256 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 1257 char *inf, char *cst, 1258 const unsigned char **in, long len, 1259 int exptag, int expclass, char opt, 1260 ASN1_TLC *ctx) 1261 { 1262 int i; 1263 int ptag, pclass; 1264 long plen; 1265 const unsigned char *p, *q; 1266 p = *in; 1267 q = p; 1268 1269 if (ctx && ctx->valid) 1270 { 1271 i = ctx->ret; 1272 plen = ctx->plen; 1273 pclass = ctx->pclass; 1274 ptag = ctx->ptag; 1275 p += ctx->hdrlen; 1276 } 1277 else 1278 { 1279 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); 1280 if (ctx) 1281 { 1282 ctx->ret = i; 1283 ctx->plen = plen; 1284 ctx->pclass = pclass; 1285 ctx->ptag = ptag; 1286 ctx->hdrlen = p - q; 1287 ctx->valid = 1; 1288 /* If definite length, and no error, length + 1289 * header can't exceed total amount of data available. 1290 */ 1291 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) 1292 { 1293 ASN1err(ASN1_F_ASN1_CHECK_TLEN, 1294 ASN1_R_TOO_LONG); 1295 asn1_tlc_clear(ctx); 1296 return 0; 1297 } 1298 } 1299 } 1300 1301 if (i & 0x80) 1302 { 1303 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER); 1304 asn1_tlc_clear(ctx); 1305 return 0; 1306 } 1307 if (exptag >= 0) 1308 { 1309 if ((exptag != ptag) || (expclass != pclass)) 1310 { 1311 /* If type is OPTIONAL, not an error: 1312 * indicate missing type. 1313 */ 1314 if (opt) return -1; 1315 asn1_tlc_clear(ctx); 1316 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG); 1317 return 0; 1318 } 1319 /* We have a tag and class match: 1320 * assume we are going to do something with it */ 1321 asn1_tlc_clear(ctx); 1322 } 1323 1324 if (i & 1) 1325 plen = len - (p - q); 1326 1327 if (inf) 1328 *inf = i & 1; 1329 1330 if (cst) 1331 *cst = i & V_ASN1_CONSTRUCTED; 1332 1333 if (olen) 1334 *olen = plen; 1335 1336 if (oclass) 1337 *oclass = pclass; 1338 1339 if (otag) 1340 *otag = ptag; 1341 1342 *in = p; 1343 return 1; 1344 } 1345
