1 /* tasn_dec.c */ 2 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 3 * project 2000. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing (at) OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay (at) cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh (at) cryptsoft.com). 56 * 57 */ 58 59 60 #include <stddef.h> 61 #include <string.h> 62 #include <openssl/asn1.h> 63 #include <openssl/asn1t.h> 64 #include <openssl/objects.h> 65 #include <openssl/buffer.h> 66 #include <openssl/err.h> 67 68 static int asn1_check_eoc(const unsigned char **in, long len); 69 static int asn1_find_end(const unsigned char **in, long len, char inf); 70 71 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 72 char inf, int tag, int aclass, int depth); 73 74 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); 75 76 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 77 char *inf, char *cst, 78 const unsigned char **in, long len, 79 int exptag, int expclass, char opt, 80 ASN1_TLC *ctx); 81 82 static int asn1_template_ex_d2i(ASN1_VALUE **pval, 83 const unsigned char **in, long len, 84 const ASN1_TEMPLATE *tt, char opt, 85 ASN1_TLC *ctx); 86 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 87 const unsigned char **in, long len, 88 const ASN1_TEMPLATE *tt, char opt, 89 ASN1_TLC *ctx); 90 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 91 const unsigned char **in, long len, 92 const ASN1_ITEM *it, 93 int tag, int aclass, char opt, ASN1_TLC *ctx); 94 95 /* Table to convert tags to bit values, used for MSTRING type */ 96 static const unsigned long tag2bit[32] = { 97 0, 0, 0, B_ASN1_BIT_STRING, /* tags 0 - 3 */ 98 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,/* tags 4- 7 */ 99 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags 8-11 */ 100 B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */ 101 B_ASN1_SEQUENCE,0,B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */ 102 B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING, /* tags 20-22 */ 103 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 23-24 */ 104 B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING, /* tags 25-27 */ 105 B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */ 106 }; 107 108 unsigned long ASN1_tag2bit(int tag) 109 { 110 if ((tag < 0) || (tag > 30)) return 0; 111 return tag2bit[tag]; 112 } 113 114 /* Macro to initialize and invalidate the cache */ 115 116 #define asn1_tlc_clear(c) if (c) (c)->valid = 0 117 /* Version to avoid compiler warning about 'c' always non-NULL */ 118 #define asn1_tlc_clear_nc(c) (c)->valid = 0 119 120 /* Decode an ASN1 item, this currently behaves just 121 * like a standard 'd2i' function. 'in' points to 122 * a buffer to read the data from, in future we will 123 * have more advanced versions that can input data 124 * a piece at a time and this will simply be a special 125 * case. 126 */ 127 128 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, 129 const unsigned char **in, long len, const ASN1_ITEM *it) 130 { 131 ASN1_TLC c; 132 ASN1_VALUE *ptmpval = NULL; 133 if (!pval) 134 pval = &ptmpval; 135 asn1_tlc_clear_nc(&c); 136 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 137 return *pval; 138 return NULL; 139 } 140 141 int ASN1_template_d2i(ASN1_VALUE **pval, 142 const unsigned char **in, long len, const ASN1_TEMPLATE *tt) 143 { 144 ASN1_TLC c; 145 asn1_tlc_clear_nc(&c); 146 return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); 147 } 148 149 150 /* Decode an item, taking care of IMPLICIT tagging, if any. 151 * If 'opt' set and tag mismatch return -1 to handle OPTIONAL 152 */ 153 154 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 155 const ASN1_ITEM *it, 156 int tag, int aclass, char opt, ASN1_TLC *ctx) 157 { 158 const ASN1_TEMPLATE *tt, *errtt = NULL; 159 const ASN1_COMPAT_FUNCS *cf; 160 const ASN1_EXTERN_FUNCS *ef; 161 const ASN1_AUX *aux = it->funcs; 162 ASN1_aux_cb *asn1_cb; 163 const unsigned char *p = NULL, *q; 164 unsigned char *wp=NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ 165 unsigned char imphack = 0, oclass; 166 char seq_eoc, seq_nolen, cst, isopt; 167 long tmplen; 168 int i; 169 int otag; 170 int ret = 0; 171 ASN1_VALUE *pchval, **pchptr, *ptmpval; 172 if (!pval) 173 return 0; 174 if (aux && aux->asn1_cb) 175 asn1_cb = aux->asn1_cb; 176 else asn1_cb = 0; 177 178 switch(it->itype) 179 { 180 case ASN1_ITYPE_PRIMITIVE: 181 if (it->templates) 182 { 183 /* tagging or OPTIONAL is currently illegal on an item 184 * template because the flags can't get passed down. 185 * In practice this isn't a problem: we include the 186 * relevant flags from the item template in the 187 * template itself. 188 */ 189 if ((tag != -1) || opt) 190 { 191 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 192 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); 193 goto err; 194 } 195 return asn1_template_ex_d2i(pval, in, len, 196 it->templates, opt, ctx); 197 } 198 return asn1_d2i_ex_primitive(pval, in, len, it, 199 tag, aclass, opt, ctx); 200 break; 201 202 case ASN1_ITYPE_MSTRING: 203 p = *in; 204 /* Just read in tag and class */ 205 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, 206 &p, len, -1, 0, 1, ctx); 207 if (!ret) 208 { 209 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 210 ERR_R_NESTED_ASN1_ERROR); 211 goto err; 212 } 213 214 /* Must be UNIVERSAL class */ 215 if (oclass != V_ASN1_UNIVERSAL) 216 { 217 /* If OPTIONAL, assume this is OK */ 218 if (opt) return -1; 219 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 220 ASN1_R_MSTRING_NOT_UNIVERSAL); 221 goto err; 222 } 223 /* Check tag matches bit map */ 224 if (!(ASN1_tag2bit(otag) & it->utype)) 225 { 226 /* If OPTIONAL, assume this is OK */ 227 if (opt) 228 return -1; 229 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 230 ASN1_R_MSTRING_WRONG_TAG); 231 goto err; 232 } 233 return asn1_d2i_ex_primitive(pval, in, len, 234 it, otag, 0, 0, ctx); 235 236 case ASN1_ITYPE_EXTERN: 237 /* Use new style d2i */ 238 ef = it->funcs; 239 return ef->asn1_ex_d2i(pval, in, len, 240 it, tag, aclass, opt, ctx); 241 242 case ASN1_ITYPE_COMPAT: 243 /* we must resort to old style evil hackery */ 244 cf = it->funcs; 245 246 /* If OPTIONAL see if it is there */ 247 if (opt) 248 { 249 int exptag; 250 p = *in; 251 if (tag == -1) 252 exptag = it->utype; 253 else exptag = tag; 254 /* Don't care about anything other than presence 255 * of expected tag */ 256 257 ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, 258 &p, len, exptag, aclass, 1, ctx); 259 if (!ret) 260 { 261 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 262 ERR_R_NESTED_ASN1_ERROR); 263 goto err; 264 } 265 if (ret == -1) 266 return -1; 267 } 268 269 /* This is the old style evil hack IMPLICIT handling: 270 * since the underlying code is expecting a tag and 271 * class other than the one present we change the 272 * buffer temporarily then change it back afterwards. 273 * This doesn't and never did work for tags > 30. 274 * 275 * Yes this is *horrible* but it is only needed for 276 * old style d2i which will hopefully not be around 277 * for much longer. 278 * FIXME: should copy the buffer then modify it so 279 * the input buffer can be const: we should *always* 280 * copy because the old style d2i might modify the 281 * buffer. 282 */ 283 284 if (tag != -1) 285 { 286 wp = *(unsigned char **)in; 287 imphack = *wp; 288 if (p == NULL) 289 { 290 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 291 ERR_R_NESTED_ASN1_ERROR); 292 goto err; 293 } 294 *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) 295 | it->utype); 296 } 297 298 ptmpval = cf->asn1_d2i(pval, in, len); 299 300 if (tag != -1) 301 *wp = imphack; 302 303 if (ptmpval) 304 return 1; 305 306 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 307 goto err; 308 309 310 case ASN1_ITYPE_CHOICE: 311 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) 312 goto auxerr; 313 314 /* Allocate structure */ 315 if (!*pval && !ASN1_item_ex_new(pval, it)) 316 { 317 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 318 ERR_R_NESTED_ASN1_ERROR); 319 goto err; 320 } 321 /* CHOICE type, try each possibility in turn */ 322 pchval = NULL; 323 p = *in; 324 for (i = 0, tt=it->templates; i < it->tcount; i++, tt++) 325 { 326 pchptr = asn1_get_field_ptr(pval, tt); 327 /* We mark field as OPTIONAL so its absence 328 * can be recognised. 329 */ 330 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); 331 /* If field not present, try the next one */ 332 if (ret == -1) 333 continue; 334 /* If positive return, read OK, break loop */ 335 if (ret > 0) 336 break; 337 /* Otherwise must be an ASN1 parsing error */ 338 errtt = tt; 339 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 340 ERR_R_NESTED_ASN1_ERROR); 341 goto err; 342 } 343 344 /* Did we fall off the end without reading anything? */ 345 if (i == it->tcount) 346 { 347 /* If OPTIONAL, this is OK */ 348 if (opt) 349 { 350 /* Free and zero it */ 351 ASN1_item_ex_free(pval, it); 352 return -1; 353 } 354 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 355 ASN1_R_NO_MATCHING_CHOICE_TYPE); 356 goto err; 357 } 358 359 asn1_set_choice_selector(pval, i, it); 360 *in = p; 361 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) 362 goto auxerr; 363 return 1; 364 365 case ASN1_ITYPE_NDEF_SEQUENCE: 366 case ASN1_ITYPE_SEQUENCE: 367 p = *in; 368 tmplen = len; 369 370 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ 371 if (tag == -1) 372 { 373 tag = V_ASN1_SEQUENCE; 374 aclass = V_ASN1_UNIVERSAL; 375 } 376 /* Get SEQUENCE length and update len, p */ 377 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, 378 &p, len, tag, aclass, opt, ctx); 379 if (!ret) 380 { 381 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 382 ERR_R_NESTED_ASN1_ERROR); 383 goto err; 384 } 385 else if (ret == -1) 386 return -1; 387 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) 388 { 389 len = tmplen - (p - *in); 390 seq_nolen = 1; 391 } 392 /* If indefinite we don't do a length check */ 393 else seq_nolen = seq_eoc; 394 if (!cst) 395 { 396 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 397 ASN1_R_SEQUENCE_NOT_CONSTRUCTED); 398 goto err; 399 } 400 401 if (!*pval && !ASN1_item_ex_new(pval, it)) 402 { 403 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 404 ERR_R_NESTED_ASN1_ERROR); 405 goto err; 406 } 407 408 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) 409 goto auxerr; 410 411 /* Get each field entry */ 412 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) 413 { 414 const ASN1_TEMPLATE *seqtt; 415 ASN1_VALUE **pseqval; 416 seqtt = asn1_do_adb(pval, tt, 1); 417 if (!seqtt) 418 goto err; 419 pseqval = asn1_get_field_ptr(pval, seqtt); 420 /* Have we ran out of data? */ 421 if (!len) 422 break; 423 q = p; 424 if (asn1_check_eoc(&p, len)) 425 { 426 if (!seq_eoc) 427 { 428 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 429 ASN1_R_UNEXPECTED_EOC); 430 goto err; 431 } 432 len -= p - q; 433 seq_eoc = 0; 434 q = p; 435 break; 436 } 437 /* This determines the OPTIONAL flag value. The field 438 * cannot be omitted if it is the last of a SEQUENCE 439 * and there is still data to be read. This isn't 440 * strictly necessary but it increases efficiency in 441 * some cases. 442 */ 443 if (i == (it->tcount - 1)) 444 isopt = 0; 445 else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); 446 /* attempt to read in field, allowing each to be 447 * OPTIONAL */ 448 449 ret = asn1_template_ex_d2i(pseqval, &p, len, 450 seqtt, isopt, ctx); 451 if (!ret) 452 { 453 errtt = seqtt; 454 goto err; 455 } 456 else if (ret == -1) 457 { 458 /* OPTIONAL component absent. 459 * Free and zero the field. 460 */ 461 ASN1_template_free(pseqval, seqtt); 462 continue; 463 } 464 /* Update length */ 465 len -= p - q; 466 } 467 468 /* Check for EOC if expecting one */ 469 if (seq_eoc && !asn1_check_eoc(&p, len)) 470 { 471 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC); 472 goto err; 473 } 474 /* Check all data read */ 475 if (!seq_nolen && len) 476 { 477 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 478 ASN1_R_SEQUENCE_LENGTH_MISMATCH); 479 goto err; 480 } 481 482 /* If we get here we've got no more data in the SEQUENCE, 483 * however we may not have read all fields so check all 484 * remaining are OPTIONAL and clear any that are. 485 */ 486 for (; i < it->tcount; tt++, i++) 487 { 488 const ASN1_TEMPLATE *seqtt; 489 seqtt = asn1_do_adb(pval, tt, 1); 490 if (!seqtt) 491 goto err; 492 if (seqtt->flags & ASN1_TFLG_OPTIONAL) 493 { 494 ASN1_VALUE **pseqval; 495 pseqval = asn1_get_field_ptr(pval, seqtt); 496 ASN1_template_free(pseqval, seqtt); 497 } 498 else 499 { 500 errtt = seqtt; 501 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 502 ASN1_R_FIELD_MISSING); 503 goto err; 504 } 505 } 506 /* Save encoding */ 507 if (!asn1_enc_save(pval, *in, p - *in, it)) 508 goto auxerr; 509 *in = p; 510 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) 511 goto auxerr; 512 return 1; 513 514 default: 515 return 0; 516 } 517 auxerr: 518 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); 519 err: 520 ASN1_item_ex_free(pval, it); 521 if (errtt) 522 ERR_add_error_data(4, "Field=", errtt->field_name, 523 ", Type=", it->sname); 524 else 525 ERR_add_error_data(2, "Type=", it->sname); 526 return 0; 527 } 528 529 /* Templates are handled with two separate functions. 530 * One handles any EXPLICIT tag and the other handles the rest. 531 */ 532 533 static int asn1_template_ex_d2i(ASN1_VALUE **val, 534 const unsigned char **in, long inlen, 535 const ASN1_TEMPLATE *tt, char opt, 536 ASN1_TLC *ctx) 537 { 538 int flags, aclass; 539 int ret; 540 long len; 541 const unsigned char *p, *q; 542 char exp_eoc; 543 if (!val) 544 return 0; 545 flags = tt->flags; 546 aclass = flags & ASN1_TFLG_TAG_CLASS; 547 548 p = *in; 549 550 /* Check if EXPLICIT tag expected */ 551 if (flags & ASN1_TFLG_EXPTAG) 552 { 553 char cst; 554 /* Need to work out amount of data available to the inner 555 * content and where it starts: so read in EXPLICIT header to 556 * get the info. 557 */ 558 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, 559 &p, inlen, tt->tag, aclass, opt, ctx); 560 q = p; 561 if (!ret) 562 { 563 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 564 ERR_R_NESTED_ASN1_ERROR); 565 return 0; 566 } 567 else if (ret == -1) 568 return -1; 569 if (!cst) 570 { 571 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 572 ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); 573 return 0; 574 } 575 /* We've found the field so it can't be OPTIONAL now */ 576 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); 577 if (!ret) 578 { 579 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 580 ERR_R_NESTED_ASN1_ERROR); 581 return 0; 582 } 583 /* We read the field in OK so update length */ 584 len -= p - q; 585 if (exp_eoc) 586 { 587 /* If NDEF we must have an EOC here */ 588 if (!asn1_check_eoc(&p, len)) 589 { 590 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 591 ASN1_R_MISSING_EOC); 592 goto err; 593 } 594 } 595 else 596 { 597 /* Otherwise we must hit the EXPLICIT tag end or its 598 * an error */ 599 if (len) 600 { 601 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 602 ASN1_R_EXPLICIT_LENGTH_MISMATCH); 603 goto err; 604 } 605 } 606 } 607 else 608 return asn1_template_noexp_d2i(val, in, inlen, 609 tt, opt, ctx); 610 611 *in = p; 612 return 1; 613 614 err: 615 ASN1_template_free(val, tt); 616 return 0; 617 } 618 619 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 620 const unsigned char **in, long len, 621 const ASN1_TEMPLATE *tt, char opt, 622 ASN1_TLC *ctx) 623 { 624 int flags, aclass; 625 int ret; 626 const unsigned char *p, *q; 627 if (!val) 628 return 0; 629 flags = tt->flags; 630 aclass = flags & ASN1_TFLG_TAG_CLASS; 631 632 p = *in; 633 q = p; 634 635 if (flags & ASN1_TFLG_SK_MASK) 636 { 637 /* SET OF, SEQUENCE OF */ 638 int sktag, skaclass; 639 char sk_eoc; 640 /* First work out expected inner tag value */ 641 if (flags & ASN1_TFLG_IMPTAG) 642 { 643 sktag = tt->tag; 644 skaclass = aclass; 645 } 646 else 647 { 648 skaclass = V_ASN1_UNIVERSAL; 649 if (flags & ASN1_TFLG_SET_OF) 650 sktag = V_ASN1_SET; 651 else 652 sktag = V_ASN1_SEQUENCE; 653 } 654 /* Get the tag */ 655 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, 656 &p, len, sktag, skaclass, opt, ctx); 657 if (!ret) 658 { 659 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 660 ERR_R_NESTED_ASN1_ERROR); 661 return 0; 662 } 663 else if (ret == -1) 664 return -1; 665 if (!*val) 666 *val = (ASN1_VALUE *)sk_new_null(); 667 else 668 { 669 /* We've got a valid STACK: free up any items present */ 670 STACK_OF(ASN1_VALUE) *sktmp 671 = (STACK_OF(ASN1_VALUE) *)*val; 672 ASN1_VALUE *vtmp; 673 while(sk_ASN1_VALUE_num(sktmp) > 0) 674 { 675 vtmp = sk_ASN1_VALUE_pop(sktmp); 676 ASN1_item_ex_free(&vtmp, 677 ASN1_ITEM_ptr(tt->item)); 678 } 679 } 680 681 if (!*val) 682 { 683 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 684 ERR_R_MALLOC_FAILURE); 685 goto err; 686 } 687 688 /* Read as many items as we can */ 689 while(len > 0) 690 { 691 ASN1_VALUE *skfield; 692 q = p; 693 /* See if EOC found */ 694 if (asn1_check_eoc(&p, len)) 695 { 696 if (!sk_eoc) 697 { 698 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 699 ASN1_R_UNEXPECTED_EOC); 700 goto err; 701 } 702 len -= p - q; 703 sk_eoc = 0; 704 break; 705 } 706 skfield = NULL; 707 if (!ASN1_item_ex_d2i(&skfield, &p, len, 708 ASN1_ITEM_ptr(tt->item), 709 -1, 0, 0, ctx)) 710 { 711 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 712 ERR_R_NESTED_ASN1_ERROR); 713 goto err; 714 } 715 len -= p - q; 716 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, 717 skfield)) 718 { 719 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 720 ERR_R_MALLOC_FAILURE); 721 goto err; 722 } 723 } 724 if (sk_eoc) 725 { 726 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC); 727 goto err; 728 } 729 } 730 else if (flags & ASN1_TFLG_IMPTAG) 731 { 732 /* IMPLICIT tagging */ 733 ret = ASN1_item_ex_d2i(val, &p, len, 734 ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); 735 if (!ret) 736 { 737 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 738 ERR_R_NESTED_ASN1_ERROR); 739 goto err; 740 } 741 else if (ret == -1) 742 return -1; 743 } 744 else 745 { 746 /* Nothing special */ 747 ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), 748 -1, 0, opt, ctx); 749 if (!ret) 750 { 751 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 752 ERR_R_NESTED_ASN1_ERROR); 753 goto err; 754 } 755 else if (ret == -1) 756 return -1; 757 } 758 759 *in = p; 760 return 1; 761 762 err: 763 ASN1_template_free(val, tt); 764 return 0; 765 } 766 767 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 768 const unsigned char **in, long inlen, 769 const ASN1_ITEM *it, 770 int tag, int aclass, char opt, ASN1_TLC *ctx) 771 { 772 int ret = 0, utype; 773 long plen; 774 char cst, inf, free_cont = 0; 775 const unsigned char *p; 776 BUF_MEM buf; 777 const unsigned char *cont = NULL; 778 long len; 779 if (!pval) 780 { 781 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL); 782 return 0; /* Should never happen */ 783 } 784 785 if (it->itype == ASN1_ITYPE_MSTRING) 786 { 787 utype = tag; 788 tag = -1; 789 } 790 else 791 utype = it->utype; 792 793 if (utype == V_ASN1_ANY) 794 { 795 /* If type is ANY need to figure out type from tag */ 796 unsigned char oclass; 797 if (tag >= 0) 798 { 799 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 800 ASN1_R_ILLEGAL_TAGGED_ANY); 801 return 0; 802 } 803 if (opt) 804 { 805 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 806 ASN1_R_ILLEGAL_OPTIONAL_ANY); 807 return 0; 808 } 809 p = *in; 810 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, 811 &p, inlen, -1, 0, 0, ctx); 812 if (!ret) 813 { 814 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 815 ERR_R_NESTED_ASN1_ERROR); 816 return 0; 817 } 818 if (oclass != V_ASN1_UNIVERSAL) 819 utype = V_ASN1_OTHER; 820 } 821 if (tag == -1) 822 { 823 tag = utype; 824 aclass = V_ASN1_UNIVERSAL; 825 } 826 p = *in; 827 /* Check header */ 828 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, 829 &p, inlen, tag, aclass, opt, ctx); 830 if (!ret) 831 { 832 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); 833 return 0; 834 } 835 else if (ret == -1) 836 return -1; 837 ret = 0; 838 /* SEQUENCE, SET and "OTHER" are left in encoded form */ 839 if ((utype == V_ASN1_SEQUENCE) 840 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) 841 { 842 /* Clear context cache for type OTHER because the auto clear 843 * when we have a exact match wont work 844 */ 845 if (utype == V_ASN1_OTHER) 846 { 847 asn1_tlc_clear(ctx); 848 } 849 /* SEQUENCE and SET must be constructed */ 850 else if (!cst) 851 { 852 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 853 ASN1_R_TYPE_NOT_CONSTRUCTED); 854 return 0; 855 } 856 857 cont = *in; 858 /* If indefinite length constructed find the real end */ 859 if (inf) 860 { 861 if (!asn1_find_end(&p, plen, inf)) 862 goto err; 863 len = p - cont; 864 } 865 else 866 { 867 len = p - cont + plen; 868 p += plen; 869 buf.data = NULL; 870 } 871 } 872 else if (cst) 873 { 874 buf.length = 0; 875 buf.max = 0; 876 buf.data = NULL; 877 /* Should really check the internal tags are correct but 878 * some things may get this wrong. The relevant specs 879 * say that constructed string types should be OCTET STRINGs 880 * internally irrespective of the type. So instead just check 881 * for UNIVERSAL class and ignore the tag. 882 */ 883 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) 884 { 885 free_cont = 1; 886 goto err; 887 } 888 len = buf.length; 889 /* Append a final null to string */ 890 if (!BUF_MEM_grow_clean(&buf, len + 1)) 891 { 892 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 893 ERR_R_MALLOC_FAILURE); 894 return 0; 895 } 896 buf.data[len] = 0; 897 cont = (const unsigned char *)buf.data; 898 free_cont = 1; 899 } 900 else 901 { 902 cont = p; 903 len = plen; 904 p += plen; 905 } 906 907 /* We now have content length and type: translate into a structure */ 908 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) 909 goto err; 910 911 *in = p; 912 ret = 1; 913 err: 914 if (free_cont && buf.data) OPENSSL_free(buf.data); 915 return ret; 916 } 917 918 /* Translate ASN1 content octets into a structure */ 919 920 int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, 921 int utype, char *free_cont, const ASN1_ITEM *it) 922 { 923 ASN1_VALUE **opval = NULL; 924 ASN1_STRING *stmp; 925 ASN1_TYPE *typ = NULL; 926 int ret = 0; 927 const ASN1_PRIMITIVE_FUNCS *pf; 928 ASN1_INTEGER **tint; 929 pf = it->funcs; 930 931 if (pf && pf->prim_c2i) 932 return pf->prim_c2i(pval, cont, len, utype, free_cont, it); 933 /* If ANY type clear type and set pointer to internal value */ 934 if (it->utype == V_ASN1_ANY) 935 { 936 if (!*pval) 937 { 938 typ = ASN1_TYPE_new(); 939 if (typ == NULL) 940 goto err; 941 *pval = (ASN1_VALUE *)typ; 942 } 943 else 944 typ = (ASN1_TYPE *)*pval; 945 946 if (utype != typ->type) 947 ASN1_TYPE_set(typ, utype, NULL); 948 opval = pval; 949 pval = &typ->value.asn1_value; 950 } 951 switch(utype) 952 { 953 case V_ASN1_OBJECT: 954 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) 955 goto err; 956 break; 957 958 case V_ASN1_NULL: 959 if (len) 960 { 961 ASN1err(ASN1_F_ASN1_EX_C2I, 962 ASN1_R_NULL_IS_WRONG_LENGTH); 963 goto err; 964 } 965 *pval = (ASN1_VALUE *)1; 966 break; 967 968 case V_ASN1_BOOLEAN: 969 if (len != 1) 970 { 971 ASN1err(ASN1_F_ASN1_EX_C2I, 972 ASN1_R_BOOLEAN_IS_WRONG_LENGTH); 973 goto err; 974 } 975 else 976 { 977 ASN1_BOOLEAN *tbool; 978 tbool = (ASN1_BOOLEAN *)pval; 979 *tbool = *cont; 980 } 981 break; 982 983 case V_ASN1_BIT_STRING: 984 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) 985 goto err; 986 break; 987 988 case V_ASN1_INTEGER: 989 case V_ASN1_NEG_INTEGER: 990 case V_ASN1_ENUMERATED: 991 case V_ASN1_NEG_ENUMERATED: 992 tint = (ASN1_INTEGER **)pval; 993 if (!c2i_ASN1_INTEGER(tint, &cont, len)) 994 goto err; 995 /* Fixup type to match the expected form */ 996 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); 997 break; 998 999 case V_ASN1_OCTET_STRING: 1000 case V_ASN1_NUMERICSTRING: 1001 case V_ASN1_PRINTABLESTRING: 1002 case V_ASN1_T61STRING: 1003 case V_ASN1_VIDEOTEXSTRING: 1004 case V_ASN1_IA5STRING: 1005 case V_ASN1_UTCTIME: 1006 case V_ASN1_GENERALIZEDTIME: 1007 case V_ASN1_GRAPHICSTRING: 1008 case V_ASN1_VISIBLESTRING: 1009 case V_ASN1_GENERALSTRING: 1010 case V_ASN1_UNIVERSALSTRING: 1011 case V_ASN1_BMPSTRING: 1012 case V_ASN1_UTF8STRING: 1013 case V_ASN1_OTHER: 1014 case V_ASN1_SET: 1015 case V_ASN1_SEQUENCE: 1016 default: 1017 if (utype == V_ASN1_BMPSTRING && (len & 1)) 1018 { 1019 ASN1err(ASN1_F_ASN1_EX_C2I, 1020 ASN1_R_BMPSTRING_IS_WRONG_LENGTH); 1021 goto err; 1022 } 1023 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) 1024 { 1025 ASN1err(ASN1_F_ASN1_EX_C2I, 1026 ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); 1027 goto err; 1028 } 1029 /* All based on ASN1_STRING and handled the same */ 1030 if (!*pval) 1031 { 1032 stmp = ASN1_STRING_type_new(utype); 1033 if (!stmp) 1034 { 1035 ASN1err(ASN1_F_ASN1_EX_C2I, 1036 ERR_R_MALLOC_FAILURE); 1037 goto err; 1038 } 1039 *pval = (ASN1_VALUE *)stmp; 1040 } 1041 else 1042 { 1043 stmp = (ASN1_STRING *)*pval; 1044 stmp->type = utype; 1045 } 1046 /* If we've already allocated a buffer use it */ 1047 if (*free_cont) 1048 { 1049 if (stmp->data) 1050 OPENSSL_free(stmp->data); 1051 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ 1052 stmp->length = len; 1053 *free_cont = 0; 1054 } 1055 else 1056 { 1057 if (!ASN1_STRING_set(stmp, cont, len)) 1058 { 1059 ASN1err(ASN1_F_ASN1_EX_C2I, 1060 ERR_R_MALLOC_FAILURE); 1061 ASN1_STRING_free(stmp); 1062 *pval = NULL; 1063 goto err; 1064 } 1065 } 1066 break; 1067 } 1068 /* If ASN1_ANY and NULL type fix up value */ 1069 if (typ && (utype == V_ASN1_NULL)) 1070 typ->value.ptr = NULL; 1071 1072 ret = 1; 1073 err: 1074 if (!ret) 1075 { 1076 ASN1_TYPE_free(typ); 1077 if (opval) 1078 *opval = NULL; 1079 } 1080 return ret; 1081 } 1082 1083 1084 /* This function finds the end of an ASN1 structure when passed its maximum 1085 * length, whether it is indefinite length and a pointer to the content. 1086 * This is more efficient than calling asn1_collect because it does not 1087 * recurse on each indefinite length header. 1088 */ 1089 1090 static int asn1_find_end(const unsigned char **in, long len, char inf) 1091 { 1092 int expected_eoc; 1093 long plen; 1094 const unsigned char *p = *in, *q; 1095 /* If not indefinite length constructed just add length */ 1096 if (inf == 0) 1097 { 1098 *in += len; 1099 return 1; 1100 } 1101 expected_eoc = 1; 1102 /* Indefinite length constructed form. Find the end when enough EOCs 1103 * are found. If more indefinite length constructed headers 1104 * are encountered increment the expected eoc count otherwise just 1105 * skip to the end of the data. 1106 */ 1107 while (len > 0) 1108 { 1109 if(asn1_check_eoc(&p, len)) 1110 { 1111 expected_eoc--; 1112 if (expected_eoc == 0) 1113 break; 1114 len -= 2; 1115 continue; 1116 } 1117 q = p; 1118 /* Just read in a header: only care about the length */ 1119 if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, 1120 -1, 0, 0, NULL)) 1121 { 1122 ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR); 1123 return 0; 1124 } 1125 if (inf) 1126 expected_eoc++; 1127 else 1128 p += plen; 1129 len -= p - q; 1130 } 1131 if (expected_eoc) 1132 { 1133 ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC); 1134 return 0; 1135 } 1136 *in = p; 1137 return 1; 1138 } 1139 /* This function collects the asn1 data from a constructred string 1140 * type into a buffer. The values of 'in' and 'len' should refer 1141 * to the contents of the constructed type and 'inf' should be set 1142 * if it is indefinite length. 1143 */ 1144 1145 #ifndef ASN1_MAX_STRING_NEST 1146 /* This determines how many levels of recursion are permitted in ASN1 1147 * string types. If it is not limited stack overflows can occur. If set 1148 * to zero no recursion is allowed at all. Although zero should be adequate 1149 * examples exist that require a value of 1. So 5 should be more than enough. 1150 */ 1151 #define ASN1_MAX_STRING_NEST 5 1152 #endif 1153 1154 1155 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 1156 char inf, int tag, int aclass, int depth) 1157 { 1158 const unsigned char *p, *q; 1159 long plen; 1160 char cst, ininf; 1161 p = *in; 1162 inf &= 1; 1163 /* If no buffer and not indefinite length constructed just pass over 1164 * the encoded data */ 1165 if (!buf && !inf) 1166 { 1167 *in += len; 1168 return 1; 1169 } 1170 while(len > 0) 1171 { 1172 q = p; 1173 /* Check for EOC */ 1174 if (asn1_check_eoc(&p, len)) 1175 { 1176 /* EOC is illegal outside indefinite length 1177 * constructed form */ 1178 if (!inf) 1179 { 1180 ASN1err(ASN1_F_ASN1_COLLECT, 1181 ASN1_R_UNEXPECTED_EOC); 1182 return 0; 1183 } 1184 inf = 0; 1185 break; 1186 } 1187 1188 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, 1189 len, tag, aclass, 0, NULL)) 1190 { 1191 ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR); 1192 return 0; 1193 } 1194 1195 /* If indefinite length constructed update max length */ 1196 if (cst) 1197 { 1198 if (depth >= ASN1_MAX_STRING_NEST) 1199 { 1200 ASN1err(ASN1_F_ASN1_COLLECT, 1201 ASN1_R_NESTED_ASN1_STRING); 1202 return 0; 1203 } 1204 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, 1205 depth + 1)) 1206 return 0; 1207 } 1208 else if (plen && !collect_data(buf, &p, plen)) 1209 return 0; 1210 len -= p - q; 1211 } 1212 if (inf) 1213 { 1214 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC); 1215 return 0; 1216 } 1217 *in = p; 1218 return 1; 1219 } 1220 1221 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) 1222 { 1223 int len; 1224 if (buf) 1225 { 1226 len = buf->length; 1227 if (!BUF_MEM_grow_clean(buf, len + plen)) 1228 { 1229 ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE); 1230 return 0; 1231 } 1232 memcpy(buf->data + len, *p, plen); 1233 } 1234 *p += plen; 1235 return 1; 1236 } 1237 1238 /* Check for ASN1 EOC and swallow it if found */ 1239 1240 static int asn1_check_eoc(const unsigned char **in, long len) 1241 { 1242 const unsigned char *p; 1243 if (len < 2) return 0; 1244 p = *in; 1245 if (!p[0] && !p[1]) 1246 { 1247 *in += 2; 1248 return 1; 1249 } 1250 return 0; 1251 } 1252 1253 /* Check an ASN1 tag and length: a bit like ASN1_get_object 1254 * but it sets the length for indefinite length constructed 1255 * form, we don't know the exact length but we can set an 1256 * upper bound to the amount of data available minus the 1257 * header length just read. 1258 */ 1259 1260 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 1261 char *inf, char *cst, 1262 const unsigned char **in, long len, 1263 int exptag, int expclass, char opt, 1264 ASN1_TLC *ctx) 1265 { 1266 int i; 1267 int ptag, pclass; 1268 long plen; 1269 const unsigned char *p, *q; 1270 p = *in; 1271 q = p; 1272 1273 if (ctx && ctx->valid) 1274 { 1275 i = ctx->ret; 1276 plen = ctx->plen; 1277 pclass = ctx->pclass; 1278 ptag = ctx->ptag; 1279 p += ctx->hdrlen; 1280 } 1281 else 1282 { 1283 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); 1284 if (ctx) 1285 { 1286 ctx->ret = i; 1287 ctx->plen = plen; 1288 ctx->pclass = pclass; 1289 ctx->ptag = ptag; 1290 ctx->hdrlen = p - q; 1291 ctx->valid = 1; 1292 /* If definite length, and no error, length + 1293 * header can't exceed total amount of data available. 1294 */ 1295 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) 1296 { 1297 ASN1err(ASN1_F_ASN1_CHECK_TLEN, 1298 ASN1_R_TOO_LONG); 1299 asn1_tlc_clear(ctx); 1300 return 0; 1301 } 1302 } 1303 } 1304 1305 if (i & 0x80) 1306 { 1307 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER); 1308 asn1_tlc_clear(ctx); 1309 return 0; 1310 } 1311 if (exptag >= 0) 1312 { 1313 if ((exptag != ptag) || (expclass != pclass)) 1314 { 1315 /* If type is OPTIONAL, not an error: 1316 * indicate missing type. 1317 */ 1318 if (opt) return -1; 1319 asn1_tlc_clear(ctx); 1320 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG); 1321 return 0; 1322 } 1323 /* We have a tag and class match: 1324 * assume we are going to do something with it */ 1325 asn1_tlc_clear(ctx); 1326 } 1327 1328 if (i & 1) 1329 plen = len - (p - q); 1330 1331 if (inf) 1332 *inf = i & 1; 1333 1334 if (cst) 1335 *cst = i & V_ASN1_CONSTRUCTED; 1336 1337 if (olen) 1338 *olen = plen; 1339 1340 if (oclass) 1341 *oclass = pclass; 1342 1343 if (otag) 1344 *otag = ptag; 1345 1346 *in = p; 1347 return 1; 1348 } 1349