1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] */ 56 57 #include <openssl/asn1.h> 58 59 #include <string.h> 60 61 #include <openssl/asn1t.h> 62 #include <openssl/buf.h> 63 #include <openssl/err.h> 64 #include <openssl/mem.h> 65 66 #include "../internal.h" 67 68 69 static int asn1_check_eoc(const unsigned char **in, long len); 70 static int asn1_find_end(const unsigned char **in, long len, char inf); 71 72 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 73 char inf, int tag, int aclass, int depth); 74 75 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); 76 77 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 78 char *inf, char *cst, 79 const unsigned char **in, long len, 80 int exptag, int expclass, char opt, 81 ASN1_TLC *ctx); 82 83 static int asn1_template_ex_d2i(ASN1_VALUE **pval, 84 const unsigned char **in, long len, 85 const ASN1_TEMPLATE *tt, char opt, 86 ASN1_TLC *ctx); 87 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 88 const unsigned char **in, long len, 89 const ASN1_TEMPLATE *tt, char opt, 90 ASN1_TLC *ctx); 91 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 92 const unsigned char **in, long len, 93 const ASN1_ITEM *it, 94 int tag, int aclass, char opt, ASN1_TLC *ctx); 95 96 /* Table to convert tags to bit values, used for MSTRING type */ 97 static const unsigned long tag2bit[32] = { 98 0, 0, 0, B_ASN1_BIT_STRING, /* tags 0 - 3 */ 99 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,/* tags 4- 7 */ 100 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags 8-11 */ 101 B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */ 102 B_ASN1_SEQUENCE,0,B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */ 103 B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING, /* tags 20-22 */ 104 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 23-24 */ 105 B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING, /* tags 25-27 */ 106 B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */ 107 }; 108 109 unsigned long ASN1_tag2bit(int tag) 110 { 111 if ((tag < 0) || (tag > 30)) return 0; 112 return tag2bit[tag]; 113 } 114 115 /* Macro to initialize and invalidate the cache */ 116 117 #define asn1_tlc_clear(c) if (c) (c)->valid = 0 118 /* Version to avoid compiler warning about 'c' always non-NULL */ 119 #define asn1_tlc_clear_nc(c) (c)->valid = 0 120 121 /* Decode an ASN1 item, this currently behaves just 122 * like a standard 'd2i' function. 'in' points to 123 * a buffer to read the data from, in future we will 124 * have more advanced versions that can input data 125 * a piece at a time and this will simply be a special 126 * case. 127 */ 128 129 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, 130 const unsigned char **in, long len, const ASN1_ITEM *it) 131 { 132 ASN1_TLC c; 133 ASN1_VALUE *ptmpval = NULL; 134 if (!pval) 135 pval = &ptmpval; 136 asn1_tlc_clear_nc(&c); 137 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 138 return *pval; 139 return NULL; 140 } 141 142 int ASN1_template_d2i(ASN1_VALUE **pval, 143 const unsigned char **in, long len, const ASN1_TEMPLATE *tt) 144 { 145 ASN1_TLC c; 146 asn1_tlc_clear_nc(&c); 147 return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); 148 } 149 150 151 /* Decode an item, taking care of IMPLICIT tagging, if any. 152 * If 'opt' set and tag mismatch return -1 to handle OPTIONAL 153 */ 154 155 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 156 const ASN1_ITEM *it, 157 int tag, int aclass, char opt, ASN1_TLC *ctx) 158 { 159 const ASN1_TEMPLATE *tt, *errtt = NULL; 160 const ASN1_COMPAT_FUNCS *cf; 161 const ASN1_EXTERN_FUNCS *ef; 162 const ASN1_AUX *aux = it->funcs; 163 ASN1_aux_cb *asn1_cb; 164 const unsigned char *p = NULL, *q; 165 unsigned char *wp=NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ 166 unsigned char imphack = 0, oclass; 167 char seq_eoc, seq_nolen, cst, isopt; 168 long tmplen; 169 int i; 170 int otag; 171 int ret = 0; 172 ASN1_VALUE **pchptr, *ptmpval; 173 int combine = aclass & ASN1_TFLG_COMBINE; 174 if (!pval) 175 return 0; 176 if (aux && aux->asn1_cb) 177 asn1_cb = aux->asn1_cb; 178 else asn1_cb = 0; 179 180 switch(it->itype) 181 { 182 case ASN1_ITYPE_PRIMITIVE: 183 if (it->templates) 184 { 185 /* tagging or OPTIONAL is currently illegal on an item 186 * template because the flags can't get passed down. 187 * In practice this isn't a problem: we include the 188 * relevant flags from the item template in the 189 * template itself. 190 */ 191 if ((tag != -1) || opt) 192 { 193 OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); 194 goto err; 195 } 196 return asn1_template_ex_d2i(pval, in, len, 197 it->templates, opt, ctx); 198 } 199 return asn1_d2i_ex_primitive(pval, in, len, it, 200 tag, aclass, opt, ctx); 201 break; 202 203 case ASN1_ITYPE_MSTRING: 204 p = *in; 205 /* Just read in tag and class */ 206 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, 207 &p, len, -1, 0, 1, ctx); 208 if (!ret) 209 { 210 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 211 goto err; 212 } 213 214 /* Must be UNIVERSAL class */ 215 if (oclass != V_ASN1_UNIVERSAL) 216 { 217 /* If OPTIONAL, assume this is OK */ 218 if (opt) return -1; 219 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL); 220 goto err; 221 } 222 /* Check tag matches bit map */ 223 if (!(ASN1_tag2bit(otag) & it->utype)) 224 { 225 /* If OPTIONAL, assume this is OK */ 226 if (opt) 227 return -1; 228 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_WRONG_TAG); 229 goto err; 230 } 231 return asn1_d2i_ex_primitive(pval, in, len, 232 it, otag, 0, 0, ctx); 233 234 case ASN1_ITYPE_EXTERN: 235 /* Use new style d2i */ 236 ef = it->funcs; 237 return ef->asn1_ex_d2i(pval, in, len, 238 it, tag, aclass, opt, ctx); 239 240 case ASN1_ITYPE_COMPAT: 241 /* we must resort to old style evil hackery */ 242 cf = it->funcs; 243 244 /* If OPTIONAL see if it is there */ 245 if (opt) 246 { 247 int exptag; 248 p = *in; 249 if (tag == -1) 250 exptag = it->utype; 251 else exptag = tag; 252 /* Don't care about anything other than presence 253 * of expected tag */ 254 255 ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, 256 &p, len, exptag, aclass, 1, ctx); 257 if (!ret) 258 { 259 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 260 goto err; 261 } 262 if (ret == -1) 263 return -1; 264 } 265 266 /* This is the old style evil hack IMPLICIT handling: 267 * since the underlying code is expecting a tag and 268 * class other than the one present we change the 269 * buffer temporarily then change it back afterwards. 270 * This doesn't and never did work for tags > 30. 271 * 272 * Yes this is *horrible* but it is only needed for 273 * old style d2i which will hopefully not be around 274 * for much longer. 275 * FIXME: should copy the buffer then modify it so 276 * the input buffer can be const: we should *always* 277 * copy because the old style d2i might modify the 278 * buffer. 279 */ 280 281 if (tag != -1) 282 { 283 wp = *(unsigned char **)in; 284 imphack = *wp; 285 if (p == NULL) 286 { 287 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 288 goto err; 289 } 290 *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) 291 | it->utype); 292 } 293 294 ptmpval = cf->asn1_d2i(pval, in, len); 295 296 if (tag != -1) 297 *wp = imphack; 298 299 if (ptmpval) 300 return 1; 301 302 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 303 goto err; 304 305 306 case ASN1_ITYPE_CHOICE: 307 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) 308 goto auxerr; 309 310 if (*pval) 311 { 312 /* Free up and zero CHOICE value if initialised */ 313 i = asn1_get_choice_selector(pval, it); 314 if ((i >= 0) && (i < it->tcount)) 315 { 316 tt = it->templates + i; 317 pchptr = asn1_get_field_ptr(pval, tt); 318 ASN1_template_free(pchptr, tt); 319 asn1_set_choice_selector(pval, -1, it); 320 } 321 } 322 else if (!ASN1_item_ex_new(pval, it)) 323 { 324 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 325 goto err; 326 } 327 /* CHOICE type, try each possibility in turn */ 328 p = *in; 329 for (i = 0, tt=it->templates; i < it->tcount; i++, tt++) 330 { 331 pchptr = asn1_get_field_ptr(pval, tt); 332 /* We mark field as OPTIONAL so its absence 333 * can be recognised. 334 */ 335 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); 336 /* If field not present, try the next one */ 337 if (ret == -1) 338 continue; 339 /* If positive return, read OK, break loop */ 340 if (ret > 0) 341 break; 342 /* Otherwise must be an ASN1 parsing error */ 343 errtt = tt; 344 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 345 goto err; 346 } 347 348 /* Did we fall off the end without reading anything? */ 349 if (i == it->tcount) 350 { 351 /* If OPTIONAL, this is OK */ 352 if (opt) 353 { 354 /* Free and zero it */ 355 ASN1_item_ex_free(pval, it); 356 return -1; 357 } 358 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE); 359 goto err; 360 } 361 362 asn1_set_choice_selector(pval, i, it); 363 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) 364 goto auxerr; 365 *in = p; 366 return 1; 367 368 case ASN1_ITYPE_NDEF_SEQUENCE: 369 case ASN1_ITYPE_SEQUENCE: 370 p = *in; 371 tmplen = len; 372 373 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ 374 if (tag == -1) 375 { 376 tag = V_ASN1_SEQUENCE; 377 aclass = V_ASN1_UNIVERSAL; 378 } 379 /* Get SEQUENCE length and update len, p */ 380 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, 381 &p, len, tag, aclass, opt, ctx); 382 if (!ret) 383 { 384 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 385 goto err; 386 } 387 else if (ret == -1) 388 return -1; 389 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) 390 { 391 len = tmplen - (p - *in); 392 seq_nolen = 1; 393 } 394 /* If indefinite we don't do a length check */ 395 else seq_nolen = seq_eoc; 396 if (!cst) 397 { 398 OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED); 399 goto err; 400 } 401 402 if (!*pval && !ASN1_item_ex_new(pval, it)) 403 { 404 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 405 goto err; 406 } 407 408 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) 409 goto auxerr; 410 411 /* Free up and zero any ADB found */ 412 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) 413 { 414 if (tt->flags & ASN1_TFLG_ADB_MASK) 415 { 416 const ASN1_TEMPLATE *seqtt; 417 ASN1_VALUE **pseqval; 418 seqtt = asn1_do_adb(pval, tt, 1); 419 pseqval = asn1_get_field_ptr(pval, seqtt); 420 ASN1_template_free(pseqval, seqtt); 421 } 422 } 423 424 /* Get each field entry */ 425 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) 426 { 427 const ASN1_TEMPLATE *seqtt; 428 ASN1_VALUE **pseqval; 429 seqtt = asn1_do_adb(pval, tt, 1); 430 if (!seqtt) 431 goto err; 432 pseqval = asn1_get_field_ptr(pval, seqtt); 433 /* Have we ran out of data? */ 434 if (!len) 435 break; 436 q = p; 437 if (asn1_check_eoc(&p, len)) 438 { 439 if (!seq_eoc) 440 { 441 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); 442 goto err; 443 } 444 len -= p - q; 445 seq_eoc = 0; 446 q = p; 447 break; 448 } 449 /* This determines the OPTIONAL flag value. The field 450 * cannot be omitted if it is the last of a SEQUENCE 451 * and there is still data to be read. This isn't 452 * strictly necessary but it increases efficiency in 453 * some cases. 454 */ 455 if (i == (it->tcount - 1)) 456 isopt = 0; 457 else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); 458 /* attempt to read in field, allowing each to be 459 * OPTIONAL */ 460 461 ret = asn1_template_ex_d2i(pseqval, &p, len, 462 seqtt, isopt, ctx); 463 if (!ret) 464 { 465 errtt = seqtt; 466 goto err; 467 } 468 else if (ret == -1) 469 { 470 /* OPTIONAL component absent. 471 * Free and zero the field. 472 */ 473 ASN1_template_free(pseqval, seqtt); 474 continue; 475 } 476 /* Update length */ 477 len -= p - q; 478 } 479 480 /* Check for EOC if expecting one */ 481 if (seq_eoc && !asn1_check_eoc(&p, len)) 482 { 483 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); 484 goto err; 485 } 486 /* Check all data read */ 487 if (!seq_nolen && len) 488 { 489 OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH); 490 goto err; 491 } 492 493 /* If we get here we've got no more data in the SEQUENCE, 494 * however we may not have read all fields so check all 495 * remaining are OPTIONAL and clear any that are. 496 */ 497 for (; i < it->tcount; tt++, i++) 498 { 499 const ASN1_TEMPLATE *seqtt; 500 seqtt = asn1_do_adb(pval, tt, 1); 501 if (!seqtt) 502 goto err; 503 if (seqtt->flags & ASN1_TFLG_OPTIONAL) 504 { 505 ASN1_VALUE **pseqval; 506 pseqval = asn1_get_field_ptr(pval, seqtt); 507 ASN1_template_free(pseqval, seqtt); 508 } 509 else 510 { 511 errtt = seqtt; 512 OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIELD_MISSING); 513 goto err; 514 } 515 } 516 /* Save encoding */ 517 if (!asn1_enc_save(pval, *in, p - *in, it)) 518 goto auxerr; 519 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) 520 goto auxerr; 521 *in = p; 522 return 1; 523 524 default: 525 return 0; 526 } 527 auxerr: 528 OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR); 529 err: 530 if (combine == 0) 531 ASN1_item_ex_free(pval, it); 532 if (errtt) 533 ERR_add_error_data(4, "Field=", errtt->field_name, 534 ", Type=", it->sname); 535 else 536 ERR_add_error_data(2, "Type=", it->sname); 537 return 0; 538 } 539 540 /* Templates are handled with two separate functions. 541 * One handles any EXPLICIT tag and the other handles the rest. 542 */ 543 544 static int asn1_template_ex_d2i(ASN1_VALUE **val, 545 const unsigned char **in, long inlen, 546 const ASN1_TEMPLATE *tt, char opt, 547 ASN1_TLC *ctx) 548 { 549 int flags, aclass; 550 int ret; 551 long len; 552 const unsigned char *p, *q; 553 char exp_eoc; 554 if (!val) 555 return 0; 556 flags = tt->flags; 557 aclass = flags & ASN1_TFLG_TAG_CLASS; 558 559 p = *in; 560 561 /* Check if EXPLICIT tag expected */ 562 if (flags & ASN1_TFLG_EXPTAG) 563 { 564 char cst; 565 /* Need to work out amount of data available to the inner 566 * content and where it starts: so read in EXPLICIT header to 567 * get the info. 568 */ 569 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, 570 &p, inlen, tt->tag, aclass, opt, ctx); 571 q = p; 572 if (!ret) 573 { 574 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 575 return 0; 576 } 577 else if (ret == -1) 578 return -1; 579 if (!cst) 580 { 581 OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); 582 return 0; 583 } 584 /* We've found the field so it can't be OPTIONAL now */ 585 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); 586 if (!ret) 587 { 588 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 589 return 0; 590 } 591 /* We read the field in OK so update length */ 592 len -= p - q; 593 if (exp_eoc) 594 { 595 /* If NDEF we must have an EOC here */ 596 if (!asn1_check_eoc(&p, len)) 597 { 598 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); 599 goto err; 600 } 601 } 602 else 603 { 604 /* Otherwise we must hit the EXPLICIT tag end or its 605 * an error */ 606 if (len) 607 { 608 OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH); 609 goto err; 610 } 611 } 612 } 613 else 614 return asn1_template_noexp_d2i(val, in, inlen, 615 tt, opt, ctx); 616 617 *in = p; 618 return 1; 619 620 err: 621 ASN1_template_free(val, tt); 622 return 0; 623 } 624 625 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 626 const unsigned char **in, long len, 627 const ASN1_TEMPLATE *tt, char opt, 628 ASN1_TLC *ctx) 629 { 630 int flags, aclass; 631 int ret; 632 const unsigned char *p; 633 if (!val) 634 return 0; 635 flags = tt->flags; 636 aclass = flags & ASN1_TFLG_TAG_CLASS; 637 638 p = *in; 639 640 if (flags & ASN1_TFLG_SK_MASK) 641 { 642 /* SET OF, SEQUENCE OF */ 643 int sktag, skaclass; 644 char sk_eoc; 645 /* First work out expected inner tag value */ 646 if (flags & ASN1_TFLG_IMPTAG) 647 { 648 sktag = tt->tag; 649 skaclass = aclass; 650 } 651 else 652 { 653 skaclass = V_ASN1_UNIVERSAL; 654 if (flags & ASN1_TFLG_SET_OF) 655 sktag = V_ASN1_SET; 656 else 657 sktag = V_ASN1_SEQUENCE; 658 } 659 /* Get the tag */ 660 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, 661 &p, len, sktag, skaclass, opt, ctx); 662 if (!ret) 663 { 664 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 665 return 0; 666 } 667 else if (ret == -1) 668 return -1; 669 if (!*val) 670 *val = (ASN1_VALUE *)sk_new_null(); 671 else 672 { 673 /* We've got a valid STACK: free up any items present */ 674 STACK_OF(ASN1_VALUE) *sktmp 675 = (STACK_OF(ASN1_VALUE) *)*val; 676 ASN1_VALUE *vtmp; 677 while(sk_ASN1_VALUE_num(sktmp) > 0) 678 { 679 vtmp = sk_ASN1_VALUE_pop(sktmp); 680 ASN1_item_ex_free(&vtmp, 681 ASN1_ITEM_ptr(tt->item)); 682 } 683 } 684 685 if (!*val) 686 { 687 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); 688 goto err; 689 } 690 691 /* Read as many items as we can */ 692 while(len > 0) 693 { 694 ASN1_VALUE *skfield; 695 const unsigned char *q = p; 696 /* See if EOC found */ 697 if (asn1_check_eoc(&p, len)) 698 { 699 if (!sk_eoc) 700 { 701 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); 702 goto err; 703 } 704 len -= p - q; 705 sk_eoc = 0; 706 break; 707 } 708 skfield = NULL; 709 if (!ASN1_item_ex_d2i(&skfield, &p, len, 710 ASN1_ITEM_ptr(tt->item), 711 -1, 0, 0, ctx)) 712 { 713 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 714 goto err; 715 } 716 len -= p - q; 717 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, 718 skfield)) 719 { 720 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); 721 goto err; 722 } 723 } 724 if (sk_eoc) 725 { 726 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); 727 goto err; 728 } 729 } 730 else if (flags & ASN1_TFLG_IMPTAG) 731 { 732 /* IMPLICIT tagging */ 733 ret = ASN1_item_ex_d2i(val, &p, len, 734 ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); 735 if (!ret) 736 { 737 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 738 goto err; 739 } 740 else if (ret == -1) 741 return -1; 742 } 743 else 744 { 745 /* Nothing special */ 746 ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), 747 -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); 748 if (!ret) 749 { 750 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 751 goto err; 752 } 753 else if (ret == -1) 754 return -1; 755 } 756 757 *in = p; 758 return 1; 759 760 err: 761 ASN1_template_free(val, tt); 762 return 0; 763 } 764 765 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 766 const unsigned char **in, long inlen, 767 const ASN1_ITEM *it, 768 int tag, int aclass, char opt, ASN1_TLC *ctx) 769 OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS 770 { 771 int ret = 0, utype; 772 long plen; 773 char cst, inf, free_cont = 0; 774 const unsigned char *p; 775 BUF_MEM buf; 776 const unsigned char *cont = NULL; 777 long len; 778 if (!pval) 779 { 780 OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL); 781 return 0; /* Should never happen */ 782 } 783 784 if (it->itype == ASN1_ITYPE_MSTRING) 785 { 786 utype = tag; 787 tag = -1; 788 } 789 else 790 utype = it->utype; 791 792 if (utype == V_ASN1_ANY) 793 { 794 /* If type is ANY need to figure out type from tag */ 795 unsigned char oclass; 796 if (tag >= 0) 797 { 798 OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TAGGED_ANY); 799 return 0; 800 } 801 if (opt) 802 { 803 OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONAL_ANY); 804 return 0; 805 } 806 p = *in; 807 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, 808 &p, inlen, -1, 0, 0, ctx); 809 if (!ret) 810 { 811 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 812 return 0; 813 } 814 if (oclass != V_ASN1_UNIVERSAL) 815 utype = V_ASN1_OTHER; 816 } 817 if (tag == -1) 818 { 819 tag = utype; 820 aclass = V_ASN1_UNIVERSAL; 821 } 822 p = *in; 823 /* Check header */ 824 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, 825 &p, inlen, tag, aclass, opt, ctx); 826 if (!ret) 827 { 828 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 829 return 0; 830 } 831 else if (ret == -1) 832 return -1; 833 ret = 0; 834 /* SEQUENCE, SET and "OTHER" are left in encoded form */ 835 if ((utype == V_ASN1_SEQUENCE) 836 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) 837 { 838 /* Clear context cache for type OTHER because the auto clear 839 * when we have a exact match wont work 840 */ 841 if (utype == V_ASN1_OTHER) 842 { 843 asn1_tlc_clear(ctx); 844 } 845 /* SEQUENCE and SET must be constructed */ 846 else if (!cst) 847 { 848 OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED); 849 return 0; 850 } 851 852 cont = *in; 853 /* If indefinite length constructed find the real end */ 854 if (inf) 855 { 856 if (!asn1_find_end(&p, plen, inf)) 857 goto err; 858 len = p - cont; 859 } 860 else 861 { 862 len = p - cont + plen; 863 p += plen; 864 buf.data = NULL; 865 } 866 } 867 else if (cst) 868 { 869 if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN 870 || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER 871 || utype == V_ASN1_ENUMERATED) 872 { 873 /* These types only have primitive encodings. */ 874 OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE); 875 return 0; 876 } 877 878 buf.length = 0; 879 buf.max = 0; 880 buf.data = NULL; 881 /* Should really check the internal tags are correct but 882 * some things may get this wrong. The relevant specs 883 * say that constructed string types should be OCTET STRINGs 884 * internally irrespective of the type. So instead just check 885 * for UNIVERSAL class and ignore the tag. 886 */ 887 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) 888 { 889 free_cont = 1; 890 goto err; 891 } 892 len = buf.length; 893 /* Append a final null to string */ 894 if (!BUF_MEM_grow_clean(&buf, len + 1)) 895 { 896 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); 897 return 0; 898 } 899 buf.data[len] = 0; 900 cont = (const unsigned char *)buf.data; 901 free_cont = 1; 902 } 903 else 904 { 905 cont = p; 906 len = plen; 907 p += plen; 908 } 909 910 /* We now have content length and type: translate into a structure */ 911 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) 912 goto err; 913 914 *in = p; 915 ret = 1; 916 err: 917 if (free_cont && buf.data) OPENSSL_free(buf.data); 918 return ret; 919 } 920 921 /* Translate ASN1 content octets into a structure */ 922 923 int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, 924 int utype, char *free_cont, const ASN1_ITEM *it) 925 { 926 ASN1_VALUE **opval = NULL; 927 ASN1_STRING *stmp; 928 ASN1_TYPE *typ = NULL; 929 int ret = 0; 930 const ASN1_PRIMITIVE_FUNCS *pf; 931 ASN1_INTEGER **tint; 932 pf = it->funcs; 933 934 if (pf && pf->prim_c2i) 935 return pf->prim_c2i(pval, cont, len, utype, free_cont, it); 936 /* If ANY type clear type and set pointer to internal value */ 937 if (it->utype == V_ASN1_ANY) 938 { 939 if (!*pval) 940 { 941 typ = ASN1_TYPE_new(); 942 if (typ == NULL) 943 goto err; 944 *pval = (ASN1_VALUE *)typ; 945 } 946 else 947 typ = (ASN1_TYPE *)*pval; 948 949 if (utype != typ->type) 950 ASN1_TYPE_set(typ, utype, NULL); 951 opval = pval; 952 pval = &typ->value.asn1_value; 953 } 954 switch(utype) 955 { 956 case V_ASN1_OBJECT: 957 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) 958 goto err; 959 break; 960 961 case V_ASN1_NULL: 962 if (len) 963 { 964 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NULL_IS_WRONG_LENGTH); 965 goto err; 966 } 967 *pval = (ASN1_VALUE *)1; 968 break; 969 970 case V_ASN1_BOOLEAN: 971 if (len != 1) 972 { 973 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH); 974 goto err; 975 } 976 else 977 { 978 ASN1_BOOLEAN *tbool; 979 tbool = (ASN1_BOOLEAN *)pval; 980 *tbool = *cont; 981 } 982 break; 983 984 case V_ASN1_BIT_STRING: 985 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) 986 goto err; 987 break; 988 989 case V_ASN1_INTEGER: 990 case V_ASN1_NEG_INTEGER: 991 case V_ASN1_ENUMERATED: 992 case V_ASN1_NEG_ENUMERATED: 993 tint = (ASN1_INTEGER **)pval; 994 if (!c2i_ASN1_INTEGER(tint, &cont, len)) 995 goto err; 996 /* Fixup type to match the expected form */ 997 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); 998 break; 999 1000 case V_ASN1_OCTET_STRING: 1001 case V_ASN1_NUMERICSTRING: 1002 case V_ASN1_PRINTABLESTRING: 1003 case V_ASN1_T61STRING: 1004 case V_ASN1_VIDEOTEXSTRING: 1005 case V_ASN1_IA5STRING: 1006 case V_ASN1_UTCTIME: 1007 case V_ASN1_GENERALIZEDTIME: 1008 case V_ASN1_GRAPHICSTRING: 1009 case V_ASN1_VISIBLESTRING: 1010 case V_ASN1_GENERALSTRING: 1011 case V_ASN1_UNIVERSALSTRING: 1012 case V_ASN1_BMPSTRING: 1013 case V_ASN1_UTF8STRING: 1014 case V_ASN1_OTHER: 1015 case V_ASN1_SET: 1016 case V_ASN1_SEQUENCE: 1017 default: 1018 if (utype == V_ASN1_BMPSTRING && (len & 1)) 1019 { 1020 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); 1021 goto err; 1022 } 1023 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) 1024 { 1025 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); 1026 goto err; 1027 } 1028 /* All based on ASN1_STRING and handled the same */ 1029 if (!*pval) 1030 { 1031 stmp = ASN1_STRING_type_new(utype); 1032 if (!stmp) 1033 { 1034 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); 1035 goto err; 1036 } 1037 *pval = (ASN1_VALUE *)stmp; 1038 } 1039 else 1040 { 1041 stmp = (ASN1_STRING *)*pval; 1042 stmp->type = utype; 1043 } 1044 /* If we've already allocated a buffer use it */ 1045 if (*free_cont) 1046 { 1047 if (stmp->data) 1048 OPENSSL_free(stmp->data); 1049 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ 1050 stmp->length = len; 1051 *free_cont = 0; 1052 } 1053 else 1054 { 1055 if (!ASN1_STRING_set(stmp, cont, len)) 1056 { 1057 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); 1058 ASN1_STRING_free(stmp); 1059 *pval = NULL; 1060 goto err; 1061 } 1062 } 1063 break; 1064 } 1065 /* If ASN1_ANY and NULL type fix up value */ 1066 if (typ && (utype == V_ASN1_NULL)) 1067 typ->value.ptr = NULL; 1068 1069 ret = 1; 1070 err: 1071 if (!ret) 1072 { 1073 ASN1_TYPE_free(typ); 1074 if (opval) 1075 *opval = NULL; 1076 } 1077 return ret; 1078 } 1079 1080 1081 /* This function finds the end of an ASN1 structure when passed its maximum 1082 * length, whether it is indefinite length and a pointer to the content. 1083 * This is more efficient than calling asn1_collect because it does not 1084 * recurse on each indefinite length header. 1085 */ 1086 1087 static int asn1_find_end(const unsigned char **in, long len, char inf) 1088 { 1089 int expected_eoc; 1090 long plen; 1091 const unsigned char *p = *in, *q; 1092 /* If not indefinite length constructed just add length */ 1093 if (inf == 0) 1094 { 1095 *in += len; 1096 return 1; 1097 } 1098 expected_eoc = 1; 1099 /* Indefinite length constructed form. Find the end when enough EOCs 1100 * are found. If more indefinite length constructed headers 1101 * are encountered increment the expected eoc count otherwise just 1102 * skip to the end of the data. 1103 */ 1104 while (len > 0) 1105 { 1106 if(asn1_check_eoc(&p, len)) 1107 { 1108 expected_eoc--; 1109 if (expected_eoc == 0) 1110 break; 1111 len -= 2; 1112 continue; 1113 } 1114 q = p; 1115 /* Just read in a header: only care about the length */ 1116 if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, 1117 -1, 0, 0, NULL)) 1118 { 1119 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 1120 return 0; 1121 } 1122 if (inf) 1123 expected_eoc++; 1124 else 1125 p += plen; 1126 len -= p - q; 1127 } 1128 if (expected_eoc) 1129 { 1130 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); 1131 return 0; 1132 } 1133 *in = p; 1134 return 1; 1135 } 1136 /* This function collects the asn1 data from a constructred string 1137 * type into a buffer. The values of 'in' and 'len' should refer 1138 * to the contents of the constructed type and 'inf' should be set 1139 * if it is indefinite length. 1140 */ 1141 1142 #ifndef ASN1_MAX_STRING_NEST 1143 /* This determines how many levels of recursion are permitted in ASN1 1144 * string types. If it is not limited stack overflows can occur. If set 1145 * to zero no recursion is allowed at all. Although zero should be adequate 1146 * examples exist that require a value of 1. So 5 should be more than enough. 1147 */ 1148 #define ASN1_MAX_STRING_NEST 5 1149 #endif 1150 1151 1152 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 1153 char inf, int tag, int aclass, int depth) 1154 { 1155 const unsigned char *p, *q; 1156 long plen; 1157 char cst, ininf; 1158 p = *in; 1159 inf &= 1; 1160 /* If no buffer and not indefinite length constructed just pass over 1161 * the encoded data */ 1162 if (!buf && !inf) 1163 { 1164 *in += len; 1165 return 1; 1166 } 1167 while(len > 0) 1168 { 1169 q = p; 1170 /* Check for EOC */ 1171 if (asn1_check_eoc(&p, len)) 1172 { 1173 /* EOC is illegal outside indefinite length 1174 * constructed form */ 1175 if (!inf) 1176 { 1177 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); 1178 return 0; 1179 } 1180 inf = 0; 1181 break; 1182 } 1183 1184 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, 1185 len, tag, aclass, 0, NULL)) 1186 { 1187 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 1188 return 0; 1189 } 1190 1191 /* If indefinite length constructed update max length */ 1192 if (cst) 1193 { 1194 if (depth >= ASN1_MAX_STRING_NEST) 1195 { 1196 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_STRING); 1197 return 0; 1198 } 1199 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, 1200 depth + 1)) 1201 return 0; 1202 } 1203 else if (plen && !collect_data(buf, &p, plen)) 1204 return 0; 1205 len -= p - q; 1206 } 1207 if (inf) 1208 { 1209 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); 1210 return 0; 1211 } 1212 *in = p; 1213 return 1; 1214 } 1215 1216 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) 1217 { 1218 int len; 1219 if (buf) 1220 { 1221 len = buf->length; 1222 if (!BUF_MEM_grow_clean(buf, len + plen)) 1223 { 1224 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); 1225 return 0; 1226 } 1227 memcpy(buf->data + len, *p, plen); 1228 } 1229 *p += plen; 1230 return 1; 1231 } 1232 1233 /* Check for ASN1 EOC and swallow it if found */ 1234 1235 static int asn1_check_eoc(const unsigned char **in, long len) 1236 { 1237 const unsigned char *p; 1238 if (len < 2) return 0; 1239 p = *in; 1240 if (!p[0] && !p[1]) 1241 { 1242 *in += 2; 1243 return 1; 1244 } 1245 return 0; 1246 } 1247 1248 /* Check an ASN1 tag and length: a bit like ASN1_get_object 1249 * but it sets the length for indefinite length constructed 1250 * form, we don't know the exact length but we can set an 1251 * upper bound to the amount of data available minus the 1252 * header length just read. 1253 */ 1254 1255 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 1256 char *inf, char *cst, 1257 const unsigned char **in, long len, 1258 int exptag, int expclass, char opt, 1259 ASN1_TLC *ctx) 1260 { 1261 int i; 1262 int ptag, pclass; 1263 long plen; 1264 const unsigned char *p, *q; 1265 p = *in; 1266 q = p; 1267 1268 if (ctx && ctx->valid) 1269 { 1270 i = ctx->ret; 1271 plen = ctx->plen; 1272 pclass = ctx->pclass; 1273 ptag = ctx->ptag; 1274 p += ctx->hdrlen; 1275 } 1276 else 1277 { 1278 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); 1279 if (ctx) 1280 { 1281 ctx->ret = i; 1282 ctx->plen = plen; 1283 ctx->pclass = pclass; 1284 ctx->ptag = ptag; 1285 ctx->hdrlen = p - q; 1286 ctx->valid = 1; 1287 /* If definite length, and no error, length + 1288 * header can't exceed total amount of data available. 1289 */ 1290 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) 1291 { 1292 OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG); 1293 asn1_tlc_clear(ctx); 1294 return 0; 1295 } 1296 } 1297 } 1298 1299 if (i & 0x80) 1300 { 1301 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER); 1302 asn1_tlc_clear(ctx); 1303 return 0; 1304 } 1305 if (exptag >= 0) 1306 { 1307 if ((exptag != ptag) || (expclass != pclass)) 1308 { 1309 /* If type is OPTIONAL, not an error: 1310 * indicate missing type. 1311 */ 1312 if (opt) return -1; 1313 asn1_tlc_clear(ctx); 1314 OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TAG); 1315 return 0; 1316 } 1317 /* We have a tag and class match: 1318 * assume we are going to do something with it */ 1319 asn1_tlc_clear(ctx); 1320 } 1321 1322 if (i & 1) 1323 plen = len - (p - q); 1324 1325 if (inf) 1326 *inf = i & 1; 1327 1328 if (cst) 1329 *cst = i & V_ASN1_CONSTRUCTED; 1330 1331 if (olen) 1332 *olen = plen; 1333 1334 if (oclass) 1335 *oclass = pclass; 1336 1337 if (otag) 1338 *otag = ptag; 1339 1340 *in = p; 1341 return 1; 1342 } 1343
