1 /*
2 * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stddef.h>
11 #include <string.h>
12 #include <openssl/asn1.h>
13 #include <openssl/asn1t.h>
14 #include <openssl/objects.h>
15 #include <openssl/buffer.h>
16 #include <openssl/err.h>
17 #include "crypto/asn1.h"
18 #include "internal/numbers.h"
19 #include "asn1_local.h"
20
21 /*
22 * Constructed types with a recursive definition (such as can be found in PKCS7)
23 * could eventually exceed the stack given malicious input with excessive
24 * recursion. Therefore we limit the stack depth. This is the maximum number of
25 * recursive invocations of asn1_item_embed_d2i().
26 */
27 #define ASN1_MAX_CONSTRUCTED_NEST 30
28
29 static int asn1_check_eoc(const unsigned char **in, long len);
30 static int asn1_find_end(const unsigned char **in, long len, char inf);
31
32 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
33 char inf, int tag, int aclass, int depth);
34
35 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);
36
37 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
38 char *inf, char *cst,
39 const unsigned char **in, long len,
40 int exptag, int expclass, char opt, ASN1_TLC *ctx);
41
42 static int asn1_template_ex_d2i(ASN1_VALUE **pval,
43 const unsigned char **in, long len,
44 const ASN1_TEMPLATE *tt, char opt,
45 ASN1_TLC *ctx, int depth, OSSL_LIB_CTX *libctx,
46 const char *propq);
47 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
48 const unsigned char **in, long len,
49 const ASN1_TEMPLATE *tt, char opt,
50 ASN1_TLC *ctx, int depth,
51 OSSL_LIB_CTX *libctx, const char *propq);
52 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
53 const unsigned char **in, long len,
54 const ASN1_ITEM *it,
55 int tag, int aclass, char opt,
56 ASN1_TLC *ctx);
57 static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
58 int utype, char *free_cont, const ASN1_ITEM *it);
59
60 /* Table to convert tags to bit values, used for MSTRING type */
61 static const unsigned long tag2bit[32] = {
62 /* tags 0 - 3 */
63 0,
64 0,
65 0,
66 B_ASN1_BIT_STRING,
67 /* tags 4- 7 */
68 B_ASN1_OCTET_STRING,
69 0,
70 0,
71 B_ASN1_UNKNOWN,
72 /* tags 8-11 */
73 B_ASN1_UNKNOWN,
74 B_ASN1_UNKNOWN,
75 0,
76 B_ASN1_UNKNOWN,
77 /* tags 12-15 */
78 B_ASN1_UTF8STRING,
79 B_ASN1_UNKNOWN,
80 B_ASN1_UNKNOWN,
81 B_ASN1_UNKNOWN,
82 /* tags 16-19 */
83 B_ASN1_SEQUENCE,
84 0,
85 B_ASN1_NUMERICSTRING,
86 B_ASN1_PRINTABLESTRING,
87 /* tags 20-22 */
88 B_ASN1_T61STRING,
89 B_ASN1_VIDEOTEXSTRING,
90 B_ASN1_IA5STRING,
91 /* tags 23-24 */
92 B_ASN1_UTCTIME,
93 B_ASN1_GENERALIZEDTIME,
94 /* tags 25-27 */
95 B_ASN1_GRAPHICSTRING,
96 B_ASN1_ISO64STRING,
97 B_ASN1_GENERALSTRING,
98 /* tags 28-31 */
99 B_ASN1_UNIVERSALSTRING,
100 B_ASN1_UNKNOWN,
101 B_ASN1_BMPSTRING,
102 B_ASN1_UNKNOWN,
103 };
104
ASN1_tag2bit(int tag)105 unsigned long ASN1_tag2bit(int tag)
106 {
107 if ((tag < 0) || (tag > 30))
108 return 0;
109 return tag2bit[tag];
110 }
111
112 /* Macro to initialize and invalidate the cache */
113
114 #define asn1_tlc_clear(c) \
115 do { \
116 if ((c) != NULL) \
117 (c)->valid = 0; \
118 } while (0)
119 /* Version to avoid compiler warning about 'c' always non-NULL */
120 #define asn1_tlc_clear_nc(c) \
121 do { \
122 (c)->valid = 0; \
123 } while (0)
124
125 /*
126 * Decode an ASN1 item, this currently behaves just like a standard 'd2i'
127 * function. 'in' points to a buffer to read the data from, in future we
128 * will have more advanced versions that can input data a piece at a time and
129 * this will simply be a special case.
130 */
131
asn1_item_ex_d2i_intern(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx,OSSL_LIB_CTX * libctx,const char * propq)132 static int asn1_item_ex_d2i_intern(ASN1_VALUE **pval, const unsigned char **in,
133 long len, const ASN1_ITEM *it, int tag,
134 int aclass, char opt, ASN1_TLC *ctx,
135 OSSL_LIB_CTX *libctx, const char *propq)
136 {
137 int rv;
138
139 if (pval == NULL || it == NULL) {
140 ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_NULL_PARAMETER);
141 return 0;
142 }
143 rv = asn1_item_embed_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0,
144 libctx, propq);
145 if (rv <= 0)
146 ASN1_item_ex_free(pval, it);
147 return rv;
148 }
149
ASN1_item_ex_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx)150 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
151 const ASN1_ITEM *it,
152 int tag, int aclass, char opt, ASN1_TLC *ctx)
153 {
154 return asn1_item_ex_d2i_intern(pval, in, len, it, tag, aclass, opt, ctx,
155 NULL, NULL);
156 }
157
ASN1_item_d2i_ex(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it,OSSL_LIB_CTX * libctx,const char * propq)158 ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **pval,
159 const unsigned char **in, long len,
160 const ASN1_ITEM *it, OSSL_LIB_CTX *libctx,
161 const char *propq)
162 {
163 ASN1_TLC c;
164 ASN1_VALUE *ptmpval = NULL;
165
166 if (pval == NULL)
167 pval = &ptmpval;
168 asn1_tlc_clear_nc(&c);
169 if (asn1_item_ex_d2i_intern(pval, in, len, it, -1, 0, 0, &c, libctx,
170 propq)
171 > 0)
172 return *pval;
173 return NULL;
174 }
175
ASN1_item_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it)176 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
177 const unsigned char **in, long len,
178 const ASN1_ITEM *it)
179 {
180 return ASN1_item_d2i_ex(pval, in, len, it, NULL, NULL);
181 }
182
183 /*
184 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
185 * tag mismatch return -1 to handle OPTIONAL
186 */
187
asn1_item_embed_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx,int depth,OSSL_LIB_CTX * libctx,const char * propq)188 int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
189 long len, const ASN1_ITEM *it,
190 int tag, int aclass, char opt, ASN1_TLC *ctx,
191 int depth, OSSL_LIB_CTX *libctx,
192 const char *propq)
193 {
194 const ASN1_TEMPLATE *tt, *errtt = NULL;
195 const ASN1_EXTERN_FUNCS *ef;
196 const ASN1_AUX *aux;
197 ASN1_aux_cb *asn1_cb;
198 const unsigned char *p = NULL, *q;
199 unsigned char oclass;
200 char seq_eoc, seq_nolen, cst, isopt;
201 long tmplen;
202 int i;
203 int otag;
204 int ret = 0;
205 ASN1_VALUE **pchptr;
206
207 if (pval == NULL || it == NULL) {
208 ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_NULL_PARAMETER);
209 return 0;
210 }
211 if (len <= 0) {
212 ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_SMALL);
213 return 0;
214 }
215 aux = it->funcs;
216 if (aux && aux->asn1_cb)
217 asn1_cb = aux->asn1_cb;
218 else
219 asn1_cb = 0;
220
221 if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
222 ERR_raise(ERR_LIB_ASN1, ASN1_R_NESTED_TOO_DEEP);
223 goto err;
224 }
225
226 switch (it->itype) {
227 case ASN1_ITYPE_PRIMITIVE:
228 if (it->templates) {
229 /*
230 * tagging or OPTIONAL is currently illegal on an item template
231 * because the flags can't get passed down. In practice this
232 * isn't a problem: we include the relevant flags from the item
233 * template in the template itself.
234 */
235 if ((tag != -1) || opt) {
236 ERR_raise(ERR_LIB_ASN1,
237 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
238 goto err;
239 }
240 return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx,
241 depth, libctx, propq);
242 }
243 return asn1_d2i_ex_primitive(pval, in, len, it,
244 tag, aclass, opt, ctx);
245
246 case ASN1_ITYPE_MSTRING:
247 /*
248 * It never makes sense for multi-strings to have implicit tagging, so
249 * if tag != -1, then this looks like an error in the template.
250 */
251 if (tag != -1) {
252 ERR_raise(ERR_LIB_ASN1, ASN1_R_BAD_TEMPLATE);
253 goto err;
254 }
255
256 p = *in;
257 /* Just read in tag and class */
258 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
259 &p, len, -1, 0, 1, ctx);
260 if (!ret) {
261 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
262 goto err;
263 }
264
265 /* Must be UNIVERSAL class */
266 if (oclass != V_ASN1_UNIVERSAL) {
267 /* If OPTIONAL, assume this is OK */
268 if (opt)
269 return -1;
270 ERR_raise(ERR_LIB_ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL);
271 goto err;
272 }
273
274 /* Check tag matches bit map */
275 if (!(ASN1_tag2bit(otag) & it->utype)) {
276 /* If OPTIONAL, assume this is OK */
277 if (opt)
278 return -1;
279 ERR_raise(ERR_LIB_ASN1, ASN1_R_MSTRING_WRONG_TAG);
280 goto err;
281 }
282 return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
283
284 case ASN1_ITYPE_EXTERN:
285 /* Use new style d2i */
286 ef = it->funcs;
287 if (ef->asn1_ex_d2i_ex != NULL)
288 return ef->asn1_ex_d2i_ex(pval, in, len, it, tag, aclass, opt, ctx,
289 libctx, propq);
290 return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
291
292 case ASN1_ITYPE_CHOICE:
293 /*
294 * It never makes sense for CHOICE types to have implicit tagging, so
295 * if tag != -1, then this looks like an error in the template.
296 */
297 if (tag != -1) {
298 ERR_raise(ERR_LIB_ASN1, ASN1_R_BAD_TEMPLATE);
299 goto err;
300 }
301
302 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
303 goto auxerr;
304 if (*pval) {
305 /* Free up and zero CHOICE value if initialised */
306 i = ossl_asn1_get_choice_selector(pval, it);
307 if ((i >= 0) && (i < it->tcount)) {
308 tt = it->templates + i;
309 pchptr = ossl_asn1_get_field_ptr(pval, tt);
310 ossl_asn1_template_free(pchptr, tt);
311 ossl_asn1_set_choice_selector(pval, -1, it);
312 }
313 } else if (!ossl_asn1_item_ex_new_intern(pval, it, libctx, propq)) {
314 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
315 goto err;
316 }
317 /* CHOICE type, try each possibility in turn */
318 p = *in;
319 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
320 pchptr = ossl_asn1_get_field_ptr(pval, tt);
321 /*
322 * We mark field as OPTIONAL so its absence can be recognised.
323 */
324 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth,
325 libctx, propq);
326 /* If field not present, try the next one */
327 if (ret == -1)
328 continue;
329 /* If positive return, read OK, break loop */
330 if (ret > 0)
331 break;
332 /*
333 * Must be an ASN1 parsing error.
334 * Free up any partial choice value
335 */
336 ossl_asn1_template_free(pchptr, tt);
337 errtt = tt;
338 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
339 goto err;
340 }
341
342 /* Did we fall off the end without reading anything? */
343 if (i == it->tcount) {
344 /* If OPTIONAL, this is OK */
345 if (opt) {
346 /* Free and zero it */
347 ASN1_item_ex_free(pval, it);
348 return -1;
349 }
350 ERR_raise(ERR_LIB_ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE);
351 goto err;
352 }
353
354 ossl_asn1_set_choice_selector(pval, i, it);
355
356 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
357 goto auxerr;
358 *in = p;
359 return 1;
360
361 case ASN1_ITYPE_NDEF_SEQUENCE:
362 case ASN1_ITYPE_SEQUENCE:
363 p = *in;
364 tmplen = len;
365
366 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
367 if (tag == -1) {
368 tag = V_ASN1_SEQUENCE;
369 aclass = V_ASN1_UNIVERSAL;
370 }
371 /* Get SEQUENCE length and update len, p */
372 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst,
373 &p, len, tag, aclass, opt, ctx);
374 if (!ret) {
375 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
376 goto err;
377 } else if (ret == -1)
378 return -1;
379 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) {
380 len = tmplen - (p - *in);
381 seq_nolen = 1;
382 }
383 /* If indefinite we don't do a length check */
384 else
385 seq_nolen = seq_eoc;
386 if (!cst) {
387 ERR_raise(ERR_LIB_ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
388 goto err;
389 }
390
391 if (*pval == NULL
392 && !ossl_asn1_item_ex_new_intern(pval, it, libctx, propq)) {
393 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
394 goto err;
395 }
396
397 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
398 goto auxerr;
399
400 /* Free up and zero any ADB found */
401 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
402 if (tt->flags & ASN1_TFLG_ADB_MASK) {
403 const ASN1_TEMPLATE *seqtt;
404 ASN1_VALUE **pseqval;
405 seqtt = ossl_asn1_do_adb(*pval, tt, 0);
406 if (seqtt == NULL)
407 continue;
408 pseqval = ossl_asn1_get_field_ptr(pval, seqtt);
409 ossl_asn1_template_free(pseqval, seqtt);
410 }
411 }
412
413 /* Get each field entry */
414 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
415 const ASN1_TEMPLATE *seqtt;
416 ASN1_VALUE **pseqval;
417 seqtt = ossl_asn1_do_adb(*pval, tt, 1);
418 if (seqtt == NULL)
419 goto err;
420 pseqval = ossl_asn1_get_field_ptr(pval, seqtt);
421 /* Have we ran out of data? */
422 if (!len)
423 break;
424 q = p;
425 if (asn1_check_eoc(&p, len)) {
426 if (!seq_eoc) {
427 ERR_raise(ERR_LIB_ASN1, ASN1_R_UNEXPECTED_EOC);
428 goto err;
429 }
430 len -= p - q;
431 seq_eoc = 0;
432 break;
433 }
434 /*
435 * This determines the OPTIONAL flag value. The field cannot be
436 * omitted if it is the last of a SEQUENCE and there is still
437 * data to be read. This isn't strictly necessary but it
438 * increases efficiency in some cases.
439 */
440 if (i == (it->tcount - 1))
441 isopt = 0;
442 else
443 isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
444 /*
445 * attempt to read in field, allowing each to be OPTIONAL
446 */
447
448 ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
449 depth, libctx, propq);
450 if (!ret) {
451 errtt = seqtt;
452 goto err;
453 } else if (ret == -1) {
454 /*
455 * OPTIONAL component absent. Free and zero the field.
456 */
457 ossl_asn1_template_free(pseqval, seqtt);
458 continue;
459 }
460 /* Update length */
461 len -= p - q;
462 }
463
464 /* Check for EOC if expecting one */
465 if (seq_eoc && !asn1_check_eoc(&p, len)) {
466 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
467 goto err;
468 }
469 /* Check all data read */
470 if (!seq_nolen && len) {
471 ERR_raise(ERR_LIB_ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
472 goto err;
473 }
474
475 /*
476 * If we get here we've got no more data in the SEQUENCE, however we
477 * may not have read all fields so check all remaining are OPTIONAL
478 * and clear any that are.
479 */
480 for (; i < it->tcount; tt++, i++) {
481 const ASN1_TEMPLATE *seqtt;
482 seqtt = ossl_asn1_do_adb(*pval, tt, 1);
483 if (seqtt == NULL)
484 goto err;
485 if (seqtt->flags & ASN1_TFLG_OPTIONAL) {
486 ASN1_VALUE **pseqval;
487 pseqval = ossl_asn1_get_field_ptr(pval, seqtt);
488 ossl_asn1_template_free(pseqval, seqtt);
489 } else {
490 errtt = seqtt;
491 ERR_raise(ERR_LIB_ASN1, ASN1_R_FIELD_MISSING);
492 goto err;
493 }
494 }
495 /* Save encoding */
496 if (!ossl_asn1_enc_save(pval, *in, p - *in, it))
497 goto auxerr;
498 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
499 goto auxerr;
500 *in = p;
501 return 1;
502
503 default:
504 return 0;
505 }
506 auxerr:
507 ERR_raise(ERR_LIB_ASN1, ASN1_R_AUX_ERROR);
508 err:
509 if (errtt)
510 ERR_add_error_data(4, "Field=", errtt->field_name,
511 ", Type=", it->sname);
512 else
513 ERR_add_error_data(2, "Type=", it->sname);
514 return 0;
515 }
516
517 /*
518 * Templates are handled with two separate functions. One handles any
519 * EXPLICIT tag and the other handles the rest.
520 */
521
asn1_template_ex_d2i(ASN1_VALUE ** val,const unsigned char ** in,long inlen,const ASN1_TEMPLATE * tt,char opt,ASN1_TLC * ctx,int depth,OSSL_LIB_CTX * libctx,const char * propq)522 static int asn1_template_ex_d2i(ASN1_VALUE **val,
523 const unsigned char **in, long inlen,
524 const ASN1_TEMPLATE *tt, char opt,
525 ASN1_TLC *ctx, int depth,
526 OSSL_LIB_CTX *libctx, const char *propq)
527 {
528 int flags, aclass;
529 int ret;
530 long len;
531 const unsigned char *p, *q;
532 char exp_eoc;
533 if (!val)
534 return 0;
535 flags = tt->flags;
536 aclass = flags & ASN1_TFLG_TAG_CLASS;
537
538 p = *in;
539
540 /* Check if EXPLICIT tag expected */
541 if (flags & ASN1_TFLG_EXPTAG) {
542 char cst;
543 /*
544 * Need to work out amount of data available to the inner content and
545 * where it starts: so read in EXPLICIT header to get the info.
546 */
547 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst,
548 &p, inlen, tt->tag, aclass, opt, ctx);
549 q = p;
550 if (!ret) {
551 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
552 return 0;
553 } else if (ret == -1)
554 return -1;
555 if (!cst) {
556 ERR_raise(ERR_LIB_ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
557 return 0;
558 }
559 /* We've found the field so it can't be OPTIONAL now */
560 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth, libctx,
561 propq);
562 if (!ret) {
563 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
564 return 0;
565 }
566 /* We read the field in OK so update length */
567 len -= p - q;
568 if (exp_eoc) {
569 /* If NDEF we must have an EOC here */
570 if (!asn1_check_eoc(&p, len)) {
571 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
572 goto err;
573 }
574 } else {
575 /*
576 * Otherwise we must hit the EXPLICIT tag end or its an error
577 */
578 if (len) {
579 ERR_raise(ERR_LIB_ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
580 goto err;
581 }
582 }
583 } else
584 return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth,
585 libctx, propq);
586
587 *in = p;
588 return 1;
589
590 err:
591 return 0;
592 }
593
asn1_template_noexp_d2i(ASN1_VALUE ** val,const unsigned char ** in,long len,const ASN1_TEMPLATE * tt,char opt,ASN1_TLC * ctx,int depth,OSSL_LIB_CTX * libctx,const char * propq)594 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
595 const unsigned char **in, long len,
596 const ASN1_TEMPLATE *tt, char opt,
597 ASN1_TLC *ctx, int depth,
598 OSSL_LIB_CTX *libctx, const char *propq)
599 {
600 int flags, aclass;
601 int ret;
602 ASN1_VALUE *tval;
603 const unsigned char *p, *q;
604 if (!val)
605 return 0;
606 flags = tt->flags;
607 aclass = flags & ASN1_TFLG_TAG_CLASS;
608
609 p = *in;
610
611 /*
612 * If field is embedded then val needs fixing so it is a pointer to
613 * a pointer to a field.
614 */
615 if (tt->flags & ASN1_TFLG_EMBED) {
616 tval = (ASN1_VALUE *)val;
617 val = &tval;
618 }
619
620 if (flags & ASN1_TFLG_SK_MASK) {
621 /* SET OF, SEQUENCE OF */
622 int sktag, skaclass;
623 char sk_eoc;
624 /* First work out expected inner tag value */
625 if (flags & ASN1_TFLG_IMPTAG) {
626 sktag = tt->tag;
627 skaclass = aclass;
628 } else {
629 skaclass = V_ASN1_UNIVERSAL;
630 if (flags & ASN1_TFLG_SET_OF)
631 sktag = V_ASN1_SET;
632 else
633 sktag = V_ASN1_SEQUENCE;
634 }
635 /* Get the tag */
636 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL,
637 &p, len, sktag, skaclass, opt, ctx);
638 if (!ret) {
639 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
640 return 0;
641 } else if (ret == -1)
642 return -1;
643 if (*val == NULL)
644 *val = (ASN1_VALUE *)sk_ASN1_VALUE_new_null();
645 else {
646 /*
647 * We've got a valid STACK: free up any items present
648 */
649 STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val;
650 ASN1_VALUE *vtmp;
651 while (sk_ASN1_VALUE_num(sktmp) > 0) {
652 vtmp = sk_ASN1_VALUE_pop(sktmp);
653 ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));
654 }
655 }
656
657 if (*val == NULL) {
658 ERR_raise(ERR_LIB_ASN1, ERR_R_CRYPTO_LIB);
659 goto err;
660 }
661
662 /* Read as many items as we can */
663 while (len > 0) {
664 ASN1_VALUE *skfield;
665 q = p;
666 /* See if EOC found */
667 if (asn1_check_eoc(&p, len)) {
668 if (!sk_eoc) {
669 ERR_raise(ERR_LIB_ASN1, ASN1_R_UNEXPECTED_EOC);
670 goto err;
671 }
672 len -= p - q;
673 sk_eoc = 0;
674 break;
675 }
676 skfield = NULL;
677 if (asn1_item_embed_d2i(&skfield, &p, len,
678 ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx,
679 depth, libctx, propq)
680 <= 0) {
681 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
682 /* |skfield| may be partially allocated despite failure. */
683 ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
684 goto err;
685 }
686 len -= p - q;
687 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
688 ERR_raise(ERR_LIB_ASN1, ERR_R_CRYPTO_LIB);
689 ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
690 goto err;
691 }
692 }
693 if (sk_eoc) {
694 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
695 goto err;
696 }
697 } else if (flags & ASN1_TFLG_IMPTAG) {
698 /* IMPLICIT tagging */
699 ret = asn1_item_embed_d2i(val, &p, len,
700 ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
701 ctx, depth, libctx, propq);
702 if (!ret) {
703 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
704 goto err;
705 } else if (ret == -1)
706 return -1;
707 } else {
708 /* Nothing special */
709 ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
710 -1, 0, opt, ctx, depth, libctx, propq);
711 if (!ret) {
712 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
713 goto err;
714 } else if (ret == -1)
715 return -1;
716 }
717
718 *in = p;
719 return 1;
720
721 err:
722 return 0;
723 }
724
asn1_d2i_ex_primitive(ASN1_VALUE ** pval,const unsigned char ** in,long inlen,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx)725 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
726 const unsigned char **in, long inlen,
727 const ASN1_ITEM *it,
728 int tag, int aclass, char opt, ASN1_TLC *ctx)
729 {
730 int ret = 0, utype;
731 long plen;
732 char cst, inf, free_cont = 0;
733 const unsigned char *p;
734 BUF_MEM buf = { 0, NULL, 0, 0 };
735 const unsigned char *cont = NULL;
736 long len;
737
738 if (pval == NULL) {
739 ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_NULL);
740 return 0; /* Should never happen */
741 }
742
743 if (it->itype == ASN1_ITYPE_MSTRING) {
744 utype = tag;
745 tag = -1;
746 } else
747 utype = it->utype;
748
749 if (utype == V_ASN1_ANY) {
750 /* If type is ANY need to figure out type from tag */
751 unsigned char oclass;
752 if (tag >= 0) {
753 ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_TAGGED_ANY);
754 return 0;
755 }
756 if (opt) {
757 ERR_raise(ERR_LIB_ASN1, ASN1_R_ILLEGAL_OPTIONAL_ANY);
758 return 0;
759 }
760 p = *in;
761 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL,
762 &p, inlen, -1, 0, 0, ctx);
763 if (!ret) {
764 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
765 return 0;
766 }
767 if (oclass != V_ASN1_UNIVERSAL)
768 utype = V_ASN1_OTHER;
769 }
770 if (tag == -1) {
771 tag = utype;
772 aclass = V_ASN1_UNIVERSAL;
773 }
774 p = *in;
775 /* Check header */
776 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst,
777 &p, inlen, tag, aclass, opt, ctx);
778 if (!ret) {
779 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
780 return 0;
781 } else if (ret == -1)
782 return -1;
783 ret = 0;
784 /* SEQUENCE, SET and "OTHER" are left in encoded form */
785 if ((utype == V_ASN1_SEQUENCE)
786 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
787 /*
788 * Clear context cache for type OTHER because the auto clear when we
789 * have a exact match won't work
790 */
791 if (utype == V_ASN1_OTHER) {
792 asn1_tlc_clear(ctx);
793 }
794 /* SEQUENCE and SET must be constructed */
795 else if (!cst) {
796 ERR_raise(ERR_LIB_ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED);
797 return 0;
798 }
799
800 cont = *in;
801 /* If indefinite length constructed find the real end */
802 if (inf) {
803 if (!asn1_find_end(&p, plen, inf))
804 goto err;
805 len = p - cont;
806 } else {
807 len = p - cont + plen;
808 p += plen;
809 }
810 } else if (cst) {
811 if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
812 || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
813 || utype == V_ASN1_ENUMERATED) {
814 ERR_raise(ERR_LIB_ASN1, ASN1_R_TYPE_NOT_PRIMITIVE);
815 return 0;
816 }
817
818 /* Free any returned 'buf' content */
819 free_cont = 1;
820 /*
821 * Should really check the internal tags are correct but some things
822 * may get this wrong. The relevant specs say that constructed string
823 * types should be OCTET STRINGs internally irrespective of the type.
824 * So instead just check for UNIVERSAL class and ignore the tag.
825 */
826 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) {
827 goto err;
828 }
829 len = buf.length;
830 /* Append a final null to string */
831 if (!BUF_MEM_grow_clean(&buf, len + 1)) {
832 ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
833 goto err;
834 }
835 buf.data[len] = 0;
836 cont = (const unsigned char *)buf.data;
837 } else {
838 cont = p;
839 len = plen;
840 p += plen;
841 }
842
843 /* We now have content length and type: translate into a structure */
844 /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */
845 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it))
846 goto err;
847
848 *in = p;
849 ret = 1;
850 err:
851 if (free_cont)
852 OPENSSL_free(buf.data);
853 return ret;
854 }
855
856 /* Translate ASN1 content octets into a structure */
857
asn1_ex_c2i(ASN1_VALUE ** pval,const unsigned char * cont,int len,int utype,char * free_cont,const ASN1_ITEM * it)858 static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
859 int utype, char *free_cont, const ASN1_ITEM *it)
860 {
861 ASN1_VALUE **opval = NULL;
862 ASN1_STRING *stmp;
863 ASN1_TYPE *typ = NULL;
864 int ret = 0;
865 const ASN1_PRIMITIVE_FUNCS *pf;
866 ASN1_INTEGER **tint;
867 pf = it->funcs;
868
869 if (pf && pf->prim_c2i)
870 return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
871 /* If ANY type clear type and set pointer to internal value */
872 if (it->utype == V_ASN1_ANY) {
873 if (*pval == NULL) {
874 typ = ASN1_TYPE_new();
875 if (typ == NULL)
876 goto err;
877 *pval = (ASN1_VALUE *)typ;
878 } else
879 typ = (ASN1_TYPE *)*pval;
880
881 if (utype != typ->type)
882 ASN1_TYPE_set(typ, utype, NULL);
883 opval = pval;
884 pval = &typ->value.asn1_value;
885 }
886 switch (utype) {
887 case V_ASN1_OBJECT:
888 if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len))
889 goto err;
890 break;
891
892 case V_ASN1_NULL:
893 if (len) {
894 ERR_raise(ERR_LIB_ASN1, ASN1_R_NULL_IS_WRONG_LENGTH);
895 goto err;
896 }
897 *pval = (ASN1_VALUE *)1;
898 break;
899
900 case V_ASN1_BOOLEAN:
901 if (len != 1) {
902 ERR_raise(ERR_LIB_ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
903 goto err;
904 } else {
905 ASN1_BOOLEAN *tbool;
906 tbool = (ASN1_BOOLEAN *)pval;
907 *tbool = *cont;
908 }
909 break;
910
911 case V_ASN1_BIT_STRING:
912 if (!ossl_c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len))
913 goto err;
914 break;
915
916 case V_ASN1_INTEGER:
917 case V_ASN1_ENUMERATED:
918 tint = (ASN1_INTEGER **)pval;
919 if (!ossl_c2i_ASN1_INTEGER(tint, &cont, len))
920 goto err;
921 /* Fixup type to match the expected form */
922 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
923 break;
924
925 case V_ASN1_OCTET_STRING:
926 case V_ASN1_NUMERICSTRING:
927 case V_ASN1_PRINTABLESTRING:
928 case V_ASN1_T61STRING:
929 case V_ASN1_VIDEOTEXSTRING:
930 case V_ASN1_IA5STRING:
931 case V_ASN1_UTCTIME:
932 case V_ASN1_GENERALIZEDTIME:
933 case V_ASN1_GRAPHICSTRING:
934 case V_ASN1_VISIBLESTRING:
935 case V_ASN1_GENERALSTRING:
936 case V_ASN1_UNIVERSALSTRING:
937 case V_ASN1_BMPSTRING:
938 case V_ASN1_UTF8STRING:
939 case V_ASN1_OTHER:
940 case V_ASN1_SET:
941 case V_ASN1_SEQUENCE:
942 default:
943 if (utype == V_ASN1_BMPSTRING && (len & 1)) {
944 ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
945 goto err;
946 }
947 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) {
948 ERR_raise(ERR_LIB_ASN1, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
949 goto err;
950 }
951 if (utype == V_ASN1_GENERALIZEDTIME && (len < 15)) {
952 ERR_raise(ERR_LIB_ASN1, ASN1_R_GENERALIZEDTIME_IS_TOO_SHORT);
953 goto err;
954 }
955 if (utype == V_ASN1_UTCTIME && (len < 13)) {
956 ERR_raise(ERR_LIB_ASN1, ASN1_R_UTCTIME_IS_TOO_SHORT);
957 goto err;
958 }
959 /* All based on ASN1_STRING and handled the same */
960 if (*pval == NULL) {
961 stmp = ASN1_STRING_type_new(utype);
962 if (stmp == NULL) {
963 ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
964 goto err;
965 }
966 *pval = (ASN1_VALUE *)stmp;
967 } else {
968 stmp = (ASN1_STRING *)*pval;
969 stmp->type = utype;
970 }
971 /* If we've already allocated a buffer use it */
972 if (*free_cont) {
973 ASN1_STRING_set0(stmp, (unsigned char *)cont /* UGLY CAST! */, len);
974 *free_cont = 0;
975 } else {
976 if (!ASN1_STRING_set(stmp, cont, len)) {
977 ERR_raise(ERR_LIB_ASN1, ERR_R_ASN1_LIB);
978 ASN1_STRING_free(stmp);
979 *pval = NULL;
980 goto err;
981 }
982 }
983 break;
984 }
985 /* If ASN1_ANY and NULL type fix up value */
986 if (typ && (utype == V_ASN1_NULL))
987 typ->value.ptr = NULL;
988
989 ret = 1;
990 err:
991 if (!ret) {
992 ASN1_TYPE_free(typ);
993 if (opval)
994 *opval = NULL;
995 }
996 return ret;
997 }
998
999 /*
1000 * This function finds the end of an ASN1 structure when passed its maximum
1001 * length, whether it is indefinite length and a pointer to the content. This
1002 * is more efficient than calling asn1_collect because it does not recurse on
1003 * each indefinite length header.
1004 */
1005
asn1_find_end(const unsigned char ** in,long len,char inf)1006 static int asn1_find_end(const unsigned char **in, long len, char inf)
1007 {
1008 uint32_t expected_eoc;
1009 long plen;
1010 const unsigned char *p = *in, *q;
1011 /* If not indefinite length constructed just add length */
1012 if (inf == 0) {
1013 *in += len;
1014 return 1;
1015 }
1016 expected_eoc = 1;
1017 /*
1018 * Indefinite length constructed form. Find the end when enough EOCs are
1019 * found. If more indefinite length constructed headers are encountered
1020 * increment the expected eoc count otherwise just skip to the end of the
1021 * data.
1022 */
1023 while (len > 0) {
1024 if (asn1_check_eoc(&p, len)) {
1025 expected_eoc--;
1026 if (expected_eoc == 0)
1027 break;
1028 len -= 2;
1029 continue;
1030 }
1031 q = p;
1032 /* Just read in a header: only care about the length */
1033 if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
1034 -1, 0, 0, NULL)) {
1035 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
1036 return 0;
1037 }
1038 if (inf) {
1039 if (expected_eoc == UINT32_MAX) {
1040 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
1041 return 0;
1042 }
1043 expected_eoc++;
1044 } else {
1045 p += plen;
1046 }
1047 len -= p - q;
1048 }
1049 if (expected_eoc) {
1050 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
1051 return 0;
1052 }
1053 *in = p;
1054 return 1;
1055 }
1056
1057 /*
1058 * This function collects the asn1 data from a constructed string type into
1059 * a buffer. The values of 'in' and 'len' should refer to the contents of the
1060 * constructed type and 'inf' should be set if it is indefinite length.
1061 */
1062
1063 #ifndef ASN1_MAX_STRING_NEST
1064 /*
1065 * This determines how many levels of recursion are permitted in ASN1 string
1066 * types. If it is not limited stack overflows can occur. If set to zero no
1067 * recursion is allowed at all. Although zero should be adequate examples
1068 * exist that require a value of 1. So 5 should be more than enough.
1069 */
1070 #define ASN1_MAX_STRING_NEST 5
1071 #endif
1072
asn1_collect(BUF_MEM * buf,const unsigned char ** in,long len,char inf,int tag,int aclass,int depth)1073 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
1074 char inf, int tag, int aclass, int depth)
1075 {
1076 const unsigned char *p, *q;
1077 long plen;
1078 char cst, ininf;
1079 p = *in;
1080 inf &= 1;
1081 /*
1082 * If no buffer and not indefinite length constructed just pass over the
1083 * encoded data
1084 */
1085 if (!buf && !inf) {
1086 *in += len;
1087 return 1;
1088 }
1089 while (len > 0) {
1090 q = p;
1091 /* Check for EOC */
1092 if (asn1_check_eoc(&p, len)) {
1093 /*
1094 * EOC is illegal outside indefinite length constructed form
1095 */
1096 if (!inf) {
1097 ERR_raise(ERR_LIB_ASN1, ASN1_R_UNEXPECTED_EOC);
1098 return 0;
1099 }
1100 inf = 0;
1101 break;
1102 }
1103
1104 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p,
1105 len, tag, aclass, 0, NULL)) {
1106 ERR_raise(ERR_LIB_ASN1, ERR_R_NESTED_ASN1_ERROR);
1107 return 0;
1108 }
1109
1110 /* If indefinite length constructed update max length */
1111 if (cst) {
1112 if (depth >= ASN1_MAX_STRING_NEST) {
1113 ERR_raise(ERR_LIB_ASN1, ASN1_R_NESTED_ASN1_STRING);
1114 return 0;
1115 }
1116 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, depth + 1))
1117 return 0;
1118 } else if (plen && !collect_data(buf, &p, plen))
1119 return 0;
1120 len -= p - q;
1121 }
1122 if (inf) {
1123 ERR_raise(ERR_LIB_ASN1, ASN1_R_MISSING_EOC);
1124 return 0;
1125 }
1126 *in = p;
1127 return 1;
1128 }
1129
collect_data(BUF_MEM * buf,const unsigned char ** p,long plen)1130 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
1131 {
1132 int len;
1133 if (buf) {
1134 len = buf->length;
1135 if (!BUF_MEM_grow_clean(buf, len + plen)) {
1136 ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
1137 return 0;
1138 }
1139 memcpy(buf->data + len, *p, plen);
1140 }
1141 *p += plen;
1142 return 1;
1143 }
1144
1145 /* Check for ASN1 EOC and swallow it if found */
1146
asn1_check_eoc(const unsigned char ** in,long len)1147 static int asn1_check_eoc(const unsigned char **in, long len)
1148 {
1149 const unsigned char *p;
1150
1151 if (len < 2)
1152 return 0;
1153 p = *in;
1154 if (p[0] == '\0' && p[1] == '\0') {
1155 *in += 2;
1156 return 1;
1157 }
1158 return 0;
1159 }
1160
1161 /*
1162 * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the
1163 * length for indefinite length constructed form, we don't know the exact
1164 * length but we can set an upper bound to the amount of data available minus
1165 * the header length just read.
1166 */
1167
asn1_check_tlen(long * olen,int * otag,unsigned char * oclass,char * inf,char * cst,const unsigned char ** in,long len,int exptag,int expclass,char opt,ASN1_TLC * ctx)1168 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
1169 char *inf, char *cst,
1170 const unsigned char **in, long len,
1171 int exptag, int expclass, char opt, ASN1_TLC *ctx)
1172 {
1173 int i;
1174 int ptag, pclass;
1175 long plen;
1176 const unsigned char *p, *q;
1177 p = *in;
1178 q = p;
1179
1180 if (len <= 0) {
1181 ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_SMALL);
1182 goto err;
1183 }
1184 if (ctx != NULL && ctx->valid) {
1185 i = ctx->ret;
1186 plen = ctx->plen;
1187 pclass = ctx->pclass;
1188 ptag = ctx->ptag;
1189 p += ctx->hdrlen;
1190 } else {
1191 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
1192 if (ctx != NULL) {
1193 ctx->ret = i;
1194 ctx->plen = plen;
1195 ctx->pclass = pclass;
1196 ctx->ptag = ptag;
1197 ctx->hdrlen = p - q;
1198 ctx->valid = 1;
1199 /*
1200 * If definite length, and no error, length + header can't exceed
1201 * total amount of data available.
1202 */
1203 if ((i & 0x81) == 0 && (plen + ctx->hdrlen) > len) {
1204 ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
1205 goto err;
1206 }
1207 }
1208 }
1209
1210 if ((i & 0x80) != 0) {
1211 ERR_raise(ERR_LIB_ASN1, ASN1_R_BAD_OBJECT_HEADER);
1212 goto err;
1213 }
1214 if (exptag >= 0) {
1215 if (exptag != ptag || expclass != pclass) {
1216 /*
1217 * If type is OPTIONAL, not an error: indicate missing type.
1218 */
1219 if (opt != 0)
1220 return -1;
1221 ERR_raise(ERR_LIB_ASN1, ASN1_R_WRONG_TAG);
1222 goto err;
1223 }
1224 /*
1225 * We have a tag and class match: assume we are going to do something
1226 * with it
1227 */
1228 asn1_tlc_clear(ctx);
1229 }
1230
1231 if ((i & 1) != 0)
1232 plen = len - (p - q);
1233
1234 if (inf != NULL)
1235 *inf = i & 1;
1236
1237 if (cst != NULL)
1238 *cst = i & V_ASN1_CONSTRUCTED;
1239
1240 if (olen != NULL)
1241 *olen = plen;
1242
1243 if (oclass != NULL)
1244 *oclass = pclass;
1245
1246 if (otag != NULL)
1247 *otag = ptag;
1248
1249 *in = p;
1250 return 1;
1251
1252 err:
1253 asn1_tlc_clear(ctx);
1254 return 0;
1255 }
1256