xref: /freebsd/crypto/heimdal/lib/asn1/der_get.c (revision 40a8ac8f62b535d30349faf28cf47106b7041b83)
1 /*
2  * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "der_locl.h"
35 
36 /*
37  * All decoding functions take a pointer `p' to first position in
38  * which to read, from the left, `len' which means the maximum number
39  * of characters we are able to read, `ret' were the value will be
40  * returned and `size' where the number of used bytes is stored.
41  * Either 0 or an error code is returned.
42  */
43 
44 int
45 der_get_unsigned (const unsigned char *p, size_t len,
46 		  unsigned *ret, size_t *size)
47 {
48     unsigned val = 0;
49     size_t oldlen = len;
50 
51     if (len == sizeof(unsigned) + 1 && p[0] == 0)
52 	;
53     else if (len > sizeof(unsigned))
54 	return ASN1_OVERRUN;
55 
56     while (len--)
57 	val = val * 256 + *p++;
58     *ret = val;
59     if(size) *size = oldlen;
60     return 0;
61 }
62 
63 int
64 der_get_integer (const unsigned char *p, size_t len,
65 		 int *ret, size_t *size)
66 {
67     int val = 0;
68     size_t oldlen = len;
69 
70     if (len > sizeof(int))
71 	return ASN1_OVERRUN;
72 
73     if (len > 0) {
74 	val = (signed char)*p++;
75 	while (--len)
76 	    val = val * 256 + *p++;
77     }
78     *ret = val;
79     if(size) *size = oldlen;
80     return 0;
81 }
82 
83 int
84 der_get_length (const unsigned char *p, size_t len,
85 		size_t *val, size_t *size)
86 {
87     size_t v;
88 
89     if (len <= 0)
90 	return ASN1_OVERRUN;
91     --len;
92     v = *p++;
93     if (v < 128) {
94 	*val = v;
95 	if(size) *size = 1;
96     } else {
97 	int e;
98 	size_t l;
99 	unsigned tmp;
100 
101 	if(v == 0x80){
102 	    *val = ASN1_INDEFINITE;
103 	    if(size) *size = 1;
104 	    return 0;
105 	}
106 	v &= 0x7F;
107 	if (len < v)
108 	    return ASN1_OVERRUN;
109 	e = der_get_unsigned (p, v, &tmp, &l);
110 	if(e) return e;
111 	*val = tmp;
112 	if(size) *size = l + 1;
113     }
114     return 0;
115 }
116 
117 int
118 der_get_boolean(const unsigned char *p, size_t len, int *data, size_t *size)
119 {
120     if(len < 1)
121 	return ASN1_OVERRUN;
122     if(*p != 0)
123 	*data = 1;
124     else
125 	*data = 0;
126     *size = 1;
127     return 0;
128 }
129 
130 int
131 der_get_general_string (const unsigned char *p, size_t len,
132 			heim_general_string *str, size_t *size)
133 {
134     const unsigned char *p1;
135     char *s;
136 
137     p1 = memchr(p, 0, len);
138     if (p1 != NULL) {
139 	/*
140 	 * Allow trailing NULs. We allow this since MIT Kerberos sends
141 	 * an strings in the NEED_PREAUTH case that includes a
142 	 * trailing NUL.
143 	 */
144 	while ((size_t)(p1 - p) < len && *p1 == '\0')
145 	    p1++;
146        if ((size_t)(p1 - p) != len)
147 	    return ASN1_BAD_CHARACTER;
148     }
149     if (len > len + 1)
150 	return ASN1_BAD_LENGTH;
151 
152     s = malloc (len + 1);
153     if (s == NULL)
154 	return ENOMEM;
155     memcpy (s, p, len);
156     s[len] = '\0';
157     *str = s;
158     if(size) *size = len;
159     return 0;
160 }
161 
162 int
163 der_get_utf8string (const unsigned char *p, size_t len,
164 		    heim_utf8_string *str, size_t *size)
165 {
166     return der_get_general_string(p, len, str, size);
167 }
168 
169 int
170 der_get_printable_string(const unsigned char *p, size_t len,
171 			 heim_printable_string *str, size_t *size)
172 {
173     str->length = len;
174     str->data = malloc(len + 1);
175     if (str->data == NULL)
176 	return ENOMEM;
177     memcpy(str->data, p, len);
178     ((char *)str->data)[len] = '\0';
179     if(size) *size = len;
180     return 0;
181 }
182 
183 int
184 der_get_ia5_string(const unsigned char *p, size_t len,
185 		   heim_ia5_string *str, size_t *size)
186 {
187     return der_get_printable_string(p, len, str, size);
188 }
189 
190 int
191 der_get_bmp_string (const unsigned char *p, size_t len,
192 		    heim_bmp_string *data, size_t *size)
193 {
194     size_t i;
195 
196     if (len & 1)
197 	return ASN1_BAD_FORMAT;
198     data->length = len / 2;
199     if (data->length > UINT_MAX/sizeof(data->data[0]))
200 	return ERANGE;
201     data->data = malloc(data->length * sizeof(data->data[0]));
202     if (data->data == NULL && data->length != 0)
203 	return ENOMEM;
204 
205     for (i = 0; i < data->length; i++) {
206 	data->data[i] = (p[0] << 8) | p[1];
207 	p += 2;
208 	/* check for NUL in the middle of the string */
209 	if (data->data[i] == 0 && i != (data->length - 1)) {
210 	    free(data->data);
211 	    data->data = NULL;
212 	    data->length = 0;
213 	    return ASN1_BAD_CHARACTER;
214 	}
215     }
216     if (size) *size = len;
217 
218     return 0;
219 }
220 
221 int
222 der_get_universal_string (const unsigned char *p, size_t len,
223 			  heim_universal_string *data, size_t *size)
224 {
225     size_t i;
226 
227     if (len & 3)
228 	return ASN1_BAD_FORMAT;
229     data->length = len / 4;
230     if (data->length > UINT_MAX/sizeof(data->data[0]))
231 	return ERANGE;
232     data->data = malloc(data->length * sizeof(data->data[0]));
233     if (data->data == NULL && data->length != 0)
234 	return ENOMEM;
235 
236     for (i = 0; i < data->length; i++) {
237 	data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
238 	p += 4;
239 	/* check for NUL in the middle of the string */
240 	if (data->data[i] == 0 && i != (data->length - 1)) {
241 	    free(data->data);
242 	    data->data = NULL;
243 	    data->length = 0;
244 	    return ASN1_BAD_CHARACTER;
245 	}
246     }
247     if (size) *size = len;
248     return 0;
249 }
250 
251 int
252 der_get_visible_string (const unsigned char *p, size_t len,
253 			heim_visible_string *str, size_t *size)
254 {
255     return der_get_general_string(p, len, str, size);
256 }
257 
258 int
259 der_get_octet_string (const unsigned char *p, size_t len,
260 		      heim_octet_string *data, size_t *size)
261 {
262     data->length = len;
263     data->data = malloc(len);
264     if (data->data == NULL && data->length != 0)
265 	return ENOMEM;
266     memcpy (data->data, p, len);
267     if(size) *size = len;
268     return 0;
269 }
270 
271 int
272 der_get_octet_string_ber (const unsigned char *p, size_t len,
273 			  heim_octet_string *data, size_t *size)
274 {
275     int e;
276     Der_type type;
277     Der_class class;
278     unsigned int tag, depth = 0;
279     size_t l, datalen, oldlen = len;
280 
281     data->length = 0;
282     data->data = NULL;
283 
284     while (len) {
285 	e = der_get_tag (p, len, &class, &type, &tag, &l);
286 	if (e) goto out;
287 	if (class != ASN1_C_UNIV) {
288 	    e = ASN1_BAD_ID;
289 	    goto out;
290 	}
291 	if (type == PRIM && tag == UT_EndOfContent) {
292 	    if (depth == 0)
293 		break;
294 	    depth--;
295 	}
296 	if (tag != UT_OctetString) {
297 	    e = ASN1_BAD_ID;
298 	    goto out;
299 	}
300 
301 	p += l;
302 	len -= l;
303 	e = der_get_length (p, len, &datalen, &l);
304 	if (e) goto out;
305 	p += l;
306 	len -= l;
307 
308 	if (datalen > len)
309 	    return ASN1_OVERRUN;
310 
311 	if (type == PRIM) {
312 	    void *ptr;
313 
314 	    ptr = realloc(data->data, data->length + datalen);
315 	    if (ptr == NULL) {
316 		e = ENOMEM;
317 		goto out;
318 	    }
319 	    data->data = ptr;
320 	    memcpy(((unsigned char *)data->data) + data->length, p, datalen);
321 	    data->length += datalen;
322 	} else
323 	    depth++;
324 
325 	p += datalen;
326 	len -= datalen;
327     }
328     if (depth != 0)
329 	return ASN1_INDEF_OVERRUN;
330     if(size) *size = oldlen - len;
331     return 0;
332  out:
333     free(data->data);
334     data->data = NULL;
335     data->length = 0;
336     return e;
337 }
338 
339 
340 int
341 der_get_heim_integer (const unsigned char *p, size_t len,
342 		      heim_integer *data, size_t *size)
343 {
344     data->length = 0;
345     data->negative = 0;
346     data->data = NULL;
347 
348     if (len == 0) {
349 	if (size)
350 	    *size = 0;
351 	return 0;
352     }
353     if (p[0] & 0x80) {
354 	unsigned char *q;
355 	int carry = 1;
356 	data->negative = 1;
357 
358 	data->length = len;
359 
360 	if (p[0] == 0xff) {
361 	    p++;
362 	    data->length--;
363 	}
364 	data->data = malloc(data->length);
365 	if (data->data == NULL) {
366 	    data->length = 0;
367 	    if (size)
368 		*size = 0;
369 	    return ENOMEM;
370 	}
371 	q = &((unsigned char*)data->data)[data->length - 1];
372 	p += data->length - 1;
373 	while (q >= (unsigned char*)data->data) {
374 	    *q = *p ^ 0xff;
375 	    if (carry)
376 		carry = !++*q;
377 	    p--;
378 	    q--;
379 	}
380     } else {
381 	data->negative = 0;
382 	data->length = len;
383 
384 	if (p[0] == 0) {
385 	    p++;
386 	    data->length--;
387 	}
388 	data->data = malloc(data->length);
389 	if (data->data == NULL && data->length != 0) {
390 	    data->length = 0;
391 	    if (size)
392 		*size = 0;
393 	    return ENOMEM;
394 	}
395 	memcpy(data->data, p, data->length);
396     }
397     if (size)
398 	*size = len;
399     return 0;
400 }
401 
402 static int
403 generalizedtime2time (const char *s, time_t *t)
404 {
405     struct tm tm;
406 
407     memset(&tm, 0, sizeof(tm));
408     if (sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
409 		&tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
410 		&tm.tm_min, &tm.tm_sec) != 6) {
411 	if (sscanf (s, "%02d%02d%02d%02d%02d%02dZ",
412 		    &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
413 		    &tm.tm_min, &tm.tm_sec) != 6)
414 	    return ASN1_BAD_TIMEFORMAT;
415 	if (tm.tm_year < 50)
416 	    tm.tm_year += 2000;
417 	else
418 	    tm.tm_year += 1900;
419     }
420     tm.tm_year -= 1900;
421     tm.tm_mon -= 1;
422     *t = _der_timegm (&tm);
423     return 0;
424 }
425 
426 static int
427 der_get_time (const unsigned char *p, size_t len,
428 	      time_t *data, size_t *size)
429 {
430     char *times;
431     int e;
432 
433     if (len > len + 1 || len == 0)
434 	return ASN1_BAD_LENGTH;
435 
436     times = malloc(len + 1);
437     if (times == NULL)
438 	return ENOMEM;
439     memcpy(times, p, len);
440     times[len] = '\0';
441     e = generalizedtime2time(times, data);
442     free (times);
443     if(size) *size = len;
444     return e;
445 }
446 
447 int
448 der_get_generalized_time (const unsigned char *p, size_t len,
449 			  time_t *data, size_t *size)
450 {
451     return der_get_time(p, len, data, size);
452 }
453 
454 int
455 der_get_utctime (const unsigned char *p, size_t len,
456 			  time_t *data, size_t *size)
457 {
458     return der_get_time(p, len, data, size);
459 }
460 
461 int
462 der_get_oid (const unsigned char *p, size_t len,
463 	     heim_oid *data, size_t *size)
464 {
465     size_t n;
466     size_t oldlen = len;
467 
468     if (len < 1)
469 	return ASN1_OVERRUN;
470 
471     if (len > len + 1)
472 	return ASN1_BAD_LENGTH;
473 
474     if (len + 1 > UINT_MAX/sizeof(data->components[0]))
475 	return ERANGE;
476 
477     data->components = malloc((len + 1) * sizeof(data->components[0]));
478     if (data->components == NULL)
479 	return ENOMEM;
480     data->components[0] = (*p) / 40;
481     data->components[1] = (*p) % 40;
482     --len;
483     ++p;
484     for (n = 2; len > 0; ++n) {
485 	unsigned u = 0, u1;
486 
487 	do {
488 	    --len;
489 	    u1 = u * 128 + (*p++ % 128);
490 	    /* check that we don't overflow the element */
491 	    if (u1 < u) {
492 		der_free_oid(data);
493 		return ASN1_OVERRUN;
494 	    }
495 	    u = u1;
496 	} while (len > 0 && p[-1] & 0x80);
497 	data->components[n] = u;
498     }
499     if (n > 2 && p[-1] & 0x80) {
500 	der_free_oid (data);
501 	return ASN1_OVERRUN;
502     }
503     data->length = n;
504     if (size)
505 	*size = oldlen;
506     return 0;
507 }
508 
509 int
510 der_get_tag (const unsigned char *p, size_t len,
511 	     Der_class *class, Der_type *type,
512 	     unsigned int *tag, size_t *size)
513 {
514     size_t ret = 0;
515     if (len < 1)
516 	return ASN1_OVERRUN;
517     *class = (Der_class)(((*p) >> 6) & 0x03);
518     *type = (Der_type)(((*p) >> 5) & 0x01);
519     *tag = (*p) & 0x1f;
520     p++; len--; ret++;
521     if(*tag == 0x1f) {
522 	unsigned int continuation;
523 	unsigned int tag1;
524 	*tag = 0;
525 	do {
526 	    if(len < 1)
527 		return ASN1_OVERRUN;
528 	    continuation = *p & 128;
529 	    tag1 = *tag * 128 + (*p % 128);
530 	    /* check that we don't overflow the tag */
531 	    if (tag1 < *tag)
532 		return ASN1_OVERFLOW;
533 	    *tag = tag1;
534 	    p++; len--; ret++;
535 	} while(continuation);
536     }
537     if(size) *size = ret;
538     return 0;
539 }
540 
541 int
542 der_match_tag (const unsigned char *p, size_t len,
543 	       Der_class class, Der_type type,
544 	       unsigned int tag, size_t *size)
545 {
546     Der_type thistype;
547     int e;
548 
549     e = der_match_tag2(p, len, class, &thistype, tag, size);
550     if (e) return e;
551     if (thistype != type) return ASN1_BAD_ID;
552     return 0;
553 }
554 
555 int
556 der_match_tag2 (const unsigned char *p, size_t len,
557 		Der_class class, Der_type *type,
558 		unsigned int tag, size_t *size)
559 {
560     size_t l;
561     Der_class thisclass;
562     unsigned int thistag;
563     int e;
564 
565     e = der_get_tag (p, len, &thisclass, type, &thistag, &l);
566     if (e) return e;
567     if (class != thisclass)
568 	return ASN1_BAD_ID;
569     if(tag > thistag)
570 	return ASN1_MISPLACED_FIELD;
571     if(tag < thistag)
572 	return ASN1_MISSING_FIELD;
573     if(size) *size = l;
574     return 0;
575 }
576 
577 int
578 der_match_tag_and_length (const unsigned char *p, size_t len,
579 			  Der_class class, Der_type *type, unsigned int tag,
580 			  size_t *length_ret, size_t *size)
581 {
582     size_t l, ret = 0;
583     int e;
584 
585     e = der_match_tag2 (p, len, class, type, tag, &l);
586     if (e) return e;
587     p += l;
588     len -= l;
589     ret += l;
590     e = der_get_length (p, len, length_ret, &l);
591     if (e) return e;
592     if(size) *size = ret + l;
593     return 0;
594 }
595 
596 
597 
598 /*
599  * Old versions of DCE was based on a very early beta of the MIT code,
600  * which used MAVROS for ASN.1 encoding. MAVROS had the interesting
601  * feature that it encoded data in the forward direction, which has
602  * it's problems, since you have no idea how long the data will be
603  * until after you're done. MAVROS solved this by reserving one byte
604  * for length, and later, if the actual length was longer, it reverted
605  * to indefinite, BER style, lengths. The version of MAVROS used by
606  * the DCE people could apparently generate correct X.509 DER encodings, and
607  * did this by making space for the length after encoding, but
608  * unfortunately this feature wasn't used with Kerberos.
609  */
610 
611 int
612 _heim_fix_dce(size_t reallen, size_t *len)
613 {
614     if(reallen == ASN1_INDEFINITE)
615 	return 1;
616     if(*len < reallen)
617 	return -1;
618     *len = reallen;
619     return 0;
620 }
621 
622 int
623 der_get_bit_string (const unsigned char *p, size_t len,
624 		    heim_bit_string *data, size_t *size)
625 {
626     if (len < 1)
627 	return ASN1_OVERRUN;
628     if (p[0] > 7)
629 	return ASN1_BAD_FORMAT;
630     if (len - 1 == 0 && p[0] != 0)
631 	return ASN1_BAD_FORMAT;
632     /* check if any of the three upper bits are set
633      * any of them will cause a interger overrun */
634     if ((len - 1) >> (sizeof(len) * 8 - 3))
635 	return ASN1_OVERRUN;
636     data->length = (len - 1) * 8;
637     data->data = malloc(len - 1);
638     if (data->data == NULL && (len - 1) != 0)
639 	return ENOMEM;
640     /* copy data is there is data to copy */
641     if (len - 1 != 0) {
642       memcpy (data->data, p + 1, len - 1);
643       data->length -= p[0];
644     }
645     if(size) *size = len;
646     return 0;
647 }
648