1 /* tasn_dec.c */ 2 /* 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project 4 * 2000. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * licensing@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 60 #include <stddef.h> 61 #include <string.h> 62 #include <openssl/asn1.h> 63 #include <openssl/asn1t.h> 64 #include <openssl/objects.h> 65 #include <openssl/buffer.h> 66 #include <openssl/err.h> 67 68 /* 69 * Constructed types with a recursive definition (such as can be found in PKCS7) 70 * could eventually exceed the stack given malicious input with excessive 71 * recursion. Therefore we limit the stack depth. This is the maximum number of 72 * recursive invocations of asn1_item_embed_d2i(). 73 */ 74 #define ASN1_MAX_CONSTRUCTED_NEST 30 75 76 static int asn1_check_eoc(const unsigned char **in, long len); 77 static int asn1_find_end(const unsigned char **in, long len, char inf); 78 79 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 80 char inf, int tag, int aclass, int depth); 81 82 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); 83 84 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 85 char *inf, char *cst, 86 const unsigned char **in, long len, 87 int exptag, int expclass, char opt, ASN1_TLC *ctx); 88 89 static int asn1_template_ex_d2i(ASN1_VALUE **pval, 90 const unsigned char **in, long len, 91 const ASN1_TEMPLATE *tt, char opt, 92 ASN1_TLC *ctx, int depth); 93 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 94 const unsigned char **in, long len, 95 const ASN1_TEMPLATE *tt, char opt, 96 ASN1_TLC *ctx, int depth); 97 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 98 const unsigned char **in, long len, 99 const ASN1_ITEM *it, 100 int tag, int aclass, char opt, 101 ASN1_TLC *ctx); 102 103 /* Table to convert tags to bit values, used for MSTRING type */ 104 static const unsigned long tag2bit[32] = { 105 /* tags 0 - 3 */ 106 0, 0, 0, B_ASN1_BIT_STRING, 107 /* tags 4- 7 */ 108 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN, 109 /* tags 8-11 */ 110 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, 111 /* tags 12-15 */ 112 B_ASN1_UTF8STRING, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, 113 /* tags 16-19 */ 114 B_ASN1_SEQUENCE, 0, B_ASN1_NUMERICSTRING, B_ASN1_PRINTABLESTRING, 115 /* tags 20-22 */ 116 B_ASN1_T61STRING, B_ASN1_VIDEOTEXSTRING, B_ASN1_IA5STRING, 117 /* tags 23-24 */ 118 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, 119 /* tags 25-27 */ 120 B_ASN1_GRAPHICSTRING, B_ASN1_ISO64STRING, B_ASN1_GENERALSTRING, 121 /* tags 28-31 */ 122 B_ASN1_UNIVERSALSTRING, B_ASN1_UNKNOWN, B_ASN1_BMPSTRING, B_ASN1_UNKNOWN, 123 }; 124 125 unsigned long ASN1_tag2bit(int tag) 126 { 127 if ((tag < 0) || (tag > 30)) 128 return 0; 129 return tag2bit[tag]; 130 } 131 132 /* Macro to initialize and invalidate the cache */ 133 134 #define asn1_tlc_clear(c) if (c) (c)->valid = 0 135 /* Version to avoid compiler warning about 'c' always non-NULL */ 136 #define asn1_tlc_clear_nc(c) (c)->valid = 0 137 138 /* 139 * Decode an ASN1 item, this currently behaves just like a standard 'd2i' 140 * function. 'in' points to a buffer to read the data from, in future we 141 * will have more advanced versions that can input data a piece at a time and 142 * this will simply be a special case. 143 */ 144 145 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, 146 const unsigned char **in, long len, 147 const ASN1_ITEM *it) 148 { 149 ASN1_TLC c; 150 ASN1_VALUE *ptmpval = NULL; 151 if (!pval) 152 pval = &ptmpval; 153 asn1_tlc_clear_nc(&c); 154 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 155 return *pval; 156 return NULL; 157 } 158 159 int ASN1_template_d2i(ASN1_VALUE **pval, 160 const unsigned char **in, long len, 161 const ASN1_TEMPLATE *tt) 162 { 163 ASN1_TLC c; 164 asn1_tlc_clear_nc(&c); 165 return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0); 166 } 167 168 /* 169 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and 170 * tag mismatch return -1 to handle OPTIONAL 171 */ 172 static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, 173 long len, const ASN1_ITEM *it, int tag, int aclass, 174 char opt, ASN1_TLC *ctx, int depth) 175 { 176 const ASN1_TEMPLATE *tt, *errtt = NULL; 177 const ASN1_COMPAT_FUNCS *cf; 178 const ASN1_EXTERN_FUNCS *ef; 179 const ASN1_AUX *aux = it->funcs; 180 ASN1_aux_cb *asn1_cb; 181 const unsigned char *p = NULL, *q; 182 unsigned char *wp = NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ 183 unsigned char imphack = 0, oclass; 184 char seq_eoc, seq_nolen, cst, isopt; 185 long tmplen; 186 int i; 187 int otag; 188 int ret = 0; 189 ASN1_VALUE **pchptr, *ptmpval; 190 int combine = aclass & ASN1_TFLG_COMBINE; 191 aclass &= ~ASN1_TFLG_COMBINE; 192 if (!pval) 193 return 0; 194 if (aux && aux->asn1_cb) 195 asn1_cb = aux->asn1_cb; 196 else 197 asn1_cb = 0; 198 199 if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { 200 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NESTED_TOO_DEEP); 201 goto err; 202 } 203 204 switch (it->itype) { 205 case ASN1_ITYPE_PRIMITIVE: 206 if (it->templates) { 207 /* 208 * tagging or OPTIONAL is currently illegal on an item template 209 * because the flags can't get passed down. In practice this 210 * isn't a problem: we include the relevant flags from the item 211 * template in the template itself. 212 */ 213 if ((tag != -1) || opt) { 214 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 215 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); 216 goto err; 217 } 218 return asn1_template_ex_d2i(pval, in, len, 219 it->templates, opt, ctx, depth); 220 } 221 return asn1_d2i_ex_primitive(pval, in, len, it, 222 tag, aclass, opt, ctx); 223 break; 224 225 case ASN1_ITYPE_MSTRING: 226 p = *in; 227 /* Just read in tag and class */ 228 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, 229 &p, len, -1, 0, 1, ctx); 230 if (!ret) { 231 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 232 goto err; 233 } 234 235 /* Must be UNIVERSAL class */ 236 if (oclass != V_ASN1_UNIVERSAL) { 237 /* If OPTIONAL, assume this is OK */ 238 if (opt) 239 return -1; 240 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL); 241 goto err; 242 } 243 /* Check tag matches bit map */ 244 if (!(ASN1_tag2bit(otag) & it->utype)) { 245 /* If OPTIONAL, assume this is OK */ 246 if (opt) 247 return -1; 248 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_WRONG_TAG); 249 goto err; 250 } 251 return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx); 252 253 case ASN1_ITYPE_EXTERN: 254 /* Use new style d2i */ 255 ef = it->funcs; 256 return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx); 257 258 case ASN1_ITYPE_COMPAT: 259 /* we must resort to old style evil hackery */ 260 cf = it->funcs; 261 262 /* If OPTIONAL see if it is there */ 263 if (opt) { 264 int exptag; 265 p = *in; 266 if (tag == -1) 267 exptag = it->utype; 268 else 269 exptag = tag; 270 /* 271 * Don't care about anything other than presence of expected tag 272 */ 273 274 ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, 275 &p, len, exptag, aclass, 1, ctx); 276 if (!ret) { 277 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 278 goto err; 279 } 280 if (ret == -1) 281 return -1; 282 } 283 284 /* 285 * This is the old style evil hack IMPLICIT handling: since the 286 * underlying code is expecting a tag and class other than the one 287 * present we change the buffer temporarily then change it back 288 * afterwards. This doesn't and never did work for tags > 30. Yes 289 * this is *horrible* but it is only needed for old style d2i which 290 * will hopefully not be around for much longer. FIXME: should copy 291 * the buffer then modify it so the input buffer can be const: we 292 * should *always* copy because the old style d2i might modify the 293 * buffer. 294 */ 295 296 if (tag != -1) { 297 wp = *(unsigned char **)in; 298 imphack = *wp; 299 if (p == NULL) { 300 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 301 goto err; 302 } 303 *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) 304 | it->utype); 305 } 306 307 ptmpval = cf->asn1_d2i(pval, in, len); 308 309 if (tag != -1) 310 *wp = imphack; 311 312 if (ptmpval) 313 return 1; 314 315 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 316 goto err; 317 318 case ASN1_ITYPE_CHOICE: 319 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) 320 goto auxerr; 321 if (*pval) { 322 /* Free up and zero CHOICE value if initialised */ 323 i = asn1_get_choice_selector(pval, it); 324 if ((i >= 0) && (i < it->tcount)) { 325 tt = it->templates + i; 326 pchptr = asn1_get_field_ptr(pval, tt); 327 ASN1_template_free(pchptr, tt); 328 asn1_set_choice_selector(pval, -1, it); 329 } 330 } else if (!ASN1_item_ex_new(pval, it)) { 331 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 332 goto err; 333 } 334 /* CHOICE type, try each possibility in turn */ 335 p = *in; 336 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { 337 pchptr = asn1_get_field_ptr(pval, tt); 338 /* 339 * We mark field as OPTIONAL so its absence can be recognised. 340 */ 341 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth); 342 /* If field not present, try the next one */ 343 if (ret == -1) 344 continue; 345 /* If positive return, read OK, break loop */ 346 if (ret > 0) 347 break; 348 /* Otherwise must be an ASN1 parsing error */ 349 errtt = tt; 350 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 351 goto err; 352 } 353 354 /* Did we fall off the end without reading anything? */ 355 if (i == it->tcount) { 356 /* If OPTIONAL, this is OK */ 357 if (opt) { 358 /* Free and zero it */ 359 ASN1_item_ex_free(pval, it); 360 return -1; 361 } 362 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE); 363 goto err; 364 } 365 366 asn1_set_choice_selector(pval, i, it); 367 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) 368 goto auxerr; 369 *in = p; 370 return 1; 371 372 case ASN1_ITYPE_NDEF_SEQUENCE: 373 case ASN1_ITYPE_SEQUENCE: 374 p = *in; 375 tmplen = len; 376 377 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ 378 if (tag == -1) { 379 tag = V_ASN1_SEQUENCE; 380 aclass = V_ASN1_UNIVERSAL; 381 } 382 /* Get SEQUENCE length and update len, p */ 383 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, 384 &p, len, tag, aclass, opt, ctx); 385 if (!ret) { 386 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 387 goto err; 388 } else if (ret == -1) 389 return -1; 390 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) { 391 len = tmplen - (p - *in); 392 seq_nolen = 1; 393 } 394 /* If indefinite we don't do a length check */ 395 else 396 seq_nolen = seq_eoc; 397 if (!cst) { 398 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED); 399 goto err; 400 } 401 402 if (!*pval && !ASN1_item_ex_new(pval, it)) { 403 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 404 goto err; 405 } 406 407 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) 408 goto auxerr; 409 410 /* Free up and zero any ADB found */ 411 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { 412 if (tt->flags & ASN1_TFLG_ADB_MASK) { 413 const ASN1_TEMPLATE *seqtt; 414 ASN1_VALUE **pseqval; 415 seqtt = asn1_do_adb(pval, tt, 0); 416 if (seqtt == NULL) 417 continue; 418 pseqval = asn1_get_field_ptr(pval, seqtt); 419 ASN1_template_free(pseqval, seqtt); 420 } 421 } 422 423 /* Get each field entry */ 424 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { 425 const ASN1_TEMPLATE *seqtt; 426 ASN1_VALUE **pseqval; 427 seqtt = asn1_do_adb(pval, tt, 1); 428 if (seqtt == NULL) 429 goto err; 430 pseqval = asn1_get_field_ptr(pval, seqtt); 431 /* Have we ran out of data? */ 432 if (!len) 433 break; 434 q = p; 435 if (asn1_check_eoc(&p, len)) { 436 if (!seq_eoc) { 437 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_UNEXPECTED_EOC); 438 goto err; 439 } 440 len -= p - q; 441 seq_eoc = 0; 442 q = p; 443 break; 444 } 445 /* 446 * This determines the OPTIONAL flag value. The field cannot be 447 * omitted if it is the last of a SEQUENCE and there is still 448 * data to be read. This isn't strictly necessary but it 449 * increases efficiency in some cases. 450 */ 451 if (i == (it->tcount - 1)) 452 isopt = 0; 453 else 454 isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); 455 /* 456 * attempt to read in field, allowing each to be OPTIONAL 457 */ 458 459 ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx, 460 depth); 461 if (!ret) { 462 errtt = seqtt; 463 goto err; 464 } else if (ret == -1) { 465 /* 466 * OPTIONAL component absent. Free and zero the field. 467 */ 468 ASN1_template_free(pseqval, seqtt); 469 continue; 470 } 471 /* Update length */ 472 len -= p - q; 473 } 474 475 /* Check for EOC if expecting one */ 476 if (seq_eoc && !asn1_check_eoc(&p, len)) { 477 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC); 478 goto err; 479 } 480 /* Check all data read */ 481 if (!seq_nolen && len) { 482 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH); 483 goto err; 484 } 485 486 /* 487 * If we get here we've got no more data in the SEQUENCE, however we 488 * may not have read all fields so check all remaining are OPTIONAL 489 * and clear any that are. 490 */ 491 for (; i < it->tcount; tt++, i++) { 492 const ASN1_TEMPLATE *seqtt; 493 seqtt = asn1_do_adb(pval, tt, 1); 494 if (seqtt == NULL) 495 goto err; 496 if (seqtt->flags & ASN1_TFLG_OPTIONAL) { 497 ASN1_VALUE **pseqval; 498 pseqval = asn1_get_field_ptr(pval, seqtt); 499 ASN1_template_free(pseqval, seqtt); 500 } else { 501 errtt = seqtt; 502 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_FIELD_MISSING); 503 goto err; 504 } 505 } 506 /* Save encoding */ 507 if (!asn1_enc_save(pval, *in, p - *in, it)) 508 goto auxerr; 509 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) 510 goto auxerr; 511 *in = p; 512 return 1; 513 514 default: 515 return 0; 516 } 517 auxerr: 518 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); 519 err: 520 if (combine == 0) 521 ASN1_item_ex_free(pval, it); 522 if (errtt) 523 ERR_add_error_data(4, "Field=", errtt->field_name, 524 ", Type=", it->sname); 525 else 526 ERR_add_error_data(2, "Type=", it->sname); 527 return 0; 528 } 529 530 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 531 const ASN1_ITEM *it, 532 int tag, int aclass, char opt, ASN1_TLC *ctx) 533 { 534 return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0); 535 } 536 537 /* 538 * Templates are handled with two separate functions. One handles any 539 * EXPLICIT tag and the other handles the rest. 540 */ 541 542 static int asn1_template_ex_d2i(ASN1_VALUE **val, 543 const unsigned char **in, long inlen, 544 const ASN1_TEMPLATE *tt, char opt, 545 ASN1_TLC *ctx, int depth) 546 { 547 int flags, aclass; 548 int ret; 549 long len; 550 const unsigned char *p, *q; 551 char exp_eoc; 552 if (!val) 553 return 0; 554 flags = tt->flags; 555 aclass = flags & ASN1_TFLG_TAG_CLASS; 556 557 p = *in; 558 559 /* Check if EXPLICIT tag expected */ 560 if (flags & ASN1_TFLG_EXPTAG) { 561 char cst; 562 /* 563 * Need to work out amount of data available to the inner content and 564 * where it starts: so read in EXPLICIT header to get the info. 565 */ 566 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, 567 &p, inlen, tt->tag, aclass, opt, ctx); 568 q = p; 569 if (!ret) { 570 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 571 return 0; 572 } else if (ret == -1) 573 return -1; 574 if (!cst) { 575 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 576 ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); 577 return 0; 578 } 579 /* We've found the field so it can't be OPTIONAL now */ 580 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); 581 if (!ret) { 582 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 583 return 0; 584 } 585 /* We read the field in OK so update length */ 586 len -= p - q; 587 if (exp_eoc) { 588 /* If NDEF we must have an EOC here */ 589 if (!asn1_check_eoc(&p, len)) { 590 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_MISSING_EOC); 591 goto err; 592 } 593 } else { 594 /* 595 * Otherwise we must hit the EXPLICIT tag end or its an error 596 */ 597 if (len) { 598 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 599 ASN1_R_EXPLICIT_LENGTH_MISMATCH); 600 goto err; 601 } 602 } 603 } else 604 return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth); 605 606 *in = p; 607 return 1; 608 609 err: 610 ASN1_template_free(val, tt); 611 return 0; 612 } 613 614 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 615 const unsigned char **in, long len, 616 const ASN1_TEMPLATE *tt, char opt, 617 ASN1_TLC *ctx, int depth) 618 { 619 int flags, aclass; 620 int ret; 621 const unsigned char *p, *q; 622 if (!val) 623 return 0; 624 flags = tt->flags; 625 aclass = flags & ASN1_TFLG_TAG_CLASS; 626 627 p = *in; 628 q = p; 629 630 if (flags & ASN1_TFLG_SK_MASK) { 631 /* SET OF, SEQUENCE OF */ 632 int sktag, skaclass; 633 char sk_eoc; 634 /* First work out expected inner tag value */ 635 if (flags & ASN1_TFLG_IMPTAG) { 636 sktag = tt->tag; 637 skaclass = aclass; 638 } else { 639 skaclass = V_ASN1_UNIVERSAL; 640 if (flags & ASN1_TFLG_SET_OF) 641 sktag = V_ASN1_SET; 642 else 643 sktag = V_ASN1_SEQUENCE; 644 } 645 /* Get the tag */ 646 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, 647 &p, len, sktag, skaclass, opt, ctx); 648 if (!ret) { 649 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); 650 return 0; 651 } else if (ret == -1) 652 return -1; 653 if (!*val) 654 *val = (ASN1_VALUE *)sk_new_null(); 655 else { 656 /* 657 * We've got a valid STACK: free up any items present 658 */ 659 STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val; 660 ASN1_VALUE *vtmp; 661 while (sk_ASN1_VALUE_num(sktmp) > 0) { 662 vtmp = sk_ASN1_VALUE_pop(sktmp); 663 ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item)); 664 } 665 } 666 667 if (!*val) { 668 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE); 669 goto err; 670 } 671 672 /* Read as many items as we can */ 673 while (len > 0) { 674 ASN1_VALUE *skfield; 675 q = p; 676 /* See if EOC found */ 677 if (asn1_check_eoc(&p, len)) { 678 if (!sk_eoc) { 679 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 680 ASN1_R_UNEXPECTED_EOC); 681 goto err; 682 } 683 len -= p - q; 684 sk_eoc = 0; 685 break; 686 } 687 skfield = NULL; 688 if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), 689 -1, 0, 0, ctx, depth)) { 690 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 691 ERR_R_NESTED_ASN1_ERROR); 692 goto err; 693 } 694 len -= p - q; 695 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) { 696 ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item)); 697 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE); 698 goto err; 699 } 700 } 701 if (sk_eoc) { 702 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC); 703 goto err; 704 } 705 } else if (flags & ASN1_TFLG_IMPTAG) { 706 /* IMPLICIT tagging */ 707 ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, 708 aclass, opt, ctx, depth); 709 if (!ret) { 710 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); 711 goto err; 712 } else if (ret == -1) 713 return -1; 714 } else { 715 /* Nothing special */ 716 ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), 717 -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, 718 depth); 719 if (!ret) { 720 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); 721 goto err; 722 } else if (ret == -1) 723 return -1; 724 } 725 726 *in = p; 727 return 1; 728 729 err: 730 ASN1_template_free(val, tt); 731 return 0; 732 } 733 734 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 735 const unsigned char **in, long inlen, 736 const ASN1_ITEM *it, 737 int tag, int aclass, char opt, ASN1_TLC *ctx) 738 { 739 int ret = 0, utype; 740 long plen; 741 char cst, inf, free_cont = 0; 742 const unsigned char *p; 743 BUF_MEM buf = { 0, NULL, 0 }; 744 const unsigned char *cont = NULL; 745 long len; 746 if (!pval) { 747 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL); 748 return 0; /* Should never happen */ 749 } 750 751 if (it->itype == ASN1_ITYPE_MSTRING) { 752 utype = tag; 753 tag = -1; 754 } else 755 utype = it->utype; 756 757 if (utype == V_ASN1_ANY) { 758 /* If type is ANY need to figure out type from tag */ 759 unsigned char oclass; 760 if (tag >= 0) { 761 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_TAGGED_ANY); 762 return 0; 763 } 764 if (opt) { 765 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 766 ASN1_R_ILLEGAL_OPTIONAL_ANY); 767 return 0; 768 } 769 p = *in; 770 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, 771 &p, inlen, -1, 0, 0, ctx); 772 if (!ret) { 773 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); 774 return 0; 775 } 776 if (oclass != V_ASN1_UNIVERSAL) 777 utype = V_ASN1_OTHER; 778 } 779 if (tag == -1) { 780 tag = utype; 781 aclass = V_ASN1_UNIVERSAL; 782 } 783 p = *in; 784 /* Check header */ 785 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, 786 &p, inlen, tag, aclass, opt, ctx); 787 if (!ret) { 788 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); 789 return 0; 790 } else if (ret == -1) 791 return -1; 792 ret = 0; 793 /* SEQUENCE, SET and "OTHER" are left in encoded form */ 794 if ((utype == V_ASN1_SEQUENCE) 795 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) { 796 /* 797 * Clear context cache for type OTHER because the auto clear when we 798 * have a exact match wont work 799 */ 800 if (utype == V_ASN1_OTHER) { 801 asn1_tlc_clear(ctx); 802 } 803 /* SEQUENCE and SET must be constructed */ 804 else if (!cst) { 805 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 806 ASN1_R_TYPE_NOT_CONSTRUCTED); 807 return 0; 808 } 809 810 cont = *in; 811 /* If indefinite length constructed find the real end */ 812 if (inf) { 813 if (!asn1_find_end(&p, plen, inf)) 814 goto err; 815 len = p - cont; 816 } else { 817 len = p - cont + plen; 818 p += plen; 819 } 820 } else if (cst) { 821 if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN 822 || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER 823 || utype == V_ASN1_ENUMERATED) { 824 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_PRIMITIVE); 825 return 0; 826 } 827 828 /* Free any returned 'buf' content */ 829 free_cont = 1; 830 /* 831 * Should really check the internal tags are correct but some things 832 * may get this wrong. The relevant specs say that constructed string 833 * types should be OCTET STRINGs internally irrespective of the type. 834 * So instead just check for UNIVERSAL class and ignore the tag. 835 */ 836 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) { 837 goto err; 838 } 839 len = buf.length; 840 /* Append a final null to string */ 841 if (!BUF_MEM_grow_clean(&buf, len + 1)) { 842 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE); 843 goto err; 844 } 845 buf.data[len] = 0; 846 cont = (const unsigned char *)buf.data; 847 } else { 848 cont = p; 849 len = plen; 850 p += plen; 851 } 852 853 /* We now have content length and type: translate into a structure */ 854 /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */ 855 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) 856 goto err; 857 858 *in = p; 859 ret = 1; 860 err: 861 if (free_cont && buf.data) 862 OPENSSL_free(buf.data); 863 return ret; 864 } 865 866 /* Translate ASN1 content octets into a structure */ 867 868 int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, 869 int utype, char *free_cont, const ASN1_ITEM *it) 870 { 871 ASN1_VALUE **opval = NULL; 872 ASN1_STRING *stmp; 873 ASN1_TYPE *typ = NULL; 874 int ret = 0; 875 const ASN1_PRIMITIVE_FUNCS *pf; 876 ASN1_INTEGER **tint; 877 pf = it->funcs; 878 879 if (pf && pf->prim_c2i) 880 return pf->prim_c2i(pval, cont, len, utype, free_cont, it); 881 /* If ANY type clear type and set pointer to internal value */ 882 if (it->utype == V_ASN1_ANY) { 883 if (!*pval) { 884 typ = ASN1_TYPE_new(); 885 if (typ == NULL) 886 goto err; 887 *pval = (ASN1_VALUE *)typ; 888 } else 889 typ = (ASN1_TYPE *)*pval; 890 891 if (utype != typ->type) 892 ASN1_TYPE_set(typ, utype, NULL); 893 opval = pval; 894 pval = &typ->value.asn1_value; 895 } 896 switch (utype) { 897 case V_ASN1_OBJECT: 898 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) 899 goto err; 900 break; 901 902 case V_ASN1_NULL: 903 if (len) { 904 ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_NULL_IS_WRONG_LENGTH); 905 goto err; 906 } 907 *pval = (ASN1_VALUE *)1; 908 break; 909 910 case V_ASN1_BOOLEAN: 911 if (len != 1) { 912 ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_BOOLEAN_IS_WRONG_LENGTH); 913 goto err; 914 } else { 915 ASN1_BOOLEAN *tbool; 916 tbool = (ASN1_BOOLEAN *)pval; 917 *tbool = *cont; 918 } 919 break; 920 921 case V_ASN1_BIT_STRING: 922 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) 923 goto err; 924 break; 925 926 case V_ASN1_INTEGER: 927 case V_ASN1_ENUMERATED: 928 tint = (ASN1_INTEGER **)pval; 929 if (!c2i_ASN1_INTEGER(tint, &cont, len)) 930 goto err; 931 /* Fixup type to match the expected form */ 932 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); 933 break; 934 935 case V_ASN1_OCTET_STRING: 936 case V_ASN1_NUMERICSTRING: 937 case V_ASN1_PRINTABLESTRING: 938 case V_ASN1_T61STRING: 939 case V_ASN1_VIDEOTEXSTRING: 940 case V_ASN1_IA5STRING: 941 case V_ASN1_UTCTIME: 942 case V_ASN1_GENERALIZEDTIME: 943 case V_ASN1_GRAPHICSTRING: 944 case V_ASN1_VISIBLESTRING: 945 case V_ASN1_GENERALSTRING: 946 case V_ASN1_UNIVERSALSTRING: 947 case V_ASN1_BMPSTRING: 948 case V_ASN1_UTF8STRING: 949 case V_ASN1_OTHER: 950 case V_ASN1_SET: 951 case V_ASN1_SEQUENCE: 952 default: 953 if (utype == V_ASN1_BMPSTRING && (len & 1)) { 954 ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); 955 goto err; 956 } 957 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) { 958 ASN1err(ASN1_F_ASN1_EX_C2I, 959 ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); 960 goto err; 961 } 962 /* All based on ASN1_STRING and handled the same */ 963 if (!*pval) { 964 stmp = ASN1_STRING_type_new(utype); 965 if (!stmp) { 966 ASN1err(ASN1_F_ASN1_EX_C2I, ERR_R_MALLOC_FAILURE); 967 goto err; 968 } 969 *pval = (ASN1_VALUE *)stmp; 970 } else { 971 stmp = (ASN1_STRING *)*pval; 972 stmp->type = utype; 973 } 974 /* If we've already allocated a buffer use it */ 975 if (*free_cont) { 976 if (stmp->data) 977 OPENSSL_free(stmp->data); 978 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ 979 stmp->length = len; 980 *free_cont = 0; 981 } else { 982 if (!ASN1_STRING_set(stmp, cont, len)) { 983 ASN1err(ASN1_F_ASN1_EX_C2I, ERR_R_MALLOC_FAILURE); 984 ASN1_STRING_free(stmp); 985 *pval = NULL; 986 goto err; 987 } 988 } 989 break; 990 } 991 /* If ASN1_ANY and NULL type fix up value */ 992 if (typ && (utype == V_ASN1_NULL)) 993 typ->value.ptr = NULL; 994 995 ret = 1; 996 err: 997 if (!ret) { 998 ASN1_TYPE_free(typ); 999 if (opval) 1000 *opval = NULL; 1001 } 1002 return ret; 1003 } 1004 1005 /* 1006 * This function finds the end of an ASN1 structure when passed its maximum 1007 * length, whether it is indefinite length and a pointer to the content. This 1008 * is more efficient than calling asn1_collect because it does not recurse on 1009 * each indefinite length header. 1010 */ 1011 1012 static int asn1_find_end(const unsigned char **in, long len, char inf) 1013 { 1014 int expected_eoc; 1015 long plen; 1016 const unsigned char *p = *in, *q; 1017 /* If not indefinite length constructed just add length */ 1018 if (inf == 0) { 1019 *in += len; 1020 return 1; 1021 } 1022 expected_eoc = 1; 1023 /* 1024 * Indefinite length constructed form. Find the end when enough EOCs are 1025 * found. If more indefinite length constructed headers are encountered 1026 * increment the expected eoc count otherwise just skip to the end of the 1027 * data. 1028 */ 1029 while (len > 0) { 1030 if (asn1_check_eoc(&p, len)) { 1031 expected_eoc--; 1032 if (expected_eoc == 0) 1033 break; 1034 len -= 2; 1035 continue; 1036 } 1037 q = p; 1038 /* Just read in a header: only care about the length */ 1039 if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, 1040 -1, 0, 0, NULL)) { 1041 ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR); 1042 return 0; 1043 } 1044 if (inf) 1045 expected_eoc++; 1046 else 1047 p += plen; 1048 len -= p - q; 1049 } 1050 if (expected_eoc) { 1051 ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC); 1052 return 0; 1053 } 1054 *in = p; 1055 return 1; 1056 } 1057 1058 /* 1059 * This function collects the asn1 data from a constructred string type into 1060 * a buffer. The values of 'in' and 'len' should refer to the contents of the 1061 * constructed type and 'inf' should be set if it is indefinite length. 1062 */ 1063 1064 #ifndef ASN1_MAX_STRING_NEST 1065 /* 1066 * This determines how many levels of recursion are permitted in ASN1 string 1067 * types. If it is not limited stack overflows can occur. If set to zero no 1068 * recursion is allowed at all. Although zero should be adequate examples 1069 * exist that require a value of 1. So 5 should be more than enough. 1070 */ 1071 # define ASN1_MAX_STRING_NEST 5 1072 #endif 1073 1074 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 1075 char inf, int tag, int aclass, int depth) 1076 { 1077 const unsigned char *p, *q; 1078 long plen; 1079 char cst, ininf; 1080 p = *in; 1081 inf &= 1; 1082 /* 1083 * If no buffer and not indefinite length constructed just pass over the 1084 * encoded data 1085 */ 1086 if (!buf && !inf) { 1087 *in += len; 1088 return 1; 1089 } 1090 while (len > 0) { 1091 q = p; 1092 /* Check for EOC */ 1093 if (asn1_check_eoc(&p, len)) { 1094 /* 1095 * EOC is illegal outside indefinite length constructed form 1096 */ 1097 if (!inf) { 1098 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_UNEXPECTED_EOC); 1099 return 0; 1100 } 1101 inf = 0; 1102 break; 1103 } 1104 1105 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, 1106 len, tag, aclass, 0, NULL)) { 1107 ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR); 1108 return 0; 1109 } 1110 1111 /* If indefinite length constructed update max length */ 1112 if (cst) { 1113 if (depth >= ASN1_MAX_STRING_NEST) { 1114 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING); 1115 return 0; 1116 } 1117 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, depth + 1)) 1118 return 0; 1119 } else if (plen && !collect_data(buf, &p, plen)) 1120 return 0; 1121 len -= p - q; 1122 } 1123 if (inf) { 1124 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC); 1125 return 0; 1126 } 1127 *in = p; 1128 return 1; 1129 } 1130 1131 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) 1132 { 1133 int len; 1134 if (buf) { 1135 len = buf->length; 1136 if (!BUF_MEM_grow_clean(buf, len + plen)) { 1137 ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE); 1138 return 0; 1139 } 1140 memcpy(buf->data + len, *p, plen); 1141 } 1142 *p += plen; 1143 return 1; 1144 } 1145 1146 /* Check for ASN1 EOC and swallow it if found */ 1147 1148 static int asn1_check_eoc(const unsigned char **in, long len) 1149 { 1150 const unsigned char *p; 1151 if (len < 2) 1152 return 0; 1153 p = *in; 1154 if (!p[0] && !p[1]) { 1155 *in += 2; 1156 return 1; 1157 } 1158 return 0; 1159 } 1160 1161 /* 1162 * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the 1163 * length for indefinite length constructed form, we don't know the exact 1164 * length but we can set an upper bound to the amount of data available minus 1165 * the header length just read. 1166 */ 1167 1168 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 1169 char *inf, char *cst, 1170 const unsigned char **in, long len, 1171 int exptag, int expclass, char opt, ASN1_TLC *ctx) 1172 { 1173 int i; 1174 int ptag, pclass; 1175 long plen; 1176 const unsigned char *p, *q; 1177 p = *in; 1178 q = p; 1179 1180 if (ctx && ctx->valid) { 1181 i = ctx->ret; 1182 plen = ctx->plen; 1183 pclass = ctx->pclass; 1184 ptag = ctx->ptag; 1185 p += ctx->hdrlen; 1186 } else { 1187 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); 1188 if (ctx) { 1189 ctx->ret = i; 1190 ctx->plen = plen; 1191 ctx->pclass = pclass; 1192 ctx->ptag = ptag; 1193 ctx->hdrlen = p - q; 1194 ctx->valid = 1; 1195 /* 1196 * If definite length, and no error, length + header can't exceed 1197 * total amount of data available. 1198 */ 1199 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) { 1200 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG); 1201 asn1_tlc_clear(ctx); 1202 return 0; 1203 } 1204 } 1205 } 1206 1207 if (i & 0x80) { 1208 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER); 1209 asn1_tlc_clear(ctx); 1210 return 0; 1211 } 1212 if (exptag >= 0) { 1213 if ((exptag != ptag) || (expclass != pclass)) { 1214 /* 1215 * If type is OPTIONAL, not an error: indicate missing type. 1216 */ 1217 if (opt) 1218 return -1; 1219 asn1_tlc_clear(ctx); 1220 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG); 1221 return 0; 1222 } 1223 /* 1224 * We have a tag and class match: assume we are going to do something 1225 * with it 1226 */ 1227 asn1_tlc_clear(ctx); 1228 } 1229 1230 if (i & 1) 1231 plen = len - (p - q); 1232 1233 if (inf) 1234 *inf = i & 1; 1235 1236 if (cst) 1237 *cst = i & V_ASN1_CONSTRUCTED; 1238 1239 if (olen) 1240 *olen = plen; 1241 1242 if (oclass) 1243 *oclass = pclass; 1244 1245 if (otag) 1246 *otag = ptag; 1247 1248 *in = p; 1249 return 1; 1250 } 1251