1 /* tasn_dec.c */ 2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * project 2000. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay@cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh@cryptsoft.com). 56 * 57 */ 58 59 60 #include <stddef.h> 61 #include <string.h> 62 #include <openssl/asn1.h> 63 #include <openssl/asn1t.h> 64 #include <openssl/objects.h> 65 #include <openssl/buffer.h> 66 #include <openssl/err.h> 67 68 static int asn1_check_eoc(const unsigned char **in, long len); 69 static int asn1_find_end(const unsigned char **in, long len, char inf); 70 71 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 72 char inf, int tag, int aclass, int depth); 73 74 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); 75 76 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 77 char *inf, char *cst, 78 const unsigned char **in, long len, 79 int exptag, int expclass, char opt, 80 ASN1_TLC *ctx); 81 82 static int asn1_template_ex_d2i(ASN1_VALUE **pval, 83 const unsigned char **in, long len, 84 const ASN1_TEMPLATE *tt, char opt, 85 ASN1_TLC *ctx); 86 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 87 const unsigned char **in, long len, 88 const ASN1_TEMPLATE *tt, char opt, 89 ASN1_TLC *ctx); 90 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 91 const unsigned char **in, long len, 92 const ASN1_ITEM *it, 93 int tag, int aclass, char opt, ASN1_TLC *ctx); 94 95 /* Table to convert tags to bit values, used for MSTRING type */ 96 static const unsigned long tag2bit[32] = { 97 0, 0, 0, B_ASN1_BIT_STRING, /* tags 0 - 3 */ 98 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,/* tags 4- 7 */ 99 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags 8-11 */ 100 B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */ 101 B_ASN1_SEQUENCE,0,B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */ 102 B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING, /* tags 20-22 */ 103 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 23-24 */ 104 B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING, /* tags 25-27 */ 105 B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */ 106 }; 107 108 unsigned long ASN1_tag2bit(int tag) 109 { 110 if ((tag < 0) || (tag > 30)) return 0; 111 return tag2bit[tag]; 112 } 113 114 /* Macro to initialize and invalidate the cache */ 115 116 #define asn1_tlc_clear(c) if (c) (c)->valid = 0 117 118 /* Decode an ASN1 item, this currently behaves just 119 * like a standard 'd2i' function. 'in' points to 120 * a buffer to read the data from, in future we will 121 * have more advanced versions that can input data 122 * a piece at a time and this will simply be a special 123 * case. 124 */ 125 126 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, 127 const unsigned char **in, long len, const ASN1_ITEM *it) 128 { 129 ASN1_TLC c; 130 ASN1_VALUE *ptmpval = NULL; 131 if (!pval) 132 pval = &ptmpval; 133 c.valid = 0; 134 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 135 return *pval; 136 return NULL; 137 } 138 139 int ASN1_template_d2i(ASN1_VALUE **pval, 140 const unsigned char **in, long len, const ASN1_TEMPLATE *tt) 141 { 142 ASN1_TLC c; 143 c.valid = 0; 144 return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); 145 } 146 147 148 /* Decode an item, taking care of IMPLICIT tagging, if any. 149 * If 'opt' set and tag mismatch return -1 to handle OPTIONAL 150 */ 151 152 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 153 const ASN1_ITEM *it, 154 int tag, int aclass, char opt, ASN1_TLC *ctx) 155 { 156 const ASN1_TEMPLATE *tt, *errtt = NULL; 157 const ASN1_COMPAT_FUNCS *cf; 158 const ASN1_EXTERN_FUNCS *ef; 159 const ASN1_AUX *aux = it->funcs; 160 ASN1_aux_cb *asn1_cb; 161 const unsigned char *p = NULL, *q; 162 unsigned char *wp=NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ 163 unsigned char imphack = 0, oclass; 164 char seq_eoc, seq_nolen, cst, isopt; 165 long tmplen; 166 int i; 167 int otag; 168 int ret = 0; 169 ASN1_VALUE **pchptr, *ptmpval; 170 if (!pval) 171 return 0; 172 if (aux && aux->asn1_cb) 173 asn1_cb = aux->asn1_cb; 174 else asn1_cb = 0; 175 176 switch(it->itype) 177 { 178 case ASN1_ITYPE_PRIMITIVE: 179 if (it->templates) 180 { 181 /* tagging or OPTIONAL is currently illegal on an item 182 * template because the flags can't get passed down. 183 * In practice this isn't a problem: we include the 184 * relevant flags from the item template in the 185 * template itself. 186 */ 187 if ((tag != -1) || opt) 188 { 189 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 190 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); 191 goto err; 192 } 193 return asn1_template_ex_d2i(pval, in, len, 194 it->templates, opt, ctx); 195 } 196 return asn1_d2i_ex_primitive(pval, in, len, it, 197 tag, aclass, opt, ctx); 198 break; 199 200 case ASN1_ITYPE_MSTRING: 201 p = *in; 202 /* Just read in tag and class */ 203 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, 204 &p, len, -1, 0, 1, ctx); 205 if (!ret) 206 { 207 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 208 ERR_R_NESTED_ASN1_ERROR); 209 goto err; 210 } 211 212 /* Must be UNIVERSAL class */ 213 if (oclass != V_ASN1_UNIVERSAL) 214 { 215 /* If OPTIONAL, assume this is OK */ 216 if (opt) return -1; 217 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 218 ASN1_R_MSTRING_NOT_UNIVERSAL); 219 goto err; 220 } 221 /* Check tag matches bit map */ 222 if (!(ASN1_tag2bit(otag) & it->utype)) 223 { 224 /* If OPTIONAL, assume this is OK */ 225 if (opt) 226 return -1; 227 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 228 ASN1_R_MSTRING_WRONG_TAG); 229 goto err; 230 } 231 return asn1_d2i_ex_primitive(pval, in, len, 232 it, otag, 0, 0, ctx); 233 234 case ASN1_ITYPE_EXTERN: 235 /* Use new style d2i */ 236 ef = it->funcs; 237 return ef->asn1_ex_d2i(pval, in, len, 238 it, tag, aclass, opt, ctx); 239 240 case ASN1_ITYPE_COMPAT: 241 /* we must resort to old style evil hackery */ 242 cf = it->funcs; 243 244 /* If OPTIONAL see if it is there */ 245 if (opt) 246 { 247 int exptag; 248 p = *in; 249 if (tag == -1) 250 exptag = it->utype; 251 else exptag = tag; 252 /* Don't care about anything other than presence 253 * of expected tag */ 254 255 ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, 256 &p, len, exptag, aclass, 1, ctx); 257 if (!ret) 258 { 259 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 260 ERR_R_NESTED_ASN1_ERROR); 261 goto err; 262 } 263 if (ret == -1) 264 return -1; 265 } 266 267 /* This is the old style evil hack IMPLICIT handling: 268 * since the underlying code is expecting a tag and 269 * class other than the one present we change the 270 * buffer temporarily then change it back afterwards. 271 * This doesn't and never did work for tags > 30. 272 * 273 * Yes this is *horrible* but it is only needed for 274 * old style d2i which will hopefully not be around 275 * for much longer. 276 * FIXME: should copy the buffer then modify it so 277 * the input buffer can be const: we should *always* 278 * copy because the old style d2i might modify the 279 * buffer. 280 */ 281 282 if (tag != -1) 283 { 284 wp = *(unsigned char **)in; 285 imphack = *wp; 286 if (p == NULL) 287 { 288 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 289 ERR_R_NESTED_ASN1_ERROR); 290 goto err; 291 } 292 *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) 293 | it->utype); 294 } 295 296 ptmpval = cf->asn1_d2i(pval, in, len); 297 298 if (tag != -1) 299 *wp = imphack; 300 301 if (ptmpval) 302 return 1; 303 304 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); 305 goto err; 306 307 308 case ASN1_ITYPE_CHOICE: 309 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it)) 310 goto auxerr; 311 312 /* Allocate structure */ 313 if (!*pval && !ASN1_item_ex_new(pval, it)) 314 { 315 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 316 ERR_R_NESTED_ASN1_ERROR); 317 goto err; 318 } 319 /* CHOICE type, try each possibility in turn */ 320 p = *in; 321 for (i = 0, tt=it->templates; i < it->tcount; i++, tt++) 322 { 323 pchptr = asn1_get_field_ptr(pval, tt); 324 /* We mark field as OPTIONAL so its absence 325 * can be recognised. 326 */ 327 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); 328 /* If field not present, try the next one */ 329 if (ret == -1) 330 continue; 331 /* If positive return, read OK, break loop */ 332 if (ret > 0) 333 break; 334 /* Otherwise must be an ASN1 parsing error */ 335 errtt = tt; 336 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 337 ERR_R_NESTED_ASN1_ERROR); 338 goto err; 339 } 340 341 /* Did we fall off the end without reading anything? */ 342 if (i == it->tcount) 343 { 344 /* If OPTIONAL, this is OK */ 345 if (opt) 346 { 347 /* Free and zero it */ 348 ASN1_item_ex_free(pval, it); 349 return -1; 350 } 351 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 352 ASN1_R_NO_MATCHING_CHOICE_TYPE); 353 goto err; 354 } 355 356 asn1_set_choice_selector(pval, i, it); 357 *in = p; 358 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it)) 359 goto auxerr; 360 return 1; 361 362 case ASN1_ITYPE_NDEF_SEQUENCE: 363 case ASN1_ITYPE_SEQUENCE: 364 p = *in; 365 tmplen = len; 366 367 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ 368 if (tag == -1) 369 { 370 tag = V_ASN1_SEQUENCE; 371 aclass = V_ASN1_UNIVERSAL; 372 } 373 /* Get SEQUENCE length and update len, p */ 374 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, 375 &p, len, tag, aclass, opt, ctx); 376 if (!ret) 377 { 378 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 379 ERR_R_NESTED_ASN1_ERROR); 380 goto err; 381 } 382 else if (ret == -1) 383 return -1; 384 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) 385 { 386 len = tmplen - (p - *in); 387 seq_nolen = 1; 388 } 389 /* If indefinite we don't do a length check */ 390 else seq_nolen = seq_eoc; 391 if (!cst) 392 { 393 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 394 ASN1_R_SEQUENCE_NOT_CONSTRUCTED); 395 goto err; 396 } 397 398 if (!*pval && !ASN1_item_ex_new(pval, it)) 399 { 400 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 401 ERR_R_NESTED_ASN1_ERROR); 402 goto err; 403 } 404 405 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it)) 406 goto auxerr; 407 408 /* Get each field entry */ 409 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) 410 { 411 const ASN1_TEMPLATE *seqtt; 412 ASN1_VALUE **pseqval; 413 seqtt = asn1_do_adb(pval, tt, 1); 414 if (!seqtt) 415 goto err; 416 pseqval = asn1_get_field_ptr(pval, seqtt); 417 /* Have we ran out of data? */ 418 if (!len) 419 break; 420 q = p; 421 if (asn1_check_eoc(&p, len)) 422 { 423 if (!seq_eoc) 424 { 425 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 426 ASN1_R_UNEXPECTED_EOC); 427 goto err; 428 } 429 len -= p - q; 430 seq_eoc = 0; 431 q = p; 432 break; 433 } 434 /* This determines the OPTIONAL flag value. The field 435 * cannot be omitted if it is the last of a SEQUENCE 436 * and there is still data to be read. This isn't 437 * strictly necessary but it increases efficiency in 438 * some cases. 439 */ 440 if (i == (it->tcount - 1)) 441 isopt = 0; 442 else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); 443 /* attempt to read in field, allowing each to be 444 * OPTIONAL */ 445 446 ret = asn1_template_ex_d2i(pseqval, &p, len, 447 seqtt, isopt, ctx); 448 if (!ret) 449 { 450 errtt = seqtt; 451 goto err; 452 } 453 else if (ret == -1) 454 { 455 /* OPTIONAL component absent. 456 * Free and zero the field. 457 */ 458 ASN1_template_free(pseqval, seqtt); 459 continue; 460 } 461 /* Update length */ 462 len -= p - q; 463 } 464 465 /* Check for EOC if expecting one */ 466 if (seq_eoc && !asn1_check_eoc(&p, len)) 467 { 468 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC); 469 goto err; 470 } 471 /* Check all data read */ 472 if (!seq_nolen && len) 473 { 474 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 475 ASN1_R_SEQUENCE_LENGTH_MISMATCH); 476 goto err; 477 } 478 479 /* If we get here we've got no more data in the SEQUENCE, 480 * however we may not have read all fields so check all 481 * remaining are OPTIONAL and clear any that are. 482 */ 483 for (; i < it->tcount; tt++, i++) 484 { 485 const ASN1_TEMPLATE *seqtt; 486 seqtt = asn1_do_adb(pval, tt, 1); 487 if (!seqtt) 488 goto err; 489 if (seqtt->flags & ASN1_TFLG_OPTIONAL) 490 { 491 ASN1_VALUE **pseqval; 492 pseqval = asn1_get_field_ptr(pval, seqtt); 493 ASN1_template_free(pseqval, seqtt); 494 } 495 else 496 { 497 errtt = seqtt; 498 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, 499 ASN1_R_FIELD_MISSING); 500 goto err; 501 } 502 } 503 /* Save encoding */ 504 if (!asn1_enc_save(pval, *in, p - *in, it)) 505 goto auxerr; 506 *in = p; 507 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it)) 508 goto auxerr; 509 return 1; 510 511 default: 512 return 0; 513 } 514 auxerr: 515 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); 516 err: 517 ASN1_item_ex_free(pval, it); 518 if (errtt) 519 ERR_add_error_data(4, "Field=", errtt->field_name, 520 ", Type=", it->sname); 521 else 522 ERR_add_error_data(2, "Type=", it->sname); 523 return 0; 524 } 525 526 /* Templates are handled with two separate functions. 527 * One handles any EXPLICIT tag and the other handles the rest. 528 */ 529 530 static int asn1_template_ex_d2i(ASN1_VALUE **val, 531 const unsigned char **in, long inlen, 532 const ASN1_TEMPLATE *tt, char opt, 533 ASN1_TLC *ctx) 534 { 535 int flags, aclass; 536 int ret; 537 long len; 538 const unsigned char *p, *q; 539 char exp_eoc; 540 if (!val) 541 return 0; 542 flags = tt->flags; 543 aclass = flags & ASN1_TFLG_TAG_CLASS; 544 545 p = *in; 546 547 /* Check if EXPLICIT tag expected */ 548 if (flags & ASN1_TFLG_EXPTAG) 549 { 550 char cst; 551 /* Need to work out amount of data available to the inner 552 * content and where it starts: so read in EXPLICIT header to 553 * get the info. 554 */ 555 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, 556 &p, inlen, tt->tag, aclass, opt, ctx); 557 q = p; 558 if (!ret) 559 { 560 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 561 ERR_R_NESTED_ASN1_ERROR); 562 return 0; 563 } 564 else if (ret == -1) 565 return -1; 566 if (!cst) 567 { 568 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 569 ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); 570 return 0; 571 } 572 /* We've found the field so it can't be OPTIONAL now */ 573 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx); 574 if (!ret) 575 { 576 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 577 ERR_R_NESTED_ASN1_ERROR); 578 return 0; 579 } 580 /* We read the field in OK so update length */ 581 len -= p - q; 582 if (exp_eoc) 583 { 584 /* If NDEF we must have an EOC here */ 585 if (!asn1_check_eoc(&p, len)) 586 { 587 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 588 ASN1_R_MISSING_EOC); 589 goto err; 590 } 591 } 592 else 593 { 594 /* Otherwise we must hit the EXPLICIT tag end or its 595 * an error */ 596 if (len) 597 { 598 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, 599 ASN1_R_EXPLICIT_LENGTH_MISMATCH); 600 goto err; 601 } 602 } 603 } 604 else 605 return asn1_template_noexp_d2i(val, in, inlen, 606 tt, opt, ctx); 607 608 *in = p; 609 return 1; 610 611 err: 612 ASN1_template_free(val, tt); 613 return 0; 614 } 615 616 static int asn1_template_noexp_d2i(ASN1_VALUE **val, 617 const unsigned char **in, long len, 618 const ASN1_TEMPLATE *tt, char opt, 619 ASN1_TLC *ctx) 620 { 621 int flags, aclass; 622 int ret; 623 const unsigned char *p, *q; 624 if (!val) 625 return 0; 626 flags = tt->flags; 627 aclass = flags & ASN1_TFLG_TAG_CLASS; 628 629 p = *in; 630 q = p; 631 632 if (flags & ASN1_TFLG_SK_MASK) 633 { 634 /* SET OF, SEQUENCE OF */ 635 int sktag, skaclass; 636 char sk_eoc; 637 /* First work out expected inner tag value */ 638 if (flags & ASN1_TFLG_IMPTAG) 639 { 640 sktag = tt->tag; 641 skaclass = aclass; 642 } 643 else 644 { 645 skaclass = V_ASN1_UNIVERSAL; 646 if (flags & ASN1_TFLG_SET_OF) 647 sktag = V_ASN1_SET; 648 else 649 sktag = V_ASN1_SEQUENCE; 650 } 651 /* Get the tag */ 652 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, 653 &p, len, sktag, skaclass, opt, ctx); 654 if (!ret) 655 { 656 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 657 ERR_R_NESTED_ASN1_ERROR); 658 return 0; 659 } 660 else if (ret == -1) 661 return -1; 662 if (!*val) 663 *val = (ASN1_VALUE *)sk_new_null(); 664 else 665 { 666 /* We've got a valid STACK: free up any items present */ 667 STACK *sktmp = (STACK *)*val; 668 ASN1_VALUE *vtmp; 669 while(sk_num(sktmp) > 0) 670 { 671 vtmp = (ASN1_VALUE *)sk_pop(sktmp); 672 ASN1_item_ex_free(&vtmp, 673 ASN1_ITEM_ptr(tt->item)); 674 } 675 } 676 677 if (!*val) 678 { 679 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 680 ERR_R_MALLOC_FAILURE); 681 goto err; 682 } 683 684 /* Read as many items as we can */ 685 while(len > 0) 686 { 687 ASN1_VALUE *skfield; 688 q = p; 689 /* See if EOC found */ 690 if (asn1_check_eoc(&p, len)) 691 { 692 if (!sk_eoc) 693 { 694 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 695 ASN1_R_UNEXPECTED_EOC); 696 goto err; 697 } 698 len -= p - q; 699 sk_eoc = 0; 700 break; 701 } 702 skfield = NULL; 703 if (!ASN1_item_ex_d2i(&skfield, &p, len, 704 ASN1_ITEM_ptr(tt->item), 705 -1, 0, 0, ctx)) 706 { 707 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 708 ERR_R_NESTED_ASN1_ERROR); 709 goto err; 710 } 711 len -= p - q; 712 if (!sk_push((STACK *)*val, (char *)skfield)) 713 { 714 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 715 ERR_R_MALLOC_FAILURE); 716 goto err; 717 } 718 } 719 if (sk_eoc) 720 { 721 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC); 722 goto err; 723 } 724 } 725 else if (flags & ASN1_TFLG_IMPTAG) 726 { 727 /* IMPLICIT tagging */ 728 ret = ASN1_item_ex_d2i(val, &p, len, 729 ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx); 730 if (!ret) 731 { 732 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 733 ERR_R_NESTED_ASN1_ERROR); 734 goto err; 735 } 736 else if (ret == -1) 737 return -1; 738 } 739 else 740 { 741 /* Nothing special */ 742 ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), 743 -1, 0, opt, ctx); 744 if (!ret) 745 { 746 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, 747 ERR_R_NESTED_ASN1_ERROR); 748 goto err; 749 } 750 else if (ret == -1) 751 return -1; 752 } 753 754 *in = p; 755 return 1; 756 757 err: 758 ASN1_template_free(val, tt); 759 return 0; 760 } 761 762 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, 763 const unsigned char **in, long inlen, 764 const ASN1_ITEM *it, 765 int tag, int aclass, char opt, ASN1_TLC *ctx) 766 { 767 int ret = 0, utype; 768 long plen; 769 char cst, inf, free_cont = 0; 770 const unsigned char *p; 771 BUF_MEM buf; 772 const unsigned char *cont = NULL; 773 long len; 774 if (!pval) 775 { 776 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL); 777 return 0; /* Should never happen */ 778 } 779 780 if (it->itype == ASN1_ITYPE_MSTRING) 781 { 782 utype = tag; 783 tag = -1; 784 } 785 else 786 utype = it->utype; 787 788 if (utype == V_ASN1_ANY) 789 { 790 /* If type is ANY need to figure out type from tag */ 791 unsigned char oclass; 792 if (tag >= 0) 793 { 794 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 795 ASN1_R_ILLEGAL_TAGGED_ANY); 796 return 0; 797 } 798 if (opt) 799 { 800 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 801 ASN1_R_ILLEGAL_OPTIONAL_ANY); 802 return 0; 803 } 804 p = *in; 805 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, 806 &p, inlen, -1, 0, 0, ctx); 807 if (!ret) 808 { 809 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 810 ERR_R_NESTED_ASN1_ERROR); 811 return 0; 812 } 813 if (oclass != V_ASN1_UNIVERSAL) 814 utype = V_ASN1_OTHER; 815 } 816 if (tag == -1) 817 { 818 tag = utype; 819 aclass = V_ASN1_UNIVERSAL; 820 } 821 p = *in; 822 /* Check header */ 823 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, 824 &p, inlen, tag, aclass, opt, ctx); 825 if (!ret) 826 { 827 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR); 828 return 0; 829 } 830 else if (ret == -1) 831 return -1; 832 ret = 0; 833 /* SEQUENCE, SET and "OTHER" are left in encoded form */ 834 if ((utype == V_ASN1_SEQUENCE) 835 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) 836 { 837 /* Clear context cache for type OTHER because the auto clear 838 * when we have a exact match wont work 839 */ 840 if (utype == V_ASN1_OTHER) 841 { 842 asn1_tlc_clear(ctx); 843 } 844 /* SEQUENCE and SET must be constructed */ 845 else if (!cst) 846 { 847 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 848 ASN1_R_TYPE_NOT_CONSTRUCTED); 849 return 0; 850 } 851 852 cont = *in; 853 /* If indefinite length constructed find the real end */ 854 if (inf) 855 { 856 if (!asn1_find_end(&p, plen, inf)) 857 goto err; 858 len = p - cont; 859 } 860 else 861 { 862 len = p - cont + plen; 863 p += plen; 864 buf.data = NULL; 865 } 866 } 867 else if (cst) 868 { 869 buf.length = 0; 870 buf.max = 0; 871 buf.data = NULL; 872 /* Should really check the internal tags are correct but 873 * some things may get this wrong. The relevant specs 874 * say that constructed string types should be OCTET STRINGs 875 * internally irrespective of the type. So instead just check 876 * for UNIVERSAL class and ignore the tag. 877 */ 878 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) 879 { 880 free_cont = 1; 881 goto err; 882 } 883 len = buf.length; 884 /* Append a final null to string */ 885 if (!BUF_MEM_grow_clean(&buf, len + 1)) 886 { 887 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, 888 ERR_R_MALLOC_FAILURE); 889 return 0; 890 } 891 buf.data[len] = 0; 892 cont = (const unsigned char *)buf.data; 893 free_cont = 1; 894 } 895 else 896 { 897 cont = p; 898 len = plen; 899 p += plen; 900 } 901 902 /* We now have content length and type: translate into a structure */ 903 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) 904 goto err; 905 906 *in = p; 907 ret = 1; 908 err: 909 if (free_cont && buf.data) OPENSSL_free(buf.data); 910 return ret; 911 } 912 913 /* Translate ASN1 content octets into a structure */ 914 915 int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, 916 int utype, char *free_cont, const ASN1_ITEM *it) 917 { 918 ASN1_VALUE **opval = NULL; 919 ASN1_STRING *stmp; 920 ASN1_TYPE *typ = NULL; 921 int ret = 0; 922 const ASN1_PRIMITIVE_FUNCS *pf; 923 ASN1_INTEGER **tint; 924 pf = it->funcs; 925 926 if (pf && pf->prim_c2i) 927 return pf->prim_c2i(pval, cont, len, utype, free_cont, it); 928 /* If ANY type clear type and set pointer to internal value */ 929 if (it->utype == V_ASN1_ANY) 930 { 931 if (!*pval) 932 { 933 typ = ASN1_TYPE_new(); 934 if (typ == NULL) 935 goto err; 936 *pval = (ASN1_VALUE *)typ; 937 } 938 else 939 typ = (ASN1_TYPE *)*pval; 940 941 if (utype != typ->type) 942 ASN1_TYPE_set(typ, utype, NULL); 943 opval = pval; 944 pval = &typ->value.asn1_value; 945 } 946 switch(utype) 947 { 948 case V_ASN1_OBJECT: 949 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) 950 goto err; 951 break; 952 953 case V_ASN1_NULL: 954 if (len) 955 { 956 ASN1err(ASN1_F_ASN1_EX_C2I, 957 ASN1_R_NULL_IS_WRONG_LENGTH); 958 goto err; 959 } 960 *pval = (ASN1_VALUE *)1; 961 break; 962 963 case V_ASN1_BOOLEAN: 964 if (len != 1) 965 { 966 ASN1err(ASN1_F_ASN1_EX_C2I, 967 ASN1_R_BOOLEAN_IS_WRONG_LENGTH); 968 goto err; 969 } 970 else 971 { 972 ASN1_BOOLEAN *tbool; 973 tbool = (ASN1_BOOLEAN *)pval; 974 *tbool = *cont; 975 } 976 break; 977 978 case V_ASN1_BIT_STRING: 979 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) 980 goto err; 981 break; 982 983 case V_ASN1_INTEGER: 984 case V_ASN1_NEG_INTEGER: 985 case V_ASN1_ENUMERATED: 986 case V_ASN1_NEG_ENUMERATED: 987 tint = (ASN1_INTEGER **)pval; 988 if (!c2i_ASN1_INTEGER(tint, &cont, len)) 989 goto err; 990 /* Fixup type to match the expected form */ 991 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); 992 break; 993 994 case V_ASN1_OCTET_STRING: 995 case V_ASN1_NUMERICSTRING: 996 case V_ASN1_PRINTABLESTRING: 997 case V_ASN1_T61STRING: 998 case V_ASN1_VIDEOTEXSTRING: 999 case V_ASN1_IA5STRING: 1000 case V_ASN1_UTCTIME: 1001 case V_ASN1_GENERALIZEDTIME: 1002 case V_ASN1_GRAPHICSTRING: 1003 case V_ASN1_VISIBLESTRING: 1004 case V_ASN1_GENERALSTRING: 1005 case V_ASN1_UNIVERSALSTRING: 1006 case V_ASN1_BMPSTRING: 1007 case V_ASN1_UTF8STRING: 1008 case V_ASN1_OTHER: 1009 case V_ASN1_SET: 1010 case V_ASN1_SEQUENCE: 1011 default: 1012 if (utype == V_ASN1_BMPSTRING && (len & 1)) 1013 { 1014 ASN1err(ASN1_F_ASN1_EX_C2I, 1015 ASN1_R_BMPSTRING_IS_WRONG_LENGTH); 1016 goto err; 1017 } 1018 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) 1019 { 1020 ASN1err(ASN1_F_ASN1_EX_C2I, 1021 ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); 1022 goto err; 1023 } 1024 /* All based on ASN1_STRING and handled the same */ 1025 if (!*pval) 1026 { 1027 stmp = ASN1_STRING_type_new(utype); 1028 if (!stmp) 1029 { 1030 ASN1err(ASN1_F_ASN1_EX_C2I, 1031 ERR_R_MALLOC_FAILURE); 1032 goto err; 1033 } 1034 *pval = (ASN1_VALUE *)stmp; 1035 } 1036 else 1037 { 1038 stmp = (ASN1_STRING *)*pval; 1039 stmp->type = utype; 1040 } 1041 /* If we've already allocated a buffer use it */ 1042 if (*free_cont) 1043 { 1044 if (stmp->data) 1045 OPENSSL_free(stmp->data); 1046 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ 1047 stmp->length = len; 1048 *free_cont = 0; 1049 } 1050 else 1051 { 1052 if (!ASN1_STRING_set(stmp, cont, len)) 1053 { 1054 ASN1err(ASN1_F_ASN1_EX_C2I, 1055 ERR_R_MALLOC_FAILURE); 1056 ASN1_STRING_free(stmp); 1057 *pval = NULL; 1058 goto err; 1059 } 1060 } 1061 break; 1062 } 1063 /* If ASN1_ANY and NULL type fix up value */ 1064 if (typ && (utype == V_ASN1_NULL)) 1065 typ->value.ptr = NULL; 1066 1067 ret = 1; 1068 err: 1069 if (!ret) 1070 { 1071 ASN1_TYPE_free(typ); 1072 if (opval) 1073 *opval = NULL; 1074 } 1075 return ret; 1076 } 1077 1078 1079 /* This function finds the end of an ASN1 structure when passed its maximum 1080 * length, whether it is indefinite length and a pointer to the content. 1081 * This is more efficient than calling asn1_collect because it does not 1082 * recurse on each indefinite length header. 1083 */ 1084 1085 static int asn1_find_end(const unsigned char **in, long len, char inf) 1086 { 1087 int expected_eoc; 1088 long plen; 1089 const unsigned char *p = *in, *q; 1090 /* If not indefinite length constructed just add length */ 1091 if (inf == 0) 1092 { 1093 *in += len; 1094 return 1; 1095 } 1096 expected_eoc = 1; 1097 /* Indefinite length constructed form. Find the end when enough EOCs 1098 * are found. If more indefinite length constructed headers 1099 * are encountered increment the expected eoc count otherwise just 1100 * skip to the end of the data. 1101 */ 1102 while (len > 0) 1103 { 1104 if(asn1_check_eoc(&p, len)) 1105 { 1106 expected_eoc--; 1107 if (expected_eoc == 0) 1108 break; 1109 len -= 2; 1110 continue; 1111 } 1112 q = p; 1113 /* Just read in a header: only care about the length */ 1114 if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, 1115 -1, 0, 0, NULL)) 1116 { 1117 ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR); 1118 return 0; 1119 } 1120 if (inf) 1121 expected_eoc++; 1122 else 1123 p += plen; 1124 len -= p - q; 1125 } 1126 if (expected_eoc) 1127 { 1128 ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC); 1129 return 0; 1130 } 1131 *in = p; 1132 return 1; 1133 } 1134 /* This function collects the asn1 data from a constructred string 1135 * type into a buffer. The values of 'in' and 'len' should refer 1136 * to the contents of the constructed type and 'inf' should be set 1137 * if it is indefinite length. 1138 */ 1139 1140 #ifndef ASN1_MAX_STRING_NEST 1141 /* This determines how many levels of recursion are permitted in ASN1 1142 * string types. If it is not limited stack overflows can occur. If set 1143 * to zero no recursion is allowed at all. Although zero should be adequate 1144 * examples exist that require a value of 1. So 5 should be more than enough. 1145 */ 1146 #define ASN1_MAX_STRING_NEST 5 1147 #endif 1148 1149 1150 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, 1151 char inf, int tag, int aclass, int depth) 1152 { 1153 const unsigned char *p, *q; 1154 long plen; 1155 char cst, ininf; 1156 p = *in; 1157 inf &= 1; 1158 /* If no buffer and not indefinite length constructed just pass over 1159 * the encoded data */ 1160 if (!buf && !inf) 1161 { 1162 *in += len; 1163 return 1; 1164 } 1165 while(len > 0) 1166 { 1167 q = p; 1168 /* Check for EOC */ 1169 if (asn1_check_eoc(&p, len)) 1170 { 1171 /* EOC is illegal outside indefinite length 1172 * constructed form */ 1173 if (!inf) 1174 { 1175 ASN1err(ASN1_F_ASN1_COLLECT, 1176 ASN1_R_UNEXPECTED_EOC); 1177 return 0; 1178 } 1179 inf = 0; 1180 break; 1181 } 1182 1183 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, 1184 len, tag, aclass, 0, NULL)) 1185 { 1186 ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR); 1187 return 0; 1188 } 1189 1190 /* If indefinite length constructed update max length */ 1191 if (cst) 1192 { 1193 if (depth >= ASN1_MAX_STRING_NEST) 1194 { 1195 ASN1err(ASN1_F_ASN1_COLLECT, 1196 ASN1_R_NESTED_ASN1_STRING); 1197 return 0; 1198 } 1199 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, 1200 depth + 1)) 1201 return 0; 1202 } 1203 else if (plen && !collect_data(buf, &p, plen)) 1204 return 0; 1205 len -= p - q; 1206 } 1207 if (inf) 1208 { 1209 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC); 1210 return 0; 1211 } 1212 *in = p; 1213 return 1; 1214 } 1215 1216 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) 1217 { 1218 int len; 1219 if (buf) 1220 { 1221 len = buf->length; 1222 if (!BUF_MEM_grow_clean(buf, len + plen)) 1223 { 1224 ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE); 1225 return 0; 1226 } 1227 memcpy(buf->data + len, *p, plen); 1228 } 1229 *p += plen; 1230 return 1; 1231 } 1232 1233 /* Check for ASN1 EOC and swallow it if found */ 1234 1235 static int asn1_check_eoc(const unsigned char **in, long len) 1236 { 1237 const unsigned char *p; 1238 if (len < 2) return 0; 1239 p = *in; 1240 if (!p[0] && !p[1]) 1241 { 1242 *in += 2; 1243 return 1; 1244 } 1245 return 0; 1246 } 1247 1248 /* Check an ASN1 tag and length: a bit like ASN1_get_object 1249 * but it sets the length for indefinite length constructed 1250 * form, we don't know the exact length but we can set an 1251 * upper bound to the amount of data available minus the 1252 * header length just read. 1253 */ 1254 1255 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, 1256 char *inf, char *cst, 1257 const unsigned char **in, long len, 1258 int exptag, int expclass, char opt, 1259 ASN1_TLC *ctx) 1260 { 1261 int i; 1262 int ptag, pclass; 1263 long plen; 1264 const unsigned char *p, *q; 1265 p = *in; 1266 q = p; 1267 1268 if (ctx && ctx->valid) 1269 { 1270 i = ctx->ret; 1271 plen = ctx->plen; 1272 pclass = ctx->pclass; 1273 ptag = ctx->ptag; 1274 p += ctx->hdrlen; 1275 } 1276 else 1277 { 1278 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); 1279 if (ctx) 1280 { 1281 ctx->ret = i; 1282 ctx->plen = plen; 1283 ctx->pclass = pclass; 1284 ctx->ptag = ptag; 1285 ctx->hdrlen = p - q; 1286 ctx->valid = 1; 1287 /* If definite length, and no error, length + 1288 * header can't exceed total amount of data available. 1289 */ 1290 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) 1291 { 1292 ASN1err(ASN1_F_ASN1_CHECK_TLEN, 1293 ASN1_R_TOO_LONG); 1294 asn1_tlc_clear(ctx); 1295 return 0; 1296 } 1297 } 1298 } 1299 1300 if (i & 0x80) 1301 { 1302 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER); 1303 asn1_tlc_clear(ctx); 1304 return 0; 1305 } 1306 if (exptag >= 0) 1307 { 1308 if ((exptag != ptag) || (expclass != pclass)) 1309 { 1310 /* If type is OPTIONAL, not an error: 1311 * indicate missing type. 1312 */ 1313 if (opt) return -1; 1314 asn1_tlc_clear(ctx); 1315 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG); 1316 return 0; 1317 } 1318 /* We have a tag and class match: 1319 * assume we are going to do something with it */ 1320 asn1_tlc_clear(ctx); 1321 } 1322 1323 if (i & 1) 1324 plen = len - (p - q); 1325 1326 if (inf) 1327 *inf = i & 1; 1328 1329 if (cst) 1330 *cst = i & V_ASN1_CONSTRUCTED; 1331 1332 if (olen) 1333 *olen = plen; 1334 1335 if (oclass) 1336 *oclass = pclass; 1337 1338 if (otag) 1339 *otag = ptag; 1340 1341 *in = p; 1342 return 1; 1343 } 1344