lib/asn1/der_get.c

   1 /*
   2  * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "der_locl.h"
  35
  36 /*
  37  * All decoding functions take a pointer `p' to first position in
  38  * which to read, from the left, `len' which means the maximum number
  39  * of characters we are able to read, `ret' were the value will be
  40  * returned and `size' where the number of used bytes is stored.
  41  * Either 0 or an error code is returned.
  42  */
  43
  44 int
  45 der_get_unsigned (const unsigned char *p, size_t len,
  46                   unsigned *ret, size_t *size)
  47 {
  48     unsigned val = 0;
  49     size_t oldlen = len;
  50
  51     if (len == sizeof(val) + 1 && p[0] == 0)
  52         ;
  53     else if (len > sizeof(val))
  54         return ASN1_OVERRUN;
  55
  56     while (len--)
  57         val = val * 256 + *p++;
  58     *ret = val;
  59     if(size) *size = oldlen;
  60     return 0;
  61 }
  62
  63 int
  64 der_get_unsigned64 (const unsigned char *p, size_t len,
  65                    uint64_t *ret, size_t *size)
  66 {
  67     uint64_t val = 0;
  68     size_t oldlen = len;
  69
  70     if (len == sizeof(val) + 1 && p[0] == 0)
  71        ;
  72     else if (len > sizeof(val))
  73         return ASN1_OVERRUN;
  74
  75     while (len--)
  76         val = val * 256 + *p++;
  77     *ret = val;
  78     if(size) *size = oldlen;
  79     return 0;
  80 }
  81
  82 int
  83 der_get_integer (const unsigned char *p, size_t len,
  84                  int *ret, size_t *size)
  85 {
  86     int val = 0;
  87     size_t oldlen = len;
  88
  89     if (len > sizeof(val))
  90         return ASN1_OVERRUN;
  91
  92     if (len > 0) {
  93         val = (signed char)*p++;
  94         while (--len)
  95             val = val * 256 + *p++;
  96     }
  97     *ret = val;
  98     if(size) *size = oldlen;
  99     return 0;
 100 }
 101
 102 int
 103 der_get_integer64 (const unsigned char *p, size_t len,
 104                    int64_t *ret, size_t *size)
 105 {
 106     int64_t val = 0;
 107     size_t oldlen = len;
 108
 109     if (len > sizeof(val))
 110         return ASN1_OVERRUN;
 111
 112     if (len > 0) {
 113        val = (signed char)*p++;
 114        while (--len)
 115            val = val * 256 + *p++;
 116     }
 117     *ret = val;
 118     if(size) *size = oldlen;
 119     return 0;
 120 }
 121
 122
 123 int
 124 der_get_length (const unsigned char *p, size_t len,
 125                 size_t *val, size_t *size)
 126 {
 127     size_t v;
 128
 129     if (len <= 0)
 130         return ASN1_OVERRUN;
 131     --len;
 132     v = *p++;
 133     if (v < 128) {
 134         *val = v;
 135         if(size) *size = 1;
 136     } else {
 137         int e;
 138         size_t l;
 139         unsigned tmp;
 140
 141         if(v == 0x80){
 142             *val = ASN1_INDEFINITE;
 143             if(size) *size = 1;
 144             return 0;
 145         }
 146         v &= 0x7F;
 147         if (len < v)
 148             return ASN1_OVERRUN;
 149         e = der_get_unsigned (p, v, &tmp, &l);
 150         if(e) return e;
 151         *val = tmp;
 152         if(size) *size = l + 1;
 153     }
 154     return 0;
 155 }
 156
 157 int
 158 der_get_boolean(const unsigned char *p, size_t len, int *data, size_t *size)
 159 {
 160     if(len < 1)
 161         return ASN1_OVERRUN;
 162     if(*p != 0)
 163         *data = 1;
 164     else
 165         *data = 0;
 166     *size = 1;
 167     return 0;
 168 }
 169
 170 int
 171 der_get_general_string (const unsigned char *p, size_t len,
 172                         heim_general_string *str, size_t *size)
 173 {
 174     const unsigned char *p1;
 175     char *s;
 176
 177     p1 = memchr(p, 0, len);
 178     if (p1 != NULL) {
 179         /*
 180          * Allow trailing NULs. We allow this since MIT Kerberos sends
 181          * an strings in the NEED_PREAUTH case that includes a
 182          * trailing NUL.
 183          */
 184         while ((size_t)(p1 - p) < len && *p1 == '\0')
 185             p1++;
 186         if ((size_t)(p1 - p) != len) {
 187             *str = NULL;
 188             return ASN1_BAD_CHARACTER;
 189         }
 190     }
 191     if (len > len + 1) {
 192         *str = NULL;
 193         return ASN1_BAD_LENGTH;
 194     }
 195
 196     *str = s = malloc (len + 1);
 197     if (s == NULL)
 198         return ENOMEM;
 199     memcpy (s, p, len);
 200     s[len] = '\0';
 201
 202     if(size) *size = len;
 203     return 0;
 204 }
 205
 206 int
 207 der_get_utf8string (const unsigned char *p, size_t len,
 208                     heim_utf8_string *str, size_t *size)
 209 {
 210     return der_get_general_string(p, len, str, size);
 211 }
 212
 213 #define gen_data_zero(_data) \
 214         do { (_data)->length = 0; (_data)->data = NULL; } while(0)
 215
 216 int
 217 der_get_printable_string(const unsigned char *p, size_t len,
 218                          heim_printable_string *str, size_t *size)
 219 {
 220     if (len > len + 1) {
 221         gen_data_zero(str);
 222         return ASN1_BAD_LENGTH;
 223     }
 224     str->length = len;
 225     str->data = malloc(len + 1);
 226     if (str->data == NULL) {
 227         gen_data_zero(str);
 228         return ENOMEM;
 229     }
 230     memcpy(str->data, p, len);
 231     ((char *)str->data)[len] = '\0';
 232     if(size) *size = len;
 233     return 0;
 234 }
 235
 236 int
 237 der_get_ia5_string(const unsigned char *p, size_t len,
 238                    heim_ia5_string *str, size_t *size)
 239 {
 240     return der_get_printable_string(p, len, str, size);
 241 }
 242
 243 int
 244 der_get_bmp_string (const unsigned char *p, size_t len,
 245                     heim_bmp_string *data, size_t *size)
 246 {
 247     size_t i;
 248
 249     if (len & 1) {
 250         gen_data_zero(data);
 251         return ASN1_BAD_FORMAT;
 252     }
 253     data->length = len / 2;
 254     if (data->length > UINT_MAX/sizeof(data->data[0])) {
 255         gen_data_zero(data);
 256         return ERANGE;
 257     }
 258     data->data = malloc(data->length * sizeof(data->data[0]));
 259     if (data->data == NULL && data->length != 0) {
 260         gen_data_zero(data);
 261         return ENOMEM;
 262     }
 263
 264     for (i = 0; i < data->length; i++) {
 265         data->data[i] = (p[0] << 8) | p[1];
 266         p += 2;
 267         /* check for NUL in the middle of the string */
 268         if (data->data[i] == 0 && i != (data->length - 1)) {
 269             free(data->data);
 270             gen_data_zero(data);
 271             return ASN1_BAD_CHARACTER;
 272         }
 273     }
 274     if (size) *size = len;
 275
 276     return 0;
 277 }
 278
 279 int
 280 der_get_universal_string (const unsigned char *p, size_t len,
 281                           heim_universal_string *data, size_t *size)
 282 {
 283     size_t i;
 284
 285     if (len & 3) {
 286         gen_data_zero(data);
 287         return ASN1_BAD_FORMAT;
 288     }
 289     data->length = len / 4;
 290     if (data->length > UINT_MAX/sizeof(data->data[0])) {
 291         gen_data_zero(data);
 292         return ERANGE;
 293     }
 294     data->data = malloc(data->length * sizeof(data->data[0]));
 295     if (data->data == NULL && data->length != 0) {
 296         gen_data_zero(data);
 297         return ENOMEM;
 298     }
 299
 300     for (i = 0; i < data->length; i++) {
 301         data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
 302         p += 4;
 303         /* check for NUL in the middle of the string */
 304         if (data->data[i] == 0 && i != (data->length - 1)) {
 305             free(data->data);
 306             gen_data_zero(data);
 307             return ASN1_BAD_CHARACTER;
 308         }
 309     }
 310     if (size) *size = len;
 311     return 0;
 312 }
 313
 314 int
 315 der_get_visible_string (const unsigned char *p, size_t len,
 316                         heim_visible_string *str, size_t *size)
 317 {
 318     return der_get_general_string(p, len, str, size);
 319 }
 320
 321 int
 322 der_get_octet_string (const unsigned char *p, size_t len,
 323                       heim_octet_string *data, size_t *size)
 324 {
 325     data->length = len;
 326     data->data = malloc(len);
 327     if (data->data == NULL && data->length != 0)
 328         return ENOMEM;
 329     memcpy (data->data, p, len);
 330     if(size) *size = len;
 331     return 0;
 332 }
 333
 334 int
 335 der_get_octet_string_ber (const unsigned char *p, size_t len,
 336                           heim_octet_string *data, size_t *size)
 337 {
 338     int e;
 339     Der_type type;
 340     Der_class cls;
 341     unsigned int tag, depth = 0;
 342     size_t l, datalen, oldlen = len;
 343
 344     data->length = 0;
 345     data->data = NULL;
 346
 347     while (len) {
 348         e = der_get_tag (p, len, &cls, &type, &tag, &l);
 349         if (e) goto out;
 350         if (cls != ASN1_C_UNIV) {
 351             e = ASN1_BAD_ID;
 352             goto out;
 353         }
 354         if (type == PRIM && tag == UT_EndOfContent) {
 355             if (depth == 0)
 356                 break;
 357             depth--;
 358         }
 359         if (tag != UT_OctetString) {
 360             e = ASN1_BAD_ID;
 361             goto out;
 362         }
 363
 364         p += l;
 365         len -= l;
 366         e = der_get_length (p, len, &datalen, &l);
 367         if (e) goto out;
 368         p += l;
 369         len -= l;
 370
 371         if (datalen > len)
 372             return ASN1_OVERRUN;
 373
 374         if (type == PRIM) {
 375             void *ptr;
 376
 377             ptr = realloc(data->data, data->length + datalen);
 378             if (ptr == NULL) {
 379                 e = ENOMEM;
 380                 goto out;
 381             }
 382             data->data = ptr;
 383             memcpy(((unsigned char *)data->data) + data->length, p, datalen);
 384             data->length += datalen;
 385         } else
 386             depth++;
 387
 388         p += datalen;
 389         len -= datalen;
 390     }
 391     if (depth != 0)
 392         return ASN1_INDEF_OVERRUN;
 393     if(size) *size = oldlen - len;
 394     return 0;
 395  out:
 396     free(data->data);
 397     data->data = NULL;
 398     data->length = 0;
 399     return e;
 400 }
 401
 402
 403 int
 404 der_get_heim_integer (const unsigned char *p, size_t len,
 405                       heim_integer *data, size_t *size)
 406 {
 407     data->length = 0;
 408     data->negative = 0;
 409     data->data = NULL;
 410
 411     if (len == 0) {
 412         if (size)
 413             *size = 0;
 414         return 0;
 415     }
 416     if (p[0] & 0x80) {
 417         unsigned char *q;
 418         int carry = 1;
 419         data->negative = 1;
 420
 421         data->length = len;
 422
 423         if (p[0] == 0xff) {
 424             p++;
 425             data->length--;
 426         }
 427         data->data = malloc(data->length);
 428         if (data->data == NULL) {
 429             data->length = 0;
 430             if (size)
 431                 *size = 0;
 432             return ENOMEM;
 433         }
 434         q = &((unsigned char*)data->data)[data->length - 1];
 435         p += data->length - 1;
 436         while (q >= (unsigned char*)data->data) {
 437             *q = *p ^ 0xff;
 438             if (carry)
 439                 carry = !++*q;
 440             p--;
 441             q--;
 442         }
 443     } else {
 444         data->negative = 0;
 445         data->length = len;
 446
 447         if (p[0] == 0) {
 448             p++;
 449             data->length--;
 450         }
 451         data->data = malloc(data->length);
 452         if (data->data == NULL && data->length != 0) {
 453             data->length = 0;
 454             if (size)
 455                 *size = 0;
 456             return ENOMEM;
 457         }
 458         memcpy(data->data, p, data->length);
 459     }
 460     if (size)
 461         *size = len;
 462     return 0;
 463 }
 464
 465 static int
 466 generalizedtime2time (const char *s, time_t *t)
 467 {
 468     struct tm tm;
 469
 470     memset(&tm, 0, sizeof(tm));
 471     if (sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
 472                 &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
 473                 &tm.tm_min, &tm.tm_sec) != 6) {
 474         if (sscanf (s, "%02d%02d%02d%02d%02d%02dZ",
 475                     &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
 476                     &tm.tm_min, &tm.tm_sec) != 6)
 477             return ASN1_BAD_TIMEFORMAT;
 478         if (tm.tm_year < 50)
 479             tm.tm_year += 2000;
 480         else
 481             tm.tm_year += 1900;
 482     }
 483     tm.tm_year -= 1900;
 484     tm.tm_mon -= 1;
 485     *t = _der_timegm (&tm);
 486     return 0;
 487 }
 488
 489 static int
 490 der_get_time (const unsigned char *p, size_t len,
 491               time_t *data, size_t *size)
 492 {
 493     char *times;
 494     int e;
 495
 496     if (len > len + 1 || len == 0)
 497         return ASN1_BAD_LENGTH;
 498
 499     times = malloc(len + 1);
 500     if (times == NULL)
 501         return ENOMEM;
 502     memcpy(times, p, len);
 503     times[len] = '\0';
 504     e = generalizedtime2time(times, data);
 505     free (times);
 506     if(size) *size = len;
 507     return e;
 508 }
 509
 510 int
 511 der_get_generalized_time (const unsigned char *p, size_t len,
 512                           time_t *data, size_t *size)
 513 {
 514     return der_get_time(p, len, data, size);
 515 }
 516
 517 int
 518 der_get_utctime (const unsigned char *p, size_t len,
 519                           time_t *data, size_t *size)
 520 {
 521     return der_get_time(p, len, data, size);
 522 }
 523
 524 int
 525 der_get_oid (const unsigned char *p, size_t len,
 526              heim_oid *data, size_t *size)
 527 {
 528     size_t n;
 529     size_t oldlen = len;
 530
 531     if (len < 1)
 532         return ASN1_OVERRUN;
 533
 534     if (len > len + 1)
 535         return ASN1_BAD_LENGTH;
 536
 537     if (len + 1 > UINT_MAX/sizeof(data->components[0]))
 538         return ERANGE;
 539
 540     data->components = malloc((len + 1) * sizeof(data->components[0]));
 541     if (data->components == NULL)
 542         return ENOMEM;
 543     data->components[0] = (*p) / 40;
 544     data->components[1] = (*p) % 40;
 545     --len;
 546     ++p;
 547     for (n = 2; len > 0; ++n) {
 548         unsigned u = 0, u1;
 549
 550         do {
 551             --len;
 552             u1 = u * 128 + (*p++ % 128);
 553             /* check that we don't overflow the element */
 554             if (u1 < u) {
 555                 der_free_oid(data);
 556                 return ASN1_OVERRUN;
 557             }
 558             u = u1;
 559         } while (len > 0 && p[-1] & 0x80);
 560         data->components[n] = u;
 561     }
 562     if (n > 2 && p[-1] & 0x80) {
 563         der_free_oid (data);
 564         return ASN1_OVERRUN;
 565     }
 566     data->length = n;
 567     if (size)
 568         *size = oldlen;
 569     return 0;
 570 }
 571
 572 int
 573 der_get_tag (const unsigned char *p, size_t len,
 574              Der_class *cls, Der_type *type,
 575              unsigned int *tag, size_t *size)
 576 {
 577     size_t ret = 0;
 578     if (len < 1)
 579         return ASN1_OVERRUN;
 580     *cls = (Der_class)(((*p) >> 6) & 0x03);
 581     *type = (Der_type)(((*p) >> 5) & 0x01);
 582     *tag = (*p) & 0x1f;
 583     p++; len--; ret++;
 584     if(*tag == 0x1f) {
 585         unsigned int continuation;
 586         unsigned int tag1;
 587         *tag = 0;
 588         do {
 589             if(len < 1)
 590                 return ASN1_OVERRUN;
 591             continuation = *p & 128;
 592             tag1 = *tag * 128 + (*p % 128);
 593             /* check that we don't overflow the tag */
 594             if (tag1 < *tag)
 595                 return ASN1_OVERFLOW;
 596             *tag = tag1;
 597             p++; len--; ret++;
 598         } while(continuation);
 599     }
 600     if(size) *size = ret;
 601     return 0;
 602 }
 603
 604 int
 605 der_match_tag (const unsigned char *p, size_t len,
 606                Der_class cls, Der_type type,
 607                unsigned int tag, size_t *size)
 608 {
 609     Der_type thistype;
 610     int e;
 611
 612     e = der_match_tag2(p, len, cls, &thistype, tag, size);
 613     if (e) return e;
 614     if (thistype != type) return ASN1_BAD_ID;
 615     return 0;
 616 }
 617
 618 int
 619 der_match_tag2 (const unsigned char *p, size_t len,
 620                 Der_class cls, Der_type *type,
 621                 unsigned int tag, size_t *size)
 622 {
 623     size_t l;
 624     Der_class thisclass;
 625     unsigned int thistag;
 626     int e;
 627
 628     e = der_get_tag (p, len, &thisclass, type, &thistag, &l);
 629     if (e) return e;
 630     if (cls != thisclass)
 631         return ASN1_BAD_ID;
 632     if(tag > thistag)
 633         return ASN1_MISPLACED_FIELD;
 634     if(tag < thistag)
 635         return ASN1_MISSING_FIELD;
 636     if(size) *size = l;
 637     return 0;
 638 }
 639
 640 int
 641 der_match_tag_and_length (const unsigned char *p, size_t len,
 642                           Der_class cls, Der_type *type, unsigned int tag,
 643                           size_t *length_ret, size_t *size)
 644 {
 645     size_t l, ret = 0;
 646     int e;
 647
 648     e = der_match_tag2 (p, len, cls, type, tag, &l);
 649     if (e) return e;
 650     p += l;
 651     len -= l;
 652     ret += l;
 653     e = der_get_length (p, len, length_ret, &l);
 654     if (e) return e;
 655     if(size) *size = ret + l;
 656     return 0;
 657 }
 658
 659
 660
 661 /*
 662  * Old versions of DCE was based on a very early beta of the MIT code,
 663  * which used MAVROS for ASN.1 encoding. MAVROS had the interesting
 664  * feature that it encoded data in the forward direction, which has
 665  * it's problems, since you have no idea how long the data will be
 666  * until after you're done. MAVROS solved this by reserving one byte
 667  * for length, and later, if the actual length was longer, it reverted
 668  * to indefinite, BER style, lengths. The version of MAVROS used by
 669  * the DCE people could apparently generate correct X.509 DER encodings, and
 670  * did this by making space for the length after encoding, but
 671  * unfortunately this feature wasn't used with Kerberos.
 672  */
 673
 674 int
 675 _heim_fix_dce(size_t reallen, size_t *len)
 676 {
 677     if(reallen == ASN1_INDEFINITE)
 678         return 1;
 679     if(*len < reallen)
 680         return -1;
 681     *len = reallen;
 682     return 0;
 683 }
 684
 685 int
 686 der_get_bit_string (const unsigned char *p, size_t len,
 687                     heim_bit_string *data, size_t *size)
 688 {
 689     if (len < 1)
 690         return ASN1_OVERRUN;
 691     if (p[0] > 7)
 692         return ASN1_BAD_FORMAT;
 693     if (len - 1 == 0 && p[0] != 0)
 694         return ASN1_BAD_FORMAT;
 695     /* check if any of the three upper bits are set
 696      * any of them will cause a interger overrun */
 697     if ((len - 1) >> (sizeof(len) * 8 - 3))
 698         return ASN1_OVERRUN;
 699     /*
 700      * If there is data to copy, do that now.
 701      */
 702     if (len - 1 > 0) {
 703         data->length = (len - 1) * 8;
 704         data->data = malloc(len - 1);
 705         if (data->data == NULL)
 706             return ENOMEM;
 707         memcpy (data->data, p + 1, len - 1);
 708         data->length -= p[0];
 709     } else {
 710         data->data = NULL;
 711         data->length = 0;
 712     }
 713     if(size) *size = len;
 714     return 0;
 715 }