oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
9c2351eb25e8be4fec2de14562d4dfbc1e7823f2
heimdal/lib/asn1/der_get.c
Jeffrey Altman a5da5bcb96 asn1: check overflow against SIZE_MAX not +1 
A comparison of (len > len + 1) is permitted to be optimized out
as dead code because it can't be true.  Overflowing is an exceptional
condition that results in undefined behavior.  The correct conditional
is (len == SIZE_MAX) when len is size_t.

Change-Id: Ia5586556a973d9fa5228430c4304ea9792c996bb
2014-06-20 20:15:13 -04:00

716 lines
16 KiB
C
Raw Blame History

/*
* Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "der_locl.h"
/*
* All decoding functions take a pointer `p' to first position in
* which to read, from the left, `len' which means the maximum number
* of characters we are able to read, `ret' were the value will be
* returned and `size' where the number of used bytes is stored.
* Either 0 or an error code is returned.
*/
int
der_get_unsigned (const unsigned char *p, size_t len,
unsigned *ret, size_t *size)
{
unsigned val = 0;
size_t oldlen = len;
if (len == sizeof(val) + 1 && p[0] == 0)
;
else if (len > sizeof(val))
return ASN1_OVERRUN;
while (len--)
val = val * 256 + *p++;
*ret = val;
if(size) *size = oldlen;
return 0;
}
int
der_get_unsigned64 (const unsigned char *p, size_t len,
uint64_t *ret, size_t *size)
{
uint64_t val = 0;
size_t oldlen = len;
if (len == sizeof(val) + 1 && p[0] == 0)
;
else if (len > sizeof(val))
return ASN1_OVERRUN;
while (len--)
val = val * 256 + *p++;
*ret = val;
if(size) *size = oldlen;
return 0;
}
int
der_get_integer (const unsigned char *p, size_t len,
int *ret, size_t *size)
{
int val = 0;
size_t oldlen = len;
if (len > sizeof(val))
return ASN1_OVERRUN;
if (len > 0) {
val = (signed char)*p++;
while (--len)
val = val * 256 + *p++;
}
*ret = val;
if(size) *size = oldlen;
return 0;
}
int
der_get_integer64 (const unsigned char *p, size_t len,
int64_t *ret, size_t *size)
{
int64_t val = 0;
size_t oldlen = len;
if (len > sizeof(val))
return ASN1_OVERRUN;
if (len > 0) {
val = (signed char)*p++;
while (--len)
val = val * 256 + *p++;
}
*ret = val;
if(size) *size = oldlen;
return 0;
}
int
der_get_length (const unsigned char *p, size_t len,
size_t *val, size_t *size)
{
size_t v;
if (len <= 0)
return ASN1_OVERRUN;
--len;
v = *p++;
if (v < 128) {
*val = v;
if(size) *size = 1;
} else {
int e;
size_t l;
unsigned tmp;
if(v == 0x80){
*val = ASN1_INDEFINITE;
if(size) *size = 1;
return 0;
}
v &= 0x7F;
if (len < v)
return ASN1_OVERRUN;
e = der_get_unsigned (p, v, &tmp, &l);
if(e) return e;
*val = tmp;
if(size) *size = l + 1;
}
return 0;
}
int
der_get_boolean(const unsigned char *p, size_t len, int *data, size_t *size)
{
if(len < 1)
return ASN1_OVERRUN;
if(*p != 0)
*data = 1;
else
*data = 0;
*size = 1;
return 0;
}
int
der_get_general_string (const unsigned char *p, size_t len,
heim_general_string *str, size_t *size)
{
const unsigned char *p1;
char *s;
p1 = memchr(p, 0, len);
if (p1 != NULL) {
/*
* Allow trailing NULs. We allow this since MIT Kerberos sends
* an strings in the NEED_PREAUTH case that includes a
* trailing NUL.
*/
while ((size_t)(p1 - p) < len && *p1 == '\0')
p1++;
if ((size_t)(p1 - p) != len) {
*str = NULL;
return ASN1_BAD_CHARACTER;
}
}
if (len == SIZE_MAX) {
*str = NULL;
return ASN1_BAD_LENGTH;
}
*str = s = malloc (len + 1);
if (s == NULL)
return ENOMEM;
memcpy (s, p, len);
s[len] = '\0';
if(size) *size = len;
return 0;
}
int
der_get_utf8string (const unsigned char *p, size_t len,
heim_utf8_string *str, size_t *size)
{
return der_get_general_string(p, len, str, size);
}
#define gen_data_zero(_data) \
do { (_data)->length = 0; (_data)->data = NULL; } while(0)
int
der_get_printable_string(const unsigned char *p, size_t len,
heim_printable_string *str, size_t *size)
{
if (len == SIZE_MAX) {
gen_data_zero(str);
return ASN1_BAD_LENGTH;
}
str->length = len;
str->data = malloc(len + 1);
if (str->data == NULL) {
gen_data_zero(str);
return ENOMEM;
}
memcpy(str->data, p, len);
((char *)str->data)[len] = '\0';
if(size) *size = len;
return 0;
}
int
der_get_ia5_string(const unsigned char *p, size_t len,
heim_ia5_string *str, size_t *size)
{
return der_get_printable_string(p, len, str, size);
}
int
der_get_bmp_string (const unsigned char *p, size_t len,
heim_bmp_string *data, size_t *size)
{
size_t i;
if (len & 1) {
gen_data_zero(data);
return ASN1_BAD_FORMAT;
}
data->length = len / 2;
if (data->length > UINT_MAX/sizeof(data->data[0])) {
gen_data_zero(data);
return ERANGE;
}
data->data = malloc(data->length * sizeof(data->data[0]));
if (data->data == NULL && data->length != 0) {
gen_data_zero(data);
return ENOMEM;
}
for (i = 0; i < data->length; i++) {
data->data[i] = (p[0] << 8) | p[1];
p += 2;
/* check for NUL in the middle of the string */
if (data->data[i] == 0 && i != (data->length - 1)) {
free(data->data);
gen_data_zero(data);
return ASN1_BAD_CHARACTER;
}
}
if (size) *size = len;
return 0;
}
int
der_get_universal_string (const unsigned char *p, size_t len,
heim_universal_string *data, size_t *size)
{
size_t i;
if (len & 3) {
gen_data_zero(data);
return ASN1_BAD_FORMAT;
}
data->length = len / 4;
if (data->length > UINT_MAX/sizeof(data->data[0])) {
gen_data_zero(data);
return ERANGE;
}
data->data = malloc(data->length * sizeof(data->data[0]));
if (data->data == NULL && data->length != 0) {
gen_data_zero(data);
return ENOMEM;
}
for (i = 0; i < data->length; i++) {
data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
p += 4;
/* check for NUL in the middle of the string */
if (data->data[i] == 0 && i != (data->length - 1)) {
free(data->data);
gen_data_zero(data);
return ASN1_BAD_CHARACTER;
}
}
if (size) *size = len;
return 0;
}
int
der_get_visible_string (const unsigned char *p, size_t len,
heim_visible_string *str, size_t *size)
{
return der_get_general_string(p, len, str, size);
}
int
der_get_octet_string (const unsigned char *p, size_t len,
heim_octet_string *data, size_t *size)
{
data->length = len;
data->data = malloc(len);
if (data->data == NULL && data->length != 0)
return ENOMEM;
memcpy (data->data, p, len);
if(size) *size = len;
return 0;
}
int
der_get_octet_string_ber (const unsigned char *p, size_t len,
heim_octet_string *data, size_t *size)
{
int e;
Der_type type;
Der_class cls;
unsigned int tag, depth = 0;
size_t l, datalen, oldlen = len;
data->length = 0;
data->data = NULL;
while (len) {
e = der_get_tag (p, len, &cls, &type, &tag, &l);
if (e) goto out;
if (cls != ASN1_C_UNIV) {
e = ASN1_BAD_ID;
goto out;
}
if (type == PRIM && tag == UT_EndOfContent) {
if (depth == 0)
break;
depth--;
}
if (tag != UT_OctetString) {
e = ASN1_BAD_ID;
goto out;
}
p += l;
len -= l;
e = der_get_length (p, len, &datalen, &l);
if (e) goto out;
p += l;
len -= l;
if (datalen > len)
return ASN1_OVERRUN;
if (type == PRIM) {
void *ptr;
ptr = realloc(data->data, data->length + datalen);
if (ptr == NULL) {
e = ENOMEM;
goto out;
}
data->data = ptr;
memcpy(((unsigned char *)data->data) + data->length, p, datalen);
data->length += datalen;
} else
depth++;
p += datalen;
len -= datalen;
}
if (depth != 0)
return ASN1_INDEF_OVERRUN;
if(size) *size = oldlen - len;
return 0;
out:
free(data->data);
data->data = NULL;
data->length = 0;
return e;
}
int
der_get_heim_integer (const unsigned char *p, size_t len,
heim_integer *data, size_t *size)
{
data->length = 0;
data->negative = 0;
data->data = NULL;
if (len == 0) {
if (size)
*size = 0;
return 0;
}
if (p[0] & 0x80) {
unsigned char *q;
int carry = 1;
data->negative = 1;
data->length = len;
if (p[0] == 0xff) {
p++;
data->length--;
}
data->data = malloc(data->length);
if (data->data == NULL) {
data->length = 0;
if (size)
*size = 0;
return ENOMEM;
}
q = &((unsigned char*)data->data)[data->length - 1];
p += data->length - 1;
while (q >= (unsigned char*)data->data) {
*q = *p ^ 0xff;
if (carry)
carry = !++*q;
p--;
q--;
}
} else {
data->negative = 0;
data->length = len;
if (p[0] == 0) {
p++;
data->length--;
}
data->data = malloc(data->length);
if (data->data == NULL && data->length != 0) {
data->length = 0;
if (size)
*size = 0;
return ENOMEM;
}
memcpy(data->data, p, data->length);
}
if (size)
*size = len;
return 0;
}
static int
generalizedtime2time (const char *s, time_t *t)
{
struct tm tm;
memset(&tm, 0, sizeof(tm));
if (sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
&tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
&tm.tm_min, &tm.tm_sec) != 6) {
if (sscanf (s, "%02d%02d%02d%02d%02d%02dZ",
&tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
&tm.tm_min, &tm.tm_sec) != 6)
return ASN1_BAD_TIMEFORMAT;
if (tm.tm_year < 50)
tm.tm_year += 2000;
else
tm.tm_year += 1900;
}
tm.tm_year -= 1900;
tm.tm_mon -= 1;
*t = _der_timegm (&tm);
return 0;
}
static int
der_get_time (const unsigned char *p, size_t len,
time_t *data, size_t *size)
{
char *times;
int e;
if (len == SIZE_MAX || len == 0)
return ASN1_BAD_LENGTH;
times = malloc(len + 1);
if (times == NULL)
return ENOMEM;
memcpy(times, p, len);
times[len] = '\0';
e = generalizedtime2time(times, data);
free (times);
if(size) *size = len;
return e;
}
int
der_get_generalized_time (const unsigned char *p, size_t len,
time_t *data, size_t *size)
{
return der_get_time(p, len, data, size);
}
int
der_get_utctime (const unsigned char *p, size_t len,
time_t *data, size_t *size)
{
return der_get_time(p, len, data, size);
}
int
der_get_oid (const unsigned char *p, size_t len,
heim_oid *data, size_t *size)
{
size_t n;
size_t oldlen = len;
if (len < 1)
return ASN1_OVERRUN;
if (len == SIZE_MAX)
return ASN1_BAD_LENGTH;
if (len + 1 > UINT_MAX/sizeof(data->components[0]))
return ERANGE;
data->components = malloc((len + 1) * sizeof(data->components[0]));
if (data->components == NULL)
return ENOMEM;
data->components[0] = (*p) / 40;
data->components[1] = (*p) % 40;
--len;
++p;
for (n = 2; len > 0; ++n) {
unsigned u = 0, u1;
do {
--len;
u1 = u * 128 + (*p++ % 128);
/* check that we don't overflow the element */
if (u1 < u) {
der_free_oid(data);
return ASN1_OVERRUN;
}
u = u1;
} while (len > 0 && p[-1] & 0x80);
data->components[n] = u;
}
if (n > 2 && p[-1] & 0x80) {
der_free_oid (data);
return ASN1_OVERRUN;
}
data->length = n;
if (size)
*size = oldlen;
return 0;
}
int
der_get_tag (const unsigned char *p, size_t len,
Der_class *cls, Der_type *type,
unsigned int *tag, size_t *size)
{
size_t ret = 0;
if (len < 1)
return ASN1_OVERRUN;
*cls = (Der_class)(((*p) >> 6) & 0x03);
*type = (Der_type)(((*p) >> 5) & 0x01);
*tag = (*p) & 0x1f;
p++; len--; ret++;
if(*tag == 0x1f) {
unsigned int continuation;
unsigned int tag1;
*tag = 0;
do {
if(len < 1)
return ASN1_OVERRUN;
continuation = *p & 128;
tag1 = *tag * 128 + (*p % 128);
/* check that we don't overflow the tag */
if (tag1 < *tag)
return ASN1_OVERFLOW;
*tag = tag1;
p++; len--; ret++;
} while(continuation);
}
if(size) *size = ret;
return 0;
}
int
der_match_tag (const unsigned char *p, size_t len,
Der_class cls, Der_type type,
unsigned int tag, size_t *size)
{
Der_type thistype;
int e;
e = der_match_tag2(p, len, cls, &thistype, tag, size);
if (e) return e;
if (thistype != type) return ASN1_BAD_ID;
return 0;
}
int
der_match_tag2 (const unsigned char *p, size_t len,
Der_class cls, Der_type *type,
unsigned int tag, size_t *size)
{
size_t l;
Der_class thisclass;
unsigned int thistag;
int e;
e = der_get_tag (p, len, &thisclass, type, &thistag, &l);
if (e) return e;
if (cls != thisclass)
return ASN1_BAD_ID;
if(tag > thistag)
return ASN1_MISPLACED_FIELD;
if(tag < thistag)
return ASN1_MISSING_FIELD;
if(size) *size = l;
return 0;
}
int
der_match_tag_and_length (const unsigned char *p, size_t len,
Der_class cls, Der_type *type, unsigned int tag,
size_t *length_ret, size_t *size)
{
size_t l, ret = 0;
int e;
e = der_match_tag2 (p, len, cls, type, tag, &l);
if (e) return e;
p += l;
len -= l;
ret += l;
e = der_get_length (p, len, length_ret, &l);
if (e) return e;
if(size) *size = ret + l;
return 0;
}
/*
* Old versions of DCE was based on a very early beta of the MIT code,
* which used MAVROS for ASN.1 encoding. MAVROS had the interesting
* feature that it encoded data in the forward direction, which has
* it's problems, since you have no idea how long the data will be
* until after you're done. MAVROS solved this by reserving one byte
* for length, and later, if the actual length was longer, it reverted
* to indefinite, BER style, lengths. The version of MAVROS used by
* the DCE people could apparently generate correct X.509 DER encodings, and
* did this by making space for the length after encoding, but
* unfortunately this feature wasn't used with Kerberos.
*/
int
_heim_fix_dce(size_t reallen, size_t *len)
{
if(reallen == ASN1_INDEFINITE)
return 1;
if(*len < reallen)
return -1;
*len = reallen;
return 0;
}
int
der_get_bit_string (const unsigned char *p, size_t len,
heim_bit_string *data, size_t *size)
{
if (len < 1)
return ASN1_OVERRUN;
if (p[0] > 7)
return ASN1_BAD_FORMAT;
if (len - 1 == 0 && p[0] != 0)
return ASN1_BAD_FORMAT;
/* check if any of the three upper bits are set
* any of them will cause a interger overrun */
if ((len - 1) >> (sizeof(len) * 8 - 3))
return ASN1_OVERRUN;
/*
* If there is data to copy, do that now.
*/
if (len - 1 > 0) {
data->length = (len - 1) * 8;
data->data = malloc(len - 1);
if (data->data == NULL)
return ENOMEM;
memcpy (data->data, p + 1, len - 1);
data->length -= p[0];
} else {
data->data = NULL;
data->length = 0;
}
if(size) *size = len;
return 0;
}
Reference in New Issue View Git Blame Copy Permalink