diff options
Diffstat (limited to 'crypto/heimdal/lib/asn1/der_get.c')
-rw-r--r-- | crypto/heimdal/lib/asn1/der_get.c | 575 |
1 files changed, 319 insertions, 256 deletions
diff --git a/crypto/heimdal/lib/asn1/der_get.c b/crypto/heimdal/lib/asn1/der_get.c index 429fd66..f232ce9 100644 --- a/crypto/heimdal/lib/asn1/der_get.c +++ b/crypto/heimdal/lib/asn1/der_get.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$Id: der_get.c,v 1.33 2002/09/03 16:21:49 nectar Exp $"); +RCSID("$Id: der_get.c 21369 2007-06-27 10:14:39Z lha $"); #include <version.h> @@ -45,13 +45,18 @@ RCSID("$Id: der_get.c,v 1.33 2002/09/03 16:21:49 nectar Exp $"); * Either 0 or an error code is returned. */ -static int +int der_get_unsigned (const unsigned char *p, size_t len, unsigned *ret, size_t *size) { unsigned val = 0; size_t oldlen = len; + if (len == sizeof(unsigned) + 1 && p[0] == 0) + ; + else if (len > sizeof(unsigned)) + return ASN1_OVERRUN; + while (len--) val = val * 256 + *p++; *ret = val; @@ -60,12 +65,15 @@ der_get_unsigned (const unsigned char *p, size_t len, } int -der_get_int (const unsigned char *p, size_t len, - int *ret, size_t *size) +der_get_integer (const unsigned char *p, size_t len, + int *ret, size_t *size) { int val = 0; size_t oldlen = len; + if (len > sizeof(int)) + return ASN1_OVERRUN; + if (len > 0) { val = (signed char)*p++; while (--len) @@ -111,11 +119,40 @@ der_get_length (const unsigned char *p, size_t len, } int +der_get_boolean(const unsigned char *p, size_t len, int *data, size_t *size) +{ + if(len < 1) + return ASN1_OVERRUN; + if(*p != 0) + *data = 1; + else + *data = 0; + *size = 1; + return 0; +} + +int der_get_general_string (const unsigned char *p, size_t len, - general_string *str, size_t *size) + heim_general_string *str, size_t *size) { + const unsigned char *p1; char *s; + p1 = memchr(p, 0, len); + if (p1 != NULL) { + /* + * Allow trailing NULs. We allow this since MIT Kerberos sends + * an strings in the NEED_PREAUTH case that includes a + * trailing NUL. + */ + while (p1 - p < len && *p1 == '\0') + p1++; + if (p1 - p != len) + return ASN1_BAD_CHARACTER; + } + if (len > len + 1) + return ASN1_BAD_LENGTH; + s = malloc (len + 1); if (s == NULL) return ENOMEM; @@ -127,8 +164,83 @@ der_get_general_string (const unsigned char *p, size_t len, } int +der_get_utf8string (const unsigned char *p, size_t len, + heim_utf8_string *str, size_t *size) +{ + return der_get_general_string(p, len, str, size); +} + +int +der_get_printable_string (const unsigned char *p, size_t len, + heim_printable_string *str, size_t *size) +{ + return der_get_general_string(p, len, str, size); +} + +int +der_get_ia5_string (const unsigned char *p, size_t len, + heim_ia5_string *str, size_t *size) +{ + return der_get_general_string(p, len, str, size); +} + +int +der_get_bmp_string (const unsigned char *p, size_t len, + heim_bmp_string *data, size_t *size) +{ + size_t i; + + if (len & 1) + return ASN1_BAD_FORMAT; + data->length = len / 2; + if (data->length > UINT_MAX/sizeof(data->data[0])) + return ERANGE; + data->data = malloc(data->length * sizeof(data->data[0])); + if (data->data == NULL && data->length != 0) + return ENOMEM; + + for (i = 0; i < data->length; i++) { + data->data[i] = (p[0] << 8) | p[1]; + p += 2; + } + if (size) *size = len; + + return 0; +} + +int +der_get_universal_string (const unsigned char *p, size_t len, + heim_universal_string *data, size_t *size) +{ + size_t i; + + if (len & 3) + return ASN1_BAD_FORMAT; + data->length = len / 4; + if (data->length > UINT_MAX/sizeof(data->data[0])) + return ERANGE; + data->data = malloc(data->length * sizeof(data->data[0])); + if (data->data == NULL && data->length != 0) + return ENOMEM; + + for (i = 0; i < data->length; i++) { + data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; + p += 4; + } + if (size) *size = len; + return 0; +} + +int +der_get_visible_string (const unsigned char *p, size_t len, + heim_visible_string *str, size_t *size) +{ + return der_get_general_string(p, len, str, size); +} + +int der_get_octet_string (const unsigned char *p, size_t len, - octet_string *data, size_t *size) + heim_octet_string *data, size_t *size) { data->length = len; data->data = malloc(len); @@ -140,33 +252,166 @@ der_get_octet_string (const unsigned char *p, size_t len, } int +der_get_heim_integer (const unsigned char *p, size_t len, + heim_integer *data, size_t *size) +{ + data->length = 0; + data->negative = 0; + data->data = NULL; + + if (len == 0) { + if (size) + *size = 0; + return 0; + } + if (p[0] & 0x80) { + unsigned char *q; + int carry = 1; + data->negative = 1; + + data->length = len; + + if (p[0] == 0xff) { + p++; + data->length--; + } + data->data = malloc(data->length); + if (data->data == NULL) { + data->length = 0; + if (size) + *size = 0; + return ENOMEM; + } + q = &((unsigned char*)data->data)[data->length - 1]; + p += data->length - 1; + while (q >= (unsigned char*)data->data) { + *q = *p ^ 0xff; + if (carry) + carry = !++*q; + p--; + q--; + } + } else { + data->negative = 0; + data->length = len; + + if (p[0] == 0) { + p++; + data->length--; + } + data->data = malloc(data->length); + if (data->data == NULL && data->length != 0) { + data->length = 0; + if (size) + *size = 0; + return ENOMEM; + } + memcpy(data->data, p, data->length); + } + if (size) + *size = len; + return 0; +} + +static int +generalizedtime2time (const char *s, time_t *t) +{ + struct tm tm; + + memset(&tm, 0, sizeof(tm)); + if (sscanf (s, "%04d%02d%02d%02d%02d%02dZ", + &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, + &tm.tm_min, &tm.tm_sec) != 6) { + if (sscanf (s, "%02d%02d%02d%02d%02d%02dZ", + &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, + &tm.tm_min, &tm.tm_sec) != 6) + return ASN1_BAD_TIMEFORMAT; + if (tm.tm_year < 50) + tm.tm_year += 2000; + else + tm.tm_year += 1900; + } + tm.tm_year -= 1900; + tm.tm_mon -= 1; + *t = _der_timegm (&tm); + return 0; +} + +static int +der_get_time (const unsigned char *p, size_t len, + time_t *data, size_t *size) +{ + char *times; + int e; + + if (len > len + 1 || len == 0) + return ASN1_BAD_LENGTH; + + times = malloc(len + 1); + if (times == NULL) + return ENOMEM; + memcpy(times, p, len); + times[len] = '\0'; + e = generalizedtime2time(times, data); + free (times); + if(size) *size = len; + return e; +} + +int +der_get_generalized_time (const unsigned char *p, size_t len, + time_t *data, size_t *size) +{ + return der_get_time(p, len, data, size); +} + +int +der_get_utctime (const unsigned char *p, size_t len, + time_t *data, size_t *size) +{ + return der_get_time(p, len, data, size); +} + +int der_get_oid (const unsigned char *p, size_t len, - oid *data, size_t *size) + heim_oid *data, size_t *size) { - int n; + size_t n; size_t oldlen = len; if (len < 1) return ASN1_OVERRUN; - data->components = malloc(len * sizeof(*data->components)); - if (data->components == NULL && len != 0) + if (len > len + 1) + return ASN1_BAD_LENGTH; + + if (len + 1 > UINT_MAX/sizeof(data->components[0])) + return ERANGE; + + data->components = malloc((len + 1) * sizeof(data->components[0])); + if (data->components == NULL) return ENOMEM; data->components[0] = (*p) / 40; data->components[1] = (*p) % 40; --len; ++p; for (n = 2; len > 0; ++n) { - unsigned u = 0; - + unsigned u = 0, u1; + do { --len; - u = u * 128 + (*p++ % 128); + u1 = u * 128 + (*p++ % 128); + /* check that we don't overflow the element */ + if (u1 < u) { + der_free_oid(data); + return ASN1_OVERRUN; + } + u = u1; } while (len > 0 && p[-1] & 0x80); data->components[n] = u; } - if (p[-1] & 0x80) { - free_oid (data); + if (n > 2 && p[-1] & 0x80) { + der_free_oid (data); return ASN1_OVERRUN; } data->length = n; @@ -178,26 +423,44 @@ der_get_oid (const unsigned char *p, size_t len, int der_get_tag (const unsigned char *p, size_t len, Der_class *class, Der_type *type, - int *tag, size_t *size) + unsigned int *tag, size_t *size) { + size_t ret = 0; if (len < 1) return ASN1_OVERRUN; *class = (Der_class)(((*p) >> 6) & 0x03); *type = (Der_type)(((*p) >> 5) & 0x01); - *tag = (*p) & 0x1F; - if(size) *size = 1; + *tag = (*p) & 0x1f; + p++; len--; ret++; + if(*tag == 0x1f) { + unsigned int continuation; + unsigned int tag1; + *tag = 0; + do { + if(len < 1) + return ASN1_OVERRUN; + continuation = *p & 128; + tag1 = *tag * 128 + (*p % 128); + /* check that we don't overflow the tag */ + if (tag1 < *tag) + return ASN1_OVERFLOW; + *tag = tag1; + p++; len--; ret++; + } while(continuation); + } + if(size) *size = ret; return 0; } int der_match_tag (const unsigned char *p, size_t len, Der_class class, Der_type type, - int tag, size_t *size) + unsigned int tag, size_t *size) { size_t l; Der_class thisclass; Der_type thistype; - int thistag; + unsigned int thistag; int e; e = der_get_tag (p, len, &thisclass, &thistype, &thistag, &l); @@ -214,7 +477,7 @@ der_match_tag (const unsigned char *p, size_t len, int der_match_tag_and_length (const unsigned char *p, size_t len, - Der_class class, Der_type type, int tag, + Der_class class, Der_type type, unsigned int tag, size_t *length_ret, size_t *size) { size_t l, ret = 0; @@ -234,250 +497,50 @@ der_match_tag_and_length (const unsigned char *p, size_t len, return 0; } -int -decode_integer (const unsigned char *p, size_t len, - int *num, size_t *size) -{ - size_t ret = 0; - size_t l, reallen; - int e; - - e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_length (p, len, &reallen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (reallen > len) - return ASN1_OVERRUN; - e = der_get_int (p, reallen, num, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_unsigned (const unsigned char *p, size_t len, - unsigned *num, size_t *size) -{ - size_t ret = 0; - size_t l, reallen; - int e; - - e = der_match_tag (p, len, UNIV, PRIM, UT_Integer, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_length (p, len, &reallen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (reallen > len) - return ASN1_OVERRUN; - e = der_get_unsigned (p, reallen, num, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_enumerated (const unsigned char *p, size_t len, - unsigned *num, size_t *size) -{ - size_t ret = 0; - size_t l, reallen; - int e; - - e = der_match_tag (p, len, UNIV, PRIM, UT_Enumerated, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_length (p, len, &reallen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - e = der_get_int (p, reallen, num, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -int -decode_general_string (const unsigned char *p, size_t len, - general_string *str, size_t *size) -{ - size_t ret = 0; - size_t l; - int e; - size_t slen; - - e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralString, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - - e = der_get_length (p, len, &slen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (len < slen) - return ASN1_OVERRUN; - - e = der_get_general_string (p, slen, str, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} +/* + * Old versions of DCE was based on a very early beta of the MIT code, + * which used MAVROS for ASN.1 encoding. MAVROS had the interesting + * feature that it encoded data in the forward direction, which has + * it's problems, since you have no idea how long the data will be + * until after you're done. MAVROS solved this by reserving one byte + * for length, and later, if the actual length was longer, it reverted + * to indefinite, BER style, lengths. The version of MAVROS used by + * the DCE people could apparently generate correct X.509 DER encodings, and + * did this by making space for the length after encoding, but + * unfortunately this feature wasn't used with Kerberos. + */ int -decode_octet_string (const unsigned char *p, size_t len, - octet_string *k, size_t *size) +_heim_fix_dce(size_t reallen, size_t *len) { - size_t ret = 0; - size_t l; - int e; - size_t slen; - - e = der_match_tag (p, len, UNIV, PRIM, UT_OctetString, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - - e = der_get_length (p, len, &slen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (len < slen) - return ASN1_OVERRUN; - - e = der_get_octet_string (p, slen, k, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; + if(reallen == ASN1_INDEFINITE) + return 1; + if(*len < reallen) + return -1; + *len = reallen; return 0; } int -decode_oid (const unsigned char *p, size_t len, - oid *k, size_t *size) +der_get_bit_string (const unsigned char *p, size_t len, + heim_bit_string *data, size_t *size) { - size_t ret = 0; - size_t l; - int e; - size_t slen; - - e = der_match_tag (p, len, UNIV, PRIM, UT_OID, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - - e = der_get_length (p, len, &slen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (len < slen) + if (len < 1) return ASN1_OVERRUN; - - e = der_get_oid (p, slen, k, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if(size) *size = ret; - return 0; -} - -static void -generalizedtime2time (const char *s, time_t *t) -{ - struct tm tm; - - memset(&tm, 0, sizeof(tm)); - sscanf (s, "%04d%02d%02d%02d%02d%02dZ", - &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, - &tm.tm_min, &tm.tm_sec); - tm.tm_year -= 1900; - tm.tm_mon -= 1; - *t = timegm (&tm); -} - -int -decode_generalized_time (const unsigned char *p, size_t len, - time_t *t, size_t *size) -{ - octet_string k; - char *times; - size_t ret = 0; - size_t l; - int e; - size_t slen; - - e = der_match_tag (p, len, UNIV, PRIM, UT_GeneralizedTime, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - - e = der_get_length (p, len, &slen, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - if (len < slen) + if (p[0] > 7) + return ASN1_BAD_FORMAT; + if (len - 1 == 0 && p[0] != 0) + return ASN1_BAD_FORMAT; + /* check if any of the three upper bits are set + * any of them will cause a interger overrun */ + if ((len - 1) >> (sizeof(len) * 8 - 3)) return ASN1_OVERRUN; - e = der_get_octet_string (p, slen, &k, &l); - if (e) return e; - p += l; - len -= l; - ret += l; - times = realloc(k.data, k.length + 1); - if (times == NULL){ - free(k.data); + data->length = (len - 1) * 8; + data->data = malloc(len - 1); + if (data->data == NULL && (len - 1) != 0) return ENOMEM; - } - times[k.length] = 0; - generalizedtime2time (times, t); - free (times); - if(size) *size = ret; - return 0; -} - - -int -fix_dce(size_t reallen, size_t *len) -{ - if(reallen == ASN1_INDEFINITE) - return 1; - if(*len < reallen) - return -1; - *len = reallen; + memcpy (data->data, p + 1, len - 1); + data->length -= p[0]; + if(size) *size = len; return 0; } |