2 * Copyright (c) 2001-2003
3 * Fraunhofer Institute for Open Communication Systems (FhG Fokus).
6 * Author: Harti Brandt <harti@freebsd.org>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * $Begemot: bsnmp/lib/asn1.c,v 1.31 2005/10/06 07:14:58 brandt_h Exp $
33 #include <sys/types.h>
40 #elif defined(HAVE_INTTYPES_H)
48 static void asn_error_func(const struct asn_buf *, const char *, ...);
50 void (*asn_error)(const struct asn_buf *, const char *, ...) = asn_error_func;
53 * Read the next header. This reads the tag (note, that only single
54 * byte tags are supported for now) and the length field. The length field
55 * is restricted to a 32-bit value.
56 * All errors of this function stop the decoding.
59 asn_get_header(struct asn_buf *b, u_char *type, asn_len_t *len)
63 if (b->asn_len == 0) {
64 asn_error(b, "no identifier for header");
65 return (ASN_ERR_EOBUF);
68 if ((*type & ASN_TYPE_MASK) > 0x1e) {
69 asn_error(b, "tags > 0x1e not supported (%#x)",
70 *type & ASN_TYPE_MASK);
71 return (ASN_ERR_FAILED);
75 if (b->asn_len == 0) {
76 asn_error(b, "no length field");
77 return (ASN_ERR_EOBUF);
79 if (*b->asn_cptr & 0x80) {
80 length = *b->asn_cptr++ & 0x7f;
83 asn_error(b, "indefinite length not supported");
84 return (ASN_ERR_FAILED);
86 if (length > ASN_MAXLENLEN) {
87 asn_error(b, "long length too long (%u)", length);
88 return (ASN_ERR_FAILED);
90 if (length > b->asn_len) {
91 asn_error(b, "long length truncated");
92 return (ASN_ERR_EOBUF);
96 *len = (*len << 8) | *b->asn_cptr++;
100 *len = *b->asn_cptr++;
104 #ifdef BOGUS_CVE_2019_5610_FIX
106 * This is the fix from CVE-2019-5610.
108 * This is the wrong place. Each of the asn functions should check
109 * that it has enough info for its own work.
111 if (*len > b->asn_len) {
112 asn_error(b, "lenen %u exceeding asn_len %u", *len, b->asn_len);
113 return (ASN_ERR_EOBUF);
120 * Write a length field (restricted to values < 2^32-1) and return the
121 * number of bytes this field takes. If ptr is NULL, the length is computed
122 * but nothing is written. If the length would be too large return 0.
125 asn_put_len(u_char *ptr, asn_len_t len)
127 u_int lenlen, lenlen1;
130 if (len > ASN_MAXLEN) {
131 asn_error(NULL, "encoding length too long: (%u)", len);
137 *ptr++ = (u_char)len;
141 /* compute number of bytes for value (is at least 1) */
142 for (tmp = len; tmp != 0; tmp >>= 8)
145 *ptr++ = (u_char)lenlen | 0x80;
147 while (lenlen1-- > 0) {
148 ptr[lenlen1] = len & 0xff;
157 * Write a header (tag and length fields).
158 * Tags are restricted to one byte tags (value <= 0x1e) and the
159 * lenght field to 16-bit. All errors stop the encoding.
162 asn_put_header(struct asn_buf *b, u_char type, asn_len_t len)
167 if ((type & ASN_TYPE_MASK) > 0x1e) {
168 asn_error(NULL, "types > 0x1e not supported (%#x)",
169 type & ASN_TYPE_MASK);
170 return (ASN_ERR_FAILED);
173 return (ASN_ERR_EOBUF);
175 *b->asn_ptr++ = type;
179 if ((lenlen = asn_put_len(NULL, len)) == 0)
180 return (ASN_ERR_FAILED);
181 if (b->asn_len < lenlen)
182 return (ASN_ERR_EOBUF);
184 (void)asn_put_len(b->asn_ptr, len);
185 b->asn_ptr += lenlen;
186 b->asn_len -= lenlen;
192 * This constructs a temporary sequence header with space for the maximum
193 * length field (three byte). Set the pointer that ptr points to to the
194 * start of the encoded header. This is used for a later call to
195 * asn_commit_header which will fix-up the length field and move the
196 * value if needed. All errors should stop the encoding.
198 #define TEMP_LEN (1 + ASN_MAXLENLEN + 1)
200 asn_put_temp_header(struct asn_buf *b, u_char type, u_char **ptr)
204 if (b->asn_len < TEMP_LEN)
205 return (ASN_ERR_EOBUF);
207 if ((ret = asn_put_header(b, type, ASN_MAXLEN)) == ASN_ERR_OK)
208 assert(b->asn_ptr == *ptr + TEMP_LEN);
212 asn_commit_header(struct asn_buf *b, u_char *ptr, size_t *moved)
217 /* compute length of encoded value without header */
218 len = b->asn_ptr - (ptr + TEMP_LEN);
220 /* insert length. may not fail. */
221 lenlen = asn_put_len(ptr + 1, len);
222 if (lenlen > TEMP_LEN - 1)
223 return (ASN_ERR_FAILED);
225 if (lenlen < TEMP_LEN - 1) {
226 /* shift value down */
227 shift = (TEMP_LEN - 1) - lenlen;
228 memmove(ptr + 1 + lenlen, ptr + TEMP_LEN, len);
239 * BER integer. This may be used to get a signed 64 bit integer at maximum.
240 * The maximum length should be checked by the caller. This cannot overflow
241 * if the caller ensures that len is at maximum 8.
246 asn_get_real_integer(struct asn_buf *b, asn_len_t len, int64_t *vp)
252 if (b->asn_len < len) {
253 asn_error(b, "truncated integer");
254 return (ASN_ERR_EOBUF);
257 asn_error(b, "zero-length integer");
259 return (ASN_ERR_BADLEN);
263 asn_error(b, "integer too long");
265 } else if (len > 1 &&
266 ((*b->asn_cptr == 0x00 && (b->asn_cptr[1] & 0x80) == 0) ||
267 (*b->asn_cptr == 0xff && (b->asn_cptr[1] & 0x80) == 0x80))) {
268 asn_error(b, "non-minimal integer");
269 err = ASN_ERR_BADLEN;
272 if (*b->asn_cptr & 0x80)
277 val |= neg ? (u_char)~*b->asn_cptr : *b->asn_cptr;
282 *vp = -(int64_t)val - 1;
289 * Write a signed integer with the given type. The caller has to ensure
290 * that the actual value is ok for this type.
293 asn_put_real_integer(struct asn_buf *b, u_char type, int64_t ival)
302 /* this may fail if |INT64_MIN| > |INT64_MAX| and
303 * the value is between * INT64_MIN <= ival < -(INT64_MAX+1) */
304 val = (uint64_t)-(ival + 1);
307 val = (uint64_t)ival;
309 /* split the value into octets */
310 for (i = OCTETS - 1; i >= 0; i--) {
316 /* no leading 9 zeroes or ones */
317 for (i = 0; i < OCTETS - 1; i++)
318 if (!((buf[i] == 0xff && (buf[i + 1] & 0x80) != 0) ||
319 (buf[i] == 0x00 && (buf[i + 1] & 0x80) == 0)))
321 if ((ret = asn_put_header(b, type, OCTETS - i)))
323 if (OCTETS - (u_int)i > b->asn_len)
324 return (ASN_ERR_EOBUF);
327 *b->asn_ptr++ = buf[i++];
336 * The same for unsigned 64-bitters. Here we have the problem, that overflow
337 * can happen, because the value maybe 9 bytes long. In this case the
338 * first byte must be 0.
341 asn_get_real_unsigned(struct asn_buf *b, asn_len_t len, uint64_t *vp)
344 if (b->asn_len < len) {
345 asn_error(b, "truncated integer");
346 return (ASN_ERR_EOBUF);
350 asn_error(b, "zero-length integer");
351 return (ASN_ERR_BADLEN);
353 if (len > 1 && *b->asn_cptr == 0x00 && (b->asn_cptr[1] & 0x80) == 0) {
355 asn_error(b, "non-minimal unsigned");
358 return (ASN_ERR_BADLEN);
362 enum asn_err err = ASN_ERR_OK;
364 if ((*b->asn_cptr & 0x80) || len > 9 ||
365 (len == 9 && *b->asn_cptr != 0)) {
366 /* negative integer or too larger */
367 *vp = 0xffffffffffffffffULL;
368 asn_error(b, "unsigned too large or negative");
371 return (ASN_ERR_RANGE);
375 *vp = (*vp << 8) | *b->asn_cptr++;
383 * Values with the msb on need 9 octets.
386 asn_put_real_unsigned(struct asn_buf *b, u_char type, uint64_t val)
393 /* split the value into octets */
394 for (i = OCTETS - 1; i >= 0; i--) {
398 /* no leading 9 zeroes */
399 for (i = 0; i < OCTETS - 1; i++)
400 if (!(buf[i] == 0x00 && (buf[i + 1] & 0x80) == 0))
402 if ((ret = asn_put_header(b, type, OCTETS - i)))
404 if (OCTETS - (u_int)i > b->asn_len)
405 return (ASN_ERR_EOBUF);
408 *b->asn_ptr++ = buf[i++];
416 * The ASN.1 INTEGER type is restricted to 32-bit signed by the SMI.
419 asn_get_integer_raw(struct asn_buf *b, asn_len_t len, int32_t *vp)
424 if ((ret = asn_get_real_integer(b, len, &val)) == ASN_ERR_OK) {
426 asn_error(b, "integer too long");
427 ret = ASN_ERR_BADLEN;
428 } else if (val > INT32_MAX || val < INT32_MIN) {
430 asn_error(b, "integer out of range");
439 asn_get_integer(struct asn_buf *b, int32_t *vp)
445 if ((err = asn_get_header(b, &type, &len)) != ASN_ERR_OK)
447 if (type != ASN_TYPE_INTEGER) {
448 asn_error(b, "bad type for integer (%u)", type);
449 return (ASN_ERR_TAG);
452 return (asn_get_integer_raw(b, len, vp));
456 asn_put_integer(struct asn_buf *b, int32_t val)
458 return (asn_put_real_integer(b, ASN_TYPE_INTEGER, val));
464 * <0x04> <len> <data ...>
466 * Get an octetstring. noctets must point to the buffer size and on
467 * return will contain the size of the octetstring, regardless of the
471 asn_get_octetstring_raw(struct asn_buf *b, asn_len_t len, u_char *octets,
474 enum asn_err err = ASN_ERR_OK;
476 if (*noctets < len) {
477 asn_error(b, "octetstring truncated");
480 if (b->asn_len < len) {
481 asn_error(b, "truncatet octetstring");
482 return (ASN_ERR_EOBUF);
485 memcpy(octets, b->asn_cptr, *noctets);
487 memcpy(octets, b->asn_cptr, len);
495 asn_get_octetstring(struct asn_buf *b, u_char *octets, u_int *noctets)
501 if ((err = asn_get_header(b, &type, &len)) != ASN_ERR_OK)
503 if (type != ASN_TYPE_OCTETSTRING) {
504 asn_error(b, "bad type for octetstring (%u)", type);
505 return (ASN_ERR_TAG);
507 return (asn_get_octetstring_raw(b, len, octets, noctets));
511 asn_put_octetstring(struct asn_buf *b, const u_char *octets, u_int noctets)
515 if ((ret = asn_put_header(b, ASN_TYPE_OCTETSTRING, noctets)) != ASN_ERR_OK)
517 if (b->asn_len < noctets)
518 return (ASN_ERR_EOBUF);
520 memcpy(b->asn_ptr, octets, noctets);
521 b->asn_ptr += noctets;
522 b->asn_len -= noctets;
532 asn_get_null_raw(struct asn_buf *b, asn_len_t len)
535 if (b->asn_len < len) {
536 asn_error(b, "truncated NULL");
537 return (ASN_ERR_EOBUF);
539 asn_error(b, "bad length for NULL (%u)", len);
542 return (ASN_ERR_BADLEN);
548 asn_get_null(struct asn_buf *b)
554 if ((err = asn_get_header(b, &type, &len)) != ASN_ERR_OK)
556 if (type != ASN_TYPE_NULL) {
557 asn_error(b, "bad type for NULL (%u)", type);
558 return (ASN_ERR_TAG);
560 return (asn_get_null_raw(b, len));
564 asn_put_null(struct asn_buf *b)
566 return (asn_put_header(b, ASN_TYPE_NULL, 0));
570 asn_put_exception(struct asn_buf *b, u_int except)
572 return (asn_put_header(b, ASN_CLASS_CONTEXT | except, 0));
578 * <0x06> <len> <subid...>
581 asn_get_objid_raw(struct asn_buf *b, asn_len_t len, struct asn_oid *oid)
586 if (b->asn_len < len) {
587 asn_error(b, "truncated OBJID");
588 return (ASN_ERR_EOBUF);
592 asn_error(b, "short OBJID");
593 oid->subs[oid->len++] = 0;
594 oid->subs[oid->len++] = 0;
595 return (ASN_ERR_BADLEN);
599 if (oid->len == ASN_MAXOIDLEN) {
600 asn_error(b, "OID too long (%u)", oid->len);
603 return (ASN_ERR_BADLEN);
608 asn_error(b, "unterminated subid");
609 return (ASN_ERR_EOBUF);
611 if (subid > (ASN_MAXID >> 7)) {
612 asn_error(b, "OID subid too larger");
615 subid = (subid << 7) | (*b->asn_cptr & 0x7f);
618 } while (*b->asn_cptr++ & 0x80);
621 oid->subs[oid->len++] = subid / 40;
622 oid->subs[oid->len++] = subid % 40;
624 oid->subs[oid->len++] = 2;
625 oid->subs[oid->len++] = subid - 80;
628 oid->subs[oid->len++] = subid;
636 asn_get_objid(struct asn_buf *b, struct asn_oid *oid)
642 if ((err = asn_get_header(b, &type, &len)) != ASN_ERR_OK)
644 if (type != ASN_TYPE_OBJID) {
645 asn_error(b, "bad type for OBJID (%u)", type);
646 return (ASN_ERR_TAG);
648 return (asn_get_objid_raw(b, len, oid));
652 asn_put_objid(struct asn_buf *b, const struct asn_oid *oid)
654 asn_subid_t first, sub;
655 enum asn_err err, err1;
662 asn_error(NULL, "short oid");
666 } else if (oid->len == 1) {
668 asn_error(NULL, "short oid");
669 if (oid->subs[0] > 2)
670 asn_error(NULL, "oid[0] too large (%u)", oid->subs[0]);
672 first = oid->subs[0] * 40;
675 if (oid->len > ASN_MAXOIDLEN) {
676 asn_error(NULL, "oid too long %u", oid->len);
679 if (oid->subs[0] > 2 ||
680 (oid->subs[0] < 2 && oid->subs[1] >= 40) ||
681 (oid->subs[0] == 2 && oid->subs[1] > ASN_MAXID - 2 * 40)) {
682 asn_error(NULL, "oid out of range (%u,%u)",
683 oid->subs[0], oid->subs[1]);
686 first = 40 * oid->subs[0] + oid->subs[1];
690 for (i = 1; i < oidlen; i++) {
691 sub = (i == 1) ? first : oid->subs[i];
692 if (sub > ASN_MAXID) {
693 asn_error(NULL, "oid subid too large");
696 len += (sub <= 0x7f) ? 1
697 : (sub <= 0x3fff) ? 2
698 : (sub <= 0x1fffff) ? 3
699 : (sub <= 0xfffffff) ? 4
702 if ((err1 = asn_put_header(b, ASN_TYPE_OBJID, len)) != ASN_ERR_OK)
704 if (b->asn_len < len)
705 return (ASN_ERR_EOBUF);
707 for (i = 1; i < oidlen; i++) {
708 sub = (i == 1) ? first : oid->subs[i];
712 } else if (sub <= 0x3fff) {
713 *b->asn_ptr++ = (sub >> 7) | 0x80;
714 *b->asn_ptr++ = sub & 0x7f;
716 } else if (sub <= 0x1fffff) {
717 *b->asn_ptr++ = (sub >> 14) | 0x80;
718 *b->asn_ptr++ = ((sub >> 7) & 0x7f) | 0x80;
719 *b->asn_ptr++ = sub & 0x7f;
721 } else if (sub <= 0xfffffff) {
722 *b->asn_ptr++ = (sub >> 21) | 0x80;
723 *b->asn_ptr++ = ((sub >> 14) & 0x7f) | 0x80;
724 *b->asn_ptr++ = ((sub >> 7) & 0x7f) | 0x80;
725 *b->asn_ptr++ = sub & 0x7f;
728 *b->asn_ptr++ = (sub >> 28) | 0x80;
729 *b->asn_ptr++ = ((sub >> 21) & 0x7f) | 0x80;
730 *b->asn_ptr++ = ((sub >> 14) & 0x7f) | 0x80;
731 *b->asn_ptr++ = ((sub >> 7) & 0x7f) | 0x80;
732 *b->asn_ptr++ = sub & 0x7f;
741 * <0x10|0x20> <len> <data...>
744 asn_get_sequence(struct asn_buf *b, asn_len_t *len)
749 if ((err = asn_get_header(b, &type, len)) != ASN_ERR_OK)
751 if (type != (ASN_TYPE_SEQUENCE|ASN_TYPE_CONSTRUCTED)) {
752 asn_error(b, "bad sequence type %u", type);
753 return (ASN_ERR_TAG);
755 if (*len > b->asn_len) {
756 asn_error(b, "truncated sequence");
757 return (ASN_ERR_EOBUF);
765 * 0x40 4 MSB 2MSB 2LSB LSB
768 asn_get_ipaddress_raw(struct asn_buf *b, asn_len_t len, u_char *addr)
772 if (b->asn_len < len) {
773 asn_error(b, "truncated ip-address");
774 return (ASN_ERR_EOBUF);
777 asn_error(b, "short length for ip-Address %u", len);
778 for (i = 0; i < len; i++)
779 *addr++ = *b->asn_cptr++;
783 return (ASN_ERR_BADLEN);
785 for (i = 0; i < 4; i++)
786 *addr++ = *b->asn_cptr++;
787 b->asn_cptr += len - 4;
793 asn_get_ipaddress(struct asn_buf *b, u_char *addr)
799 if ((err = asn_get_header(b, &type, &len)) != ASN_ERR_OK)
801 if (type != (ASN_CLASS_APPLICATION|ASN_APP_IPADDRESS)) {
802 asn_error(b, "bad type for ip-address %u", type);
803 return (ASN_ERR_TAG);
805 return (asn_get_ipaddress_raw(b, len, addr));
809 asn_put_ipaddress(struct asn_buf *b, const u_char *addr)
813 if ((err = asn_put_header(b, ASN_CLASS_APPLICATION|ASN_APP_IPADDRESS,
817 return (ASN_ERR_EOBUF);
819 memcpy(b->asn_ptr, addr, 4);
829 * 0x42|0x41 <len> ...
832 asn_get_uint32_raw(struct asn_buf *b, asn_len_t len, uint32_t *vp)
837 if ((err = asn_get_real_unsigned(b, len, &v)) == ASN_ERR_OK) {
838 if (v > UINT32_MAX) {
839 asn_error(b, "uint32 too large %llu", v);
848 asn_put_uint32(struct asn_buf *b, u_char type, uint32_t val)
852 return (asn_put_real_unsigned(b, ASN_CLASS_APPLICATION|type, v));
860 asn_get_counter64_raw(struct asn_buf *b, asn_len_t len, uint64_t *vp)
862 return (asn_get_real_unsigned(b, len, vp));
866 asn_put_counter64(struct asn_buf *b, uint64_t val)
868 return (asn_put_real_unsigned(b,
869 ASN_CLASS_APPLICATION | ASN_APP_COUNTER64, val));
877 asn_get_timeticks(struct asn_buf *b, uint32_t *vp)
883 if ((err = asn_get_header(b, &type, &len)) != ASN_ERR_OK)
885 if (type != (ASN_CLASS_APPLICATION|ASN_APP_TIMETICKS)) {
886 asn_error(b, "bad type for timeticks %u", type);
887 return (ASN_ERR_TAG);
889 return (asn_get_uint32_raw(b, len, vp));
893 asn_put_timeticks(struct asn_buf *b, uint32_t val)
897 return (asn_put_real_unsigned(b,
898 ASN_CLASS_APPLICATION | ASN_APP_TIMETICKS, v));
902 * Construct a new OID by taking a range of sub ids of the original oid.
905 asn_slice_oid(struct asn_oid *dest, const struct asn_oid *src,
906 u_int from, u_int to)
912 dest->len = to - from;
913 memcpy(dest->subs, &src->subs[from], dest->len * sizeof(dest->subs[0]));
920 asn_append_oid(struct asn_oid *to, const struct asn_oid *from)
922 memcpy(&to->subs[to->len], &from->subs[0],
923 from->len * sizeof(from->subs[0]));
924 to->len += from->len;
931 asn_skip(struct asn_buf *b, asn_len_t len)
933 if (b->asn_len < len)
934 return (ASN_ERR_EOBUF);
944 asn_pad(struct asn_buf *b, asn_len_t len)
946 if (b->asn_len < len)
947 return (ASN_ERR_EOBUF);
962 asn_compare_oid(const struct asn_oid *o1, const struct asn_oid *o2)
966 for (i = 0; i < o1->len && i < o2->len; i++) {
967 if (o1->subs[i] < o2->subs[i])
969 if (o1->subs[i] > o2->subs[i])
972 if (o1->len < o2->len)
974 if (o1->len > o2->len)
980 * Check whether an OID is a sub-string of another OID.
983 asn_is_suboid(const struct asn_oid *o1, const struct asn_oid *o2)
987 for (i = 0; i < o1->len; i++)
988 if (i >= o2->len || o1->subs[i] != o2->subs[i])
994 * Put a string representation of an oid into a user buffer. This buffer
995 * is assumed to be at least ASN_OIDSTRLEN characters long.
997 * sprintf is assumed not to fail here.
1000 asn_oid2str_r(const struct asn_oid *oid, char *buf)
1005 if ((len = oid->len) > ASN_MAXOIDLEN)
1006 len = ASN_MAXOIDLEN;
1008 for (i = 0, ptr = buf; i < len; i++) {
1011 ptr += sprintf(ptr, "%u", oid->subs[i]);
1017 * Make a string from an OID in a private buffer.
1020 asn_oid2str(const struct asn_oid *oid)
1022 __thread static char str[ASN_OIDSTRLEN];
1024 return (asn_oid2str_r(oid, str));
1029 asn_error_func(const struct asn_buf *b, const char *err, ...)
1034 fprintf(stderr, "ASN.1: ");
1036 vfprintf(stderr, err, ap);
1040 fprintf(stderr, " at");
1041 for (i = 0; b->asn_len > i; i++)
1042 fprintf(stderr, " %02x", b->asn_cptr[i]);
1044 fprintf(stderr, "\n");