2 * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include <openssl/asn1.h>
13 #include <openssl/asn1t.h>
14 #include <openssl/objects.h>
15 #include <openssl/buffer.h>
16 #include <openssl/err.h>
17 #include "internal/numbers.h"
18 #include "asn1_locl.h"
22 * Constructed types with a recursive definition (such as can be found in PKCS7)
23 * could eventually exceed the stack given malicious input with excessive
24 * recursion. Therefore we limit the stack depth. This is the maximum number of
25 * recursive invocations of asn1_item_embed_d2i().
27 #define ASN1_MAX_CONSTRUCTED_NEST 30
29 static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
30 long len, const ASN1_ITEM *it,
31 int tag, int aclass, char opt, ASN1_TLC *ctx,
34 static int asn1_check_eoc(const unsigned char **in, long len);
35 static int asn1_find_end(const unsigned char **in, long len, char inf);
37 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
38 char inf, int tag, int aclass, int depth);
40 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);
42 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
44 const unsigned char **in, long len,
45 int exptag, int expclass, char opt, ASN1_TLC *ctx);
47 static int asn1_template_ex_d2i(ASN1_VALUE **pval,
48 const unsigned char **in, long len,
49 const ASN1_TEMPLATE *tt, char opt,
50 ASN1_TLC *ctx, int depth);
51 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
52 const unsigned char **in, long len,
53 const ASN1_TEMPLATE *tt, char opt,
54 ASN1_TLC *ctx, int depth);
55 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
56 const unsigned char **in, long len,
58 int tag, int aclass, char opt,
60 static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
61 int utype, char *free_cont, const ASN1_ITEM *it);
63 /* Table to convert tags to bit values, used for MSTRING type */
64 static const unsigned long tag2bit[32] = {
66 0, 0, 0, B_ASN1_BIT_STRING,
68 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,
70 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,
72 B_ASN1_UTF8STRING, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,
74 B_ASN1_SEQUENCE, 0, B_ASN1_NUMERICSTRING, B_ASN1_PRINTABLESTRING,
76 B_ASN1_T61STRING, B_ASN1_VIDEOTEXSTRING, B_ASN1_IA5STRING,
78 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME,
80 B_ASN1_GRAPHICSTRING, B_ASN1_ISO64STRING, B_ASN1_GENERALSTRING,
82 B_ASN1_UNIVERSALSTRING, B_ASN1_UNKNOWN, B_ASN1_BMPSTRING, B_ASN1_UNKNOWN,
85 unsigned long ASN1_tag2bit(int tag)
87 if ((tag < 0) || (tag > 30))
92 /* Macro to initialize and invalidate the cache */
94 #define asn1_tlc_clear(c) if (c) (c)->valid = 0
95 /* Version to avoid compiler warning about 'c' always non-NULL */
96 #define asn1_tlc_clear_nc(c) (c)->valid = 0
99 * Decode an ASN1 item, this currently behaves just like a standard 'd2i'
100 * function. 'in' points to a buffer to read the data from, in future we
101 * will have more advanced versions that can input data a piece at a time and
102 * this will simply be a special case.
105 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
106 const unsigned char **in, long len,
110 ASN1_VALUE *ptmpval = NULL;
113 asn1_tlc_clear_nc(&c);
114 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
119 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
121 int tag, int aclass, char opt, ASN1_TLC *ctx)
124 rv = asn1_item_embed_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
126 ASN1_item_ex_free(pval, it);
131 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
132 * tag mismatch return -1 to handle OPTIONAL
135 static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
136 long len, const ASN1_ITEM *it,
137 int tag, int aclass, char opt, ASN1_TLC *ctx,
140 const ASN1_TEMPLATE *tt, *errtt = NULL;
141 const ASN1_EXTERN_FUNCS *ef;
142 const ASN1_AUX *aux = it->funcs;
143 ASN1_aux_cb *asn1_cb;
144 const unsigned char *p = NULL, *q;
145 unsigned char oclass;
146 char seq_eoc, seq_nolen, cst, isopt;
154 if (aux && aux->asn1_cb)
155 asn1_cb = aux->asn1_cb;
159 if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
160 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_NESTED_TOO_DEEP);
165 case ASN1_ITYPE_PRIMITIVE:
168 * tagging or OPTIONAL is currently illegal on an item template
169 * because the flags can't get passed down. In practice this
170 * isn't a problem: we include the relevant flags from the item
171 * template in the template itself.
173 if ((tag != -1) || opt) {
174 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I,
175 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
178 return asn1_template_ex_d2i(pval, in, len,
179 it->templates, opt, ctx, depth);
181 return asn1_d2i_ex_primitive(pval, in, len, it,
182 tag, aclass, opt, ctx);
184 case ASN1_ITYPE_MSTRING:
186 * It never makes sense for multi-strings to have implicit tagging, so
187 * if tag != -1, then this looks like an error in the template.
190 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
195 /* Just read in tag and class */
196 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
197 &p, len, -1, 0, 1, ctx);
199 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
203 /* Must be UNIVERSAL class */
204 if (oclass != V_ASN1_UNIVERSAL) {
205 /* If OPTIONAL, assume this is OK */
208 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
212 /* Check tag matches bit map */
213 if (!(ASN1_tag2bit(otag) & it->utype)) {
214 /* If OPTIONAL, assume this is OK */
217 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_WRONG_TAG);
220 return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
222 case ASN1_ITYPE_EXTERN:
223 /* Use new style d2i */
225 return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
227 case ASN1_ITYPE_CHOICE:
229 * It never makes sense for CHOICE types to have implicit tagging, so
230 * if tag != -1, then this looks like an error in the template.
233 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
237 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
240 /* Free up and zero CHOICE value if initialised */
241 i = asn1_get_choice_selector(pval, it);
242 if ((i >= 0) && (i < it->tcount)) {
243 tt = it->templates + i;
244 pchptr = asn1_get_field_ptr(pval, tt);
245 asn1_template_free(pchptr, tt);
246 asn1_set_choice_selector(pval, -1, it);
248 } else if (!ASN1_item_ex_new(pval, it)) {
249 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
252 /* CHOICE type, try each possibility in turn */
254 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
255 pchptr = asn1_get_field_ptr(pval, tt);
257 * We mark field as OPTIONAL so its absence can be recognised.
259 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
260 /* If field not present, try the next one */
263 /* If positive return, read OK, break loop */
267 * Must be an ASN1 parsing error.
268 * Free up any partial choice value
270 asn1_template_free(pchptr, tt);
272 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
276 /* Did we fall off the end without reading anything? */
277 if (i == it->tcount) {
278 /* If OPTIONAL, this is OK */
280 /* Free and zero it */
281 ASN1_item_ex_free(pval, it);
284 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
288 asn1_set_choice_selector(pval, i, it);
290 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
295 case ASN1_ITYPE_NDEF_SEQUENCE:
296 case ASN1_ITYPE_SEQUENCE:
300 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
302 tag = V_ASN1_SEQUENCE;
303 aclass = V_ASN1_UNIVERSAL;
305 /* Get SEQUENCE length and update len, p */
306 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst,
307 &p, len, tag, aclass, opt, ctx);
309 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
311 } else if (ret == -1)
313 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) {
314 len = tmplen - (p - *in);
317 /* If indefinite we don't do a length check */
321 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
325 if (!*pval && !ASN1_item_ex_new(pval, it)) {
326 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
330 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
333 /* Free up and zero any ADB found */
334 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
335 if (tt->flags & ASN1_TFLG_ADB_MASK) {
336 const ASN1_TEMPLATE *seqtt;
337 ASN1_VALUE **pseqval;
338 seqtt = asn1_do_adb(pval, tt, 0);
341 pseqval = asn1_get_field_ptr(pval, seqtt);
342 asn1_template_free(pseqval, seqtt);
346 /* Get each field entry */
347 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
348 const ASN1_TEMPLATE *seqtt;
349 ASN1_VALUE **pseqval;
350 seqtt = asn1_do_adb(pval, tt, 1);
353 pseqval = asn1_get_field_ptr(pval, seqtt);
354 /* Have we ran out of data? */
358 if (asn1_check_eoc(&p, len)) {
360 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_UNEXPECTED_EOC);
369 * This determines the OPTIONAL flag value. The field cannot be
370 * omitted if it is the last of a SEQUENCE and there is still
371 * data to be read. This isn't strictly necessary but it
372 * increases efficiency in some cases.
374 if (i == (it->tcount - 1))
377 isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
379 * attempt to read in field, allowing each to be OPTIONAL
382 ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
387 } else if (ret == -1) {
389 * OPTIONAL component absent. Free and zero the field.
391 asn1_template_free(pseqval, seqtt);
398 /* Check for EOC if expecting one */
399 if (seq_eoc && !asn1_check_eoc(&p, len)) {
400 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MISSING_EOC);
403 /* Check all data read */
404 if (!seq_nolen && len) {
405 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
410 * If we get here we've got no more data in the SEQUENCE, however we
411 * may not have read all fields so check all remaining are OPTIONAL
412 * and clear any that are.
414 for (; i < it->tcount; tt++, i++) {
415 const ASN1_TEMPLATE *seqtt;
416 seqtt = asn1_do_adb(pval, tt, 1);
419 if (seqtt->flags & ASN1_TFLG_OPTIONAL) {
420 ASN1_VALUE **pseqval;
421 pseqval = asn1_get_field_ptr(pval, seqtt);
422 asn1_template_free(pseqval, seqtt);
425 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_FIELD_MISSING);
430 if (!asn1_enc_save(pval, *in, p - *in, it))
432 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
441 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_AUX_ERROR);
444 ERR_add_error_data(4, "Field=", errtt->field_name,
445 ", Type=", it->sname);
447 ERR_add_error_data(2, "Type=", it->sname);
452 * Templates are handled with two separate functions. One handles any
453 * EXPLICIT tag and the other handles the rest.
456 static int asn1_template_ex_d2i(ASN1_VALUE **val,
457 const unsigned char **in, long inlen,
458 const ASN1_TEMPLATE *tt, char opt,
459 ASN1_TLC *ctx, int depth)
464 const unsigned char *p, *q;
469 aclass = flags & ASN1_TFLG_TAG_CLASS;
473 /* Check if EXPLICIT tag expected */
474 if (flags & ASN1_TFLG_EXPTAG) {
477 * Need to work out amount of data available to the inner content and
478 * where it starts: so read in EXPLICIT header to get the info.
480 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst,
481 &p, inlen, tt->tag, aclass, opt, ctx);
484 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
486 } else if (ret == -1)
489 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
490 ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
493 /* We've found the field so it can't be OPTIONAL now */
494 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
496 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
499 /* We read the field in OK so update length */
502 /* If NDEF we must have an EOC here */
503 if (!asn1_check_eoc(&p, len)) {
504 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_MISSING_EOC);
509 * Otherwise we must hit the EXPLICIT tag end or its an error
512 ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
513 ASN1_R_EXPLICIT_LENGTH_MISMATCH);
518 return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
527 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
528 const unsigned char **in, long len,
529 const ASN1_TEMPLATE *tt, char opt,
530 ASN1_TLC *ctx, int depth)
535 const unsigned char *p, *q;
539 aclass = flags & ASN1_TFLG_TAG_CLASS;
545 * If field is embedded then val needs fixing so it is a pointer to
546 * a pointer to a field.
548 if (tt->flags & ASN1_TFLG_EMBED) {
549 tval = (ASN1_VALUE *)val;
553 if (flags & ASN1_TFLG_SK_MASK) {
554 /* SET OF, SEQUENCE OF */
557 /* First work out expected inner tag value */
558 if (flags & ASN1_TFLG_IMPTAG) {
562 skaclass = V_ASN1_UNIVERSAL;
563 if (flags & ASN1_TFLG_SET_OF)
566 sktag = V_ASN1_SEQUENCE;
569 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL,
570 &p, len, sktag, skaclass, opt, ctx);
572 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
574 } else if (ret == -1)
577 *val = (ASN1_VALUE *)sk_ASN1_VALUE_new_null();
580 * We've got a valid STACK: free up any items present
582 STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val;
584 while (sk_ASN1_VALUE_num(sktmp) > 0) {
585 vtmp = sk_ASN1_VALUE_pop(sktmp);
586 ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));
591 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE);
595 /* Read as many items as we can */
599 /* See if EOC found */
600 if (asn1_check_eoc(&p, len)) {
602 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
603 ASN1_R_UNEXPECTED_EOC);
611 if (!asn1_item_embed_d2i(&skfield, &p, len,
612 ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx,
614 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
615 ERR_R_NESTED_ASN1_ERROR);
616 /* |skfield| may be partially allocated despite failure. */
617 ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
621 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
622 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_MALLOC_FAILURE);
623 ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
628 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC);
631 } else if (flags & ASN1_TFLG_IMPTAG) {
632 /* IMPLICIT tagging */
633 ret = asn1_item_embed_d2i(val, &p, len,
634 ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt,
637 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
639 } else if (ret == -1)
642 /* Nothing special */
643 ret = asn1_item_embed_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
644 -1, 0, opt, ctx, depth);
646 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
648 } else if (ret == -1)
659 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
660 const unsigned char **in, long inlen,
662 int tag, int aclass, char opt, ASN1_TLC *ctx)
666 char cst, inf, free_cont = 0;
667 const unsigned char *p;
668 BUF_MEM buf = { 0, NULL, 0, 0 };
669 const unsigned char *cont = NULL;
672 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL);
673 return 0; /* Should never happen */
676 if (it->itype == ASN1_ITYPE_MSTRING) {
682 if (utype == V_ASN1_ANY) {
683 /* If type is ANY need to figure out type from tag */
684 unsigned char oclass;
686 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_TAGGED_ANY);
690 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
691 ASN1_R_ILLEGAL_OPTIONAL_ANY);
695 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL,
696 &p, inlen, -1, 0, 0, ctx);
698 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
701 if (oclass != V_ASN1_UNIVERSAL)
702 utype = V_ASN1_OTHER;
706 aclass = V_ASN1_UNIVERSAL;
710 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst,
711 &p, inlen, tag, aclass, opt, ctx);
713 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
715 } else if (ret == -1)
718 /* SEQUENCE, SET and "OTHER" are left in encoded form */
719 if ((utype == V_ASN1_SEQUENCE)
720 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
722 * Clear context cache for type OTHER because the auto clear when we
723 * have a exact match won't work
725 if (utype == V_ASN1_OTHER) {
728 /* SEQUENCE and SET must be constructed */
730 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
731 ASN1_R_TYPE_NOT_CONSTRUCTED);
736 /* If indefinite length constructed find the real end */
738 if (!asn1_find_end(&p, plen, inf))
742 len = p - cont + plen;
746 if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
747 || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
748 || utype == V_ASN1_ENUMERATED) {
749 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_PRIMITIVE);
753 /* Free any returned 'buf' content */
756 * Should really check the internal tags are correct but some things
757 * may get this wrong. The relevant specs say that constructed string
758 * types should be OCTET STRINGs internally irrespective of the type.
759 * So instead just check for UNIVERSAL class and ignore the tag.
761 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) {
765 /* Append a final null to string */
766 if (!BUF_MEM_grow_clean(&buf, len + 1)) {
767 ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
771 cont = (const unsigned char *)buf.data;
778 /* We now have content length and type: translate into a structure */
779 /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */
780 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it))
787 OPENSSL_free(buf.data);
791 /* Translate ASN1 content octets into a structure */
793 static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
794 int utype, char *free_cont, const ASN1_ITEM *it)
796 ASN1_VALUE **opval = NULL;
798 ASN1_TYPE *typ = NULL;
800 const ASN1_PRIMITIVE_FUNCS *pf;
804 if (pf && pf->prim_c2i)
805 return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
806 /* If ANY type clear type and set pointer to internal value */
807 if (it->utype == V_ASN1_ANY) {
809 typ = ASN1_TYPE_new();
812 *pval = (ASN1_VALUE *)typ;
814 typ = (ASN1_TYPE *)*pval;
816 if (utype != typ->type)
817 ASN1_TYPE_set(typ, utype, NULL);
819 pval = &typ->value.asn1_value;
823 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len))
829 ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_NULL_IS_WRONG_LENGTH);
832 *pval = (ASN1_VALUE *)1;
837 ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
841 tbool = (ASN1_BOOLEAN *)pval;
846 case V_ASN1_BIT_STRING:
847 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len))
852 case V_ASN1_ENUMERATED:
853 tint = (ASN1_INTEGER **)pval;
854 if (!c2i_ASN1_INTEGER(tint, &cont, len))
856 /* Fixup type to match the expected form */
857 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
860 case V_ASN1_OCTET_STRING:
861 case V_ASN1_NUMERICSTRING:
862 case V_ASN1_PRINTABLESTRING:
863 case V_ASN1_T61STRING:
864 case V_ASN1_VIDEOTEXSTRING:
865 case V_ASN1_IA5STRING:
867 case V_ASN1_GENERALIZEDTIME:
868 case V_ASN1_GRAPHICSTRING:
869 case V_ASN1_VISIBLESTRING:
870 case V_ASN1_GENERALSTRING:
871 case V_ASN1_UNIVERSALSTRING:
872 case V_ASN1_BMPSTRING:
873 case V_ASN1_UTF8STRING:
876 case V_ASN1_SEQUENCE:
878 if (utype == V_ASN1_BMPSTRING && (len & 1)) {
879 ASN1err(ASN1_F_ASN1_EX_C2I, ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
882 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) {
883 ASN1err(ASN1_F_ASN1_EX_C2I,
884 ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
887 /* All based on ASN1_STRING and handled the same */
889 stmp = ASN1_STRING_type_new(utype);
891 ASN1err(ASN1_F_ASN1_EX_C2I, ERR_R_MALLOC_FAILURE);
894 *pval = (ASN1_VALUE *)stmp;
896 stmp = (ASN1_STRING *)*pval;
899 /* If we've already allocated a buffer use it */
901 OPENSSL_free(stmp->data);
902 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */
906 if (!ASN1_STRING_set(stmp, cont, len)) {
907 ASN1err(ASN1_F_ASN1_EX_C2I, ERR_R_MALLOC_FAILURE);
908 ASN1_STRING_free(stmp);
915 /* If ASN1_ANY and NULL type fix up value */
916 if (typ && (utype == V_ASN1_NULL))
917 typ->value.ptr = NULL;
930 * This function finds the end of an ASN1 structure when passed its maximum
931 * length, whether it is indefinite length and a pointer to the content. This
932 * is more efficient than calling asn1_collect because it does not recurse on
933 * each indefinite length header.
936 static int asn1_find_end(const unsigned char **in, long len, char inf)
938 uint32_t expected_eoc;
940 const unsigned char *p = *in, *q;
941 /* If not indefinite length constructed just add length */
948 * Indefinite length constructed form. Find the end when enough EOCs are
949 * found. If more indefinite length constructed headers are encountered
950 * increment the expected eoc count otherwise just skip to the end of the
954 if (asn1_check_eoc(&p, len)) {
956 if (expected_eoc == 0)
962 /* Just read in a header: only care about the length */
963 if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
965 ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR);
969 if (expected_eoc == UINT32_MAX) {
970 ASN1err(ASN1_F_ASN1_FIND_END, ERR_R_NESTED_ASN1_ERROR);
980 ASN1err(ASN1_F_ASN1_FIND_END, ASN1_R_MISSING_EOC);
988 * This function collects the asn1 data from a constructed string type into
989 * a buffer. The values of 'in' and 'len' should refer to the contents of the
990 * constructed type and 'inf' should be set if it is indefinite length.
993 #ifndef ASN1_MAX_STRING_NEST
995 * This determines how many levels of recursion are permitted in ASN1 string
996 * types. If it is not limited stack overflows can occur. If set to zero no
997 * recursion is allowed at all. Although zero should be adequate examples
998 * exist that require a value of 1. So 5 should be more than enough.
1000 # define ASN1_MAX_STRING_NEST 5
1003 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
1004 char inf, int tag, int aclass, int depth)
1006 const unsigned char *p, *q;
1012 * If no buffer and not indefinite length constructed just pass over the
1022 if (asn1_check_eoc(&p, len)) {
1024 * EOC is illegal outside indefinite length constructed form
1027 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_UNEXPECTED_EOC);
1034 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p,
1035 len, tag, aclass, 0, NULL)) {
1036 ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR);
1040 /* If indefinite length constructed update max length */
1042 if (depth >= ASN1_MAX_STRING_NEST) {
1043 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING);
1046 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, depth + 1))
1048 } else if (plen && !collect_data(buf, &p, plen))
1053 ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC);
1060 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
1065 if (!BUF_MEM_grow_clean(buf, len + plen)) {
1066 ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE);
1069 memcpy(buf->data + len, *p, plen);
1075 /* Check for ASN1 EOC and swallow it if found */
1077 static int asn1_check_eoc(const unsigned char **in, long len)
1079 const unsigned char *p;
1083 if (!p[0] && !p[1]) {
1091 * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the
1092 * length for indefinite length constructed form, we don't know the exact
1093 * length but we can set an upper bound to the amount of data available minus
1094 * the header length just read.
1097 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
1098 char *inf, char *cst,
1099 const unsigned char **in, long len,
1100 int exptag, int expclass, char opt, ASN1_TLC *ctx)
1105 const unsigned char *p, *q;
1109 if (ctx && ctx->valid) {
1112 pclass = ctx->pclass;
1116 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
1120 ctx->pclass = pclass;
1122 ctx->hdrlen = p - q;
1125 * If definite length, and no error, length + header can't exceed
1126 * total amount of data available.
1128 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
1129 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
1130 asn1_tlc_clear(ctx);
1137 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER);
1138 asn1_tlc_clear(ctx);
1142 if ((exptag != ptag) || (expclass != pclass)) {
1144 * If type is OPTIONAL, not an error: indicate missing type.
1148 asn1_tlc_clear(ctx);
1149 ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
1153 * We have a tag and class match: assume we are going to do something
1156 asn1_tlc_clear(ctx);
1160 plen = len - (p - q);
1166 *cst = i & V_ASN1_CONSTRUCTED;