LCOV - code coverage report
Current view: top level - third_party/heimdal/lib/asn1 - der_get.c (source / functions) Hit Total Coverage
Test: coverage report for master 98b443d9 Lines: 241 460 52.4 %
Date: 2024-05-31 13:13:24 Functions: 19 27 70.4 %

          Line data    Source code
       1             : /*
       2             :  * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
       3             :  * (Royal Institute of Technology, Stockholm, Sweden).
       4             :  * All rights reserved.
       5             :  *
       6             :  * Redistribution and use in source and binary forms, with or without
       7             :  * modification, are permitted provided that the following conditions
       8             :  * are met:
       9             :  *
      10             :  * 1. Redistributions of source code must retain the above copyright
      11             :  *    notice, this list of conditions and the following disclaimer.
      12             :  *
      13             :  * 2. Redistributions in binary form must reproduce the above copyright
      14             :  *    notice, this list of conditions and the following disclaimer in the
      15             :  *    documentation and/or other materials provided with the distribution.
      16             :  *
      17             :  * 3. Neither the name of the Institute nor the names of its contributors
      18             :  *    may be used to endorse or promote products derived from this software
      19             :  *    without specific prior written permission.
      20             :  *
      21             :  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
      22             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      23             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      24             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
      25             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      26             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      27             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      28             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      29             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      30             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      31             :  * SUCH DAMAGE.
      32             :  */
      33             : 
      34             : #include "der_locl.h"
      35             : 
      36             : /*
      37             :  * All decoding functions take a pointer `p' to first position in
      38             :  * which to read, from the left, `len' which means the maximum number
      39             :  * of characters we are able to read, `ret' were the value will be
      40             :  * returned and `size' where the number of used bytes is stored.
      41             :  * Either 0 or an error code is returned.
      42             :  */
      43             : 
      44             : int ASN1CALL
      45     7250380 : der_get_unsigned (const unsigned char *p, size_t len,
      46             :                   unsigned *ret, size_t *size)
      47             : {
      48     7250380 :     unsigned val = 0;
      49     7250380 :     size_t oldlen = len;
      50             : 
      51     7250380 :     if (len == sizeof(val) + 1 && p[0] == 0)
      52             :         ;
      53     7226318 :     else if (len > sizeof(val))
      54           0 :         return ASN1_OVERRUN;
      55             : 
      56    19982312 :     while (len--)
      57    12731932 :         val = val * 256 + *p++;
      58     7250380 :     *ret = val;
      59     7250380 :     if(size) *size = oldlen;
      60     6994024 :     return 0;
      61             : }
      62             : 
      63             : int ASN1CALL
      64           0 : der_get_unsigned64 (const unsigned char *p, size_t len,
      65             :                    uint64_t *ret, size_t *size)
      66             : {
      67           0 :     uint64_t val = 0;
      68           0 :     size_t oldlen = len;
      69             : 
      70           0 :     if (len == sizeof(val) + 1 && p[0] == 0)
      71             :        ;
      72           0 :     else if (len > sizeof(val))
      73           0 :         return ASN1_OVERRUN;
      74             : 
      75           0 :     while (len--)
      76           0 :         val = val * 256 + *p++;
      77           0 :     *ret = val;
      78           0 :     if(size) *size = oldlen;
      79           0 :     return 0;
      80             : }
      81             : 
      82             : int ASN1CALL
      83     5872395 : der_get_integer (const unsigned char *p, size_t len,
      84             :                  int *ret, size_t *size)
      85             : {
      86     5872395 :     int val = 0;
      87     5872395 :     size_t oldlen = len;
      88             : 
      89     5872395 :     if (len == sizeof(val) + 1 && (p[0] == 0 || p[0] == 0xff))
      90             :         ;
      91     5872395 :     else if (len > sizeof(val))
      92           0 :         return ASN1_OVERRUN;
      93             : 
      94             :     /* We assume we're on a twos-complement platform */
      95     5872395 :     if (len > 0) {
      96     5872395 :         val = (signed char)*p++;
      97     7636015 :         while (--len)
      98     1763620 :             val = val * 256 + *p++;
      99             :     }
     100     5872395 :     *ret = val;
     101     5872395 :     if(size) *size = oldlen;
     102     5659786 :     return 0;
     103             : }
     104             : 
     105             : int ASN1CALL
     106           0 : der_get_integer64 (const unsigned char *p, size_t len,
     107             :                    int64_t *ret, size_t *size)
     108             : {
     109           0 :     int64_t val = 0;
     110           0 :     size_t oldlen = len;
     111             : 
     112           0 :     if (len > sizeof(val))
     113           0 :         return ASN1_OVERRUN;
     114             : 
     115             :     /* We assume we're on a twos-complement platform */
     116           0 :     if (len > 0) {
     117           0 :        val = (signed char)*p++;
     118           0 :        while (--len)
     119           0 :            val = val * 256 + *p++;
     120             :     }
     121           0 :     *ret = val;
     122           0 :     if(size) *size = oldlen;
     123           0 :     return 0;
     124             : }
     125             : 
     126             : 
     127             : int ASN1CALL
     128    33412061 : der_get_length (const unsigned char *p, size_t len,
     129             :                 size_t *val, size_t *size)
     130             : {
     131     1201059 :     size_t v;
     132             : 
     133    33412061 :     if (len <= 0)
     134           0 :         return ASN1_OVERRUN;
     135    33412061 :     --len;
     136    33412061 :     v = *p++;
     137    33412061 :     if (v < 128) {
     138    26261151 :         *val = v;
     139    26261151 :         if(size) *size = 1;
     140             :     } else {
     141      252805 :         int e;
     142      252805 :         size_t l;
     143      252805 :         unsigned tmp;
     144             : 
     145     7150910 :         if(v == 0x80){
     146           0 :             *val = ASN1_INDEFINITE;
     147           0 :             if(size) *size = 1;
     148           0 :             return 0;
     149             :         }
     150     7150910 :         v &= 0x7F;
     151     7150910 :         if (len < v)
     152           0 :             return ASN1_OVERRUN;
     153     7150910 :         e = der_get_unsigned (p, v, &tmp, &l);
     154     7150910 :         if(e) return e;
     155     7150910 :         *val = tmp;
     156     7150910 :         if(size) *size = l + 1;
     157             :     }
     158    32211002 :     return 0;
     159             : }
     160             : 
     161             : int ASN1CALL
     162        1296 : der_get_boolean(const unsigned char *p, size_t len, int *data, size_t *size)
     163             : {
     164        1296 :     if(len < 1)
     165           0 :         return ASN1_OVERRUN;
     166        1296 :     if(*p != 0)
     167        1287 :         *data = 1;
     168             :     else
     169           9 :         *data = 0;
     170        1296 :     *size = 1;
     171        1296 :     return 0;
     172             : }
     173             : 
     174             : int ASN1CALL
     175     2435435 : der_get_general_string (const unsigned char *p, size_t len,
     176             :                         heim_general_string *str, size_t *size)
     177             : {
     178       89165 :     const unsigned char *p1;
     179       89165 :     char *s;
     180             : 
     181     2435435 :     assert(p != NULL);
     182             : 
     183     2435435 :     if (size)
     184     2435435 :         *size = 0;
     185             : 
     186     2435435 :     p1 = memchr(p, 0, len);
     187     2435435 :     if (p1 != NULL) {
     188             :         /*
     189             :          * Allow trailing NULs. We allow this since MIT Kerberos sends
     190             :          * an strings in the NEED_PREAUTH case that includes a
     191             :          * trailing NUL.
     192             :          */
     193           0 :         while ((size_t)(p1 - p) < len && *p1 == '\0')
     194           0 :             p1++;
     195           0 :         if ((size_t)(p1 - p) != len) {
     196           0 :             *str = NULL;
     197           0 :             return ASN1_BAD_CHARACTER;
     198             :         }
     199             :     }
     200     2435435 :     if (len == SIZE_MAX) {
     201           0 :         *str = NULL;
     202           0 :         return ASN1_BAD_LENGTH;
     203             :     }
     204             : 
     205     2435435 :     *str = s = malloc (len + 1);
     206     2435435 :     if (s == NULL)
     207           0 :         return ENOMEM;
     208     2435435 :     memcpy (s, p, len);
     209     2435435 :     s[len] = '\0';
     210             : 
     211     2435435 :     if(size) *size = len;
     212     2346270 :     return 0;
     213             : }
     214             : 
     215             : int ASN1CALL
     216        3069 : der_get_utf8string (const unsigned char *p, size_t len,
     217             :                     heim_utf8_string *str, size_t *size)
     218             : {
     219        3069 :     return der_get_general_string(p, len, str, size);
     220             : }
     221             : 
     222             : #define gen_data_zero(_data) \
     223             :         do { (_data)->length = 0; (_data)->data = NULL; } while(0)
     224             : 
     225             : int ASN1CALL
     226        2246 : der_get_printable_string(const unsigned char *p, size_t len,
     227             :                          heim_printable_string *str, size_t *size)
     228             : {
     229        2246 :     assert(p != NULL);
     230             : 
     231        2246 :     if (size)
     232        2246 :         *size = 0;
     233             : 
     234        2246 :     if (len == SIZE_MAX) {
     235           0 :         gen_data_zero(str);
     236           0 :         return ASN1_BAD_LENGTH;
     237             :     }
     238        2246 :     str->length = len;
     239        2246 :     str->data = malloc(len + 1);
     240        2246 :     if (str->data == NULL) {
     241           0 :         gen_data_zero(str);
     242           0 :         return ENOMEM;
     243             :     }
     244             : 
     245        2246 :     memcpy(str->data, p, len);
     246        2246 :     ((char *)str->data)[len] = '\0';
     247        2246 :     if(size) *size = len;
     248        2110 :     return 0;
     249             : }
     250             : 
     251             : int ASN1CALL
     252        1293 : der_get_ia5_string(const unsigned char *p, size_t len,
     253             :                    heim_ia5_string *str, size_t *size)
     254             : {
     255        1293 :     return der_get_printable_string(p, len, str, size);
     256             : }
     257             : 
     258             : int ASN1CALL
     259           0 : der_get_bmp_string (const unsigned char *p, size_t len,
     260             :                     heim_bmp_string *data, size_t *size)
     261             : {
     262           0 :     size_t i;
     263             : 
     264           0 :     assert(p != NULL);
     265             : 
     266           0 :     if (size)
     267           0 :         *size = 0;
     268             : 
     269           0 :     if (len & 1) {
     270           0 :         gen_data_zero(data);
     271           0 :         return ASN1_BAD_FORMAT;
     272             :     }
     273           0 :     data->length = len / 2;
     274           0 :     if (data->length > UINT_MAX/sizeof(data->data[0])) {
     275           0 :         gen_data_zero(data);
     276           0 :         return ERANGE;
     277             :     }
     278           0 :     data->data = malloc(data->length * sizeof(data->data[0]));
     279           0 :     if (data->data == NULL && data->length != 0) {
     280           0 :         gen_data_zero(data);
     281           0 :         return ENOMEM;
     282             :     }
     283             : 
     284           0 :     for (i = 0; i < data->length; i++) {
     285           0 :         data->data[i] = (p[0] << 8) | p[1];
     286           0 :         p += 2;
     287             :         /* check for NUL in the middle of the string */
     288           0 :         if (data->data[i] == 0 && i != (data->length - 1)) {
     289           0 :             free(data->data);
     290           0 :             gen_data_zero(data);
     291           0 :             return ASN1_BAD_CHARACTER;
     292             :         }
     293             :     }
     294           0 :     if (size) *size = len;
     295             : 
     296           0 :     return 0;
     297             : }
     298             : 
     299             : int ASN1CALL
     300           0 : der_get_universal_string (const unsigned char *p, size_t len,
     301             :                           heim_universal_string *data, size_t *size)
     302             : {
     303           0 :     size_t i;
     304             : 
     305           0 :     assert(p != NULL);
     306             : 
     307           0 :     if (size)
     308           0 :         *size = 0;
     309             : 
     310           0 :     if (len & 3) {
     311           0 :         gen_data_zero(data);
     312           0 :         return ASN1_BAD_FORMAT;
     313             :     }
     314           0 :     data->length = len / 4;
     315           0 :     if (data->length > UINT_MAX/sizeof(data->data[0])) {
     316           0 :         gen_data_zero(data);
     317           0 :         return ERANGE;
     318             :     }
     319           0 :     data->data = malloc(data->length * sizeof(data->data[0]));
     320           0 :     if (data->data == NULL && data->length != 0) {
     321           0 :         gen_data_zero(data);
     322           0 :         return ENOMEM;
     323             :     }
     324             : 
     325           0 :     for (i = 0; i < data->length; i++) {
     326           0 :         data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
     327           0 :         p += 4;
     328             :         /* check for NUL in the middle of the string */
     329           0 :         if (data->data[i] == 0 && i != (data->length - 1)) {
     330           0 :             free(data->data);
     331           0 :             gen_data_zero(data);
     332           0 :             return ASN1_BAD_CHARACTER;
     333             :         }
     334             :     }
     335           0 :     if (size) *size = len;
     336           0 :     return 0;
     337             : }
     338             : 
     339             : int ASN1CALL
     340           0 : der_get_visible_string (const unsigned char *p, size_t len,
     341             :                         heim_visible_string *str, size_t *size)
     342             : {
     343           0 :     return der_get_general_string(p, len, str, size);
     344             : }
     345             : 
     346             : int ASN1CALL
     347     2191037 : der_get_octet_string (const unsigned char *p, size_t len,
     348             :                       heim_octet_string *data, size_t *size)
     349             : {
     350     2191037 :     assert(p != NULL);
     351             : 
     352     2191037 :     if (size)
     353     2191037 :         *size = 0;
     354             : 
     355     2191037 :     if (len == 0)
     356      237949 :         data->data = malloc(1);
     357             :     else
     358     1953088 :         data->data = malloc(len);
     359     2191037 :     if (data->data == NULL) {
     360           0 :         data->length = 0;
     361           0 :         return ENOMEM;
     362             :     }
     363     2191037 :     data->length = len;
     364     2191037 :     memcpy (data->data, p, len);
     365     2191037 :     if (size)
     366     2191037 :         *size = len;
     367     2111942 :     return 0;
     368             : }
     369             : 
     370             : int ASN1CALL
     371           0 : der_get_octet_string_ber (const unsigned char *p, size_t len,
     372             :                           heim_octet_string *data, size_t *size)
     373             : {
     374           0 :     int e;
     375           0 :     Der_type type;
     376           0 :     Der_class cls;
     377           0 :     unsigned int tag, depth = 0;
     378           0 :     size_t l, datalen, oldlen = len;
     379             : 
     380           0 :     assert(p != NULL);
     381             : 
     382           0 :     if (size)
     383           0 :         *size = 0;
     384             : 
     385           0 :     data->length = 0;
     386           0 :     data->data = NULL;
     387             : 
     388           0 :     while (len) {
     389           0 :         e = der_get_tag (p, len, &cls, &type, &tag, &l);
     390           0 :         if (e) goto out;
     391           0 :         if (cls != ASN1_C_UNIV) {
     392           0 :             e = ASN1_BAD_ID;
     393           0 :             goto out;
     394             :         }
     395           0 :         if (type == PRIM && tag == UT_EndOfContent) {
     396           0 :             if (depth == 0)
     397           0 :                 break;
     398           0 :             depth--;
     399             :         }
     400           0 :         if (tag != UT_OctetString) {
     401           0 :             e = ASN1_BAD_ID;
     402           0 :             goto out;
     403             :         }
     404             : 
     405           0 :         p += l;
     406           0 :         len -= l;
     407           0 :         e = der_get_length (p, len, &datalen, &l);
     408           0 :         if (e) goto out;
     409           0 :         p += l;
     410           0 :         len -= l;
     411             : 
     412           0 :         if (datalen > len)
     413           0 :             return ASN1_OVERRUN;
     414             : 
     415           0 :         if (type == PRIM && datalen) {
     416           0 :             void *ptr;
     417             : 
     418           0 :             ptr = realloc(data->data, data->length + datalen);
     419           0 :             if (ptr == NULL) {
     420           0 :                 e = ENOMEM;
     421           0 :                 goto out;
     422             :             }
     423           0 :             data->data = ptr;
     424           0 :             memcpy(((unsigned char *)data->data) + data->length, p, datalen);
     425           0 :             data->length += datalen;
     426           0 :         } else if (type != PRIM)
     427           0 :             depth++;
     428             : 
     429           0 :         p += datalen;
     430           0 :         len -= datalen;
     431             :     }
     432           0 :     if (depth != 0)
     433           0 :         return ASN1_INDEF_OVERRUN;
     434           0 :     if(size) *size = oldlen - len;
     435           0 :     return 0;
     436           0 :  out:
     437           0 :     free(data->data);
     438           0 :     data->data = NULL;
     439           0 :     data->length = 0;
     440           0 :     return e;
     441             : }
     442             : 
     443             : 
     444             : int ASN1CALL
     445        1766 : der_get_heim_integer (const unsigned char *p, size_t len,
     446             :                       heim_integer *data, size_t *size)
     447             : {
     448        1766 :     data->length = 0;
     449        1766 :     data->negative = 0;
     450        1766 :     data->data = NULL;
     451             : 
     452        1766 :     if (size)
     453        1766 :         *size = 0;
     454             : 
     455        1766 :     if (len == 0)
     456           0 :         return 0;
     457             : 
     458        1766 :     assert(p != NULL);
     459             : 
     460        1766 :     if (p[0] & 0x80) {
     461           0 :         unsigned char *q;
     462          30 :         int carry = 1;
     463             : 
     464             : 
     465             :         /*
     466             :          * A negative number.  It's going to be a twos complement byte array.
     467             :          * We're going to leave the positive value in `data->data', but set the
     468             :          * `data->negative' flag.  That means we need to negate the
     469             :          * twos-complement integer received.
     470             :          */
     471          30 :         data->negative = 1;
     472          30 :         data->length = len;
     473             : 
     474          30 :         if (p[0] == 0xff) {
     475           0 :             if (data->length == 1) {
     476             :                 /* One byte of all ones == -1 */
     477           0 :                 q = data->data = malloc(1);
     478           0 :                 *q = 1;
     479           0 :                 data->length = 1;
     480           0 :                 if (size)
     481           0 :                     *size = 1;
     482           0 :                 return 0;
     483             :             }
     484             : 
     485           0 :             p++;
     486           0 :             data->length--;
     487             : 
     488             :             /*
     489             :              * We could check if the next byte's high bit is set, which would
     490             :              * be an error ("illegal padding" in OpenSSL).  However, this would
     491             :              * mean failing to accept certificates made by certain CAs that
     492             :              * would read 8 bytes of RNG into a buffer, slap on length 8, then
     493             :              * slap on the tag [UNIVERSAL INTEGER], and make that the
     494             :              * serialNumber field's encoding, which then fails to parse in
     495             :              * around 1 in 256 certificates.
     496             :              *
     497             :              * So let's not.
     498             :              *
     499             :              * if (p[0] & 0x80)
     500             :              *     return ASN1_PARSE_ERROR; // or a new error code
     501             :              */
     502             :         }
     503          30 :         data->data = malloc(data->length);
     504          30 :         if (data->data == NULL) {
     505           0 :             data->length = 0;
     506           0 :             if (size)
     507           0 :                 *size = 0;
     508           0 :             return ENOMEM;
     509             :         }
     510             : 
     511             :         /*
     512             :          * Note that if `data->length' were zero, this would be UB because we
     513             :          * underflow if data->length is zero even though we wouldn't actually
     514             :          * dereference the byte before data->data.  Thus we check above for
     515             :          * that.
     516             :          */
     517          30 :         q = &((unsigned char*)data->data)[data->length - 1];
     518          30 :         p += data->length - 1;
     519         150 :         while (q >= (unsigned char*)data->data) {
     520             :             /* *p XOR 0xff -> ~*p; we're dealing with twos complement */
     521         120 :             *q = *p ^ 0xff;
     522         120 :             if (carry)
     523          30 :                 carry = !++*q;
     524         120 :             p--;
     525         120 :             q--;
     526             :         }
     527             :     } else {
     528        1736 :         data->negative = 0;
     529        1736 :         data->length = len;
     530             : 
     531        1736 :         if (p[0] == 0) {
     532         772 :             p++;
     533         772 :             data->length--;
     534             :         }
     535        1736 :         data->data = malloc(data->length);
     536        1736 :         if (data->data == NULL && data->length != 0) {
     537           0 :             data->length = 0;
     538           0 :             if (size)
     539           0 :                 *size = 0;
     540           0 :             return ENOMEM;
     541             :         }
     542        1736 :         memcpy(data->data, p, data->length);
     543             :     }
     544        1766 :     if (size)
     545        1766 :         *size = len;
     546        1670 :     return 0;
     547             : }
     548             : 
     549             : static int
     550     1018050 : generalizedtime2time (const char *s, time_t *t)
     551             : {
     552       36109 :     struct tm tm;
     553             : 
     554     1018050 :     memset(&tm, 0, sizeof(tm));
     555     1018050 :     if (sscanf (s, "%04d%02d%02d%02d%02d%02dZ",
     556             :                 &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
     557             :                 &tm.tm_min, &tm.tm_sec) != 6) {
     558         760 :         if (sscanf (s, "%02d%02d%02d%02d%02d%02dZ",
     559             :                     &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour,
     560             :                     &tm.tm_min, &tm.tm_sec) != 6)
     561           0 :             return ASN1_BAD_TIMEFORMAT;
     562         760 :         if (tm.tm_year < 50)
     563         760 :             tm.tm_year += 2000;
     564             :         else
     565           0 :             tm.tm_year += 1900;
     566             :     }
     567     1018050 :     tm.tm_year -= 1900;
     568     1018050 :     tm.tm_mon -= 1;
     569     1018050 :     *t = _der_timegm (&tm);
     570     1018050 :     return 0;
     571             : }
     572             : 
     573             : static int ASN1CALL
     574     1018050 : der_get_time (const unsigned char *p, size_t len,
     575             :               time_t *data, size_t *size)
     576             : {
     577       36109 :     char *times;
     578       36109 :     int e;
     579             : 
     580     1018050 :     assert(p != NULL);
     581             : 
     582     1018050 :     if (size)
     583     1018050 :         *size = 0;
     584             : 
     585     1018050 :     if (len == SIZE_MAX || len == 0)
     586           0 :         return ASN1_BAD_LENGTH;
     587             : 
     588     1018050 :     times = malloc(len + 1);
     589     1018050 :     if (times == NULL)
     590           0 :         return ENOMEM;
     591     1018050 :     memcpy(times, p, len);
     592     1018050 :     times[len] = '\0';
     593     1018050 :     e = generalizedtime2time(times, data);
     594     1018050 :     free (times);
     595     1018050 :     if(size) *size = len;
     596      981941 :     return e;
     597             : }
     598             : 
     599             : int ASN1CALL
     600     1017290 : der_get_generalized_time (const unsigned char *p, size_t len,
     601             :                           time_t *data, size_t *size)
     602             : {
     603     1017290 :     return der_get_time(p, len, data, size);
     604             : }
     605             : 
     606             : int ASN1CALL
     607         760 : der_get_utctime (const unsigned char *p, size_t len,
     608             :                           time_t *data, size_t *size)
     609             : {
     610         760 :     return der_get_time(p, len, data, size);
     611             : }
     612             : 
     613             : int ASN1CALL
     614       77754 : der_get_oid (const unsigned char *p, size_t len,
     615             :              heim_oid *data, size_t *size)
     616             : {
     617        3136 :     size_t n;
     618       77754 :     size_t oldlen = len;
     619             : 
     620       77754 :     assert(p != NULL);
     621             : 
     622       77754 :     if (size)
     623       30198 :         *size = 0;
     624             : 
     625       77754 :     if (len < 1)
     626           0 :         return ASN1_OVERRUN;
     627             : 
     628       77754 :     if (len == SIZE_MAX)
     629           0 :         return ASN1_BAD_LENGTH;
     630             : 
     631       77754 :     if (len + 1 > UINT_MAX/sizeof(data->components[0]))
     632           0 :         return ERANGE;
     633             : 
     634       77754 :     data->components = malloc((len + 1) * sizeof(data->components[0]));
     635       77754 :     if (data->components == NULL) {
     636           0 :         data->length = 0;
     637           0 :         return ENOMEM;
     638             :     }
     639       77754 :     data->components[0] = (*p) / 40;
     640       77754 :     data->components[1] = (*p) % 40;
     641       77754 :     --len;
     642       77754 :     ++p;
     643      427176 :     for (n = 2; len > 0; ++n) {
     644      335662 :         unsigned u = 0, u1;
     645             : 
     646       19216 :         do {
     647      489952 :             --len;
     648      489952 :             u1 = u * 128 + (*p++ % 128);
     649             :             /* check that we don't overflow the element */
     650      489952 :             if (u1 < u) {
     651           0 :                 der_free_oid(data);
     652           0 :                 return ASN1_OVERRUN;
     653             :             }
     654      489952 :             u = u1;
     655      489952 :         } while (len > 0 && p[-1] & 0x80);
     656      349422 :         data->components[n] = u;
     657             :     }
     658       77754 :     if (n > 2 && p[-1] & 0x80) {
     659           0 :         der_free_oid (data);
     660           0 :         return ASN1_OVERRUN;
     661             :     }
     662       77754 :     data->length = n;
     663       77754 :     if (size)
     664       30198 :         *size = oldlen;
     665       74618 :     return 0;
     666             : }
     667             : 
     668             : int ASN1CALL
     669    35051094 : der_get_tag (const unsigned char *p, size_t len,
     670             :              Der_class *cls, Der_type *type,
     671             :              unsigned int *tag, size_t *size)
     672             : {
     673    35051094 :     size_t ret = 0;
     674             : 
     675    35051094 :     if (size)
     676    35051094 :         *size = 0;
     677             : 
     678    35051094 :     if (len < 1)
     679      504149 :         return ASN1_MISSING_FIELD;
     680             : 
     681    34529475 :     assert(p != NULL);
     682             : 
     683    34529475 :     *cls = (Der_class)(((*p) >> 6) & 0x03);
     684    34529475 :     *type = (Der_type)(((*p) >> 5) & 0x01);
     685    34529475 :     *tag = (*p) & 0x1f;
     686    34529475 :     p++; len--; ret++;
     687    34529475 :     if(*tag == 0x1f) {
     688           0 :         unsigned int continuation;
     689           0 :         unsigned int tag1;
     690           0 :         *tag = 0;
     691           0 :         do {
     692           0 :             if(len < 1)
     693           0 :                 return ASN1_OVERRUN;
     694           0 :             continuation = *p & 128;
     695           0 :             tag1 = *tag * 128 + (*p % 128);
     696             :             /* check that we don't overflow the tag */
     697           0 :             if (tag1 < *tag)
     698           0 :                 return ASN1_OVERFLOW;
     699           0 :             *tag = tag1;
     700           0 :             p++; len--; ret++;
     701           0 :         } while(continuation);
     702             :     }
     703    34529475 :     if(size) *size = ret;
     704    33283680 :     return 0;
     705             : }
     706             : 
     707             : int ASN1CALL
     708           0 : der_match_tag (const unsigned char *p, size_t len,
     709             :                Der_class cls, Der_type type,
     710             :                unsigned int tag, size_t *size)
     711             : {
     712           0 :     Der_type thistype;
     713           0 :     int e;
     714             : 
     715           0 :     e = der_match_tag2(p, len, cls, &thistype, tag, size);
     716           0 :     if (e) return e;
     717           0 :     if (thistype != type) return ASN1_BAD_ID;
     718           0 :     return 0;
     719             : }
     720             : 
     721             : int ASN1CALL
     722    35048272 : der_match_tag2 (const unsigned char *p, size_t len,
     723             :                 Der_class cls, Der_type *type,
     724             :                 unsigned int tag, size_t *size)
     725             : {
     726     1263193 :     size_t l;
     727     1263193 :     Der_class thisclass;
     728     1263193 :     unsigned int thistag;
     729     1263193 :     int e;
     730             : 
     731    35048272 :     if (size)
     732    35048272 :         *size = 0;
     733             : 
     734    35048272 :     e = der_get_tag(p, len, &thisclass, type, &thistag, &l);
     735    35048272 :     if (e) return e;
     736             :     /*
     737             :      * We do depend on ASN1_BAD_ID being returned in places where we're
     738             :      * essentially implementing an application-level CHOICE where we try to
     739             :      * decode one way then the other.  In Heimdal this happens only in lib/hdb/
     740             :      * where we try to decode a blob as an hdb_entry, then as an
     741             :      * hdb_entry_alias.  Applications should really not depend on this.
     742             :      */
     743    34526887 :     if (cls != thisclass && (cls == ASN1_C_APPL || thisclass == ASN1_C_APPL))
     744           0 :         return ASN1_BAD_ID;
     745    34526887 :     if (cls != thisclass || tag != thistag)
     746     1294007 :         return ASN1_MISSING_FIELD;
     747    33184161 :     if (size) *size = l;
     748    31987157 :     return 0;
     749             : }
     750             : 
     751             : /*
     752             :  * Returns 0 if the encoded data at `p' of length `len' starts with the tag of
     753             :  * class `cls`, type `type', and tag value `tag', and puts the length of the
     754             :  * payload (i.e., the length of V in TLV, not the length of TLV) in
     755             :  * `*length_ret', and the size of the whole thing (the TLV) in `*size' if
     756             :  * `size' is not NULL.
     757             :  *
     758             :  * Else returns an error.
     759             :  */
     760             : int ASN1CALL
     761    35048272 : der_match_tag_and_length (const unsigned char *p, size_t len,
     762             :                           Der_class cls, Der_type *type, unsigned int tag,
     763             :                           size_t *length_ret, size_t *size)
     764             : {
     765    35048272 :     size_t l, ret = 0;
     766     1263193 :     int e;
     767             : 
     768    35048272 :     e = der_match_tag2 (p, len, cls, type, tag, &l);
     769    35048272 :     if (e) return e;
     770    33184161 :     p += l;
     771    33184161 :     len -= l;
     772    33184161 :     ret += l;
     773    33184161 :     e = der_get_length (p, len, length_ret, &l);
     774    33184161 :     if (e) return e;
     775    33184161 :     if(size) *size = ret + l;
     776    31987157 :     return 0;
     777             : }
     778             : 
     779             : 
     780             : 
     781             : /*
     782             :  * Old versions of DCE was based on a very early beta of the MIT code,
     783             :  * which used MAVROS for ASN.1 encoding. MAVROS had the interesting
     784             :  * feature that it encoded data in the forward direction, which has
     785             :  * it's problems, since you have no idea how long the data will be
     786             :  * until after you're done. MAVROS solved this by reserving one byte
     787             :  * for length, and later, if the actual length was longer, it reverted
     788             :  * to indefinite, BER style, lengths. The version of MAVROS used by
     789             :  * the DCE people could apparently generate correct X.509 DER encodings, and
     790             :  * did this by making space for the length after encoding, but
     791             :  * unfortunately this feature wasn't used with Kerberos.
     792             :  */
     793             : 
     794             : int
     795           0 : _heim_fix_dce(size_t reallen, size_t *len)
     796             : {
     797           0 :     if(reallen == ASN1_INDEFINITE)
     798           0 :         return 1;
     799           0 :     if(*len < reallen)
     800           0 :         return -1;
     801           0 :     *len = reallen;
     802           0 :     return 0;
     803             : }
     804             : 
     805             : int ASN1CALL
     806         747 : der_get_bit_string (const unsigned char *p, size_t len,
     807             :                     heim_bit_string *data, size_t *size)
     808             : {
     809         747 :     assert(p != NULL);
     810             : 
     811         747 :     if (size)
     812         747 :         *size = 0;
     813             : 
     814         747 :     if (len < 1)
     815           0 :         return ASN1_OVERRUN;
     816         747 :     if (p[0] > 7)
     817           0 :         return ASN1_BAD_FORMAT;
     818         747 :     if (len - 1 == 0 && p[0] != 0)
     819           0 :         return ASN1_BAD_FORMAT;
     820             :     /* check if any of the three upper bits are set
     821             :      * any of them will cause a interger overrun */
     822         747 :     if ((len - 1) >> (sizeof(len) * 8 - 3))
     823           0 :         return ASN1_OVERRUN;
     824             :     /*
     825             :      * If there is data to copy, do that now.
     826             :      */
     827         747 :     if (len - 1 > 0) {
     828         747 :         data->length = (len - 1) * 8;
     829         747 :         data->data = malloc(len - 1);
     830         747 :         if (data->data == NULL) {
     831           0 :             data->length = 0;
     832           0 :             return ENOMEM;
     833             :         }
     834         747 :         memcpy (data->data, p + 1, len - 1);
     835         747 :         data->length -= p[0];
     836             :     } else {
     837           0 :         data->data = NULL;
     838           0 :         data->length = 0;
     839             :     }
     840         747 :     if(size) *size = len;
     841         707 :     return 0;
     842             : }

Generated by: LCOV version 1.14