1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <openssl/asn1.h>
58
59 #include <limits.h>
60 #include <string.h>
61
62 #include <openssl/asn1t.h>
63 #include <openssl/buf.h>
64 #include <openssl/err.h>
65 #include <openssl/mem.h>
66
67 #include "../internal.h"
68
69 /*
70 * Constructed types with a recursive definition (such as can be found in PKCS7)
71 * could eventually exceed the stack given malicious input with excessive
72 * recursion. Therefore we limit the stack depth. This is the maximum number of
73 * recursive invocations of asn1_item_embed_d2i().
74 */
75 #define ASN1_MAX_CONSTRUCTED_NEST 30
76
77 static int asn1_check_eoc(const unsigned char **in, long len);
78 static int asn1_find_end(const unsigned char **in, long len, char inf);
79
80 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
81 char inf, int tag, int aclass, int depth);
82
83 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);
84
85 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
86 char *inf, char *cst,
87 const unsigned char **in, long len,
88 int exptag, int expclass, char opt, ASN1_TLC *ctx);
89
90 static int asn1_template_ex_d2i(ASN1_VALUE **pval,
91 const unsigned char **in, long len,
92 const ASN1_TEMPLATE *tt, char opt,
93 ASN1_TLC *ctx, int depth);
94 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
95 const unsigned char **in, long len,
96 const ASN1_TEMPLATE *tt, char opt,
97 ASN1_TLC *ctx, int depth);
98 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
99 const unsigned char **in, long len,
100 const ASN1_ITEM *it,
101 int tag, int aclass, char opt,
102 ASN1_TLC *ctx);
103
104 /* Table to convert tags to bit values, used for MSTRING type */
105 static const unsigned long tag2bit[32] = {
106 0, 0, 0, B_ASN1_BIT_STRING, /* tags 0 - 3 */
107 B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN, /* tags 4- 7 */
108 B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, /* tags
109 * 8-11 */
110 B_ASN1_UTF8STRING, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, /* tags
111 * 12-15
112 */
113 B_ASN1_SEQUENCE, 0, B_ASN1_NUMERICSTRING, B_ASN1_PRINTABLESTRING, /* tags
114 * 16-19
115 */
116 B_ASN1_T61STRING, B_ASN1_VIDEOTEXSTRING, B_ASN1_IA5STRING, /* tags 20-22 */
117 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 23-24 */
118 B_ASN1_GRAPHICSTRING, B_ASN1_ISO64STRING, B_ASN1_GENERALSTRING, /* tags
119 * 25-27 */
120 B_ASN1_UNIVERSALSTRING, B_ASN1_UNKNOWN, B_ASN1_BMPSTRING, B_ASN1_UNKNOWN, /* tags
121 * 28-31
122 */
123 };
124
ASN1_tag2bit(int tag)125 unsigned long ASN1_tag2bit(int tag)
126 {
127 if ((tag < 0) || (tag > 30))
128 return 0;
129 return tag2bit[tag];
130 }
131
132 /* Macro to initialize and invalidate the cache */
133
134 #define asn1_tlc_clear(c) if (c) (c)->valid = 0
135 /* Version to avoid compiler warning about 'c' always non-NULL */
136 #define asn1_tlc_clear_nc(c) (c)->valid = 0
137
138 /*
139 * Decode an ASN1 item, this currently behaves just like a standard 'd2i'
140 * function. 'in' points to a buffer to read the data from, in future we
141 * will have more advanced versions that can input data a piece at a time and
142 * this will simply be a special case.
143 */
144
ASN1_item_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it)145 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
146 const unsigned char **in, long len,
147 const ASN1_ITEM *it)
148 {
149 ASN1_TLC c;
150 ASN1_VALUE *ptmpval = NULL;
151 if (!pval)
152 pval = &ptmpval;
153 asn1_tlc_clear_nc(&c);
154 if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
155 return *pval;
156 return NULL;
157 }
158
159 /*
160 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
161 * tag mismatch return -1 to handle OPTIONAL
162 */
163
asn1_item_ex_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx,int depth)164 static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
165 long len, const ASN1_ITEM *it, int tag, int aclass,
166 char opt, ASN1_TLC *ctx, int depth)
167 {
168 const ASN1_TEMPLATE *tt, *errtt = NULL;
169 const ASN1_COMPAT_FUNCS *cf;
170 const ASN1_EXTERN_FUNCS *ef;
171 const ASN1_AUX *aux = it->funcs;
172 ASN1_aux_cb *asn1_cb;
173 const unsigned char *p = NULL, *q;
174 unsigned char *wp = NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */
175 unsigned char imphack = 0, oclass;
176 char seq_eoc, seq_nolen, cst, isopt;
177 long tmplen;
178 int i;
179 int otag;
180 int ret = 0;
181 ASN1_VALUE **pchptr, *ptmpval;
182 int combine = aclass & ASN1_TFLG_COMBINE;
183 aclass &= ~ASN1_TFLG_COMBINE;
184 if (!pval)
185 return 0;
186 if (aux && aux->asn1_cb)
187 asn1_cb = aux->asn1_cb;
188 else
189 asn1_cb = 0;
190
191 /*
192 * Bound |len| to comfortably fit in an int. Lengths in this module often
193 * switch between int and long without overflow checks.
194 */
195 if (len > INT_MAX/2) {
196 len = INT_MAX/2;
197 }
198
199 if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {
200 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_TOO_DEEP);
201 goto err;
202 }
203
204 switch (it->itype) {
205 case ASN1_ITYPE_PRIMITIVE:
206 if (it->templates) {
207 /*
208 * tagging or OPTIONAL is currently illegal on an item template
209 * because the flags can't get passed down. In practice this
210 * isn't a problem: we include the relevant flags from the item
211 * template in the template itself.
212 */
213 if ((tag != -1) || opt) {
214 OPENSSL_PUT_ERROR(ASN1,
215 ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
216 goto err;
217 }
218 return asn1_template_ex_d2i(pval, in, len,
219 it->templates, opt, ctx, depth);
220 }
221 return asn1_d2i_ex_primitive(pval, in, len, it,
222 tag, aclass, opt, ctx);
223 break;
224
225 case ASN1_ITYPE_MSTRING:
226 p = *in;
227 /* Just read in tag and class */
228 ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
229 &p, len, -1, 0, 1, ctx);
230 if (!ret) {
231 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
232 goto err;
233 }
234
235 /* Must be UNIVERSAL class */
236 if (oclass != V_ASN1_UNIVERSAL) {
237 /* If OPTIONAL, assume this is OK */
238 if (opt)
239 return -1;
240 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL);
241 goto err;
242 }
243 /* Check tag matches bit map */
244 if (!(ASN1_tag2bit(otag) & it->utype)) {
245 /* If OPTIONAL, assume this is OK */
246 if (opt)
247 return -1;
248 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_WRONG_TAG);
249 goto err;
250 }
251 return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
252
253 case ASN1_ITYPE_EXTERN:
254 /* Use new style d2i */
255 ef = it->funcs;
256 return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
257
258 case ASN1_ITYPE_COMPAT:
259 /* we must resort to old style evil hackery */
260 cf = it->funcs;
261
262 /* If OPTIONAL see if it is there */
263 if (opt) {
264 int exptag;
265 p = *in;
266 if (tag == -1)
267 exptag = it->utype;
268 else
269 exptag = tag;
270 /*
271 * Don't care about anything other than presence of expected tag
272 */
273
274 ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL,
275 &p, len, exptag, aclass, 1, ctx);
276 if (!ret) {
277 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
278 goto err;
279 }
280 if (ret == -1)
281 return -1;
282 }
283
284 /*
285 * This is the old style evil hack IMPLICIT handling: since the
286 * underlying code is expecting a tag and class other than the one
287 * present we change the buffer temporarily then change it back
288 * afterwards. This doesn't and never did work for tags > 30. Yes
289 * this is *horrible* but it is only needed for old style d2i which
290 * will hopefully not be around for much longer. FIXME: should copy
291 * the buffer then modify it so the input buffer can be const: we
292 * should *always* copy because the old style d2i might modify the
293 * buffer.
294 */
295
296 if (tag != -1) {
297 wp = *(unsigned char **)in;
298 imphack = *wp;
299 if (p == NULL) {
300 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
301 goto err;
302 }
303 *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED)
304 | it->utype);
305 }
306
307 ptmpval = cf->asn1_d2i(pval, in, len);
308
309 if (tag != -1)
310 *wp = imphack;
311
312 if (ptmpval)
313 return 1;
314
315 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
316 goto err;
317
318 case ASN1_ITYPE_CHOICE:
319 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
320 goto auxerr;
321
322 if (*pval) {
323 /* Free up and zero CHOICE value if initialised */
324 i = asn1_get_choice_selector(pval, it);
325 if ((i >= 0) && (i < it->tcount)) {
326 tt = it->templates + i;
327 pchptr = asn1_get_field_ptr(pval, tt);
328 ASN1_template_free(pchptr, tt);
329 asn1_set_choice_selector(pval, -1, it);
330 }
331 } else if (!ASN1_item_ex_new(pval, it)) {
332 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
333 goto err;
334 }
335 /* CHOICE type, try each possibility in turn */
336 p = *in;
337 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
338 pchptr = asn1_get_field_ptr(pval, tt);
339 /*
340 * We mark field as OPTIONAL so its absence can be recognised.
341 */
342 ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth);
343 /* If field not present, try the next one */
344 if (ret == -1)
345 continue;
346 /* If positive return, read OK, break loop */
347 if (ret > 0)
348 break;
349 /* Otherwise must be an ASN1 parsing error */
350 errtt = tt;
351 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
352 goto err;
353 }
354
355 /* Did we fall off the end without reading anything? */
356 if (i == it->tcount) {
357 /* If OPTIONAL, this is OK */
358 if (opt) {
359 /* Free and zero it */
360 ASN1_item_ex_free(pval, it);
361 return -1;
362 }
363 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE);
364 goto err;
365 }
366
367 asn1_set_choice_selector(pval, i, it);
368 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
369 goto auxerr;
370 *in = p;
371 return 1;
372
373 case ASN1_ITYPE_NDEF_SEQUENCE:
374 case ASN1_ITYPE_SEQUENCE:
375 p = *in;
376 tmplen = len;
377
378 /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
379 if (tag == -1) {
380 tag = V_ASN1_SEQUENCE;
381 aclass = V_ASN1_UNIVERSAL;
382 }
383 /* Get SEQUENCE length and update len, p */
384 ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst,
385 &p, len, tag, aclass, opt, ctx);
386 if (!ret) {
387 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
388 goto err;
389 } else if (ret == -1)
390 return -1;
391 if (aux && (aux->flags & ASN1_AFLG_BROKEN)) {
392 len = tmplen - (p - *in);
393 seq_nolen = 1;
394 }
395 /* If indefinite we don't do a length check */
396 else
397 seq_nolen = seq_eoc;
398 if (!cst) {
399 OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
400 goto err;
401 }
402
403 if (!*pval && !ASN1_item_ex_new(pval, it)) {
404 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
405 goto err;
406 }
407
408 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
409 goto auxerr;
410
411 /* Free up and zero any ADB found */
412 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
413 if (tt->flags & ASN1_TFLG_ADB_MASK) {
414 const ASN1_TEMPLATE *seqtt;
415 ASN1_VALUE **pseqval;
416 seqtt = asn1_do_adb(pval, tt, 0);
417 if (seqtt == NULL)
418 continue;
419 pseqval = asn1_get_field_ptr(pval, seqtt);
420 ASN1_template_free(pseqval, seqtt);
421 }
422 }
423
424 /* Get each field entry */
425 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
426 const ASN1_TEMPLATE *seqtt;
427 ASN1_VALUE **pseqval;
428 seqtt = asn1_do_adb(pval, tt, 1);
429 if (seqtt == NULL)
430 goto err;
431 pseqval = asn1_get_field_ptr(pval, seqtt);
432 /* Have we ran out of data? */
433 if (!len)
434 break;
435 q = p;
436 if (asn1_check_eoc(&p, len)) {
437 if (!seq_eoc) {
438 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
439 goto err;
440 }
441 len -= p - q;
442 seq_eoc = 0;
443 q = p;
444 break;
445 }
446 /*
447 * This determines the OPTIONAL flag value. The field cannot be
448 * omitted if it is the last of a SEQUENCE and there is still
449 * data to be read. This isn't strictly necessary but it
450 * increases efficiency in some cases.
451 */
452 if (i == (it->tcount - 1))
453 isopt = 0;
454 else
455 isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
456 /*
457 * attempt to read in field, allowing each to be OPTIONAL
458 */
459
460 ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx,
461 depth);
462 if (!ret) {
463 errtt = seqtt;
464 goto err;
465 } else if (ret == -1) {
466 /*
467 * OPTIONAL component absent. Free and zero the field.
468 */
469 ASN1_template_free(pseqval, seqtt);
470 continue;
471 }
472 /* Update length */
473 len -= p - q;
474 }
475
476 /* Check for EOC if expecting one */
477 if (seq_eoc && !asn1_check_eoc(&p, len)) {
478 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
479 goto err;
480 }
481 /* Check all data read */
482 if (!seq_nolen && len) {
483 OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
484 goto err;
485 }
486
487 /*
488 * If we get here we've got no more data in the SEQUENCE, however we
489 * may not have read all fields so check all remaining are OPTIONAL
490 * and clear any that are.
491 */
492 for (; i < it->tcount; tt++, i++) {
493 const ASN1_TEMPLATE *seqtt;
494 seqtt = asn1_do_adb(pval, tt, 1);
495 if (seqtt == NULL)
496 goto err;
497 if (seqtt->flags & ASN1_TFLG_OPTIONAL) {
498 ASN1_VALUE **pseqval;
499 pseqval = asn1_get_field_ptr(pval, seqtt);
500 ASN1_template_free(pseqval, seqtt);
501 } else {
502 errtt = seqtt;
503 OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIELD_MISSING);
504 goto err;
505 }
506 }
507 /* Save encoding */
508 if (!asn1_enc_save(pval, *in, p - *in, it))
509 goto auxerr;
510 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
511 goto auxerr;
512 *in = p;
513 return 1;
514
515 default:
516 return 0;
517 }
518 auxerr:
519 OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);
520 err:
521 if (combine == 0)
522 ASN1_item_ex_free(pval, it);
523 if (errtt)
524 ERR_add_error_data(4, "Field=", errtt->field_name,
525 ", Type=", it->sname);
526 else
527 ERR_add_error_data(2, "Type=", it->sname);
528 return 0;
529 }
530
ASN1_item_ex_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx)531 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
532 const ASN1_ITEM *it,
533 int tag, int aclass, char opt, ASN1_TLC *ctx)
534 {
535 return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
536 }
537
538 /*
539 * Templates are handled with two separate functions. One handles any
540 * EXPLICIT tag and the other handles the rest.
541 */
542
asn1_template_ex_d2i(ASN1_VALUE ** val,const unsigned char ** in,long inlen,const ASN1_TEMPLATE * tt,char opt,ASN1_TLC * ctx,int depth)543 static int asn1_template_ex_d2i(ASN1_VALUE **val,
544 const unsigned char **in, long inlen,
545 const ASN1_TEMPLATE *tt, char opt,
546 ASN1_TLC *ctx, int depth)
547 {
548 int flags, aclass;
549 int ret;
550 long len;
551 const unsigned char *p, *q;
552 char exp_eoc;
553 if (!val)
554 return 0;
555 flags = tt->flags;
556 aclass = flags & ASN1_TFLG_TAG_CLASS;
557
558 p = *in;
559
560 /* Check if EXPLICIT tag expected */
561 if (flags & ASN1_TFLG_EXPTAG) {
562 char cst;
563 /*
564 * Need to work out amount of data available to the inner content and
565 * where it starts: so read in EXPLICIT header to get the info.
566 */
567 ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst,
568 &p, inlen, tt->tag, aclass, opt, ctx);
569 q = p;
570 if (!ret) {
571 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
572 return 0;
573 } else if (ret == -1)
574 return -1;
575 if (!cst) {
576 OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
577 return 0;
578 }
579 /* We've found the field so it can't be OPTIONAL now */
580 ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
581 if (!ret) {
582 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
583 return 0;
584 }
585 /* We read the field in OK so update length */
586 len -= p - q;
587 if (exp_eoc) {
588 /* If NDEF we must have an EOC here */
589 if (!asn1_check_eoc(&p, len)) {
590 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
591 goto err;
592 }
593 } else {
594 /*
595 * Otherwise we must hit the EXPLICIT tag end or its an error
596 */
597 if (len) {
598 OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
599 goto err;
600 }
601 }
602 } else
603 return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth);
604
605 *in = p;
606 return 1;
607
608 err:
609 ASN1_template_free(val, tt);
610 return 0;
611 }
612
asn1_template_noexp_d2i(ASN1_VALUE ** val,const unsigned char ** in,long len,const ASN1_TEMPLATE * tt,char opt,ASN1_TLC * ctx,int depth)613 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
614 const unsigned char **in, long len,
615 const ASN1_TEMPLATE *tt, char opt,
616 ASN1_TLC *ctx, int depth)
617 {
618 int flags, aclass;
619 int ret;
620 const unsigned char *p;
621 if (!val)
622 return 0;
623 flags = tt->flags;
624 aclass = flags & ASN1_TFLG_TAG_CLASS;
625
626 p = *in;
627
628 if (flags & ASN1_TFLG_SK_MASK) {
629 /* SET OF, SEQUENCE OF */
630 int sktag, skaclass;
631 char sk_eoc;
632 /* First work out expected inner tag value */
633 if (flags & ASN1_TFLG_IMPTAG) {
634 sktag = tt->tag;
635 skaclass = aclass;
636 } else {
637 skaclass = V_ASN1_UNIVERSAL;
638 if (flags & ASN1_TFLG_SET_OF)
639 sktag = V_ASN1_SET;
640 else
641 sktag = V_ASN1_SEQUENCE;
642 }
643 /* Get the tag */
644 ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL,
645 &p, len, sktag, skaclass, opt, ctx);
646 if (!ret) {
647 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
648 return 0;
649 } else if (ret == -1)
650 return -1;
651 if (!*val)
652 *val = (ASN1_VALUE *)sk_new_null();
653 else {
654 /*
655 * We've got a valid STACK: free up any items present
656 */
657 STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val;
658 ASN1_VALUE *vtmp;
659 while (sk_ASN1_VALUE_num(sktmp) > 0) {
660 vtmp = sk_ASN1_VALUE_pop(sktmp);
661 ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));
662 }
663 }
664
665 if (!*val) {
666 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
667 goto err;
668 }
669
670 /* Read as many items as we can */
671 while (len > 0) {
672 ASN1_VALUE *skfield;
673 const unsigned char *q = p;
674 /* See if EOC found */
675 if (asn1_check_eoc(&p, len)) {
676 if (!sk_eoc) {
677 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
678 goto err;
679 }
680 len -= p - q;
681 sk_eoc = 0;
682 break;
683 }
684 skfield = NULL;
685 if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),
686 -1, 0, 0, ctx, depth)) {
687 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
688 goto err;
689 }
690 len -= p - q;
691 if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
692 ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item));
693 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
694 goto err;
695 }
696 }
697 if (sk_eoc) {
698 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
699 goto err;
700 }
701 } else if (flags & ASN1_TFLG_IMPTAG) {
702 /* IMPLICIT tagging */
703 ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
704 aclass, opt, ctx, depth);
705 if (!ret) {
706 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
707 goto err;
708 } else if (ret == -1)
709 return -1;
710 } else {
711 /* Nothing special */
712 ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
713 -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx,
714 depth);
715 if (!ret) {
716 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
717 goto err;
718 } else if (ret == -1)
719 return -1;
720 }
721
722 *in = p;
723 return 1;
724
725 err:
726 ASN1_template_free(val, tt);
727 return 0;
728 }
729
asn1_d2i_ex_primitive(ASN1_VALUE ** pval,const unsigned char ** in,long inlen,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx)730 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
731 const unsigned char **in, long inlen,
732 const ASN1_ITEM *it,
733 int tag, int aclass, char opt, ASN1_TLC *ctx)
734 {
735 int ret = 0, utype;
736 long plen;
737 char cst, inf, free_cont = 0;
738 const unsigned char *p;
739 BUF_MEM buf = {0, NULL, 0 };
740 const unsigned char *cont = NULL;
741 long len;
742 if (!pval) {
743 OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL);
744 return 0; /* Should never happen */
745 }
746
747 if (it->itype == ASN1_ITYPE_MSTRING) {
748 utype = tag;
749 tag = -1;
750 } else
751 utype = it->utype;
752
753 if (utype == V_ASN1_ANY) {
754 /* If type is ANY need to figure out type from tag */
755 unsigned char oclass;
756 if (tag >= 0) {
757 OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TAGGED_ANY);
758 return 0;
759 }
760 if (opt) {
761 OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONAL_ANY);
762 return 0;
763 }
764 p = *in;
765 ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL,
766 &p, inlen, -1, 0, 0, ctx);
767 if (!ret) {
768 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
769 return 0;
770 }
771 if (oclass != V_ASN1_UNIVERSAL)
772 utype = V_ASN1_OTHER;
773 }
774 if (tag == -1) {
775 tag = utype;
776 aclass = V_ASN1_UNIVERSAL;
777 }
778 p = *in;
779 /* Check header */
780 ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst,
781 &p, inlen, tag, aclass, opt, ctx);
782 if (!ret) {
783 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
784 return 0;
785 } else if (ret == -1)
786 return -1;
787 ret = 0;
788 /* SEQUENCE, SET and "OTHER" are left in encoded form */
789 if ((utype == V_ASN1_SEQUENCE)
790 || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
791 /*
792 * Clear context cache for type OTHER because the auto clear when we
793 * have a exact match wont work
794 */
795 if (utype == V_ASN1_OTHER) {
796 asn1_tlc_clear(ctx);
797 }
798 /* SEQUENCE and SET must be constructed */
799 else if (!cst) {
800 OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED);
801 return 0;
802 }
803
804 cont = *in;
805 /* If indefinite length constructed find the real end */
806 if (inf) {
807 if (!asn1_find_end(&p, plen, inf))
808 goto err;
809 len = p - cont;
810 } else {
811 len = p - cont + plen;
812 p += plen;
813 }
814 } else if (cst) {
815 if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
816 || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
817 || utype == V_ASN1_ENUMERATED) {
818 /* These types only have primitive encodings. */
819 OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE);
820 return 0;
821 }
822
823 /* Free any returned 'buf' content */
824 free_cont = 1;
825 /*
826 * Should really check the internal tags are correct but some things
827 * may get this wrong. The relevant specs say that constructed string
828 * types should be OCTET STRINGs internally irrespective of the type.
829 * So instead just check for UNIVERSAL class and ignore the tag.
830 */
831 if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) {
832 goto err;
833 }
834 len = buf.length;
835 /* Append a final null to string */
836 if (!BUF_MEM_grow_clean(&buf, len + 1)) {
837 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
838 goto err;
839 }
840 buf.data[len] = 0;
841 cont = (const unsigned char *)buf.data;
842 } else {
843 cont = p;
844 len = plen;
845 p += plen;
846 }
847
848 /* We now have content length and type: translate into a structure */
849 /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */
850 if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it))
851 goto err;
852
853 *in = p;
854 ret = 1;
855 err:
856 if (free_cont && buf.data)
857 OPENSSL_free(buf.data);
858 return ret;
859 }
860
861 /* Translate ASN1 content octets into a structure */
862
asn1_ex_c2i(ASN1_VALUE ** pval,const unsigned char * cont,int len,int utype,char * free_cont,const ASN1_ITEM * it)863 int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
864 int utype, char *free_cont, const ASN1_ITEM *it)
865 {
866 ASN1_VALUE **opval = NULL;
867 ASN1_STRING *stmp;
868 ASN1_TYPE *typ = NULL;
869 int ret = 0;
870 const ASN1_PRIMITIVE_FUNCS *pf;
871 ASN1_INTEGER **tint;
872 pf = it->funcs;
873
874 if (pf && pf->prim_c2i)
875 return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
876 /* If ANY type clear type and set pointer to internal value */
877 if (it->utype == V_ASN1_ANY) {
878 if (!*pval) {
879 typ = ASN1_TYPE_new();
880 if (typ == NULL)
881 goto err;
882 *pval = (ASN1_VALUE *)typ;
883 } else
884 typ = (ASN1_TYPE *)*pval;
885
886 if (utype != typ->type)
887 ASN1_TYPE_set(typ, utype, NULL);
888 opval = pval;
889 pval = &typ->value.asn1_value;
890 }
891 switch (utype) {
892 case V_ASN1_OBJECT:
893 if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len))
894 goto err;
895 break;
896
897 case V_ASN1_NULL:
898 if (len) {
899 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NULL_IS_WRONG_LENGTH);
900 goto err;
901 }
902 *pval = (ASN1_VALUE *)1;
903 break;
904
905 case V_ASN1_BOOLEAN:
906 if (len != 1) {
907 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
908 goto err;
909 } else {
910 ASN1_BOOLEAN *tbool;
911 tbool = (ASN1_BOOLEAN *)pval;
912 *tbool = *cont;
913 }
914 break;
915
916 case V_ASN1_BIT_STRING:
917 if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len))
918 goto err;
919 break;
920
921 case V_ASN1_INTEGER:
922 case V_ASN1_ENUMERATED:
923 tint = (ASN1_INTEGER **)pval;
924 if (!c2i_ASN1_INTEGER(tint, &cont, len))
925 goto err;
926 /* Fixup type to match the expected form */
927 (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
928 break;
929
930 case V_ASN1_OCTET_STRING:
931 case V_ASN1_NUMERICSTRING:
932 case V_ASN1_PRINTABLESTRING:
933 case V_ASN1_T61STRING:
934 case V_ASN1_VIDEOTEXSTRING:
935 case V_ASN1_IA5STRING:
936 case V_ASN1_UTCTIME:
937 case V_ASN1_GENERALIZEDTIME:
938 case V_ASN1_GRAPHICSTRING:
939 case V_ASN1_VISIBLESTRING:
940 case V_ASN1_GENERALSTRING:
941 case V_ASN1_UNIVERSALSTRING:
942 case V_ASN1_BMPSTRING:
943 case V_ASN1_UTF8STRING:
944 case V_ASN1_OTHER:
945 case V_ASN1_SET:
946 case V_ASN1_SEQUENCE:
947 default:
948 if (utype == V_ASN1_BMPSTRING && (len & 1)) {
949 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
950 goto err;
951 }
952 if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) {
953 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
954 goto err;
955 }
956 /* All based on ASN1_STRING and handled the same */
957 if (!*pval) {
958 stmp = ASN1_STRING_type_new(utype);
959 if (!stmp) {
960 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
961 goto err;
962 }
963 *pval = (ASN1_VALUE *)stmp;
964 } else {
965 stmp = (ASN1_STRING *)*pval;
966 stmp->type = utype;
967 }
968 /* If we've already allocated a buffer use it */
969 if (*free_cont) {
970 if (stmp->data)
971 OPENSSL_free(stmp->data);
972 stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */
973 stmp->length = len;
974 *free_cont = 0;
975 } else {
976 if (!ASN1_STRING_set(stmp, cont, len)) {
977 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
978 ASN1_STRING_free(stmp);
979 *pval = NULL;
980 goto err;
981 }
982 }
983 break;
984 }
985 /* If ASN1_ANY and NULL type fix up value */
986 if (typ && (utype == V_ASN1_NULL))
987 typ->value.ptr = NULL;
988
989 ret = 1;
990 err:
991 if (!ret) {
992 ASN1_TYPE_free(typ);
993 if (opval)
994 *opval = NULL;
995 }
996 return ret;
997 }
998
999 /*
1000 * This function finds the end of an ASN1 structure when passed its maximum
1001 * length, whether it is indefinite length and a pointer to the content. This
1002 * is more efficient than calling asn1_collect because it does not recurse on
1003 * each indefinite length header.
1004 */
1005
asn1_find_end(const unsigned char ** in,long len,char inf)1006 static int asn1_find_end(const unsigned char **in, long len, char inf)
1007 {
1008 int expected_eoc;
1009 long plen;
1010 const unsigned char *p = *in, *q;
1011 /* If not indefinite length constructed just add length */
1012 if (inf == 0) {
1013 *in += len;
1014 return 1;
1015 }
1016 expected_eoc = 1;
1017 /*
1018 * Indefinite length constructed form. Find the end when enough EOCs are
1019 * found. If more indefinite length constructed headers are encountered
1020 * increment the expected eoc count otherwise just skip to the end of the
1021 * data.
1022 */
1023 while (len > 0) {
1024 if (asn1_check_eoc(&p, len)) {
1025 expected_eoc--;
1026 if (expected_eoc == 0)
1027 break;
1028 len -= 2;
1029 continue;
1030 }
1031 q = p;
1032 /* Just read in a header: only care about the length */
1033 if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
1034 -1, 0, 0, NULL)) {
1035 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
1036 return 0;
1037 }
1038 if (inf)
1039 expected_eoc++;
1040 else
1041 p += plen;
1042 len -= p - q;
1043 }
1044 if (expected_eoc) {
1045 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
1046 return 0;
1047 }
1048 *in = p;
1049 return 1;
1050 }
1051
1052 /*
1053 * This function collects the asn1 data from a constructred string type into
1054 * a buffer. The values of 'in' and 'len' should refer to the contents of the
1055 * constructed type and 'inf' should be set if it is indefinite length.
1056 */
1057
1058 #ifndef ASN1_MAX_STRING_NEST
1059 /*
1060 * This determines how many levels of recursion are permitted in ASN1 string
1061 * types. If it is not limited stack overflows can occur. If set to zero no
1062 * recursion is allowed at all. Although zero should be adequate examples
1063 * exist that require a value of 1. So 5 should be more than enough.
1064 */
1065 # define ASN1_MAX_STRING_NEST 5
1066 #endif
1067
asn1_collect(BUF_MEM * buf,const unsigned char ** in,long len,char inf,int tag,int aclass,int depth)1068 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
1069 char inf, int tag, int aclass, int depth)
1070 {
1071 const unsigned char *p, *q;
1072 long plen;
1073 char cst, ininf;
1074 p = *in;
1075 inf &= 1;
1076 /*
1077 * If no buffer and not indefinite length constructed just pass over the
1078 * encoded data
1079 */
1080 if (!buf && !inf) {
1081 *in += len;
1082 return 1;
1083 }
1084 while (len > 0) {
1085 q = p;
1086 /* Check for EOC */
1087 if (asn1_check_eoc(&p, len)) {
1088 /*
1089 * EOC is illegal outside indefinite length constructed form
1090 */
1091 if (!inf) {
1092 OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
1093 return 0;
1094 }
1095 inf = 0;
1096 break;
1097 }
1098
1099 if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p,
1100 len, tag, aclass, 0, NULL)) {
1101 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
1102 return 0;
1103 }
1104
1105 /* If indefinite length constructed update max length */
1106 if (cst) {
1107 if (depth >= ASN1_MAX_STRING_NEST) {
1108 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_STRING);
1109 return 0;
1110 }
1111 if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, depth + 1))
1112 return 0;
1113 } else if (plen && !collect_data(buf, &p, plen))
1114 return 0;
1115 len -= p - q;
1116 }
1117 if (inf) {
1118 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
1119 return 0;
1120 }
1121 *in = p;
1122 return 1;
1123 }
1124
collect_data(BUF_MEM * buf,const unsigned char ** p,long plen)1125 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
1126 {
1127 int len;
1128 if (buf) {
1129 len = buf->length;
1130 if (!BUF_MEM_grow_clean(buf, len + plen)) {
1131 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
1132 return 0;
1133 }
1134 OPENSSL_memcpy(buf->data + len, *p, plen);
1135 }
1136 *p += plen;
1137 return 1;
1138 }
1139
1140 /* Check for ASN1 EOC and swallow it if found */
1141
asn1_check_eoc(const unsigned char ** in,long len)1142 static int asn1_check_eoc(const unsigned char **in, long len)
1143 {
1144 const unsigned char *p;
1145 if (len < 2)
1146 return 0;
1147 p = *in;
1148 if (!p[0] && !p[1]) {
1149 *in += 2;
1150 return 1;
1151 }
1152 return 0;
1153 }
1154
1155 /*
1156 * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the
1157 * length for indefinite length constructed form, we don't know the exact
1158 * length but we can set an upper bound to the amount of data available minus
1159 * the header length just read.
1160 */
1161
asn1_check_tlen(long * olen,int * otag,unsigned char * oclass,char * inf,char * cst,const unsigned char ** in,long len,int exptag,int expclass,char opt,ASN1_TLC * ctx)1162 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
1163 char *inf, char *cst,
1164 const unsigned char **in, long len,
1165 int exptag, int expclass, char opt, ASN1_TLC *ctx)
1166 {
1167 int i;
1168 int ptag, pclass;
1169 long plen;
1170 const unsigned char *p, *q;
1171 p = *in;
1172 q = p;
1173
1174 if (ctx && ctx->valid) {
1175 i = ctx->ret;
1176 plen = ctx->plen;
1177 pclass = ctx->pclass;
1178 ptag = ctx->ptag;
1179 p += ctx->hdrlen;
1180 } else {
1181 i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
1182 if (ctx) {
1183 ctx->ret = i;
1184 ctx->plen = plen;
1185 ctx->pclass = pclass;
1186 ctx->ptag = ptag;
1187 ctx->hdrlen = p - q;
1188 ctx->valid = 1;
1189 /*
1190 * If definite length, and no error, length + header can't exceed
1191 * total amount of data available.
1192 */
1193 if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
1194 OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
1195 asn1_tlc_clear(ctx);
1196 return 0;
1197 }
1198 }
1199 }
1200
1201 if (i & 0x80) {
1202 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER);
1203 asn1_tlc_clear(ctx);
1204 return 0;
1205 }
1206 if (exptag >= 0) {
1207 if ((exptag != ptag) || (expclass != pclass)) {
1208 /*
1209 * If type is OPTIONAL, not an error: indicate missing type.
1210 */
1211 if (opt)
1212 return -1;
1213 asn1_tlc_clear(ctx);
1214 OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TAG);
1215 return 0;
1216 }
1217 /*
1218 * We have a tag and class match: assume we are going to do something
1219 * with it
1220 */
1221 asn1_tlc_clear(ctx);
1222 }
1223
1224 if (i & 1)
1225 plen = len - (p - q);
1226
1227 if (inf)
1228 *inf = i & 1;
1229
1230 if (cst)
1231 *cst = i & V_ASN1_CONSTRUCTED;
1232
1233 if (olen)
1234 *olen = plen;
1235
1236 if (oclass)
1237 *oclass = pclass;
1238
1239 if (otag)
1240 *otag = ptag;
1241
1242 *in = p;
1243 return 1;
1244 }
1245