1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.] */
56 
57 #include <openssl/asn1.h>
58 
59 #include <string.h>
60 
61 #include <openssl/asn1t.h>
62 #include <openssl/buf.h>
63 #include <openssl/err.h>
64 #include <openssl/mem.h>
65 
66 #include "../internal.h"
67 
68 
69 static int asn1_check_eoc(const unsigned char **in, long len);
70 static int asn1_find_end(const unsigned char **in, long len, char inf);
71 
72 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
73 			char inf, int tag, int aclass, int depth);
74 
75 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen);
76 
77 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
78 				char *inf, char *cst,
79 				const unsigned char **in, long len,
80 				int exptag, int expclass, char opt,
81 				ASN1_TLC *ctx);
82 
83 static int asn1_template_ex_d2i(ASN1_VALUE **pval,
84 				const unsigned char **in, long len,
85 				const ASN1_TEMPLATE *tt, char opt,
86 				ASN1_TLC *ctx);
87 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
88 				const unsigned char **in, long len,
89 				const ASN1_TEMPLATE *tt, char opt,
90 				ASN1_TLC *ctx);
91 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
92 				const unsigned char **in, long len,
93 				const ASN1_ITEM *it,
94 				int tag, int aclass, char opt, ASN1_TLC *ctx);
95 
96 /* Table to convert tags to bit values, used for MSTRING type */
97 static const unsigned long tag2bit[32] = {
98 0,	0,	0,	B_ASN1_BIT_STRING,	/* tags  0 -  3 */
99 B_ASN1_OCTET_STRING,	0,	0,		B_ASN1_UNKNOWN,/* tags  4- 7 */
100 B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,	B_ASN1_UNKNOWN,/* tags  8-11 */
101 B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
102 B_ASN1_SEQUENCE,0,B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */
103 B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,       /* tags 20-22 */
104 B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME,			       /* tags 23-24 */
105 B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING,  /* tags 25-27 */
106 B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */
107 	};
108 
ASN1_tag2bit(int tag)109 unsigned long ASN1_tag2bit(int tag)
110 	{
111 	if ((tag < 0) || (tag > 30)) return 0;
112 	return tag2bit[tag];
113 	}
114 
115 /* Macro to initialize and invalidate the cache */
116 
117 #define asn1_tlc_clear(c)	if (c) (c)->valid = 0
118 /* Version to avoid compiler warning about 'c' always non-NULL */
119 #define asn1_tlc_clear_nc(c)	(c)->valid = 0
120 
121 /* Decode an ASN1 item, this currently behaves just
122  * like a standard 'd2i' function. 'in' points to
123  * a buffer to read the data from, in future we will
124  * have more advanced versions that can input data
125  * a piece at a time and this will simply be a special
126  * case.
127  */
128 
ASN1_item_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it)129 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
130 		const unsigned char **in, long len, const ASN1_ITEM *it)
131 	{
132 	ASN1_TLC c;
133 	ASN1_VALUE *ptmpval = NULL;
134 	if (!pval)
135 		pval = &ptmpval;
136 	asn1_tlc_clear_nc(&c);
137 	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
138 		return *pval;
139 	return NULL;
140 	}
141 
ASN1_template_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_TEMPLATE * tt)142 int ASN1_template_d2i(ASN1_VALUE **pval,
143 		const unsigned char **in, long len, const ASN1_TEMPLATE *tt)
144 	{
145 	ASN1_TLC c;
146 	asn1_tlc_clear_nc(&c);
147 	return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
148 	}
149 
150 
151 /* Decode an item, taking care of IMPLICIT tagging, if any.
152  * If 'opt' set and tag mismatch return -1 to handle OPTIONAL
153  */
154 
ASN1_item_ex_d2i(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx)155 int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
156 			const ASN1_ITEM *it,
157 			int tag, int aclass, char opt, ASN1_TLC *ctx)
158 	{
159 	const ASN1_TEMPLATE *tt, *errtt = NULL;
160 	const ASN1_COMPAT_FUNCS *cf;
161 	const ASN1_EXTERN_FUNCS *ef;
162 	const ASN1_AUX *aux = it->funcs;
163 	ASN1_aux_cb *asn1_cb;
164 	const unsigned char *p = NULL, *q;
165 	unsigned char *wp=NULL;	/* BIG FAT WARNING!  BREAKS CONST WHERE USED */
166 	unsigned char imphack = 0, oclass;
167 	char seq_eoc, seq_nolen, cst, isopt;
168 	long tmplen;
169 	int i;
170 	int otag;
171 	int ret = 0;
172 	ASN1_VALUE **pchptr, *ptmpval;
173 	int combine = aclass & ASN1_TFLG_COMBINE;
174 	if (!pval)
175 		return 0;
176 	if (aux && aux->asn1_cb)
177 		asn1_cb = aux->asn1_cb;
178 	else asn1_cb = 0;
179 
180 	switch(it->itype)
181 		{
182 		case ASN1_ITYPE_PRIMITIVE:
183 		if (it->templates)
184 			{
185 			/* tagging or OPTIONAL is currently illegal on an item
186 			 * template because the flags can't get passed down.
187 			 * In practice this isn't a problem: we include the
188 			 * relevant flags from the item template in the
189 			 * template itself.
190 			 */
191 			if ((tag != -1) || opt)
192 				{
193 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
194 				goto err;
195 				}
196 			return asn1_template_ex_d2i(pval, in, len,
197 					it->templates, opt, ctx);
198 		}
199 		return asn1_d2i_ex_primitive(pval, in, len, it,
200 						tag, aclass, opt, ctx);
201 		break;
202 
203 		case ASN1_ITYPE_MSTRING:
204 		p = *in;
205 		/* Just read in tag and class */
206 		ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
207 						&p, len, -1, 0, 1, ctx);
208 		if (!ret)
209 			{
210 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
211 			goto err;
212 			}
213 
214 		/* Must be UNIVERSAL class */
215 		if (oclass != V_ASN1_UNIVERSAL)
216 			{
217 			/* If OPTIONAL, assume this is OK */
218 			if (opt) return -1;
219 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL);
220 			goto err;
221 			}
222 		/* Check tag matches bit map */
223 		if (!(ASN1_tag2bit(otag) & it->utype))
224 			{
225 			/* If OPTIONAL, assume this is OK */
226 			if (opt)
227 				return -1;
228 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_WRONG_TAG);
229 			goto err;
230 			}
231 		return asn1_d2i_ex_primitive(pval, in, len,
232 						it, otag, 0, 0, ctx);
233 
234 		case ASN1_ITYPE_EXTERN:
235 		/* Use new style d2i */
236 		ef = it->funcs;
237 		return ef->asn1_ex_d2i(pval, in, len,
238 						it, tag, aclass, opt, ctx);
239 
240 		case ASN1_ITYPE_COMPAT:
241 		/* we must resort to old style evil hackery */
242 		cf = it->funcs;
243 
244 		/* If OPTIONAL see if it is there */
245 		if (opt)
246 			{
247 			int exptag;
248 			p = *in;
249 			if (tag == -1)
250 				exptag = it->utype;
251 			else exptag = tag;
252 			/* Don't care about anything other than presence
253 			 * of expected tag */
254 
255 			ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL,
256 					&p, len, exptag, aclass, 1, ctx);
257 			if (!ret)
258 				{
259 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
260 				goto err;
261 				}
262 			if (ret == -1)
263 				return -1;
264 			}
265 
266 		/* This is the old style evil hack IMPLICIT handling:
267 		 * since the underlying code is expecting a tag and
268 		 * class other than the one present we change the
269 		 * buffer temporarily then change it back afterwards.
270 		 * This doesn't and never did work for tags > 30.
271 		 *
272 		 * Yes this is *horrible* but it is only needed for
273 		 * old style d2i which will hopefully not be around
274 		 * for much longer.
275 		 * FIXME: should copy the buffer then modify it so
276 		 * the input buffer can be const: we should *always*
277 		 * copy because the old style d2i might modify the
278 		 * buffer.
279 		 */
280 
281 		if (tag != -1)
282 			{
283 			wp = *(unsigned char **)in;
284 			imphack = *wp;
285 			if (p == NULL)
286 				{
287 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
288 				goto err;
289 				}
290 			*wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED)
291 								| it->utype);
292 			}
293 
294 		ptmpval = cf->asn1_d2i(pval, in, len);
295 
296 		if (tag != -1)
297 			*wp = imphack;
298 
299 		if (ptmpval)
300 			return 1;
301 
302 		OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
303 		goto err;
304 
305 
306 		case ASN1_ITYPE_CHOICE:
307 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
308 				goto auxerr;
309 
310 		if (*pval)
311 			{
312 			/* Free up and zero CHOICE value if initialised */
313 			i = asn1_get_choice_selector(pval, it);
314 			if ((i >= 0) && (i < it->tcount))
315 				{
316 				tt = it->templates + i;
317 				pchptr = asn1_get_field_ptr(pval, tt);
318 				ASN1_template_free(pchptr, tt);
319 				asn1_set_choice_selector(pval, -1, it);
320 				}
321 			}
322 		else if (!ASN1_item_ex_new(pval, it))
323 			{
324 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
325 			goto err;
326 			}
327 		/* CHOICE type, try each possibility in turn */
328 		p = *in;
329 		for (i = 0, tt=it->templates; i < it->tcount; i++, tt++)
330 			{
331 			pchptr = asn1_get_field_ptr(pval, tt);
332 			/* We mark field as OPTIONAL so its absence
333 			 * can be recognised.
334 			 */
335 			ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
336 			/* If field not present, try the next one */
337 			if (ret == -1)
338 				continue;
339 			/* If positive return, read OK, break loop */
340 			if (ret > 0)
341 				break;
342 			/* Otherwise must be an ASN1 parsing error */
343 			errtt = tt;
344 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
345 			goto err;
346 			}
347 
348 		/* Did we fall off the end without reading anything? */
349 		if (i == it->tcount)
350 			{
351 			/* If OPTIONAL, this is OK */
352 			if (opt)
353 				{
354 				/* Free and zero it */
355 				ASN1_item_ex_free(pval, it);
356 				return -1;
357 				}
358 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE);
359 			goto err;
360 			}
361 
362 		asn1_set_choice_selector(pval, i, it);
363 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
364 				goto auxerr;
365 		*in = p;
366 		return 1;
367 
368 		case ASN1_ITYPE_NDEF_SEQUENCE:
369 		case ASN1_ITYPE_SEQUENCE:
370 		p = *in;
371 		tmplen = len;
372 
373 		/* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
374 		if (tag == -1)
375 			{
376 			tag = V_ASN1_SEQUENCE;
377 			aclass = V_ASN1_UNIVERSAL;
378 			}
379 		/* Get SEQUENCE length and update len, p */
380 		ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst,
381 					&p, len, tag, aclass, opt, ctx);
382 		if (!ret)
383 			{
384 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
385 			goto err;
386 			}
387 		else if (ret == -1)
388 			return -1;
389 		if (aux && (aux->flags & ASN1_AFLG_BROKEN))
390 			{
391 			len = tmplen - (p - *in);
392 			seq_nolen = 1;
393 			}
394 		/* If indefinite we don't do a length check */
395 		else seq_nolen = seq_eoc;
396 		if (!cst)
397 			{
398 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
399 			goto err;
400 			}
401 
402 		if (!*pval && !ASN1_item_ex_new(pval, it))
403 			{
404 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
405 			goto err;
406 			}
407 
408 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
409 				goto auxerr;
410 
411 		/* Free up and zero any ADB found */
412 		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
413 			{
414 			if (tt->flags & ASN1_TFLG_ADB_MASK)
415 				{
416 				const ASN1_TEMPLATE *seqtt;
417 				ASN1_VALUE **pseqval;
418 				seqtt = asn1_do_adb(pval, tt, 1);
419 				pseqval = asn1_get_field_ptr(pval, seqtt);
420 				ASN1_template_free(pseqval, seqtt);
421 				}
422 			}
423 
424 		/* Get each field entry */
425 		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
426 			{
427 			const ASN1_TEMPLATE *seqtt;
428 			ASN1_VALUE **pseqval;
429 			seqtt = asn1_do_adb(pval, tt, 1);
430 			if (!seqtt)
431 				goto err;
432 			pseqval = asn1_get_field_ptr(pval, seqtt);
433 			/* Have we ran out of data? */
434 			if (!len)
435 				break;
436 			q = p;
437 			if (asn1_check_eoc(&p, len))
438 				{
439 				if (!seq_eoc)
440 					{
441 					OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
442 					goto err;
443 					}
444 				len -= p - q;
445 				seq_eoc = 0;
446 				q = p;
447 				break;
448 				}
449 			/* This determines the OPTIONAL flag value. The field
450 			 * cannot be omitted if it is the last of a SEQUENCE
451 			 * and there is still data to be read. This isn't
452 			 * strictly necessary but it increases efficiency in
453 			 * some cases.
454 			 */
455 			if (i == (it->tcount - 1))
456 				isopt = 0;
457 			else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
458 			/* attempt to read in field, allowing each to be
459 			 * OPTIONAL */
460 
461 			ret = asn1_template_ex_d2i(pseqval, &p, len,
462 							seqtt, isopt, ctx);
463 			if (!ret)
464 				{
465 				errtt = seqtt;
466 				goto err;
467 				}
468 			else if (ret == -1)
469 				{
470 				/* OPTIONAL component absent.
471 				 * Free and zero the field.
472 				 */
473 				ASN1_template_free(pseqval, seqtt);
474 				continue;
475 				}
476 			/* Update length */
477 			len -= p - q;
478 			}
479 
480 		/* Check for EOC if expecting one */
481 		if (seq_eoc && !asn1_check_eoc(&p, len))
482 			{
483 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
484 			goto err;
485 			}
486 		/* Check all data read */
487 		if (!seq_nolen && len)
488 			{
489 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
490 			goto err;
491 			}
492 
493 		/* If we get here we've got no more data in the SEQUENCE,
494 		 * however we may not have read all fields so check all
495 		 * remaining are OPTIONAL and clear any that are.
496 		 */
497 		for (; i < it->tcount; tt++, i++)
498 			{
499 			const ASN1_TEMPLATE *seqtt;
500 			seqtt = asn1_do_adb(pval, tt, 1);
501 			if (!seqtt)
502 				goto err;
503 			if (seqtt->flags & ASN1_TFLG_OPTIONAL)
504 				{
505 				ASN1_VALUE **pseqval;
506 				pseqval = asn1_get_field_ptr(pval, seqtt);
507 				ASN1_template_free(pseqval, seqtt);
508 				}
509 			else
510 				{
511 				errtt = seqtt;
512 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIELD_MISSING);
513 				goto err;
514 				}
515 			}
516 		/* Save encoding */
517 		if (!asn1_enc_save(pval, *in, p - *in, it))
518 			goto auxerr;
519 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
520 				goto auxerr;
521 		*in = p;
522 		return 1;
523 
524 		default:
525 		return 0;
526 		}
527 	auxerr:
528 	OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);
529 	err:
530 	if (combine == 0)
531 		ASN1_item_ex_free(pval, it);
532 	if (errtt)
533 		ERR_add_error_data(4, "Field=", errtt->field_name,
534 					", Type=", it->sname);
535 	else
536 		ERR_add_error_data(2, "Type=", it->sname);
537 	return 0;
538 	}
539 
540 /* Templates are handled with two separate functions.
541  * One handles any EXPLICIT tag and the other handles the rest.
542  */
543 
asn1_template_ex_d2i(ASN1_VALUE ** val,const unsigned char ** in,long inlen,const ASN1_TEMPLATE * tt,char opt,ASN1_TLC * ctx)544 static int asn1_template_ex_d2i(ASN1_VALUE **val,
545 				const unsigned char **in, long inlen,
546 				const ASN1_TEMPLATE *tt, char opt,
547 							ASN1_TLC *ctx)
548 	{
549 	int flags, aclass;
550 	int ret;
551 	long len;
552 	const unsigned char *p, *q;
553 	char exp_eoc;
554 	if (!val)
555 		return 0;
556 	flags = tt->flags;
557 	aclass = flags & ASN1_TFLG_TAG_CLASS;
558 
559 	p = *in;
560 
561 	/* Check if EXPLICIT tag expected */
562 	if (flags & ASN1_TFLG_EXPTAG)
563 		{
564 		char cst;
565 		/* Need to work out amount of data available to the inner
566 		 * content and where it starts: so read in EXPLICIT header to
567 		 * get the info.
568 		 */
569 		ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst,
570 					&p, inlen, tt->tag, aclass, opt, ctx);
571 		q = p;
572 		if (!ret)
573 			{
574 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
575 			return 0;
576 			}
577 		else if (ret == -1)
578 			return -1;
579 		if (!cst)
580 			{
581 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
582 			return 0;
583 			}
584 		/* We've found the field so it can't be OPTIONAL now */
585 		ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
586 		if (!ret)
587 			{
588 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
589 			return 0;
590 			}
591 		/* We read the field in OK so update length */
592 		len -= p - q;
593 		if (exp_eoc)
594 			{
595 			/* If NDEF we must have an EOC here */
596 			if (!asn1_check_eoc(&p, len))
597 				{
598 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
599 				goto err;
600 				}
601 			}
602 		else
603 			{
604 			/* Otherwise we must hit the EXPLICIT tag end or its
605 			 * an error */
606 			if (len)
607 				{
608 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
609 				goto err;
610 				}
611 			}
612 		}
613 		else
614 			return asn1_template_noexp_d2i(val, in, inlen,
615 								tt, opt, ctx);
616 
617 	*in = p;
618 	return 1;
619 
620 	err:
621 	ASN1_template_free(val, tt);
622 	return 0;
623 	}
624 
asn1_template_noexp_d2i(ASN1_VALUE ** val,const unsigned char ** in,long len,const ASN1_TEMPLATE * tt,char opt,ASN1_TLC * ctx)625 static int asn1_template_noexp_d2i(ASN1_VALUE **val,
626 				const unsigned char **in, long len,
627 				const ASN1_TEMPLATE *tt, char opt,
628 				ASN1_TLC *ctx)
629 	{
630 	int flags, aclass;
631 	int ret;
632 	const unsigned char *p;
633 	if (!val)
634 		return 0;
635 	flags = tt->flags;
636 	aclass = flags & ASN1_TFLG_TAG_CLASS;
637 
638 	p = *in;
639 
640 	if (flags & ASN1_TFLG_SK_MASK)
641 		{
642 		/* SET OF, SEQUENCE OF */
643 		int sktag, skaclass;
644 		char sk_eoc;
645 		/* First work out expected inner tag value */
646 		if (flags & ASN1_TFLG_IMPTAG)
647 			{
648 			sktag = tt->tag;
649 			skaclass = aclass;
650 			}
651 		else
652 			{
653 			skaclass = V_ASN1_UNIVERSAL;
654 			if (flags & ASN1_TFLG_SET_OF)
655 				sktag = V_ASN1_SET;
656 			else
657 				sktag = V_ASN1_SEQUENCE;
658 			}
659 		/* Get the tag */
660 		ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL,
661 					&p, len, sktag, skaclass, opt, ctx);
662 		if (!ret)
663 			{
664 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
665 			return 0;
666 			}
667 		else if (ret == -1)
668 			return -1;
669 		if (!*val)
670 			*val = (ASN1_VALUE *)sk_new_null();
671 		else
672 			{
673 			/* We've got a valid STACK: free up any items present */
674 			STACK_OF(ASN1_VALUE) *sktmp
675 			    = (STACK_OF(ASN1_VALUE) *)*val;
676 			ASN1_VALUE *vtmp;
677 			while(sk_ASN1_VALUE_num(sktmp) > 0)
678 				{
679 				vtmp = sk_ASN1_VALUE_pop(sktmp);
680 				ASN1_item_ex_free(&vtmp,
681 						ASN1_ITEM_ptr(tt->item));
682 				}
683 			}
684 
685 		if (!*val)
686 			{
687 			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
688 			goto err;
689 			}
690 
691 		/* Read as many items as we can */
692 		while(len > 0)
693 			{
694 			ASN1_VALUE *skfield;
695 			const unsigned char *q = p;
696 			/* See if EOC found */
697 			if (asn1_check_eoc(&p, len))
698 				{
699 				if (!sk_eoc)
700 					{
701 					OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
702 					goto err;
703 					}
704 				len -= p - q;
705 				sk_eoc = 0;
706 				break;
707 				}
708 			skfield = NULL;
709 			if (!ASN1_item_ex_d2i(&skfield, &p, len,
710 						ASN1_ITEM_ptr(tt->item),
711 						-1, 0, 0, ctx))
712 				{
713 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
714 				goto err;
715 				}
716 			len -= p - q;
717 			if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val,
718 						skfield))
719 				{
720 				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
721 				goto err;
722 				}
723 			}
724 		if (sk_eoc)
725 			{
726 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
727 			goto err;
728 			}
729 		}
730 	else if (flags & ASN1_TFLG_IMPTAG)
731 		{
732 		/* IMPLICIT tagging */
733 		ret = ASN1_item_ex_d2i(val, &p, len,
734 			ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
735 		if (!ret)
736 			{
737 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
738 			goto err;
739 			}
740 		else if (ret == -1)
741 			return -1;
742 		}
743 	else
744 		{
745 		/* Nothing special */
746 		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
747 							-1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
748 		if (!ret)
749 			{
750 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
751 			goto err;
752 			}
753 		else if (ret == -1)
754 			return -1;
755 		}
756 
757 	*in = p;
758 	return 1;
759 
760 	err:
761 	ASN1_template_free(val, tt);
762 	return 0;
763 	}
764 
asn1_d2i_ex_primitive(ASN1_VALUE ** pval,const unsigned char ** in,long inlen,const ASN1_ITEM * it,int tag,int aclass,char opt,ASN1_TLC * ctx)765 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
766 				const unsigned char **in, long inlen,
767 				const ASN1_ITEM *it,
768 				int tag, int aclass, char opt, ASN1_TLC *ctx)
769         OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
770 	{
771 	int ret = 0, utype;
772 	long plen;
773 	char cst, inf, free_cont = 0;
774 	const unsigned char *p;
775 	BUF_MEM buf;
776 	const unsigned char *cont = NULL;
777 	long len;
778 	if (!pval)
779 		{
780 		OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL);
781 		return 0; /* Should never happen */
782 		}
783 
784 	if (it->itype == ASN1_ITYPE_MSTRING)
785 		{
786 		utype = tag;
787 		tag = -1;
788 		}
789 	else
790 		utype = it->utype;
791 
792 	if (utype == V_ASN1_ANY)
793 		{
794 		/* If type is ANY need to figure out type from tag */
795 		unsigned char oclass;
796 		if (tag >= 0)
797 			{
798 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TAGGED_ANY);
799 			return 0;
800 			}
801 		if (opt)
802 			{
803 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONAL_ANY);
804 			return 0;
805 			}
806 		p = *in;
807 		ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL,
808 					&p, inlen, -1, 0, 0, ctx);
809 		if (!ret)
810 			{
811 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
812 			return 0;
813 			}
814 		if (oclass != V_ASN1_UNIVERSAL)
815 			utype = V_ASN1_OTHER;
816 		}
817 	if (tag == -1)
818 		{
819 		tag = utype;
820 		aclass = V_ASN1_UNIVERSAL;
821 		}
822 	p = *in;
823 	/* Check header */
824 	ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst,
825 				&p, inlen, tag, aclass, opt, ctx);
826 	if (!ret)
827 		{
828 		OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
829 		return 0;
830 		}
831 	else if (ret == -1)
832 		return -1;
833         ret = 0;
834 	/* SEQUENCE, SET and "OTHER" are left in encoded form */
835 	if ((utype == V_ASN1_SEQUENCE)
836 		|| (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER))
837 		{
838 		/* Clear context cache for type OTHER because the auto clear
839 		 * when we have a exact match wont work
840 		 */
841 		if (utype == V_ASN1_OTHER)
842 			{
843 			asn1_tlc_clear(ctx);
844 			}
845 		/* SEQUENCE and SET must be constructed */
846 		else if (!cst)
847 			{
848 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED);
849 			return 0;
850 			}
851 
852 		cont = *in;
853 		/* If indefinite length constructed find the real end */
854 		if (inf)
855 			{
856 			if (!asn1_find_end(&p, plen, inf))
857 				 goto err;
858 			len = p - cont;
859 			}
860 		else
861 			{
862 			len = p - cont + plen;
863 			p += plen;
864 			buf.data = NULL;
865 			}
866 		}
867 	else if (cst)
868 		{
869 		if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
870 			|| utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
871 			|| utype == V_ASN1_ENUMERATED)
872 			{
873 			/* These types only have primitive encodings. */
874 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE);
875 			return 0;
876 			}
877 
878 		buf.length = 0;
879 		buf.max = 0;
880 		buf.data = NULL;
881 		/* Should really check the internal tags are correct but
882 		 * some things may get this wrong. The relevant specs
883 		 * say that constructed string types should be OCTET STRINGs
884 		 * internally irrespective of the type. So instead just check
885 		 * for UNIVERSAL class and ignore the tag.
886 		 */
887 		if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0))
888 			{
889 			free_cont = 1;
890 			goto err;
891 			}
892 		len = buf.length;
893 		/* Append a final null to string */
894 		if (!BUF_MEM_grow_clean(&buf, len + 1))
895 			{
896 			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
897 			return 0;
898 			}
899 		buf.data[len] = 0;
900 		cont = (const unsigned char *)buf.data;
901 		free_cont = 1;
902 		}
903 	else
904 		{
905 		cont = p;
906 		len = plen;
907 		p += plen;
908 		}
909 
910 	/* We now have content length and type: translate into a structure */
911 	if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it))
912 		goto err;
913 
914 	*in = p;
915 	ret = 1;
916 	err:
917 	if (free_cont && buf.data) OPENSSL_free(buf.data);
918 	return ret;
919 	}
920 
921 /* Translate ASN1 content octets into a structure */
922 
asn1_ex_c2i(ASN1_VALUE ** pval,const unsigned char * cont,int len,int utype,char * free_cont,const ASN1_ITEM * it)923 int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
924 			int utype, char *free_cont, const ASN1_ITEM *it)
925 	{
926 	ASN1_VALUE **opval = NULL;
927 	ASN1_STRING *stmp;
928 	ASN1_TYPE *typ = NULL;
929 	int ret = 0;
930 	const ASN1_PRIMITIVE_FUNCS *pf;
931 	ASN1_INTEGER **tint;
932 	pf = it->funcs;
933 
934 	if (pf && pf->prim_c2i)
935 		return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
936 	/* If ANY type clear type and set pointer to internal value */
937 	if (it->utype == V_ASN1_ANY)
938 		{
939 		if (!*pval)
940 			{
941 			typ = ASN1_TYPE_new();
942 			if (typ == NULL)
943 				goto err;
944 			*pval = (ASN1_VALUE *)typ;
945 			}
946 		else
947 			typ = (ASN1_TYPE *)*pval;
948 
949 		if (utype != typ->type)
950 			ASN1_TYPE_set(typ, utype, NULL);
951 		opval = pval;
952 		pval = &typ->value.asn1_value;
953 		}
954 	switch(utype)
955 		{
956 		case V_ASN1_OBJECT:
957 		if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len))
958 			goto err;
959 		break;
960 
961 		case V_ASN1_NULL:
962 		if (len)
963 			{
964 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NULL_IS_WRONG_LENGTH);
965 			goto err;
966 			}
967 		*pval = (ASN1_VALUE *)1;
968 		break;
969 
970 		case V_ASN1_BOOLEAN:
971 		if (len != 1)
972 			{
973 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
974 			goto err;
975 			}
976 		else
977 			{
978 			ASN1_BOOLEAN *tbool;
979 			tbool = (ASN1_BOOLEAN *)pval;
980 			*tbool = *cont;
981 			}
982 		break;
983 
984 		case V_ASN1_BIT_STRING:
985 		if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len))
986 			goto err;
987 		break;
988 
989 		case V_ASN1_INTEGER:
990 		case V_ASN1_NEG_INTEGER:
991 		case V_ASN1_ENUMERATED:
992 		case V_ASN1_NEG_ENUMERATED:
993 		tint = (ASN1_INTEGER **)pval;
994 		if (!c2i_ASN1_INTEGER(tint, &cont, len))
995 			goto err;
996 		/* Fixup type to match the expected form */
997 		(*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
998 		break;
999 
1000 		case V_ASN1_OCTET_STRING:
1001 		case V_ASN1_NUMERICSTRING:
1002 		case V_ASN1_PRINTABLESTRING:
1003 		case V_ASN1_T61STRING:
1004 		case V_ASN1_VIDEOTEXSTRING:
1005 		case V_ASN1_IA5STRING:
1006 		case V_ASN1_UTCTIME:
1007 		case V_ASN1_GENERALIZEDTIME:
1008 		case V_ASN1_GRAPHICSTRING:
1009 		case V_ASN1_VISIBLESTRING:
1010 		case V_ASN1_GENERALSTRING:
1011 		case V_ASN1_UNIVERSALSTRING:
1012 		case V_ASN1_BMPSTRING:
1013 		case V_ASN1_UTF8STRING:
1014 		case V_ASN1_OTHER:
1015 		case V_ASN1_SET:
1016 		case V_ASN1_SEQUENCE:
1017 		default:
1018 		if (utype == V_ASN1_BMPSTRING && (len & 1))
1019 			{
1020 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
1021 			goto err;
1022 			}
1023 		if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
1024 			{
1025 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
1026 			goto err;
1027 			}
1028 		/* All based on ASN1_STRING and handled the same */
1029 		if (!*pval)
1030 			{
1031 			stmp = ASN1_STRING_type_new(utype);
1032 			if (!stmp)
1033 				{
1034 				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
1035 				goto err;
1036 				}
1037 			*pval = (ASN1_VALUE *)stmp;
1038 			}
1039 		else
1040 			{
1041 			stmp = (ASN1_STRING *)*pval;
1042 			stmp->type = utype;
1043 			}
1044 		/* If we've already allocated a buffer use it */
1045 		if (*free_cont)
1046 			{
1047 			if (stmp->data)
1048 				OPENSSL_free(stmp->data);
1049 			stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */
1050 			stmp->length = len;
1051 			*free_cont = 0;
1052 			}
1053 		else
1054 			{
1055 			if (!ASN1_STRING_set(stmp, cont, len))
1056 				{
1057 				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
1058 				ASN1_STRING_free(stmp);
1059 				*pval = NULL;
1060 				goto err;
1061 				}
1062 			}
1063 		break;
1064 		}
1065 	/* If ASN1_ANY and NULL type fix up value */
1066 	if (typ && (utype == V_ASN1_NULL))
1067 		 typ->value.ptr = NULL;
1068 
1069 	ret = 1;
1070 	err:
1071 	if (!ret)
1072 		{
1073 		ASN1_TYPE_free(typ);
1074 		if (opval)
1075 			*opval = NULL;
1076 		}
1077 	return ret;
1078 	}
1079 
1080 
1081 /* This function finds the end of an ASN1 structure when passed its maximum
1082  * length, whether it is indefinite length and a pointer to the content.
1083  * This is more efficient than calling asn1_collect because it does not
1084  * recurse on each indefinite length header.
1085  */
1086 
asn1_find_end(const unsigned char ** in,long len,char inf)1087 static int asn1_find_end(const unsigned char **in, long len, char inf)
1088 	{
1089 	int expected_eoc;
1090 	long plen;
1091 	const unsigned char *p = *in, *q;
1092 	/* If not indefinite length constructed just add length */
1093 	if (inf == 0)
1094 		{
1095 		*in += len;
1096 		return 1;
1097 		}
1098 	expected_eoc = 1;
1099 	/* Indefinite length constructed form. Find the end when enough EOCs
1100 	 * are found. If more indefinite length constructed headers
1101 	 * are encountered increment the expected eoc count otherwise just
1102 	 * skip to the end of the data.
1103 	 */
1104 	while (len > 0)
1105 		{
1106 		if(asn1_check_eoc(&p, len))
1107 			{
1108 			expected_eoc--;
1109 			if (expected_eoc == 0)
1110 				break;
1111 			len -= 2;
1112 			continue;
1113 			}
1114 		q = p;
1115 		/* Just read in a header: only care about the length */
1116 		if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
1117 				-1, 0, 0, NULL))
1118 			{
1119 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
1120 			return 0;
1121 			}
1122 		if (inf)
1123 			expected_eoc++;
1124 		else
1125 			p += plen;
1126 		len -= p - q;
1127 		}
1128 	if (expected_eoc)
1129 		{
1130 		OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
1131 		return 0;
1132 		}
1133 	*in = p;
1134 	return 1;
1135 	}
1136 /* This function collects the asn1 data from a constructred string
1137  * type into a buffer. The values of 'in' and 'len' should refer
1138  * to the contents of the constructed type and 'inf' should be set
1139  * if it is indefinite length.
1140  */
1141 
1142 #ifndef ASN1_MAX_STRING_NEST
1143 /* This determines how many levels of recursion are permitted in ASN1
1144  * string types. If it is not limited stack overflows can occur. If set
1145  * to zero no recursion is allowed at all. Although zero should be adequate
1146  * examples exist that require a value of 1. So 5 should be more than enough.
1147  */
1148 #define ASN1_MAX_STRING_NEST 5
1149 #endif
1150 
1151 
asn1_collect(BUF_MEM * buf,const unsigned char ** in,long len,char inf,int tag,int aclass,int depth)1152 static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
1153 			char inf, int tag, int aclass, int depth)
1154 	{
1155 	const unsigned char *p, *q;
1156 	long plen;
1157 	char cst, ininf;
1158 	p = *in;
1159 	inf &= 1;
1160 	/* If no buffer and not indefinite length constructed just pass over
1161 	 * the encoded data */
1162 	if (!buf && !inf)
1163 		{
1164 		*in += len;
1165 		return 1;
1166 		}
1167 	while(len > 0)
1168 		{
1169 		q = p;
1170 		/* Check for EOC */
1171 		if (asn1_check_eoc(&p, len))
1172 			{
1173 			/* EOC is illegal outside indefinite length
1174 			 * constructed form */
1175 			if (!inf)
1176 				{
1177 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
1178 				return 0;
1179 				}
1180 			inf = 0;
1181 			break;
1182 			}
1183 
1184 		if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p,
1185 					len, tag, aclass, 0, NULL))
1186 			{
1187 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
1188 			return 0;
1189 			}
1190 
1191 		/* If indefinite length constructed update max length */
1192 		if (cst)
1193 			{
1194 			if (depth >= ASN1_MAX_STRING_NEST)
1195 				{
1196 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_STRING);
1197 				return 0;
1198 				}
1199 			if (!asn1_collect(buf, &p, plen, ininf, tag, aclass,
1200 						depth + 1))
1201 				return 0;
1202 			}
1203 		else if (plen && !collect_data(buf, &p, plen))
1204 			return 0;
1205 		len -= p - q;
1206 		}
1207 	if (inf)
1208 		{
1209 		OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
1210 		return 0;
1211 		}
1212 	*in = p;
1213 	return 1;
1214 	}
1215 
collect_data(BUF_MEM * buf,const unsigned char ** p,long plen)1216 static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
1217 	{
1218 	int len;
1219 	if (buf)
1220 		{
1221 		len = buf->length;
1222 		if (!BUF_MEM_grow_clean(buf, len + plen))
1223 			{
1224 			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
1225 			return 0;
1226 			}
1227 		memcpy(buf->data + len, *p, plen);
1228 		}
1229 	*p += plen;
1230 	return 1;
1231 	}
1232 
1233 /* Check for ASN1 EOC and swallow it if found */
1234 
asn1_check_eoc(const unsigned char ** in,long len)1235 static int asn1_check_eoc(const unsigned char **in, long len)
1236 	{
1237 	const unsigned char *p;
1238 	if (len < 2) return 0;
1239 	p = *in;
1240 	if (!p[0] && !p[1])
1241 		{
1242 		*in += 2;
1243 		return 1;
1244 		}
1245 	return 0;
1246 	}
1247 
1248 /* Check an ASN1 tag and length: a bit like ASN1_get_object
1249  * but it sets the length for indefinite length constructed
1250  * form, we don't know the exact length but we can set an
1251  * upper bound to the amount of data available minus the
1252  * header length just read.
1253  */
1254 
asn1_check_tlen(long * olen,int * otag,unsigned char * oclass,char * inf,char * cst,const unsigned char ** in,long len,int exptag,int expclass,char opt,ASN1_TLC * ctx)1255 static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
1256 				char *inf, char *cst,
1257 				const unsigned char **in, long len,
1258 				int exptag, int expclass, char opt,
1259 				ASN1_TLC *ctx)
1260 	{
1261 	int i;
1262 	int ptag, pclass;
1263 	long plen;
1264 	const unsigned char *p, *q;
1265 	p = *in;
1266 	q = p;
1267 
1268 	if (ctx && ctx->valid)
1269 		{
1270 		i = ctx->ret;
1271 		plen = ctx->plen;
1272 		pclass = ctx->pclass;
1273 		ptag = ctx->ptag;
1274 		p += ctx->hdrlen;
1275 		}
1276 	else
1277 		{
1278 		i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
1279 		if (ctx)
1280 			{
1281 			ctx->ret = i;
1282 			ctx->plen = plen;
1283 			ctx->pclass = pclass;
1284 			ctx->ptag = ptag;
1285 			ctx->hdrlen = p - q;
1286 			ctx->valid = 1;
1287 			/* If definite length, and no error, length +
1288 			 * header can't exceed total amount of data available.
1289 			 */
1290 			if (!(i & 0x81) && ((plen + ctx->hdrlen) > len))
1291 				{
1292 				OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
1293 				asn1_tlc_clear(ctx);
1294 				return 0;
1295 				}
1296 			}
1297 		}
1298 
1299 	if (i & 0x80)
1300 		{
1301 		OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER);
1302 		asn1_tlc_clear(ctx);
1303 		return 0;
1304 		}
1305 	if (exptag >= 0)
1306 		{
1307 		if ((exptag != ptag) || (expclass != pclass))
1308 			{
1309 			/* If type is OPTIONAL, not an error:
1310 			 * indicate missing type.
1311 			 */
1312 			if (opt) return -1;
1313 			asn1_tlc_clear(ctx);
1314 			OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TAG);
1315 			return 0;
1316 			}
1317 		/* We have a tag and class match:
1318 		 * assume we are going to do something with it */
1319 		asn1_tlc_clear(ctx);
1320 		}
1321 
1322 	if (i & 1)
1323 		plen = len - (p - q);
1324 
1325 	if (inf)
1326 		*inf = i & 1;
1327 
1328 	if (cst)
1329 		*cst = i & V_ASN1_CONSTRUCTED;
1330 
1331 	if (olen)
1332 		*olen = plen;
1333 
1334 	if (oclass)
1335 		*oclass = pclass;
1336 
1337 	if (otag)
1338 		*otag = ptag;
1339 
1340 	*in = p;
1341 	return 1;
1342 	}
1343