1 // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/asn1.h>
16
17 #include <assert.h>
18 #include <limits.h>
19 #include <string.h>
20
21 #include <openssl/bytestring.h>
22 #include <openssl/err.h>
23 #include <openssl/mem.h>
24
25 #include "../internal.h"
26 #include "internal.h"
27
28
ASN1_INTEGER_dup(const ASN1_INTEGER * x)29 ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x) {
30 return ASN1_STRING_dup(x);
31 }
32
ASN1_INTEGER_cmp(const ASN1_INTEGER * x,const ASN1_INTEGER * y)33 int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y) {
34 // Compare signs.
35 int neg = x->type & V_ASN1_NEG;
36 if (neg != (y->type & V_ASN1_NEG)) {
37 return neg ? -1 : 1;
38 }
39
40 int ret = ASN1_STRING_cmp(x, y);
41 if (neg) {
42 // This could be |-ret|, but |ASN1_STRING_cmp| is not forbidden from
43 // returning |INT_MIN|.
44 if (ret < 0) {
45 return 1;
46 } else if (ret > 0) {
47 return -1;
48 } else {
49 return 0;
50 }
51 }
52
53 return ret;
54 }
55
56 // negate_twos_complement negates |len| bytes from |buf| in-place, interpreted
57 // as a signed, big-endian two's complement value.
negate_twos_complement(uint8_t * buf,size_t len)58 static void negate_twos_complement(uint8_t *buf, size_t len) {
59 uint8_t borrow = 0;
60 for (size_t i = len - 1; i < len; i--) {
61 uint8_t t = buf[i];
62 buf[i] = 0u - borrow - t;
63 borrow |= t != 0;
64 }
65 }
66
is_all_zeros(const uint8_t * in,size_t len)67 static int is_all_zeros(const uint8_t *in, size_t len) {
68 for (size_t i = 0; i < len; i++) {
69 if (in[i] != 0) {
70 return 0;
71 }
72 }
73 return 1;
74 }
75
asn1_marshal_integer(CBB * out,const ASN1_INTEGER * in,CBS_ASN1_TAG tag)76 int asn1_marshal_integer(CBB *out, const ASN1_INTEGER *in, CBS_ASN1_TAG tag) {
77 int len = i2c_ASN1_INTEGER(in, nullptr);
78 if (len <= 0) {
79 return 0;
80 }
81 tag = tag == 0 ? CBS_ASN1_INTEGER : tag;
82 CBB child;
83 uint8_t *ptr;
84 return CBB_add_asn1(out, &child, tag) && //
85 CBB_add_space(&child, &ptr, static_cast<size_t>(len)) && //
86 i2c_ASN1_INTEGER(in, &ptr) == len && //
87 CBB_flush(out);
88 }
89
i2c_ASN1_INTEGER(const ASN1_INTEGER * in,unsigned char ** outp)90 int i2c_ASN1_INTEGER(const ASN1_INTEGER *in, unsigned char **outp) {
91 if (in == NULL) {
92 return 0;
93 }
94
95 // |ASN1_INTEGER|s should be represented minimally, but it is possible to
96 // construct invalid ones. Skip leading zeros so this does not produce an
97 // invalid encoding or break invariants.
98 CBS cbs;
99 CBS_init(&cbs, in->data, in->length);
100 while (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0) {
101 CBS_skip(&cbs, 1);
102 }
103
104 int is_negative = (in->type & V_ASN1_NEG) != 0;
105 size_t pad;
106 CBS copy = cbs;
107 uint8_t msb;
108 if (!CBS_get_u8(©, &msb)) {
109 // Zero is represented as a single byte.
110 is_negative = 0;
111 pad = 1;
112 } else if (is_negative) {
113 // 0x80...01 through 0xff...ff have a two's complement of 0x7f...ff
114 // through 0x00...01 and need an extra byte to be negative.
115 // 0x01...00 through 0x80...00 have a two's complement of 0xfe...ff
116 // through 0x80...00 and can be negated as-is.
117 pad = msb > 0x80 ||
118 (msb == 0x80 && !is_all_zeros(CBS_data(©), CBS_len(©)));
119 } else {
120 // If the high bit is set, the signed representation needs an extra
121 // byte to be positive.
122 pad = (msb & 0x80) != 0;
123 }
124
125 if (CBS_len(&cbs) > INT_MAX - pad) {
126 OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);
127 return 0;
128 }
129 int len = (int)(pad + CBS_len(&cbs));
130 assert(len > 0);
131 if (outp == NULL) {
132 return len;
133 }
134
135 if (pad) {
136 (*outp)[0] = 0;
137 }
138 OPENSSL_memcpy(*outp + pad, CBS_data(&cbs), CBS_len(&cbs));
139 if (is_negative) {
140 negate_twos_complement(*outp, len);
141 assert((*outp)[0] >= 0x80);
142 } else {
143 assert((*outp)[0] < 0x80);
144 }
145 *outp += len;
146 return len;
147 }
148
c2i_ASN1_INTEGER(ASN1_INTEGER ** out,const unsigned char ** inp,long len)149 ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **out, const unsigned char **inp,
150 long len) {
151 // This function can handle lengths up to INT_MAX - 1, but the rest of the
152 // legacy ASN.1 code mixes integer types, so avoid exposing it to
153 // ASN1_INTEGERS with larger lengths.
154 if (len < 0 || len > INT_MAX / 2) {
155 OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
156 return NULL;
157 }
158
159 CBS cbs;
160 CBS_init(&cbs, *inp, (size_t)len);
161 int is_negative;
162 if (!CBS_is_valid_asn1_integer(&cbs, &is_negative)) {
163 OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER);
164 return NULL;
165 }
166
167 ASN1_INTEGER *ret = NULL;
168 if (out == NULL || *out == NULL) {
169 ret = ASN1_INTEGER_new();
170 if (ret == NULL) {
171 return NULL;
172 }
173 } else {
174 ret = *out;
175 }
176
177 // Convert to |ASN1_INTEGER|'s sign-and-magnitude representation. First,
178 // determine the size needed for a minimal result.
179 if (is_negative) {
180 // 0xff00...01 through 0xff7f..ff have a two's complement of 0x00ff...ff
181 // through 0x000100...001 and need one leading zero removed. 0x8000...00
182 // through 0xff00...00 have a two's complement of 0x8000...00 through
183 // 0x0100...00 and will be minimally-encoded as-is.
184 if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0xff &&
185 !is_all_zeros(CBS_data(&cbs) + 1, CBS_len(&cbs) - 1)) {
186 CBS_skip(&cbs, 1);
187 }
188 } else {
189 // Remove the leading zero byte, if any.
190 if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0x00) {
191 CBS_skip(&cbs, 1);
192 }
193 }
194
195 if (!ASN1_STRING_set(ret, CBS_data(&cbs), CBS_len(&cbs))) {
196 goto err;
197 }
198
199 if (is_negative) {
200 ret->type = V_ASN1_NEG_INTEGER;
201 negate_twos_complement(ret->data, ret->length);
202 } else {
203 ret->type = V_ASN1_INTEGER;
204 }
205
206 // The value should be minimally-encoded.
207 assert(ret->length == 0 || ret->data[0] != 0);
208 // Zero is not negative.
209 assert(!is_negative || ret->length > 0);
210
211 *inp += len;
212 if (out != NULL) {
213 *out = ret;
214 }
215 return ret;
216
217 err:
218 if (ret != NULL && (out == NULL || *out != ret)) {
219 ASN1_INTEGER_free(ret);
220 }
221 return NULL;
222 }
223
ASN1_INTEGER_set_int64(ASN1_INTEGER * a,int64_t v)224 int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t v) {
225 if (v >= 0) {
226 return ASN1_INTEGER_set_uint64(a, (uint64_t)v);
227 }
228
229 if (!ASN1_INTEGER_set_uint64(a, 0 - (uint64_t)v)) {
230 return 0;
231 }
232
233 a->type = V_ASN1_NEG_INTEGER;
234 return 1;
235 }
236
ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED * a,int64_t v)237 int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *a, int64_t v) {
238 if (v >= 0) {
239 return ASN1_ENUMERATED_set_uint64(a, (uint64_t)v);
240 }
241
242 if (!ASN1_ENUMERATED_set_uint64(a, 0 - (uint64_t)v)) {
243 return 0;
244 }
245
246 a->type = V_ASN1_NEG_ENUMERATED;
247 return 1;
248 }
249
ASN1_INTEGER_set(ASN1_INTEGER * a,long v)250 int ASN1_INTEGER_set(ASN1_INTEGER *a, long v) {
251 static_assert(sizeof(long) <= sizeof(int64_t), "long fits in int64_t");
252 return ASN1_INTEGER_set_int64(a, v);
253 }
254
ASN1_ENUMERATED_set(ASN1_ENUMERATED * a,long v)255 int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) {
256 static_assert(sizeof(long) <= sizeof(int64_t), "long fits in int64_t");
257 return ASN1_ENUMERATED_set_int64(a, v);
258 }
259
asn1_string_set_uint64(ASN1_STRING * out,uint64_t v,int type)260 static int asn1_string_set_uint64(ASN1_STRING *out, uint64_t v, int type) {
261 uint8_t buf[sizeof(uint64_t)];
262 CRYPTO_store_u64_be(buf, v);
263 size_t leading_zeros;
264 for (leading_zeros = 0; leading_zeros < sizeof(buf); leading_zeros++) {
265 if (buf[leading_zeros] != 0) {
266 break;
267 }
268 }
269
270 if (!ASN1_STRING_set(out, buf + leading_zeros, sizeof(buf) - leading_zeros)) {
271 return 0;
272 }
273 out->type = type;
274 return 1;
275 }
276
ASN1_INTEGER_set_uint64(ASN1_INTEGER * out,uint64_t v)277 int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v) {
278 return asn1_string_set_uint64(out, v, V_ASN1_INTEGER);
279 }
280
ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED * out,uint64_t v)281 int ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED *out, uint64_t v) {
282 return asn1_string_set_uint64(out, v, V_ASN1_ENUMERATED);
283 }
284
asn1_string_get_abs_uint64(uint64_t * out,const ASN1_STRING * a,int type)285 static int asn1_string_get_abs_uint64(uint64_t *out, const ASN1_STRING *a,
286 int type) {
287 if ((a->type & ~V_ASN1_NEG) != type) {
288 OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_INTEGER_TYPE);
289 return 0;
290 }
291 uint8_t buf[sizeof(uint64_t)] = {0};
292 if (a->length > (int)sizeof(buf)) {
293 OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER);
294 return 0;
295 }
296 OPENSSL_memcpy(buf + sizeof(buf) - a->length, a->data, a->length);
297 *out = CRYPTO_load_u64_be(buf);
298 return 1;
299 }
300
asn1_string_get_uint64(uint64_t * out,const ASN1_STRING * a,int type)301 static int asn1_string_get_uint64(uint64_t *out, const ASN1_STRING *a,
302 int type) {
303 if (!asn1_string_get_abs_uint64(out, a, type)) {
304 return 0;
305 }
306 if (a->type & V_ASN1_NEG) {
307 OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER);
308 return 0;
309 }
310 return 1;
311 }
312
ASN1_INTEGER_get_uint64(uint64_t * out,const ASN1_INTEGER * a)313 int ASN1_INTEGER_get_uint64(uint64_t *out, const ASN1_INTEGER *a) {
314 return asn1_string_get_uint64(out, a, V_ASN1_INTEGER);
315 }
316
ASN1_ENUMERATED_get_uint64(uint64_t * out,const ASN1_ENUMERATED * a)317 int ASN1_ENUMERATED_get_uint64(uint64_t *out, const ASN1_ENUMERATED *a) {
318 return asn1_string_get_uint64(out, a, V_ASN1_ENUMERATED);
319 }
320
asn1_string_get_int64(int64_t * out,const ASN1_STRING * a,int type)321 static int asn1_string_get_int64(int64_t *out, const ASN1_STRING *a, int type) {
322 uint64_t v;
323 if (!asn1_string_get_abs_uint64(&v, a, type)) {
324 return 0;
325 }
326 int64_t i64;
327 int fits_in_i64;
328 // Check |v != 0| to handle manually-constructed negative zeros.
329 if ((a->type & V_ASN1_NEG) && v != 0) {
330 i64 = (int64_t)(0u - v);
331 fits_in_i64 = i64 < 0;
332 } else {
333 i64 = (int64_t)v;
334 fits_in_i64 = i64 >= 0;
335 }
336 if (!fits_in_i64) {
337 OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER);
338 return 0;
339 }
340 *out = i64;
341 return 1;
342 }
343
ASN1_INTEGER_get_int64(int64_t * out,const ASN1_INTEGER * a)344 int ASN1_INTEGER_get_int64(int64_t *out, const ASN1_INTEGER *a) {
345 return asn1_string_get_int64(out, a, V_ASN1_INTEGER);
346 }
347
ASN1_ENUMERATED_get_int64(int64_t * out,const ASN1_ENUMERATED * a)348 int ASN1_ENUMERATED_get_int64(int64_t *out, const ASN1_ENUMERATED *a) {
349 return asn1_string_get_int64(out, a, V_ASN1_ENUMERATED);
350 }
351
asn1_string_get_long(const ASN1_STRING * a,int type)352 static long asn1_string_get_long(const ASN1_STRING *a, int type) {
353 if (a == NULL) {
354 return 0;
355 }
356
357 int64_t v;
358 if (!asn1_string_get_int64(&v, a, type) || //
359 v < LONG_MIN || v > LONG_MAX) {
360 // This function's return value does not distinguish overflow from -1.
361 ERR_clear_error();
362 return -1;
363 }
364
365 return (long)v;
366 }
367
ASN1_INTEGER_get(const ASN1_INTEGER * a)368 long ASN1_INTEGER_get(const ASN1_INTEGER *a) {
369 return asn1_string_get_long(a, V_ASN1_INTEGER);
370 }
371
ASN1_ENUMERATED_get(const ASN1_ENUMERATED * a)372 long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a) {
373 return asn1_string_get_long(a, V_ASN1_ENUMERATED);
374 }
375
bn_to_asn1_string(const BIGNUM * bn,ASN1_STRING * ai,int type)376 static ASN1_STRING *bn_to_asn1_string(const BIGNUM *bn, ASN1_STRING *ai,
377 int type) {
378 ASN1_INTEGER *ret;
379 if (ai == NULL) {
380 ret = ASN1_STRING_type_new(type);
381 } else {
382 ret = ai;
383 }
384 int len;
385 if (ret == NULL) {
386 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
387 goto err;
388 }
389
390 if (BN_is_negative(bn) && !BN_is_zero(bn)) {
391 ret->type = type | V_ASN1_NEG;
392 } else {
393 ret->type = type;
394 }
395
396 len = BN_num_bytes(bn);
397 if (!ASN1_STRING_set(ret, NULL, len) ||
398 !BN_bn2bin_padded(ret->data, len, bn)) {
399 goto err;
400 }
401 return ret;
402
403 err:
404 if (ret != ai) {
405 ASN1_STRING_free(ret);
406 }
407 return NULL;
408 }
409
BN_to_ASN1_INTEGER(const BIGNUM * bn,ASN1_INTEGER * ai)410 ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) {
411 return bn_to_asn1_string(bn, ai, V_ASN1_INTEGER);
412 }
413
BN_to_ASN1_ENUMERATED(const BIGNUM * bn,ASN1_ENUMERATED * ai)414 ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai) {
415 return bn_to_asn1_string(bn, ai, V_ASN1_ENUMERATED);
416 }
417
asn1_string_to_bn(const ASN1_STRING * ai,BIGNUM * bn,int type)418 static BIGNUM *asn1_string_to_bn(const ASN1_STRING *ai, BIGNUM *bn, int type) {
419 if ((ai->type & ~V_ASN1_NEG) != type) {
420 OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_INTEGER_TYPE);
421 return NULL;
422 }
423
424 BIGNUM *ret;
425 if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL) {
426 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BN_LIB);
427 } else if (ai->type & V_ASN1_NEG) {
428 BN_set_negative(ret, 1);
429 }
430 return ret;
431 }
432
ASN1_INTEGER_to_BN(const ASN1_INTEGER * ai,BIGNUM * bn)433 BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn) {
434 return asn1_string_to_bn(ai, bn, V_ASN1_INTEGER);
435 }
436
ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED * ai,BIGNUM * bn)437 BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn) {
438 return asn1_string_to_bn(ai, bn, V_ASN1_ENUMERATED);
439 }
440