/src/boringssl/crypto/base64/base64.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
2 | | * All rights reserved. |
3 | | * |
4 | | * This package is an SSL implementation written |
5 | | * by Eric Young (eay@cryptsoft.com). |
6 | | * The implementation was written so as to conform with Netscapes SSL. |
7 | | * |
8 | | * This library is free for commercial and non-commercial use as long as |
9 | | * the following conditions are aheared to. The following conditions |
10 | | * apply to all code found in this distribution, be it the RC4, RSA, |
11 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
12 | | * included with this distribution is covered by the same copyright terms |
13 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
14 | | * |
15 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
16 | | * the code are not to be removed. |
17 | | * If this package is used in a product, Eric Young should be given attribution |
18 | | * as the author of the parts of the library used. |
19 | | * This can be in the form of a textual message at program startup or |
20 | | * in documentation (online or textual) provided with the package. |
21 | | * |
22 | | * Redistribution and use in source and binary forms, with or without |
23 | | * modification, are permitted provided that the following conditions |
24 | | * are met: |
25 | | * 1. Redistributions of source code must retain the copyright |
26 | | * notice, this list of conditions and the following disclaimer. |
27 | | * 2. Redistributions in binary form must reproduce the above copyright |
28 | | * notice, this list of conditions and the following disclaimer in the |
29 | | * documentation and/or other materials provided with the distribution. |
30 | | * 3. All advertising materials mentioning features or use of this software |
31 | | * must display the following acknowledgement: |
32 | | * "This product includes cryptographic software written by |
33 | | * Eric Young (eay@cryptsoft.com)" |
34 | | * The word 'cryptographic' can be left out if the rouines from the library |
35 | | * being used are not cryptographic related :-). |
36 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
37 | | * the apps directory (application code) you must include an acknowledgement: |
38 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
39 | | * |
40 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
41 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
42 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
43 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
44 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
45 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
46 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
47 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
48 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
49 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
50 | | * SUCH DAMAGE. |
51 | | * |
52 | | * The licence and distribution terms for any publically available version or |
53 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
54 | | * copied and put under another distribution licence |
55 | | * [including the GNU Public Licence.] */ |
56 | | |
57 | | #include <openssl/base64.h> |
58 | | |
59 | | #include <assert.h> |
60 | | #include <limits.h> |
61 | | #include <string.h> |
62 | | |
63 | | #include "../internal.h" |
64 | | |
65 | | |
66 | | // constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t| |
67 | | // arguments for a slightly simpler implementation. |
68 | 4.77M | static inline uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) { |
69 | 4.77M | crypto_word_t aw = a; |
70 | 4.77M | crypto_word_t bw = b; |
71 | | // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same |
72 | | // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1. |
73 | 4.77M | return constant_time_msb_w(aw - bw); |
74 | 4.77M | } |
75 | | |
76 | | // constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max| |
77 | | // and |CONSTTIME_FALSE_8| otherwise. |
78 | | static inline uint8_t constant_time_in_range_8(uint8_t a, uint8_t min, |
79 | 4.77M | uint8_t max) { |
80 | 4.77M | a -= min; |
81 | 4.77M | return constant_time_lt_args_8(a, max - min + 1); |
82 | 4.77M | } |
83 | | |
84 | | // Encoding. |
85 | | |
86 | 0 | static uint8_t conv_bin2ascii(uint8_t a) { |
87 | | // Since PEM is sometimes used to carry private keys, we encode base64 data |
88 | | // itself in constant-time. |
89 | 0 | a &= 0x3f; |
90 | 0 | uint8_t ret = constant_time_select_8(constant_time_eq_8(a, 62), '+', '/'); |
91 | 0 | ret = |
92 | 0 | constant_time_select_8(constant_time_lt_args_8(a, 62), a - 52 + '0', ret); |
93 | 0 | ret = |
94 | 0 | constant_time_select_8(constant_time_lt_args_8(a, 52), a - 26 + 'a', ret); |
95 | 0 | ret = constant_time_select_8(constant_time_lt_args_8(a, 26), a + 'A', ret); |
96 | 0 | return ret; |
97 | 0 | } |
98 | | |
99 | | static_assert(sizeof(((EVP_ENCODE_CTX *)(NULL))->data) % 3 == 0, |
100 | | "data length must be a multiple of base64 chunk size"); |
101 | | |
102 | 0 | int EVP_EncodedLength(size_t *out_len, size_t len) { |
103 | 0 | if (len + 2 < len) { |
104 | 0 | return 0; |
105 | 0 | } |
106 | 0 | len += 2; |
107 | 0 | len /= 3; |
108 | |
|
109 | 0 | if (((len << 2) >> 2) != len) { |
110 | 0 | return 0; |
111 | 0 | } |
112 | 0 | len <<= 2; |
113 | |
|
114 | 0 | if (len + 1 < len) { |
115 | 0 | return 0; |
116 | 0 | } |
117 | 0 | len++; |
118 | |
|
119 | 0 | *out_len = len; |
120 | 0 | return 1; |
121 | 0 | } |
122 | | |
123 | 0 | EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) { |
124 | 0 | EVP_ENCODE_CTX *ret = OPENSSL_malloc(sizeof(EVP_ENCODE_CTX)); |
125 | 0 | if (ret == NULL) { |
126 | 0 | return NULL; |
127 | 0 | } |
128 | 0 | OPENSSL_memset(ret, 0, sizeof(EVP_ENCODE_CTX)); |
129 | 0 | return ret; |
130 | 0 | } |
131 | | |
132 | 0 | void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) { |
133 | 0 | OPENSSL_free(ctx); |
134 | 0 | } |
135 | | |
136 | 0 | void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) { |
137 | 0 | OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX)); |
138 | 0 | } |
139 | | |
140 | | void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len, |
141 | 0 | const uint8_t *in, size_t in_len) { |
142 | 0 | size_t total = 0; |
143 | |
|
144 | 0 | *out_len = 0; |
145 | 0 | if (in_len == 0) { |
146 | 0 | return; |
147 | 0 | } |
148 | | |
149 | 0 | assert(ctx->data_used < sizeof(ctx->data)); |
150 | | |
151 | 0 | if (sizeof(ctx->data) - ctx->data_used > in_len) { |
152 | 0 | OPENSSL_memcpy(&ctx->data[ctx->data_used], in, in_len); |
153 | 0 | ctx->data_used += (unsigned)in_len; |
154 | 0 | return; |
155 | 0 | } |
156 | | |
157 | 0 | if (ctx->data_used != 0) { |
158 | 0 | const size_t todo = sizeof(ctx->data) - ctx->data_used; |
159 | 0 | OPENSSL_memcpy(&ctx->data[ctx->data_used], in, todo); |
160 | 0 | in += todo; |
161 | 0 | in_len -= todo; |
162 | |
|
163 | 0 | size_t encoded = EVP_EncodeBlock(out, ctx->data, sizeof(ctx->data)); |
164 | 0 | ctx->data_used = 0; |
165 | |
|
166 | 0 | out += encoded; |
167 | 0 | *(out++) = '\n'; |
168 | 0 | *out = '\0'; |
169 | |
|
170 | 0 | total = encoded + 1; |
171 | 0 | } |
172 | |
|
173 | 0 | while (in_len >= sizeof(ctx->data)) { |
174 | 0 | size_t encoded = EVP_EncodeBlock(out, in, sizeof(ctx->data)); |
175 | 0 | in += sizeof(ctx->data); |
176 | 0 | in_len -= sizeof(ctx->data); |
177 | |
|
178 | 0 | out += encoded; |
179 | 0 | *(out++) = '\n'; |
180 | 0 | *out = '\0'; |
181 | |
|
182 | 0 | if (total + encoded + 1 < total) { |
183 | 0 | *out_len = 0; |
184 | 0 | return; |
185 | 0 | } |
186 | | |
187 | 0 | total += encoded + 1; |
188 | 0 | } |
189 | | |
190 | 0 | if (in_len != 0) { |
191 | 0 | OPENSSL_memcpy(ctx->data, in, in_len); |
192 | 0 | } |
193 | |
|
194 | 0 | ctx->data_used = (unsigned)in_len; |
195 | |
|
196 | 0 | if (total > INT_MAX) { |
197 | | // We cannot signal an error, but we can at least avoid making *out_len |
198 | | // negative. |
199 | 0 | total = 0; |
200 | 0 | } |
201 | 0 | *out_len = (int)total; |
202 | 0 | } |
203 | | |
204 | 0 | void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) { |
205 | 0 | if (ctx->data_used == 0) { |
206 | 0 | *out_len = 0; |
207 | 0 | return; |
208 | 0 | } |
209 | | |
210 | 0 | size_t encoded = EVP_EncodeBlock(out, ctx->data, ctx->data_used); |
211 | 0 | out[encoded++] = '\n'; |
212 | 0 | out[encoded] = '\0'; |
213 | 0 | ctx->data_used = 0; |
214 | | |
215 | | // ctx->data_used is bounded by sizeof(ctx->data), so this does not |
216 | | // overflow. |
217 | 0 | assert(encoded <= INT_MAX); |
218 | 0 | *out_len = (int)encoded; |
219 | 0 | } |
220 | | |
221 | 0 | size_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) { |
222 | 0 | uint32_t l; |
223 | 0 | size_t remaining = src_len, ret = 0; |
224 | |
|
225 | 0 | while (remaining) { |
226 | 0 | if (remaining >= 3) { |
227 | 0 | l = (((uint32_t)src[0]) << 16L) | (((uint32_t)src[1]) << 8L) | src[2]; |
228 | 0 | *(dst++) = conv_bin2ascii(l >> 18L); |
229 | 0 | *(dst++) = conv_bin2ascii(l >> 12L); |
230 | 0 | *(dst++) = conv_bin2ascii(l >> 6L); |
231 | 0 | *(dst++) = conv_bin2ascii(l); |
232 | 0 | remaining -= 3; |
233 | 0 | } else { |
234 | 0 | l = ((uint32_t)src[0]) << 16L; |
235 | 0 | if (remaining == 2) { |
236 | 0 | l |= ((uint32_t)src[1] << 8L); |
237 | 0 | } |
238 | |
|
239 | 0 | *(dst++) = conv_bin2ascii(l >> 18L); |
240 | 0 | *(dst++) = conv_bin2ascii(l >> 12L); |
241 | 0 | *(dst++) = (remaining == 1) ? '=' : conv_bin2ascii(l >> 6L); |
242 | 0 | *(dst++) = '='; |
243 | 0 | remaining = 0; |
244 | 0 | } |
245 | 0 | ret += 4; |
246 | 0 | src += 3; |
247 | 0 | } |
248 | |
|
249 | 0 | *dst = '\0'; |
250 | 0 | return ret; |
251 | 0 | } |
252 | | |
253 | | |
254 | | // Decoding. |
255 | | |
256 | 0 | int EVP_DecodedLength(size_t *out_len, size_t len) { |
257 | 0 | if (len % 4 != 0) { |
258 | 0 | return 0; |
259 | 0 | } |
260 | | |
261 | 0 | *out_len = (len / 4) * 3; |
262 | 0 | return 1; |
263 | 0 | } |
264 | | |
265 | 166 | void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) { |
266 | 166 | OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX)); |
267 | 166 | } |
268 | | |
269 | 1.59M | static uint8_t base64_ascii_to_bin(uint8_t a) { |
270 | | // Since PEM is sometimes used to carry private keys, we decode base64 data |
271 | | // itself in constant-time. |
272 | 1.59M | const uint8_t is_upper = constant_time_in_range_8(a, 'A', 'Z'); |
273 | 1.59M | const uint8_t is_lower = constant_time_in_range_8(a, 'a', 'z'); |
274 | 1.59M | const uint8_t is_digit = constant_time_in_range_8(a, '0', '9'); |
275 | 1.59M | const uint8_t is_plus = constant_time_eq_8(a, '+'); |
276 | 1.59M | const uint8_t is_slash = constant_time_eq_8(a, '/'); |
277 | 1.59M | const uint8_t is_equals = constant_time_eq_8(a, '='); |
278 | | |
279 | 1.59M | uint8_t ret = 0; |
280 | 1.59M | ret |= is_upper & (a - 'A'); // [0,26) |
281 | 1.59M | ret |= is_lower & (a - 'a' + 26); // [26,52) |
282 | 1.59M | ret |= is_digit & (a - '0' + 52); // [52,62) |
283 | 1.59M | ret |= is_plus & 62; |
284 | 1.59M | ret |= is_slash & 63; |
285 | | // Invalid inputs, 'A', and '=' have all been mapped to zero. Map invalid |
286 | | // inputs to 0xff. Note '=' is padding and handled separately by the caller. |
287 | 1.59M | const uint8_t is_valid = |
288 | 1.59M | is_upper | is_lower | is_digit | is_plus | is_slash | is_equals; |
289 | 1.59M | ret |= ~is_valid; |
290 | 1.59M | return ret; |
291 | 1.59M | } |
292 | | |
293 | | // base64_decode_quad decodes a single “quad” (i.e. four characters) of base64 |
294 | | // data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the |
295 | | // number of bytes written, which will be less than three if the quad ended |
296 | | // with padding. It returns one on success or zero on error. |
297 | | static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes, |
298 | 398k | const uint8_t *in) { |
299 | 398k | const uint8_t a = base64_ascii_to_bin(in[0]); |
300 | 398k | const uint8_t b = base64_ascii_to_bin(in[1]); |
301 | 398k | const uint8_t c = base64_ascii_to_bin(in[2]); |
302 | 398k | const uint8_t d = base64_ascii_to_bin(in[3]); |
303 | 398k | if (a == 0xff || b == 0xff || c == 0xff || d == 0xff) { |
304 | 60 | return 0; |
305 | 60 | } |
306 | | |
307 | 398k | const uint32_t v = ((uint32_t)a) << 18 | ((uint32_t)b) << 12 | |
308 | 398k | ((uint32_t)c) << 6 | (uint32_t)d; |
309 | | |
310 | 398k | const unsigned padding_pattern = (in[0] == '=') << 3 | |
311 | 398k | (in[1] == '=') << 2 | |
312 | 398k | (in[2] == '=') << 1 | |
313 | 398k | (in[3] == '='); |
314 | | |
315 | 398k | switch (padding_pattern) { |
316 | 398k | case 0: |
317 | | // The common case of no padding. |
318 | 398k | *out_num_bytes = 3; |
319 | 398k | out[0] = v >> 16; |
320 | 398k | out[1] = v >> 8; |
321 | 398k | out[2] = v; |
322 | 398k | break; |
323 | | |
324 | 4 | case 1: // xxx= |
325 | 4 | *out_num_bytes = 2; |
326 | 4 | out[0] = v >> 16; |
327 | 4 | out[1] = v >> 8; |
328 | 4 | break; |
329 | | |
330 | 10 | case 3: // xx== |
331 | 10 | *out_num_bytes = 1; |
332 | 10 | out[0] = v >> 16; |
333 | 10 | break; |
334 | | |
335 | 7 | default: |
336 | 7 | return 0; |
337 | 398k | } |
338 | | |
339 | 398k | return 1; |
340 | 398k | } |
341 | | |
342 | | int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len, |
343 | 166 | const uint8_t *in, size_t in_len) { |
344 | 166 | *out_len = 0; |
345 | | |
346 | 166 | if (ctx->error_encountered) { |
347 | 0 | return -1; |
348 | 0 | } |
349 | | |
350 | 166 | size_t bytes_out = 0, i; |
351 | 1.60M | for (i = 0; i < in_len; i++) { |
352 | 1.60M | const char c = in[i]; |
353 | 1.60M | switch (c) { |
354 | 385 | case ' ': |
355 | 630 | case '\t': |
356 | 849 | case '\r': |
357 | 7.42k | case '\n': |
358 | 7.42k | continue; |
359 | 1.60M | } |
360 | | |
361 | 1.59M | if (ctx->eof_seen) { |
362 | 1 | ctx->error_encountered = 1; |
363 | 1 | return -1; |
364 | 1 | } |
365 | | |
366 | 1.59M | ctx->data[ctx->data_used++] = c; |
367 | 1.59M | if (ctx->data_used == 4) { |
368 | 398k | size_t num_bytes_resulting; |
369 | 398k | if (!base64_decode_quad(out, &num_bytes_resulting, ctx->data)) { |
370 | 67 | ctx->error_encountered = 1; |
371 | 67 | return -1; |
372 | 67 | } |
373 | | |
374 | 398k | ctx->data_used = 0; |
375 | 398k | bytes_out += num_bytes_resulting; |
376 | 398k | out += num_bytes_resulting; |
377 | | |
378 | 398k | if (num_bytes_resulting < 3) { |
379 | 14 | ctx->eof_seen = 1; |
380 | 14 | } |
381 | 398k | } |
382 | 1.59M | } |
383 | | |
384 | 98 | if (bytes_out > INT_MAX) { |
385 | 0 | ctx->error_encountered = 1; |
386 | 0 | *out_len = 0; |
387 | 0 | return -1; |
388 | 0 | } |
389 | 98 | *out_len = (int)bytes_out; |
390 | | |
391 | 98 | if (ctx->eof_seen) { |
392 | 13 | return 0; |
393 | 13 | } |
394 | | |
395 | 85 | return 1; |
396 | 98 | } |
397 | | |
398 | 98 | int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) { |
399 | 98 | *out_len = 0; |
400 | 98 | if (ctx->error_encountered || ctx->data_used != 0) { |
401 | 43 | return -1; |
402 | 43 | } |
403 | | |
404 | 55 | return 1; |
405 | 98 | } |
406 | | |
407 | | int EVP_DecodeBase64(uint8_t *out, size_t *out_len, size_t max_out, |
408 | 0 | const uint8_t *in, size_t in_len) { |
409 | 0 | *out_len = 0; |
410 | |
|
411 | 0 | if (in_len % 4 != 0) { |
412 | 0 | return 0; |
413 | 0 | } |
414 | | |
415 | 0 | size_t max_len; |
416 | 0 | if (!EVP_DecodedLength(&max_len, in_len) || |
417 | 0 | max_out < max_len) { |
418 | 0 | return 0; |
419 | 0 | } |
420 | | |
421 | 0 | size_t i, bytes_out = 0; |
422 | 0 | for (i = 0; i < in_len; i += 4) { |
423 | 0 | size_t num_bytes_resulting; |
424 | |
|
425 | 0 | if (!base64_decode_quad(out, &num_bytes_resulting, &in[i])) { |
426 | 0 | return 0; |
427 | 0 | } |
428 | | |
429 | 0 | bytes_out += num_bytes_resulting; |
430 | 0 | out += num_bytes_resulting; |
431 | 0 | if (num_bytes_resulting != 3 && i != in_len - 4) { |
432 | 0 | return 0; |
433 | 0 | } |
434 | 0 | } |
435 | | |
436 | 0 | *out_len = bytes_out; |
437 | 0 | return 1; |
438 | 0 | } |
439 | | |
440 | 0 | int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) { |
441 | | // Trim spaces and tabs from the beginning of the input. |
442 | 0 | while (src_len > 0) { |
443 | 0 | if (src[0] != ' ' && src[0] != '\t') { |
444 | 0 | break; |
445 | 0 | } |
446 | | |
447 | 0 | src++; |
448 | 0 | src_len--; |
449 | 0 | } |
450 | | |
451 | | // Trim newlines, spaces and tabs from the end of the line. |
452 | 0 | while (src_len > 0) { |
453 | 0 | switch (src[src_len-1]) { |
454 | 0 | case ' ': |
455 | 0 | case '\t': |
456 | 0 | case '\r': |
457 | 0 | case '\n': |
458 | 0 | src_len--; |
459 | 0 | continue; |
460 | 0 | } |
461 | | |
462 | 0 | break; |
463 | 0 | } |
464 | | |
465 | 0 | size_t dst_len; |
466 | 0 | if (!EVP_DecodedLength(&dst_len, src_len) || |
467 | 0 | dst_len > INT_MAX || |
468 | 0 | !EVP_DecodeBase64(dst, &dst_len, dst_len, src, src_len)) { |
469 | 0 | return -1; |
470 | 0 | } |
471 | | |
472 | | // EVP_DecodeBlock does not take padding into account, so put the |
473 | | // NULs back in... so the caller can strip them back out. |
474 | 0 | while (dst_len % 3 != 0) { |
475 | 0 | dst[dst_len++] = '\0'; |
476 | 0 | } |
477 | 0 | assert(dst_len <= INT_MAX); |
478 | | |
479 | 0 | return (int)dst_len; |
480 | 0 | } |