Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/asn1/ber_dec.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* BER Decoder
3
* (C) 1999-2008,2015,2017,2018 Jack Lloyd
4
*
5
* Botan is released under the Simplified BSD License (see license.txt)
6
*/
7
8
#include <botan/ber_dec.h>
9
#include <botan/bigint.h>
10
#include <botan/loadstor.h>
11
#include <botan/internal/safeint.h>
12
13
namespace Botan {
14
15
namespace {
16
17
/*
18
* This value is somewhat arbitrary. OpenSSL allows up to 128 nested
19
* indefinite length sequences. If you increase this, also increase the
20
* limit in the test in test_asn1.cpp
21
*/
22
const size_t ALLOWED_EOC_NESTINGS = 16;
23
24
/*
25
* BER decode an ASN.1 type tag
26
*/
27
size_t decode_tag(DataSource* ber, ASN1_Tag& type_tag, ASN1_Tag& class_tag)
28
2.13M
   {
29
2.13M
   uint8_t b;
30
2.13M
   if(!ber->read_byte(b))
31
167k
      {
32
167k
      class_tag = type_tag = NO_OBJECT;
33
167k
      return 0;
34
167k
      }
35
1.97M
36
1.97M
   if((b & 0x1F) != 0x1F)
37
1.94M
      {
38
1.94M
      type_tag = ASN1_Tag(b & 0x1F);
39
1.94M
      class_tag = ASN1_Tag(b & 0xE0);
40
1.94M
      return 1;
41
1.94M
      }
42
29.1k
43
29.1k
   size_t tag_bytes = 1;
44
29.1k
   class_tag = ASN1_Tag(b & 0xE0);
45
29.1k
46
29.1k
   size_t tag_buf = 0;
47
46.7k
   while(true)
48
46.7k
      {
49
46.7k
      if(!ber->read_byte(b))
50
658
         throw BER_Decoding_Error("Long-form tag truncated");
51
46.1k
      if(tag_buf & 0xFF000000)
52
323
         throw BER_Decoding_Error("Long-form tag overflowed 32 bits");
53
45.8k
      ++tag_bytes;
54
45.8k
      tag_buf = (tag_buf << 7) | (b & 0x7F);
55
45.8k
      if((b & 0x80) == 0) break;
56
45.8k
      }
57
29.1k
   type_tag = ASN1_Tag(tag_buf);
58
28.2k
   return tag_bytes;
59
29.1k
   }
60
61
/*
62
* Find the EOC marker
63
*/
64
size_t find_eoc(DataSource* src, size_t allow_indef);
65
66
/*
67
* BER decode an ASN.1 length field
68
*/
69
size_t decode_length(DataSource* ber, size_t& field_size, size_t allow_indef)
70
1.96M
   {
71
1.96M
   uint8_t b;
72
1.96M
   if(!ber->read_byte(b))
73
1.86k
      throw BER_Decoding_Error("Length field not found");
74
1.96M
   field_size = 1;
75
1.96M
   if((b & 0x80) == 0)
76
1.66M
      return b;
77
301k
78
301k
   field_size += (b & 0x7F);
79
301k
   if(field_size > 5)
80
2.44k
      throw BER_Decoding_Error("Length field is too large");
81
299k
82
299k
   if(field_size == 1)
83
188k
      {
84
188k
      if(allow_indef == 0)
85
233
         {
86
233
         throw BER_Decoding_Error("Nested EOC markers too deep, rejecting to avoid stack exhaustion");
87
233
         }
88
188k
      else
89
188k
         {
90
188k
         return find_eoc(ber, allow_indef - 1);
91
188k
         }
92
110k
      }
93
110k
94
110k
   size_t length = 0;
95
110k
96
308k
   for(size_t i = 0; i != field_size - 1; ++i)
97
197k
      {
98
197k
      if(get_byte(0, length) != 0)
99
0
         throw BER_Decoding_Error("Field length overflow");
100
197k
      if(!ber->read_byte(b))
101
364
         throw BER_Decoding_Error("Corrupted length field");
102
197k
      length = (length << 8) | b;
103
197k
      }
104
110k
   return length;
105
110k
   }
106
107
/*
108
* Find the EOC marker
109
*/
110
size_t find_eoc(DataSource* ber, size_t allow_indef)
111
188k
   {
112
188k
   secure_vector<uint8_t> buffer(BOTAN_DEFAULT_BUFFER_SIZE), data;
113
188k
114
415k
   while(true)
115
415k
      {
116
415k
      const size_t got = ber->peek(buffer.data(), buffer.size(), data.size());
117
415k
      if(got == 0)
118
188k
         break;
119
227k
120
227k
      data += std::make_pair(buffer.data(), got);
121
227k
      }
122
188k
123
188k
   DataSource_Memory source(data);
124
188k
   data.clear();
125
188k
126
188k
   size_t length = 0;
127
869k
   while(true)
128
863k
      {
129
863k
      ASN1_Tag type_tag, class_tag;
130
863k
      size_t tag_size = decode_tag(&source, type_tag, class_tag);
131
863k
      if(type_tag == NO_OBJECT)
132
126k
         break;
133
736k
134
736k
      size_t length_size = 0;
135
736k
      size_t item_size = decode_length(&source, length_size, allow_indef);
136
736k
      source.discard_next(item_size);
137
736k
138
736k
      length = BOTAN_CHECKED_ADD(length, item_size);
139
736k
      length = BOTAN_CHECKED_ADD(length, tag_size);
140
736k
      length = BOTAN_CHECKED_ADD(length, length_size);
141
736k
142
736k
      if(type_tag == EOC && class_tag == UNIVERSAL)
143
56.4k
         break;
144
736k
      }
145
188k
   return length;
146
188k
   }
147
148
class DataSource_BERObject final : public DataSource
149
   {
150
   public:
151
      size_t read(uint8_t out[], size_t length) override
152
13.1M
         {
153
13.1M
         BOTAN_ASSERT_NOMSG(m_offset <= m_obj.length());
154
13.1M
         const size_t got = std::min<size_t>(m_obj.length() - m_offset, length);
155
13.1M
         copy_mem(out, m_obj.bits() + m_offset, got);
156
13.1M
         m_offset += got;
157
13.1M
         return got;
158
13.1M
         }
159
160
      size_t peek(uint8_t out[], size_t length, size_t peek_offset) const override
161
41.1k
         {
162
41.1k
         BOTAN_ASSERT_NOMSG(m_offset <= m_obj.length());
163
41.1k
         const size_t bytes_left = m_obj.length() - m_offset;
164
41.1k
165
41.1k
         if(peek_offset >= bytes_left)
166
19.9k
            return 0;
167
21.2k
168
21.2k
         const size_t got = std::min(bytes_left - peek_offset, length);
169
21.2k
         copy_mem(out, m_obj.bits() + peek_offset, got);
170
21.2k
         return got;
171
21.2k
         }
172
173
      bool check_available(size_t n) override
174
774k
         {
175
774k
         BOTAN_ASSERT_NOMSG(m_offset <= m_obj.length());
176
774k
         return (n <= (m_obj.length() - m_offset));
177
774k
         }
178
179
      bool end_of_data() const override
180
759k
         {
181
759k
         return get_bytes_read() == m_obj.length();
182
759k
         }
183
184
759k
      size_t get_bytes_read() const override { return m_offset; }
185
186
471k
      explicit DataSource_BERObject(BER_Object&& obj) : m_obj(std::move(obj)), m_offset(0) {}
187
188
   private:
189
      BER_Object m_obj;
190
      size_t m_offset;
191
   };
192
193
}
194
195
/*
196
* Check if more objects are there
197
*/
198
bool BER_Decoder::more_items() const
199
464k
   {
200
464k
   if(m_source->end_of_data() && !m_pushed.is_set())
201
155k
      return false;
202
309k
   return true;
203
309k
   }
204
205
/*
206
* Verify that no bytes remain in the source
207
*/
208
BER_Decoder& BER_Decoder::verify_end()
209
22.4k
   {
210
22.4k
   return verify_end("BER_Decoder::verify_end called, but data remains");
211
22.4k
   }
212
213
/*
214
* Verify that no bytes remain in the source
215
*/
216
BER_Decoder& BER_Decoder::verify_end(const std::string& err)
217
136k
   {
218
136k
   if(!m_source->end_of_data() || m_pushed.is_set())
219
277
      throw Decoding_Error(err);
220
136k
   return (*this);
221
136k
   }
222
223
/*
224
* Discard all the bytes remaining in the source
225
*/
226
BER_Decoder& BER_Decoder::discard_remaining()
227
14.2k
   {
228
14.2k
   uint8_t buf;
229
2.27M
   while(m_source->read_byte(buf))
230
2.26M
      {}
231
14.2k
   return (*this);
232
14.2k
   }
233
234
/*
235
* Return the BER encoding of the next object
236
*/
237
BER_Object BER_Decoder::get_next_object()
238
1.25M
   {
239
1.25M
   BER_Object next;
240
1.25M
241
1.25M
   if(m_pushed.is_set())
242
61.4k
      {
243
61.4k
      std::swap(next, m_pushed);
244
61.4k
      return next;
245
61.4k
      }
246
1.19M
247
1.19M
   for(;;)
248
1.27M
      {
249
1.27M
      ASN1_Tag type_tag, class_tag;
250
1.27M
      decode_tag(m_source, type_tag, class_tag);
251
1.27M
      next.set_tagging(type_tag, class_tag);
252
1.27M
      if(next.is_set() == false) // no more objects
253
41.0k
         return next;
254
1.23M
255
1.23M
      size_t field_size;
256
1.23M
      const size_t length = decode_length(m_source, field_size, ALLOWED_EOC_NESTINGS);
257
1.23M
      if(!m_source->check_available(length))
258
4.61k
         throw BER_Decoding_Error("Value truncated");
259
1.22M
260
1.22M
      uint8_t* out = next.mutable_bits(length);
261
1.22M
      if(m_source->read(out, length) != length)
262
0
         throw BER_Decoding_Error("Value truncated");
263
1.22M
264
1.22M
      if(next.tagging() == EOC)
265
79.3k
         continue;
266
1.14M
      else
267
1.14M
         break;
268
1.22M
      }
269
1.19M
270
1.19M
   return next;
271
1.19M
   }
272
273
/*
274
* Push a object back into the stream
275
*/
276
void BER_Decoder::push_back(const BER_Object& obj)
277
5.20k
   {
278
5.20k
   if(m_pushed.is_set())
279
0
      throw Invalid_State("BER_Decoder: Only one push back is allowed");
280
5.20k
   m_pushed = obj;
281
5.20k
   }
282
283
void BER_Decoder::push_back(BER_Object&& obj)
284
77.8k
   {
285
77.8k
   if(m_pushed.is_set())
286
0
      throw Invalid_State("BER_Decoder: Only one push back is allowed");
287
77.8k
   m_pushed = std::move(obj);
288
77.8k
   }
289
290
BER_Decoder BER_Decoder::start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag)
291
473k
   {
292
473k
   BER_Object obj = get_next_object();
293
473k
   obj.assert_is_a(type_tag, ASN1_Tag(class_tag | CONSTRUCTED));
294
473k
   return BER_Decoder(std::move(obj), this);
295
473k
   }
296
297
/*
298
* Finish decoding a CONSTRUCTED type
299
*/
300
BER_Decoder& BER_Decoder::end_cons()
301
318k
   {
302
318k
   if(!m_parent)
303
0
      throw Invalid_State("BER_Decoder::end_cons called with null parent");
304
318k
   if(!m_source->end_of_data())
305
591
      throw Decoding_Error("BER_Decoder::end_cons called with data left");
306
317k
   return (*m_parent);
307
317k
   }
308
309
BER_Decoder::BER_Decoder(BER_Object&& obj, BER_Decoder* parent)
310
471k
   {
311
471k
   m_data_src.reset(new DataSource_BERObject(std::move(obj)));
312
471k
   m_source = m_data_src.get();
313
471k
   m_parent = parent;
314
471k
   }
315
316
/*
317
* BER_Decoder Constructor
318
*/
319
BER_Decoder::BER_Decoder(DataSource& src)
320
26.0k
   {
321
26.0k
   m_source = &src;
322
26.0k
   }
323
324
/*
325
* BER_Decoder Constructor
326
 */
327
BER_Decoder::BER_Decoder(const uint8_t data[], size_t length)
328
41.7k
   {
329
41.7k
   m_data_src.reset(new DataSource_Memory(data, length));
330
41.7k
   m_source = m_data_src.get();
331
41.7k
   }
332
333
/*
334
* BER_Decoder Constructor
335
*/
336
BER_Decoder::BER_Decoder(const secure_vector<uint8_t>& data)
337
4.06k
   {
338
4.06k
   m_data_src.reset(new DataSource_Memory(data));
339
4.06k
   m_source = m_data_src.get();
340
4.06k
   }
341
342
/*
343
* BER_Decoder Constructor
344
*/
345
BER_Decoder::BER_Decoder(const std::vector<uint8_t>& data)
346
173k
   {
347
173k
   m_data_src.reset(new DataSource_Memory(data.data(), data.size()));
348
173k
   m_source = m_data_src.get();
349
173k
   }
350
351
/*
352
* BER_Decoder Copy Constructor
353
*/
354
BER_Decoder::BER_Decoder(const BER_Decoder& other)
355
0
   {
356
0
   m_source = other.m_source;
357
0
358
0
   // take ownership
359
0
   std::swap(m_data_src, other.m_data_src);
360
0
   m_parent = other.m_parent;
361
0
   }
362
363
/*
364
* Request for an object to decode itself
365
*/
366
BER_Decoder& BER_Decoder::decode(ASN1_Object& obj,
367
                                 ASN1_Tag, ASN1_Tag)
368
506k
   {
369
506k
   obj.decode_from(*this);
370
506k
   return (*this);
371
506k
   }
372
373
/*
374
* Decode a BER encoded NULL
375
*/
376
BER_Decoder& BER_Decoder::decode_null()
377
0
   {
378
0
   BER_Object obj = get_next_object();
379
0
   obj.assert_is_a(NULL_TAG, UNIVERSAL);
380
0
   if(obj.length() > 0)
381
0
      throw BER_Decoding_Error("NULL object had nonzero size");
382
0
   return (*this);
383
0
   }
384
385
BER_Decoder& BER_Decoder::decode_octet_string_bigint(BigInt& out)
386
1.64k
   {
387
1.64k
   secure_vector<uint8_t> out_vec;
388
1.64k
   decode(out_vec, OCTET_STRING);
389
1.64k
   out = BigInt::decode(out_vec.data(), out_vec.size());
390
1.64k
   return (*this);
391
1.64k
   }
392
393
/*
394
* Decode a BER encoded BOOLEAN
395
*/
396
BER_Decoder& BER_Decoder::decode(bool& out,
397
                                 ASN1_Tag type_tag, ASN1_Tag class_tag)
398
4.54k
   {
399
4.54k
   BER_Object obj = get_next_object();
400
4.54k
   obj.assert_is_a(type_tag, class_tag);
401
4.54k
402
4.54k
   if(obj.length() != 1)
403
302
      throw BER_Decoding_Error("BER boolean value had invalid size");
404
4.23k
405
4.23k
   out = (obj.bits()[0]) ? true : false;
406
4.23k
   return (*this);
407
4.23k
   }
408
409
/*
410
* Decode a small BER encoded INTEGER
411
*/
412
BER_Decoder& BER_Decoder::decode(size_t& out,
413
                                 ASN1_Tag type_tag,
414
                                 ASN1_Tag class_tag)
415
16.8k
   {
416
16.8k
   BigInt integer;
417
16.8k
   decode(integer, type_tag, class_tag);
418
16.8k
419
16.8k
   if(integer.is_negative())
420
299
      throw BER_Decoding_Error("Decoded small integer value was negative");
421
16.5k
422
16.5k
   if(integer.bits() > 32)
423
190
      throw BER_Decoding_Error("Decoded integer value larger than expected");
424
16.3k
425
16.3k
   out = 0;
426
74.4k
   for(size_t i = 0; i != 4; ++i)
427
58.0k
      out = (out << 8) | integer.byte_at(3-i);
428
16.3k
429
16.3k
   return (*this);
430
16.3k
   }
431
432
/*
433
* Decode a small BER encoded INTEGER
434
*/
435
uint64_t BER_Decoder::decode_constrained_integer(ASN1_Tag type_tag,
436
                                                 ASN1_Tag class_tag,
437
                                                 size_t T_bytes)
438
0
   {
439
0
   if(T_bytes > 8)
440
0
      throw BER_Decoding_Error("Can't decode small integer over 8 bytes");
441
0
442
0
   BigInt integer;
443
0
   decode(integer, type_tag, class_tag);
444
0
445
0
   if(integer.bits() > 8*T_bytes)
446
0
      throw BER_Decoding_Error("Decoded integer value larger than expected");
447
0
448
0
   uint64_t out = 0;
449
0
   for(size_t i = 0; i != 8; ++i)
450
0
      out = (out << 8) | integer.byte_at(7-i);
451
0
452
0
   return out;
453
0
   }
454
455
/*
456
* Decode a BER encoded INTEGER
457
*/
458
BER_Decoder& BER_Decoder::decode(BigInt& out,
459
                                 ASN1_Tag type_tag,
460
                                 ASN1_Tag class_tag)
461
60.3k
   {
462
60.3k
   BER_Object obj = get_next_object();
463
60.3k
   obj.assert_is_a(type_tag, class_tag);
464
60.3k
465
60.3k
   if(obj.length() == 0)
466
7.02k
      {
467
7.02k
      out = 0;
468
7.02k
      }
469
53.3k
   else
470
53.3k
      {
471
53.3k
      const bool negative = (obj.bits()[0] & 0x80) ? true : false;
472
53.3k
473
53.3k
      if(negative)
474
3.65k
         {
475
3.65k
         secure_vector<uint8_t> vec(obj.bits(), obj.bits() + obj.length());
476
7.41k
         for(size_t i = obj.length(); i > 0; --i)
477
7.41k
            if(vec[i-1]--)
478
3.65k
               break;
479
219k
         for(size_t i = 0; i != obj.length(); ++i)
480
215k
            vec[i] = ~vec[i];
481
3.65k
         out = BigInt(vec.data(), vec.size());
482
3.65k
         out.flip_sign();
483
3.65k
         }
484
49.6k
      else
485
49.6k
         {
486
49.6k
         out = BigInt(obj.bits(), obj.length());
487
49.6k
         }
488
53.3k
      }
489
60.3k
490
60.3k
   return (*this);
491
60.3k
   }
492
493
namespace {
494
495
template<typename Alloc>
496
void asn1_decode_binary_string(std::vector<uint8_t, Alloc>& buffer,
497
                               const BER_Object& obj,
498
                               ASN1_Tag real_type,
499
                               ASN1_Tag type_tag,
500
                               ASN1_Tag class_tag)
501
96.4k
   {
502
96.4k
   obj.assert_is_a(type_tag, class_tag);
503
96.4k
504
96.4k
   if(real_type == OCTET_STRING)
505
53.7k
      {
506
53.7k
      buffer.assign(obj.bits(), obj.bits() + obj.length());
507
53.7k
      }
508
42.6k
   else
509
42.6k
      {
510
42.6k
      if(obj.length() == 0)
511
303
         throw BER_Decoding_Error("Invalid BIT STRING");
512
42.3k
      if(obj.bits()[0] >= 8)
513
254
         throw BER_Decoding_Error("Bad number of unused bits in BIT STRING");
514
42.0k
515
42.0k
      buffer.resize(obj.length() - 1);
516
42.0k
517
42.0k
      if(obj.length() > 1)
518
35.4k
         copy_mem(buffer.data(), obj.bits() + 1, obj.length() - 1);
519
42.0k
      }
520
96.4k
   }
ber_dec.cpp:void Botan::(anonymous namespace)::asn1_decode_binary_string<Botan::secure_allocator<unsigned char> >(std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >&, Botan::BER_Object const&, Botan::ASN1_Tag, Botan::ASN1_Tag, Botan::ASN1_Tag)
Line
Count
Source
501
4.30k
   {
502
4.30k
   obj.assert_is_a(type_tag, class_tag);
503
4.30k
504
4.30k
   if(real_type == OCTET_STRING)
505
3.48k
      {
506
3.48k
      buffer.assign(obj.bits(), obj.bits() + obj.length());
507
3.48k
      }
508
822
   else
509
822
      {
510
822
      if(obj.length() == 0)
511
1
         throw BER_Decoding_Error("Invalid BIT STRING");
512
821
      if(obj.bits()[0] >= 8)
513
6
         throw BER_Decoding_Error("Bad number of unused bits in BIT STRING");
514
815
515
815
      buffer.resize(obj.length() - 1);
516
815
517
815
      if(obj.length() > 1)
518
666
         copy_mem(buffer.data(), obj.bits() + 1, obj.length() - 1);
519
815
      }
520
4.30k
   }
ber_dec.cpp:void Botan::(anonymous namespace)::asn1_decode_binary_string<std::__1::allocator<unsigned char> >(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >&, Botan::BER_Object const&, Botan::ASN1_Tag, Botan::ASN1_Tag, Botan::ASN1_Tag)
Line
Count
Source
501
92.1k
   {
502
92.1k
   obj.assert_is_a(type_tag, class_tag);
503
92.1k
504
92.1k
   if(real_type == OCTET_STRING)
505
50.2k
      {
506
50.2k
      buffer.assign(obj.bits(), obj.bits() + obj.length());
507
50.2k
      }
508
41.8k
   else
509
41.8k
      {
510
41.8k
      if(obj.length() == 0)
511
302
         throw BER_Decoding_Error("Invalid BIT STRING");
512
41.5k
      if(obj.bits()[0] >= 8)
513
248
         throw BER_Decoding_Error("Bad number of unused bits in BIT STRING");
514
41.2k
515
41.2k
      buffer.resize(obj.length() - 1);
516
41.2k
517
41.2k
      if(obj.length() > 1)
518
34.8k
         copy_mem(buffer.data(), obj.bits() + 1, obj.length() - 1);
519
41.2k
      }
520
92.1k
   }
521
522
}
523
524
/*
525
* BER decode a BIT STRING or OCTET STRING
526
*/
527
BER_Decoder& BER_Decoder::decode(secure_vector<uint8_t>& buffer,
528
                                 ASN1_Tag real_type,
529
                                 ASN1_Tag type_tag, ASN1_Tag class_tag)
530
4.30k
   {
531
4.30k
   if(real_type != OCTET_STRING && real_type != BIT_STRING)
532
0
      throw BER_Bad_Tag("Bad tag for {BIT,OCTET} STRING", real_type);
533
4.30k
534
4.30k
   asn1_decode_binary_string(buffer, get_next_object(), real_type, type_tag, class_tag);
535
4.30k
   return (*this);
536
4.30k
   }
537
538
BER_Decoder& BER_Decoder::decode(std::vector<uint8_t>& buffer,
539
                                 ASN1_Tag real_type,
540
                                 ASN1_Tag type_tag, ASN1_Tag class_tag)
541
93.6k
   {
542
93.6k
   if(real_type != OCTET_STRING && real_type != BIT_STRING)
543
1.22k
      throw BER_Bad_Tag("Bad tag for {BIT,OCTET} STRING", real_type);
544
92.4k
545
92.4k
   asn1_decode_binary_string(buffer, get_next_object(), real_type, type_tag, class_tag);
546
92.4k
   return (*this);
547
92.4k
   }
548
549
}