/src/gnupg/common/tlv.c

Source (jump to first uncovered line)
/* tlv.c - Tag-Length-Value Utilities
 *  Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of either
 *
 *   - the GNU Lesser General Public License as published by the Free
 *     Software Foundation; either version 3 of the License, or (at
 *     your option) any later version.
 *
 * or
 *
 *   - the GNU General Public License as published by the Free
 *     Software Foundation; either version 2 of the License, or (at
 *     your option) any later version.
 *
 * or both in parallel, as here.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <https://www.gnu.org/licenses/>.
 */

#include <config.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gpg-error.h>


#include "util.h"
#include "tlv.h"


static const unsigned char *
do_find_tlv (const unsigned char *buffer, size_t length,
             int tag, size_t *nbytes, int nestlevel)
{
  const unsigned char *s = buffer;
  size_t n = length;
  size_t len;
  int this_tag;
  int composite;

  for (;;)
    {
      if (n < 2)
        return NULL; /* Buffer definitely too short for tag and length. */
      if (!*s || *s == 0xff)
        { /* Skip optional filler between TLV objects. */
          s++;
          n--;
          continue;
        }
      composite = !!(*s & 0x20);
      if ((*s & 0x1f) == 0x1f)
        { /* more tag bytes to follow */
          s++;
          n--;
          if (n < 2)
            return NULL; /* buffer definitely too short for tag and length. */
          if ((*s & 0x1f) == 0x1f)
            return NULL; /* We support only up to 2 bytes. */
          this_tag = (s[-1] << 8) | (s[0] & 0x7f);
        }
      else
        this_tag = s[0];
      len = s[1];
      s += 2; n -= 2;
      if (len < 0x80)
        ;
      else if (len == 0x81)
        { /* One byte length follows. */
          if (!n)
            return NULL; /* we expected 1 more bytes with the length. */
          len = s[0];
          s++; n--;
        }
      else if (len == 0x82)
        { /* Two byte length follows. */
          if (n < 2)
            return NULL; /* We expected 2 more bytes with the length. */
          len = ((size_t)s[0] << 8) | s[1];
          s += 2; n -= 2;
        }
      else
        return NULL; /* APDU limit is 65535, thus it does not make
                        sense to assume longer length fields. */

      if (composite && nestlevel < 100)
        { /* Dive into this composite DO after checking for a too deep
             nesting. */
          const unsigned char *tmp_s;
          size_t tmp_len;

          tmp_s = do_find_tlv (s, len, tag, &tmp_len, nestlevel+1);
          if (tmp_s)
            {
              *nbytes = tmp_len;
              return tmp_s;
            }
        }

      if (this_tag == tag)
        {
          *nbytes = len;
          return s;
        }
      if (len > n)
        return NULL; /* Buffer too short to skip to the next tag. */
      s += len; n -= len;
    }
}


/* Locate a TLV encoded data object in BUFFER of LENGTH and
   return a pointer to value as well as its length in NBYTES.  Return
   NULL if it was not found or if the object does not fit into the buffer. */
const unsigned char *
find_tlv (const unsigned char *buffer, size_t length,
          int tag, size_t *nbytes)
{
  const unsigned char *p;

  p = do_find_tlv (buffer, length, tag, nbytes, 0);
  if (p && *nbytes > (length - (p-buffer)))
    p = NULL; /* Object longer than buffer. */
  return p;
}



/* Locate a TLV encoded data object in BUFFER of LENGTH and
   return a pointer to value as well as its length in NBYTES.  Return
   NULL if it was not found.  Note, that the function does not check
   whether the value fits into the provided buffer. */
const unsigned char *
find_tlv_unchecked (const unsigned char *buffer, size_t length,
                    int tag, size_t *nbytes)
{
  return do_find_tlv (buffer, length, tag, nbytes, 0);
}


/* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag
   and the length part from the TLV triplet.  Update BUFFER and SIZE
   on success. */
gpg_error_t
parse_ber_header (unsigned char const **buffer, size_t *size,
                  int *r_class, int *r_tag,
                  int *r_constructed, int *r_ndef,
                  size_t *r_length, size_t *r_nhdr)
{
  int c;
  unsigned long tag;
  const unsigned char *buf = *buffer;
  size_t length = *size;

  *r_ndef = 0;
  *r_length = 0;
  *r_nhdr = 0;

  /* Get the tag. */
  if (!length)
    return gpg_err_make (default_errsource, GPG_ERR_EOF);
  c = *buf++; length--; ++*r_nhdr;

  *r_class = (c & 0xc0) >> 6;
  *r_constructed = !!(c & 0x20);
  tag = c & 0x1f;

  if (tag == 0x1f)
    {
      tag = 0;
      do
        {
          tag <<= 7;
          if (!length)
            return gpg_err_make (default_errsource, GPG_ERR_EOF);
          c = *buf++; length--; ++*r_nhdr;
          tag |= c & 0x7f;

        }
      while (c & 0x80);
    }
  *r_tag = tag;

  /* Get the length. */
  if (!length)
    return gpg_err_make (default_errsource, GPG_ERR_EOF);
  c = *buf++; length--; ++*r_nhdr;

  if ( !(c & 0x80) )
    *r_length = c;
  else if (c == 0x80)
    *r_ndef = 1;
  else if (c == 0xff)
    return gpg_err_make (default_errsource, GPG_ERR_BAD_BER);
  else
    {
      unsigned long len = 0;
      int count = (c & 0x7f);

      if (count > (sizeof(len)<sizeof(size_t)?sizeof(len):sizeof(size_t)))
        return gpg_err_make (default_errsource, GPG_ERR_BAD_BER);

      for (; count; count--)
        {
          len <<= 8;
          if (!length)
            return gpg_err_make (default_errsource, GPG_ERR_EOF);
          c = *buf++; length--; ++*r_nhdr;
          len |= c & 0xff;
        }
      *r_length = len;
    }

  if (*r_length > *r_nhdr && (*r_nhdr + *r_length) < *r_length)
    {
      return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW);
    }

  /* Without this kludge some example certs can't be parsed. */
  if (*r_class == CLASS_UNIVERSAL && !*r_tag)
    *r_length = 0;

  *buffer = buf;
  *size = length;
  return 0;
}


/* FIXME: The following function should not go into this file but for
   now it is easier to keep it here. */

/* Return the next token of an canonical encoded S-expression.  BUF
   is the pointer to the S-expression and BUFLEN is a pointer to the
   length of this S-expression (used to validate the syntax).  Both
   are updated to reflect the new position.  The token itself is
   returned as a pointer into the original buffer at TOK and TOKLEN.
   If a parentheses is the next token, TOK will be set to NULL.
   TOKLEN is checked to be within the bounds.  On error an error code
   is returned and pointers are not guaranteed to point to
   meaningful values.  DEPTH should be initialized to 0 and will
   reflect on return the actual depth of the tree. To detect the end
   of the S-expression it is advisable to check DEPTH after a
   successful return.

   depth = 0;
   while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
          && depth)
     process_token (tok, toklen);
   if (err)
     handle_error ();
 */
gpg_error_t
parse_sexp (unsigned char const **buf, size_t *buflen,
            int *depth, unsigned char const **tok, size_t *toklen)
{
  const unsigned char *s;
  size_t n, vlen;

  s = *buf;
  n = *buflen;
  *tok = NULL;
  *toklen = 0;
  if (!n)
    return *depth ? gpg_err_make (default_errsource, GPG_ERR_INV_SEXP) : 0;
  if (*s == '(')
    {
      s++; n--;
      (*depth)++;
      *buf = s;
      *buflen = n;
      return 0;
    }
  if (*s == ')')
    {
      if (!*depth)
        return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
      *toklen = 1;
      s++; n--;
      (*depth)--;
      *buf = s;
      *buflen = n;
      return 0;
    }
  for (vlen=0; n && *s && *s != ':' && (*s >= '0' && *s <= '9'); s++, n--)
    vlen = vlen*10 + (*s - '0');
  if (!n || *s != ':')
    return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
  s++; n--;
  if (vlen > n)
    return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
  *tok = s;
  *toklen = vlen;
  s += vlen;
  n -= vlen;
  *buf = s;
  *buflen = n;
  return 0;
}

Coverage Report

Created: 2022-12-08 06:10

Line	Count	Source (jump to first uncovered line)
1		/* tlv.c - Tag-Length-Value Utilities
2		* Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
3		*
4		* This file is part of GnuPG.
5		*
6		* This file is free software; you can redistribute it and/or modify
7		* it under the terms of either
8		*
9		* - the GNU Lesser General Public License as published by the Free
10		* Software Foundation; either version 3 of the License, or (at
11		* your option) any later version.
12		*
13		* or
14		*
15		* - the GNU General Public License as published by the Free
16		* Software Foundation; either version 2 of the License, or (at
17		* your option) any later version.
18		*
19		* or both in parallel, as here.
20		*
21		* This file is distributed in the hope that it will be useful,
22		* but WITHOUT ANY WARRANTY; without even the implied warranty of
23		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24		* GNU General Public License for more details.
25		*
26		* You should have received a copy of the GNU General Public License
27		* along with this program; if not, see <https://www.gnu.org/licenses/>.
28		*/
29
30		#include <config.h>
31
32		#include <stdio.h>
33		#include <stdlib.h>
34		#include <string.h>
35		#include <gpg-error.h>
36
37
38		#include "util.h"
39		#include "tlv.h"
40
41
42		static const unsigned char *
43		do_find_tlv (const unsigned char *buffer, size_t length,
44		int tag, size_t *nbytes, int nestlevel)
45	0	{
46	0	const unsigned char *s = buffer;
47	0	size_t n = length;
48	0	size_t len;
49	0	int this_tag;
50	0	int composite;
51
52	0	for (;;)
53	0	{
54	0	if (n < 2)
55	0	return NULL; /* Buffer definitely too short for tag and length. */
56	0	if (!s \|\| s == 0xff)
57	0	{ /* Skip optional filler between TLV objects. */
58	0	s++;
59	0	n--;
60	0	continue;
61	0	}
62	0	composite = !!(*s & 0x20);
63	0	if ((*s & 0x1f) == 0x1f)
64	0	{ /* more tag bytes to follow */
65	0	s++;
66	0	n--;
67	0	if (n < 2)
68	0	return NULL; /* buffer definitely too short for tag and length. */
69	0	if ((*s & 0x1f) == 0x1f)
70	0	return NULL; /* We support only up to 2 bytes. */
71	0	this_tag = (s[-1] << 8) \| (s[0] & 0x7f);
72	0	}
73	0	else
74	0	this_tag = s[0];
75	0	len = s[1];
76	0	s += 2; n -= 2;
77	0	if (len < 0x80)
78	0	;
79	0	else if (len == 0x81)
80	0	{ /* One byte length follows. */
81	0	if (!n)
82	0	return NULL; /* we expected 1 more bytes with the length. */
83	0	len = s[0];
84	0	s++; n--;
85	0	}
86	0	else if (len == 0x82)
87	0	{ /* Two byte length follows. */
88	0	if (n < 2)
89	0	return NULL; /* We expected 2 more bytes with the length. */
90	0	len = ((size_t)s[0] << 8) \| s[1];
91	0	s += 2; n -= 2;
92	0	}
93	0	else
94	0	return NULL; /* APDU limit is 65535, thus it does not make
95		sense to assume longer length fields. */
96
97	0	if (composite && nestlevel < 100)
98	0	{ /* Dive into this composite DO after checking for a too deep
99		nesting. */
100	0	const unsigned char *tmp_s;
101	0	size_t tmp_len;
102
103	0	tmp_s = do_find_tlv (s, len, tag, &tmp_len, nestlevel+1);
104	0	if (tmp_s)
105	0	{
106	0	*nbytes = tmp_len;
107	0	return tmp_s;
108	0	}
109	0	}
110
111	0	if (this_tag == tag)
112	0	{
113	0	*nbytes = len;
114	0	return s;
115	0	}
116	0	if (len > n)
117	0	return NULL; /* Buffer too short to skip to the next tag. */
118	0	s += len; n -= len;
119	0	}
120	0	}
121
122
123		/* Locate a TLV encoded data object in BUFFER of LENGTH and
124		return a pointer to value as well as its length in NBYTES. Return
125		NULL if it was not found or if the object does not fit into the buffer. */
126		const unsigned char *
127		find_tlv (const unsigned char *buffer, size_t length,
128		int tag, size_t *nbytes)
129	0	{
130	0	const unsigned char *p;
131
132	0	p = do_find_tlv (buffer, length, tag, nbytes, 0);
133	0	if (p && *nbytes > (length - (p-buffer)))
134	0	p = NULL; /* Object longer than buffer. */
135	0	return p;
136	0	}
137
138
139
140		/* Locate a TLV encoded data object in BUFFER of LENGTH and
141		return a pointer to value as well as its length in NBYTES. Return
142		NULL if it was not found. Note, that the function does not check
143		whether the value fits into the provided buffer. */
144		const unsigned char *
145		find_tlv_unchecked (const unsigned char *buffer, size_t length,
146		int tag, size_t *nbytes)
147	0	{
148	0	return do_find_tlv (buffer, length, tag, nbytes, 0);
149	0	}
150
151
152		/* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag
153		and the length part from the TLV triplet. Update BUFFER and SIZE
154		on success. */
155		gpg_error_t
156		parse_ber_header (unsigned char const *buffer, size_t size,
157		int r_class, int r_tag,
158		int r_constructed, int r_ndef,
159		size_t r_length, size_t r_nhdr)
160	0	{
161	0	int c;
162	0	unsigned long tag;
163	0	const unsigned char buf = buffer;
164	0	size_t length = *size;
165
166	0	*r_ndef = 0;
167	0	*r_length = 0;
168	0	*r_nhdr = 0;
169
170		/* Get the tag. */
171	0	if (!length)
172	0	return gpg_err_make (default_errsource, GPG_ERR_EOF);
173	0	c = buf++; length--; ++r_nhdr;
174
175	0	*r_class = (c & 0xc0) >> 6;
176	0	*r_constructed = !!(c & 0x20);
177	0	tag = c & 0x1f;
178
179	0	if (tag == 0x1f)
180	0	{
181	0	tag = 0;
182	0	do
183	0	{
184	0	tag <<= 7;
185	0	if (!length)
186	0	return gpg_err_make (default_errsource, GPG_ERR_EOF);
187	0	c = buf++; length--; ++r_nhdr;
188	0	tag \|= c & 0x7f;
189
190	0	}
191	0	while (c & 0x80);
192	0	}
193	0	*r_tag = tag;
194
195		/* Get the length. */
196	0	if (!length)
197	0	return gpg_err_make (default_errsource, GPG_ERR_EOF);
198	0	c = buf++; length--; ++r_nhdr;
199
200	0	if ( !(c & 0x80) )
201	0	*r_length = c;
202	0	else if (c == 0x80)
203	0	*r_ndef = 1;
204	0	else if (c == 0xff)
205	0	return gpg_err_make (default_errsource, GPG_ERR_BAD_BER);
206	0	else
207	0	{
208	0	unsigned long len = 0;
209	0	int count = (c & 0x7f);
210
211	0	if (count > (sizeof(len)<sizeof(size_t)?sizeof(len):sizeof(size_t)))
212	0	return gpg_err_make (default_errsource, GPG_ERR_BAD_BER);
213
214	0	for (; count; count--)
215	0	{
216	0	len <<= 8;
217	0	if (!length)
218	0	return gpg_err_make (default_errsource, GPG_ERR_EOF);
219	0	c = buf++; length--; ++r_nhdr;
220	0	len \|= c & 0xff;
221	0	}
222	0	*r_length = len;
223	0	}
224
225	0	if (r_length > r_nhdr && (r_nhdr + r_length) < *r_length)
226	0	{
227	0	return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW);
228	0	}
229
230		/* Without this kludge some example certs can't be parsed. */
231	0	if (r_class == CLASS_UNIVERSAL && !r_tag)
232	0	*r_length = 0;
233
234	0	*buffer = buf;
235	0	*size = length;
236	0	return 0;
237	0	}
238
239
240		/* FIXME: The following function should not go into this file but for
241		now it is easier to keep it here. */
242
243		/* Return the next token of an canonical encoded S-expression. BUF
244		is the pointer to the S-expression and BUFLEN is a pointer to the
245		length of this S-expression (used to validate the syntax). Both
246		are updated to reflect the new position. The token itself is
247		returned as a pointer into the original buffer at TOK and TOKLEN.
248		If a parentheses is the next token, TOK will be set to NULL.
249		TOKLEN is checked to be within the bounds. On error an error code
250		is returned and pointers are not guaranteed to point to
251		meaningful values. DEPTH should be initialized to 0 and will
252		reflect on return the actual depth of the tree. To detect the end
253		of the S-expression it is advisable to check DEPTH after a
254		successful return.
255
256		depth = 0;
257		while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
258		&& depth)
259		process_token (tok, toklen);
260		if (err)
261		handle_error ();
262		*/
263		gpg_error_t
264		parse_sexp (unsigned char const *buf, size_t buflen,
265		int depth, unsigned char const tok, size_t toklen)
266	0	{
267	0	const unsigned char *s;
268	0	size_t n, vlen;
269
270	0	s = *buf;
271	0	n = *buflen;
272	0	*tok = NULL;
273	0	*toklen = 0;
274	0	if (!n)
275	0	return *depth ? gpg_err_make (default_errsource, GPG_ERR_INV_SEXP) : 0;
276	0	if (*s == '(')
277	0	{
278	0	s++; n--;
279	0	(*depth)++;
280	0	*buf = s;
281	0	*buflen = n;
282	0	return 0;
283	0	}
284	0	if (*s == ')')
285	0	{
286	0	if (!*depth)
287	0	return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
288	0	*toklen = 1;
289	0	s++; n--;
290	0	(*depth)--;
291	0	*buf = s;
292	0	*buflen = n;
293	0	return 0;
294	0	}
295	0	for (vlen=0; n && s && s != ':' && (s >= '0' && s <= '9'); s++, n--)
296	0	vlen = vlen10 + (s - '0');
297	0	if (!n \|\| *s != ':')
298	0	return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
299	0	s++; n--;
300	0	if (vlen > n)
301	0	return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
302	0	*tok = s;
303	0	*toklen = vlen;
304	0	s += vlen;
305	0	n -= vlen;
306	0	*buf = s;
307	0	*buflen = n;
308	0	return 0;
309	0	}