/src/gnupg/common/tlv.c

Source
/* tlv.c - Tag-Length-Value Utilities
 *  Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of either
 *
 *   - the GNU Lesser General Public License as published by the Free
 *     Software Foundation; either version 3 of the License, or (at
 *     your option) any later version.
 *
 * or
 *
 *   - the GNU General Public License as published by the Free
 *     Software Foundation; either version 2 of the License, or (at
 *     your option) any later version.
 *
 * or both in parallel, as here.
 *
 * This file is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <https://www.gnu.org/licenses/>.
 */

#include <config.h>

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gpg-error.h>


#include "util.h"
#include "tlv.h"


static const unsigned char *
do_find_tlv (const unsigned char *buffer, size_t length,
             int tag, size_t *nbytes, int nestlevel)
{
  const unsigned char *s = buffer;
  size_t n = length;
  size_t len;
  int this_tag;
  int composite;

  for (;;)
    {
      if (n < 2)
        return NULL; /* Buffer definitely too short for tag and length. */
      if (!*s || *s == 0xff)
        { /* Skip optional filler between TLV objects. */
          s++;
          n--;
          continue;
        }
      composite = !!(*s & 0x20);
      if ((*s & 0x1f) == 0x1f)
        { /* more tag bytes to follow */
          s++;
          n--;
          if (n < 2)
            return NULL; /* buffer definitely too short for tag and length. */
          if ((*s & 0x1f) == 0x1f)
            return NULL; /* We support only up to 2 bytes. */
          this_tag = (s[-1] << 8) | (s[0] & 0x7f);
        }
      else
        this_tag = s[0];
      len = s[1];
      s += 2; n -= 2;
      if (len < 0x80)
        ;
      else if (len == 0x81)
        { /* One byte length follows. */
          if (!n)
            return NULL; /* we expected 1 more bytes with the length. */
          len = s[0];
          s++; n--;
        }
      else if (len == 0x82)
        { /* Two byte length follows. */
          if (n < 2)
            return NULL; /* We expected 2 more bytes with the length. */
          len = ((size_t)s[0] << 8) | s[1];
          s += 2; n -= 2;
        }
      else
        return NULL; /* APDU limit is 65535, thus it does not make
                        sense to assume longer length fields. */

      if (composite && nestlevel < 100)
        { /* Dive into this composite DO after checking for a too deep
             nesting. */
          const unsigned char *tmp_s;
          size_t tmp_len;

          tmp_s = do_find_tlv (s, len, tag, &tmp_len, nestlevel+1);
          if (tmp_s)
            {
              *nbytes = tmp_len;
              return tmp_s;
            }
        }

      if (this_tag == tag)
        {
          *nbytes = len;
          return s;
        }
      if (len > n)
        return NULL; /* Buffer too short to skip to the next tag. */
      s += len; n -= len;
    }
}


/* Locate a TLV encoded data object in BUFFER of LENGTH and
   return a pointer to value as well as its length in NBYTES.  Return
   NULL if it was not found or if the object does not fit into the buffer. */
const unsigned char *
find_tlv (const unsigned char *buffer, size_t length,
          int tag, size_t *nbytes)
{
  const unsigned char *p;

  p = do_find_tlv (buffer, length, tag, nbytes, 0);
  if (p && *nbytes > (length - (p-buffer)))
    p = NULL; /* Object longer than buffer. */
  return p;
}



/* Locate a TLV encoded data object in BUFFER of LENGTH and
   return a pointer to value as well as its length in NBYTES.  Return
   NULL if it was not found.  Note, that the function does not check
   whether the value fits into the provided buffer. */
const unsigned char *
find_tlv_unchecked (const unsigned char *buffer, size_t length,
                    int tag, size_t *nbytes)
{
  return do_find_tlv (buffer, length, tag, nbytes, 0);
}


/* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag
 * and the length part from the TLV triplet.  Update BUFFER and SIZE
 * on success.  Note that this function does not check that the value
 * fits into the provided buffer; this allows one to work on the TL part
 * of a TLV. */
gpg_error_t
parse_ber_header (unsigned char const **buffer, size_t *size,
                  int *r_class, int *r_tag,
                  int *r_constructed, int *r_ndef,
                  size_t *r_length, size_t *r_nhdr)
{
  int c;
  unsigned long tag;
  const unsigned char *buf = *buffer;
  size_t length = *size;

  *r_ndef = 0;
  *r_length = 0;
  *r_nhdr = 0;

  /* Get the tag. */
  if (!length)
    return gpg_err_make (default_errsource, GPG_ERR_EOF);
  c = *buf++; length--; ++*r_nhdr;

  *r_class = (c & 0xc0) >> 6;
  *r_constructed = !!(c & 0x20);
  tag = c & 0x1f;

  if (tag == 0x1f)
    {
      tag = 0;
      do
        {
          tag <<= 7;
          if (!length)
            return gpg_err_make (default_errsource, GPG_ERR_EOF);
          c = *buf++; length--; ++*r_nhdr;
          tag |= c & 0x7f;

        }
      while (c & 0x80);
    }
  *r_tag = tag;

  /* Get the length. */
  if (!length)
    return gpg_err_make (default_errsource, GPG_ERR_EOF);
  c = *buf++; length--; ++*r_nhdr;

  if ( !(c & 0x80) )
    *r_length = c;
  else if (c == 0x80)
    *r_ndef = 1;
  else if (c == 0xff)
    return gpg_err_make (default_errsource, GPG_ERR_BAD_BER);
  else
    {
      unsigned long len = 0;
      int count = (c & 0x7f);

      if (count > (sizeof(len)<sizeof(size_t)?sizeof(len):sizeof(size_t)))
        return gpg_err_make (default_errsource, GPG_ERR_BAD_BER);

      for (; count; count--)
        {
          len <<= 8;
          if (!length)
            return gpg_err_make (default_errsource, GPG_ERR_EOF);
          c = *buf++; length--; ++*r_nhdr;
          len |= c & 0xff;
        }
      *r_length = len;
    }

  if (*r_length > *r_nhdr && (*r_nhdr + *r_length) < *r_length)
    {
      return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW);
    }

  /* Without this kludge some example certs can't be parsed. */
  if (*r_class == CLASS_UNIVERSAL && !*r_tag)
    *r_length = 0;

  *buffer = buf;
  *size = length;
  return 0;
}


/* FIXME: The following function should not go into this file but for
   now it is easier to keep it here. */

/* Return the next token of an canonical encoded S-expression.  BUF
   is the pointer to the S-expression and BUFLEN is a pointer to the
   length of this S-expression (used to validate the syntax).  Both
   are updated to reflect the new position.  The token itself is
   returned as a pointer into the original buffer at TOK and TOKLEN.
   If a parentheses is the next token, TOK will be set to NULL.
   TOKLEN is checked to be within the bounds.  On error an error code
   is returned and pointers are not guaranteed to point to
   meaningful values.  DEPTH should be initialized to 0 and will
   reflect on return the actual depth of the tree. To detect the end
   of the S-expression it is advisable to check DEPTH after a
   successful return.

   depth = 0;
   while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
          && depth)
     process_token (tok, toklen);
   if (err)
     handle_error ();
 */
gpg_error_t
parse_sexp (unsigned char const **buf, size_t *buflen,
            int *depth, unsigned char const **tok, size_t *toklen)
{
  const unsigned char *s;
  size_t n, vlen;

  s = *buf;
  n = *buflen;
  *tok = NULL;
  *toklen = 0;
  if (!n)
    return *depth ? gpg_err_make (default_errsource, GPG_ERR_INV_SEXP) : 0;
  if (*s == '(')
    {
      s++; n--;
      (*depth)++;
      *buf = s;
      *buflen = n;
      return 0;
    }
  if (*s == ')')
    {
      if (!*depth)
        return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
      *toklen = 1;
      s++; n--;
      (*depth)--;
      *buf = s;
      *buflen = n;
      return 0;
    }
  for (vlen=0; n && *s && *s != ':' && (*s >= '0' && *s <= '9'); s++, n--)
    vlen = vlen*10 + (*s - '0');
  if (!n || *s != ':')
    return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
  s++; n--;
  if (vlen > n)
    return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
  *tok = s;
  *toklen = vlen;
  s += vlen;
  n -= vlen;
  *buf = s;
  *buflen = n;
  return 0;
}

Coverage Report

Created: 2026-01-09 06:48

Line	Count	Source
1		/* tlv.c - Tag-Length-Value Utilities
2		* Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
3		*
4		* This file is part of GnuPG.
5		*
6		* This file is free software; you can redistribute it and/or modify
7		* it under the terms of either
8		*
9		* - the GNU Lesser General Public License as published by the Free
10		* Software Foundation; either version 3 of the License, or (at
11		* your option) any later version.
12		*
13		* or
14		*
15		* - the GNU General Public License as published by the Free
16		* Software Foundation; either version 2 of the License, or (at
17		* your option) any later version.
18		*
19		* or both in parallel, as here.
20		*
21		* This file is distributed in the hope that it will be useful,
22		* but WITHOUT ANY WARRANTY; without even the implied warranty of
23		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24		* GNU General Public License for more details.
25		*
26		* You should have received a copy of the GNU General Public License
27		* along with this program; if not, see <https://www.gnu.org/licenses/>.
28		*/
29
30		#include <config.h>
31
32		#include <stdio.h>
33		#include <stdlib.h>
34		#include <string.h>
35		#include <gpg-error.h>
36
37
38		#include "util.h"
39		#include "tlv.h"
40
41
42		static const unsigned char *
43		do_find_tlv (const unsigned char *buffer, size_t length,
44		int tag, size_t *nbytes, int nestlevel)
45	0	{
46	0	const unsigned char *s = buffer;
47	0	size_t n = length;
48	0	size_t len;
49	0	int this_tag;
50	0	int composite;
51
52	0	for (;;)
53	0	{
54	0	if (n < 2)
55	0	return NULL; /* Buffer definitely too short for tag and length. */
56	0	if (!s \|\| s == 0xff)
57	0	{ /* Skip optional filler between TLV objects. */
58	0	s++;
59	0	n--;
60	0	continue;
61	0	}
62	0	composite = !!(*s & 0x20);
63	0	if ((*s & 0x1f) == 0x1f)
64	0	{ /* more tag bytes to follow */
65	0	s++;
66	0	n--;
67	0	if (n < 2)
68	0	return NULL; /* buffer definitely too short for tag and length. */
69	0	if ((*s & 0x1f) == 0x1f)
70	0	return NULL; /* We support only up to 2 bytes. */
71	0	this_tag = (s[-1] << 8) \| (s[0] & 0x7f);
72	0	}
73	0	else
74	0	this_tag = s[0];
75	0	len = s[1];
76	0	s += 2; n -= 2;
77	0	if (len < 0x80)
78	0	;
79	0	else if (len == 0x81)
80	0	{ /* One byte length follows. */
81	0	if (!n)
82	0	return NULL; /* we expected 1 more bytes with the length. */
83	0	len = s[0];
84	0	s++; n--;
85	0	}
86	0	else if (len == 0x82)
87	0	{ /* Two byte length follows. */
88	0	if (n < 2)
89	0	return NULL; /* We expected 2 more bytes with the length. */
90	0	len = ((size_t)s[0] << 8) \| s[1];
91	0	s += 2; n -= 2;
92	0	}
93	0	else
94	0	return NULL; /* APDU limit is 65535, thus it does not make
95		sense to assume longer length fields. */
96
97	0	if (composite && nestlevel < 100)
98	0	{ /* Dive into this composite DO after checking for a too deep
99		nesting. */
100	0	const unsigned char *tmp_s;
101	0	size_t tmp_len;
102
103	0	tmp_s = do_find_tlv (s, len, tag, &tmp_len, nestlevel+1);
104	0	if (tmp_s)
105	0	{
106	0	*nbytes = tmp_len;
107	0	return tmp_s;
108	0	}
109	0	}
110
111	0	if (this_tag == tag)
112	0	{
113	0	*nbytes = len;
114	0	return s;
115	0	}
116	0	if (len > n)
117	0	return NULL; /* Buffer too short to skip to the next tag. */
118	0	s += len; n -= len;
119	0	}
120	0	}
121
122
123		/* Locate a TLV encoded data object in BUFFER of LENGTH and
124		return a pointer to value as well as its length in NBYTES. Return
125		NULL if it was not found or if the object does not fit into the buffer. */
126		const unsigned char *
127		find_tlv (const unsigned char *buffer, size_t length,
128		int tag, size_t *nbytes)
129	0	{
130	0	const unsigned char *p;
131
132	0	p = do_find_tlv (buffer, length, tag, nbytes, 0);
133	0	if (p && *nbytes > (length - (p-buffer)))
134	0	p = NULL; /* Object longer than buffer. */
135	0	return p;
136	0	}
137
138
139
140		/* Locate a TLV encoded data object in BUFFER of LENGTH and
141		return a pointer to value as well as its length in NBYTES. Return
142		NULL if it was not found. Note, that the function does not check
143		whether the value fits into the provided buffer. */
144		const unsigned char *
145		find_tlv_unchecked (const unsigned char *buffer, size_t length,
146		int tag, size_t *nbytes)
147	0	{
148	0	return do_find_tlv (buffer, length, tag, nbytes, 0);
149	0	}
150
151
152		/* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag
153		* and the length part from the TLV triplet. Update BUFFER and SIZE
154		* on success. Note that this function does not check that the value
155		* fits into the provided buffer; this allows one to work on the TL part
156		* of a TLV. */
157		gpg_error_t
158		parse_ber_header (unsigned char const *buffer, size_t size,
159		int r_class, int r_tag,
160		int r_constructed, int r_ndef,
161		size_t r_length, size_t r_nhdr)
162	0	{
163	0	int c;
164	0	unsigned long tag;
165	0	const unsigned char buf = buffer;
166	0	size_t length = *size;
167
168	0	*r_ndef = 0;
169	0	*r_length = 0;
170	0	*r_nhdr = 0;
171
172		/* Get the tag. */
173	0	if (!length)
174	0	return gpg_err_make (default_errsource, GPG_ERR_EOF);
175	0	c = buf++; length--; ++r_nhdr;
176
177	0	*r_class = (c & 0xc0) >> 6;
178	0	*r_constructed = !!(c & 0x20);
179	0	tag = c & 0x1f;
180
181	0	if (tag == 0x1f)
182	0	{
183	0	tag = 0;
184	0	do
185	0	{
186	0	tag <<= 7;
187	0	if (!length)
188	0	return gpg_err_make (default_errsource, GPG_ERR_EOF);
189	0	c = buf++; length--; ++r_nhdr;
190	0	tag \|= c & 0x7f;
191
192	0	}
193	0	while (c & 0x80);
194	0	}
195	0	*r_tag = tag;
196
197		/* Get the length. */
198	0	if (!length)
199	0	return gpg_err_make (default_errsource, GPG_ERR_EOF);
200	0	c = buf++; length--; ++r_nhdr;
201
202	0	if ( !(c & 0x80) )
203	0	*r_length = c;
204	0	else if (c == 0x80)
205	0	*r_ndef = 1;
206	0	else if (c == 0xff)
207	0	return gpg_err_make (default_errsource, GPG_ERR_BAD_BER);
208	0	else
209	0	{
210	0	unsigned long len = 0;
211	0	int count = (c & 0x7f);
212
213	0	if (count > (sizeof(len)<sizeof(size_t)?sizeof(len):sizeof(size_t)))
214	0	return gpg_err_make (default_errsource, GPG_ERR_BAD_BER);
215
216	0	for (; count; count--)
217	0	{
218	0	len <<= 8;
219	0	if (!length)
220	0	return gpg_err_make (default_errsource, GPG_ERR_EOF);
221	0	c = buf++; length--; ++r_nhdr;
222	0	len \|= c & 0xff;
223	0	}
224	0	*r_length = len;
225	0	}
226
227	0	if (r_length > r_nhdr && (r_nhdr + r_length) < *r_length)
228	0	{
229	0	return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW);
230	0	}
231
232		/* Without this kludge some example certs can't be parsed. */
233	0	if (r_class == CLASS_UNIVERSAL && !r_tag)
234	0	*r_length = 0;
235
236	0	*buffer = buf;
237	0	*size = length;
238	0	return 0;
239	0	}
240
241
242		/* FIXME: The following function should not go into this file but for
243		now it is easier to keep it here. */
244
245		/* Return the next token of an canonical encoded S-expression. BUF
246		is the pointer to the S-expression and BUFLEN is a pointer to the
247		length of this S-expression (used to validate the syntax). Both
248		are updated to reflect the new position. The token itself is
249		returned as a pointer into the original buffer at TOK and TOKLEN.
250		If a parentheses is the next token, TOK will be set to NULL.
251		TOKLEN is checked to be within the bounds. On error an error code
252		is returned and pointers are not guaranteed to point to
253		meaningful values. DEPTH should be initialized to 0 and will
254		reflect on return the actual depth of the tree. To detect the end
255		of the S-expression it is advisable to check DEPTH after a
256		successful return.
257
258		depth = 0;
259		while (!(err = parse_sexp (&buf, &buflen, &depth, &tok, &toklen))
260		&& depth)
261		process_token (tok, toklen);
262		if (err)
263		handle_error ();
264		*/
265		gpg_error_t
266		parse_sexp (unsigned char const *buf, size_t buflen,
267		int depth, unsigned char const tok, size_t toklen)
268	0	{
269	0	const unsigned char *s;
270	0	size_t n, vlen;
271
272	0	s = *buf;
273	0	n = *buflen;
274	0	*tok = NULL;
275	0	*toklen = 0;
276	0	if (!n)
277	0	return *depth ? gpg_err_make (default_errsource, GPG_ERR_INV_SEXP) : 0;
278	0	if (*s == '(')
279	0	{
280	0	s++; n--;
281	0	(*depth)++;
282	0	*buf = s;
283	0	*buflen = n;
284	0	return 0;
285	0	}
286	0	if (*s == ')')
287	0	{
288	0	if (!*depth)
289	0	return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
290	0	*toklen = 1;
291	0	s++; n--;
292	0	(*depth)--;
293	0	*buf = s;
294	0	*buflen = n;
295	0	return 0;
296	0	}
297	0	for (vlen=0; n && s && s != ':' && (s >= '0' && s <= '9'); s++, n--)
298	0	vlen = vlen10 + (s - '0');
299	0	if (!n \|\| *s != ':')
300	0	return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
301	0	s++; n--;
302	0	if (vlen > n)
303	0	return gpg_err_make (default_errsource, GPG_ERR_INV_SEXP);
304	0	*tok = s;
305	0	*toklen = vlen;
306	0	s += vlen;
307	0	n -= vlen;
308	0	*buf = s;
309	0	*buflen = n;
310	0	return 0;
311	0	}