/src/openssl/crypto/asn1/a_d2i_fp.c

Source
/*
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <limits.h>
#include "internal/cryptlib.h"
#include "internal/numbers.h"
#include <openssl/buffer.h>
#include <openssl/asn1.h>
#include "internal/asn1.h"
#include "crypto/asn1.h"

#ifndef NO_OLD_ASN1
#ifndef OPENSSL_NO_STDIO

void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x)
{
    BIO *b;
    void *ret;

    if ((b = BIO_new(BIO_s_file())) == NULL) {
        ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
        return NULL;
    }
    BIO_set_fp(b, in, BIO_NOCLOSE);
    ret = ASN1_d2i_bio(xnew, d2i, b, x);
    BIO_free(b);
    return ret;
}
#endif

void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x)
{
    BUF_MEM *b = NULL;
    const unsigned char *p;
    void *ret = NULL;
    int len;

    len = asn1_d2i_read_bio(in, &b);
    if (len < 0)
        goto err;

    p = (unsigned char *)b->data;
    ret = d2i(x, &p, len);
err:
    BUF_MEM_free(b);
    return ret;
}

#endif

void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *x,
    OSSL_LIB_CTX *libctx, const char *propq)
{
    BUF_MEM *b = NULL;
    const unsigned char *p;
    void *ret = NULL;
    int len;

    if (in == NULL)
        return NULL;
    len = asn1_d2i_read_bio(in, &b);
    if (len < 0)
        goto err;

    p = (const unsigned char *)b->data;
    ret = ASN1_item_d2i_ex(x, &p, len, it, libctx, propq);
err:
    BUF_MEM_free(b);
    return ret;
}

void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x)
{
    return ASN1_item_d2i_bio_ex(it, in, x, NULL, NULL);
}

#ifndef OPENSSL_NO_STDIO
void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x,
    OSSL_LIB_CTX *libctx, const char *propq)
{
    BIO *b;
    void *ret;

    if ((b = BIO_new(BIO_s_file())) == NULL) {
        ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
        return NULL;
    }
    BIO_set_fp(b, in, BIO_NOCLOSE);
    ret = ASN1_item_d2i_bio_ex(it, b, x, libctx, propq);
    BIO_free(b);
    return ret;
}

void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
{
    return ASN1_item_d2i_fp_ex(it, in, x, NULL, NULL);
}
#endif

#define HEADER_SIZE 2
#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
{
    BUF_MEM *b;
    unsigned char *p;
    size_t want = HEADER_SIZE;
    uint32_t eos = 0;
    size_t off = 0;
    size_t len = 0;
    size_t diff;

    const unsigned char *q;
    long slen;
    int inf, tag, xclass;

    b = BUF_MEM_new();
    if (b == NULL) {
        ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
        return -1;
    }

    ERR_set_mark();
    for (;;) {
        diff = len - off;
        if (want >= diff) {
            int i;

            want -= diff;

            if (len + want < len || !BUF_MEM_grow_clean(b, len + want)) {
                ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
                goto err;
            }
            i = BIO_read(in, &(b->data[len]), (int)want);

            if (i <= 0) {
                ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
                goto err;
            }

            if (i > 0) {
                if (len + i < len) {
                    ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
                    goto err;
                }
                len += i;
                if ((size_t)i < want)
                    continue;
            }
        }
        /* else data already loaded */

        /* make sure there is enough data for a complete header */
        p = (unsigned char *)&(b->data[off]);
        q = p;
        diff = len - off;
        if (diff < 2) {
            /* Failed sanity check */
            ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
            goto err;
        }

        diff--;
        if ((*(q++) & V_ASN1_PRIMITIVE_TAG) == V_ASN1_PRIMITIVE_TAG) {
            unsigned int i = 0;
            /* Multi-byte tag.  See if we have the whole thing yet */
            do {
                if (i > 4) {
                    /* The tag value must fit into int */
                    ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
                    goto err;
                }
                ++i;
                diff--;
            } while (diff > 0 && *(q++) & 0x80);

            if (diff == 0) {
                /*
                 * End of current data, will need at least 1 more byte for
                 * length.  2 if the tag is still incomplete
                 */
                want = q - p + 2;
                if (*q & 0x80) {
                    want++;
                }
                continue;
            }
        }

        /* Check the length.  This should also work for indefinite length */
        diff--;
        if (*q & 0x80) {
            unsigned int i = *q & 0x7f;

            if (i > sizeof(long)) {
                ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
                goto err;
            }
            if (i > diff) {
                want = q - p + i + 1;
                continue;
            }
        }

        /*
         * We have a complete header now, assuming we didn't hit EOF. Parse the
         * tag and length
         */
        q = p;
        diff = len - off;
        inf = ASN1_get_object(&q, &slen, &tag, &xclass, (int)diff);
        if (inf & 0x80) {
            unsigned long e;

            e = ERR_GET_REASON(ERR_peek_last_error());
            if (e != ASN1_R_TOO_LONG)
                goto err;
            ERR_pop_to_mark();
            ERR_set_mark();
        }
        off += q - p; /* end of data */

        if (inf & 1) {
            /* no data body so go round again */
            if (eos == UINT32_MAX) {
                ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
                goto err;
            }
            eos++;
            want = HEADER_SIZE;
        } else if (eos && (slen == 0) && (tag == V_ASN1_EOC)) {
            /* eos value, so go back and read another header */
            eos--;
            if (eos == 0)
                break;
            else
                want = HEADER_SIZE;
        } else {
            /* suck in slen bytes of data */
            want = slen;
            if (want > (len - off)) {
                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;

                want -= (len - off);
                if (want > INT_MAX /* BIO_read takes an int length */ || len + want < len) {
                    ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
                    goto err;
                }
                while (want > 0) {
                    /*
                     * Read content in chunks of increasing size
                     * so we can return an error for EOF without
                     * having to allocate the entire content length
                     * in one go.
                     */
                    size_t chunk = want > chunk_max ? chunk_max : want;
                    int i;

                    if (!BUF_MEM_grow_clean(b, len + chunk)) {
                        ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
                        goto err;
                    }
                    want -= chunk;
                    while (chunk > 0) {
                        i = BIO_read(in, &(b->data[len]), (int)chunk);
                        if (i <= 0) {
                            ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
                            goto err;
                        }
                        /*
                         * This can't overflow because |len+want| didn't
                         * overflow.
                         */
                        len += i;
                        chunk -= i;
                    }
                    if (chunk_max < INT_MAX / 2)
                        chunk_max *= 2;
                }
            }
            if (off + slen < off) {
                ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
                goto err;
            }
            off += slen;
            if (eos == 0) {
                break;
            } else
                want = HEADER_SIZE;
        }
    }

    if (off > INT_MAX) {
        ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
        goto err;
    }

    *pb = b;
    ERR_clear_last_mark();
    return (int)off;
err:
    ERR_clear_last_mark();
    BUF_MEM_free(b);
    return -1;
}

Coverage Report

Created: 2026-05-24 07:14

Line	Count	Source
1		/*
2		* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include <limits.h>
12		#include "internal/cryptlib.h"
13		#include "internal/numbers.h"
14		#include <openssl/buffer.h>
15		#include <openssl/asn1.h>
16		#include "internal/asn1.h"
17		#include "crypto/asn1.h"
18
19		#ifndef NO_OLD_ASN1
20		#ifndef OPENSSL_NO_STDIO
21
22		void ASN1_d2i_fp(void (xnew)(void), d2i_of_void d2i, FILE in, void *x)
23	0	{
24	0	BIO *b;
25	0	void *ret;
26
27	0	if ((b = BIO_new(BIO_s_file())) == NULL) {
28	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
29	0	return NULL;
30	0	}
31	0	BIO_set_fp(b, in, BIO_NOCLOSE);
32	0	ret = ASN1_d2i_bio(xnew, d2i, b, x);
33	0	BIO_free(b);
34	0	return ret;
35	0	}
36		#endif
37
38		void ASN1_d2i_bio(void (xnew)(void), d2i_of_void d2i, BIO in, void *x)
39	0	{
40	0	BUF_MEM *b = NULL;
41	0	const unsigned char *p;
42	0	void *ret = NULL;
43	0	int len;
44
45	0	len = asn1_d2i_read_bio(in, &b);
46	0	if (len < 0)
47	0	goto err;
48
49	0	p = (unsigned char *)b->data;
50	0	ret = d2i(x, &p, len);
51	0	err:
52	0	BUF_MEM_free(b);
53	0	return ret;
54	0	}
55
56		#endif
57
58		void ASN1_item_d2i_bio_ex(const ASN1_ITEM it, BIO in, void x,
59		OSSL_LIB_CTX libctx, const char propq)
60	130k	{
61	130k	BUF_MEM *b = NULL;
62	130k	const unsigned char *p;
63	130k	void *ret = NULL;
64	130k	int len;
65
66	130k	if (in == NULL)
67	0	return NULL;
68	130k	len = asn1_d2i_read_bio(in, &b);
69	130k	if (len < 0)
70	11.4k	goto err;
71
72	119k	p = (const unsigned char *)b->data;
73	119k	ret = ASN1_item_d2i_ex(x, &p, len, it, libctx, propq);
74	130k	err:
75	130k	BUF_MEM_free(b);
76	130k	return ret;
77	119k	}
78
79		void ASN1_item_d2i_bio(const ASN1_ITEM it, BIO in, void x)
80	0	{
81	0	return ASN1_item_d2i_bio_ex(it, in, x, NULL, NULL);
82	0	}
83
84		#ifndef OPENSSL_NO_STDIO
85		void ASN1_item_d2i_fp_ex(const ASN1_ITEM it, FILE in, void x,
86		OSSL_LIB_CTX libctx, const char propq)
87	0	{
88	0	BIO *b;
89	0	void *ret;
90
91	0	if ((b = BIO_new(BIO_s_file())) == NULL) {
92	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
93	0	return NULL;
94	0	}
95	0	BIO_set_fp(b, in, BIO_NOCLOSE);
96	0	ret = ASN1_item_d2i_bio_ex(it, b, x, libctx, propq);
97	0	BIO_free(b);
98	0	return ret;
99	0	}
100
101		void ASN1_item_d2i_fp(const ASN1_ITEM it, FILE in, void x)
102	0	{
103	0	return ASN1_item_d2i_fp_ex(it, in, x, NULL, NULL);
104	0	}
105		#endif
106
107	1.54G	#define HEADER_SIZE 2
108	437M	#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
109		int asn1_d2i_read_bio(BIO in, BUF_MEM *pb)
110	5.58M	{
111	5.58M	BUF_MEM *b;
112	5.58M	unsigned char *p;
113	5.58M	size_t want = HEADER_SIZE;
114	5.58M	uint32_t eos = 0;
115	5.58M	size_t off = 0;
116	5.58M	size_t len = 0;
117	5.58M	size_t diff;
118
119	5.58M	const unsigned char *q;
120	5.58M	long slen;
121	5.58M	int inf, tag, xclass;
122
123	5.58M	b = BUF_MEM_new();
124	5.58M	if (b == NULL) {
125	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
126	0	return -1;
127	0	}
128
129	5.58M	ERR_set_mark();
130	1.57G	for (;;) {
131	1.57G	diff = len - off;
132	1.57G	if (want >= diff) {
133	1.57G	int i;
134
135	1.57G	want -= diff;
136
137	1.57G	if (len + want < len \|\| !BUF_MEM_grow_clean(b, len + want)) {
138	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
139	0	goto err;
140	0	}
141	1.57G	i = BIO_read(in, &(b->data[len]), (int)want);
142
143	1.57G	if (i <= 0) {
144	264k	ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
145	264k	goto err;
146	264k	}
147
148	1.57G	if (i > 0) {
149	1.57G	if (len + i < len) {
150	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
151	0	goto err;
152	0	}
153	1.57G	len += i;
154	1.57G	if ((size_t)i < want)
155	79.9k	continue;
156	1.57G	}
157	1.57G	}
158		/* else data already loaded */
159
160		/* make sure there is enough data for a complete header */
161	1.57G	p = (unsigned char *)&(b->data[off]);
162	1.57G	q = p;
163	1.57G	diff = len - off;
164	1.57G	if (diff < 2) {
165		/* Failed sanity check */
166	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
167	0	goto err;
168	0	}
169
170	1.57G	diff--;
171	1.57G	if ((*(q++) & V_ASN1_PRIMITIVE_TAG) == V_ASN1_PRIMITIVE_TAG) {
172	23.6M	unsigned int i = 0;
173		/* Multi-byte tag. See if we have the whole thing yet */
174	28.8M	do {
175	28.8M	if (i > 4) {
176		/* The tag value must fit into int */
177	14.1k	ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
178	14.1k	goto err;
179	14.1k	}
180	28.8M	++i;
181	28.8M	diff--;
182	28.8M	} while (diff > 0 && *(q++) & 0x80);
183
184	23.6M	if (diff == 0) {
185		/*
186		* End of current data, will need at least 1 more byte for
187		* length. 2 if the tag is still incomplete
188		*/
189	12.0M	want = q - p + 2;
190	12.0M	if (*q & 0x80) {
191	3.66M	want++;
192	3.66M	}
193	12.0M	continue;
194	12.0M	}
195	23.6M	}
196
197		/* Check the length. This should also work for indefinite length */
198	1.56G	diff--;
199	1.56G	if (*q & 0x80) {
200	531M	unsigned int i = *q & 0x7f;
201
202	531M	if (i > sizeof(long)) {
203	82.9k	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
204	82.9k	goto err;
205	82.9k	}
206	531M	if (i > diff) {
207	20.0M	want = q - p + i + 1;
208	20.0M	continue;
209	20.0M	}
210	531M	}
211
212		/*
213		* We have a complete header now, assuming we didn't hit EOF. Parse the
214		* tag and length
215		*/
216	1.54G	q = p;
217	1.54G	diff = len - off;
218	1.54G	inf = ASN1_get_object(&q, &slen, &tag, &xclass, (int)diff);
219	1.54G	if (inf & 0x80) {
220	437M	unsigned long e;
221
222	437M	e = ERR_GET_REASON(ERR_peek_last_error());
223	437M	if (e != ASN1_R_TOO_LONG)
224	23.2k	goto err;
225	437M	ERR_pop_to_mark();
226	437M	ERR_set_mark();
227	437M	}
228	1.54G	off += q - p; /* end of data */
229
230	1.54G	if (inf & 1) {
231		/* no data body so go round again */
232	491M	if (eos == UINT32_MAX) {
233	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
234	0	goto err;
235	0	}
236	491M	eos++;
237	491M	want = HEADER_SIZE;
238	1.05G	} else if (eos && (slen == 0) && (tag == V_ASN1_EOC)) {
239		/* eos value, so go back and read another header */
240	115M	eos--;
241	115M	if (eos == 0)
242	2.87M	break;
243	112M	else
244	112M	want = HEADER_SIZE;
245	935M	} else {
246		/* suck in slen bytes of data */
247	935M	want = slen;
248	935M	if (want > (len - off)) {
249	437M	size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
250
251	437M	want -= (len - off);
252	437M	if (want > INT_MAX /* BIO_read takes an int length */ \|\| len + want < len) {
253	48.1k	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
254	48.1k	goto err;
255	48.1k	}
256	874M	while (want > 0) {
257		/*
258		* Read content in chunks of increasing size
259		* so we can return an error for EOF without
260		* having to allocate the entire content length
261		* in one go.
262		*/
263	437M	size_t chunk = want > chunk_max ? chunk_max : want;
264	437M	int i;
265
266	437M	if (!BUF_MEM_grow_clean(b, len + chunk)) {
267	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
268	0	goto err;
269	0	}
270	437M	want -= chunk;
271	875M	while (chunk > 0) {
272	437M	i = BIO_read(in, &(b->data[len]), (int)chunk);
273	437M	if (i <= 0) {
274	222k	ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
275	222k	goto err;
276	222k	}
277		/*
278		* This can't overflow because \|len+want\| didn't
279		* overflow.
280		*/
281	437M	len += i;
282	437M	chunk -= i;
283	437M	}
284	437M	if (chunk_max < INT_MAX / 2)
285	437M	chunk_max *= 2;
286	437M	}
287	437M	}
288	934M	if (off + slen < off) {
289	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
290	0	goto err;
291	0	}
292	934M	off += slen;
293	934M	if (eos == 0) {
294	2.04M	break;
295	2.04M	} else
296	932M	want = HEADER_SIZE;
297	934M	}
298	1.54G	}
299
300	4.92M	if (off > INT_MAX) {
301	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
302	0	goto err;
303	0	}
304
305	4.92M	*pb = b;
306	4.92M	ERR_clear_last_mark();
307	4.92M	return (int)off;
308	655k	err:
309	655k	ERR_clear_last_mark();
310	655k	BUF_MEM_free(b);
311	655k	return -1;
312	4.92M	}