/src/openssl36/crypto/asn1/a_d2i_fp.c

Source
/*
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <limits.h>
#include "internal/cryptlib.h"
#include "internal/numbers.h"
#include <openssl/buffer.h>
#include <openssl/asn1.h>
#include "internal/asn1.h"
#include "crypto/asn1.h"

#ifndef NO_OLD_ASN1
#ifndef OPENSSL_NO_STDIO

void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x)
{
    BIO *b;
    void *ret;

    if ((b = BIO_new(BIO_s_file())) == NULL) {
        ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
        return NULL;
    }
    BIO_set_fp(b, in, BIO_NOCLOSE);
    ret = ASN1_d2i_bio(xnew, d2i, b, x);
    BIO_free(b);
    return ret;
}
#endif

void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x)
{
    BUF_MEM *b = NULL;
    const unsigned char *p;
    void *ret = NULL;
    int len;

    len = asn1_d2i_read_bio(in, &b);
    if (len < 0)
        goto err;

    p = (unsigned char *)b->data;
    ret = d2i(x, &p, len);
err:
    BUF_MEM_free(b);
    return ret;
}

#endif

void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *x,
    OSSL_LIB_CTX *libctx, const char *propq)
{
    BUF_MEM *b = NULL;
    const unsigned char *p;
    void *ret = NULL;
    int len;

    if (in == NULL)
        return NULL;
    len = asn1_d2i_read_bio(in, &b);
    if (len < 0)
        goto err;

    p = (const unsigned char *)b->data;
    ret = ASN1_item_d2i_ex(x, &p, len, it, libctx, propq);
err:
    BUF_MEM_free(b);
    return ret;
}

void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x)
{
    return ASN1_item_d2i_bio_ex(it, in, x, NULL, NULL);
}

#ifndef OPENSSL_NO_STDIO
void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x,
    OSSL_LIB_CTX *libctx, const char *propq)
{
    BIO *b;
    char *ret;

    if ((b = BIO_new(BIO_s_file())) == NULL) {
        ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
        return NULL;
    }
    BIO_set_fp(b, in, BIO_NOCLOSE);
    ret = ASN1_item_d2i_bio_ex(it, b, x, libctx, propq);
    BIO_free(b);
    return ret;
}

void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
{
    return ASN1_item_d2i_fp_ex(it, in, x, NULL, NULL);
}
#endif

#define HEADER_SIZE 2
#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
{
    BUF_MEM *b;
    unsigned char *p;
    size_t want = HEADER_SIZE;
    uint32_t eos = 0;
    size_t off = 0;
    size_t len = 0;
    size_t diff;

    const unsigned char *q;
    long slen;
    int inf, tag, xclass;

    b = BUF_MEM_new();
    if (b == NULL) {
        ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
        return -1;
    }

    ERR_set_mark();
    for (;;) {
        diff = len - off;
        if (want >= diff) {
            int i;

            want -= diff;

            if (len + want < len || !BUF_MEM_grow_clean(b, len + want)) {
                ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
                goto err;
            }
            i = BIO_read(in, &(b->data[len]), (int)want);
            if (i <= 0) {
                ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
                goto err;
            }
            if (i > 0) {
                if (len + i < len) {
                    ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
                    goto err;
                }
                len += i;
                if ((size_t)i < want)
                    continue;
            }
        }
        /* else data already loaded */

        /* make sure there is enough data for a complete header */
        p = (unsigned char *)&(b->data[off]);
        q = p;
        diff = len - off;
        if (diff < 2) {
            /* Failed sanity check */
            ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
            goto err;
        }

        diff--;
        if ((*(q++) & V_ASN1_PRIMITIVE_TAG) == V_ASN1_PRIMITIVE_TAG) {
            unsigned int i = 0;
            /* Multi-byte tag.  See if we have the whole thing yet */
            do {
                if (i > 4) {
                    /* The tag value must fit into int */
                    ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
                    goto err;
                }
                ++i;
                diff--;
            } while (diff > 0 && *(q++) & 0x80);

            if (diff == 0) {
                /*
                 * End of current data, will need at least 1 more byte for
                 * length.  2 if the tag is still incomplete
                 */
                want = q - p + 2;
                if (*q & 0x80) {
                    want++;
                }
                continue;
            }
        }

        /* Check the length.  This should also work for indefinite length */
        diff--;
        if (*q & 0x80) {
            unsigned int i = *q & 0x7f;

            if (i > sizeof(long)) {
                ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
                goto err;
            }
            if (i > diff) {
                want = q - p + i + 1;
                continue;
            }
        }

        /*
         * We have a complete header now, assuming we didn't hit EOF. Parse the
         * tag and length
         */
        q = p;
        diff = len - off;
        inf = ASN1_get_object(&q, &slen, &tag, &xclass, (int)diff);
        if (inf & 0x80) {
            unsigned long e;

            e = ERR_GET_REASON(ERR_peek_last_error());
            if (e != ASN1_R_TOO_LONG)
                goto err;
            ERR_pop_to_mark();
            ERR_set_mark();
        }
        off += q - p; /* end of data */

        if (inf & 1) {
            /* no data body so go round again */
            if (eos == UINT32_MAX) {
                ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
                goto err;
            }
            eos++;
            want = HEADER_SIZE;
        } else if (eos && (slen == 0) && (tag == V_ASN1_EOC)) {
            /* eos value, so go back and read another header */
            eos--;
            if (eos == 0)
                break;
            else
                want = HEADER_SIZE;
        } else {
            /* suck in slen bytes of data */
            want = slen;
            if (want > (len - off)) {
                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;

                want -= (len - off);
                if (want > INT_MAX /* BIO_read takes an int length */ || len + want < len) {
                    ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
                    goto err;
                }
                while (want > 0) {
                    /*
                     * Read content in chunks of increasing size
                     * so we can return an error for EOF without
                     * having to allocate the entire content length
                     * in one go.
                     */
                    size_t chunk = want > chunk_max ? chunk_max : want;
                    int i;

                    if (!BUF_MEM_grow_clean(b, len + chunk)) {
                        ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
                        goto err;
                    }
                    want -= chunk;
                    while (chunk > 0) {
                        i = BIO_read(in, &(b->data[len]), (int)chunk);
                        if (i <= 0) {
                            ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
                            goto err;
                        }
                        /*
                         * This can't overflow because |len+want| didn't
                         * overflow.
                         */
                        len += i;
                        chunk -= i;
                    }
                    if (chunk_max < INT_MAX / 2)
                        chunk_max *= 2;
                }
            }
            if (off + slen < off) {
                ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
                goto err;
            }
            off += slen;
            if (eos == 0) {
                break;
            } else
                want = HEADER_SIZE;
        }
    }

    if (off > INT_MAX) {
        ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
        goto err;
    }

    *pb = b;
    ERR_clear_last_mark();
    return (int)off;
err:
    ERR_clear_last_mark();
    BUF_MEM_free(b);
    return -1;
}

Coverage Report

Created: 2026-05-24 07:14

Line	Count	Source
1		/*
2		* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include <limits.h>
12		#include "internal/cryptlib.h"
13		#include "internal/numbers.h"
14		#include <openssl/buffer.h>
15		#include <openssl/asn1.h>
16		#include "internal/asn1.h"
17		#include "crypto/asn1.h"
18
19		#ifndef NO_OLD_ASN1
20		#ifndef OPENSSL_NO_STDIO
21
22		void ASN1_d2i_fp(void (xnew)(void), d2i_of_void d2i, FILE in, void *x)
23	0	{
24	0	BIO *b;
25	0	void *ret;
26
27	0	if ((b = BIO_new(BIO_s_file())) == NULL) {
28	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
29	0	return NULL;
30	0	}
31	0	BIO_set_fp(b, in, BIO_NOCLOSE);
32	0	ret = ASN1_d2i_bio(xnew, d2i, b, x);
33	0	BIO_free(b);
34	0	return ret;
35	0	}
36		#endif
37
38		void ASN1_d2i_bio(void (xnew)(void), d2i_of_void d2i, BIO in, void *x)
39	0	{
40	0	BUF_MEM *b = NULL;
41	0	const unsigned char *p;
42	0	void *ret = NULL;
43	0	int len;
44
45	0	len = asn1_d2i_read_bio(in, &b);
46	0	if (len < 0)
47	0	goto err;
48
49	0	p = (unsigned char *)b->data;
50	0	ret = d2i(x, &p, len);
51	0	err:
52	0	BUF_MEM_free(b);
53	0	return ret;
54	0	}
55
56		#endif
57
58		void ASN1_item_d2i_bio_ex(const ASN1_ITEM it, BIO in, void x,
59		OSSL_LIB_CTX libctx, const char propq)
60	130k	{
61	130k	BUF_MEM *b = NULL;
62	130k	const unsigned char *p;
63	130k	void *ret = NULL;
64	130k	int len;
65
66	130k	if (in == NULL)
67	0	return NULL;
68	130k	len = asn1_d2i_read_bio(in, &b);
69	130k	if (len < 0)
70	11.4k	goto err;
71
72	119k	p = (const unsigned char *)b->data;
73	119k	ret = ASN1_item_d2i_ex(x, &p, len, it, libctx, propq);
74	130k	err:
75	130k	BUF_MEM_free(b);
76	130k	return ret;
77	119k	}
78
79		void ASN1_item_d2i_bio(const ASN1_ITEM it, BIO in, void x)
80	0	{
81	0	return ASN1_item_d2i_bio_ex(it, in, x, NULL, NULL);
82	0	}
83
84		#ifndef OPENSSL_NO_STDIO
85		void ASN1_item_d2i_fp_ex(const ASN1_ITEM it, FILE in, void x,
86		OSSL_LIB_CTX libctx, const char propq)
87	0	{
88	0	BIO *b;
89	0	char *ret;
90
91	0	if ((b = BIO_new(BIO_s_file())) == NULL) {
92	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
93	0	return NULL;
94	0	}
95	0	BIO_set_fp(b, in, BIO_NOCLOSE);
96	0	ret = ASN1_item_d2i_bio_ex(it, b, x, libctx, propq);
97	0	BIO_free(b);
98	0	return ret;
99	0	}
100
101		void ASN1_item_d2i_fp(const ASN1_ITEM it, FILE in, void x)
102	0	{
103	0	return ASN1_item_d2i_fp_ex(it, in, x, NULL, NULL);
104	0	}
105		#endif
106
107	1.54G	#define HEADER_SIZE 2
108	437M	#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
109		int asn1_d2i_read_bio(BIO in, BUF_MEM *pb)
110	5.58M	{
111	5.58M	BUF_MEM *b;
112	5.58M	unsigned char *p;
113	5.58M	size_t want = HEADER_SIZE;
114	5.58M	uint32_t eos = 0;
115	5.58M	size_t off = 0;
116	5.58M	size_t len = 0;
117	5.58M	size_t diff;
118
119	5.58M	const unsigned char *q;
120	5.58M	long slen;
121	5.58M	int inf, tag, xclass;
122
123	5.58M	b = BUF_MEM_new();
124	5.58M	if (b == NULL) {
125	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
126	0	return -1;
127	0	}
128
129	5.58M	ERR_set_mark();
130	1.57G	for (;;) {
131	1.57G	diff = len - off;
132	1.57G	if (want >= diff) {
133	1.57G	int i;
134
135	1.57G	want -= diff;
136
137	1.57G	if (len + want < len \|\| !BUF_MEM_grow_clean(b, len + want)) {
138	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
139	0	goto err;
140	0	}
141	1.57G	i = BIO_read(in, &(b->data[len]), (int)want);
142	1.57G	if (i <= 0) {
143	264k	ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
144	264k	goto err;
145	264k	}
146	1.57G	if (i > 0) {
147	1.57G	if (len + i < len) {
148	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
149	0	goto err;
150	0	}
151	1.57G	len += i;
152	1.57G	if ((size_t)i < want)
153	79.9k	continue;
154	1.57G	}
155	1.57G	}
156		/* else data already loaded */
157
158		/* make sure there is enough data for a complete header */
159	1.57G	p = (unsigned char *)&(b->data[off]);
160	1.57G	q = p;
161	1.57G	diff = len - off;
162	1.57G	if (diff < 2) {
163		/* Failed sanity check */
164	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
165	0	goto err;
166	0	}
167
168	1.57G	diff--;
169	1.57G	if ((*(q++) & V_ASN1_PRIMITIVE_TAG) == V_ASN1_PRIMITIVE_TAG) {
170	23.6M	unsigned int i = 0;
171		/* Multi-byte tag. See if we have the whole thing yet */
172	28.8M	do {
173	28.8M	if (i > 4) {
174		/* The tag value must fit into int */
175	14.1k	ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
176	14.1k	goto err;
177	14.1k	}
178	28.8M	++i;
179	28.8M	diff--;
180	28.8M	} while (diff > 0 && *(q++) & 0x80);
181
182	23.6M	if (diff == 0) {
183		/*
184		* End of current data, will need at least 1 more byte for
185		* length. 2 if the tag is still incomplete
186		*/
187	12.0M	want = q - p + 2;
188	12.0M	if (*q & 0x80) {
189	3.66M	want++;
190	3.66M	}
191	12.0M	continue;
192	12.0M	}
193	23.6M	}
194
195		/* Check the length. This should also work for indefinite length */
196	1.56G	diff--;
197	1.56G	if (*q & 0x80) {
198	531M	unsigned int i = *q & 0x7f;
199
200	531M	if (i > sizeof(long)) {
201	82.9k	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
202	82.9k	goto err;
203	82.9k	}
204	531M	if (i > diff) {
205	20.0M	want = q - p + i + 1;
206	20.0M	continue;
207	20.0M	}
208	531M	}
209
210		/*
211		* We have a complete header now, assuming we didn't hit EOF. Parse the
212		* tag and length
213		*/
214	1.54G	q = p;
215	1.54G	diff = len - off;
216	1.54G	inf = ASN1_get_object(&q, &slen, &tag, &xclass, (int)diff);
217	1.54G	if (inf & 0x80) {
218	437M	unsigned long e;
219
220	437M	e = ERR_GET_REASON(ERR_peek_last_error());
221	437M	if (e != ASN1_R_TOO_LONG)
222	23.2k	goto err;
223	437M	ERR_pop_to_mark();
224	437M	ERR_set_mark();
225	437M	}
226	1.54G	off += q - p; /* end of data */
227
228	1.54G	if (inf & 1) {
229		/* no data body so go round again */
230	491M	if (eos == UINT32_MAX) {
231	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_HEADER_TOO_LONG);
232	0	goto err;
233	0	}
234	491M	eos++;
235	491M	want = HEADER_SIZE;
236	1.05G	} else if (eos && (slen == 0) && (tag == V_ASN1_EOC)) {
237		/* eos value, so go back and read another header */
238	115M	eos--;
239	115M	if (eos == 0)
240	2.87M	break;
241	112M	else
242	112M	want = HEADER_SIZE;
243	935M	} else {
244		/* suck in slen bytes of data */
245	935M	want = slen;
246	935M	if (want > (len - off)) {
247	437M	size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
248
249	437M	want -= (len - off);
250	437M	if (want > INT_MAX /* BIO_read takes an int length */ \|\| len + want < len) {
251	48.1k	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
252	48.1k	goto err;
253	48.1k	}
254	874M	while (want > 0) {
255		/*
256		* Read content in chunks of increasing size
257		* so we can return an error for EOF without
258		* having to allocate the entire content length
259		* in one go.
260		*/
261	437M	size_t chunk = want > chunk_max ? chunk_max : want;
262	437M	int i;
263
264	437M	if (!BUF_MEM_grow_clean(b, len + chunk)) {
265	0	ERR_raise(ERR_LIB_ASN1, ERR_R_BUF_LIB);
266	0	goto err;
267	0	}
268	437M	want -= chunk;
269	875M	while (chunk > 0) {
270	437M	i = BIO_read(in, &(b->data[len]), (int)chunk);
271	437M	if (i <= 0) {
272	222k	ERR_raise(ERR_LIB_ASN1, ASN1_R_NOT_ENOUGH_DATA);
273	222k	goto err;
274	222k	}
275		/*
276		* This can't overflow because \|len+want\| didn't
277		* overflow.
278		*/
279	437M	len += i;
280	437M	chunk -= i;
281	437M	}
282	437M	if (chunk_max < INT_MAX / 2)
283	437M	chunk_max *= 2;
284	437M	}
285	437M	}
286	934M	if (off + slen < off) {
287	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
288	0	goto err;
289	0	}
290	934M	off += slen;
291	934M	if (eos == 0) {
292	2.04M	break;
293	2.04M	} else
294	932M	want = HEADER_SIZE;
295	934M	}
296	1.54G	}
297
298	4.92M	if (off > INT_MAX) {
299	0	ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
300	0	goto err;
301	0	}
302
303	4.92M	*pb = b;
304	4.92M	ERR_clear_last_mark();
305	4.92M	return (int)off;
306	655k	err:
307	655k	ERR_clear_last_mark();
308	655k	BUF_MEM_free(b);
309	655k	return -1;
310	4.92M	}