authordoug <>2015-06-13 09:16:42 +0000
committerdoug <>2015-06-13 09:16:42 +0000
commitfadd4ace92124dcbfa36fd97cb37e60b63a399fb (patch)
treea27b9ffad4907a498705967e72ae3f35806d8f93 /src
parent07704d0548b532c528371e46172c816801fe6b6d (diff)
Explain the ASN.1 restriction that requires extra logic for encoding.
ok miod@ jsing@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/bs_cbb.c20
-rw-r--r--src/lib/libssl/src/ssl/bs_cbb.c20
2 files changed, 36 insertions, 4 deletions
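--- a/src/lib/libssl/bs_cbb.c
+++ b/src/lib/libssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bs_cbb.c,v 1.9 2015/06/13 09:11:57 doug Exp $ */
+/* $OpenBSD: bs_cbb.c,v 1.10 2015/06/13 09:16:42 doug Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -370,7 +370,23 @@ CBB_add_asn1_uint64(CBB *cbb, uint64_t value)
  return 0;
 
  for (i = 0; i < 8; i++) {
- uint8_t byte = (value >> 8*(7-i)) & 0xff;
+ uint8_t byte = (value >> 8 * (7 - i)) & 0xff;
+
+ /*
+ * ASN.1 restriction: first 9 bits cannot be all zeroes or
+ * all ones. Since this function only encodes unsigned
+ * integers, the only concerns are not encoding leading
+ * zeros and adding a padding byte if necessary.
+ *
+ * In practice, this means:
+ * 1) Skip leading octets of all zero bits in the value
+ * 2) After skipping the leading zero octets, if the next 9
+ * bits are all ones, add an all zero prefix octet (and
+ * set the high bit of the prefix octet if negative).
+ *
+ * Additionally, for an unsigned value, add an all zero
+ * prefix if the high bit of the first octet would be one.
+ */
  if (!started) {
  if (byte == 0)
  /* Don't encode leading zeros. */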
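Review bot: Item 2 of the comment added in CBB_add_asn1_uint64 mixes the signed-integer rule into an encoder that, by the comment's own words, only handles unsigned values: the parenthetical about setting the high bit of the prefix octet "if negative" cannot apply to a uint64_t, and nine leading one bits is only a special case of the high-bit rule given in the final paragraph. Since a non-minimal or sign-ambiguous INTEGER is what strict ASN.1 decoders reject (presumably DER here), the comment should state the single rule the loop must enforce, for example `2) If the first non-zero octet has its high bit set, emit one 0x00 prefix octet so the INTEGER is not read as negative.`, and drop the "Additionally" paragraph. The comment would also sit better above the `for` loop than inside its body, where it reads as if it applied to every iteration. The same text is added to src/lib/libssl/src/ssl/bs_cbb.c, and the rest of the function, including the code that emits the prefix octet, lies outside the hunk.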
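--- a/src/lib/libssl/src/ssl/bs_cbb.c
+++ b/src/lib/libssl/src/ssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bs_cbb.c,v 1.9 2015/06/13 09:11:57 doug Exp $ */
+/* $OpenBSD: bs_cbb.c,v 1.10 2015/06/13 09:16:42 doug Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -370,7 +370,23 @@ CBB_add_asn1_uint64(CBB *cbb, uint64_t value)
  return 0;
 
  for (i = 0; i < 8; i++) {
- uint8_t byte = (value >> 8*(7-i)) & 0xff;
+ uint8_t byte = (value >> 8 * (7 - i)) & 0xff;
+
+ /*
+ * ASN.1 restriction: first 9 bits cannot be all zeroes or
+ * all ones. Since this function only encodes unsigned
+ * integers, the only concerns are not encoding leading
+ * zeros and adding a padding byte if necessary.
+ *
+ * In practice, this means:
+ * 1) Skip leading octets of all zero bits in the value
+ * 2) After skipping the leading zero octets, if the next 9
+ * bits are all ones, add an all zero prefix octet (and
+ * set the high bit of the prefix octet if negative).
+ *
+ * Additionally, for an unsigned value, add an all zero
+ * prefix if the high bit of the first octet would be one.
+ */
  if (!started) {
  if (byte == 0)
  /* Don't encode leading zeros. */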