1 files changed, 34 insertions, 21 deletions
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index d475c99676..76dceaabef 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.49 2022/03/13 14:58:14 jsing Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.50 2022/04/23 18:47:08 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -95,8 +95,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in,
 static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in,
    long len, const ASN1_ITEM *it, int tag, int aclass, char opt,
    ASN1_TLC *ctx);
-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len,
+static int asn1_ex_c2i(ASN1_VALUE **pval, CBS *content, int utype,
-    int utype, const ASN1_ITEM *it);
+    const ASN1_ITEM *it);
 static void
 asn1_tlc_invalidate(ASN1_TLC *ctx)
@@ -669,6 +669,7 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long inlen,
        const unsigned char *content = NULL;
        uint8_t *data = NULL;
        size_t data_len = 0;
+        CBS cbs;
        CBB cbb;
        long len;
@@ -771,7 +772,10 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long inlen,
        }
        /* We now have content length and type: translate into a structure */
-        if (!asn1_ex_c2i(pval, content, len, utype, it))
+        if (len < 0)
+                goto err;
+        CBS_init(&cbs, content, len);
+        if (!asn1_ex_c2i(pval, &cbs, utype, it))
                goto err;
        *in = p;
@@ -784,25 +788,31 @@ asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long inlen,
        return ret;
 }
-/* Translate ASN1 content octets into a structure */
+/* Translate ASN.1 content octets into a structure. */
 static int
-asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype,
+asn1_ex_c2i(ASN1_VALUE **pval, CBS *content, int utype, const ASN1_ITEM *it)
-    const ASN1_ITEM *it)
 {
        ASN1_VALUE **opval = NULL;
        ASN1_STRING *stmp;
        ASN1_TYPE *typ = NULL;
        ASN1_INTEGER **tint;
+        ASN1_BOOLEAN *tbool;
+        const uint8_t *p;
+        uint8_t u8val;
        int ret = 0;
+        if (CBS_len(content) > INT_MAX)
+                return 0;
        if (it->funcs != NULL) {
                const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
                char free_content = 0;
                if (pf->prim_c2i == NULL)
                        return 0;
-                return pf->prim_c2i(pval, content, len, utype, &free_content, it);
+                return pf->prim_c2i(pval, CBS_data(content), CBS_len(content),
+                    utype, &free_content, it);
        }
        /* If ANY type clear type and set pointer to internal value */
@@ -822,12 +832,12 @@ asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype,
        }
        switch (utype) {
        case V_ASN1_OBJECT:
-                if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &content, len))
+                if (!c2i_ASN1_OBJECT_cbs((ASN1_OBJECT **)pval, content))
                        goto err;
                break;
        case V_ASN1_NULL:
-                if (len) {
+                if (CBS_len(content) != 0) {
                        ASN1error(ASN1_R_NULL_IS_WRONG_LENGTH);
                        goto err;
                }
@@ -835,25 +845,28 @@ asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype,
                break;
        case V_ASN1_BOOLEAN:
-                if (len != 1) {
+                tbool = (ASN1_BOOLEAN *)pval;
+                if (CBS_len(content) != 1) {
                        ASN1error(ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
                        goto err;
-                } else {
-                        ASN1_BOOLEAN *tbool;
-                        tbool = (ASN1_BOOLEAN *)pval;
-                        *tbool = *content;
                }
+                if (!CBS_get_u8(content, &u8val))
+                        goto err;
+                *tbool = u8val;
                break;
        case V_ASN1_BIT_STRING:
-                if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &content, len))
+                p = CBS_data(content);
+                if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &p,
+                    CBS_len(content)))
                        goto err;
                break;
        case V_ASN1_INTEGER:
        case V_ASN1_ENUMERATED:
                tint = (ASN1_INTEGER **)pval;
-                if (!c2i_ASN1_INTEGER(tint, &content, len))
+                p = CBS_data(content);
+                if (!c2i_ASN1_INTEGER(tint, &p, CBS_len(content)))
                        goto err;
                /* Fixup type to match the expected form */
                (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
@@ -877,11 +890,11 @@ asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype,
        case V_ASN1_SET:
        case V_ASN1_SEQUENCE:
        default:
-                if (utype == V_ASN1_BMPSTRING && (len & 1)) {
+                if (utype == V_ASN1_BMPSTRING && (CBS_len(content) & 1)) {
                        ASN1error(ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
                        goto err;
                }
-                if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) {
+                if (utype == V_ASN1_UNIVERSALSTRING && (CBS_len(content) & 3)) {
                        ASN1error(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
                        goto err;
                }
@@ -896,7 +909,7 @@ asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype,
                        stmp = (ASN1_STRING *)*pval;
                        stmp->type = utype;
                }
-                if (!ASN1_STRING_set(stmp, content, len)) {
+                if (!ASN1_STRING_set(stmp, CBS_data(content), CBS_len(content))) {
                        ASN1_STRING_free(stmp);
                        *pval = NULL;
                        goto err;

diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c index d475c99676..76dceaabef 100644 --- a/src/lib/libcrypto/asn1/tasn_dec.c +++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tasn_dec.c,v 1.49 2022/03/13 14:58:14 jsing Exp $ */	1	/* $OpenBSD: tasn_dec.c,v 1.50 2022/04/23 18:47:08 jsing Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2000.	3	* project 2000.
4	*/	4	*/
@@ -95,8 +95,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE val, const unsigned char in,
95	static int asn1_d2i_ex_primitive(ASN1_VALUE pval, const unsigned char in,	95	static int asn1_d2i_ex_primitive(ASN1_VALUE pval, const unsigned char in,
96	long len, const ASN1_ITEM *it, int tag, int aclass, char opt,	96	long len, const ASN1_ITEM *it, int tag, int aclass, char opt,
97	ASN1_TLC *ctx);	97	ASN1_TLC *ctx);
98	static int asn1_ex_c2i(ASN1_VALUE *pval, const unsigned char content, int len,	98	static int asn1_ex_c2i(ASN1_VALUE *pval, CBS content, int utype,
99	int utype, const ASN1_ITEM *it);	99	const ASN1_ITEM *it);
100		100
101	static void	101	static void
102	asn1_tlc_invalidate(ASN1_TLC *ctx)	102	asn1_tlc_invalidate(ASN1_TLC *ctx)
@@ -669,6 +669,7 @@ asn1_d2i_ex_primitive(ASN1_VALUE pval, const unsigned char in, long inlen,
669	const unsigned char *content = NULL;	669	const unsigned char *content = NULL;
670	uint8_t *data = NULL;	670	uint8_t *data = NULL;
671	size_t data_len = 0;	671	size_t data_len = 0;
		672	CBS cbs;
672	CBB cbb;	673	CBB cbb;
673	long len;	674	long len;
674		675
@@ -771,7 +772,10 @@ asn1_d2i_ex_primitive(ASN1_VALUE pval, const unsigned char in, long inlen,
771	}	772	}
772		773
773	/* We now have content length and type: translate into a structure */	774	/* We now have content length and type: translate into a structure */
774	if (!asn1_ex_c2i(pval, content, len, utype, it))	775	if (len < 0)
		776	goto err;
		777	CBS_init(&cbs, content, len);
		778	if (!asn1_ex_c2i(pval, &cbs, utype, it))
775	goto err;	779	goto err;
776		780
777	*in = p;	781	*in = p;
@@ -784,25 +788,31 @@ asn1_d2i_ex_primitive(ASN1_VALUE pval, const unsigned char in, long inlen,
784	return ret;	788	return ret;
785	}	789	}
786		790
787	/* Translate ASN1 content octets into a structure */	791	/* Translate ASN.1 content octets into a structure. */
788
789	static int	792	static int
790	asn1_ex_c2i(ASN1_VALUE *pval, const unsigned char content, int len, int utype,	793	asn1_ex_c2i(ASN1_VALUE *pval, CBS content, int utype, const ASN1_ITEM *it)
791	const ASN1_ITEM *it)
792	{	794	{
793	ASN1_VALUE **opval = NULL;	795	ASN1_VALUE **opval = NULL;
794	ASN1_STRING *stmp;	796	ASN1_STRING *stmp;
795	ASN1_TYPE *typ = NULL;	797	ASN1_TYPE *typ = NULL;
796	ASN1_INTEGER **tint;	798	ASN1_INTEGER **tint;
		799	ASN1_BOOLEAN *tbool;
		800	const uint8_t *p;
		801	uint8_t u8val;
797	int ret = 0;	802	int ret = 0;
798		803
		804	if (CBS_len(content) > INT_MAX)
		805	return 0;
		806
799	if (it->funcs != NULL) {	807	if (it->funcs != NULL) {
800	const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;	808	const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
801	char free_content = 0;	809	char free_content = 0;
802		810
803	if (pf->prim_c2i == NULL)	811	if (pf->prim_c2i == NULL)
804	return 0;	812	return 0;
805	return pf->prim_c2i(pval, content, len, utype, &free_content, it);	813
		814	return pf->prim_c2i(pval, CBS_data(content), CBS_len(content),
		815	utype, &free_content, it);
806	}	816	}
807		817
808	/* If ANY type clear type and set pointer to internal value */	818	/* If ANY type clear type and set pointer to internal value */
@@ -822,12 +832,12 @@ asn1_ex_c2i(ASN1_VALUE *pval, const unsigned char content, int len, int utype,
822	}	832	}
823	switch (utype) {	833	switch (utype) {
824	case V_ASN1_OBJECT:	834	case V_ASN1_OBJECT:
825	if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &content, len))	835	if (!c2i_ASN1_OBJECT_cbs((ASN1_OBJECT **)pval, content))
826	goto err;	836	goto err;
827	break;	837	break;
828		838
829	case V_ASN1_NULL:	839	case V_ASN1_NULL:
830	if (len) {	840	if (CBS_len(content) != 0) {
831	ASN1error(ASN1_R_NULL_IS_WRONG_LENGTH);	841	ASN1error(ASN1_R_NULL_IS_WRONG_LENGTH);
832	goto err;	842	goto err;
833	}	843	}
@@ -835,25 +845,28 @@ asn1_ex_c2i(ASN1_VALUE *pval, const unsigned char content, int len, int utype,
835	break;	845	break;
836		846
837	case V_ASN1_BOOLEAN:	847	case V_ASN1_BOOLEAN:
838	if (len != 1) {	848	tbool = (ASN1_BOOLEAN *)pval;
		849	if (CBS_len(content) != 1) {
839	ASN1error(ASN1_R_BOOLEAN_IS_WRONG_LENGTH);	850	ASN1error(ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
840	goto err;	851	goto err;
841	} else {
842	ASN1_BOOLEAN *tbool;
843	tbool = (ASN1_BOOLEAN *)pval;
844	tbool = content;
845	}	852	}
		853	if (!CBS_get_u8(content, &u8val))
		854	goto err;
		855	*tbool = u8val;
846	break;	856	break;
847		857
848	case V_ASN1_BIT_STRING:	858	case V_ASN1_BIT_STRING:
849	if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &content, len))	859	p = CBS_data(content);
		860	if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &p,
		861	CBS_len(content)))
850	goto err;	862	goto err;
851	break;	863	break;
852		864
853	case V_ASN1_INTEGER:	865	case V_ASN1_INTEGER:
854	case V_ASN1_ENUMERATED:	866	case V_ASN1_ENUMERATED:
855	tint = (ASN1_INTEGER **)pval;	867	tint = (ASN1_INTEGER **)pval;
856	if (!c2i_ASN1_INTEGER(tint, &content, len))	868	p = CBS_data(content);
		869	if (!c2i_ASN1_INTEGER(tint, &p, CBS_len(content)))
857	goto err;	870	goto err;
858	/* Fixup type to match the expected form */	871	/* Fixup type to match the expected form */
859	(tint)->type = utype \| ((tint)->type & V_ASN1_NEG);	872	(tint)->type = utype \| ((tint)->type & V_ASN1_NEG);
@@ -877,11 +890,11 @@ asn1_ex_c2i(ASN1_VALUE *pval, const unsigned char content, int len, int utype,
877	case V_ASN1_SET:	890	case V_ASN1_SET:
878	case V_ASN1_SEQUENCE:	891	case V_ASN1_SEQUENCE:
879	default:	892	default:
880	if (utype == V_ASN1_BMPSTRING && (len & 1)) {	893	if (utype == V_ASN1_BMPSTRING && (CBS_len(content) & 1)) {
881	ASN1error(ASN1_R_BMPSTRING_IS_WRONG_LENGTH);	894	ASN1error(ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
882	goto err;	895	goto err;
883	}	896	}
884	if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) {	897	if (utype == V_ASN1_UNIVERSALSTRING && (CBS_len(content) & 3)) {
885	ASN1error(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);	898	ASN1error(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
886	goto err;	899	goto err;
887	}	900	}
@@ -896,7 +909,7 @@ asn1_ex_c2i(ASN1_VALUE *pval, const unsigned char content, int len, int utype,
896	stmp = (ASN1_STRING )pval;	909	stmp = (ASN1_STRING )pval;
897	stmp->type = utype;	910	stmp->type = utype;
898	}	911	}
899	if (!ASN1_STRING_set(stmp, content, len)) {	912	if (!ASN1_STRING_set(stmp, CBS_data(content), CBS_len(content))) {
900	ASN1_STRING_free(stmp);	913	ASN1_STRING_free(stmp);
901	*pval = NULL;	914	*pval = NULL;
902	goto err;	915	goto err;