#include <openssl/crypto.h>
#include <openssl/bn.h>
-#include "internal/asn1_dsa.h"
+#include "crypto/asn1_dsa.h"
+#include "internal/packet.h"
#define ID_SEQUENCE 0x30
#define ID_INTEGER 0x02
/*
* Outputs the encoding of the length octets for a DER value with a content
- * length of cont_len bytes to *ppout and, if successful, increments *ppout
- * past the data just written.
+ * length of cont_len bytes to pkt. The maximum supported content length is
+ * 65535 (0xffff) bytes.
*
- * The maximum supported content length is 65535 (0xffff) bytes.
- * The maximum returned length in bytes of the encoded output is 3.
- *
- * If ppout is NULL then the output size is calculated and returned but no
- * output is produced.
- * If ppout is not NULL then *ppout must not be NULL.
- *
- * An attempt to produce more than len bytes results in an error.
- * Returns the number of bytes of output produced (or that would be produced)
- * or 0 if an error occurs.
+ * Returns 1 on success or 0 on error.
*/
-size_t encode_der_length(size_t cont_len, unsigned char **ppout, size_t len)
+int encode_der_length(WPACKET *pkt, size_t cont_len)
{
- size_t encoded_len;
+ if (cont_len > 0xffff)
+ return 0; /* Too large for supported length encodings */
- if (cont_len <= 0x7f) {
- encoded_len = 1;
- } else if (cont_len <= 0xff) {
- encoded_len = 2;
- } else if (cont_len <= 0xffff) {
- encoded_len = 3;
+ if (cont_len > 0xff) {
+ if (!WPACKET_put_bytes_u8(pkt, 0x82)
+ || !WPACKET_put_bytes_u16(pkt, cont_len))
+ return 0;
} else {
- /* Too large for supported length encodings */
- return 0;
- }
- if (encoded_len > len)
- return 0;
- if (ppout != NULL) {
- unsigned char *out = *ppout;
- switch (encoded_len) {
- case 2:
- *out++ = 0x81;
- break;
- case 3:
- *out++ = 0x82;
- *out++ = (unsigned char)(cont_len >> 8);
- break;
- }
- *out++ = (unsigned char)cont_len;
- *ppout = out;
+ if (cont_len > 0x7f
+ && !WPACKET_put_bytes_u8(pkt, 0x81))
+ return 0;
+ if (!WPACKET_put_bytes_u8(pkt, cont_len))
+ return 0;
}
- return encoded_len;
+
+ return 1;
}
/*
- * Outputs the DER encoding of a positive ASN.1 INTEGER to *ppout and, if
- * successful, increments *ppout past the data just written.
+ * Outputs the DER encoding of a positive ASN.1 INTEGER to pkt.
*
- * If n is negative then an error results.
- * If ppout is NULL then the output size is calculated and returned but no
- * output is produced.
- * If ppout is not NULL then *ppout must not be NULL.
+ * Results in an error if n is negative or too large.
*
- * An attempt to produce more than len bytes results in an error.
- * Returns the number of bytes of output produced (or that would be produced)
- * or 0 if an error occurs.
+ * Returns 1 on success or 0 on error.
*/
-size_t encode_der_integer(const BIGNUM *n, unsigned char **ppout, size_t len)
+int encode_der_integer(WPACKET *pkt, const BIGNUM *n)
{
- unsigned char *out = NULL;
- unsigned char **pp = NULL;
- size_t produced;
- size_t c;
+ unsigned char *bnbytes;
size_t cont_len;
- if (len < 1 || BN_is_negative(n))
+ if (BN_is_negative(n))
return 0;
/*
*/
cont_len = BN_num_bits(n) / 8 + 1;
- if (ppout != NULL) {
- out = *ppout;
- pp = &out;
- *out++ = ID_INTEGER;
- }
- produced = 1;
- if ((c = encode_der_length(cont_len, pp, len - produced)) == 0)
+ if (!WPACKET_start_sub_packet(pkt)
+ || !WPACKET_put_bytes_u8(pkt, ID_INTEGER)
+ || !encode_der_length(pkt, cont_len)
+ || !WPACKET_allocate_bytes(pkt, cont_len, &bnbytes)
+ || !WPACKET_close(pkt))
return 0;
- produced += c;
- if (cont_len > len - produced)
+
+ if (bnbytes != NULL
+ && BN_bn2binpad(n, bnbytes, (int)cont_len) != (int)cont_len)
return 0;
- if (pp != NULL) {
- if (BN_bn2binpad(n, out, (int)cont_len) != (int)cont_len)
- return 0;
- out += cont_len;
- *ppout = out;
- }
- produced += cont_len;
- return produced;
+
+ return 1;
}
/*
- * Outputs the DER encoding of a DSA-Sig-Value or ECDSA-Sig-Value to *ppout
- * and increments *ppout past the data just written.
- *
- * If ppout is NULL then the output size is calculated and returned but no
- * output is produced.
- * If ppout is not NULL then *ppout must not be NULL.
+ * Outputs the DER encoding of a DSA-Sig-Value or ECDSA-Sig-Value to pkt. pkt
+ * may be initialised with a NULL buffer which enables pkt to be used to
+ * calculate how many bytes would be needed.
*
- * An attempt to produce more than len bytes results in an error.
- * Returns the number of bytes of output produced (or that would be produced)
- * or 0 if an error occurs.
+ * Returns 1 on success or 0 on error.
*/
-size_t encode_der_dsa_sig(const BIGNUM *r, const BIGNUM *s,
- unsigned char **ppout, size_t len)
+int encode_der_dsa_sig(WPACKET *pkt, const BIGNUM *r, const BIGNUM *s)
{
- unsigned char *out = NULL;
- unsigned char **pp = NULL;
- size_t produced;
- size_t c;
- size_t r_der_len;
- size_t s_der_len;
+ WPACKET tmppkt, *dummypkt;
size_t cont_len;
+ int isnull = WPACKET_is_null_buf(pkt);
- if (len < 1
- || (r_der_len = encode_der_integer(r, NULL, SIZE_MAX)) == 0
- || (s_der_len = encode_der_integer(s, NULL, SIZE_MAX)) == 0)
+ if (!WPACKET_start_sub_packet(pkt))
return 0;
- cont_len = r_der_len + s_der_len;
-
- if (ppout != NULL) {
- out = *ppout;
- pp = &out;
- *out++ = ID_SEQUENCE;
+ if (!isnull) {
+ if (!WPACKET_init_null(&tmppkt, 0))
+ return 0;
+ dummypkt = &tmppkt;
+ } else {
+ /* If the input packet has a NULL buffer, we don't need a dummy packet */
+ dummypkt = pkt;
}
- produced = 1;
- if ((c = encode_der_length(cont_len, pp, len - produced)) == 0)
- return 0;
- produced += c;
- if ((c = encode_der_integer(r, pp, len - produced)) == 0)
+
+ /* Calculate the content length */
+ if (!encode_der_integer(dummypkt, r)
+ || !encode_der_integer(dummypkt, s)
+ || !WPACKET_get_length(dummypkt, &cont_len)
+ || (!isnull && !WPACKET_finish(dummypkt))) {
+ if (!isnull)
+ WPACKET_cleanup(dummypkt);
return 0;
- produced += c;
- if ((c = encode_der_integer(s, pp, len - produced)) == 0)
+ }
+
+ /* Add the tag and length bytes */
+ if (!WPACKET_put_bytes_u8(pkt, ID_SEQUENCE)
+ || !encode_der_length(pkt, cont_len)
+ /*
+ * Really encode the integers. We already wrote to the main pkt
+ * if it had a NULL buffer, so don't do it again
+ */
+ || (!isnull && !encode_der_integer(pkt, r))
+ || (!isnull && !encode_der_integer(pkt, s))
+ || !WPACKET_close(pkt))
return 0;
- produced += c;
- if (pp != NULL)
- *ppout = out;
- return produced;
+
+ return 1;
}
/*
- * Decodes the DER length octets at *ppin, stores the decoded length to
- * *pcont_len and, if successful, increments *ppin past the data that was
- * consumed.
- *
- * pcont_len, ppin and *ppin must not be NULL.
+ * Decodes the DER length octets in pkt and initialises subpkt with the
+ * following bytes of that length.
*
- * An attempt to consume more than len bytes results in an error.
- * Returns the number of bytes of input consumed or 0 if an error occurs.
+ * Returns 1 on success or 0 on failure.
*/
-size_t decode_der_length(size_t *pcont_len, const unsigned char **ppin,
- size_t len)
+int decode_der_length(PACKET *pkt, PACKET *subpkt)
{
- const unsigned char *in = *ppin;
- size_t consumed;
- size_t n;
+ unsigned int byte;
- if (len < 1)
+ if (!PACKET_get_1(pkt, &byte))
return 0;
- n = *in++;
- consumed = 1;
- if (n > 0x7f) {
- if (n == 0x81 && len - consumed >= 1) {
- n = *in++;
- if (n <= 0x7f)
- return 0; /* Not DER. */
- ++consumed;
- } else if (n == 0x82 && len - consumed >= 2) {
- n = *in++ << 8;
- n |= *in++;
- if (n <= 0xff)
- return 0; /* Not DER. */
- consumed += 2;
- } else {
- return 0; /* Too large, invalid, or not DER. */
- }
- }
- *pcont_len = n;
- *ppin = in;
- return consumed;
+
+ if (byte < 0x80)
+ return PACKET_get_sub_packet(pkt, subpkt, (size_t)byte);
+ if (byte == 0x81)
+ return PACKET_get_length_prefixed_1(pkt, subpkt);
+ if (byte == 0x82)
+ return PACKET_get_length_prefixed_2(pkt, subpkt);
+
+ /* Too large, invalid, or not DER. */
+ return 0;
}
/*
- * Decodes a single ASN.1 INTEGER value from *ppin, which must be DER encoded,
- * updates n with the decoded value, and, if successful, increments *ppin past
- * the data that was consumed.
+ * Decodes a single ASN.1 INTEGER value from pkt, which must be DER encoded,
+ * and updates n with the decoded value.
*
* The BIGNUM, n, must have already been allocated by calling BN_new().
- * ppin and *ppin must not be NULL.
+ * pkt must not be NULL.
*
* An attempt to consume more than len bytes results in an error.
- * Returns the number of bytes of input consumed or 0 if an error occurs.
+ * Returns 1 on success or 0 on error.
*
- * If the buffer is supposed to only contain a single INTEGER value with no
+ * If the PACKET is supposed to only contain a single INTEGER value with no
* trailing garbage then it is up to the caller to verify that all bytes
* were consumed.
*/
-size_t decode_der_integer(BIGNUM *n, const unsigned char **ppin, size_t len)
+int decode_der_integer(PACKET *pkt, BIGNUM *n)
{
- const unsigned char *in = *ppin;
- size_t consumed;
- size_t c;
- size_t cont_len;
+ PACKET contpkt, tmppkt;
+ unsigned int tag, tmp;
- if (len < 1 || n == NULL || *in++ != ID_INTEGER)
+ /* Check we have an integer and get the content bytes */
+ if (!PACKET_get_1(pkt, &tag)
+ || tag != ID_INTEGER
+ || !decode_der_length(pkt, &contpkt))
return 0;
- consumed = 1;
- if ((c = decode_der_length(&cont_len, &in, len - consumed)) == 0)
- return 0;
- consumed += c;
- /* Check for a positive INTEGER with valid content encoding and decode. */
- if (cont_len > len - consumed || cont_len < 1 || (in[0] & 0x80) != 0
- || (cont_len >= 2 && in[0] == 0 && (in[1] & 0x80) == 0)
- || BN_bin2bn(in, (int)cont_len, n) == NULL)
- return 0;
- in += cont_len;
- consumed += cont_len;
- *ppin = in;
- return consumed;
-}
-
-static size_t decode_dsa_sig_content(BIGNUM *r, BIGNUM *s,
- const unsigned char **ppin, size_t len)
-{
- const unsigned char *in = *ppin;
- size_t consumed = 0;
- size_t c;
- if ((c = decode_der_integer(r, &in, len - consumed)) == 0)
+ /* Peek ahead at the first bytes to check for proper encoding */
+ tmppkt = contpkt;
+ /* The INTEGER must be positive */
+ if (!PACKET_get_1(&tmppkt, &tmp)
+ || (tmp & 0x80) != 0)
return 0;
- consumed += c;
- if ((c = decode_der_integer(s, &in, len - consumed)) == 0)
+ /* If there a zero padding byte the next byte must have the msb set */
+ if (PACKET_remaining(&tmppkt) > 0 && tmp == 0) {
+ if (!PACKET_get_1(&tmppkt, &tmp)
+ || (tmp & 0x80) == 0)
+ return 0;
+ }
+
+ if (BN_bin2bn(PACKET_data(&contpkt),
+ (int)PACKET_remaining(&contpkt), n) == NULL)
return 0;
- consumed += c;
- *ppin = in;
- return consumed;
+
+ return 1;
}
/*
size_t decode_der_dsa_sig(BIGNUM *r, BIGNUM *s, const unsigned char **ppin,
size_t len)
{
- const unsigned char *in = *ppin;
size_t consumed;
- size_t c;
- size_t cont_len;
+ PACKET pkt, contpkt;
+ unsigned int tag;
- if (len < 1 || *in++ != ID_SEQUENCE)
+ if (!PACKET_buf_init(&pkt, *ppin, len)
+ || !PACKET_get_1(&pkt, &tag)
+ || tag != ID_SEQUENCE
+ || !decode_der_length(&pkt, &contpkt)
+ || !decode_der_integer(&contpkt, r)
+ || !decode_der_integer(&contpkt, s)
+ || PACKET_remaining(&contpkt) != 0)
return 0;
- consumed = 1;
- if ((c = decode_der_length(&cont_len, &in, len - consumed)) == 0)
- return 0;
- consumed += c;
- if (cont_len > len - consumed
- || (c = decode_dsa_sig_content(r, s, &in, cont_len)) == 0
- || c != cont_len)
- return 0;
- consumed += c;
- *ppin = in;
+
+ consumed = PACKET_data(&pkt) - *ppin;
+ *ppin += consumed;
return consumed;
}
projects / openssl.git / blobdiff