2019-05-20 11:08:01 -06:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2012-09-24 10:11:16 -06:00
|
|
|
/* Decoder for ASN.1 BER/DER/CER encoded bytestream
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
|
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/export.h>
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/errno.h>
|
2016-04-29 08:48:08 -06:00
|
|
|
#include <linux/module.h>
|
2012-09-24 10:11:16 -06:00
|
|
|
#include <linux/asn1_decoder.h>
|
|
|
|
|
#include <linux/asn1_ber_bytecode.h>
|
|
|
|
|
|
|
|
|
|
static const unsigned char asn1_op_lengths[ASN1_OP__NR] = {
|
|
|
|
|
/* OPC TAG JMP ACT */
|
|
|
|
|
[ASN1_OP_MATCH] = 1 + 1,
|
|
|
|
|
[ASN1_OP_MATCH_OR_SKIP] = 1 + 1,
|
|
|
|
|
[ASN1_OP_MATCH_ACT] = 1 + 1 + 1,
|
|
|
|
|
[ASN1_OP_MATCH_ACT_OR_SKIP] = 1 + 1 + 1,
|
|
|
|
|
[ASN1_OP_MATCH_JUMP] = 1 + 1 + 1,
|
|
|
|
|
[ASN1_OP_MATCH_JUMP_OR_SKIP] = 1 + 1 + 1,
|
|
|
|
|
[ASN1_OP_MATCH_ANY] = 1,
|
2015-08-05 05:54:46 -06:00
|
|
|
[ASN1_OP_MATCH_ANY_OR_SKIP] = 1,
|
2012-09-24 10:11:16 -06:00
|
|
|
[ASN1_OP_MATCH_ANY_ACT] = 1 + 1,
|
2015-08-05 05:54:46 -06:00
|
|
|
[ASN1_OP_MATCH_ANY_ACT_OR_SKIP] = 1 + 1,
|
2012-09-24 10:11:16 -06:00
|
|
|
[ASN1_OP_COND_MATCH_OR_SKIP] = 1 + 1,
|
|
|
|
|
[ASN1_OP_COND_MATCH_ACT_OR_SKIP] = 1 + 1 + 1,
|
|
|
|
|
[ASN1_OP_COND_MATCH_JUMP_OR_SKIP] = 1 + 1 + 1,
|
|
|
|
|
[ASN1_OP_COND_MATCH_ANY] = 1,
|
2015-08-05 05:54:46 -06:00
|
|
|
[ASN1_OP_COND_MATCH_ANY_OR_SKIP] = 1,
|
2012-09-24 10:11:16 -06:00
|
|
|
[ASN1_OP_COND_MATCH_ANY_ACT] = 1 + 1,
|
2015-08-05 05:54:46 -06:00
|
|
|
[ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP] = 1 + 1,
|
2012-09-24 10:11:16 -06:00
|
|
|
[ASN1_OP_COND_FAIL] = 1,
|
|
|
|
|
[ASN1_OP_COMPLETE] = 1,
|
|
|
|
|
[ASN1_OP_ACT] = 1 + 1,
|
ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
In an ASN.1 description where there is a CHOICE construct that contains
elements with IMPLICIT tags that refer to constructed types, actions to be
taken on those elements should be conditional on the corresponding element
actually being matched. Currently, however, such actions are performed
unconditionally in the middle of processing the CHOICE.
For example, look at elements 'b' and 'e' here:
A ::= SEQUENCE {
CHOICE {
b [0] IMPLICIT B ({ do_XXXXXXXXXXXX_b }),
c [1] EXPLICIT C ({ do_XXXXXXXXXXXX_c }),
d [2] EXPLICIT B ({ do_XXXXXXXXXXXX_d }),
e [3] IMPLICIT C ({ do_XXXXXXXXXXXX_e }),
f [4] IMPLICIT INTEGER ({ do_XXXXXXXXXXXX_f })
}
} ({ do_XXXXXXXXXXXX_A })
B ::= SET OF OBJECT IDENTIFIER ({ do_XXXXXXXXXXXX_oid })
C ::= SET OF INTEGER ({ do_XXXXXXXXXXXX_int })
They each have an action (do_XXXXXXXXXXXX_b and do_XXXXXXXXXXXX_e) that
should only be processed if that element is matched.
The problem is that there's no easy place to hang the action off in the
subclause (type B for element 'b' and type C for element 'e') because
subclause opcode sequences can be shared.
To fix this, introduce a conditional action opcode(ASN1_OP_MAYBE_ACT) that
the decoder only processes if the preceding match was successful. This can
be seen in an excerpt from the output of the fixed ASN.1 compiler for the
above ASN.1 description:
[ 13] = ASN1_OP_COND_MATCH_JUMP_OR_SKIP, // e
[ 14] = _tagn(CONT, CONS, 3),
[ 15] = _jump_target(45), // --> C
[ 16] = ASN1_OP_MAYBE_ACT,
[ 17] = _action(ACT_do_XXXXXXXXXXXX_e),
In this, if the op at [13] is matched (ie. element 'e' above) then the
action at [16] will be performed. However, if the op at [13] doesn't match
or is skipped because it is conditional and some previous op matched, then
the action at [16] will be ignored.
Note that to make this work in the decoder, the ASN1_OP_RETURN op must set
the flag to indicate that a match happened. This is necessary because the
_jump_target() seen above introduces a subclause (in this case an object of
type 'C') which is likely to alter the flag. Setting the flag here is okay
because to process a subclause, a match must have happened and caused a
jump.
This cannot be tested with the code as it stands, but rather affects future
code.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-05 05:54:46 -06:00
|
|
|
[ASN1_OP_MAYBE_ACT] = 1 + 1,
|
2012-09-24 10:11:16 -06:00
|
|
|
[ASN1_OP_RETURN] = 1,
|
|
|
|
|
[ASN1_OP_END_SEQ] = 1,
|
|
|
|
|
[ASN1_OP_END_SEQ_OF] = 1 + 1,
|
|
|
|
|
[ASN1_OP_END_SET] = 1,
|
|
|
|
|
[ASN1_OP_END_SET_OF] = 1 + 1,
|
|
|
|
|
[ASN1_OP_END_SEQ_ACT] = 1 + 1,
|
|
|
|
|
[ASN1_OP_END_SEQ_OF_ACT] = 1 + 1 + 1,
|
|
|
|
|
[ASN1_OP_END_SET_ACT] = 1 + 1,
|
|
|
|
|
[ASN1_OP_END_SET_OF_ACT] = 1 + 1 + 1,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find the length of an indefinite length object
|
2012-10-04 07:21:23 -06:00
|
|
|
* @data: The data buffer
|
|
|
|
|
* @datalen: The end of the innermost containing element in the buffer
|
|
|
|
|
* @_dp: The data parse cursor (updated before returning)
|
|
|
|
|
* @_len: Where to return the size of the element.
|
|
|
|
|
* @_errmsg: Where to return a pointer to an error message on error
|
2012-09-24 10:11:16 -06:00
|
|
|
*/
|
|
|
|
|
static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen,
|
2012-10-04 07:21:23 -06:00
|
|
|
size_t *_dp, size_t *_len,
|
|
|
|
|
const char **_errmsg)
|
2012-09-24 10:11:16 -06:00
|
|
|
{
|
|
|
|
|
unsigned char tag, tmp;
|
2012-10-04 07:21:23 -06:00
|
|
|
size_t dp = *_dp, len, n;
|
2012-09-24 10:11:16 -06:00
|
|
|
int indef_level = 1;
|
|
|
|
|
|
|
|
|
|
next_tag:
|
|
|
|
|
if (unlikely(datalen - dp < 2)) {
|
|
|
|
|
if (datalen == dp)
|
|
|
|
|
goto missing_eoc;
|
|
|
|
|
goto data_overrun_error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Extract a tag from the data */
|
|
|
|
|
tag = data[dp++];
|
2016-02-23 04:03:12 -07:00
|
|
|
if (tag == ASN1_EOC) {
|
2012-09-24 10:11:16 -06:00
|
|
|
/* It appears to be an EOC. */
|
|
|
|
|
if (data[dp++] != 0)
|
|
|
|
|
goto invalid_eoc;
|
2012-10-04 07:21:23 -06:00
|
|
|
if (--indef_level <= 0) {
|
|
|
|
|
*_len = dp - *_dp;
|
|
|
|
|
*_dp = dp;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2012-09-24 10:11:16 -06:00
|
|
|
goto next_tag;
|
|
|
|
|
}
|
|
|
|
|
|
2012-12-04 18:25:30 -07:00
|
|
|
if (unlikely((tag & 0x1f) == ASN1_LONG_TAG)) {
|
2012-09-24 10:11:16 -06:00
|
|
|
do {
|
|
|
|
|
if (unlikely(datalen - dp < 2))
|
|
|
|
|
goto data_overrun_error;
|
|
|
|
|
tmp = data[dp++];
|
|
|
|
|
} while (tmp & 0x80);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Extract the length */
|
|
|
|
|
len = data[dp++];
|
2016-02-23 04:03:12 -07:00
|
|
|
if (len <= 0x7f)
|
|
|
|
|
goto check_length;
|
2012-09-24 10:11:16 -06:00
|
|
|
|
2012-12-04 18:25:30 -07:00
|
|
|
if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
|
2012-09-24 10:11:16 -06:00
|
|
|
/* Indefinite length */
|
|
|
|
|
if (unlikely((tag & ASN1_CONS_BIT) == ASN1_PRIM << 5))
|
|
|
|
|
goto indefinite_len_primitive;
|
|
|
|
|
indef_level++;
|
|
|
|
|
goto next_tag;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
n = len - 0x80;
|
2016-02-23 04:03:12 -07:00
|
|
|
if (unlikely(n > sizeof(len) - 1))
|
2012-09-24 10:11:16 -06:00
|
|
|
goto length_too_long;
|
|
|
|
|
if (unlikely(n > datalen - dp))
|
|
|
|
|
goto data_overrun_error;
|
2016-02-23 04:03:12 -07:00
|
|
|
len = 0;
|
|
|
|
|
for (; n > 0; n--) {
|
2012-09-24 10:11:16 -06:00
|
|
|
len <<= 8;
|
|
|
|
|
len |= data[dp++];
|
|
|
|
|
}
|
2016-02-23 04:03:12 -07:00
|
|
|
check_length:
|
|
|
|
|
if (len > datalen - dp)
|
|
|
|
|
goto data_overrun_error;
|
2012-09-24 10:11:16 -06:00
|
|
|
dp += len;
|
|
|
|
|
goto next_tag;
|
|
|
|
|
|
|
|
|
|
length_too_long:
|
|
|
|
|
*_errmsg = "Unsupported length";
|
|
|
|
|
goto error;
|
|
|
|
|
indefinite_len_primitive:
|
|
|
|
|
*_errmsg = "Indefinite len primitive not permitted";
|
|
|
|
|
goto error;
|
|
|
|
|
invalid_eoc:
|
|
|
|
|
*_errmsg = "Invalid length EOC";
|
|
|
|
|
goto error;
|
|
|
|
|
data_overrun_error:
|
|
|
|
|
*_errmsg = "Data overrun error";
|
|
|
|
|
goto error;
|
|
|
|
|
missing_eoc:
|
|
|
|
|
*_errmsg = "Missing EOC in indefinite len cons";
|
|
|
|
|
error:
|
2012-10-04 07:21:23 -06:00
|
|
|
*_dp = dp;
|
2012-09-24 10:11:16 -06:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* asn1_ber_decoder - Decoder BER/DER/CER ASN.1 according to pattern
|
|
|
|
|
* @decoder: The decoder definition (produced by asn1_compiler)
|
|
|
|
|
* @context: The caller's context (to be passed to the action functions)
|
|
|
|
|
* @data: The encoded data
|
2014-06-04 17:12:01 -06:00
|
|
|
* @datalen: The size of the encoded data
|
2012-09-24 10:11:16 -06:00
|
|
|
*
|
|
|
|
|
* Decode BER/DER/CER encoded ASN.1 data according to a bytecode pattern
|
|
|
|
|
* produced by asn1_compiler. Action functions are called on marked tags to
|
|
|
|
|
* allow the caller to retrieve significant data.
|
|
|
|
|
*
|
|
|
|
|
* LIMITATIONS:
|
|
|
|
|
*
|
|
|
|
|
* To keep down the amount of stack used by this function, the following limits
|
|
|
|
|
* have been imposed:
|
|
|
|
|
*
|
|
|
|
|
* (1) This won't handle datalen > 65535 without increasing the size of the
|
|
|
|
|
* cons stack elements and length_too_long checking.
|
|
|
|
|
*
|
|
|
|
|
* (2) The stack of constructed types is 10 deep. If the depth of non-leaf
|
|
|
|
|
* constructed types exceeds this, the decode will fail.
|
|
|
|
|
*
|
|
|
|
|
* (3) The SET type (not the SET OF type) isn't really supported as tracking
|
|
|
|
|
* what members of the set have been seen is a pain.
|
|
|
|
|
*/
|
|
|
|
|
int asn1_ber_decoder(const struct asn1_decoder *decoder,
|
|
|
|
|
void *context,
|
|
|
|
|
const unsigned char *data,
|
|
|
|
|
size_t datalen)
|
|
|
|
|
{
|
|
|
|
|
const unsigned char *machine = decoder->machine;
|
|
|
|
|
const asn1_action_t *actions = decoder->actions;
|
|
|
|
|
size_t machlen = decoder->machlen;
|
|
|
|
|
enum asn1_opcode op;
|
|
|
|
|
unsigned char tag = 0, csp = 0, jsp = 0, optag = 0, hdr = 0;
|
|
|
|
|
const char *errmsg;
|
|
|
|
|
size_t pc = 0, dp = 0, tdp = 0, len = 0;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
unsigned char flags = 0;
|
|
|
|
|
#define FLAG_INDEFINITE_LENGTH 0x01
|
|
|
|
|
#define FLAG_MATCHED 0x02
|
ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
In an ASN.1 description where there is a CHOICE construct that contains
elements with IMPLICIT tags that refer to constructed types, actions to be
taken on those elements should be conditional on the corresponding element
actually being matched. Currently, however, such actions are performed
unconditionally in the middle of processing the CHOICE.
For example, look at elements 'b' and 'e' here:
A ::= SEQUENCE {
CHOICE {
b [0] IMPLICIT B ({ do_XXXXXXXXXXXX_b }),
c [1] EXPLICIT C ({ do_XXXXXXXXXXXX_c }),
d [2] EXPLICIT B ({ do_XXXXXXXXXXXX_d }),
e [3] IMPLICIT C ({ do_XXXXXXXXXXXX_e }),
f [4] IMPLICIT INTEGER ({ do_XXXXXXXXXXXX_f })
}
} ({ do_XXXXXXXXXXXX_A })
B ::= SET OF OBJECT IDENTIFIER ({ do_XXXXXXXXXXXX_oid })
C ::= SET OF INTEGER ({ do_XXXXXXXXXXXX_int })
They each have an action (do_XXXXXXXXXXXX_b and do_XXXXXXXXXXXX_e) that
should only be processed if that element is matched.
The problem is that there's no easy place to hang the action off in the
subclause (type B for element 'b' and type C for element 'e') because
subclause opcode sequences can be shared.
To fix this, introduce a conditional action opcode(ASN1_OP_MAYBE_ACT) that
the decoder only processes if the preceding match was successful. This can
be seen in an excerpt from the output of the fixed ASN.1 compiler for the
above ASN.1 description:
[ 13] = ASN1_OP_COND_MATCH_JUMP_OR_SKIP, // e
[ 14] = _tagn(CONT, CONS, 3),
[ 15] = _jump_target(45), // --> C
[ 16] = ASN1_OP_MAYBE_ACT,
[ 17] = _action(ACT_do_XXXXXXXXXXXX_e),
In this, if the op at [13] is matched (ie. element 'e' above) then the
action at [16] will be performed. However, if the op at [13] doesn't match
or is skipped because it is conditional and some previous op matched, then
the action at [16] will be ignored.
Note that to make this work in the decoder, the ASN1_OP_RETURN op must set
the flag to indicate that a match happened. This is necessary because the
_jump_target() seen above introduces a subclause (in this case an object of
type 'C') which is likely to alter the flag. Setting the flag here is okay
because to process a subclause, a match must have happened and caused a
jump.
This cannot be tested with the code as it stands, but rather affects future
code.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-05 05:54:46 -06:00
|
|
|
#define FLAG_LAST_MATCHED 0x04 /* Last tag matched */
|
2012-09-24 10:11:16 -06:00
|
|
|
#define FLAG_CONS 0x20 /* Corresponds to CONS bit in the opcode tag
|
|
|
|
|
* - ie. whether or not we are going to parse
|
|
|
|
|
* a compound type.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define NR_CONS_STACK 10
|
|
|
|
|
unsigned short cons_dp_stack[NR_CONS_STACK];
|
|
|
|
|
unsigned short cons_datalen_stack[NR_CONS_STACK];
|
|
|
|
|
unsigned char cons_hdrlen_stack[NR_CONS_STACK];
|
|
|
|
|
#define NR_JUMP_STACK 10
|
|
|
|
|
unsigned char jump_stack[NR_JUMP_STACK];
|
|
|
|
|
|
|
|
|
|
if (datalen > 65535)
|
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
|
|
|
|
|
next_op:
|
|
|
|
|
pr_debug("next_op: pc=\e[32m%zu\e[m/%zu dp=\e[33m%zu\e[m/%zu C=%d J=%d\n",
|
|
|
|
|
pc, machlen, dp, datalen, csp, jsp);
|
|
|
|
|
if (unlikely(pc >= machlen))
|
|
|
|
|
goto machine_overrun_error;
|
|
|
|
|
op = machine[pc];
|
|
|
|
|
if (unlikely(pc + asn1_op_lengths[op] > machlen))
|
|
|
|
|
goto machine_overrun_error;
|
|
|
|
|
|
|
|
|
|
/* If this command is meant to match a tag, then do that before
|
|
|
|
|
* evaluating the command.
|
|
|
|
|
*/
|
|
|
|
|
if (op <= ASN1_OP__MATCHES_TAG) {
|
|
|
|
|
unsigned char tmp;
|
|
|
|
|
|
|
|
|
|
/* Skip conditional matches if possible */
|
ASN.1: Fix non-match detection failure on data overrun
If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
matches get skipped if there's no more data to be had rather than a
data-overrun error being reported.
This is due to the code segment that decides whether to skip optional
matches (ie. matches that could get ignored because an element is marked
OPTIONAL in the grammar) due to a lack of data also skips non-optional
elements if the data pointer has reached the end of the buffer.
This can be tested with the data decoder for the new RSA akcipher algorithm
that takes three non-optional integers. Currently, it skips the last
integer if there is insufficient data.
Without the fix, #defining DEBUG in asn1_decoder.c will show something
like:
next_op: pc=0/13 dp=0/270 C=0 J=0
- match? 30 30 00
- TAG: 30 266 CONS
next_op: pc=2/13 dp=4/270 C=1 J=0
- match? 02 02 00
- TAG: 02 257
- LEAF: 257
next_op: pc=5/13 dp=265/270 C=1 J=0
- match? 02 02 00
- TAG: 02 3
- LEAF: 3
next_op: pc=8/13 dp=270/270 C=1 J=0
next_op: pc=11/13 dp=270/270 C=1 J=0
- end cons t=4 dp=270 l=270/270
The next_op line for pc=8/13 should be followed by a match line.
This is not exploitable for X.509 certificates by means of shortening the
message and fixing up the ASN.1 CONS tags because:
(1) The relevant records being built up are cleared before use.
(2) If the message is shortened sufficiently to remove the public key, the
ASN.1 parse of the RSA key will fail quickly due to a lack of data.
(3) Extracted signature data is either turned into MPIs (which cope with a
0 length) or is simpler integers specifying algoritms and suchlike
(which can validly be 0); and
(4) The AKID and SKID extensions are optional and their removal is handled
without risking passing a NULL to asymmetric_key_generate_id().
(5) If the certificate is truncated sufficiently to remove the subject,
issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
stack underflow' return.
This is not exploitable for PKCS#7 messages by means of removal of elements
from such a message from the tail end of a sequence:
(1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
as detailed above.
(2) The message digest content isn't used if it shows a NULL pointer,
similarly, the authattrs aren't used if that shows a NULL pointer.
(3) A missing signature results in a NULL MPI - which the MPI routines deal
with.
(4) If data is NULL, it is expected that the message has detached content and
that is handled appropriately.
(5) If the serialNumber is excised, the unconditional action associated
with it will pick up the containing SEQUENCE instead, so no NULL
pointer will be seen here.
If both the issuer and the serialNumber are excised, the ASN.1 decode
will fail with an 'Unexpected tag' return.
In either case, there's no way to get to asymmetric_key_generate_id()
with a NULL pointer.
(6) Other fields are decoded to simple integers. Shortening the message
to omit an algorithm ID field will cause checks on this to fail early
in the verification process.
This can also be tested by snipping objects off of the end of the ASN.1 stream
such that mandatory tags are removed - or even from the end of internal
SEQUENCEs. If any mandatory tag is missing, the error EBADMSG *should* be
produced. Without this patch ERANGE or ENOPKG might be produced or the parse
may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
later, depending on what gets snipped.
Just snipping off the final BIT_STRING or OCTET_STRING from either sample
should be a start since both are mandatory and neither will cause an EBADMSG
without the patches
Reported-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-05 05:54:46 -06:00
|
|
|
if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) ||
|
|
|
|
|
(op & ASN1_OP_MATCH__SKIP && dp == datalen)) {
|
ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
In an ASN.1 description where there is a CHOICE construct that contains
elements with IMPLICIT tags that refer to constructed types, actions to be
taken on those elements should be conditional on the corresponding element
actually being matched. Currently, however, such actions are performed
unconditionally in the middle of processing the CHOICE.
For example, look at elements 'b' and 'e' here:
A ::= SEQUENCE {
CHOICE {
b [0] IMPLICIT B ({ do_XXXXXXXXXXXX_b }),
c [1] EXPLICIT C ({ do_XXXXXXXXXXXX_c }),
d [2] EXPLICIT B ({ do_XXXXXXXXXXXX_d }),
e [3] IMPLICIT C ({ do_XXXXXXXXXXXX_e }),
f [4] IMPLICIT INTEGER ({ do_XXXXXXXXXXXX_f })
}
} ({ do_XXXXXXXXXXXX_A })
B ::= SET OF OBJECT IDENTIFIER ({ do_XXXXXXXXXXXX_oid })
C ::= SET OF INTEGER ({ do_XXXXXXXXXXXX_int })
They each have an action (do_XXXXXXXXXXXX_b and do_XXXXXXXXXXXX_e) that
should only be processed if that element is matched.
The problem is that there's no easy place to hang the action off in the
subclause (type B for element 'b' and type C for element 'e') because
subclause opcode sequences can be shared.
To fix this, introduce a conditional action opcode(ASN1_OP_MAYBE_ACT) that
the decoder only processes if the preceding match was successful. This can
be seen in an excerpt from the output of the fixed ASN.1 compiler for the
above ASN.1 description:
[ 13] = ASN1_OP_COND_MATCH_JUMP_OR_SKIP, // e
[ 14] = _tagn(CONT, CONS, 3),
[ 15] = _jump_target(45), // --> C
[ 16] = ASN1_OP_MAYBE_ACT,
[ 17] = _action(ACT_do_XXXXXXXXXXXX_e),
In this, if the op at [13] is matched (ie. element 'e' above) then the
action at [16] will be performed. However, if the op at [13] doesn't match
or is skipped because it is conditional and some previous op matched, then
the action at [16] will be ignored.
Note that to make this work in the decoder, the ASN1_OP_RETURN op must set
the flag to indicate that a match happened. This is necessary because the
_jump_target() seen above introduces a subclause (in this case an object of
type 'C') which is likely to alter the flag. Setting the flag here is okay
because to process a subclause, a match must have happened and caused a
jump.
This cannot be tested with the code as it stands, but rather affects future
code.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-05 05:54:46 -06:00
|
|
|
flags &= ~FLAG_LAST_MATCHED;
|
2012-09-24 10:11:16 -06:00
|
|
|
pc += asn1_op_lengths[op];
|
|
|
|
|
goto next_op;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
flags = 0;
|
|
|
|
|
hdr = 2;
|
|
|
|
|
|
|
|
|
|
/* Extract a tag from the data */
|
2017-11-07 15:29:02 -07:00
|
|
|
if (unlikely(datalen - dp < 2))
|
2012-09-24 10:11:16 -06:00
|
|
|
goto data_overrun_error;
|
|
|
|
|
tag = data[dp++];
|
2012-12-04 18:25:30 -07:00
|
|
|
if (unlikely((tag & 0x1f) == ASN1_LONG_TAG))
|
2012-09-24 10:11:16 -06:00
|
|
|
goto long_tag_not_supported;
|
|
|
|
|
|
|
|
|
|
if (op & ASN1_OP_MATCH__ANY) {
|
|
|
|
|
pr_debug("- any %02x\n", tag);
|
|
|
|
|
} else {
|
|
|
|
|
/* Extract the tag from the machine
|
|
|
|
|
* - Either CONS or PRIM are permitted in the data if
|
|
|
|
|
* CONS is not set in the op stream, otherwise CONS
|
|
|
|
|
* is mandatory.
|
|
|
|
|
*/
|
|
|
|
|
optag = machine[pc + 1];
|
|
|
|
|
flags |= optag & FLAG_CONS;
|
|
|
|
|
|
|
|
|
|
/* Determine whether the tag matched */
|
|
|
|
|
tmp = optag ^ tag;
|
|
|
|
|
tmp &= ~(optag & ASN1_CONS_BIT);
|
|
|
|
|
pr_debug("- match? %02x %02x %02x\n", tag, optag, tmp);
|
|
|
|
|
if (tmp != 0) {
|
|
|
|
|
/* All odd-numbered tags are MATCH_OR_SKIP. */
|
|
|
|
|
if (op & ASN1_OP_MATCH__SKIP) {
|
|
|
|
|
pc += asn1_op_lengths[op];
|
|
|
|
|
dp--;
|
|
|
|
|
goto next_op;
|
|
|
|
|
}
|
|
|
|
|
goto tag_mismatch;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
flags |= FLAG_MATCHED;
|
|
|
|
|
|
|
|
|
|
len = data[dp++];
|
|
|
|
|
if (len > 0x7f) {
|
2012-12-04 18:25:30 -07:00
|
|
|
if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
|
2012-09-24 10:11:16 -06:00
|
|
|
/* Indefinite length */
|
|
|
|
|
if (unlikely(!(tag & ASN1_CONS_BIT)))
|
|
|
|
|
goto indefinite_len_primitive;
|
|
|
|
|
flags |= FLAG_INDEFINITE_LENGTH;
|
|
|
|
|
if (unlikely(2 > datalen - dp))
|
|
|
|
|
goto data_overrun_error;
|
|
|
|
|
} else {
|
|
|
|
|
int n = len - 0x80;
|
|
|
|
|
if (unlikely(n > 2))
|
|
|
|
|
goto length_too_long;
|
2017-11-07 15:29:02 -07:00
|
|
|
if (unlikely(n > datalen - dp))
|
2012-09-24 10:11:16 -06:00
|
|
|
goto data_overrun_error;
|
|
|
|
|
hdr += n;
|
|
|
|
|
for (len = 0; n > 0; n--) {
|
|
|
|
|
len <<= 8;
|
|
|
|
|
len |= data[dp++];
|
|
|
|
|
}
|
|
|
|
|
if (unlikely(len > datalen - dp))
|
|
|
|
|
goto data_overrun_error;
|
|
|
|
|
}
|
2017-11-01 18:47:19 -06:00
|
|
|
} else {
|
|
|
|
|
if (unlikely(len > datalen - dp))
|
|
|
|
|
goto data_overrun_error;
|
2012-09-24 10:11:16 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (flags & FLAG_CONS) {
|
|
|
|
|
/* For expected compound forms, we stack the positions
|
|
|
|
|
* of the start and end of the data.
|
|
|
|
|
*/
|
|
|
|
|
if (unlikely(csp >= NR_CONS_STACK))
|
|
|
|
|
goto cons_stack_overflow;
|
|
|
|
|
cons_dp_stack[csp] = dp;
|
|
|
|
|
cons_hdrlen_stack[csp] = hdr;
|
|
|
|
|
if (!(flags & FLAG_INDEFINITE_LENGTH)) {
|
|
|
|
|
cons_datalen_stack[csp] = datalen;
|
|
|
|
|
datalen = dp + len;
|
|
|
|
|
} else {
|
|
|
|
|
cons_datalen_stack[csp] = 0;
|
|
|
|
|
}
|
|
|
|
|
csp++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pr_debug("- TAG: %02x %zu%s\n",
|
|
|
|
|
tag, len, flags & FLAG_CONS ? " CONS" : "");
|
|
|
|
|
tdp = dp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Decide how to handle the operation */
|
|
|
|
|
switch (op) {
|
|
|
|
|
case ASN1_OP_MATCH:
|
|
|
|
|
case ASN1_OP_MATCH_OR_SKIP:
|
2017-12-08 08:13:27 -07:00
|
|
|
case ASN1_OP_MATCH_ACT:
|
|
|
|
|
case ASN1_OP_MATCH_ACT_OR_SKIP:
|
2012-09-24 10:11:16 -06:00
|
|
|
case ASN1_OP_MATCH_ANY:
|
2015-08-05 05:54:46 -06:00
|
|
|
case ASN1_OP_MATCH_ANY_OR_SKIP:
|
2017-12-08 08:13:27 -07:00
|
|
|
case ASN1_OP_MATCH_ANY_ACT:
|
|
|
|
|
case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
|
2012-09-24 10:11:16 -06:00
|
|
|
case ASN1_OP_COND_MATCH_OR_SKIP:
|
2017-12-08 08:13:27 -07:00
|
|
|
case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
|
2012-09-24 10:11:16 -06:00
|
|
|
case ASN1_OP_COND_MATCH_ANY:
|
2015-08-05 05:54:46 -06:00
|
|
|
case ASN1_OP_COND_MATCH_ANY_OR_SKIP:
|
2017-12-08 08:13:27 -07:00
|
|
|
case ASN1_OP_COND_MATCH_ANY_ACT:
|
|
|
|
|
case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
|
|
|
|
|
|
2012-09-24 10:11:16 -06:00
|
|
|
if (!(flags & FLAG_CONS)) {
|
|
|
|
|
if (flags & FLAG_INDEFINITE_LENGTH) {
|
2017-12-08 08:13:27 -07:00
|
|
|
size_t tmp = dp;
|
|
|
|
|
|
2012-10-04 07:21:23 -06:00
|
|
|
ret = asn1_find_indefinite_length(
|
2017-12-08 08:13:27 -07:00
|
|
|
data, datalen, &tmp, &len, &errmsg);
|
2012-10-04 07:21:23 -06:00
|
|
|
if (ret < 0)
|
2012-09-24 10:11:16 -06:00
|
|
|
goto error;
|
|
|
|
|
}
|
|
|
|
|
pr_debug("- LEAF: %zu\n", len);
|
|
|
|
|
}
|
2017-12-08 08:13:27 -07:00
|
|
|
|
|
|
|
|
if (op & ASN1_OP_MATCH__ACT) {
|
|
|
|
|
unsigned char act;
|
|
|
|
|
|
|
|
|
|
if (op & ASN1_OP_MATCH__ANY)
|
|
|
|
|
act = machine[pc + 1];
|
|
|
|
|
else
|
|
|
|
|
act = machine[pc + 2];
|
|
|
|
|
ret = actions[act](context, hdr, tag, data + dp, len);
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!(flags & FLAG_CONS))
|
|
|
|
|
dp += len;
|
2012-09-24 10:11:16 -06:00
|
|
|
pc += asn1_op_lengths[op];
|
|
|
|
|
goto next_op;
|
|
|
|
|
|
|
|
|
|
case ASN1_OP_MATCH_JUMP:
|
|
|
|
|
case ASN1_OP_MATCH_JUMP_OR_SKIP:
|
|
|
|
|
case ASN1_OP_COND_MATCH_JUMP_OR_SKIP:
|
|
|
|
|
pr_debug("- MATCH_JUMP\n");
|
|
|
|
|
if (unlikely(jsp == NR_JUMP_STACK))
|
|
|
|
|
goto jump_stack_overflow;
|
|
|
|
|
jump_stack[jsp++] = pc + asn1_op_lengths[op];
|
|
|
|
|
pc = machine[pc + 2];
|
|
|
|
|
goto next_op;
|
|
|
|
|
|
|
|
|
|
case ASN1_OP_COND_FAIL:
|
|
|
|
|
if (unlikely(!(flags & FLAG_MATCHED)))
|
|
|
|
|
goto tag_mismatch;
|
|
|
|
|
pc += asn1_op_lengths[op];
|
|
|
|
|
goto next_op;
|
|
|
|
|
|
|
|
|
|
case ASN1_OP_COMPLETE:
|
|
|
|
|
if (unlikely(jsp != 0 || csp != 0)) {
|
|
|
|
|
pr_err("ASN.1 decoder error: Stacks not empty at completion (%u, %u)\n",
|
|
|
|
|
jsp, csp);
|
|
|
|
|
return -EBADMSG;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
case ASN1_OP_END_SET:
|
|
|
|
|
case ASN1_OP_END_SET_ACT:
|
|
|
|
|
if (unlikely(!(flags & FLAG_MATCHED)))
|
|
|
|
|
goto tag_mismatch;
|
2019-01-25 13:46:46 -07:00
|
|
|
/* fall through */
|
|
|
|
|
|
2012-09-24 10:11:16 -06:00
|
|
|
case ASN1_OP_END_SEQ:
|
|
|
|
|
case ASN1_OP_END_SET_OF:
|
|
|
|
|
case ASN1_OP_END_SEQ_OF:
|
|
|
|
|
case ASN1_OP_END_SEQ_ACT:
|
|
|
|
|
case ASN1_OP_END_SET_OF_ACT:
|
|
|
|
|
case ASN1_OP_END_SEQ_OF_ACT:
|
|
|
|
|
if (unlikely(csp <= 0))
|
|
|
|
|
goto cons_stack_underflow;
|
|
|
|
|
csp--;
|
|
|
|
|
tdp = cons_dp_stack[csp];
|
|
|
|
|
hdr = cons_hdrlen_stack[csp];
|
|
|
|
|
len = datalen;
|
|
|
|
|
datalen = cons_datalen_stack[csp];
|
|
|
|
|
pr_debug("- end cons t=%zu dp=%zu l=%zu/%zu\n",
|
|
|
|
|
tdp, dp, len, datalen);
|
|
|
|
|
if (datalen == 0) {
|
|
|
|
|
/* Indefinite length - check for the EOC. */
|
|
|
|
|
datalen = len;
|
|
|
|
|
if (unlikely(datalen - dp < 2))
|
|
|
|
|
goto data_overrun_error;
|
|
|
|
|
if (data[dp++] != 0) {
|
|
|
|
|
if (op & ASN1_OP_END__OF) {
|
|
|
|
|
dp--;
|
|
|
|
|
csp++;
|
|
|
|
|
pc = machine[pc + 1];
|
|
|
|
|
pr_debug("- continue\n");
|
|
|
|
|
goto next_op;
|
|
|
|
|
}
|
|
|
|
|
goto missing_eoc;
|
|
|
|
|
}
|
|
|
|
|
if (data[dp++] != 0)
|
|
|
|
|
goto invalid_eoc;
|
|
|
|
|
len = dp - tdp - 2;
|
|
|
|
|
} else {
|
|
|
|
|
if (dp < len && (op & ASN1_OP_END__OF)) {
|
|
|
|
|
datalen = len;
|
|
|
|
|
csp++;
|
|
|
|
|
pc = machine[pc + 1];
|
|
|
|
|
pr_debug("- continue\n");
|
|
|
|
|
goto next_op;
|
|
|
|
|
}
|
|
|
|
|
if (dp != len)
|
|
|
|
|
goto cons_length_error;
|
|
|
|
|
len -= tdp;
|
|
|
|
|
pr_debug("- cons len l=%zu d=%zu\n", len, dp - tdp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (op & ASN1_OP_END__ACT) {
|
|
|
|
|
unsigned char act;
|
|
|
|
|
if (op & ASN1_OP_END__OF)
|
|
|
|
|
act = machine[pc + 2];
|
|
|
|
|
else
|
|
|
|
|
act = machine[pc + 1];
|
|
|
|
|
ret = actions[act](context, hdr, 0, data + tdp, len);
|
2017-12-08 08:13:27 -07:00
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
2012-09-24 10:11:16 -06:00
|
|
|
}
|
|
|
|
|
pc += asn1_op_lengths[op];
|
|
|
|
|
goto next_op;
|
|
|
|
|
|
ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
In an ASN.1 description where there is a CHOICE construct that contains
elements with IMPLICIT tags that refer to constructed types, actions to be
taken on those elements should be conditional on the corresponding element
actually being matched. Currently, however, such actions are performed
unconditionally in the middle of processing the CHOICE.
For example, look at elements 'b' and 'e' here:
A ::= SEQUENCE {
CHOICE {
b [0] IMPLICIT B ({ do_XXXXXXXXXXXX_b }),
c [1] EXPLICIT C ({ do_XXXXXXXXXXXX_c }),
d [2] EXPLICIT B ({ do_XXXXXXXXXXXX_d }),
e [3] IMPLICIT C ({ do_XXXXXXXXXXXX_e }),
f [4] IMPLICIT INTEGER ({ do_XXXXXXXXXXXX_f })
}
} ({ do_XXXXXXXXXXXX_A })
B ::= SET OF OBJECT IDENTIFIER ({ do_XXXXXXXXXXXX_oid })
C ::= SET OF INTEGER ({ do_XXXXXXXXXXXX_int })
They each have an action (do_XXXXXXXXXXXX_b and do_XXXXXXXXXXXX_e) that
should only be processed if that element is matched.
The problem is that there's no easy place to hang the action off in the
subclause (type B for element 'b' and type C for element 'e') because
subclause opcode sequences can be shared.
To fix this, introduce a conditional action opcode(ASN1_OP_MAYBE_ACT) that
the decoder only processes if the preceding match was successful. This can
be seen in an excerpt from the output of the fixed ASN.1 compiler for the
above ASN.1 description:
[ 13] = ASN1_OP_COND_MATCH_JUMP_OR_SKIP, // e
[ 14] = _tagn(CONT, CONS, 3),
[ 15] = _jump_target(45), // --> C
[ 16] = ASN1_OP_MAYBE_ACT,
[ 17] = _action(ACT_do_XXXXXXXXXXXX_e),
In this, if the op at [13] is matched (ie. element 'e' above) then the
action at [16] will be performed. However, if the op at [13] doesn't match
or is skipped because it is conditional and some previous op matched, then
the action at [16] will be ignored.
Note that to make this work in the decoder, the ASN1_OP_RETURN op must set
the flag to indicate that a match happened. This is necessary because the
_jump_target() seen above introduces a subclause (in this case an object of
type 'C') which is likely to alter the flag. Setting the flag here is okay
because to process a subclause, a match must have happened and caused a
jump.
This cannot be tested with the code as it stands, but rather affects future
code.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-05 05:54:46 -06:00
|
|
|
case ASN1_OP_MAYBE_ACT:
|
|
|
|
|
if (!(flags & FLAG_LAST_MATCHED)) {
|
|
|
|
|
pc += asn1_op_lengths[op];
|
|
|
|
|
goto next_op;
|
|
|
|
|
}
|
2019-01-25 13:46:46 -07:00
|
|
|
/* fall through */
|
|
|
|
|
|
2012-09-24 10:11:16 -06:00
|
|
|
case ASN1_OP_ACT:
|
|
|
|
|
ret = actions[machine[pc + 1]](context, hdr, tag, data + tdp, len);
|
ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
In an ASN.1 description where there is a CHOICE construct that contains
elements with IMPLICIT tags that refer to constructed types, actions to be
taken on those elements should be conditional on the corresponding element
actually being matched. Currently, however, such actions are performed
unconditionally in the middle of processing the CHOICE.
For example, look at elements 'b' and 'e' here:
A ::= SEQUENCE {
CHOICE {
b [0] IMPLICIT B ({ do_XXXXXXXXXXXX_b }),
c [1] EXPLICIT C ({ do_XXXXXXXXXXXX_c }),
d [2] EXPLICIT B ({ do_XXXXXXXXXXXX_d }),
e [3] IMPLICIT C ({ do_XXXXXXXXXXXX_e }),
f [4] IMPLICIT INTEGER ({ do_XXXXXXXXXXXX_f })
}
} ({ do_XXXXXXXXXXXX_A })
B ::= SET OF OBJECT IDENTIFIER ({ do_XXXXXXXXXXXX_oid })
C ::= SET OF INTEGER ({ do_XXXXXXXXXXXX_int })
They each have an action (do_XXXXXXXXXXXX_b and do_XXXXXXXXXXXX_e) that
should only be processed if that element is matched.
The problem is that there's no easy place to hang the action off in the
subclause (type B for element 'b' and type C for element 'e') because
subclause opcode sequences can be shared.
To fix this, introduce a conditional action opcode(ASN1_OP_MAYBE_ACT) that
the decoder only processes if the preceding match was successful. This can
be seen in an excerpt from the output of the fixed ASN.1 compiler for the
above ASN.1 description:
[ 13] = ASN1_OP_COND_MATCH_JUMP_OR_SKIP, // e
[ 14] = _tagn(CONT, CONS, 3),
[ 15] = _jump_target(45), // --> C
[ 16] = ASN1_OP_MAYBE_ACT,
[ 17] = _action(ACT_do_XXXXXXXXXXXX_e),
In this, if the op at [13] is matched (ie. element 'e' above) then the
action at [16] will be performed. However, if the op at [13] doesn't match
or is skipped because it is conditional and some previous op matched, then
the action at [16] will be ignored.
Note that to make this work in the decoder, the ASN1_OP_RETURN op must set
the flag to indicate that a match happened. This is necessary because the
_jump_target() seen above introduces a subclause (in this case an object of
type 'C') which is likely to alter the flag. Setting the flag here is okay
because to process a subclause, a match must have happened and caused a
jump.
This cannot be tested with the code as it stands, but rather affects future
code.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-05 05:54:46 -06:00
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
2012-09-24 10:11:16 -06:00
|
|
|
pc += asn1_op_lengths[op];
|
|
|
|
|
goto next_op;
|
|
|
|
|
|
|
|
|
|
case ASN1_OP_RETURN:
|
|
|
|
|
if (unlikely(jsp <= 0))
|
|
|
|
|
goto jump_stack_underflow;
|
|
|
|
|
pc = jump_stack[--jsp];
|
ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
In an ASN.1 description where there is a CHOICE construct that contains
elements with IMPLICIT tags that refer to constructed types, actions to be
taken on those elements should be conditional on the corresponding element
actually being matched. Currently, however, such actions are performed
unconditionally in the middle of processing the CHOICE.
For example, look at elements 'b' and 'e' here:
A ::= SEQUENCE {
CHOICE {
b [0] IMPLICIT B ({ do_XXXXXXXXXXXX_b }),
c [1] EXPLICIT C ({ do_XXXXXXXXXXXX_c }),
d [2] EXPLICIT B ({ do_XXXXXXXXXXXX_d }),
e [3] IMPLICIT C ({ do_XXXXXXXXXXXX_e }),
f [4] IMPLICIT INTEGER ({ do_XXXXXXXXXXXX_f })
}
} ({ do_XXXXXXXXXXXX_A })
B ::= SET OF OBJECT IDENTIFIER ({ do_XXXXXXXXXXXX_oid })
C ::= SET OF INTEGER ({ do_XXXXXXXXXXXX_int })
They each have an action (do_XXXXXXXXXXXX_b and do_XXXXXXXXXXXX_e) that
should only be processed if that element is matched.
The problem is that there's no easy place to hang the action off in the
subclause (type B for element 'b' and type C for element 'e') because
subclause opcode sequences can be shared.
To fix this, introduce a conditional action opcode(ASN1_OP_MAYBE_ACT) that
the decoder only processes if the preceding match was successful. This can
be seen in an excerpt from the output of the fixed ASN.1 compiler for the
above ASN.1 description:
[ 13] = ASN1_OP_COND_MATCH_JUMP_OR_SKIP, // e
[ 14] = _tagn(CONT, CONS, 3),
[ 15] = _jump_target(45), // --> C
[ 16] = ASN1_OP_MAYBE_ACT,
[ 17] = _action(ACT_do_XXXXXXXXXXXX_e),
In this, if the op at [13] is matched (ie. element 'e' above) then the
action at [16] will be performed. However, if the op at [13] doesn't match
or is skipped because it is conditional and some previous op matched, then
the action at [16] will be ignored.
Note that to make this work in the decoder, the ASN1_OP_RETURN op must set
the flag to indicate that a match happened. This is necessary because the
_jump_target() seen above introduces a subclause (in this case an object of
type 'C') which is likely to alter the flag. Setting the flag here is okay
because to process a subclause, a match must have happened and caused a
jump.
This cannot be tested with the code as it stands, but rather affects future
code.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-05 05:54:46 -06:00
|
|
|
flags |= FLAG_MATCHED | FLAG_LAST_MATCHED;
|
2012-09-24 10:11:16 -06:00
|
|
|
goto next_op;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Shouldn't reach here */
|
ASN.1: Fix actions on CHOICE elements with IMPLICIT tags
In an ASN.1 description where there is a CHOICE construct that contains
elements with IMPLICIT tags that refer to constructed types, actions to be
taken on those elements should be conditional on the corresponding element
actually being matched. Currently, however, such actions are performed
unconditionally in the middle of processing the CHOICE.
For example, look at elements 'b' and 'e' here:
A ::= SEQUENCE {
CHOICE {
b [0] IMPLICIT B ({ do_XXXXXXXXXXXX_b }),
c [1] EXPLICIT C ({ do_XXXXXXXXXXXX_c }),
d [2] EXPLICIT B ({ do_XXXXXXXXXXXX_d }),
e [3] IMPLICIT C ({ do_XXXXXXXXXXXX_e }),
f [4] IMPLICIT INTEGER ({ do_XXXXXXXXXXXX_f })
}
} ({ do_XXXXXXXXXXXX_A })
B ::= SET OF OBJECT IDENTIFIER ({ do_XXXXXXXXXXXX_oid })
C ::= SET OF INTEGER ({ do_XXXXXXXXXXXX_int })
They each have an action (do_XXXXXXXXXXXX_b and do_XXXXXXXXXXXX_e) that
should only be processed if that element is matched.
The problem is that there's no easy place to hang the action off in the
subclause (type B for element 'b' and type C for element 'e') because
subclause opcode sequences can be shared.
To fix this, introduce a conditional action opcode(ASN1_OP_MAYBE_ACT) that
the decoder only processes if the preceding match was successful. This can
be seen in an excerpt from the output of the fixed ASN.1 compiler for the
above ASN.1 description:
[ 13] = ASN1_OP_COND_MATCH_JUMP_OR_SKIP, // e
[ 14] = _tagn(CONT, CONS, 3),
[ 15] = _jump_target(45), // --> C
[ 16] = ASN1_OP_MAYBE_ACT,
[ 17] = _action(ACT_do_XXXXXXXXXXXX_e),
In this, if the op at [13] is matched (ie. element 'e' above) then the
action at [16] will be performed. However, if the op at [13] doesn't match
or is skipped because it is conditional and some previous op matched, then
the action at [16] will be ignored.
Note that to make this work in the decoder, the ASN1_OP_RETURN op must set
the flag to indicate that a match happened. This is necessary because the
_jump_target() seen above introduces a subclause (in this case an object of
type 'C') which is likely to alter the flag. Setting the flag here is okay
because to process a subclause, a match must have happened and caused a
jump.
This cannot be tested with the code as it stands, but rather affects future
code.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-05 05:54:46 -06:00
|
|
|
pr_err("ASN.1 decoder error: Found reserved opcode (%u) pc=%zu\n",
|
|
|
|
|
op, pc);
|
2012-09-24 10:11:16 -06:00
|
|
|
return -EBADMSG;
|
|
|
|
|
|
|
|
|
|
data_overrun_error:
|
|
|
|
|
errmsg = "Data overrun error";
|
|
|
|
|
goto error;
|
|
|
|
|
machine_overrun_error:
|
|
|
|
|
errmsg = "Machine overrun error";
|
|
|
|
|
goto error;
|
|
|
|
|
jump_stack_underflow:
|
|
|
|
|
errmsg = "Jump stack underflow";
|
|
|
|
|
goto error;
|
|
|
|
|
jump_stack_overflow:
|
|
|
|
|
errmsg = "Jump stack overflow";
|
|
|
|
|
goto error;
|
|
|
|
|
cons_stack_underflow:
|
|
|
|
|
errmsg = "Cons stack underflow";
|
|
|
|
|
goto error;
|
|
|
|
|
cons_stack_overflow:
|
|
|
|
|
errmsg = "Cons stack overflow";
|
|
|
|
|
goto error;
|
|
|
|
|
cons_length_error:
|
|
|
|
|
errmsg = "Cons length error";
|
|
|
|
|
goto error;
|
|
|
|
|
missing_eoc:
|
|
|
|
|
errmsg = "Missing EOC in indefinite len cons";
|
|
|
|
|
goto error;
|
|
|
|
|
invalid_eoc:
|
|
|
|
|
errmsg = "Invalid length EOC";
|
|
|
|
|
goto error;
|
|
|
|
|
length_too_long:
|
|
|
|
|
errmsg = "Unsupported length";
|
|
|
|
|
goto error;
|
|
|
|
|
indefinite_len_primitive:
|
|
|
|
|
errmsg = "Indefinite len primitive not permitted";
|
|
|
|
|
goto error;
|
|
|
|
|
tag_mismatch:
|
|
|
|
|
errmsg = "Unexpected tag";
|
|
|
|
|
goto error;
|
|
|
|
|
long_tag_not_supported:
|
|
|
|
|
errmsg = "Long tag not supported";
|
|
|
|
|
error:
|
|
|
|
|
pr_debug("\nASN1: %s [m=%zu d=%zu ot=%02x t=%02x l=%zu]\n",
|
|
|
|
|
errmsg, pc, dp, optag, tag, len);
|
|
|
|
|
return -EBADMSG;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(asn1_ber_decoder);
|
2016-04-29 08:48:08 -06:00
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|