2014-06-20 20:00:00 +01:00
|
|
|
/* Copyright (c) 2014, Google Inc.
|
|
|
|
|
*
|
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
|
*
|
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
|
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
|
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
|
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
|
|
|
|
|
|
#include <openssl/bytestring.h>
|
|
|
|
|
|
2014-08-07 00:01:44 +01:00
|
|
|
#include <assert.h>
|
2017-11-22 22:05:50 +00:00
|
|
|
#include <limits.h>
|
2015-01-31 01:08:37 +00:00
|
|
|
#include <string.h>
|
2014-08-07 00:01:44 +01:00
|
|
|
|
2017-12-22 05:12:27 +00:00
|
|
|
#include <openssl/buf.h>
|
2014-06-20 20:00:00 +01:00
|
|
|
#include <openssl/mem.h>
|
|
|
|
|
|
2016-12-13 06:07:13 +00:00
|
|
|
#include "../internal.h"
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2015-06-28 06:26:10 +01:00
|
|
|
void CBB_zero(CBB *cbb) {
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memset(cbb, 0, sizeof(CBB));
|
2015-06-28 06:26:10 +01:00
|
|
|
}
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// This assumes that |cbb| has already been zeroed.
|
2014-06-20 20:00:00 +01:00
|
|
|
struct cbb_buffer_st *base;
|
|
|
|
|
|
|
|
|
|
base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
|
|
|
|
|
if (base == NULL) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
base->buf = buf;
|
|
|
|
|
base->len = 0;
|
|
|
|
|
base->cap = cap;
|
|
|
|
|
base->can_resize = 1;
|
2016-07-19 06:08:24 +01:00
|
|
|
base->error = 0;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
cbb->base = base;
|
|
|
|
|
cbb->is_top_level = 1;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_init(CBB *cbb, size_t initial_capacity) {
|
2015-11-16 20:04:32 +00:00
|
|
|
CBB_zero(cbb);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2015-11-16 20:04:32 +00:00
|
|
|
uint8_t *buf = OPENSSL_malloc(initial_capacity);
|
2014-06-20 20:00:00 +01:00
|
|
|
if (initial_capacity > 0 && buf == NULL) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-02 03:46:09 +00:00
|
|
|
if (!cbb_init(cbb, buf, initial_capacity)) {
|
|
|
|
|
OPENSSL_free(buf);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {
|
2015-11-16 20:04:32 +00:00
|
|
|
CBB_zero(cbb);
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
if (!cbb_init(cbb, buf, len)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cbb->base->can_resize = 0;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void CBB_cleanup(CBB *cbb) {
|
|
|
|
|
if (cbb->base) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
|
|
|
|
|
// are implicitly discarded when the parent is flushed or cleaned up.
|
2015-09-24 18:49:03 +01:00
|
|
|
assert(cbb->is_top_level);
|
|
|
|
|
|
2015-04-22 18:50:28 +01:00
|
|
|
if (cbb->base->can_resize) {
|
2014-06-20 20:00:00 +01:00
|
|
|
OPENSSL_free(cbb->base->buf);
|
|
|
|
|
}
|
|
|
|
|
OPENSSL_free(cbb->base);
|
|
|
|
|
}
|
|
|
|
|
cbb->base = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-17 06:06:10 +00:00
|
|
|
static int cbb_buffer_reserve(struct cbb_buffer_st *base, uint8_t **out,
|
|
|
|
|
size_t len) {
|
2014-06-20 20:00:00 +01:00
|
|
|
size_t newlen;
|
|
|
|
|
|
|
|
|
|
if (base == NULL) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newlen = base->len + len;
|
|
|
|
|
if (newlen < base->len) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// Overflow
|
2016-07-19 06:08:24 +01:00
|
|
|
goto err;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (newlen > base->cap) {
|
|
|
|
|
size_t newcap = base->cap * 2;
|
|
|
|
|
uint8_t *newbuf;
|
|
|
|
|
|
|
|
|
|
if (!base->can_resize) {
|
2016-07-19 06:08:24 +01:00
|
|
|
goto err;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (newcap < base->cap || newcap < newlen) {
|
|
|
|
|
newcap = newlen;
|
|
|
|
|
}
|
|
|
|
|
newbuf = OPENSSL_realloc(base->buf, newcap);
|
|
|
|
|
if (newbuf == NULL) {
|
2016-07-19 06:08:24 +01:00
|
|
|
goto err;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
base->buf = newbuf;
|
|
|
|
|
base->cap = newcap;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (out) {
|
|
|
|
|
*out = base->buf + base->len;
|
|
|
|
|
}
|
2015-12-17 06:06:10 +00:00
|
|
|
|
|
|
|
|
return 1;
|
2016-07-19 06:08:24 +01:00
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
base->error = 1;
|
|
|
|
|
return 0;
|
2015-12-17 06:06:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int cbb_buffer_add(struct cbb_buffer_st *base, uint8_t **out,
|
|
|
|
|
size_t len) {
|
|
|
|
|
if (!cbb_buffer_reserve(base, out, len)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2017-08-18 19:06:02 +01:00
|
|
|
// This will not overflow or |cbb_buffer_reserve| would have failed.
|
2015-12-17 06:06:10 +00:00
|
|
|
base->len += len;
|
2014-06-20 20:00:00 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int cbb_buffer_add_u(struct cbb_buffer_st *base, uint32_t v,
|
|
|
|
|
size_t len_len) {
|
|
|
|
|
if (len_len == 0) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2016-09-05 17:47:25 +01:00
|
|
|
|
|
|
|
|
uint8_t *buf;
|
2014-06-20 20:00:00 +01:00
|
|
|
if (!cbb_buffer_add(base, &buf, len_len)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-05 17:47:25 +01:00
|
|
|
for (size_t i = len_len - 1; i < len_len; i--) {
|
2014-06-20 20:00:00 +01:00
|
|
|
buf[i] = v;
|
|
|
|
|
v >>= 8;
|
|
|
|
|
}
|
2016-07-26 13:28:44 +01:00
|
|
|
|
|
|
|
|
if (v != 0) {
|
|
|
|
|
base->error = 1;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {
|
|
|
|
|
if (!cbb->is_top_level) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!CBB_flush(cbb)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-08 18:24:34 +01:00
|
|
|
if (cbb->base->can_resize && (out_data == NULL || out_len == NULL)) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// |out_data| and |out_len| can only be NULL if the CBB is fixed.
|
2014-08-08 18:24:34 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (out_data != NULL) {
|
|
|
|
|
*out_data = cbb->base->buf;
|
|
|
|
|
}
|
|
|
|
|
if (out_len != NULL) {
|
|
|
|
|
*out_len = cbb->base->len;
|
|
|
|
|
}
|
2014-06-20 20:00:00 +01:00
|
|
|
cbb->base->buf = NULL;
|
|
|
|
|
CBB_cleanup(cbb);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// CBB_flush recurses and then writes out any pending length prefix. The
|
|
|
|
|
// current length of the underlying base is taken to be the length of the
|
|
|
|
|
// length-prefixed data.
|
2014-06-20 20:00:00 +01:00
|
|
|
int CBB_flush(CBB *cbb) {
|
|
|
|
|
size_t child_start, i, len;
|
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// If |cbb->base| has hit an error, the buffer is in an undefined state, so
|
|
|
|
|
// fail all following calls. In particular, |cbb->child| may point to invalid
|
|
|
|
|
// memory.
|
2016-07-19 06:08:24 +01:00
|
|
|
if (cbb->base == NULL || cbb->base->error) {
|
2014-06-20 20:00:00 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
if (cbb->child == NULL || cbb->child->pending_len_len == 0) {
|
2014-06-20 20:00:00 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
child_start = cbb->child->offset + cbb->child->pending_len_len;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
if (!CBB_flush(cbb->child) ||
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
child_start < cbb->child->offset ||
|
2014-06-20 20:00:00 +01:00
|
|
|
cbb->base->len < child_start) {
|
2016-07-19 06:08:24 +01:00
|
|
|
goto err;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
len = cbb->base->len - child_start;
|
|
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
if (cbb->child->pending_is_asn1) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// For ASN.1 we assume that we'll only need a single byte for the length.
|
|
|
|
|
// If that turned out to be incorrect, we have to move the contents along
|
|
|
|
|
// in order to make space.
|
2016-08-04 22:38:40 +01:00
|
|
|
uint8_t len_len;
|
2014-06-20 20:00:00 +01:00
|
|
|
uint8_t initial_length_byte;
|
|
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
assert (cbb->child->pending_len_len == 1);
|
2014-08-07 00:01:44 +01:00
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
if (len > 0xfffffffe) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// Too large.
|
2016-07-19 06:08:24 +01:00
|
|
|
goto err;
|
2014-06-20 20:00:00 +01:00
|
|
|
} else if (len > 0xffffff) {
|
|
|
|
|
len_len = 5;
|
|
|
|
|
initial_length_byte = 0x80 | 4;
|
|
|
|
|
} else if (len > 0xffff) {
|
|
|
|
|
len_len = 4;
|
|
|
|
|
initial_length_byte = 0x80 | 3;
|
|
|
|
|
} else if (len > 0xff) {
|
|
|
|
|
len_len = 3;
|
|
|
|
|
initial_length_byte = 0x80 | 2;
|
|
|
|
|
} else if (len > 0x7f) {
|
|
|
|
|
len_len = 2;
|
|
|
|
|
initial_length_byte = 0x80 | 1;
|
|
|
|
|
} else {
|
|
|
|
|
len_len = 1;
|
2016-08-04 22:38:40 +01:00
|
|
|
initial_length_byte = (uint8_t)len;
|
2014-06-20 20:00:00 +01:00
|
|
|
len = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (len_len != 1) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// We need to move the contents along in order to make space.
|
2014-06-20 20:00:00 +01:00
|
|
|
size_t extra_bytes = len_len - 1;
|
|
|
|
|
if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) {
|
2016-07-19 06:08:24 +01:00
|
|
|
goto err;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memmove(cbb->base->buf + child_start + extra_bytes,
|
|
|
|
|
cbb->base->buf + child_start, len);
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
cbb->base->buf[cbb->child->offset++] = initial_length_byte;
|
|
|
|
|
cbb->child->pending_len_len = len_len - 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
for (i = cbb->child->pending_len_len - 1; i < cbb->child->pending_len_len;
|
|
|
|
|
i--) {
|
2016-08-04 22:38:40 +01:00
|
|
|
cbb->base->buf[cbb->child->offset + i] = (uint8_t)len;
|
2014-06-20 20:00:00 +01:00
|
|
|
len >>= 8;
|
|
|
|
|
}
|
|
|
|
|
if (len != 0) {
|
2016-07-19 06:08:24 +01:00
|
|
|
goto err;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cbb->child->base = NULL;
|
|
|
|
|
cbb->child = NULL;
|
|
|
|
|
|
|
|
|
|
return 1;
|
2016-07-19 06:08:24 +01:00
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
cbb->base->error = 1;
|
|
|
|
|
return 0;
|
2014-06-20 20:00:00 +01:00
|
|
|
}
|
|
|
|
|
|
2015-12-18 06:01:21 +00:00
|
|
|
const uint8_t *CBB_data(const CBB *cbb) {
|
|
|
|
|
assert(cbb->child == NULL);
|
|
|
|
|
return cbb->base->buf + cbb->offset + cbb->pending_len_len;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-12 23:26:58 +01:00
|
|
|
size_t CBB_len(const CBB *cbb) {
|
|
|
|
|
assert(cbb->child == NULL);
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
assert(cbb->offset + cbb->pending_len_len <= cbb->base->len);
|
2015-06-12 23:26:58 +01:00
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
return cbb->base->len - cbb->offset - cbb->pending_len_len;
|
2015-06-12 23:26:58 +01:00
|
|
|
}
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
static int cbb_add_length_prefixed(CBB *cbb, CBB *out_contents,
|
2016-08-04 22:38:40 +01:00
|
|
|
uint8_t len_len) {
|
2014-06-20 20:00:00 +01:00
|
|
|
uint8_t *prefix_bytes;
|
|
|
|
|
|
|
|
|
|
if (!CBB_flush(cbb)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
size_t offset = cbb->base->len;
|
2014-06-20 20:00:00 +01:00
|
|
|
if (!cbb_buffer_add(cbb->base, &prefix_bytes, len_len)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memset(prefix_bytes, 0, len_len);
|
|
|
|
|
OPENSSL_memset(out_contents, 0, sizeof(CBB));
|
2014-06-20 20:00:00 +01:00
|
|
|
out_contents->base = cbb->base;
|
|
|
|
|
cbb->child = out_contents;
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
cbb->child->offset = offset;
|
|
|
|
|
cbb->child->pending_len_len = len_len;
|
|
|
|
|
cbb->child->pending_is_asn1 = 0;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_add_u8_length_prefixed(CBB *cbb, CBB *out_contents) {
|
|
|
|
|
return cbb_add_length_prefixed(cbb, out_contents, 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_add_u16_length_prefixed(CBB *cbb, CBB *out_contents) {
|
|
|
|
|
return cbb_add_length_prefixed(cbb, out_contents, 2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) {
|
|
|
|
|
return cbb_add_length_prefixed(cbb, out_contents, 3);
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-22 22:05:50 +00:00
|
|
|
// add_base128_integer encodes |v| as a big-endian base-128 integer where the
|
|
|
|
|
// high bit of each byte indicates where there is more data. This is the
|
|
|
|
|
// encoding used in DER for both high tag number form and OID components.
|
2017-11-29 22:17:41 +00:00
|
|
|
static int add_base128_integer(CBB *cbb, uint64_t v) {
|
2017-11-22 22:05:50 +00:00
|
|
|
unsigned len_len = 0;
|
2017-11-29 22:17:41 +00:00
|
|
|
uint64_t copy = v;
|
2017-11-22 22:05:50 +00:00
|
|
|
while (copy > 0) {
|
|
|
|
|
len_len++;
|
|
|
|
|
copy >>= 7;
|
|
|
|
|
}
|
|
|
|
|
if (len_len == 0) {
|
|
|
|
|
len_len = 1; // Zero is encoded with one byte.
|
|
|
|
|
}
|
|
|
|
|
for (unsigned i = len_len - 1; i < len_len; i--) {
|
|
|
|
|
uint8_t byte = (v >> (7 * i)) & 0x7f;
|
|
|
|
|
if (i != 0) {
|
|
|
|
|
// The high bit denotes whether there is more data.
|
|
|
|
|
byte |= 0x80;
|
|
|
|
|
}
|
|
|
|
|
if (!CBB_add_u8(cbb, byte)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2016-08-19 21:08:45 +01:00
|
|
|
int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
|
2017-12-22 04:11:23 +00:00
|
|
|
if (!CBB_flush(cbb)) {
|
2015-02-02 08:40:21 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-22 04:11:23 +00:00
|
|
|
// Split the tag into leading bits and tag number.
|
|
|
|
|
uint8_t tag_bits = (tag >> CBS_ASN1_TAG_SHIFT) & 0xe0;
|
|
|
|
|
unsigned tag_number = tag & CBS_ASN1_TAG_NUMBER_MASK;
|
|
|
|
|
if (tag_number >= 0x1f) {
|
|
|
|
|
// Set all the bits in the tag number to signal high tag number form.
|
|
|
|
|
if (!CBB_add_u8(cbb, tag_bits | 0x1f) ||
|
|
|
|
|
!add_base128_integer(cbb, tag_number)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
} else if (!CBB_add_u8(cbb, tag_bits | tag_number)) {
|
2014-06-20 20:00:00 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
size_t offset = cbb->base->len;
|
2014-06-20 20:00:00 +01:00
|
|
|
if (!CBB_add_u8(cbb, 0)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memset(out_contents, 0, sizeof(CBB));
|
2014-06-20 20:00:00 +01:00
|
|
|
out_contents->base = cbb->base;
|
|
|
|
|
cbb->child = out_contents;
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
cbb->child->offset = offset;
|
|
|
|
|
cbb->child->pending_len_len = 1;
|
|
|
|
|
cbb->child->pending_is_asn1 = 1;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len) {
|
|
|
|
|
uint8_t *dest;
|
|
|
|
|
|
|
|
|
|
if (!CBB_flush(cbb) ||
|
|
|
|
|
!cbb_buffer_add(cbb->base, &dest, len)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2016-12-13 06:07:13 +00:00
|
|
|
OPENSSL_memcpy(dest, data, len);
|
2014-06-20 20:00:00 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2014-08-07 00:29:56 +01:00
|
|
|
int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len) {
|
|
|
|
|
if (!CBB_flush(cbb) ||
|
|
|
|
|
!cbb_buffer_add(cbb->base, out_data, len)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-17 06:06:10 +00:00
|
|
|
int CBB_reserve(CBB *cbb, uint8_t **out_data, size_t len) {
|
|
|
|
|
if (!CBB_flush(cbb) ||
|
|
|
|
|
!cbb_buffer_reserve(cbb->base, out_data, len)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_did_write(CBB *cbb, size_t len) {
|
|
|
|
|
size_t newlen = cbb->base->len + len;
|
|
|
|
|
if (cbb->child != NULL ||
|
|
|
|
|
newlen < cbb->base->len ||
|
|
|
|
|
newlen > cbb->base->cap) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
cbb->base->len = newlen;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
int CBB_add_u8(CBB *cbb, uint8_t value) {
|
|
|
|
|
if (!CBB_flush(cbb)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return cbb_buffer_add_u(cbb->base, value, 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_add_u16(CBB *cbb, uint16_t value) {
|
|
|
|
|
if (!CBB_flush(cbb)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return cbb_buffer_add_u(cbb->base, value, 2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_add_u24(CBB *cbb, uint32_t value) {
|
|
|
|
|
if (!CBB_flush(cbb)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return cbb_buffer_add_u(cbb->base, value, 3);
|
|
|
|
|
}
|
2014-10-19 18:14:30 +01:00
|
|
|
|
2016-06-22 04:13:10 +01:00
|
|
|
int CBB_add_u32(CBB *cbb, uint32_t value) {
|
|
|
|
|
if (!CBB_flush(cbb)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return cbb_buffer_add_u(cbb->base, value, 4);
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-10 19:13:23 +01:00
|
|
|
void CBB_discard_child(CBB *cbb) {
|
|
|
|
|
if (cbb->child == NULL) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
Make CBB_len relative to its argument.
Rather than the length of the top-level CBB, which is kind of odd when ASN.1
length prefixes are not yet determined, return the number of bytes written to
the CBB so far. This can be computed without increasing the size of CBB at all.
Have offset and pending_*.
This means functions which take in a CBB as argument will not be sensitive to
whether the CBB is a top-level or child CBB. The extensions logic had to be
careful to only ever compare differences of lengths, which was awkward.
The reversal will also allow for the following pattern in the future, once
CBB_add_space is split into, say, CBB_reserve and CBB_did_write and we add a
CBB_data:
uint8_t *signature;
size_t signature_len = 0;
if (!CBB_add_asn1(out, &cert, CBB_ASN1_SEQUENCE) ||
/* Emit the TBSCertificate. */
!CBB_add_asn1(&cert, &tbs_cert, CBS_ASN1_SEQUENCE) ||
!CBB_add_tbs_cert_stuff(&tbs_cert, stuff) ||
!CBB_flush(&cert) ||
/* Feed it into md_ctx. */
!EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
!EVP_DigestSignUpdate(&md_ctx, CBB_data(&cert), CBB_len(&cert)) ||
/* Emit the signature algorithm. */
!CBB_add_asn1(&cert, &sig_alg, CBS_ASN1_SEQUENCE) ||
!CBB_add_sigalg_stuff(&sig_alg, other_stuff) ||
/* Emit the signature. */
!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) ||
!CBB_reserve(&cert, &signature, signature_len) ||
!EVP_DigestSignFinal(&md_ctx, signature, &signature_len) ||
!CBB_did_write(&cert, signature_len)) {
goto err;
}
(Were TBSCertificate not the first field, we'd still have to sample
CBB_len(&cert), but at least that's reasonable straight-forward. The
alternative would be if CBB_data and CBB_len somehow worked on
recently-invalidated CBBs, but that would go wrong once the invalidated CBB's
parent flushed and possibly shifts everything.)
And similar for signing ServerKeyExchange.
Change-Id: I7761e492ae472d7632875b5666b6088970261b14
Reviewed-on: https://boringssl-review.googlesource.com/6681
Reviewed-by: Adam Langley <agl@google.com>
2015-12-08 23:56:31 +00:00
|
|
|
cbb->base->len = cbb->child->offset;
|
2015-10-10 19:13:23 +01:00
|
|
|
|
|
|
|
|
cbb->child->base = NULL;
|
|
|
|
|
cbb->child = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2014-10-19 18:14:30 +01:00
|
|
|
int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
|
|
|
|
|
CBB child;
|
|
|
|
|
int started = 0;
|
|
|
|
|
|
|
|
|
|
if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-09-05 17:47:25 +01:00
|
|
|
for (size_t i = 0; i < 8; i++) {
|
2014-10-19 18:14:30 +01:00
|
|
|
uint8_t byte = (value >> 8*(7-i)) & 0xff;
|
|
|
|
|
if (!started) {
|
|
|
|
|
if (byte == 0) {
|
2017-08-18 19:06:02 +01:00
|
|
|
// Don't encode leading zeros.
|
2014-10-19 18:14:30 +01:00
|
|
|
continue;
|
|
|
|
|
}
|
2017-08-18 19:06:02 +01:00
|
|
|
// If the high bit is set, add a padding byte to make it
|
|
|
|
|
// unsigned.
|
2014-10-19 18:14:30 +01:00
|
|
|
if ((byte & 0x80) && !CBB_add_u8(&child, 0)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
started = 1;
|
|
|
|
|
}
|
|
|
|
|
if (!CBB_add_u8(&child, byte)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// 0 is encoded as a single 0, not the empty string.
|
2014-10-19 18:14:30 +01:00
|
|
|
if (!started && !CBB_add_u8(&child, 0)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return CBB_flush(cbb);
|
|
|
|
|
}
|
2017-11-22 22:05:50 +00:00
|
|
|
|
|
|
|
|
// parse_dotted_decimal parses one decimal component from |cbs|, where |cbs| is
|
|
|
|
|
// an OID literal, e.g., "1.2.840.113554.4.1.72585". It consumes both the
|
|
|
|
|
// component and the dot, so |cbs| may be passed into the function again for the
|
|
|
|
|
// next value.
|
2017-11-29 22:17:41 +00:00
|
|
|
static int parse_dotted_decimal(CBS *cbs, uint64_t *out) {
|
2017-11-22 22:05:50 +00:00
|
|
|
*out = 0;
|
|
|
|
|
int seen_digit = 0;
|
|
|
|
|
for (;;) {
|
|
|
|
|
// Valid terminators for a component are the end of the string or a
|
|
|
|
|
// non-terminal dot. If the string ends with a dot, this is not a valid OID
|
|
|
|
|
// string.
|
|
|
|
|
uint8_t u;
|
|
|
|
|
if (!CBS_get_u8(cbs, &u) ||
|
|
|
|
|
(u == '.' && CBS_len(cbs) > 0)) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (u < '0' || u > '9' ||
|
|
|
|
|
// Forbid stray leading zeros.
|
|
|
|
|
(seen_digit && *out == 0) ||
|
|
|
|
|
// Check for overflow.
|
2017-11-29 22:17:41 +00:00
|
|
|
*out > UINT64_MAX / 10 ||
|
|
|
|
|
*out * 10 > UINT64_MAX - (u - '0')) {
|
2017-11-22 22:05:50 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
*out = *out * 10 + (u - '0');
|
|
|
|
|
seen_digit = 1;
|
|
|
|
|
}
|
|
|
|
|
// The empty string is not a legal OID component.
|
|
|
|
|
return seen_digit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text, size_t len) {
|
|
|
|
|
if (!CBB_flush(cbb)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CBS cbs;
|
|
|
|
|
CBS_init(&cbs, (const uint8_t *)text, len);
|
|
|
|
|
|
|
|
|
|
// OIDs must have at least two components.
|
2017-11-29 22:17:41 +00:00
|
|
|
uint64_t a, b;
|
2017-11-22 22:05:50 +00:00
|
|
|
if (!parse_dotted_decimal(&cbs, &a) ||
|
|
|
|
|
!parse_dotted_decimal(&cbs, &b)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The first component is encoded as 40 * |a| + |b|. This assumes that |a| is
|
|
|
|
|
// 0, 1, or 2 and that, when it is 0 or 1, |b| is at most 39.
|
|
|
|
|
if (a > 2 ||
|
|
|
|
|
(a < 2 && b > 39) ||
|
2017-11-29 22:17:41 +00:00
|
|
|
b > UINT64_MAX - 80 ||
|
|
|
|
|
!add_base128_integer(cbb, 40u * a + b)) {
|
2017-11-22 22:05:50 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// The remaining components are encoded unmodified.
|
|
|
|
|
while (CBS_len(&cbs) > 0) {
|
|
|
|
|
if (!parse_dotted_decimal(&cbs, &a) ||
|
|
|
|
|
!add_base128_integer(cbb, a)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2017-12-22 05:12:27 +00:00
|
|
|
|
|
|
|
|
static int compare_set_of_element(const void *a_ptr, const void *b_ptr) {
|
|
|
|
|
// See X.690, section 11.6 for the ordering. They are sorted in ascending
|
|
|
|
|
// order by their DER encoding.
|
|
|
|
|
const CBS *a = a_ptr, *b = b_ptr;
|
|
|
|
|
size_t a_len = CBS_len(a), b_len = CBS_len(b);
|
|
|
|
|
size_t min_len = a_len < b_len ? a_len : b_len;
|
|
|
|
|
int ret = OPENSSL_memcmp(CBS_data(a), CBS_data(b), min_len);
|
|
|
|
|
if (ret != 0) {
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
if (a_len == b_len) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
// If one is a prefix of the other, the shorter one sorts first. (This is not
|
|
|
|
|
// actually reachable. No DER encoding is a prefix of another DER encoding.)
|
|
|
|
|
return a_len < b_len ? -1 : 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int CBB_flush_asn1_set_of(CBB *cbb) {
|
|
|
|
|
if (!CBB_flush(cbb)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CBS cbs;
|
|
|
|
|
size_t num_children = 0;
|
|
|
|
|
CBS_init(&cbs, CBB_data(cbb), CBB_len(cbb));
|
|
|
|
|
while (CBS_len(&cbs) != 0) {
|
|
|
|
|
if (!CBS_get_any_asn1_element(&cbs, NULL, NULL, NULL)) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
num_children++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (num_children < 2) {
|
|
|
|
|
return 1; // Nothing to do. This is the common case for X.509.
|
|
|
|
|
}
|
|
|
|
|
if (num_children > ((size_t)-1) / sizeof(CBS)) {
|
|
|
|
|
return 0; // Overflow.
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Parse out the children and sort. We alias them into a copy of so they
|
|
|
|
|
// remain valid as we rewrite |cbb|.
|
|
|
|
|
int ret = 0;
|
|
|
|
|
size_t buf_len = CBB_len(cbb);
|
|
|
|
|
uint8_t *buf = BUF_memdup(CBB_data(cbb), buf_len);
|
|
|
|
|
CBS *children = OPENSSL_malloc(num_children * sizeof(CBS));
|
|
|
|
|
if (buf == NULL || children == NULL) {
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
CBS_init(&cbs, buf, buf_len);
|
|
|
|
|
for (size_t i = 0; i < num_children; i++) {
|
|
|
|
|
if (!CBS_get_any_asn1_element(&cbs, &children[i], NULL, NULL)) {
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
qsort(children, num_children, sizeof(CBS), compare_set_of_element);
|
|
|
|
|
|
|
|
|
|
// Rewind |cbb| and write the contents back in the new order.
|
|
|
|
|
cbb->base->len = cbb->offset + cbb->pending_len_len;
|
|
|
|
|
for (size_t i = 0; i < num_children; i++) {
|
|
|
|
|
if (!CBB_add_bytes(cbb, CBS_data(&children[i]), CBS_len(&children[i]))) {
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
assert(CBB_len(cbb) == buf_len);
|
|
|
|
|
|
|
|
|
|
ret = 1;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
OPENSSL_free(buf);
|
|
|
|
|
OPENSSL_free(children);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
