From 72b0217ab12b88bde83095cba1eca47043391712 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 12 Mar 2021 23:24:54 +0200
Subject: [PATCH] PKCS: Use ASN.1 helper functions

Simplify ASN.1 parser operations by using the shared helper functions.

Signed-off-by: Jouni Malinen
---
 src/tls/pkcs1.c | 24 ++++++---------
 src/tls/pkcs5.c | 78 ++++++++++++++++++-------------------------------
 src/tls/pkcs8.c | 59 +++++++++++++------------------
 3 files changed, 57 insertions(+), 104 deletions(-)

diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
index 5761dfed0..49e439d02 100644
--- a/src/tls/pkcs1.c
+++ b/src/tls/pkcs1.c
@@ -236,11 +236,9 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 *
 */
 if (asn1_get_next(decrypted, decrypted_len, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG,
- "PKCS #1: Expected SEQUENCE (DigestInfo) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #1: Expected SEQUENCE (DigestInfo)");
 os_free(decrypted);
 return -1;
 }
@@ -259,11 +257,9 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG,
- "PKCS #1: Expected SEQUENCE (AlgorithmIdentifier) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #1: Expected SEQUENCE (AlgorithmIdentifier)");
 os_free(decrypted);
 return -1;
 }
@@ -310,11 +306,9 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
 pos = da_end;
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_OCTETSTRING) {
- wpa_printf(MSG_DEBUG,
- "PKCS #1: Expected OCTETSTRING (Digest) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_octetstring(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #1: Expected OCTETSTRING (Digest)");
 os_free(decrypted);
 return -1;
 }
diff --git a/src/tls/pkcs5.c b/src/tls/pkcs5.c
index a2ad83b8a..7bef89b4f 100644
--- a/src/tls/pkcs5.c
+++ b/src/tls/pkcs5.c
@@ -107,22 +107,18 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 */
 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG,
- "PKCS #5: Expected SEQUENCE (PBES2-params) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #5: Expected SEQUENCE (PBES2-params)");
 return -1;
 }
 pos = hdr.payload;
 end = hdr.payload + hdr.length;
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG,
- "PKCS #5: Expected SEQUENCE (keyDerivationFunc) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #5: Expected SEQUENCE (keyDerivationFunc)");
 return -1;
 }
@@ -161,11 +157,9 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG,
- "PKCS #5: Expected SEQUENCE (PBKDF2-params) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #5: Expected SEQUENCE (PBKDF2-params)");
 return -1;
 }
@@ -174,12 +168,10 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 /* For now, only support the salt CHOICE specified (OCTET STRING) */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_OCTETSTRING ||
+ !asn1_is_octetstring(&hdr) ||
 hdr.length > sizeof(params->salt)) {
- wpa_printf(MSG_DEBUG,
- "PKCS #5: Expected OCTET STRING (salt.specified) - found class %d tag 0x%x size %d",
- hdr.class, hdr.tag, hdr.length);
+ asn1_unexpected(&hdr,
+ "PKCS #5: Expected OCTET STRING (salt.specified)");
 return -1;
 }
 pos = hdr.payload + hdr.length;
@@ -188,11 +180,8 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 wpa_hexdump(MSG_DEBUG, "PKCS #5: salt", params->salt,
 params->salt_len);
 /* iterationCount INTEGER */
- if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
- wpa_printf(MSG_DEBUG,
- "PKCS #5: Expected INTEGER - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
+ asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
 return -1;
 }
 if (hdr.length == 1) {
@@ -222,11 +211,9 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 /* encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} */
 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG,
- "PKCS #5: Expected SEQUENCE (encryptionScheme) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #5: Expected SEQUENCE (encryptionScheme)");
 return -1;
 }
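Review bot: In the salt.specified hunk the new `asn1_unexpected()` call no longer reports `hdr.length`, although the condition it reports on also fails when the OCTET STRING is longer than `sizeof(params->salt)`; a correctly tagged but oversized salt will now be logged as "Expected OCTET STRING (salt.specified)" with a class and tag that match, which misleads whoever reads the debug log. The same `size %d` detail is lost in the IV hunk (`hdr.length != 8`) and in the PBEParameter salt hunk of pkcs5_get_params. Suggest splitting the length test out of the tag test so the helper reports tag mismatches and a separate wpa_printf() reports the length, as below. pkcs5_get_params_pbes2 starts and ends outside this hunk.
```c
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    !asn1_is_octetstring(&hdr)) {
		asn1_unexpected(&hdr,
				"PKCS #5: Expected OCTET STRING (salt.specified)");
		return -1;
	}
	if (hdr.length > sizeof(params->salt)) {
		wpa_printf(MSG_DEBUG,
			   "PKCS #5: salt.specified too long (%lu bytes)",
			   (unsigned long) hdr.length);
		return -1;
	}
	/* … unchanged: copy salt, advance pos … */
```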
@@ -258,12 +245,9 @@ static int pkcs5_get_params_pbes2(struct pkcs5_params *params, const u8 *pos,
 * specifying the initialization vector for CBC mode.
 */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_OCTETSTRING ||
- hdr.length != 8) {
- wpa_printf(MSG_DEBUG,
- "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV) - found class %d tag 0x%x size %d",
- hdr.class, hdr.tag, hdr.length);
+ !asn1_is_octetstring(&hdr) || hdr.length != 8) {
+ asn1_unexpected(&hdr,
+ "PKCS #5: Expected OCTET STRING (SIZE(8)) (IV)");
 return -1;
 }
 os_memcpy(params->iv, hdr.payload, hdr.length);
@@ -323,11 +307,9 @@ static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
 */
 if (asn1_get_next(pos, enc_alg_end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG, "PKCS #5: Expected SEQUENCE "
- "(PBEParameter) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #5: Expected SEQUENCE (PBEParameter)");
 return -1;
 }
 pos = hdr.payload;
@@ -335,12 +317,9 @@ static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
 /* salt OCTET STRING SIZE(8) (PKCS #5) or OCTET STRING (PKCS #12) */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_OCTETSTRING ||
- hdr.length > sizeof(params->salt)) {
- wpa_printf(MSG_DEBUG, "PKCS #5: Expected OCTETSTRING SIZE(8) "
- "(salt) - found class %d tag 0x%x size %d",
- hdr.class, hdr.tag, hdr.length);
+ !asn1_is_octetstring(&hdr) || hdr.length > sizeof(params->salt)) {
+ asn1_unexpected(&hdr,
+ "PKCS #5: Expected OCTETSTRING SIZE(8) (salt)");
 return -1;
 }
 pos = hdr.payload + hdr.length;
@@ -351,9 +330,8 @@ static int pkcs5_get_params(const u8 *enc_alg, size_t enc_alg_len,
 /* iterationCount INTEGER */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
- wpa_printf(MSG_DEBUG, "PKCS #5: Expected INTEGER - found "
- "class %d tag 0x%x", hdr.class, hdr.tag);
+ !asn1_is_integer(&hdr)) {
+ asn1_unexpected(&hdr, "PKCS #5: Expected INTEGER");
 return -1;
 }
 if (hdr.length == 1)
diff --git a/src/tls/pkcs8.c b/src/tls/pkcs8.c
index 52e43a440..75bbd120c 100644
--- a/src/tls/pkcs8.c
+++ b/src/tls/pkcs8.c
@@ -27,22 +27,17 @@ struct crypto_private_key * pkcs8_key_import(const u8 *buf, size_t len)
 /* PKCS #8, Chapter 6 */
 /* PrivateKeyInfo ::= SEQUENCE */
- if (asn1_get_next(buf, len, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG, "PKCS #8: Does not start with PKCS #8 "
- "header (SEQUENCE); assume PKCS #8 not used");
+ if (asn1_get_next(buf, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #8: Does not start with PKCS #8 header (SEQUENCE)");
 return NULL;
 }
 pos = hdr.payload;
 end = pos + hdr.length;
 /* version Version (Version ::= INTEGER) */
- if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_INTEGER) {
- wpa_printf(MSG_DEBUG, "PKCS #8: Expected INTEGER - found "
- "class %d tag 0x%x; assume PKCS #8 not used",
- hdr.class, hdr.tag);
+ if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_integer(&hdr)) {
+ asn1_unexpected(&hdr, "PKCS #8: Expected INTEGER");
 return NULL;
 }
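Review bot: The two new messages in the pkcs8_key_import hunk drop the "; assume PKCS #8 not used" suffix that the old wpa_printf() calls carried, while the AlgorithmIdentifier message later in the same function and every message in pkcs8_enc_key_import keep it in the new code. If, as the old wording suggests, a NULL return here is how the caller falls back to other key formats, that suffix is what tells a log reader the failure is expected rather than a broken key. Suggest `"PKCS #8: Does not start with PKCS #8 header (SEQUENCE); assume PKCS #8 not used"` and `"PKCS #8: Expected INTEGER; assume PKCS #8 not used"` for consistency. pkcs8_key_import begins before this hunk.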
@@ -68,13 +63,9 @@ struct crypto_private_key * pkcs8_key_import(const u8 *buf, size_t len)
 /* privateKeyAlgorithm PrivateKeyAlgorithmIdentifier
 * (PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier) */
- if (asn1_get_next(pos, len, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG, "PKCS #8: Expected SEQUENCE "
- "(AlgorithmIdentifier) - found class %d tag 0x%x; "
- "assume PKCS #8 not used",
- hdr.class, hdr.tag);
+ if (asn1_get_next(pos, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #8: Expected SEQUENCE (AlgorithmIdentifier); assume PKCS #8 not used");
 return NULL;
 }
@@ -104,11 +95,9 @@ struct crypto_private_key * pkcs8_key_import(const u8 *buf, size_t len)
 /* privateKey PrivateKey (PrivateKey ::= OCTET STRING) */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_OCTETSTRING) {
- wpa_printf(MSG_DEBUG, "PKCS #8: Expected OCTETSTRING "
- "(privateKey) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_octetstring(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #8: Expected OCTETSTRING (privateKey)");
 return NULL;
 }
 wpa_printf(MSG_DEBUG, "PKCS #8: Try to parse RSAPrivateKey");
@@ -139,12 +128,9 @@ pkcs8_enc_key_import(const u8 *buf, size_t len, const char *passwd)
 * EncryptedData ::= OCTET STRING
 */
- if (asn1_get_next(buf, len, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG, "PKCS #8: Does not start with PKCS #8 "
- "header (SEQUENCE); assume encrypted PKCS #8 not "
- "used");
+ if (asn1_get_next(buf, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #8: Does not start with PKCS #8 header (SEQUENCE); assume encrypted PKCS #8 not used");
 return NULL;
 }
 pos = hdr.payload;
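Review bot: The privateKeyAlgorithm parse rewritten in the first hunk still bounds asn1_get_next() with `len`, the length of the whole input buffer, even though `pos` has by then been advanced past the outer SEQUENCE header and the version INTEGER; the version parse in the preceding hunk uses `end - pos`, with `end = pos + hdr.length` derived from the outer SEQUENCE. Unless `len` is reassigned between the two hunks (the function body between them is outside the diff, so I cannot tell), an inner element whose encoded length exceeds the bytes actually remaining would pass the bound check and the later accesses to `hdr.payload` could read past the buffer. The new line should follow the sibling calls: `if (asn1_get_next(pos, end - pos, &hdr) < 0 || !asn1_is_sequence(&hdr)) {`. pkcs8_key_import begins and ends outside this hunk.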
@@ -152,12 +138,9 @@ pkcs8_enc_key_import(const u8 *buf, size_t len, const char *passwd)
 /* encryptionAlgorithm EncryptionAlgorithmIdentifier */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_SEQUENCE) {
- wpa_printf(MSG_DEBUG, "PKCS #8: Expected SEQUENCE "
- "(AlgorithmIdentifier) - found class %d tag 0x%x; "
- "assume encrypted PKCS #8 not used",
- hdr.class, hdr.tag);
+ !asn1_is_sequence(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #8: Expected SEQUENCE (AlgorithmIdentifier); assume encrypted PKCS #8 not used");
 return NULL;
 }
 enc_alg = hdr.payload;
@@ -166,11 +149,9 @@ pkcs8_enc_key_import(const u8 *buf, size_t len, const char *passwd)
 /* encryptedData EncryptedData */
 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
- hdr.class != ASN1_CLASS_UNIVERSAL ||
- hdr.tag != ASN1_TAG_OCTETSTRING) {
- wpa_printf(MSG_DEBUG, "PKCS #8: Expected OCTETSTRING "
- "(encryptedData) - found class %d tag 0x%x",
- hdr.class, hdr.tag);
+ !asn1_is_octetstring(&hdr)) {
+ asn1_unexpected(&hdr,
+ "PKCS #8: Expected OCTETSTRING (encryptedData)");
 return NULL;
 }