Chiebot-Mirror
/
boringssl
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Mirror of BoringSSL (grpc依赖) https://boringssl.googlesource.com/boringssl
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
877 Commits
61 Branches
23 Tags
511 MiB
Tag: Branch: Tree: 0378578cd4
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0378578cd4'
${ noResults }
boringssl/crypto/asn1/asn1_test.cc

2307 lines
84 KiB
Raw Normal View History Unescape

acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
5 years ago
/* Copyright (c) 2016, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <limits.h>
#include <stdio.h>
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
#include <map>
Add some tests for time_t to ASN1_TIME conversions. Change-Id: I7712f66e16b761ee23292980cff039e62d29b22f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48666 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
#include <string>
acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
5 years ago
#include <vector>
#include <gtest/gtest.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/bytestring.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/span.h>
Always encode booleans as DER. The ASN1_BOOLEAN representation is a mess. ASN1_BOOLEAN is an int and if non-negative (negative values mean omitted or default), gets cast to uint8_t and encoded as the value. This means callers are simply expected to know true is 0xff, not 1. Fix this by only encoding 0 or 0xff. This also fixes a bug where values like 0x100 are interpreted as true (e.g. in the tasn_enc.c logic to handle default values), but encoded as false because the cast only looks at the least significant byte. This CL does not change the parsing behavior, which is to allow any BER encoding and preserve the value in the in-memory representation (though we should tighten that). However the BER encode will no longer be preserved when re-encoding. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break. Change-Id: I5bb53e068d5900daca07299a27c0551e78ffa91d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46924 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
#include <openssl/x509v3.h>
acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
5 years ago
#include "../test/test_util.h"
Test that built-in ASN1_STRING_TABLEs are sorted. There's a test in the file under ifdef, but that is not wired up into the build. Change-Id: Iec09277c7ce948c33303d12c325207de2188d908 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49766 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
#include "internal.h"
acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
5 years ago
Make ASN1_STRING_TABLE_add thread-safe and document. This function is a little awkward. It mutates global data, so if two libraries in the address space both attempt to define a custom OID, they will conflict. But some existing code uses it so, as long as it does so, we should make it thread-safe. Along the way, I've switched it to a hash table and removed the ability to overwrite existing entries. Previously, overwriting a built-in table would crash (on platforms where const structures are write-protected). Overwriting a dynamic table implemented this weird merging algorithm. The one caller I've seen does not appear to need this feature. I've also switched ASN1_STRING_TABLE_cleanup to a no-op, matching our other global cleanup functions. This function is not safe to call without global knowledge of all other uses of the library. Update-Note: ASN1_STRING_TABLE_add no longer allows overwrite existing entries. In most cases, this would crash or trigger a race condition anyway. Bug: 426 Change-Id: Ie024cca87feaef3ff10064b452f3a860844544da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49769 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
#if defined(OPENSSL_THREADS)
#include <thread>
#endif
acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
5 years ago
// kTag128 is an ASN.1 structure with a universal tag with number 128.
static const uint8_t kTag128[] = {
0x1f, 0x81, 0x00, 0x01, 0x00,
};
// kTag258 is an ASN.1 structure with a universal tag with number 258.
static const uint8_t kTag258[] = {
0x1f, 0x82, 0x02, 0x01, 0x00,
};
static_assert(V_ASN1_NEG_INTEGER == 258,
"V_ASN1_NEG_INTEGER changed. Update kTag258 to collide with it.");
// kTagOverflow is an ASN.1 structure with a universal tag with number 2^35-1,
// which will not fit in an int.
static const uint8_t kTagOverflow[] = {
0x1f, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x01, 0x00,
};
TEST(ASN1Test, LargeTags) {
const uint8_t *p = kTag258;
bssl::UniquePtr<ASN1_TYPE> obj(d2i_ASN1_TYPE(NULL, &p, sizeof(kTag258)));
EXPECT_FALSE(obj) << "Parsed value with illegal tag" << obj->type;
ERR_clear_error();
p = kTagOverflow;
obj.reset(d2i_ASN1_TYPE(NULL, &p, sizeof(kTagOverflow)));
EXPECT_FALSE(obj) << "Parsed value with tag overflow" << obj->type;
ERR_clear_error();
p = kTag128;
obj.reset(d2i_ASN1_TYPE(NULL, &p, sizeof(kTag128)));
ASSERT_TRUE(obj);
EXPECT_EQ(128, obj->type);
const uint8_t kZero = 0;
EXPECT_EQ(Bytes(&kZero, 1), Bytes(obj->value.asn1_string->data,
obj->value.asn1_string->length));
}
Const-correct the low-level ASN1 i2d functions. This is completely unchecked for now, as it all goes through tasn_enc.c. But the only non-const encoders now are X509_NAME, and the functions that call into it, so we can fix up the ones at the bottom. I haven't done the macros that use the "name" or "fname" variants. The set of macros for const are a little weird. But before expanding the header macros out, I wanted to change the signatures on the macro side once, so the compiler checks they're expanded correctly. Update-Note: The type signature of some i2d functions, such as i2d_ASN1_OCTET_STRING, is now const-correct. Bug: 407 Change-Id: I03988f5591191b41ab4e7f014bd8d41cb071b39a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49908 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
// |obj| and |i2d_func| require different template parameters because C++ may
// deduce, say, |ASN1_STRING*| via |obj| and |const ASN1_STRING*| via
// |i2d_func|. Template argument deduction then fails. The language is not able
// to resolve this by observing that |const ASN1_STRING*| works for both.
template <typename T, typename U>
void TestSerialize(T obj, int (*i2d_func)(U a, uint8_t **pp),
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
bssl::Span<const uint8_t> expected) {
Const-correct the low-level ASN1 i2d functions. This is completely unchecked for now, as it all goes through tasn_enc.c. But the only non-const encoders now are X509_NAME, and the functions that call into it, so we can fix up the ones at the bottom. I haven't done the macros that use the "name" or "fname" variants. The set of macros for const are a little weird. But before expanding the header macros out, I wanted to change the signatures on the macro side once, so the compiler checks they're expanded correctly. Update-Note: The type signature of some i2d functions, such as i2d_ASN1_OCTET_STRING, is now const-correct. Bug: 407 Change-Id: I03988f5591191b41ab4e7f014bd8d41cb071b39a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49908 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
static_assert(std::is_convertible<T, U>::value,
"incompatible parameter to i2d_func");
Compute ASN.1 BIT STRING sizes more consistently. OpenSSL's BIT STRING representation has two modes, one where it implicitly trims trailing zeros and the other where the number of unused bits is explicitly set. This means logic in ASN1_item_verify, or elsewhere in callers, that checks flags and ASN1_STRING_length is inconsistent with i2c_ASN1_BIT_STRING. Add ASN1_BIT_STRING_num_bytes for code that needs to deal with X.509 using BIT STRING for some fields instead of OCTET STRING. Switch ASN1_item_verify to it. Some external code does this too, so export it as public API. This is mostly a theoretical issue. All parsed BIT STRINGS use explicit byte strings, and there are no APIs (apart from not-yet-opaquified structs) to specify the ASN1_STRING in X509, etc., structures. We intentionally made X509_set1_signature_value, etc., internally construct the ASN1_STRING. Still having an API is more consistent and helps nudge callers towards rejecting excess bits when they want bytes. It may also be worth a public API for consistently accessing the bit count. I've left it alone for now because I've not seen callers that need it, and it saves worrying about bytes-to-bits overflows. This also fixes a bug in the original version of the truncating logic when the entire string was all zeros, and const-corrects a few parameters. Change-Id: I9d29842a3d3264b0cde61ca8cfea07d02177dbc2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48225 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// Test the allocating version first. It is easiest to debug.
uint8_t *ptr = nullptr;
int len = i2d_func(obj, &ptr);
ASSERT_GT(len, 0);
EXPECT_EQ(Bytes(expected), Bytes(ptr, len));
OPENSSL_free(ptr);
len = i2d_func(obj, nullptr);
ASSERT_GT(len, 0);
EXPECT_EQ(len, static_cast<int>(expected.size()));
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
Compute ASN.1 BIT STRING sizes more consistently. OpenSSL's BIT STRING representation has two modes, one where it implicitly trims trailing zeros and the other where the number of unused bits is explicitly set. This means logic in ASN1_item_verify, or elsewhere in callers, that checks flags and ASN1_STRING_length is inconsistent with i2c_ASN1_BIT_STRING. Add ASN1_BIT_STRING_num_bytes for code that needs to deal with X.509 using BIT STRING for some fields instead of OCTET STRING. Switch ASN1_item_verify to it. Some external code does this too, so export it as public API. This is mostly a theoretical issue. All parsed BIT STRINGS use explicit byte strings, and there are no APIs (apart from not-yet-opaquified structs) to specify the ASN1_STRING in X509, etc., structures. We intentionally made X509_set1_signature_value, etc., internally construct the ASN1_STRING. Still having an API is more consistent and helps nudge callers towards rejecting excess bits when they want bytes. It may also be worth a public API for consistently accessing the bit count. I've left it alone for now because I've not seen callers that need it, and it saves worrying about bytes-to-bits overflows. This also fixes a bug in the original version of the truncating logic when the entire string was all zeros, and const-corrects a few parameters. Change-Id: I9d29842a3d3264b0cde61ca8cfea07d02177dbc2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48225 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
std::vector<uint8_t> buf(len);
ptr = buf.data();
len = i2d_func(obj, &ptr);
ASSERT_EQ(len, static_cast<int>(expected.size()));
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
EXPECT_EQ(ptr, buf.data() + buf.size());
EXPECT_EQ(Bytes(expected), Bytes(buf));
}
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
static bssl::UniquePtr<BIGNUM> BIGNUMPow2(unsigned bit) {
bssl::UniquePtr<BIGNUM> bn(BN_new());
if (!bn ||
!BN_set_bit(bn.get(), bit)) {
return nullptr;
}
return bn;
}
TEST(ASN1Test, Integer) {
bssl::UniquePtr<BIGNUM> int64_min = BIGNUMPow2(63);
ASSERT_TRUE(int64_min);
BN_set_negative(int64_min.get(), 1);
bssl::UniquePtr<BIGNUM> int64_max = BIGNUMPow2(63);
ASSERT_TRUE(int64_max);
ASSERT_TRUE(BN_sub_word(int64_max.get(), 1));
bssl::UniquePtr<BIGNUM> int32_min = BIGNUMPow2(31);
ASSERT_TRUE(int32_min);
BN_set_negative(int32_min.get(), 1);
bssl::UniquePtr<BIGNUM> int32_max = BIGNUMPow2(31);
ASSERT_TRUE(int32_max);
ASSERT_TRUE(BN_sub_word(int32_max.get(), 1));
struct {
// der is the DER encoding of the INTEGER, including the tag and length.
std::vector<uint8_t> der;
// type and data are the corresponding fields of the |ASN1_STRING|
// representation.
int type;
std::vector<uint8_t> data;
// bn_asc is the |BIGNUM| representation, as parsed by the |BN_asc2bn|
// function.
const char *bn_asc;
} kTests[] = {
// -2^64 - 1
{{0x02, 0x09, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
V_ASN1_NEG_INTEGER,
{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
"-0x10000000000000001"},
// -2^64
{{0x02, 0x09, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
V_ASN1_NEG_INTEGER,
{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
"-0x10000000000000000"},
// -2^64 + 1
{{0x02, 0x09, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
V_ASN1_NEG_INTEGER,
{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
"-0xffffffffffffffff"},
// -2^63 - 1
{{0x02, 0x09, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
V_ASN1_NEG_INTEGER,
{0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
"-0x8000000000000001"},
// -2^63 (INT64_MIN)
{{0x02, 0x08, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
V_ASN1_NEG_INTEGER,
{0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
"-0x8000000000000000"},
// -2^63 + 1
{{0x02, 0x08, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
V_ASN1_NEG_INTEGER,
{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
"-0x7fffffffffffffff"},
// -2^32 - 1
{{0x02, 0x05, 0xfe, 0xff, 0xff, 0xff, 0xff},
V_ASN1_NEG_INTEGER,
{0x01, 0x00, 0x00, 0x00, 0x01},
"-0x100000001"},
// -2^32
{{0x02, 0x05, 0xff, 0x00, 0x00, 0x00, 0x00},
V_ASN1_NEG_INTEGER,
{0x01, 0x00, 0x00, 0x00, 0x00},
"-0x100000000"},
// -2^32 + 1
{{0x02, 0x05, 0xff, 0x00, 0x00, 0x00, 0x01},
V_ASN1_NEG_INTEGER,
{0xff, 0xff, 0xff, 0xff},
"-0xffffffff"},
// -2^31 - 1
{{0x02, 0x05, 0xff, 0x7f, 0xff, 0xff, 0xff},
V_ASN1_NEG_INTEGER,
{0x80, 0x00, 0x00, 0x01},
"-0x80000001"},
// -2^31 (INT32_MIN)
{{0x02, 0x04, 0x80, 0x00, 0x00, 0x00},
V_ASN1_NEG_INTEGER,
{0x80, 0x00, 0x00, 0x00},
"-0x80000000"},
// -2^31 + 1
{{0x02, 0x04, 0x80, 0x00, 0x00, 0x01},
V_ASN1_NEG_INTEGER,
{0x7f, 0xff, 0xff, 0xff},
"-0x7fffffff"},
// -257
{{0x02, 0x02, 0xfe, 0xff}, V_ASN1_NEG_INTEGER, {0x01, 0x01}, "-257"},
// -256
{{0x02, 0x02, 0xff, 0x00}, V_ASN1_NEG_INTEGER, {0x01, 0x00}, "-256"},
// -255
{{0x02, 0x02, 0xff, 0x01}, V_ASN1_NEG_INTEGER, {0xff}, "-255"},
// -129
{{0x02, 0x02, 0xff, 0x7f}, V_ASN1_NEG_INTEGER, {0x81}, "-129"},
// -128
{{0x02, 0x01, 0x80}, V_ASN1_NEG_INTEGER, {0x80}, "-128"},
// -127
{{0x02, 0x01, 0x81}, V_ASN1_NEG_INTEGER, {0x7f}, "-127"},
// -1
{{0x02, 0x01, 0xff}, V_ASN1_NEG_INTEGER, {0x01}, "-1"},
// 0
Rewrite and tighten ASN1_INTEGER encoding and decoding. This fixes several issues around ASN1_INTEGER handling. First, invalid INTEGERs (not allowed in BER or DER) will no longer be accepted by d2i_ASN1_INTEGER. This aligns with upstream OpenSSL, which became strict in 6c5b6cb035666d46495ccbe4a4f3d5e3a659cd40, part of OpenSSL 1.1.0. In addition to matching the standard, this is needed to avoid round-tripping issues: ASN1_INTEGER uses a sign-and-magnitude representation, different from the DER two's complement representation. That means we cannot represent invalid DER INTEGERs. Attempting to do so messes up some invariants and causes values to not round-trip correctly when re-encoded. Thanks to Tavis Ormandy for catching this. Next, this CL tidies the story around invalid ASN1_INTEGERs (non-minimal and negative zero). Although we will never produce them in parsing, it is still possible to manually construct them with ASN1_STRING APIs. Historically (CVE-2016-2108), it was possible to get them out of the parser, due to a different bug, *and* i2d_ASN1_INTEGER had a memory error in doing so. That different bug has since been fixed, but we should still handle them correctly and test this. (To that end, this CL adds a test we ought to have added importing upstream's 3661bb4e7934668bd99ca777ea8b30eedfafa871 back in c4eec0c16b02c97a62a95b6a08656c3a9ddb6baa.) As the two's complement invariants are subtle as it is, I've opted to just fix the invalid values before encoding. However, invalid ASN1_INTEGERs still do not quite work right because ASN1_INTEGER_get, ASN1_INTEGER_cmp, and ASN1_STRING_cmp will all return surprising values with them. I've left those alone. Finally, that leads to the zero value. Almost every function believes the representation of 0 is a "\0" rather than "". However, a default-constructed INTEGER, like any other string type, is "". Those do not compare as equal. crypto/asn1 treats ASN1_INTEGER generically as ASN1_STRING enough that I think changing the other functions to match is cleaner than changing default-constructed ASN1_INTEGERs. Thus this CL removes all the special cases around zero. Update-Note: Invalid INTEGERs will no longer parse, but they already would not have parsed in OpenSSL. Additionally, zero is now internally represented as "" rather than "\0". Bug: 354 Change-Id: Id4d51a18f32afe90fd4df7455b21e0c8bdbc5389 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51632 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
{{0x02, 0x01, 0x00}, V_ASN1_INTEGER, {}, "0"},
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
// 1
{{0x02, 0x01, 0x01}, V_ASN1_INTEGER, {0x01}, "1"},
// 127
{{0x02, 0x01, 0x7f}, V_ASN1_INTEGER, {0x7f}, "127"},
// 128
{{0x02, 0x02, 0x00, 0x80}, V_ASN1_INTEGER, {0x80}, "128"},
// 129
{{0x02, 0x02, 0x00, 0x81}, V_ASN1_INTEGER, {0x81}, "129"},
// 255
{{0x02, 0x02, 0x00, 0xff}, V_ASN1_INTEGER, {0xff}, "255"},
// 256
{{0x02, 0x02, 0x01, 0x00}, V_ASN1_INTEGER, {0x01, 0x00}, "256"},
// 257
{{0x02, 0x02, 0x01, 0x01}, V_ASN1_INTEGER, {0x01, 0x01}, "257"},
// 2^31 - 2
{{0x02, 0x04, 0x7f, 0xff, 0xff, 0xfe},
V_ASN1_INTEGER,
{0x7f, 0xff, 0xff, 0xfe},
"0x7ffffffe"},
// 2^31 - 1 (INT32_MAX)
{{0x02, 0x04, 0x7f, 0xff, 0xff, 0xff},
V_ASN1_INTEGER,
{0x7f, 0xff, 0xff, 0xff},
"0x7fffffff"},
// 2^31
{{0x02, 0x05, 0x00, 0x80, 0x00, 0x00, 0x00},
V_ASN1_INTEGER,
{0x80, 0x00, 0x00, 0x00},
"0x80000000"},
// 2^32 - 2
{{0x02, 0x05, 0x00, 0xff, 0xff, 0xff, 0xfe},
V_ASN1_INTEGER,
{0xff, 0xff, 0xff, 0xfe},
"0xfffffffe"},
// 2^32 - 1 (UINT32_MAX)
{{0x02, 0x05, 0x00, 0xff, 0xff, 0xff, 0xff},
V_ASN1_INTEGER,
{0xff, 0xff, 0xff, 0xff},
"0xffffffff"},
// 2^32
{{0x02, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00},
V_ASN1_INTEGER,
{0x01, 0x00, 0x00, 0x00, 0x00},
"0x100000000"},
// 2^63 - 2
{{0x02, 0x08, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
V_ASN1_INTEGER,
{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
"0x7ffffffffffffffe"},
// 2^63 - 1 (INT64_MAX)
{{0x02, 0x08, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
V_ASN1_INTEGER,
{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
"0x7fffffffffffffff"},
// 2^63
{{0x02, 0x09, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
V_ASN1_INTEGER,
{0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
"0x8000000000000000"},
// 2^64 - 2
{{0x02, 0x09, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
V_ASN1_INTEGER,
{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe},
"0xfffffffffffffffe"},
// 2^64 - 1 (UINT64_MAX)
{{0x02, 0x09, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
V_ASN1_INTEGER,
{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
"0xffffffffffffffff"},
// 2^64
{{0x02, 0x09, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
V_ASN1_INTEGER,
{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
"0x10000000000000000"},
// 2^64 + 1
{{0x02, 0x09, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
V_ASN1_INTEGER,
{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
"0x10000000000000001"},
};
for (const auto &t : kTests) {
SCOPED_TRACE(t.bn_asc);
// Collect a map of different ways to construct the integer. The key is the
// method used and is only retained to aid debugging.
std::map<std::string, bssl::UniquePtr<ASN1_INTEGER>> objs;
// Construct |ASN1_INTEGER| by setting the type and data manually.
bssl::UniquePtr<ASN1_INTEGER> by_data(ASN1_STRING_type_new(t.type));
ASSERT_TRUE(by_data);
ASSERT_TRUE(ASN1_STRING_set(by_data.get(), t.data.data(), t.data.size()));
objs["data"] = std::move(by_data);
// Construct |ASN1_INTEGER| from a |BIGNUM|.
BIGNUM *bn_raw = nullptr;
ASSERT_TRUE(BN_asc2bn(&bn_raw, t.bn_asc));
bssl::UniquePtr<BIGNUM> bn(bn_raw);
bssl::UniquePtr<ASN1_INTEGER> by_bn(BN_to_ASN1_INTEGER(bn.get(), nullptr));
ASSERT_TRUE(by_bn);
objs["bn"] = std::move(by_bn);
// Construct |ASN1_INTEGER| from decoding.
const uint8_t *ptr = t.der.data();
bssl::UniquePtr<ASN1_INTEGER> by_der(
d2i_ASN1_INTEGER(nullptr, &ptr, t.der.size()));
ASSERT_TRUE(by_der);
EXPECT_EQ(ptr, t.der.data() + t.der.size());
objs["der"] = std::move(by_der);
// Construct |ASN1_INTEGER| from |long| or |uint64_t|, if it fits.
Correctly handle LONG_MIN in ASN1_INTEGER_get. Along the way, add ASN1_INTEGER_get_uint64 from upstream, which has much better error-handling. Also fold the IntegerSetting test into the main integer test as the test data is largely redundant. Change-Id: I7ec84629264ebf405bea4bce59a13c4495d81ed7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51634 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
bool fits_in_long = false, fits_in_u64 = false;
uint64_t u64 = 0;
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
long l = 0;
uint64_t abs_u64;
if (BN_get_u64(bn.get(), &abs_u64)) {
Correctly handle LONG_MIN in ASN1_INTEGER_get. Along the way, add ASN1_INTEGER_get_uint64 from upstream, which has much better error-handling. Also fold the IntegerSetting test into the main integer test as the test data is largely redundant. Change-Id: I7ec84629264ebf405bea4bce59a13c4495d81ed7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51634 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
fits_in_u64 = !BN_is_negative(bn.get());
if (fits_in_u64) {
u64 = abs_u64;
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
bssl::UniquePtr<ASN1_INTEGER> by_u64(ASN1_INTEGER_new());
ASSERT_TRUE(by_u64);
Correctly handle LONG_MIN in ASN1_INTEGER_get. Along the way, add ASN1_INTEGER_get_uint64 from upstream, which has much better error-handling. Also fold the IntegerSetting test into the main integer test as the test data is largely redundant. Change-Id: I7ec84629264ebf405bea4bce59a13c4495d81ed7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51634 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
ASSERT_TRUE(ASN1_INTEGER_set_uint64(by_u64.get(), u64));
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
objs["u64"] = std::move(by_u64);
}
if (sizeof(long) == 8) {
fits_in_long = BN_cmp(int64_min.get(), bn.get()) <= 0 &&
BN_cmp(bn.get(), int64_max.get()) <= 0;
} else {
ASSERT_EQ(4u, sizeof(long));
fits_in_long = BN_cmp(int32_min.get(), bn.get()) <= 0 &&
BN_cmp(bn.get(), int32_max.get()) <= 0;
}
if (fits_in_long) {
if (BN_is_negative(bn.get())) {
l = static_cast<long>(0u - abs_u64);
} else {
l = static_cast<long>(abs_u64);
}
bssl::UniquePtr<ASN1_INTEGER> by_long(ASN1_INTEGER_new());
ASSERT_TRUE(by_long);
ASSERT_TRUE(ASN1_INTEGER_set(by_long.get(), l));
objs["long"] = std::move(by_long);
}
}
Rewrite and tighten ASN1_INTEGER encoding and decoding. This fixes several issues around ASN1_INTEGER handling. First, invalid INTEGERs (not allowed in BER or DER) will no longer be accepted by d2i_ASN1_INTEGER. This aligns with upstream OpenSSL, which became strict in 6c5b6cb035666d46495ccbe4a4f3d5e3a659cd40, part of OpenSSL 1.1.0. In addition to matching the standard, this is needed to avoid round-tripping issues: ASN1_INTEGER uses a sign-and-magnitude representation, different from the DER two's complement representation. That means we cannot represent invalid DER INTEGERs. Attempting to do so messes up some invariants and causes values to not round-trip correctly when re-encoded. Thanks to Tavis Ormandy for catching this. Next, this CL tidies the story around invalid ASN1_INTEGERs (non-minimal and negative zero). Although we will never produce them in parsing, it is still possible to manually construct them with ASN1_STRING APIs. Historically (CVE-2016-2108), it was possible to get them out of the parser, due to a different bug, *and* i2d_ASN1_INTEGER had a memory error in doing so. That different bug has since been fixed, but we should still handle them correctly and test this. (To that end, this CL adds a test we ought to have added importing upstream's 3661bb4e7934668bd99ca777ea8b30eedfafa871 back in c4eec0c16b02c97a62a95b6a08656c3a9ddb6baa.) As the two's complement invariants are subtle as it is, I've opted to just fix the invalid values before encoding. However, invalid ASN1_INTEGERs still do not quite work right because ASN1_INTEGER_get, ASN1_INTEGER_cmp, and ASN1_STRING_cmp will all return surprising values with them. I've left those alone. Finally, that leads to the zero value. Almost every function believes the representation of 0 is a "\0" rather than "". However, a default-constructed INTEGER, like any other string type, is "". Those do not compare as equal. crypto/asn1 treats ASN1_INTEGER generically as ASN1_STRING enough that I think changing the other functions to match is cleaner than changing default-constructed ASN1_INTEGERs. Thus this CL removes all the special cases around zero. Update-Note: Invalid INTEGERs will no longer parse, but they already would not have parsed in OpenSSL. Additionally, zero is now internally represented as "" rather than "\0". Bug: 354 Change-Id: Id4d51a18f32afe90fd4df7455b21e0c8bdbc5389 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51632 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
// Default construction should return the zero |ASN1_INTEGER|.
if (BN_is_zero(bn.get())) {
bssl::UniquePtr<ASN1_INTEGER> by_default(ASN1_INTEGER_new());
ASSERT_TRUE(by_default);
objs["default"] = std::move(by_default);
}
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
// Test that every |ASN1_INTEGER| constructed behaves as expected.
for (const auto &pair : objs) {
// The fields should be as expected.
SCOPED_TRACE(pair.first);
const ASN1_INTEGER *obj = pair.second.get();
EXPECT_EQ(t.type, ASN1_STRING_type(obj));
EXPECT_EQ(Bytes(t.data), Bytes(ASN1_STRING_get0_data(obj),
ASN1_STRING_length(obj)));
// The object should encode correctly.
TestSerialize(obj, i2d_ASN1_INTEGER, t.der);
bssl::UniquePtr<BIGNUM> bn2(ASN1_INTEGER_to_BN(obj, nullptr));
ASSERT_TRUE(bn2);
EXPECT_EQ(0, BN_cmp(bn.get(), bn2.get()));
Correctly handle LONG_MIN in ASN1_INTEGER_get. Along the way, add ASN1_INTEGER_get_uint64 from upstream, which has much better error-handling. Also fold the IntegerSetting test into the main integer test as the test data is largely redundant. Change-Id: I7ec84629264ebf405bea4bce59a13c4495d81ed7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51634 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
if (fits_in_u64) {
uint64_t v;
ASSERT_TRUE(ASN1_INTEGER_get_uint64(&v, obj));
EXPECT_EQ(v, u64);
} else {
uint64_t v;
EXPECT_FALSE(ASN1_INTEGER_get_uint64(&v, obj));
}
if (fits_in_long) {
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
EXPECT_EQ(l, ASN1_INTEGER_get(obj));
} else {
EXPECT_EQ(-1, ASN1_INTEGER_get(obj));
}
// All variations of integers should compare as equal to each other, as
// strings or integers. (Functions like |ASN1_TYPE_cmp| rely on
// string-based comparison.)
for (const auto &pair2 : objs) {
SCOPED_TRACE(pair2.first);
EXPECT_EQ(0, ASN1_INTEGER_cmp(obj, pair2.second.get()));
EXPECT_EQ(0, ASN1_STRING_cmp(obj, pair2.second.get()));
}
}
Rewrite and tighten ASN1_INTEGER encoding and decoding. This fixes several issues around ASN1_INTEGER handling. First, invalid INTEGERs (not allowed in BER or DER) will no longer be accepted by d2i_ASN1_INTEGER. This aligns with upstream OpenSSL, which became strict in 6c5b6cb035666d46495ccbe4a4f3d5e3a659cd40, part of OpenSSL 1.1.0. In addition to matching the standard, this is needed to avoid round-tripping issues: ASN1_INTEGER uses a sign-and-magnitude representation, different from the DER two's complement representation. That means we cannot represent invalid DER INTEGERs. Attempting to do so messes up some invariants and causes values to not round-trip correctly when re-encoded. Thanks to Tavis Ormandy for catching this. Next, this CL tidies the story around invalid ASN1_INTEGERs (non-minimal and negative zero). Although we will never produce them in parsing, it is still possible to manually construct them with ASN1_STRING APIs. Historically (CVE-2016-2108), it was possible to get them out of the parser, due to a different bug, *and* i2d_ASN1_INTEGER had a memory error in doing so. That different bug has since been fixed, but we should still handle them correctly and test this. (To that end, this CL adds a test we ought to have added importing upstream's 3661bb4e7934668bd99ca777ea8b30eedfafa871 back in c4eec0c16b02c97a62a95b6a08656c3a9ddb6baa.) As the two's complement invariants are subtle as it is, I've opted to just fix the invalid values before encoding. However, invalid ASN1_INTEGERs still do not quite work right because ASN1_INTEGER_get, ASN1_INTEGER_cmp, and ASN1_STRING_cmp will all return surprising values with them. I've left those alone. Finally, that leads to the zero value. Almost every function believes the representation of 0 is a "\0" rather than "". However, a default-constructed INTEGER, like any other string type, is "". Those do not compare as equal. crypto/asn1 treats ASN1_INTEGER generically as ASN1_STRING enough that I think changing the other functions to match is cleaner than changing default-constructed ASN1_INTEGERs. Thus this CL removes all the special cases around zero. Update-Note: Invalid INTEGERs will no longer parse, but they already would not have parsed in OpenSSL. Additionally, zero is now internally represented as "" rather than "\0". Bug: 354 Change-Id: Id4d51a18f32afe90fd4df7455b21e0c8bdbc5389 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51632 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
// Although our parsers will never output non-minimal |ASN1_INTEGER|s, it is
// possible to construct them manually. They should encode correctly.
std::vector<uint8_t> data = t.data;
const int kMaxExtraBytes = 5;
for (int i = 0; i < kMaxExtraBytes; i++) {
data.insert(data.begin(), 0x00);
SCOPED_TRACE(Bytes(data));
bssl::UniquePtr<ASN1_INTEGER> non_minimal(ASN1_STRING_type_new(t.type));
ASSERT_TRUE(non_minimal);
ASSERT_TRUE(ASN1_STRING_set(non_minimal.get(), data.data(), data.size()));
TestSerialize(non_minimal.get(), i2d_ASN1_INTEGER, t.der);
}
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
}
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTests); i++) {
SCOPED_TRACE(Bytes(kTests[i].der));
const uint8_t *ptr = kTests[i].der.data();
bssl::UniquePtr<ASN1_INTEGER> a(
d2i_ASN1_INTEGER(nullptr, &ptr, kTests[i].der.size()));
ASSERT_TRUE(a);
for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(kTests); j++) {
SCOPED_TRACE(Bytes(kTests[j].der));
ptr = kTests[j].der.data();
bssl::UniquePtr<ASN1_INTEGER> b(
d2i_ASN1_INTEGER(nullptr, &ptr, kTests[j].der.size()));
ASSERT_TRUE(b);
// |ASN1_INTEGER_cmp| should compare numerically. |ASN1_STRING_cmp| does
// not but should preserve equality.
if (i < j) {
EXPECT_LT(ASN1_INTEGER_cmp(a.get(), b.get()), 0);
EXPECT_NE(ASN1_STRING_cmp(a.get(), b.get()), 0);
} else if (i > j) {
EXPECT_GT(ASN1_INTEGER_cmp(a.get(), b.get()), 0);
EXPECT_NE(ASN1_STRING_cmp(a.get(), b.get()), 0);
} else {
EXPECT_EQ(ASN1_INTEGER_cmp(a.get(), b.get()), 0);
EXPECT_EQ(ASN1_STRING_cmp(a.get(), b.get()), 0);
}
}
}
Rewrite and tighten ASN1_INTEGER encoding and decoding. This fixes several issues around ASN1_INTEGER handling. First, invalid INTEGERs (not allowed in BER or DER) will no longer be accepted by d2i_ASN1_INTEGER. This aligns with upstream OpenSSL, which became strict in 6c5b6cb035666d46495ccbe4a4f3d5e3a659cd40, part of OpenSSL 1.1.0. In addition to matching the standard, this is needed to avoid round-tripping issues: ASN1_INTEGER uses a sign-and-magnitude representation, different from the DER two's complement representation. That means we cannot represent invalid DER INTEGERs. Attempting to do so messes up some invariants and causes values to not round-trip correctly when re-encoded. Thanks to Tavis Ormandy for catching this. Next, this CL tidies the story around invalid ASN1_INTEGERs (non-minimal and negative zero). Although we will never produce them in parsing, it is still possible to manually construct them with ASN1_STRING APIs. Historically (CVE-2016-2108), it was possible to get them out of the parser, due to a different bug, *and* i2d_ASN1_INTEGER had a memory error in doing so. That different bug has since been fixed, but we should still handle them correctly and test this. (To that end, this CL adds a test we ought to have added importing upstream's 3661bb4e7934668bd99ca777ea8b30eedfafa871 back in c4eec0c16b02c97a62a95b6a08656c3a9ddb6baa.) As the two's complement invariants are subtle as it is, I've opted to just fix the invalid values before encoding. However, invalid ASN1_INTEGERs still do not quite work right because ASN1_INTEGER_get, ASN1_INTEGER_cmp, and ASN1_STRING_cmp will all return surprising values with them. I've left those alone. Finally, that leads to the zero value. Almost every function believes the representation of 0 is a "\0" rather than "". However, a default-constructed INTEGER, like any other string type, is "". Those do not compare as equal. crypto/asn1 treats ASN1_INTEGER generically as ASN1_STRING enough that I think changing the other functions to match is cleaner than changing default-constructed ASN1_INTEGERs. Thus this CL removes all the special cases around zero. Update-Note: Invalid INTEGERs will no longer parse, but they already would not have parsed in OpenSSL. Additionally, zero is now internally represented as "" rather than "\0". Bug: 354 Change-Id: Id4d51a18f32afe90fd4df7455b21e0c8bdbc5389 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51632 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
std::vector<uint8_t> kInvalidTests[] = {
// The empty string is not an integer.
{0x02, 0x00},
// Integers must be minimally-encoded.
{0x02, 0x02, 0x00, 0x00},
{0x02, 0x02, 0x00, 0x7f},
{0x02, 0x02, 0xff, 0xff},
{0x02, 0x02, 0xff, 0x80},
};
for (const auto &invalid : kInvalidTests) {
SCOPED_TRACE(Bytes(invalid));
const uint8_t *ptr = invalid.data();
bssl::UniquePtr<ASN1_INTEGER> integer(
d2i_ASN1_INTEGER(nullptr, &ptr, invalid.size()));
EXPECT_FALSE(integer);
}
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
// Callers expect |ASN1_INTEGER_get| and |ASN1_ENUMERATED_get| to return zero
// given NULL.
EXPECT_EQ(0, ASN1_INTEGER_get(nullptr));
EXPECT_EQ(0, ASN1_ENUMERATED_get(nullptr));
}
Rewrite and tighten ASN1_INTEGER encoding and decoding. This fixes several issues around ASN1_INTEGER handling. First, invalid INTEGERs (not allowed in BER or DER) will no longer be accepted by d2i_ASN1_INTEGER. This aligns with upstream OpenSSL, which became strict in 6c5b6cb035666d46495ccbe4a4f3d5e3a659cd40, part of OpenSSL 1.1.0. In addition to matching the standard, this is needed to avoid round-tripping issues: ASN1_INTEGER uses a sign-and-magnitude representation, different from the DER two's complement representation. That means we cannot represent invalid DER INTEGERs. Attempting to do so messes up some invariants and causes values to not round-trip correctly when re-encoded. Thanks to Tavis Ormandy for catching this. Next, this CL tidies the story around invalid ASN1_INTEGERs (non-minimal and negative zero). Although we will never produce them in parsing, it is still possible to manually construct them with ASN1_STRING APIs. Historically (CVE-2016-2108), it was possible to get them out of the parser, due to a different bug, *and* i2d_ASN1_INTEGER had a memory error in doing so. That different bug has since been fixed, but we should still handle them correctly and test this. (To that end, this CL adds a test we ought to have added importing upstream's 3661bb4e7934668bd99ca777ea8b30eedfafa871 back in c4eec0c16b02c97a62a95b6a08656c3a9ddb6baa.) As the two's complement invariants are subtle as it is, I've opted to just fix the invalid values before encoding. However, invalid ASN1_INTEGERs still do not quite work right because ASN1_INTEGER_get, ASN1_INTEGER_cmp, and ASN1_STRING_cmp will all return surprising values with them. I've left those alone. Finally, that leads to the zero value. Almost every function believes the representation of 0 is a "\0" rather than "". However, a default-constructed INTEGER, like any other string type, is "". Those do not compare as equal. crypto/asn1 treats ASN1_INTEGER generically as ASN1_STRING enough that I think changing the other functions to match is cleaner than changing default-constructed ASN1_INTEGERs. Thus this CL removes all the special cases around zero. Update-Note: Invalid INTEGERs will no longer parse, but they already would not have parsed in OpenSSL. Additionally, zero is now internally represented as "" rather than "\0". Bug: 354 Change-Id: Id4d51a18f32afe90fd4df7455b21e0c8bdbc5389 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51632 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
// Although invalid, a negative zero should encode correctly.
TEST(ASN1Test, NegativeZero) {
bssl::UniquePtr<ASN1_INTEGER> neg_zero(
ASN1_STRING_type_new(V_ASN1_NEG_INTEGER));
ASSERT_TRUE(neg_zero);
EXPECT_EQ(0, ASN1_INTEGER_get(neg_zero.get()));
static const uint8_t kDER[] = {0x02, 0x01, 0x00};
TestSerialize(neg_zero.get(), i2d_ASN1_INTEGER, kDER);
}
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
TEST(ASN1Test, SerializeObject) {
static const uint8_t kDER[] = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01};
const ASN1_OBJECT *obj = OBJ_nid2obj(NID_rsaEncryption);
TestSerialize(obj, i2d_ASN1_OBJECT, kDER);
}
Check tag class and constructed bit in d2i_ASN1_BOOLEAN. d2i_ASN1_BOOLEAN and i2d_ASN1_BOOLEAN don't go through the macros because ASN1_BOOLEAN is a slightly weird type (int instead of pointer). Their tag checks were missing a few bits. This does not affect any other d2i functions. Those already go through the ASN1_ITEM machinery. Change-Id: Ic892cd2a8b8f9ceb11e43d931f8aa6df921997d3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49866 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
TEST(ASN1Test, Boolean) {
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
static const uint8_t kTrue[] = {0x01, 0x01, 0xff};
TestSerialize(0xff, i2d_ASN1_BOOLEAN, kTrue);
Always encode booleans as DER. The ASN1_BOOLEAN representation is a mess. ASN1_BOOLEAN is an int and if non-negative (negative values mean omitted or default), gets cast to uint8_t and encoded as the value. This means callers are simply expected to know true is 0xff, not 1. Fix this by only encoding 0 or 0xff. This also fixes a bug where values like 0x100 are interpreted as true (e.g. in the tasn_enc.c logic to handle default values), but encoded as false because the cast only looks at the least significant byte. This CL does not change the parsing behavior, which is to allow any BER encoding and preserve the value in the in-memory representation (though we should tighten that). However the BER encode will no longer be preserved when re-encoding. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break. Change-Id: I5bb53e068d5900daca07299a27c0551e78ffa91d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46924 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// Other constants are also correctly encoded as TRUE.
TestSerialize(1, i2d_ASN1_BOOLEAN, kTrue);
TestSerialize(0x100, i2d_ASN1_BOOLEAN, kTrue);
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
Check tag class and constructed bit in d2i_ASN1_BOOLEAN. d2i_ASN1_BOOLEAN and i2d_ASN1_BOOLEAN don't go through the macros because ASN1_BOOLEAN is a slightly weird type (int instead of pointer). Their tag checks were missing a few bits. This does not affect any other d2i functions. Those already go through the ASN1_ITEM machinery. Change-Id: Ic892cd2a8b8f9ceb11e43d931f8aa6df921997d3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49866 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
const uint8_t *ptr = kTrue;
EXPECT_EQ(0xff, d2i_ASN1_BOOLEAN(nullptr, &ptr, sizeof(kTrue)));
EXPECT_EQ(ptr, kTrue + sizeof(kTrue));
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
static const uint8_t kFalse[] = {0x01, 0x01, 0x00};
TestSerialize(0x00, i2d_ASN1_BOOLEAN, kFalse);
Check tag class and constructed bit in d2i_ASN1_BOOLEAN. d2i_ASN1_BOOLEAN and i2d_ASN1_BOOLEAN don't go through the macros because ASN1_BOOLEAN is a slightly weird type (int instead of pointer). Their tag checks were missing a few bits. This does not affect any other d2i functions. Those already go through the ASN1_ITEM machinery. Change-Id: Ic892cd2a8b8f9ceb11e43d931f8aa6df921997d3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49866 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
ptr = kFalse;
EXPECT_EQ(0, d2i_ASN1_BOOLEAN(nullptr, &ptr, sizeof(kFalse)));
EXPECT_EQ(ptr, kFalse + sizeof(kFalse));
const std::vector<uint8_t> kInvalidBooleans[] = {
// No tag header.
{},
// No length.
{0x01},
// Truncated contents.
{0x01, 0x01},
// Contents too short or too long.
{0x01, 0x00},
{0x01, 0x02, 0x00, 0x00},
// Wrong tag number.
{0x02, 0x01, 0x00},
// Wrong tag class.
{0x81, 0x01, 0x00},
// Element is constructed.
{0x21, 0x01, 0x00},
// TODO(https://crbug.com/boringssl/354): Reject non-DER encodings of TRUE
// and test this.
};
for (const auto &invalid : kInvalidBooleans) {
SCOPED_TRACE(Bytes(invalid));
ptr = invalid.data();
EXPECT_EQ(-1, d2i_ASN1_BOOLEAN(nullptr, &ptr, invalid.size()));
ERR_clear_error();
}
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
}
Always encode booleans as DER. The ASN1_BOOLEAN representation is a mess. ASN1_BOOLEAN is an int and if non-negative (negative values mean omitted or default), gets cast to uint8_t and encoded as the value. This means callers are simply expected to know true is 0xff, not 1. Fix this by only encoding 0 or 0xff. This also fixes a bug where values like 0x100 are interpreted as true (e.g. in the tasn_enc.c logic to handle default values), but encoded as false because the cast only looks at the least significant byte. This CL does not change the parsing behavior, which is to allow any BER encoding and preserve the value in the in-memory representation (though we should tighten that). However the BER encode will no longer be preserved when re-encoding. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break. Change-Id: I5bb53e068d5900daca07299a27c0551e78ffa91d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46924 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// The templates go through a different codepath, so test them separately.
TEST(ASN1Test, SerializeEmbeddedBoolean) {
bssl::UniquePtr<BASIC_CONSTRAINTS> val(BASIC_CONSTRAINTS_new());
ASSERT_TRUE(val);
// BasicConstraints defaults to FALSE, so the encoding should be empty.
static const uint8_t kLeaf[] = {0x30, 0x00};
val->ca = 0;
TestSerialize(val.get(), i2d_BASIC_CONSTRAINTS, kLeaf);
// TRUE should always be encoded as 0xff, independent of what value the caller
// placed in the |ASN1_BOOLEAN|.
static const uint8_t kCA[] = {0x30, 0x03, 0x01, 0x01, 0xff};
val->ca = 0xff;
TestSerialize(val.get(), i2d_BASIC_CONSTRAINTS, kCA);
val->ca = 1;
TestSerialize(val.get(), i2d_BASIC_CONSTRAINTS, kCA);
val->ca = 0x100;
TestSerialize(val.get(), i2d_BASIC_CONSTRAINTS, kCA);
}
Do not access value.ptr with V_ASN1_BOOLEAN. This fixes a bug in ASN1_TYPE_get. Partly imported from upstream's 261ec72d58af64327214a78ca1c54b169ad93c28, though I don't believe ASN1_TYPE_set was broken per se. There's also a lot more than in that commit. I've added a test to ensure we maintain the unused bits invariant anyway, in case external code relies on it. (The invariant comes from the pointer being NULL-initialized and from ASN1_primitive_free zeroing *pval on free.) Change-Id: I4c0c57519a7628041d81c26cd850317e01409556 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46324 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
TEST(ASN1Test, ASN1Type) {
const struct {
int type;
std::vector<uint8_t> der;
} kTests[] = {
// BOOLEAN { TRUE }
{V_ASN1_BOOLEAN, {0x01, 0x01, 0xff}},
// BOOLEAN { FALSE }
{V_ASN1_BOOLEAN, {0x01, 0x01, 0x00}},
// OCTET_STRING { "a" }
{V_ASN1_OCTET_STRING, {0x04, 0x01, 0x61}},
Correctly handle invalid ASN1_OBJECTs when encoding. asn1_ex_i2c actually does have an error condition, it just wasn't being handled. 628b3c7f2fdf68519c27dc087c400ca616616f4e, imported from upstream's f3f8e72f494b36d05e0d04fe418f92b692fbb261, tried to check for OID-less ASN1_OBJECTs and return an error. But it and the upstream change didn't actually work. -1 in this function means to omit the object, so OpenSSL was silently misinterpreting the input structure. This changes the calling convention for asn1_ex_i2c to support this. It is, unfortunately, a little messy because: 1. One cannot check for object presense without walking the ASN1_ITEM/ASN1_TEMPLATE structures. You can *almost* check if *pval is NULL, but ASN1_BOOLEAN is an int with -1 to indicate an omitted optional. There are also FBOOLEAN/TBOOLEAN types that omit FALSE/TRUE for DEFAULT. Thus, without more invasive changes, asn1_ex_i2c must be able to report an omitted element. 2. While the i2d functions report an omitted element by successfully writing zero bytes, i2c only writes the contents. It thus must distinguish between an omitted element and an element with zero-length contents. 3. i2c_ASN1_INTEGER and i2c_ASN1_BIT_STRING return zero on error rather than -1. Those error paths are not actually reachable because they only check for NULL. In fact, OpenSSL has even unexported them. But I found a few callers. Rather than unwind all this and change the calling convention, I've just made it handle 0 and map to -1 for now. It's all a no-op anyway, and hopefully we can redo all this with CBB later. I've just added an output parameter for now. In writing tests, I also noticed that the hand-written i2d_ASN1_OBJECT and i2d_ASN1_BOOLEAN return the wrong value for errors, so I've fixed that. Update-Note: A default-constructed object with a required ASN1_OBJECT field can no longer be encoded without initializing the ASN1_OBJECT. Note this affects X509: the signature algorithm is an ASN1_OBJECT. Tests that try to serialize an X509_new() must fill in all required fields. (Production code is unlikely to be affected because the output was unparsable anyway, while tests sometimes wouldn't notice.) Bug: 429 Change-Id: I04417f5ad6b994cc5ccca540c8a7714b9b3af33d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49348 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// OCTET_STRING { }
{V_ASN1_OCTET_STRING, {0x04, 0x00}},
Do not access value.ptr with V_ASN1_BOOLEAN. This fixes a bug in ASN1_TYPE_get. Partly imported from upstream's 261ec72d58af64327214a78ca1c54b169ad93c28, though I don't believe ASN1_TYPE_set was broken per se. There's also a lot more than in that commit. I've added a test to ensure we maintain the unused bits invariant anyway, in case external code relies on it. (The invariant comes from the pointer being NULL-initialized and from ASN1_primitive_free zeroing *pval on free.) Change-Id: I4c0c57519a7628041d81c26cd850317e01409556 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46324 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// BIT_STRING { `01` `00` }
{V_ASN1_BIT_STRING, {0x03, 0x02, 0x01, 0x00}},
// INTEGER { -1 }
{V_ASN1_INTEGER, {0x02, 0x01, 0xff}},
// OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2 }
{V_ASN1_OBJECT,
{0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7,
0x09, 0x02}},
// NULL {}
{V_ASN1_NULL, {0x05, 0x00}},
// SEQUENCE {}
{V_ASN1_SEQUENCE, {0x30, 0x00}},
// SET {}
{V_ASN1_SET, {0x31, 0x00}},
// [0] { UTF8String { "a" } }
{V_ASN1_OTHER, {0xa0, 0x03, 0x0c, 0x01, 0x61}},
};
for (const auto &t : kTests) {
SCOPED_TRACE(Bytes(t.der));
// The input should successfully parse.
const uint8_t *ptr = t.der.data();
bssl::UniquePtr<ASN1_TYPE> val(d2i_ASN1_TYPE(nullptr, &ptr, t.der.size()));
ASSERT_TRUE(val);
EXPECT_EQ(ASN1_TYPE_get(val.get()), t.type);
EXPECT_EQ(val->type, t.type);
TestSerialize(val.get(), i2d_ASN1_TYPE, t.der);
}
}
// Test that reading |value.ptr| from a FALSE |ASN1_TYPE| behaves correctly. The
// type historically supported this, so maintain the invariant in case external
// code relies on it.
TEST(ASN1Test, UnusedBooleanBits) {
// OCTET_STRING { "a" }
static const uint8_t kDER[] = {0x04, 0x01, 0x61};
const uint8_t *ptr = kDER;
bssl::UniquePtr<ASN1_TYPE> val(d2i_ASN1_TYPE(nullptr, &ptr, sizeof(kDER)));
ASSERT_TRUE(val);
EXPECT_EQ(V_ASN1_OCTET_STRING, val->type);
EXPECT_TRUE(val->value.ptr);
// Set |val| to a BOOLEAN containing FALSE.
ASN1_TYPE_set(val.get(), V_ASN1_BOOLEAN, NULL);
EXPECT_EQ(V_ASN1_BOOLEAN, val->type);
EXPECT_FALSE(val->value.ptr);
}
Check tag class and constructed bit in d2i_ASN1_OBJECT. d2i_ASN1_OBJECT had a similar set of bugs in as in https://boringssl-review.googlesource.com/c/boringssl/+/49866. This does not affect any other d2i functions. Those already go through the ASN1_ITEM machinery. Update-Note: d2i_ASN1_OBJECT will now notice more incorrect tags. It was already checking for tag number 6, so it is unlikely anyone was relying on this as a non-tag-checking parser. Change-Id: I30f9ad28e3859aeb7a38c0ea299cd2e30002abce Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50290 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
TEST(ASN1Test, ParseASN1Object) {
Fix a memory leak with d2i_ASN1_OBJECT object reuse. (Imported from upstream's 65b88a75921533ada8b465bc8d5c0817ad927947 and 7c65179ad95d0f6f598ee82e763fce2567fe5802.) Change-Id: Id6a9604231d3cacc5e20af07e40d09e20dc9d3c0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47332 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// 1.2.840.113554.4.1.72585.2, an arbitrary unknown OID.
static const uint8_t kOID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
0x04, 0x01, 0x84, 0xb7, 0x09, 0x02};
ASN1_OBJECT *obj = ASN1_OBJECT_create(NID_undef, kOID, sizeof(kOID),
"short name", "long name");
ASSERT_TRUE(obj);
// OBJECT_IDENTIFIER { 1.3.101.112 }
static const uint8_t kDER[] = {0x06, 0x03, 0x2b, 0x65, 0x70};
const uint8_t *ptr = kDER;
Check tag class and constructed bit in d2i_ASN1_OBJECT. d2i_ASN1_OBJECT had a similar set of bugs in as in https://boringssl-review.googlesource.com/c/boringssl/+/49866. This does not affect any other d2i functions. Those already go through the ASN1_ITEM machinery. Update-Note: d2i_ASN1_OBJECT will now notice more incorrect tags. It was already checking for tag number 6, so it is unlikely anyone was relying on this as a non-tag-checking parser. Change-Id: I30f9ad28e3859aeb7a38c0ea299cd2e30002abce Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50290 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
// Parse an |ASN1_OBJECT| with object reuse.
Fix a memory leak with d2i_ASN1_OBJECT object reuse. (Imported from upstream's 65b88a75921533ada8b465bc8d5c0817ad927947 and 7c65179ad95d0f6f598ee82e763fce2567fe5802.) Change-Id: Id6a9604231d3cacc5e20af07e40d09e20dc9d3c0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47332 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
EXPECT_TRUE(d2i_ASN1_OBJECT(&obj, &ptr, sizeof(kDER)));
EXPECT_EQ(NID_ED25519, OBJ_obj2nid(obj));
ASN1_OBJECT_free(obj);
Check tag class and constructed bit in d2i_ASN1_OBJECT. d2i_ASN1_OBJECT had a similar set of bugs in as in https://boringssl-review.googlesource.com/c/boringssl/+/49866. This does not affect any other d2i functions. Those already go through the ASN1_ITEM machinery. Update-Note: d2i_ASN1_OBJECT will now notice more incorrect tags. It was already checking for tag number 6, so it is unlikely anyone was relying on this as a non-tag-checking parser. Change-Id: I30f9ad28e3859aeb7a38c0ea299cd2e30002abce Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50290 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
// Repeat the test, this time overriding a static |ASN1_OBJECT|. It should
// detect this and construct a new one.
Fix a memory leak with d2i_ASN1_OBJECT object reuse. (Imported from upstream's 65b88a75921533ada8b465bc8d5c0817ad927947 and 7c65179ad95d0f6f598ee82e763fce2567fe5802.) Change-Id: Id6a9604231d3cacc5e20af07e40d09e20dc9d3c0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47332 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
obj = OBJ_nid2obj(NID_rsaEncryption);
ptr = kDER;
EXPECT_TRUE(d2i_ASN1_OBJECT(&obj, &ptr, sizeof(kDER)));
EXPECT_EQ(NID_ED25519, OBJ_obj2nid(obj));
ASN1_OBJECT_free(obj);
Check tag class and constructed bit in d2i_ASN1_OBJECT. d2i_ASN1_OBJECT had a similar set of bugs in as in https://boringssl-review.googlesource.com/c/boringssl/+/49866. This does not affect any other d2i functions. Those already go through the ASN1_ITEM machinery. Update-Note: d2i_ASN1_OBJECT will now notice more incorrect tags. It was already checking for tag number 6, so it is unlikely anyone was relying on this as a non-tag-checking parser. Change-Id: I30f9ad28e3859aeb7a38c0ea299cd2e30002abce Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50290 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
const std::vector<uint8_t> kInvalidObjects[] = {
// No tag header.
{},
// No length.
{0x06},
// Truncated contents.
{0x06, 0x01},
// An OID may not be empty.
{0x06, 0x00},
// The last byte may not be a continuation byte (high bit set).
{0x06, 0x03, 0x2b, 0x65, 0xf0},
// Each component must be minimally-encoded.
{0x06, 0x03, 0x2b, 0x65, 0x80, 0x70},
{0x06, 0x03, 0x80, 0x2b, 0x65, 0x70},
// Wrong tag number.
{0x01, 0x03, 0x2b, 0x65, 0x70},
// Wrong tag class.
{0x86, 0x03, 0x2b, 0x65, 0x70},
// Element is constructed.
{0x26, 0x03, 0x2b, 0x65, 0x70},
};
for (const auto &invalid : kInvalidObjects) {
SCOPED_TRACE(Bytes(invalid));
ptr = invalid.data();
obj = d2i_ASN1_OBJECT(nullptr, &ptr, invalid.size());
EXPECT_FALSE(obj);
ASN1_OBJECT_free(obj);
ERR_clear_error();
}
Fix a memory leak with d2i_ASN1_OBJECT object reuse. (Imported from upstream's 65b88a75921533ada8b465bc8d5c0817ad927947 and 7c65179ad95d0f6f598ee82e763fce2567fe5802.) Change-Id: Id6a9604231d3cacc5e20af07e40d09e20dc9d3c0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47332 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
}
Compute ASN.1 BIT STRING sizes more consistently. OpenSSL's BIT STRING representation has two modes, one where it implicitly trims trailing zeros and the other where the number of unused bits is explicitly set. This means logic in ASN1_item_verify, or elsewhere in callers, that checks flags and ASN1_STRING_length is inconsistent with i2c_ASN1_BIT_STRING. Add ASN1_BIT_STRING_num_bytes for code that needs to deal with X.509 using BIT STRING for some fields instead of OCTET STRING. Switch ASN1_item_verify to it. Some external code does this too, so export it as public API. This is mostly a theoretical issue. All parsed BIT STRINGS use explicit byte strings, and there are no APIs (apart from not-yet-opaquified structs) to specify the ASN1_STRING in X509, etc., structures. We intentionally made X509_set1_signature_value, etc., internally construct the ASN1_STRING. Still having an API is more consistent and helps nudge callers towards rejecting excess bits when they want bytes. It may also be worth a public API for consistently accessing the bit count. I've left it alone for now because I've not seen callers that need it, and it saves worrying about bytes-to-bits overflows. This also fixes a bug in the original version of the truncating logic when the entire string was all zeros, and const-corrects a few parameters. Change-Id: I9d29842a3d3264b0cde61ca8cfea07d02177dbc2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48225 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
TEST(ASN1Test, BitString) {
const size_t kNotWholeBytes = static_cast<size_t>(-1);
const struct {
std::vector<uint8_t> in;
size_t num_bytes;
} kValidInputs[] = {
// Empty bit string
{{0x03, 0x01, 0x00}, 0},
// 0b1
{{0x03, 0x02, 0x07, 0x80}, kNotWholeBytes},
// 0b1010
{{0x03, 0x02, 0x04, 0xa0}, kNotWholeBytes},
// 0b1010101
{{0x03, 0x02, 0x01, 0xaa}, kNotWholeBytes},
// 0b10101010
{{0x03, 0x02, 0x00, 0xaa}, 1},
// Bits 0 and 63 are set
{{0x03, 0x09, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, 8},
// 64 zero bits
{{0x03, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 8},
};
for (const auto &test : kValidInputs) {
SCOPED_TRACE(Bytes(test.in));
// The input should parse and round-trip correctly.
const uint8_t *ptr = test.in.data();
bssl::UniquePtr<ASN1_BIT_STRING> val(
d2i_ASN1_BIT_STRING(nullptr, &ptr, test.in.size()));
ASSERT_TRUE(val);
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, test.in);
// Check the byte count.
size_t num_bytes;
if (test.num_bytes == kNotWholeBytes) {
EXPECT_FALSE(ASN1_BIT_STRING_num_bytes(val.get(), &num_bytes));
} else {
ASSERT_TRUE(ASN1_BIT_STRING_num_bytes(val.get(), &num_bytes));
EXPECT_EQ(num_bytes, test.num_bytes);
}
}
const std::vector<uint8_t> kInvalidInputs[] = {
// Wrong tag
{0x04, 0x01, 0x00},
// Missing leading byte
{0x03, 0x00},
// Leading byte too high
{0x03, 0x02, 0x08, 0x00},
{0x03, 0x02, 0xff, 0x00},
// Empty bit strings must have a zero leading byte.
Enforce DER rules for BIT STRING values. DER requires BIT STRING padding bits be zero. Bug: 354 Change-Id: Id59154cc4e77f91df8b9ff1eb1b09514116808da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50288 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
{0x03, 0x01, 0x01},
Compute ASN.1 BIT STRING sizes more consistently. OpenSSL's BIT STRING representation has two modes, one where it implicitly trims trailing zeros and the other where the number of unused bits is explicitly set. This means logic in ASN1_item_verify, or elsewhere in callers, that checks flags and ASN1_STRING_length is inconsistent with i2c_ASN1_BIT_STRING. Add ASN1_BIT_STRING_num_bytes for code that needs to deal with X.509 using BIT STRING for some fields instead of OCTET STRING. Switch ASN1_item_verify to it. Some external code does this too, so export it as public API. This is mostly a theoretical issue. All parsed BIT STRINGS use explicit byte strings, and there are no APIs (apart from not-yet-opaquified structs) to specify the ASN1_STRING in X509, etc., structures. We intentionally made X509_set1_signature_value, etc., internally construct the ASN1_STRING. Still having an API is more consistent and helps nudge callers towards rejecting excess bits when they want bytes. It may also be worth a public API for consistently accessing the bit count. I've left it alone for now because I've not seen callers that need it, and it saves worrying about bytes-to-bits overflows. This also fixes a bug in the original version of the truncating logic when the entire string was all zeros, and const-corrects a few parameters. Change-Id: I9d29842a3d3264b0cde61ca8cfea07d02177dbc2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48225 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// Unused bits must all be zero.
Enforce DER rules for BIT STRING values. DER requires BIT STRING padding bits be zero. Bug: 354 Change-Id: Id59154cc4e77f91df8b9ff1eb1b09514116808da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50288 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
{0x03, 0x02, 0x06, 0xc1 /* 0b11000001 */},
Compute ASN.1 BIT STRING sizes more consistently. OpenSSL's BIT STRING representation has two modes, one where it implicitly trims trailing zeros and the other where the number of unused bits is explicitly set. This means logic in ASN1_item_verify, or elsewhere in callers, that checks flags and ASN1_STRING_length is inconsistent with i2c_ASN1_BIT_STRING. Add ASN1_BIT_STRING_num_bytes for code that needs to deal with X.509 using BIT STRING for some fields instead of OCTET STRING. Switch ASN1_item_verify to it. Some external code does this too, so export it as public API. This is mostly a theoretical issue. All parsed BIT STRINGS use explicit byte strings, and there are no APIs (apart from not-yet-opaquified structs) to specify the ASN1_STRING in X509, etc., structures. We intentionally made X509_set1_signature_value, etc., internally construct the ASN1_STRING. Still having an API is more consistent and helps nudge callers towards rejecting excess bits when they want bytes. It may also be worth a public API for consistently accessing the bit count. I've left it alone for now because I've not seen callers that need it, and it saves worrying about bytes-to-bits overflows. This also fixes a bug in the original version of the truncating logic when the entire string was all zeros, and const-corrects a few parameters. Change-Id: I9d29842a3d3264b0cde61ca8cfea07d02177dbc2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48225 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
};
for (const auto &test : kInvalidInputs) {
SCOPED_TRACE(Bytes(test));
const uint8_t *ptr = test.data();
bssl::UniquePtr<ASN1_BIT_STRING> val(
d2i_ASN1_BIT_STRING(nullptr, &ptr, test.size()));
EXPECT_FALSE(val);
}
}
TEST(ASN1Test, SetBit) {
bssl::UniquePtr<ASN1_BIT_STRING> val(ASN1_BIT_STRING_new());
ASSERT_TRUE(val);
static const uint8_t kBitStringEmpty[] = {0x03, 0x01, 0x00};
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitStringEmpty);
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 0));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 100));
// Set a few bits via |ASN1_BIT_STRING_set_bit|.
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 0, 1));
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 1, 1));
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 2, 0));
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 3, 1));
static const uint8_t kBitString1101[] = {0x03, 0x02, 0x04, 0xd0};
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitString1101);
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 0));
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 1));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 2));
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 3));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 4));
// Bits that were set may be cleared.
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 1, 0));
static const uint8_t kBitString1001[] = {0x03, 0x02, 0x04, 0x90};
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitString1001);
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 0));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 1));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 2));
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 3));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 4));
// Clearing trailing bits truncates the string.
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 3, 0));
static const uint8_t kBitString1[] = {0x03, 0x02, 0x07, 0x80};
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitString1);
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 0));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 1));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 2));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 3));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 4));
// Bits may be set beyond the end of the string.
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 63, 1));
static const uint8_t kBitStringLong[] = {0x03, 0x09, 0x00, 0x80, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01};
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitStringLong);
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 0));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 62));
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 63));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 64));
// The string can be truncated back down again.
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 63, 0));
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitString1);
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 0));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 62));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 63));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 64));
// |ASN1_BIT_STRING_set_bit| also truncates when starting from a parsed
// string.
const uint8_t *ptr = kBitStringLong;
val.reset(d2i_ASN1_BIT_STRING(nullptr, &ptr, sizeof(kBitStringLong)));
ASSERT_TRUE(val);
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitStringLong);
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 63, 0));
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitString1);
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 0));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 62));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 63));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 64));
// A parsed bit string preserves trailing zero bits.
static const uint8_t kBitString10010[] = {0x03, 0x02, 0x03, 0x90};
ptr = kBitString10010;
val.reset(d2i_ASN1_BIT_STRING(nullptr, &ptr, sizeof(kBitString10010)));
ASSERT_TRUE(val);
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitString10010);
// But |ASN1_BIT_STRING_set_bit| will truncate it even if otherwise a no-op.
ASSERT_TRUE(ASN1_BIT_STRING_set_bit(val.get(), 0, 1));
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitString1001);
EXPECT_EQ(1, ASN1_BIT_STRING_get_bit(val.get(), 0));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 62));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 63));
EXPECT_EQ(0, ASN1_BIT_STRING_get_bit(val.get(), 64));
// By default, a BIT STRING implicitly truncates trailing zeros.
val.reset(ASN1_BIT_STRING_new());
ASSERT_TRUE(val);
static const uint8_t kZeros[64] = {0};
ASSERT_TRUE(ASN1_STRING_set(val.get(), kZeros, sizeof(kZeros)));
TestSerialize(val.get(), i2d_ASN1_BIT_STRING, kBitStringEmpty);
}
Document ASN1_STRING_to_UTF8. We already had a test, but move it to asn1_test.cc since it's part of the ASN.1 library. Also, since it's easy, test it using public APIs rather than stack-allocating an ASN1_STRING. Change-Id: Ic77494e6c8f74584d159a600e334416197761475 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48227 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
TEST(ASN1Test, StringToUTF8) {
static const struct {
std::vector<uint8_t> in;
int type;
const char *expected;
} kTests[] = {
// Non-minimal, two-byte UTF-8.
{{0xc0, 0x81}, V_ASN1_UTF8STRING, nullptr},
// Non-minimal, three-byte UTF-8.
{{0xe0, 0x80, 0x81}, V_ASN1_UTF8STRING, nullptr},
// Non-minimal, four-byte UTF-8.
{{0xf0, 0x80, 0x80, 0x81}, V_ASN1_UTF8STRING, nullptr},
// Truncated, four-byte UTF-8.
{{0xf0, 0x80, 0x80}, V_ASN1_UTF8STRING, nullptr},
// Low-surrogate value.
{{0xed, 0xa0, 0x80}, V_ASN1_UTF8STRING, nullptr},
// High-surrogate value.
{{0xed, 0xb0, 0x81}, V_ASN1_UTF8STRING, nullptr},
// Initial BOMs should be rejected from UCS-2 and UCS-4.
{{0xfe, 0xff, 0, 88}, V_ASN1_BMPSTRING, nullptr},
{{0, 0, 0xfe, 0xff, 0, 0, 0, 88}, V_ASN1_UNIVERSALSTRING, nullptr},
// Otherwise, BOMs should pass through.
{{0, 88, 0xfe, 0xff}, V_ASN1_BMPSTRING, "X\xef\xbb\xbf"},
{{0, 0, 0, 88, 0, 0, 0xfe, 0xff}, V_ASN1_UNIVERSALSTRING,
"X\xef\xbb\xbf"},
// The maximum code-point should pass though.
{{0, 16, 0xff, 0xfd}, V_ASN1_UNIVERSALSTRING, "\xf4\x8f\xbf\xbd"},
// Values outside the Unicode space should not.
{{0, 17, 0, 0}, V_ASN1_UNIVERSALSTRING, nullptr},
// Non-characters should be rejected.
{{0, 1, 0xff, 0xff}, V_ASN1_UNIVERSALSTRING, nullptr},
{{0, 1, 0xff, 0xfe}, V_ASN1_UNIVERSALSTRING, nullptr},
{{0, 0, 0xfd, 0xd5}, V_ASN1_UNIVERSALSTRING, nullptr},
// BMPString is UCS-2, not UTF-16, so surrogate pairs are invalid.
{{0xd8, 0, 0xdc, 1}, V_ASN1_BMPSTRING, nullptr},
Tidy up how ASN1_STRING_print_ex figures out the type. Between the lookup table, the multiple layers of reuse of the "type" variable, it is a little hard to follow what's going on with ASN1_STRING_print_ex. Replace the lookup table with a switch-case (implicitly handles the bounds check, and we can let the compiler figure out the best spelling). Then, rather than returning a "character width", which doen't represent UTF-8, just use the already-defined MBSTRING_* constants. (These changes should be covered by the existing ASN1Test.StringPrintEx test.) Change-Id: Ie3b2557bfae0f65db969e90cd0c76bc8ade963d4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52365 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
3 years ago
// INTEGERs are stored as strings, but cannot be converted to UTF-8.
{{0x01}, V_ASN1_INTEGER, nullptr},
Document ASN1_STRING_to_UTF8. We already had a test, but move it to asn1_test.cc since it's part of the ASN.1 library. Also, since it's easy, test it using public APIs rather than stack-allocating an ASN1_STRING. Change-Id: Ic77494e6c8f74584d159a600e334416197761475 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48227 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
};
for (const auto &test : kTests) {
SCOPED_TRACE(Bytes(test.in));
SCOPED_TRACE(test.type);
bssl::UniquePtr<ASN1_STRING> s(ASN1_STRING_type_new(test.type));
ASSERT_TRUE(s);
ASSERT_TRUE(ASN1_STRING_set(s.get(), test.in.data(), test.in.size()));
uint8_t *utf8;
const int utf8_len = ASN1_STRING_to_UTF8(&utf8, s.get());
EXPECT_EQ(utf8_len < 0, test.expected == nullptr);
if (utf8_len >= 0) {
if (test.expected != nullptr) {
EXPECT_EQ(Bytes(test.expected), Bytes(utf8, utf8_len));
}
OPENSSL_free(utf8);
} else {
ERR_clear_error();
}
}
}
Add some tests for time_t to ASN1_TIME conversions. Change-Id: I7712f66e16b761ee23292980cff039e62d29b22f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48666 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
static std::string ASN1StringToStdString(const ASN1_STRING *str) {
return std::string(ASN1_STRING_get0_data(str),
ASN1_STRING_get0_data(str) + ASN1_STRING_length(str));
}
Validate ASN.1 times according to RFC 5280 Refuse to parse times that are invalid according to RFC 5280, with a few exceptions for compatibility. This can affect test code that relies on making and parsing certificates that contain invalid times. Update-Note: Certificates containing invalid ASN.1 times will no longer parse. Bug: 491, 427 Change-Id: I2a3fe3a4d359ac662340a225d05b360718eb8c29 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52665 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com>
3 years ago
static bool ASN1Time_check_time_t(const ASN1_TIME *s, time_t t) {
struct tm stm, ttm;
int day, sec;
switch (ASN1_STRING_type(s)) {
case V_ASN1_GENERALIZEDTIME:
if (!asn1_generalizedtime_to_tm(&stm, s)) {
return false;
}
break;
case V_ASN1_UTCTIME:
if (!asn1_utctime_to_tm(&stm, s)) {
return false;
}
break;
default:
return 0;
}
if (!OPENSSL_gmtime(&t, &ttm) ||
!OPENSSL_gmtime_diff(&day, &sec, &ttm, &stm)) {
return false;
}
return day == 0 && sec ==0;
}
Add some tests for time_t to ASN1_TIME conversions. Change-Id: I7712f66e16b761ee23292980cff039e62d29b22f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48666 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
TEST(ASN1Test, SetTime) {
static const struct {
time_t time;
const char *generalized;
const char *utc;
} kTests[] = {
{-631152001, "19491231235959Z", nullptr},
{-631152000, "19500101000000Z", "500101000000Z"},
{0, "19700101000000Z", "700101000000Z"},
{981173106, "20010203040506Z", "010203040506Z"},
Validate ASN.1 times according to RFC 5280 Refuse to parse times that are invalid according to RFC 5280, with a few exceptions for compatibility. This can affect test code that relies on making and parsing certificates that contain invalid times. Update-Note: Certificates containing invalid ASN.1 times will no longer parse. Bug: 491, 427 Change-Id: I2a3fe3a4d359ac662340a225d05b360718eb8c29 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52665 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com>
3 years ago
{951804000, "20000229060000Z", "000229060000Z"},
Add some tests for time_t to ASN1_TIME conversions. Change-Id: I7712f66e16b761ee23292980cff039e62d29b22f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48666 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
#if defined(OPENSSL_64_BIT)
// TODO(https://crbug.com/boringssl/416): These cases overflow 32-bit
// |time_t| and do not consistently work on 32-bit platforms. For now,
// disable the tests on 32-bit. Re-enable them once the bug is fixed.
{2524607999, "20491231235959Z", "491231235959Z"},
{2524608000, "20500101000000Z", nullptr},
Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj. They would previously output syntax errors. Change-Id: I7817a91d0c8ed8d6ac6a5a1fd9c9ed1223c5960e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48667 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// Test boundary conditions.
{-62167219200, "00000101000000Z", nullptr},
{-62167219201, nullptr, nullptr},
{253402300799, "99991231235959Z", nullptr},
{253402300800, nullptr, nullptr},
Add some tests for time_t to ASN1_TIME conversions. Change-Id: I7712f66e16b761ee23292980cff039e62d29b22f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48666 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
#endif
};
for (const auto &t : kTests) {
SCOPED_TRACE(t.time);
#if defined(OPENSSL_WINDOWS)
// Windows |time_t| functions can only handle 1970 through 3000. See
// https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/gmtime-s-gmtime32-s-gmtime64-s?view=msvc-160
if (t.time < 0 || int64_t{t.time} > 32535215999) {
continue;
}
#endif
bssl::UniquePtr<ASN1_UTCTIME> utc(ASN1_UTCTIME_set(nullptr, t.time));
if (t.utc) {
ASSERT_TRUE(utc);
EXPECT_EQ(V_ASN1_UTCTIME, ASN1_STRING_type(utc.get()));
EXPECT_EQ(t.utc, ASN1StringToStdString(utc.get()));
Validate ASN.1 times according to RFC 5280 Refuse to parse times that are invalid according to RFC 5280, with a few exceptions for compatibility. This can affect test code that relies on making and parsing certificates that contain invalid times. Update-Note: Certificates containing invalid ASN.1 times will no longer parse. Bug: 491, 427 Change-Id: I2a3fe3a4d359ac662340a225d05b360718eb8c29 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52665 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com>
3 years ago
EXPECT_TRUE(ASN1Time_check_time_t(utc.get(), t.time));
Add some tests for time_t to ASN1_TIME conversions. Change-Id: I7712f66e16b761ee23292980cff039e62d29b22f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48666 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
} else {
EXPECT_FALSE(utc);
}
bssl::UniquePtr<ASN1_GENERALIZEDTIME> generalized(
ASN1_GENERALIZEDTIME_set(nullptr, t.time));
if (t.generalized) {
ASSERT_TRUE(generalized);
EXPECT_EQ(V_ASN1_GENERALIZEDTIME, ASN1_STRING_type(generalized.get()));
EXPECT_EQ(t.generalized, ASN1StringToStdString(generalized.get()));
Validate ASN.1 times according to RFC 5280 Refuse to parse times that are invalid according to RFC 5280, with a few exceptions for compatibility. This can affect test code that relies on making and parsing certificates that contain invalid times. Update-Note: Certificates containing invalid ASN.1 times will no longer parse. Bug: 491, 427 Change-Id: I2a3fe3a4d359ac662340a225d05b360718eb8c29 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52665 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com>
3 years ago
EXPECT_TRUE(ASN1Time_check_time_t(generalized.get(), t.time));
Add some tests for time_t to ASN1_TIME conversions. Change-Id: I7712f66e16b761ee23292980cff039e62d29b22f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48666 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
} else {
EXPECT_FALSE(generalized);
}
bssl::UniquePtr<ASN1_TIME> choice(ASN1_TIME_set(nullptr, t.time));
if (t.generalized) {
ASSERT_TRUE(choice);
if (t.utc) {
EXPECT_EQ(V_ASN1_UTCTIME, ASN1_STRING_type(choice.get()));
EXPECT_EQ(t.utc, ASN1StringToStdString(choice.get()));
} else {
EXPECT_EQ(V_ASN1_GENERALIZEDTIME, ASN1_STRING_type(choice.get()));
EXPECT_EQ(t.generalized, ASN1StringToStdString(choice.get()));
}
Validate ASN.1 times according to RFC 5280 Refuse to parse times that are invalid according to RFC 5280, with a few exceptions for compatibility. This can affect test code that relies on making and parsing certificates that contain invalid times. Update-Note: Certificates containing invalid ASN.1 times will no longer parse. Bug: 491, 427 Change-Id: I2a3fe3a4d359ac662340a225d05b360718eb8c29 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52665 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com>
3 years ago
EXPECT_TRUE(ASN1Time_check_time_t(choice.get(), t.time));
Add some tests for time_t to ASN1_TIME conversions. Change-Id: I7712f66e16b761ee23292980cff039e62d29b22f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48666 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
} else {
EXPECT_FALSE(choice);
}
}
}
Document ASN.1 printing functions. ASN1_STRING_print_ex is extremely complex and attempting to implement RFC2253, so write some tests for it. Along the way, unexport CHARTYPE_*, which are internal book-keeping used in ASN1_STRING_print_ex. Change-Id: Idb27cd40fb66dc099d1fd6d039a00404608c2063 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48776 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
static std::vector<uint8_t> StringToVector(const std::string &str) {
return std::vector<uint8_t>(str.begin(), str.end());
}
TEST(ASN1Test, StringPrintEx) {
const struct {
int type;
std::vector<uint8_t> data;
int str_flags;
unsigned long flags;
std::string expected;
} kTests[] = {
// A string like "hello" is never escaped or quoted.
// |ASN1_STRFLGS_ESC_QUOTE| only introduces quotes when needed. Note
// OpenSSL interprets T61String as Latin-1.
{V_ASN1_T61STRING, StringToVector("hello"), 0, 0, "hello"},
{V_ASN1_T61STRING, StringToVector("hello"), 0,
ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB,
"hello"},
{V_ASN1_T61STRING, StringToVector("hello"), 0,
ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB |
ASN1_STRFLGS_ESC_QUOTE,
"hello"},
// By default, 8-bit characters are printed without escaping.
{V_ASN1_T61STRING,
{0, '\n', 0x80, 0xff, ',', '+', '"', '\\', '<', '>', ';'},
0,
0,
std::string(1, '\0') + "\n\x80\xff,+\"\\<>;"},
// Flags control different escapes. Note that any escape flag will cause
// blackslashes to be escaped.
{V_ASN1_T61STRING,
{0, '\n', 0x80, 0xff, ',', '+', '"', '\\', '<', '>', ';'},
0,
ASN1_STRFLGS_ESC_2253,
std::string(1, '\0') + "\n\x80\xff\\,\\+\\\"\\\\\\<\\>\\;"},
{V_ASN1_T61STRING,
{0, '\n', 0x80, 0xff, ',', '+', '"', '\\', '<', '>', ';'},
0,
ASN1_STRFLGS_ESC_CTRL,
"\\00\\0A\x80\xff,+\"\\\\<>;"},
{V_ASN1_T61STRING,
{0, '\n', 0x80, 0xff, ',', '+', '"', '\\', '<', '>', ';'},
0,
ASN1_STRFLGS_ESC_MSB,
std::string(1, '\0') + "\n\\80\\FF,+\"\\\\<>;"},
{V_ASN1_T61STRING,
{0, '\n', 0x80, 0xff, ',', '+', '"', '\\', '<', '>', ';'},
0,
ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB,
"\\00\\0A\\80\\FF\\,\\+\\\"\\\\\\<\\>\\;"},
Refer to RFCs consistently. We were a mix of "RFC1234" and "RFC 1234". Apparently there is actually an answer for this, which is with a space textually and without a space in the citation/reference tag: https://datatracker.ietf.org/doc/html/rfc7322#section-3.5 Change-Id: I0c44023163fe3a2a3ffe28cbc644d4c952dc8f1e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48965 Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// When quoted, fewer characters need to be escaped in RFC 2253.
Document ASN.1 printing functions. ASN1_STRING_print_ex is extremely complex and attempting to implement RFC2253, so write some tests for it. Along the way, unexport CHARTYPE_*, which are internal book-keeping used in ASN1_STRING_print_ex. Change-Id: Idb27cd40fb66dc099d1fd6d039a00404608c2063 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48776 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
{V_ASN1_T61STRING,
{0, '\n', 0x80, 0xff, ',', '+', '"', '\\', '<', '>', ';'},
0,
ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB |
ASN1_STRFLGS_ESC_QUOTE,
"\"\\00\\0A\\80\\FF,+\\\"\\\\<>;\""},
// If no characters benefit from quotes, no quotes are added.
{V_ASN1_T61STRING,
{0, '\n', 0x80, 0xff, '"', '\\'},
0,
ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB |
ASN1_STRFLGS_ESC_QUOTE,
"\\00\\0A\\80\\FF\\\"\\\\"},
Refer to RFCs consistently. We were a mix of "RFC1234" and "RFC 1234". Apparently there is actually an answer for this, which is with a space textually and without a space in the citation/reference tag: https://datatracker.ietf.org/doc/html/rfc7322#section-3.5 Change-Id: I0c44023163fe3a2a3ffe28cbc644d4c952dc8f1e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48965 Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// RFC 2253 only escapes spaces at the start and end of a string.
Document ASN.1 printing functions. ASN1_STRING_print_ex is extremely complex and attempting to implement RFC2253, so write some tests for it. Along the way, unexport CHARTYPE_*, which are internal book-keeping used in ASN1_STRING_print_ex. Change-Id: Idb27cd40fb66dc099d1fd6d039a00404608c2063 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48776 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
{V_ASN1_T61STRING, StringToVector(" "), 0, ASN1_STRFLGS_ESC_2253,
"\\ \\ "},
Set is_first and is_last correctly with ASN1_STRFLGS_UTF8_CONVERT. The comment says (in the now outdated orflags terms) that we don't need to worry about this case because is_first/is_last only affect ASCII codepoints, but it's easier to just set it correctly. Change-Id: Ib6db66adb162a555da50f563ffc9af9da4a878ec Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53126 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
{V_ASN1_T61STRING, StringToVector(" "), 0,
ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_UTF8_CONVERT, "\\ \\ "},
Document ASN.1 printing functions. ASN1_STRING_print_ex is extremely complex and attempting to implement RFC2253, so write some tests for it. Along the way, unexport CHARTYPE_*, which are internal book-keeping used in ASN1_STRING_print_ex. Change-Id: Idb27cd40fb66dc099d1fd6d039a00404608c2063 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48776 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
{V_ASN1_T61STRING, StringToVector(" "), 0,
ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_QUOTE, "\" \""},
Refer to RFCs consistently. We were a mix of "RFC1234" and "RFC 1234". Apparently there is actually an answer for this, which is with a space textually and without a space in the citation/reference tag: https://datatracker.ietf.org/doc/html/rfc7322#section-3.5 Change-Id: I0c44023163fe3a2a3ffe28cbc644d4c952dc8f1e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48965 Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// RFC 2253 only escapes # at the start of a string.
Document ASN.1 printing functions. ASN1_STRING_print_ex is extremely complex and attempting to implement RFC2253, so write some tests for it. Along the way, unexport CHARTYPE_*, which are internal book-keeping used in ASN1_STRING_print_ex. Change-Id: Idb27cd40fb66dc099d1fd6d039a00404608c2063 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48776 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
{V_ASN1_T61STRING, StringToVector("###"), 0, ASN1_STRFLGS_ESC_2253,
"\\###"},
{V_ASN1_T61STRING, StringToVector("###"), 0,
ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_QUOTE, "\"###\""},
// By default, strings are decoded and Unicode code points are
// individually escaped.
{V_ASN1_UTF8STRING, StringToVector("a\xc2\x80\xc4\x80\xf0\x90\x80\x80"),
0, ASN1_STRFLGS_ESC_MSB, "a\\80\\U0100\\W00010000"},
{V_ASN1_BMPSTRING,
{0x00, 'a', 0x00, 0x80, 0x01, 0x00},
0,
ASN1_STRFLGS_ESC_MSB,
"a\\80\\U0100"},
{V_ASN1_UNIVERSALSTRING,
{0x00, 0x00, 0x00, 'a', //
0x00, 0x00, 0x00, 0x80, //
0x00, 0x00, 0x01, 0x00, //
0x00, 0x01, 0x00, 0x00},
0,
ASN1_STRFLGS_ESC_MSB,
"a\\80\\U0100\\W00010000"},
// |ASN1_STRFLGS_UTF8_CONVERT| normalizes everything to UTF-8 and then
// escapes individual bytes.
{V_ASN1_IA5STRING, StringToVector("a\x80"), 0,
ASN1_STRFLGS_ESC_MSB | ASN1_STRFLGS_UTF8_CONVERT, "a\\C2\\80"},
{V_ASN1_T61STRING, StringToVector("a\x80"), 0,
ASN1_STRFLGS_ESC_MSB | ASN1_STRFLGS_UTF8_CONVERT, "a\\C2\\80"},
{V_ASN1_UTF8STRING, StringToVector("a\xc2\x80\xc4\x80\xf0\x90\x80\x80"),
0, ASN1_STRFLGS_ESC_MSB | ASN1_STRFLGS_UTF8_CONVERT,
"a\\C2\\80\\C4\\80\\F0\\90\\80\\80"},
{V_ASN1_BMPSTRING,
{0x00, 'a', 0x00, 0x80, 0x01, 0x00},
0,
ASN1_STRFLGS_ESC_MSB | ASN1_STRFLGS_UTF8_CONVERT,
"a\\C2\\80\\C4\\80"},
{V_ASN1_UNIVERSALSTRING,
{0x00, 0x00, 0x00, 'a', //
0x00, 0x00, 0x00, 0x80, //
0x00, 0x00, 0x01, 0x00, //
0x00, 0x01, 0x00, 0x00},
0,
ASN1_STRFLGS_ESC_MSB | ASN1_STRFLGS_UTF8_CONVERT,
"a\\C2\\80\\C4\\80\\F0\\90\\80\\80"},
// The same as above, but without escaping the UTF-8 encoding.
{V_ASN1_IA5STRING, StringToVector("a\x80"), 0, ASN1_STRFLGS_UTF8_CONVERT,
"a\xc2\x80"},
{V_ASN1_T61STRING, StringToVector("a\x80"), 0, ASN1_STRFLGS_UTF8_CONVERT,
"a\xc2\x80"},
{V_ASN1_UTF8STRING, StringToVector("a\xc2\x80\xc4\x80\xf0\x90\x80\x80"),
0, ASN1_STRFLGS_UTF8_CONVERT, "a\xc2\x80\xc4\x80\xf0\x90\x80\x80"},
{V_ASN1_BMPSTRING,
{0x00, 'a', 0x00, 0x80, 0x01, 0x00},
0,
ASN1_STRFLGS_UTF8_CONVERT,
"a\xc2\x80\xc4\x80"},
{V_ASN1_UNIVERSALSTRING,
{0x00, 0x00, 0x00, 'a', //
0x00, 0x00, 0x00, 0x80, //
0x00, 0x00, 0x01, 0x00, //
0x00, 0x01, 0x00, 0x00},
0,
ASN1_STRFLGS_UTF8_CONVERT,
"a\xc2\x80\xc4\x80\xf0\x90\x80\x80"},
// Types that cannot be decoded are, by default, treated as a byte string.
{V_ASN1_OCTET_STRING, {0xff}, 0, 0, "\xff"},
{-1, {0xff}, 0, 0, "\xff"},
{100, {0xff}, 0, 0, "\xff"},
// |ASN1_STRFLGS_UTF8_CONVERT| still converts these bytes to UTF-8.
//
// TODO(davidben): This seems like a bug. Although it's unclear because
Refer to RFCs consistently. We were a mix of "RFC1234" and "RFC 1234". Apparently there is actually an answer for this, which is with a space textually and without a space in the citation/reference tag: https://datatracker.ietf.org/doc/html/rfc7322#section-3.5 Change-Id: I0c44023163fe3a2a3ffe28cbc644d4c952dc8f1e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48965 Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// the non-RFC-2253 options aren't especially sound. Can we just remove
Document ASN.1 printing functions. ASN1_STRING_print_ex is extremely complex and attempting to implement RFC2253, so write some tests for it. Along the way, unexport CHARTYPE_*, which are internal book-keeping used in ASN1_STRING_print_ex. Change-Id: Idb27cd40fb66dc099d1fd6d039a00404608c2063 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48776 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// them?
{V_ASN1_OCTET_STRING, {0xff}, 0, ASN1_STRFLGS_UTF8_CONVERT, "\xc3\xbf"},
{-1, {0xff}, 0, ASN1_STRFLGS_UTF8_CONVERT, "\xc3\xbf"},
{100, {0xff}, 0, ASN1_STRFLGS_UTF8_CONVERT, "\xc3\xbf"},
// |ASN1_STRFLGS_IGNORE_TYPE| causes the string type to be ignored, so it
// is always treated as a byte string, even if it is not a valid encoding.
{V_ASN1_UTF8STRING, {0xff}, 0, ASN1_STRFLGS_IGNORE_TYPE, "\xff"},
{V_ASN1_BMPSTRING, {0xff}, 0, ASN1_STRFLGS_IGNORE_TYPE, "\xff"},
{V_ASN1_UNIVERSALSTRING, {0xff}, 0, ASN1_STRFLGS_IGNORE_TYPE, "\xff"},
// |ASN1_STRFLGS_SHOW_TYPE| prepends the type name.
{V_ASN1_UTF8STRING, {'a'}, 0, ASN1_STRFLGS_SHOW_TYPE, "UTF8STRING:a"},
{-1, {'a'}, 0, ASN1_STRFLGS_SHOW_TYPE, "(unknown):a"},
{100, {'a'}, 0, ASN1_STRFLGS_SHOW_TYPE, "(unknown):a"},
// |ASN1_STRFLGS_DUMP_ALL| and |ASN1_STRFLGS_DUMP_UNKNOWN| cause
// non-string types to be printed in hex, though without the DER wrapper
// by default.
{V_ASN1_UTF8STRING, StringToVector("\xe2\x98\x83"), 0,
ASN1_STRFLGS_DUMP_UNKNOWN, "\\U2603"},
{V_ASN1_UTF8STRING, StringToVector("\xe2\x98\x83"), 0,
ASN1_STRFLGS_DUMP_ALL, "#E29883"},
{V_ASN1_OCTET_STRING, StringToVector("\xe2\x98\x83"), 0,
ASN1_STRFLGS_DUMP_UNKNOWN, "#E29883"},
{V_ASN1_OCTET_STRING, StringToVector("\xe2\x98\x83"), 0,
ASN1_STRFLGS_DUMP_ALL, "#E29883"},
// |ASN1_STRFLGS_DUMP_DER| includes the entire element.
{V_ASN1_UTF8STRING, StringToVector("\xe2\x98\x83"), 0,
ASN1_STRFLGS_DUMP_ALL | ASN1_STRFLGS_DUMP_DER, "#0C03E29883"},
{V_ASN1_OCTET_STRING, StringToVector("\xe2\x98\x83"), 0,
ASN1_STRFLGS_DUMP_ALL | ASN1_STRFLGS_DUMP_DER, "#0403E29883"},
{V_ASN1_BIT_STRING,
{0x80},
ASN1_STRING_FLAG_BITS_LEFT | 4,
ASN1_STRFLGS_DUMP_ALL | ASN1_STRFLGS_DUMP_DER,
"#03020480"},
Fix ASN1_STRING_print_ex with negative integers. ASN1_STRING and ASN1_TYPE type values almost line up, but not quite. Negative INTEGERs are not possible in X509_NAME (tag2bit maps INTEGER to 0), but negative ENUMERATEDs are (tag2bit maps ENUMERATED to B_ASN1_UNKNOWN). See https://crbug.com/boringssl/412 for some notes on this mess. Either way, the library will freely produce ASN1_STRING INTEGERs and ENUMERATEDs in non-MSTRING contexts, so get this case right. Change-Id: Ica537f4d683e7a6becc96e2eee3cb66e53372124 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48785 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// INTEGER { 1 }
{V_ASN1_INTEGER,
{0x01},
0,
ASN1_STRFLGS_DUMP_ALL | ASN1_STRFLGS_DUMP_DER,
"#020101"},
// INTEGER { -1 }
{V_ASN1_NEG_INTEGER,
{0x01},
0,
ASN1_STRFLGS_DUMP_ALL | ASN1_STRFLGS_DUMP_DER,
"#0201FF"},
// ENUMERATED { 1 }
{V_ASN1_ENUMERATED,
{0x01},
0,
ASN1_STRFLGS_DUMP_ALL | ASN1_STRFLGS_DUMP_DER,
"#0A0101"},
// ENUMERATED { -1 }
{V_ASN1_NEG_ENUMERATED,
{0x01},
0,
ASN1_STRFLGS_DUMP_ALL | ASN1_STRFLGS_DUMP_DER,
"#0A01FF"},
Document ASN.1 printing functions. ASN1_STRING_print_ex is extremely complex and attempting to implement RFC2253, so write some tests for it. Along the way, unexport CHARTYPE_*, which are internal book-keeping used in ASN1_STRING_print_ex. Change-Id: Idb27cd40fb66dc099d1fd6d039a00404608c2063 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48776 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
};
for (const auto &t : kTests) {
SCOPED_TRACE(t.type);
SCOPED_TRACE(Bytes(t.data));
SCOPED_TRACE(t.str_flags);
SCOPED_TRACE(t.flags);
bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_type_new(t.type));
ASSERT_TRUE(ASN1_STRING_set(str.get(), t.data.data(), t.data.size()));
str->flags = t.str_flags;
// If the |BIO| is null, it should measure the size.
int len = ASN1_STRING_print_ex(nullptr, str.get(), t.flags);
EXPECT_EQ(len, static_cast<int>(t.expected.size()));
// Measuring the size should also work for the |FILE| version
len = ASN1_STRING_print_ex_fp(nullptr, str.get(), t.flags);
EXPECT_EQ(len, static_cast<int>(t.expected.size()));
// Actually print the string.
bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
ASSERT_TRUE(bio);
len = ASN1_STRING_print_ex(bio.get(), str.get(), t.flags);
EXPECT_EQ(len, static_cast<int>(t.expected.size()));
const uint8_t *bio_contents;
size_t bio_len;
ASSERT_TRUE(BIO_mem_contents(bio.get(), &bio_contents, &bio_len));
EXPECT_EQ(t.expected, std::string(bio_contents, bio_contents + bio_len));
}
const struct {
int type;
std::vector<uint8_t> data;
int str_flags;
unsigned long flags;
} kUnprintableTests[] = {
// When decoding strings, invalid codepoints are errors.
{V_ASN1_UTF8STRING, {0xff}, 0, ASN1_STRFLGS_ESC_MSB},
{V_ASN1_BMPSTRING, {0xff}, 0, ASN1_STRFLGS_ESC_MSB},
{V_ASN1_BMPSTRING, {0xff}, 0, ASN1_STRFLGS_ESC_MSB},
{V_ASN1_UNIVERSALSTRING, {0xff}, 0, ASN1_STRFLGS_ESC_MSB},
};
for (const auto &t : kUnprintableTests) {
SCOPED_TRACE(t.type);
SCOPED_TRACE(Bytes(t.data));
SCOPED_TRACE(t.str_flags);
SCOPED_TRACE(t.flags);
bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_type_new(t.type));
ASSERT_TRUE(ASN1_STRING_set(str.get(), t.data.data(), t.data.size()));
str->flags = t.str_flags;
// If the |BIO| is null, it should measure the size.
int len = ASN1_STRING_print_ex(nullptr, str.get(), t.flags);
EXPECT_EQ(len, -1);
ERR_clear_error();
// Measuring the size should also work for the |FILE| version
len = ASN1_STRING_print_ex_fp(nullptr, str.get(), t.flags);
EXPECT_EQ(len, -1);
ERR_clear_error();
// Actually print the string.
bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
ASSERT_TRUE(bio);
len = ASN1_STRING_print_ex(bio.get(), str.get(), t.flags);
EXPECT_EQ(len, -1);
ERR_clear_error();
}
}
Add a test for ASN1_mbstring_copy and clean up. In writing the tests, I noticed that the documentation was wrong. First, the maximum lengths are measured in codepoints, not bytes. Second, the TODO was wrong. We actually do handle this correctly, *almost*. Rather, the bug is that the function assumes |mask| contains no extraneous bits. If it does, all extraneous bits are interpreted as B_ASN1_UTF8STRING. This seems like a bug, so I've gone ahead and fixed that, with a test. Change-Id: I7ba8fa700a8e21e6d25cb7ce879dace685eecf7e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48825 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
TEST(ASN1Test, MBString) {
const unsigned long kAll = B_ASN1_PRINTABLESTRING | B_ASN1_IA5STRING |
B_ASN1_T61STRING | B_ASN1_BMPSTRING |
B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING;
const struct {
int format;
std::vector<uint8_t> in;
unsigned long mask;
int expected_type;
std::vector<uint8_t> expected_data;
int num_codepoints;
} kTests[] = {
// Given a choice of formats, we pick the smallest that fits.
{MBSTRING_UTF8, {}, kAll, V_ASN1_PRINTABLESTRING, {}, 0},
{MBSTRING_UTF8, {'a'}, kAll, V_ASN1_PRINTABLESTRING, {'a'}, 1},
NUL is not printable. strchr is interprets the trailing NUL as part of the string, so is_printable thought NUL was allowed. Just write the code in the obvious way and let the compiler figure it out. (It seems to make a clever bitmask or something.) Update-Note: ASN1_mbstring_ncopy will no longer allow PrintableString for strings containing NUL. Change-Id: I3675191ceb44c06f0ac7b430f88272cabf392d35 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49065 Reviewed-by: Adam Langley <agl@google.com>
4 years ago
{MBSTRING_UTF8,
{'a', 'A', '0', '\'', '(', ')', '+', ',', '-', '.', '/', ':', '=', '?'},
kAll,
V_ASN1_PRINTABLESTRING,
{'a', 'A', '0', '\'', '(', ')', '+', ',', '-', '.', '/', ':', '=', '?'},
14},
{MBSTRING_UTF8, {'*'}, kAll, V_ASN1_IA5STRING, {'*'}, 1},
Add a test for ASN1_mbstring_copy and clean up. In writing the tests, I noticed that the documentation was wrong. First, the maximum lengths are measured in codepoints, not bytes. Second, the TODO was wrong. We actually do handle this correctly, *almost*. Rather, the bug is that the function assumes |mask| contains no extraneous bits. If it does, all extraneous bits are interpreted as B_ASN1_UTF8STRING. This seems like a bug, so I've gone ahead and fixed that, with a test. Change-Id: I7ba8fa700a8e21e6d25cb7ce879dace685eecf7e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48825 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
{MBSTRING_UTF8, {'\n'}, kAll, V_ASN1_IA5STRING, {'\n'}, 1},
{MBSTRING_UTF8,
{0xc2, 0x80 /* U+0080 */},
kAll,
V_ASN1_T61STRING,
{0x80},
1},
{MBSTRING_UTF8,
{0xc4, 0x80 /* U+0100 */},
kAll,
V_ASN1_BMPSTRING,
{0x01, 0x00},
1},
{MBSTRING_UTF8,
{0xf0, 0x90, 0x80, 0x80 /* U+10000 */},
kAll,
V_ASN1_UNIVERSALSTRING,
{0x00, 0x01, 0x00, 0x00},
1},
{MBSTRING_UTF8,
{0xf0, 0x90, 0x80, 0x80 /* U+10000 */},
kAll & ~B_ASN1_UNIVERSALSTRING,
V_ASN1_UTF8STRING,
{0xf0, 0x90, 0x80, 0x80},
1},
NUL is not printable. strchr is interprets the trailing NUL as part of the string, so is_printable thought NUL was allowed. Just write the code in the obvious way and let the compiler figure it out. (It seems to make a clever bitmask or something.) Update-Note: ASN1_mbstring_ncopy will no longer allow PrintableString for strings containing NUL. Change-Id: I3675191ceb44c06f0ac7b430f88272cabf392d35 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49065 Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// NUL is not printable. It should also not terminate iteration.
{MBSTRING_UTF8, {0}, kAll, V_ASN1_IA5STRING, {0}, 1},
{MBSTRING_UTF8, {0, 'a'}, kAll, V_ASN1_IA5STRING, {0, 'a'}, 2},
Add a test for ASN1_mbstring_copy and clean up. In writing the tests, I noticed that the documentation was wrong. First, the maximum lengths are measured in codepoints, not bytes. Second, the TODO was wrong. We actually do handle this correctly, *almost*. Rather, the bug is that the function assumes |mask| contains no extraneous bits. If it does, all extraneous bits are interpreted as B_ASN1_UTF8STRING. This seems like a bug, so I've gone ahead and fixed that, with a test. Change-Id: I7ba8fa700a8e21e6d25cb7ce879dace685eecf7e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48825 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// When a particular format is specified, we use it.
{MBSTRING_UTF8,
{'a'},
B_ASN1_PRINTABLESTRING,
V_ASN1_PRINTABLESTRING,
{'a'},
1},
{MBSTRING_UTF8, {'a'}, B_ASN1_IA5STRING, V_ASN1_IA5STRING, {'a'}, 1},
{MBSTRING_UTF8, {'a'}, B_ASN1_T61STRING, V_ASN1_T61STRING, {'a'}, 1},
{MBSTRING_UTF8, {'a'}, B_ASN1_UTF8STRING, V_ASN1_UTF8STRING, {'a'}, 1},
{MBSTRING_UTF8,
{'a'},
B_ASN1_BMPSTRING,
V_ASN1_BMPSTRING,
{0x00, 'a'},
1},
{MBSTRING_UTF8,
{'a'},
B_ASN1_UNIVERSALSTRING,
V_ASN1_UNIVERSALSTRING,
{0x00, 0x00, 0x00, 'a'},
1},
// A long string with characters of many widths, to test sizes are
// measured in code points.
{MBSTRING_UTF8,
{
'a', //
0xc2, 0x80, // U+0080
0xc4, 0x80, // U+0100
0xf0, 0x90, 0x80, 0x80, // U+10000
},
B_ASN1_UNIVERSALSTRING,
V_ASN1_UNIVERSALSTRING,
{
0x00, 0x00, 0x00, 'a', //
0x00, 0x00, 0x00, 0x80, //
0x00, 0x00, 0x01, 0x00, //
0x00, 0x01, 0x00, 0x00, //
},
4},
};
for (const auto &t : kTests) {
SCOPED_TRACE(t.format);
SCOPED_TRACE(Bytes(t.in));
SCOPED_TRACE(t.mask);
// Passing in nullptr should do a dry run.
EXPECT_EQ(t.expected_type,
ASN1_mbstring_copy(nullptr, t.in.data(), t.in.size(), t.format,
t.mask));
// Test allocating a new object.
ASN1_STRING *str = nullptr;
EXPECT_EQ(
t.expected_type,
ASN1_mbstring_copy(&str, t.in.data(), t.in.size(), t.format, t.mask));
ASSERT_TRUE(str);
EXPECT_EQ(t.expected_type, ASN1_STRING_type(str));
EXPECT_EQ(Bytes(t.expected_data),
Bytes(ASN1_STRING_get0_data(str), ASN1_STRING_length(str)));
// Test writing into an existing object.
ASN1_STRING_free(str);
str = ASN1_STRING_new();
ASSERT_TRUE(str);
ASN1_STRING *old_str = str;
EXPECT_EQ(
t.expected_type,
ASN1_mbstring_copy(&str, t.in.data(), t.in.size(), t.format, t.mask));
ASSERT_EQ(old_str, str);
EXPECT_EQ(t.expected_type, ASN1_STRING_type(str));
EXPECT_EQ(Bytes(t.expected_data),
Bytes(ASN1_STRING_get0_data(str), ASN1_STRING_length(str)));
ASN1_STRING_free(str);
str = nullptr;
// minsize and maxsize should be enforced, even in a dry run.
EXPECT_EQ(t.expected_type,
ASN1_mbstring_ncopy(nullptr, t.in.data(), t.in.size(), t.format,
t.mask, /*minsize=*/t.num_codepoints,
/*maxsize=*/t.num_codepoints));
EXPECT_EQ(t.expected_type,
ASN1_mbstring_ncopy(&str, t.in.data(), t.in.size(), t.format,
t.mask, /*minsize=*/t.num_codepoints,
/*maxsize=*/t.num_codepoints));
ASSERT_TRUE(str);
EXPECT_EQ(t.expected_type, ASN1_STRING_type(str));
EXPECT_EQ(Bytes(t.expected_data),
Bytes(ASN1_STRING_get0_data(str), ASN1_STRING_length(str)));
ASN1_STRING_free(str);
str = nullptr;
EXPECT_EQ(-1, ASN1_mbstring_ncopy(
nullptr, t.in.data(), t.in.size(), t.format, t.mask,
/*minsize=*/t.num_codepoints + 1, /*maxsize=*/0));
ERR_clear_error();
EXPECT_EQ(-1, ASN1_mbstring_ncopy(
&str, t.in.data(), t.in.size(), t.format, t.mask,
/*minsize=*/t.num_codepoints + 1, /*maxsize=*/0));
EXPECT_FALSE(str);
ERR_clear_error();
if (t.num_codepoints > 1) {
EXPECT_EQ(-1, ASN1_mbstring_ncopy(
nullptr, t.in.data(), t.in.size(), t.format, t.mask,
/*minsize=*/0, /*maxsize=*/t.num_codepoints - 1));
ERR_clear_error();
EXPECT_EQ(-1, ASN1_mbstring_ncopy(
&str, t.in.data(), t.in.size(), t.format, t.mask,
/*minsize=*/0, /*maxsize=*/t.num_codepoints - 1));
EXPECT_FALSE(str);
ERR_clear_error();
}
}
const struct {
int format;
std::vector<uint8_t> in;
unsigned long mask;
} kInvalidTests[] = {
// Invalid encodings are rejected.
{MBSTRING_UTF8, {0xff}, B_ASN1_UTF8STRING},
{MBSTRING_BMP, {0xff}, B_ASN1_UTF8STRING},
{MBSTRING_UNIV, {0xff}, B_ASN1_UTF8STRING},
// Lone surrogates are not code points.
{MBSTRING_UTF8, {0xed, 0xa0, 0x80}, B_ASN1_UTF8STRING},
{MBSTRING_BMP, {0xd8, 0x00}, B_ASN1_UTF8STRING},
{MBSTRING_UNIV, {0x00, 0x00, 0xd8, 0x00}, B_ASN1_UTF8STRING},
// The input does not fit in the allowed output types.
{MBSTRING_UTF8, {'\n'}, B_ASN1_PRINTABLESTRING},
{MBSTRING_UTF8,
{0xc2, 0x80 /* U+0080 */},
B_ASN1_PRINTABLESTRING | B_ASN1_IA5STRING},
{MBSTRING_UTF8,
{0xc4, 0x80 /* U+0100 */},
B_ASN1_PRINTABLESTRING | B_ASN1_IA5STRING | B_ASN1_T61STRING},
{MBSTRING_UTF8,
{0xf0, 0x90, 0x80, 0x80 /* U+10000 */},
B_ASN1_PRINTABLESTRING | B_ASN1_IA5STRING | B_ASN1_T61STRING |
B_ASN1_BMPSTRING},
// Unrecognized bits are ignored.
{MBSTRING_UTF8, {'\n'}, B_ASN1_PRINTABLESTRING | B_ASN1_SEQUENCE},
};
for (const auto &t : kInvalidTests) {
SCOPED_TRACE(t.format);
SCOPED_TRACE(Bytes(t.in));
SCOPED_TRACE(t.mask);
EXPECT_EQ(-1, ASN1_mbstring_copy(nullptr, t.in.data(), t.in.size(),
t.format, t.mask));
ERR_clear_error();
ASN1_STRING *str = nullptr;
EXPECT_EQ(-1, ASN1_mbstring_copy(&str, t.in.data(), t.in.size(),
t.format, t.mask));
ERR_clear_error();
EXPECT_EQ(nullptr, str);
}
}
Test ASN1_STRING_set_by_NID with built-in NIDs. Change-Id: I58a3fba79b03058aaff37bb3e83f971a4ecd2e99 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49767 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
TEST(ASN1Test, StringByNID) {
// |ASN1_mbstring_*| tests above test most of the interactions with |inform|,
// so all tests below use UTF-8.
const struct {
int nid;
std::string in;
int expected_type;
std::string expected;
} kTests[] = {
// Although DirectoryString and PKCS9String allow many types of strings,
// we prefer UTF8String.
{NID_commonName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_commonName, "\xe2\x98\x83", V_ASN1_UTF8STRING, "\xe2\x98\x83"},
{NID_localityName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_stateOrProvinceName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_organizationName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_organizationalUnitName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_pkcs9_unstructuredName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_pkcs9_challengePassword, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_pkcs9_unstructuredAddress, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_givenName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_givenName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_givenName, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_surname, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_initials, "abc", V_ASN1_UTF8STRING, "abc"},
{NID_name, "abc", V_ASN1_UTF8STRING, "abc"},
// Some attribute types use a particular string type.
{NID_countryName, "US", V_ASN1_PRINTABLESTRING, "US"},
{NID_pkcs9_emailAddress, "example@example.com", V_ASN1_IA5STRING,
"example@example.com"},
{NID_serialNumber, "1234", V_ASN1_PRINTABLESTRING, "1234"},
{NID_friendlyName, "abc", V_ASN1_BMPSTRING,
std::string({'\0', 'a', '\0', 'b', '\0', 'c'})},
{NID_dnQualifier, "US", V_ASN1_PRINTABLESTRING, "US"},
{NID_domainComponent, "com", V_ASN1_IA5STRING, "com"},
{NID_ms_csp_name, "abc", V_ASN1_BMPSTRING,
std::string({'\0', 'a', '\0', 'b', '\0', 'c'})},
// Unknown NIDs default to UTF8String.
{NID_rsaEncryption, "abc", V_ASN1_UTF8STRING, "abc"},
};
for (const auto &t : kTests) {
SCOPED_TRACE(t.nid);
SCOPED_TRACE(t.in);
// Test allocating a new object.
bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_set_by_NID(
nullptr, reinterpret_cast<const uint8_t *>(t.in.data()), t.in.size(),
MBSTRING_UTF8, t.nid));
ASSERT_TRUE(str);
EXPECT_EQ(t.expected_type, ASN1_STRING_type(str.get()));
EXPECT_EQ(Bytes(t.expected), Bytes(ASN1_STRING_get0_data(str.get()),
ASN1_STRING_length(str.get())));
// Test writing into an existing object.
str.reset(ASN1_STRING_new());
ASSERT_TRUE(str);
ASN1_STRING *old_str = str.get();
ASSERT_TRUE(ASN1_STRING_set_by_NID(
&old_str, reinterpret_cast<const uint8_t *>(t.in.data()), t.in.size(),
MBSTRING_UTF8, t.nid));
ASSERT_EQ(old_str, str.get());
EXPECT_EQ(t.expected_type, ASN1_STRING_type(str.get()));
EXPECT_EQ(Bytes(t.expected), Bytes(ASN1_STRING_get0_data(str.get()),
ASN1_STRING_length(str.get())));
}
const struct {
int nid;
std::string in;
} kInvalidTests[] = {
// DirectoryString forbids empty inputs.
{NID_commonName, ""},
{NID_localityName, ""},
{NID_stateOrProvinceName, ""},
{NID_organizationName, ""},
{NID_organizationalUnitName, ""},
{NID_pkcs9_unstructuredName, ""},
{NID_pkcs9_challengePassword, ""},
{NID_pkcs9_unstructuredAddress, ""},
{NID_givenName, ""},
{NID_givenName, ""},
{NID_givenName, ""},
{NID_surname, ""},
{NID_initials, ""},
{NID_name, ""},
// Test upper bounds from RFC 5280.
{NID_name, std::string(32769, 'a')},
{NID_commonName, std::string(65, 'a')},
{NID_localityName, std::string(129, 'a')},
{NID_stateOrProvinceName, std::string(129, 'a')},
{NID_organizationName, std::string(65, 'a')},
{NID_organizationalUnitName, std::string(65, 'a')},
{NID_pkcs9_emailAddress, std::string(256, 'a')},
{NID_serialNumber, std::string(65, 'a')},
// X520countryName must be exactly two characters.
{NID_countryName, "A"},
{NID_countryName, "AAA"},
// Some string types cannot represent all codepoints.
{NID_countryName, "\xe2\x98\x83"},
{NID_pkcs9_emailAddress, "\xe2\x98\x83"},
{NID_serialNumber, "\xe2\x98\x83"},
{NID_dnQualifier, "\xe2\x98\x83"},
{NID_domainComponent, "\xe2\x98\x83"},
};
for (const auto &t : kInvalidTests) {
SCOPED_TRACE(t.nid);
SCOPED_TRACE(t.in);
bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_set_by_NID(
nullptr, reinterpret_cast<const uint8_t *>(t.in.data()), t.in.size(),
MBSTRING_UTF8, t.nid));
EXPECT_FALSE(str);
ERR_clear_error();
}
}
Test ASN1_STRING_set_by_NID with custom NIDs. Callers may as well use ASN1_mbstring_ncopy directly, but some code uses this, so test it. I've intentionally not tested updating entries because it crashes if you use a built-in one, and updating a dynamic one seems unnecessary. Change-Id: If760a751fbdcd1a2f14d5dcb08de2b0f2a8d3549 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49768 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
TEST(ASN1Test, StringByCustomNID) {
// This test affects library-global state. We rely on nothing else in the test
// suite using these OIDs.
Make ASN1_STRING_TABLE_add thread-safe and document. This function is a little awkward. It mutates global data, so if two libraries in the address space both attempt to define a custom OID, they will conflict. But some existing code uses it so, as long as it does so, we should make it thread-safe. Along the way, I've switched it to a hash table and removed the ability to overwrite existing entries. Previously, overwriting a built-in table would crash (on platforms where const structures are write-protected). Overwriting a dynamic table implemented this weird merging algorithm. The one caller I've seen does not appear to need this feature. I've also switched ASN1_STRING_TABLE_cleanup to a no-op, matching our other global cleanup functions. This function is not safe to call without global knowledge of all other uses of the library. Update-Note: ASN1_STRING_TABLE_add no longer allows overwrite existing entries. In most cases, this would crash or trigger a race condition anyway. Bug: 426 Change-Id: Ie024cca87feaef3ff10064b452f3a860844544da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49769 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
int nid1 = OBJ_create("1.2.840.113554.4.1.72585.1000", "custom OID 1000",
"custom OID 1000");
Test ASN1_STRING_set_by_NID with custom NIDs. Callers may as well use ASN1_mbstring_ncopy directly, but some code uses this, so test it. I've intentionally not tested updating entries because it crashes if you use a built-in one, and updating a dynamic one seems unnecessary. Change-Id: If760a751fbdcd1a2f14d5dcb08de2b0f2a8d3549 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49768 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
ASSERT_NE(NID_undef, nid1);
Make ASN1_STRING_TABLE_add thread-safe and document. This function is a little awkward. It mutates global data, so if two libraries in the address space both attempt to define a custom OID, they will conflict. But some existing code uses it so, as long as it does so, we should make it thread-safe. Along the way, I've switched it to a hash table and removed the ability to overwrite existing entries. Previously, overwriting a built-in table would crash (on platforms where const structures are write-protected). Overwriting a dynamic table implemented this weird merging algorithm. The one caller I've seen does not appear to need this feature. I've also switched ASN1_STRING_TABLE_cleanup to a no-op, matching our other global cleanup functions. This function is not safe to call without global knowledge of all other uses of the library. Update-Note: ASN1_STRING_TABLE_add no longer allows overwrite existing entries. In most cases, this would crash or trigger a race condition anyway. Bug: 426 Change-Id: Ie024cca87feaef3ff10064b452f3a860844544da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49769 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
int nid2 = OBJ_create("1.2.840.113554.4.1.72585.1001", "custom OID 1001",
"custom OID 1001");
Test ASN1_STRING_set_by_NID with custom NIDs. Callers may as well use ASN1_mbstring_ncopy directly, but some code uses this, so test it. I've intentionally not tested updating entries because it crashes if you use a built-in one, and updating a dynamic one seems unnecessary. Change-Id: If760a751fbdcd1a2f14d5dcb08de2b0f2a8d3549 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49768 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
ASSERT_NE(NID_undef, nid2);
// Values registered in the string table should be picked up.
ASSERT_TRUE(ASN1_STRING_TABLE_add(nid1, 5, 10, V_ASN1_PRINTABLESTRING,
STABLE_NO_MASK));
bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_set_by_NID(
nullptr, reinterpret_cast<const uint8_t *>("12345"), 5, MBSTRING_UTF8,
nid1));
ASSERT_TRUE(str);
EXPECT_EQ(V_ASN1_PRINTABLESTRING, ASN1_STRING_type(str.get()));
EXPECT_EQ(Bytes("12345"), Bytes(ASN1_STRING_get0_data(str.get()),
ASN1_STRING_length(str.get())));
// Minimum and maximum lengths are enforced.
str.reset(ASN1_STRING_set_by_NID(
nullptr, reinterpret_cast<const uint8_t *>("1234"), 4, MBSTRING_UTF8,
nid1));
EXPECT_FALSE(str);
ERR_clear_error();
str.reset(ASN1_STRING_set_by_NID(
nullptr, reinterpret_cast<const uint8_t *>("12345678901"), 11,
MBSTRING_UTF8, nid1));
EXPECT_FALSE(str);
ERR_clear_error();
// Without |STABLE_NO_MASK|, we always pick UTF8String. -1 means there is no
// length limit.
ASSERT_TRUE(ASN1_STRING_TABLE_add(nid2, -1, -1, DIRSTRING_TYPE, 0));
str.reset(ASN1_STRING_set_by_NID(nullptr,
reinterpret_cast<const uint8_t *>("12345"),
5, MBSTRING_UTF8, nid2));
ASSERT_TRUE(str);
EXPECT_EQ(V_ASN1_UTF8STRING, ASN1_STRING_type(str.get()));
EXPECT_EQ(Bytes("12345"), Bytes(ASN1_STRING_get0_data(str.get()),
ASN1_STRING_length(str.get())));
Make ASN1_STRING_TABLE_add thread-safe and document. This function is a little awkward. It mutates global data, so if two libraries in the address space both attempt to define a custom OID, they will conflict. But some existing code uses it so, as long as it does so, we should make it thread-safe. Along the way, I've switched it to a hash table and removed the ability to overwrite existing entries. Previously, overwriting a built-in table would crash (on platforms where const structures are write-protected). Overwriting a dynamic table implemented this weird merging algorithm. The one caller I've seen does not appear to need this feature. I've also switched ASN1_STRING_TABLE_cleanup to a no-op, matching our other global cleanup functions. This function is not safe to call without global knowledge of all other uses of the library. Update-Note: ASN1_STRING_TABLE_add no longer allows overwrite existing entries. In most cases, this would crash or trigger a race condition anyway. Bug: 426 Change-Id: Ie024cca87feaef3ff10064b452f3a860844544da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49769 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
// Overriding existing entries, built-in or custom, is an error.
EXPECT_FALSE(
ASN1_STRING_TABLE_add(NID_countryName, -1, -1, DIRSTRING_TYPE, 0));
EXPECT_FALSE(ASN1_STRING_TABLE_add(nid1, -1, -1, DIRSTRING_TYPE, 0));
}
#if defined(OPENSSL_THREADS)
TEST(ASN1Test, StringByCustomNIDThreads) {
// This test affects library-global state. We rely on nothing else in the test
// suite using these OIDs.
int nid1 = OBJ_create("1.2.840.113554.4.1.72585.1002", "custom OID 1002",
"custom OID 1002");
ASSERT_NE(NID_undef, nid1);
int nid2 = OBJ_create("1.2.840.113554.4.1.72585.1003", "custom OID 1003",
"custom OID 1003");
ASSERT_NE(NID_undef, nid2);
std::vector<std::thread> threads;
threads.emplace_back([&] {
ASSERT_TRUE(ASN1_STRING_TABLE_add(nid1, 5, 10, V_ASN1_PRINTABLESTRING,
STABLE_NO_MASK));
bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_set_by_NID(
nullptr, reinterpret_cast<const uint8_t *>("12345"), 5, MBSTRING_UTF8,
nid1));
ASSERT_TRUE(str);
EXPECT_EQ(V_ASN1_PRINTABLESTRING, ASN1_STRING_type(str.get()));
EXPECT_EQ(Bytes("12345"), Bytes(ASN1_STRING_get0_data(str.get()),
ASN1_STRING_length(str.get())));
});
threads.emplace_back([&] {
ASSERT_TRUE(ASN1_STRING_TABLE_add(nid2, 5, 10, V_ASN1_PRINTABLESTRING,
STABLE_NO_MASK));
bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_set_by_NID(
nullptr, reinterpret_cast<const uint8_t *>("12345"), 5, MBSTRING_UTF8,
nid2));
ASSERT_TRUE(str);
EXPECT_EQ(V_ASN1_PRINTABLESTRING, ASN1_STRING_type(str.get()));
EXPECT_EQ(Bytes("12345"), Bytes(ASN1_STRING_get0_data(str.get()),
ASN1_STRING_length(str.get())));
});
for (auto &thread : threads) {
thread.join();
}
Test ASN1_STRING_set_by_NID with custom NIDs. Callers may as well use ASN1_mbstring_ncopy directly, but some code uses this, so test it. I've intentionally not tested updating entries because it crashes if you use a built-in one, and updating a dynamic one seems unnecessary. Change-Id: If760a751fbdcd1a2f14d5dcb08de2b0f2a8d3549 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49768 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
}
Make ASN1_STRING_TABLE_add thread-safe and document. This function is a little awkward. It mutates global data, so if two libraries in the address space both attempt to define a custom OID, they will conflict. But some existing code uses it so, as long as it does so, we should make it thread-safe. Along the way, I've switched it to a hash table and removed the ability to overwrite existing entries. Previously, overwriting a built-in table would crash (on platforms where const structures are write-protected). Overwriting a dynamic table implemented this weird merging algorithm. The one caller I've seen does not appear to need this feature. I've also switched ASN1_STRING_TABLE_cleanup to a no-op, matching our other global cleanup functions. This function is not safe to call without global knowledge of all other uses of the library. Update-Note: ASN1_STRING_TABLE_add no longer allows overwrite existing entries. In most cases, this would crash or trigger a race condition anyway. Bug: 426 Change-Id: Ie024cca87feaef3ff10064b452f3a860844544da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49769 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
#endif // OPENSSL_THREADS
Test ASN1_STRING_set_by_NID with custom NIDs. Callers may as well use ASN1_mbstring_ncopy directly, but some code uses this, so test it. I've intentionally not tested updating entries because it crashes if you use a built-in one, and updating a dynamic one seems unnecessary. Change-Id: If760a751fbdcd1a2f14d5dcb08de2b0f2a8d3549 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49768 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
Fix negative ENUMERATED values in multi-strings. I noticed this while I was reading through the encoder. OpenSSL's ASN.1 library is very sloppy when it comes to reusing enums. It has... - Universal tag numbers. These are just tag numbers from ASN.1 - utype. These are used in the ASN1_TYPE type field, as well as the ASN1_ITEM utype fields They are the same as universal tag numbers, except non-universal types map to V_ASN1_OTHER. I believe ASN1_TYPE types and ASN1_ITEM utypes are the same, but I am not positive. - ASN1_STRING types. These are the same as utypes, except V_ASN1_OTHER appears to only be possible when embedded inside ASN1_TYPE, and negative INTEGER and ENUMERATED values get mapped to V_ASN1_NEG_INTEGER and V_ASN1_NEG_ENUMERATED. Additionally, some values like V_ASN1_OBJECT are possible in a utype but not possible in an ASN1_STRING (and will cause lots of problems if ever placed in one). - Sometimes one of these enums is augmented with V_ASN1_UNDEF and/or V_ASN1_APP_CHOOSE for extra behaviors. - Probably others I'm missing. These get mixed up all the time. asn1_ex_i2c's MSTRING path converts from ASN1_STRING type to utype and forgets to normalize V_ASN1_NEG_*. This means that negative INTEGERs and ENUMERATEDs in MSTRINGs do not get encoded right. The negative INTEGER case is unreachable (unless the caller passes the wrong ASN1_STRING to an MSTRING i2d function, but mismatching i2d functions generally does wrong things), but the negative ENUMERATED case is reachable. Fix this and add a test. Change-Id: I762d482e72ebf03fd64bba291e751ab0b51af2a9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48805 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// Test that multi-string types correctly encode negative ENUMERATED.
// Multi-string types cannot contain INTEGER, so we only test ENUMERATED.
TEST(ASN1Test, NegativeEnumeratedMultistring) {
static const uint8_t kMinusOne[] = {0x0a, 0x01, 0xff}; // ENUMERATED { -1 }
// |ASN1_PRINTABLE| is a multi-string type that allows ENUMERATED.
const uint8_t *p = kMinusOne;
bssl::UniquePtr<ASN1_STRING> str(
d2i_ASN1_PRINTABLE(nullptr, &p, sizeof(kMinusOne)));
ASSERT_TRUE(str);
TestSerialize(str.get(), i2d_ASN1_PRINTABLE, kMinusOne);
}
Rewrite ASN1_PRINTABLE_type and add tests. The old loop read one byte past the length. It also stopped the loop too early on interior NUL. See also upstream's https://github.com/openssl/openssl/pull/16433, though I've opted to rewrite the function entirely rather than use their fix. Also deduplicate the PrintableString check. Change-Id: Ia8bd282047c2a2ed1d5e71a68a3947c7c108df95 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49066 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
TEST(ASN1Test, PrintableType) {
const struct {
std::vector<uint8_t> in;
int result;
} kTests[] = {
{{}, V_ASN1_PRINTABLESTRING},
{{'a', 'A', '0', '\'', '(', ')', '+', ',', '-', '.', '/', ':', '=', '?'},
V_ASN1_PRINTABLESTRING},
{{'*'}, V_ASN1_IA5STRING},
{{'\0'}, V_ASN1_IA5STRING},
{{'\0', 'a'}, V_ASN1_IA5STRING},
{{0, 1, 2, 3, 125, 126, 127}, V_ASN1_IA5STRING},
{{0, 1, 2, 3, 125, 126, 127, 128}, V_ASN1_T61STRING},
{{128, 0, 1, 2, 3, 125, 126, 127}, V_ASN1_T61STRING},
};
for (const auto &t : kTests) {
SCOPED_TRACE(Bytes(t.in));
EXPECT_EQ(t.result, ASN1_PRINTABLE_type(t.in.data(), t.in.size()));
}
}
Check for invalid CHOICE selectors in i2d functions. This handles normal CHOICE types. A follow-up CL will handle MSTRING and ANY types. Update-Note: An invalid CHOICE object (e.g. GENERAL_NAME) will now fail when encoded, rather than be silently omitted. In particular, CHOICE objects are default-initialized by tasn_new.c in an empty -1 state. Structures containing a required CHOICE field can no longer be encoded without filling in the CHOICE. Bug: 429 Change-Id: I7011deadf518ddc344a56b07a0e268ceaae17fe0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49347 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// Encoding a CHOICE type with an invalid selector should fail.
TEST(ASN1Test, InvalidChoice) {
bssl::UniquePtr<GENERAL_NAME> name(GENERAL_NAME_new());
ASSERT_TRUE(name);
// CHOICE types are initialized with an invalid selector.
EXPECT_EQ(-1, name->type);
// |name| should fail to encode.
EXPECT_EQ(-1, i2d_GENERAL_NAME(name.get(), nullptr));
// The error should be propagated through types containing |name|.
bssl::UniquePtr<GENERAL_NAMES> names(GENERAL_NAMES_new());
ASSERT_TRUE(names);
EXPECT_TRUE(bssl::PushToStack(names.get(), std::move(name)));
EXPECT_EQ(-1, i2d_GENERAL_NAMES(names.get(), nullptr));
}
Correctly handle invalid ASN1_OBJECTs when encoding. asn1_ex_i2c actually does have an error condition, it just wasn't being handled. 628b3c7f2fdf68519c27dc087c400ca616616f4e, imported from upstream's f3f8e72f494b36d05e0d04fe418f92b692fbb261, tried to check for OID-less ASN1_OBJECTs and return an error. But it and the upstream change didn't actually work. -1 in this function means to omit the object, so OpenSSL was silently misinterpreting the input structure. This changes the calling convention for asn1_ex_i2c to support this. It is, unfortunately, a little messy because: 1. One cannot check for object presense without walking the ASN1_ITEM/ASN1_TEMPLATE structures. You can *almost* check if *pval is NULL, but ASN1_BOOLEAN is an int with -1 to indicate an omitted optional. There are also FBOOLEAN/TBOOLEAN types that omit FALSE/TRUE for DEFAULT. Thus, without more invasive changes, asn1_ex_i2c must be able to report an omitted element. 2. While the i2d functions report an omitted element by successfully writing zero bytes, i2c only writes the contents. It thus must distinguish between an omitted element and an element with zero-length contents. 3. i2c_ASN1_INTEGER and i2c_ASN1_BIT_STRING return zero on error rather than -1. Those error paths are not actually reachable because they only check for NULL. In fact, OpenSSL has even unexported them. But I found a few callers. Rather than unwind all this and change the calling convention, I've just made it handle 0 and map to -1 for now. It's all a no-op anyway, and hopefully we can redo all this with CBB later. I've just added an output parameter for now. In writing tests, I also noticed that the hand-written i2d_ASN1_OBJECT and i2d_ASN1_BOOLEAN return the wrong value for errors, so I've fixed that. Update-Note: A default-constructed object with a required ASN1_OBJECT field can no longer be encoded without initializing the ASN1_OBJECT. Note this affects X509: the signature algorithm is an ASN1_OBJECT. Tests that try to serialize an X509_new() must fill in all required fields. (Production code is unlikely to be affected because the output was unparsable anyway, while tests sometimes wouldn't notice.) Bug: 429 Change-Id: I04417f5ad6b994cc5ccca540c8a7714b9b3af33d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49348 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// Encoding NID-only |ASN1_OBJECT|s should fail.
TEST(ASN1Test, InvalidObject) {
EXPECT_EQ(-1, i2d_ASN1_OBJECT(OBJ_nid2obj(NID_kx_ecdhe), nullptr));
bssl::UniquePtr<X509_ALGOR> alg(X509_ALGOR_new());
ASSERT_TRUE(alg);
ASSERT_TRUE(X509_ALGOR_set0(alg.get(), OBJ_nid2obj(NID_kx_ecdhe),
V_ASN1_UNDEF, nullptr));
EXPECT_EQ(-1, i2d_X509_ALGOR(alg.get(), nullptr));
}
Reject -1 types in ASN1_TYPE and MSTRINGs when encoding. See https://github.com/openssl/openssl/issues/16538 Update-Note: A default-constructed object with a required ANY or string-like CHOICE field cannot be encoded until the field is specified. Note this affects i2d_X509: notBefore and notAfter are string-like CHOICEs in OpenSSL. Bug: 429 Change-Id: I97d971fa588ab72be25a4c1eb7310ed330f16c4f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49349 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
4 years ago
// Encoding invalid |ASN1_TYPE|s should fail. |ASN1_TYPE|s are
// default-initialized to an invalid type.
TEST(ASN1Test, InvalidASN1Type) {
bssl::UniquePtr<ASN1_TYPE> obj(ASN1_TYPE_new());
ASSERT_TRUE(obj);
EXPECT_EQ(-1, obj->type);
EXPECT_EQ(-1, i2d_ASN1_TYPE(obj.get(), nullptr));
}
// Encoding invalid MSTRING types should fail. An MSTRING is a CHOICE of
// string-like types. They are initialized to an invalid type.
TEST(ASN1Test, InvalidMSTRING) {
bssl::UniquePtr<ASN1_STRING> obj(ASN1_TIME_new());
ASSERT_TRUE(obj);
EXPECT_EQ(-1, obj->type);
EXPECT_EQ(-1, i2d_ASN1_TIME(obj.get(), nullptr));
obj.reset(DIRECTORYSTRING_new());
ASSERT_TRUE(obj);
EXPECT_EQ(-1, obj->type);
EXPECT_EQ(-1, i2d_DIRECTORYSTRING(obj.get(), nullptr));
}
Test that built-in ASN1_STRING_TABLEs are sorted. There's a test in the file under ifdef, but that is not wired up into the build. Change-Id: Iec09277c7ce948c33303d12c325207de2188d908 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49766 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
TEST(ASN1Test, StringTableSorted) {
const ASN1_STRING_TABLE *table;
size_t table_len;
asn1_get_string_table_for_testing(&table, &table_len);
for (size_t i = 1; i < table_len; i++) {
EXPECT_LT(table[i-1].nid, table[i].nid);
}
}
Make ASN1_NULL an opaque pointer. crypto/asn1 represents an ASN.1 NULL value as a non-null ASN1_NULL* pointer, (ASN1_NULL*)1. It is a non-null pointer because a null pointer represents an omitted OPTIONAL NULL. It is an opaque pointer because there is no sense in allocating anything. This pointer cannot be dereferenced, yet ASN1_NULL is a typedef for int. This is confusing and probably undefined behavior. (N1548, 6.3.2.3, clause 7 requires pointer conversions between two pointer types be correctly aligned, even if the pointer is never dereferenced. Strangely, clause 5 above does not impose the same requirement when converting from integer to pointer, though it mostly punts to the implementation definition.) Of course, all of tasn_*.c is a giant strict aliasing violation anyway, but an opaque struct pointer is a slightly better choice here. (Note that, although ASN1_BOOLEAN is also a typedef for int, that situation is different: the ASN1_BOOLEAN representation is a plain ASN1_BOOLEAN, not ASN1_BOOLEAN*, while the ASN1_NULL representation is a pointer. ASN1_NULL could have had the same treatment and even used a little less memory, but changing that would break the API.) Update-Note: Code that was assuming ASN1_NULL was an int typedef will fail to compile. Given this was never dereferencable, it is hard to imagine anything relying on this. Bug: 438 Change-Id: Ia0c652eed66e76f82a3843af1fc877f06c8d5e8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49805 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
TEST(ASN1Test, Null) {
// An |ASN1_NULL| is an opaque, non-null pointer. It is an arbitrary signaling
// value and does not need to be freed. (If the pointer is null, this is an
// omitted OPTIONAL NULL.)
EXPECT_NE(nullptr, ASN1_NULL_new());
// It is safe to free either the non-null pointer or the null one.
ASN1_NULL_free(ASN1_NULL_new());
ASN1_NULL_free(nullptr);
// A NULL may be decoded.
static const uint8_t kNull[] = {0x05, 0x00};
const uint8_t *ptr = kNull;
EXPECT_NE(nullptr, d2i_ASN1_NULL(nullptr, &ptr, sizeof(kNull)));
EXPECT_EQ(ptr, kNull + sizeof(kNull));
// It may also be re-encoded.
uint8_t *enc = nullptr;
int enc_len = i2d_ASN1_NULL(ASN1_NULL_new(), &enc);
ASSERT_GE(enc_len, 0);
EXPECT_EQ(Bytes(kNull), Bytes(enc, enc_len));
OPENSSL_free(enc);
enc = nullptr;
// Although the standalone representation of NULL is a non-null pointer, the
// |ASN1_TYPE| representation is a null pointer.
ptr = kNull;
bssl::UniquePtr<ASN1_TYPE> null_type(
d2i_ASN1_TYPE(nullptr, &ptr, sizeof(kNull)));
ASSERT_TRUE(null_type);
EXPECT_EQ(ptr, kNull + sizeof(kNull));
EXPECT_EQ(V_ASN1_NULL, ASN1_TYPE_get(null_type.get()));
EXPECT_EQ(nullptr, null_type->value.ptr);
}
Rewrite ASN1_item_pack and ASN1_item_unpack. ASN1_item_unpack was missing checks for trailing data. ASN1_item_pack's error handling was all wrong. (Leaking the temporary on error, checking the the wrong return value for i2d, would-be redundant check for NULL, were the other check not wrong.) Update-Note: ASN1_item_unpack now checks for trailing data. Change-Id: Ibaa19ba2b264fca36dd21109e66f9558d373c58b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49927 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
3 years ago
TEST(ASN1Test, Pack) {
bssl::UniquePtr<BASIC_CONSTRAINTS> val(BASIC_CONSTRAINTS_new());
ASSERT_TRUE(val);
val->ca = 0;
// Test all three calling conventions.
static const uint8_t kExpected[] = {0x30, 0x00};
bssl::UniquePtr<ASN1_STRING> str(
ASN1_item_pack(val.get(), ASN1_ITEM_rptr(BASIC_CONSTRAINTS), nullptr));
ASSERT_TRUE(str);
EXPECT_EQ(
Bytes(ASN1_STRING_get0_data(str.get()), ASN1_STRING_length(str.get())),
Bytes(kExpected));
ASN1_STRING *raw = nullptr;
str.reset(ASN1_item_pack(val.get(), ASN1_ITEM_rptr(BASIC_CONSTRAINTS), &raw));
ASSERT_TRUE(str);
EXPECT_EQ(raw, str.get());
EXPECT_EQ(
Bytes(ASN1_STRING_get0_data(str.get()), ASN1_STRING_length(str.get())),
Bytes(kExpected));
str.reset(ASN1_STRING_new());
ASSERT_TRUE(str);
raw = str.get();
EXPECT_TRUE(
ASN1_item_pack(val.get(), ASN1_ITEM_rptr(BASIC_CONSTRAINTS), &raw));
EXPECT_EQ(raw, str.get());
EXPECT_EQ(
Bytes(ASN1_STRING_get0_data(str.get()), ASN1_STRING_length(str.get())),
Bytes(kExpected));
}
TEST(ASN1Test, Unpack) {
bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_new());
ASSERT_TRUE(str);
static const uint8_t kValid[] = {0x30, 0x00};
ASSERT_TRUE(
ASN1_STRING_set(str.get(), kValid, sizeof(kValid)));
bssl::UniquePtr<BASIC_CONSTRAINTS> val(static_cast<BASIC_CONSTRAINTS *>(
ASN1_item_unpack(str.get(), ASN1_ITEM_rptr(BASIC_CONSTRAINTS))));
ASSERT_TRUE(val);
EXPECT_EQ(val->ca, 0);
EXPECT_EQ(val->pathlen, nullptr);
static const uint8_t kInvalid[] = {0x31, 0x00};
ASSERT_TRUE(ASN1_STRING_set(str.get(), kInvalid, sizeof(kInvalid)));
val.reset(static_cast<BASIC_CONSTRAINTS *>(
ASN1_item_unpack(str.get(), ASN1_ITEM_rptr(BASIC_CONSTRAINTS))));
EXPECT_FALSE(val);
static const uint8_t kTraiilingData[] = {0x30, 0x00, 0x00};
ASSERT_TRUE(
ASN1_STRING_set(str.get(), kTraiilingData, sizeof(kTraiilingData)));
val.reset(static_cast<BASIC_CONSTRAINTS *>(
ASN1_item_unpack(str.get(), ASN1_ITEM_rptr(BASIC_CONSTRAINTS))));
EXPECT_FALSE(val);
}
Fix BIT STRING comparison in ASN1_STRING_cmp. The comparison should notice differences in bit count. Update-Note: ASN1_STRING_cmp no longer incorrectly treats BIT STRINGs with different padding bits as equal. Bug: 446 Change-Id: I22b3fcc5d369540d029ca234e9b3b02402cec4c3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49928 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
TEST(ASN1Test, StringCmp) {
struct Input {
int type;
std::vector<uint8_t> data;
int flags;
bool equals_previous;
};
// kInputs is a list of |ASN1_STRING| parameters, in sorted order. The input
// should be sorted by bit length, then data, then type.
const Input kInputs[] = {
{V_ASN1_BIT_STRING, {}, ASN1_STRING_FLAG_BITS_LEFT | 0, false},
{V_ASN1_BIT_STRING, {}, 0, true},
// When |ASN1_STRING_FLAG_BITS_LEFT| is unset, BIT STRINGs implicitly
// drop trailing zeros.
{V_ASN1_BIT_STRING, {0x00, 0x00, 0x00, 0x00}, 0, true},
{V_ASN1_OCTET_STRING, {}, 0, false},
{V_ASN1_UTF8STRING, {}, 0, false},
// BIT STRINGs with padding bits (i.e. not part of the actual value) are
// shorter and thus sort earlier:
// 1-bit inputs.
{V_ASN1_BIT_STRING, {0x00}, ASN1_STRING_FLAG_BITS_LEFT | 7, false},
{V_ASN1_BIT_STRING, {0x80}, ASN1_STRING_FLAG_BITS_LEFT | 7, false},
// 2-bit inputs.
{V_ASN1_BIT_STRING, {0x00}, ASN1_STRING_FLAG_BITS_LEFT | 6, false},
{V_ASN1_BIT_STRING, {0xc0}, ASN1_STRING_FLAG_BITS_LEFT | 6, false},
// 3-bit inputs.
{V_ASN1_BIT_STRING, {0x00}, ASN1_STRING_FLAG_BITS_LEFT | 5, false},
{V_ASN1_BIT_STRING, {0xe0}, ASN1_STRING_FLAG_BITS_LEFT | 5, false},
// 4-bit inputs.
{V_ASN1_BIT_STRING, {0xf0}, ASN1_STRING_FLAG_BITS_LEFT | 4, false},
{V_ASN1_BIT_STRING, {0xf0}, 0, true}, // 4 trailing zeros dropped.
{V_ASN1_BIT_STRING, {0xf0, 0x00}, 0, true}, // 12 trailing zeros dropped.
// 5-bit inputs.
{V_ASN1_BIT_STRING, {0x00}, ASN1_STRING_FLAG_BITS_LEFT | 3, false},
{V_ASN1_BIT_STRING, {0xf0}, ASN1_STRING_FLAG_BITS_LEFT | 3, false},
{V_ASN1_BIT_STRING, {0xf8}, ASN1_STRING_FLAG_BITS_LEFT | 3, false},
// 6-bit inputs.
{V_ASN1_BIT_STRING, {0x00}, ASN1_STRING_FLAG_BITS_LEFT | 2, false},
{V_ASN1_BIT_STRING, {0xf0}, ASN1_STRING_FLAG_BITS_LEFT | 2, false},
{V_ASN1_BIT_STRING, {0xfc}, ASN1_STRING_FLAG_BITS_LEFT | 2, false},
// 7-bit inputs.
{V_ASN1_BIT_STRING, {0x00}, ASN1_STRING_FLAG_BITS_LEFT | 1, false},
{V_ASN1_BIT_STRING, {0xf0}, ASN1_STRING_FLAG_BITS_LEFT | 1, false},
{V_ASN1_BIT_STRING, {0xfe}, ASN1_STRING_FLAG_BITS_LEFT | 1, false},
// 8-bit inputs.
{V_ASN1_BIT_STRING, {0x00}, ASN1_STRING_FLAG_BITS_LEFT | 0, false},
{V_ASN1_OCTET_STRING, {0x00}, 0, false},
{V_ASN1_UTF8STRING, {0x00}, 0, false},
{V_ASN1_BIT_STRING, {0x80}, ASN1_STRING_FLAG_BITS_LEFT | 0, false},
{V_ASN1_OCTET_STRING, {0x80}, 0, false},
{V_ASN1_UTF8STRING, {0x80}, 0, false},
{V_ASN1_BIT_STRING, {0xff}, ASN1_STRING_FLAG_BITS_LEFT | 0, false},
{V_ASN1_BIT_STRING, {0xff}, 0, true}, // No trailing zeros to drop.
{V_ASN1_OCTET_STRING, {0xff}, 0, false},
{V_ASN1_UTF8STRING, {0xff}, 0, false},
// Bytes are compared lexicographically.
{V_ASN1_BIT_STRING, {0x00, 0x00}, ASN1_STRING_FLAG_BITS_LEFT | 0, false},
{V_ASN1_OCTET_STRING, {0x00, 0x00}, 0, false},
{V_ASN1_UTF8STRING, {0x00, 0x00}, 0, false},
{V_ASN1_BIT_STRING, {0x00, 0xff}, ASN1_STRING_FLAG_BITS_LEFT | 0, false},
{V_ASN1_OCTET_STRING, {0x00, 0xff}, 0, false},
{V_ASN1_UTF8STRING, {0x00, 0xff}, 0, false},
{V_ASN1_BIT_STRING, {0xff, 0x00}, ASN1_STRING_FLAG_BITS_LEFT | 0, false},
{V_ASN1_OCTET_STRING, {0xff, 0x00}, 0, false},
{V_ASN1_UTF8STRING, {0xff, 0x00}, 0, false},
};
std::vector<bssl::UniquePtr<ASN1_STRING>> strs;
strs.reserve(OPENSSL_ARRAY_SIZE(kInputs));
for (const auto &input : kInputs) {
strs.emplace_back(ASN1_STRING_type_new(input.type));
ASSERT_TRUE(strs.back());
ASSERT_TRUE(ASN1_STRING_set(strs.back().get(), input.data.data(),
input.data.size()));
strs.back()->flags = input.flags;
}
for (size_t i = 0; i < strs.size(); i++) {
SCOPED_TRACE(i);
bool expect_equal = true;
for (size_t j = i; j < strs.size(); j++) {
SCOPED_TRACE(j);
if (j > i && !kInputs[j].equals_previous) {
expect_equal = false;
}
const int cmp_i_j = ASN1_STRING_cmp(strs[i].get(), strs[j].get());
const int cmp_j_i = ASN1_STRING_cmp(strs[j].get(), strs[i].get());
if (expect_equal) {
EXPECT_EQ(cmp_i_j, 0);
EXPECT_EQ(cmp_j_i, 0);
} else if (i < j) {
EXPECT_LT(cmp_i_j, 0);
EXPECT_GT(cmp_j_i, 0);
} else {
EXPECT_GT(cmp_i_j, 0);
EXPECT_LT(cmp_j_i, 0);
}
}
}
}
Fix error-handling for i2a_ASN1_OBJECT. Some BIO_write failures weren't handled. Otherwise would successfully write truncated results. The other i2a functions all report -1 on truncation, so match. While I'm here, write a test to make sure I didn't break this. Change-Id: If17d0209e75c15b3f37bceb1cdfb480fd2c62c4d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49931 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
3 years ago
TEST(ASN1Test, PrintASN1Object) {
const struct {
std::vector<uint8_t> in;
const char *expected;
} kDataTests[] = {
// Known OIDs print as the name.
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}, "rsaEncryption"},
// Unknown OIDs print in decimal.
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7, 0x09, 0x00},
"1.2.840.113554.4.1.72585.0"},
// Inputs which cannot be parsed as OIDs print as "<INVALID>".
{{0xff}, "<INVALID>"},
// The function has an internal 80-byte buffer. Test inputs at that
// boundary. First, 78 characters.
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
"1.2.840.113554.4.1.72585.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0."
"0.0.0.1"},
// 79 characters.
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a},
"1.2.840.113554.4.1.72585.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0."
"0.0.0.10"},
// 80 characters.
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64},
"1.2.840.113554.4.1.72585.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0."
"0.0.0.100"},
// 81 characters.
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x68},
"1.2.840.113554.4.1.72585.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0."
"0.0.0.1000"},
// 82 characters.
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7,
0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xce, 0x10},
"1.2.840.113554.4.1.72585.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0."
"0.0.0.10000"},
};
for (const auto &t : kDataTests) {
SCOPED_TRACE(Bytes(t.in));
bssl::UniquePtr<ASN1_OBJECT> obj(ASN1_OBJECT_create(
NID_undef, t.in.data(), t.in.size(), /*sn=*/nullptr, /*ln=*/nullptr));
ASSERT_TRUE(obj);
bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
ASSERT_TRUE(bio);
int len = i2a_ASN1_OBJECT(bio.get(), obj.get());
EXPECT_EQ(len, static_cast<int>(strlen(t.expected)));
const uint8_t *bio_data;
size_t bio_len;
BIO_mem_contents(bio.get(), &bio_data, &bio_len);
EXPECT_EQ(t.expected,
std::string(reinterpret_cast<const char *>(bio_data), bio_len));
}
// Test writing NULL.
bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
ASSERT_TRUE(bio);
int len = i2a_ASN1_OBJECT(bio.get(), nullptr);
EXPECT_EQ(len, 4);
const uint8_t *bio_data;
size_t bio_len;
BIO_mem_contents(bio.get(), &bio_data, &bio_len);
EXPECT_EQ("NULL",
std::string(reinterpret_cast<const char *>(bio_data), bio_len));
}
Rewrite ASN1_INTEGER tests. This extends the old ASN1_INTEGER_set tests to cover all integers. There are a whole bunch of ways to construct and convert ASN1_INTEGERs (DER, BIGNUM, uint64_t, long, etc.). Rather than maintain one set of test vectors for small numbers and another for BIGNUMs, this CL makes a single set of BIGNUM-based test vectors. Notably, this test now covers: - Serialization and deserialization - ASN1_INTEGER_get, not just ASN1_INTEGER_set - BIGNUM conversions - ASN1_INTEGER_cmp Later CLs will add to this or change code covered by it. Change-Id: I05bd6bc9e70c392927937c2f727cee25092802a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51629 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
TEST(ASN1Test, GetObject) {
Return 0x80 in all ASN1_get_object error paths. If the header is valid, but the body is truncated, ASN1_get_object intentionally preserves the indefinite-length and constructed output bits. This means callers who check for error with == 0x80 may read off the end of the buffer on accident. This is unlikely to break callers: 0x80 was already a possible error value, so callers already needed to handle it. The original function's aim in returning more information is unlikely to matter because callers cannot distinguish 0x80 (could not parse header) and 0x80 (header was valid, definite-length, and primitive, but length was too long). Update-Note: ASN1_get_object's calling convention is slightly simplified. Bug: 451 Change-Id: If2b45c47e6b8864aef9fd5e04f313219639991ed Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50005 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
// The header is valid, but there are not enough bytes for the length.
static const uint8_t kTruncated[] = {0x30, 0x01};
const uint8_t *ptr = kTruncated;
long length;
int tag;
int tag_class;
EXPECT_EQ(0x80, ASN1_get_object(&ptr, &length, &tag, &tag_class,
sizeof(kTruncated)));
Remove support for indefinite lengths in crypto/asn1. This simplifies the ASN1_get_object calling convention and removes another significant source of tasn_dec.c complexity. This change does not affect our PKCS#7 and PKCS#12 parsers. Update-Note: Invalid certificates (and the few external structures using asn1t.h) with BER indefinite lengths will now be rejected. Bug: 354 Change-Id: I723036798fc3254d0a289c77b105fcbdcda309b2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50287 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
static const uint8_t kIndefinite[] = {0x30, 0x80, 0x00, 0x00};
ptr = kIndefinite;
EXPECT_EQ(0x80, ASN1_get_object(&ptr, &length, &tag, &tag_class,
sizeof(kIndefinite)));
Return 0x80 in all ASN1_get_object error paths. If the header is valid, but the body is truncated, ASN1_get_object intentionally preserves the indefinite-length and constructed output bits. This means callers who check for error with == 0x80 may read off the end of the buffer on accident. This is unlikely to break callers: 0x80 was already a possible error value, so callers already needed to handle it. The original function's aim in returning more information is unlikely to matter because callers cannot distinguish 0x80 (could not parse header) and 0x80 (header was valid, definite-length, and primitive, but length was too long). Update-Note: ASN1_get_object's calling convention is slightly simplified. Bug: 451 Change-Id: If2b45c47e6b8864aef9fd5e04f313219639991ed Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50005 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
}
Reject [UNIVERSAL 0] in DER/BER element parsers. [UNIVERSAL 0] is reserved by X.680 for the encoding to use. BER uses this to encode indefinite-length EOCs, but it is possible to encode it in a definite-length element or in a non-EOC form (non-zero length, or constructed). Whether we accept such encodings is normally moot: parsers will reject the tag as unsuitable for the type. However, the ANY type matches all tags. Previously, we would allow this, but crypto/asn1 has some ad-hoc checks for unexpected EOCs, in some contexts, but not others. Generalize this check to simply rejecting [UNIVERSAL 0] in all forms. This avoids a weird hole in the abstraction where tags are sometimes representable in BER and sometimes not. It also means we'll preserve this check when migrating parsers from crypto/asn1. Update-Note: There are two kinds of impacts I might expect from this change. The first is BER parsers might be relying on the CBS DER/BER element parser to pick up EOCs, as our ber.c does. This should be caught by the most basic unit test and can be fixed by detecting EOCs externally. The second is code might be trying to parse "actual" elements with tag [UNIVERSAL 0]. No actual types use this tag, so any non-ANY field is already rejecting such inputs. However, it is possible some input has this tag in a field with type ANY. This CL will cause us to reject that input. Note, however, that crypto/asn1 already rejects unexpected EOCs inside sequences, so many cases were already rejected anyway. Such inputs are also invalid as the ANY should match some actual, unknown ASN.1 type, and that type cannot use the reserved tag. Fixed: 455 Change-Id: If42cacc01840439059baa0e67179d0f198234fc4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52245 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
3 years ago
template <typename T>
void ExpectNoParse(T *(*d2i)(T **, const uint8_t **, long),
const std::vector<uint8_t> &in) {
SCOPED_TRACE(Bytes(in));
const uint8_t *ptr = in.data();
bssl::UniquePtr<T> obj(d2i(nullptr, &ptr, in.size()));
EXPECT_FALSE(obj);
}
// The zero tag, constructed or primitive, is reserved and should rejected by
// the parser.
TEST(ASN1Test, ZeroTag) {
ExpectNoParse(d2i_ASN1_TYPE, {0x00, 0x00});
ExpectNoParse(d2i_ASN1_TYPE, {0x00, 0x10, 0x00});
ExpectNoParse(d2i_ASN1_TYPE, {0x20, 0x00});
ExpectNoParse(d2i_ASN1_TYPE, {0x20, 0x00});
ExpectNoParse(d2i_ASN1_SEQUENCE_ANY, {0x30, 0x02, 0x00, 0x00});
ExpectNoParse(d2i_ASN1_SET_ANY, {0x31, 0x02, 0x00, 0x00});
// SEQUENCE {
// OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.1 }
// [UNIVERSAL 0 PRIMITIVE] {}
// }
ExpectNoParse(d2i_X509_ALGOR,
{0x30, 0x10, 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
0x04, 0x01, 0x84, 0xb7, 0x09, 0x01, 0x00, 0x00});
// SEQUENCE {
// OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.1 }
// [UNIVERSAL 0 CONSTRUCTED] {}
// }
ExpectNoParse(d2i_X509_ALGOR,
{0x30, 0x10, 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
0x04, 0x01, 0x84, 0xb7, 0x09, 0x01, 0x20, 0x00});
// SEQUENCE {
// OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.1 }
// [UNIVERSAL 0 PRIMITIVE] { "a" }
// }
ExpectNoParse(d2i_X509_ALGOR,
{0x30, 0x11, 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12,
0x04, 0x01, 0x84, 0xb7, 0x09, 0x01, 0x00, 0x01, 0x61});
}
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
// The ASN.1 macros do not work on Windows shared library builds, where usage of
// |OPENSSL_EXPORT| is a bit stricter.
#if !defined(OPENSSL_WINDOWS) || !defined(BORINGSSL_SHARED_LIBRARY)
acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
5 years ago
typedef struct asn1_linked_list_st {
struct asn1_linked_list_st *next;
} ASN1_LINKED_LIST;
DECLARE_ASN1_ITEM(ASN1_LINKED_LIST)
DECLARE_ASN1_FUNCTIONS(ASN1_LINKED_LIST)
ASN1_SEQUENCE(ASN1_LINKED_LIST) = {
Reject missing required fields in i2d functions. See also 006906cddda37e24a66443199444ef4476697477 from OpenSSL, though this CL uses a different strategy from upstream. Upstream makes ASN1_item_ex_i2d continue to allow optionals and checks afterwards at every non-optional call site. This CL pushes down an optional parameter and says functions cannot omit items unless explicitly allowed. I think this is a better default, though it is a larger change. Fields are only optional when they come from an ASN1_TEMPLATE with the OPTIONAL flag. Upstream's strategy misses top-level calls. This CL additionally adds checks for optional ASN1_TEMPLATEs in contexts where it doesn't make sense. Only fields of SEQUENCEs and SETs may be OPTIONAL, but the ASN1_ITEM/ASN1_TEMPLATE split doesn't quite match ASN.1 itself. ASN1_TEMPLATE is additionally responsible for explicit/implicit tagging, and SEQUENCE/SET OF. That means CHOICE arms and the occasional top-level type (ASN1_ITEM_TEMPLATE) use ASN1_TEMPLATE but will get confused if marked optional. As part of this, i2d_FOO(NULL) now returns -1 rather than "successfully" writing 0 bytes. If we want to allow NULL at the top-level, that's not too hard to arrange, but our CBB-based i2d functions do not. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does: GENERAL_NAME *name = GENERAL_NAME_new(); name->type = GEN_DNS; name->d.dNSName = DoSomethingComplicated(...); Suppose DoSomethingComplicated() was actually fallible and returned NULL, but the caller forgot to check. They'd now construct a GENERAL_NAME with a missing field. Previously, this would silently serialize some garbage (omitted field) or empty string. Now we fail to encode, but the true error was the uncaught DoSomethingComplicated() failure. (Which likely was itself a bug.) Bug: 429 Change-Id: I37fe618761be64a619be9fdc8d416f24ecbb8c46 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49350 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
ASN1_OPT(ASN1_LINKED_LIST, next, ASN1_LINKED_LIST),
acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
5 years ago
} ASN1_SEQUENCE_END(ASN1_LINKED_LIST)
IMPLEMENT_ASN1_FUNCTIONS(ASN1_LINKED_LIST)
static bool MakeLinkedList(bssl::UniquePtr<uint8_t> *out, size_t *out_len,
size_t count) {
bssl::ScopedCBB cbb;
std::vector<CBB> cbbs(count);
if (!CBB_init(cbb.get(), 2 * count) ||
!CBB_add_asn1(cbb.get(), &cbbs[0], CBS_ASN1_SEQUENCE)) {
return false;
}
for (size_t i = 1; i < count; i++) {
if (!CBB_add_asn1(&cbbs[i - 1], &cbbs[i], CBS_ASN1_SEQUENCE)) {
return false;
}
}
uint8_t *ptr;
if (!CBB_finish(cbb.get(), &ptr, out_len)) {
return false;
}
out->reset(ptr);
return true;
}
TEST(ASN1Test, Recursive) {
bssl::UniquePtr<uint8_t> data;
size_t len;
// Sanity-check that MakeLinkedList can be parsed.
ASSERT_TRUE(MakeLinkedList(&data, &len, 5));
const uint8_t *ptr = data.get();
ASN1_LINKED_LIST *list = d2i_ASN1_LINKED_LIST(nullptr, &ptr, len);
EXPECT_TRUE(list);
ASN1_LINKED_LIST_free(list);
// Excessively deep structures are rejected.
ASSERT_TRUE(MakeLinkedList(&data, &len, 100));
ptr = data.get();
list = d2i_ASN1_LINKED_LIST(nullptr, &ptr, len);
EXPECT_FALSE(list);
// Note checking the error queue here does not work. The error "stack trace"
// is too deep, so the |ASN1_R_NESTED_TOO_DEEP| entry drops off the queue.
ASN1_LINKED_LIST_free(list);
}
Reject bad ASN.1 templates with implicitly-tagged CHOICEs. This imports 1ecc76f6746cefd502c7e9000bdfa4e5d7911386 and 41d62636fd996c031c0c7cef746476278583dc9e from upstream. These would have rejected the mistake in OpenSSL's EDIPartyName sturcture. Change-Id: I4eb218f9372bea0f7ff302321b9dc1992ef0c13a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44424 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
struct IMPLICIT_CHOICE {
ASN1_STRING *string;
};
DECLARE_ASN1_FUNCTIONS(IMPLICIT_CHOICE)
ASN1_SEQUENCE(IMPLICIT_CHOICE) = {
Reject missing required fields in i2d functions. See also 006906cddda37e24a66443199444ef4476697477 from OpenSSL, though this CL uses a different strategy from upstream. Upstream makes ASN1_item_ex_i2d continue to allow optionals and checks afterwards at every non-optional call site. This CL pushes down an optional parameter and says functions cannot omit items unless explicitly allowed. I think this is a better default, though it is a larger change. Fields are only optional when they come from an ASN1_TEMPLATE with the OPTIONAL flag. Upstream's strategy misses top-level calls. This CL additionally adds checks for optional ASN1_TEMPLATEs in contexts where it doesn't make sense. Only fields of SEQUENCEs and SETs may be OPTIONAL, but the ASN1_ITEM/ASN1_TEMPLATE split doesn't quite match ASN.1 itself. ASN1_TEMPLATE is additionally responsible for explicit/implicit tagging, and SEQUENCE/SET OF. That means CHOICE arms and the occasional top-level type (ASN1_ITEM_TEMPLATE) use ASN1_TEMPLATE but will get confused if marked optional. As part of this, i2d_FOO(NULL) now returns -1 rather than "successfully" writing 0 bytes. If we want to allow NULL at the top-level, that's not too hard to arrange, but our CBB-based i2d functions do not. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does: GENERAL_NAME *name = GENERAL_NAME_new(); name->type = GEN_DNS; name->d.dNSName = DoSomethingComplicated(...); Suppose DoSomethingComplicated() was actually fallible and returned NULL, but the caller forgot to check. They'd now construct a GENERAL_NAME with a missing field. Previously, this would silently serialize some garbage (omitted field) or empty string. Now we fail to encode, but the true error was the uncaught DoSomethingComplicated() failure. (Which likely was itself a bug.) Bug: 429 Change-Id: I37fe618761be64a619be9fdc8d416f24ecbb8c46 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49350 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
ASN1_IMP(IMPLICIT_CHOICE, string, DIRECTORYSTRING, 0),
Reject bad ASN.1 templates with implicitly-tagged CHOICEs. This imports 1ecc76f6746cefd502c7e9000bdfa4e5d7911386 and 41d62636fd996c031c0c7cef746476278583dc9e from upstream. These would have rejected the mistake in OpenSSL's EDIPartyName sturcture. Change-Id: I4eb218f9372bea0f7ff302321b9dc1992ef0c13a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44424 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
} ASN1_SEQUENCE_END(IMPLICIT_CHOICE)
IMPLEMENT_ASN1_FUNCTIONS(IMPLICIT_CHOICE)
// Test that the ASN.1 templates reject types with implicitly-tagged CHOICE
// types.
TEST(ASN1Test, ImplicitChoice) {
// Serializing a type with an implicitly tagged CHOICE should fail.
std::unique_ptr<IMPLICIT_CHOICE, decltype(&IMPLICIT_CHOICE_free)> obj(
IMPLICIT_CHOICE_new(), IMPLICIT_CHOICE_free);
EXPECT_EQ(-1, i2d_IMPLICIT_CHOICE(obj.get(), nullptr));
// An implicitly-tagged CHOICE is an error. Depending on the implementation,
// it may be misinterpreted as without the tag, or as clobbering the CHOICE
// tag. Test both inputs and ensure they fail.
// SEQUENCE { UTF8String {} }
static const uint8_t kInput1[] = {0x30, 0x02, 0x0c, 0x00};
const uint8_t *ptr = kInput1;
EXPECT_EQ(nullptr, d2i_IMPLICIT_CHOICE(nullptr, &ptr, sizeof(kInput1)));
// SEQUENCE { [0 PRIMITIVE] {} }
static const uint8_t kInput2[] = {0x30, 0x02, 0x80, 0x00};
ptr = kInput2;
EXPECT_EQ(nullptr, d2i_IMPLICIT_CHOICE(nullptr, &ptr, sizeof(kInput2)));
}
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
Reject missing required fields in i2d functions. See also 006906cddda37e24a66443199444ef4476697477 from OpenSSL, though this CL uses a different strategy from upstream. Upstream makes ASN1_item_ex_i2d continue to allow optionals and checks afterwards at every non-optional call site. This CL pushes down an optional parameter and says functions cannot omit items unless explicitly allowed. I think this is a better default, though it is a larger change. Fields are only optional when they come from an ASN1_TEMPLATE with the OPTIONAL flag. Upstream's strategy misses top-level calls. This CL additionally adds checks for optional ASN1_TEMPLATEs in contexts where it doesn't make sense. Only fields of SEQUENCEs and SETs may be OPTIONAL, but the ASN1_ITEM/ASN1_TEMPLATE split doesn't quite match ASN.1 itself. ASN1_TEMPLATE is additionally responsible for explicit/implicit tagging, and SEQUENCE/SET OF. That means CHOICE arms and the occasional top-level type (ASN1_ITEM_TEMPLATE) use ASN1_TEMPLATE but will get confused if marked optional. As part of this, i2d_FOO(NULL) now returns -1 rather than "successfully" writing 0 bytes. If we want to allow NULL at the top-level, that's not too hard to arrange, but our CBB-based i2d functions do not. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does: GENERAL_NAME *name = GENERAL_NAME_new(); name->type = GEN_DNS; name->d.dNSName = DoSomethingComplicated(...); Suppose DoSomethingComplicated() was actually fallible and returned NULL, but the caller forgot to check. They'd now construct a GENERAL_NAME with a missing field. Previously, this would silently serialize some garbage (omitted field) or empty string. Now we fail to encode, but the true error was the uncaught DoSomethingComplicated() failure. (Which likely was itself a bug.) Bug: 429 Change-Id: I37fe618761be64a619be9fdc8d416f24ecbb8c46 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49350 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
struct REQUIRED_FIELD {
ASN1_INTEGER *value;
ASN1_INTEGER *value_imp;
ASN1_INTEGER *value_exp;
STACK_OF(ASN1_INTEGER) *seq;
STACK_OF(ASN1_INTEGER) *seq_imp;
STACK_OF(ASN1_INTEGER) *seq_exp;
Make ASN1_NULL an opaque pointer. crypto/asn1 represents an ASN.1 NULL value as a non-null ASN1_NULL* pointer, (ASN1_NULL*)1. It is a non-null pointer because a null pointer represents an omitted OPTIONAL NULL. It is an opaque pointer because there is no sense in allocating anything. This pointer cannot be dereferenced, yet ASN1_NULL is a typedef for int. This is confusing and probably undefined behavior. (N1548, 6.3.2.3, clause 7 requires pointer conversions between two pointer types be correctly aligned, even if the pointer is never dereferenced. Strangely, clause 5 above does not impose the same requirement when converting from integer to pointer, though it mostly punts to the implementation definition.) Of course, all of tasn_*.c is a giant strict aliasing violation anyway, but an opaque struct pointer is a slightly better choice here. (Note that, although ASN1_BOOLEAN is also a typedef for int, that situation is different: the ASN1_BOOLEAN representation is a plain ASN1_BOOLEAN, not ASN1_BOOLEAN*, while the ASN1_NULL representation is a pointer. ASN1_NULL could have had the same treatment and even used a little less memory, but changing that would break the API.) Update-Note: Code that was assuming ASN1_NULL was an int typedef will fail to compile. Given this was never dereferencable, it is hard to imagine anything relying on this. Bug: 438 Change-Id: Ia0c652eed66e76f82a3843af1fc877f06c8d5e8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49805 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
ASN1_NULL *null;
ASN1_NULL *null_imp;
ASN1_NULL *null_exp;
Reject missing required fields in i2d functions. See also 006906cddda37e24a66443199444ef4476697477 from OpenSSL, though this CL uses a different strategy from upstream. Upstream makes ASN1_item_ex_i2d continue to allow optionals and checks afterwards at every non-optional call site. This CL pushes down an optional parameter and says functions cannot omit items unless explicitly allowed. I think this is a better default, though it is a larger change. Fields are only optional when they come from an ASN1_TEMPLATE with the OPTIONAL flag. Upstream's strategy misses top-level calls. This CL additionally adds checks for optional ASN1_TEMPLATEs in contexts where it doesn't make sense. Only fields of SEQUENCEs and SETs may be OPTIONAL, but the ASN1_ITEM/ASN1_TEMPLATE split doesn't quite match ASN.1 itself. ASN1_TEMPLATE is additionally responsible for explicit/implicit tagging, and SEQUENCE/SET OF. That means CHOICE arms and the occasional top-level type (ASN1_ITEM_TEMPLATE) use ASN1_TEMPLATE but will get confused if marked optional. As part of this, i2d_FOO(NULL) now returns -1 rather than "successfully" writing 0 bytes. If we want to allow NULL at the top-level, that's not too hard to arrange, but our CBB-based i2d functions do not. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does: GENERAL_NAME *name = GENERAL_NAME_new(); name->type = GEN_DNS; name->d.dNSName = DoSomethingComplicated(...); Suppose DoSomethingComplicated() was actually fallible and returned NULL, but the caller forgot to check. They'd now construct a GENERAL_NAME with a missing field. Previously, this would silently serialize some garbage (omitted field) or empty string. Now we fail to encode, but the true error was the uncaught DoSomethingComplicated() failure. (Which likely was itself a bug.) Bug: 429 Change-Id: I37fe618761be64a619be9fdc8d416f24ecbb8c46 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49350 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
};
DECLARE_ASN1_FUNCTIONS(REQUIRED_FIELD)
ASN1_SEQUENCE(REQUIRED_FIELD) = {
ASN1_SIMPLE(REQUIRED_FIELD, value, ASN1_INTEGER),
ASN1_IMP(REQUIRED_FIELD, value_imp, ASN1_INTEGER, 0),
ASN1_EXP(REQUIRED_FIELD, value_exp, ASN1_INTEGER, 1),
ASN1_SEQUENCE_OF(REQUIRED_FIELD, seq, ASN1_INTEGER),
ASN1_IMP_SEQUENCE_OF(REQUIRED_FIELD, seq_imp, ASN1_INTEGER, 2),
ASN1_EXP_SEQUENCE_OF(REQUIRED_FIELD, seq_exp, ASN1_INTEGER, 3),
Make ASN1_NULL an opaque pointer. crypto/asn1 represents an ASN.1 NULL value as a non-null ASN1_NULL* pointer, (ASN1_NULL*)1. It is a non-null pointer because a null pointer represents an omitted OPTIONAL NULL. It is an opaque pointer because there is no sense in allocating anything. This pointer cannot be dereferenced, yet ASN1_NULL is a typedef for int. This is confusing and probably undefined behavior. (N1548, 6.3.2.3, clause 7 requires pointer conversions between two pointer types be correctly aligned, even if the pointer is never dereferenced. Strangely, clause 5 above does not impose the same requirement when converting from integer to pointer, though it mostly punts to the implementation definition.) Of course, all of tasn_*.c is a giant strict aliasing violation anyway, but an opaque struct pointer is a slightly better choice here. (Note that, although ASN1_BOOLEAN is also a typedef for int, that situation is different: the ASN1_BOOLEAN representation is a plain ASN1_BOOLEAN, not ASN1_BOOLEAN*, while the ASN1_NULL representation is a pointer. ASN1_NULL could have had the same treatment and even used a little less memory, but changing that would break the API.) Update-Note: Code that was assuming ASN1_NULL was an int typedef will fail to compile. Given this was never dereferencable, it is hard to imagine anything relying on this. Bug: 438 Change-Id: Ia0c652eed66e76f82a3843af1fc877f06c8d5e8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49805 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
ASN1_SIMPLE(REQUIRED_FIELD, null, ASN1_NULL),
ASN1_IMP(REQUIRED_FIELD, null_imp, ASN1_NULL, 4),
ASN1_EXP(REQUIRED_FIELD, null_exp, ASN1_NULL, 5),
Reject missing required fields in i2d functions. See also 006906cddda37e24a66443199444ef4476697477 from OpenSSL, though this CL uses a different strategy from upstream. Upstream makes ASN1_item_ex_i2d continue to allow optionals and checks afterwards at every non-optional call site. This CL pushes down an optional parameter and says functions cannot omit items unless explicitly allowed. I think this is a better default, though it is a larger change. Fields are only optional when they come from an ASN1_TEMPLATE with the OPTIONAL flag. Upstream's strategy misses top-level calls. This CL additionally adds checks for optional ASN1_TEMPLATEs in contexts where it doesn't make sense. Only fields of SEQUENCEs and SETs may be OPTIONAL, but the ASN1_ITEM/ASN1_TEMPLATE split doesn't quite match ASN.1 itself. ASN1_TEMPLATE is additionally responsible for explicit/implicit tagging, and SEQUENCE/SET OF. That means CHOICE arms and the occasional top-level type (ASN1_ITEM_TEMPLATE) use ASN1_TEMPLATE but will get confused if marked optional. As part of this, i2d_FOO(NULL) now returns -1 rather than "successfully" writing 0 bytes. If we want to allow NULL at the top-level, that's not too hard to arrange, but our CBB-based i2d functions do not. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does: GENERAL_NAME *name = GENERAL_NAME_new(); name->type = GEN_DNS; name->d.dNSName = DoSomethingComplicated(...); Suppose DoSomethingComplicated() was actually fallible and returned NULL, but the caller forgot to check. They'd now construct a GENERAL_NAME with a missing field. Previously, this would silently serialize some garbage (omitted field) or empty string. Now we fail to encode, but the true error was the uncaught DoSomethingComplicated() failure. (Which likely was itself a bug.) Bug: 429 Change-Id: I37fe618761be64a619be9fdc8d416f24ecbb8c46 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49350 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
} ASN1_SEQUENCE_END(REQUIRED_FIELD)
IMPLEMENT_ASN1_FUNCTIONS(REQUIRED_FIELD)
// Test that structures with missing required fields cannot be serialized. Test
// the full combination of tagging and SEQUENCE OF.
TEST(ASN1Test, MissingRequiredField) {
EXPECT_EQ(-1, i2d_REQUIRED_FIELD(nullptr, nullptr));
std::unique_ptr<REQUIRED_FIELD, decltype(&REQUIRED_FIELD_free)> obj(
nullptr, REQUIRED_FIELD_free);
for (auto field : {&REQUIRED_FIELD::value, &REQUIRED_FIELD::value_imp,
&REQUIRED_FIELD::value_exp}) {
obj.reset(REQUIRED_FIELD_new());
ASSERT_TRUE(obj);
ASN1_INTEGER_free((*obj).*field);
(*obj).*field = nullptr;
EXPECT_EQ(-1, i2d_REQUIRED_FIELD(obj.get(), nullptr));
}
for (auto field : {&REQUIRED_FIELD::seq, &REQUIRED_FIELD::seq_imp,
&REQUIRED_FIELD::seq_exp}) {
obj.reset(REQUIRED_FIELD_new());
ASSERT_TRUE(obj);
sk_ASN1_INTEGER_pop_free((*obj).*field, ASN1_INTEGER_free);
(*obj).*field = nullptr;
EXPECT_EQ(-1, i2d_REQUIRED_FIELD(obj.get(), nullptr));
}
Make ASN1_NULL an opaque pointer. crypto/asn1 represents an ASN.1 NULL value as a non-null ASN1_NULL* pointer, (ASN1_NULL*)1. It is a non-null pointer because a null pointer represents an omitted OPTIONAL NULL. It is an opaque pointer because there is no sense in allocating anything. This pointer cannot be dereferenced, yet ASN1_NULL is a typedef for int. This is confusing and probably undefined behavior. (N1548, 6.3.2.3, clause 7 requires pointer conversions between two pointer types be correctly aligned, even if the pointer is never dereferenced. Strangely, clause 5 above does not impose the same requirement when converting from integer to pointer, though it mostly punts to the implementation definition.) Of course, all of tasn_*.c is a giant strict aliasing violation anyway, but an opaque struct pointer is a slightly better choice here. (Note that, although ASN1_BOOLEAN is also a typedef for int, that situation is different: the ASN1_BOOLEAN representation is a plain ASN1_BOOLEAN, not ASN1_BOOLEAN*, while the ASN1_NULL representation is a pointer. ASN1_NULL could have had the same treatment and even used a little less memory, but changing that would break the API.) Update-Note: Code that was assuming ASN1_NULL was an int typedef will fail to compile. Given this was never dereferencable, it is hard to imagine anything relying on this. Bug: 438 Change-Id: Ia0c652eed66e76f82a3843af1fc877f06c8d5e8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49805 Reviewed-by: Adam Langley <agl@google.com>
3 years ago
for (auto field : {&REQUIRED_FIELD::null, &REQUIRED_FIELD::null_imp,
&REQUIRED_FIELD::null_exp}) {
obj.reset(REQUIRED_FIELD_new());
ASSERT_TRUE(obj);
(*obj).*field = nullptr;
EXPECT_EQ(-1, i2d_REQUIRED_FIELD(obj.get(), nullptr));
}
Reject missing required fields in i2d functions. See also 006906cddda37e24a66443199444ef4476697477 from OpenSSL, though this CL uses a different strategy from upstream. Upstream makes ASN1_item_ex_i2d continue to allow optionals and checks afterwards at every non-optional call site. This CL pushes down an optional parameter and says functions cannot omit items unless explicitly allowed. I think this is a better default, though it is a larger change. Fields are only optional when they come from an ASN1_TEMPLATE with the OPTIONAL flag. Upstream's strategy misses top-level calls. This CL additionally adds checks for optional ASN1_TEMPLATEs in contexts where it doesn't make sense. Only fields of SEQUENCEs and SETs may be OPTIONAL, but the ASN1_ITEM/ASN1_TEMPLATE split doesn't quite match ASN.1 itself. ASN1_TEMPLATE is additionally responsible for explicit/implicit tagging, and SEQUENCE/SET OF. That means CHOICE arms and the occasional top-level type (ASN1_ITEM_TEMPLATE) use ASN1_TEMPLATE but will get confused if marked optional. As part of this, i2d_FOO(NULL) now returns -1 rather than "successfully" writing 0 bytes. If we want to allow NULL at the top-level, that's not too hard to arrange, but our CBB-based i2d functions do not. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does: GENERAL_NAME *name = GENERAL_NAME_new(); name->type = GEN_DNS; name->d.dNSName = DoSomethingComplicated(...); Suppose DoSomethingComplicated() was actually fallible and returned NULL, but the caller forgot to check. They'd now construct a GENERAL_NAME with a missing field. Previously, this would silently serialize some garbage (omitted field) or empty string. Now we fail to encode, but the true error was the uncaught DoSomethingComplicated() failure. (Which likely was itself a bug.) Bug: 429 Change-Id: I37fe618761be64a619be9fdc8d416f24ecbb8c46 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49350 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
}
Skip ASN.1 template tests in Windows shared library builds. This should fix the Chromium roll. Windows shared library builds are fussy about dllexport vs. dllimport in a way that's incompatible with external uses of the asn1t.h macros. The issue is the DECLARE_* macros will add dllexport vs. dllimport on the assumption the symbols are defined in libcrypto, but external definitions need a different selector. Rather than add more complex macros for this, just exclude those tests. Ideally we wouldn't supoport asn1t.h outside the library at all, if we can manage it, so no sense in trying to make it work. This excludes both the new and the old tests. Although this has been working thus far, it only works because we've been setting the BORINGSSL_IMPLEMENTATION symbol for test targets wrong in Chromium. I'm confused how that's been working at all (maybe dllexport vs. dllimport is more lax when it comes to functions rather than variables?), but when I do it correctly, the ASN1_LINKED_LIST template breaks too. Change-Id: I391edba1748f66c383ed55a9d23053674bbb876e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44484 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
4 years ago
#endif // !WINDOWS || !SHARED_LIBRARY