1/* $OpenBSD: bytestring.h,v 1.24 2022/11/09 23:14:51 jsing Exp $ */ 2/* 3 * Copyright (c) 2014, Google Inc. 4 * 5 * Permission to use, copy, modify, and/or distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 12 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 14 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 15 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#ifndef OPENSSL_HEADER_BYTESTRING_H 19#define OPENSSL_HEADER_BYTESTRING_H 20 21#include <sys/types.h> 22#include <stdint.h> 23 24__BEGIN_HIDDEN_DECLS 25 26/* 27 * Bytestrings are used for parsing and building TLS and ASN.1 messages. 28 * 29 * A "CBS" (CRYPTO ByteString) represents a string of bytes in memory and 30 * provides utility functions for safely parsing length-prefixed structures 31 * like TLS and ASN.1 from it. 32 * 33 * A "CBB" (CRYPTO ByteBuilder) is a memory buffer that grows as needed and 34 * provides utility functions for building length-prefixed messages. 35 */ 36 37/* CRYPTO ByteString */ 38typedef struct cbs_st { 39 const uint8_t *data; 40 size_t initial_len; 41 size_t len; 42} CBS; 43 44/* 45 * CBS_init sets |cbs| to point to |data|. It does not take ownership of 46 * |data|. 47 */ 48void CBS_init(CBS *cbs, const uint8_t *data, size_t len); 49 50/* 51 * CBS_skip advances |cbs| by |len| bytes. It returns one on success and zero 52 * otherwise. 53 */ 54int CBS_skip(CBS *cbs, size_t len); 55 56/* 57 * CBS_data returns a pointer to the contents of |cbs|. 58 */ 59const uint8_t *CBS_data(const CBS *cbs); 60 61/* 62 * CBS_len returns the number of bytes remaining in |cbs|. 63 */ 64size_t CBS_len(const CBS *cbs); 65 66/* 67 * CBS_offset returns the current offset into the original data of |cbs|. 68 */ 69size_t CBS_offset(const CBS *cbs); 70 71/* 72 * CBS_stow copies the current contents of |cbs| into |*out_ptr| and 73 * |*out_len|. If |*out_ptr| is not NULL, the contents are freed with 74 * free. It returns one on success and zero on allocation failure. On 75 * success, |*out_ptr| should be freed with free. If |cbs| is empty, 76 * |*out_ptr| will be NULL. 77 */ 78int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len); 79 80/* 81 * CBS_strdup copies the current contents of |cbs| into |*out_ptr| as a 82 * NUL-terminated C string. If |*out_ptr| is not NULL, the contents are freed 83 * with free. It returns one on success and zero on failure. On success, 84 * |*out_ptr| should be freed with free. If |cbs| contains NUL bytes, 85 * CBS_strdup will fail. 86 */ 87int CBS_strdup(const CBS *cbs, char **out_ptr); 88 89/* 90 * CBS_write_bytes writes all of the remaining data from |cbs| into |dst| 91 * if it is at most |dst_len| bytes. If |copied| is not NULL, it will be set 92 * to the amount copied. It returns one on success and zero otherwise. 93 */ 94int CBS_write_bytes(const CBS *cbs, uint8_t *dst, size_t dst_len, 95 size_t *copied); 96 97/* 98 * CBS_contains_zero_byte returns one if the current contents of |cbs| contains 99 * a NUL byte and zero otherwise. 100 */ 101int CBS_contains_zero_byte(const CBS *cbs); 102 103/* 104 * CBS_mem_equal compares the current contents of |cbs| with the |len| bytes 105 * starting at |data|. If they're equal, it returns one, otherwise zero. If the 106 * lengths match, it uses a constant-time comparison. 107 */ 108int CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len); 109 110/* 111 * CBS_get_u8 sets |*out| to the next uint8_t from |cbs| and advances |cbs|. It 112 * returns one on success and zero on error. 113 */ 114int CBS_get_u8(CBS *cbs, uint8_t *out); 115 116/* 117 * CBS_get_u16 sets |*out| to the next, big-endian uint16_t from |cbs| and 118 * advances |cbs|. It returns one on success and zero on error. 119 */ 120int CBS_get_u16(CBS *cbs, uint16_t *out); 121 122/* 123 * CBS_get_u24 sets |*out| to the next, big-endian 24-bit value from |cbs| and 124 * advances |cbs|. It returns one on success and zero on error. 125 */ 126int CBS_get_u24(CBS *cbs, uint32_t *out); 127 128/* 129 * CBS_get_u32 sets |*out| to the next, big-endian uint32_t value from |cbs| 130 * and advances |cbs|. It returns one on success and zero on error. 131 */ 132int CBS_get_u32(CBS *cbs, uint32_t *out); 133 134/* 135 * CBS_get_u64 sets |*out| to the next, big-endian uint64_t value from |cbs| 136 * and advances |cbs|. It returns one on success and zero on error. 137 */ 138int CBS_get_u64(CBS *cbs, uint64_t *out); 139 140/* 141 * CBS_get_last_u8 sets |*out| to the last uint8_t from |cbs| and shortens 142 * |cbs|. It returns one on success and zero on error. 143 */ 144int CBS_get_last_u8(CBS *cbs, uint8_t *out); 145 146/* 147 * CBS_get_bytes sets |*out| to the next |len| bytes from |cbs| and advances 148 * |cbs|. It returns one on success and zero on error. 149 */ 150int CBS_get_bytes(CBS *cbs, CBS *out, size_t len); 151 152/* 153 * CBS_get_u8_length_prefixed sets |*out| to the contents of an 8-bit, 154 * length-prefixed value from |cbs| and advances |cbs| over it. It returns one 155 * on success and zero on error. 156 */ 157int CBS_get_u8_length_prefixed(CBS *cbs, CBS *out); 158 159/* 160 * CBS_get_u16_length_prefixed sets |*out| to the contents of a 16-bit, 161 * big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It 162 * returns one on success and zero on error. 163 */ 164int CBS_get_u16_length_prefixed(CBS *cbs, CBS *out); 165 166/* 167 * CBS_get_u24_length_prefixed sets |*out| to the contents of a 24-bit, 168 * big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It 169 * returns one on success and zero on error. 170 */ 171int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out); 172 173/* 174 * CBS_peek_u8 sets |*out| to the next uint8_t from |cbs|, but does not advance 175 * |cbs|. It returns one on success and zero on error. 176 */ 177int CBS_peek_u8(CBS *cbs, uint8_t *out); 178 179/* 180 * CBS_peek_u16 sets |*out| to the next, big-endian uint16_t from |cbs|, but 181 * does not advance |cbs|. It returns one on success and zero on error. 182 */ 183int CBS_peek_u16(CBS *cbs, uint16_t *out); 184 185/* 186 * CBS_peek_u24 sets |*out| to the next, big-endian 24-bit value from |cbs|, but 187 * does not advance |cbs|. It returns one on success and zero on error. 188 */ 189int CBS_peek_u24(CBS *cbs, uint32_t *out); 190 191/* 192 * CBS_peek_u32 sets |*out| to the next, big-endian uint32_t value from |cbs|, 193 * but does not advance |cbs|. It returns one on success and zero on error. 194 */ 195int CBS_peek_u32(CBS *cbs, uint32_t *out); 196 197/* 198 * CBS_peek_last_u8 sets |*out| to the last uint8_t from |cbs|, but does not 199 * shorten |cbs|. It returns one on success and zero on error. 200 */ 201int CBS_peek_last_u8(CBS *cbs, uint8_t *out); 202 203 204/* Parsing ASN.1 */ 205 206/* 207 * While an identifier can be multiple octets, this library only handles the 208 * single octet variety currently. This limits support up to tag number 30 209 * since tag number 31 is a reserved value to indicate multiple octets. 210 */ 211 212/* Bits 8 and 7: class tag type: See X.690 section 8.1.2.2. */ 213#define CBS_ASN1_UNIVERSAL 0x00 214#define CBS_ASN1_APPLICATION 0x40 215#define CBS_ASN1_CONTEXT_SPECIFIC 0x80 216#define CBS_ASN1_PRIVATE 0xc0 217 218/* Bit 6: Primitive or constructed: See X.690 section 8.1.2.3. */ 219#define CBS_ASN1_PRIMITIVE 0x00 220#define CBS_ASN1_CONSTRUCTED 0x20 221 222/* 223 * Bits 5 to 1 are the tag number. See X.680 section 8.6 for tag numbers of 224 * the universal class. 225 */ 226 227/* 228 * Common universal identifier octets. 229 * See X.690 section 8.1 and X.680 section 8.6 for universal tag numbers. 230 * 231 * Note: These definitions are the cause of some of the strange behavior in 232 * CBS's bs_ber.c. 233 * 234 * In BER, it is the sender's option to use primitive or constructed for 235 * bitstring (X.690 section 8.6.1) and octetstring (X.690 section 8.7.1). 236 * 237 * In DER, bitstring and octetstring are required to be primitive 238 * (X.690 section 10.2). 239 */ 240#define CBS_ASN1_BOOLEAN (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x1) 241#define CBS_ASN1_INTEGER (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x2) 242#define CBS_ASN1_BITSTRING (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x3) 243#define CBS_ASN1_OCTETSTRING (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x4) 244#define CBS_ASN1_OBJECT (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0x6) 245#define CBS_ASN1_ENUMERATED (CBS_ASN1_UNIVERSAL | CBS_ASN1_PRIMITIVE | 0xa) 246#define CBS_ASN1_SEQUENCE (CBS_ASN1_UNIVERSAL | CBS_ASN1_CONSTRUCTED | 0x10) 247#define CBS_ASN1_SET (CBS_ASN1_UNIVERSAL | CBS_ASN1_CONSTRUCTED | 0x11) 248 249/* 250 * CBS_get_asn1 sets |*out| to the contents of DER-encoded, ASN.1 element (not 251 * including tag and length bytes) and advances |cbs| over it. The ASN.1 252 * element must match |tag_value|. It returns one on success and zero 253 * on error. 254 * 255 * Tag numbers greater than 30 are not supported (i.e. short form only). 256 */ 257int CBS_get_asn1(CBS *cbs, CBS *out, unsigned int tag_value); 258 259/* 260 * CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the 261 * ASN.1 header bytes too. 262 */ 263int CBS_get_asn1_element(CBS *cbs, CBS *out, unsigned int tag_value); 264 265/* 266 * CBS_peek_asn1_tag looks ahead at the next ASN.1 tag and returns one 267 * if the next ASN.1 element on |cbs| would have tag |tag_value|. If 268 * |cbs| is empty or the tag does not match, it returns zero. Note: if 269 * it returns one, CBS_get_asn1 may still fail if the rest of the 270 * element is malformed. 271 */ 272int CBS_peek_asn1_tag(const CBS *cbs, unsigned int tag_value); 273 274/* 275 * CBS_get_any_asn1_element sets |*out| to contain the next ASN.1 element from 276 * |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to 277 * the tag number and |*out_header_len| to the length of the ASN.1 header. 278 * Each of |out|, |out_tag|, and |out_header_len| may be NULL to ignore 279 * the value. 280 * 281 * Tag numbers greater than 30 are not supported (i.e. short form only). 282 */ 283int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned int *out_tag, 284 size_t *out_header_len); 285 286/* 287 * CBS_get_asn1_uint64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1| 288 * and sets |*out| to its value. It returns one on success and zero on error, 289 * where error includes the integer being negative, or too large to represent 290 * in 64 bits. 291 */ 292int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out); 293 294/* 295 * CBS_get_optional_asn1 gets an optional explicitly-tagged element 296 * from |cbs| tagged with |tag| and sets |*out| to its contents. If 297 * present, it sets |*out_present| to one, otherwise zero. It returns 298 * one on success, whether or not the element was present, and zero on 299 * decode failure. 300 */ 301int CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present, 302 unsigned int tag); 303 304/* 305 * CBS_get_optional_asn1_octet_string gets an optional 306 * explicitly-tagged OCTET STRING from |cbs|. If present, it sets 307 * |*out| to the string and |*out_present| to one. Otherwise, it sets 308 * |*out| to empty and |*out_present| to zero. |out_present| may be 309 * NULL. It returns one on success, whether or not the element was 310 * present, and zero on decode failure. 311 */ 312int CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out, int *out_present, 313 unsigned int tag); 314 315/* 316 * CBS_get_optional_asn1_uint64 gets an optional explicitly-tagged 317 * INTEGER from |cbs|. If present, it sets |*out| to the 318 * value. Otherwise, it sets |*out| to |default_value|. It returns one 319 * on success, whether or not the element was present, and zero on 320 * decode failure. 321 */ 322int CBS_get_optional_asn1_uint64(CBS *cbs, uint64_t *out, unsigned int tag, 323 uint64_t default_value); 324 325/* 326 * CBS_get_optional_asn1_bool gets an optional, explicitly-tagged BOOLEAN from 327 * |cbs|. If present, it sets |*out| to either zero or one, based on the 328 * boolean. Otherwise, it sets |*out| to |default_value|. It returns one on 329 * success, whether or not the element was present, and zero on decode 330 * failure. 331 */ 332int CBS_get_optional_asn1_bool(CBS *cbs, int *out, unsigned int tag, 333 int default_value); 334 335 336/* 337 * CRYPTO ByteBuilder. 338 * 339 * |CBB| objects allow one to build length-prefixed serialisations. A |CBB| 340 * object is associated with a buffer and new buffers are created with 341 * |CBB_init|. Several |CBB| objects can point at the same buffer when a 342 * length-prefix is pending, however only a single |CBB| can be 'current' at 343 * any one time. For example, if one calls |CBB_add_u8_length_prefixed| then 344 * the new |CBB| points at the same buffer as the original. But if the original 345 * |CBB| is used then the length prefix is written out and the new |CBB| must 346 * not be used again. 347 * 348 * If one needs to force a length prefix to be written out because a |CBB| is 349 * going out of scope, use |CBB_flush|. 350 */ 351 352struct cbb_buffer_st { 353 uint8_t *buf; 354 355 /* The number of valid bytes. */ 356 size_t len; 357 358 /* The size of buf. */ 359 size_t cap; 360 361 /* 362 * One iff |buf| is owned by this object. If not then |buf| cannot be 363 * resized. 364 */ 365 char can_resize; 366}; 367 368typedef struct cbb_st { 369 struct cbb_buffer_st *base; 370 371 /* 372 * offset is the offset from the start of |base->buf| to the position of any 373 * pending length-prefix. 374 */ 375 size_t offset; 376 377 /* child points to a child CBB if a length-prefix is pending. */ 378 struct cbb_st *child; 379 380 /* 381 * pending_len_len contains the number of bytes in a pending length-prefix, 382 * or zero if no length-prefix is pending. 383 */ 384 uint8_t pending_len_len; 385 386 char pending_is_asn1; 387 388 /* 389 * is_top_level is true iff this is a top-level |CBB| (as opposed to a child 390 * |CBB|). Top-level objects are valid arguments for |CBB_finish|. 391 */ 392 char is_top_level; 393} CBB; 394 395/* 396 * CBB_init initialises |cbb| with |initial_capacity|. Since a |CBB| grows as 397 * needed, the |initial_capacity| is just a hint. It returns one on success or 398 * zero on error. 399 */ 400int CBB_init(CBB *cbb, size_t initial_capacity); 401 402/* 403 * CBB_init_fixed initialises |cbb| to write to |len| bytes at |buf|. Since 404 * |buf| cannot grow, trying to write more than |len| bytes will cause CBB 405 * functions to fail. It returns one on success or zero on error. 406 */ 407int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len); 408 409/* 410 * CBB_cleanup frees all resources owned by |cbb| and other |CBB| objects 411 * writing to the same buffer. This should be used in an error case where a 412 * serialisation is abandoned. 413 */ 414void CBB_cleanup(CBB *cbb); 415 416/* 417 * CBB_finish completes any pending length prefix and sets |*out_data| to a 418 * malloced buffer and |*out_len| to the length of that buffer. The caller 419 * takes ownership of the buffer and, unless the buffer was fixed with 420 * |CBB_init_fixed|, must call |free| when done. 421 * 422 * It can only be called on a "top level" |CBB|, i.e. one initialised with 423 * |CBB_init| or |CBB_init_fixed|. It returns one on success and zero on 424 * error. 425 */ 426int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len); 427 428/* 429 * CBB_flush causes any pending length prefixes to be written out and any child 430 * |CBB| objects of |cbb| to be invalidated. It returns one on success or zero 431 * on error. 432 */ 433int CBB_flush(CBB *cbb); 434 435/* 436 * CBB_discard_child discards the current unflushed child of |cbb|. Neither the 437 * child's contents nor the length prefix will be included in the output. 438 */ 439void CBB_discard_child(CBB *cbb); 440 441/* 442 * CBB_add_u8_length_prefixed sets |*out_contents| to a new child of |cbb|. The 443 * data written to |*out_contents| will be prefixed in |cbb| with an 8-bit 444 * length. It returns one on success or zero on error. 445 */ 446int CBB_add_u8_length_prefixed(CBB *cbb, CBB *out_contents); 447 448/* 449 * CBB_add_u16_length_prefixed sets |*out_contents| to a new child of |cbb|. 450 * The data written to |*out_contents| will be prefixed in |cbb| with a 16-bit, 451 * big-endian length. It returns one on success or zero on error. 452 */ 453int CBB_add_u16_length_prefixed(CBB *cbb, CBB *out_contents); 454 455/* 456 * CBB_add_u24_length_prefixed sets |*out_contents| to a new child of |cbb|. 457 * The data written to |*out_contents| will be prefixed in |cbb| with a 24-bit, 458 * big-endian length. It returns one on success or zero on error. 459 */ 460int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents); 461 462/* 463 * CBB_add_asn sets |*out_contents| to a |CBB| into which the contents of an 464 * ASN.1 object can be written. The |tag| argument will be used as the tag for 465 * the object. Passing in |tag| number 31 will return in an error since only 466 * single octet identifiers are supported. It returns one on success or zero 467 * on error. 468 */ 469int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned int tag); 470 471/* 472 * CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on 473 * success and zero otherwise. 474 */ 475int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len); 476 477/* 478 * CBB_add_space appends |len| bytes to |cbb| and sets |*out_data| to point to 479 * the beginning of that space. The caller must then write |len| bytes of 480 * actual contents to |*out_data|. It returns one on success and zero 481 * otherwise. 482 */ 483int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len); 484 485/* 486 * CBB_add_u8 appends an 8-bit number from |value| to |cbb|. It returns one on 487 * success and zero otherwise. 488 */ 489int CBB_add_u8(CBB *cbb, size_t value); 490 491/* 492 * CBB_add_u8 appends a 16-bit, big-endian number from |value| to |cbb|. It 493 * returns one on success and zero otherwise. 494 */ 495int CBB_add_u16(CBB *cbb, size_t value); 496 497/* 498 * CBB_add_u24 appends a 24-bit, big-endian number from |value| to |cbb|. It 499 * returns one on success and zero otherwise. 500 */ 501int CBB_add_u24(CBB *cbb, size_t value); 502 503/* 504 * CBB_add_u32 appends a 32-bit, big-endian number from |value| to |cbb|. It 505 * returns one on success and zero otherwise. 506 */ 507int CBB_add_u32(CBB *cbb, size_t value); 508 509/* 510 * CBB_add_u64 appends a 64-bit, big-endian number from |value| to |cbb|. It 511 * returns one on success and zero otherwise. 512 */ 513int CBB_add_u64(CBB *cbb, uint64_t value); 514 515/* 516 * CBB_add_asn1_uint64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1| 517 * and writes |value| in its contents. It returns one on success and zero on 518 * error. 519 */ 520int CBB_add_asn1_uint64(CBB *cbb, uint64_t value); 521 522#ifdef LIBRESSL_INTERNAL 523/* 524 * CBS_dup sets |out| to point to cbs's |data| and |len|. It results in two 525 * CBS that point to the same buffer. 526 */ 527void CBS_dup(const CBS *cbs, CBS *out); 528 529/* 530 * cbs_get_any_asn1_element sets |*out| to contain the next ASN.1 element from 531 * |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to 532 * the tag number and |*out_header_len| to the length of the ASN.1 header. If 533 * strict mode is disabled and the element has indefinite length then |*out| 534 * will only contain the header. Each of |out|, |out_tag|, and 535 * |out_header_len| may be NULL to ignore the value. 536 * 537 * Tag numbers greater than 30 are not supported (i.e. short form only). 538 */ 539int cbs_get_any_asn1_element_internal(CBS *cbs, CBS *out, unsigned int *out_tag, 540 size_t *out_header_len, int strict); 541 542/* 543 * CBS_asn1_indefinite_to_definite reads an ASN.1 structure from |in|. If it 544 * finds indefinite-length elements that otherwise appear to be valid DER, it 545 * attempts to convert the DER-like data to DER and sets |*out| and 546 * |*out_length| to describe a malloced buffer containing the DER data. 547 * Additionally, |*in| will be advanced over the ASN.1 data. 548 * 549 * If it doesn't find any indefinite-length elements then it sets |*out| to 550 * NULL and |*in| is unmodified. 551 * 552 * This is NOT a conversion from BER to DER. There are many restrictions when 553 * dealing with DER data. This is only concerned with one: indefinite vs. 554 * definite form. However, this suffices to handle the PKCS#7 and PKCS#12 output 555 * from NSS. 556 * 557 * It returns one on success and zero otherwise. 558 */ 559int CBS_asn1_indefinite_to_definite(CBS *in, uint8_t **out, size_t *out_len); 560#endif /* LIBRESSL_INTERNAL */ 561 562__END_HIDDEN_DECLS 563 564#endif /* OPENSSL_HEADER_BYTESTRING_H */ 565