[crypto] Extend asn1_enter() to handle partial object cursors
Handling large ASN.1 objects such as encrypted CMS files will require the ability to use the asn1_enter() and asn1_skip() family of functions on partial object cursors, where a defined additional length is known to exist after the end of the data buffer pointed to by the ASN.1 object cursor. We already have support for partial object cursors in the underlying asn1_start() operation used by both asn1_enter() and asn1_skip(), and this is used by the DER image probe routine to check that the potential DER file comprises a single ASN.1 SEQUENCE object. Add asn1_enter_partial() to formalise the process of entering an ASN.1 partial object, and refactor the DER image probe routine to use this instead of open-coding calls to the underlying asn1_start() operation. There is no need for an equivalent asn1_skip_partial() function, since only objects that are wholly contained within the partial cursor may be successfully skipped. Signed-off-by: Michael Brown <mcb30@ipxe.org>
@@ -76,8 +76,6 @@ static int der_probe ( struct image *image ) {
|
||||
struct asn1_cursor cursor;
|
||||
uint8_t buf[8];
|
||||
size_t extra;
|
||||
size_t total;
|
||||
int len;
|
||||
int rc;
|
||||
|
||||
/* Sanity check: no realistic DER image can be smaller than this */
|
||||
@@ -90,21 +88,16 @@ static int der_probe ( struct image *image ) {
|
||||
copy_from_user ( buf, image->data, 0, sizeof ( buf ) );
|
||||
extra = ( image->len - sizeof ( buf ) );
|
||||
|
||||
/* Get length of ASN.1 sequence */
|
||||
len = asn1_start ( &cursor, ASN1_SEQUENCE, extra );
|
||||
if ( len < 0 ) {
|
||||
rc = len;
|
||||
/* Check that image begins with an ASN.1 sequence object */
|
||||
if ( ( rc = asn1_enter_partial ( &cursor, ASN1_SEQUENCE,
|
||||
&extra ) ) != 0 ) {
|
||||
DBGC ( image, "DER %s is not valid ASN.1: %s\n",
|
||||
image->name, strerror ( rc ) );
|
||||
return rc;
|
||||
}
|
||||
|
||||
/* Add length of tag and length bytes consumed by asn1_start() */
|
||||
total = ( len + ( cursor.data - ( ( void * ) buf ) ) );
|
||||
assert ( total <= image->len );
|
||||
|
||||
/* Check that image comprises a single well-formed ASN.1 object */
|
||||
if ( total != image->len ) {
|
||||
if ( extra != ( image->len - sizeof ( buf ) ) ) {
|
||||
DBGC ( image, "DER %s is not single ASN.1\n", image->name );
|
||||
return -ENOEXEC;
|
||||
}
|
||||
|
||||
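Review bot: The single-object check `if ( extra != ( image->len - sizeof ( buf ) ) )` only works because asn1_enter_partial() rewrites `extra` in place, from "bytes of the image beyond buf" on entry to "bytes of the SEQUENCE content beyond buf" on return, and nothing in der_probe says so; a reader who still has `extra = ( image->len - sizeof ( buf ) );` in mind reads the comparison as always false. Suggest a comment above the comparison such as `/* asn1_enter_partial() has replaced extra with the content length not held in buf; it equals the image remainder only if the sequence spans the whole image */`. Note also that the dropped `assert ( total <= image->len )` was the one place der_probe itself checked the decoded length against the image, so that bound is now enforced only inside asn1_enter_partial(), which is defined outside this hunk and should be confirmed to reject objects claiming more data than is available. der_probe's body begins and ends outside the hunk.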