iBoot/lib/image/image4/image4_partial.c

235 lines
6.8 KiB
C
Raw Permalink Normal View History

2023-07-08 13:03:17 -07:00
/*
* Copyright (C) 2012 Apple Inc. All rights reserved.
*
* This document is the property of Apple Inc.
* It is considered confidential and proprietary.
*
* This document may not be reproduced or transmitted in any form,
* in whole or in part, without the express written permission of
* Apple Inc.
*/
#include <compiler.h>
#include <debug.h>
#include <stdlib.h>
#include <string.h>
#include <libDER/libDER_config.h>
#include <libDER/asn1Types.h>
#include <libDER/DER_Decode.h>
#include "image4_partial.h"
// TODO - libDER/asn1Types.h is missing ASN1_EOC
#ifndef ASN1_EOC
#define ASN1_EOC 0x00
#endif
static int der_expect(const DERItem *bounds, DERTag tag, DERDecodedInfo *info,
bool partial);
static int der_restrict(DERItem *bounds, const DERItem *item);
static int der_compare_ia5string(const DERItem *item, const char *s);
static int der_skip_over(DERItem *bounds, const DERItem *item);
static int der_expect_ia5string(DERItem *bounds, const char *s);
#ifdef TEST
static void hexdump(const void *buf, size_t len);
#endif
// Parse a partial buffer enough to identify and get type.
int image4_get_partial(const void *buf, size_t buf_bytes,
uint32_t *ret_type, uint32_t *ret_size)
{
DERItem bounds;
DERDecodedInfo info;
// See sample Image4 header at the top of this file.
bounds.data = (DERByte *) buf;
bounds.length = buf_bytes;
dprintf(DEBUG_SPEW, "image4_get_partial %p,%u\n",
bounds.data, (unsigned) bounds.length);
// Outer SEQUENCE. Allow partial.
dprintf(DEBUG_SPEW, "Parse outer SEQUENCE\n");
if (der_expect(&bounds, ASN1_CONSTR_SEQUENCE, &info, true) != 0)
return -1;
// Infer Image4 size from the bounds of the sequence.
if (ret_size != NULL) {
DERSize offset = info.content.data - bounds.data;
if (offset + info.content.length < offset) {
dprintf(DEBUG_SPEW, "Sneaky size wraparound %llu\n",
(uint64_t) offset + info.content.length);
return -1;
}
*ret_size = offset + info.content.length;
}
// Update bounds to contents of SEQUENCE.
if (der_restrict(&bounds, &info.content) != 0)
return -1;
// IA5String "IMG4". Update bounds to skip over.
dprintf(DEBUG_SPEW, "Parse IA5String \"IMG4\"\n");
if (der_expect_ia5string(&bounds, "IMG4") != 0)
return -1;
// Inner SEQUENCE. Allow partial.
dprintf(DEBUG_SPEW, "Parse inner sequence\n");
if (der_expect(&bounds, ASN1_CONSTR_SEQUENCE, &info, true) != 0)
return -1;
if (der_restrict(&bounds, &info.content) != 0)
return -1;
// IA5String "IM4P". Update bounds to skip over.
dprintf(DEBUG_SPEW, "Parse IA5String \"IM4P\"\n");
if (der_expect_ia5string(&bounds, "IM4P") != 0)
return -1;
// IA5String "type". We're interested in this one.
dprintf(DEBUG_SPEW, "Parse IA5String type\n");
if (der_expect(&bounds, ASN1_IA5_STRING, &info, false) != 0)
return -1;
if (info.content.length != sizeof(*ret_type)) {
dprintf(DEBUG_SPEW, "Expected %d byte tag, got %d\n",
(int) sizeof(*ret_type), (int) info.content.length);
return -1;
}
if (ret_type != NULL) {
uint32_t local_type;
memcpy(&local_type, info.content.data, sizeof(local_type));
*ret_type = swap32(local_type);
}
return 0;
}
static int
der_expect(const DERItem *bounds, DERTag tag, DERDecodedInfo *info,
bool partial)
{
DERReturn ret;
dprintf(DEBUG_SPEW, "Bounds %p,%u\n",
bounds->data, (unsigned) bounds->length);
ret = DERDecodeItemPartialBuffer(bounds, info, partial);
if (ret != DR_Success) {
dprintf(DEBUG_SPEW, "Error decoding DER: %d\n", (int) ret);
return ret;
} else if (info->tag != tag) {
dprintf(DEBUG_SPEW,
"Didn't get expected tag 0x%llx, got 0x%llx\n",
(uint64_t) tag, (uint64_t) info->tag);
return -1;
} else {
// Got expected tag.
return 0;
}
}
static int
der_restrict(DERItem *bounds, const DERItem *item)
{
// Update *bounds to *item, keeping staying within *bounds.
RELEASE_ASSERT(item->data >= bounds->data);
DERByte *buf_start = bounds->data;
DERByte *buf_end = bounds->data + bounds->length;
// This should have been guaranteed elsewhere, but worth checking.
// Zero length returned *bounds allowed.
if ((item->data < buf_start) || (item->data > buf_end)) {
dprintf(DEBUG_SPEW, "DERItem.data=%p outside bounds %p,%p\n",
item->data, buf_start, buf_end);
return -1;
}
// Set *bounds to *item, then restrict range.
bounds->data = item->data;
bounds->length = __min((size_t)item->length, (size_t)(buf_end - bounds->data));
return 0;
}
static int
der_compare_ia5string(const DERItem *item, const char *s)
{
int cmp;
size_t len = strlen(s);
dprintf(DEBUG_SPEW, "content %p,%u\n", item->data, item->length);
if (item->length != len) {
dprintf(DEBUG_SPEW, "IA5String expected %s but length %d\n",
s, (int) len);
return -1;
}
cmp = memcmp(item->data, s, len);
if (cmp != 0) {
dprintf(DEBUG_SPEW, "Expected %s, got:\n", s);
dhexdump(DEBUG_SPEW, item->data, len);
}
return cmp;
}
static int
der_skip_over(DERItem *bounds, const DERItem *item)
{
DERSize skip, offset;
// Calculate number of bytes to move bounds->data to end of *item.
RELEASE_ASSERT(item->data >= bounds->data);
offset = item->data - bounds->data;
skip = offset + item->length;
if ((skip < offset) || (skip > bounds->length)) {
dprintf(DEBUG_SPEW, "Skipping over item -> outside bounds\n");
return -1;
}
bounds->data += skip;
bounds->length -= skip;
return 0;
}
static int
der_expect_ia5string(DERItem *bounds, const char *s)
{
// Get IA5String info, compare data, update bounds to skip over.
DERDecodedInfo info;
if (der_expect(bounds, ASN1_IA5_STRING, &info, false) != 0)
return -1;
if (der_compare_ia5string(&info.content, s) != 0)
return -1;
if (der_skip_over(bounds, &info.content) != 0)
return -1;
return 0;
}
#ifdef TEST
// Run test with:
// cc -Werror -Wall -O -o image4_partial image4_partial.c ../../pki/libDER/DER_Decode.c -DTEST -DDEBUG_LEVEL=30 -I../../../include -I../../pki && ./image4_partial
// Try both -m32 and -m64
#include <assert.h>
int main() {
static const uint8_t big_img4[] = { // 4GB-1 file
0x30, 0x84, 0xff, 0xff, 0xff, 0xf9, // SEQUENCE { 4GB-7
0x16, 0x04, 0x49, 0x4d, 0x47, 0x34, // IA5String 'IMG4'
0x30, 0x84, 0xff, 0xff, 0xff, 0xed, // SEQUENCE { 4GB-19
0x16, 0x04, 0x49, 0x4d, 0x34, 0x50, // IA5String 'IM4P'
0x16, 0x04, 0x41, 0x42, 0x43, 0x44, // IA5String 'ABCD'
};
uint32_t type, size;
int ret = image4_get_partial(big_img4, sizeof(big_img4),
&type, &size);
assert(ret == 0);
assert(memcmp(&type, "ABCD", 4) == 0);
assert(size == 0xffffffff);
printf("Pass\n");
return 0;
}
static void hexdump(const void *buf, size_t len) {
const uint8_t *p = buf;
size_t i;
for (i = 0; i < len; ++i)
printf("[%llu] = 0x%02x '%c'\n", (uint64_t) i, p[i], p[i]);
}
void _panic(const char *func, const char *str, ...) {
va_list args;
va_start(args, str);
printf("\n%s: ", func);
vprintf(str, args);
printf("\n\n");
va_end(args);
exit(1);
}
#endif // defined(TEST)