235 lines
6.8 KiB
C
235 lines
6.8 KiB
C
/*
|
|
* Copyright (C) 2012 Apple Inc. All rights reserved.
|
|
*
|
|
* This document is the property of Apple Inc.
|
|
* It is considered confidential and proprietary.
|
|
*
|
|
* This document may not be reproduced or transmitted in any form,
|
|
* in whole or in part, without the express written permission of
|
|
* Apple Inc.
|
|
*/
|
|
|
|
#include <compiler.h>
|
|
#include <debug.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <libDER/libDER_config.h>
|
|
#include <libDER/asn1Types.h>
|
|
#include <libDER/DER_Decode.h>
|
|
#include "image4_partial.h"
|
|
|
|
// TODO - libDER/asn1Types.h is missing ASN1_EOC
|
|
#ifndef ASN1_EOC
|
|
#define ASN1_EOC 0x00
|
|
#endif
|
|
|
|
static int der_expect(const DERItem *bounds, DERTag tag, DERDecodedInfo *info,
|
|
bool partial);
|
|
static int der_restrict(DERItem *bounds, const DERItem *item);
|
|
static int der_compare_ia5string(const DERItem *item, const char *s);
|
|
static int der_skip_over(DERItem *bounds, const DERItem *item);
|
|
static int der_expect_ia5string(DERItem *bounds, const char *s);
|
|
|
|
#ifdef TEST
|
|
static void hexdump(const void *buf, size_t len);
|
|
#endif
|
|
|
|
// Parse a partial buffer enough to identify and get type.
|
|
int image4_get_partial(const void *buf, size_t buf_bytes,
|
|
uint32_t *ret_type, uint32_t *ret_size)
|
|
{
|
|
DERItem bounds;
|
|
DERDecodedInfo info;
|
|
// See sample Image4 header at the top of this file.
|
|
bounds.data = (DERByte *) buf;
|
|
bounds.length = buf_bytes;
|
|
dprintf(DEBUG_SPEW, "image4_get_partial %p,%u\n",
|
|
bounds.data, (unsigned) bounds.length);
|
|
|
|
// Outer SEQUENCE. Allow partial.
|
|
dprintf(DEBUG_SPEW, "Parse outer SEQUENCE\n");
|
|
if (der_expect(&bounds, ASN1_CONSTR_SEQUENCE, &info, true) != 0)
|
|
return -1;
|
|
// Infer Image4 size from the bounds of the sequence.
|
|
if (ret_size != NULL) {
|
|
DERSize offset = info.content.data - bounds.data;
|
|
if (offset + info.content.length < offset) {
|
|
dprintf(DEBUG_SPEW, "Sneaky size wraparound %llu\n",
|
|
(uint64_t) offset + info.content.length);
|
|
return -1;
|
|
}
|
|
*ret_size = offset + info.content.length;
|
|
}
|
|
// Update bounds to contents of SEQUENCE.
|
|
if (der_restrict(&bounds, &info.content) != 0)
|
|
return -1;
|
|
|
|
// IA5String "IMG4". Update bounds to skip over.
|
|
dprintf(DEBUG_SPEW, "Parse IA5String \"IMG4\"\n");
|
|
if (der_expect_ia5string(&bounds, "IMG4") != 0)
|
|
return -1;
|
|
|
|
// Inner SEQUENCE. Allow partial.
|
|
dprintf(DEBUG_SPEW, "Parse inner sequence\n");
|
|
if (der_expect(&bounds, ASN1_CONSTR_SEQUENCE, &info, true) != 0)
|
|
return -1;
|
|
if (der_restrict(&bounds, &info.content) != 0)
|
|
return -1;
|
|
|
|
// IA5String "IM4P". Update bounds to skip over.
|
|
dprintf(DEBUG_SPEW, "Parse IA5String \"IM4P\"\n");
|
|
if (der_expect_ia5string(&bounds, "IM4P") != 0)
|
|
return -1;
|
|
|
|
// IA5String "type". We're interested in this one.
|
|
dprintf(DEBUG_SPEW, "Parse IA5String type\n");
|
|
if (der_expect(&bounds, ASN1_IA5_STRING, &info, false) != 0)
|
|
return -1;
|
|
if (info.content.length != sizeof(*ret_type)) {
|
|
dprintf(DEBUG_SPEW, "Expected %d byte tag, got %d\n",
|
|
(int) sizeof(*ret_type), (int) info.content.length);
|
|
return -1;
|
|
}
|
|
if (ret_type != NULL) {
|
|
uint32_t local_type;
|
|
memcpy(&local_type, info.content.data, sizeof(local_type));
|
|
*ret_type = swap32(local_type);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
der_expect(const DERItem *bounds, DERTag tag, DERDecodedInfo *info,
|
|
bool partial)
|
|
{
|
|
DERReturn ret;
|
|
dprintf(DEBUG_SPEW, "Bounds %p,%u\n",
|
|
bounds->data, (unsigned) bounds->length);
|
|
ret = DERDecodeItemPartialBuffer(bounds, info, partial);
|
|
if (ret != DR_Success) {
|
|
dprintf(DEBUG_SPEW, "Error decoding DER: %d\n", (int) ret);
|
|
return ret;
|
|
} else if (info->tag != tag) {
|
|
dprintf(DEBUG_SPEW,
|
|
"Didn't get expected tag 0x%llx, got 0x%llx\n",
|
|
(uint64_t) tag, (uint64_t) info->tag);
|
|
return -1;
|
|
} else {
|
|
// Got expected tag.
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
static int
|
|
der_restrict(DERItem *bounds, const DERItem *item)
|
|
{
|
|
// Update *bounds to *item, keeping staying within *bounds.
|
|
RELEASE_ASSERT(item->data >= bounds->data);
|
|
DERByte *buf_start = bounds->data;
|
|
DERByte *buf_end = bounds->data + bounds->length;
|
|
// This should have been guaranteed elsewhere, but worth checking.
|
|
// Zero length returned *bounds allowed.
|
|
if ((item->data < buf_start) || (item->data > buf_end)) {
|
|
dprintf(DEBUG_SPEW, "DERItem.data=%p outside bounds %p,%p\n",
|
|
item->data, buf_start, buf_end);
|
|
return -1;
|
|
}
|
|
// Set *bounds to *item, then restrict range.
|
|
bounds->data = item->data;
|
|
bounds->length = __min((size_t)item->length, (size_t)(buf_end - bounds->data));
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
der_compare_ia5string(const DERItem *item, const char *s)
|
|
{
|
|
int cmp;
|
|
size_t len = strlen(s);
|
|
dprintf(DEBUG_SPEW, "content %p,%u\n", item->data, item->length);
|
|
if (item->length != len) {
|
|
dprintf(DEBUG_SPEW, "IA5String expected %s but length %d\n",
|
|
s, (int) len);
|
|
return -1;
|
|
}
|
|
cmp = memcmp(item->data, s, len);
|
|
if (cmp != 0) {
|
|
dprintf(DEBUG_SPEW, "Expected %s, got:\n", s);
|
|
dhexdump(DEBUG_SPEW, item->data, len);
|
|
}
|
|
return cmp;
|
|
}
|
|
|
|
static int
|
|
der_skip_over(DERItem *bounds, const DERItem *item)
|
|
{
|
|
DERSize skip, offset;
|
|
// Calculate number of bytes to move bounds->data to end of *item.
|
|
RELEASE_ASSERT(item->data >= bounds->data);
|
|
offset = item->data - bounds->data;
|
|
skip = offset + item->length;
|
|
if ((skip < offset) || (skip > bounds->length)) {
|
|
dprintf(DEBUG_SPEW, "Skipping over item -> outside bounds\n");
|
|
return -1;
|
|
}
|
|
bounds->data += skip;
|
|
bounds->length -= skip;
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
der_expect_ia5string(DERItem *bounds, const char *s)
|
|
{
|
|
// Get IA5String info, compare data, update bounds to skip over.
|
|
DERDecodedInfo info;
|
|
if (der_expect(bounds, ASN1_IA5_STRING, &info, false) != 0)
|
|
return -1;
|
|
if (der_compare_ia5string(&info.content, s) != 0)
|
|
return -1;
|
|
if (der_skip_over(bounds, &info.content) != 0)
|
|
return -1;
|
|
return 0;
|
|
}
|
|
|
|
|
|
#ifdef TEST
|
|
// Run test with:
|
|
// cc -Werror -Wall -O -o image4_partial image4_partial.c ../../pki/libDER/DER_Decode.c -DTEST -DDEBUG_LEVEL=30 -I../../../include -I../../pki && ./image4_partial
|
|
// Try both -m32 and -m64
|
|
#include <assert.h>
|
|
|
|
int main() {
|
|
static const uint8_t big_img4[] = { // 4GB-1 file
|
|
0x30, 0x84, 0xff, 0xff, 0xff, 0xf9, // SEQUENCE { 4GB-7
|
|
0x16, 0x04, 0x49, 0x4d, 0x47, 0x34, // IA5String 'IMG4'
|
|
0x30, 0x84, 0xff, 0xff, 0xff, 0xed, // SEQUENCE { 4GB-19
|
|
0x16, 0x04, 0x49, 0x4d, 0x34, 0x50, // IA5String 'IM4P'
|
|
0x16, 0x04, 0x41, 0x42, 0x43, 0x44, // IA5String 'ABCD'
|
|
};
|
|
uint32_t type, size;
|
|
int ret = image4_get_partial(big_img4, sizeof(big_img4),
|
|
&type, &size);
|
|
assert(ret == 0);
|
|
assert(memcmp(&type, "ABCD", 4) == 0);
|
|
assert(size == 0xffffffff);
|
|
printf("Pass\n");
|
|
return 0;
|
|
}
|
|
|
|
static void hexdump(const void *buf, size_t len) {
|
|
const uint8_t *p = buf;
|
|
size_t i;
|
|
for (i = 0; i < len; ++i)
|
|
printf("[%llu] = 0x%02x '%c'\n", (uint64_t) i, p[i], p[i]);
|
|
}
|
|
|
|
void _panic(const char *func, const char *str, ...) {
|
|
va_list args;
|
|
va_start(args, str);
|
|
printf("\n%s: ", func);
|
|
vprintf(str, args);
|
|
printf("\n\n");
|
|
va_end(args);
|
|
exit(1);
|
|
}
|
|
#endif // defined(TEST)
|