Changeset 74672 in vbox for trunk/src/VBox

Timestamp:

Oct 8, 2018 12:08:51 PM (6 years ago)

Author:

vboxsync

Message:

IPRT/asn1: Hacked code into handling the necessary indefinite length stuff from apple. bugref:9232

Location:

trunk/src/VBox/Runtime

Files:

• VBox/VBoxRTImp.def (modified) (1 diff)
• common/asn1/asn1-cursor.cpp (modified) (9 diffs)
• common/crypto/pkcs7-asn1-decoder.cpp (modified) (1 diff)
• tools/RTSignTool.cpp (modified) (1 diff)

trunk/src/VBox/Runtime/VBox/VBoxRTImp.def

@@ -117 +117 @@
     RTAsn1Core_SetTagAndFlags
     RTAsn1CursorCheckEnd
+    RTAsn1CursorCheckSeqEnd
+    RTAsn1CursorCheckSetEnd
     RTAsn1CursorGetBitString
     RTAsn1CursorGetBitStringEx

trunk/src/VBox/Runtime/common/asn1/asn1-cursor.cpp

@@ -68 +68 @@
     pPrimaryCursor->Cursor.fFlags           = (uint8_t)fFlags; Assert(fFlags <= UINT8_MAX);
     pPrimaryCursor->Cursor.cDepth           = 0;
-    pPrimaryCursor->Cursor.cIndefinedRecs   = 0;
     pPrimaryCursor->Cursor.abReserved[0]    = 0;
+    pPrimaryCursor->Cursor.abReserved[1]    = 0;
     pPrimaryCursor->Cursor.pPrimary         = pPrimaryCursor;
     pPrimaryCursor->Cursor.pUp              = NULL;
@@ -89 +89 @@
     pChild->cDepth          = pParent->cDepth + 1;
     AssertReturn(pChild->cDepth < RTASN1_MAX_NESTING, VERR_ASN1_TOO_DEEPLY_NESTED);
-    pChild->cIndefinedRecs  = 0;
     pChild->abReserved[0]   = 0;
+    pChild->abReserved[1]   = 0;
     pChild->pPrimary        = pParent->pPrimary;
     pChild->pUp             = pParent;
@@ -114 +114 @@
     pChild->cDepth          = pParent->cDepth + 1;
     AssertReturn(pChild->cDepth < RTASN1_MAX_NESTING, VERR_ASN1_TOO_DEEPLY_NESTED);
-    pChild->cIndefinedRecs  = 0;
     pChild->abReserved[0]   = 0;
+    pChild->abReserved[1]   = 0;
     pChild->pPrimary        = pParent->pPrimary;
     pChild->pUp             = pParent;
@@ -194 +194 @@
     if (!(pCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH))
         return false;
-    /* This isn't quite right. */
-    if (pCursor->cbLeft > pCursor->cIndefinedRecs * (uint32_t)2)
-        return false;
-    return ASMMemIsZero(pCursor->pbCur, pCursor->cbLeft);
+    return pCursor->cbLeft >= 2
+        && pCursor->pbCur[0] == 0
+        && pCursor->pbCur[1] == 0;
 }
 
@@ -205 +204 @@
     if (pCursor->cbLeft == 0)
         return VINF_SUCCESS;
-    if (   (pCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH)
-        && pCursor->cbLeft == pCursor->cIndefinedRecs * (uint32_t)2
-        && ASMMemIsZero(pCursor->pbCur, pCursor->cbLeft))
-        return VINF_SUCCESS;
+
+    if (pCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH)
+    {
+        /*
+         * If we've got two zeros here we're good.  This helps us handle apple code
+         * signatures, where most of the big structures are of indefinite length.
+         * The problem here is when rtCrPkcs7ContentInfo_DecodeExtra works the
+         * octet string, it appears as if there extra padding at the end.
+         *
+         * It is of course possible that ASN.1 assumes we will parse the content of
+         * that octet string as if it were an ASN.1 substructure, looking for the
+         * end-of-content sequence and propage that up.  However, this works for now.
+         */
+        if (pCursor->cbLeft >= 2)
+        {
+            if (   pCursor->pbCur[0] == 0
+                && pCursor->pbCur[1] == 0)
+                return VINF_SUCCESS;
+            return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                       "%u (%#x) bytes left over [indef: %.*Rhxs]",
+                                       pCursor->cbLeft, pCursor->cbLeft, RT_MIN(pCursor->cbLeft, 16), pCursor->pbCur);
+        }
+        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                   "%u (%#x) bytes left over [indef len]", pCursor->cbLeft, pCursor->cbLeft);
+    }
     return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
                                "%u (%#x) bytes left over", pCursor->cbLeft, pCursor->cbLeft);
+}
+
+
+/**
+ * Worker for RTAsn1CursorCheckSeqEnd and RTAsn1CursorCheckSetEnd.
+ */
+static int rtAsn1CursorCheckSeqOrSetEnd(PRTASN1CURSOR pCursor, PRTASN1CORE pAsn1Core)
+{
+    if (pCursor->cbLeft == 0)
+        return VINF_SUCCESS;
+
+    if (pAsn1Core->fFlags & RTASN1CORE_F_INDEFINITE_LENGTH)
+    {
+        if (pCursor->cbLeft >= 2)
+        {
+            if (   pCursor->pbCur[0] == 0
+                && pCursor->pbCur[1] == 0)
+            {
+                pAsn1Core->cb = (uint32_t)(pCursor->pbCur - pAsn1Core->uData.pu8);
+                pCursor->cbLeft -= 2;
+                pCursor->pbCur  += 2;
+
+                PRTASN1CURSOR pParentCursor = pCursor->pUp;
+                if (   pParentCursor
+                    && (pParentCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH))
+                {
+                    pParentCursor->pbCur  -= pCursor->cbLeft;
+                    pParentCursor->cbLeft += pCursor->cbLeft;
+                    return VINF_SUCCESS;
+                }
+
+                if (pCursor->cbLeft == 0)
+                    return VINF_SUCCESS;
+
+                return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                           "%u (%#x) bytes left over (parent not indefinite length)", pCursor->cbLeft, pCursor->cbLeft);
+            }
+            return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END, "%u (%#x) bytes left over [indef: %.*Rhxs]",
+                                       pCursor->cbLeft, pCursor->cbLeft, RT_MIN(pCursor->cbLeft, 16), pCursor->pbCur);
+        }
+        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                   "1 byte left over, expected two for indefinite length end-of-content sequence");
+    }
+
+    return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                               "%u (%#x) bytes left over", pCursor->cbLeft, pCursor->cbLeft);
+
+}
+
+
+RTDECL(int) RTAsn1CursorCheckSeqEnd(PRTASN1CURSOR pCursor, PRTASN1SEQUENCECORE pSeqCore)
+{
+    return rtAsn1CursorCheckSeqOrSetEnd(pCursor, &pSeqCore->Asn1Core);
+}
+
+
+RTDECL(int) RTAsn1CursorCheckSetEnd(PRTASN1CURSOR pCursor, PRTASN1SETCORE pSetCore)
+{
+    return rtAsn1CursorCheckSeqOrSetEnd(pCursor, &pSetCore->Asn1Core);
 }
 
@@ -337 +416 @@
                 return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_BAD_INDEFINITE_LENGTH,
                                            "%s: Indefinite BER/CER encoding not supported for this tag (uTag=%#x)", pszErrorTag, uTag);
-            else if (pCursor->cIndefinedRecs > 8)
+            else if (pCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH)
                 return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_BAD_INDEFINITE_LENGTH,
-                                           "%s: Too many indefinite BER/CER encodings. (uTag=%#x)", pszErrorTag, uTag);
+                                           "%s: Nested indefinite BER/CER encoding. (uTag=%#x)", pszErrorTag, uTag);
             else if (pCursor->cbLeft < 2)
                 return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_BAD_INDEFINITE_LENGTH,
@@ -345 +424 @@
             else
             {
-                pCursor->cIndefinedRecs++;
                 pCursor->fFlags   |= RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH;
                 pAsn1Core->fFlags |= RTASN1CORE_F_INDEFINITE_LENGTH;
-                cb = pCursor->cbLeft - pCursor->cIndefinedRecs * 2; /* tentatively */
+                cb = pCursor->cbLeft - 2; /* tentatively for sequences and sets, definite for others */
             }
         }
+        /* else if (cb == 0 && uTag == 0) { end of content } - callers handle this */
 
         /* Check if the length makes sense. */
@@ -474 +553 @@
 RTDECL(int) RTAsn1CursorPeek(PRTASN1CURSOR pCursor, PRTASN1CORE pAsn1Core)
 {
-    uint32_t        cbSavedLeft = pCursor->cbLeft;
-    uint8_t const  *pbSavedCur  = pCursor->pbCur;
-    PRTERRINFO      pErrInfo    = pCursor->pPrimary->pErrInfo;
+    uint32_t            cbSavedLeft         = pCursor->cbLeft;
+    uint8_t const      *pbSavedCur          = pCursor->pbCur;
+    uint8_t const       fSavedFlags         = pCursor->fFlags;
+    PRTERRINFO const    pErrInfo            = pCursor->pPrimary->pErrInfo;
     pCursor->pPrimary->pErrInfo = NULL;
 
@@ -482 +562 @@
 
     pCursor->pPrimary->pErrInfo = pErrInfo;
-    pCursor->pbCur  = pbSavedCur;
-    pCursor->cbLeft = cbSavedLeft;
+    pCursor->pbCur              = pbSavedCur;
+    pCursor->cbLeft             = cbSavedLeft;
+    pCursor->fFlags             = fSavedFlags;
     return rc;
 }

trunk/src/VBox/Runtime/common/crypto/pkcs7-asn1-decoder.cpp

@@ -90 +90 @@
     {
         /*
-         * Detect CMS octet string and open the content cursor.
-         * Current we don't have work with any contet which is octet string,
-         * they're all sequences, which make detection so much simpler.
+         * Detect CMS octet string format and open the content cursor.
+         *
+         * Current we don't have any octent string content which, they're all
+         * sequences, which make detection so much simpler.
          */
         PRTASN1OCTETSTRING  pOctetString = &pThis->Content;

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

@@ -629 +629 @@
                 if (cVerbosity > 2)
                     RTPrintf("PKCS#7 signature: %u bytes\n", cbActual);
+                if (cVerbosity > 3)
+                    RTPrintf("%.*Rhxd\n", cbActual, pvBuf);
 
                 /*