Add a function for validating a DER-encoded INTEGER.

net/der/parse_values.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/logging.h"
 #include "base/numerics/safe_math.h"
 #include "net/der/parse_values.h"
 
 namespace net {
 
@@ skipping 107 matching lines @@
 }
 
 // BER interprets any non-zero value as true, while DER requires a bool to
 // have either all bits zero (false) or all bits one (true). To support
 // malformed certs, we recognized the BER encoding instead of failing to
 // parse.
 bool ParseBoolRelaxed(const Input& in, bool* out) {
   return ParseBoolInternal(in, out, true /* relaxed */);
 }
 
-bool ParseUint64(const Input& in, uint64_t* out) {
-  ByteReader reader(in);
-  size_t bytes_read = 0;
-  uint8_t data;
-  uint64_t value = 0;
-  // Note that for simplicity, this check only admits integers up to 2^63-1.
-  if (in.Length() > sizeof(uint64_t) || in.Length() == 0)
-    return false;
-  while (reader.ReadByte(&data)) {
-    if (bytes_read == 0 && (data & 0x80)) {
-      return false;
+// ITU-T X.690 section 8.3.2 specifies that an integer value must be encoded
+// in the smallest number of octets. If the encoding consists of more than
+// one octet, then the bits of the first octet and the most significant bit
+// of the second octet must not be all zeroes or all ones.
+bool IsValidInteger(const Input& in,
+                    bool* out_negative,
+                    size_t* out_numeric_length) {
+  der::ByteReader reader(in);
+  uint8_t first_byte;
+
+  if (!reader.ReadByte(&first_byte))
+    return false;  // Empty inputs are not allowed.
+
+  size_t numeric_length = in.Length();
+
+  uint8_t second_byte;
+  if (reader.ReadByte(&second_byte)) {
+    if (first_byte == 0) {
+      // The first byte in this case doesn't contribute to the number's value
+      // (just used to determine the sign).
+      numeric_length -= 1;
     }
-    value <<= 8;
-    value |= data;
-    bytes_read++;
-  }
-  // ITU-T X.690 section 8.3.2 specifies that an integer value must be encoded
-  // in the smallest number of octets. If the encoding consists of more than
-  // one octet, then the bits of the first octet and the most significant bit
-  // of the second octet must not be all zeroes or all ones.
-  // Because this function only parses unsigned integers, there's no need to
-  // check for the all ones case.
-  if (bytes_read > 1) {
-    ByteReader first_bytes_reader(in);
-    uint8_t first_byte;
-    uint8_t second_byte;
-    if (!first_bytes_reader.ReadByte(&first_byte) ||
-        !first_bytes_reader.ReadByte(&second_byte)) {
-      return false;
-    }
-    if (first_byte == 0 && !(second_byte & 0x80)) {
+
+    if ((first_byte == 0x00 || first_byte == 0xFF) &&
+        (first_byte & 0x80) == (second_byte & 0x80)) {
+      // Not a minimal encoding.
       return false;
     }
   }
+
+  *out_negative = (first_byte & 0x80) == 0x80;
+  *out_numeric_length = numeric_length;
+  return true;
+}
+
+bool ParseUint64(const Input& in, uint64_t* out) {
+  // Reject non-minimally encoded numbers, negative numbers, and non-negative
+  // numbers that would overflow the output type.
+  bool negative;
+  size_t numeric_length;
+  if (!IsValidInteger(in, &negative, &numeric_length))
+    return false;
+  if (negative || numeric_length > sizeof(*out))
+    return false;
+
+  ByteReader reader(in);
+  uint8_t data;
+  uint64_t value = 0;
+
+  while (reader.ReadByte(&data)) {
+    value <<= 8;
+    value |= data;
+  }
   *out = value;
   return true;
 }
 
 BitString::BitString(const Input& bytes, uint8_t unused_bits)
     : bytes_(bytes), unused_bits_(unused_bits) {
   DCHECK_LT(unused_bits, 8);
   DCHECK(unused_bits == 0 || bytes.Length() != 0);
 }
 
@@ skipping 135 matching lines @@
     return false;
   if (!ValidateGeneralizedTime(time))
     return false;
   *value = time;
   return true;
 }
 
 }  // namespace der
 
 }  // namespace net