# HG changeset patch
# User Matt Johnston <matt@ucc.asn.au>
# Date 1152263838 0
# Node ID 454a34b2dfd1332d39133d76c7c5310adc1844b1
# Parent  31743c9bdf789b397e01ff472dbee23dad41c687
Fixes from Erik Hovland:

cli-authpubkey.c:
    fix leak of keybuf

cli-kex.c:
    fix leak of fingerprint fp

cli-service.c:
    remove commented out code

dropbearkey.c:
    don't attepmt to free NULL key on failure

common-kex.c:
    only free key if it is initialised

keyimport.c:
    remove dead encrypted-key code
    don't leak a FILE* loading OpenSSH keys

rsa.c, dss.c:
    check return values for some libtommath functions

svr-kex.c:
    check return value retrieving DH kex mpint

svr-tcpfwd.c:
    fix null-dereference if remote tcp forward request fails

tcp-accept.c:
    don't incorrectly free the tcpinfo var

diff -r 31743c9bdf78 -r 454a34b2dfd1 cli-authpubkey.c
--- a/cli-authpubkey.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/cli-authpubkey.c	Fri Jul 07 09:17:18 2006 +0000
@@ -112,6 +112,7 @@
 		/* Success */
 		break;
 	}
+	buf_free(keybuf);
 
 	if (keyitem != NULL) {
 		TRACE(("matching key"))
diff -r 31743c9bdf78 -r 454a34b2dfd1 cli-kex.c
--- a/cli-kex.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/cli-kex.c	Fri Jul 07 09:17:18 2006 +0000
@@ -122,6 +122,7 @@
 	fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n)\n", 
 			cli_opts.remotehost, 
 			fp);
+	m_free(fp);
 
 	tty = fopen(_PATH_TTY, "r");
 	if (tty) {
@@ -132,7 +133,6 @@
 	}
 
 	if (response == 'y') {
-		m_free(fp);
 		return;
 	}
 
diff -r 31743c9bdf78 -r 454a34b2dfd1 cli-service.c
--- a/cli-service.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/cli-service.c	Fri Jul 07 09:17:18 2006 +0000
@@ -82,6 +82,4 @@
 	}
 
 	dropbear_exit("unrecognised service accept");
-	/* m_free(servicename); not reached */
-
 }
diff -r 31743c9bdf78 -r 454a34b2dfd1 dropbearkey.c
--- a/dropbearkey.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/dropbearkey.c	Fri Jul 07 09:17:18 2006 +0000
@@ -283,8 +283,10 @@
 	buf_burn(buf);
 	buf_free(buf);
 	buf = NULL;
-	sign_key_free(key);
-	key = NULL;
+	if (key) {
+		sign_key_free(key);
+		key = NULL;
+	}
 	exit(err);
 }
 
diff -r 31743c9bdf78 -r 454a34b2dfd1 dss.c
--- a/dss.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/dss.c	Fri Jul 07 09:17:18 2006 +0000
@@ -338,7 +338,9 @@
 	/* generate k */
 	m_mp_init(&dss_protok);
 	bytes_to_mp(&dss_protok, proto_k, SHA512_HASH_SIZE);
-	mp_mod(&dss_protok, key->q, &dss_k);
+	if (mp_mod(&dss_protok, key->q, &dss_k) != MP_OKAY) {
+		dropbear_exit("dss error");
+	}
 	mp_clear(&dss_protok);
 	m_burn(proto_k, SHA512_HASH_SIZE);
 #else /* DSS_PROTOK not defined*/
diff -r 31743c9bdf78 -r 454a34b2dfd1 keyimport.c
--- a/keyimport.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/keyimport.c	Fri Jul 07 09:17:18 2006 +0000
@@ -361,7 +361,7 @@
 static struct openssh_key *load_openssh_key(const char *filename)
 {
 	struct openssh_key *ret;
-	FILE *fp;
+	FILE *fp = NULL;
 	char buffer[256];
 	char *errmsg = NULL, *p = NULL;
 	int headers_done;
@@ -482,6 +482,9 @@
 		memset(&ret, 0, sizeof(ret));
 		m_free(ret);
 	}
+	if (fp) {
+		fclose(fp);
+	}
 	if (errmsg) {
 		fprintf(stderr, "Error: %s\n", errmsg);
 	}
@@ -926,40 +929,6 @@
 	if (passphrase) {
 		fprintf(stderr, "Encrypted keys aren't supported currently\n");
 		goto error;
-#if 0
-		/*
-		 * Invent an iv. Then derive encryption key from passphrase
-		 * and iv/salt:
-		 * 
-		 *  - let block A equal MD5(passphrase || iv)
-		 *  - let block B equal MD5(A || passphrase || iv)
-		 *  - block C would be MD5(B || passphrase || iv) and so on
-		 *  - encryption key is the first N bytes of A || B
-		 */
-		struct MD5Context md5c;
-		unsigned char keybuf[32];
-
-		for (i = 0; i < 8; i++) iv[i] = random_byte();
-
-		MD5Init(&md5c);
-		MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
-		MD5Update(&md5c, iv, 8);
-		MD5Final(keybuf, &md5c);
-
-		MD5Init(&md5c);
-		MD5Update(&md5c, keybuf, 16);
-		MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
-		MD5Update(&md5c, iv, 8);
-		MD5Final(keybuf+16, &md5c);
-
-		/*
-		 * Now encrypt the key blob.
-		 */
-		des3_encrypt_pubkey_ossh(keybuf, iv, outblob, outlen);
-
-		memset(&md5c, 0, sizeof(md5c));
-		memset(keybuf, 0, sizeof(keybuf));
-#endif
 	}
 
 	/*
@@ -976,12 +945,6 @@
 		goto error;
 	}
 	fputs(header, fp);
-	if (passphrase) {
-		fprintf(fp, "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,");
-		for (i = 0; i < 8; i++)
-			fprintf(fp, "%02X", iv[i]);
-		fprintf(fp, "\n\n");
-	}
 	base64_encode_fp(fp, outblob, outlen, 64);
 	fputs(footer, fp);
 	fclose(fp);
diff -r 31743c9bdf78 -r 454a34b2dfd1 rsa.c
--- a/rsa.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/rsa.c	Fri Jul 07 09:17:18 2006 +0000
@@ -285,18 +285,29 @@
 	/* rsa_tmp1 is em */
 	/* em' = em * r^e mod n */
 
-	mp_exptmod(&rsa_tmp2, key->e, key->n, &rsa_s); /* rsa_s used as a temp var*/
-	mp_invmod(&rsa_tmp2, key->n, &rsa_tmp3);
-	mp_mulmod(&rsa_tmp1, &rsa_s, key->n, &rsa_tmp2);
+	/* rsa_s used as a temp var*/
+	if (mp_exptmod(&rsa_tmp2, key->e, key->n, &rsa_s) != MP_OKAY) {
+		dropbear_exit("rsa error");
+	}
+	if (mp_invmod(&rsa_tmp2, key->n, &rsa_tmp3) != MP_OKAY) {
+		dropbear_exit("rsa error");
+	}
+	if (mp_mulmod(&rsa_tmp1, &rsa_s, key->n, &rsa_tmp2) != MP_OKAY) {
+		dropbear_exit("rsa error");
+	}
 
 	/* rsa_tmp2 is em' */
 	/* s' = (em')^d mod n */
-	mp_exptmod(&rsa_tmp2, key->d, key->n, &rsa_tmp1);
+	if (mp_exptmod(&rsa_tmp2, key->d, key->n, &rsa_tmp1) != MP_OKAY) {
+		dropbear_exit("rsa error");
+	}
 
 	/* rsa_tmp1 is s' */
 	/* rsa_tmp3 is r^(-1) mod n */
 	/* s = (s')r^(-1) mod n */
-	mp_mulmod(&rsa_tmp1, &rsa_tmp3, key->n, &rsa_s);
+	if (mp_mulmod(&rsa_tmp1, &rsa_tmp3, key->n, &rsa_s) != MP_OKAY) {
+		dropbear_exit("rsa error");
+	}
 
 #else
 
diff -r 31743c9bdf78 -r 454a34b2dfd1 svr-kex.c
--- a/svr-kex.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/svr-kex.c	Fri Jul 07 09:17:18 2006 +0000
@@ -52,7 +52,9 @@
 	}
 
 	m_mp_init(&dh_e);
-	buf_getmpint(ses.payload, &dh_e);
+	if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) {
+		dropbear_exit("Failed to get kex value");
+	}
 
 	send_msg_kexdh_reply(&dh_e);
 
diff -r 31743c9bdf78 -r 454a34b2dfd1 svr-tcpfwd.c
--- a/svr-tcpfwd.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/svr-tcpfwd.c	Fri Jul 07 09:17:18 2006 +0000
@@ -216,7 +216,7 @@
 	if (ret == DROPBEAR_FAILURE) {
 		/* we only free it if a listener wasn't created, since the listener
 		 * has to remember it if it's to be cancelled */
-		m_free(tcpinfo->listenaddr);
+		m_free(bindaddr);
 		m_free(tcpinfo);
 	}
 	TRACE(("leave remotetcpreq"))
diff -r 31743c9bdf78 -r 454a34b2dfd1 tcp-accept.c
--- a/tcp-accept.c	Fri Jul 07 07:00:10 2006 +0000
+++ b/tcp-accept.c	Fri Jul 07 09:17:18 2006 +0000
@@ -131,7 +131,6 @@
 			tcp_acceptor, cleanup_tcp);
 
 	if (listener == NULL) {
-		m_free(tcpinfo);
 		TRACE(("leave listen_tcpfwd: listener failed"))
 		return DROPBEAR_FAILURE;
 	}