# HG changeset patch
# User Matt Johnston
# Date 1152263838 0
# Node ID 454a34b2dfd1332d39133d76c7c5310adc1844b1
# Parent 31743c9bdf789b397e01ff472dbee23dad41c687
Fixes from Erik Hovland: cli-authpubkey.c: fix leak of keybuf cli-kex.c: fix leak of fingerprint fp cli-service.c: remove commented out code dropbearkey.c: don't attepmt to free NULL key on failure common-kex.c: only free key if it is initialised keyimport.c: remove dead encrypted-key code don't leak a FILE* loading OpenSSH keys rsa.c, dss.c: check return values for some libtommath functions svr-kex.c: check return value retrieving DH kex mpint svr-tcpfwd.c: fix null-dereference if remote tcp forward request fails tcp-accept.c: don't incorrectly free the tcpinfo var
diff -r 31743c9bdf78 -r 454a34b2dfd1 cli-authpubkey.c
--- a/cli-authpubkey.c Fri Jul 07 07:00:10 2006 +0000
+++ b/cli-authpubkey.c Fri Jul 07 09:17:18 2006 +0000
@@ -112,6 +112,7 @@
 /* Success */
 break;
 }
+ buf_free(keybuf);
 if (keyitem != NULL) {
 TRACE(("matching key"))
diff -r 31743c9bdf78 -r 454a34b2dfd1 cli-kex.c
--- a/cli-kex.c Fri Jul 07 07:00:10 2006 +0000
+++ b/cli-kex.c Fri Jul 07 09:17:18 2006 +0000
@@ -122,6 +122,7 @@
 fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n)\n", cli_opts.remotehost, fp);
+ m_free(fp);
 tty = fopen(_PATH_TTY, "r");
 if (tty) {
@@ -132,7 +133,6 @@
 }
 if (response == 'y') {
- m_free(fp);
 return;
 }
diff -r 31743c9bdf78 -r 454a34b2dfd1 cli-service.c
--- a/cli-service.c Fri Jul 07 07:00:10 2006 +0000
+++ b/cli-service.c Fri Jul 07 09:17:18 2006 +0000
@@ -82,6 +82,4 @@
 }
 dropbear_exit("unrecognised service accept");
- /* m_free(servicename); not reached */
-
 }
diff -r 31743c9bdf78 -r 454a34b2dfd1 dropbearkey.c
--- a/dropbearkey.c Fri Jul 07 07:00:10 2006 +0000
+++ b/dropbearkey.c Fri Jul 07 09:17:18 2006 +0000
@@ -283,8 +283,10 @@
 buf_burn(buf);
 buf_free(buf);
 buf = NULL;
- sign_key_free(key);
- key = NULL;
+ if (key) {
+ sign_key_free(key);
+ key = NULL;
+ }
 exit(err);
 }
diff -r 31743c9bdf78 -r 454a34b2dfd1 dss.c
--- a/dss.c Fri Jul 07 07:00:10 2006 +0000
+++ b/dss.c Fri Jul 07 09:17:18 2006 +0000
@@ -338,7 +338,9 @@
 /* generate k */
 m_mp_init(&dss_protok);
 bytes_to_mp(&dss_protok, proto_k, SHA512_HASH_SIZE);
- mp_mod(&dss_protok, key->q, &dss_k);
+ if (mp_mod(&dss_protok, key->q, &dss_k) != MP_OKAY) {
+ dropbear_exit("dss error");
+ }
 mp_clear(&dss_protok);
 m_burn(proto_k, SHA512_HASH_SIZE);
 #else /* DSS_PROTOK not defined*/
diff -r 31743c9bdf78 -r 454a34b2dfd1 keyimport.c
--- a/keyimport.c Fri Jul 07 07:00:10 2006 +0000
+++ b/keyimport.c Fri Jul 07 09:17:18 2006 +0000
@@ -361,7 +361,7 @@
 static struct openssh_key *load_openssh_key(const char *filename)
 {
 struct openssh_key *ret;
- FILE *fp;
+ FILE *fp = NULL;
 char buffer[256];
 char *errmsg = NULL, *p = NULL;
 int headers_done;
@@ -482,6 +482,9 @@
 memset(&ret, 0, sizeof(ret));
 m_free(ret);
 }
+ if (fp) {
+ fclose(fp);
+ }
 if (errmsg) {
 fprintf(stderr, "Error: %s\n", errmsg);
 }
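Review bot: In the dropbearkey.c cleanup hunk only `key` gains a NULL guard, while `buf_burn(buf)` and `buf_free(buf)` directly above it still run unconditionally. If this exit path can be reached early enough for `key` to be NULL, as the new guard implies, it is worth confirming that `buf` is always allocated by then; otherwise it needs the same treatment, e.g. `if (buf) { buf_burn(buf); buf_free(buf); buf = NULL; }`. The jumps into this block are outside the hunk, so this could not be verified from here.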
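Review bot: The new failure branch in dss.c calls `dropbear_exit("dss error")` ahead of the `mp_clear(&dss_protok)` and `m_burn(proto_k, SHA512_HASH_SIZE)` lines that follow it, so the material the signature nonce k is derived from is not wiped on that path. Whether dropbear_exit scrubs memory is not visible here; if it does not, put `m_burn(proto_k, SHA512_HASH_SIZE);` and `mp_clear(&dss_protok);` inside the branch before the exit call. Knowledge of k for a single DSS signature is enough to recover the private key, so the error path deserves the same hygiene as the normal one. The enclosing function starts and ends outside the hunk.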
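Review bot: In the error path of load_openssh_key (keyimport.c, second hunk), the context line `memset(&ret, 0, sizeof(ret));` zeroes the pointer variable itself rather than the structure it points to, so the `m_free(ret)` after it is handed NULL and the structure is neither wiped nor released. As the structure appears to hold data read from an OpenSSH key file, the intended scrub is probably `memset(ret, 0, sizeof(*ret));`. Separately, the added `fclose(fp)` assumes no earlier path has already closed fp before jumping here; any such path, which would be outside the hunk, should set `fp = NULL` after closing.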
@@ -926,40 +929,6 @@
 if (passphrase) {
 fprintf(stderr, "Encrypted keys aren't supported currently\n");
 goto error;
-#if 0
- /*
- * Invent an iv. Then derive encryption key from passphrase
- * and iv/salt:
- *
- * - let block A equal MD5(passphrase || iv)
- * - let block B equal MD5(A || passphrase || iv)
- * - block C would be MD5(B || passphrase || iv) and so on
- * - encryption key is the first N bytes of A || B
- */
- struct MD5Context md5c;
- unsigned char keybuf[32];
-
- for (i = 0; i < 8; i++) iv[i] = random_byte();
-
- MD5Init(&md5c);
- MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
- MD5Update(&md5c, iv, 8);
- MD5Final(keybuf, &md5c);
-
- MD5Init(&md5c);
- MD5Update(&md5c, keybuf, 16);
- MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
- MD5Update(&md5c, iv, 8);
- MD5Final(keybuf+16, &md5c);
-
- /*
- * Now encrypt the key blob.
- */
- des3_encrypt_pubkey_ossh(keybuf, iv, outblob, outlen);
-
- memset(&md5c, 0, sizeof(md5c));
- memset(keybuf, 0, sizeof(keybuf));
-#endif
 }
 /*
@@ -976,12 +945,6 @@
 goto error;
 }
 fputs(header, fp);
- if (passphrase) {
- fprintf(fp, "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,");
- for (i = 0; i < 8; i++)
- fprintf(fp, "%02X", iv[i]);
- fprintf(fp, "\n\n");
- }
 base64_encode_fp(fp, outblob, outlen, 64);
 fputs(footer, fp);
 fclose(fp);
diff -r 31743c9bdf78 -r 454a34b2dfd1 rsa.c
--- a/rsa.c Fri Jul 07 07:00:10 2006 +0000
+++ b/rsa.c Fri Jul 07 09:17:18 2006 +0000
@@ -285,18 +285,29 @@
 /* rsa_tmp1 is em */
 /* em' = em * r^e mod n */
- mp_exptmod(&rsa_tmp2, key->e, key->n, &rsa_s); /* rsa_s used as a temp var*/
- mp_invmod(&rsa_tmp2, key->n, &rsa_tmp3);
- mp_mulmod(&rsa_tmp1, &rsa_s, key->n, &rsa_tmp2);
+ /* rsa_s used as a temp var*/
+ if (mp_exptmod(&rsa_tmp2, key->e, key->n, &rsa_s) != MP_OKAY) {
+ dropbear_exit("rsa error");
+ }
+ if (mp_invmod(&rsa_tmp2, key->n, &rsa_tmp3) != MP_OKAY) {
+ dropbear_exit("rsa error");
+ }
+ if (mp_mulmod(&rsa_tmp1, &rsa_s, key->n, &rsa_tmp2) != MP_OKAY) {
+ dropbear_exit("rsa error");
+ }
 /* rsa_tmp2 is em' */
 /* s' = (em')^d mod n */
- mp_exptmod(&rsa_tmp2, key->d, key->n, &rsa_tmp1);
+ if (mp_exptmod(&rsa_tmp2, key->d, key->n, &rsa_tmp1) != MP_OKAY) {
+ dropbear_exit("rsa error");
+ }
 /* rsa_tmp1 is s' */
 /* rsa_tmp3 is r^(-1) mod n */
 /* s = (s')r^(-1) mod n */
- mp_mulmod(&rsa_tmp1, &rsa_tmp3, key->n, &rsa_s);
+ if (mp_mulmod(&rsa_tmp1, &rsa_tmp3, key->n, &rsa_s) != MP_OKAY) {
+ dropbear_exit("rsa error");
+ }
 #else
diff -r 31743c9bdf78 -r 454a34b2dfd1 svr-kex.c
--- a/svr-kex.c Fri Jul 07 07:00:10 2006 +0000
+++ b/svr-kex.c Fri Jul 07 09:17:18 2006 +0000
@@ -52,7 +52,9 @@
 }
 m_mp_init(&dh_e);
- buf_getmpint(ses.payload, &dh_e);
+ if (buf_getmpint(ses.payload, &dh_e) != DROPBEAR_SUCCESS) {
+ dropbear_exit("Failed to get kex value");
+ }
 send_msg_kexdh_reply(&dh_e);
diff -r 31743c9bdf78 -r 454a34b2dfd1 svr-tcpfwd.c
--- a/svr-tcpfwd.c Fri Jul 07 07:00:10 2006 +0000
+++ b/svr-tcpfwd.c Fri Jul 07 09:17:18 2006 +0000
@@ -216,7 +216,7 @@
 if (ret == DROPBEAR_FAILURE) {
 /* we only free it if a listener wasn't created, since the listener
 * has to remember it if it's to be cancelled */
- m_free(tcpinfo->listenaddr);
+ m_free(bindaddr);
 m_free(tcpinfo);
 }
 TRACE(("leave remotetcpreq"))
diff -r 31743c9bdf78 -r 454a34b2dfd1 tcp-accept.c
--- a/tcp-accept.c Fri Jul 07 07:00:10 2006 +0000
+++ b/tcp-accept.c Fri Jul 07 09:17:18 2006 +0000
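Review bot: In the svr-kex.c hunk, `dh_e` goes straight from the new parse check to `send_msg_kexdh_reply(&dh_e)`, and no range check on the peer's DH value is visible in between. RFC 4253 requires that values of e outside [1, p-1] not be accepted, so confirm that the callee rejects them, or add the comparison here before the reply is built. A short comment such as `/* dh_e is peer-supplied; range-checked in <callee> */` would make the trust boundary explicit. The enclosing function begins and ends outside the hunk.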
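Review bot: The failure branch in svr-tcpfwd.c now releases `bindaddr` instead of `tcpinfo->listenaddr`, which is only equivalent if listenaddr never owns an allocation other than bindaddr; the assignments are outside the hunk and should be checked for a leak or a stale pointer. The tcp-accept.c hunk stops listen_tcpfwd from freeing tcpinfo when the listener cannot be created, so ownership on failure now rests entirely with the caller. Any other caller of listen_tcpfwd not shown in this patch must therefore free tcpinfo itself. The existing comment could record this, e.g. `/* listen_tcpfwd never frees tcpinfo on failure; tcpinfo may be NULL here */`.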
@@ -131,7 +131,6 @@
 tcp_acceptor, cleanup_tcp);
 if (listener == NULL) {
- m_free(tcpinfo);
 TRACE(("leave listen_tcpfwd: listener failed"))
 return DROPBEAR_FAILURE;
 }