changeset 852:7540c0822374 ecc

Various cleanups and fixes for warnings
author Matt Johnston <matt@ucc.asn.au>
date Tue, 12 Nov 2013 23:02:32 +0800
parents c1c1b43f78c2
children b11cb2518116
files algo.h bignum.c cli-runopts.c common-algo.c common-kex.c ecc.c ecdsa.c ecdsa.h gensignkey.c signkey.c svr-auth.c svr-authpubkey.c svr-kex.c svr-runopts.c
diffstat 14 files changed, 34 insertions(+), 36 deletions(-) [+]
--- a/algo.h	Sat Nov 09 00:14:28 2013 +0800
+++ b/algo.h	Tue Nov 12 23:02:32 2013 +0800
@@ -56,7 +56,6 @@
 extern const struct dropbear_cipher dropbear_nocipher;
 extern const struct dropbear_cipher_mode dropbear_mode_none;
 extern const struct dropbear_hash dropbear_nohash;
-extern const struct dropbear_kex kex_curve25519;
 
 struct dropbear_cipher {
 	const struct ltc_cipher_descriptor *cipherdesc;
--- a/bignum.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/bignum.c	Tue Nov 12 23:02:32 2013 +0800
@@ -78,8 +78,6 @@
 /* hash the ssh representation of the mp_int mp */
 void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, 
 				hash_state *hs, mp_int *mp) {
-
-	int i;
 	buffer * buf;
 
 	buf = buf_new(512 + 20); /* max buffer is a 4096 bit key, 
--- a/cli-runopts.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/cli-runopts.c	Tue Nov 12 23:02:32 2013 +0800
@@ -450,7 +450,7 @@
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 static void loadidentityfile(const char* filename) {
 	sign_key *key;
-	int keytype;
+	enum signkey_type keytype;
 
 	key = new_sign_key();
 	keytype = DROPBEAR_SIGNKEY_ANY;
--- a/common-algo.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/common-algo.c	Tue Nov 12 23:02:32 2013 +0800
@@ -231,6 +231,8 @@
 static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
 static const struct dropbear_kex kex_dh_group14 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
 
+/* These can't be const since dropbear_ecc_fill_dp() fills out
+ ecc_curve at runtime */
 #ifdef DROPBEAR_ECDH
 #ifdef DROPBEAR_ECC_256
 static struct dropbear_kex kex_ecdh_nistp256 = {DROPBEAR_KEX_ECDH, NULL, 0, &ecc_curve_nistp256, &sha256_desc };
@@ -245,7 +247,7 @@
 
 #ifdef DROPBEAR_CURVE25519
 /* Referred to directly */
-const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
+static const struct dropbear_kex kex_curve25519 = {DROPBEAR_KEX_CURVE25519, NULL, 0, NULL, &sha256_desc };
 #endif
 
 algo_type sshkex[] = {
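Review bot: The context comment `/* Referred to directly */` above `kex_curve25519` no longer matches the declaration. This commit makes the object `static` and removes its `extern` from algo.h, so nothing outside common-algo.c can name it any more. Drop the comment or reword it, for example `/* Only referenced from the sshkex[] table below */`, assuming that table is the remaining user; its body is outside the hunk.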
--- a/common-kex.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/common-kex.c	Tue Nov 12 23:02:32 2013 +0800
@@ -577,7 +577,7 @@
 	TRACE(("enter gen_kexdh_vals"))
 
 	struct kex_dh_param *param = m_malloc(sizeof(*param));
-	m_mp_init_multi(&param->pub, &param->priv, NULL);
+	m_mp_init_multi(&param->pub, &param->priv, &dh_g, &dh_p, &dh_q, NULL);
 
 	/* read the prime and generator*/
 	load_dh_p(&dh_p);
@@ -738,7 +738,7 @@
 
 void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *buf_pub_them,
 	sign_key *hostkey) {
-	unsigned char* out = m_malloc(CURVE25519_LEN);
+	unsigned char out[CURVE25519_LEN];
 	const unsigned char* Q_C = NULL;
 	const unsigned char* Q_S = NULL;
 
@@ -748,10 +748,9 @@
 	}
 
 	curve25519_donna(out, param->priv, buf_pub_them->data);
-	ses.dh_K = m_malloc(sizeof(*ses.dh_K));
-	m_mp_init(ses.dh_K);
+	m_mp_alloc_init_multi(&ses.dh_K, NULL);
 	bytes_to_mp(ses.dh_K, out, CURVE25519_LEN);
-	m_free(out);
+	m_burn(out, sizeof(out));
 
 	/* Create the remainder of the hash buffer, to generate the exchange hash.
 	   See RFC5656 section 4 page 7 */
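Review bot: The output of `curve25519_donna()` in `out` is converted into `ses.dh_K` with no check that it is non-zero. Certain peer public values produce an all-zero shared secret regardless of the local private key; RFC 7748 describes checking for this and RFC 8731 requires SSH implementations to abort when it happens. I would compare `out` against `CURVE25519_LEN` zero bytes in constant time directly after the call and `dropbear_exit()` on a match, keeping the `m_burn(out, sizeof(out))` on the normal path. The length validation of `buf_pub_them` presumably sits in the lines between the two hunks of this function, which are not shown.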
--- a/ecc.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/ecc.c	Tue Nov 12 23:02:32 2013 +0800
@@ -6,7 +6,7 @@
 
 #ifdef DROPBEAR_ECC
 
-// .dp members are filled out by dropbear_ecc_fill_dp() at startup
+/* .dp members are filled out by dropbear_ecc_fill_dp() at startup */
 #ifdef DROPBEAR_ECC_256
 struct dropbear_ecc_curve ecc_curve_nistp256 = {
 	.ltc_size = 32,
@@ -44,7 +44,7 @@
 
 void dropbear_ecc_fill_dp() {
 	struct dropbear_ecc_curve **curve;
-	// libtomcrypt guarantees they're ordered by size
+	/* libtomcrypt guarantees they're ordered by size */
 	const ltc_ecc_set_type *dp = ltc_ecc_sets;
 	for (curve = dropbear_ecc_curves; *curve; curve++) {
 		for (;dp->size > 0; dp++) {
--- a/ecdsa.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/ecdsa.c	Tue Nov 12 23:02:32 2013 +0800
@@ -246,8 +246,8 @@
 
 // returns values in s and r
 // returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE
-static int buf_get_ecdsa_verify_params(buffer *buf, struct dropbear_ecc_curve *curve,
-	void *r, void* s) {
+static int buf_get_ecdsa_verify_params(buffer *buf,
+			void *r, void* s) {
 	int ret = DROPBEAR_FAILURE;
 	unsigned int sig_len;
 	unsigned int sig_pos;
@@ -302,7 +302,7 @@
 		dropbear_exit("ECC error");
 	}
 
-	if (buf_get_ecdsa_verify_params(buf, curve, r, s) != DROPBEAR_SUCCESS) {
+	if (buf_get_ecdsa_verify_params(buf, r, s) != DROPBEAR_SUCCESS) {
 		goto out;
 	}
 
--- a/ecdsa.h	Sat Nov 09 00:14:28 2013 +0800
+++ b/ecdsa.h	Tue Nov 12 23:02:32 2013 +0800
@@ -7,6 +7,7 @@
 
 #ifdef DROPBEAR_ECDSA
 
+/* Prefer the larger size - it's fast anyway */
 #if defined(DROPBEAR_ECC_521)
 #define ECDSA_DEFAULT_SIZE 521
 #elif defined(DROPBEAR_ECC_384)
--- a/gensignkey.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/gensignkey.c	Tue Nov 12 23:02:32 2013 +0800
@@ -85,6 +85,8 @@
 	/* now we can generate the key */
 	key = new_sign_key();
 
+	seedrandom();
+
 	switch(keytype) {
 #ifdef DROPBEAR_RSA
 		case DROPBEAR_SIGNKEY_RSA:
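Review bot: The two added `seedrandom();` calls carry no comment, and the reason for the second one is not obvious from the code. The first is here before `switch(keytype)`; the second is in the next hunk, before `buf_new(MAX_PRIVKEY_SIZE)`. I would add `/* make sure the RNG is seeded before generating key material */` on the first. The second needs a sentence saying what the reseed after generation protects, presumably that later RNG output does not derive from the state that produced the private key; the author should confirm. The function starts and ends outside both hunks.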
@@ -112,6 +114,8 @@
 			dropbear_exit("Internal error");
 	}
 
+	seedrandom();
+
 	buf = buf_new(MAX_PRIVKEY_SIZE); 
 
 	buf_put_priv_key(buf, key, keytype);
--- a/signkey.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/signkey.c	Tue Nov 12 23:02:32 2013 +0800
@@ -39,8 +39,7 @@
 #ifdef DROPBEAR_ECDSA
 	"ecdsa-sha2-nistp256",
 	"ecdsa-sha2-nistp384",
-	"ecdsa-sha2-nistp521",
-	"ecdsa" // for keygen
+	"ecdsa-sha2-nistp521"
 #endif // DROPBEAR_ECDSA
 };
 
--- a/svr-auth.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/svr-auth.c	Tue Nov 12 23:02:32 2013 +0800
@@ -231,7 +231,7 @@
 
 	char* listshell = NULL;
 	char* usershell = NULL;
-	int   uid;
+	uid_t uid;
 	TRACE(("enter checkusername"))
 	if (userlen > MAX_USERNAME_LEN) {
 		return DROPBEAR_FAILURE;
--- a/svr-authpubkey.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/svr-authpubkey.c	Tue Nov 12 23:02:32 2013 +0800
@@ -89,7 +89,7 @@
 	buffer * signbuf = NULL;
 	sign_key * key = NULL;
 	char* fp = NULL;
-	int type = -1;
+	enum signkey_type type = -1;
 
 	TRACE(("enter pubkeyauth"))
 
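Review bot: `enum signkey_type type = -1;` stores a value that is not one of the enumerators, and whether the enum's underlying type is signed is implementation-defined. An ordered comparison such as `type < 0`, or a range check before using `type` as an index, can therefore behave differently between compilers. This variable presumably receives the key type parsed from the client's public-key auth request, so I would initialise it with a named sentinel, e.g. `enum signkey_type type = DROPBEAR_SIGNKEY_NONE;` if the enum defines such a value, and test against that name. The rest of the function is outside the hunk.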
--- a/svr-kex.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/svr-kex.c	Tue Nov 12 23:02:32 2013 +0800
@@ -64,18 +64,19 @@
 		case DROPBEAR_KEX_CURVE25519:
 #if defined(DROPBEAR_ECDH) || defined(DROPBEAR_CURVE25519)
 			ecdh_qs = buf_getstringbuf(ses.payload);
-			if (ses.payload->pos != ses.payload->len) {
-				dropbear_exit("Bad kex value");
-			}
 #endif
 			break;
 	}
+	if (ses.payload->pos != ses.payload->len) {
+		dropbear_exit("Bad kex value");
+	}
 
 	send_msg_kexdh_reply(&dh_e, ecdh_qs);
 
 	mp_clear(&dh_e);
 	if (ecdh_qs) {
 		buf_free(ecdh_qs);
+		ecdh_qs = NULL;
 	}
 
 	send_msg_newkeys();
@@ -132,8 +133,11 @@
 	}
 
 	if (link(fn_temp, fn) < 0) {
+		/* It's OK to get EEXIST - we probably just lost a race
+		with another connection to generate the key */
 		if (errno != EEXIST) {
-			dropbear_log(LOG_ERR, "Failed moving key file to %s", fn);
+			dropbear_log(LOG_ERR, "Failed moving key file to %s: %s", fn,
+				strerror(errno));
 			/* XXX fallback to non-atomic copy for some filesystems? */
 			goto out;
 		}
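Review bot: Neither branch of the `if (link(fn_temp, fn) < 0)` block removes `fn_temp` within this hunk, and that file presumably holds the newly generated private host key. It should be unlinked on both the `goto out` path and the tolerated `EEXIST` path. After `EEXIST` the key the server goes on to use should be the one read back from `fn`, not the one just generated, or two racing connections end up with different host keys. The cleanup may already happen after `out:`, which is outside the hunk, so this is to confirm. If so, the new comment could say it, e.g. `/* the winner's key is loaded from fn below, fn_temp is removed at out: */`.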
@@ -151,14 +155,6 @@
 	{
 		dropbear_exit("Couldn't read or generate hostkey %s", fn);
 	}
-
-	// directory for keys.
-
-	// Create lockfile first, or wait if it exists. PID!
-	// Generate key
-	// write it, load to memory
-	// atomic rename, done.
-
 }
 #endif
 	
--- a/svr-runopts.c	Sat Nov 09 00:14:28 2013 +0800
+++ b/svr-runopts.c	Tue Nov 12 23:02:32 2013 +0800
@@ -410,30 +410,30 @@
 
 #ifdef DROPBEAR_RSA
 	if (type == DROPBEAR_SIGNKEY_RSA) {
-		loadhostkey_helper("RSA", &read_key->rsakey, &svr_opts.hostkey->rsakey, fatal_duplicate);
+		loadhostkey_helper("RSA", (void**)&read_key->rsakey, (void**)&svr_opts.hostkey->rsakey, fatal_duplicate);
 	}
 #endif
 
 #ifdef DROPBEAR_DSS
 	if (type == DROPBEAR_SIGNKEY_DSS) {
-		loadhostkey_helper("DSS", &read_key->dsskey, &svr_opts.hostkey->dsskey, fatal_duplicate);
+		loadhostkey_helper("DSS", (void**)&read_key->dsskey, (void**)&svr_opts.hostkey->dsskey, fatal_duplicate);
 	}
 #endif
 
 #ifdef DROPBEAR_ECDSA
 #ifdef DROPBEAR_ECC_256
 	if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256) {
-		loadhostkey_helper("ECDSA256", &read_key->ecckey256, &svr_opts.hostkey->ecckey256, fatal_duplicate);
+		loadhostkey_helper("ECDSA256", (void**)&read_key->ecckey256, (void**)&svr_opts.hostkey->ecckey256, fatal_duplicate);
 	}
 #endif
 #ifdef DROPBEAR_ECC_384
 	if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP384) {
-		loadhostkey_helper("ECDSA384", &read_key->ecckey384, &svr_opts.hostkey->ecckey384, fatal_duplicate);
+		loadhostkey_helper("ECDSA384", (void**)&read_key->ecckey384, (void**)&svr_opts.hostkey->ecckey384, fatal_duplicate);
 	}
 #endif
 #ifdef DROPBEAR_ECC_521
 	if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) {
-		loadhostkey_helper("ECDSA521", &read_key->ecckey521, &svr_opts.hostkey->ecckey521, fatal_duplicate);
+		loadhostkey_helper("ECDSA521", (void**)&read_key->ecckey521, (void**)&svr_opts.hostkey->ecckey521, fatal_duplicate);
 	}
 #endif
 #endif // DROPBEAR_ECDSA
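Review bot: The added `(void**)` casts silence the incompatible-pointer warning but do not make the calls well defined. `loadhostkey_helper` presumably reads and stores through those `void **` arguments, which accesses a typed key pointer through an lvalue of type `void *`. ISO C's aliasing rules do not permit that, and the cast also stops the compiler from flagging a wrong member being passed later. A cleaner form passes the members through local `void *` temporaries and assigns the results back, or wraps the helper in a small macro that keeps the member types visible. At minimum, add a comment above the first call stating that all key members are plain object pointers of the same representation. The enclosing function starts outside the hunk.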