1/*
2 * Dropbear SSH
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
24
25/* Buffer handling routines, designed to avoid overflows/using invalid data */
26
27#include "includes.h"
28#include "dbutil.h"
29#include "buffer.h"
30
31/* Prevent integer overflows when incrementing buffer position/length.
32 * Calling functions should check arguments first, but this provides a
33 * backstop */
34#define BUF_MAX_INCR 1000000000
35#define BUF_MAX_SIZE 1000000000
36
37/* avoid excessively large numbers, > ~8192 bits */
38#define BUF_MAX_MPINT (8240 / 8)
39
40/* Create (malloc) a new buffer of size */
41buffer* buf_new(unsigned int size) {
42
43	buffer* buf;
44
45	if (size > BUF_MAX_SIZE) {
46		dropbear_exit("buf->size too big");
47	}
48
49	buf = (buffer*)m_malloc(sizeof(buffer));
50
51	if (size > 0) {
52		buf->data = (unsigned char*)m_malloc(size);
53	} else {
54		buf->data = NULL;
55	}
56
57	buf->size = size;
58	buf->pos = 0;
59	buf->len = 0;
60
61	return buf;
62
63}
64
65/* free the buffer's data and the buffer itself */
66void buf_free(buffer* buf) {
67
68	m_free(buf->data)
69	m_free(buf);
70}
71
72/* overwrite the contents of the buffer to clear it */
73void buf_burn(buffer* buf) {
74
75	m_burn(buf->data, buf->size);
76
77}
78
79/* resize a buffer, pos and len will be repositioned if required when
80 * downsizing */
81void buf_resize(buffer *buf, unsigned int newsize) {
82
83	if (newsize > BUF_MAX_SIZE) {
84		dropbear_exit("buf->size too big");
85	}
86
87	buf->data = m_realloc(buf->data, newsize);
88	buf->size = newsize;
89	buf->len = MIN(newsize, buf->len);
90	buf->pos = MIN(newsize, buf->pos);
91
92}
93
94/* Create a copy of buf, allocating required memory etc. */
95/* The new buffer is sized the same as the length of the source buffer. */
96buffer* buf_newcopy(buffer* buf) {
97
98	buffer* ret;
99
100	ret = buf_new(buf->len);
101	ret->len = buf->len;
102	memcpy(ret->data, buf->data, buf->len);
103	return ret;
104}
105
106/* Set the length of the buffer */
107void buf_setlen(buffer* buf, unsigned int len) {
108	if (len > buf->size) {
109		dropbear_exit("bad buf_setlen");
110	}
111	buf->len = len;
112}
113
114/* Increment the length of the buffer */
115void buf_incrlen(buffer* buf, unsigned int incr) {
116	if (incr > BUF_MAX_INCR || buf->len + incr > buf->size) {
117		dropbear_exit("bad buf_incrlen");
118	}
119	buf->len += incr;
120}
121/* Set the position of the buffer */
122void buf_setpos(buffer* buf, unsigned int pos) {
123
124	if (pos > buf->len) {
125		dropbear_exit("bad buf_setpos");
126	}
127	buf->pos = pos;
128}
129
130/* increment the postion by incr, increasing the buffer length if required */
131void buf_incrwritepos(buffer* buf, unsigned int incr) {
132	if (incr > BUF_MAX_INCR || buf->pos + incr > buf->size) {
133		dropbear_exit("bad buf_incrwritepos");
134	}
135	buf->pos += incr;
136	if (buf->pos > buf->len) {
137		buf->len = buf->pos;
138	}
139}
140
141/* increment the position by incr, negative values are allowed, to
142 * decrement the pos*/
143void buf_incrpos(buffer* buf,  int incr) {
144	if (incr > BUF_MAX_INCR ||
145			(unsigned int)((int)buf->pos + incr) > buf->len
146			|| ((int)buf->pos + incr) < 0) {
147		dropbear_exit("bad buf_incrpos");
148	}
149	buf->pos += incr;
150}
151
152/* Get a byte from the buffer and increment the pos */
153unsigned char buf_getbyte(buffer* buf) {
154
155	/* This check is really just ==, but the >= allows us to check for the
156	 * bad case of pos > len, which should _never_ happen. */
157	if (buf->pos >= buf->len) {
158		dropbear_exit("bad buf_getbyte");
159	}
160	return buf->data[buf->pos++];
161}
162
163/* Get a bool from the buffer and increment the pos */
164unsigned char buf_getbool(buffer* buf) {
165
166	unsigned char b;
167	b = buf_getbyte(buf);
168	if (b != 0)
169		b = 1;
170	return b;
171}
172
173/* put a byte, incrementing the length if required */
174void buf_putbyte(buffer* buf, unsigned char val) {
175
176	if (buf->pos >= buf->len) {
177		buf_incrlen(buf, 1);
178	}
179	buf->data[buf->pos] = val;
180	buf->pos++;
181}
182
183/* returns an in-place pointer to the buffer, checking that
184 * the next len bytes from that position can be used */
185unsigned char* buf_getptr(buffer* buf, unsigned int len) {
186
187	if (buf->pos + len > buf->len) {
188		dropbear_exit("bad buf_getptr");
189	}
190	return &buf->data[buf->pos];
191}
192
193/* like buf_getptr, but checks against total size, not used length.
194 * This allows writing past the used length, but not past the size */
195unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
196
197	if (buf->pos + len > buf->size) {
198		dropbear_exit("bad buf_getwriteptr");
199	}
200	return &buf->data[buf->pos];
201}
202
203/* Return a null-terminated string, it is malloced, so must be free()ed
204 * Note that the string isn't checked for null bytes, hence the retlen
205 * may be longer than what is returned by strlen */
206unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {
207
208	unsigned int len;
209	unsigned char* ret;
210	len = buf_getint(buf);
211	if (len > MAX_STRING_LEN) {
212		dropbear_exit("string too long");
213	}
214
215	if (retlen != NULL) {
216		*retlen = len;
217	}
218	ret = m_malloc(len+1);
219	memcpy(ret, buf_getptr(buf, len), len);
220	buf_incrpos(buf, len);
221	ret[len] = '\0';
222
223	return ret;
224}
225
226/* Just increment the buffer position the same as if we'd used buf_getstring,
227 * but don't bother copying/malloc()ing for it */
228void buf_eatstring(buffer *buf) {
229
230	buf_incrpos( buf, buf_getint(buf) );
231}
232
233/* Get an uint32 from the buffer and increment the pos */
234unsigned int buf_getint(buffer* buf) {
235	unsigned int ret;
236
237	LOAD32H(ret, buf_getptr(buf, 4));
238	buf_incrpos(buf, 4);
239	return ret;
240}
241
242/* put a 32bit uint into the buffer, incr bufferlen & pos if required */
243void buf_putint(buffer* buf, int unsigned val) {
244
245	STORE32H(val, buf_getwriteptr(buf, 4));
246	buf_incrwritepos(buf, 4);
247
248}
249
250/* put a SSH style string into the buffer, increasing buffer len if required */
251void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) {
252
253	buf_putint(buf, len);
254	buf_putbytes(buf, str, len);
255
256}
257
258/* put the set of len bytes into the buffer, incrementing the pos, increasing
259 * len if required */
260void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
261	memcpy(buf_getwriteptr(buf, len), bytes, len);
262	buf_incrwritepos(buf, len);
263}
264
265
266/* for our purposes we only need positive (or 0) numbers, so will
267 * fail if we get negative numbers */
268void buf_putmpint(buffer* buf, mp_int * mp) {
269
270	unsigned int len, pad = 0;
271	TRACE(("enter buf_putmpint"))
272
273	dropbear_assert(mp != NULL);
274
275	if (SIGN(mp) == MP_NEG) {
276		dropbear_exit("negative bignum");
277	}
278
279	/* zero check */
280	if (USED(mp) == 1 && DIGIT(mp, 0) == 0) {
281		len = 0;
282	} else {
283		/* SSH spec requires padding for mpints with the MSB set, this code
284		 * implements it */
285		len = mp_count_bits(mp);
286		/* if the top bit of MSB is set, we need to pad */
287		pad = (len%8 == 0) ? 1 : 0;
288		len = len / 8 + 1; /* don't worry about rounding, we need it for
289							  padding anyway when len%8 == 0 */
290
291	}
292
293	/* store the length */
294	buf_putint(buf, len);
295
296	/* store the actual value */
297	if (len > 0) {
298		if (pad) {
299			buf_putbyte(buf, 0x00);
300		}
301		if (mp_to_unsigned_bin(mp, buf_getwriteptr(buf, len-pad)) != MP_OKAY) {
302			dropbear_exit("mpint error");
303		}
304		buf_incrwritepos(buf, len-pad);
305	}
306
307	TRACE(("leave buf_putmpint"))
308}
309
310/* Retrieve an mp_int from the buffer.
311 * Will fail for -ve since they shouldn't be required here.
312 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
313int buf_getmpint(buffer* buf, mp_int* mp) {
314
315	unsigned int len;
316	len = buf_getint(buf);
317
318	if (len == 0) {
319		mp_zero(mp);
320		return DROPBEAR_SUCCESS;
321	}
322
323	if (len > BUF_MAX_MPINT) {
324		return DROPBEAR_FAILURE;
325	}
326
327	/* check for negative */
328	if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
329		return DROPBEAR_FAILURE;
330	}
331
332	if (mp_read_unsigned_bin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
333		return DROPBEAR_FAILURE;
334	}
335
336	buf_incrpos(buf, len);
337	return DROPBEAR_SUCCESS;
338}
339