2 * Dropbear - a SSH2 server
4 * Copyright (c) 2002,2003 Matt Johnston
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
25 /* Buffer handling routines, designed to avoid overflows/using invalid data */
31 /* Create (malloc) a new buffer of size */
32 buffer* buf_new(unsigned int size) {
36 ret = (buffer*)m_malloc(sizeof(buffer));
42 /* free the buffer's data and the buffer itself */
43 void buf_free(buffer* buf) {
49 /* overwrite the contents of the buffer to clear it */
50 void buf_burn(buffer* buf) {
52 m_burn(buf->data, buf->size);
56 /* initialise an already allocated buffer. The data won't be freed before
58 void buf_init(buffer* buf, unsigned int size) {
61 buf->data = (unsigned char*)m_malloc(size);
71 /* resize a buffer, pos and len will be repositioned if required */
72 void buf_resize(buffer *buf, unsigned int newsize) {
74 buf->data = m_realloc(buf->data, newsize);
76 buf->len = MIN(newsize, buf->len);
77 buf->pos = MIN(newsize, buf->pos);
81 /* create a copy of buf, allocating required memory etc */
82 /* the new buffer is sized the same as the length of the source buffer */
83 /* lenonly is a boolean flag specifying whether to set the size of the new
84 * buffer to be just the len of the source buffer (1), or the size of the
85 * source buffer (0) */
86 buffer* buf_newcopy(buffer* buf) {
90 ret = buf_new(buf->len);
92 memcpy(ret->data, buf->data, buf->len);
96 /* Set the length of the buffer */
97 void buf_setlen(buffer* buf, unsigned int len) {
98 if (len > buf->size) {
99 dropbear_exit("bad buf_setlen");
104 /* Increment the length of the buffer */
105 void buf_incrlen(buffer* buf, unsigned int incr) {
106 if (buf->len + incr > buf->size) {
107 dropbear_exit("bad buf_incrlen");
111 /* Set the position of the buffer */
112 void buf_setpos(buffer* buf, unsigned int pos) {
114 if (pos > buf->len) {
115 dropbear_exit("bad buf_setpos");
120 /* increment the postion by incr, increasing the buffer length if required */
121 void buf_incrwritepos(buffer* buf, unsigned int incr) {
122 if (buf->pos + incr > buf->size) {
123 dropbear_exit("bad buf_incrwritepos");
126 if (buf->pos > buf->len) {
131 /* increment the position by incr, negative values are allowed, to
132 * decrement the pos*/
133 void buf_incrpos(buffer* buf, int incr) {
134 if ((unsigned int)((int)buf->pos + incr) > buf->len
135 || ((int)buf->pos + incr) < 0) {
136 dropbear_exit("bad buf_incrpos");
141 /* Get a byte from the buffer and increment the pos */
142 unsigned char buf_getbyte(buffer* buf) {
144 if (buf->pos >= buf->len) {
145 dropbear_exit("bad buf_getbyte");
147 return buf->data[buf->pos++];
150 /* put a byte, incrementing the length if required */
151 void buf_putbyte(buffer* buf, unsigned char val) {
153 if (buf->pos >= buf->len) {
156 buf->data[buf->pos] = val;
160 /* returns an in-place pointer to the buffer, for boundschecking */
161 unsigned char* buf_getptr(buffer* buf, unsigned int len) {
163 if (buf->pos + len > buf->len) {
164 dropbear_exit("bad buf_getptr");
166 return &buf->data[buf->pos];
169 /* like buf_getptr, but checks against total size, not used length.
170 * This allows writing past the used length, but not past the size */
171 unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
173 if (buf->pos + len > buf->size) {
174 dropbear_exit("bad buf_getwriteptr");
176 return &buf->data[buf->pos];
179 /* return a null-terminated string, it is malloced, so must be free()ed
180 * Note that the string isn't checked for null bytes, hence the retlen
181 * may be longer than what is returned by strlen */
182 unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) {
186 len = buf_getint(buf);
187 if (len > MAX_STRING_LEN) {
188 dropbear_exit("string too long");
191 if (retlen != NULL) {
194 ret = m_malloc(len+1);
195 memcpy(ret, buf_getptr(buf, len), len);
196 buf_incrpos(buf, len);
202 /* Get an uint32 from the buffer and increment the pos */
203 unsigned int buf_getint(buffer* buf) {
206 LOAD32H(ret, buf_getptr(buf, 4));
211 /* put a 32bit uint into the buffer, incr bufferlen & pos if required */
212 void buf_putint(buffer* buf, int unsigned val) {
214 STORE32H(val, buf_getwriteptr(buf, 4));
215 buf_incrwritepos(buf, 4);
219 /* put a SSH style string into the buffer, increasing buffer len if required */
220 void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) {
222 buf_putint(buf, len);
223 buf_putbytes(buf, str, len);
227 /* put the set of len bytes into the buffer, incrementing the pos, increasing
229 void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
230 memcpy(buf_getwriteptr(buf, len), bytes, len);
231 buf_incrwritepos(buf, len);
235 /* for our purposes we only need positive (or 0) numbers, so will
236 * fail if we get negative numbers */
237 void buf_putmpint(buffer* buf, mp_int * mp) {
239 unsigned int len, pad = 0;
240 TRACE(("enter buf_putmpint"));
244 if (SIGN(mp) == MP_NEG) {
245 dropbear_exit("negative bignum");
249 if (USED(mp) == 1 && DIGIT(mp, 0) == 0) {
252 /* SSH spec requires padding for mpints with the MSB set, this code
254 len = mp_count_bits(mp);
255 /* if the top bit of MSB is set, we need to pad */
256 pad = (len%8 == 0) ? 1 : 0;
257 len = len / 8 + 1; /* don't worry about rounding, we need it for
258 padding anyway when len%8 == 0 */
262 /* store the length */
263 buf_putint(buf, len);
265 /* store the actual value */
268 buf_putbyte(buf, 0x00);
270 if (mp_to_unsigned_bin(mp, buf_getwriteptr(buf, len-pad)) != MP_OKAY) {
271 dropbear_exit("mpint error");
273 buf_incrwritepos(buf, len-pad);
276 TRACE(("leave buf_putmpint"));
279 /* Retrieve an mp_int from the buffer.
280 * Will fail for -ve since they shouldn't be required here.
281 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
282 int buf_getmpint(buffer* buf, mp_int* mp) {
285 len = buf_getint(buf);
289 return DROPBEAR_SUCCESS;
292 /* check for negative */
293 if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
294 return DROPBEAR_FAILURE;
297 if (mp_read_unsigned_bin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
298 return DROPBEAR_FAILURE;
301 buf_incrpos(buf, len);
302 return DROPBEAR_SUCCESS;