diff --git a/libssh/client.c b/libssh/client.c index b79c6058..76645e5a 100644 --- a/libssh/client.c +++ b/libssh/client.c @@ -213,7 +213,13 @@ static int dh_handshake(SSH_SESSION *session){ crypto_free(session->current_crypto); /* XXX later, include a function to change keys */ session->current_crypto=session->next_crypto; - session->next_crypto=crypto_new(); + + session->next_crypto = crypto_new(); + if (session->next_crypto == NULL) { + leave_function(); + return SSH_ERROR; + } + session->dh_handshake_state=DH_STATE_FINISHED; leave_function(); return SSH_OK; diff --git a/libssh/crypt.c b/libssh/crypt.c index 75c22dfd..9d8fa0f2 100644 --- a/libssh/crypt.c +++ b/libssh/crypt.c @@ -90,7 +90,10 @@ unsigned char * packet_encrypt(SSH_SESSION *session,void *data,u32 len){ #endif out=malloc(len); if(session->version==2){ - ctx=hmac_init(session->current_crypto->encryptMAC,20,HMAC_SHA1); + ctx = hmac_init(session->current_crypto->encryptMAC,20,HMAC_SHA1); + if (ctx == NULL) { + return NULL; + } hmac_update(ctx,(unsigned char *)&seq,sizeof(u32)); hmac_update(ctx,data,len); hmac_final(ctx,session->current_crypto->hmacbuf,&finallen); @@ -115,12 +118,16 @@ unsigned char * packet_encrypt(SSH_SESSION *session,void *data,u32 len){ return NULL; } +/* TODO FIXME think about the return value isn't 0 enough and -1 on error */ int packet_hmac_verify(SSH_SESSION *session,BUFFER *buffer,unsigned char *mac){ HMACCTX ctx; unsigned char hmacbuf[EVP_MAX_MD_SIZE]; unsigned int len; u32 seq=htonl(session->recv_seq); ctx=hmac_init(session->current_crypto->decryptMAC,20,HMAC_SHA1); + if (ctx == NULL) { + return -1; + } hmac_update(ctx,(unsigned char *)&seq,sizeof(u32)); hmac_update(ctx,buffer_get(buffer),buffer_get_len(buffer)); hmac_final(ctx,hmacbuf,&len); diff --git a/libssh/dh.c b/libssh/dh.c index 377cfe34..c89c7c81 100644 --- a/libssh/dh.c +++ b/libssh/dh.c @@ -355,6 +355,8 @@ static void sha_add(STRING *str,SHACTX ctx){ #endif } */ + +/* TODO FIXME add memory checking and a return value */ void make_sessionid(SSH_SESSION *session){ SHACTX ctx; STRING *num,*str; @@ -362,7 +364,11 @@ void make_sessionid(SSH_SESSION *session){ BUFFER *buf=buffer_new(); u32 len; enter_function(); - ctx=sha1_init(); + + ctx = sha1_init(); + if (ctx == NULL) { + return; + } str=string_from_char(session->clientbanner); buffer_add_ssh_string(buf,str); @@ -450,8 +456,12 @@ void hashbufin_add_cookie(SSH_SESSION *session,unsigned char *cookie){ buffer_add_data(session->in_hashbuf,cookie,16); } +/* TODO FIXME add return value for memory checks */ static void generate_one_key(STRING *k,unsigned char session_id[SHA_DIGEST_LEN],unsigned char output[SHA_DIGEST_LEN],char letter){ SHACTX ctx=sha1_init(); + if (ctx == NULL) { + return; + } sha1_update(ctx,k,string_len(k)+4); sha1_update(ctx,session_id,SHA_DIGEST_LEN); sha1_update(ctx,&letter,1); @@ -459,6 +469,7 @@ static void generate_one_key(STRING *k,unsigned char session_id[SHA_DIGEST_LEN], sha1_final(output,ctx); } +/* TODO FIXME add return value for memory checks */ void generate_session_keys(SSH_SESSION *session){ STRING *k_string; SHACTX ctx; @@ -484,6 +495,9 @@ void generate_session_keys(SSH_SESSION *session){ /* XXX verify it's ok for server implementation */ if(session->next_crypto->out_cipher->keysize > SHA_DIGEST_LEN*8){ ctx=sha1_init(); + if (ctx == NULL) { + return; + } sha1_update(ctx,k_string,string_len(k_string)+4); sha1_update(ctx,session->next_crypto->session_id,SHA_DIGEST_LEN); sha1_update(ctx,session->next_crypto->encryptkey,SHA_DIGEST_LEN); @@ -533,6 +547,10 @@ int ssh_get_pubkey_hash(SSH_SESSION *session,unsigned char hash[MD5_DIGEST_LEN]) int len=string_len(pubkey); ctx=md5_init(); + if (ctx == NULL) { + return 0; + } + md5_update(ctx,pubkey->string,len); md5_final(hash,ctx); return MD5_DIGEST_LEN; diff --git a/libssh/kex.c b/libssh/kex.c index db86c8cb..e325aeda 100644 --- a/libssh/kex.c +++ b/libssh/kex.c @@ -353,9 +353,17 @@ static STRING *make_rsa1_string(STRING *e, STRING *n){ return ret; } +/* TODO FIXME add return value and error checking in callers */ static void build_session_id1(SSH_SESSION *session, STRING *servern, STRING *hostn){ - MD5CTX md5=md5_init(); + MD5CTX md5; + + md5 = md5_init(); + if (md5 == NULL) { + return; + } + + #ifdef DEBUG_CRYPTO ssh_print_hexa("host modulus",hostn->string,string_len(hostn)); ssh_print_hexa("server modulus",servern->string,string_len(servern)); diff --git a/libssh/keyfiles.c b/libssh/keyfiles.c index cefcc98a..d91d0351 100644 --- a/libssh/keyfiles.c +++ b/libssh/keyfiles.c @@ -993,10 +993,14 @@ static int match_hashed_host(SSH_SESSION *session, char *host, char *sourcehash) if(strncmp(sourcehash,"|1|",3) != 0) return 0; source=strdup(sourcehash+3); + if (source == NULL) { + leave_function(); + return 0; + } b64hash=strchr(source,'|'); if(!b64hash){ /* Invalid hash */ - free(source); + SAFE_FREE(source); leave_function(); return 0; } @@ -1006,6 +1010,11 @@ static int match_hashed_host(SSH_SESSION *session, char *host, char *sourcehash) hash=base64_to_bin(b64hash); free(source); mac=hmac_init(buffer_get(salt),buffer_get_len(salt),HMAC_SHA1); + if (mac == NULL) { + SAFE_FREE(source); + leave_function(); + return 0; + } hmac_update(mac,host,strlen(host)); hmac_final(mac,buffer,&size); if(size == buffer_get_len(hash) && memcmp(buffer,buffer_get(hash),size)==0) diff --git a/libssh/keys.c b/libssh/keys.c index 82d5ce39..cdef39fc 100644 --- a/libssh/keys.c +++ b/libssh/keys.c @@ -715,7 +715,11 @@ STRING *ssh_do_sign(SSH_SESSION *session,BUFFER *sigbuf, PRIVATE_KEY *privatekey return NULL; } string_fill(session_str,crypto->session_id,SHA_DIGEST_LEN); - ctx=sha1_init(); + ctx = sha1_init(); + if (ctx == NULL) { + SAFE_FREE(session_str); + return NULL; + } sha1_update(ctx,session_str,string_len(session_str)+4); SAFE_FREE(session_str); sha1_update(ctx,buffer_get(sigbuf),buffer_get_len(sigbuf)); @@ -818,7 +822,10 @@ STRING *ssh_sign_session_id(SSH_SESSION *session, PRIVATE_KEY *privatekey){ #ifdef HAVE_LIBGCRYPT gcry_sexp_t data_sexp; #endif - ctx=sha1_init(); + ctx = sha1_init(); + if (ctx == NULL) { + return NULL; + } sha1_update(ctx,crypto->session_id,SHA_DIGEST_LEN); sha1_final(hash+1,ctx); hash[0]=0; diff --git a/libssh/server.c b/libssh/server.c index 65903dee..6cc0087b 100644 --- a/libssh/server.c +++ b/libssh/server.c @@ -307,7 +307,10 @@ static int dh_handshake_server(SSH_SESSION *session){ crypto_free(session->current_crypto); /* XXX later, include a function to change keys */ session->current_crypto=session->next_crypto; - session->next_crypto=crypto_new(); + session->next_crypto = crypto_new(); + if (session->next_crypto == NULL) { + return -1; + } return 0; } /* do the banner and key exchange */ diff --git a/libssh/session.c b/libssh/session.c index 6c88c6c2..02eaf0b7 100644 --- a/libssh/session.c +++ b/libssh/session.c @@ -43,6 +43,9 @@ SSH_SESSION *ssh_new(void) { SSH_SESSION *session=malloc(sizeof (SSH_SESSION)); memset(session,0,sizeof(SSH_SESSION)); session->next_crypto=crypto_new(); + if (session->next_crypto == NULL) { + goto err; + } session->maxchannel=FIRST_CHANNEL; session->socket = ssh_socket_new(session); if (session->socket == NULL) { diff --git a/libssh/wrapper.c b/libssh/wrapper.c index 5c8d9b3c..fd47c7ad 100644 --- a/libssh/wrapper.c +++ b/libssh/wrapper.c @@ -38,6 +38,17 @@ #include #include #include + +/* TODO FIXME */ +static int alloc_key(struct crypto_struct *cipher) { + cipher->key = malloc(cipher->keylen); + if (cipher->key == NULL) { + return -1; + } + + return 0; +} + #ifdef HAVE_LIBGCRYPT #include @@ -97,17 +108,16 @@ void hmac_final(HMACCTX c,unsigned char *hashmacbuf,unsigned int *len){ gcry_md_close(c); } -static void alloc_key(struct crypto_struct *cipher){ - cipher->key=malloc(cipher->keylen); -} - /* the wrapper functions for blowfish */ static void blowfish_set_key(struct crypto_struct *cipher, void *key, void *IV){ - if(!cipher->key){ - alloc_key(cipher); - gcry_cipher_open(&cipher->key[0],GCRY_CIPHER_BLOWFISH,GCRY_CIPHER_MODE_CBC,0); - gcry_cipher_setkey(cipher->key[0],key,16); - gcry_cipher_setiv(cipher->key[0],IV,8); + if(cipher->key == NULL) { + /* TODO FIXME */ + if (alloc_key(cipher) < 0) { + return; + } + gcry_cipher_open(&cipher->key[0],GCRY_CIPHER_BLOWFISH,GCRY_CIPHER_MODE_CBC,0); + gcry_cipher_setkey(cipher->key[0],key,16); + gcry_cipher_setiv(cipher->key[0],IV,8); } } @@ -121,7 +131,10 @@ static void blowfish_decrypt(struct crypto_struct *cipher, void *in, void *out, static void aes_set_key(struct crypto_struct *cipher, void *key, void *IV){ if(!cipher->key){ - alloc_key(cipher); + /* TODO FIXME */ + if (alloc_key(cipher) < 0) { + return; + } switch(cipher->keysize){ case 128: gcry_cipher_open(&cipher->key[0],GCRY_CIPHER_AES128,GCRY_CIPHER_MODE_CBC,0); @@ -148,7 +161,10 @@ static void aes_decrypt(struct crypto_struct *cipher, void *in, void *out,unsign static void des3_set_key(struct crypto_struct *cipher, void *key, void *IV){ if(!cipher->key){ - alloc_key(cipher); + /* TODO FIXME */ + if (alloc_key(cipher) < 0) { + return; + } gcry_cipher_open(&cipher->key[0],GCRY_CIPHER_3DES,GCRY_CIPHER_MODE_CBC,0); gcry_cipher_setkey(cipher->key[0],key,24); gcry_cipher_setiv(cipher->key[0],IV,8); @@ -167,7 +183,10 @@ static void des3_decrypt(struct crypto_struct *cipher, void *in, void *out, static void des3_1_set_key(struct crypto_struct *cipher, void *key, void *IV){ if(!cipher->key){ - alloc_key(cipher); + /* TODO FIXME */ + if (alloc_key(cipher) < 0) { + return; + } gcry_cipher_open(&cipher->key[0],GCRY_CIPHER_DES,GCRY_CIPHER_MODE_CBC,0); gcry_cipher_setkey(cipher->key[0],key,8); gcry_cipher_setiv(cipher->key[0],IV,8); @@ -231,7 +250,10 @@ static struct crypto_struct ssh_ciphertab[]={ #endif SHACTX sha1_init(){ - SHACTX c=malloc(sizeof(*c)); + SHACTX c = malloc(sizeof(*c)); + if (c == NULL) { + return NULL; + } SHA1_Init(c); return c; } @@ -247,7 +269,10 @@ void sha1(unsigned char *digest,int len,unsigned char *hash){ } MD5CTX md5_init(){ - MD5CTX c=malloc(sizeof(*c)); + MD5CTX c = malloc(sizeof(*c)); + if (c == NULL) { + return NULL; + } MD5_Init(c); return c; } @@ -261,7 +286,11 @@ void md5_final(unsigned char *md,MD5CTX c){ HMACCTX hmac_init(const void *key, int len,int type){ HMACCTX ctx; - ctx=malloc(sizeof(*ctx)); + + ctx = malloc(sizeof(*ctx)); + if (ctx == NULL) { + return NULL; + } #ifndef OLD_CRYPTO HMAC_CTX_init(ctx); // openssl 0.9.7 requires it. #endif @@ -291,15 +320,14 @@ void hmac_final(HMACCTX ctx,unsigned char *hashmacbuf,unsigned int *len){ free(ctx); } -static void alloc_key(struct crypto_struct *cipher){ - cipher->key=malloc(cipher->keylen); -} - #ifdef HAS_BLOWFISH /* the wrapper functions for blowfish */ static void blowfish_set_key(struct crypto_struct *cipher, void *key){ if(!cipher->key){ - alloc_key(cipher); + /* TODO FIXME */ + if (alloc_key(cipher) < 0) { + return; + } BF_set_key(cipher->key,16,key); } } @@ -315,13 +343,19 @@ static void blowfish_decrypt(struct crypto_struct *cipher, void *in, void *out,u #ifdef HAS_AES static void aes_set_encrypt_key(struct crypto_struct *cipher, void *key){ if(!cipher->key){ - alloc_key(cipher); + /* TODO FIXME */ + if (alloc_key(cipher) < 0) { + return; + } AES_set_encrypt_key(key,cipher->keysize,cipher->key); } } static void aes_set_decrypt_key(struct crypto_struct *cipher, void *key){ if(!cipher->key){ - alloc_key(cipher); + /* TODO FIXME */ + if (alloc_key(cipher) < 0) { + return; + } AES_set_decrypt_key(key,cipher->keysize,cipher->key); } } @@ -335,7 +369,10 @@ static void aes_decrypt(struct crypto_struct *cipher, void *in, void *out, unsig #ifdef HAS_DES static void des3_set_key(struct crypto_struct *cipher, void *key){ if(!cipher->key){ - alloc_key(cipher); + /* TODO FIXME */ + if (alloc_key(cipher) < 0) { + return; + } DES_set_odd_parity(key); DES_set_odd_parity(key+8); DES_set_odd_parity(key+16); @@ -413,7 +450,13 @@ static struct crypto_struct ssh_ciphertab[]={ /* it allocates a new cipher structure based on its offset into the global table */ static struct crypto_struct *cipher_new(int offset){ - struct crypto_struct *cipher=malloc(sizeof(struct crypto_struct)); + struct crypto_struct *cipher; + + cipher = malloc(sizeof(struct crypto_struct)); + if (cipher == NULL) { + return NULL; + } + /* note the memcpy will copy the pointers : so, you shouldn't free them */ memcpy(cipher,&ssh_ciphertab[offset],sizeof(*cipher)); return cipher; @@ -436,10 +479,17 @@ static void cipher_free(struct crypto_struct *cipher){ free(cipher); } -CRYPTO *crypto_new(void){ - CRYPTO *crypto=malloc(sizeof (CRYPTO)); - memset(crypto,0,sizeof(*crypto)); - return crypto; +CRYPTO *crypto_new(void) { + CRYPTO *crypto; + + crypto = malloc(sizeof (CRYPTO)); + if (crypto == NULL) { + return NULL; + } + + ZERO_STRUCTP(crypto); + + return crypto; } void crypto_free(CRYPTO *crypto){ @@ -477,7 +527,13 @@ static int crypt_set_algorithms2(SSH_SESSION *session){ return SSH_ERROR; } ssh_log(session,SSH_LOG_PACKET,"Set output algorithm %s",wanted); - session->next_crypto->out_cipher=cipher_new(i); + + session->next_crypto->out_cipher = cipher_new(i); + if (session->next_crypto->out_cipher == NULL) { + ssh_set_error(session, SSH_FATAL, "No space left"); + return SSH_ERROR; + } + i=0; /* in */ wanted=session->client_kex.methods[SSH_CRYPT_S_C]; @@ -488,7 +544,13 @@ static int crypt_set_algorithms2(SSH_SESSION *session){ return SSH_ERROR; } ssh_log(session,SSH_LOG_PACKET,"Set input algorithm %s",wanted); - session->next_crypto->in_cipher=cipher_new(i); + + session->next_crypto->in_cipher = cipher_new(i); + if (session->next_crypto->in_cipher == NULL) { + ssh_set_error(session, SSH_FATAL, "No space left"); + return SSH_ERROR; + } + /* compression */ if(strstr(session->client_kex.methods[SSH_COMP_C_S],"zlib")) session->next_crypto->do_compress_out=1; @@ -506,8 +568,19 @@ static int crypt_set_algorithms1(SSH_SESSION *session){ ssh_set_error(session,SSH_FATAL,"cipher 3des-cbc-ssh1 not found !"); return -1; } - session->next_crypto->out_cipher=cipher_new(i); - session->next_crypto->in_cipher=cipher_new(i); + + session->next_crypto->out_cipher = cipher_new(i); + if (session->next_crypto->out_cipher == NULL) { + ssh_set_error(session, SSH_FATAL, "No space left"); + return SSH_ERROR; + } + + session->next_crypto->in_cipher = cipher_new(i); + if (session->next_crypto->in_cipher == NULL) { + ssh_set_error(session, SSH_FATAL, "No space left"); + return SSH_ERROR; + } + return SSH_OK; } @@ -545,8 +618,14 @@ int crypt_set_algorithms_server(SSH_SESSION *session){ return SSH_ERROR; } ssh_log(session,SSH_LOG_PACKET,"Set output algorithm %s",match); - session->next_crypto->out_cipher=cipher_new(i); - free(match); + SAFE_FREE(match); + + session->next_crypto->out_cipher = cipher_new(i); + if (session->next_crypto->out_cipher == NULL) { + ssh_set_error(session, SSH_FATAL, "No space left"); + leave_function(); + return SSH_ERROR; + } i=0; /* in */ client=session->client_kex.methods[SSH_CRYPT_C_S]; @@ -567,8 +646,15 @@ int crypt_set_algorithms_server(SSH_SESSION *session){ return SSH_ERROR; } ssh_log(session,SSH_LOG_PACKET,"Set input algorithm %s",match); - session->next_crypto->in_cipher=cipher_new(i); - free(match); + SAFE_FREE(match); + + session->next_crypto->in_cipher = cipher_new(i); + if (session->next_crypto->in_cipher == NULL) { + ssh_set_error(session, SSH_FATAL, "No space left"); + leave_function(); + return SSH_ERROR; + } + /* compression */ client=session->client_kex.methods[SSH_CRYPT_C_S]; server=session->server_kex.methods[SSH_CRYPT_C_S];