shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-09 18:04:25 +09:00
Code Issues Packages Projects Releases Wiki Activity

bignum: Make sure the padding is large enough for the number

Browse Source 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
Jakub Jelen
2025-01-15 22:25:36 +01:00
parent 1ea9708409
commit 0cda1c0e83
3 changed files with 37 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/bignum.c
View File

@@ -40,7 +40,10 @@ static ssh_string make_bignum_string(bignum num, size_t pad_to_len)
pad++; pad++;
} }
} else { } else {
pad = pad_to_len - bignum_num_bytes(num); if (len > pad_to_len) {
return NULL;
}
pad = pad_to_len - len;
} }
#ifdef DEBUG_CRYPTO #ifdef DEBUG_CRYPTO

22
tests/unittests/torture_bignum.c
View File

@@ -54,11 +54,13 @@ static void check_bignum(int n, const char *nstr)
bignum num3 = NULL; bignum num3 = NULL;
ssh_string str = NULL; ssh_string str = NULL;
char *dec = NULL; char *dec = NULL;
int rc;
num = bignum_new(); num = bignum_new();
assert_non_null(num); assert_non_null(num);
assert_int_equal (1, bignum_set_word (num, n)); rc = bignum_set_word(num, n);
assert_int_equal(rc, 1);
ssh_print_bignum("num", num); ssh_print_bignum("num", num);
@@ -115,6 +117,24 @@ static void check_bignum(int n, const char *nstr)
assert_string_equal(nstr, dec); assert_string_equal(nstr, dec);
ssh_crypto_free(dec); ssh_crypto_free(dec);
/* negative test */
str = ssh_make_padded_bignum_string(num, 2);
if (n > 65535) {
/* larger values need larger padding! */
assert_null(str);
} else {
assert_non_null(str);
assert_int_equal(2, ntohl(str->size));
if (n > 0 && n <= 255) {
assert_int_equal(0, str->data[0]);
assert_int_equal(n, str->data[1]);
} else {
assert_int_equal(n >> 8, str->data[0]);
assert_int_equal(n & 0xFF, str->data[1]);
}
ssh_string_free(str);
}
bignum_safe_free(num); bignum_safe_free(num);
bignum_safe_free(num2); bignum_safe_free(num2);
bignum_safe_free(num3); bignum_safe_free(num3);

15
tests/unittests/torture_buffer.c
View File

@@ -277,17 +277,26 @@ static void torture_ssh_buffer_bignum(void **state)
num = bignum_new(); num = bignum_new();
assert_non_null(num); assert_non_null(num);
assert_int_equal(1, bignum_set_word(num, 255));
rc = bignum_set_word(num, 255);
assert_int_equal(rc, 1);
rc = ssh_buffer_pack(buffer, "FB", num, (size_t)4, num); rc = ssh_buffer_pack(buffer, "FB", num, (size_t)4, num);
assert_int_equal(rc, SSH_OK); assert_int_equal(rc, SSH_OK);
bignum_safe_free(num);
len = ssh_buffer_get_len(buffer); len = ssh_buffer_get_len(buffer);
assert_int_equal(len, sizeof(verif) - 1); assert_int_equal(len, sizeof(verif) - 1);
assert_memory_equal(ssh_buffer_get(buffer), verif, sizeof(verif) - 1); assert_memory_equal(ssh_buffer_get(buffer), verif, sizeof(verif) - 1);
/* negative test -- this number requires 3 bytes */
rc = bignum_set_word(num, 256 * 256);
assert_int_equal(rc, 1);
rc = ssh_buffer_pack(buffer, "FB", num, (size_t)2, num);
assert_int_equal(rc, SSH_ERROR);
bignum_safe_free(num);
SSH_BUFFER_FREE(buffer); SSH_BUFFER_FREE(buffer);
} }