$NetBSD: patch-aa,v 1.2 2005/06/17 15:32:44 hira Exp $ --- src/protocol_auth.c Fri May 27 14:28:54 2005 +++ src/protocol_auth.c Fri May 27 14:28:30 2005 @@ -118,7 +118,7 @@ bool send_metakey(connection_t *c) { - char buffer[MAX_STRING_SIZE]; + char *buffer; int len; bool x; @@ -129,10 +129,11 @@ /* Allocate buffers for the meta key */ if(!c->outkey) - c->outkey = xmalloc(len); + c->outkey = xmalloc_and_zero(len); if(!c->outctx) c->outctx = xmalloc_and_zero(sizeof(*c->outctx)); + buffer = xmalloc_and_zero(2 * len + 1); cp(); /* Copy random data to the buffer */ @@ -167,6 +168,7 @@ if(RSA_public_encrypt(len, c->outkey, buffer, c->rsa_key, RSA_NO_PADDING) != len) { logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), c->name, c->hostname); + free(buffer); return false; } 
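Review bot: The size in the new `buffer = xmalloc_and_zero(2 * len + 1);` in send_metakey (hunk @@ -129,10) is unexplained, and the same expression is repeated at the allocations in metakey_h, send_challenge and challenge_h. Judging by the `strlen(buffer) != len * 2` checks later in the patch, it is presumably two hex characters per key byte plus the terminating NUL. A comment such as `/* hex form of len bytes, plus NUL */` at each allocation would make the bound reviewable. The assignment to len sits outside this hunk, so its source could not be checked here.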
@@ -191,35 +193,45 @@ c->outcipher->iv_len)) { logger(LOG_ERR, _("Error during initialisation of cipher for %s (%s): %s"), c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); + free(buffer); return false; } c->status.encryptout = true; } + free(buffer); return x; } bool metakey_h(connection_t *c) { - char buffer[MAX_STRING_SIZE]; + char *buffer, fmt[513]; int cipher, digest, maclength, compression; int len; cp(); - if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) { + len = RSA_size(myself->connection->rsa_key); + buffer = xmalloc(2 * len + 1); + memset(buffer, 0, 2 * len + 1); + + memset(fmt, 0, 513); + snprintf(fmt, 512, "%%*d %%d %%d %%d %%d %%%ds", 2 * len); + + if(sscanf(c->buffer, fmt, &cipher, &digest, &maclength, &compression, buffer) != 5) { logger(LOG_ERR, _("Got bad %s from %s (%s)"), "METAKEY", c->name, c->hostname); + free(buffer); return false; } - len = RSA_size(myself->connection->rsa_key); /* Check if the length of the meta key is all right */ if(strlen(buffer) != len * 2) { logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, "wrong keylength"); + free(buffer); return false; } @@ -240,6 +252,7 @@ if(RSA_private_decrypt(len, buffer, c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */ logger(LOG_ERR, _("Error during encryption of meta key for %s (%s)"), c->name, c->hostname); + free(buffer); return false; } @@ -258,6 +271,7 @@ if(!c->incipher) { logger(LOG_ERR, _("%s (%s) uses unknown cipher!"), c->name, c->hostname); + free(buffer); return false; } @@ -267,6 +281,7 @@ c->incipher->iv_len)) { logger(LOG_ERR, _("Error during initialisation of cipher from %s (%s): %s"), c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); + free(buffer); return false; } 
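Review bot: In metakey_h (hunk @@ -191,35) the generated width `%%%ds` with `2 * len` makes sscanf stop after exactly 2*len characters, so a key field from the peer that is too long is silently truncated and then passes the `strlen(buffer) != len * 2` check instead of being rejected as "wrong keylength". Reading one character more than the expected length keeps the write bounded and lets the existing check catch the oversize field: `buffer = xmalloc_and_zero(2 * len + 2);` together with `snprintf(fmt, sizeof fmt, "%%*d %%d %%d %%d %%d %%%ds", 2 * len + 1);`. The same applies to the `"%%*d %%%ds"` format in challenge_h (hunk @@ -327,29) and its "wrong challenge length" check.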
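Review bot: The `free(buffer);` added on the RSA_private_decrypt failure path (hunk @@ -240,6) is one of eight separate frees this patch adds to metakey_h, and any return in the lines between the hunks, which are not shown, would leak the allocation. In the visible lines buffer is not referenced after the decrypt call. If that also holds for the unseen lines, storing the decrypt result, freeing buffer once and then testing the result would make the frees in hunks @@ -258,6, @@ -267,6, @@ -282,11 and @@ -297,19 unnecessary. Otherwise a single cleanup label (`goto out;` with one `free(buffer);` before the return) gives the same guarantee with one exit to audit.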
@@ -282,11 +297,13 @@ if(!c->indigest) { logger(LOG_ERR, _("Node %s (%s) uses unknown digest!"), c->name, c->hostname); + free(buffer); return false; } if(c->inmaclength > c->indigest->md_size || c->inmaclength < 0) { logger(LOG_ERR, _("%s (%s) uses bogus MAC length!"), c->name, c->hostname); + free(buffer); return false; } } else { @@ -297,19 +314,22 @@ c->allow_request = CHALLENGE; + free(buffer); return send_challenge(c); } bool send_challenge(connection_t *c) { - char buffer[MAX_STRING_SIZE]; + char *buffer; int len; + bool ret; cp(); /* CHECKME: what is most reasonable value for len? */ len = RSA_size(c->rsa_key); + buffer = xmalloc_and_zero(2 * len + 1); /* Allocate buffers for the challenge */ @@ -327,29 +347,37 @@ /* Send the challenge */ - return send_request(c, "%d %s", CHALLENGE, buffer); + ret = send_request(c, "%d %s", CHALLENGE, buffer); + + free(buffer); + + return ret; } bool challenge_h(connection_t *c) { - char buffer[MAX_STRING_SIZE]; - int len; + char *buffer, fmt[513]; + int len = RSA_size(myself->connection->rsa_key); cp(); - if(sscanf(c->buffer, "%*d " MAX_STRING, buffer) != 1) { + buffer = xmalloc(2 * len + 1); + memset(fmt, 0, 513); + snprintf(fmt, 512, "%%*d %%%ds", 2*len); + + if(sscanf(c->buffer, fmt, buffer) != 1) { logger(LOG_ERR, _("Got bad %s from %s (%s)"), "CHALLENGE", c->name, c->hostname); + free(buffer); return false; } - len = RSA_size(myself->connection->rsa_key); - /* Check if the length of the challenge is all right */ if(strlen(buffer) != len * 2) { logger(LOG_ERR, _("Possible intruder %s (%s): %s"), c->name, c->hostname, "wrong challenge length"); + free(buffer); return false; } @@ -366,6 +394,7 @@ /* Rest is done by send_chal_reply() */ + free(buffer); return send_chal_reply(c); }
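Review bot: In challenge_h (hunk @@ -327,29), `buffer = xmalloc(2 * len + 1);` is left uninitialised, while the other three allocations in this patch use xmalloc_and_zero or an explicit memset. It is harmless as written because buffer is only read after a successful sscanf conversion, but `buffer = xmalloc_and_zero(2 * len + 1);` would keep the four sites consistent. The `fmt` setup here and in metakey_h also repeats the literals 513 and 512. `snprintf(fmt, sizeof fmt, ...)` alone is enough because snprintf always terminates the string, so the preceding memset can be dropped.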