author | Jon Simons <jon@jonsimons.org> | 2014-10-05 05:59:54 -0700 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2014-12-05 10:42:32 +0100 |
commit | 4745d652b5e71c27fd891edfe690162c0b8d3005 (patch) | |
tree | 42eaa0d31af549788f8f9c91716f8c23a1336fab | |
parent | a48711ae7ef890c94e2a824afb899df385c406ee (diff) | |
pki_crypto.c: plug ecdsa_sig->[r,s] bignum leaks
Per ecdsa(3ssl), ECDSA_SIG_new does allocate its 'r' and 's' bignum fields.
Fix a bug where the initial 'r' and 's' bignums were being overwritten with
newly-allocated bignums, resulting in a memory leak.
BUG: https://red.libssh.org/issues/175
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r-- | include/libssh/bignum.h | 1 | ||||
-rw-r--r-- | src/bignum.c | 9 | ||||
-rw-r--r-- | src/pki_crypto.c | 4 |
3 files changed, 12 insertions, 2 deletions
diff --git a/include/libssh/bignum.h b/include/libssh/bignum.h
index e5f2a472..61786c84 100644
--- a/include/libssh/bignum.h
+++ b/include/libssh/bignum.h
@@ -25,6 +25,7 @@
 #include "libssh/libgcrypt.h"
 bignum make_string_bn(ssh_string string);
+void make_string_bn_inplace(ssh_string string, bignum bnout);
 ssh_string make_bignum_string(bignum num);
 void ssh_print_bignum(const char *which,bignum num);
diff --git a/src/bignum.c b/src/bignum.c
index 14b5aa54..39de2487 100644
--- a/src/bignum.c
+++ b/src/bignum.c
@@ -81,6 +81,15 @@ bignum make_string_bn(ssh_string string){
 return bn;
 }
+void make_string_bn_inplace(ssh_string string, bignum bnout) {
+ unsigned int len = ssh_string_len(string);
+#ifdef HAVE_LIBGCRYPT
+ #error "unsupported"
+#elif defined HAVE_LIBCRYPTO
+ bignum_bin2bn(string->data, len, bnout);
+#endif
+}
+
 /* prints the bignum on stderr */
 void ssh_print_bignum(const char *which, bignum num) {
 #ifdef HAVE_LIBGCRYPT
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 5706fdf0..6fc471c0 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -1421,7 +1421,7 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
 ssh_print_hexa("r", ssh_string_data(r), ssh_string_len(r));
 #endif
- sig->ecdsa_sig->r = make_string_bn(r);
+ make_string_bn_inplace(r, sig->ecdsa_sig->r);
 ssh_string_burn(r);
 ssh_string_free(r);
 if (sig->ecdsa_sig->r == NULL) {
@@ -1442,7 +1442,7 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
 ssh_print_hexa("s", ssh_string_data(s), ssh_string_len(s));
 #endif
- sig->ecdsa_sig->s = make_string_bn(s);
+ make_string_bn_inplace(s, sig->ecdsa_sig->s);
 ssh_string_burn(s);
 ssh_string_free(s);
 if (sig->ecdsa_sig->s == NULL) { |
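Review bot: The `#error "unsupported"` inside make_string_bn_inplace will stop src/bignum.c from compiling whenever HAVE_LIBGCRYPT is defined, and the `#ifdef HAVE_LIBGCRYPT` branch in the neighbouring ssh_print_bignum indicates this file is built for that backend too. The helper also discards the result of bignum_bin2bn and returns void, so a failed conversion or a NULL `bnout` is invisible to the caller. I would compile the function only for HAVE_LIBCRYPTO, have it return a status, and update the prototype in include/libssh/bignum.h to match. This assumes bignum_bin2bn yields NULL on failure, as OpenSSL's BN_bin2bn does.

```c
#ifdef HAVE_LIBCRYPTO
/* Fill the already-allocated bnout from string; 0 on success, -1 on error. */
int make_string_bn_inplace(ssh_string string, bignum bnout) {
  if (string == NULL || bnout == NULL) {
    return -1;
  }
  if (bignum_bin2bn(string->data, ssh_string_len(string), bnout) == NULL) {
    return -1;
  }
  return 0;
}
#endif /* HAVE_LIBCRYPTO */
```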
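Review bot: The `if (sig->ecdsa_sig->r == NULL)` test kept after the new call no longer detects a failed conversion: make_string_bn_inplace returns void and writes into the bignum that, per the commit message, ECDSA_SIG_new already allocated, so `r` is non-NULL whether or not the bytes were loaded. Since this function parses a signature blob, a conversion failure should reject the signature explicitly instead of leaving a default-valued `r` for later verification to handle. With a helper that reports status (it is declared void in this commit), capture it as `rc = make_string_bn_inplace(r, sig->ecdsa_sig->r);` and test `if (rc != 0) {` after the burn and free. The same applies to the `s` hunk at line 1442; pki_signature_from_blob starts and ends outside both hunks.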