1/*	$OpenBSD: sshbuf-getput-basic.c,v 1.13 2022/05/25 06:03:44 djm Exp $	*/
2/*
3 * Copyright (c) 2011 Damien Miller
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#define SSHBUF_INTERNAL
19#include "includes.h"
20
21#include <sys/types.h>
22
23#include <stdarg.h>
24#include <stdlib.h>
25#include <stdio.h>
26#include <string.h>
27#ifdef HAVE_STDINT_H
28# include <stdint.h>
29#endif
30
31#include "ssherr.h"
32#include "sshbuf.h"
33
/*
 * Remove 'len' bytes from the front of 'buf' and, when 'v' is non-NULL,
 * copy them to 'v'. Returns 0 on success or the negative error reported
 * by sshbuf_consume(); nothing is copied on failure.
 */
int
sshbuf_get(struct sshbuf *buf, void *v, size_t len)
{
	/* Capture the read position before the consume moves past it. */
	const u_char *src = sshbuf_ptr(buf);
	int ret;

	ret = sshbuf_consume(buf, len);
	if (ret < 0)
		return ret;
	/*
	 * Only reached once sshbuf_consume() has accepted 'len'. The caller
	 * is responsible for 'v' having room for 'len' bytes.
	 */
	if (v == NULL || len == 0)
		return 0;
	memcpy(v, src, len);
	return 0;
}
46
/*
 * Consume 8 bytes from the front of 'buf' and, if 'valp' is non-NULL,
 * store the value decoded by PEEK_U64() there. Returns 0 on success or
 * the negative error from sshbuf_consume(), in which case *valp is left
 * untouched.
 */
int
sshbuf_get_u64(struct sshbuf *buf, u_int64_t *valp)
{
	const u_char *src = sshbuf_ptr(buf);
	int ret;

	ret = sshbuf_consume(buf, 8);
	if (ret < 0)
		return ret;
	if (valp == NULL)
		return 0;
	*valp = PEEK_U64(src);
	return 0;
}
59
/*
 * Consume 4 bytes from the front of 'buf' and, if 'valp' is non-NULL,
 * store the value decoded by PEEK_U32() there. Returns 0 on success or
 * the negative error from sshbuf_consume(), in which case *valp is left
 * untouched.
 */
int
sshbuf_get_u32(struct sshbuf *buf, u_int32_t *valp)
{
	const u_char *src = sshbuf_ptr(buf);
	int ret;

	ret = sshbuf_consume(buf, 4);
	if (ret < 0)
		return ret;
	if (valp == NULL)
		return 0;
	*valp = PEEK_U32(src);
	return 0;
}
72
/*
 * Consume 2 bytes from the front of 'buf' and, if 'valp' is non-NULL,
 * store the value decoded by PEEK_U16() there. Returns 0 on success or
 * the negative error from sshbuf_consume(), in which case *valp is left
 * untouched.
 */
int
sshbuf_get_u16(struct sshbuf *buf, u_int16_t *valp)
{
	const u_char *src = sshbuf_ptr(buf);
	int ret;

	ret = sshbuf_consume(buf, 2);
	if (ret < 0)
		return ret;
	if (valp == NULL)
		return 0;
	*valp = PEEK_U16(src);
	return 0;
}
85
/*
 * Consume one byte from the front of 'buf' and, if 'valp' is non-NULL,
 * store it there. Returns 0 on success or the negative error from
 * sshbuf_consume(), in which case *valp is left untouched.
 */
int
sshbuf_get_u8(struct sshbuf *buf, u_char *valp)
{
	const u_char *src = sshbuf_ptr(buf);
	int ret;

	ret = sshbuf_consume(buf, 1);
	if (ret < 0)
		return ret;
	if (valp == NULL)
		return 0;
	*valp = (u_int8_t)*src;
	return 0;
}
98
/*
 * Validate that the byte range starting at 'offset' and spanning 'len'
 * bytes lies inside the data held by 'buf'. 'wr' only selects which
 * error describes an out-of-range request: SSH_ERR_NO_BUFFER_SPACE when
 * non-zero, SSH_ERR_MESSAGE_INCOMPLETE otherwise. Returns 0 when the
 * range is acceptable.
 */
static int
check_offset(const struct sshbuf *buf, int wr, size_t offset, size_t len)
{
	if (sshbuf_ptr(buf) == NULL) /* calls sshbuf_check_sanity() */
		return SSH_ERR_INTERNAL_ERROR;
	/*
	 * Refuse any pair whose sum would reach SIZE_MAX, so that the
	 * addition in the bounds test below cannot wrap around.
	 */
	if (offset >= SIZE_MAX - len)
		return SSH_ERR_INVALID_ARGUMENT;
	if (offset + len <= sshbuf_len(buf))
		return 0;
	if (wr)
		return SSH_ERR_NO_BUFFER_SPACE;
	return SSH_ERR_MESSAGE_INCOMPLETE;
}
112
/*
 * Read-side range check: on success sets *p to the address of 'offset'
 * within the data of 'buf' and returns 0. On failure returns the error
 * from check_offset() and leaves *p NULL.
 */
static int
check_roffset(const struct sshbuf *buf, size_t offset, size_t len,
    const u_char **p)
{
	int ret;

	/* Fail closed: the caller sees NULL unless the range validates. */
	*p = NULL;
	ret = check_offset(buf, 0, offset, len);
	if (ret != 0)
		return ret;
	*p = sshbuf_ptr(buf) + offset;
	return 0;
}
125
/*
 * Read the 8 bytes at 'offset' in 'buf', decoded by PEEK_U64(), without
 * consuming anything. A non-NULL 'valp' receives the value, or 0 if the
 * range check fails. Returns 0 on success or the error from
 * check_roffset().
 */
int
sshbuf_peek_u64(const struct sshbuf *buf, size_t offset, u_int64_t *valp)
{
	const u_char *src = NULL;
	int ret;

	/* Give the caller a defined value even when the check fails. */
	if (valp != NULL)
		*valp = 0;
	ret = check_roffset(buf, offset, 8, &src);
	if (ret != 0)
		return ret;
	if (valp != NULL)
		*valp = PEEK_U64(src);
	return 0;
}
140
/*
 * Read the 4 bytes at 'offset' in 'buf', decoded by PEEK_U32(), without
 * consuming anything. A non-NULL 'valp' receives the value, or 0 if the
 * range check fails. Returns 0 on success or the error from
 * check_roffset().
 */
int
sshbuf_peek_u32(const struct sshbuf *buf, size_t offset, u_int32_t *valp)
{
	const u_char *src = NULL;
	int ret;

	/* Give the caller a defined value even when the check fails. */
	if (valp != NULL)
		*valp = 0;
	ret = check_roffset(buf, offset, 4, &src);
	if (ret != 0)
		return ret;
	if (valp != NULL)
		*valp = PEEK_U32(src);
	return 0;
}
155
/*
 * Read the 2 bytes at 'offset' in 'buf', decoded by PEEK_U16(), without
 * consuming anything. A non-NULL 'valp' receives the value, or 0 if the
 * range check fails. Returns 0 on success or the error from
 * check_roffset().
 */
int
sshbuf_peek_u16(const struct sshbuf *buf, size_t offset, u_int16_t *valp)
{
	const u_char *src = NULL;
	int ret;

	/* Give the caller a defined value even when the check fails. */
	if (valp != NULL)
		*valp = 0;
	ret = check_roffset(buf, offset, 2, &src);
	if (ret != 0)
		return ret;
	if (valp != NULL)
		*valp = PEEK_U16(src);
	return 0;
}
170
/*
 * Read the byte at 'offset' in 'buf' without consuming anything. A
 * non-NULL 'valp' receives the byte, or 0 if the range check fails.
 * Returns 0 on success or the error from check_roffset().
 */
int
sshbuf_peek_u8(const struct sshbuf *buf, size_t offset, u_char *valp)
{
	const u_char *src = NULL;
	int ret;

	/* Give the caller a defined value even when the check fails. */
	if (valp != NULL)
		*valp = 0;
	ret = check_roffset(buf, offset, 1, &src);
	if (ret != 0)
		return ret;
	if (valp != NULL)
		*valp = *src;
	return 0;
}
185
/*
 * Consume a length-prefixed string from 'buf'. When 'valp' is non-NULL
 * it receives a freshly malloc()ed copy with one extra '\0' byte
 * appended; the caller owns and must free it. When 'lenp' is non-NULL it
 * receives the string length, not counting that extra byte. Both outputs
 * are cleared first, so they read NULL / 0 on any failure path.
 * Returns 0 on success or a negative error.
 */
int
sshbuf_get_string(struct sshbuf *buf, u_char **valp, size_t *lenp)
{
	const u_char *data;
	u_char *copy;
	size_t dlen;
	int ret;

	if (valp != NULL)
		*valp = NULL;
	if (lenp != NULL)
		*lenp = 0;
	ret = sshbuf_get_string_direct(buf, &data, &dlen);
	if (ret < 0)
		return ret;
	if (valp != NULL) {
		/*
		 * The string has already been consumed from 'buf' here, so an
		 * allocation failure returns an error with the data gone.
		 */
		copy = malloc(dlen + 1);
		*valp = copy;
		if (copy == NULL) {
			SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
			return SSH_ERR_ALLOC_FAIL;
		}
		if (dlen != 0)
			memcpy(copy, data, dlen);
		/* The payload may itself contain '\0'; this only terminates it. */
		copy[dlen] = '\0';
	}
	if (lenp != NULL)
		*lenp = dlen;
	return 0;
}
212
/*
 * Consume a length-prefixed string from 'buf' without copying it.
 * A non-NULL 'valp' receives a pointer to the payload inside the storage
 * of 'buf' and a non-NULL 'lenp' its length; both are cleared first.
 * The pointer is not a separate allocation and is not '\0'-terminated.
 * NOTE(review): presumably it stays valid only while the storage of
 * 'buf' is not modified or freed - confirm against sshbuf.c.
 * Returns 0 on success or a negative error.
 */
int
sshbuf_get_string_direct(struct sshbuf *buf, const u_char **valp, size_t *lenp)
{
	const u_char *data;
	size_t dlen;
	int ret;

	if (valp != NULL)
		*valp = NULL;
	if (lenp != NULL)
		*lenp = 0;
	ret = sshbuf_peek_string_direct(buf, &data, &dlen);
	if (ret < 0)
		return ret;
	if (valp != NULL)
		*valp = data;
	if (lenp != NULL)
		*lenp = dlen;
	/* Drop the payload together with its 4-byte length prefix. */
	if (sshbuf_consume(buf, dlen + 4) == 0)
		return 0;
	/* Shouldn't happen: the peek above already validated this range. */
	SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
	SSHBUF_ABORT();
	return SSH_ERR_INTERNAL_ERROR;
}
238
/*
 * Locate the length-prefixed string at the front of 'buf' without
 * consuming it. The 4-byte length is decoded with PEEK_U32() from the
 * buffer contents and is checked against both SSHBUF_SIZE_MAX and the
 * number of bytes actually present before anything is handed back.
 * A non-NULL 'valp' receives a pointer to the payload inside 'buf' and a
 * non-NULL 'lenp' its length; both are cleared first.
 * Returns 0, SSH_ERR_MESSAGE_INCOMPLETE or SSH_ERR_STRING_TOO_LARGE.
 */
int
sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp,
    size_t *lenp)
{
	const u_char *base = sshbuf_ptr(buf);
	u_int32_t slen;

	if (valp != NULL)
		*valp = NULL;
	if (lenp != NULL)
		*lenp = 0;
	/* The length prefix itself must be present before it is decoded. */
	if (sshbuf_len(buf) < 4) {
		SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
		return SSH_ERR_MESSAGE_INCOMPLETE;
	}
	slen = PEEK_U32(base);
	if (slen > SSHBUF_SIZE_MAX - 4) {
		SSHBUF_DBG(("SSH_ERR_STRING_TOO_LARGE"));
		return SSH_ERR_STRING_TOO_LARGE;
	}
	/*
	 * Compare by subtraction rather than adding 4 to the claimed length;
	 * the subtraction cannot underflow after the check above.
	 */
	if (slen > sshbuf_len(buf) - 4) {
		SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
		return SSH_ERR_MESSAGE_INCOMPLETE;
	}
	if (valp != NULL)
		*valp = base + 4;
	if (lenp != NULL)
		*lenp = slen;
	return 0;
}
269
/*
 * Consume a length-prefixed string from 'buf' and return it as a C
 * string. A '\0' anywhere except the final byte is rejected with
 * SSH_ERR_INVALID_FORMAT before anything is consumed, so the returned
 * copy cannot be silently truncated by strlen()-style consumers.
 * A non-NULL 'valp' receives a malloc()ed, '\0'-terminated copy owned by
 * the caller; a non-NULL 'lenp' receives the length from the prefix.
 * Both outputs are cleared first. Returns 0 on success or a negative
 * error.
 */
int
sshbuf_get_cstring(struct sshbuf *buf, char **valp, size_t *lenp)
{
	const u_char *data, *nul;
	char *copy;
	size_t dlen;
	int ret;

	if (valp != NULL)
		*valp = NULL;
	if (lenp != NULL)
		*lenp = 0;
	ret = sshbuf_peek_string_direct(buf, &data, &dlen);
	if (ret != 0)
		return ret;
	/* Allow a \0 only at the end of the string */
	if (dlen > 0) {
		nul = memchr(data, '\0', dlen);
		if (nul != NULL && nul < data + dlen - 1) {
			SSHBUF_DBG(("SSH_ERR_INVALID_FORMAT"));
			return SSH_ERR_INVALID_FORMAT;
		}
	}
	/*
	 * NOTE(review): this path returns a literal -1 rather than the
	 * error from sshbuf_skip_string() or a named SSH_ERR_* constant.
	 */
	ret = sshbuf_skip_string(buf);
	if (ret != 0)
		return -1;
	if (valp != NULL) {
		/* The string is already consumed; a failure here loses it. */
		copy = malloc(dlen + 1);
		*valp = copy;
		if (copy == NULL) {
			SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
			return SSH_ERR_ALLOC_FAIL;
		}
		if (dlen != 0)
			memcpy(copy, data, dlen);
		copy[dlen] = '\0';
	}
	if (lenp != NULL)
		*lenp = (size_t)dlen;
	return 0;
}
304
/*
 * Consume a length-prefixed string from 'buf' and append its payload
 * (without the prefix) to 'v'. Returns 0 on success or the first
 * non-zero error from the steps below.
 */
int
sshbuf_get_stringb(struct sshbuf *buf, struct sshbuf *v)
{
	u_int32_t slen;
	u_char *dst;
	int ret;

	/*
	 * Use sshbuf_peek_string_direct() to figure out if there is
	 * a complete string in 'buf' and copy the string directly
	 * into 'v'.
	 */
	ret = sshbuf_peek_string_direct(buf, NULL, NULL);
	if (ret != 0)
		return ret;
	ret = sshbuf_get_u32(buf, &slen);
	if (ret != 0)
		return ret;
	/*
	 * NOTE(review): the 4-byte prefix has been consumed at this point,
	 * so if sshbuf_reserve() on 'v' fails the function returns with
	 * 'buf' advanced past the length but the payload still queued.
	 */
	ret = sshbuf_reserve(v, slen, &dst);
	if (ret != 0)
		return ret;
	ret = sshbuf_get(buf, dst, slen);
	if (ret != 0)
		return ret;
	return 0;
}
324
/*
 * Append 'len' bytes from 'v' to 'buf'. Space is obtained with
 * sshbuf_reserve() first, so nothing is written if that fails.
 * 'v' is only read when 'len' is non-zero. Returns 0 on success or the
 * negative error from sshbuf_reserve().
 */
int
sshbuf_put(struct sshbuf *buf, const void *v, size_t len)
{
	u_char *dst;
	int ret;

	ret = sshbuf_reserve(buf, len, &dst);
	if (ret < 0)
		return ret;
	if (len == 0)
		return 0;
	memcpy(dst, v, len);
	return 0;
}
337
/*
 * Append the contents of buffer 'v' to 'buf'. A NULL 'v' is treated as
 * nothing to append and returns 0; otherwise the result of sshbuf_put()
 * is returned.
 */
int
sshbuf_putb(struct sshbuf *buf, const struct sshbuf *v)
{
	if (v != NULL)
		return sshbuf_put(buf, sshbuf_ptr(v), sshbuf_len(v));
	return 0;
}
345
/*
 * printf-style append to 'buf': collects the variadic arguments and
 * hands them to sshbuf_putfv(), whose result is returned.
 * 'fmt' is interpreted as a format string, so it must come from the
 * program itself; externally supplied text belongs in the arguments.
 */
int
sshbuf_putf(struct sshbuf *buf, const char *fmt, ...)
{
	va_list args;
	int ret;

	va_start(args, fmt);
	ret = sshbuf_putfv(buf, fmt, args);
	va_end(args);
	return ret;
}
357
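/*
 * vprintf-style append to 'buf'. The output is measured with a first
 * vsnprintf() pass, space for it plus the terminating '\0' is reserved,
 * the text is formatted into that space, and the '\0' is then dropped
 * again so only the formatted bytes remain appended.
 * 'fmt' is interpreted as a format string, so it must come from the
 * program itself; externally supplied text belongs in the arguments.
 * Returns 0 on success (including empty output), or a negative error.
 */
int
sshbuf_putfv(struct sshbuf *buf, const char *fmt, va_list ap)
{
	va_list ap2;
	int r, len;
	size_t need;
	u_char *p;

	/* 'ap' is walked twice, so each pass works on its own copy. */
	VA_COPY(ap2, ap);
	if ((len = vsnprintf(NULL, 0, fmt, ap2)) < 0) {
		r = SSH_ERR_INVALID_ARGUMENT;
		goto out;
	}
	if (len == 0) {
		r = 0;
		goto out; /* Nothing to do */
	}
	va_end(ap2);
	VA_COPY(ap2, ap);
	/*
	 * Compute the size once in size_t: the same value is used for the
	 * reservation and for the write bound, and the '+ 1' is never done
	 * in signed int arithmetic.
	 */
	need = (size_t)len + 1;
	if ((r = sshbuf_reserve(buf, need, &p)) < 0)
		goto out;
	if ((r = vsnprintf((char *)p, need, fmt, ap2)) != len) {
		/*
		 * NOTE(review): presumably the bytes reserved above remain
		 * appended to 'buf' on this path - confirm against sshbuf.c.
		 */
		r = SSH_ERR_INTERNAL_ERROR;
		goto out; /* Shouldn't happen */
	}
	/* Consume terminating \0 */
	if ((r = sshbuf_consume_end(buf, 1)) != 0)
		goto out;
	r = 0;
 out:
	va_end(ap2);
	return r;
}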
390
/*
 * Append 'val' to 'buf' as 8 bytes written by POKE_U64(). Returns 0 on
 * success or the negative error from sshbuf_reserve().
 */
int
sshbuf_put_u64(struct sshbuf *buf, u_int64_t val)
{
	u_char *dst;
	int ret;

	ret = sshbuf_reserve(buf, 8, &dst);
	if (ret < 0)
		return ret;
	POKE_U64(dst, val);
	return 0;
}
402
/*
 * Append 'val' to 'buf' as 4 bytes written by POKE_U32(). Returns 0 on
 * success or the negative error from sshbuf_reserve().
 */
int
sshbuf_put_u32(struct sshbuf *buf, u_int32_t val)
{
	u_char *dst;
	int ret;

	ret = sshbuf_reserve(buf, 4, &dst);
	if (ret < 0)
		return ret;
	POKE_U32(dst, val);
	return 0;
}
414
/*
 * Append 'val' to 'buf' as 2 bytes written by POKE_U16(). Returns 0 on
 * success or the negative error from sshbuf_reserve().
 */
int
sshbuf_put_u16(struct sshbuf *buf, u_int16_t val)
{
	u_char *dst;
	int ret;

	ret = sshbuf_reserve(buf, 2, &dst);
	if (ret < 0)
		return ret;
	POKE_U16(dst, val);
	return 0;
}
426
/*
 * Append the single byte 'val' to 'buf'. Returns 0 on success or the
 * negative error from sshbuf_reserve().
 */
int
sshbuf_put_u8(struct sshbuf *buf, u_char val)
{
	u_char *dst;
	int ret;

	ret = sshbuf_reserve(buf, 1, &dst);
	if (ret < 0)
		return ret;
	dst[0] = val;
	return 0;
}
438
/*
 * Write-side range check: on success sets *p to a writable address for
 * 'offset' within the existing data of 'buf' and returns 0. Fails with
 * the error from check_offset() when the range is not inside the buffer,
 * or SSH_ERR_BUFFER_READ_ONLY when no mutable pointer is available.
 * *p is NULL on every failure path.
 */
static int
check_woffset(struct sshbuf *buf, size_t offset, size_t len, u_char **p)
{
	int ret;

	/* Fail closed: the caller sees NULL unless every check passes. */
	*p = NULL;
	ret = check_offset(buf, 1, offset, len);
	if (ret != 0)
		return ret;
	if (sshbuf_mutable_ptr(buf) == NULL)
		return SSH_ERR_BUFFER_READ_ONLY;
	*p = sshbuf_mutable_ptr(buf) + offset;
	return 0;
}
452
/*
 * Overwrite the 8 bytes at 'offset' in 'buf' with 'val', written by
 * POKE_U64(). The range must already be part of the buffer; nothing is
 * appended. Returns 0 on success or the error from check_woffset().
 */
int
sshbuf_poke_u64(struct sshbuf *buf, size_t offset, u_int64_t val)
{
	u_char *dst = NULL;
	int ret;

	ret = check_woffset(buf, offset, 8, &dst);
	if (ret != 0)
		return ret;
	POKE_U64(dst, val);
	return 0;
}
464
/*
 * Overwrite the 4 bytes at 'offset' in 'buf' with 'val', written by
 * POKE_U32(). The range must already be part of the buffer; nothing is
 * appended. Returns 0 on success or the error from check_woffset().
 */
int
sshbuf_poke_u32(struct sshbuf *buf, size_t offset, u_int32_t val)
{
	u_char *dst = NULL;
	int ret;

	ret = check_woffset(buf, offset, 4, &dst);
	if (ret != 0)
		return ret;
	POKE_U32(dst, val);
	return 0;
}
476
/*
 * Overwrite the 2 bytes at 'offset' in 'buf' with 'val', written by
 * POKE_U16(). The range must already be part of the buffer; nothing is
 * appended. Returns 0 on success or the error from check_woffset().
 */
int
sshbuf_poke_u16(struct sshbuf *buf, size_t offset, u_int16_t val)
{
	u_char *dst = NULL;
	int ret;

	ret = check_woffset(buf, offset, 2, &dst);
	if (ret != 0)
		return ret;
	POKE_U16(dst, val);
	return 0;
}
488
/*
 * Overwrite the byte at 'offset' in 'buf' with 'val'. The byte must
 * already be part of the buffer; nothing is appended. Returns 0 on
 * success or the error from check_woffset().
 */
int
sshbuf_poke_u8(struct sshbuf *buf, size_t offset, u_char val)
{
	u_char *dst = NULL;
	int ret;

	ret = check_woffset(buf, offset, 1, &dst);
	if (ret != 0)
		return ret;
	*dst = val;
	return 0;
}
500
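/*
 * Overwrite 'len' bytes at 'offset' in 'buf' with the bytes at 'v'.
 * The range must already be part of the buffer; nothing is appended.
 * 'v' is only read when 'len' is non-zero, so a zero-length poke with a
 * NULL 'v' is a no-op once the offset has been validated.
 * Returns 0 on success or the error from check_woffset().
 */
int
sshbuf_poke(struct sshbuf *buf, size_t offset, void *v, size_t len)
{
	u_char *p = NULL;
	int r;

	if ((r = check_woffset(buf, offset, len, &p)) != 0)
		return r;
	/*
	 * Skip the copy for empty input, as sshbuf_put() does: calling
	 * memcpy() with a NULL source is undefined even for zero bytes.
	 */
	if (len != 0)
		memcpy(p, v, len);
	return 0;
}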
512
/*
 * Append 'len' bytes from 'v' to 'buf' as a length-prefixed string: a
 * 4-byte length written by POKE_U32() followed by the payload.
 * Lengths above SSHBUF_SIZE_MAX - 4 are refused up front, which also
 * keeps the 'len + 4' below from wrapping. 'v' is only read when 'len'
 * is non-zero. Returns 0 on success or a negative error.
 */
int
sshbuf_put_string(struct sshbuf *buf, const void *v, size_t len)
{
	u_char *dst;
	int ret;

	if (len > SSHBUF_SIZE_MAX - 4) {
		SSHBUF_DBG(("SSH_ERR_NO_BUFFER_SPACE"));
		return SSH_ERR_NO_BUFFER_SPACE;
	}
	ret = sshbuf_reserve(buf, len + 4, &dst);
	if (ret < 0)
		return ret;
	POKE_U32(dst, len);
	if (len == 0)
		return 0;
	memcpy(dst + 4, v, len);
	return 0;
}
530
/*
 * Append the C string 'v' to 'buf' as a length-prefixed string; the
 * terminating '\0' is not included. A NULL 'v' is encoded as an empty
 * string. Returns the result of sshbuf_put_string().
 */
int
sshbuf_put_cstring(struct sshbuf *buf, const char *v)
{
	size_t slen = 0;

	if (v != NULL)
		slen = strlen(v);
	return sshbuf_put_string(buf, v, slen);
}
536
/*
 * Append the contents of buffer 'v' to 'buf' as a length-prefixed
 * string. A NULL 'v' is encoded as an empty string. Returns the result
 * of sshbuf_put_string().
 */
int
sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v)
{
	if (v != NULL)
		return sshbuf_put_string(buf, sshbuf_ptr(v), sshbuf_len(v));

	return sshbuf_put_string(buf, NULL, 0);
}
545
/*
 * Consume a length-prefixed string from 'buf' and return it in *bufp as
 * a new sshbuf created by sshbuf_from() over the payload bytes inside
 * 'buf', with 'buf' registered as its parent via sshbuf_set_parent().
 * NOTE(review): presumably the child references the parent's storage
 * rather than copying it - confirm against sshbuf_from().
 * *bufp is NULL on every failure path. Returns 0 on success,
 * SSH_ERR_INVALID_ARGUMENT for NULL arguments, SSH_ERR_ALLOC_FAIL, or
 * the error from the failing step.
 */
int
sshbuf_froms(struct sshbuf *buf, struct sshbuf **bufp)
{
	const u_char *data;
	size_t dlen;
	struct sshbuf *child;
	int ret;

	if (buf == NULL || bufp == NULL)
		return SSH_ERR_INVALID_ARGUMENT;
	*bufp = NULL;
	ret = sshbuf_peek_string_direct(buf, &data, &dlen);
	if (ret != 0)
		return ret;
	child = sshbuf_from(data, dlen);
	if (child == NULL)
		return SSH_ERR_ALLOC_FAIL;
	/* The consume shouldn't fail: the peek validated this range. */
	ret = sshbuf_consume(buf, dlen + 4);
	if (ret == 0)
		ret = sshbuf_set_parent(child, buf);
	if (ret != 0) {
		/* Release the child so a failed call hands nothing back. */
		sshbuf_free(child);
		return ret;
	}
	*bufp = child;
	return 0;
}
569
/*
 * Append the unsigned big-endian integer held in the 'len' bytes at 'v'
 * to 'buf' as a length-prefixed string. Leading zero bytes are dropped
 * and a single zero byte is put back in front when the top bit of the
 * first remaining byte is set. Inputs longer than SSHBUF_SIZE_MAX - 5
 * are refused before any byte is examined. Returns 0 on success or a
 * negative error.
 */
int
sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len)
{
	const u_char *src = (const u_char *)v;
	u_char *dst;
	int ret, prepend;

	if (len > SSHBUF_SIZE_MAX - 5) {
		SSHBUF_DBG(("SSH_ERR_NO_BUFFER_SPACE"));
		return SSH_ERR_NO_BUFFER_SPACE;
	}
	/* Skip leading zero bytes */
	while (len > 0 && *src == 0) {
		len--;
		src++;
	}
	/*
	 * If most significant bit is set then prepend a zero byte to
	 * avoid interpretation as a negative number.
	 */
	prepend = len > 0 && (src[0] & 0x80) != 0;
	ret = sshbuf_reserve(buf, len + 4 + prepend, &dst);
	if (ret < 0)
		return ret;
	/* The encoded length counts the padding byte when one is added. */
	POKE_U32(dst, len + prepend);
	if (prepend)
		dst[4] = 0;
	if (len != 0)
		memcpy(dst + 4 + prepend, src, len);
	return 0;
}
598
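/*
 * Consume a length-prefixed bignum from 'buf' without copying it.
 * Values with the top bit of the first byte set are refused as negative,
 * and values longer than SSHBUF_MAX_BIGNUM are refused as too large
 * (one extra leading zero byte is tolerated). Leading zero bytes are
 * trimmed from the result.
 * A non-NULL 'valp' receives a pointer into the storage of 'buf' and a
 * non-NULL 'lenp' the trimmed length. Both are cleared on entry, like
 * the other *_direct getters in this file, so a caller that mishandles
 * an error return sees NULL / 0 rather than an uninitialised value.
 * Nothing is consumed when a validation check fails.
 * Returns 0 on success or a negative error.
 */
int
sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf,
    const u_char **valp, size_t *lenp)
{
	const u_char *d;
	size_t len, olen;
	int r;

	if (valp != NULL)
		*valp = NULL;
	if (lenp != NULL)
		*lenp = 0;
	if ((r = sshbuf_peek_string_direct(buf, &d, &olen)) < 0)
		return r;
	len = olen;
	/* Refuse negative (MSB set) bignums */
	if ((len != 0 && (*d & 0x80) != 0))
		return SSH_ERR_BIGNUM_IS_NEGATIVE;
	/* Refuse overlong bignums, allow prepended \0 to avoid MSB set */
	if (len > SSHBUF_MAX_BIGNUM + 1 ||
	    (len == SSHBUF_MAX_BIGNUM + 1 && *d != 0))
		return SSH_ERR_BIGNUM_TOO_LARGE;
	/* Trim leading zeros */
	while (len > 0 && *d == 0x00) {
		d++;
		len--;
	}
	if (valp != NULL)
		*valp = d;
	if (lenp != NULL)
		*lenp = len;
	/* Consume the untrimmed length so the whole field is removed. */
	if (sshbuf_consume(buf, olen + 4) != 0) {
		/* Shouldn't happen */
		SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
		SSHBUF_ABORT();
		return SSH_ERR_INTERNAL_ERROR;
	}
	return 0;
}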
634