/src/dropbear/src/buffer.c

Source
/*
 * Dropbear SSH
 * 
 * Copyright (c) 2002,2003 Matt Johnston
 * All rights reserved.
 * 
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 * 
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 * 
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE. */

/* Buffer handling routines, designed to avoid overflows/using invalid data */

#include "includes.h"
#include "dbutil.h"
#include "buffer.h"

/* Prevent integer overflows when incrementing buffer position/length.
 * Calling functions should check arguments first, but this provides a
 * backstop */
#define BUF_MAX_INCR 1000000000
#define BUF_MAX_SIZE 1000000000

/* avoid excessively large numbers, > ~8192 bits */
#define BUF_MAX_MPINT (8240 / 8)

/* Create (malloc) a new buffer of size */
buffer* buf_new(unsigned int size) {
  buffer* buf;
  if (size > BUF_MAX_SIZE) {
    dropbear_exit("buf->size too big");
  }

  buf = (buffer*)m_malloc(sizeof(buffer)+size);
  buf->data = (unsigned char*)buf + sizeof(buffer);
  buf->size = size;
  return buf;
}

/* free the buffer's data and the buffer itself */
void buf_free(buffer* buf) {
  m_free(buf);
}

/* overwrite the contents of the buffer then free it */
void buf_burn_free(buffer* buf) {
  m_burn(buf->data, buf->size);
  m_free(buf);
}


/* resize a buffer, pos and len will be repositioned if required when
 * downsizing */
buffer* buf_resize(buffer *buf, unsigned int newsize) {
  if (newsize > BUF_MAX_SIZE) {
    dropbear_exit("buf->size too big");
  }

  buf = m_realloc(buf, sizeof(buffer)+newsize);
  buf->data = (unsigned char*)buf + sizeof(buffer);
  buf->size = newsize;
  buf->len = MIN(newsize, buf->len);
  buf->pos = MIN(newsize, buf->pos);
  return buf;
}

/* Create a copy of buf, allocating required memory etc. */
/* The new buffer is sized the same as the length of the source buffer. */
buffer* buf_newcopy(const buffer* buf) {
  
  buffer* ret;

  ret = buf_new(buf->len);
  ret->len = buf->len;
  if (buf->len > 0) {
    memcpy(ret->data, buf->data, buf->len);
  }
  return ret;
}

/* Set the length of the buffer */
void buf_setlen(buffer* buf, unsigned int len) {
  if (len > buf->size) {
    dropbear_exit("Bad buf_setlen");
  }
  buf->len = len;
  buf->pos = MIN(buf->pos, buf->len);
}

/* Increment the length of the buffer */
void buf_incrlen(buffer* buf, unsigned int incr) {
  if (incr > BUF_MAX_INCR || buf->len + incr > buf->size) {
    dropbear_exit("Bad buf_incrlen");
  }
  buf->len += incr;
}
/* Set the position of the buffer */
void buf_setpos(buffer* buf, unsigned int pos) {

  if (pos > buf->len) {
    dropbear_exit("Bad buf_setpos");
  }
  buf->pos = pos;
}

/* increment the position by incr, increasing the buffer length if required */
void buf_incrwritepos(buffer* buf, unsigned int incr) {
  if (incr > BUF_MAX_INCR || buf->pos + incr > buf->size) {
    dropbear_exit("Bad buf_incrwritepos");
  }
  buf->pos += incr;
  if (buf->pos > buf->len) {
    buf->len = buf->pos;
  }
}

/* increment the position by incr */
void buf_incrpos(buffer* buf, unsigned int incr) {
  if (incr > BUF_MAX_INCR 
    || (buf->pos + incr) > buf->len) {
    dropbear_exit("Bad buf_incrpos");
  }
  buf->pos += incr;
}

/* decrement the position by decr */
void buf_decrpos(buffer* buf, unsigned int decr) {
  if (decr > buf->pos) {
    dropbear_exit("Bad buf_decrpos");
  }
  buf->pos -= decr;
}

/* Get a byte from the buffer and increment the pos */
unsigned char buf_getbyte(buffer* buf) {

  /* This check is really just ==, but the >= allows us to check for the
   * bad case of pos > len, which should _never_ happen. */
  if (buf->pos >= buf->len) {
    dropbear_exit("Bad buf_getbyte");
  }
  return buf->data[buf->pos++];
}

/* Get a bool from the buffer and increment the pos */
unsigned char buf_getbool(buffer* buf) {

  unsigned char b;
  b = buf_getbyte(buf);
  if (b != 0)
    b = 1;
  return b;
}

/* put a byte, incrementing the length if required */
void buf_putbyte(buffer* buf, unsigned char val) {

  if (buf->pos >= buf->len) {
    buf_incrlen(buf, 1);
  }
  buf->data[buf->pos] = val;
  buf->pos++;
}

/* returns an in-place pointer to the buffer, checking that
 * the next len bytes from that position can be used */
unsigned char* buf_getptr(const buffer* buf, unsigned int len) {

  if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
    dropbear_exit("Bad buf_getptr");
  }
  return &buf->data[buf->pos];
}

/* like buf_getptr, but checks against total size, not used length.
 * This allows writing past the used length, but not past the size */
unsigned char* buf_getwriteptr(const buffer* buf, unsigned int len) {

  if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
    dropbear_exit("Bad buf_getwriteptr");
  }
  return &buf->data[buf->pos];
}

/* Return a null-terminated string, it is malloced, so must be free()ed
 * Note that the string isn't checked for null bytes, hence the retlen
 * may be longer than what is returned by strlen */
char* buf_getstring(buffer* buf, unsigned int *retlen) {

  unsigned int len;
  char* ret;
  void* src = NULL;
  len = buf_getint(buf);
  if (len > MAX_STRING_LEN) {
    dropbear_exit("String too long");
  }

  if (retlen != NULL) {
    *retlen = len;
  }
  src = buf_getptr(buf, len);
  ret = m_malloc(len+1);
  memcpy(ret, src, len);
  buf_incrpos(buf, len);
  ret[len] = '\0';

  return ret;
}

/* Return a string as a newly allocated buffer */
static buffer * buf_getstringbuf_int(buffer *buf, int incllen) {
  buffer *ret = NULL;
  unsigned int len = buf_getint(buf);
  int extra = 0;
  if (len > MAX_STRING_LEN) {
    dropbear_exit("String too long");
  }
  if (incllen) {
    extra = 4;
  }
  ret = buf_new(len+extra);
  if (incllen) {
    buf_putint(ret, len);
  }
  memcpy(buf_getwriteptr(ret, len), buf_getptr(buf, len), len);
  buf_incrpos(buf, len);
  buf_incrlen(ret, len);
  buf_setpos(ret, 0);
  return ret;
}

/* Return a string as a newly allocated buffer */
buffer * buf_getstringbuf(buffer *buf) {
  return buf_getstringbuf_int(buf, 0);
}

/* Returns a string in a new buffer, including the length */
buffer * buf_getbuf(buffer *buf) {
  return buf_getstringbuf_int(buf, 1);
}

/* Returns the equivalent of buf_getptr() as a new buffer. */
buffer * buf_getptrcopy(const buffer* buf, unsigned int len) {
  unsigned char *src = buf_getptr(buf, len);
  buffer *ret = buf_new(len);
  buf_putbytes(ret, src, len);
  buf_setpos(ret, 0);
  return ret;
}

/* Just increment the buffer position the same as if we'd used buf_getstring,
 * but don't bother copying/malloc()ing for it */
void buf_eatstring(buffer *buf) {

  buf_incrpos( buf, buf_getint(buf) );
}

/* Get an uint32 from the buffer and increment the pos */
unsigned int buf_getint(buffer* buf) {
  unsigned int ret;

  LOAD32H(ret, buf_getptr(buf, 4));
  buf_incrpos(buf, 4);
  return ret;
}

/* put a 32bit uint into the buffer, incr bufferlen & pos if required */
void buf_putint(buffer* buf, int unsigned val) {

  STORE32H(val, buf_getwriteptr(buf, 4));
  buf_incrwritepos(buf, 4);

}

/* put a SSH style string into the buffer, increasing buffer len if required */
void buf_putstring(buffer* buf, const char* str, unsigned int len) {
  
  buf_putint(buf, len);
  buf_putbytes(buf, (const unsigned char*)str, len);

}

/* puts an entire buffer as a SSH string. ignore pos of buf_str. */
void buf_putbufstring(buffer *buf, const buffer* buf_str) {
  buf_putstring(buf, (const char*)buf_str->data, buf_str->len);
}

/* put the set of len bytes into the buffer, incrementing the pos, increasing
 * len if required */
void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len) {
  memcpy(buf_getwriteptr(buf, len), bytes, len);
  buf_incrwritepos(buf, len);
}
  

/* for our purposes we only need positive (or 0) numbers, so will
 * fail if we get negative numbers */
void buf_putmpint(buffer* buf, const mp_int * mp) {
  size_t written;
  unsigned int len, pad = 0;
  TRACE2(("enter buf_putmpint"))

  dropbear_assert(mp != NULL);

  if (mp_isneg(mp)) {
    dropbear_exit("negative bignum");
  }

  /* zero check */
  if (mp_iszero(mp)) {
    len = 0;
  } else {
    /* SSH spec requires padding for mpints with the MSB set, this code
     * implements it */
    len = mp_count_bits(mp);
    /* if the top bit of MSB is set, we need to pad */
    pad = (len%8 == 0) ? 1 : 0;
    len = len / 8 + 1; /* don't worry about rounding, we need it for
                padding anyway when len%8 == 0 */

  }

  /* store the length */
  buf_putint(buf, len);
  
  /* store the actual value */
  if (len > 0) {
    if (pad) {
      buf_putbyte(buf, 0x00);
    }
    if (mp_to_ubin(mp, buf_getwriteptr(buf, len-pad), len-pad, &written) != MP_OKAY) {
      dropbear_exit("mpint error");
    }
    buf_incrwritepos(buf, written);
  }

  TRACE2(("leave buf_putmpint"))
}

/* Retrieve an mp_int from the buffer.
 * Will fail for -ve since they shouldn't be required here.
 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
int buf_getmpint(buffer* buf, mp_int* mp) {

  unsigned int len;
  len = buf_getint(buf);
  
  if (len == 0) {
    mp_zero(mp);
    return DROPBEAR_SUCCESS;
  }

  if (len > BUF_MAX_MPINT) {
    return DROPBEAR_FAILURE;
  }

  /* check for negative */
  if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
    return DROPBEAR_FAILURE;
  }

  if (mp_from_ubin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
    return DROPBEAR_FAILURE;
  }

  buf_incrpos(buf, len);
  return DROPBEAR_SUCCESS;
}

Coverage Report

Created: 2026-04-12 06:08

Line	Count	Source
1		/*
2		* Dropbear SSH
3		*
4		* Copyright (c) 2002,2003 Matt Johnston
5		* All rights reserved.
6		*
7		* Permission is hereby granted, free of charge, to any person obtaining a copy
8		* of this software and associated documentation files (the "Software"), to deal
9		* in the Software without restriction, including without limitation the rights
10		* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11		* copies of the Software, and to permit persons to whom the Software is
12		* furnished to do so, subject to the following conditions:
13		*
14		* The above copyright notice and this permission notice shall be included in
15		* all copies or substantial portions of the Software.
16		*
17		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18		* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19		* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20		* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21		* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22		* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23		* SOFTWARE. */
24
25		/* Buffer handling routines, designed to avoid overflows/using invalid data */
26
27		#include "includes.h"
28		#include "dbutil.h"
29		#include "buffer.h"
30
31		/* Prevent integer overflows when incrementing buffer position/length.
32		* Calling functions should check arguments first, but this provides a
33		* backstop */
34	44.4M	#define BUF_MAX_INCR 1000000000
35	772k	#define BUF_MAX_SIZE 1000000000
36
37		/* avoid excessively large numbers, > ~8192 bits */
38	13.1k	#define BUF_MAX_MPINT (8240 / 8)
39
40		/* Create (malloc) a new buffer of size */
41	745k	buffer* buf_new(unsigned int size) {
42	745k	buffer* buf;
43	745k	if (size > BUF_MAX_SIZE) {
44	0	dropbear_exit("buf->size too big");
45	0	}
46
47	745k	buf = (buffer*)m_malloc(sizeof(buffer)+size);
48	745k	buf->data = (unsigned char*)buf + sizeof(buffer);
49	745k	buf->size = size;
50	745k	return buf;
51	745k	}
52
53		/* free the buffer's data and the buffer itself */
54	632k	void buf_free(buffer* buf) {
55	632k	m_free(buf);
56	632k	}
57
58		/* overwrite the contents of the buffer then free it */
59	91.9k	void buf_burn_free(buffer* buf) {
60	91.9k	m_burn(buf->data, buf->size);
61	91.9k	m_free(buf);
62	91.9k	}
63
64
65		/* resize a buffer, pos and len will be repositioned if required when
66		* downsizing */
67	26.2k	buffer* buf_resize(buffer *buf, unsigned int newsize) {
68	26.2k	if (newsize > BUF_MAX_SIZE) {
69	0	dropbear_exit("buf->size too big");
70	0	}
71
72	26.2k	buf = m_realloc(buf, sizeof(buffer)+newsize);
73	26.2k	buf->data = (unsigned char*)buf + sizeof(buffer);
74	26.2k	buf->size = newsize;
75	26.2k	buf->len = MIN(newsize, buf->len);
76	26.2k	buf->pos = MIN(newsize, buf->pos);
77	26.2k	return buf;
78	26.2k	}
79
80		/* Create a copy of buf, allocating required memory etc. */
81		/* The new buffer is sized the same as the length of the source buffer. */
82	34.4k	buffer* buf_newcopy(const buffer* buf) {
83
84	34.4k	buffer* ret;
85
86	34.4k	ret = buf_new(buf->len);
87	34.4k	ret->len = buf->len;
88	34.4k	if (buf->len > 0) {
89	34.4k	memcpy(ret->data, buf->data, buf->len);
90	34.4k	}
91	34.4k	return ret;
92	34.4k	}
93
94		/* Set the length of the buffer */
95	1.13M	void buf_setlen(buffer* buf, unsigned int len) {
96	1.13M	if (len > buf->size) {
97	0	dropbear_exit("Bad buf_setlen");
98	0	}
99	1.13M	buf->len = len;
100	1.13M	buf->pos = MIN(buf->pos, buf->len);
101	1.13M	}
102
103		/* Increment the length of the buffer */
104	3.34M	void buf_incrlen(buffer* buf, unsigned int incr) {
105	3.34M	if (incr > BUF_MAX_INCR \|\| buf->len + incr > buf->size) {
106	0	dropbear_exit("Bad buf_incrlen");
107	0	}
108	3.34M	buf->len += incr;
109	3.34M	}
110		/* Set the position of the buffer */
111	4.69M	void buf_setpos(buffer* buf, unsigned int pos) {
112
113	4.69M	if (pos > buf->len) {
114	0	dropbear_exit("Bad buf_setpos");
115	0	}
116	4.69M	buf->pos = pos;
117	4.69M	}
118
119		/* increment the position by incr, increasing the buffer length if required */
120	4.36M	void buf_incrwritepos(buffer* buf, unsigned int incr) {
121	4.36M	if (incr > BUF_MAX_INCR \|\| buf->pos + incr > buf->size) {
122	0	dropbear_exit("Bad buf_incrwritepos");
123	0	}
124	4.36M	buf->pos += incr;
125	4.36M	if (buf->pos > buf->len) {
126	3.22M	buf->len = buf->pos;
127	3.22M	}
128	4.36M	}
129
130		/* increment the position by incr */
131	3.10M	void buf_incrpos(buffer* buf, unsigned int incr) {
132	3.10M	if (incr > BUF_MAX_INCR
133	3.10M	\|\| (buf->pos + incr) > buf->len) {
134	501	dropbear_exit("Bad buf_incrpos");
135	501	}
136	3.10M	buf->pos += incr;
137	3.10M	}
138
139		/* decrement the position by decr */
140	6.35k	void buf_decrpos(buffer* buf, unsigned int decr) {
141	6.35k	if (decr > buf->pos) {
142	0	dropbear_exit("Bad buf_decrpos");
143	0	}
144	6.35k	buf->pos -= decr;
145	6.35k	}
146
147		/* Get a byte from the buffer and increment the pos */
148	1.18M	unsigned char buf_getbyte(buffer* buf) {
149
150		/* This check is really just ==, but the >= allows us to check for the
151		* bad case of pos > len, which should _never_ happen. */
152	1.18M	if (buf->pos >= buf->len) {
153	49	dropbear_exit("Bad buf_getbyte");
154	49	}
155	1.18M	return buf->data[buf->pos++];
156	1.18M	}
157
158		/* Get a bool from the buffer and increment the pos */
159	33.1k	unsigned char buf_getbool(buffer* buf) {
160
161	33.1k	unsigned char b;
162	33.1k	b = buf_getbyte(buf);
163	33.1k	if (b != 0)
164	11.5k	b = 1;
165	33.1k	return b;
166	33.1k	}
167
168		/* put a byte, incrementing the length if required */
169	3.07M	void buf_putbyte(buffer* buf, unsigned char val) {
170
171	3.07M	if (buf->pos >= buf->len) {
172	2.69M	buf_incrlen(buf, 1);
173	2.69M	}
174	3.07M	buf->data[buf->pos] = val;
175	3.07M	buf->pos++;
176	3.07M	}
177
178		/* returns an in-place pointer to the buffer, checking that
179		* the next len bytes from that position can be used */
180	6.48M	unsigned char* buf_getptr(const buffer* buf, unsigned int len) {
181
182	6.48M	if (len > BUF_MAX_INCR \|\| buf->pos + len > buf->len) {
183	2.37k	dropbear_exit("Bad buf_getptr");
184	2.37k	}
185	6.47M	return &buf->data[buf->pos];
186	6.48M	}
187
188		/* like buf_getptr, but checks against total size, not used length.
189		* This allows writing past the used length, but not past the size */
190	4.93M	unsigned char* buf_getwriteptr(const buffer* buf, unsigned int len) {
191
192	4.93M	if (len > BUF_MAX_INCR \|\| buf->pos + len > buf->size) {
193	10	dropbear_exit("Bad buf_getwriteptr");
194	10	}
195	4.93M	return &buf->data[buf->pos];
196	4.93M	}
197
198		/* Return a null-terminated string, it is malloced, so must be free()ed
199		* Note that the string isn't checked for null bytes, hence the retlen
200		* may be longer than what is returned by strlen */
201	242k	char* buf_getstring(buffer* buf, unsigned int *retlen) {
202
203	242k	unsigned int len;
204	242k	char* ret;
205	242k	void* src = NULL;
206	242k	len = buf_getint(buf);
207	242k	if (len > MAX_STRING_LEN) {
208	357	dropbear_exit("String too long");
209	357	}
210
211	242k	if (retlen != NULL) {
212	240k	*retlen = len;
213	240k	}
214	242k	src = buf_getptr(buf, len);
215	242k	ret = m_malloc(len+1);
216	242k	memcpy(ret, src, len);
217	242k	buf_incrpos(buf, len);
218	242k	ret[len] = '\0';
219
220	242k	return ret;
221	242k	}
222
223		/* Return a string as a newly allocated buffer */
224	17.2k	static buffer * buf_getstringbuf_int(buffer *buf, int incllen) {
225	17.2k	buffer *ret = NULL;
226	17.2k	unsigned int len = buf_getint(buf);
227	17.2k	int extra = 0;
228	17.2k	if (len > MAX_STRING_LEN) {
229	499	dropbear_exit("String too long");
230	499	}
231	16.7k	if (incllen) {
232	66	extra = 4;
233	66	}
234	16.7k	ret = buf_new(len+extra);
235	16.7k	if (incllen) {
236	66	buf_putint(ret, len);
237	66	}
238	16.7k	memcpy(buf_getwriteptr(ret, len), buf_getptr(buf, len), len);
239	16.7k	buf_incrpos(buf, len);
240	16.7k	buf_incrlen(ret, len);
241	16.7k	buf_setpos(ret, 0);
242	16.7k	return ret;
243	17.2k	}
244
245		/* Return a string as a newly allocated buffer */
246	17.1k	buffer * buf_getstringbuf(buffer *buf) {
247	17.1k	return buf_getstringbuf_int(buf, 0);
248	17.1k	}
249
250		/* Returns a string in a new buffer, including the length */
251	102	buffer * buf_getbuf(buffer *buf) {
252	102	return buf_getstringbuf_int(buf, 1);
253	102	}
254
255		/* Returns the equivalent of buf_getptr() as a new buffer. */
256	202	buffer * buf_getptrcopy(const buffer* buf, unsigned int len) {
257	202	unsigned char *src = buf_getptr(buf, len);
258	202	buffer *ret = buf_new(len);
259	202	buf_putbytes(ret, src, len);
260	202	buf_setpos(ret, 0);
261	202	return ret;
262	202	}
263
264		/* Just increment the buffer position the same as if we'd used buf_getstring,
265		* but don't bother copying/malloc()ing for it */
266	45.4k	void buf_eatstring(buffer *buf) {
267
268	45.4k	buf_incrpos( buf, buf_getint(buf) );
269	45.4k	}
270
271		/* Get an uint32 from the buffer and increment the pos */
272	575k	unsigned int buf_getint(buffer* buf) {
273	575k	unsigned int ret;
274
275	575k	LOAD32H(ret, buf_getptr(buf, 4));
276	575k	buf_incrpos(buf, 4);
277	575k	return ret;
278	575k	}
279
280		/* put a 32bit uint into the buffer, incr bufferlen & pos if required */
281	1.99M	void buf_putint(buffer* buf, int unsigned val) {
282
283	1.99M	STORE32H(val, buf_getwriteptr(buf, 4));
284	1.99M	buf_incrwritepos(buf, 4);
285
286	1.99M	}
287
288		/* put a SSH style string into the buffer, increasing buffer len if required */
289	192k	void buf_putstring(buffer* buf, const char* str, unsigned int len) {
290
291	192k	buf_putint(buf, len);
292	192k	buf_putbytes(buf, (const unsigned char*)str, len);
293
294	192k	}
295
296		/* puts an entire buffer as a SSH string. ignore pos of buf_str. */
297	26.9k	void buf_putbufstring(buffer buf, const buffer buf_str) {
298	26.9k	buf_putstring(buf, (const char*)buf_str->data, buf_str->len);
299	26.9k	}
300
301		/* put the set of len bytes into the buffer, incrementing the pos, increasing
302		* len if required */
303	955k	void buf_putbytes(buffer buf, const unsigned char bytes, unsigned int len) {
304	955k	memcpy(buf_getwriteptr(buf, len), bytes, len);
305	955k	buf_incrwritepos(buf, len);
306	955k	}
307
308
309		/* for our purposes we only need positive (or 0) numbers, so will
310		* fail if we get negative numbers */
311	74.4k	void buf_putmpint(buffer* buf, const mp_int * mp) {
312	74.4k	size_t written;
313	74.4k	unsigned int len, pad = 0;
314	74.4k	TRACE2(("enter buf_putmpint"))
315
316	74.4k	dropbear_assert(mp != NULL);
317
318	74.4k	if (mp_isneg(mp)) {
319	0	dropbear_exit("negative bignum");
320	0	}
321
322		/* zero check */
323	74.4k	if (mp_iszero(mp)) {
324	589	len = 0;
325	73.8k	} else {
326		/* SSH spec requires padding for mpints with the MSB set, this code
327		* implements it */
328	73.8k	len = mp_count_bits(mp);
329		/* if the top bit of MSB is set, we need to pad */
330	73.8k	pad = (len%8 == 0) ? 1 : 0;
331	73.8k	len = len / 8 + 1; /* don't worry about rounding, we need it for
332		padding anyway when len%8 == 0 */
333
334	73.8k	}
335
336		/* store the length */
337	74.4k	buf_putint(buf, len);
338
339		/* store the actual value */
340	74.4k	if (len > 0) {
341	73.8k	if (pad) {
342	37.5k	buf_putbyte(buf, 0x00);
343	37.5k	}
344	73.8k	if (mp_to_ubin(mp, buf_getwriteptr(buf, len-pad), len-pad, &written) != MP_OKAY) {
345	0	dropbear_exit("mpint error");
346	0	}
347	73.8k	buf_incrwritepos(buf, written);
348	73.8k	}
349
350	74.4k	TRACE2(("leave buf_putmpint"))
351	74.4k	}
352
353		/* Retrieve an mp_int from the buffer.
354		* Will fail for -ve since they shouldn't be required here.
355		* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
356	15.0k	int buf_getmpint(buffer* buf, mp_int* mp) {
357
358	15.0k	unsigned int len;
359	15.0k	len = buf_getint(buf);
360
361	15.0k	if (len == 0) {
362	1.86k	mp_zero(mp);
363	1.86k	return DROPBEAR_SUCCESS;
364	1.86k	}
365
366	13.1k	if (len > BUF_MAX_MPINT) {
367	287	return DROPBEAR_FAILURE;
368	287	}
369
370		/* check for negative */
371	12.8k	if (*buf_getptr(buf, 1) & (1 << (CHAR_BIT-1))) {
372	44	return DROPBEAR_FAILURE;
373	44	}
374
375	12.8k	if (mp_from_ubin(mp, buf_getptr(buf, len), len) != MP_OKAY) {
376	0	return DROPBEAR_FAILURE;
377	0	}
378
379	12.8k	buf_incrpos(buf, len);
380	12.8k	return DROPBEAR_SUCCESS;
381	12.8k	}