Fix reading broken BER in gcrypt/rsa.c

[tinc] / src / gcrypt / rsa.c

diff --git a/src/gcrypt/rsa.c b/src/gcrypt/rsa.c
index 5d12985..04aa358 100644 (file)
--- a/src/gcrypt/rsa.c
+++ b/src/gcrypt/rsa.c
@@ -1,6 +1,6 @@
 /*
     rsa.c -- RSA key handling
-    Copyright (C) 2007-2012 Guus Sliepen <guus@tinc-vpn.org>
+    Copyright (C) 2007-2022 Guus Sliepen <guus@tinc-vpn.org>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -17,14 +17,17 @@
     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#include "system.h"
+#include "../system.h"
 
 #include <gcrypt.h>
 
-#include "logger.h"
-#include "rsa.h"
 #include "pem.h"
-#include "xalloc.h"
+
+#include "asn1.h"
+#include "rsa.h"
+#include "../logger.h"
+#include "../rsa.h"
+#include "../xalloc.h"
 
 // BER decoding functions
 
@@ -62,14 +65,14 @@ static size_t ber_read_len(unsigned char **p, size_t *buflen) {
 
        if(**p & 0x80) {
                size_t result = 0;
-               int len = *(*p)++ & 0x7f;
+               size_t len = *(*p)++ & 0x7f;
                (*buflen)--;
 
                if(len > *buflen) {
                        return 0;
                }
 
-               while(len--) {
+               for(; len; --len) {
                        result = (size_t)(result << 8);
                        result |= *(*p)++;
                        (*buflen)--;
@@ -82,20 +85,11 @@ static size_t ber_read_len(unsigned char **p, size_t *buflen) {
        }
 }
 
-
-static bool ber_read_sequence(unsigned char **p, size_t *buflen, size_t *result) {
+static bool ber_skip_sequence(unsigned char **p, size_t *buflen) {
        int tag = ber_read_id(p, buflen);
-       size_t len = ber_read_len(p, buflen);
 
-       if(tag == 0x10) {
-               if(result) {
-                       *result = len;
-               }
-
-               return true;
-       } else {
-               return false;
-       }
+       return tag == TAG_SEQUENCE &&
+              ber_read_len(p, buflen) > 0;
 }
 
 static bool ber_read_mpi(unsigned char **p, size_t *buflen, gcry_mpi_t *mpi) {
@@ -117,32 +111,41 @@ static bool ber_read_mpi(unsigned char **p, size_t *buflen, gcry_mpi_t *mpi) {
        return mpi ? !err : true;
 }
 
-rsa_t *rsa_set_hex_public_key(char *n, char *e) {
+rsa_t *rsa_set_hex_public_key(const char *n, const char *e) {
        rsa_t *rsa = xzalloc(sizeof(rsa_t));
 
-       gcry_error_t err = gcry_mpi_scan(&rsa->n, GCRYMPI_FMT_HEX, n, 0, NULL)
-                          ? : gcry_mpi_scan(&rsa->e, GCRYMPI_FMT_HEX, e, 0, NULL);
+       gcry_error_t err = gcry_mpi_scan(&rsa->n, GCRYMPI_FMT_HEX, n, 0, NULL);
+
+       if(!err) {
+               err = gcry_mpi_scan(&rsa->e, GCRYMPI_FMT_HEX, e, 0, NULL);
+       }
 
        if(err) {
                logger(DEBUG_ALWAYS, LOG_ERR, "Error while reading RSA public key: %s", gcry_strerror(errno));
-               free(rsa);
+               rsa_free(rsa);
                return false;
        }
 
        return rsa;
 }
 
-rsa_t *rsa_set_hex_private_key(char *n, char *e, char *d) {
+rsa_t *rsa_set_hex_private_key(const char *n, const char *e, const char *d) {
        rsa_t *rsa = xzalloc(sizeof(rsa_t));
 
-       gcry_error_t err = gcry_mpi_scan(&rsa->n, GCRYMPI_FMT_HEX, n, 0, NULL)
-                          ? : gcry_mpi_scan(&rsa->e, GCRYMPI_FMT_HEX, e, 0, NULL)
-                          ? : gcry_mpi_scan(&rsa->d, GCRYMPI_FMT_HEX, d, 0, NULL);
+       gcry_error_t err = gcry_mpi_scan(&rsa->n, GCRYMPI_FMT_HEX, n, 0, NULL);
+
+       if(!err) {
+               err = gcry_mpi_scan(&rsa->e, GCRYMPI_FMT_HEX, e, 0, NULL);
+       }
+
+       if(!err) {
+               err = gcry_mpi_scan(&rsa->d, GCRYMPI_FMT_HEX, d, 0, NULL);
+       }
 
        if(err) {
                logger(DEBUG_ALWAYS, LOG_ERR, "Error while reading RSA public key: %s", gcry_strerror(errno));
-               free(rsa);
-               return false;
+               rsa_free(rsa);
+               return NULL;
        }
 
        return rsa;
@@ -161,12 +164,12 @@ rsa_t *rsa_read_pem_public_key(FILE *fp) {
 
        rsa_t *rsa = xzalloc(sizeof(rsa_t));
 
-       if(!ber_read_sequence(&derp, &derlen, NULL)
+       if(!ber_skip_sequence(&derp, &derlen)
                        || !ber_read_mpi(&derp, &derlen, &rsa->n)
                        || !ber_read_mpi(&derp, &derlen, &rsa->e)
                        || derlen) {
                logger(DEBUG_ALWAYS, LOG_ERR, "Error while decoding RSA public key");
-               free(rsa);
+               rsa_free(rsa);
                return NULL;
        }
 
@@ -184,7 +187,7 @@ rsa_t *rsa_read_pem_private_key(FILE *fp) {
 
        rsa_t *rsa = xzalloc(sizeof(rsa_t));
 
-       if(!ber_read_sequence(&derp, &derlen, NULL)
+       if(!ber_skip_sequence(&derp, &derlen)
                        || !ber_read_mpi(&derp, &derlen, NULL)
                        || !ber_read_mpi(&derp, &derlen, &rsa->n)
                        || !ber_read_mpi(&derp, &derlen, &rsa->e)
@@ -196,59 +199,62 @@ rsa_t *rsa_read_pem_private_key(FILE *fp) {
                        || !ber_read_mpi(&derp, &derlen, NULL) // u
                        || derlen) {
                logger(DEBUG_ALWAYS, LOG_ERR, "Error while decoding RSA private key");
-               free(rsa);
-               return NULL;
+               rsa_free(rsa);
+               rsa = NULL;
        }
 
+       memzero(derbuf, sizeof(derbuf));
        return rsa;
 }
 
-size_t rsa_size(rsa_t *rsa) {
+size_t rsa_size(const rsa_t *rsa) {
        return (gcry_mpi_get_nbits(rsa->n) + 7) / 8;
 }
 
+static bool check(gcry_error_t err) {
+       if(err) {
+               logger(DEBUG_ALWAYS, LOG_ERR, "gcrypt error %s/%s", gcry_strsource(err), gcry_strerror(err));
+       }
+
+       return !err;
+}
+
 /* Well, libgcrypt has functions to handle RSA keys, but they suck.
  * So we just use libgcrypt's mpi functions, and do the math ourselves.
  */
 
-// TODO: get rid of this macro, properly clean up gcry_ structures after use
-#define check(foo) { gcry_error_t err = (foo); if(err) {logger(DEBUG_ALWAYS, LOG_ERR, "gcrypt error %s/%s at %s:%d", gcry_strsource(err), gcry_strerror(err), __FILE__, __LINE__); return false; }}
+static bool rsa_powm(const gcry_mpi_t ed, const gcry_mpi_t n, const void *in, size_t len, void *out) {
+       gcry_mpi_t inmpi = NULL;
 
-bool rsa_public_encrypt(rsa_t *rsa, void *in, size_t len, void *out) {
-       gcry_mpi_t inmpi;
-       check(gcry_mpi_scan(&inmpi, GCRYMPI_FMT_USG, in, len, NULL));
+       if(!check(gcry_mpi_scan(&inmpi, GCRYMPI_FMT_USG, in, len, NULL))) {
+               return false;
+       }
 
-       gcry_mpi_t outmpi = gcry_mpi_new(len * 8);
-       gcry_mpi_powm(outmpi, inmpi, rsa->e, rsa->n);
+       gcry_mpi_t outmpi = gcry_mpi_snew(len * 8);
+       gcry_mpi_powm(outmpi, inmpi, ed, n);
 
        size_t out_bytes = (gcry_mpi_get_nbits(outmpi) + 7) / 8;
        size_t pad = len - MIN(out_bytes, len);
+       unsigned char *pout = out;
 
        for(; pad; --pad) {
-               *(char *)out++ = 0;
+               *pout++ = 0;
        }
 
-       check(gcry_mpi_print(GCRYMPI_FMT_USG, out, len, NULL, outmpi));
-
-       return true;
-}
-
-bool rsa_private_decrypt(rsa_t *rsa, void *in, size_t len, void *out) {
-       gcry_mpi_t inmpi;
-       check(gcry_mpi_scan(&inmpi, GCRYMPI_FMT_USG, in, len, NULL));
-
-       gcry_mpi_t outmpi = gcry_mpi_new(len * 8);
-       gcry_mpi_powm(outmpi, inmpi, rsa->d, rsa->n);
+       bool ok = check(gcry_mpi_print(GCRYMPI_FMT_USG, pout, len, NULL, outmpi));
 
-       size_t pad = len - (gcry_mpi_get_nbits(outmpi) + 7) / 8;
+       gcry_mpi_release(outmpi);
+       gcry_mpi_release(inmpi);
 
-       for(; pad; --pad) {
-               *(char *)out++ = 0;
-       }
+       return ok;
+}
 
-       check(gcry_mpi_print(GCRYMPI_FMT_USG, out, len, NULL, outmpi));
+bool rsa_public_encrypt(rsa_t *rsa, const void *in, size_t len, void *out) {
+       return rsa_powm(rsa->e, rsa->n, in, len, out);
+}
 
-       return true;
+bool rsa_private_decrypt(rsa_t *rsa, const void *in, size_t len, void *out) {
+       return rsa_powm(rsa->d, rsa->n, in, len, out);
 }
 
 void rsa_free(rsa_t *rsa) {