X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/d737853b942c17aeb9db09ef59046edd9daa652e..14ec1d8392d27cd5f9dc923ff7dc6416827d4060:/sshrsa.c
diff --git a/sshrsa.c b/sshrsa.c
index 0c1b2ef5..3bd971f8 100644
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -110,7 +110,7 @@ static void sha512_mpint(SHA512_State * s, Bignum b)
 lenbuf[0] = bignum_byte(b, len);
 SHA512_Bytes(s, lenbuf, 1);
 }
- memset(lenbuf, 0, sizeof(lenbuf));
+ smemclr(lenbuf, sizeof(lenbuf));
 }
 /*
@@ -413,16 +413,18 @@ int rsa_verify(struct RSAKey *key)
 pm1 = copybn(key->p);
 decbn(pm1);
 ed = modmul(key->exponent, key->private_exponent, pm1);
+ freebn(pm1);
 cmp = bignum_cmp(ed, One);
- sfree(ed);
+ freebn(ed);
 if (cmp != 0)
 return 0;
 qm1 = copybn(key->q);
 decbn(qm1);
 ed = modmul(key->exponent, key->private_exponent, qm1);
+ freebn(qm1);
 cmp = bignum_cmp(ed, One);
- sfree(ed);
+ freebn(ed);
 if (cmp != 0)
 return 0;
@@ -448,7 +450,7 @@ int rsa_verify(struct RSAKey *key)
 */
 n = modmul(key->iqmp, key->q, key->p);
 cmp = bignum_cmp(n, One);
- sfree(n);
+ freebn(n);
 if (cmp != 0)
 return 0;
@@ -525,7 +527,9 @@ static void getstring(char **data, int *datalen, char **p, int *length)
 *p = NULL;
 if (*datalen < 4)
 return;
- *length = GET_32BIT(*data);
+ *length = toint(GET_32BIT(*data));
+ if (*length < 0)
+ return;
 *datalen -= 4;
 *data += 4;
 if (*datalen < *length)
@@ -554,8 +558,6 @@ static void *rsa2_newkey(char *data, int len)
 struct RSAKey *rsa;
 rsa = snew(struct RSAKey);
- if (!rsa)
- return NULL;
 getstring(&data, &len, &p, &slen);
 if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
@@ -690,8 +692,6 @@ static void *rsa2_openssh_createkey(unsigned char **blob, int *len)
 struct RSAKey *rsa;
 rsa = snew(struct RSAKey);
- if (!rsa)
- return NULL;
 rsa->comment = NULL;
 rsa->modulus = getmp(b, len);
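Review bot: The switch to `smemclr` at the end of sha512_mpint deserves a one-line comment, because nothing on the line says why a plain `memset` was wrong and a later cleanup could quietly revert it. `lenbuf` is not read again after this call, so a compiler is entitled to drop an ordinary memset as a dead store, and the last byte it held came from the bignum being hashed. Suggested: `/* smemclr, not memset: lenbuf is dead here and a plain memset may be optimised away */`. The same reasoning presumably applies to the `sfree` to `freebn` replacements in rsa_verify, if freebn wipes the bignum before releasing it; the body of sha512_mpint starts outside the hunk.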
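Review bot: In getstring, the new `if (*length < 0) return;` path leaves `*length` holding the negative value, and the earlier `*datalen < 4` path leaves it untouched, so failure is signalled only by `*p` staying NULL. A caller that tests the length before the pointer would act on a bogus value; the rsa2_newkey context in this diff tests `!p` first, but other callers are not visible here. Consider `if (*length < 0) { *length = 0; return; }`, or at least a header comment such as `/* on failure *p is NULL and *length is unspecified */`. The function continues past the end of the hunk.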
@@ -703,13 +703,12 @@ static void *rsa2_openssh_createkey(unsigned char **blob, int *len)
 if (!rsa->modulus || !rsa->exponent || !rsa->private_exponent || !rsa->iqmp || !rsa->p || !rsa->q) {
- sfree(rsa->modulus);
- sfree(rsa->exponent);
- sfree(rsa->private_exponent);
- sfree(rsa->iqmp);
- sfree(rsa->p);
- sfree(rsa->q);
- sfree(rsa);
+ rsa2_freekey(rsa);
+ return NULL;
+ }
+
+ if (!rsa_verify(rsa)) {
+ rsa2_freekey(rsa);
 return NULL;
 }
@@ -838,6 +837,8 @@ static int rsa2_verifysig(void *key, char *sig, int siglen,
 return 0;
 }
 in = getmp(&sig, &siglen);
+ if (!in)
+ return 0;
 out = modpow(in, rsa->exponent, rsa->modulus);
 freebn(in);
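Review bot: Both failure paths in rsa2_openssh_createkey now hand a partially built key to `rsa2_freekey`, which is only safe if every pointer member that function releases has been assigned by this point. `rsa` comes from `snew`, which presumably does not zero the allocation, and this diff shows only `comment` and `modulus` being set; the other members are assigned outside the hunks. The first path is also reached exactly when at least one `getmp` returned NULL, so rsa2_freekey must tolerate NULL members the way the removed `sfree` calls had to. Worth confirming both against rsa2_freekey and recording it above the check, e.g. `/* all members are initialised (possibly NULL) before any rsa2_freekey call */`.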
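Review bot: In rsa2_verifysig the new `if (!in) return 0;` rejects a signature integer that fails to parse, but a value that parses and is not smaller than the modulus still goes straight into `modpow`. RSA verification normally rejects a signature representative outside [0, n-1]; unless modpow or a check outside this hunk already enforces that, add `if (bignum_cmp(in, rsa->modulus) >= 0) { freebn(in); return 0; }` after the NULL check. The function starts and ends outside the hunk.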