===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/Attic/bufaux.c,v
retrieving revision 1.17.4.2
retrieving revision 1.29.2.1
diff -u -r1.17.4.2 -r1.29.2.1
--- src/usr.bin/ssh/Attic/bufaux.c	2002/04/23 02:13:50	1.17.4.2
+++ src/usr.bin/ssh/Attic/bufaux.c	2004/02/28 03:51:32	1.29.2.1
@@ -37,7 +37,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.17.4.2 2002/04/23 02:13:50 jason Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.29.2.1 2004/02/28 03:51:32 brad Exp $");
 
 #include <openssl/bn.h>
 #include "bufaux.h"
@@ -50,7 +50,7 @@
  * by (bits+7)/8 bytes of binary data, msb first.
  */
 void
-buffer_put_bignum(Buffer *buffer, BIGNUM *value)
+buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
 {
 	int bits = BN_num_bits(value);
 	int bin_size = (bits + 7) / 8;
@@ -80,7 +80,7 @@
 void
 buffer_get_bignum(Buffer *buffer, BIGNUM *value)
 {
-	int bits, bytes;
+	u_int bits, bytes;
 	u_char buf[2], *bin;
 
 	/* Get the number for bits. */
@@ -88,6 +88,8 @@
 	bits = GET_16BIT(buf);
 	/* Compute the number of binary bytes that follow. */
 	bytes = (bits + 7) / 8;
+	if (bytes > 8 * 1024)
+		fatal("buffer_get_bignum: cannot handle BN of size %d", bytes);
 	if (buffer_len(buffer) < bytes)
 		fatal("buffer_get_bignum: input buffer too small");
 	bin = buffer_ptr(buffer);
@@ -99,30 +101,30 @@
  * Stores an BIGNUM in the buffer in SSH2 format.
  */
 void
-buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
+buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
 {
-	int bytes = BN_num_bytes(value) + 1;
-	u_char *buf = xmalloc(bytes);
+	u_int bytes;
+	u_char *buf;
 	int oi;
-	int hasnohigh = 0;
+	u_int hasnohigh = 0;
+
+	if (BN_is_zero(value)) {
+		buffer_put_int(buffer, 0);
+		return;
+	}
+	if (value->neg)
+		fatal("buffer_put_bignum2: negative numbers not supported");
+	bytes = BN_num_bytes(value) + 1; /* extra padding byte */
+	if (bytes < 2)
+		fatal("buffer_put_bignum2: BN too small");
+	buf = xmalloc(bytes);
 	buf[0] = '\0';
 	/* Get the value of in binary */
 	oi = BN_bn2bin(value, buf+1);
 	if (oi != bytes-1)
-		fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d",
-		    oi, bytes);
+		fatal("buffer_put_bignum2: BN_bn2bin() failed: "
+		    "oi %d != bin_size %d", oi, bytes);
 	hasnohigh = (buf[1] & 0x80) ? 0 : 1;
-	if (value->neg) {
-		/**XXX should be two's-complement */
-		int i, carry;
-		u_char *uc = buf;
-		log("negativ!");
-		for (i = bytes-1, carry = 1; i>=0; i--) {
-			uc[i] ^= 0xff;
-			if (carry)
-				carry = !++uc[i];
-		}
-	}
 	buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
 	memset(buf, 0, bytes);
 	xfree(buf);
@@ -131,12 +133,17 @@
 void
 buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
 {
-	/**XXX should be two's-complement */
-	int len;
-	u_char *bin = buffer_get_string(buffer, (u_int *)&len);
+	u_int len;
+	u_char *bin = buffer_get_string(buffer, &len);
+
+	if (len > 0 && (bin[0] & 0x80))
+		fatal("buffer_get_bignum2: negative numbers not supported");
+	if (len > 8 * 1024)
+		fatal("buffer_get_bignum2: cannot handle BN of size %d", len);
 	BN_bin2bn(bin, len, value);
 	xfree(bin);
 }
+
 /*
  * Returns integers from the buffer (msb first).
  */
@@ -145,6 +152,7 @@
 buffer_get_short(Buffer *buffer)
 {
 	u_char buf[2];
+
 	buffer_get(buffer, (char *) buf, 2);
 	return GET_16BIT(buf);
 }
@@ -153,6 +161,7 @@
 buffer_get_int(Buffer *buffer)
 {
 	u_char buf[4];
+
 	buffer_get(buffer, (char *) buf, 4);
 	return GET_32BIT(buf);
 }
@@ -161,6 +170,7 @@
 buffer_get_int64(Buffer *buffer)
 {
 	u_char buf[8];
+
 	buffer_get(buffer, (char *) buf, 8);
 	return GET_64BIT(buf);
 }
@@ -172,6 +182,7 @@
 buffer_put_short(Buffer *buffer, u_short value)
 {
 	char buf[2];
+
 	PUT_16BIT(buf, value);
 	buffer_append(buffer, buf, 2);
 }
@@ -180,6 +191,7 @@
 buffer_put_int(Buffer *buffer, u_int value)
 {
 	char buf[4];
+
 	PUT_32BIT(buf, value);
 	buffer_append(buffer, buf, 4);
 }
@@ -188,6 +200,7 @@
 buffer_put_int64(Buffer *buffer, u_int64_t value)
 {
 	char buf[8];
+
 	PUT_64BIT(buf, value);
 	buffer_append(buffer, buf, 8);
 }
@@ -203,12 +216,13 @@
 void *
 buffer_get_string(Buffer *buffer, u_int *length_ptr)
 {
-	u_int len;
 	u_char *value;
+	u_int len;
+
 	/* Get the length. */
 	len = buffer_get_int(buffer);
 	if (len > 256 * 1024)
-		fatal("Received packet with bad string length %d", len);
+		fatal("buffer_get_string: bad string length %u", len);
 	/* Allocate space for the string.  Add one byte for a null character. */
 	value = xmalloc(len + 1);
 	/* Get the string. */
@@ -233,6 +247,8 @@
 void
 buffer_put_cstring(Buffer *buffer, const char *s)
 {
+	if (s == NULL)
+		fatal("buffer_put_cstring: s == NULL");
 	buffer_put_string(buffer, s, strlen(s));
 }
 
@@ -243,6 +259,7 @@
 buffer_get_char(Buffer *buffer)
 {
 	char ch;
+
 	buffer_get(buffer, &ch, 1);
 	return (u_char) ch;
 }
@@ -254,5 +271,6 @@
 buffer_put_char(Buffer *buffer, int value)
 {
 	char ch = value;
+
 	buffer_append(buffer, &ch, 1);
 }