From 13cb43ad4c9be48914f17ea434f858aba0f8a06e Mon Sep 17 00:00:00 2001
From: Steffen Jaeckel
Date: Sun, 24 Sep 2017 13:11:35 +0200
Subject: [PATCH] initialize 'flags' etc. to invalid values before trying to decode
---
 src/pk/dh/dh_import.c | 8 +++++++-
 src/pk/dsa/dsa_decrypt_key.c | 3 ++-
 src/pk/dsa/dsa_import.c | 9 +++++++--
 src/pk/ecc/ecc_decrypt_key.c | 3 ++-
 src/pk/ecc/ecc_import.c | 7 ++++++-
 src/pk/rsa/rsa_import.c | 1 +
 6 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/src/pk/dh/dh_import.c b/src/pk/dh/dh_import.c
index 579a6aa..b600b5c 100644
--- a/src/pk/dh/dh_import.c
+++ b/src/pk/dh/dh_import.c
@@ -32,6 +32,8 @@ int dh_import(const unsigned char *in, unsigned long inlen, dh_key *key)
 return err;
 }
+ version = 666;
+ flags[0] = 0xff;
 /* find out what type of key it is */
 err = der_decode_sequence_multi(in, inlen, LTC_ASN1_SHORT_INTEGER, 1UL, &version,
@@ -58,7 +60,7 @@ int dh_import(const unsigned char *in, unsigned long inlen, dh_key *key)
 goto error;
 }
 }
- else {
+ else if (flags[0] == 0) {
 key->type = PK_PUBLIC;
 if ((err = der_decode_sequence_multi(in, inlen, LTC_ASN1_SHORT_INTEGER, 1UL, &version,
@@ -70,6 +72,10 @@ int dh_import(const unsigned char *in, unsigned long inlen, dh_key *key)
 goto error;
 }
 }
+ else {
+ err = CRYPT_INVALID_PACKET;
+ goto error;
+ }
 }
 else {
 err = CRYPT_INVALID_PACKET;
diff --git a/src/pk/dsa/dsa_decrypt_key.c b/src/pk/dsa/dsa_decrypt_key.c
index 806ef3e..67426b8 100644
--- a/src/pk/dsa/dsa_decrypt_key.c
+++ b/src/pk/dsa/dsa_decrypt_key.c
@@ -30,7 +30,8 @@ int dsa_decrypt_key(const unsigned char *in, unsigned long inlen,
 {
 unsigned char *skey, *expt;
 void *g_pub;
- unsigned long x, y, hashOID[32];
+ unsigned long x, y;
+ unsigned long hashOID[32] = { 0 };
 int hash, err;
 ltc_asn1_list decode[3];
diff --git a/src/pk/dsa/dsa_import.c b/src/pk/dsa/dsa_import.c
index 08d64b7..8d949eb 100644
--- a/src/pk/dsa/dsa_import.c
+++ b/src/pk/dsa/dsa_import.c
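Review bot: The sentinel assignments `version = 666;` and `flags[0] = 0xff;` added ahead of the type-probing decode in dh_import have no comment, so a later reader cannot tell that they exist to make a field the decoder never wrote fail the explicit `flags[0] == 0` test added in the next hunk. I would put `/* poison the outputs: if the decoder returns without writing them, no key type may match */` above the two lines and replace the bare 666 and 0xff with one named constant per field. The same uncommented `flags[0] = 0xff;` appears in dsa_import (hunk -38,13) and ecc_import_ex (hunk -104,6). dh_import starts and ends outside this hunk, so the declared types of `version` and `flags` are not visible here.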
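Review bot: `unsigned long hashOID[32] = { 0 };` in dsa_decrypt_key zero-fills the buffer, while the import functions in this commit are poisoned with values picked to be invalid (0xff, 666), and nothing in the hunk says whether an all-zero OID is guaranteed not to match a registered hash. If the lookup further down (outside this hunk) is bounded by the decoded length, zero-filling is enough, but that reasoning should be written down, e.g. `/* zeroed so a short or failed decode never leaves stack garbage in the OID that gets looked up */`. ecc_decrypt_key receives the identical change and the same comment fits there.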
@@ -38,13 +38,14 @@ int dsa_import(const unsigned char *in, unsigned long inlen, dsa_key *key)
 return CRYPT_MEM;
 }
+ flags[0] = 0xff;
 /* try to match the old libtomcrypt format */
 err = der_decode_sequence_multi(in, inlen, LTC_ASN1_BIT_STRING, 1UL, flags, LTC_ASN1_EOL, 0UL, NULL);
 if (err == CRYPT_OK || err == CRYPT_PK_INVALID_SIZE) {
 /* private key */
- if (flags[0]) {
+ if (flags[0] == 1) {
 if ((err = der_decode_sequence_multi(in, inlen, LTC_ASN1_BIT_STRING, 1UL, flags, LTC_ASN1_INTEGER, 1UL, key->g,
@@ -59,7 +60,7 @@ int dsa_import(const unsigned char *in, unsigned long inlen, dsa_key *key)
 goto LBL_OK;
 }
 /* public key */
- else {
+ else if (flags[0] == 0) {
 if ((err = der_decode_sequence_multi(in, inlen, LTC_ASN1_BIT_STRING, 1UL, flags, LTC_ASN1_INTEGER, 1UL, key->g,
@@ -72,6 +73,10 @@ int dsa_import(const unsigned char *in, unsigned long inlen, dsa_key *key)
 key->type = PK_PUBLIC;
 goto LBL_OK;
 }
+ else {
+ err = CRYPT_INVALID_PACKET;
+ goto LBL_ERR;
+ }
 }
 /* get key type */
 if ((err = der_decode_sequence_multi(in, inlen,
diff --git a/src/pk/ecc/ecc_decrypt_key.c b/src/pk/ecc/ecc_decrypt_key.c
index 4a16de9..9492401 100644
--- a/src/pk/ecc/ecc_decrypt_key.c
+++ b/src/pk/ecc/ecc_decrypt_key.c
@@ -35,7 +35,8 @@ int ecc_decrypt_key(const unsigned char *in, unsigned long inlen, ecc_key *key)
 {
 unsigned char *ecc_shared, *skey, *pub_expt;
- unsigned long x, y, hashOID[32];
+ unsigned long x, y;
+ unsigned long hashOID[32] = { 0 };
 int hash, err;
 ecc_key pubkey;
 ltc_asn1_list decode[3];
diff --git a/src/pk/ecc/ecc_import.c b/src/pk/ecc/ecc_import.c
index 034c9bd..fce70e2 100644
--- a/src/pk/ecc/ecc_import.c
+++ b/src/pk/ecc/ecc_import.c
@@ -104,6 +104,7 @@ int ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, co
 return CRYPT_MEM;
 }
+ flags[0] = 0xff;
 /* find out what type of key it is */
 err = der_decode_sequence_multi(in, inlen, LTC_ASN1_BIT_STRING, 1UL, flags, LTC_ASN1_EOL, 0UL, NULL);
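Review bot: The new `else { err = CRYPT_INVALID_PACKET; goto LBL_ERR; }` in dsa_import (hunk -72,6) sits inside the old-format block, which the first hunk shows is entered on `err == CRYPT_OK || err == CRYPT_PK_INVALID_SIZE`, so any input that arrives with `flags[0]` still at the 0xff sentinel is rejected there and never reaches the `/* get key type */` decode below. Failing closed is the right default, but whether the probe can return CRYPT_PK_INVALID_SIZE for a key in one of the later formats without writing `flags` is not visible in this hunk; if it can, those keys would stop importing. I would state the intent in the branch, e.g. `/* flag is neither 0 nor 1: not a valid old-format key, do not try other formats */`, and back it with a malformed-flag test vector. dh_import and ecc_import_ex gain the same reject branch.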
@@ -124,7 +125,7 @@ int ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, co
 LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK) {
 goto done;
 }
- } else {
+ } else if (flags[0] == 0) {
 /* public key */
 key->type = PK_PUBLIC;
 if ((err = der_decode_sequence_multi(in, inlen,
@@ -136,6 +137,10 @@ int ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, co
 goto done;
 }
 }
+ else {
+ err = CRYPT_INVALID_PACKET;
+ goto done;
+ }
 if (dp == NULL) {
 /* find the idx */
diff --git a/src/pk/rsa/rsa_import.c b/src/pk/rsa/rsa_import.c
index fbae39b..db432b5 100644
--- a/src/pk/rsa/rsa_import.c
+++ b/src/pk/rsa/rsa_import.c
@@ -65,6 +65,7 @@ int rsa_import(const unsigned char *in, unsigned long inlen, rsa_key *key)
 goto LBL_FREE;
 }
+ mp_set_int(key->N, 666);
 /* not SSL public key, try to match against PKCS #1 standards */
 err = der_decode_sequence_multi(in, inlen, LTC_ASN1_INTEGER, 1UL, key->N, LTC_ASN1_EOL, 0UL, NULL);
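Review bot: The reject branch added to ecc_import_ex (hunk -136,6) starts with `else {` on its own line after the closing brace, while the previous hunk in the same if-chain uses the cuddled form `} else if (flags[0] == 0) {`. Folding it into `} else {` would keep the chain in one style and make it obvious that the branch belongs to the flag test rather than to an inner block. A short comment such as `/* flags[0] is neither 0 nor 1, or was never written by the decoder */` would also tie it to the 0xff sentinel set in the first hunk of this file.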
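Review bot: `mp_set_int(key->N, 666);` in rsa_import discards the call's return value, so if setting the sentinel fails, the PKCS #1 probe that follows runs with key->N in an unknown state and the poisoning gives no protection. I would check it, `if ((err = mp_set_int(key->N, 666)) != CRYPT_OK) { goto LBL_FREE; }`, after confirming that LBL_FREE (the only label visible in this hunk) is the correct exit at this point. The line also needs a comment saying what 666 guards against, since how key->N is examined after the decode lies outside the hunk.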