author | djm@openbsd.org <djm@openbsd.org> | 2019-01-20 23:01:59 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-01-21 10:54:37 +1100 |
commit | 24757c1ae309324e98d50e5935478655be04e549 (patch) | |
tree | c6d1a58101dacabb2b5562c3681097dd33fe3c0d | |
parent | 749aef30321595435ddacef2f31d7a8f2b289309 (diff) |
upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
object should never have a DER header
work by markus; feedback and ok djm@
OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
-rw-r--r-- | ssh-pkcs11.c | 24 |
1 files changed, 14 insertions, 10 deletions
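--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.29 2019/01/20 23:00:12 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.30 2019/01/20 23:01:59 djm Exp $ */
 /*
 * Copyright (c) 2010 Markus Friedl. All rights reserved.
 * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -576,6 +576,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
 CK_SESSION_HANDLE session;
 CK_FUNCTION_LIST *f = NULL;
 CK_RV rv;
+ASN1_OCTET_STRING *octet = NULL;
 EC_KEY *ec = NULL;
 EC_GROUP *group = NULL;
 struct sshkey *key = NULL;
@@ -644,15 +645,16 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
 goto fail;
 }
 
-attrp = (const unsigned char *)key_attr[1].pValue;
-if (o2i_ECPublicKey(&ec, &attrp, key_attr[1].ulValueLen) == NULL) {
-/* try to skip DER header (octet string type and length byte) */
-attrp = (const unsigned char *)key_attr[1].pValue + 2;
-if (o2i_ECPublicKey(&ec, &attrp, key_attr[1].ulValueLen - 2)
-== NULL) {
-ossl_error("o2i_ECPublicKey failed");
-goto fail;
-}
+attrp = key_attr[1].pValue;
+octet = d2i_ASN1_OCTET_STRING(NULL, &attrp, key_attr[1].ulValueLen);
+if (octet == NULL) {
+ossl_error("d2i_ASN1_OCTET_STRING failed");
+goto fail;
+}
+attrp = octet->data;
+if (o2i_ECPublicKey(&ec, &attrp, octet->length) == NULL) {
+ossl_error("o2i_ECPublicKey failed");
+goto fail;
 }
 
 nid = sshkey_ecdsa_key_to_nid(ec);
@@ -683,6 +685,8 @@ fail:
 EC_KEY_free(ec);
 if (group)
 EC_GROUP_free(group);
+if (octet)
+ASN1_OCTET_STRING_free(octet);
 
 return (key);
 }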
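Review bot: In the hunk at new lines 648-657, `attrp` is overwritten with `octet->data` right after `d2i_ASN1_OCTET_STRING()`, so nothing checks that the decoder consumed all `key_attr[1].ulValueLen` bytes; an attribute carrying extra bytes after the OCTET STRING is accepted silently. Because this value is supplied by the PKCS#11 provider, strict parsing is the safer default: before the reassignment, add `if (attrp != (const unsigned char *)key_attr[1].pValue + key_attr[1].ulValueLen)` and leave through the existing `goto fail` path. A short comment such as `/* the attribute must be a DER OCTET STRING wrapping the EC point */` would also record why the previous raw-point attempt was dropped. pkcs11_fetch_ecdsa_pubkey begins outside these hunks, so how `key_attr[1]` is requested and sized is not visible here.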