diff options
author | djm@openbsd.org <djm@openbsd.org> | 2019-01-21 00:01:59 +0100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-01-21 00:54:37 +0100 |
commit | 24757c1ae309324e98d50e5935478655be04e549 (patch) | |
tree | c6d1a58101dacabb2b5562c3681097dd33fe3c0d /ssh-pkcs11.c | |
parent | upstream: cleanup unnecessary code in ECDSA pkcs#11 signature (diff) | |
download | openssh-24757c1ae309324e98d50e5935478655be04e549.tar.xz openssh-24757c1ae309324e98d50e5935478655be04e549.zip |
upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
object should never have a DER header
work by markus; feedback and ok djm@
OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
Diffstat (limited to 'ssh-pkcs11.c')
-rw-r--r-- | ssh-pkcs11.c | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index dd8d501ae..0c8629a37 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.29 2019/01/20 23:00:12 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.30 2019/01/20 23:01:59 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * Copyright (c) 2014 Pedro Martelletto. All rights reserved. @@ -576,6 +576,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, CK_SESSION_HANDLE session; CK_FUNCTION_LIST *f = NULL; CK_RV rv; + ASN1_OCTET_STRING *octet = NULL; EC_KEY *ec = NULL; EC_GROUP *group = NULL; struct sshkey *key = NULL; @@ -644,15 +645,16 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, goto fail; } - attrp = (const unsigned char *)key_attr[1].pValue; - if (o2i_ECPublicKey(&ec, &attrp, key_attr[1].ulValueLen) == NULL) { - /* try to skip DER header (octet string type and length byte) */ - attrp = (const unsigned char *)key_attr[1].pValue + 2; - if (o2i_ECPublicKey(&ec, &attrp, key_attr[1].ulValueLen - 2) - == NULL) { - ossl_error("o2i_ECPublicKey failed"); - goto fail; - } + attrp = key_attr[1].pValue; + octet = d2i_ASN1_OCTET_STRING(NULL, &attrp, key_attr[1].ulValueLen); + if (octet == NULL) { + ossl_error("d2i_ASN1_OCTET_STRING failed"); + goto fail; + } + attrp = octet->data; + if (o2i_ECPublicKey(&ec, &attrp, octet->length) == NULL) { + ossl_error("o2i_ECPublicKey failed"); + goto fail; } nid = sshkey_ecdsa_key_to_nid(ec); @@ -683,6 +685,8 @@ fail: EC_KEY_free(ec); if (group) EC_GROUP_free(group); + if (octet) + ASN1_OCTET_STRING_free(octet); return (key); } |