diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2024-08-15 02:51:51 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2024-08-15 04:07:59 +0200 |
| commit | 7bdfc20516e288b58c8c847958059c7b141eeff9 (patch) | |
| tree | c2058c785fc099f0e8741feeb6916e793c2792bc /ssh-pkcs11.c | |
| parent | upstream: Reorder calloc arguments (diff) | |
| download | openssh-7bdfc20516e288b58c8c847958059c7b141eeff9.tar.xz openssh-7bdfc20516e288b58c8c847958059c7b141eeff9.zip | |
upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.
DSA remains unconverted as it will be removed within six months.
Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).
ok tb@
OpenBSD-Commit-ID: d098744e89f1dc7e5952a6817bef234eced648b5
Diffstat (limited to 'ssh-pkcs11.c')
| -rw-r--r-- | ssh-pkcs11.c | 42 |
1 files changed, 29 insertions, 13 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 1e76e8b2b..fadf9c9c6 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.62 2024/04/02 12:22:38 deraadt Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.63 2024/08/15 00:51:51 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * Copyright (c) 2014 Pedro Martelletto. All rights reserved. @@ -502,8 +502,10 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); } - RSA_set_method(rsa, rsa_method); - RSA_set_ex_data(rsa, rsa_idx, k11); + if (RSA_set_method(rsa, rsa_method) != 1) + fatal_f("RSA_set_method failed"); + if (RSA_set_ex_data(rsa, rsa_idx, k11) != 1) + fatal_f("RSA_set_ex_data failed"); return (0); } @@ -615,8 +617,10 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, k11->keyid = xmalloc(k11->keyid_len); memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); } - EC_KEY_set_method(ec, ec_key_method); - EC_KEY_set_ex_data(ec, ec_key_idx, k11); + if (EC_KEY_set_method(ec, ec_key_method) != 1) + fatal_f("EC_KEY_set_method failed"); + if (EC_KEY_set_ex_data(ec, ec_key_idx, k11) != 1) + fatal_f("EC_KEY_set_ex_data failed"); return (0); } @@ -803,11 +807,14 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, goto fail; } - key->ecdsa = ec; + EVP_PKEY_free(key->pkey); + if ((key->pkey = EVP_PKEY_new()) == NULL) + fatal("EVP_PKEY_new failed"); + if (EVP_PKEY_set1_EC_KEY(key->pkey, ec) != 1) + fatal("EVP_PKEY_set1_EC_KEY failed"); key->ecdsa_nid = nid; key->type = KEY_ECDSA; key->flags |= SSHKEY_FLAG_EXT; - ec = NULL; /* now owned by key */ fail: for (i = 0; i < 3; i++) @@ -899,10 +906,13 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, goto fail; } - key->rsa = rsa; + EVP_PKEY_free(key->pkey); + if ((key->pkey = EVP_PKEY_new()) == NULL) + fatal("EVP_PKEY_new failed"); + if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1) + fatal("EVP_PKEY_set1_RSA failed"); key->type = KEY_RSA; key->flags |= SSHKEY_FLAG_EXT; - rsa = NULL; /* now owned by key */ fail: for (i = 0; i < 3; i++) @@ -1014,10 +1024,13 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, goto out; } - key->rsa = rsa; + EVP_PKEY_free(key->pkey); + if ((key->pkey = EVP_PKEY_new()) == NULL) + fatal("EVP_PKEY_new failed"); + if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1) + fatal("EVP_PKEY_set1_RSA failed"); key->type = KEY_RSA; key->flags |= SSHKEY_FLAG_EXT; - rsa = NULL; /* now owned by key */ #if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) { if (EVP_PKEY_get0_EC_KEY(evp) == NULL) { @@ -1044,11 +1057,14 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, goto out; } - key->ecdsa = ec; + EVP_PKEY_free(key->pkey); + if ((key->pkey = EVP_PKEY_new()) == NULL) + fatal("EVP_PKEY_new failed"); + if (EVP_PKEY_set1_EC_KEY(key->pkey, ec) != 1) + fatal("EVP_PKEY_set1_EC_KEY failed"); key->ecdsa_nid = nid; key->type = KEY_ECDSA; key->flags |= SSHKEY_FLAG_EXT; - ec = NULL; /* now owned by key */ #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ } else { error("unknown certificate key type"); |