[openssh-commits] [openssh] 04/12: upstream: factor out sshsk_ecdsa_assemble(); ok djm@
git+noreply at mindrot.org
git+noreply at mindrot.org
Wed Nov 13 08:54:26 AEDT 2019
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit cef84a062db8cfeece26f067235dc440f6992c17
Author: markus at openbsd.org <markus at openbsd.org>
Date: Tue Nov 12 19:29:54 2019 +0000
upstream: factor out sshsk_ecdsa_assemble(); ok djm@
OpenBSD-Commit-ID: 2313761a3a84ccfe032874d638d3c363e0f14026
---
ssh-sk.c | 96 +++++++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 59 insertions(+), 37 deletions(-)
diff --git a/ssh-sk.c b/ssh-sk.c
index 122a1e2b..c0f6c1cc 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.1 2019/10/31 21:16:20 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.2 2019/11/12 19:29:54 markus Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -143,6 +143,61 @@ sshsk_free_sign_response(struct sk_sign_response *r)
freezero(r, sizeof(*r));
};
+/* Assemble key from response */
+static int
+sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp)
+{
+ struct sshkey *key = NULL;
+ struct sshbuf *b = NULL;
+ EC_POINT *q = NULL;
+ int r;
+
+ *keyp = NULL;
+ if ((key = sshkey_new(KEY_ECDSA_SK)) == NULL) {
+ error("%s: sshkey_new failed", __func__);
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ key->ecdsa_nid = NID_X9_62_prime256v1;
+ if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL ||
+ (q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL ||
+ (b = sshbuf_new()) == NULL) {
+ error("%s: allocation failed", __func__);
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_put_string(b,
+ resp->public_key, resp->public_key_len)) != 0) {
+ error("%s: buffer error: %s", __func__, ssh_err(r));
+ goto out;
+ }
+ if ((r = sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa))) != 0) {
+ error("%s: parse key: %s", __func__, ssh_err(r));
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+ if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), q) != 0) {
+ error("Security key returned invalid ECDSA key");
+ r = SSH_ERR_KEY_INVALID_EC_VALUE;
+ goto out;
+ }
+ if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
+ /* XXX assume it is a allocation error */
+ error("%s: allocation failed", __func__);
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ /* success */
+ *keyp = key;
+ key = NULL; /* transferred */
+ r = 0;
+ out:
+ EC_POINT_free(q);
+ sshkey_free(key);
+ sshbuf_free(b);
+ return r;
+}
+
int
sshsk_enroll(const char *provider_path, const char *application,
uint8_t flags, struct sshbuf *challenge_buf, struct sshkey **keyp,
@@ -155,8 +210,6 @@ sshsk_enroll(const char *provider_path, const char *application,
size_t challenge_len;
struct sk_enroll_response *resp = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
- struct sshbuf *b = NULL;
- EC_POINT *q = NULL;
*keyp = NULL;
if (attest)
@@ -206,49 +259,20 @@ sshsk_enroll(const char *provider_path, const char *application,
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
- /* Assemble key from response */
- if ((key = sshkey_new(KEY_ECDSA_SK)) == NULL) {
- error("%s: sshkey_new failed", __func__);
- r = SSH_ERR_ALLOC_FAIL;
+ if ((r = sshsk_ecdsa_assemble(resp, &key)) != 0)
goto out;
- }
- key->ecdsa_nid = NID_X9_62_prime256v1;
key->sk_flags = flags;
- if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL ||
- (q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL ||
- (key->sk_key_handle = sshbuf_new()) == NULL ||
- (key->sk_reserved = sshbuf_new()) == NULL ||
- (b = sshbuf_new()) == NULL) {
+ if ((key->sk_key_handle = sshbuf_new()) == NULL ||
+ (key->sk_reserved = sshbuf_new()) == NULL) {
error("%s: allocation failed", __func__);
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((r = sshbuf_put_string(b,
- resp->public_key, resp->public_key_len)) != 0) {
- error("%s: buffer error: %s", __func__, ssh_err(r));
- goto out;
- }
if ((key->sk_application = strdup(application)) == NULL) {
error("%s: strdup application failed", __func__);
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((r = sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa))) != 0) {
- error("%s: parse key: %s", __func__, ssh_err(r));
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), q) != 0) {
- error("Security key returned invalid ECDSA key");
- r = SSH_ERR_KEY_INVALID_EC_VALUE;
- goto out;
- }
- if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
- /* XXX assume it is a allocation error */
- error("%s: allocation failed", __func__);
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
if ((r = sshbuf_put(key->sk_key_handle, resp->key_handle,
resp->key_handle_len)) != 0) {
error("%s: buffer error: %s", __func__, ssh_err(r));
@@ -273,9 +297,7 @@ sshsk_enroll(const char *provider_path, const char *application,
key = NULL; /* transferred */
r = 0;
out:
- EC_POINT_free(q);
sshsk_free(skp);
- sshbuf_free(b);
sshkey_free(key);
sshsk_free_enroll_response(resp);
explicit_bzero(randchall, sizeof(randchall));
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list