summaryrefslogtreecommitdiffstats
path: root/ssh-pkcs11.c
diff options
context:
space:
mode:
Diffstat (limited to 'ssh-pkcs11.c')
-rw-r--r--ssh-pkcs11.c42
1 files changed, 29 insertions, 13 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 1e76e8b..fadf9c9 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.62 2024/04/02 12:22:38 deraadt Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.63 2024/08/15 00:51:51 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
* Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -502,8 +502,10 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
}
- RSA_set_method(rsa, rsa_method);
- RSA_set_ex_data(rsa, rsa_idx, k11);
+ if (RSA_set_method(rsa, rsa_method) != 1)
+ fatal_f("RSA_set_method failed");
+ if (RSA_set_ex_data(rsa, rsa_idx, k11) != 1)
+ fatal_f("RSA_set_ex_data failed");
return (0);
}
@@ -615,8 +617,10 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
k11->keyid = xmalloc(k11->keyid_len);
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
}
- EC_KEY_set_method(ec, ec_key_method);
- EC_KEY_set_ex_data(ec, ec_key_idx, k11);
+ if (EC_KEY_set_method(ec, ec_key_method) != 1)
+ fatal_f("EC_KEY_set_method failed");
+ if (EC_KEY_set_ex_data(ec, ec_key_idx, k11) != 1)
+ fatal_f("EC_KEY_set_ex_data failed");
return (0);
}
@@ -803,11 +807,14 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
- key->ecdsa = ec;
+ EVP_PKEY_free(key->pkey);
+ if ((key->pkey = EVP_PKEY_new()) == NULL)
+ fatal("EVP_PKEY_new failed");
+ if (EVP_PKEY_set1_EC_KEY(key->pkey, ec) != 1)
+ fatal("EVP_PKEY_set1_EC_KEY failed");
key->ecdsa_nid = nid;
key->type = KEY_ECDSA;
key->flags |= SSHKEY_FLAG_EXT;
- ec = NULL; /* now owned by key */
fail:
for (i = 0; i < 3; i++)
@@ -899,10 +906,13 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
- key->rsa = rsa;
+ EVP_PKEY_free(key->pkey);
+ if ((key->pkey = EVP_PKEY_new()) == NULL)
+ fatal("EVP_PKEY_new failed");
+ if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1)
+ fatal("EVP_PKEY_set1_RSA failed");
key->type = KEY_RSA;
key->flags |= SSHKEY_FLAG_EXT;
- rsa = NULL; /* now owned by key */
fail:
for (i = 0; i < 3; i++)
@@ -1014,10 +1024,13 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto out;
}
- key->rsa = rsa;
+ EVP_PKEY_free(key->pkey);
+ if ((key->pkey = EVP_PKEY_new()) == NULL)
+ fatal("EVP_PKEY_new failed");
+ if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1)
+ fatal("EVP_PKEY_set1_RSA failed");
key->type = KEY_RSA;
key->flags |= SSHKEY_FLAG_EXT;
- rsa = NULL; /* now owned by key */
#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
} else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
@@ -1044,11 +1057,14 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto out;
}
- key->ecdsa = ec;
+ EVP_PKEY_free(key->pkey);
+ if ((key->pkey = EVP_PKEY_new()) == NULL)
+ fatal("EVP_PKEY_new failed");
+ if (EVP_PKEY_set1_EC_KEY(key->pkey, ec) != 1)
+ fatal("EVP_PKEY_set1_EC_KEY failed");
key->ecdsa_nid = nid;
key->type = KEY_ECDSA;
key->flags |= SSHKEY_FLAG_EXT;
- ec = NULL; /* now owned by key */
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
} else {
error("unknown certificate key type");