1 files changed, 22 insertions, 7 deletions

diff --git a/ssh-sk.c b/ssh-sk.c
index d1c1880..a2a7d72 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.40 2023/07/19 14:02:27 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.41 2024/08/15 00:51:51 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -32,6 +32,7 @@
 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
 #include <openssl/objects.h>
 #include <openssl/ec.h>
+#include <openssl/evp.h>
 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
 
 #include "log.h"
@@ -207,7 +208,9 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp)
 {
 	struct sshkey *key = NULL;
 	struct sshbuf *b = NULL;
+	EC_KEY *ecdsa = NULL;
 	EC_POINT *q = NULL;
+	const EC_GROUP *g = NULL;
 	int r;
 
 	*keyp = NULL;
@@ -217,8 +220,9 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp)
 		goto out;
 	}
 	key->ecdsa_nid = NID_X9_62_prime256v1;
-	if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL ||
-	    (q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL ||
+	if ((ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL ||
+	    (g = EC_KEY_get0_group(ecdsa)) == NULL ||
+	    (q = EC_POINT_new(g)) == NULL ||
 	    (b = sshbuf_new()) == NULL) {
 		error_f("allocation failed");
 		r = SSH_ERR_ALLOC_FAIL;
@@ -229,30 +233,41 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp)
 		error_fr(r, "sshbuf_put_string");
 		goto out;
 	}
-	if ((r = sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa))) != 0) {
+	if ((r = sshbuf_get_ec(b, q, g)) != 0) {
 		error_fr(r, "parse");
 		r = SSH_ERR_INVALID_FORMAT;
 		goto out;
 	}
-	if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), q) != 0) {
+	if (sshkey_ec_validate_public(g, q) != 0) {
 		error("Authenticator returned invalid ECDSA key");
 		r = SSH_ERR_KEY_INVALID_EC_VALUE;
 		goto out;
 	}
-	if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
+	if (EC_KEY_set_public_key(ecdsa, q) != 1) {
 		/* XXX assume it is a allocation error */
 		error_f("allocation failed");
 		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
+	if ((key->pkey = EVP_PKEY_new()) == NULL) {
+		error_f("allocation failed");
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+	if (EVP_PKEY_set1_EC_KEY(key->pkey, ecdsa) != 1) {
+		error_f("Assigning EC_KEY failed");
+		r = SSH_ERR_LIBCRYPTO_ERROR;
+		goto out;
+	}
 	/* success */
 	*keyp = key;
 	key = NULL; /* transferred */
 	r = 0;
  out:
-	EC_POINT_free(q);
 	sshkey_free(key);
 	sshbuf_free(b);
+	EC_KEY_free(ecdsa);
+	EC_POINT_free(q);
 	return r;
 }
 #endif /* WITH_OPENSSL */