[PATCH 2/2] Adopt new SecurityKey API for sk-usbhid and sk-dummy

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



---
 regress/misc/sk-dummy/sk-dummy.c | 35 +++++++++++++++++++-
 sk-usbhid.c                      | 55 ++++++++++++++++++++++++++++++++
 ssh-sk.c                         | 49 ++++------------------------
 3 files changed, 95 insertions(+), 44 deletions(-)

diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
index 347b21227..de96e7ef5 100644
--- a/regress/misc/sk-dummy/sk-dummy.c
+++ b/regress/misc/sk-dummy/sk-dummy.c
@@ -50,7 +50,7 @@
 
 /* #define SK_DEBUG 1 */
 
-#if SSH_SK_VERSION_MAJOR != 0x000a0000
+#if SSH_SK_VERSION_MAJOR != 0x000b0000
 # error SK API has changed, sk-dummy.c needs an update
 #endif
 
@@ -59,6 +59,9 @@
 # define sk_enroll		ssh_sk_enroll
 # define sk_sign		ssh_sk_sign
 # define sk_load_resident_keys	ssh_sk_load_resident_keys
+# define sk_free_enroll_response	ssh_sk_free_enroll_response
+# define sk_free_sign_response	ssh_sk_free_sign_response
+# define sk_free_resident_keys	ssh_sk_free_resident_keys
 #endif /* !SK_STANDALONE */
 
 static void skdebug(const char *func, const char *fmt, ...)
@@ -541,3 +544,33 @@ sk_load_resident_keys(const char *pin, struct sk_option **options,
 {
 	return SSH_SK_ERR_UNSUPPORTED;
 }
+
+void
+sk_free_enroll_response(struct sk_enroll_response *enroll_resp)
+{
+	if (enroll_resp == NULL)
+		return;
+	freezero(enroll_resp->key_handle, enroll_resp->key_handle_len);
+	freezero(enroll_resp->public_key, enroll_resp->public_key_len);
+	freezero(enroll_resp->signature, enroll_resp->signature_len);
+	freezero(enroll_resp->attestation_cert, enroll_resp->attestation_cert_len);
+	freezero(enroll_resp->authdata, enroll_resp->authdata_len);
+	freezero(enroll_resp, sizeof(*enroll_resp));
+}
+
+void
+sk_free_sign_response(struct sk_sign_response *sign_resp)
+{
+	if (sign_resp == NULL)
+		return;
+	freezero(sign_resp->sig_r, sign_resp->sig_r_len);
+	freezero(sign_resp->sig_s, sign_resp->sig_s_len);
+	freezero(sign_resp, sizeof(*sign_resp));
+}
+
+/* sk_load_resident_keys returns SSH_SK_ERR_UNSUPPORTED */
+void
+sk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks)
+{
+	return;
+}
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 427431b9a..01c68c842 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -90,6 +90,9 @@
 # define sk_enroll		ssh_sk_enroll
 # define sk_sign		ssh_sk_sign
 # define sk_load_resident_keys	ssh_sk_load_resident_keys
+# define sk_free_enroll_response	ssh_sk_free_enroll_response
+# define sk_free_sign_response	ssh_sk_free_sign_response
+# define sk_free_sk_resident_keys	ssh_sk_free_sk_resident_keys
 #endif /* !SK_STANDALONE */
 
 #include "sk-api.h"
@@ -134,6 +137,15 @@ int sk_sign(uint32_t alg, const uint8_t *data, size_t data_len,
 int sk_load_resident_keys(const char *pin, struct sk_option **options,
     struct sk_resident_key ***rks, size_t *nrks);
 
+/* Free sk_sign_response allocated by provider */
+void sk_free_enroll_response(struct sk_enroll_response *enroll_resp);
+
+/* Free sk_sign_response allocated by provider */
+void sk_free_sign_response(struct sk_sign_response *sign_resp);
+
+/* Free sk_resident_key allocated by provider */
+void sk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks);
+
 static void skdebug(const char *func, const char *fmt, ...)
     __attribute__((__format__ (printf, 2, 3)));
 
@@ -1479,4 +1491,47 @@ sk_load_resident_keys(const char *pin, struct sk_option **options,
 	return ret;
 }
 
+void
+sk_free_enroll_response(struct sk_enroll_response *enroll_resp)
+{
+	if (enroll_resp == NULL)
+		return;
+	freezero(enroll_resp->key_handle, enroll_resp->key_handle_len);
+	freezero(enroll_resp->public_key, enroll_resp->public_key_len);
+	freezero(enroll_resp->signature, enroll_resp->signature_len);
+	freezero(enroll_resp->attestation_cert, enroll_resp->attestation_cert_len);
+	freezero(enroll_resp->authdata, enroll_resp->authdata_len);
+	freezero(enroll_resp, sizeof(*enroll_resp));
+}
+
+void
+sk_free_sign_response(struct sk_sign_response *sign_resp)
+{
+	if (sign_resp == NULL)
+		return;
+	freezero(sign_resp->sig_r, sign_resp->sig_r_len);
+	freezero(sign_resp->sig_s, sign_resp->sig_s_len);
+	freezero(sign_resp, sizeof(*sign_resp));
+}
+
+void
+sk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks)
+{
+	size_t i;
+
+	if (nrks == 0 || rks == NULL)
+		return;
+	for (i = 0; i < nrks; i++) {
+		free(rks[i]->application);
+		freezero(rks[i]->user_id, rks[i]->user_id_len);
+		freezero(rks[i]->key.key_handle, rks[i]->key.key_handle_len);
+		freezero(rks[i]->key.public_key, rks[i]->key.public_key_len);
+		freezero(rks[i]->key.signature, rks[i]->key.signature_len);
+		freezero(rks[i]->key.attestation_cert,
+		    rks[i]->key.attestation_cert_len);
+		freezero(rks[i], sizeof(**rks));
+	}
+	free(rks);
+}
+
 #endif /* ENABLE_SK_INTERNAL */
diff --git a/ssh-sk.c b/ssh-sk.c
index 19ac9dda8..9cc5bd4c1 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -101,6 +101,9 @@ int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len,
     struct sk_sign_response **sign_response);
 int ssh_sk_load_resident_keys(const char *pin, struct sk_option **opts,
     struct sk_resident_key ***rks, size_t *nrks);
+void ssh_sk_free_enroll_response(struct sk_enroll_response *enroll_resp);
+void ssh_sk_free_sign_response(struct sk_sign_response *enroll_resp);
+void ssh_sk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks);
 
 static void
 sshsk_free(struct sshsk_provider *p)
@@ -137,6 +140,9 @@ sshsk_open(const char *path)
 		ret->sk_enroll = ssh_sk_enroll;
 		ret->sk_sign = ssh_sk_sign;
 		ret->sk_load_resident_keys = ssh_sk_load_resident_keys;
+		ret->sk_free_enroll_response = ssh_sk_free_enroll_response;
+		ret->sk_free_sign_response = ssh_sk_free_sign_response;
+		ret->sk_free_sk_resident_keys = ssh_sk_free_sk_resident_keys;
 		return ret;
 #else
 		error("internal security key support not enabled");
@@ -206,29 +212,6 @@ fail:
 	return NULL;
 }
 
-static void
-sshsk_free_enroll_response(struct sk_enroll_response *r)
-{
-	if (r == NULL)
-		return;
-	freezero(r->key_handle, r->key_handle_len);
-	freezero(r->public_key, r->public_key_len);
-	freezero(r->signature, r->signature_len);
-	freezero(r->attestation_cert, r->attestation_cert_len);
-	freezero(r->authdata, r->authdata_len);
-	freezero(r, sizeof(*r));
-}
-
-static void
-sshsk_free_sign_response(struct sk_sign_response *r)
-{
-	if (r == NULL)
-		return;
-	freezero(r->sig_r, r->sig_r_len);
-	freezero(r->sig_s, r->sig_s_len);
-	freezero(r, sizeof(*r));
-}
-
 #ifdef WITH_OPENSSL
 /* Assemble key from response */
 static int
@@ -781,26 +764,6 @@ sshsk_sign(const char *provider_path, struct sshkey *key,
 	return r;
 }
 
-static void
-sshsk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks)
-{
-	size_t i;
-
-	if (nrks == 0 || rks == NULL)
-		return;
-	for (i = 0; i < nrks; i++) {
-		free(rks[i]->application);
-		freezero(rks[i]->user_id, rks[i]->user_id_len);
-		freezero(rks[i]->key.key_handle, rks[i]->key.key_handle_len);
-		freezero(rks[i]->key.public_key, rks[i]->key.public_key_len);
-		freezero(rks[i]->key.signature, rks[i]->key.signature_len);
-		freezero(rks[i]->key.attestation_cert,
-		    rks[i]->key.attestation_cert_len);
-		freezero(rks[i], sizeof(**rks));
-	}
-	free(rks);
-}
-
 static void
 sshsk_free_resident_key(struct sshsk_resident_key *srk)
 {
-- 
2.39.5

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux