--- regress/misc/sk-dummy/sk-dummy.c | 35 +++++++++++++++++++- sk-usbhid.c | 55 ++++++++++++++++++++++++++++++++ ssh-sk.c | 49 ++++------------------------ 3 files changed, 95 insertions(+), 44 deletions(-) diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c index 347b21227..de96e7ef5 100644 --- a/regress/misc/sk-dummy/sk-dummy.c +++ b/regress/misc/sk-dummy/sk-dummy.c @@ -50,7 +50,7 @@ /* #define SK_DEBUG 1 */ -#if SSH_SK_VERSION_MAJOR != 0x000a0000 +#if SSH_SK_VERSION_MAJOR != 0x000b0000 # error SK API has changed, sk-dummy.c needs an update #endif @@ -59,6 +59,9 @@ # define sk_enroll ssh_sk_enroll # define sk_sign ssh_sk_sign # define sk_load_resident_keys ssh_sk_load_resident_keys +# define sk_free_enroll_response ssh_sk_free_enroll_response +# define sk_free_sign_response ssh_sk_free_sign_response +# define sk_free_resident_keys ssh_sk_free_resident_keys #endif /* !SK_STANDALONE */ static void skdebug(const char *func, const char *fmt, ...) @@ -541,3 +544,33 @@ sk_load_resident_keys(const char *pin, struct sk_option **options, { return SSH_SK_ERR_UNSUPPORTED; } + +void +sk_free_enroll_response(struct sk_enroll_response *enroll_resp) +{ + if (enroll_resp == NULL) + return; + freezero(enroll_resp->key_handle, enroll_resp->key_handle_len); + freezero(enroll_resp->public_key, enroll_resp->public_key_len); + freezero(enroll_resp->signature, enroll_resp->signature_len); + freezero(enroll_resp->attestation_cert, enroll_resp->attestation_cert_len); + freezero(enroll_resp->authdata, enroll_resp->authdata_len); + freezero(enroll_resp, sizeof(*enroll_resp)); +} + +void +sk_free_sign_response(struct sk_sign_response *sign_resp) +{ + if (sign_resp == NULL) + return; + freezero(sign_resp->sig_r, sign_resp->sig_r_len); + freezero(sign_resp->sig_s, sign_resp->sig_s_len); + freezero(sign_resp, sizeof(*sign_resp)); +} + +/* sk_load_resident_keys returns SSH_SK_ERR_UNSUPPORTED */ +void +sk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks) +{ + return; +} diff --git a/sk-usbhid.c b/sk-usbhid.c index 427431b9a..01c68c842 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c @@ -90,6 +90,9 @@ # define sk_enroll ssh_sk_enroll # define sk_sign ssh_sk_sign # define sk_load_resident_keys ssh_sk_load_resident_keys +# define sk_free_enroll_response ssh_sk_free_enroll_response +# define sk_free_sign_response ssh_sk_free_sign_response +# define sk_free_sk_resident_keys ssh_sk_free_sk_resident_keys #endif /* !SK_STANDALONE */ #include "sk-api.h" @@ -134,6 +137,15 @@ int sk_sign(uint32_t alg, const uint8_t *data, size_t data_len, int sk_load_resident_keys(const char *pin, struct sk_option **options, struct sk_resident_key ***rks, size_t *nrks); +/* Free sk_sign_response allocated by provider */ +void sk_free_enroll_response(struct sk_enroll_response *enroll_resp); + +/* Free sk_sign_response allocated by provider */ +void sk_free_sign_response(struct sk_sign_response *sign_resp); + +/* Free sk_resident_key allocated by provider */ +void sk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks); + static void skdebug(const char *func, const char *fmt, ...) __attribute__((__format__ (printf, 2, 3))); @@ -1479,4 +1491,47 @@ sk_load_resident_keys(const char *pin, struct sk_option **options, return ret; } +void +sk_free_enroll_response(struct sk_enroll_response *enroll_resp) +{ + if (enroll_resp == NULL) + return; + freezero(enroll_resp->key_handle, enroll_resp->key_handle_len); + freezero(enroll_resp->public_key, enroll_resp->public_key_len); + freezero(enroll_resp->signature, enroll_resp->signature_len); + freezero(enroll_resp->attestation_cert, enroll_resp->attestation_cert_len); + freezero(enroll_resp->authdata, enroll_resp->authdata_len); + freezero(enroll_resp, sizeof(*enroll_resp)); +} + +void +sk_free_sign_response(struct sk_sign_response *sign_resp) +{ + if (sign_resp == NULL) + return; + freezero(sign_resp->sig_r, sign_resp->sig_r_len); + freezero(sign_resp->sig_s, sign_resp->sig_s_len); + freezero(sign_resp, sizeof(*sign_resp)); +} + +void +sk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks) +{ + size_t i; + + if (nrks == 0 || rks == NULL) + return; + for (i = 0; i < nrks; i++) { + free(rks[i]->application); + freezero(rks[i]->user_id, rks[i]->user_id_len); + freezero(rks[i]->key.key_handle, rks[i]->key.key_handle_len); + freezero(rks[i]->key.public_key, rks[i]->key.public_key_len); + freezero(rks[i]->key.signature, rks[i]->key.signature_len); + freezero(rks[i]->key.attestation_cert, + rks[i]->key.attestation_cert_len); + freezero(rks[i], sizeof(**rks)); + } + free(rks); +} + #endif /* ENABLE_SK_INTERNAL */ diff --git a/ssh-sk.c b/ssh-sk.c index 19ac9dda8..9cc5bd4c1 100644 --- a/ssh-sk.c +++ b/ssh-sk.c @@ -101,6 +101,9 @@ int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len, struct sk_sign_response **sign_response); int ssh_sk_load_resident_keys(const char *pin, struct sk_option **opts, struct sk_resident_key ***rks, size_t *nrks); +void ssh_sk_free_enroll_response(struct sk_enroll_response *enroll_resp); +void ssh_sk_free_sign_response(struct sk_sign_response *enroll_resp); +void ssh_sk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks); static void sshsk_free(struct sshsk_provider *p) @@ -137,6 +140,9 @@ sshsk_open(const char *path) ret->sk_enroll = ssh_sk_enroll; ret->sk_sign = ssh_sk_sign; ret->sk_load_resident_keys = ssh_sk_load_resident_keys; + ret->sk_free_enroll_response = ssh_sk_free_enroll_response; + ret->sk_free_sign_response = ssh_sk_free_sign_response; + ret->sk_free_sk_resident_keys = ssh_sk_free_sk_resident_keys; return ret; #else error("internal security key support not enabled"); @@ -206,29 +212,6 @@ fail: return NULL; } -static void -sshsk_free_enroll_response(struct sk_enroll_response *r) -{ - if (r == NULL) - return; - freezero(r->key_handle, r->key_handle_len); - freezero(r->public_key, r->public_key_len); - freezero(r->signature, r->signature_len); - freezero(r->attestation_cert, r->attestation_cert_len); - freezero(r->authdata, r->authdata_len); - freezero(r, sizeof(*r)); -} - -static void -sshsk_free_sign_response(struct sk_sign_response *r) -{ - if (r == NULL) - return; - freezero(r->sig_r, r->sig_r_len); - freezero(r->sig_s, r->sig_s_len); - freezero(r, sizeof(*r)); -} - #ifdef WITH_OPENSSL /* Assemble key from response */ static int @@ -781,26 +764,6 @@ sshsk_sign(const char *provider_path, struct sshkey *key, return r; } -static void -sshsk_free_sk_resident_keys(struct sk_resident_key **rks, size_t nrks) -{ - size_t i; - - if (nrks == 0 || rks == NULL) - return; - for (i = 0; i < nrks; i++) { - free(rks[i]->application); - freezero(rks[i]->user_id, rks[i]->user_id_len); - freezero(rks[i]->key.key_handle, rks[i]->key.key_handle_len); - freezero(rks[i]->key.public_key, rks[i]->key.public_key_len); - freezero(rks[i]->key.signature, rks[i]->key.signature_len); - freezero(rks[i]->key.attestation_cert, - rks[i]->key.attestation_cert_len); - freezero(rks[i], sizeof(**rks)); - } - free(rks); -} - static void sshsk_free_resident_key(struct sshsk_resident_key *srk) { -- 2.39.5 _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev