[pkg-opensc-commit] [libp11] 06/33: Added EC public key sanity checks

Mon Sep 19 02:11:02 UTC 2016

This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository libp11.

commit 80c5a9419bbc4c31b76da54741a0594251342878
Author: Michał Trojnara <Michal.Trojnara at stunnel.org>
Date:   Thu Apr 21 22:34:11 2016 +0200

    Added EC public key sanity checks
    
    Require returned EC public keys to contain the params and the point.
---
 src/p11_ec.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/p11_ec.c b/src/p11_ec.c
index 20905ca..f93fbfc 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -88,11 +88,9 @@ static void free_ec_ex_index()
 
 static EC_KEY *pkcs11_get_ec(PKCS11_KEY *key)
 {
-	EC_KEY *ec;
-	size_t params_len = 0;
-	CK_BYTE *params;
-	size_t point_len = 0;
-	CK_BYTE *point;
+	EC_KEY *ec, *found_params = NULL, *found_point = NULL;
+	CK_BYTE *params, *point;
+	size_t params_len = 0, point_len = 0;
 	PKCS11_KEY *pubkey;
 
 	ec = EC_KEY_new();
@@ -108,7 +106,7 @@ static EC_KEY *pkcs11_get_ec(PKCS11_KEY *key)
 		const unsigned char *a = params;
 
 		/* Convert to OpenSSL parmas */
-		d2i_ECParameters(&ec, &a, (long)params_len);
+		found_params = d2i_ECParameters(&ec, &a, (long)params_len);
 		OPENSSL_free(params);
 	}
 
@@ -119,23 +117,28 @@ static EC_KEY *pkcs11_get_ec(PKCS11_KEY *key)
 	if (!key_getattr_alloc(pubkey, CKA_EC_POINT, &point, &point_len)) {
 		const unsigned char *a;
 		ASN1_OCTET_STRING *os;
-		EC_KEY *success = NULL;
 
 		/* PKCS#11-compliant modules should return ASN1_OCTET_STRING */
 		a = point;
 		os = d2i_ASN1_OCTET_STRING(NULL, &a, (long)point_len);
 		if (os) {
 			a = os->data;
-			success = o2i_ECPublicKey(&ec, &a, os->length);
+			found_point = o2i_ECPublicKey(&ec, &a, os->length);
 			ASN1_STRING_free(os);
 		}
-		if (success == NULL) { /* Workaround for broken PKCS#11 modules */
+		if (found_point == NULL) { /* Workaround for broken PKCS#11 modules */
 			a = point;
-			o2i_ECPublicKey(&ec, &a, point_len);
+			found_point = o2i_ECPublicKey(&ec, &a, point_len);
 		}
 		OPENSSL_free(point);
 	}
 
+	/* A public keys requires both the params and the point to be present */
+	if (!key->isPrivate && (found_params == NULL || found_point == NULL)) {
+		EC_KEY_free(ec);
+		return NULL;
+	}
+
 	return ec;
 }
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git

