DPP: Use crypto_ec_key_parse_pub() in dpp_get_subject_public_key()

The extra validation steps through the OpenSSL X509 API are not really necessary here and they most duplicate checks that happen implicitly within d2i_PUBKEY() and the EVP_PKEY_get0_EC_KEY() checks in crypto_ec_key_parse_pub(). Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-06-28 18:25:26 +02:00 · 2021-06-28 18:25:26 +02:00 · e294a73d0c
commit e294a73d0c
parent 9c1632908d
2 changed files with 10 additions and 115 deletions
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@ -101,21 +101,6 @@ const struct dpp_curve_params * dpp_get_curve_jwk_crv(const char *name)
 }
 static const struct dpp_curve_params *
 dpp_get_curve_oid(const ASN1_OBJECT *poid)
 {
 	ASN1_OBJECT *oid;
 	int i;
 	for (i = 0; dpp_curves[i].name; i++) {
 		oid = OBJ_txt2obj(dpp_curves[i].name, 0);
 		if (oid && OBJ_cmp(poid, oid) == 0)
 			return &dpp_curves[i];
 	}
 	return NULL;
 }
 const struct dpp_curve_params * dpp_get_curve_nid(int nid)
 {
 	int i, tmp;
@ -833,118 +818,32 @@ int dpp_bi_pubkey_hash(struct dpp_bootstrap_info *bi,
 int dpp_get_subject_public_key(struct dpp_bootstrap_info *bi,
 			       const u8 *data, size_t data_len)
 {
-	EVP_PKEY *pkey;
+	struct crypto_ec_key *key;
 	const unsigned char *p;
 	int res;
 	X509_PUBKEY *pub = NULL;
 	ASN1_OBJECT *ppkalg;
 	const unsigned char *pk;
 	int ppklen;
 	X509_ALGOR *pa;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
 	(defined(LIBRESSL_VERSION_NUMBER) && \
 	 LIBRESSL_VERSION_NUMBER < 0x20800000L)
 	ASN1_OBJECT *pa_oid;
 #else
 	const ASN1_OBJECT *pa_oid;
 #endif
 	const void *pval;
 	int ptype;
 	const ASN1_OBJECT *poid;
 	char buf[100];
 	if (dpp_bi_pubkey_hash(bi, data, data_len) < 0) {
 		wpa_printf(MSG_DEBUG, "DPP: Failed to hash public key");
 		return -1;
 	}
-	/* DER encoded ASN.1 SubjectPublicKeyInfo
+	key = crypto_ec_key_parse_pub(data, data_len);
-	 *
+	if (!key) {
 	 * SubjectPublicKeyInfo  ::=  SEQUENCE  {
 	 *      algorithm            AlgorithmIdentifier,
 	 *      subjectPublicKey     BIT STRING  }
 	 *
 	 * AlgorithmIdentifier  ::=  SEQUENCE  {
 	 *      algorithm               OBJECT IDENTIFIER,
 	 *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
 	 *
 	 * subjectPublicKey = compressed format public key per ANSI X9.63
 	 * algorithm = ecPublicKey (1.2.840.10045.2.1)
 	 * parameters = shall be present and shall be OBJECT IDENTIFIER; e.g.,
 	 *       prime256v1 (1.2.840.10045.3.1.7)
 	 */
 	p = data;
 	pkey = d2i_PUBKEY(NULL, &p, data_len);
 	if (!pkey) {
 		wpa_printf(MSG_DEBUG,
 			   "DPP: Could not parse URI public-key SubjectPublicKeyInfo");
 		return -1;
 	}
-	if (EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) {
+	bi->curve = dpp_get_curve_ike_group(crypto_ec_key_group(key));
 		wpa_printf(MSG_DEBUG,
 			   "DPP: SubjectPublicKeyInfo does not describe an EC key");
 		EVP_PKEY_free(pkey);
 		return -1;
 	}
 	res = X509_PUBKEY_set(&pub, pkey);
 	if (res != 1) {
 		wpa_printf(MSG_DEBUG, "DPP: Could not set pubkey");
 		goto fail;
 	}
 	res = X509_PUBKEY_get0_param(&ppkalg, &pk, &ppklen, &pa, pub);
 	if (res != 1) {
 		wpa_printf(MSG_DEBUG,
 			   "DPP: Could not extract SubjectPublicKeyInfo parameters");
 		goto fail;
 	}
 	res = OBJ_obj2txt(buf, sizeof(buf), ppkalg, 0);
 	if (res < 0 || (size_t) res >= sizeof(buf)) {
 		wpa_printf(MSG_DEBUG,
 			   "DPP: Could not extract SubjectPublicKeyInfo algorithm");
 		goto fail;
 	}
 	wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey algorithm: %s", buf);
 	if (os_strcmp(buf, "id-ecPublicKey") != 0) {
 		wpa_printf(MSG_DEBUG,
 			   "DPP: Unsupported SubjectPublicKeyInfo algorithm");
 		goto fail;
 	}
 	X509_ALGOR_get0(&pa_oid, &ptype, (void *) &pval, pa);
 	if (ptype != V_ASN1_OBJECT) {
 		wpa_printf(MSG_DEBUG,
 			   "DPP: SubjectPublicKeyInfo parameters did not contain an OID");
 		goto fail;
 	}
 	poid = pval;
 	res = OBJ_obj2txt(buf, sizeof(buf), poid, 0);
 	if (res < 0 || (size_t) res >= sizeof(buf)) {
 		wpa_printf(MSG_DEBUG,
 			   "DPP: Could not extract SubjectPublicKeyInfo parameters OID");
 		goto fail;
 	}
 	wpa_printf(MSG_DEBUG, "DPP: URI subjectPublicKey parameters: %s", buf);
 	bi->curve = dpp_get_curve_oid(poid);
 	if (!bi->curve) {
 		wpa_printf(MSG_DEBUG,
-			   "DPP: Unsupported SubjectPublicKeyInfo curve: %s",
+			   "DPP: Unsupported SubjectPublicKeyInfo curve: group %d",
-			   buf);
+			   crypto_ec_key_group(key));
 		goto fail;
 	}
-	wpa_hexdump(MSG_DEBUG, "DPP: URI subjectPublicKey", pk, ppklen);
+	bi->pubkey = key;
 	X509_PUBKEY_free(pub);
 	bi->pubkey = (struct crypto_ec_key *) pkey;
 	return 0;
 fail:
-	X509_PUBKEY_free(pub);
+	crypto_ec_key_deinit(key);
 	EVP_PKEY_free(pkey);
 	return -1;
 }
@ -1231,13 +1130,11 @@ dpp_check_signed_connector(struct dpp_signed_connector_info *info,
 			   const u8 *csign_key, size_t csign_key_len,
 			   const u8 *peer_connector, size_t peer_connector_len)
 {
 	const unsigned char *p;
 	struct crypto_ec_key *csign;
 	char *signed_connector = NULL;
 	enum dpp_status_error res = DPP_STATUS_INVALID_CONNECTOR;
-	p = csign_key;
+	csign = crypto_ec_key_parse_pub(csign_key, csign_key_len);
 	csign = (struct crypto_ec_key *) d2i_PUBKEY(NULL, &p, csign_key_len);
 	if (!csign) {
 		wpa_printf(MSG_ERROR,
 			   "DPP: Failed to parse local C-sign-key information");
--- a/src/common/dpp_reconfig.c
+++ b/src/common/dpp_reconfig.c
@ -41,7 +41,6 @@ struct wpabuf * dpp_build_reconfig_announcement(const u8 *csign_key,
 {
 	struct wpabuf *msg = NULL;
 	struct crypto_ec_key *csign = NULL;
 	const unsigned char *p;
 	struct wpabuf *uncomp;
 	u8 hash[SHA256_MAC_LEN];
 	const u8 *addr[1];
@ -61,8 +60,7 @@ struct wpabuf * dpp_build_reconfig_announcement(const u8 *csign_key,
 		goto fail;
 	}
-	p = csign_key;
+	csign = crypto_ec_key_parse_pub(csign_key, csign_key_len);
 	csign = (struct crypto_ec_key *) d2i_PUBKEY(NULL, &p, csign_key_len);
 	if (!csign) {
 		wpa_printf(MSG_ERROR,
 			   "DPP: Failed to parse local C-sign-key information");