pki: Factor out the backend-specifics from cleaning the key structure

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2025-11-29 01:03:57 +03:00 · 2022-08-18 14:08:04 +02:00
parent bc0c027ac0
commit 382ff38caa
5 changed files with 64 additions and 44 deletions
--- a/include/libssh/pki_priv.h
+++ b/include/libssh/pki_priv.h
@@ -49,6 +49,8 @@ enum ssh_key_e {
  SSH_KEY_PRIVATE
 };

+void pki_key_clean(ssh_key key);
+
 int pki_key_ecdsa_nid_from_name(const char *name);
 const char *pki_key_ecdsa_nid_to_name(int nid);
 const char *ssh_key_signature_to_char(enum ssh_keytypes_e type,
--- a/src/pki.c
+++ b/src/pki.c
@@ -154,37 +154,9 @@ void ssh_key_clean (ssh_key key)
 {
    if (key == NULL)
        return;
-#ifdef HAVE_LIBGCRYPT
-    if(key->dsa) gcry_sexp_release(key->dsa);
-    if(key->rsa) gcry_sexp_release(key->rsa);
-    if(key->ecdsa) gcry_sexp_release(key->ecdsa);
-#elif defined HAVE_LIBCRYPTO
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-    if(key->dsa) DSA_free(key->dsa);
-    if(key->rsa) RSA_free(key->rsa);
-#else
-    if(key->key) EVP_PKEY_free(key->key);
-#endif /* OPENSSL_VERSION_NUMBER */
-#ifdef HAVE_OPENSSL_ECC
-/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
- * https://github.com/openssl/openssl/pull/16624
- * Move whole HAVE_OPENSSL_EC into #if < 0x3 above
- */
-#if 1
-    if(key->ecdsa) EC_KEY_free(key->ecdsa);
-#endif
-#endif /* HAVE_OPENSSL_ECC */
-#elif defined HAVE_LIBMBEDCRYPTO
-    if (key->rsa != NULL) {
-        mbedtls_pk_free(key->rsa);
-        SAFE_FREE(key->rsa);
-    }

-    if (key->ecdsa != NULL) {
-        mbedtls_ecdsa_free(key->ecdsa);
-        SAFE_FREE(key->ecdsa);
-    }
-#endif
+    pki_key_clean(key);
+
    if (key->ed25519_privkey != NULL){
 #ifdef HAVE_OPENSSL_ED25519
        /* In OpenSSL implementation the private key is only the private
@@ -208,21 +180,10 @@ void ssh_key_clean (ssh_key key)
        ssh_string_free(key->sk_application);
    }
    key->cert_type = SSH_KEYTYPE_UNKNOWN;
-    key->flags=SSH_KEY_FLAG_EMPTY;
-    key->type=SSH_KEYTYPE_UNKNOWN;
+    key->flags = SSH_KEY_FLAG_EMPTY;
+    key->type = SSH_KEYTYPE_UNKNOWN;
    key->ecdsa_nid = 0;
-    key->type_c=NULL;
-#if !defined(HAVE_LIBCRYPTO) || OPENSSL_VERSION_NUMBER < 0x30000000L
-    key->dsa = NULL;
-    key->rsa = NULL;
-#else
-    key->key = NULL;
-#endif /* OPENSSL_VERSION_NUMBER */
-/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
- * https://github.com/openssl/openssl/pull/16624
- * Move into #if OPENSSL_VERSION_NUMBER < 0x3 above
- */
-    key->ecdsa = NULL;
+    key->type_c = NULL;
 }

 /**
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -87,6 +87,30 @@ static int pem_get_password(char *buf, int size, int rwflag, void *userdata) {
    return 0;
 }

+void pki_key_clean(ssh_key key)
+{
+    if (key == NULL)
+        return;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+    DSA_free(key->dsa);
+    key->dsa = NULL;
+    RSA_free(key->rsa);
+    key->rsa = NULL;
+#endif /* OPENSSL_VERSION_NUMBER */
+#ifdef HAVE_OPENSSL_ECC
+/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
+ * https://github.com/openssl/openssl/pull/16624
+ * Move whole HAVE_OPENSSL_ECC into #if < 0x3 above
+ */
+#if 1
+    EC_KEY_free(key->ecdsa);
+    key->ecdsa = NULL;
+#endif
+#endif /* HAVE_OPENSSL_ECC */
+    EVP_PKEY_free(key->key);
+    key->key = NULL;
+}
+
 #ifdef HAVE_OPENSSL_ECC
 /* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
 * https://github.com/openssl/openssl/pull/16624
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -283,6 +283,23 @@ static int passphrase_to_key(char *data, unsigned int datalen,
  return 0;
 }

+void pki_key_clean(ssh_key key)
+{
+    if (key == NULL)
+        return;
+
+    if (key->dsa)
+        gcry_sexp_release(key->dsa);
+    if (key->rsa)
+        gcry_sexp_release(key->rsa);
+    if (key->ecdsa)
+        gcry_sexp_release(key->ecdsa);
+
+    key->dsa = NULL;
+    key->rsa = NULL;
+    key->ecdsa = NULL;
+}
+
 static int privatekey_decrypt(int algo, int mode, unsigned int key_len,
                       unsigned char *iv, unsigned int iv_len,
                       ssh_buffer data, ssh_auth_callback cb,
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -38,6 +38,22 @@
 #define MAX_PASSPHRASE_SIZE 1024
 #define MAX_KEY_SIZE 32

+void pki_key_clean(ssh_key key)
+{
+    if (key == NULL)
+        return;
+
+    if (key->rsa != NULL) {
+        mbedtls_pk_free(key->rsa);
+        SAFE_FREE(key->rsa);
+    }
+
+    if (key->ecdsa != NULL) {
+        mbedtls_ecdsa_free(key->ecdsa);
+        SAFE_FREE(key->ecdsa);
+    }
+}
+
 ssh_string pki_private_key_to_pem(const ssh_key key, const char *passphrase,
        ssh_auth_callback auth_fn, void *auth_data)
 {