From 7de9722d23c43c631439aed79ab6dbb49736e4a8 Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sahana@redhat.com>
Date: Thu, 14 May 2020 16:18:03 +0200
Subject: src/pki_crypto.c pki_publickey_to_blob() should not be used to export
 public key from                  private keys for ecdsa keys.                
  ssh_userauth_publickey() calls ssh_pki_export_pubkey_blob() and tries to
 export                  the the public key from private key if public keys
 are not already imported                  into pkcs #11 tokens.

Signed-off-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
---
 src/pki_crypto.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 689faa1e..08409209 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -1330,6 +1330,14 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
                 return NULL;
             }
 
+#ifdef WITH_PKCS11_URI
+            if (ssh_key_is_private(key) && !EC_KEY_get0_public_key(key->ecdsa)) {
+                SSH_LOG(SSH_LOG_INFO, "It is mandatory to have separate public"
+                        " ECDSA key objects in the PKCS #11 device. Unlike RSA,"
+                        " ECDSA public keys cannot be derived from their private keys.");
+                goto fail;
+            }
+#endif
             e = make_ecpoint_string(EC_KEY_get0_group(key->ecdsa),
                                     EC_KEY_get0_public_key(key->ecdsa));
             if (e == NULL) {
-- 
cgit v1.2.3