SSH cert sign: check OpenSSL return code (#446)

Yubico · Jan 10, 2025 · b07263e · b07263e
1 parent ae51177
commit b07263e
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 18 deletions.
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -155,7 +155,7 @@ jobs:
 
       - name: upload artifacts for the test job
         if: ${{ matrix.upload_for_test == 'true' }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: "${{ env.ARTIFACT_NAME }}"
           path: yubihsm-shell.tar.gz
@@ -186,7 +186,7 @@ jobs:
     steps:
 
       - name: clone the Yubico/yubihsm-shell repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: yubihsm-shell
 
@@ -288,7 +288,7 @@ jobs:
 
       - name: upload artifacts for the test job
         if: ${{ matrix.upload_for_test == 'true' }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: "${{ env.ARTIFACT_NAME }}"
           path: yubihsm-shell.tar.gz
@@ -385,7 +385,7 @@ jobs:
           echo "ARTIFACT_NAME=yubihsm-shell_${ESCAPED_IMAGE}_${CC}" >> $GITHUB_ENV
 
       - name: download artifacts from the build job
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: "${{ env.ARTIFACT_NAME }}"
 
@@ -417,7 +417,7 @@ jobs:
           echo "DEFAULT_CONNECTOR_URL=$DEFAULT_CONNECTOR_URL" >> $GITHUB_ENV
 
       - name: clone the YubicoLabs/pkcs11test repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: YubicoLabs/pkcs11test
           path: pkcs11test
@@ -450,7 +450,7 @@ jobs:
           fi
 
       - name: clone the YubicoLabs/python-pkcs11tester repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: YubicoLabs/python-pkcs11tester
           path: python-pkcs11tester

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -188,7 +188,7 @@ jobs:
                                   jq
 
       - name: clone the Yubico/yubihsm-shell repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: yubihsm-shell
 
@@ -283,7 +283,7 @@ jobs:
 
 
       - name: upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: "yubihsm-shell-${{ env.PLATFORM }}-amd64"
           path: ${{ env.PLATFORM }}
@@ -304,7 +304,7 @@ jobs:
     steps:
 
       - name: clone the Yubico/yubihsm-shell repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: yubihsm-shell
 
@@ -408,7 +408,7 @@ jobs:
 
 
       - name: upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: "yubihsm-shell-${{ env.PLATFORM }}-amd64"
           path: ${{ env.PLATFORM }}
diff --git a/src/commands.c b/src/commands.c
@@ -3098,12 +3098,19 @@ int yh_com_sign_ssh_certificate(yubihsm_context *ctx, Argument *argv,
   uint8_t data[YH_MSG_BUF_SIZE + 1024] = {0};
   size_t response_len = sizeof(data);
 
-  if (argv[4].len != (4 + 256)) { // 4 bytes timestamp + 256 byte signature
-    fprintf(stderr, "Failed to sign ssh certificate: %s\n",
+  if (argv[4].len > YH_MSG_BUF_SIZE) {
+    fprintf(stderr, "Failed to sign ssh certificate: %s. Data too long\n",
             yh_strerror(YHR_BUFFER_TOO_SMALL));
     return -1;
   }
 
+  const size_t certdata_offset = 4 + 256; // 4 bytes timestamp + 256 byte signature
+  if(argv[4].len < certdata_offset) {
+    fprintf(stderr, "Failed to sign ssh certificate: %s. Data too short.\n",
+            yh_strerror(YHR_WRONG_LENGTH));
+    return -1;
+  }
+
   memcpy(data, argv[4].x, argv[4].len);
   response_len -= argv[4].len;
 
@@ -3129,14 +3136,16 @@ int yh_com_sign_ssh_certificate(yubihsm_context *ctx, Argument *argv,
   }
   bio = BIO_push(b64, bio);
 
+  int cert_len = argv[4].len - certdata_offset + response_len;
   BUF_MEM *bufferPtr = 0;
 
-  (void) BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
-  (void) BIO_write(bio, data + 4 + 256,
-                   argv[4].len + response_len - 4 -
-                     256); // TODO(adma): FIXME, unmagify
-  (void) BIO_flush(bio);
-  (void) BIO_get_mem_ptr(bio, &bufferPtr);
+  BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
+  if (BIO_write(bio, data + certdata_offset, cert_len) != cert_len) {
+        fprintf(stderr, "Failed to write SSH certificate.\n");
+        return -1;
+  }
+  BIO_flush(bio);
+  BIO_get_mem_ptr(bio, &bufferPtr);
 
   const char *ssh_cert_str =
     "[email protected] "; // TODO(adma): ECDSA