[Bug 2474] Enabling ECDSA in PKCS#11 support for ssh-agent

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Nov 25 09:17:51 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2474

Dmitry Savintsev <dsavints at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3069|0                           |1
        is obsolete|                            |
                 CC|                            |dsavints at gmail.com

--- Comment #9 from Dmitry Savintsev <dsavints at gmail.com> ---
Created attachment 3093
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3093&action=edit
Fifth Iteration of 7.6p1

I believe there is a small bug in the previous version of the patch
("Updated for 7.6p1" - 2017-10-20 15:48 EST) with missing zero check on
k11->keyid_len before calling xmalloc in pkcs11_ecdsa_wrap. This leads
to ssh-pkcs11-helper crashing when trying to add a SoftHSM
(https://www.opendnssec.org/softhsm/) card with an ECDSA key (though it
works fine with only RSA keys present).  The check "if (k11->keyid_len
> 0) {" is present in the pkcs11_rsa_wrap function, now added also in
pkcs11_ecdsa_wrap.  I also uploaded the 7.6p1 version with the previous
("Updated for 7.6p1") patch to
https://github.com/dmitris/openssh-portable/tree/7.6p1-bug2474-patch;
the version with the current fix is in
https://github.com/dmitris/openssh-portable/tree/7.6p1-bug2474-patch-fix
and the diff can be seen in the demo PR
https://github.com/dmitris/openssh-portable/pull/1/files.

With the fix applied, I was able to successfully add the SoftHSM "card"
with ECDSA keys with "ssh-add -s
/usr/local/lib/softhsm/libsofthsm2.so".  (Thanks so much Mathias for
creating the patch and making this possible!)
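As an added illustration (not the attached patch or OpenSSH source), the failure mode the comment describes, modelled in C: OpenSSH's xmalloc() treats a zero-size request as a fatal error, so a token key whose CKA_ID is empty (keyid_len == 0) takes the helper down unless the length is checked first, which is the guard pkcs11_rsa_wrap already had and pkcs11_ecdsa_wrap gains. The struct and the two copy functions are hypothetical stand-ins; the fatal path is counted instead of exiting so both variants can run in one process.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenSSH's xmalloc(): the real one calls fatal() on a
 * zero-size request and never returns NULL for it.  Counted here instead
 * of exiting; in ssh-pkcs11-helper that fatal() is the reported crash. */
static int fatal_count = 0;

static void *xmalloc(size_t size)
{
	if (size == 0) {
		fatal_count++;		/* real xmalloc(): fatal("xmalloc: zero size") */
		return NULL;
	}
	void *p = malloc(size);
	if (p == NULL)
		fatal_count++;
	return p;
}

/* Hypothetical subset of the per-key state the helper keeps. */
struct pkcs11_key {
	unsigned char *keyid;
	size_t keyid_len;
};

/* Copy of the token's CKA_ID without the length check: an empty CKA_ID
 * reaches xmalloc(0) and takes the fatal path. */
static int copy_keyid_unguarded(struct pkcs11_key *k11,
    const unsigned char *id, size_t len)
{
	k11->keyid_len = len;
	k11->keyid = xmalloc(k11->keyid_len);
	if (k11->keyid == NULL)
		return -1;
	memcpy(k11->keyid, id, len);
	return 0;
}

/* Same copy with the "if (k11->keyid_len > 0)" guard from the comment:
 * an empty CKA_ID leaves keyid NULL and never calls xmalloc(). */
static int copy_keyid_guarded(struct pkcs11_key *k11,
    const unsigned char *id, size_t len)
{
	k11->keyid = NULL;
	k11->keyid_len = len;
	if (k11->keyid_len > 0) {
		k11->keyid = xmalloc(k11->keyid_len);
		if (k11->keyid == NULL)
			return -1;
		memcpy(k11->keyid, id, len);
	}
	return 0;
}
```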
