[Bug 3364] New: Using "ssh-keygen -D pkcs11" with HSM fails due to "xmalloc: zero size"

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Nov 18 20:52:56 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3364

            Bug ID: 3364
           Summary: Using "ssh-keygen -D pkcs11" with HSM fails due to
                    "xmalloc: zero size"
           Product: Portable OpenSSH
           Version: 8.8p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Smartcard
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ietxezarreta at ikerlan.es

When using the cryptochip ATECC608B, from Microchip, with the provided
cryptolibrary "cryptoauthlib", the pkcs11 related operations fail due
to "xmalloc: zero size".

Steps to reproduce:
1.- Compile and install Microchip cryptoauthlib library.
2.- Modify this library to handle unset Mutexes (in functions
pkcs11_lock_context and pkcs11_unlock_context change rv = CKR_CANT_LOCK
for rv = CKR_OK)
3.- Execute the command ssh-keygen -D /usr/lib/libcryptoauth.so

Actual result:
xmalloc: zero size

Expected output:
C_GetAttributeValue failed: 7
failed to fetch key
ecdsa-sha2-nistp256
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPmKkZ2M7DeVdwOpCW8XSnLYUbPx5RIk8OF8B0F0OwmRWexpsZONwft41YRI76gxZ/cN7wt4wO765ULvXQhxFCQ=
device


This issue was solved by protecting the allocation of "k11->keyid" in
line 614 of file "ssh-pkcs11.c", for example like:

++ if(k11->keyid_len)
++ {
        k11->keyid = xmalloc(k11->keyid_len);
        memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
++ }
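
Review bot: the new "if(k11->keyid_len)" guard leaves k11->keyid unassigned when the length is 0, so the fix is only safe if k11 is zero-initialised before this point and any later code that reads or frees k11->keyid accepts a NULL pointer with keyid_len == 0; please confirm that, or set k11->keyid = NULL explicitly in an else branch. It is also worth deciding whether a key whose ID attribute comes back empty should be kept at all or skipped with a debug message, since nothing in this hunk distinguishes it from other keys with an empty ID. Style: the surrounding code uses KNF, so this would read "if (k11->keyid_len > 0) {" with the brace on the same line.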

Would it be possible to include this fix or something similar to solve
the problem?

Thank you very much!
