[Bug 2474] Enabling ECDSA in PKCS#11 support for ssh-agent

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Nov 25 09:17:51 AEDT 2017


Dmitry Savintsev <dsavints at gmail.com> changed:

           What    |Removed                     |Added
   Attachment #3069|0                           |1
        is obsolete|                            |
                 CC|                            |dsavints at gmail.com

--- Comment #9 from Dmitry Savintsev <dsavints at gmail.com> ---
Created attachment 3093
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3093&action=edit
Fifth Iteration off 7.6p1

I believe there is a small bug in the previous version of the patch
("Updated for 7.6p1" - 2017-10-20 15:48 EST) with missing zero check on
k11->keyid_len before calling xmalloc in pkcs11_ecdsa_wrap. This leads
to ssh-pkcs11-helper crashing when trying to add a SoftHSM
(https://www.opendnssec.org/softhsm/) card with an ECDSA key (though it
works fine with only RSA keys present).  The check "if (k11->keyid_len
> 0) {" is present in the pkcs11_rsa_wrap function, now added also in
pkcs11_ecdsa_wrap.  I also uploaded the 7.6p1 version with the previous
("Updated for 7.6p1") patch to
the version with the current fix is in
and the diff can be seen in the demo PR

With the fix applied, I was able to successfully add the SoftHSM "card"
with ECDSA keys with "ssh-add -s
/usr/local/lib/softhsm/libsofthsm2.so".  (Thanks so much Mathias for
creating the patch and making this possible!)
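As an added illustration of the crash described in this comment, and not code from the patch or from OpenSSH, the snippet below reproduces the unguarded and the guarded copy of the key id with a stand-in for OpenSSH's xmalloc(), which treats a zero-size request as fatal; the struct, function names and sample key id are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the helper's per-key record (hypothetical, not OpenSSH's struct). */
struct k11_key {
    unsigned char *keyid;
    size_t keyid_len;
};

/* Counts how often the allocator would have aborted; OpenSSH's xmalloc() calls fatal() instead. */
static int fatal_hits = 0;

/* Mimics OpenSSH xmalloc(): a zero-size request is a fatal error, not an empty allocation. */
static void *xmalloc_like(size_t size)
{
    if (size == 0) {
        fprintf(stderr, "xmalloc: zero size\n");   /* what ssh-pkcs11-helper dies with */
        fatal_hits++;
        return NULL;                               /* stands in for fatal() so the caller is testable */
    }
    void *p = malloc(size);
    if (p == NULL) { fatal_hits++; return NULL; }
    return p;
}

/* Copies the PKCS#11 key id into dst. guarded == 0 is the buggy path (no length check),
 * guarded == 1 the fixed one. Returns 0 on success, -1 if the allocator would have been fatal. */
int copy_keyid(const struct k11_key *src, struct k11_key *dst, int guarded)
{
    dst->keyid = NULL;
    dst->keyid_len = src->keyid_len;
    if (guarded && src->keyid_len == 0)
        return 0;            /* a key without a CKA_ID is legitimate: nothing to copy */
    dst->keyid = xmalloc_like(src->keyid_len);
    if (dst->keyid == NULL)
        return -1;
    memcpy(dst->keyid, src->keyid, src->keyid_len);
    return 0;
}

/* Runs one copy with a constructed key id of keyid_len bytes (at most 8).
 * Returns 0 on success, -1 on a would-be fatal allocation, -2 if the copied bytes differ. */
int exercise(size_t keyid_len, int guarded)
{
    unsigned char id[8] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
    struct k11_key src = { keyid_len ? id : NULL, keyid_len }, dst;
    int rc = copy_keyid(&src, &dst, guarded);
    if (rc == 0 && dst.keyid != NULL && memcmp(dst.keyid, id, keyid_len) != 0)
        rc = -2;
    free(dst.keyid);
    return rc;
}
```

Running exercise(0, 0) shows the ECDSA key without a CKA_ID tripping the zero-size allocation, while exercise(0, 1) takes the guarded path and succeeds.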
