From c53a1d4e90a24c9f940c59bd1cec51215fe00ce4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 11 Mar 2019 16:08:21 +0100
Subject: [PATCH] Ignore PKCS#11 label if no key is found with it (#1671262)
---
openssh-7.6p1-pkcs11-ecdsa.patch | 17 +++++++++++++++--
openssh-7.6p1-pkcs11-uri.patch | 12 +++++++++++-
2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/openssh-7.6p1-pkcs11-ecdsa.patch b/openssh-7.6p1-pkcs11-ecdsa.patch
index d356a90..68fe97b 100644
--- a/openssh-7.6p1-pkcs11-ecdsa.patch
+++ b/openssh-7.6p1-pkcs11-ecdsa.patch
@@ -466,7 +466,7 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
{ CKA_ID, NULL, 0 },
{ CKA_LABEL, NULL, 0 }
};
-@@ -569,29 +772,60 @@ pkcs11_fetch_keys(struct pkcs11_provider
+@@ -569,37 +772,72 @@ pkcs11_fetch_keys(struct pkcs11_provider
{ CKA_SUBJECT, NULL, 0 },
{ CKA_VALUE, NULL, 0 }
};
@@ -532,7 +532,20 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1, cert_attribs, keysp, nkeys) < 0)
return (-1);
- return (0);
+ if (*nkeys == 0) {
+ /* Try once more without the label filter */
+ filter_size--;
+ if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
+ pubkey_attribs, keysp, nkeys) < 0 ||
-+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
++#ifdef ENABLE_PKCS11_ECDSA
++ pkcs11_fetch_keys_filter(p, slotidx, ecdsa_filter, filter_size,
++ ecdsa_attribs, keysp, nkeys) < 0||
++#endif /* ENABLE_PKCS11_ECDSA */
++ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1,
+ cert_attribs, keysp, nkeys) < 0)
+ return (-1);
+ }
@@ -624,8 +858,13 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],
struct sshkey ***keysp, int *nkeys)
diff --git a/openssh-7.6p1-pkcs11-uri.patch b/openssh-7.6p1-pkcs11-uri.patch
index 9dac289..708f016 100644
--- a/openssh-7.6p1-pkcs11-uri.patch
+++ b/openssh-7.6p1-pkcs11-uri.patch
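Review bot: The fallback added in the `if (*nkeys == 0)` block silently widens the search: when no object matches the label the user put in the URI, the code re-runs the lookups without it and hands back every key that still matches the remaining attributes, and nothing tells the caller or the user that the label was ignored, so a key other than the one named could be loaded or used for signing. The drop should at least be visible, e.g. a `debug("%s: no key matched label, retrying without the label filter", __func__);` before `filter_size--;`, and the retry should presumably be conditioned on a label actually having been part of the filter, because `filter_size--` otherwise strips whichever attribute happens to be last. Whether `filter_size` includes a label entry is decided earlier in `pkcs11_fetch_keys`, whose body starts outside this hunk, so that condition has to be confirmed against the filter setup there. Separately, `nkeys) < 0||` on the ecdsa line is missing the space before `||` that the neighbouring lines use.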
@@ -3785,7 +3785,7 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-uri openssh/ssh-pkcs11.c
return (0);
}
-@@ -404,38 +537,62 @@ pkcs11_open_session(struct pkcs11_provid
+@@ -404,39 +537,72 @@ pkcs11_open_session(struct pkcs11_provid
* keysp points to an (possibly empty) array with *nkeys keys.
*/
static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
@@ -3854,8 +3854,18 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-uri openssh/ssh-pkcs11.c
+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
+ cert_attribs, keysp, nkeys) < 0)
return (-1);
++ if (*nkeys == 0) {
++ /* Try once more without the label filter */
++ filter_size--;
++ if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
++ pubkey_attribs, keysp, nkeys) < 0 ||
++ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
++ cert_attribs, keysp, nkeys) < 0)
++ return (-1);
++ }
return (0);
}
+
@@ -462,14 +619,15 @@ have_rsa_key(const RSA *rsa)
static int