Ignore PKCS#11 label if no key is found with it (#1671262)

This commit is contained in:
Jakub Jelen 2019-03-11 16:08:21 +01:00
parent c694548168
commit c53a1d4e90
2 changed files with 26 additions and 3 deletions


@ -466,7 +466,7 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
{ CKA_ID, NULL, 0 }, { CKA_ID, NULL, 0 },
{ CKA_LABEL, NULL, 0 } { CKA_LABEL, NULL, 0 }
}; };
@@ -569,29 +772,60 @@ pkcs11_fetch_keys(struct pkcs11_provider @@ -569,37 +772,72 @@ pkcs11_fetch_keys(struct pkcs11_provider
{ CKA_SUBJECT, NULL, 0 }, { CKA_SUBJECT, NULL, 0 },
{ CKA_VALUE, NULL, 0 } { CKA_VALUE, NULL, 0 }
}; };
@ -532,7 +532,20 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1, + pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1,
cert_attribs, keysp, nkeys) < 0) cert_attribs, keysp, nkeys) < 0)
return (-1); return (-1);
return (0); if (*nkeys == 0) {
/* Try once more without the label filter */
filter_size--;
if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
pubkey_attribs, keysp, nkeys) < 0 ||
- pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
+#ifdef ENABLE_PKCS11_ECDSA
+ pkcs11_fetch_keys_filter(p, slotidx, ecdsa_filter, filter_size,
+ ecdsa_attribs, keysp, nkeys) < 0||
+#endif /* ENABLE_PKCS11_ECDSA */
+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1,
cert_attribs, keysp, nkeys) < 0)
return (-1);
}
@@ -624,8 +858,13 @@ pkcs11_fetch_keys_filter(struct pkcs11_p @@ -624,8 +858,13 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4], CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],
struct sshkey ***keysp, int *nkeys) struct sshkey ***keysp, int *nkeys)
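Review bot: The fallback in the `if (*nkeys == 0)` branch retries without the label filter silently, so a caller who pinned a specific object by label in the PKCS#11 URI can end up with a different key from the same token and nothing in the log says the label was dropped; a `debug("%s: no key matched label, retrying without label filter", __func__);` before `filter_size--` would make the widening visible when a user later wonders why an unexpected key was used. `filter_size--` is also unconditional, and this hunk does not show how filter_size was built, so if the label attribute is only appended when a label is present, the decrement could strip a different filter attribute on the retry — worth confirming against the lines that fill pubkey_filter above the hunk. The same fallback block is duplicated verbatim in the pkcs11-uri patch section (the `if (*nkeys == 0)` lines there), so any change here belongs in both. Minor style: `< 0||` is missing a space before `||`. The enclosing pkcs11_fetch_keys starts outside the hunk.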


@ -3785,7 +3785,7 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-uri openssh/ssh-pkcs11.c
return (0); return (0);
} }
@@ -404,38 +537,62 @@ pkcs11_open_session(struct pkcs11_provid @@ -404,39 +537,72 @@ pkcs11_open_session(struct pkcs11_provid
* keysp points to an (possibly empty) array with *nkeys keys. * keysp points to an (possibly empty) array with *nkeys keys.
*/ */
static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG, static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
@ -3854,8 +3854,18 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-uri openssh/ssh-pkcs11.c
+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size, + pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
+ cert_attribs, keysp, nkeys) < 0) + cert_attribs, keysp, nkeys) < 0)
return (-1); return (-1);
+ if (*nkeys == 0) {
+ /* Try once more without the label filter */
+ filter_size--;
+ if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
+ pubkey_attribs, keysp, nkeys) < 0 ||
+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
+ cert_attribs, keysp, nkeys) < 0)
+ return (-1);
+ }
return (0); return (0);
} }
@@ -462,14 +619,15 @@ have_rsa_key(const RSA *rsa) @@ -462,14 +619,15 @@ have_rsa_key(const RSA *rsa)
static int static int