Ignore PKCS#11 label if no key is found with it (#1671262)

2019-03-11 16:08:21 +01:00 · 2019-03-11 16:08:21 +01:00 · c53a1d4e90
commit c53a1d4e90
parent c694548168
2 changed files with 26 additions and 3 deletions
--- a/openssh-7.6p1-pkcs11-ecdsa.patch
+++ b/openssh-7.6p1-pkcs11-ecdsa.patch
@ -466,7 +466,7 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
 		{ CKA_ID, NULL, 0 },
 		{ CKA_LABEL, NULL, 0 }
 	};
-@@ -569,29 +772,60 @@ pkcs11_fetch_keys(struct pkcs11_provider
+@@ -569,37 +772,72 @@ pkcs11_fetch_keys(struct pkcs11_provider
 		{ CKA_SUBJECT, NULL, 0 },
 		{ CKA_VALUE, NULL, 0 }
 	};
@ -532,7 +532,20 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
 +	    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1,
 	    cert_attribs, keysp, nkeys) < 0)
 		return (-1);
- 	return (0);
+ 	if (*nkeys == 0) {
+ 		/* Try once more without the label filter */
+ 		filter_size--;
+ 		if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
+ 		    pubkey_attribs, keysp, nkeys) < 0 ||
+-		    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
+#ifdef ENABLE_PKCS11_ECDSA
+		    pkcs11_fetch_keys_filter(p, slotidx, ecdsa_filter, filter_size,
+		    ecdsa_attribs, keysp, nkeys) < 0||
+#endif /* ENABLE_PKCS11_ECDSA */
+		    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1,
+ 		    cert_attribs, keysp, nkeys) < 0)
+ 	 		return (-1);
+ 	}
@@ -624,8 +858,13 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
     CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],
     struct sshkey ***keysp, int *nkeys)
--- a/openssh-7.6p1-pkcs11-uri.patch
+++ b/openssh-7.6p1-pkcs11-uri.patch
@ -3785,7 +3785,7 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-uri openssh/ssh-pkcs11.c
 	return (0);
 }
 
-@@ -404,38 +537,62 @@ pkcs11_open_session(struct pkcs11_provid
+@@ -404,39 +537,72 @@ pkcs11_open_session(struct pkcs11_provid
  * keysp points to an (possibly empty) array with *nkeys keys.
  */
 static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
@ -3854,8 +3854,18 @@ diff -up openssh/ssh-pkcs11.c.pkcs11-uri openssh/ssh-pkcs11.c
 +	    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
 +	    cert_attribs, keysp, nkeys) < 0)
 		return (-1);
+	if (*nkeys == 0) {
+		/* Try once more without the label filter */
+		filter_size--;
+		if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,
+		    pubkey_attribs, keysp, nkeys) < 0 ||
+		    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,
+		    cert_attribs, keysp, nkeys) < 0)
+	 		return (-1);
+	}
 	return (0);
 }
+ 
@@ -462,14 +619,15 @@ have_rsa_key(const RSA *rsa)
 
 static int