pkcs11: Add support for 'serial' in PKCS#11 URI

The patch was updated by the upstream MR
https://github.com/openssh/openssh-portable/pull/406
by npocs@redhat.com

openssh-8.0p1-pkcs11-uri.patch

@@ -68,7 +68,7 @@ diff -up openssh-8.7p1/configure.ac.pkcs11-uri openssh-8.7p1/configure.ac
 diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in
 --- openssh-8.7p1/Makefile.in.pkcs11-uri	2021-08-30 13:07:43.571699324 +0200
 +++ openssh-8.7p1/Makefile.in	2021-08-30 13:07:43.663700096 +0200
-@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -105,7 +105,7 @@
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
  	ssh-ed25519-sk.o ssh-rsa.o dh.o \
  	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
@@ -103,7 +103,7 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in
  	$(MKDIR_P) `pwd`/regress/misc/sk-dummy
  	[ -f `pwd`/regress/Makefile ] || \
  	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
-@@ -677,6 +682,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT
+@@ -685,6 +690,16 @@
  	    regress/unittests/test_helper/libtest_helper.a \
  	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(TESTLIBS)
  
@@ -534,7 +534,7 @@ diff -up openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri openssh-8.7p1/regre
 diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1/regress/unittests/pkcs11/tests.c
 --- openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri	2021-08-30 13:07:43.664700104 +0200
 +++ openssh-8.7p1/regress/unittests/pkcs11/tests.c	2021-08-30 13:07:43.664700104 +0200
-@@ -0,0 +1,337 @@
+@@ -0,0 +1,346 @@
 +/*
 + * Copyright (c) 2017 Red Hat
 + *
@@ -563,7 +563,7 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
 +#include "sshbuf.h"
 +#include "ssh-pkcs11-uri.h"
 +
-+#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL)
++#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL)
 +
 +/* prototypes are not public -- specify them here internally for tests */
 +struct sshbuf *percent_encode(const char *, size_t, char *);
@@ -596,6 +596,10 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
 +		ASSERT_STRING_EQ(a->lib_manuf, b->lib_manuf);
 +	else /* both should be null */
 +		ASSERT_PTR_EQ(a->lib_manuf, b->lib_manuf);
++	if (b->serial != NULL)
++		ASSERT_STRING_EQ(a->serial, b->serial);
++	else /* both should be null */
++		ASSERT_PTR_EQ(a->serial, b->serial);
 +}
 +
 +void
@@ -630,7 +634,7 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
 +
 +struct pkcs11_uri *
 +compose_uri(unsigned char *id, size_t id_len, char *token, char *lib_manuf,
-+    char *manuf, char *module_path, char *object, char *pin)
++    char *manuf, char *serial, char *module_path, char *object, char *pin)
 +{
 +	struct pkcs11_uri *uri = pkcs11_uri_init();
 +	if (id_len > 0) {
@@ -641,6 +645,7 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
 +	uri->token = token;
 +	uri->lib_manuf = lib_manuf;
 +	uri->manuf = manuf;
++	uri->serial = serial;
 +	uri->object = object;
 +	uri->pin = pin;
 +	return uri;
@@ -651,47 +656,49 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
 +{
 +	/* path arguments */
 +	check_parse("pkcs11:id=%01",
-+	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL));
++	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
 +	check_parse("pkcs11:id=%00%01",
-+	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL));
++	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
 +	check_parse("pkcs11:token=SSH%20Keys",
-+	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
++	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
 +	check_parse("pkcs11:library-manufacturer=OpenSC",
-+	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL));
++	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL, NULL));
 +	check_parse("pkcs11:manufacturer=piv_II",
-+	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL));
++	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL, NULL));
++	check_parse("pkcs11:serial=IamSerial",
++	    compose_uri(NULL, 0, NULL, NULL, NULL, "IamSerial", NULL, NULL, NULL));
 +	check_parse("pkcs11:object=SIGN%20Key",
-+	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "SIGN Key", NULL));
++	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "SIGN Key", NULL));
 +	/* query arguments */
 +	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
-+	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
++	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 +	check_parse("pkcs11:?pin-value=123456",
-+	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "123456"));
++	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, "123456"));
 +
 +	/* combinations */
 +	/* ID SHOULD be percent encoded */
 +	check_parse("pkcs11:token=SSH%20Key;id=0",
-+	    compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL, NULL));
++	    compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL, NULL, NULL));
 +	check_parse(
 +	    "pkcs11:manufacturer=CAC?module-path=/usr/lib64/p11-kit-proxy.so",
-+	    compose_uri(NULL, 0, NULL, NULL, "CAC",
++	    compose_uri(NULL, 0, NULL, NULL, "CAC", NULL,
 +	    "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 +	check_parse(
 +	    "pkcs11:object=RSA%20Key?module-path=/usr/lib64/pkcs11/opencryptoki.so",
-+	    compose_uri(NULL, 0, NULL, NULL, NULL,
++	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL,
 +	    "/usr/lib64/pkcs11/opencryptoki.so", "RSA Key", NULL));
 +	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so&pin-value=123456",
-+	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, "123456"));
++	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, "123456"));
 +
 +	/* empty path component matches everything */
 +	check_parse("pkcs11:", EMPTY_URI);
 +
 +	/* empty string is a valid to match against (and different from NULL) */
 +	check_parse("pkcs11:token=",
-+	    compose_uri(NULL, 0, "", NULL, NULL, NULL, NULL, NULL));
++	    compose_uri(NULL, 0, "", NULL, NULL, NULL, NULL, NULL, NULL));
 +	/* Percent character needs to be percent-encoded */
 +	check_parse("pkcs11:token=%25",
-+	     compose_uri(NULL, 0, "%", NULL, NULL, NULL, NULL, NULL));
++	     compose_uri(NULL, 0, "%", NULL, NULL, NULL, NULL, NULL, NULL));
 +}
 +
 +static void
@@ -703,7 +710,7 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
 +	check_parse_rv("pkcs11:id=%ZZ", EMPTY_URI, -1);
 +	/* Space MUST be percent encoded -- XXX not enforced yet */
 +	check_parse("pkcs11:token=SSH Keys",
-+	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
++	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
 +	/* MUST NOT contain duplicate attributes of the same name */
 +	check_parse_rv("pkcs11:id=%01;id=%02", EMPTY_URI, -1);
 +	/* MUST NOT contain duplicate attributes of the same name */
@@ -734,29 +741,31 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
 +{
 +	/* path arguments */
 +	check_gen("pkcs11:id=%01",
-+	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL));
++	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
 +	check_gen("pkcs11:id=%00%01",
-+	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL));
++	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
 +	check_gen("pkcs11:token=SSH%20Keys", /* space must be percent encoded */
-+	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
++	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
 +	/* library-manufacturer is not implmented now */
 +	/*check_gen("pkcs11:library-manufacturer=OpenSC",
-+	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL));*/
++	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL, NULL));*/
 +	check_gen("pkcs11:manufacturer=piv_II",
-+	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL));
++	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL, NULL));
++	check_gen("pkcs11:serial=IamSerial",
++	    compose_uri(NULL, 0, NULL, NULL, NULL, "IamSerial", NULL, NULL, NULL));
 +	check_gen("pkcs11:object=RSA%20Key",
-+	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "RSA Key", NULL));
++	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "RSA Key", NULL));
 +	/* query arguments */
 +	check_gen("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
-+	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
++	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 +
 +	/* combinations */
 +	check_gen("pkcs11:id=%02;token=SSH%20Keys",
-+	    compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
++	    compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
 +	check_gen("pkcs11:id=%EE%02?module-path=/usr/lib64/p11-kit-proxy.so",
-+	    compose_uri("\xEE\x02", 2, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
++	    compose_uri("\xEE\x02", 2, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 +	check_gen("pkcs11:object=Encryption%20Key;manufacturer=piv_II",
-+	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, "Encryption Key", NULL));
++	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, "Encryption Key", NULL));
 +
 +	/* empty path component matches everything */
 +	check_gen("pkcs11:", EMPTY_URI);
@@ -1545,7 +1554,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
  }
  
  static RSA_METHOD *rsa_method;
-@@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method;
+@@ -195,6 +286,56 @@ static EC_KEY_METHOD *ec_key_method;
  static int ec_key_idx = 0;
  #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
  
@@ -1587,6 +1596,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
 +	uri.module_path = k11->provider->module->module_path;
 +	uri.lib_manuf = k11->provider->module->info.manufacturerID;
 +	uri.manuf = k11->provider->module->slotinfo[k11->slotidx].token.manufacturerID;
++	uri.serial = k11->provider->module->slotinfo[k11->slotidx].token.serialNumber;
 +
 +	p = pkcs11_uri_get(&uri);
 +	/* do not cleanup -- we do not allocate here, only reference */
@@ -1620,9 +1630,12 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
  	if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) {
  		error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv);
  		return (-1);
-@@ -262,12 +403,12 @@ pkcs11_login_slot(struct pkcs11_provider
+@@ -260,14 +403,14 @@ pkcs11_login_slot(struct pkcs11_provider
+ 	if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+ 		verbose("Deferring PIN entry to reader keypad.");
  	else {
- 		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
+-		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
++		snprintf(prompt, sizeof(prompt), "Enter PIN for '%.32s': ",
  		    si->token.label);
 -		if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) {
 +		if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) {
@@ -1754,6 +1767,27 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
  	EC_KEY_set_method(ec, ec_key_method);
  	EC_KEY_set_ex_data(ec, ec_key_idx, k11);
  
+@@ -622,7 +779,8 @@
+ }
+ #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+ 
+-/* remove trailing spaces */
++/* remove trailing spaces. Note, that this does NOT guarantee the buffer
++ * will be null terminated if there are no trailing spaces! */
+ static void
+ rmspace(u_char *buf, size_t len)
+ {
+@@ -630,8 +788,8 @@
+ 
+ 	if (!len)
+ 		return;
+-	for (i = len - 1;  i > 0; i--)
+-		if (i == len - 1 || buf[i] == ' ')
++	for (i = len - 1; i > 0; i--)
++		if (buf[i] == ' ')
+ 			buf[i] = '\0';
+ 		else
+ 			break;
 @@ -650,8 +806,8 @@ pkcs11_open_session(struct pkcs11_provid
  	CK_SESSION_HANDLE	session;
  	int			login_required, ret;
@@ -2157,7 +2191,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
  	int ret = -1;
  	struct pkcs11_provider *p = NULL;
  	void *handle = NULL;
-@@ -1517,164 +1702,298 @@ pkcs11_register_provider(char *provider_
+@@ -1517,164 +1702,305 @@
  	CK_FUNCTION_LIST *f = NULL;
  	CK_TOKEN_INFO *token;
  	CK_ULONG i;
@@ -2243,20 +2277,12 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
  		error("C_GetInfo for provider %s failed: %lu",
 -		    provider_id, rv);
 +		    provider_module, rv);
-+		goto fail;
-+	}
-+	rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
-+	if (uri->lib_manuf != NULL &&
-+	    strcmp(uri->lib_manuf, m->info.manufacturerID)) {
-+		debug_f("Skipping provider %s not matching library_manufacturer",
-+		    m->info.manufacturerID);
  		goto fail;
  	}
 -	rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
 -	rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
-+	rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
- 	debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
- 	    " libraryDescription <%s> libraryVersion %d.%d",
+-	debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
+-	    " libraryDescription <%s> libraryVersion %d.%d",
 -	    provider_id,
 -	    p->info.manufacturerID,
 -	    p->info.cryptokiVersion.major,
@@ -2265,6 +2291,16 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
 -	    p->info.libraryVersion.major,
 -	    p->info.libraryVersion.minor);
 -	if ((rv = f->C_GetSlotList(CK_TRUE, NULL, &p->nslots)) != CKR_OK) {
++	rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
++	if (uri->lib_manuf != NULL &&
++	    strncmp(uri->lib_manuf, m->info.manufacturerID, 32)) {
++		debug_f("Skipping provider %s not matching library_manufacturer",
++		    m->info.manufacturerID);
++		goto fail;
++	}
++	rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
++	debug("provider %s: manufacturerID <%.32s> cryptokiVersion %d.%d"
++	    " libraryDescription <%.32s> libraryVersion %d.%d",
 +	    provider_module,
 +	    m->info.manufacturerID,
 +	    m->info.cryptokiVersion.major,
@@ -2321,6 +2357,9 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
  		rmspace(token->manufacturerID, sizeof(token->manufacturerID));
  		rmspace(token->model, sizeof(token->model));
  		rmspace(token->serialNumber, sizeof(token->serialNumber));
+-		debug("provider %s slot %lu: label <%s> manufacturerID <%s> "
+-		    "model <%s> serial <%s> flags 0x%lx",
+-		    provider_id, (unsigned long)i,
 +	}
 +	m->module_path = provider_module;
 +	provider_module = NULL;
@@ -2389,22 +2428,28 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
 +			continue;
 +		}
 +		if (uri->token != NULL &&
-+		    strcmp(token->label, uri->token) != 0) {
-+			debug2_f("ignoring token not matching label (%s) "
++		    strncmp(token->label, uri->token, 32) != 0) {
++			debug2_f("ignoring token not matching label (%.32s) "
 +			    "specified by PKCS#11 URI in slot %lu",
 +			    token->label, (unsigned long)i);
 +			continue;
 +		}
 +		if (uri->manuf != NULL &&
-+		    strcmp(token->manufacturerID, uri->manuf) != 0) {
++		    strncmp(token->manufacturerID, uri->manuf, 32) != 0) {
 +			debug2_f("ignoring token not matching requrested "
-+			    "manufacturerID (%s) specified by PKCS#11 URI in "
++			    "manufacturerID (%.32s) specified by PKCS#11 URI in "
 +			    "slot %lu", token->manufacturerID, (unsigned long)i);
 +			continue;
 +		}
- 		debug("provider %s slot %lu: label <%s> manufacturerID <%s> "
- 		    "model <%s> serial <%s> flags 0x%lx",
--		    provider_id, (unsigned long)i,
++		if (uri->serial != NULL &&
++		    strncmp(token->serialNumber, uri->serial, 16) != 0) {
++			debug2_f("ignoring token not matching requrested "
++			    "serialNumber (%s) specified by PKCS#11 URI in "
++			    "slot %lu", token->serialNumber, (unsigned long)i);
++			continue;
++		}
++		debug("provider %s slot %lu: label <%.32s> manufacturerID <%.32s> "
++		    "model <%.16s> serial <%.16s> flags 0x%lx",
 +		    provider_uri, (unsigned long)i,
  		    token->label, token->manufacturerID, token->model,
  		    token->serialNumber, token->flags);
@@ -2443,7 +2488,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
 +			pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
 +		}
 +		if (nkeys == 0 && uri->object != NULL) {
-+			debug3_f("No keys found. Retrying without label (%s) ",
++			debug3_f("No keys found. Retrying without label (%.32s) ",
 +			    uri->object);
 +			/* Try once more without the label filter */
 +			char *label = uri->object;
@@ -2531,7 +2576,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
  
  	/* no keys found or some other error, de-register provider */
  	if (nkeys <= 0 && p != NULL) {
-@@ -1683,7 +2002,37 @@ pkcs11_add_provider(char *provider_id, c
+@@ -1684,7 +2012,37 @@ pkcs11_add_provider(char *provider_id, c
  		pkcs11_provider_unref(p);
  	}
  	if (nkeys == 0)
@@ -2591,7 +2636,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11.h
 diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.c
 --- openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri	2021-08-30 13:07:43.667700130 +0200
 +++ openssh-8.7p1/ssh-pkcs11-uri.c	2021-08-30 13:07:43.667700130 +0200
-@@ -0,0 +1,419 @@
+@@ -0,0 +1,437 @@
 +/*
 + * Copyright (c) 2017 Red Hat
 + *
@@ -2634,13 +2679,14 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
 +#define PKCS11_URI_OBJECT "object"
 +#define PKCS11_URI_LIB_MANUF "library-manufacturer"
 +#define PKCS11_URI_MANUF "manufacturer"
++#define PKCS11_URI_SERIAL "serial"
 +#define PKCS11_URI_MODULE_PATH "module-path"
 +#define PKCS11_URI_PIN_VALUE "pin-value"
 +
 +/* Keyword tokens. */
 +typedef enum {
-+	pId, pToken, pObject, pLibraryManufacturer, pManufacturer, pModulePath,
-+	pPinValue, pBadOption
++	pId, pToken, pObject, pLibraryManufacturer, pManufacturer, pSerial,
++	pModulePath, pPinValue, pBadOption
 +} pkcs11uriOpCodes;
 +
 +/* Textual representation of the tokens. */
@@ -2653,6 +2699,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
 +	{ PKCS11_URI_OBJECT, pObject },
 +	{ PKCS11_URI_LIB_MANUF, pLibraryManufacturer },
 +	{ PKCS11_URI_MANUF, pManufacturer },
++	{ PKCS11_URI_SERIAL, pSerial },
 +	{ PKCS11_URI_MODULE_PATH, pModulePath },
 +	{ PKCS11_URI_PIN_VALUE, pPinValue },
 +	{ NULL, pBadOption }
@@ -2811,6 +2858,16 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
 +			goto err;
 +	}
 +
++	/* Write serial */
++	if (uri->serial) {
++		struct sshbuf *serial = percent_encode(uri->serial,
++		    strlen(uri->serial), PKCS11_URI_WHITELIST);
++		path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
++		    PKCS11_URI_SERIAL, serial);
++		if (path == NULL)
++			goto err;
++	}
++
 +	/* Write module_path */
 +	if (uri->module_path) {
 +		struct sshbuf *module = percent_encode(uri->module_path,
@@ -2853,6 +2910,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
 +	free(pkcs11->object);
 +	free(pkcs11->lib_manuf);
 +	free(pkcs11->manuf);
++	free(pkcs11->serial);
 +	if (pkcs11->pin)
 +		freezero(pkcs11->pin, strlen(pkcs11->pin));
 +	free(pkcs11);
@@ -2948,6 +3006,11 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
 +			charptr = &pkcs11->manuf;
 +			goto parse_string;
 +
++		case pSerial:
++			/* CK_TOKEN_INFO -> serialNumber */
++			charptr = &pkcs11->serial;
++			goto parse_string;
++
 +		case pLibraryManufacturer:
 +			/* CK_INFO -> manufacturerID */
 +			charptr = &pkcs11->lib_manuf;
@@ -3014,7 +3077,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
 diff -up openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.h
 --- openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri	2021-08-30 13:07:43.667700130 +0200
 +++ openssh-8.7p1/ssh-pkcs11-uri.h	2021-08-30 13:07:43.667700130 +0200
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
 +/*
 + * Copyright (c) 2017 Red Hat
 + *
@@ -3046,6 +3109,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
 +	char *object;
 +	char *lib_manuf;
 +	char *manuf;
++	char *serial;
 +	/* query */
 +	char *module_path;
 +	char *pin; /* Only parsed, but not printed */

openssh-9.3p1-merged-openssl-evp.patch

@@ -710,9 +710,9 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
 +	return 0;
 +}
 +
- /* remove trailing spaces */
+ /* remove trailing spaces. Note, that this does NOT guarantee the buffer
+  * will be null terminated if there are no trailing spaces! */
  static void
- rmspace(u_char *buf, size_t len)
 diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11-client.c openssh-9.3p1-patched/ssh-pkcs11-client.c
 --- openssh-9.3p1/ssh-pkcs11-client.c	2023-06-06 15:53:36.591443976 +0200
 +++ openssh-9.3p1-patched/ssh-pkcs11-client.c	2023-06-06 15:52:25.626551768 +0200

openssh.spec

@@ -47,7 +47,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.3p1
-%global openssh_rel 8
+%global openssh_rel 9
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 9
 
@@ -741,6 +741,11 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Aug 03 2023 Norbert Pocs <npocs@redhat.com> - 9.3p1-9
+- pkcs11: Add support for 'serial' in PKCS#11 URI
+- Apply the upstream MR related to the previous pkcs11 issue
+- https://github.com/openssh/openssh-portable/pull/406
+
 * Thu Aug 03 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.3p1-8
 - Split including crypto-policies to a separate config (rhbz#1970566)
 - Disable forking of ssh-agent on startup (rhbz#2148555)