bugzilla-daemon at mindrot.org
2025-Oct-08 11:11 UTC
[Bug 3877] New: Regression when trying to free CA keys in ssh-keygen
https://bugzilla.mindrot.org/show_bug.cgi?id=3877
Bug ID: 3877
Summary: Regression when trying to free CA keys in ssh-keygen
Product: Portable OpenSSH
Version: 10.1p1
Hardware: All
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org
In Debian, we noticed that the ssh-agent-filter package's tests fail
against OpenSSH 10.1p1. An example log is at
https://ci.debian.net/packages/s/ssh-agent-filter/testing/amd64/65004014/,
and since that may expire and the output is quite short I'll copy it
here:
Agent pid 972
Identity added: key0 (key0)
Identity added: key1 (key1)
test_list_filter
test_sign_filter
ASSERT:
test_confirmation
ASSERT:
ASSERT:
Ran 3 tests.
FAILED (failures=3)
I bisected this to
https://anongit.mindrot.org/openssh.git/commit/?id=846987d1233f24bbe87ebed347e328f45525388a
(applying
https://anongit.mindrot.org/openssh.git/commit/?id=1362f6c0f4ca3306a201a6572bb9ec0d47d8edb3
to fix the build on Linux); specifically it's due to the addition of
sshkey_free(ca) in do_ca_sign. Here's a cut-down reproducer, to be run
in a temporary directory:
$ ssh-agent sh -c '
    ssh-keygen -q -t ed25519 -N "" -C key0 -f key0 &&
    ssh-keygen -q -t ed25519 -N "" -C key1 -f key1 &&
    ssh-add key0 key1 &&
    rm key0 key1 &&
    ssh-keygen -Us key1 -I identify key0; echo $?;
    rm -f key0* key1*'
Identity added: key0 (key0)
Identity added: key1 (key1)
Signed user key key0-cert.pub: id "identify" serial 0 valid forever
pkcs11_key_free: no helper for ED25519 key
255
https://anongit.mindrot.org/openssh.git/commit/?id=a8c0e5c871c0c7ee5ae93e353b1499a53c09c71d
is clearly related. It's not specific to Ed25519; RSA and ECDSA behave
the same way.
It seems that ssh-keygen is setting SSHKEY_FLAG_EXT in ca->flags, which
causes sshkey_free_contents to call pkcs11_key_free, which assumes that
a helper has been started even though that isn't the case here. But
I'm not quite sure what the right approach to fixing this should be;
should ssh-keygen be arranging to start a helper somehow, or should
something between sshkey_free_contents and pkcs11_key_free arrange for
this situation not to be a fatal error?
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Oct-08 21:19 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
Damien Miller <djm at mindrot.org> changed:
        What    |Removed                      |Added
----------------------------------------------------------------------------
        Assignee|unassigned-bugs at mindrot.org|djm at mindrot.org
              CC|                             |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3908
--> https://bugzilla.mindrot.org/attachment.cgi?id=3908&action=edit
steal CA key from agent list
Here's one fix. Instead of marking the CA key external, "steal" it from
the list of agent keys where it is actually external.
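The ownership problem the report describes, and the "steal" approach proposed in comment #1, modelled as an added example in C. This is not OpenSSH code: struct mkey, struct idlist and the *_model functions are invented for the illustration, and only SSHKEY_FLAG_EXT and pkcs11_key_free are names taken from the thread. The agent contents (key0, key1) are constructed to match the reproducer. It also goes one step beyond the thread by showing what a "steal" must not forget: if the key is taken from the list without clearing its slot, the list's own cleanup frees it a second time.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the key-ownership problem in bug 3877; not OpenSSH
 * code. struct mkey, struct idlist and the *_model functions are invented
 * here; only SSHKEY_FLAG_EXT and pkcs11_key_free are names from the report. */

#define SSHKEY_FLAG_EXT 0x01	/* key backed by an external provider */

struct mkey { const char *comment; int flags; int freed; };

/* Model of the agent identity list: it owns every non-NULL entry. */
struct idlist { struct mkey *keys[8]; size_t nkeys; };

/* 0 = no PKCS#11 helper was ever started, as in the reproducer. */
static int helper_started = 0;

/* Model of pkcs11_key_free(): the real client-side version is fatal when
 * no helper is running; this one returns -1 so the outcome can be checked. */
static int
pkcs11_key_free_model(void)
{
	return helper_started ? 0 : -1;
}

/* Model of sshkey_free(): an external key is handed to the helper first.
 * Freeing a key twice is reported as -1 (what a sanitizer would flag). */
static int
key_free_model(struct mkey *k)
{
	int r = 0;
	if (k == NULL || k->freed)
		return k == NULL ? 0 : -1;
	if (k->flags & SSHKEY_FLAG_EXT)
		r = pkcs11_key_free_model();
	k->freed = 1;
	return r;
}

/* Frees what the list still owns; a stolen (NULL) slot is skipped. */
static int
idlist_free(struct idlist *l)
{
	int r = 0;
	for (size_t i = 0; i < l->nkeys; i++)
		if (key_free_model(l->keys[i]) != 0)
			r = -1;
	l->nkeys = 0;
	return r;
}

/* What the report describes: ssh-keygen's own copy of the CA key is flagged
 * external, the agent list is released, then the copy is freed. Returns the
 * result of that last free: -1 means the "no helper" path was hit. */
static int
ca_sign_mark_external(void)
{
	struct mkey k0 = { "key0", 0, 0 }, k1 = { "key1", 0, 0 };
	struct mkey ca = { "key1", 0, 0 };		/* ssh-keygen's own copy */
	struct idlist agent = { { &k0, &k1 }, 2 };	/* constructed agent */
	ca.flags |= SSHKEY_FLAG_EXT;
	/* ... certificate would be signed through the agent here ... */
	idlist_free(&agent);
	return key_free_model(&ca);
}

/* The "steal" alternative: take the CA key out of the agent list and free it
 * as an ordinary key. With clear_slot set the slot is NULLed so idlist_free()
 * cannot free it again; without it the key is freed twice.
 * Returns 0 only when everything is freed exactly once. */
static int
ca_sign_steal_from_agent(int clear_slot)
{
	struct mkey k0 = { "key0", 0, 0 }, k1 = { "key1", 0, 0 };
	struct idlist agent = { { &k0, &k1 }, 2 };	/* constructed agent */
	struct mkey *ca = NULL;
	int r;
	for (size_t i = 0; i < agent.nkeys; i++)
		if (strcmp(agent.keys[i]->comment, "key1") == 0) {
			ca = agent.keys[i];
			if (clear_slot)
				agent.keys[i] = NULL;	/* ownership moves here */
			break;
		}
	if (ca == NULL)
		return -1;
	/* ... certificate would be signed through the agent here ... */
	r = idlist_free(&agent);
	if (key_free_model(ca) != 0)
		r = -1;
	return r;
}

int
main(void)
{
	printf("flag own copy external: %d\n", ca_sign_mark_external());
	printf("steal, slot cleared:    %d\n", ca_sign_steal_from_agent(1));
	printf("steal, slot left:       %d\n", ca_sign_steal_from_agent(0));
	return 0;
}
```

Run as-is, the first call returns -1 (the flagged copy reaches the helper path with no helper), the second returns 0, and the third returns -1 because the un-cleared slot is freed by the list and then again by the caller. Setting helper_started to 1 makes the flagged path succeed, which is the effect of the second fix in the thread (having a working PKCS#11 free available to ssh-keygen) rather than of changing key ownership.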
bugzilla-daemon at mindrot.org
2025-Oct-08 21:23 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3909
--> https://bugzilla.mindrot.org/attachment.cgi?id=3909&action=edit
Use ssh-pkcs11.c directly in ssh-keygen

Here's a different fix - I noticed that your reproducer doesn't work on
OpenBSD, because it doesn't use PKCS#11 via ssh-pkcs11-client.c (i.e. via
ssh-pkcs11-helper) but directly by linking against ssh-pkcs11.c. We can
do that too.
bugzilla-daemon at mindrot.org
2025-Oct-08 21:25 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
I'm particularly interested in whether the second patch solves the
problem for you, as we're going to do a 10.2 release shortly to fix bug
#3872 and we could include that easily.
bugzilla-daemon at mindrot.org
2025-Oct-08 21:53 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
--- Comment #4 from Colin Watson <cjwatson at debian.org> ---
The first patch fails here, resulting in:

Couldn't certify key key0: invalid argument
255

The second patch seems to work, though.
bugzilla-daemon at mindrot.org
2025-Oct-08 23:04 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
Damien Miller <djm at mindrot.org> changed:
                        What    |Removed |Added
----------------------------------------------------------------------------
Attachment #3908 is obsolete    |0       |1
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 3910
--> https://bugzilla.mindrot.org/attachment.cgi?id=3910&action=edit
steal CA key from agent list (attempt 2)
oops, here's a fixed version of the first patch. Passes your test on my
Debian system.
bugzilla-daemon at mindrot.org
2025-Oct-08 23:14 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
--- Comment #6 from Colin Watson <cjwatson at debian.org> ---
OK, those two patches work for me now, either separately or in
combination, and with both my reduced test case and the original
ssh-agent-filter tests.
bugzilla-daemon at mindrot.org
2025-Oct-08 23:23 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
I've committed the Makefile.in change and it will be in the openssh-10.2
release we'll do in a couple of days. I'll commit the other fix
separately too.
bugzilla-daemon at mindrot.org
2025-Oct-08 23:26 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
--- Comment #8 from Colin Watson <cjwatson at debian.org> ---
Thanks! I'll cherry-pick the Makefile.in fix for now then, and pick up
10.2p1 when it's out.
bugzilla-daemon at mindrot.org
2025-Oct-10 04:12 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
Damien Miller <djm at mindrot.org> changed:
        What    |Removed |Added
----------------------------------------------------------------------------
          Blocks|        |3876
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3876
[Bug 3876] Tracking bug for OpenSSH 10.2
bugzilla-daemon at mindrot.org
2025-Oct-10 04:12 UTC
[Bug 3877] Regression when trying to free CA keys in ssh-keygen
Damien Miller <djm at mindrot.org> changed:
        What    |Removed |Added
----------------------------------------------------------------------------
      Resolution|---     |FIXED
          Status|NEW     |RESOLVED
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Both of these have been committed now and the Makefile.in fix is in
10.2 - thanks