Displaying 7 results from an estimated 7 matches for "pkcs11_add_provid".
2013 Nov 30
2
[Bug 2175] New: possible use after free
...onent: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: loganaden at gmail.com
Created attachment 2377
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2377&action=edit
use_after_free fix
blob() might be freed on subsequent loop iterations.
     if ((nkeys = pkcs11_add_provider(name, pin, &keys)) > 0) {
                buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER);
                buffer_put_int(&msg, nkeys);
                for (i = 0; i < nkeys; i++) {
                        key_to_blob(keys[i], &blob, &blen);
                        bu...
2016 Nov 16
3
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
...buf[i] == '\n' || buf[i] == '\r') {
+			buf[i] = '\0';
+			break;
+		}
+	}
+
+	return xstrdup(buf);
+}
+
 /* openssl callback doing the actual signing operation */
 static int
 pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
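Review bot: At `return xstrdup(buf);` the PIN is copied to the heap while `buf` is left holding the same secret. If `buf` is a local array (its declaration is outside the visible lines), clear it with `explicit_bzero(buf, sizeof(buf))` before returning so the PIN does not linger in memory after the function exits.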
@@ -575,6 +607,9 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
 	CK_TOKEN_INFO *token;
 	CK_ULONG i;
 
+	if (!pin)
+		pin = pkcs11_read_pinfile();
+
 	*keyp = NULL;
 	if (pkcs11_provider_lookup(provider_id) != NULL) {
 		debug("%s: provider already registered: %s",
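Review bot: The `pin = pkcs11_read_pinfile();` assignment overwrites the caller's parameter with a string the helper allocates via `xstrdup`, and nothing in this hunk releases it, so the PIN copy is still live on the `provider already registered` path that follows immediately. Do the read after the `pkcs11_provider_lookup` check, keep the result in a separate local, and zero and free that local on every exit from the function.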
2023 Nov 19
2
[Bug 3635] New: ssh-add -s always asks for PKCS#11 PIN
...Looking into the code of ssh to understand the behavior of ssh -I
revealed, that it considers the presence of the PKCS#11 flags (at least
partly).
If the CKF_LOGIN_REQUIRED flag is not set, as done by our HSM PKCS#11
library, SSH derives the keys available through the PKCS#11 library as
follows.
1. pkcs11_add_provider [3][4] is called, which calls
pkcs11_register_provider [5] 
2. pkcs11_register_provider performs some sanity checks and setting up,
and then tries to derive keys for the slots available [6]
3. For deriving keys a PKCS#11 session is opened by calling
pkcs11_open_session [7]. pkcs11_open_session ch...
2016 Nov 16
2
[PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
...if (buf[i] == '\n' || buf[i] == '\r') {
+	 buf[i] = '\0';
+	 break;
+	 }
+	}
+
+	return xstrdup(buf);
+}
+
/* openssl callback doing the actual signing operation */
static int
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
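Review bot: The newline-stripping loop can leave `buf` empty when the data begins with `\n` or `\r`, and `return xstrdup(buf);` then hands back an empty PIN instead of signalling that none was found. Return NULL when `buf[0] == '\0'` so the caller can tell a missing PIN from a configured one.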
@@ -575,6 +607,9 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
CK_TOKEN_INFO *token;
CK_ULONG i;
+	if (!pin)
+	 pin = pkcs11_read_pinfile();
+
*keyp = NULL;
if (pkcs11_provider_lookup(provider_id) != NULL) {
debug("%s: provider already registered: %s",
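Review bot: `if (!pin)` tests a pointer with `!`, while the next statement in the same function is written as `pkcs11_provider_lookup(provider_id) != NULL`. Use `if (pin == NULL)` to match, and add a comment above it stating that the PIN file is consulted only when the caller supplied no PIN.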
___________________________________________...
2012 Nov 21
1
HostKey in hardware?
Hi,
Is there any way to store HostKey in hardware (and delegate the related
processing)?
I have been using Roumen Petrov's x509 patch for clients, which works via an
OpenSSL engine, but it does not seem to support server HostKey:
http://roumenpetrov.info/pipermail/ssh_x509_roumenpetrov.info/2012q4/000019.html
For PKCS#11, I have found an email on this list from a year back suggesting
this
2015 Mar 31
7
Wanted: smartcard with ECDSA support
Hi list,
I have no idea if Damien Miller had the time to work on that.
I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the
required interfaces to override the signature function pointer for ECDSA.
The only limitation is that the OpenSSL API misses some cleanup function
(finish, for instance), hence I have yet
2016 Dec 24
30
[Bug 2652] New: PKCS11 login skipped if login required and no pin set
https://bugzilla.mindrot.org/show_bug.cgi?id=2652
            Bug ID: 2652
           Summary: PKCS11 login skipped if login required and no pin set
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Smartcard
          Assignee: