Displaying 12 results from an estimated 12 matches for "process_sign_request2".

2017 Nov 14
2
OpenSSH 7.6p1 ssh-agent exiting if passed an invalid key blob
...request, and the point of the test was to have the sign operation fail. To trigger this, I was passing in an invalid key blob (specifically, the string "xxx"). In OpenSSH 7.5p1, this resulted in the following debug output: debug2: fd 3 setting O_NONBLOCK debug3: fd 4 is O_NONBLOCK debug1: type 13 process_sign_request2: cannot parse key blob: invalid format debug1: XXX shrink: 3 < 4 As expected, a failure was returned to this request, and the agent continued to run, waiting for a new request. However, after upgrading to OpenSSH 7.6p1, I saw very different behavior. In this case, the following debugging output...
2025 Jan 15
1
[Bug 3776] New: Fuzzing harness agent_fuzz fails to initialize websafe_allowlist
...Assignee: unassigned-bugs at mindrot.org Reporter: leon.weiss at rub.de Created attachment 3852 --> https://bugzilla.mindrot.org/attachment.cgi?id=3852&action=edit Patch suggestion The `main` function of ssh_agent makes sure to initialize `websafe_allowlist`, which is used in `process_sign_request2`. The fuzzer for this component does not use the main function, but calls `process_sign_request2` directly, leaving the value uninitialized. Fuzzing inputs reaching this code cause a NULL ptr dereference. This seems to be an issue only present in the fuzzing code, but leads to false positives an...
2012 Mar 11
2
[patch] Threading support in ssh-agent
...readFunction)auth_thread_run, thr)) { + error("pthread_create: %s", strerror(errno)); + return -1; + } + } + p->num_threads = numthreads; + + openssl_thread_locks_setup(); + return 0; +} + +#endif + +static void +schedule_sign_request2(SocketEntry *e) +{ +#ifndef HAVE_LIBPTHREAD + process_sign_request2(e); +#else + if (tpool.num_threads) { + e->type = AUTH_INUSE; + req_queue_enqueue(&(tpool.queue), process_sign_request2, e); + } else { + process_sign_request2(e); + } +#endif +} + /* shared */ static void process_remove_identity(SocketEntry *e, int version) @@ -397,8 +667,11 @@...
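Review bot: the thread-creation error path logs strerror(errno), but if the truncated call is pthread_create, as the message says, it reports failure through its return value and does not set errno, so the logged reason can be stale; capture the return value and pass that to strerror. In schedule_sign_request2 the threaded branch sets e->type = AUTH_INUSE and then discards whatever req_queue_enqueue reports; if the enqueue can fail, the entry stays marked in use with no worker to finish it, so either check a status and fall back to calling process_sign_request2(e) directly or document that the enqueue cannot fail.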
2023 Sep 11
21
[Bug 3613] New: Unable to sign using certificates and PKCS#11
...socket bindings, 0 constraints debug3: identity_permitted: entering: key RSA comment "Public key for PIV Attestation", 0 socket bindings, 0 constraints debug2: process_request_identities: replying with 2 allowed of 2 available keys debug1: process_message: socket 1 (fd=4) type 13 debug1: process_sign_request2: entering process_sign_request2: RSA-CERT key not found ``` It is also not possible to get `ssh-agent` to load the certificate with: ``` $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so ~/.ssh/id_rsa-cert.pub Enter passphrase for PKCS#11: Card added: /usr/lib/x86_64-linux-gnu/p11-kit-proxy....
2006 May 15
0
[PATCH 9/12] bug fix: openssh 4.3p2 possible NULL dereference
...-- ssh-agent.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) diff -uprN openssh-4.3p2/ssh-agent.c openssh-4.3p2-kylie/ssh-agent.c --- openssh-4.3p2/ssh-agent.c 2005-11-04 22:15:00.000000000 -0600 +++ openssh-4.3p2-kylie/ssh-agent.c 2006-05-04 15:05:48.000000000 -0500 @@ -305,8 +305,8 @@ process_sign_request2(SocketEntry *e) Identity *id = lookup_identity(key, 2); if (id != NULL && (!id->confirm || confirm_key(id) == 0)) ok = key_sign(id->key, &signature, &slen, data, dlen); + key_free(key); } - key_free(key); buffer_init(&msg); if (ok == 0) { buffer_put_cha...
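Review bot: key_free(key) now runs only inside the block that closes at the `}` in this hunk, but the condition that opens that block lies above the visible context, so the patch as shown does not demonstrate that key is non-NULL there or that every path which allocated key still reaches the free. The description should name the guarding condition and say whether key_free(NULL) was the dereference being fixed, so a reader can confirm that the move does not trade the NULL dereference for a leak.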
2009 Dec 18
0
[agc@NetBSD.org: CVS commit: src/crypto/external/bsd/openssh/dist]
Hi, I applied the following minor diff to preserve the value of the extern variable across calls to process_sign_request2() in ssh-agent.c. I've no idea if the attachment of the attachment will come out correctly so a cvs diff is also attached. Regards, Alistair -------------- next part -------------- An embedded message was scrubbed... From: "Alistair G. Crooks" <agc at NetBSD.org> Subject: CVS...
2024 Nov 19
2
[Bug 3752] New: ssh agent with host constraints fails creating a signature
..." from agent for certificate debug3: sign_and_send_pubkey: signing using ssh-ed25519-cert-v01 at openssh.com SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ sign_and_send_pubkey: signing failed for ED25519 "thibault at emil" from agent: agent refused operation ``` in ssh-agent: ``` process_sign_request2: refusing use of destination-constrained key to sign an unidentified signature ``` There seems to be a mismatch in the keys used for signing. When host constraints are used, the userauth request is parsed and the key that should do the signing does not seem to match the key that is referenced in t...
2017 Nov 15
2
OpenSSH 7.6p1 ssh-agent exiting if passed an invalid key blob
...d earlier, but with OpenSSH 7.6p1, they were suddenly causing >> ssh-agent to exit. > > Sorry, I've committed this fix: > > > diff --git a/ssh-agent.c b/ssh-agent.c > index 9693722..0c88ab1 100644 > --- a/ssh-agent.c > +++ b/ssh-agent.c > @@ -272,8 +272,11 @@ process_sign_request2(SocketEntry *e) > fatal("%s: sshbuf_new failed", __func__); > if ((r = sshkey_froms(e->request, &key)) != 0 || > (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 || > - (r = sshbuf_get_u32(e->request, &flags)) != 0) > - fat...
2023 Oct 16
2
ssh-agent hides sk "confirm user presence" message
Hey Damien, > Generally we prefer to use ssh-askpass for agent notifications. Are you able to use that? Hmm, okay, but it's not clear to me how to make that work. Is what you have in mind documented somewhere? I don't see this specific situation covered in the manpages and a web search doesn't turn up much. I thought ssh-askpass was only invoked when the key is first added to the
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
...mp; (!id->confirm || confirm_key(id) == 0)) { - struct sshkey *private = id->key; + struct sshkey *private = id->idkey->key; /* Decrypt the challenge using the private key. */ if ((r = rsa_private_decrypt(challenge, challenge, private->rsa) != 0)) { @@ -380,7 +428,7 @@ process_sign_request2(SocketEntry *e) u_int compat = 0, flags; int r, ok = -1; struct sshbuf *msg; - struct sshkey *key; + struct sshkey *key, *sign_key; struct identity *id; if ((msg = sshbuf_new()) == NULL) @@ -403,7 +451,12 @@ process_sign_request2(SocketEntry *e) verbose("%s: user refused key&quo...
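Review bot: the new initializer `struct sshkey *private = id->idkey->key;` in the first hunk dereferences id->idkey with no check visible in the surrounding lines; if an identity can exist without an attached idkey, this needs a guard or a comment stating the invariant that idkey is always set. The context line just below, `if ((r = rsa_private_decrypt(challenge, challenge, private->rsa) != 0))`, also has its parentheses placed so that r receives the result of the comparison rather than the function's return code; since the patch already touches this block, moving the closing parenthesis before `!= 0` would keep r usable for error reporting.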
2018 Jul 31
11
[Bug 2890] New: ssh-agent should not fail after removing and inserting smart card
https://bugzilla.mindrot.org/show_bug.cgi?id=2890 Bug ID: 2890 Summary: ssh-agent should not fail after removing and inserting smart card Product: Portable OpenSSH Version: 7.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:
2016 Oct 27
11
[Bug 2635] New: Unable to use SSH Agent and user level PKCS11Provider configuration directive
https://bugzilla.mindrot.org/show_bug.cgi?id=2635 Bug ID: 2635 Summary: Unable to use SSH Agent and user level PKCS11Provider configuration directive Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5