| Summary: | PKCS#11 authentication fails with "xmalloc: zero size" for some certificates. | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Matt Robinson <mdrtbugzilla> | ||||||||
| Component: | Smartcard | Assignee: | Assigned to nobody <unassigned-bugs> | ||||||||
| Status: | CLOSED FIXED | ||||||||||
| Severity: | normal | CC: | djm, evasive.gyron, jjelen | ||||||||
| Priority: | P2 | ||||||||||
| Version: | 7.1p1 | ||||||||||
| Hardware: | All | ||||||||||
| OS: | All | ||||||||||
| Bug Depends on: | |||||||||||
| Bug Blocks: | 2451 | ||||||||||
| Attachments: |
|
||||||||||
Fix applied - this will be in OpenSSH 5.6. Thanks! Move resolved bugs to CLOSED after 5.7 release Created attachment 2713 [details]
Patch to fix xmalloc error when using pkcs11 for auth for 7.x releases
This problem reappeared in openssh 7.x releases. Attached patch should fix the problem. This is related to the bug #2429 (see proposed and applied patch with check of the length before calling xmalloc in attachment #2670 [details]). Your original error should not appear again, because the check for length is at the moment before calling xmalloc. The note in the code and in linked bugzilla says that the CKA_ID is allowed to be empty. Can you elaborate more on what problems you see at the moment? Error is exactly as described by original author. ssh -A -I /usr/lib/libeToken.so -p example.net -vvv OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015 debug1: Reading configuration data /etc/ssh/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to example.com [0000:1111:2222:3333:4444:5555] port 21. debug1: Connection established. debug1: manufacturerID <SafeNet, Inc.> cryptokiVersion 2.20 libraryDescription <SafeNet eToken PKCS#11> libraryVersion 9.0 debug1: label <eToken> manufacturerID <SafeNet, Inc.> model <eToken> serial <01234567> flags 0x60d debug1: have 1 keys debug1: have 2 keys xmalloc: zero size Output with sensitive data removed. Created attachment 2714 [details]
Avoid xmalloc(0)
Please try this patch.
Provided patch corrects the xmalloc error. Thanks. Any updates on status of this patch? Will it be included in next release? Applied, this will be in openssh-7.2 commit d2d772f55b19bb0e8d03c2fe1b9bb176d9779efd Author: djm@openbsd.org <djm@openbsd.org> Date: Fri Feb 12 00:20:30 2016 +0000 upstream commit avoid fatal() for PKCS11 tokens that present empty key IDs bz#1773, ok markus@ Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54 Close all resolved bugs after release of OpenSSH 7.7. |
Created attachment 1851 [details] Patch to fix xmalloc error when using pkcs11 for auth I've been trying to use an Aladdin eToken PRO 64k (4.2) USB smart card for public key ssh authentication (using the -I option with the PKCS11 library for the eToken), but OpenSSH would abort with the message: xmalloc: zero size I tracked this down to the pkcs11_fetch_keys function in ssh-pkcs11.c, and discovered that C_GetAttributeValue returns a ulValueLen of 0 for some of the attributes for some of my certificates. I believe that this may be being caused by some CA certificates that I also have on the eToken, which are stored without their private keys. The attached patch (against CVS) resolves this issue by skipping to the next certificate if any of the three attributes are returned as having zero length. This should not affect operation for users currently not experiencing this error. I'm using Cygwin under Windows 7 x64, but I believe that this would happen on other platforms, so I've set Hardware and OS to All.