upstream commit
authordjm@openbsd.org <djm@openbsd.org>
Sat, 18 Jul 2015 08:02:17 +0000 (08:02 +0000)
committerDamien Miller <djm@mindrot.org>
Mon, 20 Jul 2015 00:32:25 +0000 (10:32 +1000)
don't ignore PKCS#11 hosted keys that return empty
 CKA_ID; patch by Jakub Jelen via bz#2429; ok markus

Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485

ssh-pkcs11.c

index 4156d0886e8559af405941d6efd489fde5e8b82a..92614a52d64d323123a710016301e38437ef6efe 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.20 2015/07/18 08:00:21 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.21 2015/07/18 08:02:17 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -481,15 +481,23 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
                        error("C_GetAttributeValue failed: %lu", rv);
                        continue;
                }
-               /* check that none of the attributes are zero length */
-               if (attribs[0].ulValueLen == 0 ||
-                   attribs[1].ulValueLen == 0 ||
+               /*
+                * Allow CKA_ID (always first attribute) to be empty, but
+                * ensure that none of the others are zero length.
+                * XXX assumes CKA_ID is always first.
+                */
+               if (attribs[1].ulValueLen == 0 ||
                    attribs[2].ulValueLen == 0) {
                        continue;
                }
                /* allocate buffers for attributes */
-               for (i = 0; i < 3; i++)
-                       attribs[i].pValue = xmalloc(attribs[i].ulValueLen);
+               for (i = 0; i < 3; i++) {
+                       if (attribs[i].ulValueLen > 0) {
+                               attribs[i].pValue = xmalloc(
+                                   attribs[i].ulValueLen);
+                       }
+               }
+
                /*
                 * retrieve ID, modulus and public exponent of RSA key,
                 * or ID, subject and value for certificates.
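Review bot: When `attribs[0].ulValueLen` is zero, the new allocation loop leaves `attribs[0].pValue` untouched, so the rest of the function relies on that pointer already being NULL and on every later consumer accepting a zero-length CKA_ID. Neither is visible in this hunk: the per-object reset of `attribs[]`, the code that copies the ID into the wrapped key, and the loop that frees the buffers all lie outside it. They should be checked for a stale pointer carried over from a previous object and for a zero-size allocation or copy. Making the invariant local would remove that dependency, for example `attribs[i].pValue = attribs[i].ulValueLen > 0 ? xmalloc(attribs[i].ulValueLen) : NULL;`. The lengths are supplied by the PKCS#11 provider and reach `xmalloc` with no upper bound, and the positional assumption recorded in the `XXX` comment would be easier to keep true with named indices than with the literals 0, 1 and 2.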