[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2021-10-13 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

Ahmed Sayeed  changed:

   What|Removed |Added

 CC||ahmedsayeed1...@yahoo.com

--- Comment #8 from Ahmed Sayeed  ---
--8<---
 1 size_t fwrite(const void * __restrict ptr, size_t size,
http://www-look-4.com/category/travel/
 2   size_t nmemb, register FILE * __restrict stream)
 3 {
 4 size_t retval; https://komiya-dental.com/category/technology/
 5 __STDIO_AUTO_THREADLOCK_VAR;
 6  http://www.iu-bloomington.com/category/technology/
 7 >   __STDIO_AUTO_THREADLOCK(stream);
 8 
 9 retval = fwrite_unlocked(ptr, size, nmemb, stream);
10  https://waytowhatsnext.com/category/technology/
11 __STDIO_AUTO_THREADUNLOCK(stream);
12  http://www.wearelondonmade.com/category/travel/
13 return retval;
14 }
-->8---
 http://www.jopspeech.com/category/travel/
Here, we are at line 7. Using the "next" command leads no where.
However,
setting a breakpoint on line 9 and issuing "continue" works.
http://joerg.li/category/travel/
Looking at the assembly instructions reveals that we're dealing with
the
critical section entry code [1] that should never be interrupted, in
this
case by the debugger's implicit breakpoints:
http://connstr.net/category/travel/

--8<---
  ... http://embermanchester.uk/category/travel/
1 add_s   r0,r13,0x38
2 mov_s   r3,1
3 llock   r2,[r0]<-.
4 brne.nt r2,0,14 --.  |
http://www.slipstone.co.uk/category/travel/
5 scond   r3,[r0]   |  |
6 bne -10 --|--'
7 brne_s  r2,0,84 <-' http://www.logoarts.co.uk/category/travel/
  ...
-->8---
 http://www.acpirateradio.co.uk/category/travel/
Lines 3 until 5 (inclusive) are supposed to be executed atomically.
Therefore,
GDB should never (implicitly) insert a breakpoint on lines 4 and 5,
else the http://www.compilatori.com/category/travel/ 
program will try to acquire the lock again by jumping back to line 3
and
gets stuck in an infinite loop.
https://www.webb-dev.co.uk/category/technology/

The solution is to make GDB aware of these patterns so it inserts
breakpoints
after the sequence -- line 6 in this example.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2021-04-22 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

Damien Miller  changed:

   What|Removed |Added

 Status|RESOLVED|CLOSED

--- Comment #7 from Damien Miller  ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2019-01-22 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

Damien Miller  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #6 from Damien Miller  ---
This has been committed and will be in OpenSSH 8.0

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2019-01-22 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

--- Comment #5 from Jakub Jelen  ---
Unfortunately ... but you can try that with your yubikey and with
OpenSC if you load the private key in the "SIGN KEY" slot 9c [0].

Note, that after [1] being merged in OpenSC last year, the trick with
only single login does not work anymore so in the proposed patch, we
should drop the did_login variable, otherwise it will not work (at
least with OpenSC pkcs11 module). Therefore, in the single-shot
connection, the pin is asked twice, which is unfortunate, but probably
closest to the PIV specification.

One note for the code style:

+   struct pkcs11_slotinfo  *si;
+   CK_FUNCTION_LIST*f;
+   CK_BBOOLflag = 0;
+   CK_ATTRIBUTEattr;
+   CK_RVrv;
^-- misaligned indentation (missing
space in flag, attr)

[0]
https://developers.yubico.com/PIV/Introduction/Certificate_slots.html
[1] https://github.com/OpenSC/OpenSC/pull/1256

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2019-01-21 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

Damien Miller  changed:

   What|Removed |Added

   Keywords||pkcs11

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2019-01-21 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

Damien Miller  changed:

   What|Removed |Added

   Attachment #3033|0   |1
is obsolete||
 CC||d...@mindrot.org

--- Comment #3 from Damien Miller  ---
Created attachment 3225
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3225&action=edit
revised patch after PKCS#11 ECDSA support landed

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2019-01-21 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

Damien Miller  changed:

   What|Removed |Added

 Blocks||2915

--- Comment #4 from Damien Miller  ---
Pity there seems no way to test this using softhsm2


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2018-07-31 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

Orion Poplawski  changed:

   What|Removed |Added

 CC||or...@cora.nwra.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2017-08-11 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

Jakub Jelen  changed:

   What|Removed |Added

   Attachment #2890|0   |1
is obsolete||

--- Comment #2 from Jakub Jelen  ---
Created attachment 3033
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3033&action=edit
patch sharing the login code

We (In reply to Damien Miller from comment #1)
> Can't we reuse si->logged_in here and skip the extra variable?

We would need to reset the variable after the signing if you talk only
about variable sharing. It would work, but the actual
always-authenticate function would not get called for the second time.
It would call the original login before SignInit with
non-CONTEXT_SPECIFIC_LOGIN. It would work in some of the cases, but it
would not be according to the PKCS#11 specification. For example, if
the PINs are different, it would fail.
I don't see a way how to retain the same functionality without this
variable, but feel free to propose a solution.

Though after the second thought (year after), sharing the code for
C_Login, which is quite the same except the login type would make
sense.

I do not share the pkcs11_interactive check, because we need this
prompt from non-interactive ssh-agent process using askpass.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

2017-08-10 Thread bugzilla-daemon 
https://bugzilla.mindrot.org/show_bug.cgi?id=2638

--- Comment #1 from Damien Miller  ---
Comment on attachment 2890
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2890
[PATCH] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private
objects


>@@ -316,6 +359,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, 
>u_char *to, RSA *rsa,
>   return (-1);
>   }
>   si->logged_in = 1;
>+  login_performed = 1;

...

>+  } else if (!login_performed &&
>+  pkcs11_always_authenticate(k11->provider, si, obj) < 0) {
>+  error("Failed to re-authenticate to access ALWAYS_AUTHENTICATE 
>object");

Can't we reuse si->logged_in here and skip the extra variable?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs