[Bug 884] DSA keys (id_dsa.pub) with 8192 bits or more aren't correctly recognized

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jun 24 23:36:30 EST 2004


------- Additional Comments From dmr at gmx.it  2004-06-24 23:36 -------
> > every attempt to raise the keysize over 8192 bits limit won't work
> Maybe a limit in OpenSSL's DSA functions?
> Your read_whole_line() function seems a lot more complicated than it needs to
> be.  xrealloc will leave the file content intact, so instead of ftell/fseek/goto
> you can just initialise everthing to zero/NULL then just repeatedly read chunks
> until you get a newline, eg,
> while (1) {
>         buf = xrealloc(buf, size + CHUNKSZ);
>         size += CHUNKSZ;
>         nextpart = buf + len;
>         if (fgets(nextpart, CHUNKSZ, f) == NULL)
>                 break;
>         len += strlen(nextpart);
>         if (buf[len - 1] == '\n')
>                 break;
> }
> (For bonus points, add some better handling of fgets() == NULL.  Or use
> buffer_append instead of xrealloc.)

You are right... but that patch was only a quick and dirty trick... that
function has been stripped down from another place only for testing purposes.
However now it shoud be ok.
> Anyway, an 8kbit key is just over 4KBytes encoded and I don't think it's
> worth the extra complexity of making it dynamic just to save a couple of KB
> of stack space.

IMHO the problem here is that the maximum key size is hard coded in openssh,
while it should be _at most_ hard coded in (e.g.) openssl...
> Either way key_try_load_public shouldn't pass incomplete lines to key_read,

I agree... However, the following patch should fix - it worked pretty fine for
me - any key-size troubles: tested ok with 32K keys, actually in production on
my cluster and several other systems.

Thanks a lot for your support.


------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-bugs mailing list