Call for testing: OpenSSH 7.6
Darren Tucker
dtucker at zip.com.au
Fri Sep 22 22:28:01 AEST 2017
On Thu, Sep 21, 2017 at 02:22:10AM -0500, Zev Weiss wrote:
> test_kex: regress/unittests/kex/test_kex.c:91 test #1 "sshkey_generate"
> ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0) failed:
> sshkey_generate(keytype, bits, &private) = -56
That error code is:
$ grep -- -56 ssherr.h
#define SSH_ERR_KEY_LENGTH -56
Unfortunately there are lots of places in that code that can return that error code.
I have seen that on one Cygwin system (OpenSSL 1.0.2k) here so I added
the below code to try to narrow it down. On mine it gave:
test_kex: dsa_generate_private_key bits 2048 expected 1024
but I don't understand how.
Don't try to use ssh or sshd with this diff as it'll probably mess
things up pretty good.
diff --git a/ssh-sandbox.h b/ssh-sandbox.h
index bd5fd83..6bd76b3 100644
--- a/ssh-sandbox.h
+++ b/ssh-sandbox.h
@@ -22,3 +22,4 @@ struct ssh_sandbox *ssh_sandbox_init(struct monitor *);
void ssh_sandbox_child(struct ssh_sandbox *);
void ssh_sandbox_parent_finish(struct ssh_sandbox *);
void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);
+#define setrlimit(x,y) (0)
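Review bot: The `#define setrlimit(x,y) (0)` added at the end of ssh-sandbox.h turns every setrlimit() call in any file that includes this header into a no-op that reports success, so resource limits a sandbox relies on would silently not be applied and callers that check the return value would see no failure. The hunk has no guard or comment marking it as test-only. I would wrap it in a build-time switch that says why it exists, e.g. `#ifdef KEYGEN_DEBUG_NO_RLIMIT /* placeholder name: unit-test debugging only, disables rlimit enforcement */` closed by `#endif`. It is also order-sensitive: if the system header that declares setrlimit is included after this one, the prototype itself would presumably be macro-expanded and fail to compile.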
diff --git a/sshkey.c b/sshkey.c
index e91c54f..cfdd437 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1394,8 +1394,11 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
if (rsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
- bits > SSHBUF_MAX_BIGNUM * 8)
+ bits > SSHBUF_MAX_BIGNUM * 8) {
+ fprintf(stderr, "%s bits %d min %d max %d\n", __func__, bits,
+ SSH_RSA_MINIMUM_MODULUS_SIZE, SSHBUF_MAX_BIGNUM);
return SSH_ERR_KEY_LENGTH;
+ }
*rsap = NULL;
if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
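Review bot: The diagnostic added in rsa_generate_private_key prints `SSHBUF_MAX_BIGNUM` as "max", but the condition above it compares `bits` against `SSHBUF_MAX_BIGNUM * 8`, so the printed limit is not the one that was enforced. `bits` is declared `u_int` in the signature yet is formatted with `%d`; the same specifier mismatch is in the dsa_generate_private_key and ecdsa_generate_private_key hunks. I would change the call to `fprintf(stderr, "%s bits %u min %d max %d\n", __func__, bits, SSH_RSA_MINIMUM_MODULUS_SIZE, SSHBUF_MAX_BIGNUM * 8);` and use `%u` for `bits` in the other two. The function body continues outside the hunk.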
@@ -1425,8 +1428,10 @@ dsa_generate_private_key(u_int bits, DSA **dsap)
if (dsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
- if (bits != 1024)
+ if (bits != 1024) {
+ fprintf(stderr, "%s bits %d expected %d\n", __func__, bits, 1024);
return SSH_ERR_KEY_LENGTH;
+ }
if ((private = DSA_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -1505,8 +1510,10 @@ ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
if (nid == NULL || ecdsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
- if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
+ if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) {
+ fprintf(stderr, "%s bits %d\n", __func__, bits);
return SSH_ERR_KEY_LENGTH;
+ }
*ecdsap = NULL;
if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
@@ -1881,6 +1888,8 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
goto out;
}
if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
ret = SSH_ERR_KEY_LENGTH;
goto out;
}
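Review bot: The fprintf added in sshkey_from_blob_internal writes to stderr unconditionally from a key-parsing path, and the same pattern is repeated in the two sshkey_private_deserialize hunks and in sshkey_parse_private_pem_fileblob. If the blob can originate from a peer, every undersized RSA key produces output on whatever stderr is attached to, which should not survive into a build used for anything but the unit tests. I would put each of these behind a compile-time guard such as `#ifdef DEBUG_PK` (sshkey.c appears to use that macro for its other debug output; confirm) with a comment `/* debug only: report which length check rejected the key */`. The function starts and ends outside the hunk.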
@@ -2664,6 +2673,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
(r = ssh_rsa_generate_additional_parameters(k)) != 0)
goto out;
if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(k->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
r = SSH_ERR_KEY_LENGTH;
goto out;
}
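Review bot: Both length checks in sshkey_private_deserialize (this hunk and the next one, at -2678) print the same text with the same `__func__`, so the output cannot show which of the two branches rejected the key, which is what the diff sets out to narrow down. Adding the line number would tell them apart, e.g. `fprintf(stderr, "%s:%d num_bits %d min %d\n", __func__, __LINE__, BN_num_bits(k->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);`. The enclosing case labels are not visible in either hunk, so which key types the two checks belong to cannot be confirmed from here.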
@@ -2678,6 +2689,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
(r = ssh_rsa_generate_additional_parameters(k)) != 0)
goto out;
if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(k->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
r = SSH_ERR_KEY_LENGTH;
goto out;
}
@@ -3476,6 +3489,8 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
goto out;
}
if (BN_num_bits(prv->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(prv->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
r = SSH_ERR_KEY_LENGTH;
goto out;
}
--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.