On Thu, Sep 21, 2017 at 02:22:10AM -0500, Zev Weiss wrote: > test_kex: regress/unittests/kex/test_kex.c:91 test #1 "sshkey_generate" > ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0) failed: > sshkey_generate(keytype, bits, &private) = -56 That error code is: $ grep -- -56 ssherr.h #define SSH_ERR_KEY_LENGTH -56 Unfortunately there's lots of places in that code that can return that. I have seen that on one Cygwin system (OpenSSL 1.0.2k) here so I added the below code to try to narrow it down. On mine it gave: test_kex: dsa_generate_private_key bits 2048 expected 1024 but I don't understand how. Don't try to use ssh or sshd with this diff as it'll probably mess things up pretty good.
diff --git a/ssh-sandbox.h b/ssh-sandbox.h
index bd5fd83..6bd76b3 100644
--- a/ssh-sandbox.h
+++ b/ssh-sandbox.h
@@ -22,3 +22,4 @@ struct ssh_sandbox *ssh_sandbox_init(struct monitor *);
 void ssh_sandbox_child(struct ssh_sandbox *);
 void ssh_sandbox_parent_finish(struct ssh_sandbox *);
 void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t);
+#define setrlimit(x,y) (0)
diff --git a/sshkey.c b/sshkey.c
index e91c54f..cfdd437 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1394,8 +1394,11 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
 if (rsap == NULL)
 return SSH_ERR_INVALID_ARGUMENT;
 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
- bits > SSHBUF_MAX_BIGNUM * 8)
+ bits > SSHBUF_MAX_BIGNUM * 8) {
+ fprintf(stderr, "%s bits %d min %d max %d\n", __func__, bits,
+ SSH_RSA_MINIMUM_MODULUS_SIZE, SSHBUF_MAX_BIGNUM);
 return SSH_ERR_KEY_LENGTH;
+ }
 *rsap = NULL;
 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
 ret = SSH_ERR_ALLOC_FAIL;
@@ -1425,8 +1428,10 @@ dsa_generate_private_key(u_int bits, DSA **dsap)
 if (dsap == NULL)
 return SSH_ERR_INVALID_ARGUMENT;
- if (bits != 1024)
+ if (bits != 1024) {
+ fprintf(stderr, "%s bits %d expected %d\n", __func__, bits, 1024);
 return SSH_ERR_KEY_LENGTH;
+ }
 if ((private = DSA_new()) == NULL) {
 ret = SSH_ERR_ALLOC_FAIL;
 goto out;
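Review bot: The `#define setrlimit(x,y) (0)` added at the end of ssh-sandbox.h turns every setrlimit() call in any file that includes this header into a no-op that reports success, so resource-limit based sandboxing would be silently disabled while callers still believe it was applied. The mail describes this as a throwaway diagnostic, but nothing in the hunk prevents it from being built into ssh or sshd. Wrap the define in a debug-only guard, e.g. `#ifdef KEYLEN_DEBUG` (placeholder name), and add a comment such as `/* DEBUG ONLY: neutralises setrlimit(); never ship */`. The reason for the override is inferred from context and is not stated in the patch.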
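Review bot: In the rsa_generate_private_key hunk the diagnostic prints `SSHBUF_MAX_BIGNUM` as the maximum, but the check just above compares `bits` with `SSHBUF_MAX_BIGNUM * 8`, so the reported bound is one eighth of the one actually enforced. `bits` is declared `u_int` in the signature yet is formatted with `%d`; the same mismatch appears in the dsa_generate_private_key and ecdsa_generate_private_key hunks. Suggested: `fprintf(stderr, "%s bits %u min %d max %d\n", __func__, bits,` followed by `SSH_RSA_MINIMUM_MODULUS_SIZE, SSHBUF_MAX_BIGNUM * 8);`. The function body starts and ends outside the hunk.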
@@ -1505,8 +1510,10 @@ ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
 if (nid == NULL || ecdsap == NULL)
 return SSH_ERR_INVALID_ARGUMENT;
- if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
+ if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) {
+ fprintf(stderr, "%s bits %d\n", __func__, bits);
 return SSH_ERR_KEY_LENGTH;
+ }
 *ecdsap = NULL;
 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
 ret = SSH_ERR_ALLOC_FAIL;
@@ -1881,6 +1888,8 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
 goto out;
 }
 if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
 ret = SSH_ERR_KEY_LENGTH;
 goto out;
 }
@@ -2664,6 +2673,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 (r = ssh_rsa_generate_additional_parameters(k)) != 0)
 goto out;
 if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(k->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
 r = SSH_ERR_KEY_LENGTH;
 goto out;
 }
@@ -2678,6 +2689,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 (r = ssh_rsa_generate_additional_parameters(k)) != 0)
 goto out;
 if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(k->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
 r = SSH_ERR_KEY_LENGTH;
 goto out;
 }
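Review bot: The `fprintf(stderr, ...)` added in the sshkey_from_blob_internal hunk runs unconditionally inside a key-blob parsing path, and the same two lines are repeated in both sshkey_private_deserialize hunks and in the sshkey_parse_private_pem_fileblob hunk. Library code that writes straight to stderr ends up on whatever descriptor 2 is in the calling process, and if the blob originates from a peer (not visible in these hunks) the output could be triggered remotely at will. If any of this outlives the experiment, compile it out by default behind a guard such as `#ifdef KEYLEN_DEBUG` (placeholder name), and store `BN_num_bits(...)` in a local so the value tested and the value printed come from one call. All four enclosing functions start and end outside their hunks.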
@@ -3476,6 +3489,8 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
 goto out;
 }
 if (BN_num_bits(prv->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ fprintf(stderr, "%s num_bits %d min %d\n", __func__,
+ BN_num_bits(prv->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
 r = SSH_ERR_KEY_LENGTH;
 goto out;
 }
-- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev