Hi Brent,
For portable you add -lthr so I think that's fine. As LIBADD= thr wasn't
available in FreeBSD's base framework I opted for pthreads. Still have
to test with adding -lthr.
Cheers, Bernard.
On 2018-04-08 1:36, Brent Cook wrote:
Hmm, that means we're missing a pthread dependency for FreeBSD by
default in portable, I think.
On Sat, Apr 7, 2018 at 6:19 PM, Bernard Spil <brnrd@xxxxxxxxxxx> wrote:
On 2018-04-07 21:50, Bob Beck wrote:
So this:
cipher->cipher = enc = EVP_get_cipherbyname(p);
Is returning NULL
and then
if (enc == NULL) {
PEMerror(PEM_R_UNSUPPORTED_ENCRYPTION);
Is your failure.
You need to instrument EVP_get_cipherbyname to see what's failing.
The autoinit call was added there between 2.6 and 2.7 - so
OPENSSL_init_crypto could cause you to return NULL if it
fails - however that should only fail if your pthread_once or
pthread_self are insane or failing.
So see what thing in EVP_get_cipherbyname is failing.
I think you wanna instrument EVP_
On Sat, Apr 7, 2018 at 1:13 PM, Bernard Spil <brnrd@xxxxxxxxxxx> wrote:
Hi Joel,
After adding that line
3769 clear_libcrypto_errors();
3770 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
3771 (char *)passphrase)) == NULL) {
3772 r = convert_libcrypto_error();
3773 ERR_print_errors_fp(stderr);
3774 goto out;
3775 }
$ bin/ssh-add ~/.ssh/id_rsa-oldformat
34383182280:error:09FFF072:lib(9):func(4095):reason(114):/usr/src/crypto/libressl/crypto/pem/pem_lib.c:529:
Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid format
Cheers, Bernard.
2018-04-07 14:30 GMT+02:00 Joel Sing <joel@xxxxxxxxxx>:
On Saturday 07 April 2018 11:50:15 Bernard Spil wrote:
On 2018-04-07 11:24, Bernard Spil wrote:
On 2018-04-07 9:04, Joel Sing wrote:
On Friday 06 April 2018 21:31:01 Bernard Spil wrote:
Hi,
When using OpenSSH with LibreSSL 2.7.x it cannot read existing RSA and
ECDSA private keys.
Error loading key "./id_rsa": invalid format
Rebuilding OpenSSH with LibreSSL 2.6.x fixes the issue. I had fixed this
issue early on with LibreSSL 2.7 by converting the key to "new file
format" (to verify the ecdsa key wasn't corrupted I loaded it in
Fail:
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<snip>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<snip>
Success (both keys after converting):
-----BEGIN OPENSSH PRIVATE KEY-----
I've been digging through ssh-keygen to find a way to convert them but
have yet to find the right knobs. -e only exports public keys.
Currently running `make test` on OpenSSH 7.7 with LibreSSL 2.7.2.
Any hints?
What does the following say, when compiled with 2.7.2:
$ openssl version
$ openssl rsa -in ~/.ssh/id_rsa -noout ; echo $?
$ ssh -V
Meanwhile I've figured out that I can prevent issues if I convert the
private key file to new format with
ssh-keygen -po -f keyfile
This is a workaround - it uses an OpenSSH specific format, rather than
OpenSSL's encrypted PEM.
I had saved my old key as id_rsa-oldformat
$ openssl version
LibreSSL 2.7.2
$ openssl rsa -in ~/.ssh/id_rsa-oldformat -noout
Enter pass phrase for /home/bernard/.ssh/id_rsa-oldformat:
$ echo $?
0
This confirms that LibreSSL 2.7.2 can still read, decode and decrypt
the key.
$ ssh -V
OpenSSH_7.2p2, LibreSSL 2.7.1
$ /usr/local/bin/ssh -V
OpenSSH_7.6p1, LibreSSL 2.7.1
I see that I need to recompile ssh with 2.7.2, the libraries they use
are 2.7.2 not 2.7.1.
Cheers, Bernard.
To rule out issues with OpenSSH in base or ports on FreeBSD, I've now
built a vanilla OpenSSH 7.7p1 linked against LibreSSL. No change.
$ ./configure --prefix=$HOME/openssh
$ make
$ make install
$ cd ~/openssh/bin
$ ./ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.2
$ ldd ./ssh
./ssh:
libcrypto.so.43 => /lib/libcrypto.so.43 (0x8008c3000)
libutil.so.9 => /lib/libutil.so.9 (0x800cab000)
libz.so.6 => /lib/libz.so.6 (0x800ebf000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x8010d8000)
libc.so.7 => /lib/libc.so.7 (0x8012f7000)
$ ./ssh-add ~/.ssh/id_rsa-oldformat
Error loading key "/home/bernard/.ssh/id_rsa-oldformat": invalid format
I've built LibreSSL 2.7.2 portable and OpenSSH 7.7p1 on a clean system:
$ ./ssh -V
OpenSSH_7.7p1, LibreSSL 2.7.2
$ ./ssh-add
Enter passphrase for /home/joel/.ssh/id_rsa:
Identity added: /home/joel/.ssh/id_rsa (/home/joel/.ssh/id_rsa)
The only thing that really changed from 2.6.4 to 2.7.2 in this area was the
auto-initialisation. I suspect that there is something with your environment
that is triggering the problem. The failure you're seeing is most likely
coming from the PEM_read_bio_PrivateKey() call in
sshkey_parse_private_pem_fileblob() - adding the following after line 3772 of
sshkey.c may give us some insight:
ERR_print_errors_fp(stderr);
Thanks for the hint Bob! Was not linking against the thread libs. Added
that and now it's all hunky-dory for base.
Cheers,
Bernard.
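
Added example, not part of the original thread and not OpenSSH or LibreSSL code: a shell helper that sorts private-key files by the header lines quoted in this thread, so the encrypted legacy PEM files (whose DEK-Info cipher name is what the EVP_get_cipherbyname() lookup discussed above has to resolve) can be inventoried separately from keys already in the OpenSSH format. It goes slightly beyond the thread by also recognising DSA and unencrypted PEM headers; the function names, output labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify private-key files by their header lines.
# Output of classify_key FILE (labels are this example's own):
#   openssh-new | legacy-pem-plain | legacy-pem-encrypted:<cipher> | unknown
classify_key() {
    awk '
    { sub(/\r$/, "") }                                  # tolerate CRLF files
    !pem && /^-----BEGIN OPENSSH PRIVATE KEY-----$/ { fmt = "openssh-new"; exit }
    !pem && /^-----BEGIN (RSA|EC|DSA) PRIVATE KEY-----$/ {
        pem = 1; fmt = "legacy-pem-plain"; next
    }
    pem && /^Proc-Type: *4,ENCRYPTED$/ { fmt = "legacy-pem-encrypted:?"; next }
    pem && /^DEK-Info: */ {                             # "DEK-Info: <cipher>,<iv>"
        sub(/^DEK-Info: */, ""); sub(/,.*$/, "")
        fmt = "legacy-pem-encrypted:" $0; exit
    }
    pem && !/^[A-Za-z-]+: / { exit }                    # header block is over
    END { print (fmt == "" ? "unknown" : fmt) }
    ' "$1"
}

# list_legacy_keys DIR: print "path<TAB>format" for each legacy PEM key in DIR.
list_legacy_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        fmt=$(classify_key "$f")
        case $fmt in legacy-pem-*) printf '%s\t%s\n' "$f" "$fmt" ;; esac
    done
}

# make_samples DIR: write constructed key files (placeholder bodies, no real keys).
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/id_rsa-oldformat"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1/id_rsa-newformat"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'AAAA' \
        '-----END EC PRIVATE KEY-----' > "$1/id_ecdsa-plain"
}

# Run with --demo to classify the constructed samples in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d" && list_legacy_keys "$d"; rm -rf "$d"
fi
```

Pointing list_legacy_keys at a real key directory only reads the header lines; it never prompts for a passphrase or touches the key material.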