
Re: Passphrase not working for ssh_pki_export_privkey_file


On Sunday, 8 February 2015 11:17:39 CET Julian Lunz wrote:
> On Fri, 06 Feb 2015 09:35:56 +0100
> 
> Andreas Schneider <asn@xxxxxxxxxxxxxx> wrote:
> > On Thursday 05 February 2015 16:21:03 Julian Lunz wrote:
> > > I had time to dig a bit further.
> > > 
> > > The function pki_private_key_to_pem in src/pki_crypto.c +554
> > > is missing a cipher in case of passphrase != NULL.
> > > 
> > > ssh-keygen uses AES-128-CBC therefore this is used in the attached
> > > patch.
> > > 
> > > Is the mailing list the preferred way for patches or better via
> > > Redmine?
> > 
> > Thank you very much for your contribution. It is fine to send patches
> > to the mailing list.
> > 
> > However to add the patch to the libssh repository we also need a test
> > for it!
> > 
> > Please take a look at tests/unittests/torture_pki.c and add a test.
> > You get the unit tests if you install cmocka [1] and run 'cmake
> > -DUNIT_TESTING=ON ..'
> > 
> > 
> > Cheers,
> > 
> > 	-- andreas
> > 
> > [1] http://cmocka.org
> 
> Sure, please find attached a patch series with tests included.
> 
> # 0001-Fix-pki_private_key_to_pem-by-adding-cipher.patch
> Contains the fix which adds cipher to ssh_string pki_private_key_to_pem.
> 
> 
> # 0002-tests-Add-encrypted-keys-export-for-rsa-dsa-ecdsa.patch
> Contains updated test for torture_pki_write_privkey_[rsa,dsa,ecdsa]
> + added private keys for ecdsa.
> 
> 
> I changed the existing calls to ssh_pki_export_privkey_file which had
> "" as a passphrase since NULL != "".
> 
> If PEM_write_bio_RSAPrivateKey has no cipher set, as it was before 0001,
> keys are always written in unencrypted form.
> 
> The documentation for ssh_pki_export_privkey_file says:
> 
> passphrase The passphrase to use to encrypt the key with or
>             NULL. An empty string means no passphrase.
> 
> If this should behave like that a check for an empty string in addition
> to check for NULL is needed.

Hi Julian,

looks like we totally forgot about your patchset. Sorry for that!

Could you please resend it with your Sign-Off and rebase on master? Also 
strange is that the test asks for a password.


Thanks,


	Andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
www.cryptomilk.org                asn@xxxxxxxxxxxxxx
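
Added example (not part of the thread and not libssh code): a stand-alone C check that a test could run on exported PEM text to confirm the contract discussed above, namely that a non-empty passphrase yields an encrypted key while NULL or "" yields plaintext. The function names and the sample PEM blocks are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pem_enc { PEM_NOT_A_KEY = -1, PEM_PLAINTEXT = 0, PEM_ENCRYPTED = 1 };

/* Classify a NUL-terminated PEM private key. PKCS#8 marks encryption in its
 * label; the traditional format uses Proc-Type/DEK-Info headers after the
 * BEGIN line, and the DEK-Info cipher name is copied to cipher (len >= 1). */
static enum pem_enc pem_key_encryption(const char *pem, char *cipher, size_t len)
{
    static const char pkcs8[] = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
    static const char proc[] = "\nProc-Type: 4,ENCRYPTED";
    static const char dekhdr[] = "\nDEK-Info: ";
    const char *begin = strstr(pem, "-----BEGIN ");
    const char *key = begin ? strstr(begin, "PRIVATE KEY-----") : NULL;
    const char *eol = begin ? strchr(begin, '\n') : NULL;
    cipher[0] = '\0';
    if (key == NULL || eol == NULL || key > eol) return PEM_NOT_A_KEY;
    if (strncmp(begin, pkcs8, sizeof(pkcs8) - 1) == 0) return PEM_ENCRYPTED;
    if (strncmp(eol, proc, sizeof(proc) - 1) != 0) return PEM_PLAINTEXT;
    const char *dek = strstr(eol, dekhdr);
    const char *comma = dek ? strchr(dek, ',') : NULL;
    if (comma != NULL && (size_t)(comma - dek) < len + sizeof(dekhdr) - 1) {
        dek += sizeof(dekhdr) - 1;          /* skip to the cipher name */
        memcpy(cipher, dek, (size_t)(comma - dek));
        cipher[comma - dek] = '\0';
    }
    return PEM_ENCRYPTED;
}

/* Documented contract: NULL or "" means no passphrase. Returns 1 if pem fits. */
static int export_matches_contract(const char *passphrase, const char *pem)
{
    char cipher[32];
    int want = passphrase != NULL && passphrase[0] != '\0';
    return pem_key_encryption(pem, cipher, sizeof(cipher)) == (want ? PEM_ENCRYPTED : PEM_PLAINTEXT);
}

/* Constructed samples: base64 body and IV are placeholders, not key material. */
static const char PLAIN_PEM[] = "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n";
static const char ENC_PEM[] = "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n";

int main(void)
{
    printf("passphrase set: plaintext ok=%d, encrypted ok=%d\n",
           export_matches_contract("secret", PLAIN_PEM), export_matches_contract("secret", ENC_PEM));
    return 0;
}
```

A plaintext result for a non-empty passphrase is the failure mode reported in this thread; an encrypted result for "" would contradict the documented behaviour.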


