bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-25 15:24 UTC
[Bug 2699] New: PKCS#8 private keys with AES-128-CBC stopped working
https://bugzilla.mindrot.org/show_bug.cgi?id=2699
Bug ID: 2699
Summary: PKCS#8 private keys with AES-128-CBC stopped working
Product: Portable OpenSSH
Version: 7.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: peter at lekensteyn.nl
In older OpenSSH versions, the key derivation method was quite weak,
but the encryption method could be changed (see
https://security.stackexchange.com/a/39293). Basically:
openssl pkcs8 -topk8 -in id_rsa -out keypk8.pem -v2 AES-128-CBC
With the latest OpenSSH version, the key no longer functions. "ssh
host" fails with "invalid format".
Expected result (7.4p1):
$ ssh-keygen -f keypk8.pem -y
Enter passphrase: 1234
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDQ33ndDr5N/AI8y2PzrqGbadLeS5fSf2GsVJx2B2KxhazL2z5Oufin+wjJ1hW12/zWyQs/9CFYQFrife+PrMUOdLitsmlD3l4lBQ29+XKsmPabtINPJQ0n4dxgBGeFxTCd4lJwiysmVsXPnNrgQTcx2nirrIk1C7wSW9Ai9W3fZQ=
Actual result (7.5p1):
$ ssh-keygen -f keypk8.pem -y
Enter passphrase:
Load key "keypk8.pem": invalid format
$ cat keypk8.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-29 08:19 UTC
[Bug 2699] PKCS#8 private keys with AES-128-CBC stopped working
https://bugzilla.mindrot.org/show_bug.cgi?id=2699
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I can't replicate this on either OpenBSD or Linux (Ubuntu variant). I
tried the key you provided and one that I generated:
$ ssh-keygen -t rsa -f k -C '' -N ''
Generating public/private rsa key pair.
Your identification has been saved in k.
Your public key has been saved in k.pub.
The key fingerprint is:
SHA256:m4QOVbZ5Q5sWhFIox47fgcUManmU2RNzIJJfYl9SmNw
The key's randomart image is:
+---[RSA 2048]----+
| .o+@BX* |
| o=X+&*E+ |
| +BoBo+* |
| ..o+.oo . |
| ....S. |
| o...o |
| . o |
| |
| |
+----[SHA256]-----+
$ openssl pkcs8 -topk8 -in k -out k.pem -v2 AES-128-CBC
Enter Encryption Password:
Verifying - Enter Encryption Password:
$ chmod 0600 k.pem
$ ssh-keygen -yf k.pem
Enter passphrase:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQD0cTGZ+1cqjei8PdYa7FoFUHYsUST7jTneMP+FktaD3RKqrkpKQdvTBfRqcYUeiwscgqmKa5KYvNvz2GXhO3Nk6Pe46MI9CC+bKoR/Gt+okQU54zua4TlmRRsPxQdGat6vtcD7bPeFcIpXLGt4troMs7VVSBgrVI1Z+QG2v41L85l360vsmo5mVDDKWODlG7D0QyulJpf9WVuAD9fAorBKh5hA2mcWLYiInD9uxsw3xst0nPnQdHXvTNkfF2u8LD6Hurh5ewYu58a8RSozCDqSn0s3F0Sm5oO4oJw+zd1QG/ljJ/fn2bPr2RCUx9L2CkjQcQAFZm13flx8tg77pJ+Z
$ ./ssh-keygen -yf k.pem
Enter passphrase:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQD0cTGZ+1cqjei8PdYa7FoFUHYsUST7jTneMP+FktaD3RKqrkpKQdvTBfRqcYUeiwscgqmKa5KYvNvz2GXhO3Nk6Pe46MI9CC+bKoR/Gt+okQU54zua4TlmRRsPxQdGat6vtcD7bPeFcIpXLGt4troMs7VVSBgrVI1Z+QG2v41L85l360vsmo5mVDDKWODlG7D0QyulJpf9WVuAD9fAorBKh5hA2mcWLYiInD9uxsw3xst0nPnQdHXvTNkfF2u8LD6Hurh5ewYu58a8RSozCDqSn0s3F0Sm5oO4oJw+zd1QG/ljJ/fn2bPr2RCUx9L2CkjQcQAFZm13flx8tg77pJ+Z
[djm at demiurge openssh]$ ssh -V
OpenSSH_7.2p2, OpenSSL 1.0.1f 6 Jan 2014
[djm at demiurge openssh]$ ./ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.1f 6 Jan 2014
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-29 09:13 UTC
[Bug 2699] PKCS#8 private keys with AES-128-CBC stopped working
https://bugzilla.mindrot.org/show_bug.cgi?id=2699
--- Comment #2 from Peter Wu <peter at lekensteyn.nl> ---
Perhaps the passphrase was wrongly entered (bad keyboard state?). It
works now when the correct passphrase is typed in (rebooted in between).
Can the error message be improved?
$ ssh-keygen -yf keypk8.pem
Enter passphrase: 1233
Load key "keypk8.pem": invalid format
$ ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.2k 26 Jan 2017
$ ssh-keygen -yf keypk8.pem
Enter passphrase: 1233
Load key "keypk8.pem": incorrect passphrase supplied to decrypt private key
$ ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-09 04:38 UTC
[Bug 2699] PKCS#8 private keys with AES-128-CBC stopped working
https://bugzilla.mindrot.org/show_bug.cgi?id=2699
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |dtucker at zip.com.au
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
Attachment #2990 Flags| |ok?(dtucker at zip.com.au)
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Created attachment 2990
--> https://bugzilla.mindrot.org/attachment.cgi?id=2990&action=edit
search first entry in libcrypto error stack for better error
OpenSSL makes it unfortunately painful to determine the actual problem
when it fails, by scattering root and proximal problems across an error
stack. This patch searches deeper in the stack and prefers to return
"wrong passphrase" errors when it finds them to other causes.
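The search strategy the patch describes, as an added C example (not OpenSSH's or OpenSSL's own code): a constructed libcrypto error queue, packed in OpenSSL's ERR_PACK layout, is classified first by the pre-patch rule (newest entry only) and then by the patched rule, which looks at the oldest entry for a wrong-passphrase error before falling back. The SSH_ERR-style outcome names, the reason-code values and the queue contents are assumptions.

```c
#include <stdio.h>
/* Outcomes, standing in for OpenSSH's SSH_ERR_* codes (names assumed here). */
enum { ERR_WRONG_PASSPHRASE = -1, ERR_INVALID_FORMAT = -2, ERR_LIBCRYPTO = -3 };
/* Library ids follow OpenSSL's ERR_LIB_* numbering (EVP=6, PEM=9, ASN1=13); the
 * reason codes are local stand-ins, not OpenSSL's real numeric values. */
enum { LIB_EVP = 6, LIB_PEM = 9, LIB_ASN1 = 13 };
enum { R_EVP_BAD_DECRYPT = 1, R_PEM_BAD_DECRYPT = 2, R_PEM_BAD_PASSWORD_READ = 3,
       R_PEM_NO_START_LINE = 4, R_PEM_ASN1_LIB = 5, R_ASN1_HEADER_TOO_LONG = 6 };
/* Packed like OpenSSL's ERR_PACK(): library in bits 24..31, reason in bits 0..11. */
static unsigned long pack(int lib, int r) { return ((unsigned long)(lib & 0xff) << 24) | (r & 0xfff); }
static int lib_of(unsigned long e) { return (int)((e >> 24) & 0xff); }
static int reason_of(unsigned long e) { return (int)(e & 0xfff); }
/* Error queue, oldest first: codes[0] is what ERR_peek_error() would return,
 * codes[n-1] what ERR_peek_last_error() would return. */
struct err_queue { const unsigned long *codes; size_t n; };
/* Map one libcrypto error to an outcome. */
static int translate(unsigned long e)
{
    switch (lib_of(e)) {
    case LIB_EVP:
        if (reason_of(e) == R_EVP_BAD_DECRYPT) return ERR_WRONG_PASSPHRASE;
        break;
    case LIB_PEM:
        if (reason_of(e) == R_PEM_BAD_DECRYPT || reason_of(e) == R_PEM_BAD_PASSWORD_READ)
            return ERR_WRONG_PASSPHRASE;
        if (reason_of(e) == R_PEM_NO_START_LINE) return ERR_INVALID_FORMAT;
        break;
    case LIB_ASN1:
        return ERR_INVALID_FORMAT;
    }
    return ERR_LIBCRYPTO;
}
/* Pre-patch: only the newest (proximal) entry is classified. */
static int classify_last_only(const struct err_queue *q)
{ return q->n ? translate(q->codes[q->n - 1]) : ERR_LIBCRYPTO; }
/* Patched: a wrong-passphrase error at the bottom of the stack wins; else as before. */
static int classify_search(const struct err_queue *q)
{
    if (q->n == 0) return ERR_LIBCRYPTO;
    if (translate(q->codes[0]) == ERR_WRONG_PASSPHRASE) return ERR_WRONG_PASSPHRASE;
    return translate(q->codes[q->n - 1]);
}
int main(void)
{
    /* Constructed queue for a wrong passphrase on a PBES2/AES-128-CBC PKCS#8 key: the
     * bad decrypt is oldest, then PKCS#8 parsing of the garbage plaintext fails. */
    const unsigned long wp[] = { pack(LIB_EVP, R_EVP_BAD_DECRYPT),
        pack(LIB_ASN1, R_ASN1_HEADER_TOO_LONG), pack(LIB_PEM, R_PEM_ASN1_LIB) };
    const struct err_queue q = { wp, 3 };
    printf("last-only: %d  search: %d\n", classify_last_only(&q), classify_search(&q));
    return 0;
}
```

With the constructed queue, the pre-patch rule reports a generic libcrypto error (what the reporter saw as "invalid format"), while the patched rule reports a wrong passphrase.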
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-09 04:38 UTC
[Bug 2699] PKCS#8 private keys with AES-128-CBC stopped working
https://bugzilla.mindrot.org/show_bug.cgi?id=2699
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2698
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-09 04:43 UTC
[Bug 2699] PKCS#8 private keys with AES-128-CBC stopped working
https://bugzilla.mindrot.org/show_bug.cgi?id=2699
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2990 Flags|ok?(dtucker at zip.com.au) |ok+
--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
Comment on attachment 2990
--> https://bugzilla.mindrot.org/attachment.cgi?id=2990
search first entry in libcrypto error stack for better error
Looks reasonable but I don't know openssl that well. Maybe you want to
get one of the libressl folks to look?
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-09 06:40 UTC
[Bug 2699] PKCS#8 private keys with AES-128-CBC stopped working
https://bugzilla.mindrot.org/show_bug.cgi?id=2699
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Patch applied. This will be in openssh 7.6.
bugzilla-daemon at bugzilla.mindrot.org
2018-Apr-06 02:26 UTC
[Bug 2699] PKCS#8 private keys with AES-128-CBC stopped working
https://bugzilla.mindrot.org/show_bug.cgi?id=2699
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.