openssh bugs - Aug 2019 - [Bug 3050] New: "Bits has bad value 99999 (too large)" and "key bits exceeds maximum 16384"

https://bugzilla.mindrot.org/show_bug.cgi?id=3050

            Bug ID: 3050
           Summary: "Bits has bad value 99999 (too large)" and
"key bits
                    exceeds maximum 16384"
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: All
                OS: Mac OS X
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: zaomir at outlook.com

libres-MacBook:~ libre$ ssh-keygen -b 99999
Bits has bad value 99999 (too large)
libres-MacBook:~ libre$ ssh-keygen -b 32768
key bits exceeds maximum 16384


Why are these two error messages in different formats?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3050

zaomir at outlook.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|8.0p1                       |7.9p1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3050

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to zaomir from comment #0)
> Why are these two error messages in different formats?
They're different because they're getting caught be different checks.
> libres-MacBook:~ libre$ ssh-keygen -b 99999
> Bits has bad value 99999 (too large)
This is the general sanity check in the getopt parsing:

    bits = (u_int32_t)strtonum(optarg, 10, 32768, &errstr);
    if (errstr)
        fatal("Bits has bad value %s (%s)",
            optarg, errstr);
> libres-MacBook:~ libre$ ssh-keygen -b 32768
> key bits exceeds maximum 16384
This one is in the key-specific checks (type_bits_valid()), and these
limits are imposed by the build of OpenSSL:

   maxbits = (type == KEY_DSA) ?
       OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
   if (*bitsp > maxbits)
      fatal("key bits exceeds maximum %d", maxbits);

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3050

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
   Attachment #3308|                            |ok?(djm at mindrot.org)
              Flags|                            |

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3308
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3308&action=edit
Defer bit size tests to key-specific check

Without change:
$ ssh-keygen -b 99999  -t rsa -f /tmp/t
Bits has bad value 99999 (too large)

With change:
$ ssh-keygen/obj/ssh-keygen -b 99999  -t rsa -f /tmp/t
Invalid RSA key length: maximum is 16384 bits

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3050

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2988
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
This has been fixed (up to the size allowed by the underlying type,
anyway):

$ ./ssh-keygen -b 99999999
Invalid RSA key length: maximum is 16384 bits

If you want RSA keys larger than 16k you'll need to compile OpenSSL
with the larger limit then compile OpenSSH against that.  It'll
probably be an interop hassle, though.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3050

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3050

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3308|ok?(djm at mindrot.org)        |
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.