Work around conch interoperability failure

Twisted Conch fails to read private keys in the new format (https://twistedmatrix.com/trac/ticket/9515). Work around this until it can be fixed in Twisted.
author: Colin Watson <cjwatson@debian.org> 2018-08-30 01:00:47 +0100
committer: Colin Watson <cjwatson@debian.org> 2018-08-30 01:01:39 +0100
commit: 8d7ec0eab1ec3f0836a02c574281e400de45a0ac (patch)
tree: f6e224a08c5f2a8a5d2b5916d1ec817baddbfa90 /debian
parent: 816386e17654ca36834bebbf351419e460fad8f6 (diff)
parent: 38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 (diff)
4 files changed, 76 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 7cfb27f1e..19b6c162b 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-16a47fc4b04977a14f44dd433c8da1499fa80671
+38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
-16a47fc4b04977a14f44dd433c8da1499fa80671
+38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
 e6547182a54f0f268ee36e7c99319eeddffbaff2
 e6547182a54f0f268ee36e7c99319eeddffbaff2
 openssh_7.8p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index c3502c25a..652b7e27b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -102,6 +102,8 @@ openssh (1:7.8p1-1) UNRELEASED; urgency=medium
    - sshd(8): Expose details of completed authentication to PAM auth
      modules via SSH_AUTH_INFO_0 in the PAM environment.
  * Switch debian/watch to HTTPS.
+  * Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
+    regression tests.
 -- Colin Watson <cjwatson@debian.org>  Fri, 24 Aug 2018 10:13:03 +0100
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
new file mode 100644
index 000000000..ff5be43d8
--- /dev/null
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -0,0 +1,71 @@
+From 38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Thu, 30 Aug 2018 00:58:56 +0100
+Subject: Work around conch interoperability failure
+Twisted Conch fails to read private keys in the new format
+(https://twistedmatrix.com/trac/ticket/9515).  Work around this until it
+can be fixed in Twisted.
+Forwarded: not-needed
+Last-Update: 2018-08-30
+Patch-Name: conch-old-privkey-format.patch
+---
+ regress/Makefile         |  5 +++--
+ regress/conch-ciphers.sh |  2 +-
+ regress/test-exec.sh     | 12 ++++++++++++
+ 3 files changed, 16 insertions(+), 3 deletions(-)
+diff --git a/regress/Makefile b/regress/Makefile
+index 647b4a049..6e462a4f6 100644
+--- a/regress/Makefile
+++ b/regress/Makefile
+@@ -110,8 +110,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
+                modpipe netcat no_identity_config \
+                pidfile putty.rsa2 ready regress.log \
+                remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
+-               rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
+-               rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
+               rsa1 rsa1-agent rsa1-agent.pub rsa1.pub \
+               rsa_oldfmt rsa_oldfmt.pub \
+               rsa_ssh2_cr.prv rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
+                scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
+                sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
+                ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
+diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
+index 199d863a0..c7df19fd4 100644
+--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
+@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
+        rm -f ${COPY}
+        # XXX the 2nd "cat" seems to be needed because of buggy FD handling
+        # in conch
+-       ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER  -e none \
+       ${CONCH} --identity $OBJ/rsa_oldfmt --port $PORT --user $USER  -e none \
+            --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
+            127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
+        if [ $? -ne 0 ]; then
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 40d46e3cd..1bbd47f25 100644
+--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
+@@ -504,6 +504,18 @@ REGRESS_INTEROP_CONCH=no
+ if test -x "$CONCH" ; then
+        REGRESS_INTEROP_CONCH=yes
+ fi
+case "$SCRIPT" in
+*conch*)       ;;
+*)             REGRESS_INTEROP_CONCH=no
+esac
+
+if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
+       # Convert rsa key to old format to work around
+       # https://twistedmatrix.com/trac/ticket/9515
+       cp $OBJ/rsa $OBJ/rsa_oldfmt
+       cp $OBJ/rsa.pub $OBJ/rsa_oldfmt.pub
+       ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
+fi
+ 
+ # If PuTTY is present and we are running a PuTTY test, prepare keys and
+ # configuration
diff --git a/debian/patches/series b/debian/patches/series
index 1f82bea11..a248f086a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ debian-config.patch
 restore-authorized_keys2.patch
 seccomp-s390-flock-ipc.patch
 seccomp-s390-ioctl-ep11-crypto.patch
+conch-old-privkey-format.patch
author	Colin Watson <cjwatson@debian.org>	2018-08-30 01:00:47 +0100
committer	Colin Watson <cjwatson@debian.org>	2018-08-30 01:01:39 +0100
commit	8d7ec0eab1ec3f0836a02c574281e400de45a0ac (patch)
tree	f6e224a08c5f2a8a5d2b5916d1ec817baddbfa90 /debian
parent	816386e17654ca36834bebbf351419e460fad8f6 (diff)
parent	38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 (diff)

diff --git a/debian/.git-dpm b/debian/.git-dpm index 7cfb27f1e..19b6c162b 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	16a47fc4b04977a14f44dd433c8da1499fa80671	2	38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
3	16a47fc4b04977a14f44dd433c8da1499fa80671	3	38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
4	e6547182a54f0f268ee36e7c99319eeddffbaff2	4	e6547182a54f0f268ee36e7c99319eeddffbaff2
5	e6547182a54f0f268ee36e7c99319eeddffbaff2	5	e6547182a54f0f268ee36e7c99319eeddffbaff2
6	openssh_7.8p1.orig.tar.gz	6	openssh_7.8p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index c3502c25a..652b7e27b 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -102,6 +102,8 @@ openssh (1:7.8p1-1) UNRELEASED; urgency=medium
102	- sshd(8): Expose details of completed authentication to PAM auth	102	- sshd(8): Expose details of completed authentication to PAM auth
103	modules via SSH_AUTH_INFO_0 in the PAM environment.	103	modules via SSH_AUTH_INFO_0 in the PAM environment.
104	* Switch debian/watch to HTTPS.	104	* Switch debian/watch to HTTPS.
		105	* Temporarily work around https://twistedmatrix.com/trac/ticket/9515 in
		106	regression tests.
105		107
106	-- Colin Watson <cjwatson@debian.org> Fri, 24 Aug 2018 10:13:03 +0100	108	-- Colin Watson <cjwatson@debian.org> Fri, 24 Aug 2018 10:13:03 +0100
107		109


diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch new file mode 100644 index 000000000..ff5be43d8 --- /dev/null +++ b/debian/patches/conch-old-privkey-format.patch
@@ -0,0 +1,71 @@
		1	From 38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 Mon Sep 17 00:00:00 2001
		2	From: Colin Watson <cjwatson@debian.org>
		3	Date: Thu, 30 Aug 2018 00:58:56 +0100
		4	Subject: Work around conch interoperability failure
		5
		6	Twisted Conch fails to read private keys in the new format
		7	(https://twistedmatrix.com/trac/ticket/9515). Work around this until it
		8	can be fixed in Twisted.
		9
		10	Forwarded: not-needed
		11	Last-Update: 2018-08-30
		12
		13	Patch-Name: conch-old-privkey-format.patch
		14	---
		15	regress/Makefile \| 5 +++--
		16	regress/conch-ciphers.sh \| 2 +-
		17	regress/test-exec.sh \| 12 ++++++++++++
		18	3 files changed, 16 insertions(+), 3 deletions(-)
		19
		20	diff --git a/regress/Makefile b/regress/Makefile
		21	index 647b4a049..6e462a4f6 100644
		22	--- a/regress/Makefile
		23	+++ b/regress/Makefile
		24	@@ -110,8 +110,9 @@ CLEANFILES= .core actual agent-key. authorized_keys_${USERNAME} \
		25	modpipe netcat no_identity_config \
		26	pidfile putty.rsa2 ready regress.log \
		27	remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
		28	- rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
		29	- rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
		30	+ rsa1 rsa1-agent rsa1-agent.pub rsa1.pub \
		31	+ rsa_oldfmt rsa_oldfmt.pub \
		32	+ rsa_ssh2_cr.prv rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
		33	scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
		34	sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
		35	ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
		36	diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
		37	index 199d863a0..c7df19fd4 100644
		38	--- a/regress/conch-ciphers.sh
		39	+++ b/regress/conch-ciphers.sh
		40	@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
		41	rm -f ${COPY}
		42	# XXX the 2nd "cat" seems to be needed because of buggy FD handling
		43	# in conch
		44	- ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
		45	+ ${CONCH} --identity $OBJ/rsa_oldfmt --port $PORT --user $USER -e none \
		46	--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
		47	127.0.0.1 "cat ${DATA}" 2>/dev/null \| cat > ${COPY}
		48	if [ $? -ne 0 ]; then
		49	diff --git a/regress/test-exec.sh b/regress/test-exec.sh
		50	index 40d46e3cd..1bbd47f25 100644
		51	--- a/regress/test-exec.sh
		52	+++ b/regress/test-exec.sh
		53	@@ -504,6 +504,18 @@ REGRESS_INTEROP_CONCH=no
		54	if test -x "$CONCH" ; then
		55	REGRESS_INTEROP_CONCH=yes
		56	fi
		57	+case "$SCRIPT" in
		58	+conch) ;;
		59	+*) REGRESS_INTEROP_CONCH=no
		60	+esac
		61	+
		62	+if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
		63	+ # Convert rsa key to old format to work around
		64	+ # https://twistedmatrix.com/trac/ticket/9515
		65	+ cp $OBJ/rsa $OBJ/rsa_oldfmt
		66	+ cp $OBJ/rsa.pub $OBJ/rsa_oldfmt.pub
		67	+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
		68	+fi
		69
		70	# If PuTTY is present and we are running a PuTTY test, prepare keys and
		71	# configuration


diff --git a/debian/patches/series b/debian/patches/series index 1f82bea11..a248f086a 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -23,3 +23,4 @@ debian-config.patch
23	restore-authorized_keys2.patch	23	restore-authorized_keys2.patch
24	seccomp-s390-flock-ipc.patch	24	seccomp-s390-flock-ipc.patch
25	seccomp-s390-ioctl-ep11-crypto.patch	25	seccomp-s390-ioctl-ep11-crypto.patch
		26	conch-old-privkey-format.patch