cfengine 3.10.1 "RSA exponent is too small or not odd" bootstrap error


Xander Cage

Jul 11, 2017, 5:07:26 AM
to help-c...@googlegroups.com

while testing out 3.10.1 some errors came up during bootstrap.

root@aixbuildhost: /var/cfengine/bin # ./startup.sh
   error: The public key RSA exponent is too small or not odd
   error: The public key RSA exponent is too small or not odd
  notice: Q: ".../cf-execd"":    error: The public key RSA exponent is too small or not odd
Q: ".../cf-execd"":    error: The public key RSA exponent is too small or not odd
  notice: Q: "...f-serverd"":    error: The public key RSA exponent is too small or not odd
Q: "...f-serverd"":    error: The public key RSA exponent is too small or not odd
  notice: Q: ".../cf-agent" -f /":    error: The public key RSA exponent is too small or not odd
Q: ".../cf-agent" -f /":    error: The public key RSA exponent is too small or not odd
Q: ".../cf-agent" -f /":   notice: Q: "...-monitord"":    error: The public key RSA exponent is too small or not odd
R: Bootstrapping from host '172.17.14.37' via built-in policy '/var/cfengine/inputs/failsafe.cf'
R: This host assumes the role of policy server
R: Updated local policy from policy server
R: Started the server
R: Started the scheduler
  notice: Bootstrap to '172.17.14.37' completed successfully!

what did i do wrong?

Dimitrios Apostolou

Jul 11, 2017, 5:31:14 AM
to Xander Cage, help-cfengine
Hello! What package are you using, or is it a custom build? Are you
installing over an old installation, if so, how old is it? What is the
first command in "startup.sh" that gives the "exponent too small"
error message?

Dimitris

Xander Cage

Jul 11, 2017, 6:43:56 AM
to help-cfengine, christia...@itsv.at

it is a "custom" aix build, but it contains nothing fancy (configure,make,install as usual). i install clean, old version removed. the startup.sh only contains the bootstrap command (/var/cfengine/bin/cf-agent --bootstrap 172.17.14.37)

Dimitrios Apostolou

Jul 11, 2017, 6:58:53 AM
to Xander Cage, help-cfengine
On Tue, Jul 11, 2017 at 12:43 PM, Xander Cage <christia...@itsv.at> wrote:
>
> it is a "custom" aix build, but it contains nothing fancy
> (configure,make,install as usual). i install clean, old version removed. the

Which openssl version does it link to? Do you wipe off all of ppkeys
directory? If so, try running first "cf-key" to create a new pair of
keys. Does it fail with the same message?


Dimitris

Xander Cage

Jul 11, 2017, 7:31:03 AM
to help-cfengine, christia...@itsv.at
openssl version is 1.0.21

root@aixbuildhost: /var/cfengine # rpm -qa | grep openssl
openssl-devel-1.0.2l-1.ppc
openssl-1.0.2l-1.ppc

even with new cf-key after wiping out ppkeys dir, the same error.

the spec file used to build the rpm:

Summary: A systems administration tool for networks
Name: cfengine
Version: 3.10.1
Release: itsv1
License: GPLv2+
Group: Applications/System
Source0: ftp://ftp.iu.hio.no/pub/cfengine/%{name}-%{version}.tar.gz
Source1: startup.sh
URL: http://www.cfengine.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

BuildRequires: AIX-rpm >= 5.2.0.0
BuildRequires: bison, flex, m4
BuildRequires: curl-devel >= 7.51.0-1
BuildRequires: openssl-devel >= 1.0.2j-2
BuildRequires: pcre-devel >= 8.39-1
BuildRequires: libxml2-devel >= 2.9.4-1
BuildRequires: openldap-devel >= 2.4.45-0.1

Requires: AIX-rpm >= 5.2.0.0
Requires: curl >= 7.51.0-1
Requires: openssl >= 1.0.2j-2
Requires: pcre >= 8.39-1
Requires: libxml2 >= 2.9.4-1
Requires: openldap >= 2.4.45-0.1

%description
Cfengine, or the configuration engine is an agent/software robot and a
very high level language for building expert systems to administrate
and configure large computer networks. Cfengine uses the idea of classes
and a primitive form of intelligence to define and automate
the configuration and maintenance of system state, for small to huge
configurations. Cfengine is designed to be a part of a computer immune
system.


%prep
%setup -q


%build
export CONFIG_SHELL=/usr/bin/ksh
export CONFIG_ENV_ARGS=/usr/bin/ksh

export OBJECT_MODE=64
export CC="xlc_r -D_LARGE_FILES"
export CFLAGS="-q64 -qmaxmem=-1 -DNDEBUG -DSYSV -D_AIX -D_AIX64 -D_AIX41 -D_AIX43 -D_AIX51 -D_AIX52 -D_AIX53 -D_AIX61 -D_AIX71 -D_ALL_SOURCE -DFUNCPROTO=15 -I/opt/freeware/include"
export CXX="xlC_r"
export CXXFLAGS=$CFLAGS
export LDFLAGS="-L/opt/freeware/lib64 -Wl,-blibpath:/opt/freeware/lib64:/usr/lib:/lib -Wl,-bmaxdata:0x80000000 -Wl,-b64 -Wl,-bexpall -Wl,-bnoipath"


./configure \
    --prefix=/var/cfengine \
    --sbindir=/var/cfengine/bin \
    --localstatedir=/var/cfengine \
    --with-workdir=/var/cfengine \
    --with-openssl \
    --with-lmdb \
    --with-pcre \
    --with-libxml2

gmake %{?_smp_mflags}


%install
[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
gmake install DESTDIR=${RPM_BUILD_ROOT}

#/usr/bin/strip ${RPM_BUILD_ROOT}/var/cfengine/bin/* || :

cp %{SOURCE1} ${RPM_BUILD_ROOT}/var/cfengine/bin/

%pre


%post
/var/cfengine/bin/cf-key >/dev/null || :
chmod 700 /var/cfengine/ppkeys
/var/cfengine/bin/startup.sh
/usr/sbin/lsitab cfengine 1>/dev/null 2>&1 || \
/usr/sbin/mkitab "cfengine:2:once:/var/cfengine/bin/startup.sh > /dev/console 2>&1"


%preun
ps -ef | grep cf-agent | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
ps -ef | grep cf-execd | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
ps -ef | grep cf-monitord | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
ps -ef | grep cf-serverd | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1

%postun


%clean
[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}


%files
%defattr(-,root,system,-)
/var/cfengine/bin/*
/var/cfengine/inputs
/var/cfengine/lib/*
/var/cfengine/modules
/var/cfengine/outputs
/var/cfengine/plugins
/var/cfengine/ppkeys
/var/cfengine/share/*


%changelog
* Mon Jul 10 2017 .... ...... <...........@......> - 3.10.1-1-itsv
- first rpm version of itsv cfengine

Dimitrios Apostolou

Jul 11, 2017, 7:55:22 AM
to Xander Cage, help-cfengine
Alright, this error message comes from libpromises/crypto.c:

    if (PUBKEY != NULL
        && ((BN_num_bits(PUBKEY->e) < 2) || (!BN_is_odd(PUBKEY->e))))
    {
        Log(LOG_LEVEL_ERR, "The public key RSA exponent is too small or not odd");
        return false;
    }


Could you edit the Log() line to print some more details? Something like that:

    Log(LOG_LEVEL_ERR,
        "The public key RSA exponent is too small or not odd (num_bits=%d is_odd=%d)",
        BN_num_bits(PUBKEY->e), BN_is_odd(PUBKEY->e));


Do you get any warnings while compiling? What is the new message you
get after re-compiling?


Dimitris

Xander Cage

Jul 12, 2017, 6:52:54 AM
to help-cfengine, christia...@itsv.at
changed the log line, now the following message appears

   error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)
   error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)
  notice: Q: ".../cf-execd"":    error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)
Q: ".../cf-execd"":    error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)
  notice: Q: "...f-serverd"":    error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)
Q: "...f-serverd"":    error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)
  notice: Q: ".../cf-agent" -f /":    error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)
Q: ".../cf-agent" -f /":    error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)
Q: ".../cf-agent" -f /":   notice: Q: "...-monitord"":    error: The public key RSA exponent is too small or not odd (num_bits=17 is_odd=0)

R: Bootstrapping from host '172.17.14.37' via built-in policy '/var/cfengine/inputs/failsafe.cf'
R: This host assumes the role of policy server
R: Updated local policy from policy server
R: Started the server
R: Started the scheduler
  notice: Bootstrap to '172.17.14.37' completed successfully!

Dimitrios Apostolou

Jul 12, 2017, 10:02:24 AM
to Xander Cage, help-cfengine
On Wed, Jul 12, 2017 at 12:52 PM, Xander Cage <christia...@itsv.at> wrote:
> error: The public key RSA exponent is too small or not odd (num_bits=17
> is_odd=0)


That makes no sense. An RSA public key exponent can not be even, but
only odd. Such a key can not be generated by OpenSSL. Can you attach
the key material localhost.pub and localhost.priv here, if you don't
intend to reuse them?


Dimitris

Xander Cage

Jul 12, 2017, 10:06:38 AM
to help-cfengine, christia...@itsv.at
root@aixbuildhost: /var/cfengine/ppkeys # cat localhost.priv

root@aixbuildhost: /var/cfengine/ppkeys # cat localhost.pub
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAnbL7DSpOOaold5HXW554Mw67O6rFiq8dJWLHgv789LQz2BuFrHxM
5W3QLx5jcX3y4htVgFAcy7FOsforCSnfH4v7ukuIT1WrWY1CeJxg7Xgu/BrK1ExF
+IDB+6vT41eOsNfT45YriTVknEW4JcuPBsmLgcPhXx1eWvcmljbqCRwxA70CKAqx
3p9J0n8jaiKzABAk7W0ofu+u0c7ghLrBfOTzIT/oZ4DbIYw7ol7kHV6OH55PsRz+
L0GsVURjS7FJyvA3tn5jBY2ayX9lffkVHxMf7VmikhIFa0Pp31gDnFTEe26YYXlR
yLGkGfbj24RQMUnkaY4hQef6XHl0SaFOlwIDAQAB
-----END RSA PUBLIC KEY-----

Dimitrios Apostolou

Jul 12, 2017, 10:16:04 AM
to Xander Cage, help-cfengine
On Wed, Jul 12, 2017 at 4:06 PM, Xander Cage <christia...@itsv.at> wrote:
> -----BEGIN RSA PUBLIC KEY-----
> MIIBCgKCAQEAnbL7DSpOOaold5HXW554Mw67O6rFiq8dJWLHgv789LQz2BuFrHxM
> 5W3QLx5jcX3y4htVgFAcy7FOsforCSnfH4v7ukuIT1WrWY1CeJxg7Xgu/BrK1ExF
> +IDB+6vT41eOsNfT45YriTVknEW4JcuPBsmLgcPhXx1eWvcmljbqCRwxA70CKAqx
> 3p9J0n8jaiKzABAk7W0ofu+u0c7ghLrBfOTzIT/oZ4DbIYw7ol7kHV6OH55PsRz+
> L0GsVURjS7FJyvA3tn5jBY2ayX9lffkVHxMf7VmikhIFa0Pp31gDnFTEe26YYXlR
> yLGkGfbj24RQMUnkaY4hQef6XHl0SaFOlwIDAQAB
> -----END RSA PUBLIC KEY-----


$ openssl rsa -in /tmp/localhost.pub -text -noout -RSAPublicKey_in
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)


Your exponent is indeed 17 bits long, but it is definitely odd. Are
you sure your openssl is good?


Dimitris
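
An independent cross-check of the two conditions the crypto.c test evaluates, as an added example that is not CFEngine or OpenSSL code: it reads the publicExponent straight from PKCS#1 RSAPublicKey DER bytes (what base64-decoding a localhost.pub body yields) without going through OpenSSL's BIGNUM accessors. The function names and the tiny sample keys (toy modulus 3233) are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* What the crypto.c check looks at, computed from raw DER bytes. */
struct exp_info {
    int num_bits; /* bit length of e, the quantity BN_num_bits() reports */
    int is_odd;   /* 1 if the lowest bit of e is set, like BN_is_odd() */
};

/* Constructed sample keys: SEQUENCE { INTEGER modulus, INTEGER exponent } */
static const unsigned char KEY_E65537[] =
    { 0x30, 0x09, 0x02, 0x02, 0x0C, 0xA1, 0x02, 0x03, 0x01, 0x00, 0x01 };
static const unsigned char KEY_E65536[] = /* even exponent */
    { 0x30, 0x09, 0x02, 0x02, 0x0C, 0xA1, 0x02, 0x03, 0x01, 0x00, 0x00 };
static const unsigned char KEY_E1[] =     /* one-bit exponent */
    { 0x30, 0x07, 0x02, 0x02, 0x0C, 0xA1, 0x02, 0x01, 0x01 };

/* Read a DER header with the expected tag at *pos. On success store the
 * content length in *clen and move *pos to the first content byte. */
static int der_header(const unsigned char *buf, size_t len, size_t *pos,
                      unsigned char tag, size_t *clen)
{
    size_t p = *pos, n = 0;
    if (len < 2 || p > len - 2 || buf[p] != tag)
        return -1;
    p++;
    unsigned char b = buf[p++];
    if (b < 0x80) {
        n = b;                          /* short form */
    } else {
        size_t nbytes = b & 0x7F;       /* long form: nbytes length octets */
        if (nbytes == 0 || nbytes > 4 || nbytes > len - p)
            return -1;
        while (nbytes--)
            n = (n << 8) | buf[p++];
    }
    if (n > len - p)                    /* content must fit in the buffer */
        return -1;
    *pos = p;
    *clen = n;
    return 0;
}

/* Extract bit length and parity of publicExponent. Returns 0, or -1 if the
 * input is not a well-formed RSAPublicKey with a non-negative exponent. */
int rsa_pub_exponent_info(const unsigned char *der, size_t len,
                          struct exp_info *out)
{
    size_t pos = 0, seq_len, n_len, e_len, i = 0;
    if (der_header(der, len, &pos, 0x30, &seq_len) != 0)
        return -1;
    size_t end = pos + seq_len;
    if (der_header(der, end, &pos, 0x02, &n_len) != 0)
        return -1;
    pos += n_len;                       /* skip the modulus */
    if (der_header(der, end, &pos, 0x02, &e_len) != 0 || e_len == 0)
        return -1;
    const unsigned char *e = der + pos; /* big-endian, two's complement */
    if (e[0] & 0x80)
        return -1;                      /* negative INTEGER */
    while (i < e_len && e[i] == 0)
        i++;                            /* leading zero octets carry no bits */
    out->num_bits = 0;
    if (i < e_len) {
        int top = 0;
        for (unsigned char b = e[i]; b != 0; b >>= 1)
            top++;
        out->num_bits = (int)((e_len - i - 1) * 8) + top;
    }
    out->is_odd = e[e_len - 1] & 1;     /* parity lives in the last octet */
    return 0;
}

/* Same acceptance rule as the check quoted from crypto.c. */
int exponent_acceptable(const struct exp_info *ei)
{
    return !(ei->num_bits < 2 || !ei->is_odd);
}

int main(void)
{
    const struct { const char *name; const unsigned char *der; size_t len; } keys[] = {
        { "e=65537", KEY_E65537, sizeof KEY_E65537 },
        { "e=65536", KEY_E65536, sizeof KEY_E65536 },
        { "e=1",     KEY_E1,     sizeof KEY_E1 },
    };
    for (size_t k = 0; k < sizeof keys / sizeof keys[0]; k++) {
        struct exp_info ei;
        if (rsa_pub_exponent_info(keys[k].der, keys[k].len, &ei) != 0) {
            printf("%s: malformed key\n", keys[k].name);
            continue;
        }
        printf("%s: num_bits=%d is_odd=%d -> %s\n", keys[k].name, ei.num_bits,
               ei.is_odd, exponent_acceptable(&ei) ? "accepted" : "rejected");
    }
    return 0;
}
```

The e=65536 sample shows what a key file would have to contain for "num_bits=17 is_odd=0" to be an accurate statement; a file whose exponent decodes as 65537 should always give is_odd=1 here.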

Xander Cage

Jul 12, 2017, 10:29:25 AM
to help-cfengine, christia...@itsv.at

openssl was built from official sources, so i consider it "good" as far as this can be said about openssl.

Dimitrios Apostolou

Jul 12, 2017, 10:31:27 AM
to Xander Cage, help-cfengine
What's the output of this command on the same AIX box?

openssl rsa -in /tmp/localhost.pub -text -noout -RSAPublicKey_in



Xander Cage

Jul 12, 2017, 10:34:20 AM
to help-cfengine, christia...@itsv.at
root@aixbuildhost: /var/cfengine/ppkeys # /opt/freeware/bin/openssl rsa -in  /tmp/localhost.pub  -text -noout -RSAPublicKey_in

Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)

Dimitrios Apostolou

Jul 12, 2017, 10:37:24 AM
to Xander Cage, help-cfengine
OK, then maybe CFEngine is reading the wrong file. Can you run the
strace command equivalent (truss?) and copy the output a couple of
pages before cf-engine spews that message?

Xander Cage

Jul 13, 2017, 4:49:45 AM
to help-cfengine, christia...@itsv.at
i trussed the process but could not find any evidence of the error message. but i found a kopen with the keyfile.

statx("/var/cfengine", 0x0FFFFFFFFFFF91E0, 176, 01) = 0
statx("/var", 0x0FFFFFFFFFFF91E0, 176, 0)       = 0
statx("/var/cfengine", 0x0FFFFFFFFFFF91E0, 176, 0) = 0
statx("/var/cfengine/state", 0x0FFFFFFFFFFFB4A0, 176, 0) = 0
statx("/var/cfengine/modules", 0x0FFFFFFFFFFFB4A0, 176, 0) = 0
statx("/var/cfengine/ppkeys", 0x0FFFFFFFFFFFB4A0, 176, 0) = 0
getuidx(2)                                      = 0
kopen("/var/cfengine/ppkeys/localhost.priv", O_RDONLY) = 3
kioctl(3, 22528, 0x0000000000000000, 0x0000000000000000) Err#25 ENOTTY
kioctl(3, 22528, 0x0000000000000000, 0x0000000000000000) Err#25 ENOTTY
kread(3, " - - - - - B E G I N   R".., 4096)    = 1751
close(3)                                        = 0
getuidx(2)                                      = 0
kopen("/var/cfengine/ppkeys/localhost.pub", O_RDONLY) = 3
kioctl(3, 22528, 0x0000000000000000, 0x0000000000000000) Err#25 ENOTTY
kioctl(3, 22528, 0x0000000000000000, 0x0000000000000000) Err#25 ENOTTY
kread(3, " - - - - - B E G I N   R".., 4096)    = 426
close(3)                                        = 0
statx("/usr/share/lib/zoneinfo//Europe/Vienna", 0x0FFFFFFFFFFFAE90, 176, 0) = 0
kopen("/usr/share/lib/zoneinfo//Europe/Vienna", O_RDONLY) = 3
kread(3, " T Z i f 2\0\0\0\0\0\0\0".., 41448)   = 2211
close(3)                                        = 0
__libc_sbrk(0x0000000000010020)                 = 0x0000000110087660
kopen("/usr/share/lib/zoneinfo//posixrules", O_RDONLY) Err#2  ENOENT
kwrite(1, "       e r r o r :   T h".., 85)     = 85
socket(1, 2, 0)                                 = 3
kfcntl(3, F_SETFD, 0x0000000000000001)          = 0
connext(3, 0x09001000A0022A58, 16)              = 0
statx("/usr/share/lib/zoneinfo//Europe/Vienna", 0x0FFFFFFFFFFFA530, 176, 0) = 0
_getpid()                                       = 14614628
kopen("/dev/null", O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH) = 4
kioctl(4, 22528, 0x0000000000000000, 0x0000000000000000) Err#19 ENODEV
kioctl(4, 22528, 0x0000000000000000, 0x0000000000000000) Err#19 ENODEV
kwrite(4, " C F E n g i n e ( a g e".., 93)     = 93
close(4)                                        = 0

Dimitrios Apostolou

Jul 13, 2017, 6:02:16 AM
to Xander Cage, help-cfengine
On Thu, Jul 13, 2017 at 10:49 AM, Xander Cage <christia...@itsv.at> wrote:
> i trussed the process but could not find any evidence of the error message.
> but i found a kopen with the keyfile.

And in the same trussed run you still get the error message that the
exponent is not odd? But when you examine
/var/cfengine/ppkeys/localhost.pub with openssl, the exponent comes
out odd, as it should? It just doesn't make any sense.


Dimitris

Xander Cage

Jul 13, 2017, 6:07:32 AM
to help-cfengine, christia...@itsv.at
yes, the error spills out on stdout but not in the truss output file. just for fun i made a build of version 3.10.0, runs without any errors.

Dimitrios Apostolou

Jul 13, 2017, 7:22:03 AM
to Xander Cage, help-cfengine
On Thu, Jul 13, 2017 at 12:07 PM, Xander Cage <christia...@itsv.at> wrote:
> yes, the error spills out on stdout but not in the truss output file. just
> for fun i made a build of version 3.10.0 , runs without any errors.

Can you redirect both truss output and normal output to a file (truss
cf-whatever >truss.log 2>&1) , gzip it, and send it directly to me?

Does 3.10.0 work with the same key? Or did you wipe off /var/cfengine?
If so can you try 3.10.0 with a key from 3.10.1? Finally can you "ldd"
the 3.10.1 binary in /var/cfengine/bin, and libpromises.so in
/var/cfengine/lib? I want to see which openssl they link to.


Dimitris

Xander Cage

Jul 14, 2017, 3:22:17 AM
to help-cfengine, christia...@itsv.at

i rebuilt the package with an older version of openssl (1.0.2k), same error.

Dimitrios Apostolou

Jul 14, 2017, 5:59:20 AM
to Xander Cage, help-cfengine
The strace output you sent me from cf-promises shows no indications:
everything is normal until the error message is printed.

You mentioned earlier that 3.10.0 works.

Does 3.10.0 work with the same key? Or did you wipe off /var/cfengine?
If so can you try 3.10.0 with a key from 3.10.1? Finally can you "ldd"
the 3.10.1 binary in /var/cfengine/bin, and libpromises.so in
/var/cfengine/lib? Can you do the same for the working 3.10.0?
I want to see which openssl they link to.


Dimitris


Xander Cage

Jul 17, 2017, 4:57:34 AM
to help-c...@googlegroups.com, christia...@itsv.at

this case gets weirder every day. i rebuilt the openssl rpm from the source rpm and recompiled cfengine 3.10.0 and 3.10.1 against it. now the error comes up on both versions. i don't know, but i think there is something fishy within this openssl release. i have no idea how to proceed from here. should i post this on the openssl lists?

update: did a ldd on a binary and the lib file, it seems they use different versions of the openssl library. libpromises.so wants to load the old ibm openssl.

root@aixbuildhost: /var/cfengine/bin # ldd cf-agent
cf-agent needs:
         /lib/libc.a(shr_64.o)
         /lib/libpthread.a(shr_xpg5_64.o)
         /var/cfengine/lib/libpromises.a(libpromises.so.3)
         /opt/freeware/lib/libxml2.a(libxml2.so.2)
         /opt/freeware/lib/libpcre.a(libpcre.so.1)
         /lib/libpam.a(shr_64.o)
         /unix
         /lib/libcrypt.a(shr_64.o)
         /lib/libpthreads.a(shr_xpg5_64.o)
         /opt/freeware/lib/libyaml.a(libyaml-0.so.2)
         /lib/libdl.a(shr_64.o)
         /opt/freeware/lib/libcrypto.a(libcrypto.so.1.0.2)
         /opt/freeware/lib/libssl.a(libssl.so.1.0.2)
         /opt/freeware/lib/libcurl.a(libcurl.so.4)
         /lib/libc.a(shr.o)
         /opt/freeware/lib/libiconv.a(libiconv.so.2)
         /opt/freeware/lib/libz.a(libz.so.1)
         /opt/freeware/lib/liblzma.a(liblzma.so.5)
         /lib/libpthread.a(shr_xpg5.o)
         /lib/libpthreads.a(shr_xpg5.o)
         /lib/libmls.a(shr_64.o)
         /opt/freeware/lib/libssh2.a(libssh2.so.1)
         /lib/libcrypt.a(shr.o)
         /lib/libpthreads.a(shr_comm.o)
         /lib/libmlsenc.a(shr_64.o)
         /lib/libodm.a(shr_64.o)
root@aixbuildhost: /var/cfengine/bin # cd .
root@aixbuildhost: /var/cfengine/bin # cd .
root@aixbuildhost: /var/cfengine/bin # cd lib
-bash: cd: lib: No such file or directory
root@aixbuildhost: /var/cfengine/bin # cd ..
root@aixbuildhost: /var/cfengine # ls
bin                       cfagent.aixbuildhost.log  lib                       outputs                   ppkeys                    reports
cf-execd.pid              inputs                    masterfiles               plugins                   promise_summary.log       share
cf-serverd.pid            lastseen                  modules                   policy_server.dat         randseed                  state
root@aixbuildhost: /var/cfengine # cd lib
root@aixbuildhost: /var/cfengine/lib # ls
libpromises.a   libpromises.la
root@aixbuildhost: /var/cfengine/lib # ar -Xany -tv libpromises.a
rwxr-xr-x     0/0     2369509 Jul 17 11:12 2017 libpromises.so.3
root@aixbuildhost: /var/cfengine/lib # ar -Xany x libpromises.a
root@aixbuildhost: /var/cfengine/lib # ls
libpromises.a     libpromises.la    libpromises.so.3
root@aixbuildhost: /var/cfengine/lib # ldd libpromises.so.3
libpromises.so.3 needs:
         /usr/lib/libc.a(shr_64.o)
         /usr/lib/libpthreads.a(shr_xpg5_64.o)
         /usr/lib/libpcre.a(libpcre.so.1)
         /usr/lib/libyaml.a(libyaml-0.so.2)
         /usr/lib/libdl.a(shr_64.o)
         /usr/lib/libcrypto.a(libcrypto.so.1.0.2)
ar: 0707-109 Member name libcrypto.so.1.0.2 does not exist.
dump: /tmp/tmpdir19792106/extract/libcrypto.so.1.0.2: 0654-106 Cannot open the specified file.
         /usr/lib/libssl.a(libssl.so.1.0.2)
ar: 0707-109 Member name libssl.so.1.0.2 does not exist.
dump: /tmp/tmpdir19792106/extract/libssl.so.1.0.2: 0654-106 Cannot open the specified file.
         /usr/lib/libcurl.a(libcurl.so.4)
         /unix
         /usr/lib/libcrypt.a(shr_64.o)
         /usr/lib/libc.a(shr.o)
         /usr/lib/libpthreads.a(shr_xpg5.o)
         /usr/lib/libz.a(libz.so.1)
         /usr/lib/libssh2.a(libssh2.so.1)
         /usr/lib/libcrypt.a(shr.o)
         /usr/lib/libpthreads.a(shr_comm.o)



update 2: fixed the search path in libpromises.so, same error.


root@aixbuildhost: /var/cfengine/lib # ldd libpromises.so.3
libpromises.so.3 needs:
         /usr/lib/libc.a(shr_64.o)
         /usr/lib/libpthreads.a(shr_xpg5_64.o)
         /opt/freeware/lib/libpcre.a(libpcre.so.1)
         /opt/freeware/lib/libyaml.a(libyaml-0.so.2)
         /usr/lib/libdl.a(shr_64.o)
         /opt/freeware/lib/libcrypto.a(libcrypto.so.1.0.2)
         /opt/freeware/lib/liblmdb.a(liblmdb.so)
         /opt/freeware/lib/libssl.a(libssl.so.1.0.2)
         /opt/freeware/lib/libcurl.a(libcurl.so.4)
         /unix
         /usr/lib/libcrypt.a(shr_64.o)
         /usr/lib/libc.a(shr.o)
         /usr/lib/libpthreads.a(shr_xpg5.o)
         /opt/freeware/lib/libz.a(libz.so.1)
         /opt/freeware/lib/libssh2.a(libssh2.so.1)
         /usr/lib/libcrypt.a(shr.o)
         /usr/lib/libpthreads.a(shr_comm.o)

Xander Cage

Jul 17, 2017, 7:14:35 AM
to help-cfengine, christia...@itsv.at

i created an issue on the openssl bugtracker, please hook up and fill in some details.

https://github.com/openssl/openssl/issues/3949

Dimitrios Apostolou

Jul 17, 2017, 8:53:52 AM
to Xander Cage, help-cfengine
On Mon, Jul 17, 2017 at 1:14 PM, Xander Cage <christia...@itsv.at> wrote:
> update: did a ldd on a binary and the lib file, it seems they use different
> versions of the openssl library. libpromises.so wants to load the old ibm
> openssl.


Before building, try configuring --with-openssl=/var/cfengine or
wherever the correct "lib" folder is in.

Xander Cage

Apr 8, 2019, 8:32:41 AM
to help-cfengine
i just want to inform you guys that this error is still present in 3.12.1.

root@aixbuildhostng: /var/cfengine/bin # ./cf-agent -V
CFEngine Core 3.12.1
root@aixbuildhostng: /var/cfengine/bin # ./cf-agent -D SPARE_DAILY

   error: The public key RSA exponent is too small or not odd
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Unable to open template file '/var/cfengine/inputs/ntp.conf.tmpl' to make '/etc/ntp.conf'
   error: Method 'b0005_itsv_config_ntp' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: RSA Exponent too small or not odd for key: /var/cfengine/ppkeys/root-MD5=ecafd01a913ec45ec5b9f6f940434bec.pub
   error: TRUST FAILED, server presented untrusted key: MD5=ecafd01a913ec45ec5b9f6f940434bec
   error: No suitable server found
   error: Method 'cferoot_sync_filelist' failed in some repairs
   error: Method 'nagios_user' failed in some repairs
   error: Method 'b0037_nagios_user' failed in some repairs
   error: Method 'itsv_autorun' failed in some repairs





Vratislav Podzimek

Apr 8, 2019, 8:44:10 AM
to help-c...@googlegroups.com
On Mon, 2019-04-08 at 05:32 -0700, Xander Cage wrote:
> i just want to inform you guys that this error is still present in 3.12.1.

Thanks for letting us know! Any chance you could try a 3.13 build?

--
Vratislav


Xander Cage

Apr 8, 2019, 9:07:08 AM
to help-cfengine
no problem..will try it out shortly.

Xander Cage

Apr 8, 2019, 9:31:16 AM
to help-cfengine
same error...

root@aixbuildhostng: /var/cfengine/bin # ./cf-agent -V
CFEngine Core 3.13.0

craig.c...@northern.tech

Apr 8, 2019, 11:00:34 AM
to help-cfengine
Hello,

I was looking at the openssl thread and it seemed you had resolved this issue before with some specific compiler options?


with "./Configure aix64-cc --prefix=/usr/local/itsvbuild/64 --openssldir=/usr/local/itsvbuild/64/ssl shared" and a rebuild of cfengine against this version the error is gone. i have not the slightest idea why but it is. the only difference is it was built without rpmbuild which is ODD (pun intended).
however, as there will be no more groundbreaking insights, this thread can be closed.

Just wondering if you were still building from source and using the above configuration that seemed to work for you previously?

Or did you test out packaged builds from us for 3.12.1 and 3.13?

Thanks,
Craig

Xander Cage

Apr 9, 2019, 6:31:34 AM
to help-cfengine

this openssl issue is of no importance, because now i use IBM's native openssl delivered with aix. can the cause of this whole madness come from the aix/ppc platform endianness (AIX on power is BIG Endian)?
i mean, cfengine works, in reality this message is only "cosmetic". besides this, i am very curious what might be the root cause.

i made a patch which lowers the severity for now.

packagebuilder@aixbuildhostng: /home/packagebuilder/rpmbuild/SOURCES # cat cfengine-3.12.1-itsv1.aix.patch
--- cfengine-3.12.1.ORIG/libpromises/crypto.c   2018-11-29 12:44:49 +0000
+++ cfengine-3.12.1.CHANGED/libpromises/crypto.c        2019-04-09 12:15:24 +0000
@@ -262,8 +262,9 @@ bool LoadSecretKeys(const char *const pr
         RSA_get0_key
(*pub_key, &n, &e, NULL);
         
if ((BN_num_bits(e) < 2) || (!BN_is_odd(e)))
         
{
-            Log(LOG_LEVEL_ERR, "The public key RSA exponent is too small or not odd");
-            return false;
+            /* changed for aix, this is an impossible situation. see "https://groups.google.com/forum/#!topic/help-cfengine/-hmnIz0fA4Q" */
+            Log(LOG_LEVEL_NOTICE, "The public key RSA exponent is too small or not odd, this is some AIX bullshit and can be ignored");
+            return true;
         
}
     
}
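Review bot: In LoadSecretKeys the failure branch now ends in `return true`, so a public key whose exponent is too small or even is accepted on every platform, not only on AIX; nothing in the hunk restricts the change to the affected build. If the goal is to silence a false positive from one libcrypto build, keep `return false` as the default and put the relaxed path behind a build-time condition for that platform, and note that the `BN_num_bits(e) < 2` half of the test is relaxed along with the parity half. The log text should also state the condition neutrally, since it ends up in production logs.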

@@ -411,10 +412,11 @@ RSA *HavePublicKey(const char *username,
         RSA_get0_key
(newkey, &n, &e, NULL);
         
if ((BN_num_bits(e) < 2) || (!BN_is_odd(e)))
         
{
-            Log(LOG_LEVEL_ERR, "RSA Exponent too small or not odd for key: %s",
+          Log(LOG_LEVEL_ERR, "RSA Exponent too small or not odd for key: %s",
                 newname
);
             RSA_free
(newkey);
-            return NULL;
+            return NULL;
+
         
}
     
}
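Review bot: The two replaced lines in HavePublicKey differ only in whitespace: the `Log(` call loses two spaces of indentation and `return NULL;` gains a trailing blank line, so this hunk has no functional effect and should be dropped from the patch. It also leaves the patch inconsistent, because LoadSecretKeys now tolerates the failed exponent check while HavePublicKey still frees the key and returns NULL at LOG_LEVEL_ERR.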




Xander Cage

Apr 9, 2019, 9:00:08 AM
to help-cfengine
some findings, i toyed around a little bit, and it seems openssl's "BN_is_odd" function is the bad guy. i reversed the logic in crypto.c and now the error is gone. i have not the slightest idea what's going on here, or why this function works inverse in aix.
any enlightenments from your side?

patch:

root@aixbuildhostng: /root # cat /home/packagebuilder/rpmbuild/SOURCES/cfengine-3.12.1-itsv1.aix.patch
--- cfengine-3.12.1.ORIG/libpromises/crypto.c   2018-11-29 12:44:49 +0000
+++ cfengine-3.12.1.CHANGED/libpromises/crypto.c        2019-04-09 14:48:56 +0000
@@ -260,7 +260,7 @@ bool LoadSecretKeys(const char *const pr
     
{
         
const BIGNUM *n, *e;
         RSA_get0_key
(*pub_key, &n, &e, NULL);
-        if ((BN_num_bits(e) < 2) || (!BN_is_odd(e)))
+        if ((BN_num_bits(e) < 2) || (BN_is_odd(e)))
         
{

             
Log(LOG_LEVEL_ERR, "The public key RSA exponent is too small or not odd");

             
return false;
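Review bot: Dropping the `!` in `(BN_is_odd(e))` inverts the parity test in LoadSecretKeys for every build, so with a libcrypto whose BN_is_odd() behaves normally this rejects odd exponents and lets even ones through, while the message still reads "too small or not odd". A workaround for one misbehaving library build should be confined to that build with a preprocessor guard, or better left out in favour of fixing the library, so the check keeps its meaning everywhere else.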
@@ -409,7 +409,7 @@ RSA *HavePublicKey(const char *username,
     
{
         
const BIGNUM *n, *e;
         RSA_get0_key
(newkey, &n, &e, NULL);
-        if ((BN_num_bits(e) < 2) || (!BN_is_odd(e)))
+        if ((BN_num_bits(e) < 2) || (BN_is_odd(e)))
         
{

             
Log(LOG_LEVEL_ERR, "RSA Exponent too small or not odd for key: %s",
                 newname
);
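Review bot: HavePublicKey is where the same inverted test `(BN_is_odd(e))` applies to the key loaded under `newname`, so after this change an even exponent passes the sanity check there and an odd one is logged as an error. Since the identical condition is now edited in three places, consider moving it into one helper and making any platform exception there, so the three copies cannot drift apart.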
@@ -504,7 +504,7 @@ RSA *LoadPublicKey(const char *filename)

     RSA_get0_key
(key, &n, &e, NULL);

-    if (BN_num_bits(e) < 2 || !BN_is_odd(e))
+    if (BN_num_bits(e) < 2 || BN_is_odd(e))
     
{
         
Log(LOG_LEVEL_ERR, "Error while reading public key '%s' - RSA Exponent is too small or not odd. (BN_num_bits: %s)",
             filename
, GetErrorStr());
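Review bot: In LoadPublicKey the context line logs `(BN_num_bits: %s)` but passes `GetErrorStr()`, so the message reports an unrelated error string rather than the bit count; with the parity test inverted on the line above, that output will be misleading when someone debugs a rejected key. If this hunk is kept, log the actual `BN_num_bits(e)` value and the result of `BN_is_odd(e)` so the log shows which half of the condition fired.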



craig.c...@northern.tech

Apr 9, 2019, 11:08:08 AM
to help-cfengine
On Tuesday, April 9, 2019 at 8:00:08 AM UTC-5, Xander Cage wrote:
> some findings, i toyed around a little bit, and it seems openssl's "BN_is_odd" function is the bad guy. i reversed the logic in crypto.c and now the error is gone. i have not the slightest idea what's going on here, or why this function works inverse in aix.
> any enlightenments from your side?

Thanks for the research!

I read openssl/crypto/bn/README.pod and didn't see anything particularly related.

I looked for bugs at https://github.com/openssl/openssl/issues?utf8=%E2%9C%93&q=+BN_is_odd+ and found nothing related.

I do see that there are two tests that look at BN_is_odd().

~/src/openssl/test$ find | xargs grep -s BN_is_odd
./testutil/tests.c:    if (a != NULL && BN_is_odd(a))
./testutil/tests.c:    if (a != NULL && !BN_is_odd(a))
./bntest.c:                && TEST_false((BN_is_odd(a) && BN_is_odd(c))
./bntest.c:                        || (!BN_is_odd(a) && !BN_is_odd(c)))))
./bntest.c:    if (BN_is_odd(m)) {
./bntest.c:    if (BN_is_odd(m)) {

I wonder if you can run those tests and see how the results go? Maybe that would be a good starting place for you to submit a bug to openssl or to give us an indication where cfengine code might be going wrong.

If I can, I will try to build and run those tests on an AIX box.

Can you remind me what version of AIX OS and hardware you are using as well as version of openssl? So we can compare accurately?

Thanks,
Craig

Xander Cage

Apr 10, 2019, 1:53:24 AM
to help-cfengine


someone on stackoverflow seems to have a similar problem...

Xander Cage

Apr 10, 2019, 4:27:48 AM
to help-cfengine
i did the openssl BIGNUM tests and they went through successfully...weird.

2222 tests passed



Xander Cage

Apr 10, 2019, 5:30:26 AM
to help-c...@googlegroups.com
i compiled some test code, on aix(big endian) and linux ppc64le(little endian). they run on the same hardware. the results are conclusive.

aix compile string: gcc -maix64 -lcrypto -o openssl_odd_even openssl_odd_even.c
linux compile string: gcc  -lcrypto -o openssl_odd_even openssl_odd_even.c



code:
#include <stdio.h>
#include <openssl/pem.h>

#include <openssl/err.h>                                        /* ERR_* */
#include <openssl/rand.h>                                       /* RAND_* */
#include <openssl/bn.h>                                         /* BN_* */


int get_key(const unsigned char *buf, int len) {
    /* Parse the DER SubjectPublicKeyInfo; rsa->e is directly accessible in OpenSSL 1.0.2 */
    RSA *rsa = d2i_RSA_PUBKEY(NULL, &buf, len);
    if (rsa != NULL) {
        if (rsa->e != NULL) {
            printf("BN : <%s> (hex) -- <%s> (dec)\n", BN_bn2hex(rsa->e), BN_bn2dec(rsa->e));
            if (BN_is_odd(rsa->e) == 0) {
                printf("Error : RSA public exponent is even\n");
            } else {
                printf("RSA public exponent is OK.\n");
                RSA_free(rsa);  /* release the key on the success path too */
                return 0;
            }
        }
        RSA_free(rsa);
    } else {
        printf("Error : RSA is NULL\n");
    }
    return 1;
}

int main() {
const unsigned char data[] = { 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xd6, 0x70, 0x5d, 0x67, 0xf2, 0xe1, 0x34, 0x82, 0xd5, 0x2d, 0x79, 0xdd, 0x42, 0x55, 0x41, 0xaf, 0x0c, 0xc2, 0xb4, 0xb0, 0x94, 0xc6, 0xa0, 0x40, 0x54, 0x2e, 0x0f, 0xa5, 0x12, 0x3d, 0x43, 0x96, 0x13, 0x2d, 0x17, 0x50, 0xe5, 0x9a, 0x5a, 0x6e, 0x99, 0xc7, 0xd2, 0x63, 0x4c, 0xcd, 0x57, 0xcb, 0x57, 0x7e, 0x1e, 0x5f, 0x97, 0xaa, 0xbd, 0xe5, 0xc0, 0x98, 0xd9, 0x07, 0x52, 0xdc, 0x27, 0xa4, 0x19, 0xb2, 0x81, 0x5d, 0xd5, 0x03, 0x5c, 0xd2, 0xb3, 0xb8, 0x28, 0xaa, 0xd7, 0xaf, 0x02, 0x08, 0x1c, 0x6c, 0xc2, 0xa4, 0x6c, 0x41, 0xd3, 0xa6, 0xae, 0x51, 0x69, 0xb7, 0xd5, 0x79, 0xb8, 0x62, 0x68, 0x9e, 0xa9, 0x44, 0x8e, 0xbe, 0xb1, 0x2e, 0x1a, 0x3c, 0x4b, 0x21, 0x7b, 0x7d, 0x36, 0xf0, 0x97, 0x98, 0x81, 0x63, 0xa6, 0xfa, 0xf8, 0x28, 0x22, 0x72, 0xfe, 0x16, 0xa8, 0x16, 0x89, 0xbb, 0x02, 0x03, 0x01, 0x00, 0x01 }; /* A DER buffer, valid with openssl rsa -pubin -in <file> -inform DER */
   
    return get_key(data, sizeof data);
}


results aix:
packagebuilder@aixbuildhostng: /home/packagebuilder/test # ./openssl_odd_even
BN : <010001> (hex) -- <65537> (dec)
Error : RSA public exponent is even


results linux ppc64le:

root@lpgaixmgmtlx01:/root>./openssl_odd_even
BN : <010001> (hex) -- <65537> (dec)
RSA public exponent is OK.


and this problem only exists in 64bit mode, 32bit works ok on aix. this is real fun.

packagebuilder@aixbuildhostng: /home/packagebuilder/test # gcc -maix32 -lcrypto -o openssl_odd_even openssl_odd_even.c
packagebuilder@aixbuildhostng: /home/packagebuilder/test # ./openssl_odd_even
BN : <010001> (hex) -- <65537> (dec)
RSA public exponent is OK.
packagebuilder@aixbuildhostng: /home/packagebuilder/test # file openssl_odd_even
openssl_odd_even: executable (RISC System/6000 V3.1) or obj module not stripped
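A library-independent cross-check for the test program above, as an added example that is not part of the original post or of CFEngine or OpenSSL: it walks the DER SubjectPublicKeyInfo bytes by hand, extracts the public exponent, and applies the same "at least 2 bits and odd" rule, so a disagreement with BN_is_odd() points at the libcrypto build rather than at the key. The function names and the short sample key are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample, not a real key: SubjectPublicKeyInfo with a toy
 * 64-bit modulus and public exponent 65537 (bytes 01 00 01). */
static const uint8_t SAMPLE_SPKI[] = {
    0x30, 0x24, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
    0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x13, 0x00, 0x30, 0x10,
    0x02, 0x09, 0x00, 0xc5, 0x3a, 0x91, 0x7d, 0x2b, 0x44, 0xe6, 0x0f, /* n */
    0x02, 0x03, 0x01, 0x00, 0x01 };                                   /* e */

/* Read one DER tag+length at *p and advance *p to the value; -1 if malformed. */
static int der_header(const uint8_t **p, const uint8_t *end, size_t *len) {
    if (end - *p < 2) return -1;
    int tag = *(*p)++;
    size_t l = *(*p)++;
    if (l & 0x80) {                     /* long form: n length bytes follow */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof l || (size_t)(end - *p) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return -1;  /* value must fit in the buffer */
    *len = l;
    return tag;
}

/* Find the publicExponent of an RSA SubjectPublicKeyInfo; 0 on success, -1 on parse error. */
int spki_rsa_exponent(const uint8_t *der, size_t derlen,
                      const uint8_t **e, size_t *elen) {
    const uint8_t *p = der, *end = der + derlen;
    size_t len;
    if (der_header(&p, end, &len) != 0x30) return -1;   /* outer SEQUENCE */
    end = p + len;
    if (der_header(&p, end, &len) != 0x30) return -1;   /* AlgorithmIdentifier */
    p += len;
    if (der_header(&p, end, &len) != 0x03 || len < 1 || *p != 0) return -1;
    end = p + len; p++;                  /* BIT STRING body, skip unused-bits byte */
    if (der_header(&p, end, &len) != 0x30) return -1;   /* RSAPublicKey */
    end = p + len;
    if (der_header(&p, end, &len) != 0x02) return -1;   /* modulus n */
    p += len;
    if (der_header(&p, end, &len) != 0x02) return -1;   /* exponent e */
    *e = p; *elen = len;                                /* big-endian bytes */
    return 0;
}

/* Rule from crypto.c: >= 2 significant bits and low bit set; 1 = pass, 0 = reject. */
int exponent_ok(const uint8_t *e, size_t elen) {
    size_t i = 0, bits;
    if (elen == 0 || (e[0] & 0x80)) return 0;           /* empty or negative */
    while (i < elen && e[i] == 0) i++;                  /* leading zero bytes */
    if (i == elen) return 0;                            /* value is 0 */
    bits = (elen - i - 1) * 8;
    for (uint8_t b = e[i]; b; b >>= 1) bits++;          /* bits in top byte */
    return bits >= 2 && (e[elen - 1] & 1);
}

int main(void) {
    const uint8_t *e; size_t elen;
    if (spki_rsa_exponent(SAMPLE_SPKI, sizeof SAMPLE_SPKI, &e, &elen) != 0) return 2;
    puts(exponent_ok(e, elen) ? "exponent OK" : "exponent too small or not odd");
    return 0;
}
```

The DER buffer from the post can be passed to spki_rsa_exponent() unchanged; its outer lengths use the long form that der_header() handles.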



Xander Cage

Apr 10, 2019, 8:02:21 AM
to help-c...@googlegroups.com

AIX Version:
packagebuilder@aixbuildhostng: /home/packagebuilder/test # oslevel -s
7100-05-01-1731

openssl:
packagebuilder@aixbuildhostng: /home/packagebuilder/test # lslpp -l | grep openssl
  openssl.base            1.0.2.1601  COMMITTED  Open Secure Socket Layer
  openssl.license         1.0.2.1601  COMMITTED  Open Secure Socket License
  openssl.man.en_US       1.0.2.1601  COMMITTED  Open Secure Socket Layer
  openssl.base            1.0.2.1601  COMMITTED  Open Secure Socket Layer

dependencies/buildtoolchain exclusively from ibm's aixtoolbox, no bullfreeware, no perzl rpm's.

Hardware is IBM E980 / Power9 Processors
 
specfile used to build cfengine:

Summary: A systems administration tool for networks
Name: cfengine
Version: 3.12.1
Release: itsv1
License: GPLv2+
Group: Applications/System
Source0: https://cfengine-package-repos.s3.amazonaws.com/tarballs/%{name}-%{version}.tar.gz
Source1: startup.sh
Patch0: cfengine-3.12.1-itsv1.aix.patch
URL: http://www.cfengine.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

BuildRequires: AIX-rpm >= 5.2.0.0
BuildRequires: bison, flex, m4, make, gcc
BuildRequires: curl-devel >= 7.51.0-1
BuildRequires: pcre-devel >= 8.39-1
BuildRequires: libxml2-devel >= 2.9.4-1
BuildRequires: liblmdb-devel >= 0.9.21-2
BuildRequires: libyaml-devel >= 0.1.4-2
BuildRequires: libssh2-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: xz-devel

Requires: AIX-rpm >= 5.2.0.0
Requires: libgcc
Requires: libstdc++
Requires: curl >= 7.51.0-1
Requires: pcre >= 8.39-1
Requires: libxml2 >= 2.9.4-1
Requires: liblmdb >= 0.9.21-2
Requires: libyaml >= 0.1.4-2
Requires: openldap
Requires: xz-libs
Requires: libssh2
Requires: cyrus-sasl
Conflicts: cfengine

%description
Cfengine, or the configuration engine is an agent/software robot and a
very high level language for building expert systems to administrate
and configure large computer networks. Cfengine uses the idea of
classes and a primitive form of intelligence to define and automate
the configuration and maintenance of system state, for small to huge
configurations. Cfengine is designed to be a part of a computer immune
system.


%prep
%setup -q
%patch0 -p1

%build
export CONFIG_SHELL=/usr/bin/ksh
export CONFIG_ENV_ARGS=/usr/bin/ksh

export OBJECT_MODE=64
export AR="/usr/bin/ar -X64"
export RANLIB="/usr/bin/ranlib -X64"
export NM="/usr/bin/nm -X64"
export CC="gcc -maix64"
export CXX="g++ -maix64"
export CFLAGS="-DSYSV -D_AIX -D_ALL_SOURCE -DFUNCPROTO=15 -O -I/opt/freeware/include"
export CXXFLAGS=$CFLAGS
export LDFLAGS="-L/opt/freeware/lib64 -L/opt/freeware/lib -Wl,-blibpath:/opt/freeware/lib64:/opt/freeware/lib:/usr/lib:/lib"

./configure \
    --prefix=/var/cfengine \
    --sbindir=/var/cfengine/bin \
    --localstatedir=/var/cfengine \
    --with-workdir=/var/cfengine \
    --without-postgresql \
    --without-mysql \
    --with-lmdb \
    --with-openssl \
    --with-pcre \
    --with-libcurl \
    --with-libyaml \
    --with-libxml2

gmake %{?_smp_mflags}

%install

[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
gmake install DESTDIR=${RPM_BUILD_ROOT}

/usr/bin/strip ${RPM_BUILD_ROOT}/var/cfengine/bin/* || :

cp %{SOURCE1} ${RPM_BUILD_ROOT}/var/cfengine/bin/

%pre


%post
/var/cfengine/bin/cf-key >/dev/null || :
chmod 700 /var/cfengine/ppkeys
/var/cfengine/bin/startup.sh
/usr/sbin/lsitab cfengine 1>/dev/null 2>&1 || \
/usr/sbin/mkitab "cfengine:2:once:/var/cfengine/bin/startup.sh > /dev/console 2>&1"


%preun
ps -ef | grep cf-agent | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
ps -ef | grep cf-execd | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
ps -ef | grep cf-monitord | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1
ps -ef | grep cf-serverd | awk '{print $2}' | xargs kill -9 > /dev/null 2>&1

%postun


%clean
[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}


%files
%defattr(-,root,system,-)
/var/cfengine/bin/*
/var/cfengine/inputs
/var/cfengine/lib/*
/var/cfengine/modules
/var/cfengine/outputs
/var/cfengine/plugins
/var/cfengine/ppkeys
/var/cfengine/share/*



%changelog
* Mon Apr 8 2019 Christian Tremel <email removed> - 3.12.1-1-itsv
- update to  3.12.1, gcc build

* Mon Jul 10 2017 Christian Tremel <email removed> - 3.10.1-1-itsv
- first rpm version of itsv cfengine



craig.c...@northern.tech

Apr 10, 2019, 2:26:31 PM
to help-cfengine
Xander,

Thanks for all the information. Would you like to submit a bug and add a summary of this thread there so we can continue in a bit more structured way?

see link for "report a problem" at https://cfengine.com/support/

Interestingly looking back at your initial post I am wondering what impact the error log statements have on functionality? You might include functional impact of the error in your bug report.

I am working on getting an AIX VM up and running to fiddle with this.

Thanks again,
Craig

Xander Cage

Apr 11, 2019, 3:54:35 AM
to help-c...@googlegroups.com
i don't think this is a cfengine bug, this is clearly openssl's fault, so i opened an issue over there. will also file a bug report at IBM. i wonder why nobody else has run into this, maybe i am the only one who builds 64bit cfengine on aix *g*

Xander Cage

Jun 18, 2019, 6:22:02 AM
to help-cfengine

i just wanted to let you guys know that ibm found the culprit and fixed their openssl package.


A. OpenSSL 1.0.2.1800 version contains the following fixes as part of this release :
- TS002131610: RSA keys not properly generated in 64-bit library

so nothing to do on your side ;-)

Nick Anderson

Jun 18, 2019, 9:27:13 AM
to Xander Cage, help-cfengine

Xander Cage writes:

> i just wanted to let you guys know that ibm found the culprit and fixed their openssl package. A. OpenSSL 1.0.2.1800 version contains the following fixes as part of this release : - TS002131610: RSA keys not properly generated in 64-bit library so nothing to do on your side ;-)

Thanks for the follow-up Xander!

– Nick Anderson | Doer of Things | (+1) 785-550-1767 | https://northern.tech
