GNU bug report logs - #77154: [PATCH 0/1] Update libssh2 and change crypto backend
Report forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Fri, 21 Mar 2025 15:29:02 GMT)
Acknowledgement sent to Christoph Buck <dev <at> icepic.de>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 21 Mar 2025 15:29:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hi!
This changeset bumps the version of libssh2 from 1.10.0 to 1.11.1 and changes
the crypto backend from libgcrypt to openssl. This is necessary in order to
support ed25519 hostkeys. For in-depth discussion see [1].
[1] https://lists.gnu.org/archive/html/guix-devel/2025-03/msg00165.html
Christoph Buck (1):
gnu: libssh2: Change crypto backend to openssl
gnu/packages/ssh.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
base-commit: efac1498c15198afc4f9a2bc700408bde1b3b3ed
prerequisite-patch-id: 0b1c4cf499ba54dfc80f907e777d8b1ff4083c0d
--
2.48.1
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Fri, 21 Mar 2025 18:09:02 GMT)
Message #8 received at 77154 <at> debbugs.gnu.org:
* gnu/packages/ssh.scm (libssh2): Change crypto backend to openssl
[arguments]: Replace libgcrypt with openssl
[propagated-inputs]: Replace libgcrypt with openssl
Change crypto backend to openssl to support ed25119 hostkeys.
Change-Id: I7603149d6e3a3c251bdc6c3238769a63b6a04d26
---
gnu/packages/ssh.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 66d9656caf..9a6f79bb30 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -193,9 +193,9 @@ (define-public libssh2
(build-system gnu-build-system)
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
- (propagated-inputs (list libgcrypt zlib))
+ (propagated-inputs (list openssl zlib))
(arguments
- (list #:configure-flags #~'("--with-libgcrypt"
+ (list #:configure-flags #~'("--with-crypto=openssl"
"--disable-static"
"--disable-docker-tests" )))
(synopsis "Client-side C library implementing the SSH2 protocol")
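Review bot: The context comment above `propagated-inputs` still reads "does not include paths to libgcrypt and zlib libraries" although the propagated input on the `+` line is now openssl. Update the comment to name openssl in the same commit so the stated reason for propagation matches the inputs.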
--
2.48.1
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Fri, 21 Mar 2025 18:29:01 GMT)
Message #11 received at 77154 <at> debbugs.gnu.org:
Hi!
Sorry for the spam! I messed up the first patch series. Here is the complete
changeset.
Christoph Buck (2):
gnu: libssh2: Update to 1.11.1
gnu: libssh2: Change crypto backend to openssl
gnu/packages/ssh.scm | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
base-commit: efac1498c15198afc4f9a2bc700408bde1b3b3ed
--
2.45.1
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Fri, 21 Mar 2025 18:29:02 GMT)
Message #14 received at 77154 <at> debbugs.gnu.org:
* gnu/packages/ssh.scm (libssh2): Update to 1.11.1
[arguments]: Disable tests which require docker
Change-Id: I1bfd8f2db82c190f2b036b3e2e722ded90d07435
---
gnu/packages/ssh.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index fecb3a2559..66d9656caf 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -181,7 +181,7 @@ (define-public libssh
(define-public libssh2
(package
(name "libssh2")
- (version "1.10.0")
+ (version "1.11.1")
(source (origin
(method url-fetch)
(uri (string-append
@@ -189,14 +189,15 @@ (define-public libssh2
version ".tar.gz"))
(sha256
(base32
- "0l8xwhhscvss7q007vpbkbv7jh9s43579rx2sf8lnfgd7l7yjr1d"))))
+ "1xsqysmrq40gdfjndd1yrcvwic16kn4jrzir6pn8xfadwg5pdv6r"))))
(build-system gnu-build-system)
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
(propagated-inputs (list libgcrypt zlib))
(arguments
(list #:configure-flags #~'("--with-libgcrypt"
- "--disable-static")))
+ "--disable-static"
+ "--disable-docker-tests" )))
(synopsis "Client-side C library implementing the SSH2 protocol")
(description
"libssh2 is a library intended to allow software developers access to
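Review bot: The new `base32` value on the `+` line under `sha256` is the only integrity check on the 1.11.1 tarball, and nothing in the patch or its log says how it was obtained. Please state in the submission how the tarball was fetched and the hash computed (and whether an upstream release signature was checked, if one is published), so a reviewer can reproduce the value before merging.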
--
2.45.1
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Fri, 21 Mar 2025 18:29:02 GMT)
Message #17 received at 77154 <at> debbugs.gnu.org:
* gnu/packages/ssh.scm (libssh2): Change crypto backend to openssl
[arguments]: Replace libgcrypt with openssl
[propagated-inputs]: Replace libgcrypt with openssl
Change crypto backend to openssl to support ed25119 hostkeys.
Change-Id: I7603149d6e3a3c251bdc6c3238769a63b6a04d26
---
gnu/packages/ssh.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 66d9656caf..9a6f79bb30 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -193,9 +193,9 @@ (define-public libssh2
(build-system gnu-build-system)
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
- (propagated-inputs (list libgcrypt zlib))
+ (propagated-inputs (list openssl zlib))
(arguments
- (list #:configure-flags #~'("--with-libgcrypt"
+ (list #:configure-flags #~'("--with-crypto=openssl"
"--disable-static"
"--disable-docker-tests" )))
(synopsis "Client-side C library implementing the SSH2 protocol")
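Review bot: Swapping libgcrypt for openssl in `propagated-inputs` keeps the propagation itself, but the justification in the comment above was written for the libgcrypt build. Check whether the `libssh2.pc` installed by a `--with-crypto=openssl` build still omits the crypto library paths; if it does not, openssl can become a regular input instead of being propagated to everything that installs libssh2.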
--
2.45.1
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Sat, 22 Mar 2025 00:35:01 GMT)
Message #20 received at 77154 <at> debbugs.gnu.org:
Hi,
I noticed the following typo in the commit message:
> Change crypto backend to openssl to support ed25119 hostkeys.
should read:
> Change crypto backend to openssl to support ed25519 hostkeys.
HTH
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
"If I destroy you, what business is it of yours ?" (Dark Forest, Liu Cixin)
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Sat, 22 Mar 2025 20:46:02 GMT)
Message #23 received at 77154 <at> debbugs.gnu.org:
* gnu/packages/ssh.scm (libssh2): Update to 1.11.1
[arguments]: Disable tests which require docker
Change-Id: I1bfd8f2db82c190f2b036b3e2e722ded90d07435
---
gnu/packages/ssh.scm | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index fecb3a2559..66d9656caf 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -181,7 +181,7 @@ (define-public libssh
(define-public libssh2
(package
(name "libssh2")
- (version "1.10.0")
+ (version "1.11.1")
(source (origin
(method url-fetch)
(uri (string-append
@@ -189,14 +189,15 @@ (define-public libssh2
version ".tar.gz"))
(sha256
(base32
- "0l8xwhhscvss7q007vpbkbv7jh9s43579rx2sf8lnfgd7l7yjr1d"))))
+ "1xsqysmrq40gdfjndd1yrcvwic16kn4jrzir6pn8xfadwg5pdv6r"))))
(build-system gnu-build-system)
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
(propagated-inputs (list libgcrypt zlib))
(arguments
(list #:configure-flags #~'("--with-libgcrypt"
- "--disable-static")))
+ "--disable-static"
+ "--disable-docker-tests" )))
(synopsis "Client-side C library implementing the SSH2 protocol")
(description
"libssh2 is a library intended to allow software developers access to
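Review bot: The added line `"--disable-docker-tests" )))` has a space before the closing parentheses, unlike the `"--disable-static")))` line it replaces; drop the space. A short comment next to the flag saying why the Docker-based tests are disabled would also help whoever revisits the test configuration later.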
base-commit: efac1498c15198afc4f9a2bc700408bde1b3b3ed
--
2.45.1
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Sat, 22 Mar 2025 20:46:02 GMT)
Message #26 received at 77154 <at> debbugs.gnu.org:
* gnu/packages/ssh.scm (libssh2): Change crypto backend to openssl
[arguments]: Replace libgcrypt with openssl
[propagated-inputs]: Replace libgcrypt with openssl
Change crypto backend to openssl to support ed25519 hostkeys.
Change-Id: I7603149d6e3a3c251bdc6c3238769a63b6a04d26
---
gnu/packages/ssh.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 66d9656caf..9a6f79bb30 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -193,9 +193,9 @@ (define-public libssh2
(build-system gnu-build-system)
;; The installed libssh2.pc file does not include paths to libgcrypt and
;; zlib libraries, so we need to propagate the inputs.
- (propagated-inputs (list libgcrypt zlib))
+ (propagated-inputs (list openssl zlib))
(arguments
- (list #:configure-flags #~'("--with-libgcrypt"
+ (list #:configure-flags #~'("--with-crypto=openssl"
"--disable-static"
"--disable-docker-tests" )))
(synopsis "Client-side C library implementing the SSH2 protocol")
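Review bot: The `--disable-docker-tests` flag in the context lines stays in place, so the build's test run may not exercise host-key negotiation with the new `--with-crypto=openssl` backend. Since ed25519 host keys are the stated reason for the change, add a line to the commit message or cover letter describing how that case was tested.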
--
2.45.1
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Wed, 23 Apr 2025 02:40:01 GMT)
Message #29 received at 77154 <at> debbugs.gnu.org:
tag 77154 + moreinfo
quit
Hi,
Christoph Buck <dev <at> icepic.de> writes:
> * gnu/packages/ssh.scm (libssh2): Change crypto backend to openssl
> [arguments]: Replace libgcrypt with openssl
> [propagated-inputs]: Replace libgcrypt with openssl
>
> Change crypto backend to openssl to support ed25519 hostkeys.
>
> Change-Id: I7603149d6e3a3c251bdc6c3238769a63b6a04d26
> ---
> gnu/packages/ssh.scm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
> index 66d9656caf..9a6f79bb30 100644
> --- a/gnu/packages/ssh.scm
> +++ b/gnu/packages/ssh.scm
> @@ -193,9 +193,9 @@ (define-public libssh2
> (build-system gnu-build-system)
> ;; The installed libssh2.pc file does not include paths to libgcrypt and
> ;; zlib libraries, so we need to propagate the inputs.
> - (propagated-inputs (list libgcrypt zlib))
> + (propagated-inputs (list openssl zlib))
> (arguments
> - (list #:configure-flags #~'("--with-libgcrypt"
> + (list #:configure-flags #~'("--with-crypto=openssl"
> "--disable-static"
> "--disable-docker-tests" )))
> (synopsis "Client-side C library implementing the SSH2 protocol")
I believe this series may be obsolete; libgcrypt 1.11 (already packaged
in Guix) appears to come with ed25519 support. The release notes
https://lists.gnu.org/archive/html/info-gnu/2024-06/msg00004.html
mention for example:
GCRY_KEM_RAW_X25519 NEW kem algo.
GCRY_KEM_DHKEM25519 NEW kem algo.
introduced since libgcrypt 1.10.
Is the original issue resolved? It seems that there is some support for
elliptic curve crypto using libgcrypt in libssh2 already, according to
[0].
[0] https://github.com/libssh2/libssh2/discussions/1255
Could you please report the exact issue you are having when using
libgcrypt?
--
Thanks,
Maxim
Added tag(s) moreinfo. Request was from Maxim Cournoyer <maxim.cournoyer <at> gmail.com> to control <at> debbugs.gnu.org. (Wed, 23 Apr 2025 02:40:02 GMT)
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Sun, 27 Apr 2025 09:32:04 GMT)
Message #34 received at 77154 <at> debbugs.gnu.org:
Hi Maxim,
> I believe this series may be obsolete; libgcrypt 1.11 (already packaged in Guix) appears to come with ed25519 support.
> ...
> Is the original issue resolved?
> ...
> Could you please report the exact issue you are having when using libgcrypt?
I don't think so.
I reran my tests: Guix on Debian foreign distro with channels.scm using git over SSH with SSH keys to Debian git server.
1. Full patch series: guix pull with libssh2 @ 1.11.1 compiled against libopenssl (3.0.8, latest one in guix): works.
2. First patch from patch series: guix pull with libssh2 @ 1.11.1 compiled against libgcrypt (1.11, latest one in guix): fails.
3. Guix baseline: guix pull with libssh2 @ 1.10.0 (latest one in guix) compiled against libgcrypt (1.11, latest one in guix): fails.
The client-side failure:
"guix pull: error: Git error: failed to start SSH session: Unable to exchange encryption keys"
And corresponding error message on the server:
"Apr 26 19:39:36 <hostname-redacted> sshd[1661214]: Unable to negotiate with <ip-and-port-redacted>: no matching host key type found. Their offer: ssh-rsa [preauth]"
I took another look at the libssh2 source code (https://github.com/libssh2/libssh2/blob/master/src/libgcrypt.h#L67), and the current master branch code (606c102, last commit 2 months ago) still disables support for ED25519 in libcrypt.h:
"#define LIBSSH2_ED25519 0"
Note: the libssh2 GitHub issue linked upthread mentions that the SSH key needs to be in a PEM format. Mine was not for the tests above (or any previous emails.) I looked into it more closely for this email, but could not figure out how to convert or make an ed25519 SSH key in PEM format using ssh-keygen.
Cheers,
Matthew Todd
matthew <at> zerobitcoder.net
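A server-side check for the failure reported in the message above, as an added example that is not part of the original thread: it scans sshd log lines for "no matching host key type found" and groups the rejected clients by what they offered, so clients that can only do `ssh-rsa` stand out. The log lines are constructed, and the `IP port N` peer format and the `LEGACY` set are assumptions of this example.

```python
import re
from collections import defaultdict

# Host-key algorithms counted as SHA-1 era here (assumption of this example).
LEGACY = {"ssh-rsa", "ssh-dss"}

# Matches the sshd message quoted in the report; peer format is assumed.
NEGOTIATE_RE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"no matching host key type found\. Their offer: (?P<offer>\S+)"
)

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
Apr 26 19:39:36 git sshd[1661214]: Unable to negotiate with 192.0.2.10 port 50022: no matching host key type found. Their offer: ssh-rsa [preauth]
Apr 26 19:41:02 git sshd[1661300]: Accepted publickey for git from 192.0.2.11 port 50100 ssh2: ED25519 SHA256:constructed
Apr 26 19:45:10 git sshd[1661412]: Unable to negotiate with 192.0.2.10 port 50031: no matching host key type found. Their offer: ssh-rsa [preauth]
Apr 26 19:50:00 git sshd[1661500]: Unable to negotiate with 198.51.100.7 port 40000: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
"""


def summarize_hostkey_failures(log_text):
    """Group host-key negotiation failures by peer address.

    Returns {peer: {"count", "offers", "sha1_rsa_only"}}, where
    sha1_rsa_only is True when the peer never offered anything
    outside LEGACY.
    """
    peers = defaultdict(lambda: {"count": 0, "offers": set()})
    for line in log_text.splitlines():
        m = NEGOTIATE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = peers[m["peer"]]
        entry["count"] += 1
        entry["offers"].update(m["offer"].split(","))
    return {
        peer: {
            "count": e["count"],
            "offers": sorted(e["offers"]),
            "sha1_rsa_only": e["offers"] <= LEGACY,
        }
        for peer, e in peers.items()
    }


if __name__ == "__main__":
    for peer, info in summarize_hostkey_failures(SAMPLE_LOG).items():
        print(peer, info)
```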
Information forwarded to guix-patches <at> gnu.org: bug#77154; Package guix-patches. (Mon, 28 Apr 2025 04:35:02 GMT)
Message #37 received at 77154 <at> debbugs.gnu.org:
Hi,
"Matthew Todd" <matthew <at> zerobitcoder.net> writes:
[...]
> I took another look at the libssh2 source code
> (https://github.com/libssh2/libssh2/blob/master/src/libgcrypt.h#L67),
> and the current master branch code (606c102, last commit 2 months ago)
> still disables support for ED25519 in libcrypt.h:
> "#define LIBSSH2_ED25519 0"
Thanks for explaining and pointing to the relevant source. Then it
seems the change you propose is justified. In libssh (not libssh2),
they recently deprecated the use of libgcrypt and I've already migrated
the package to use openssl instead, so both libssh and libssh2 will be
relying on openssl, which will at least be consistent.
--
Thanks,
Maxim