Re: Call for testing: OpenSSH 6.8

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



OpenSSH has been configured with the following options:
                     User binaries: /opt/bin
                   System binaries: /opt/sbin
               Configuration files: /opt/etc
                   Askpass program: /opt/libexec/ssh-askpass
                      Manual pages: /opt/share/man/manX
                          PID file: /opt/etc
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
                    Manpage format: man
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: rlimit

              Host: powerpc-ibm-aix5.3.0.0
          Compiler: cc -qlanglvl=extc89
    Compiler flags: -g
Preprocessor flags:
      Linker flags:  -blibpath:/usr/lib:/lib
         Libraries: -lcrypto -lz
Just one example - they are all like this:
cc -qlanglvl=extc89 -g  -I. -I.  -DSSHDIR=\"/opt/etc\"
-D_PATH_SSH_PROGRAM=\"/opt/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/opt/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/opt/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/opt/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/opt/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c dns.c -o dns.o
"/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name va_copy has
been redefined.
"/usr/include/stdarg.h", line 89.9: 1506-358 (I) "va_copy" is defined on
line 838 of defines.h.

...
ranlib libssh.a
cc -qlanglvl=extc89 -o ssh ssh.o readconf.o clientloop.o sshtty.o
sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o
roaming_client.o -L. -Lopenbsd-compat/  -blibpath:/usr/lib:/lib -lssh
-lopenbsd-compat  -lcrypto -lz
ld: 0711-317 ERROR: Undefined symbol: .va_copy
ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
information.

The error above is a bit unusual.
1) It has been seen before that with -qlanglvl=extc89 that va_copy is not
found. This is clear, I think, from the stdarg.h file:

   +88  #ifdef _ISOC99_SOURCE
   +89  #define va_copy(__list1,__list2) ((void)(__list1 = __list2))
   +90  #endif
   +91
   +92  #endif /* _ANSI_C_SOURCE */

I would think that _ISOC99_SOURCE would not be defined with
-qlanglvl=extc89.

2) Simple test:
cat c89.c
#include <stdarg.h>

/*
 * test what gets defined with flag -qlanglvl=extc89 and -qlanglvl=extc99
 */

c89(void *a, void *b)
{

#ifdef _ANSI_C_SOURCE
#ifdef _ISOC99_SOURCE
        va_copy(a,b);
#else
        fake_ansi_copy(a,b);
#endif
#endif
#ifndef _ANSI_C_SOURCE
        fake_noansi_copy(a,b);
#endif
}

main()
{
        char a[4], b[4];
        c89(a,b);
}


root@x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc89 -E c89.c
#line 62 "/usr/include/va_list.h"
typedef char *va_list;
#line 7 "c89.c"
c89(void *a, void *b)
{
#line 12
        va_copy(a,b);
#line 20
}

main()
{
        char a[4], b[4];
        c89(a,b);
#line 29
}
root@x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc89 c89.c
ld: 0711-317 ERROR: Undefined symbol: .va_copy
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
information.
root@x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc99 -E c89.c
#line 62 "/usr/include/va_list.h"
typedef char *va_list;
#line 7 "c89.c"
c89(void *a, void *b)
{
#line 12
        __builtin_va_copy(a,b);
#line 20
}

main()
{
        char a[4], b[4];
        c89(a,b);
#line 29
}

3) Repeating above steps - prefixed with
CC=xlc
export CC
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h
config.status: config.h is unchanged

OpenSSH has been configured with the following options:
                     User binaries: /opt/bin
                   System binaries: /opt/sbin
               Configuration files: /opt/etc
                   Askpass program: /opt/libexec/ssh-askpass
                      Manual pages: /opt/share/man/manX
                          PID file: /opt/etc
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
                    Manpage format: man
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: rlimit

              Host: powerpc-ibm-aix5.3.0.0
          Compiler: xlc
    Compiler flags: -g
Preprocessor flags:
      Linker flags:  -blibpath:/usr/lib:/lib
         Libraries: -lcrypto -lz


gets rid of all the complaints about va_copy being redefined - but still
end missing
.EC_KEY_free

xlc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L.
-Lopenbsd-compat/  -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat  -lcrypto
-lz
ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
information.
make: *** [ssh] Error 8

No idea where this should be coming from (the check in configure is for
0.9.8k as minimum, and that is the level installed)


root@x064:[/data/prj/openbsd/openssh/openssh]lslpp -L | grep openssl
  openssl.base            0.9.8.1101    C     F    Open Secure Socket Layer
  openssl.license         0.9.8.1101    C     F    Open Secure Socket
License
 So this would be building against openssl-0.9.8k (because k is 11th letter)

Conclusion:
regarding CC value: when using IBM C - force to xlc when CC seems to be cc

No idea re: EC_KEY_free (newer openssl needed?)

On Thu, Feb 19, 2015 at 11:21 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:

> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is a simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev@xxxxxxxxxxx.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.7
> =========================
>
> This is a major release, containing a number of new features as
> well as a large internal re-factoring.
>
> Potentially-incompatible changes
> --------------------------------
>
>  * sshd(8): UseDNS now defaults to 'no'. Configurations that match
>    against the client host name (via sshd_config or authorized_keys)
>    may need to re-enable it or convert to matching against addresses.
>
> New Features
> ------------
>
>  * Much of OpenSSH's internal code has been re-factored to be more
>    library-like. These changes are mostly not user-visible, but
>    have greatly improved OpenSSH's testability and internal layout.
>
>  * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
>    command-line flags to the other tools to control algorithm used
>    for key fingerprints. The default changes from MD5 to SHA256 and
>    format from hex to base64.
>
>    Fingerprints now have the hash algorithm prepended. An example of
>    the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
>    Please note that visual host keys will also be different.
>
>  * ssh(1), sshd(8): Host key rotation support. Add a protocol
>    extension for a server to inform a client of all its available
>    host keys after authentication has completed. The client may
>    record the keys in known_hosts, allowing it to upgrade to better
>    host key algorithms and a server to gracefully rotate its keys.
>
>    The client side of this is controlled by a UpdateHostkeys config
>    option (default on).
>
>  * ssh(1): Add a ssh_config HostbasedKeyType option to control which
>    host public key types are tried during host-based authentication.
>
>  * ssh(1), sshd(8): fix connection-killing host key mismatch errors
>    when sshd offers multiple ECDSA keys of different lengths.
>
>  * ssh(1): when host name canonicalisation is enabled, try to
>    parse host names as addresses before looking them up for
>    canonicalisation. fixes bz#2074 and avoiding needless DNS
>    lookups in some cases.
>
>  * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
>    require OpenSSH to be compiled with OpenSSL support.
>
>  * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
>    authentication.
>
>  * sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
>    Bleichenbacher Side Channel Attack. Fake up a bignum key before
>    RSA decryption.
>
>  * sshd(8): Remember which public keys have been used for
>    authentication and refuse to accept previously-used keys.
>    This allows AuthenticationMethods=publickey,publickey to require
>    that users authenticate using two _different_ public keys.
>
>  * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
>    PubkeyAcceptedKeyTypes options to allow sshd to control what
>    public key types will be accepted. Currently defaults to all.
>
>  * sshd(8): Don't count partial authentication success as a failure
>    against MaxAuthTries.
>
>  * ssh(1): Add RevokedHostKeys option for the client to allow
>    text-file or KRL-based revocation of host keys.
>
>  * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
>    serial number or key ID without scoping to a particular CA.
>
>  * ssh(1): Add a "Match canonical" criteria that allows ssh_config
>    Match blocks to trigger only in the second config pass.
>
>  * ssh(1): Add a -G option to ssh that causes it to parse its
>    configuration and dump the result to stdout, similar to "sshd -T".
>
>  * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
>
>  * The regression test suite has been extended to cover more OpenSSH
>    features. The unit tests have been expanded and now cover key
>    exchange.
>
> Bugfixes
> --------
>
>  * ssh-keyscan(1): ssh-keyscan has been made much more robust again
>    servers that hang or violate the SSH protocol.
>
>  * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
>    being lost as comment fields.
>
>  * ssh(1): Allow ssh_config Port options set in the second config
>    parse phase to be applied (they were being ignored). bz#2286
>
>  * ssh(1): Tweak config re-parsing with host canonicalisation - make
>    the second pass through the config files always run when host name
>    canonicalisation is enabled (and not whenever the host name
>    changes) bz#2267
>
>  * ssh(1): Fix passing of wildcard forward bind addresses when
>    connection multiplexing is in use; bz#2324;
>
>  * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
>    formats; bz#2345.
>
>  * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
>    use.
>
>  * Various fixed to manual pages: bz#2288, bz#2316, bz#2273
>
> Portable OpenSSH
> ----------------
>
>  * Support --without-openssl at configure time
>
>    Disables and removes dependency on OpenSSL. Many features,
>    including SSH protocol 1 are not supported and the set of crypto
>    options is greatly restricted. This will only work on system with
>    native arc4random or /dev/urandom.
>
>    Considered highly experimental for now.
>
>  * Support --without-ssh1 option at configure time
>
>    Allows disabling support for SSH protocol 1.
>
>    Still experimental - not all regression and unit tests have been
>    been adapted for the absence of SSH protocol 1.
>
>  * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
>
>  * Allow custom service name for sshd on Cygwin. Permits the use of
>    multiple sshd running with different service names.
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh@xxxxxxxxxxx
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux