* [PATCH 0/1] openssh: three fixes
@ 2013-06-07 2:27 rongqing.li
2013-06-07 2:27 ` [PATCH 1/1] " rongqing.li
0 siblings, 1 reply; 4+ messages in thread
From: rongqing.li @ 2013-06-07 2:27 UTC (permalink / raw)
To: openembedded-core
From: "Roy.Li" <rongqing.li@windriver.com>
The following changes since commit 9ba812ab1f613d28f9eb3192d2ff1a34dfce33e4:
binutils: fix compile error of complex expressions before @l/@h (2013-06-03 16:46:37 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib roy/openssh
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/openssh
Roy.Li (1):
openssh: three fixes
.../openssh-6.2p1/mac_compute-alignment.patch | 39 ++++++++++++++++++++
.../openssh-permit_empty_passwd.patch | 33 +++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.2p1.bb | 5 +++
3 files changed, 77 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
--
1.7.10.4
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/1] openssh: three fixes
2013-06-07 2:27 [PATCH 0/1] openssh: three fixes rongqing.li
@ 2013-06-07 2:27 ` rongqing.li
2013-06-07 21:41 ` Saul Wold
0 siblings, 1 reply; 4+ messages in thread
From: rongqing.li @ 2013-06-07 2:27 UTC (permalink / raw)
To: openembedded-core
From: "Roy.Li" <rongqing.li@windriver.com>
1. fix a alignment issue on ARM v7 NEON cpu
2. fix a empty passwd issue
3. enable tcp-wrappers by default
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
.../openssh-6.2p1/mac_compute-alignment.patch | 39 ++++++++++++++++++++
.../openssh-permit_empty_passwd.patch | 33 +++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.2p1.bb | 5 +++
3 files changed, 77 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
new file mode 100644
index 0000000..ea8a31a
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
@@ -0,0 +1,39 @@
+Upstream-Status: Pending
+
+The mac_compute() function in openssh calls umac_final() to prepend a tag
+to a buffer. Umac_final() calls pdf_gen_xor() on the tag as its final
+operation, and as implemented, pdf_gen_xor() assumes an appropriate
+alignment for 64-bit operations on its buffer. However, the buffer
+is declared in mac_compute() as a static u_char array, and the linker
+doesn't guarantee 64-bit alignment for such arrays. On ARM v7 NEON
+platforms with gcc, 64-bit values must be 64-bit aligned, and the
+unaligned buffer declaration caused alignment faults when executing
+certain openssh tests.
+
+Force the buffer in mac_compute() to be 64-bit aligned.
+
+Signed-off-by: Donn Seeley <donn.seeley@windriver.com>
+---
+ mac.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/mac.c
++++ b/mac.c
+@@ -132,12 +132,14 @@ mac_init(Mac *mac)
+ u_char *
+ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
+ {
+- static u_char m[EVP_MAX_MD_SIZE];
++ static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1)
++ / sizeof (u_int64_t)];
++ u_char *m = (u_char *)m_buf;
+ u_char b[4], nonce[8];
+
+- if (mac->mac_len > sizeof(m))
++ if (mac->mac_len > EVP_MAX_MD_SIZE)
+ fatal("mac_compute: mac too long %u %lu",
+- mac->mac_len, (u_long)sizeof(m));
++ mac->mac_len, (u_long)EVP_MAX_MD_SIZE);
+
+ switch (mac->type) {
+ case SSH_EVP:
diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
new file mode 100644
index 0000000..c1d7f8e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
@@ -0,0 +1,33 @@
+Subject: [PATCH] openssh: fix permit_empty_passwd
+
+Upstream-Status: pending
+
+When pam enabled, userauth_none calls auth_password("") -->
+pam_authenticate("") will cause pam_auth process in the fail
+status. This will block all login, even users with a correct
+password.
+
+userauth_none should alway return false since sshd
+would check passwords in userauth_passwd using pam* modules.
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ auth2-none.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/auth2-none.c b/auth2-none.c
+index c8c6c74..560feef 100644
+--- a/auth2-none.c
++++ b/auth2-none.c
+@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt)
+ {
+ none_enabled = 0;
+ packet_check_eom();
++ if (options.use_pam)
++ return 0;
+ if (options.permit_empty_passwd && options.password_authentication)
+ return (PRIVSEP(auth_password(authctxt, "")));
+ return (0);
+--
+1.7.9.5
+
diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
index 20502c4..198c09d 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
@@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://ssh_config \
file://init \
file://openssh-CVE-2011-4327.patch \
+ file://mac_compute-alignment.patch \
+ file://openssh-permit_empty_passwd.patch \
${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
PAM_SRC_URI = "file://sshd"
@@ -45,6 +47,9 @@ inherit autotools
CFLAGS += "-D__FILE_OFFSET_BITS=64"
export LD = "${CC}"
+PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
+
EXTRA_OECONF = "--with-rand-helper=no \
${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
--without-zlib-version-check \
--
1.7.10.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] openssh: three fixes
2013-06-07 2:27 ` [PATCH 1/1] " rongqing.li
@ 2013-06-07 21:41 ` Saul Wold
2013-06-08 2:47 ` Rongqing Li
0 siblings, 1 reply; 4+ messages in thread
From: Saul Wold @ 2013-06-07 21:41 UTC (permalink / raw)
To: rongqing.li, Donn Seeley, xin.ouyang; +Cc: openembedded-core
On 06/06/2013 07:27 PM, rongqing.li@windriver.com wrote:
> From: "Roy.Li" <rongqing.li@windriver.com>
>
> 1. fix a alignment issue on ARM v7 NEON cpu
> 2. fix a empty passwd issue
> 3. enable tcp-wrappers by default
>
openssh has been updated to 6.2p2, so can you please rebase these
patches to that newer version.
Also, have they been sumbitted upstream, for security related bug, I
would like to know if the upstream will accept them for correctness
since they could lead to security issues otherwise.
Thanks
Sau!
> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
> ---
> .../openssh-6.2p1/mac_compute-alignment.patch | 39 ++++++++++++++++++++
> .../openssh-permit_empty_passwd.patch | 33 +++++++++++++++++
> meta/recipes-connectivity/openssh/openssh_6.2p1.bb | 5 +++
> 3 files changed, 77 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
> new file mode 100644
> index 0000000..ea8a31a
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
> @@ -0,0 +1,39 @@
> +Upstream-Status: Pending
> +
> +The mac_compute() function in openssh calls umac_final() to prepend a tag
> +to a buffer. Umac_final() calls pdf_gen_xor() on the tag as its final
> +operation, and as implemented, pdf_gen_xor() assumes an appropriate
> +alignment for 64-bit operations on its buffer. However, the buffer
> +is declared in mac_compute() as a static u_char array, and the linker
> +doesn't guarantee 64-bit alignment for such arrays. On ARM v7 NEON
> +platforms with gcc, 64-bit values must be 64-bit aligned, and the
> +unaligned buffer declaration caused alignment faults when executing
> +certain openssh tests.
> +
> +Force the buffer in mac_compute() to be 64-bit aligned.
> +
> +Signed-off-by: Donn Seeley <donn.seeley@windriver.com>
> +---
> + mac.c | 8 +++++---
> + 1 file changed, 5 insertions(+), 3 deletions(-)
> +
> +--- a/mac.c
> ++++ b/mac.c
> +@@ -132,12 +132,14 @@ mac_init(Mac *mac)
> + u_char *
> + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
> + {
> +- static u_char m[EVP_MAX_MD_SIZE];
> ++ static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1)
> ++ / sizeof (u_int64_t)];
> ++ u_char *m = (u_char *)m_buf;
> + u_char b[4], nonce[8];
> +
> +- if (mac->mac_len > sizeof(m))
> ++ if (mac->mac_len > EVP_MAX_MD_SIZE)
> + fatal("mac_compute: mac too long %u %lu",
> +- mac->mac_len, (u_long)sizeof(m));
> ++ mac->mac_len, (u_long)EVP_MAX_MD_SIZE);
> +
> + switch (mac->type) {
> + case SSH_EVP:
> diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
> new file mode 100644
> index 0000000..c1d7f8e
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
> @@ -0,0 +1,33 @@
> +Subject: [PATCH] openssh: fix permit_empty_passwd
> +
> +Upstream-Status: pending
> +
> +When pam enabled, userauth_none calls auth_password("") -->
> +pam_authenticate("") will cause pam_auth process in the fail
> +status. This will block all login, even users with a correct
> +password.
> +
> +userauth_none should alway return false since sshd
> +would check passwords in userauth_passwd using pam* modules.
> +
> +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
> +---
> + auth2-none.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/auth2-none.c b/auth2-none.c
> +index c8c6c74..560feef 100644
> +--- a/auth2-none.c
> ++++ b/auth2-none.c
> +@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt)
> + {
> + none_enabled = 0;
> + packet_check_eom();
> ++ if (options.use_pam)
> ++ return 0;
> + if (options.permit_empty_passwd && options.password_authentication)
> + return (PRIVSEP(auth_password(authctxt, "")));
> + return (0);
> +--
> +1.7.9.5
> +
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
> index 20502c4..198c09d 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
> @@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
> file://ssh_config \
> file://init \
> file://openssh-CVE-2011-4327.patch \
> + file://mac_compute-alignment.patch \
> + file://openssh-permit_empty_passwd.patch \
> ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
>
> PAM_SRC_URI = "file://sshd"
> @@ -45,6 +47,9 @@ inherit autotools
> CFLAGS += "-D__FILE_OFFSET_BITS=64"
> export LD = "${CC}"
>
> +PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
> +
> EXTRA_OECONF = "--with-rand-helper=no \
> ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> --without-zlib-version-check \
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] openssh: three fixes
2013-06-07 21:41 ` Saul Wold
@ 2013-06-08 2:47 ` Rongqing Li
0 siblings, 0 replies; 4+ messages in thread
From: Rongqing Li @ 2013-06-08 2:47 UTC (permalink / raw)
To: Saul Wold; +Cc: openembedded-core
On 06/08/2013 05:41 AM, Saul Wold wrote:
> On 06/06/2013 07:27 PM, rongqing.li@windriver.com wrote:
>> From: "Roy.Li" <rongqing.li@windriver.com>
>>
>> 1. fix a alignment issue on ARM v7 NEON cpu
>> 2. fix a empty passwd issue
>> 3. enable tcp-wrappers by default
>>
> openssh has been updated to 6.2p2, so can you please rebase these
> patches to that newer version.
>
> Also, have they been sumbitted upstream, for security related bug, I
> would like to know if the upstream will accept them for correctness
> since they could lead to security issues otherwise.
>
Seems they are not submitted to upstream,
I will submit them to upstream, then send out to Oe-core.
-Roy
> Thanks
> Sau!
>
>> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
>> ---
>> .../openssh-6.2p1/mac_compute-alignment.patch | 39
>> ++++++++++++++++++++
>> .../openssh-permit_empty_passwd.patch | 33
>> +++++++++++++++++
>> meta/recipes-connectivity/openssh/openssh_6.2p1.bb | 5 +++
>> 3 files changed, 77 insertions(+)
>> create mode 100644
>> meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>>
>> create mode 100644
>> meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>>
>>
>> diff --git
>> a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>> b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>>
>> new file mode 100644
>> index 0000000..ea8a31a
>> --- /dev/null
>> +++
>> b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch
>>
>> @@ -0,0 +1,39 @@
>> +Upstream-Status: Pending
>> +
>> +The mac_compute() function in openssh calls umac_final() to prepend a
>> tag
>> +to a buffer. Umac_final() calls pdf_gen_xor() on the tag as its final
>> +operation, and as implemented, pdf_gen_xor() assumes an appropriate
>> +alignment for 64-bit operations on its buffer. However, the buffer
>> +is declared in mac_compute() as a static u_char array, and the linker
>> +doesn't guarantee 64-bit alignment for such arrays. On ARM v7 NEON
>> +platforms with gcc, 64-bit values must be 64-bit aligned, and the
>> +unaligned buffer declaration caused alignment faults when executing
>> +certain openssh tests.
>> +
>> +Force the buffer in mac_compute() to be 64-bit aligned.
>> +
>> +Signed-off-by: Donn Seeley <donn.seeley@windriver.com>
>> +---
>> + mac.c | 8 +++++---
>> + 1 file changed, 5 insertions(+), 3 deletions(-)
>> +
>> +--- a/mac.c
>> ++++ b/mac.c
>> +@@ -132,12 +132,14 @@ mac_init(Mac *mac)
>> + u_char *
>> + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
>> + {
>> +- static u_char m[EVP_MAX_MD_SIZE];
>> ++ static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1)
>> ++ / sizeof (u_int64_t)];
>> ++ u_char *m = (u_char *)m_buf;
>> + u_char b[4], nonce[8];
>> +
>> +- if (mac->mac_len > sizeof(m))
>> ++ if (mac->mac_len > EVP_MAX_MD_SIZE)
>> + fatal("mac_compute: mac too long %u %lu",
>> +- mac->mac_len, (u_long)sizeof(m));
>> ++ mac->mac_len, (u_long)EVP_MAX_MD_SIZE);
>> +
>> + switch (mac->type) {
>> + case SSH_EVP:
>> diff --git
>> a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>> b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>>
>> new file mode 100644
>> index 0000000..c1d7f8e
>> --- /dev/null
>> +++
>> b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch
>>
>> @@ -0,0 +1,33 @@
>> +Subject: [PATCH] openssh: fix permit_empty_passwd
>> +
>> +Upstream-Status: pending
>> +
>> +When pam enabled, userauth_none calls auth_password("") -->
>> +pam_authenticate("") will cause pam_auth process in the fail
>> +status. This will block all login, even users with a correct
>> +password.
>> +
>> +userauth_none should alway return false since sshd
>> +would check passwords in userauth_passwd using pam* modules.
>> +
>> +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
>> +---
>> + auth2-none.c | 2 ++
>> + 1 file changed, 2 insertions(+)
>> +
>> +diff --git a/auth2-none.c b/auth2-none.c
>> +index c8c6c74..560feef 100644
>> +--- a/auth2-none.c
>> ++++ b/auth2-none.c
>> +@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt)
>> + {
>> + none_enabled = 0;
>> + packet_check_eom();
>> ++ if (options.use_pam)
>> ++ return 0;
>> + if (options.permit_empty_passwd && options.password_authentication)
>> + return (PRIVSEP(auth_password(authctxt, "")));
>> + return (0);
>> +--
>> +1.7.9.5
>> +
>> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
>> b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
>> index 20502c4..198c09d 100644
>> --- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
>> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb
>> @@ -25,6 +25,8 @@ SRC_URI =
>> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
>> file://ssh_config \
>> file://init \
>> file://openssh-CVE-2011-4327.patch \
>> + file://mac_compute-alignment.patch \
>> + file://openssh-permit_empty_passwd.patch \
>> ${@base_contains('DISTRO_FEATURES', 'pam',
>> '${PAM_SRC_URI}', '', d)}"
>>
>> PAM_SRC_URI = "file://sshd"
>> @@ -45,6 +47,9 @@ inherit autotools
>> CFLAGS += "-D__FILE_OFFSET_BITS=64"
>> export LD = "${CC}"
>>
>> +PACKAGECONFIG ??= "tcp-wrappers"
>> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
>> +
>> EXTRA_OECONF = "--with-rand-helper=no \
>> ${@base_contains('DISTRO_FEATURES', 'pam',
>> '--with-pam', '--without-pam', d)} \
>> --without-zlib-version-check \
>>
>
>
--
Best Reagrds,
Roy | RongQing Li
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-06-08 2:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-07 2:27 [PATCH 0/1] openssh: three fixes rongqing.li
2013-06-07 2:27 ` [PATCH 1/1] " rongqing.li
2013-06-07 21:41 ` Saul Wold
2013-06-08 2:47 ` Rongqing Li
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox