* [PATCH 0/1] openssh: three fixes @ 2013-06-07 2:27 rongqing.li 2013-06-07 2:27 ` [PATCH 1/1] " rongqing.li 0 siblings, 1 reply; 4+ messages in thread From: rongqing.li @ 2013-06-07 2:27 UTC (permalink / raw) To: openembedded-core From: "Roy.Li" <rongqing.li@windriver.com> The following changes since commit 9ba812ab1f613d28f9eb3192d2ff1a34dfce33e4: binutils: fix compile error of complex expressions before @l/@h (2013-06-03 16:46:37 +0100) are available in the git repository at: git://git.pokylinux.org/poky-contrib roy/openssh http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/openssh Roy.Li (1): openssh: three fixes .../openssh-6.2p1/mac_compute-alignment.patch | 39 ++++++++++++++++++++ .../openssh-permit_empty_passwd.patch | 33 +++++++++++++++++ meta/recipes-connectivity/openssh/openssh_6.2p1.bb | 5 +++ 3 files changed, 77 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch -- 1.7.10.4 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/1] openssh: three fixes 2013-06-07 2:27 [PATCH 0/1] openssh: three fixes rongqing.li @ 2013-06-07 2:27 ` rongqing.li 2013-06-07 21:41 ` Saul Wold 0 siblings, 1 reply; 4+ messages in thread From: rongqing.li @ 2013-06-07 2:27 UTC (permalink / raw) To: openembedded-core From: "Roy.Li" <rongqing.li@windriver.com> 1. fix a alignment issue on ARM v7 NEON cpu 2. fix a empty passwd issue 3. enable tcp-wrappers by default Signed-off-by: Roy.Li <rongqing.li@windriver.com> --- .../openssh-6.2p1/mac_compute-alignment.patch | 39 ++++++++++++++++++++ .../openssh-permit_empty_passwd.patch | 33 +++++++++++++++++ meta/recipes-connectivity/openssh/openssh_6.2p1.bb | 5 +++ 3 files changed, 77 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch new file mode 100644 index 0000000..ea8a31a --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch @@ -0,0 +1,39 @@ +Upstream-Status: Pending + +The mac_compute() function in openssh calls umac_final() to prepend a tag +to a buffer. Umac_final() calls pdf_gen_xor() on the tag as its final +operation, and as implemented, pdf_gen_xor() assumes an appropriate +alignment for 64-bit operations on its buffer. However, the buffer +is declared in mac_compute() as a static u_char array, and the linker +doesn't guarantee 64-bit alignment for such arrays. On ARM v7 NEON +platforms with gcc, 64-bit values must be 64-bit aligned, and the +unaligned buffer declaration caused alignment faults when executing +certain openssh tests. + +Force the buffer in mac_compute() to be 64-bit aligned. + +Signed-off-by: Donn Seeley <donn.seeley@windriver.com> +--- + mac.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/mac.c ++++ b/mac.c +@@ -132,12 +132,14 @@ mac_init(Mac *mac) + u_char * + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) + { +- static u_char m[EVP_MAX_MD_SIZE]; ++ static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1) ++ / sizeof (u_int64_t)]; ++ u_char *m = (u_char *)m_buf; + u_char b[4], nonce[8]; + +- if (mac->mac_len > sizeof(m)) ++ if (mac->mac_len > EVP_MAX_MD_SIZE) + fatal("mac_compute: mac too long %u %lu", +- mac->mac_len, (u_long)sizeof(m)); ++ mac->mac_len, (u_long)EVP_MAX_MD_SIZE); + + switch (mac->type) { + case SSH_EVP: diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch new file mode 100644 index 0000000..c1d7f8e --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch @@ -0,0 +1,33 @@ +Subject: [PATCH] openssh: fix permit_empty_passwd + +Upstream-Status: pending + +When pam enabled, userauth_none calls auth_password("") --> +pam_authenticate("") will cause pam_auth process in the fail +status. This will block all login, even users with a correct +password. + +userauth_none should alway return false since sshd +would check passwords in userauth_passwd using pam* modules. + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +--- + auth2-none.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/auth2-none.c b/auth2-none.c +index c8c6c74..560feef 100644 +--- a/auth2-none.c ++++ b/auth2-none.c +@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt) + { + none_enabled = 0; + packet_check_eom(); ++ if (options.use_pam) ++ return 0; + if (options.permit_empty_passwd && options.password_authentication) + return (PRIVSEP(auth_password(authctxt, ""))); + return (0); +-- +1.7.9.5 + diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb index 20502c4..198c09d 100644 --- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb @@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. file://ssh_config \ file://init \ file://openssh-CVE-2011-4327.patch \ + file://mac_compute-alignment.patch \ + file://openssh-permit_empty_passwd.patch \ ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" PAM_SRC_URI = "file://sshd" @@ -45,6 +47,9 @@ inherit autotools CFLAGS += "-D__FILE_OFFSET_BITS=64" export LD = "${CC}" +PACKAGECONFIG ??= "tcp-wrappers" +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers" + EXTRA_OECONF = "--with-rand-helper=no \ ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ --without-zlib-version-check \ -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] openssh: three fixes 2013-06-07 2:27 ` [PATCH 1/1] " rongqing.li @ 2013-06-07 21:41 ` Saul Wold 2013-06-08 2:47 ` Rongqing Li 0 siblings, 1 reply; 4+ messages in thread From: Saul Wold @ 2013-06-07 21:41 UTC (permalink / raw) To: rongqing.li, Donn Seeley, xin.ouyang; +Cc: openembedded-core On 06/06/2013 07:27 PM, rongqing.li@windriver.com wrote: > From: "Roy.Li" <rongqing.li@windriver.com> > > 1. fix a alignment issue on ARM v7 NEON cpu > 2. fix a empty passwd issue > 3. enable tcp-wrappers by default > openssh has been updated to 6.2p2, so can you please rebase these patches to that newer version. Also, have they been sumbitted upstream, for security related bug, I would like to know if the upstream will accept them for correctness since they could lead to security issues otherwise. Thanks Sau! > Signed-off-by: Roy.Li <rongqing.li@windriver.com> > --- > .../openssh-6.2p1/mac_compute-alignment.patch | 39 ++++++++++++++++++++ > .../openssh-permit_empty_passwd.patch | 33 +++++++++++++++++ > meta/recipes-connectivity/openssh/openssh_6.2p1.bb | 5 +++ > 3 files changed, 77 insertions(+) > create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch > create mode 100644 meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch > > diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch > new file mode 100644 > index 0000000..ea8a31a > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch > @@ -0,0 +1,39 @@ > +Upstream-Status: Pending > + > +The mac_compute() function in openssh calls umac_final() to prepend a tag > +to a buffer. Umac_final() calls pdf_gen_xor() on the tag as its final > +operation, and as implemented, pdf_gen_xor() assumes an appropriate > +alignment for 64-bit operations on its buffer. However, the buffer > +is declared in mac_compute() as a static u_char array, and the linker > +doesn't guarantee 64-bit alignment for such arrays. On ARM v7 NEON > +platforms with gcc, 64-bit values must be 64-bit aligned, and the > +unaligned buffer declaration caused alignment faults when executing > +certain openssh tests. > + > +Force the buffer in mac_compute() to be 64-bit aligned. > + > +Signed-off-by: Donn Seeley <donn.seeley@windriver.com> > +--- > + mac.c | 8 +++++--- > + 1 file changed, 5 insertions(+), 3 deletions(-) > + > +--- a/mac.c > ++++ b/mac.c > +@@ -132,12 +132,14 @@ mac_init(Mac *mac) > + u_char * > + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) > + { > +- static u_char m[EVP_MAX_MD_SIZE]; > ++ static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1) > ++ / sizeof (u_int64_t)]; > ++ u_char *m = (u_char *)m_buf; > + u_char b[4], nonce[8]; > + > +- if (mac->mac_len > sizeof(m)) > ++ if (mac->mac_len > EVP_MAX_MD_SIZE) > + fatal("mac_compute: mac too long %u %lu", > +- mac->mac_len, (u_long)sizeof(m)); > ++ mac->mac_len, (u_long)EVP_MAX_MD_SIZE); > + > + switch (mac->type) { > + case SSH_EVP: > diff --git a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch > new file mode 100644 > index 0000000..c1d7f8e > --- /dev/null > +++ b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch > @@ -0,0 +1,33 @@ > +Subject: [PATCH] openssh: fix permit_empty_passwd > + > +Upstream-Status: pending > + > +When pam enabled, userauth_none calls auth_password("") --> > +pam_authenticate("") will cause pam_auth process in the fail > +status. This will block all login, even users with a correct > +password. > + > +userauth_none should alway return false since sshd > +would check passwords in userauth_passwd using pam* modules. > + > +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> > +--- > + auth2-none.c | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/auth2-none.c b/auth2-none.c > +index c8c6c74..560feef 100644 > +--- a/auth2-none.c > ++++ b/auth2-none.c > +@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt) > + { > + none_enabled = 0; > + packet_check_eom(); > ++ if (options.use_pam) > ++ return 0; > + if (options.permit_empty_passwd && options.password_authentication) > + return (PRIVSEP(auth_password(authctxt, ""))); > + return (0); > +-- > +1.7.9.5 > + > diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb > index 20502c4..198c09d 100644 > --- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb > +++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb > @@ -25,6 +25,8 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. > file://ssh_config \ > file://init \ > file://openssh-CVE-2011-4327.patch \ > + file://mac_compute-alignment.patch \ > + file://openssh-permit_empty_passwd.patch \ > ${@base_contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}" > > PAM_SRC_URI = "file://sshd" > @@ -45,6 +47,9 @@ inherit autotools > CFLAGS += "-D__FILE_OFFSET_BITS=64" > export LD = "${CC}" > > +PACKAGECONFIG ??= "tcp-wrappers" > +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers" > + > EXTRA_OECONF = "--with-rand-helper=no \ > ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \ > --without-zlib-version-check \ > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] openssh: three fixes 2013-06-07 21:41 ` Saul Wold @ 2013-06-08 2:47 ` Rongqing Li 0 siblings, 0 replies; 4+ messages in thread From: Rongqing Li @ 2013-06-08 2:47 UTC (permalink / raw) To: Saul Wold; +Cc: openembedded-core On 06/08/2013 05:41 AM, Saul Wold wrote: > On 06/06/2013 07:27 PM, rongqing.li@windriver.com wrote: >> From: "Roy.Li" <rongqing.li@windriver.com> >> >> 1. fix a alignment issue on ARM v7 NEON cpu >> 2. fix a empty passwd issue >> 3. enable tcp-wrappers by default >> > openssh has been updated to 6.2p2, so can you please rebase these > patches to that newer version. > > Also, have they been sumbitted upstream, for security related bug, I > would like to know if the upstream will accept them for correctness > since they could lead to security issues otherwise. > Seems they are not submitted to upstream, I will submit them to upstream, then send out to Oe-core. -Roy > Thanks > Sau! > >> Signed-off-by: Roy.Li <rongqing.li@windriver.com> >> --- >> .../openssh-6.2p1/mac_compute-alignment.patch | 39 >> ++++++++++++++++++++ >> .../openssh-permit_empty_passwd.patch | 33 >> +++++++++++++++++ >> meta/recipes-connectivity/openssh/openssh_6.2p1.bb | 5 +++ >> 3 files changed, 77 insertions(+) >> create mode 100644 >> meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch >> >> create mode 100644 >> meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch >> >> >> diff --git >> a/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch >> b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch >> >> new file mode 100644 >> index 0000000..ea8a31a >> --- /dev/null >> +++ >> b/meta/recipes-connectivity/openssh/openssh-6.2p1/mac_compute-alignment.patch >> >> @@ -0,0 +1,39 @@ >> +Upstream-Status: Pending >> + >> +The mac_compute() function in openssh calls umac_final() to prepend a >> tag >> +to a buffer. Umac_final() calls pdf_gen_xor() on the tag as its final >> +operation, and as implemented, pdf_gen_xor() assumes an appropriate >> +alignment for 64-bit operations on its buffer. However, the buffer >> +is declared in mac_compute() as a static u_char array, and the linker >> +doesn't guarantee 64-bit alignment for such arrays. On ARM v7 NEON >> +platforms with gcc, 64-bit values must be 64-bit aligned, and the >> +unaligned buffer declaration caused alignment faults when executing >> +certain openssh tests. >> + >> +Force the buffer in mac_compute() to be 64-bit aligned. >> + >> +Signed-off-by: Donn Seeley <donn.seeley@windriver.com> >> +--- >> + mac.c | 8 +++++--- >> + 1 file changed, 5 insertions(+), 3 deletions(-) >> + >> +--- a/mac.c >> ++++ b/mac.c >> +@@ -132,12 +132,14 @@ mac_init(Mac *mac) >> + u_char * >> + mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) >> + { >> +- static u_char m[EVP_MAX_MD_SIZE]; >> ++ static u_int64_t m_buf[(EVP_MAX_MD_SIZE + sizeof (u_int64_t) - 1) >> ++ / sizeof (u_int64_t)]; >> ++ u_char *m = (u_char *)m_buf; >> + u_char b[4], nonce[8]; >> + >> +- if (mac->mac_len > sizeof(m)) >> ++ if (mac->mac_len > EVP_MAX_MD_SIZE) >> + fatal("mac_compute: mac too long %u %lu", >> +- mac->mac_len, (u_long)sizeof(m)); >> ++ mac->mac_len, (u_long)EVP_MAX_MD_SIZE); >> + >> + switch (mac->type) { >> + case SSH_EVP: >> diff --git >> a/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch >> b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch >> >> new file mode 100644 >> index 0000000..c1d7f8e >> --- /dev/null >> +++ >> b/meta/recipes-connectivity/openssh/openssh-6.2p1/openssh-permit_empty_passwd.patch >> >> @@ -0,0 +1,33 @@ >> +Subject: [PATCH] openssh: fix permit_empty_passwd >> + >> +Upstream-Status: pending >> + >> +When pam enabled, userauth_none calls auth_password("") --> >> +pam_authenticate("") will cause pam_auth process in the fail >> +status. This will block all login, even users with a correct >> +password. >> + >> +userauth_none should alway return false since sshd >> +would check passwords in userauth_passwd using pam* modules. >> + >> +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> >> +--- >> + auth2-none.c | 2 ++ >> + 1 file changed, 2 insertions(+) >> + >> +diff --git a/auth2-none.c b/auth2-none.c >> +index c8c6c74..560feef 100644 >> +--- a/auth2-none.c >> ++++ b/auth2-none.c >> +@@ -61,6 +61,8 @@ userauth_none(Authctxt *authctxt) >> + { >> + none_enabled = 0; >> + packet_check_eom(); >> ++ if (options.use_pam) >> ++ return 0; >> + if (options.permit_empty_passwd && options.password_authentication) >> + return (PRIVSEP(auth_password(authctxt, ""))); >> + return (0); >> +-- >> +1.7.9.5 >> + >> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb >> b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb >> index 20502c4..198c09d 100644 >> --- a/meta/recipes-connectivity/openssh/openssh_6.2p1.bb >> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p1.bb >> @@ -25,6 +25,8 @@ SRC_URI = >> "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar. >> file://ssh_config \ >> file://init \ >> file://openssh-CVE-2011-4327.patch \ >> + file://mac_compute-alignment.patch \ >> + file://openssh-permit_empty_passwd.patch \ >> ${@base_contains('DISTRO_FEATURES', 'pam', >> '${PAM_SRC_URI}', '', d)}" >> >> PAM_SRC_URI = "file://sshd" >> @@ -45,6 +47,9 @@ inherit autotools >> CFLAGS += "-D__FILE_OFFSET_BITS=64" >> export LD = "${CC}" >> >> +PACKAGECONFIG ??= "tcp-wrappers" >> +PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers" >> + >> EXTRA_OECONF = "--with-rand-helper=no \ >> ${@base_contains('DISTRO_FEATURES', 'pam', >> '--with-pam', '--without-pam', d)} \ >> --without-zlib-version-check \ >> > > -- Best Reagrds, Roy | RongQing Li ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-06-08 2:47 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-06-07 2:27 [PATCH 0/1] openssh: three fixes rongqing.li 2013-06-07 2:27 ` [PATCH 1/1] " rongqing.li 2013-06-07 21:41 ` Saul Wold 2013-06-08 2:47 ` Rongqing Li
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox