openssh unix dev - Aug 2014 - Call for testing: OpenSSH 6.7

On Mon, 25 Aug 2014, Kevin Brott wrote:
> > ...
> >
> > > *3  --without-pie  # otherwise will not load openssl - which
doesn't use
> > PIE
> > > during compile on 64-bit systems
> >
> > We should probably find a way to delay the PIE checks until after we
have
> > most dependency libraries located to catch this.
> >
> 
> Per IAN's comment - I tried building openssl on another x64 system
> using ./config
> shared instead of just ./config (builds static library) so that it would
> try to use -fPIC.  After installing and creating an
> /etc/ld.so.conf.d/openssl-101.conf pointing to /usr/local/ssl/lib
> (configure pukes without this - it can't find libssl.so.1.0.0 even with
an
> explicit --with-ssl-dir) ... configure works as advertised without telling
> it --without-pie, and make test is 'all tests passed'.  Perhaps a
quick
> check to see if libssl is a static or shared library would be in order
> before asking for a slice of pie? ;p
Yes, the only impediment to doing it before this release are 1) making it
work cross-platform (simply delaying the PIE checks until after OpenSSL
has been located might be sufficient for this) and 2) not breaking
anything else in the process (unfortunately, delaying the OpenSSL checks
would almost certainly break something)
> > any clues in regress/failed-*?
> >
> >
> Brought that VM back up (admittedly I didn't look too deep at this one
-
> was trying to get through the test suite first), looking at those files I
> see this:
> 
> # ls -alrt failed-*
> -rw-r--r--    1 root     root          308 Aug 25 09:05 failed-ssh.log
> -rw-r--r--    1 root     root          236 Aug 25 09:05 failed-sshd.log
> -rw-r--r--    1 root     root           89 Aug 25 09:05 failed-regress.log
> [root at buildhost regress]# cat failed-regress.log
> trace: wait for sshd
> FAIL: ssh connect after login grace timeout failed without privsep
> 
> [root at buildhost regress]# cat failed-sshd.log
> trace: wait for sshd
> Received signal 15; terminating.
> debug2: channel 0: rcvd close
> Received disconnect from 127.0.0.1: 11: disconnected by user
> debug1: do_cleanup
> FAIL: ssh connect after login grace timeout failed without privsep
> 
> [root at buildhost regress]# cat failed-ssh.log
> trace: wait for sshd
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 127.0.0.1 [127.0.0.1] port 4242.
> debug1: connect to address 127.0.0.1 port 4242: Connection refused
> ssh: connect to host 127.0.0.1 port 4242: Connection refused
> FAIL: ssh connect after login grace timeout failed without privsep
> 
> Need to dig through my email archives - I would swear this is a
> (previously fixed) race in the test suite where it wasn't waiting
properly.
Yes, this was supposed to "fix" it

       - djm at cvs.openbsd.org 2014/03/13 20:44:49
         [login-timeout.sh]
         this test is a sorry mess of race conditions; add another sleep
         to avoid a failure on slow machines (at least until I find a
         better way)

Guess I'll have to look for that "better way" soon...

-d

Good news/Bad News

The test race in RHEL 3.4 seems to be gone ... but another ec.h failure ...

Using http://www.mindrot.org/openssh_snap/openssh-SNAP-20140827.tar.gz
OS              Build_Target                CC
OpenSSL       BUILD    TEST
==============  =========================== ============================ ====== 
================*RHEL 3.4        i386-redhat-linux           gcc 3.2.3-47
1.0.1i**a     OK*1     all tests passed*

*AIX 5300-12-04  powerpc-ibm-aix5.3.0.0      gcc 4.2.0-3         0.9.8k
   FAIL*1     *
*FAIL*1 missing e.h in test_sshbuf_getput_crypto*
  gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset  -I. -I.
-DSSHDIR=\"/usr/local/etc\" 
-D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/var/run\" 
-D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
-DHAVE_CONFIG_H -c regress/unittests/sshbuf/test_sshbuf_getput_crypto.c -o
regress/unittests/sshbuf/test_sshbuf_getput_crypto.o
  regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:20:24: error:
openssl/ec.h: No such file or directory
  regress/unittests/sshbuf/test_sshbuf_getput_crypto.c: In function
'sshbuf_getput_crypto_tests':
  regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:35: warning: unused
variable 'bn_y'
  regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:35: warning: unused
variable 'bn_x'
  regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:34: warning: unused
variable 's'
  regress/unittests/sshbuf/test_sshbuf_getput_crypto.c:33: warning: unused
variable 'd'
  make: The error code from the last command is 1.




On Mon, Aug 25, 2014 at 4:45 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 25 Aug 2014, Kevin Brott wrote:
>
> > > ...
> > >
> > > > *3  --without-pie  # otherwise will not load openssl - which
doesn't
> use
> > > PIE
> > > > during compile on 64-bit systems
> > >
> > > We should probably find a way to delay the PIE checks until after
we
> have
> > > most dependency libraries located to catch this.
> > >
> >
> > Per IAN's comment - I tried building openssl on another x64 system
> > using ./config
> > shared instead of just ./config (builds static library) so that it
would
> > try to use -fPIC.  After installing and creating an
> > /etc/ld.so.conf.d/openssl-101.conf pointing to /usr/local/ssl/lib
> > (configure pukes without this - it can't find libssl.so.1.0.0 even
with
> an
> > explicit --with-ssl-dir) ... configure works as advertised without
> telling
> > it --without-pie, and make test is 'all tests passed'. 
Perhaps a quick
> > check to see if libssl is a static or shared library would be in order
> > before asking for a slice of pie? ;p
>
> Yes, the only impediment to doing it before this release are 1) making it
> work cross-platform (simply delaying the PIE checks until after OpenSSL
> has been located might be sufficient for this) and 2) not breaking
> anything else in the process (unfortunately, delaying the OpenSSL checks
> would almost certainly break something)
>
> > > any clues in regress/failed-*?
> > >
> > >
> > Brought that VM back up (admittedly I didn't look too deep at this
one -
> > was trying to get through the test suite first), looking at those
files I
> > see this:
> >
> > # ls -alrt failed-*
> > -rw-r--r--    1 root     root          308 Aug 25 09:05 failed-ssh.log
> > -rw-r--r--    1 root     root          236 Aug 25 09:05
failed-sshd.log
> > -rw-r--r--    1 root     root           89 Aug 25 09:05
> failed-regress.log
> > [root at buildhost regress]# cat failed-regress.log
> > trace: wait for sshd
> > FAIL: ssh connect after login grace timeout failed without privsep
> >
> > [root at buildhost regress]# cat failed-sshd.log
> > trace: wait for sshd
> > Received signal 15; terminating.
> > debug2: channel 0: rcvd close
> > Received disconnect from 127.0.0.1: 11: disconnected by user
> > debug1: do_cleanup
> > FAIL: ssh connect after login grace timeout failed without privsep
> >
> > [root at buildhost regress]# cat failed-ssh.log
> > trace: wait for sshd
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to 127.0.0.1 [127.0.0.1] port 4242.
> > debug1: connect to address 127.0.0.1 port 4242: Connection refused
> > ssh: connect to host 127.0.0.1 port 4242: Connection refused
> > FAIL: ssh connect after login grace timeout failed without privsep
> >
> > Need to dig through my email archives - I would swear this is a
> > (previously fixed) race in the test suite where it wasn't waiting
> properly.
>
> Yes, this was supposed to "fix" it
>
>        - djm at cvs.openbsd.org 2014/03/13 20:44:49
>          [login-timeout.sh]
>          this test is a sorry mess of race conditions; add another sleep
>          to avoid a failure on slow machines (at least until I find a
>          better way)
>
> Guess I'll have to look for that "better way" soon...
>
> -d
>


-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */