Fix net-misc/openssh for OpenSSL 1.1 |
Issue description
net-misc/openssh-7.3_p1-r8 fails to build with dev-libs/openssl-1.1.0f.
The compile errors are:
In file included from ssh_api.c:20:
In file included from ./ssh_api.h:26:
./cipher.h:69:17: error: field has incomplete type 'EVP_CIPHER_CTX' (aka 'struct evp_cipher_ctx_st')
EVP_CIPHER_CTX evp;
^
/usr/include/openssl/ossl_typ.h:90:16: note: forward declaration of 'struct evp_cipher_ctx_st'
typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
^
x86_64-cros-linux-gnu-gcc -O2 -pipe -O2 -pipe -march=corei7 -g -fno-exceptions -fno-unwind-tables -fno-asynchronous-unwind-tables -clang-syntax -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c bindresvport.c
In file included from authfile.c:41:
./cipher.h:69:17: error: field has incomplete type 'EVP_CIPHER_CTX' (aka 'struct evp_cipher_ctx_st')
EVP_CIPHER_CTX evp;
^
/usr/include/openssl/ossl_typ.h:90:16: note: forward declaration of 'struct evp_cipher_ctx_st'
typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
^
1 error generated.
In file included from authfd.c:58:
./cipher.h:69:17: error: field has incomplete type 'EVP_CIPHER_CTX' (aka 'struct evp_cipher_ctx_st')
EVP_CIPHER_CTX evp;
^
/usr/include/openssl/ossl_typ.h:90:16: note: forward declaration of 'struct evp_cipher_ctx_st'
typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
^
1 error generated.
In file included from sshkey.c:56:
./cipher.h:69:17: error: field has incomplete type 'EVP_CIPHER_CTX' (aka 'struct evp_cipher_ctx_st')
EVP_CIPHER_CTX evp;
^
/usr/include/openssl/ossl_typ.h:90:16: note: forward declaration of 'struct evp_cipher_ctx_st'
typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
^
sshkey.c:275:28: error: incomplete definition of type 'struct rsa_st'
return BN_num_bits(k->rsa->n);
~~~~~~^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:278:28: error: incomplete definition of type 'struct dsa_st'
return BN_num_bits(k->dsa->p);
~~~~~~^
/usr/include/openssl/ossl_typ.h:107:16: note: forward declaration of 'struct dsa_st'
typedef struct dsa_st DSA;
^
make: *** [Makefile:152: authfd.o] Error 1
sshkey.c:479:11: error: incomplete definition of type 'struct rsa_st'
(rsa->n = BN_new()) == NULL ||
~~~^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:480:11: error: incomplete definition of type 'struct rsa_st'
(rsa->e = BN_new()) == NULL) {
~~~^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:491:11: error: incomplete definition of type 'struct dsa_st'
(dsa->p = BN_new()) == NULL ||
~~~^
/usr/include/openssl/ossl_typ.h:107:16: note: forward declaration of 'struct dsa_st'
typedef struct dsa_st DSA;
^
sshkey.c:492:11: error: incomplete definition of type 'struct dsa_st'
(dsa->q = BN_new()) == NULL ||
~~~^
/usr/include/openssl/ossl_typ.h:107:16: note: forward declaration of 'struct dsa_st'
typedef struct dsa_st DSA;
^
sshkey.c:493:11: error: incomplete definition of type 'struct dsa_st'
(dsa->g = BN_new()) == NULL ||
~~~^
/usr/include/openssl/ossl_typ.h:107:16: note: forward declaration of 'struct dsa_st'
typedef struct dsa_st DSA;
^
sshkey.c:494:11: error: incomplete definition of type 'struct dsa_st'
(dsa->pub_key = BN_new()) == NULL) {
~~~^
/usr/include/openssl/ossl_typ.h:107:16: note: forward declaration of 'struct dsa_st'
typedef struct dsa_st DSA;
^
sshkey.c:538:35: error: incomplete definition of type 'struct rsa_st'
if (bn_maybe_alloc_failed(k->rsa->d) ||
~~~~~~^
sshkey.c:537:35: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:538:35: error: incomplete definition of type 'struct rsa_st'
if (bn_maybe_alloc_failed(k->rsa->d) ||
~~~~~~^
sshkey.c:537:49: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:539:35: error: incomplete definition of type 'struct rsa_st'
bn_maybe_alloc_failed(k->rsa->iqmp) ||
~~~~~~^
sshkey.c:537:35: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:539:35: error: incomplete definition of type 'struct rsa_st'
bn_maybe_alloc_failed(k->rsa->iqmp) ||
~~~~~~^
sshkey.c:537:49: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:540:35: error: incomplete definition of type 'struct rsa_st'
bn_maybe_alloc_failed(k->rsa->q) ||
~~~~~~^
sshkey.c:537:35: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:540:35: error: incomplete definition of type 'struct rsa_st'
bn_maybe_alloc_failed(k->rsa->q) ||
~~~~~~^
sshkey.c:537:49: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:541:35: error: incomplete definition of type 'struct rsa_st'
bn_maybe_alloc_failed(k->rsa->p) ||
~~~~~~^
sshkey.c:537:35: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:541:35: error: incomplete definition of type 'struct rsa_st'
bn_maybe_alloc_failed(k->rsa->p) ||
~~~~~~^
sshkey.c:537:49: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:542:35: error: incomplete definition of type 'struct rsa_st'
bn_maybe_alloc_failed(k->rsa->dmq1) ||
~~~~~~^
sshkey.c:537:35: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
sshkey.c:542:35: error: incomplete definition of type 'struct rsa_st'
bn_maybe_alloc_failed(k->rsa->dmq1) ||
~~~~~~^
sshkey.c:537:49: note: expanded from macro 'bn_maybe_alloc_failed'
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
^
/usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
typedef struct rsa_st RSA;
^
fatal error: too many errors emitted, stopping now [-ferror-limit=]
,
Aug 16 2017
One issue with this update is that the upstream gentoo ebuild [0] wants to do this:
# Pre-install phase hook quoted from the upstream Gentoo ebuild: it requests
# the dedicated sshd group and user with fixed numeric ids.
pkg_preinst() {
# Request group "sshd" with gid 22.
enewgroup sshd 22
# Request user "sshd" with uid 22, home /var/empty and group sshd. The -1 in
# the shell position presumably selects the eclass default shell -- confirm
# against the user eclass in use.
enewuser sshd 22 -1 /var/empty sshd
}
[0] https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/openssh/openssh-7.5_p1-r2.ebuild#n297
However, in the eclass-overlay, we use profiles/base/accounts/group/sshd to force sshd to be gid:204 [1].
[1] https://chromium-review.googlesource.com/184946
This causes emerge to fail with error message:
* Adding group 'sshd' to your system ...
* 22 conflicts with provided 204!
* ERROR: net-misc/openssh-7.5_p1-r3::chromiumos failed (preinst phase):
* 22 conflicts with provided 204!
Any advice on the best way to fix this?
,
Aug 17 2017
If Fedora has a patch, we can just roll that.
The enewuser call barfs only if the ebuild is in chromiumos-overlay; if it's in portage-stable, we silently ignore the args :).
,
Aug 22 2017
I've run into another issue with this update.
On test images, the sshd is started by the /etc/init/openssh-server.conf upstart script. Actually, this is really a symlink to /usr/share/chromeos-ssh-config/init/openssh-server.conf. This script instructs sshd to use port 2222. We use port 2222 instead of 22, because the system uses sslh-fork (started by /etc/init/sslh.conf) to fork incoming connections @ port 22 between sshd and ADB.
With openssh-7.5_p1-r3, for some reason this ssh forking does not seem to work properly. The openssh-server upstart script never seems to finish; it gets stuck in state:
$ initctl status openssh-server
openssh-server start/spawned, process 2513
If I disable the sslh upstart script, and invoke its contents manually after boot, then the openssh upstart script proceeds to "start/running", and ssh starts working:
# minijail0 -i -I -p -l -r -v -w -S /usr/share/policy/sslh-seccomp.policy -L -- /usr/sbin/sslh-fork -F/etc/containers/android/sslh.conf
sslh-fork v1.17 started
# initctl status openssh-server
openssh-server start/running, process 2867
,
Aug 22 2017
Aha... the openssh-server.conf installed via chromeos-sshd-init has this:
# Upstart job stanzas for starting sshd.
# "expect fork" tells Upstart that the job forks once; Upstart then tracks the
# resulting child as the job's main process.
expect fork
script
# sshd refuses to execute unless invoked with a full path. Go figure.
# For cros_embedded, sshd is in dev image so it's in /usr/local/sbin.
# Inside a script stanza, "exec" is the shell builtin: the shell running this
# script is replaced by sshd, which is started on port 2222 in both branches.
if [ ! -f /usr/sbin/sshd ]; then
exec /usr/local/sbin/sshd -oPort=2222
else
exec /usr/sbin/sshd -oPort=2222
fi
end script
IIUC, the "exec" here is not right. 'exec' is a special upstart stanza used when a command has only a single line. When used within a script stanza, it invokes the following command with the 'exec' shell command.
Searching through git, it looks like this bug was introduced by the patch:
https://gerrit.chromium.org/gerrit/44015
This CL created the new "script / end script" stanza, but accidentally kept the leading "exec"... yes, this CL is from 4.5 years ago.
Removing the 'exec' from the openssh-server script stanza allows the openssh-server script to complete and sslh to run and set up the sslh-fork.
,
Aug 22 2017
CL to fix #4/5: https://chrome-internal-review.googlesource.com/437072
,
Aug 22 2017
Good catch!
,
Aug 23 2017
,
Aug 24 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/overlays/project-cheets-private/+/7ed974c5cfb2edaa51d0cb1d3c719a979cc697df commit 7ed974c5cfb2edaa51d0cb1d3c719a979cc697df Author: Daniel Kurtz <djkurtz@chromium.org> Date: Thu Aug 24 04:17:27 2017
,
Aug 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/e0814d31018371dd45b6df3b9dbbc6e1fd912454
commit e0814d31018371dd45b6df3b9dbbc6e1fd912454
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Aug 24 04:17:26 2017
openssh-server: use -D in init script
With newer versions of OpenSSH, it has logic[1] to see if it's already been daemonized, and then changes its forking behavior based on that. The way Upstart spawns processes triggers that logic which causes the init script to misbehave -- it can't track the right child process. Lets change how we start up sshd instead by telling it to always run in the foreground. That bypasses the new logic, and simplifies the overall startup. Everything sshd was doing to daemonize Upstart is already doing the same, so there's no need to duplicate.
[1]: https://github.com/openssh/openssh-portable/commit/7fc4766ac78abae81ee75b22b7550720bfa28a33
BUG=chromium:739357
TEST=rebooting/restarting and openssh init still works
TEST=precq passes
Change-Id: I8a477f93bdf6d6f692950ffda9a6bfb956c723a7
Reviewed-on: https://chromium-review.googlesource.com/629048
Commit-Ready: Daniel Kurtz <djkurtz@chromium.org>
Tested-by: Daniel Kurtz <djkurtz@chromium.org>
Reviewed-by: Daniel Kurtz <djkurtz@chromium.org>
[rename] https://crrev.com/e0814d31018371dd45b6df3b9dbbc6e1fd912454/chromeos-base/chromeos-sshd-init/chromeos-sshd-init-0.0.1-r9.ebuild
[modify] https://crrev.com/e0814d31018371dd45b6df3b9dbbc6e1fd912454/chromeos-base/chromeos-sshd-init/files/openssh-server.conf
,
Aug 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/03a7fc1bab04a2bd4dd61ebd5d4dc078f10988de
commit 03a7fc1bab04a2bd4dd61ebd5d4dc078f10988de
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Aug 24 22:15:04 2017
openssh-server: allow people to pass custom args to sshd
The only thing ARC++ wants to change here is to run sshd on port 2222 so that it can launch sslh and proxy adb connections. Add an env knob so they can customize this behavior w/out having to duplicate all the files.
BUG=chromium:739357
TEST=precq passes
Change-Id: Ieac32d6791740587a8d4fb7d212394cb6a5ad88c
Reviewed-on: https://chromium-review.googlesource.com/630380
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Luis Hector Chavez <lhchavez@chromium.org>
[modify] https://crrev.com/03a7fc1bab04a2bd4dd61ebd5d4dc078f10988de/chromeos-base/chromeos-sshd-init/files/openssh-server.conf
[rename] https://crrev.com/03a7fc1bab04a2bd4dd61ebd5d4dc078f10988de/chromeos-base/chromeos-sshd-init/chromeos-sshd-init-0.0.1-r10.ebuild
,
Aug 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/86b45fdb5ea86208ba5f27cff5a29af086faf31b
commit 86b45fdb5ea86208ba5f27cff5a29af086faf31b
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri Aug 25 19:08:58 2017
arc-sslh-init: move ARC++ sslh logic to public overlay
This works with the common chromeos-sshd-init so we don't have to duplicate it anymore.
BUG=chromium:739357
TEST=precq passes
CQ-DEPEND=CL:*438514
Change-Id: I309c3e29bd0bb1635c00eec65b0cec434fa31878
Reviewed-on: https://chromium-review.googlesource.com/630381
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
[rename] https://crrev.com/86b45fdb5ea86208ba5f27cff5a29af086faf31b/chromeos-base/chromeos-sshd-init/chromeos-sshd-init-0.0.2.ebuild
[add] https://crrev.com/86b45fdb5ea86208ba5f27cff5a29af086faf31b/chromeos-base/arc-sslh-init/arc-sslh-init-0.0.1.ebuild
[add] https://crrev.com/86b45fdb5ea86208ba5f27cff5a29af086faf31b/chromeos-base/arc-sslh-init/files/sslh.conf
[add] https://crrev.com/86b45fdb5ea86208ba5f27cff5a29af086faf31b/chromeos-base/arc-sslh-init/files/sslh-seccomp-amd64.policy
[delete] https://crrev.com/30190d4da7effaa069d56cfc248cfbcac2aaac55/chromeos-base/chromeos-sshd-init/chromeos-sshd-init-0.0.1-r10.ebuild
[add] https://crrev.com/86b45fdb5ea86208ba5f27cff5a29af086faf31b/chromeos-base/arc-sslh-init/files/upstart/openssh-server.override
[add] https://crrev.com/86b45fdb5ea86208ba5f27cff5a29af086faf31b/chromeos-base/arc-sslh-init/files/sslh-seccomp-arm.policy
[add] https://crrev.com/86b45fdb5ea86208ba5f27cff5a29af086faf31b/chromeos-base/arc-sslh-init/files/upstart/sslh.conf
[add] https://crrev.com/86b45fdb5ea86208ba5f27cff5a29af086faf31b/chromeos-base/chromeos-sshd-init/chromeos-sshd-init-0.0.2-r1.ebuild
,
Aug 25 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/overlays/project-cheets-private/+/a5a29f7020854364f40469bf763a96793212a804 commit a5a29f7020854364f40469bf763a96793212a804 Author: Mike Frysinger <vapier@chromium.org> Date: Fri Aug 25 19:08:59 2017
,
Sep 6 2017
The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/cheets-scripts/+/491a8b66458249acb9ced0fcd3d6078fe365bb76 commit 491a8b66458249acb9ced0fcd3d6078fe365bb76 Author: Mike Frysinger <vapier@chromium.org> Date: Wed Sep 06 01:25:10 2017
,
Jan 7
Comment 1 by djkurtz@chromium.org
, Jul 5 2017