Re: sshd failure following errata 007 for 5.8

2015-11-02 Thread Tichodroma

On 2015-11-02, Stuart Henderson  wrote:
[...]
> So I think your system is messed up somehow. Your symptoms are more
> like what would happen if you'd copied some old libcrypto.so.XX file
> to libcrypto.so.35.0 and locally built various apps against that.
>
> In your position I'd probably boot the 5.8 installer and do an
> 'upgrade' install over the top of your current system to make sure the
> files are correct for 5.8. Then forcibly reinstall all packages with
>
> # PKG_PATH=http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/packages/amd64/ pkg_add -u -D installed
[...]

Thank you Stuart.

I:
- rebooted on bsd.rd
- launched upgrade
- pkg_add -u -D installed
- restarted applying patches : as before
  - 001 fails during make :
sshd.o: In function `main':
sshd.c:(.text+0x414e): undefined reference to `do_authentication'
monitor.o: In function `mm_answer_rsa_response':
monitor.c:(.text+0x9e0): undefined reference to `auth_rsa_verify_response'
monitor.o: In function `mm_answer_rsa_challenge':
monitor.c:(.text+0xbd7): undefined reference to `auth_rsa_generate_challenge'
monitor.o: In function `mm_answer_rsa_keyallowed':
monitor.c:(.text+0xe41): undefined reference to `auth_rsa_key_allowed'
monitor.o: In function `mm_answer_keyallowed':
monitor.c:(.text+0x1faf): undefined reference to `auth_rhosts_rsa_key_allowed'
collect2: ld returned 1 exit status
*** Error 1 in sshd (:87 'sshd')
*** Error 1 in /usr/src/usr.bin/ssh (:48 'all')
  - 004 fails.

I then stopped patching and started thinking.
Last month, our firewall experienced three times some sort of freezing
(no way to login), of which I couldn't find any other way out than cold
booting and some fsck work in the case of the second freeze. Because of
limited time to operate, I put it back to work, but I'm wondering now if
I shouldn't reinstall it from scratch.

Olivier Debré



Re: sshd failure following errata 007 for 5.8

2015-11-02 Thread Tichodroma

Stuart Henderson  writes:

> I'm not sure what happened here, there's no way that patch 007 would
> do this, and in any event EVP_mdc2 was removed before 5.8 so shouldn't
> be referenced by that sshd binary.
>
> Where did your base58 file come from?

Hello Stuart.

Thanks for your help.

I downloaded:
- base58.tgz from http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/amd64/
- cd-src.tar.gz from http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/

It appears to me now that other apps are broken, for instance wget:
wget:/usr/lib/libcrypto.so.35.0: undefined symbol 'ENGINE_load_rsax'

As I wrote in a message that I now discover I never sent :-), though not
being a developer, I thought that all executables dynamically linked
with libcrypto would break. Wget behavior looks to me as a confirmation
of that.

So, once again, I choose to:
- wipe out /usr/src/
- put in place a fresh cd-src.tar.gz
- put in place base58.tgz
- not apply patches that failed for me: 001, 004 and 007.

Olivier Debré



Re: sshd failure following errata 007 for 5.8

2015-11-02 Thread Stuart Henderson
On 2015-11-02, Tichodroma  wrote:
> Stuart Henderson  writes:
>
> > I'm not sure what happened here, there's no way that patch 007 would
> > do this, and in any event EVP_mdc2 was removed before 5.8 so shouldn't
> > be referenced by that sshd binary.
> >
> > Where did your base58 file come from?
>
> Hello Stuart.
>
> Thanks for your help.
>
> I downloaded:
> - base58.tgz from http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/amd64/
> - cd-src.tar.gz from http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/
>
> It appears to me now that other apps are broken, for instance wget:
> wget:/usr/lib/libcrypto.so.35.0: undefined symbol 'ENGINE_load_rsax'
>
> As I wrote in a message that I now discover I never sent :-), though not
> being a developer, I thought that all executables dynamically linked
> with libcrypto would break. Wget behavior looks to me as a confirmation
> of that.

No, programs dynamically linking to libcrypto will continue to work
unless functions are removed from the library or their calling interface
changes. The patch doesn't do either of those things, so should be no
problem. When those things *are* done in a library, we change the library
version number so that existing binaries will continue to use the old
library, but we don't do that for errata patches.

So I think your system is messed up somehow. Your symptoms are more like
what would happen if you'd copied some old libcrypto.so.XX file to
libcrypto.so.35.0 and locally built various apps against that.

In your position I'd probably boot the 5.8 installer and do an 'upgrade'
install over the top of your current system to make sure the files are
correct for 5.8. Then forcibly reinstall all packages with

# PKG_PATH=http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/packages/amd64/ pkg_add -u -D installed

> So, once again, I choose to:
> - wipe out /usr/src/
> - put in place a fresh cd-src.tar.gz
> - put in place base58.tgz
> - not apply patches that failed for me: 001, 004 and 007.

I've just downloaded http://ftp.fr.openbsd.org/pub/OpenBSD/5.8/cd-src.tar.gz
and tried patching; all of the 5.8 patches successfully apply for me.

$ sha256 -b cd-src.tar.gz 
SHA256 (cd-src.tar.gz) = dPH+mhrjIgrG3jC/aOIaMW9LtdekZejihIl3zwXzs/o=
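
Checking a local download against the digest line posted above, as an added example that is not part of the original message (function names are hypothetical). It accepts the base64 form printed by `sha256 -b` as well as the default hex form.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# BSD-style digest line as printed by sha256(1): "SHA256 (name) = digest".
# The name may not contain '/' so a digest line cannot point outside `directory`.
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^()/]+)\) = (?P<digest>\S+)$")

def parse_digest(text):
    """Return the 32 raw digest bytes from hex or base64 (-b) text."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", text):
        return bytes.fromhex(text)
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("digest is neither hex nor base64") from exc
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("digest does not decode to 32 bytes")
    return raw

def parse_line(line):
    """Split a digest line into (file name, raw digest)."""
    match = LINE_RE.match(line.strip())
    if match is None:
        raise ValueError("not a 'SHA256 (name) = digest' line")
    return match["name"], parse_digest(match["digest"])

def file_sha256(path):
    """Hash the file in 1 MiB chunks so large tarballs are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.digest()

def verify(line, directory="."):
    """True only if the named file in `directory` matches the published digest."""
    name, expected = parse_line(line)
    actual = file_sha256(os.path.join(directory, name))
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # Digest line copied from the message above; run beside the download.
    posted = "SHA256 (cd-src.tar.gz) = dPH+mhrjIgrG3jC/aOIaMW9LtdekZejihIl3zwXzs/o="
    print("match" if verify(posted) else "MISMATCH")
```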



Re: sshd failure following errata 007 for 5.8

2015-11-01 Thread Stuart Henderson
Olivier Debré  free.fr> writes:

>
> Hello everyone.
>
> Following Ted's advice regarding the use of cd-src.tar.gz
> (http://article.gmane.org/gmane.os.openbsd.misc/226175), for all 5.8
> patches, I did so.
> I first had an error during 004 smtpd security fix. Never mind, I use
> Postfix.
> I then applied 007 libcrypto reliability fix. No error visible during
> the process, but now sshd barks:
>
> /usr/sbin/sshd:/usr/lib/libcrypto.so.35.0: undefined symbol 'EVP_mdc2'
> lazy binding failed!
> Segmentation fault (core dumped)
>
> Libcrypto-linked applications are quite numerous, to say the least. I
> found 45 in /usr/sbin, 15 in /usr/local/sbin/.
> Any idea as to what went wrong?
> I consider putting back the libcrypto-linked applications from base58
> file set, but I'm sure there's something better to do!

I'm not sure what happened here, there's no way that patch 007 would
do this, and in any event EVP_mdc2 was removed before 5.8 so shouldn't
be referenced by that sshd binary.

Where did your base58 file come from?



Re: sshd failure following errata 007 for 5.8

2015-10-30 Thread Jared Hamilton
Hi Olivier,

I ran into this same issue. I simply rebuilt ssh after applying
libcrypto patch with:
cd /usr/src/usr.bin/ssh
make obj
make depend
make
make install

Hope that helps

--
Jared

- Original message -
From: Olivier Debré <tichodr...@free.fr>
To: misc@openbsd.org
Subject: sshd failure following errata 007 for 5.8
Date: Fri, 30 Oct 2015 14:34:01 + (UTC)

Hello everyone.

Following Ted's advice regarding the use of cd-src.tar.gz
(http://article.gmane.org/gmane.os.openbsd.misc/226175), for all 5.8
patches, I did so.
I first had an error during 004 smtpd security fix. Never mind, I use
Postfix.
I then applied 007 libcrypto reliability fix. No error visible during
the process, but now sshd barks:

/usr/sbin/sshd:/usr/lib/libcrypto.so.35.0: undefined symbol 'EVP_mdc2'
lazy binding failed!
Segmentation fault (core dumped)

Libcrypto-linked applications are quite numerous, to say the least. I
found 45 in /usr/sbin, 15 in /usr/local/sbin/.
Any idea as to what went wrong?
I consider putting back the libcrypto-linked applications from base58
file set, but I'm sure there's something better to do!

Thanks.

Olivier Debré



Re: sshd failure following errata 007 for 5.8

2015-10-30 Thread Jared Hamilton
Oof - forgive the top post. Sorry everyone.

-- 
Jared



sshd failure following errata 007 for 5.8

2015-10-30 Thread Olivier Debré
Hello everyone.

Following Ted's advice regarding the use of cd-src.tar.gz
(http://article.gmane.org/gmane.os.openbsd.misc/226175), for all 5.8
patches, I did so.
I first had an error during 004 smtpd security fix. Never mind, I use
Postfix.
I then applied 007 libcrypto reliability fix. No error visible during
the process, but now sshd barks:

/usr/sbin/sshd:/usr/lib/libcrypto.so.35.0: undefined symbol 'EVP_mdc2'
lazy binding failed!
Segmentation fault (core dumped)

Libcrypto-linked applications are quite numerous, to say the least. I
found 45 in /usr/sbin, 15 in /usr/local/sbin/.
Any idea as to what went wrong?
I consider putting back the libcrypto-linked applications from base58
file set, but I'm sure there's something better to do!

Thanks.

Olivier Debré



Re: sshd failure following errata 007 for 5.8

2015-10-30 Thread Olivier Debré
Jared Hamilton  fastmail.com> writes:

> 
> Hi Olivier,
> 
> I ran into this same issue. I simply rebuilt ssh after applying
> libcrypto patch with:
> cd /usr/src/usr.bin/ssh
> make obj
> make depend
> make
> make install
> 
> Hope that helps
> 
> --
> Jared

Thank you Jared.

I did as you suggest, however :
/usr/src/usr.bin/ssh # make
===> lib
===> ssh
===> sshd
cc   -o sshd sshd.o auth-rhosts.o auth-passwd.o sshpty.o sshlogin.o
servconf.o serverloop.o auth.o auth2.o auth-options.o session.o
auth-chall.o auth2-chall.o groupaccess.o auth-bsdauth.o auth2-hostbased.o
auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o
monitor.o monitor_wrap.o sftp-server.o sftp-common.o roaming_common.o
roaming_serv.o sandbox-systrace.o -L/usr/src/usr.bin/ssh/sshd/../lib/obj
-lssh -lutil -L/usr/src/usr.bin/ssh/sshd/../lib/obj -lssh -lutil -lcrypto
-lutil -lz
sshd.o: In function `main':
sshd.c:(.text+0x414e): undefined reference to `do_authentication'
monitor.o: In function `mm_answer_rsa_response':
monitor.c:(.text+0x9e0): undefined reference to `auth_rsa_verify_response'
monitor.o: In function `mm_answer_rsa_challenge':
monitor.c:(.text+0xbd7): undefined reference to `auth_rsa_generate_challenge'
monitor.o: In function `mm_answer_rsa_keyallowed':
monitor.c:(.text+0xe41): undefined reference to `auth_rsa_key_allowed'
monitor.o: In function `mm_answer_keyallowed':
monitor.c:(.text+0x1faf): undefined reference to `auth_rhosts_rsa_key_allowed'
/usr/lib/libcrypto.so.35.0: undefined reference to `ENGINE_load_rsax'
/usr/lib/libcrypto.so.35.0: undefined reference to `EVP_mdc2'
collect2: ld returned 1 exit status
*** Error 1 in sshd (:87 'sshd')
*** Error 1 in /usr/src/usr.bin/ssh (:48 'all')

I'm not a developer. Maybe I should have rebuilt /usr/src with cd-src.tar.gz
before?

Plus, as I wrote, there are 50+ apps linked with libcrypto, and I prefer
putting back all base58.tgz in place instead of rebuilding all of them.

Anyway, it seems that now we are two having experienced that.

Olivier



Re: sshd failure following errata 007 for 5.8

2015-10-30 Thread Kurt Mosiejczuk
On Fri, Oct 30, 2015 at 03:41:19PM +, Olivier Debré wrote:

> Plus, as I wrote, there are 50+ apps linked with libcrypto, and I prefer
> putting back all base58.tgz in place instead of rebuilding all of them.

There aren't 50+ apps linked *statically* to libcrypto.  They use it as
a shared library.  There's no need to rebuild all those.  That's why
the patch doesn't mention rebuilding other things.

--Kurt