Bug ID 1159097
Summary OpenSSH 7.9p1-lp151.3.4 source package: Wrong function name used in patch (openssh-7.7p1-gssapi_key_exchange.patch)
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.1
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Network
Assignee bnc-team-screening@forge.provo.novell.com
Reporter scheiner@hlrs.de
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

User-Agent:       Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0)
Gecko/20100101 Firefox/70.0
Build Identifier: 

During creation of a GSI and HPN enabled OpenSSH package ([1]) for the GridCF's
Grid Community Toolkit we (a colleague of mine and me) discovered an oddity in
the "openssh-7.7p1-gssapi_key_exchange.patch" which is part of [2] - the
package used as basis for [1].

[1]:
https://build.opensuse.org/package/show/home:frank_scheiner:gct/gsi-openssh

[2]:
http://download.opensuse.org/source/distribution/leap/15.1/repo/oss/src/openssh-7.9p1-lp151.3.4.src.rpm

There we have:

```
1575 +int
1576 +kexgss_server(struct ssh *ssh)
[...]
1603 +       const BIGNUM *p, *g, *pub_key;
[...]
1650 +               DH_set0_pqg(dh, &p, NULL, &g);
[...]
1652 +               packet_put_bignum2((BIGNUM *)p);
1653 +               packet_put_bignum2((BIGNUM *)g);
[...]
1745 +       DH_get0_key(dh, &pub_key, NULL);
[...]
1793 +       packet_put_bignum2(pub_key);
```

Specifically line 1650 looks odd, when comparing the arguments (and their
types) to the actual interface of the `DH_set0_pqg()` function on e.g. [3]:

```
int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
```

```
void DH_get0_pqg(const DH *dh,
                  const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
```
... also from [3] would be a better fit here.

[3]: https://www.openssl.org/docs/man1.1.1/man3/DH_set0_pqg.html

And comparing these specific lines to their counterparts in the OpenSSH 7.9p1
src RPM in Fedora ([4], from the "openssh-7.8p1-gsskex.patch" patch):

```
1390 +int
1391 +kexgss_server(struct ssh *ssh)
[...]
1418 +       const BIGNUM *p, *g, *pub_key;
[...]
1464 +               DH_get0_pqg(dh, &p, NULL, &g);
[...]
1466 +               packet_put_bignum2((BIGNUM *)p);
1467 +               packet_put_bignum2((BIGNUM *)g);
[...]
1559 +       DH_get0_key(dh, &pub_key, NULL);
[...]
1607 +       packet_put_bignum2(pub_key);
```

...it looks like the function name in the openSUSE patch differs and maybe is
the result of a typo?

[4]:
https://kojipkgs.fedoraproject.org/packages/gsi-openssh/7.9p1/7.fc31/src/gsi-openssh-7.9p1-7.fc31.src.rpm

When compiling with the assumed wrong function name in the openSUSE patch
together with our GSI patch(es) (which use the GSSAPI), this creates the
following related warnings:

```
gcc -fpie -fstack-protector -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -ftrapv -fno-builtin-memset
-fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE
-D_DEFAULT_SOURCE -I/usr/include/editline -DLDAP_DEPRECATED -DOPENSSL_LOAD_CONF
-I/usr/include/globus -DSSHDIR=\"/etc/gsissh\"
-D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/gsissh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/libexec/gsissh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/libexec/gsissh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/gsissh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/lib/empty\"
-DHAVE_CONFIG_H -c kexgsss.c -o kexgsss.o
kexgsss.c: In function ���kexgss_server���:
kexgsss.c:131:32: warning: passing argument 2 of ���DH_set0_pqg��� from
incompatible pointer type [-Wincompatible-pointer-types]
                DH_set0_pqg(dh, &p, NULL, &g);
                                ^
In file included from /usr/include/openssl/dsa.h:31:0,
                 from sshkey.h:33,
                 from kexgsss.c:37:
/usr/include/openssl/dh.h:175:5: note: expected ���BIGNUM * {aka struct bignum_st
*}��� but argument is of type ���const BIGNUM ** {aka const struct bignum_st **}���
 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
     ^~~~~~~~~~~
kexgsss.c:131:42: warning: passing argument 4 of ���DH_set0_pqg��� from
incompatible pointer type [-Wincompatible-pointer-types]
                DH_set0_pqg(dh, &p, NULL, &g);
                                          ^
In file included from /usr/include/openssl/dsa.h:31:0,
                 from sshkey.h:33,
                 from kexgsss.c:37:
/usr/include/openssl/dh.h:175:5: note: expected ���BIGNUM * {aka struct bignum_st
*}��� but argument is of type ���const BIGNUM ** {aka const struct bignum_st **}���
 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
     ^~~~~~~~~~~
In file included from packet.h:223:0,
                 from kexgsss.c:41:
opacket.h:77:39: warning: passing argument 2 of ���ssh_packet_put_bignum2���
discards ���const��� qualifier from pointer target type [-Wdiscarded-qualifiers]
  ssh_packet_put_bignum2(active_state, (value))
                                       ^
kexgsss.c:275:2: note: in expansion of macro ���packet_put_bignum2���
  packet_put_bignum2(pub_key);
  ^~~~~~~~~~~~~~~~~~
opacket.h:10:10: note: expected ���BIGNUM * {aka struct bignum_st *}��� but
argument is of type ���const BIGNUM * {aka const struct bignum_st *}���
 void     ssh_packet_put_bignum2(struct ssh *, BIGNUM * value);
          ^~~~~~~~~~~~~~~~~~~~~~
[...]
```

When using the assumed correct function name, these warnings are gone, but a
new warning appears due to passing a const var as non-const argument:

```
[  131s] gcc -fmessage-length=0 -grecord-gcc-switches -O2 -Wall
-D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables
-fasynchronous-unwind-tables -fstack-clash-protection -fpie -fstack-protector
-pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset
-fstack-protector-strong -fPIE   -I. -I.  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE
-D_DEFAULT_SOURCE -I/usr/include/editline -DLDAP_DEPRECATED -DOPENSSL_LOAD_CONF
-I/usr/include/globus  -DSSHDIR=\"/etc/gsissh\"
-D_PATH_SSH_PROGRAM=\"/usr/bin/gsissh\"
-D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/gsissh/ssh-askpass\"
-D_PATH_SFTP_SERVER=\"/usr/lib/gsissh/sftp-server\"
-D_PATH_SSH_KEY_SIGN=\"/usr/lib/gsissh/ssh-keysign\"
-D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/gsissh/ssh-pkcs11-helper\"
-D_PATH_SSH_PIDDIR=\"/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/lib/empty\"
-DHAVE_CONFIG_H -c ssh.c -o ssh.o
[  131s] In file included from packet.h:223:0,
[  131s]                  from kexgsss.c:41:
[  131s] kexgsss.c: In function 'kexgss_server':
[  131s] opacket.h:77:39: warning: passing argument 2 of
'ssh_packet_put_bignum2' discards 'const' qualifier from pointer target type
[-Wdiscarded-qualifiers]
[  131s]   ssh_packet_put_bignum2(active_state, (value))
[  131s]                                        ^
[  131s] kexgsss.c:275:2: note: in expansion of macro 'packet_put_bignum2'
[  131s]   packet_put_bignum2(pub_key);
[  131s]   ^~~~~~~~~~~~~~~~~~
[  131s] opacket.h:10:10: note: expected 'BIGNUM * {aka struct bignum_st *}'
but argument is of type 'const BIGNUM * {aka const struct bignum_st *}'
[  131s]  void     ssh_packet_put_bignum2(struct ssh *, BIGNUM * value);
[  131s]           ^~~~~~~~~~~~~~~~~~~~~~
```

What's your opinion on that?

Reproducible: Always

You are receiving this mail because: