Re: Util-linux to use OpenSSL for MD5

2007-03-28 Thread Jan Dvořák

I do apologize, some errors crawled in.

http://jh.gvn.cz/~jd870911/hlfs/openssl/util-linux-2.12r-openssl-3.patch
Index: chapter06/util-linux.xml
===
--- chapter06/util-linux.xml(revision 1042)
+++ chapter06/util-linux.xml(working copy)
@@ -62,13 +62,18 @@
 patch -Np1 -i ../&util-linux-cramfs-patch;
 patch -Np1 -i ../&util-linux-lseek-patch;
 
+   Util-linux ships with it's own MD5 implementation. Following
+   patch adds possibility to use the one that comes with OpenSSL.
+
+patch -Np1 -i 
../&util-linux-openssl-patch;
+
 Prepare Util-linux for compilation:
 
 ./configure
 
 Compile the package:
 
-make HAVE_KILL=yes HAVE_SLN=yes
+make HAVE_KILL=yes HAVE_SLN=yes 
HAVE_OPENSSL=yes
 
 
   The meaning of the make parameters:
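Review bot: the prose added to the book page carries two errors that will render as-is: "it's own MD5 implementation" should be "its own", and "Following patch adds possibility to use the one that comes with OpenSSL" should read "The following patch adds the possibility of using the one that comes with OpenSSL". Also confirm that `patch -Np1 -i ../&util-linux-openssl-patch;` is on a single line in the real patch file; it is wrapped here, and a hard line break inside the command would show up in the rendered book.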
@@ -90,13 +95,22 @@
 
   
 
+  
+HAVE_OPENSSL=yes
+
+  This utilizes applied OpenSSL patch and makes
+  mcookie and mkfs.cramfs
+  link against libcrypto.so.
+
+  
+
 
 
 This package does not come with a test suite.
 
 Install the package:
 
-make HAVE_KILL=yes HAVE_SLN=yes install
+make HAVE_KILL=yes HAVE_SLN=yes HAVE_OPENSSL 
install
 
   
 
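Review bot: the install command `make HAVE_KILL=yes HAVE_SLN=yes HAVE_OPENSSL install` drops the `=yes` that the compile step uses. A bare `HAVE_OPENSSL` on the make command line is parsed as a target name, not a variable assignment, so unless the Makefile happens to define such a target make stops with "No rule to make target `HAVE_OPENSSL'". It should be `make HAVE_KILL=yes HAVE_SLN=yes HAVE_OPENSSL=yes install`. In the parameter description, "This utilizes applied OpenSSL patch" also needs an article: "This utilizes the applied OpenSSL patch".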
Index: patches.ent
===
--- patches.ent (revision 1042)
+++ patches.ent (working copy)
@@ -168,6 +168,10 @@
 
 
 
+
+
+
+
 
 
 
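Review bot: the four added lines in patches.ent arrive empty in this copy, so the entity that chapter06/util-linux.xml now references as `&util-linux-openssl-patch;` cannot be checked against its definition here; please confirm the entity name matches exactly and that the new entries follow the pattern of the neighbouring patch entries in patches.ent.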
-- 
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page


Util-linux to use OpenSSL for MD5

2007-03-28 Thread Jan Dvořák

Hi there again,

Reworked patch for Util-linux. The patch can be downloaded from
http://jh.gvn.cz/~jd870911/hlfs/openssl/util-linux-2.12r-openssl-2.patch
and the patch to the book is attached for discussion. This relates to a quite
old thread (can't find it right now) about making everything in the
system use OpenSSL for cryptography whenever possible.


BTW, what happened to the kernel crypto API?

- Mordae
Index: chapter06/util-linux.xml
===
--- chapter06/util-linux.xml(revision 1042)
+++ chapter06/util-linux.xml(working copy)
@@ -62,13 +62,18 @@
 patch -Np1 -i ../&util-linux-cramfs-patch;
 patch -Np1 -i ../&util-linux-lseek-patch;
 
+   Util-linux ships with it's own MD5 implementation. Following
+   patch adds possibility to use the one that comes with OpenSSL.
+
+patch -Np1 -i 
../&util-linux-openssl-patch;
+
 Prepare Util-linux for compilation:
 
 ./configure
 
 Compile the package:
 
-make HAVE_KILL=yes HAVE_SLN=yes
+make HAVE_KILL=yes HAVE_SLN=yes 
HAVE_OPENSSL=yes
 
 
   The meaning of the make parameters:
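Review bot: in the added book text, "it's own MD5 implementation" should be "its own", and "Following patch adds possibility to use" should be "The following patch adds the possibility of using"; both will otherwise render verbatim. Check as well that `patch -Np1 -i ../&util-linux-openssl-patch;` is a single line in the patch file rather than wrapped as it appears here.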
@@ -90,13 +95,22 @@
 
   
 
+  
+HAVE_OPENSSL=yes
+
+  This utilizes applied OpenSSL patch and makes
+  mcookie and mkfs.cramfs
+  link against libcrypto.so.
+
+  
+
 
 
 This package does not come with a test suite.
 
 Install the package:
 
-make HAVE_KILL=yes HAVE_SLN=yes install
+make HAVE_KILL=yes HAVE_SLN=yes HAVE_OPENSSL 
install
 
   
 
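Review bot: `make HAVE_KILL=yes HAVE_SLN=yes HAVE_OPENSSL install` is inconsistent with the compile step's `HAVE_OPENSSL=yes`; without the `=yes`, make reads `HAVE_OPENSSL` as a target and fails with "No rule to make target" unless the Makefile defines one. Use `HAVE_OPENSSL=yes install`. "This utilizes applied OpenSSL patch" should be "This utilizes the applied OpenSSL patch".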
Index: patches.ent
===
--- patches.ent (revision 1042)
+++ patches.ent (working copy)
@@ -168,6 +168,10 @@
 
 
 
+
+
+
+
 
 
 


Re: debugging strategies

2007-03-23 Thread Jan Dvořák
Robert Connolly wrote:
> GDB doesn't build, or doesn't work?
For me it does build, but fails like this:

$ cat >>gdb-test.c < search starts here:
  /usr/local/include
  /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/include
  /usr/include
End of search list.
GNU C version 4.1.1 (i686-pc-linux-gnu)
compiled by GNU C version 4.1.1.
GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
Compiler executable checksum: 7dab25506487cc63d4fe4f4a489fe76a
 
/usr/lib/gcc/i686-pc-linux-gnu/4.1.1/../../../../i686-pc-linux-gnu/bin/as 
-V -Qy -o /tmp/ccq06cYU.o /tmp/cc42vwe1.s
GNU assembler version 2.17 (i686-pc-linux-gnu) using BFD version 2.17
  /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/collect2 --eh-frame-hdr -m 
elf_i386 -dynamic-linker /lib/ld-linux.so.2 -z now -z relro -z combreloc 
-pie -o gdb-test /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/../../../Scrt1.o 
/usr/lib/gcc/i686-pc-linux-gnu/4.1.1/../../../crti.o 
/usr/lib/gcc/i686-pc-linux-gnu/4.1.1/crtbeginS.o 
-L/usr/lib/gcc/i686-pc-linux-gnu/4.1.1 
-L/usr/lib/gcc/i686-pc-linux-gnu/4.1.1 
-L/usr/lib/gcc/i686-pc-linux-gnu/4.1.1/../../../../i686-pc-linux-gnu/lib 
-L/usr/lib/gcc/i686-pc-linux-gnu/4.1.1/../../.. /tmp/ccq06cYU.o -lgcc 
--as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s 
--no-as-needed /usr/lib/gcc/i686-pc-linux-gnu/4.1.1/crtendS.o 
/usr/lib/gcc/i686-pc-linux-gnu/4.1.1/../../../crtn.o

-

$ gdb ./gdb-test
GNU gdb 6.6
[snip warranty]
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x656
(gdb) r
Starting program: /home/mordae/w/gdb-test
Failed to read a valid object file image from memory.
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x656: Input/output error.
(gdb) quit
The program is running.  Exit anyway? (y or n) y

-

$ gdb /lib/ld-linux.so.2
GNU gdb 6.6
[snip warranty]
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) b main
Function "main" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y

Breakpoint 1 (main) pending.
(gdb) run ./gdb-test
Starting program: /lib/ld-linux.so.2 ./gdb-test
Failed to read a valid object file image from memory.

Program exited with code 052.
(gdb) quit

-

$ /sbin/paxctl -permsx ./gdb-test
$ /sbin/paxctl -v ./gdb-test
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <[EMAIL PROTECTED]>

- PaX flags: -p-s-m-x-e-r [./gdb-test]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is disabled

-

$ # Repeated both `gdb ./gdb-test` and `gdb /lib/ld-linux.so.2` (run 
./gdb-test) with exactly same results...

-

$ cp /lib/ld-linux.so.2 ./
$ cp /lib/libc.so.6 ./
$ export LD_LIBRARY_PATH=.
$ /sbin/paxctl -permsx ./ld-linux.so.2
$ /sbin/paxctl -v ./ld-linux.so.2
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <[EMAIL PROTECTED]>

- PaX flags: -p-s-m-x-e-r [./ld-linux.so.2]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is disabled
$ /sbin/paxctl -permsx ./libc.so.6
$ /sbin/paxctl -v ./libc.so.6
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <[EMAIL PROTECTED]>

- PaX flags: -p-s-m-x-e-r [./libc.so.6]
PAGEEXEC is disabled
SEGMEXEC is disabled
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
RANDMMAP is disabled
$ ./ld-linux.so.2 --list ./gdb-test
linux-gate.so.1 =>  (0xe000)
libc.so.6 => ./libc.so.6 (0xb7e7)
/lib/ld-linux.so.2 => ./ld-linux.so.2 (0x8000)


-

# Both gdb runs failed once again -- now with paxctl'ed libc and once 
again even with paxctl'ed dynamic loader. Same errors...


-

And second prob... How to compile without hardening?

- Mordae


Re: Possible security issue with blowfish shadow passwords

2007-03-01 Thread Jan Dvořák
Kevin Day wrote:
>> - Linux-PAM (set passwords to blowfish as pam seems to handle them)
>> password = abcd
>> 4) abcd = pass
>> 5) abcde = pass
Maybe this piece of code from modules/pam_unix/support.c:709?

/*
 * Note, we are comparing the bigcrypt of the password with
 * the contents of the password field. If the latter was
 * encrypted with regular crypt (and not bigcrypt) it will
 * have been truncated for storage relative to the output
 * of bigcrypt here. As such we need to compare only the
 * stored string with the subset of bigcrypt's result.
 * Bug 521314: The strncmp comparison is for legacy support.
 */
if (strncmp(pp, salt, salt_len) == 0) {
    retval = PAM_SUCCESS;
} else {
    retval = PAM_AUTH_ERR;
}


Investigate what exactly strncmp() gets and see if it's the problem.

fprintf(stderr, "BUGTRACK: strncmp(\"%s\", \"%s\", %i)\n",
        pp, salt, salt_len);
if (strncmp(pp, salt, salt_len) == 0) {
...

Good luck...
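Added example, not code from Linux-PAM or from this thread: the prefix-only comparison quoted above placed beside a stricter check that reports whether a match was exact or held only over the stored prefix, run on constructed sample strings. Function names and the sample hash values are assumptions.

```c
/* Added example (not Linux-PAM code): classify how a freshly computed
 * crypt()/bigcrypt() string relates to the hash stored in the shadow
 * field. The sample strings below are constructed, not real hashes. */
#include <stddef.h>
#include <string.h>

enum cmp_result {
    CMP_EXACT = 0,       /* same length, every byte equal            */
    CMP_PREFIX_ONLY = 1, /* stored string is a strict prefix of computed */
    CMP_MISMATCH = 2     /* differs within the stored length, or shorter */
};

/* Constant-time comparison of n bytes; returns 0 when all bytes match. */
static int ct_memcmp(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff;
}

/* Mirrors the pam_unix check: only strlen(stored) bytes are compared. */
int legacy_check(const char *computed, const char *stored)
{
    return strncmp(computed, stored, strlen(stored)) == 0;
}

/* Stricter classification that makes a prefix-only match visible. */
enum cmp_result classify(const char *computed, const char *stored)
{
    size_t sl = strlen(stored), cl = strlen(computed);
    if (cl < sl || ct_memcmp(computed, stored, sl) != 0)
        return CMP_MISMATCH;
    return cl == sl ? CMP_EXACT : CMP_PREFIX_ONLY;
}

/* Accept only an exact, full-length match. */
int strict_check(const char *computed, const char *stored)
{
    return classify(computed, stored) == CMP_EXACT;
}

/* Constructed sample: the stored field is a truncated copy of the
 * computed string, the situation the legacy comment describes. */
const char *SAMPLE_COMPUTED =
    "$2a$05$c0nstructedSaltValue.c0nstructedHashOutputOfFullLength";
const char *SAMPLE_STORED = "$2a$05$c0nstructedSaltValue.c0nstructedHash";
```

Logging the `classify()` result next to the `BUGTRACK` line suggested above tells you whether a successful login was an exact match or one that only held over the truncated stored field.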


Re: hlfs fwrite changes to binutils and gcc

2007-02-20 Thread Jan Dvořák
Hi,

> Move 
>  to , include the vanilla header in the new 
> , then redefine the functions with assertions... unless NDEBUG is 
> defined. This would be a lot easier to work with, as a sysadmin, and would 
> work transparently with all packages.
The only problem is that we will get errors even when there is a check 
in the code. I'm however going to recompile something smaller 
(coreutils, bash) and then see how it works...

Fine, done... I've tried coreutils with checks in unistd.h and malloc.h;
bits/stdio2.h, bits/wchar2.h, stat.h, stdio.h and stdlib.h I'll try
tomorrow. It looks quite good. The coreutils testsuite went OK... I'll see
tomorrow...


Package Management notice in 6.1

2006-10-16 Thread Jan Dvořák
EHLO,

> 6.1. Introduction
> [...]
> For a package management method specifically geared towards HLFS, we
> recommend [...]/hints/downloads/files/more_control_and_pkg_man.txt.
If this is true, shouldn't instructions in the book be adjusted to make
installation in such conditions painless?

Some time ago, the hint about UnionFS package management was released.
What about adding some kind of package management to the book? It's an
important part of a secure system. With a UnionFS-based one we could teach
users to check whether packages about to be installed replace
anything important or install anything setuid. It also makes it possible
to (almost) completely rebuild and reinstall the system while running.

It is even possible to rebuild e.g. openssl, then include it in the
overlay and rebuild some applications against it (without actually
merging it to the system) and then merge it all at once in a few minutes.





Re: Using assert(3) to deal with -D_FORTIFY_SOURCE warnings

2006-10-15 Thread Jan Dvořák
Robert Connolly wrote:
> Hello. Does it seem reasonable to use:
> - fwrite (...);
> + assert(fwrite (...));
> ...
> to deal with -D_FORTIFY_SOURCE warnings with fwrite(), dup(), chdir(), 
> fchown(), fgets(), write(), mktemp(), mkstemp(), mkdtemp(), and friends who 
Seems very reasonable, but upstream may get confused by getting these
assertions as bug reports. But it's a good thing anyway.

- Mordae



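Added example, not code from this thread or from binutils/gcc: the `assert(fwrite(...))` form proposed above, beside a wrapper that consumes the return value so the -D_FORTIFY_SOURCE warning goes away without the check disappearing under NDEBUG. This also covers the earlier thread on the same fwrite changes. Function names are assumptions.

```c
/* Added example (not from the thread): two ways of satisfying the
 * warn_unused_result check that -D_FORTIFY_SOURCE puts on fwrite(). */
#include <assert.h>
#include <stdio.h>

/* The proposed form. assert() expands to nothing when NDEBUG is defined,
 * so in such a build the fwrite() call itself is dropped, and in a debug
 * build a short write aborts the process instead of being reported. */
int write_with_assert(const void *buf, size_t n, FILE *fp)
{
    assert(fwrite(buf, 1, n, fp) == n);
    return 0;
}

/* Consumes the result explicitly: 0 on success, -1 on a short write.
 * The call stays in every build, and the caller decides what to do. */
int checked_fwrite(const void *buf, size_t n, FILE *fp)
{
    size_t written = fwrite(buf, 1, n, fp);
    return written == n ? 0 : -1;
}

/* Writable temporary stream: the write succeeds. */
int demo_ok(void)
{
    FILE *fp = tmpfile();
    if (!fp) return -1;
    int rc = checked_fwrite("hello", 5, fp);
    fclose(fp);
    return rc;
}

/* Stream opened read-only: fwrite() returns a short count and the
 * wrapper reports it instead of aborting. */
int demo_fail(void)
{
    FILE *fp = fopen("/dev/null", "r");
    if (!fp) return -1;
    int rc = checked_fwrite("hello", 5, fp);
    fclose(fp);
    return rc;
}
```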


Re: util-linux using libcrypto

2006-09-19 Thread Jan Dvořák
Hi,

another thing I just found out. Glibc's sunrpc has its own impl of DES.

As noted in sunrpc/des_impl.c: Collected from libdes and modified for
SECURE RPC by Martin Kuck 1994, funny huh?

:]





Re: util-linux using libcrypto

2006-09-19 Thread Jan Dvořák
Hi,

> It shouldn't be hard to remove libcrypt from glibc
We'll have to build it later as it defines crypt(). Maybe we could only
replace its MD5 algo with OpenSSL's and build it separately once
libcrypto is in place...

# EOF


Re: cryptodev

2006-09-18 Thread Jan Dvořák

Hi Alex,

> Anyway, this is altogether too deep a discussion over the adding of a 
> simple option :-P
That option has been there since you first noticed it... :]

Anyway, the current version can be found at
.

# EOF


Re: util-linux using libcrypto

2006-09-18 Thread Jan Dvořák

Hi,

I've rewritten that ugly patch and am posting this one. It more or less
integrates into the build system (and you won't tell it from the messy
stuff already there). To enable it, just edit MCONFIG with

sed -e 's/^HAVE_OPENSSL=no/HAVE_OPENSSL=yes/'

./configure then checks for this option and, if enabled, verifies
 is in place and sets CPP/Makefile macros that, together
with the appropriate Makefile and source file changes, cause the embedded
md5.c to be ignored and the applications to link against libcrypto.

What do you think?

Patch can be downloaded from
.

# EOF


Re: 5.2. Embryo Toolchain - Stages differs (ggc-common.o)

2006-09-15 Thread Jan Dvořák
> so I followed Robert's hint to CFLAGS="-fno-stack-protector -no-pie",
> but I ended up with another error. It is not possible to set CFLAGS like
> this as we don't include SSP and PIE in the stage1 xgcc, so it fails as it
> doesn't know anything about them.
Correction: It *is* possible to build this way. One must only pass the
variable as `CFLAGS='...' ./configure ...` and not export CFLAGS='...'.
I do apologize for disturbing you. :]


5.2. Embryo Toolchain - Stages differs (ggc-common.o)

2006-09-15 Thread Jan Dvořák
Hi,

I tried to build 5.2. last night and got this error (./ggc-common.o
differs). A very similar problem has already been reported, according
to Google, in

so I followed Robert's hint to CFLAGS="-fno-stack-protector -no-pie",
but I ended up with another error. It is not possible to set CFLAGS like
this as we don't include SSP and PIE in the stage1 xgcc, so it fails as it
doesn't know anything about them.

I'm using gcc-3.4.4 (ssp) with glibc-2.3.6 (it's old HLFS). I guess I
may be able to compile it without bootstrap, but I just want to figure
this out.

- Mordae


Re: Status of HLFS project

2006-09-14 Thread Jan Dvořák
Hi,

>>> It's active, but I seem to be the only maintainer and I work 55 hours
>>> per week.
>> I don't have exactly *much* time either, but I'd like to help you. Alas,
>> I'm not much C-positive. So, first I'm going to study new HLFS features
>> and then I'll build to see how it goes.
> Well I'd like to say that I'm a _Happy_ HLFS user for 2 years now and
I only for about 1 year.

> I have a few years of experience with general programming (Pascal/FPC),
> a year and a half of C, around six months with java. In scripting
> languages I know bash, php and the general html/dhtml/css/js.
I am BASH-positive. About PHP... PHP/5.1, 5.2-dev, 6.0-dev installed...
Most of my time has been in PHP for more than two years. Some time spent on
Java, but it's all the same. I've even done some C, but never got to C++ as
I didn't need to.

> Is there an official TODO list that we could read trough and choose
> things to do that would suit Our experience?
Yeah, give us a chance to participate. Let's bring it to real life! There
are some things I'd like to see in HLFS... Xorg/7.1, latest udev and
UTF-8 for ncurses. Non-English locales suck (and I'm from Czechia).

# EOF


Status of HLFS project

2006-09-13 Thread Jan Dvořák
Hi,

what is the current HLFS status? Is the project temporarily stopped or is it
completely dead? It obviously is not in active development.
What are we waiting for? How can I, an HLFS (Glibc) user, help you to bring
HLFS further?

- Mordae