4 files changed, 63 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 252076632..002104d0d 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-624433c4fff092e3aaaff6aa8954eb93e0387c44
+ada7edd8b4ec246a0c1c283c5e5956f09d503fbd
-624433c4fff092e3aaaff6aa8954eb93e0387c44
+ada7edd8b4ec246a0c1c283c5e5956f09d503fbd
 971a7653746a6972b907dfe0ce139c06e4a6f482
 971a7653746a6972b907dfe0ce139c06e4a6f482
 openssh_7.4p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 246811ec9..b69cfe21b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,9 @@ openssh (1:7.4p1-4) UNRELEASED; urgency=medium
  * Run regression tests inside annotate-output to try to diagnose timeout
    issues.
+  * Make integrity tests more robust against timeouts in the case where the
+    first test in a series for a given MAC happens to modify the low bytes
+    of a packet length.
 -- Colin Watson <cjwatson@debian.org>  Sun, 01 Jan 2017 14:32:26 +0000
diff --git a/debian/patches/regress-integrity-robust.patch b/debian/patches/regress-integrity-robust.patch
new file mode 100644
index 000000000..92b5ae5fc
--- /dev/null
+++ b/debian/patches/regress-integrity-robust.patch
@@ -0,0 +1,57 @@
+From ada7edd8b4ec246a0c1c283c5e5956f09d503fbd Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sun, 1 Jan 2017 15:21:10 +0000
+Subject: Make integrity tests more robust against timeouts
+If the first test in a series for a given MAC happens to modify the low
+bytes of a packet length, then ssh will time out and this will be
+interpreted as a test failure.  Handle this failure mode.
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658
+Patch-Name: regress-integrity-robust.patch
+Last-Update: 2017-01-01
+---
+ regress/integrity.sh | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+diff --git a/regress/integrity.sh b/regress/integrity.sh
+index 39d310de..fd7d58bc 100644
+--- a/regress/integrity.sh
+++ b/regress/integrity.sh
+@@ -5,8 +5,6 @@ tid="integrity"
+ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+ 
+ # start at byte 2900 (i.e. after kex) and corrupt at different offsets
+-# XXX the test hangs if we modify the low bytes of the packet length
+-# XXX and ssh tries to read...
+ tries=10
+ startoffset=2900
+ macs=`${SSH} -Q mac`
+@@ -27,6 +25,7 @@ for m in $macs; do
+        elen=0
+        epad=0
+        emac=0
+       etmo=0
+        ecnt=0
+        skip=0
+        for off in `jot $tries $startoffset`; do
+@@ -61,14 +60,16 @@ for m in $macs; do
+                Corrupted?MAC* | *message?authentication?code?incorrect*)
+                                emac=`expr $emac + 1`; skip=0;;
+                padding*)       epad=`expr $epad + 1`; skip=0;;
+               *Timeout,?server*)
+                               etmo=`expr $etmo + 1`; skip=0;;
+                *)              fail "unexpected error mac $m at $off: $out";;
+                esac
+        done
+-       verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
+       verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen timeout $etmo"
+        if [ $emac -eq 0 ]; then
+                fail "$m: no mac errors"
+        fi
+-       expect=`expr $ecnt - $epad - $elen`
+       expect=`expr $ecnt - $epad - $elen - $etmo`
+        if [ $emac -ne $expect ]; then
+                fail "$m: expected $expect mac errors, got $emac"
+        fi
diff --git a/debian/patches/series b/debian/patches/series
index f7dded322..6f9132c27 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@ gnome-ssh-askpass2-icon.patch
 sigstop.patch
 systemd-readiness.patch
 debian-config.patch
+regress-integrity-robust.patch

diff --git a/debian/.git-dpm b/debian/.git-dpm index 252076632..002104d0d 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	624433c4fff092e3aaaff6aa8954eb93e0387c44	2	ada7edd8b4ec246a0c1c283c5e5956f09d503fbd
3	624433c4fff092e3aaaff6aa8954eb93e0387c44	3	ada7edd8b4ec246a0c1c283c5e5956f09d503fbd
4	971a7653746a6972b907dfe0ce139c06e4a6f482	4	971a7653746a6972b907dfe0ce139c06e4a6f482
5	971a7653746a6972b907dfe0ce139c06e4a6f482	5	971a7653746a6972b907dfe0ce139c06e4a6f482
6	openssh_7.4p1.orig.tar.gz	6	openssh_7.4p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index 246811ec9..b69cfe21b 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -2,6 +2,9 @@ openssh (1:7.4p1-4) UNRELEASED; urgency=medium
2		2
3	* Run regression tests inside annotate-output to try to diagnose timeout	3	* Run regression tests inside annotate-output to try to diagnose timeout
4	issues.	4	issues.
		5	* Make integrity tests more robust against timeouts in the case where the
		6	first test in a series for a given MAC happens to modify the low bytes
		7	of a packet length.
5		8
6	-- Colin Watson <cjwatson@debian.org> Sun, 01 Jan 2017 14:32:26 +0000	9	-- Colin Watson <cjwatson@debian.org> Sun, 01 Jan 2017 14:32:26 +0000
7		10


diff --git a/debian/patches/regress-integrity-robust.patch b/debian/patches/regress-integrity-robust.patch new file mode 100644 index 000000000..92b5ae5fc --- /dev/null +++ b/debian/patches/regress-integrity-robust.patch
@@ -0,0 +1,57 @@
		1	From ada7edd8b4ec246a0c1c283c5e5956f09d503fbd Mon Sep 17 00:00:00 2001
		2	From: Colin Watson <cjwatson@debian.org>
		3	Date: Sun, 1 Jan 2017 15:21:10 +0000
		4	Subject: Make integrity tests more robust against timeouts
		5
		6	If the first test in a series for a given MAC happens to modify the low
		7	bytes of a packet length, then ssh will time out and this will be
		8	interpreted as a test failure. Handle this failure mode.
		9
		10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658
		11	Patch-Name: regress-integrity-robust.patch
		12
		13	Last-Update: 2017-01-01
		14	---
		15	regress/integrity.sh \| 9 +++++----
		16	1 file changed, 5 insertions(+), 4 deletions(-)
		17
		18	diff --git a/regress/integrity.sh b/regress/integrity.sh
		19	index 39d310de..fd7d58bc 100644
		20	--- a/regress/integrity.sh
		21	+++ b/regress/integrity.sh
		22	@@ -5,8 +5,6 @@ tid="integrity"
		23	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		24
		25	# start at byte 2900 (i.e. after kex) and corrupt at different offsets
		26	-# XXX the test hangs if we modify the low bytes of the packet length
		27	-# XXX and ssh tries to read...
		28	tries=10
		29	startoffset=2900
		30	macs=`${SSH} -Q mac`
		31	@@ -27,6 +25,7 @@ for m in $macs; do
		32	elen=0
		33	epad=0
		34	emac=0
		35	+ etmo=0
		36	ecnt=0
		37	skip=0
		38	for off in `jot $tries $startoffset`; do
		39	@@ -61,14 +60,16 @@ for m in $macs; do
		40	Corrupted?MAC* \| message?authentication?code?incorrect)
		41	emac=`expr $emac + 1`; skip=0;;
		42	padding*) epad=`expr $epad + 1`; skip=0;;
		43	+ Timeout,?server)
		44	+ etmo=`expr $etmo + 1`; skip=0;;
		45	*) fail "unexpected error mac $m at $off: $out";;
		46	esac
		47	done
		48	- verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
		49	+ verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen timeout $etmo"
		50	if [ $emac -eq 0 ]; then
		51	fail "$m: no mac errors"
		52	fi
		53	- expect=`expr $ecnt - $epad - $elen`
		54	+ expect=`expr $ecnt - $epad - $elen - $etmo`
		55	if [ $emac -ne $expect ]; then
		56	fail "$m: expected $expect mac errors, got $emac"
		57	fi


diff --git a/debian/patches/series b/debian/patches/series index f7dded322..6f9132c27 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -24,3 +24,4 @@ gnome-ssh-askpass2-icon.patch
24	sigstop.patch	24	sigstop.patch
25	systemd-readiness.patch	25	systemd-readiness.patch
26	debian-config.patch	26	debian-config.patch
		27	regress-integrity-robust.patch