Mailing List Archive

Call for testing: OpenSSH 9.7
Hi,

OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.

Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via git using the
instructions at http://www.openssh.com/portable.html#cvs
At https://anongit.mindrot.org/openssh.git/ or via a mirror at Github:
https://github.com/openssh/openssh-portable

Running the regression tests supplied with Portable OpenSSH does not
require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated.
Please send reports of success or failure to
openssh-unix-dev@mindrot.org. Security bugs should be reported
directly to openssh@openssh.com.

Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025 and compile-time disable it later this year.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs[3], mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA in
OpenSSH to be justified and hope that removing it from OpenSSH can
accelerate its wider deprecation in supporting cryptography
libraries.

This release makes DSA support in OpenSSH compile-time optional,
defaulting to on. We intend the next release to change the default
to disable DSA at compile time. The first OpenSSH release of 2025
will remove DSA support entirely.

Changes since OpenSSH 9.6
=========================

This release contains mostly bugfixes.

New features
------------

* ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in
addition to the existing per-channel timeouts added recently.

This supports situations like having both session and x11
forwarding channels open where one may be idle for an extended
period but the other is actively used. The global timeout could
close both channels when both have been idle for too long.

* All: make DSA key support compile-time optional, defaulting to on.

Bugfixes
--------

* sshd(8): don't append an unnecessary space to the end of subsystem
arguments (bz3667)

* ssh(1): fix the multiplexing "channel proxy" mode, broken when
keystroke timing obfuscation was added. (GHPR#463)

* ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden (bz3657).

* Many fixes to manual pages and other documentation, including
GHPR#462, GHPR#454, GHPR#442 and GHPR#441.

* Greatly improve interop testing against PuTTY.

Portability
-----------

* Improve the error message when the autoconf OpenSSL header check
fails (bz#3668)

* Improve detection of broken toolchain -fzero-call-used-regs support
(bz3645).

* Fix regress/misc/fuzz-harness fuzzers and make them compile without
warnings when using clang16

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
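An audit helper that goes with the deprecation notice above, added here as an example and not part of the announcement or of OpenSSH itself: it reports ssh-dss (and ssh-dss-cert-v01@openssh.com) entries in authorized_keys, known_hosts and .pub style files, so they can be replaced before DSA is disabled and then removed. The sample files and their key data are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH announcement: find DSA ("ssh-dss")
# entries in authorized_keys, known_hosts and *.pub files so they can be
# replaced before OpenSSH disables and then removes DSA support.
# Both the plain key type and the DSA certificate type are reported.

# Print the number of DSA entries in one file (comment lines are ignored).
count_dsa_keys() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") {
                    n++; break
                }
            }
        }
        END { print n + 0 }' "$1"
}

# Print "file:line" for each DSA entry across all given files. The key type is
# matched as a whitespace-separated field rather than at line start, because
# authorized_keys lines may begin with options (from=..., no-pty) and
# known_hosts lines begin with a host name or a "|1|" hashed-host marker.
list_dsa_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }
            {
                for (i = 1; i <= NF; i++) {
                    if ($i == "ssh-dss" || $i == "ssh-dss-cert-v01@openssh.com") {
                        print file ":" NR; break
                    }
                }
            }' "$f"
    done
}

# Exit 0 when none of the given files contain a DSA entry, 1 otherwise.
check_no_dsa() {
    total=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        total=$((total + $(count_dsa_keys "$f")))
    done
    [ "$total" -eq 0 ]
}

# Constructed sample files (key material is placeholder text, not real keys).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/authorized_keys" <<'EOF'
# constructed authorized_keys: one modern key, one legacy DSA key with options
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA alice@example
no-pty,from="10.0.0.0/8" ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERKEYDATA legacy@example
EOF
    cat > "$d/known_hosts" <<'EOF'
|1|PLACEHOLDERSALT=|PLACEHOLDERHASH= ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDERKEYDATA
gw.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDERKEYDATA
EOF
    : > "$d/empty"
    printf '%s\n' "$d"
}

demo() {
    d=$(make_samples)
    list_dsa_keys "$d/authorized_keys" "$d/known_hosts" "$d/empty"
    if check_no_dsa "$d/authorized_keys" "$d/known_hosts"; then
        echo "no DSA keys found"
    else
        echo "DSA keys present: replace them before DSA support is removed"
    fi
    rm -rf "$d"
}
demo
```

Keys stored in OpenSSH's own private-key format cannot be matched this way; for those, `ssh-keygen -l -f FILE` prints the type, e.g. (DSA).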
Re: Call for testing: OpenSSH 9.7
On 2024-03-05 01:24, Damien Miller wrote:
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/

Hi all,

it compiles under OpenIndiana against custom OpenSSL 3.2 library and
works fine (I did just basic ssh server and client tests):

:; uname -rosv
SunOS 5.11 illumos-8b0687e22a illumos

:; which ssh
/pz/SFW/bin/ssh

:; /pz/SFW/bin/ssh -V
OpenSSH_9.6p1-snap20240305, OpenSSL 3.2.1 30 Jan 2024

Thank you.
Best regards

--
Predrag Zečević
Re: Call for testing: OpenSSH 9.7
On my test systems:

Ubuntu 22.04 with GCC 11.4 and OpenSSL 3.0.2 on AMD: PASS
Fedora 39 with GCC 12.3.1 and OpenSSL 3.0.9 on Intel: PASS
OS X 14.3.1 with clang 15.0.0 on Apple M2 (--without-openssl): FAIL

The failure is with "make tests" specifically when it runs
/Users/rapier/openssh-portable/ssh-keygen -if
/Users/rapier/openssh-portable/regress/rsa_ssh2.prv | diff -
/Users/rapier/openssh-portable/regress/rsa_openssh.prv
key conversion disabled at compile time
0a1,15
> -----BEGIN RSA PRIVATE KEY-----
> // elided //
> -----END RSA PRIVATE KEY-----
make[1]: *** [t1] Error 1

Make t-exec, in contrast, does pass all tests. I'm seeing the same
behaviour on Ubuntu 22.04 if I use --without-openssl so I'm guessing
this is expected behaviour.


Chris

On 3/4/24 7:24 PM, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
Re: Call for testing: OpenSSH 9.7
On Tue, 5 Mar 2024, Chris Rapier wrote:

> On my test systems:
>
> Ubuntu 22.04 with GCC 11.4 and OpenSSL 3.0.2 on AMD: PASS
> Fedora 39 with GCC 12.3.1 and OpenSSL 3.0.9 on Intel: PASS
> OS X 14.3.1 with clang 15.0.0 on Apple M2 (--without-openssl): FAIL
>
> The failure is with "make tests" specifically when it runs
> /Users/rapier/openssh-portable/ssh-keygen -if
> /Users/rapier/openssh-portable/regress/rsa_ssh2.prv | diff -
> /Users/rapier/openssh-portable/regress/rsa_openssh.prv
> key conversion disabled at compile time
> 0a1,15
> > -----BEGIN RSA PRIVATE KEY-----
> > // elided //
> > -----END RSA PRIVATE KEY-----
> make[1]: *** [t1] Error 1
>
> Make t-exec, in contrast, does pass all tests. I'm seeing the same behaviour
> on Ubuntu 22.04 if I use --without-openssl so I'm guessing this is expected
> behaviour.

Thanks, I just committed a fix for this.

-d
Re: Call for testing: OpenSSH 9.7
On Tue, Mar 05, 2024 at 11:24:28AM +1100, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/


Showstopper problem!

I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7
Hi Damien,

On Mar 5 11:24, Damien Miller wrote:
>
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

Tested on Cygwin 3.5.1.

I have a testsuite failure in the dynamic-forward testcase.

trace: will use ProxyCommand /home/corinna/tmp/openssh/openssh-9.7p1-1.x86_64/build/regress/netcat -x 127.0.0.1:4243 -X
trace: wait for sshd
trace: test -D forwarding
trace: start dynamic -D forwarding, fork to background
trace: testing ssh socks version 4 host 127.0.0.1 (-D)
FAIL: ssh failed with exit status 255
[...]

I attached the tar file with the logs.

All other tests succeed.


Thanks,
Corinna
Re: Call for testing: OpenSSH 9.7
On Tue, 5 Mar 2024, The Doctor wrote:

> Showstopper problem!
>
> I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl

You can use --with-ssl-dir for this. --with-ssl-dir=/foo will have
configure try /foo/bin/openssl and /foo/apps/openssl. Otherwise it
just searches $PATH.

Nothing has changed here for the last couple of releases.

-d
Re: Call for testing: OpenSSH 9.7
On Wed, 6 Mar 2024, Corinna Vinschen wrote:

> Hi Damien,
>
> On Mar 5 11:24, Damien Miller wrote:
> >
> > Hi,
> >
> > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a bugfix release.
>
> Tested on Cygwin 3.5.1.
>
> I have a testsuite failure in the dynamic-forward testcase.
>
> trace: will use ProxyCommand /home/corinna/tmp/openssh/openssh-9.7p1-1.x86_64/build/regress/netcat -x 127.0.0.1:4243 -X
> trace: wait for sshd
> trace: test -D forwarding
> trace: start dynamic -D forwarding, fork to background
> trace: testing ssh socks version 4 host 127.0.0.1 (-D)
> FAIL: ssh failed with exit status 255
> [...]
>
> I attached the tar file with the logs.

Unfortunately the logs don't show anything of use here. This test seems
to be working in our CI

https://github.com/openssh/openssh-portable/actions/runs/8166331476/job/22324927234#step:11:803

I'll see if I can reproduce the failure.

-d
Re: Call for testing: OpenSSH 9.7
On Thu, Mar 07, 2024 at 02:11:21AM +1100, Damien Miller wrote:
>
>
> On Tue, 5 Mar 2024, The Doctor wrote:
>
> > Showstopper problem!
> >
> > I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl
>
> You can use --with-ssl-dir for this. --with-ssl-dir=/foo will have
> configure try /foo/bin/openssl and /foo/apps/openssl. Otherwise it
> just searches $PATH.
>
> Nothing has changed here for the last couple of releases.
>

Wrong!

It has done this since 9.6

I set -with-ssl-dir=/usr/local

and I do expect /usr/local/bin/openssl to turn up and not /usr/bin/openssl

> -d
Re: Call for testing: OpenSSH 9.7
On Mar 7 02:14, Damien Miller wrote:
> On Wed, 6 Mar 2024, Corinna Vinschen wrote:
>
> > Hi Damien,
> >
> > On Mar 5 11:24, Damien Miller wrote:
> > >
> > > Hi,
> > >
> > > OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> > > on as many platforms and systems as possible. This is a bugfix release.
> >
> > Tested on Cygwin 3.5.1.
> >
> > I have a testsuite failure in the dynamic-forward testcase.
> >
> > trace: will use ProxyCommand /home/corinna/tmp/openssh/openssh-9.7p1-1.x86_64/build/regress/netcat -x 127.0.0.1:4243 -X
> > trace: wait for sshd
> > trace: test -D forwarding
> > trace: start dynamic -D forwarding, fork to background
> > trace: testing ssh socks version 4 host 127.0.0.1 (-D)
> > FAIL: ssh failed with exit status 255
> > [...]
> >
> > I attached the tar file with the logs.
>
> Unfortunately the logs don't show anything of use here. This test seems
> to be working in our CI
>
> https://github.com/openssh/openssh-portable/actions/runs/8166331476/job/22324927234#step:11:803

This is weird, in particular because you're running this on the same
Cygwin release.

Could this be triggered by firewall settings or something like that?

> I'll see if I can reproduce the failure.

Thanks,
Corinna

Re: Call for testing: OpenSSH 9.7
Successfully built and passed all tests on two different machines here running Artix Linux.

Just a disclaimer, however, on one of these machines I also included a patch I committed which is the subject of my open GitHub PR for adding configuration options to specify alternative ~/.ssh/rc and ~/.ssh/environment files. I am yet to come up with any automated tests for that myself, however I'd be happy to do so, should the patch be considered.
https://github.com/openssh/openssh-portable/pull/466

Kind regards.
Re: Call for testing: OpenSSH 9.7
On 2024-03-05 00:24, Damien Miller wrote:
> Hi,
>
> OpenSSH 9.7p1 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a bugfix release.

Hello. Successfully built and passed tests on two different machines running Artix Linux, one physical and one virtual. This also included a rebased patch of mine which is the subject of a current PR.

Kind regards.
Re: Re: Call for testing: OpenSSH 9.7
6 March 2024 at 21:22, "90" <hi@90.gripe> wrote:

> Hello. Successfully built and passed tests on two different machines running Artix Linux, one physical and one virtual. This also included a rebased patch of mine which is the subject of a current PR.
>
> Kind regards.
>

Please excuse that second email, I'm not used to the delay that mailing lists can occasionally have and I assumed that the first attempt landed in some spam filter just because I linked the GitHub PR directly.

Kind regards.
Re: Call for testing: OpenSSH 9.7
On Wed, 6 Mar 2024, Corinna Vinschen wrote:

> > Unfortunately the logs don't show anything of use here. This test seems
> > to be working in our CI
> >
> > https://github.com/openssh/openssh-portable/actions/runs/8166331476/job/22324927234#step:11:803
>
> This is weird, in particular because you're running this on the same
> Cygwin release.
>
> Could this be triggered by firewall settings or something like that?

Almost certainly yes
Re: Call for testing: OpenSSH 9.7
On Wed, 6 Mar 2024, The Doctor wrote:

> > On Tue, 5 Mar 2024, The Doctor wrote:
> >
> > > Showstopper problem!
> > >
> > > I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl
> >
> > You can use --with-ssl-dir for this. --with-ssl-dir=/foo will have
> > configure try /foo/bin/openssl and /foo/apps/openssl. Otherwise it
> > just searches $PATH.
> >
> > Nothing has changed here for the last couple of releases.
> >
>
> Wrong!
>
> It has done this since 9.6
>
> I set -with-ssl-dir=/usr/local
>
> ad I do expect /usr/local/bin/openssl to turn up
> and
> not
>
> /usr/bin/openssl

Nothing has changed here:

https://github.com/openssh/openssh-portable/compare/V_9_5_P1...master#diff-49473dca262eeab3b4a43002adb08b4db31020d190caaad1594b47f1d5daa810

It would be helpful if you could post working/failing logs from each version.

-d
Re: Call for testing: OpenSSH 9.7
On Thu, 7 Mar 2024 at 02:19, Damien Miller <djm@mindrot.org> wrote:
>
>
>
> On Tue, 5 Mar 2024, The Doctor wrote:
>
> > Showstopper problem!
> >
> > I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl
>
> You can use --with-ssl-dir for this. --with-ssl-dir=/foo will have
> configure try /foo/bin/openssl and /foo/apps/openssl. Otherwise it
> just searches $PATH.
>
> Nothing has changed here for the last couple of releases.

I changed it to better support OpenSSL directories in non-default paths:
https://github.com/openssh/openssh-portable/commit/26cab41c05

Just reversing the search path order will cause other problems,
though, since there is no guarantee the bin/openssl in a non-default
location is functional (eg if its libraries are not in the system
default runtime linker path and it's built without -rpath, which it's
usually not).

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
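An added example, not OpenSSH's configure logic: a shell function implementing the selection rule described above, preferring ${prefix}/bin/openssl or ${prefix}/apps/openssl only when `openssl version` actually runs, and otherwise falling back to a PATH search while saying why the preferred binary was skipped. The fixture directories and the stub "openssl" scripts (one that fails like a binary whose libssl is off the runtime linker path, two that work) are constructed inline.

```shell
#!/bin/sh
# Added example (not OpenSSH's configure.ac): choose which openssl binary a
# build should use, preferring the one under a user-supplied prefix only if it
# actually runs. A binary under a non-default prefix can be present but
# non-functional, e.g. when its libssl is not on the runtime linker path and it
# was built without -rpath; "openssl version" fails then and we fall back to
# the search path instead of picking a binary that cannot execute.

# Return 0 if "$1" is executable and "$1 version" succeeds. Whatever the probe
# wrote to stderr is kept in OPENSSL_PROBE_ERR so a rejection can be explained.
openssl_works() {
    OPENSSL_PROBE_ERR=""
    if [ ! -x "$1" ]; then
        OPENSSL_PROBE_ERR="not found or not executable"
        return 1
    fi
    # stderr is captured, stdout (the version string) is discarded
    if OPENSSL_PROBE_ERR=$("$1" version 2>&1 >/dev/null); then
        return 0
    fi
    return 1
}

# Print the openssl binary to use. $1: prefix (may be empty), $2: colon-separated
# fallback directories (defaults to $PATH). Exit 0 if one was found, 1 otherwise.
pick_openssl_bin() {
    prefix=$1
    search_path=${2:-$PATH}
    if [ -n "$prefix" ]; then
        for cand in "$prefix/bin/openssl" "$prefix/apps/openssl"; do
            if openssl_works "$cand"; then
                printf '%s\n' "$cand"
                return 0
            elif [ -e "$cand" ]; then
                # Say why the requested binary was skipped; a silent fall-back
                # to the system openssl is what makes this case confusing.
                printf 'warning: %s does not run (%s), falling back to search path\n' \
                    "$cand" "$OPENSSL_PROBE_ERR" >&2
            fi
        done
    fi
    old_ifs=$IFS; IFS=:
    for dir in $search_path; do
        IFS=$old_ifs
        if openssl_works "$dir/openssl"; then
            printf '%s\n' "$dir/openssl"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Constructed fixture: "broken" has a bin/openssl that exists but fails to run
# (stand-in for the missing-runtime-library case), "good" has a working one,
# and "sys" plays the role of a directory on $PATH. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/broken/bin" "$root/good/bin" "$root/sys"
    printf '#!/bin/sh\necho "libssl.so.3: version OPENSSL_3.2.0 not found (constructed)" >&2\nexit 127\n' \
        > "$root/broken/bin/openssl"
    printf '#!/bin/sh\necho "OpenSSL 3.3.0-dev (constructed)"\n' > "$root/good/bin/openssl"
    printf '#!/bin/sh\necho "OpenSSL 3.0.2 (constructed)"\n' > "$root/sys/openssl"
    chmod +x "$root/broken/bin/openssl" "$root/good/bin/openssl" "$root/sys/openssl"
    printf '%s\n' "$root"
}

demo() {
    root=$(make_fixture)
    echo "prefix with broken openssl  -> $(pick_openssl_bin "$root/broken" "$root/sys")"
    echo "prefix with working openssl -> $(pick_openssl_bin "$root/good" "$root/sys")"
    echo "no prefix                   -> $(pick_openssl_bin "" "$root/sys")"
    rm -rf "$root"
}
demo
```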
Re: Call for testing: OpenSSH 9.7
On Thu, Mar 07, 2024 at 09:39:31AM +1100, Darren Tucker wrote:
> On Thu, 7 Mar 2024 at 02:19, Damien Miller <djm@mindrot.org> wrote:
> > On Tue, 5 Mar 2024, The Doctor wrote:
> > > Showstopper problem!
> > >
> > > I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl
[...]
> I changed it to better support OpenSSL directories in non-default paths:
> https://github.com/openssh/openssh-portable/commit/26cab41c05
>
> Just reversing the search path order will cause other problems,
> though, since there is no guarantee the bin/openssl in a non-default
> location is functional (eg if its libraries are not in the system
> default runtime linker path and it's built without -rpath, which it's
> usually not).

Please try this patch. Note that you will need to run "autoreconf" to
rebuild configure before rerunning it. I think it covers all of the
cases correctly:

$ which openssl
/usr/bin/openssl

$ ./configure | grep bin/openssl && grep OPENSSL_BIN Makefile
checking for openssl... /usr/bin/openssl
OPENSSL_BIN='/usr/bin/openssl' \

$ ./configure --with-ssl-dir=/usr/local | grep bin/openssl && grep OPENSSL_BIN Makefile
checking for openssl... /usr/local/bin/openssl
OPENSSL_BIN='/usr/local/bin/openssl' \

$ ./configure --with-ssl-dir=/opt/openssl/3.3.0-dev --with-rpath=-Wl,-rpath, | grep bin/openssl && grep OPENSSL_BIN Makefile
checking for openssl... /usr/bin/openssl
OPENSSL_BIN='/usr/bin/openssl' \

$ /opt/openssl/3.3.0-dev/bin/openssl version
/opt/openssl/3.3.0-dev/bin/openssl: /lib64/libssl.so.3: version
`OPENSSL_3.2.0' not found (required by /opt/openssl/3.3.0-dev/bin/openssl)

$ make ssh >/dev/null && ./ssh -V
OpenSSH_9.6p1, OpenSSL 3.3.0-dev

diff --git a/configure.ac b/configure.ac
index fda092830..1aba65c00 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2735,7 +2735,15 @@ AC_ARG_WITH([ssl-dir],
else
CPPFLAGS="-I${withval} ${CPPFLAGS}"
fi
- openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
+ dnl Ensure specified openssl binary works, eg it can
+ dnl find its runtime libraries, before trying to use.
+ if test -x "${withval}/bin/openssl" && \
+ "${withval}/bin/openssl" version >/dev/null 2>&1; then
+ openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${PATH}"
+ elif test -x "${withval}/apps/openssl" && \
+ "${withval}/apps/openssl" version >/dev/null 2>&1; then
+ openssl_bin_PATH="${withval}/apps${PATH_SEPARATOR}${PATH}"
+ fi
fi
]
)
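Review bot: when neither "${withval}/bin/openssl" nor "${withval}/apps/openssl" passes the `version` probe, this hunk leaves openssl_bin_PATH without the fallback the removed line provided (it used to be set to ${PATH} plus both candidate directories unconditionally), so add an `else openssl_bin_PATH="${PATH}"` branch or confirm the variable is initialised to ${PATH} before this block. The probe also discards stderr (`>/dev/null 2>&1`), so a user who passed --with-ssl-dir gets no indication that their binary was rejected, which is exactly the silent fall-back to /usr/bin/openssl in the /opt/openssl/3.3.0-dev transcript above; an AC_MSG_WARN naming the candidate and the reason would make that case self-explanatory.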

Re: Call for testing: OpenSSH 9.7
On Thu, Mar 07, 2024 at 09:39:31AM +1100, Darren Tucker wrote:
> On Thu, 7 Mar 2024 at 02:19, Damien Miller <djm@mindrot.org> wrote:
> >
> >
> >
> > On Tue, 5 Mar 2024, The Doctor wrote:
> >
> > > Showstopper problem!
> > >
> > > I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl
> >
> > You can use --with-ssl-dir for this. --with-ssl-dir=/foo will have
> > configure try /foo/bin/openssl and /foo/apps/openssl. Otherwise it
> > just searches $PATH.
> >
> > Nothing has changed here for the last couple of releases.
>
> I changed it to better support OpenSSL directories in non-default paths:
> https://github.com/openssh/openssh-portable/commit/26cab41c05
>
> Just reversing the search path order will cause other problems,
> though, since there is no guarantee the bin/openssl in a non-default
> location is functional (eg if its libraries are not in the system
> default runtime linker path and it's built without -rpath, which it's
> usually not).
>
As long as /foo/bin/openssl is picked up, that should be the resolution.

> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7
On Thu, Mar 07, 2024 at 09:58:38AM +1100, Darren Tucker wrote:
> On Thu, Mar 07, 2024 at 09:39:31AM +1100, Darren Tucker wrote:
> > On Thu, 7 Mar 2024 at 02:19, Damien Miller <djm@mindrot.org> wrote:
> > > On Tue, 5 Mar 2024, The Doctor wrote:
> > > > Showstopper problem!
> > > >
> > > > I want configure to work with /usr/local/bin/openssl and not /usr/bin/openssl
> [...]
> > I changed it to better support OpenSSL directories in non-default paths:
> > https://github.com/openssh/openssh-portable/commit/26cab41c05
> >
> > Just reversing the search path order will cause other problems,
> > though, since there is no guarantee the bin/openssl in a non-default
> > location is functional (eg if its libraries are not in the system
> > default runtime linker path and it's built without -rpath, which it's
> > usually not).
>
> Please try this patch. Note that you will need to run "autoreconf" to
> rebuild configure before rerunning it. I think it covers all of the
> cases correctly:
>
> $ which openssl
> /usr/bin/openssl
>
> $ ./configure | grep bin/openssl && grep OPENSSL_BIN Makefile
> checking for openssl... /usr/bin/openssl
> OPENSSL_BIN='/usr/bin/openssl' \
>
> $ ./configure --with-ssl-dir=/usr/local | grep bin/openssl && grep OPENSSL_BIN Makefile
> checking for openssl... /usr/local/bin/openssl
> OPENSSL_BIN='/usr/local/bin/openssl' \
>
> $ ./configure --with-ssl-dir=/opt/openssl/3.3.0-dev --with-rpath=-Wl,-rpath, | grep bin/openssl && grep OPENSSL_BIN Makefile
> checking for openssl... /usr/bin/openssl
> OPENSSL_BIN='/usr/bin/openssl' \
>
> $ /opt/openssl/3.3.0-dev/bin/openssl version
> /opt/openssl/3.3.0-dev/bin/openssl: /lib64/libssl.so.3: version `OPENSSL_3.2.0' not found (required by /opt/openssl/3.3.0-dev/bin/openssl)
>
> $ make ssh >/dev/null && ./ssh -V
> OpenSSH_9.6p1, OpenSSL 3.3.0-dev
>
> diff --git a/configure.ac b/configure.ac
> index fda092830..1aba65c00 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -2735,7 +2735,15 @@ AC_ARG_WITH([ssl-dir],
> else
> CPPFLAGS="-I${withval} ${CPPFLAGS}"
> fi
> - openssl_bin_PATH="${PATH}${PATH_SEPARATOR}${withval}/bin${PATH_SEPARATOR}${withval}/apps"
> + dnl Ensure specified openssl binary works, eg it can
> + dnl find its runtime libraries, before trying to use.
> + if test -x "${withval}/bin/openssl" && \
> + "${withval}/bin/openssl" version >/dev/null 2>&1; then
> + openssl_bin_PATH="${withval}/bin${PATH_SEPARATOR}${PATH}"
> + elif test -x "${withval}/apps/openssl" && \
> + "${withval}/apps/openssl" version >/dev/null 2>&1; then
> + openssl_bin_PATH="${withval}/apps${PATH_SEPARATOR}${PATH}"
> + fi
> fi
> ]
> )
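Review bot: The third transcript above shows the cost of the silent fallback in this hunk: with --with-ssl-dir=/opt/openssl/3.3.0-dev, the `version` probe of /opt/openssl/3.3.0-dev/bin/openssl fails (libssl.so.3 too old on the runtime linker path) and configure reports only "checking for openssl... /usr/bin/openssl", with nothing telling the user that the binary they pointed at was rejected. Emit an AC_MSG_WARN in the case where `test -x` succeeds but `version` fails, and give the if/elif an explicit else arm that sets `openssl_bin_PATH="${PATH}"` rather than relying on the variable being set elsewhere; both the warning and the fallback then remain correct when the user later adds --with-rpath.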
>

In which test release can this be made available?

> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7
On Thu, 7 Mar 2024 at 12:00, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> On Thu, Mar 07, 2024 at 09:58:38AM +1100, Darren Tucker wrote:
[...]
> > Please try this patch. Note that you will need to run "autoreconf" to
> > rebuild configure before rerunning it.
[...]
> In which test release can this be made available?

It has not been committed and is not currently in any test release or
snapshot. We're trying to confirm it does in fact fix what you have
observed. You will need to apply the patch yourself to a snapshot or
git HEAD and run "autoreconf" to rebuild configure, then run
./configure with your options.



--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Call for testing: OpenSSH 9.7
On Thu, Mar 07, 2024 at 01:19:36PM +1100, Darren Tucker wrote:
> On Thu, 7 Mar 2024 at 12:00, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> > On Thu, Mar 07, 2024 at 09:58:38AM +1100, Darren Tucker wrote:
> [...]
> > > Please try this patch. Note that you will need to run "autoreconf" to
> > > rebuild configure before rerunning it.
> [...]
> > In which test release can this be made available?
>
> It has not been committed and is not currently in any test release or
> snapshot. We're trying to confirm it does in fact fix what you have
> observed. You will need to apply the patch yourself to a snapshot or
> git HEAD and run "autoreconf" to rebuild configure, then run
> ./configure with your options.
>
>

Tried it and got

checking for openssl... /usr/bin/openssl
checking for openssl/opensslv.h... yes
checking OpenSSL header version... 30200020 (OpenSSL 3.2.2-dev )
checking for OpenSSL_version... yes
checking for OpenSSL_version_num... yes
checking OpenSSL library version... 300000e0 (OpenSSL 3.0.14-dev )
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your
library. Check config.log for details.
If you are sure your installation is consistent, you can disable the check
by running "./configure --without-openssl-header-check".
Also see contrib/findssl.sh for help identifying header/library mismatches.


>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

--
Member - Liberal International This is doctor@nk.ca Ici doctor@nk.ca
Yahweh, King & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism ; unsubscribe from Google Groups to be seen
What worth the power of law that won't stop lawlessness? -unknown
Re: Call for testing: OpenSSH 9.7
On Thu, 7 Mar 2024 at 13:39, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
>
> On Thu, Mar 07, 2024 at 01:19:36PM +1100, Darren Tucker wrote:
> > On Thu, 7 Mar 2024 at 12:00, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> > > On Thu, Mar 07, 2024 at 09:58:38AM +1100, Darren Tucker wrote:
> > [...]
> > > > Please try this patch. Note that you will need to run "autoreconf" to
> > > > rebuild configure before rerunning it.
> > [...]
> > > In which test release can this be made available?
> >
> > It has not been committed and is not currently in any test release or
> > snapshot. We're trying to confirm it does in fact fix what you have
> > observed. You will need to apply the patch yourself to a snapshot or
> > git HEAD and run "autoreconf" to rebuild configure, then run
> > ./configure with your options.
> >
> >
>
> Tried it and got
>
> checking for openssl... /usr/bin/openssl
> checking for openssl/opensslv.h... yes
> checking OpenSSL header version... 30200020 (OpenSSL 3.2.2-dev )
> checking for OpenSSL_version... yes
> checking for OpenSSL_version_num... yes
> checking OpenSSL library version... 300000e0 (OpenSSL 3.0.14-dev )
> checking whether OpenSSL's headers match the library... no
> configure: error: Your OpenSSL headers do not match your
> library. Check config.log for details.
> If you are sure your installation is consistent, you can disable the check
> by running "./configure --without-openssl-header-check".
> Also see contrib/findssl.sh for help identifying header/library mismatches.

That sounds like the runtime linker path problem I described in my
first reply. Is the OpenSSL 3.2.2-dev version of libcrypto in your
runtime linker path? I assume that's in /usr/local/lib? Does
/usr/local/bin/openssl actually work?

You can use --with-rpath in your configure invocation to set -R/-rpath
(exact details will vary by system and/or linker, for GNU ld, that
would be --with-rpath=-Wl,-rpath,).

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
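The candidate check from Darren's patch, and the runtime linker path failure mode he describes above, as a stand-alone POSIX sh version. This is an added example, not OpenSSH's own configure.ac; the function names find_openssl and make_fixture, the temporary prefix and the fake openssl scripts it contains are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not OpenSSH's configure.ac. A candidate openssl is only
# selected if it actually runs ("version" succeeds): a binary whose
# libssl/libcrypto are not on the runtime linker path (built without
# -rpath) exists and is executable but fails at load time.
# Assumes POSIX sh and mktemp(1); find_openssl/make_fixture are our names.

# find_openssl PREFIX: print the first working openssl under PREFIX.
# Returns 0 if one is found there, 2 if it fell back to the one in $PATH,
# 1 if there is no usable openssl at all.
find_openssl() {
    prefix=$1
    for cand in "$prefix/bin/openssl" "$prefix/apps/openssl"; do
        if [ -x "$cand" ] && "$cand" version >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        elif [ -x "$cand" ]; then
            # The failure mode from the thread: present, but cannot start.
            printf 'warning: %s exists but does not run; check its runtime linker path or -rpath\n' "$cand" >&2
        fi
    done
    fallback=$(command -v openssl 2>/dev/null) || return 1
    printf '%s\n' "$fallback"
    return 2
}

# make_fixture MODE: build a constructed prefix in a temp dir and print it.
# MODE=broken: bin/openssl mimics a binary missing its shared library and
# apps/openssl works. MODE=good: both work.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/bin" "$dir/apps"
    if [ "$1" = broken ]; then
        printf '#!/bin/sh\necho "libssl.so.3: version not found" >&2\nexit 127\n' \
            > "$dir/bin/openssl"
    else
        printf '#!/bin/sh\necho "OpenSSL 3.3.0-dev (constructed)"\n' > "$dir/bin/openssl"
    fi
    printf '#!/bin/sh\necho "OpenSSL 3.3.0-dev (constructed)"\n' > "$dir/apps/openssl"
    chmod +x "$dir/bin/openssl" "$dir/apps/openssl"
    printf '%s\n' "$dir"
}

# Demo: the broken prefix warns about bin/openssl and selects apps/openssl.
demo_prefix=$(make_fixture broken)
find_openssl "$demo_prefix"
rm -rf "$demo_prefix"
```

The distinct return code of the PATH fallback lets a wrapper (or a configure check) warn when the binary the user asked for was silently passed over.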