* [meta-openssl102-fips][PATCH 0/6] hardknott fixes
@ 2021-04-22  6:56 Yi Zhao
  2021-04-22  6:56 ` [meta-openssl102-fips][PATCH 1/6] README.build: add "Known Issues" section Yi Zhao
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: Yi Zhao @ 2021-04-22  6:56 UTC
  To: yocto, jason.wessel, mark.hatle



Changqing Li (1):
  openssh: refresh patches to 8.5p1

Chen Qi (1):
  layer.conf: add hardknott to LAYERSERIES_COMPAT

Yi Zhao (4):
  README.build: add "Known Issues" section
  openssh: refresh patches to 8.4p1
  openssh: fix the double free error for ssh-cavs
  openssh: set kex->session_id via sshbuf_put in ssh-cavs

 README.build                                  |  28 +++
 conf/layer.conf                               |   2 +-
 .../0001-conditional-enable-fips-mode.patch   |  46 ++---
 ...ps.patch => 0001-openssh-8.4p1-fips.patch} | 173 +++++++-----------
 ...1-ssh-cavs-fix-the-double-free-error.patch | 161 ++++++++++++++++
 ...avs-set-kex-sessin_id-via-sshbuf_put.patch |  45 +++++
 recipes-connectivity/openssh/openssh_fips.inc |   4 +-
 7 files changed, 327 insertions(+), 132 deletions(-)
 rename recipes-connectivity/openssh/openssh/{0001-openssh-8.2p1-fips.patch => 0001-openssh-8.4p1-fips.patch} (73%)
 create mode 100644 recipes-connectivity/openssh/openssh/0001-ssh-cavs-fix-the-double-free-error.patch
 create mode 100644 recipes-connectivity/openssh/openssh/0001-ssh-cavs-set-kex-sessin_id-via-sshbuf_put.patch

-- 
2.25.1



* [meta-openssl102-fips][PATCH 1/6] README.build: add "Known Issues" section
From: Yi Zhao @ 2021-04-22  6:56 UTC
  To: yocto, jason.wessel, mark.hatle

There is an openssl build error if the prebuilt FIPS object module is
built on a target with a CPU that supports the AVX/AVX2 instruction set.
Add a "Known Issues" section to describe this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 README.build | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/README.build b/README.build
index 102c850..36e3875 100644
--- a/README.build
+++ b/README.build
@@ -254,3 +254,31 @@ Note this sample command is functionally equivalent to:
 $ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm fips_hmac.c
 HMAC-SHA1(fips_hmac.c)= ae25ad68d9a8cc04075100563a437fa37829afcc
 
+=======================
+Known Issues
+=======================
+If the CPU on target machine which building FIPS object module is newer than
+Nehalem (e.g. Sandy Brigde) or is an Intel Atom processor. Then you may
+encounter an error when building openssl with the FIPS object module:
+qemu: uncaught target signal 4 (Illegal instruction).
+
+The current processor emulated in qemu is set to Nehalem. But the GCC will use
+-march=native to enable all instruction subsets supported by the target machine
+when building FIPS object module. The illegal instruction error will occur if
+some instruction subsets (e.g AVX/AVX2) are not supported by Nehalem.
+
+To check if the CPU is Intel Atom:
+$ cat /proc/cpuinfo | grep "Atom"
+
+To check if the CPU supports AVX/AVX2:
+$ cat /proc/cpuinfo | grep "avx"
+Or:
+$ gcc -dM -E - < /dev/null | grep "AVX"
+
+As a workaround, we can specify -march=nehalem in GCC before build the FIPS
+object module:
+$ export CC="gcc -march=nehalem"
+$ ./config [no-asm]
+$ make
+$ make install
+
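Review bot: the `gcc -dM -E - < /dev/null | grep "AVX"` check only reports AVX when the compiler's default target already enables it, so on a stock x86-64 toolchain it prints nothing even on an AVX/AVX2 host; since the problem described is what `-march=native` turns on, the check needs that flag as well (`gcc -march=native -dM -E - < /dev/null | grep AVX`). Smaller points in the same hunk: "Sandy Brigde" should read "Sandy Bridge", and "If the CPU ... is an Intel Atom processor. Then you may encounter" is a sentence fragment (join the two with a comma). It would also help readers to say that "qemu: uncaught target signal 4" is qemu user-mode's message, i.e. the host-built object code is being executed under emulation with the Nehalem CPU model during the openssl build, which is why instructions beyond Nehalem trap there.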
-- 
2.25.1



* [meta-openssl102-fips][PATCH 2/6] openssh: refresh patches to 8.4p1
From: Yi Zhao @ 2021-04-22  6:56 UTC
  To: yocto, jason.wessel, mark.hatle

Refresh patches to openssh-8.4p1.
Reference:
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
(commit: fbd5f1bee2e2cdc7b1b47f4604b8347d8c3ed63f)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 .../0001-conditional-enable-fips-mode.patch   |  40 ++---
 ...ps.patch => 0001-openssh-8.4p1-fips.patch} | 159 +++++++-----------
 recipes-connectivity/openssh/openssh_fips.inc |   2 +-
 3 files changed, 80 insertions(+), 121 deletions(-)
 rename recipes-connectivity/openssh/openssh/{0001-openssh-8.2p1-fips.patch => 0001-openssh-8.4p1-fips.patch} (75%)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index 942fda6..17c5967 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From ef6490841a73b4f71ca35e09328c6a8b0ad9dba9 Mon Sep 17 00:00:00 2001
+From 571b24129e3c3a84e38a59a32aa61fa40e04e1e2 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
 Date: Sat, 21 Dec 2019 13:03:23 +0800
 Subject: [PATCH] conditional enable fips mode
@@ -44,10 +44,10 @@ index 06566d3..a10566d 100644
  	sanitise_stdfd();
  
 diff --git a/sftp-server.c b/sftp-server.c
-index 359204f..346255a 100644
+index 55386fa..8c1634e 100644
 --- a/sftp-server.c
 +++ b/sftp-server.c
-@@ -1576,6 +1576,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1577,6 +1577,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
  	extern char *optarg;
  	extern char *__progname;
  
@@ -56,7 +56,7 @@ index 359204f..346255a 100644
  	log_init(__progname, log_level, log_facility, log_stderr);
  
 diff --git a/sftp.c b/sftp.c
-index ff14d3c..a633200 100644
+index c88c861..171bc56 100644
 --- a/sftp.c
 +++ b/sftp.c
 @@ -2390,6 +2390,7 @@ main(int argc, char **argv)
@@ -68,10 +68,10 @@ index ff14d3c..a633200 100644
  	sanitise_stdfd();
  	msetlocale();
 diff --git a/ssh-add.c b/ssh-add.c
-index 8057eb1..19f3da2 100644
+index 936dc21..b7ac2d2 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
-@@ -628,6 +628,7 @@ main(int argc, char **argv)
+@@ -671,6 +671,7 @@ main(int argc, char **argv)
  	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
  	LogLevel log_level = SYSLOG_LEVEL_INFO;
  
@@ -80,10 +80,10 @@ index 8057eb1..19f3da2 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-agent.c b/ssh-agent.c
-index 7eb6f0d..1409044 100644
+index e1fd1f3..da49b57 100644
 --- a/ssh-agent.c
 +++ b/ssh-agent.c
-@@ -1196,6 +1196,7 @@ main(int ac, char **av)
+@@ -1289,6 +1289,7 @@ main(int ac, char **av)
  	size_t npfd = 0;
  	u_int maxfds;
  
@@ -92,10 +92,10 @@ index 7eb6f0d..1409044 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index feafe73..9b832f6 100644
+index cb8e569..67c7d62 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -3140,6 +3140,7 @@ main(int argc, char **argv)
+@@ -3184,6 +3184,7 @@ main(int argc, char **argv)
  	extern int optind;
  	extern char *optarg;
  
@@ -104,10 +104,10 @@ index feafe73..9b832f6 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index a5e6440..e56a9d1 100644
+index ca19042..c667f2c 100644
 --- a/ssh-keyscan.c
 +++ b/ssh-keyscan.c
-@@ -675,6 +675,7 @@ main(int argc, char **argv)
+@@ -667,6 +667,7 @@ main(int argc, char **argv)
  	extern int optind;
  	extern char *optarg;
  
@@ -116,7 +116,7 @@ index a5e6440..e56a9d1 100644
  	seed_rng();
  	TAILQ_INIT(&tq);
 diff --git a/ssh-keysign.c b/ssh-keysign.c
-index 3e3ea3e..4804c42 100644
+index 7991e0f..26a3bab 100644
 --- a/ssh-keysign.c
 +++ b/ssh-keysign.c
 @@ -173,6 +173,7 @@ main(int argc, char **argv)
@@ -128,7 +128,7 @@ index 3e3ea3e..4804c42 100644
  		fatal("%s: pledge: %s", __progname, strerror(errno));
  
 diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
-index 17220d6..1af0c2e 100644
+index d73e835..e508684 100644
 --- a/ssh-pkcs11-helper.c
 +++ b/ssh-pkcs11-helper.c
 @@ -332,6 +332,7 @@ main(int argc, char **argv)
@@ -140,22 +140,22 @@ index 17220d6..1af0c2e 100644
  	seed_rng();
  	TAILQ_INIT(&pkcs11_keylist);
 diff --git a/ssh.c b/ssh.c
-index 49331fc..06836dd 100644
+index aabd5d3..81393f1 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -606,6 +606,7 @@ main(int ac, char **av)
- 	u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+@@ -660,6 +660,7 @@ main(int ac, char **av)
  	size_t n, len;
+ 	u_int j;
  
 +	ssh_enable_fips_mode();
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
  
 diff --git a/sshd.c b/sshd.c
-index b86d682..304bf01 100644
+index 1f1fcc2..0f68419 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1514,6 +1514,7 @@ main(int ac, char **av)
+@@ -1553,6 +1553,7 @@ main(int ac, char **av)
  	Authctxt *authctxt;
  	struct connection_info *connection_info = NULL;
  
@@ -208,5 +208,5 @@ index abaf7ad..b3b1c8c 100644
  		__attribute__((__nonnull__ (2)));
 +void	ssh_enable_fips_mode(void);
 -- 
-2.7.4
+2.17.1
 
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
similarity index 75%
rename from recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
rename to recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
index c1de130..48c18b4 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
@@ -1,7 +1,7 @@
-From c51dd44e1c594ddeb3a27ae5d9be2899e4bf2ac6 Mon Sep 17 00:00:00 2001
+From 059b61a58b27c40fbb78b3930cdcf110ff717340 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
 Date: Sat, 21 Dec 2019 11:45:38 +0800
-Subject: [PATCH] openssh 8.2p1 fips
+Subject: [PATCH] openssh 8.4p1 fips
 
 Port openssh-7.7p1-fips.patch from Fedora
 https://src.fedoraproject.org/rpms/openssh.git
@@ -12,11 +12,17 @@ Upstream-Status: Inappropriate [oe specific]
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 
 Rebase to 8.2p1
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+
+Rebase to 8.4p1
+Port openssh-7.7p1-fips.patch from Fedora
+https://src.fedoraproject.org/rpms/openssh.git
+(commit: fbd5f1bee2e2cdc7b1b47f4604b8347d8c3ed63f)
+
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
  Makefile.in              | 14 +++++++-------
  cipher-ctr.c             |  3 ++-
- clientloop.c             |  2 +-
  dh.c                     | 40 ++++++++++++++++++++++++++++++++++++++++
  dh.h                     |  1 +
  kex.c                    |  5 ++++-
@@ -27,21 +33,20 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  servconf.c               | 15 ++++++++++-----
  ssh-keygen.c             | 16 +++++++++++++++-
  ssh.c                    | 16 ++++++++++++++++
- sshconnect2.c            |  8 ++++++--
  sshd.c                   | 19 +++++++++++++++++++
  sshkey.c                 |  4 ++++
- 16 files changed, 178 insertions(+), 23 deletions(-)
+ 14 files changed, 171 insertions(+), 20 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index e754947..57f94f4 100644
+index acfb919..5b2c397 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -206,25 +206,25 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -204,25 +204,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
--	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
-+	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
+-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS)
++	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(GSSLIBS)
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
@@ -68,7 +73,7 @@ index e754947..57f94f4 100644
  
  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
  	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -233,7 +233,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+@@ -231,7 +231,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
  	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
  
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
@@ -91,19 +96,6 @@ index 32771f2..74fac3b 100644
  #endif
  	return (&aes_ctr);
  }
-diff --git a/clientloop.c b/clientloop.c
-index ebd0dbc..b3e0c19 100644
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -2083,7 +2083,7 @@ static int
- key_accepted_by_hostkeyalgs(const struct sshkey *key)
- {
- 	const char *ktype = sshkey_ssh_name(key);
--	const char *hostkeyalgs = options.hostkeyalgorithms;
-+	const char *hostkeyalgs = (FIPS_mode() ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms);
- 
- 	if (key == NULL || key->type == KEY_UNSPEC)
- 		return 0;
 diff --git a/dh.c b/dh.c
 index 7cb135d..306f1bc 100644
 --- a/dh.c
@@ -173,7 +165,7 @@ index 5d6df62..54c7aa2 100644
  u_int	 dh_estimate(int);
  
 diff --git a/kex.c b/kex.c
-index ce85f04..9cc14de 100644
+index aecb939..3d5d3b0 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -163,7 +163,10 @@ kex_names_valid(const char *names)
@@ -265,36 +257,36 @@ index 5312e60..d0accae 100644
  #define	SSH_ALLOWED_CA_SIGALGS	\
  	"ecdsa-sha2-nistp256," \
 diff --git a/readconf.c b/readconf.c
-index f3cac6b..26b9a59 100644
+index 554efd7..16eda65 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2187,11 +2187,16 @@ fill_default_options(Options * options)
+@@ -2255,11 +2255,16 @@ fill_default_options(Options * options)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
  	/* remove unsupported algos from default lists */
--	def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
--	def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
--	def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
--	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
--	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	def_cipher = match_filter_whitelist((FIPS_mode() ?
+-	def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
+-	def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
+-	def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
+-	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++	def_cipher = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
-+	def_mac = match_filter_whitelist((FIPS_mode() ?
++	def_mac = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
-+	def_kex = match_filter_whitelist((FIPS_mode() ?
++	def_kex = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
-+	def_key = match_filter_whitelist((FIPS_mode() ?
++	def_key = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
-+	def_sig = match_filter_whitelist((FIPS_mode() ?
++	def_sig = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
  #define ASSEMBLE(what, defaults, all) \
  	do { \
  		if ((r = kex_assemble_names(&options->what, \
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index f80981f..00702a7 100644
+index e0768c0..8971bba 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
-@@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -157,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
  #ifdef __NR_open
  	SC_DENY(__NR_open, EACCES),
  #endif
@@ -305,33 +297,33 @@ index f80981f..00702a7 100644
  	SC_DENY(__NR_openat, EACCES),
  #endif
 diff --git a/servconf.c b/servconf.c
-index 70f5f73..815beaf 100644
+index f08e374..dbcee84 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -212,11 +212,16 @@ assemble_algorithms(ServerOptions *o)
+@@ -213,11 +213,16 @@ assemble_algorithms(ServerOptions *o)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
  	/* remove unsupported algos from default lists */
--	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
--	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
--	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
--	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
--	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	def_cipher = match_filter_whitelist((FIPS_mode() ?
+-	def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
+-	def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
+-	def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
+-	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++	def_cipher = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
-+	def_mac = match_filter_whitelist((FIPS_mode() ?
++	def_mac = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
-+	def_kex = match_filter_whitelist((FIPS_mode() ?
++	def_kex = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
-+	def_key = match_filter_whitelist((FIPS_mode() ?
++	def_key = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
-+	def_sig = match_filter_whitelist((FIPS_mode() ?
++	def_sig = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
  #define ASSEMBLE(what, defaults, all) \
  	do { \
  		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 0d6ed1f..feafe73 100644
+index a12b79a..cb8e569 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
 @@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
@@ -347,7 +339,7 @@ index 0d6ed1f..feafe73 100644
  	switch (type) {
  	case KEY_DSA:
  		if (*bitsp != 1024)
-@@ -1088,9 +1094,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1094,9 +1100,17 @@ do_gen_all_hostkeys(struct passwd *pw)
  			first = 1;
  			printf("%s: generating new host keys: ", __progname);
  		}
@@ -364,10 +356,10 @@ index 0d6ed1f..feafe73 100644
  		fflush(stdout);
 -		type = sshkey_type_from_name(key_types[i].key_type);
  		if ((fd = mkstemp(prv_tmp)) == -1) {
- 			error("Could not save your public key in %s: %s",
+ 			error("Could not save your private key in %s: %s",
  			    prv_tmp, strerror(errno));
 diff --git a/ssh.c b/ssh.c
-index 15aee56..49331fc 100644
+index f34ca0d..aabd5d3 100644
 --- a/ssh.c
 +++ b/ssh.c
 @@ -77,6 +77,8 @@
@@ -379,7 +371,7 @@ index 15aee56..49331fc 100644
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
-@@ -608,6 +610,16 @@ main(int ac, char **av)
+@@ -662,6 +664,16 @@ main(int ac, char **av)
  	sanitise_stdfd();
  
  	__progname = ssh_get_progname(av[0]);
@@ -396,52 +388,19 @@ index 15aee56..49331fc 100644
  
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
-@@ -622,6 +634,10 @@ main(int ac, char **av)
- 
- 	seed_rng();
+@@ -1500,6 +1512,10 @@ main(int ac, char **av)
+ 		exit(0);
+ 	}
  
 +	if (FIPS_mode()) {
 +		logit("FIPS mode initialized");
 +	}
 +
- 	/*
- 	 * Discard other fds that are hanging around. These can cause problem
- 	 * with backgrounded ssh processes started by ControlPersist.
-diff --git a/sshconnect2.c b/sshconnect2.c
-index af00fb3..639fc51 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -44,6 +44,8 @@
- #include <vis.h>
- #endif
- 
-+#include <openssl/crypto.h>
-+
- #include "openbsd-compat/sys-queue.h"
- 
- #include "xmalloc.h"
-@@ -119,7 +121,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
- 	for (i = 0; i < options.num_system_hostfiles; i++)
- 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- 
--	oavail = avail = xstrdup(options.hostkeyalgorithms);
-+	oavail = avail = xstrdup((FIPS_mode()
-+	    ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms));
- 	maxlen = strlen(avail) + 1;
- 	first = xmalloc(maxlen);
- 	last = xmalloc(maxlen);
-@@ -179,7 +182,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
- 	/* Expand or fill in HostkeyAlgorithms */
- 	all_key = sshkey_alg_list(0, 0, 1, ',');
- 	if (kex_assemble_names(&options.hostkeyalgorithms,
--	    kex_default_pk_alg(), all_key) != 0)
-+	    (FIPS_mode() ? KEX_FIPS_PK_ALG : kex_default_pk_alg()),
-+	    all_key) != 0)
- 		fatal("%s: kex_assemble_namelist", __func__);
- 	free(all_key);
- 
+ 	/* Expand SecurityKeyProvider if it refers to an environment variable */
+ 	if (options.sk_provider != NULL && *options.sk_provider == '$' &&
+ 	    strlen(options.sk_provider) > 1) {
 diff --git a/sshd.c b/sshd.c
-index 5b9a0b5..b86d682 100644
+index 5af7986..1f1fcc2 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -66,6 +66,7 @@
@@ -461,7 +420,7 @@ index 5b9a0b5..b86d682 100644
  #include "openbsd-compat/openssl-compat.h"
  #endif
  
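Review bot: this hunk drops the two sshconnect2.c changes (order_hostkeyalgs() and ssh_kex2()) that substituted KEX_FIPS_PK_ALG for options.hostkeyalgorithms / kex_default_pk_alg() in FIPS mode, and the earlier hunk removes the matching clientloop.c key_accepted_by_hostkeyalgs() change, without the commit message saying why. If 8.4p1 now builds HostkeyAlgorithms from the readconf.c def_key list, which this patch already restricts to KEX_FIPS_PK_ALG, state that; if it does not, a HostkeyAlgorithms value set in ssh_config is no longer overridden in FIPS mode and can pull non-FIPS host key algorithms back in on the client. Separately, logit("FIPS mode initialized") moves from right after seed_rng() to after the exit(0) block near line 1500; if that is only because the old context changed, it can stay early in main() so the message is logged before those earlier exits.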
-@@ -1516,6 +1519,18 @@ main(int ac, char **av)
+@@ -1555,6 +1558,18 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
@@ -480,7 +439,7 @@ index 5b9a0b5..b86d682 100644
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
  	saved_argc = ac;
  	rexec_argc = ac;
-@@ -1990,6 +2005,10 @@ main(int ac, char **av)
+@@ -2039,6 +2054,10 @@ main(int ac, char **av)
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
@@ -492,7 +451,7 @@ index 5b9a0b5..b86d682 100644
  	   unmounted if desired. */
  	if (chdir("/") == -1)
 diff --git a/sshkey.c b/sshkey.c
-index 57995ee..3fa4274 100644
+index ac451f1..4f72eab 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -34,6 +34,7 @@
@@ -511,7 +470,7 @@ index 57995ee..3fa4274 100644
  #include "ssh-sk.h"
  
  #ifdef WITH_XMSS
-@@ -1597,6 +1599,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+@@ -1595,6 +1597,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
  	}
  	if (!BN_set_word(f4, RSA_F4) ||
  	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
@@ -521,5 +480,5 @@ index 57995ee..3fa4274 100644
  		goto out;
  	}
 -- 
-2.7.4
+2.17.1
 
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index c74532f..4fdb2aa 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,7 +6,7 @@ DEPENDS += " \
 RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
 
 SRC_URI += " \
-    file://0001-openssh-8.2p1-fips.patch \
+    file://0001-openssh-8.4p1-fips.patch \
     file://0001-conditional-enable-fips-mode.patch \
     file://openssh-6.6p1-ctr-cavstest.patch \
     file://openssh-6.7p1-kdf-cavs.patch \
-- 
2.25.1



* [meta-openssl102-fips][PATCH 3/6] openssh: fix the double free error for ssh-cavs
From: Yi Zhao @ 2021-04-22  6:56 UTC
  To: yocto, jason.wessel, mark.hatle

There is a 'double free or corruption' error when running ssh-cavs:
$ /usr/libexec/ssh-cavs -K
0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4
-H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
Initial IV (client to server) = 4bb320d1679dfd3a
Initial IV (server to client) = 43dea6fdf263a308
Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
double free or corruption (out)
Aborted

Since openssh 8.x, ssh->kex has been allocated when struct ssh is
initialized in function ssh_alloc_session_state()[1] and is freed in
function ssh_packet_close()[2]. We don't need to make ssh->kex point to
an extra kex struct, which causes the memory corruption and a memory
leak.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...1-ssh-cavs-fix-the-double-free-error.patch | 161 ++++++++++++++++++
 recipes-connectivity/openssh/openssh_fips.inc |   1 +
 2 files changed, 162 insertions(+)
 create mode 100644 recipes-connectivity/openssh/openssh/0001-ssh-cavs-fix-the-double-free-error.patch

diff --git a/recipes-connectivity/openssh/openssh/0001-ssh-cavs-fix-the-double-free-error.patch b/recipes-connectivity/openssh/openssh/0001-ssh-cavs-fix-the-double-free-error.patch
new file mode 100644
index 0000000..7d7fc14
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/0001-ssh-cavs-fix-the-double-free-error.patch
@@ -0,0 +1,161 @@
+From b6202d402a27467a8a4bacaca4064ee731a03fa7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sun, 17 Jan 2021 11:17:53 +0800
+Subject: [PATCH] ssh-cavs: fix the double free error
+
+There is a 'double free or corruption' error when running ssh-cavs:
+$ /usr/libexec/ssh-cavs -K
+0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4
+-H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+Initial IV (client to server) = 4bb320d1679dfd3a
+Initial IV (server to client) = 43dea6fdf263a308
+Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
+double free or corruption (out)
+Aborted
+
+Since openssh 8.x, the ssh->kex has been allocated when struct ssh is
+initialized in function ssh_alloc_session_state()[1] and will be freed
+in function ssh_packet_close()[2]. We don't need to make the ssh->kex to
+point a extra kex struct which will cause the memory corruption and
+memory leak.
+
+[1] https://github.com/openssh/openssh-portable/commit/0a843d9a0e805f14653a555f5c7a8ba99d62c12d
+[2] https://github.com/openssh/openssh-portable/commit/55ef3e9cbd5b336bd0f89205716924886fcf86de
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ssh-cavs.c | 60 ++++++++++++++++++++++++------------------------------
+ 1 file changed, 27 insertions(+), 33 deletions(-)
+
+diff --git a/ssh-cavs.c b/ssh-cavs.c
+index b74ae7f..641a453 100644
+--- a/ssh-cavs.c
++++ b/ssh-cavs.c
+@@ -164,7 +164,6 @@ struct kdf_cavs {
+ static int sshkdf_cavs(struct kdf_cavs *test)
+ {
+ 	int ret = 0;
+-	struct kex kex;
+ 	struct sshbuf *Kb = NULL;
+ 	BIGNUM *Kbn = NULL;
+ 	int mode = 0;
+@@ -175,8 +174,6 @@ static int sshkdf_cavs(struct kdf_cavs *test)
+ #define HEXOUTLEN 500
+ 	char hex[HEXOUTLEN];
+ 
+-	memset(&kex, 0, sizeof(struct kex));
+-
+ 	Kbn = BN_new();
+ 	BN_bin2bn(test->K, test->Klen, Kbn);
+ 	if (!Kbn) {
+@@ -192,24 +189,29 @@ static int sshkdf_cavs(struct kdf_cavs *test)
+ 	}
+ 	sshbuf_put_bignum2(Kb, Kbn);
+ 
+-	kex.session_id = test->session_id;
+-	kex.session_id_len = test->session_id_len;
++	if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
++		printf("Allocation error\n");
++		goto out;
++	}
++
++	ssh->kex->session_id = test->session_id;
++	ssh->kex->session_id_len = test->session_id_len;
+ 
+ 	/* setup kex */
+ 
+ 	/* select the right hash based on struct ssh_digest digests */
+ 	switch (test->ik_len) {
+ 		case 20:
+-			kex.hash_alg = SSH_DIGEST_SHA1;
++			ssh->kex->hash_alg = SSH_DIGEST_SHA1;
+ 			break;
+ 		case 32:
+-			kex.hash_alg = SSH_DIGEST_SHA256;
++			ssh->kex->hash_alg = SSH_DIGEST_SHA256;
+ 			break;
+ 		case 48:
+-			kex.hash_alg = SSH_DIGEST_SHA384;
++			ssh->kex->hash_alg = SSH_DIGEST_SHA384;
+ 			break;
+ 		case 64:
+-			kex.hash_alg = SSH_DIGEST_SHA512;
++			ssh->kex->hash_alg = SSH_DIGEST_SHA512;
+ 			break;
+ 		default:
+ 			printf("Wrong hash type %u\n", test->ik_len);
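Review bot: the new failure branch for ssh_packet_set_connection() (`printf("Allocation error\n"); goto out;`) leaves ret at its initial 0, so sshkdf_cavs() reports success when the session could not be allocated; set ret = 1 before the goto, as the "allocation of newkeys failed" branch further down does. `ssh->kex->session_id = test->session_id;` also hands the caller's buffer to a kex that ssh_packet_close() will free, which is what lets main() stop freeing test.session_id below; a one-line comment at the assignment would make that ownership transfer explicit, all the more since patch 5/6 of this series changes how session_id is set.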
+@@ -219,41 +221,35 @@ static int sshkdf_cavs(struct kdf_cavs *test)
+ 
+ 	/* implement choose_enc */
+ 	for (mode = 0; mode < 2; mode++) {
+-		kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
+-		if (!kex.newkeys[mode]) {
++		ssh->kex->newkeys[mode] = calloc(1, sizeof(struct newkeys));
++		if (!ssh->kex->newkeys[mode]) {
+ 			printf("allocation of newkeys failed\n");
+ 			ret = 1;
+ 			goto out;
+ 		}
+-		kex.newkeys[mode]->enc.iv_len = test->iv_len;
+-		kex.newkeys[mode]->enc.key_len = test->ek_len;
+-		kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
+-		kex.newkeys[mode]->mac.key_len = test->ik_len;
++		ssh->kex->newkeys[mode]->enc.iv_len = test->iv_len;
++		ssh->kex->newkeys[mode]->enc.key_len = test->ek_len;
++		ssh->kex->newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
++		ssh->kex->newkeys[mode]->mac.key_len = test->ik_len;
+ 	}
+ 
+ 	/* implement kex_choose_conf */
+-	kex.we_need = kex.newkeys[0]->enc.key_len;
+-	if (kex.we_need < kex.newkeys[0]->enc.block_size)
+-		kex.we_need = kex.newkeys[0]->enc.block_size;
+-	if (kex.we_need < kex.newkeys[0]->enc.iv_len)
+-		kex.we_need = kex.newkeys[0]->enc.iv_len;
+-	if (kex.we_need < kex.newkeys[0]->mac.key_len)
+-		kex.we_need = kex.newkeys[0]->mac.key_len;
++	ssh->kex->we_need = ssh->kex->newkeys[0]->enc.key_len;
++	if (ssh->kex->we_need < ssh->kex->newkeys[0]->enc.block_size)
++		ssh->kex->we_need = ssh->kex->newkeys[0]->enc.block_size;
++	if (ssh->kex->we_need < ssh->kex->newkeys[0]->enc.iv_len)
++		ssh->kex->we_need = ssh->kex->newkeys[0]->enc.iv_len;
++	if (ssh->kex->we_need < ssh->kex->newkeys[0]->mac.key_len)
++		ssh->kex->we_need = ssh->kex->newkeys[0]->mac.key_len;
+ 
+ 	/* MODE_OUT (1) -> server to client
+ 	 * MODE_IN (0) -> client to server */
+-	kex.server = 1;
++	ssh->kex->server = 1;
+ 
+-	/* do it */
+-	if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
+-		printf("Allocation error\n");
+-		goto out;
+-	}
+-	ssh->kex = &kex;
+ 	kex_derive_keys(ssh, test->H, test->Hlen, Kb);
+ 
+-	ctoskeys = kex.newkeys[0];
+-	stockeys = kex.newkeys[1];
++	ctoskeys = ssh->kex->newkeys[0];
++	stockeys = ssh->kex->newkeys[1];
+ 
+ 	/* get data */
+ 	memset(hex, 0, HEXOUTLEN);
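Review bot: kex_derive_keys(ssh, test->H, test->Hlen, Kb) still has its int return value discarded, so on failure the enc/mac key buffers in ctoskeys/stockeys are never derived and the code below prints whatever calloc() left there; check it (`if (kex_derive_keys(ssh, test->H, test->Hlen, Kb) != 0) { ret = 1; goto out; }`). Because the fix now relies on ssh_packet_close() to free ssh->kex together with the newkeys calloc()'d onto it, the commit message should confirm that the out: path of this function calls ssh_packet_close(ssh); the hunk does not show it.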
+@@ -376,8 +372,6 @@ int main(int argc, char *argv[])
+ 	ret = sshkdf_cavs(&test);
+ 
+ out:
+-	if (test.session_id)
+-		free(test.session_id);
+ 	if (test.K)
+ 		free(test.K);
+ 	if (test.H)
+-- 
+2.17.1
+
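Review bot: dropping free(test.session_id) in main() is correct once the buffer belongs to ssh->kex, but sshkdf_cavs() only makes that assignment after BN_new() and the sshbuf allocation succeed; on the `if (!Kbn)` failure path shown above, test.session_id is now never freed. Either free it in sshkdf_cavs() on those early exits or hand it to the kex before anything that can fail. Also, "Upstream-Status: Pending" is not meaningful here: ssh-cavs.c only exists because of openssh-6.7p1-kdf-cavs.patch, so either use Inappropriate [oe specific] like the other patches in this layer or note that the fix was sent to the Fedora package.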
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 4fdb2aa..961f2d5 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -10,6 +10,7 @@ SRC_URI += " \
     file://0001-conditional-enable-fips-mode.patch \
     file://openssh-6.6p1-ctr-cavstest.patch \
     file://openssh-6.7p1-kdf-cavs.patch \
+    file://0001-ssh-cavs-fix-the-double-free-error.patch \
 "
 
 do_install_append() {
-- 
2.25.1



* [meta-openssl102-fips][PATCH 4/6] openssh: refresh patches to 8.5p1
From: Yi Zhao @ 2021-04-22  6:56 UTC (permalink / raw)
  To: yocto, jason.wessel, mark.hatle

From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 .../0001-conditional-enable-fips-mode.patch   | 40 ++++++++--------
 .../openssh/0001-openssh-8.4p1-fips.patch     | 48 +++++++++----------
 2 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index 17c5967..9fd19c0 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From 571b24129e3c3a84e38a59a32aa61fa40e04e1e2 Mon Sep 17 00:00:00 2001
+From 48888de317391522186c6ae24a8d6d7d7add2673 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
 Date: Sat, 21 Dec 2019 13:03:23 +0800
 Subject: [PATCH] conditional enable fips mode
@@ -44,10 +44,10 @@ index 06566d3..a10566d 100644
  	sanitise_stdfd();
  
 diff --git a/sftp-server.c b/sftp-server.c
-index 55386fa..8c1634e 100644
+index 7300900..42da9d7 100644
 --- a/sftp-server.c
 +++ b/sftp-server.c
-@@ -1577,6 +1577,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1616,6 +1616,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
  	extern char *optarg;
  	extern char *__progname;
  
@@ -56,10 +56,10 @@ index 55386fa..8c1634e 100644
  	log_init(__progname, log_level, log_facility, log_stderr);
  
 diff --git a/sftp.c b/sftp.c
-index c88c861..171bc56 100644
+index fb3c08d..85b9b67 100644
 --- a/sftp.c
 +++ b/sftp.c
-@@ -2390,6 +2390,7 @@ main(int argc, char **argv)
+@@ -2345,6 +2345,7 @@ main(int argc, char **argv)
  	size_t num_requests = DEFAULT_NUM_REQUESTS;
  	long long limit_kbps = 0;
  
@@ -68,10 +68,10 @@ index c88c861..171bc56 100644
  	sanitise_stdfd();
  	msetlocale();
 diff --git a/ssh-add.c b/ssh-add.c
-index 936dc21..b7ac2d2 100644
+index 7edb9f9..c75f85b 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
-@@ -671,6 +671,7 @@ main(int argc, char **argv)
+@@ -667,6 +667,7 @@ main(int argc, char **argv)
  	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
  	LogLevel log_level = SYSLOG_LEVEL_INFO;
  
@@ -80,10 +80,10 @@ index 936dc21..b7ac2d2 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-agent.c b/ssh-agent.c
-index e1fd1f3..da49b57 100644
+index 58fe6dd..9018a7c 100644
 --- a/ssh-agent.c
 +++ b/ssh-agent.c
-@@ -1289,6 +1289,7 @@ main(int ac, char **av)
+@@ -1388,6 +1388,7 @@ main(int ac, char **av)
  	size_t npfd = 0;
  	u_int maxfds;
  
@@ -92,10 +92,10 @@ index e1fd1f3..da49b57 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cb8e569..67c7d62 100644
+index 6451584..246caa1 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -3184,6 +3184,7 @@ main(int argc, char **argv)
+@@ -3153,6 +3153,7 @@ main(int argc, char **argv)
  	extern int optind;
  	extern char *optarg;
  
@@ -104,7 +104,7 @@ index cb8e569..67c7d62 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index ca19042..c667f2c 100644
+index 7abbcbf..b604bfd 100644
 --- a/ssh-keyscan.c
 +++ b/ssh-keyscan.c
 @@ -667,6 +667,7 @@ main(int argc, char **argv)
@@ -116,7 +116,7 @@ index ca19042..c667f2c 100644
  	seed_rng();
  	TAILQ_INIT(&tq);
 diff --git a/ssh-keysign.c b/ssh-keysign.c
-index 7991e0f..26a3bab 100644
+index 907162d..294148a 100644
 --- a/ssh-keysign.c
 +++ b/ssh-keysign.c
 @@ -173,6 +173,7 @@ main(int argc, char **argv)
@@ -128,10 +128,10 @@ index 7991e0f..26a3bab 100644
  		fatal("%s: pledge: %s", __progname, strerror(errno));
  
 diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
-index d73e835..e508684 100644
+index a9a6fe3..3c76f70 100644
 --- a/ssh-pkcs11-helper.c
 +++ b/ssh-pkcs11-helper.c
-@@ -332,6 +332,7 @@ main(int argc, char **argv)
+@@ -326,6 +326,7 @@ main(int argc, char **argv)
  	extern char *__progname;
  	struct pollfd pfd[2];
  
@@ -140,22 +140,22 @@ index d73e835..e508684 100644
  	seed_rng();
  	TAILQ_INIT(&pkcs11_keylist);
 diff --git a/ssh.c b/ssh.c
-index aabd5d3..81393f1 100644
+index 729d87a..ab78b53 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -660,6 +660,7 @@ main(int ac, char **av)
- 	size_t n, len;
+@@ -650,6 +650,7 @@ main(int ac, char **av)
  	u_int j;
+ 	struct ssh_conn_info *cinfo = NULL;
  
 +	ssh_enable_fips_mode();
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
  
 diff --git a/sshd.c b/sshd.c
-index 1f1fcc2..0f68419 100644
+index fee4703..07faf7b 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1553,6 +1553,7 @@ main(int ac, char **av)
+@@ -1534,6 +1534,7 @@ main(int ac, char **av)
  	Authctxt *authctxt;
  	struct connection_info *connection_info = NULL;
  
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
index 48c18b4..10687ff 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
@@ -1,4 +1,4 @@
-From 059b61a58b27c40fbb78b3930cdcf110ff717340 Mon Sep 17 00:00:00 2001
+From 0452f9dc4acf90b8d7ac6ddf6ebbe455d202ce54 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
 Date: Sat, 21 Dec 2019 11:45:38 +0800
 Subject: [PATCH] openssh 8.4p1 fips
@@ -38,7 +38,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  14 files changed, 171 insertions(+), 20 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index acfb919..5b2c397 100644
+index e3cd296..bf53fb0 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -204,25 +204,25 @@ libssh.a: $(LIBSSH_OBJS)
@@ -97,7 +97,7 @@ index 32771f2..74fac3b 100644
  	return (&aes_ctr);
  }
 diff --git a/dh.c b/dh.c
-index 7cb135d..306f1bc 100644
+index b5bb35e..676f893 100644
 --- a/dh.c
 +++ b/dh.c
 @@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max)
@@ -165,10 +165,10 @@ index 5d6df62..54c7aa2 100644
  u_int	 dh_estimate(int);
  
 diff --git a/kex.c b/kex.c
-index aecb939..3d5d3b0 100644
+index 30425ab..1250f42 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -163,7 +163,10 @@ kex_names_valid(const char *names)
+@@ -165,7 +165,10 @@ kex_names_valid(const char *names)
  	for ((p = strsep(&cp, ",")); p && *p != '\0';
  	    (p = strsep(&cp, ","))) {
  		if (kex_alg_by_name(p) == NULL) {
@@ -181,7 +181,7 @@ index aecb939..3d5d3b0 100644
  			return 0;
  		}
 diff --git a/kexgexc.c b/kexgexc.c
-index 323a659..812112d 100644
+index 4a2e741..2535732 100644
 --- a/kexgexc.c
 +++ b/kexgexc.c
 @@ -28,6 +28,7 @@
@@ -192,7 +192,7 @@ index 323a659..812112d 100644
  #include <sys/types.h>
  
  #include <openssl/dh.h>
-@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
+@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
  		r = SSH_ERR_ALLOC_FAIL;
  		goto out;
  	}
@@ -204,7 +204,7 @@ index 323a659..812112d 100644
  
  	/* generate and send 'e', client DH public key */
 diff --git a/myproposal.h b/myproposal.h
-index 5312e60..d0accae 100644
+index f03b7df..57b8779 100644
 --- a/myproposal.h
 +++ b/myproposal.h
 @@ -57,6 +57,20 @@
@@ -255,12 +255,12 @@ index 5312e60..d0accae 100644
 +
  /* Not a KEX value, but here so all the algorithm defaults are together */
  #define	SSH_ALLOWED_CA_SIGALGS	\
- 	"ecdsa-sha2-nistp256," \
+ 	"ssh-ed25519," \
 diff --git a/readconf.c b/readconf.c
-index 554efd7..16eda65 100644
+index 724974b..870a654 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2255,11 +2255,16 @@ fill_default_options(Options * options)
+@@ -2475,11 +2475,16 @@ fill_default_options(Options * options)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
  	/* remove unsupported algos from default lists */
@@ -283,7 +283,7 @@ index 554efd7..16eda65 100644
  	do { \
  		if ((r = kex_assemble_names(&options->what, \
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index e0768c0..8971bba 100644
+index d8dc712..c6e62e4 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
 @@ -157,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
@@ -297,10 +297,10 @@ index e0768c0..8971bba 100644
  	SC_DENY(__NR_openat, EACCES),
  #endif
 diff --git a/servconf.c b/servconf.c
-index f08e374..dbcee84 100644
+index 9695583..98f6303 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -213,11 +213,16 @@ assemble_algorithms(ServerOptions *o)
+@@ -218,11 +218,16 @@ assemble_algorithms(ServerOptions *o)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
  	/* remove unsupported algos from default lists */
@@ -323,10 +323,10 @@ index f08e374..dbcee84 100644
  	do { \
  		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a12b79a..cb8e569 100644
+index cfb5f11..6451584 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
+@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
  #endif
  	}
  #ifdef WITH_OPENSSL
@@ -339,7 +339,7 @@ index a12b79a..cb8e569 100644
  	switch (type) {
  	case KEY_DSA:
  		if (*bitsp != 1024)
-@@ -1094,9 +1100,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1095,9 +1101,17 @@ do_gen_all_hostkeys(struct passwd *pw)
  			first = 1;
  			printf("%s: generating new host keys: ", __progname);
  		}
@@ -359,7 +359,7 @@ index a12b79a..cb8e569 100644
  			error("Could not save your private key in %s: %s",
  			    prv_tmp, strerror(errno));
 diff --git a/ssh.c b/ssh.c
-index f34ca0d..aabd5d3 100644
+index 53330da..729d87a 100644
 --- a/ssh.c
 +++ b/ssh.c
 @@ -77,6 +77,8 @@
@@ -371,7 +371,7 @@ index f34ca0d..aabd5d3 100644
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
-@@ -662,6 +664,16 @@ main(int ac, char **av)
+@@ -652,6 +654,16 @@ main(int ac, char **av)
  	sanitise_stdfd();
  
  	__progname = ssh_get_progname(av[0]);
@@ -388,7 +388,7 @@ index f34ca0d..aabd5d3 100644
  
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
-@@ -1500,6 +1512,10 @@ main(int ac, char **av)
+@@ -1506,6 +1518,10 @@ main(int ac, char **av)
  		exit(0);
  	}
  
@@ -400,7 +400,7 @@ index f34ca0d..aabd5d3 100644
  	if (options.sk_provider != NULL && *options.sk_provider == '$' &&
  	    strlen(options.sk_provider) > 1) {
 diff --git a/sshd.c b/sshd.c
-index 5af7986..1f1fcc2 100644
+index eff4778..fee4703 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -66,6 +66,7 @@
@@ -420,7 +420,7 @@ index 5af7986..1f1fcc2 100644
  #include "openbsd-compat/openssl-compat.h"
  #endif
  
-@@ -1555,6 +1558,18 @@ main(int ac, char **av)
+@@ -1536,6 +1539,18 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
@@ -439,7 +439,7 @@ index 5af7986..1f1fcc2 100644
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
  	saved_argc = ac;
  	rexec_argc = ac;
-@@ -2039,6 +2054,10 @@ main(int ac, char **av)
+@@ -2017,6 +2032,10 @@ main(int ac, char **av)
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
@@ -451,7 +451,7 @@ index 5af7986..1f1fcc2 100644
  	   unmounted if desired. */
  	if (chdir("/") == -1)
 diff --git a/sshkey.c b/sshkey.c
-index ac451f1..4f72eab 100644
+index b25c59a..8fcfe22 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -34,6 +34,7 @@
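Review bot: the refreshed file keeps the name `0001-openssh-8.4p1-fips.patch` and the inner subject `[PATCH] openssh 8.4p1 fips`, although the series subject says the patches were refreshed to 8.5p1 and the `index` lines now point at different blobs (for example `kex.c`: `index 30425ab..1250f42`); rename the file and subject to 8.5p1 to match, as was done when the 8.2p1 patch was renamed to 8.4p1 earlier in this series, so SRC_URI in openssh_fips.inc reflects the version the patch actually applies to.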
-- 
2.25.1



* [meta-openssl102-fips][PATCH 5/6] openssh: set kex->sessin_id via sshbuf_put in ssh-cavs
From: Yi Zhao @ 2021-04-22  6:56 UTC (permalink / raw)
  To: yocto, jason.wessel, mark.hatle

The kex->session_id has been changed from u_char * to sshbuf, and
kex->session_id_len has been removed in openssh 8.5 [1]. Update ssh-cavs
to adapt to it.

Fixes:
ssh-cavs.c:198:12: error: 'struct kex' has no member named 'session_id_len'; did you mean 'session_id'?
  198 |  ssh->kex->session_id_len = test->session_id_len;
      |            ^~~~~~~~~~~~~~
      |            session_id

[1] https://github.com/openssh/openssh-portable/commit/39be3dc209f28f9c1ebfeba42adde8963b01e1cd

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...avs-set-kex-sessin_id-via-sshbuf_put.patch | 45 +++++++++++++++++++
 recipes-connectivity/openssh/openssh_fips.inc |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 recipes-connectivity/openssh/openssh/0001-ssh-cavs-set-kex-sessin_id-via-sshbuf_put.patch

diff --git a/recipes-connectivity/openssh/openssh/0001-ssh-cavs-set-kex-sessin_id-via-sshbuf_put.patch b/recipes-connectivity/openssh/openssh/0001-ssh-cavs-set-kex-sessin_id-via-sshbuf_put.patch
new file mode 100644
index 0000000..20e8604
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/0001-ssh-cavs-set-kex-sessin_id-via-sshbuf_put.patch
@@ -0,0 +1,45 @@
+From 3841d7c1057e62a57c49e5042080202739c9bf98 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 8 Apr 2021 15:09:21 +0800
+Subject: [PATCH] ssh-cavs: set kex->sessin_id via sshbuf_put
+
+The kex->session_id has been replaced from u_char * to sshbuf and
+kex->session_id_len has been removed in openssh 8.5[1]. Update ssh-cavs
+to adapt it.
+
+Fixes:
+ssh-cavs.c:198:12: error: 'struct kex' has no member named 'session_id_len'; did you mean 'session_id'?
+  198 |  ssh->kex->session_id_len = test->session_id_len;
+      |            ^~~~~~~~~~~~~~
+      |            session_id
+
+[1] https://github.com/openssh/openssh-portable/commit/39be3dc209f28f9c1ebfeba42adde8963b01e1cd
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ssh-cavs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/ssh-cavs.c b/ssh-cavs.c
+index 641a453..48bae74 100644
+--- a/ssh-cavs.c
++++ b/ssh-cavs.c
+@@ -194,8 +194,11 @@ static int sshkdf_cavs(struct kdf_cavs *test)
+ 		goto out;
+ 	}
+ 
+-	ssh->kex->session_id = test->session_id;
+-	ssh->kex->session_id_len = test->session_id_len;
++	if (sshbuf_put(ssh->kex->session_id, test->session_id, test->session_id_len) != 0) {
++		printf("cannot convert session_id into sshbuf\n");
++		ret = 1;
++		goto out;
++	}
+ 
+ 	/* setup kex */
+ 
+-- 
+2.17.1
+
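Review bot: the patch file name and the inner subject spell the member `sessin_id`, while the code and the quoted compiler error both use `session_id`; rename the file to `0001-ssh-cavs-set-kex-session_id-via-sshbuf_put.patch` and fix the subject before it is referenced from SRC_URI. In the replacement at `@@ -194,8 +194,11 @@`, `sshbuf_put()` appends rather than assigns, so the call relies on `ssh->kex->session_id` being an already-allocated and still-empty sshbuf at this point; a comment saying so (or an `sshbuf_reset()` before the put) would make that assumption explicit, and storing the return value so the failure message can include `ssh_err(r)` would make the `goto out` path diagnosable instead of the fixed "cannot convert session_id into sshbuf" text.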
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 961f2d5..194a6f4 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -11,6 +11,7 @@ SRC_URI += " \
     file://openssh-6.6p1-ctr-cavstest.patch \
     file://openssh-6.7p1-kdf-cavs.patch \
     file://0001-ssh-cavs-fix-the-double-free-error.patch \
+    file://0001-ssh-cavs-set-kex-sessin_id-via-sshbuf_put.patch \
 "
 
 do_install_append() {
-- 
2.25.1



* [meta-openssl102-fips][PATCH 6/6] layer.conf: add hardknott to LAYERSERIES_COMPAT
From: Yi Zhao @ 2021-04-22  6:56 UTC (permalink / raw)
  To: yocto, jason.wessel, mark.hatle

From: Chen Qi <Qi.Chen@windriver.com>

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 892cf79..01026f0 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -10,7 +10,7 @@ BBFILE_PRIORITY_meta-openssl-one-zero-two-fips = "5"
 
 LAYERVERSION_meta-openssl-one-zero-two-fips = "1"
 
-LAYERSERIES_COMPAT_meta-openssl-one-zero-two-fips = "zeus"
+LAYERSERIES_COMPAT_meta-openssl-one-zero-two-fips = "hardknott"
 
 LAYERPATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}"
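Review bot: this hunk replaces `"zeus"` with `"hardknott"` in LAYERSERIES_COMPAT rather than adding the new series alongside the old one, so the layer stops declaring compatibility with zeus, yet the commit message has no body; state whether dropping zeus is intended (for example because this branch is now hardknott-only) so that anyone still building zeus with this layer knows the bitbake layer-compatibility error is expected.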
 
-- 
2.25.1



* Re: [meta-openssl102-fips][PATCH 0/6] hardknott fixes
From: Jason Wessel @ 2021-04-23  2:53 UTC (permalink / raw)
  To: Yi Zhao, yocto, mark.hatle

Merged.

On 4/22/21 1:56 AM, Yi Zhao wrote:
>
> Changqing Li (1):
>    openssh: refresh patches to 8.5p1
>
> Chen Qi (1):
>    layer.conf: add hardknott to LAYERSERIES_COMPAT
>
> Yi Zhao (4):
>    README.build: add "Known Issues" section
>    openssh: refresh patches to 8.4p1
>    openssh: fix the double free error for ssh-cavs
>    openssh: set kex->sessin_id via sshbuf_put in ssh-cavs
>
>   README.build                                  |  28 +++
>   conf/layer.conf                               |   2 +-
>   .../0001-conditional-enable-fips-mode.patch   |  46 ++---
>   ...ps.patch => 0001-openssh-8.4p1-fips.patch} | 173 +++++++-----------
>   ...1-ssh-cavs-fix-the-double-free-error.patch | 161 ++++++++++++++++
>   ...avs-set-kex-sessin_id-via-sshbuf_put.patch |  45 +++++
>   recipes-connectivity/openssh/openssh_fips.inc |   4 +-
>   7 files changed, 327 insertions(+), 132 deletions(-)
>   rename recipes-connectivity/openssh/openssh/{0001-openssh-8.2p1-fips.patch => 0001-openssh-8.4p1-fips.patch} (73%)
>   create mode 100644 recipes-connectivity/openssh/openssh/0001-ssh-cavs-fix-the-double-free-error.patch
>   create mode 100644 recipes-connectivity/openssh/openssh/0001-ssh-cavs-set-kex-sessin_id-via-sshbuf_put.patch
>

