* [meta-openssl102-fips][PATCH 1/3] openssh bbappend: refresh local patches to 8.1p1
@ 2020-01-21  2:00 Yi Zhao
  2020-01-21  2:00 ` [meta-openssl102-fips][PATCH 2/3] openssh: fix failure to enter FIPS mode Yi Zhao
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Yi Zhao @ 2020-01-21  2:00 UTC (permalink / raw)
  To: yocto, mark.hatle

From: Hongxu Jia <hongxu.jia@windriver.com>

Since upstream oe-core upgraded openssh to 8.1p1,
refresh the local FIPS patches accordingly.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 .../0001-conditional-enable-fips-mode.patch   |  26 +++--
 .../openssh/0001-openssh-8.0p1-fips.patch     | 100 +++++++++++-------
 .../openssh/openssh-6.6p1-ctr-cavstest.patch  |  14 +--
 .../openssh/openssh-6.7p1-kdf-cavs.patch      |  15 +--
 4 files changed, 91 insertions(+), 64 deletions(-)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index b47e184..705d4be 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,6 +1,6 @@
-From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001
+From fac114e44c00382af087fec04cd4c2fbd144d759 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Sun, 22 Sep 2019 14:31:51 +0800
+Date: Sat, 21 Dec 2019 13:03:23 +0800
 Subject: [PATCH] conditional enable fips mode
 
 Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke,
@@ -14,10 +14,10 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  1 file changed, 24 insertions(+)
 
 diff --git a/xmalloc.c b/xmalloc.c
-index 5cc0310..0218ccd 100644
+index 9cd0127..75d5018 100644
 --- a/xmalloc.c
 +++ b/xmalloc.c
-@@ -23,12 +23,20 @@
+@@ -23,6 +23,10 @@
  #include <stdlib.h>
  #include <string.h>
  
@@ -28,17 +28,23 @@ index 5cc0310..0218ccd 100644
  #include "xmalloc.h"
  #include "log.h"
  
+@@ -30,11 +34,15 @@
+ char *malloc_options = "S";
+ #endif /* __OpenBSD__ */
+ 
 +void ssh_enable_fips_mode(void);
 +
- void
- ssh_malloc_init(void)
+ void *
+ xmalloc(size_t size)
  {
+ 	void *ptr;
+ 
 +	ssh_enable_fips_mode();
 +
- #if defined(__OpenBSD__)
- 	extern char *malloc_options;
- 
-@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ 	if (size == 0)
+ 		fatal("xmalloc: zero size");
+ 	ptr = malloc(size);
+@@ -110,3 +118,19 @@ xasprintf(char **ret, const char *fmt, ...)
  
  	return (i);
  }
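Review bot: Moving the ssh_enable_fips_mode() call from ssh_malloc_init() into xmalloc() (the refreshed `@@ -30,11 +34,15 @@` hunk) ties FIPS enablement to the first heap allocation made through this wrapper rather than to program start, so any OpenSSL use that happens before the first xmalloc() — and, as far as I can tell, allocations that go through xcalloc()/xreallocarray() directly — would run with FIPS mode still off. It also puts the call on every allocation, so ssh_enable_fips_mode() has to be cheap and idempotent after its first run; its body is in the `@@ -110,3 +118,19 @@` hunk outside this section, so that cannot be confirmed here. The prototype is also declared locally in xmalloc.c (`+void ssh_enable_fips_mode(void);`) instead of in a header, which hides it from the other callers this series later adds. Patch 2/3 of this series moves the call to main(); squashing that into this refresh would avoid carrying an intermediate state that does not enter FIPS mode reliably.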
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
index a4b5836..0e35e31 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
@@ -1,6 +1,6 @@
-From 255e5dcdec36df7222f69b253dfc05be63927ed2 Mon Sep 17 00:00:00 2001
+From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Fri, 20 Sep 2019 17:59:00 +0800
+Date: Sat, 21 Dec 2019 11:45:38 +0800
 Subject: [PATCH] openssh 8.0p1 fips
 
 Port openssh-7.7p1-fips.patch from Fedora
@@ -22,18 +22,18 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  readconf.c               | 17 +++++++++--------
  sandbox-seccomp-filter.c |  3 +++
  servconf.c               | 19 ++++++++++---------
- ssh-keygen.c             |  6 ++++++
+ ssh-keygen.c             | 17 ++++++++++++++++-
  ssh.c                    | 16 ++++++++++++++++
  sshconnect2.c            | 11 ++++++++---
  sshd.c                   | 19 +++++++++++++++++++
  sshkey.c                 |  4 ++++
- 16 files changed, 176 insertions(+), 30 deletions(-)
+ 16 files changed, 186 insertions(+), 31 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index 6f001bb..ddd1804 100644
+index adb1977..37aec69 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -170,31 +170,31 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -55,9 +55,9 @@ index 6f001bb..ddd1804 100644
 -	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
--	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
+-	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
  ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
 -	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -68,10 +68,10 @@ index 6f001bb..ddd1804 100644
  
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
 -	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
++	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
  
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
- 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
+ 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff --git a/cipher-ctr.c b/cipher-ctr.c
 index 32771f2..74fac3b 100644
 --- a/cipher-ctr.c
@@ -87,10 +87,10 @@ index 32771f2..74fac3b 100644
  	return (&aes_ctr);
  }
 diff --git a/clientloop.c b/clientloop.c
-index 086c0df..0b308d4 100644
+index b5a1f70..0b675fe 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -2036,7 +2036,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
+@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
  {
  	const char *ktype = sshkey_ssh_name(key);
  	const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
@@ -101,7 +101,7 @@ index 086c0df..0b308d4 100644
  	if (key == NULL || key->type == KEY_UNSPEC)
  		return 0;
 diff --git a/dh.c b/dh.c
-index a98d39e..92e800a 100644
+index 7cb135d..306f1bc 100644
 --- a/dh.c
 +++ b/dh.c
 @@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max)
@@ -157,10 +157,10 @@ index a98d39e..92e800a 100644
 +
  #endif /* WITH_OPENSSL */
 diff --git a/dh.h b/dh.h
-index adb643a..5d1cad5 100644
+index 5d6df62..54c7aa2 100644
 --- a/dh.h
 +++ b/dh.h
-@@ -43,6 +43,7 @@ DH	*dh_new_group_fallback(int);
+@@ -45,6 +45,7 @@ DH	*dh_new_group_fallback(int);
  
  int	 dh_gen_key(DH *, int);
  int	 dh_pub_is_valid(const DH *, const BIGNUM *);
@@ -169,7 +169,7 @@ index adb643a..5d1cad5 100644
  u_int	 dh_estimate(int);
  
 diff --git a/kex.c b/kex.c
-index 34808b5..b356a26 100644
+index 49d7015..f1f982d 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -161,7 +161,10 @@ kex_names_valid(const char *names)
@@ -208,7 +208,7 @@ index 1c65b8a..b6b25bf 100644
  
  	/* generate and send 'e', client DH public key */
 diff --git a/myproposal.h b/myproposal.h
-index f167298..812d9a2 100644
+index 34bd10c..a3ae74b 100644
 --- a/myproposal.h
 +++ b/myproposal.h
 @@ -111,6 +111,14 @@
@@ -264,12 +264,12 @@ index f167298..812d9a2 100644
 +
  /* Not a KEX value, but here so all the algorithm defaults are together */
  #define	SSH_ALLOWED_CA_SIGALGS	\
- 	"ecdsa-sha2-nistp256," \
+ 	HOSTKEY_ECDSA_METHODS \
 diff --git a/readconf.c b/readconf.c
-index ec497e7..1f1a16d 100644
+index f78b4d6..2f56ed2 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2116,18 +2116,19 @@ fill_default_options(Options * options)
+@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
  	all_kex = kex_alg_list(',');
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
@@ -298,10 +298,10 @@ index ec497e7..1f1a16d 100644
  	free(all_cipher);
  	free(all_mac);
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 5edbc69..3c40136 100644
+index b5cda70..f0607a3 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
-@@ -137,6 +137,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
  #ifdef __NR_open
  	SC_DENY(__NR_open, EACCES),
  #endif
@@ -312,7 +312,7 @@ index 5edbc69..3c40136 100644
  	SC_DENY(__NR_openat, EACCES),
  #endif
 diff --git a/servconf.c b/servconf.c
-index ffac5d2..7ad0e4e 100644
+index e76f9c3..591d437 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
@@ -345,13 +345,13 @@ index ffac5d2..7ad0e4e 100644
  	free(all_cipher);
  	free(all_mac);
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 3898b28..f3f4975 100644
+index 8c829ca..cb4982d 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
- 	    OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
- 	if (*bitsp > maxbits)
- 		fatal("key bits exceeds maximum %d", maxbits);
+@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
+ #endif
+ 	}
+ #ifdef WITH_OPENSSL
 +	if (FIPS_mode()) {
 +		if (type == KEY_DSA)
 +			fatal("DSA keys are not allowed in FIPS mode");
@@ -361,8 +361,28 @@ index 3898b28..f3f4975 100644
  	switch (type) {
  	case KEY_DSA:
  		if (*bitsp != 1024)
+@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
+ 			first = 1;
+ 			printf("%s: generating new host keys: ", __progname);
+ 		}
++
++		type = sshkey_type_from_name(key_types[i].key_type);
++
++		/* Skip the keys that are not supported in FIPS mode */
++		if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
++			logit("Skipping %s key in FIPS mode",
++				key_types[i].key_type_display);
++			goto next;
++		}
++
+ 		printf("%s ", key_types[i].key_type_display);
+ 		fflush(stdout);
+-		type = sshkey_type_from_name(key_types[i].key_type);
+ 		if ((fd = mkstemp(prv_tmp)) == -1) {
+ 			error("Could not save your public key in %s: %s",
+ 			    prv_tmp, strerror(errno));
 diff --git a/ssh.c b/ssh.c
-index 91e7c35..1cf14f6 100644
+index ee51823..0724df4 100644
 --- a/ssh.c
 +++ b/ssh.c
 @@ -76,6 +76,8 @@
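Review bot: The new FIPS skip in do_gen_all_hostkeys() runs after the "generating new host keys:" banner has been written to stdout but before the key name is, so a skipped type produces a logit() line interleaved with a half-written banner; calling fflush(stdout) before logit(), or collecting the skipped names and reporting them once after the loop, keeps the output readable. The skipped set (KEY_DSA, KEY_ED25519) should match what type_bits_valid() rejects in the previous hunk, where only the DSA rejection is visible — if ED25519 is not rejected there too, `ssh-keygen -A` silently skips a type that `ssh-keygen -t ed25519` still generates in FIPS mode. `goto next` jumps to a label outside this hunk; since the jump happens before mkstemp(), nothing needs releasing, but that is worth stating, e.g. `/* nothing has been allocated for this key type yet */` above the goto. The rest of do_gen_all_hostkeys() is outside the hunk.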
@@ -403,7 +423,7 @@ index 91e7c35..1cf14f6 100644
  	 * Discard other fds that are hanging around. These can cause problem
  	 * with backgrounded ssh processes started by ControlPersist.
 diff --git a/sshconnect2.c b/sshconnect2.c
-index dffee90..28b2554 100644
+index 87fa70a..a42aacb 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -44,6 +44,8 @@
@@ -445,7 +465,7 @@ index dffee90..28b2554 100644
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  		    compat_pkalg_proposal(
 diff --git a/sshd.c b/sshd.c
-index a3c1975..bf25d76 100644
+index f8dee0f..2bf8939 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -66,6 +66,7 @@
@@ -465,7 +485,7 @@ index a3c1975..bf25d76 100644
  #include "openbsd-compat/openssl-compat.h"
  #endif
  
-@@ -1447,6 +1450,18 @@ main(int ac, char **av)
+@@ -1445,6 +1448,18 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
@@ -484,7 +504,7 @@ index a3c1975..bf25d76 100644
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
  	saved_argc = ac;
  	rexec_argc = ac;
-@@ -1905,6 +1920,10 @@ main(int ac, char **av)
+@@ -1910,6 +1925,10 @@ main(int ac, char **av)
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
@@ -496,7 +516,7 @@ index a3c1975..bf25d76 100644
  	   unmounted if desired. */
  	if (chdir("/") == -1)
 diff --git a/sshkey.c b/sshkey.c
-index ad19577..18906cb 100644
+index ef90563..1b1ba01 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -34,6 +34,7 @@
@@ -508,14 +528,14 @@ index ad19577..18906cb 100644
  
  #include "crypto_api.h"
 @@ -57,6 +58,7 @@
+ #define SSHKEY_INTERNAL
  #include "sshkey.h"
- #include "sshkey-xmss.h"
  #include "match.h"
 +#include "log.h"
  
- #include "xmss_fast.h"
- 
-@@ -1481,6 +1483,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+ #ifdef WITH_XMSS
+ #include "sshkey-xmss.h"
+@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
  	}
  	if (!BN_set_word(f4, RSA_F4) ||
  	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
index 29371f8..8b74451 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -1,7 +1,7 @@
-From a94a3d95439018dc7d276ec72de91af369ea413e Mon Sep 17 00:00:00 2001
+From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Sun, 22 Sep 2019 21:32:18 +0800
-Subject: [PATCH 1/2] add CAVS test driver for the aes-ctr ciphers
+Date: Sat, 21 Dec 2019 13:05:19 +0800
+Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers
 
 Original submission to Fedora, see:
    https://lists.fedoraproject.org/pipermail/scm-commits/2012-January/715044.html
@@ -25,7 +25,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  create mode 100644 ctr-cavstest.c
 
 diff --git a/Makefile.in b/Makefile.in
-index ddd1804..cb34681 100644
+index 37aec69..1d6e298 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
@@ -45,7 +45,7 @@ index ddd1804..cb34681 100644
  
  XMSS_OBJS=\
  	ssh-xmss.o \
-@@ -193,6 +194,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
+@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
  	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
  
@@ -53,9 +53,9 @@ index ddd1804..cb34681 100644
 +	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 +
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
  
-@@ -343,6 +347,7 @@ install-files:
+@@ -348,6 +352,7 @@ install-files:
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
  	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
index 7ac881f..0cbccd7 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
@@ -1,7 +1,7 @@
-From 210d15fd146ff7037f03fff5e0ba6fcf0bfde683 Mon Sep 17 00:00:00 2001
+From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Sun, 22 Sep 2019 21:40:51 +0800
-Subject: [PATCH 2/2] add KDF CAVS test driver
+Date: Sat, 21 Dec 2019 13:08:52 +0800
+Subject: [PATCH] add KDF CAVS test driver
 
 Original submission to Fedora, see:
    https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20150216/1514788.html
@@ -17,6 +17,7 @@ This is the makefile.in change for the normal configuration.
 Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
 
 Upstream-Status: Inappropriate [oe specific]
+
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 ---
  Makefile.in        |   8 +-
@@ -27,7 +28,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  create mode 100644 ssh-cavs_driver.pl
 
 diff --git a/Makefile.in b/Makefile.in
-index cb34681..368097e 100644
+index 1d6e298..be28411 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
@@ -47,7 +48,7 @@ index cb34681..368097e 100644
  
  XMSS_OBJS=\
  	ssh-xmss.o \
-@@ -197,6 +198,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
+@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
  ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
  	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
@@ -55,9 +56,9 @@ index cb34681..368097e 100644
 +	$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
  
-@@ -348,6 +352,8 @@ install-files:
+@@ -353,6 +357,8 @@ install-files:
  	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
  	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
-- 
2.17.1



* [meta-openssl102-fips][PATCH 2/3] openssh: fix failure to enter FIPS mode
  2020-01-21  2:00 [meta-openssl102-fips][PATCH 1/3] openssh bbappend: refresh local patches to 8.1p1 Yi Zhao
@ 2020-01-21  2:00 ` Yi Zhao
  2020-01-21  2:00 ` [meta-openssl102-fips][PATCH 3/3] fipscheck: only enable if OPENSSL_FIPS_ENABLED is set Yi Zhao
  2020-01-30  2:58 ` [yocto] [meta-openssl102-fips][PATCH 1/3] openssh bbappend: refresh local patches to 8.1p1 Mark Hatle
  2 siblings, 0 replies; 4+ messages in thread
From: Yi Zhao @ 2020-01-21  2:00 UTC (permalink / raw)
  To: yocto, mark.hatle

0001-conditional-enable-fips-mode.patch inserts a call to
ssh_enable_fips_mode into ssh_malloc_init, which is invoked by each main
function. But ssh_malloc_init was removed in openssh 8.1p1. Refresh the
patch to insert the ssh_enable_fips_mode call into the main function of
every application.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 .../0001-conditional-enable-fips-mode.patch   | 185 ++++++++++++++++--
 1 file changed, 164 insertions(+), 21 deletions(-)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index 705d4be..a0f496a 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From fac114e44c00382af087fec04cd4c2fbd144d759 Mon Sep 17 00:00:00 2001
+From 60204df9d1f54f581f9ddc5443228550cadd4b4b Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
 Date: Sat, 21 Dec 2019 13:03:23 +0800
 Subject: [PATCH] conditional enable fips mode
@@ -9,12 +9,162 @@ enable fips mode according to the existence of "/etc/system-fips"
 Upstream-Status: Inappropriate [oe specific]
 
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
+The ssh_malloc_init function is removed in openssh 8.1p1, we need to
+insert ssh_enable_fips_mode function to main function for all
+applications.
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- xmalloc.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
+ sftp-server-main.c  |  1 +
+ sftp-server.c       |  1 +
+ sftp.c              |  1 +
+ ssh-add.c           |  1 +
+ ssh-agent.c         |  1 +
+ ssh-keygen.c        |  1 +
+ ssh-keyscan.c       |  1 +
+ ssh-keysign.c       |  1 +
+ ssh-pkcs11-helper.c |  1 +
+ ssh.c               |  1 +
+ sshd.c              |  1 +
+ xmalloc.c           | 20 ++++++++++++++++++++
+ xmalloc.h           |  1 +
+ 13 files changed, 32 insertions(+)
 
+diff --git a/sftp-server-main.c b/sftp-server-main.c
+index 06566d3..a10566d 100644
+--- a/sftp-server-main.c
++++ b/sftp-server-main.c
+@@ -39,6 +39,7 @@ main(int argc, char **argv)
+ {
+ 	struct passwd *user_pw;
+ 
++	ssh_enable_fips_mode();
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
+ 
+diff --git a/sftp-server.c b/sftp-server.c
+index 359204f..346255a 100644
+--- a/sftp-server.c
++++ b/sftp-server.c
+@@ -1576,6 +1576,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+ 	extern char *optarg;
+ 	extern char *__progname;
+ 
++	ssh_enable_fips_mode();
+ 	__progname = ssh_get_progname(argv[0]);
+ 	log_init(__progname, log_level, log_facility, log_stderr);
+ 
+diff --git a/sftp.c b/sftp.c
+index b66037f..ca263ac 100644
+--- a/sftp.c
++++ b/sftp.c
+@@ -2387,6 +2387,7 @@ main(int argc, char **argv)
+ 	size_t num_requests = DEFAULT_NUM_REQUESTS;
+ 	long long limit_kbps = 0;
+ 
++	ssh_enable_fips_mode();
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
+ 	msetlocale();
+diff --git a/ssh-add.c b/ssh-add.c
+index ebfb8a3..b7d59bc 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -577,6 +577,7 @@ main(int argc, char **argv)
+ 	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
+ 	LogLevel log_level = SYSLOG_LEVEL_INFO;
+ 
++	ssh_enable_fips_mode();
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
+ 
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 9c6680a..d701479 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -1104,6 +1104,7 @@ main(int ac, char **av)
+ 	size_t npfd = 0;
+ 	u_int maxfds;
+ 
++	ssh_enable_fips_mode();
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
+ 
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index cb4982d..84dd269 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -2800,6 +2800,7 @@ main(int argc, char **argv)
+ 	extern int optind;
+ 	extern char *optarg;
+ 
++	ssh_enable_fips_mode();
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
+ 
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index 5de0508..0644261 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -663,6 +663,7 @@ main(int argc, char **argv)
+ 	extern int optind;
+ 	extern char *optarg;
+ 
++	ssh_enable_fips_mode();
+ 	__progname = ssh_get_progname(argv[0]);
+ 	seed_rng();
+ 	TAILQ_INIT(&tq);
+diff --git a/ssh-keysign.c b/ssh-keysign.c
+index 6cfd5b4..23cf403 100644
+--- a/ssh-keysign.c
++++ b/ssh-keysign.c
+@@ -173,6 +173,7 @@ main(int argc, char **argv)
+ 	char *host, *fp;
+ 	size_t slen, dlen;
+ 
++	ssh_enable_fips_mode();
+ 	if (pledge("stdio rpath getpw dns id", NULL) != 0)
+ 		fatal("%s: pledge: %s", __progname, strerror(errno));
+ 
+diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
+index 3bcc244..6a78a1a 100644
+--- a/ssh-pkcs11-helper.c
++++ b/ssh-pkcs11-helper.c
+@@ -325,6 +325,7 @@ main(int argc, char **argv)
+ 	extern char *__progname;
+ 	struct pollfd pfd[2];
+ 
++	ssh_enable_fips_mode();
+ 	__progname = ssh_get_progname(argv[0]);
+ 	seed_rng();
+ 	TAILQ_INIT(&pkcs11_keylist);
+diff --git a/ssh.c b/ssh.c
+index 0724df4..9178673 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -598,6 +598,7 @@ main(int ac, char **av)
+ 	struct ssh_digest_ctx *md;
+ 	u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+ 
++	ssh_enable_fips_mode();
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
+ 
+diff --git a/sshd.c b/sshd.c
+index 2bf8939..c75e34a 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1443,6 +1443,7 @@ main(int ac, char **av)
+ 	Authctxt *authctxt;
+ 	struct connection_info *connection_info = NULL;
+ 
++	ssh_enable_fips_mode();
+ #ifdef HAVE_SECUREWARE
+ 	(void)set_auth_parameters(ac, av);
+ #endif
 diff --git a/xmalloc.c b/xmalloc.c
-index 9cd0127..75d5018 100644
+index 9cd0127..e2f8145 100644
 --- a/xmalloc.c
 +++ b/xmalloc.c
 @@ -23,6 +23,10 @@
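Review bot: ssh_enable_fips_mode() is now reached twice on some paths — sftp-server-main.c's main() calls it and then sftp_server_main() calls it again, and sshd's in-process sftp subsystem reaches sftp_server_main() after sshd's own main() has already called it — so the function must be idempotent (run FIPS_mode_set() once and remember the outcome); its body is not in this hunk, so that cannot be checked here. In sshd.c, sftp-server.c, ssh-keyscan.c and ssh-pkcs11-helper.c the call is placed before __progname is set and before log_init(), and in ssh.c, ssh-add.c, ssh-agent.c, ssh-keygen.c and sftp.c before sanitise_stdfd(), so any diagnostic the hook emits through the logging layer or stderr goes out under default settings or to a possibly closed fd; placing it right after log_init()/sanitise_stdfd() avoids that, unless the hook deliberately uses fatal() only. Each of these files also needs xmalloc.h in scope for the prototype added in the last hunk; most already include it, but ssh-keysign.c and sftp-server-main.c are worth checking, since an implicit declaration is only a warning under the default C dialect. The enclosing main() functions all begin and end outside the hunk.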
@@ -28,23 +178,7 @@ index 9cd0127..75d5018 100644
  #include "xmalloc.h"
  #include "log.h"
  
-@@ -30,11 +34,15 @@
- char *malloc_options = "S";
- #endif /* __OpenBSD__ */
- 
-+void ssh_enable_fips_mode(void);
-+
- void *
- xmalloc(size_t size)
- {
- 	void *ptr;
- 
-+	ssh_enable_fips_mode();
-+
- 	if (size == 0)
- 		fatal("xmalloc: zero size");
- 	ptr = malloc(size);
-@@ -110,3 +118,19 @@ xasprintf(char **ret, const char *fmt, ...)
+@@ -110,3 +114,19 @@ xasprintf(char **ret, const char *fmt, ...)
  
  	return (i);
  }
@@ -64,6 +198,15 @@ index 9cd0127..75d5018 100644
 +        }
 +    }
 +}
+diff --git a/xmalloc.h b/xmalloc.h
+index 1d5f62d..d71b8a8 100644
+--- a/xmalloc.h
++++ b/xmalloc.h
+@@ -24,3 +24,4 @@ char	*xstrdup(const char *);
+ int	 xasprintf(char **, const char *, ...)
+                 __attribute__((__format__ (printf, 2, 3)))
+                 __attribute__((__nonnull__ (2)));
++void	ssh_enable_fips_mode(void);
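Review bot: The tail of ssh_enable_fips_mode() visible at the top of this hunk (`+        }`, `+    }`) is indented with spaces while xmalloc.c and the xmalloc.h lines around the new prototype use tabs; reindenting the function body to tabs keeps the patch from introducing a second style into the file. The prototype added to xmalloc.h carries no comment although eleven programs now call it first thing in main(), so I would document the contract there: `/* Enable OpenSSL FIPS mode when /etc/system-fips exists; call at the start of main(), safe to call more than once. */` — the "more than once" part only holds if the implementation guarantees it, which is outside this hunk. The body of ssh_enable_fips_mode() starts outside the hunk.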
 -- 
 2.7.4
 
-- 
2.17.1



* [meta-openssl102-fips][PATCH 3/3] fipscheck: only enable if OPENSSL_FIPS_ENABLED is set
  2020-01-21  2:00 [meta-openssl102-fips][PATCH 1/3] openssh bbappend: refresh local patches to 8.1p1 Yi Zhao
  2020-01-21  2:00 ` [meta-openssl102-fips][PATCH 2/3] openssh: fix failure to enter FIPS mode Yi Zhao
@ 2020-01-21  2:00 ` Yi Zhao
  2020-01-30  2:58 ` [yocto] [meta-openssl102-fips][PATCH 1/3] openssh bbappend: refresh local patches to 8.1p1 Mark Hatle
  2 siblings, 0 replies; 4+ messages in thread
From: Yi Zhao @ 2020-01-21  2:00 UTC (permalink / raw)
  To: yocto, mark.hatle

We encountered the following error when building fipscheck without
setting OPENSSL_FIPS_ENABLED:

ERROR: Nothing PROVIDES 'openssl-fips' (but /buildarea/poky/meta-openssl102-fips/recipes-support/fipscheck/fipscheck_1.5.0.bb DEPENDS on or otherwise requires it)
openssl-fips was skipped: To enable the openssl-fips recipe set OPENSSL_FIPS_ENABLED = '1'.
ERROR: Required build target 'fipscheck' has no buildable providers.
Missing or unbuildable dependency chain was: ['fipscheck', 'openssl-fips']

Add a check function like the one in the openssl-fips recipe, so that
fipscheck is built only if OPENSSL_FIPS_ENABLED is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 recipes-support/fipscheck/fipscheck_1.5.0.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/recipes-support/fipscheck/fipscheck_1.5.0.bb b/recipes-support/fipscheck/fipscheck_1.5.0.bb
index 9faed9c..970640d 100644
--- a/recipes-support/fipscheck/fipscheck_1.5.0.bb
+++ b/recipes-support/fipscheck/fipscheck_1.5.0.bb
@@ -49,4 +49,9 @@ pkg_postinst_${PN} () {
     fi
 }
 
+python __anonymous() {
+    if d.getVar("OPENSSL_FIPS_ENABLED", True) != "1":
+        raise bb.parse.SkipPackage("To enable the fipscheck recipe set OPENSSL_FIPS_ENABLED = '1'.")
+}
+
 FILES_${PN} += "${libdir}/fipscheck"
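Review bot: `bb.parse.SkipPackage` is the legacy name; current BitBake provides `bb.parse.SkipRecipe` and keeps SkipPackage only as a deprecated alias, and `d.getVar(..., True)` spells out an expand argument that newer BitBake already defaults to, so `if d.getVar("OPENSSL_FIPS_ENABLED") != "1":` / `raise bb.parse.SkipRecipe("To enable the fipscheck recipe set OPENSSL_FIPS_ENABLED = '1'.")` is the current form. Matching the existing openssl-fips check is a fair reason to keep the older spelling, but then both recipes should move together. The strict comparison against "1" means any other truthy value ("yes", "true") also skips the recipe; that mirrors the openssl-fips check quoted in the message, and the skip text at least names the exact value expected.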
-- 
2.17.1



* Re: [yocto] [meta-openssl102-fips][PATCH 1/3] openssh bbappend: refresh local patches to 8.1p1
From: Mark Hatle @ 2020-01-30  2:58 UTC (permalink / raw)
  To: Yi Zhao, yocto

Sorry, I missed this when it was originally sent.

I've updated master with these patches.  Thanks!

Please check master; if you see anything missing, let me know.

--Mark

On 1/20/20 8:00 PM, Yi Zhao wrote:
> From: Hongxu Jia <hongxu.jia@windriver.com>
> 
> Since upstream oe-core upgraded openssh to 8.1p1,
> refresh local patches of fips
> 
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  .../0001-conditional-enable-fips-mode.patch   |  26 +++--
>  .../openssh/0001-openssh-8.0p1-fips.patch     | 100 +++++++++++-------
>  .../openssh/openssh-6.6p1-ctr-cavstest.patch  |  14 +--
>  .../openssh/openssh-6.7p1-kdf-cavs.patch      |  15 +--
>  4 files changed, 91 insertions(+), 64 deletions(-)
> 
> diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> index b47e184..705d4be 100644
> --- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> +++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> @@ -1,6 +1,6 @@
> -From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001
> +From fac114e44c00382af087fec04cd4c2fbd144d759 Mon Sep 17 00:00:00 2001
>  From: Hongxu Jia <hongxu.jia@windriver.com>
> -Date: Sun, 22 Sep 2019 14:31:51 +0800
> +Date: Sat, 21 Dec 2019 13:03:23 +0800
>  Subject: [PATCH] conditional enable fips mode
>  
>  Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke,
> @@ -14,10 +14,10 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>   1 file changed, 24 insertions(+)
>  
>  diff --git a/xmalloc.c b/xmalloc.c
> -index 5cc0310..0218ccd 100644
> +index 9cd0127..75d5018 100644
>  --- a/xmalloc.c
>  +++ b/xmalloc.c
> -@@ -23,12 +23,20 @@
> +@@ -23,6 +23,10 @@
>   #include <stdlib.h>
>   #include <string.h>
>   
> @@ -28,17 +28,23 @@ index 5cc0310..0218ccd 100644
>   #include "xmalloc.h"
>   #include "log.h"
>   
> +@@ -30,11 +34,15 @@
> + char *malloc_options = "S";
> + #endif /* __OpenBSD__ */
> + 
>  +void ssh_enable_fips_mode(void);
>  +
> - void
> - ssh_malloc_init(void)
> + void *
> + xmalloc(size_t size)
>   {
> + 	void *ptr;
> + 
>  +	ssh_enable_fips_mode();
>  +
> - #if defined(__OpenBSD__)
> - 	extern char *malloc_options;
> - 
> -@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...)
> + 	if (size == 0)
> + 		fatal("xmalloc: zero size");
> + 	ptr = malloc(size);
> +@@ -110,3 +118,19 @@ xasprintf(char **ret, const char *fmt, ...)
>   
>   	return (i);
>   }
> diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> index a4b5836..0e35e31 100644
> --- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> @@ -1,6 +1,6 @@
> -From 255e5dcdec36df7222f69b253dfc05be63927ed2 Mon Sep 17 00:00:00 2001
> +From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
>  From: Hongxu Jia <hongxu.jia@windriver.com>
> -Date: Fri, 20 Sep 2019 17:59:00 +0800
> +Date: Sat, 21 Dec 2019 11:45:38 +0800
>  Subject: [PATCH] openssh 8.0p1 fips
>  
>  Port openssh-7.7p1-fips.patch from Fedora
> @@ -22,18 +22,18 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>   readconf.c               | 17 +++++++++--------
>   sandbox-seccomp-filter.c |  3 +++
>   servconf.c               | 19 ++++++++++---------
> - ssh-keygen.c             |  6 ++++++
> + ssh-keygen.c             | 17 ++++++++++++++++-
>   ssh.c                    | 16 ++++++++++++++++
>   sshconnect2.c            | 11 ++++++++---
>   sshd.c                   | 19 +++++++++++++++++++
>   sshkey.c                 |  4 ++++
> - 16 files changed, 176 insertions(+), 30 deletions(-)
> + 16 files changed, 186 insertions(+), 31 deletions(-)
>  
>  diff --git a/Makefile.in b/Makefile.in
> -index 6f001bb..ddd1804 100644
> +index adb1977..37aec69 100644
>  --- a/Makefile.in
>  +++ b/Makefile.in
> -@@ -170,31 +170,31 @@ libssh.a: $(LIBSSH_OBJS)
> +@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
>   	$(RANLIB) $@
>   
>   ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
> @@ -55,9 +55,9 @@ index 6f001bb..ddd1804 100644
>  -	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
>  +	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>   
> - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
> --	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
> +-	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>   
>   ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
>  -	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> @@ -68,10 +68,10 @@ index 6f001bb..ddd1804 100644
>   
>   ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
>  -	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
> -+	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
> ++	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
>   
> - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
> - 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
> + 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
>  diff --git a/cipher-ctr.c b/cipher-ctr.c
>  index 32771f2..74fac3b 100644
>  --- a/cipher-ctr.c
> @@ -87,10 +87,10 @@ index 32771f2..74fac3b 100644
>   	return (&aes_ctr);
>   }
>  diff --git a/clientloop.c b/clientloop.c
> -index 086c0df..0b308d4 100644
> +index b5a1f70..0b675fe 100644
>  --- a/clientloop.c
>  +++ b/clientloop.c
> -@@ -2036,7 +2036,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
> +@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
>   {
>   	const char *ktype = sshkey_ssh_name(key);
>   	const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
> @@ -101,7 +101,7 @@ index 086c0df..0b308d4 100644
>   	if (key == NULL || key->type == KEY_UNSPEC)
>   		return 0;
>  diff --git a/dh.c b/dh.c
> -index a98d39e..92e800a 100644
> +index 7cb135d..306f1bc 100644
>  --- a/dh.c
>  +++ b/dh.c
>  @@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max)
> @@ -157,10 +157,10 @@ index a98d39e..92e800a 100644
>  +
>   #endif /* WITH_OPENSSL */
>  diff --git a/dh.h b/dh.h
> -index adb643a..5d1cad5 100644
> +index 5d6df62..54c7aa2 100644
>  --- a/dh.h
>  +++ b/dh.h
> -@@ -43,6 +43,7 @@ DH	*dh_new_group_fallback(int);
> +@@ -45,6 +45,7 @@ DH	*dh_new_group_fallback(int);
>   
>   int	 dh_gen_key(DH *, int);
>   int	 dh_pub_is_valid(const DH *, const BIGNUM *);
> @@ -169,7 +169,7 @@ index adb643a..5d1cad5 100644
>   u_int	 dh_estimate(int);
>   
>  diff --git a/kex.c b/kex.c
> -index 34808b5..b356a26 100644
> +index 49d7015..f1f982d 100644
>  --- a/kex.c
>  +++ b/kex.c
>  @@ -161,7 +161,10 @@ kex_names_valid(const char *names)
> @@ -208,7 +208,7 @@ index 1c65b8a..b6b25bf 100644
>   
>   	/* generate and send 'e', client DH public key */
>  diff --git a/myproposal.h b/myproposal.h
> -index f167298..812d9a2 100644
> +index 34bd10c..a3ae74b 100644
>  --- a/myproposal.h
>  +++ b/myproposal.h
>  @@ -111,6 +111,14 @@
> @@ -264,12 +264,12 @@ index f167298..812d9a2 100644
>  +
>   /* Not a KEX value, but here so all the algorithm defaults are together */
>   #define	SSH_ALLOWED_CA_SIGALGS	\
> - 	"ecdsa-sha2-nistp256," \
> + 	HOSTKEY_ECDSA_METHODS \
>  diff --git a/readconf.c b/readconf.c
> -index ec497e7..1f1a16d 100644
> +index f78b4d6..2f56ed2 100644
>  --- a/readconf.c
>  +++ b/readconf.c
> -@@ -2116,18 +2116,19 @@ fill_default_options(Options * options)
> +@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
>   	all_kex = kex_alg_list(',');
>   	all_key = sshkey_alg_list(0, 0, 1, ',');
>   	all_sig = sshkey_alg_list(0, 1, 1, ',');
> @@ -298,10 +298,10 @@ index ec497e7..1f1a16d 100644
>   	free(all_cipher);
>   	free(all_mac);
>  diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> -index 5edbc69..3c40136 100644
> +index b5cda70..f0607a3 100644
>  --- a/sandbox-seccomp-filter.c
>  +++ b/sandbox-seccomp-filter.c
> -@@ -137,6 +137,9 @@ static const struct sock_filter preauth_insns[] = {
> +@@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
>   #ifdef __NR_open
>   	SC_DENY(__NR_open, EACCES),
>   #endif
> @@ -312,7 +312,7 @@ index 5edbc69..3c40136 100644
>   	SC_DENY(__NR_openat, EACCES),
>   #endif
>  diff --git a/servconf.c b/servconf.c
> -index ffac5d2..7ad0e4e 100644
> +index e76f9c3..591d437 100644
>  --- a/servconf.c
>  +++ b/servconf.c
>  @@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
> @@ -345,13 +345,13 @@ index ffac5d2..7ad0e4e 100644
>   	free(all_cipher);
>   	free(all_mac);
>  diff --git a/ssh-keygen.c b/ssh-keygen.c
> -index 3898b28..f3f4975 100644
> +index 8c829ca..cb4982d 100644
>  --- a/ssh-keygen.c
>  +++ b/ssh-keygen.c
> -@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
> - 	    OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
> - 	if (*bitsp > maxbits)
> - 		fatal("key bits exceeds maximum %d", maxbits);
> +@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
> + #endif
> + 	}
> + #ifdef WITH_OPENSSL
>  +	if (FIPS_mode()) {
>  +		if (type == KEY_DSA)
>  +			fatal("DSA keys are not allowed in FIPS mode");
> @@ -361,8 +361,28 @@ index 3898b28..f3f4975 100644
>   	switch (type) {
>   	case KEY_DSA:
>   		if (*bitsp != 1024)
> +@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
> + 			first = 1;
> + 			printf("%s: generating new host keys: ", __progname);
> + 		}
> ++
> ++		type = sshkey_type_from_name(key_types[i].key_type);
> ++
> ++		/* Skip the keys that are not supported in FIPS mode */
> ++		if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
> ++			logit("Skipping %s key in FIPS mode",
> ++				key_types[i].key_type_display);
> ++			goto next;
> ++		}
> ++
> + 		printf("%s ", key_types[i].key_type_display);
> + 		fflush(stdout);
> +-		type = sshkey_type_from_name(key_types[i].key_type);
> + 		if ((fd = mkstemp(prv_tmp)) == -1) {
> + 			error("Could not save your public key in %s: %s",
> + 			    prv_tmp, strerror(errno));
>  diff --git a/ssh.c b/ssh.c
> -index 91e7c35..1cf14f6 100644
> +index ee51823..0724df4 100644
>  --- a/ssh.c
>  +++ b/ssh.c
>  @@ -76,6 +76,8 @@
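Review bot: The FIPS-mode skip added to do_gen_all_hostkeys runs after the `if (!first)` block has already printed the "generating new host keys:" banner to stdout without a flush, so the `logit("Skipping %s key in FIPS mode", ...)` message, which goes to stderr, can appear before or in the middle of that partial progress line. Placing the three-line `if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519))` check, together with the hoisted `type = sshkey_type_from_name(key_types[i].key_type);`, above the `if (!first)` block keeps skipped key types out of the progress output entirely. Hoisting the `type =` assignment ahead of the check, as the hunk does, is needed for the test and looks right. do_gen_all_hostkeys begins and ends outside the hunk, so the `next:` label the `goto` targets is not visible here.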
> @@ -403,7 +423,7 @@ index 91e7c35..1cf14f6 100644
>   	 * Discard other fds that are hanging around. These can cause problem
>   	 * with backgrounded ssh processes started by ControlPersist.
>  diff --git a/sshconnect2.c b/sshconnect2.c
> -index dffee90..28b2554 100644
> +index 87fa70a..a42aacb 100644
>  --- a/sshconnect2.c
>  +++ b/sshconnect2.c
>  @@ -44,6 +44,8 @@
> @@ -445,7 +465,7 @@ index dffee90..28b2554 100644
>   		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
>   		    compat_pkalg_proposal(
>  diff --git a/sshd.c b/sshd.c
> -index a3c1975..bf25d76 100644
> +index f8dee0f..2bf8939 100644
>  --- a/sshd.c
>  +++ b/sshd.c
>  @@ -66,6 +66,7 @@
> @@ -465,7 +485,7 @@ index a3c1975..bf25d76 100644
>   #include "openbsd-compat/openssl-compat.h"
>   #endif
>   
> -@@ -1447,6 +1450,18 @@ main(int ac, char **av)
> +@@ -1445,6 +1448,18 @@ main(int ac, char **av)
>   #endif
>   	__progname = ssh_get_progname(av[0]);
>   
> @@ -484,7 +504,7 @@ index a3c1975..bf25d76 100644
>   	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
>   	saved_argc = ac;
>   	rexec_argc = ac;
> -@@ -1905,6 +1920,10 @@ main(int ac, char **av)
> +@@ -1910,6 +1925,10 @@ main(int ac, char **av)
>   	/* Reinitialize the log (because of the fork above). */
>   	log_init(__progname, options.log_level, options.log_facility, log_stderr);
>   
> @@ -496,7 +516,7 @@ index a3c1975..bf25d76 100644
>   	   unmounted if desired. */
>   	if (chdir("/") == -1)
>  diff --git a/sshkey.c b/sshkey.c
> -index ad19577..18906cb 100644
> +index ef90563..1b1ba01 100644
>  --- a/sshkey.c
>  +++ b/sshkey.c
>  @@ -34,6 +34,7 @@
> @@ -508,14 +528,14 @@ index ad19577..18906cb 100644
>   
>   #include "crypto_api.h"
>  @@ -57,6 +58,7 @@
> + #define SSHKEY_INTERNAL
>   #include "sshkey.h"
> - #include "sshkey-xmss.h"
>   #include "match.h"
>  +#include "log.h"
>   
> - #include "xmss_fast.h"
> - 
> -@@ -1481,6 +1483,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
> + #ifdef WITH_XMSS
> + #include "sshkey-xmss.h"
> +@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
>   	}
>   	if (!BN_set_word(f4, RSA_F4) ||
>   	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
> diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> index 29371f8..8b74451 100644
> --- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> +++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> @@ -1,7 +1,7 @@
> -From a94a3d95439018dc7d276ec72de91af369ea413e Mon Sep 17 00:00:00 2001
> +From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
>  From: Hongxu Jia <hongxu.jia@windriver.com>
> -Date: Sun, 22 Sep 2019 21:32:18 +0800
> -Subject: [PATCH 1/2] add CAVS test driver for the aes-ctr ciphers
> +Date: Sat, 21 Dec 2019 13:05:19 +0800
> +Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers
>  
>  Original submission to Fedora, see:
>     https://lists.fedoraproject.org/pipermail/scm-commits/2012-January/715044.html
> @@ -25,7 +25,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>   create mode 100644 ctr-cavstest.c
>  
>  diff --git a/Makefile.in b/Makefile.in
> -index ddd1804..cb34681 100644
> +index 37aec69..1d6e298 100644
>  --- a/Makefile.in
>  +++ b/Makefile.in
>  @@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
> @@ -45,7 +45,7 @@ index ddd1804..cb34681 100644
>   
>   XMSS_OBJS=\
>   	ssh-xmss.o \
> -@@ -193,6 +194,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
> +@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
>   ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
>   	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
>   
> @@ -53,9 +53,9 @@ index ddd1804..cb34681 100644
>  +	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>  +
>   ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
> - 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
> + 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
>   
> -@@ -343,6 +347,7 @@ install-files:
> +@@ -348,6 +352,7 @@ install-files:
>   	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
>   	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
>   	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
> diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> index 7ac881f..0cbccd7 100644
> --- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> +++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> @@ -1,7 +1,7 @@
> -From 210d15fd146ff7037f03fff5e0ba6fcf0bfde683 Mon Sep 17 00:00:00 2001
> +From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
>  From: Hongxu Jia <hongxu.jia@windriver.com>
> -Date: Sun, 22 Sep 2019 21:40:51 +0800
> -Subject: [PATCH 2/2] add KDF CAVS test driver
> +Date: Sat, 21 Dec 2019 13:08:52 +0800
> +Subject: [PATCH] add KDF CAVS test driver
>  
>  Original submission to Fedora, see:
>     https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20150216/1514788.html
> @@ -17,6 +17,7 @@ This is the makefile.in change for the normal configuration.
>  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
>  
>  Upstream-Status: Inappropriate [oe specific]
> +
>  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>  ---
>   Makefile.in        |   8 +-
> @@ -27,7 +28,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>   create mode 100644 ssh-cavs_driver.pl
>  
>  diff --git a/Makefile.in b/Makefile.in
> -index cb34681..368097e 100644
> +index 1d6e298..be28411 100644
>  --- a/Makefile.in
>  +++ b/Makefile.in
>  @@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
> @@ -47,7 +48,7 @@ index cb34681..368097e 100644
>   
>   XMSS_OBJS=\
>   	ssh-xmss.o \
> -@@ -197,6 +198,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
> +@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
>   ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
>   	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>   
> @@ -55,9 +56,9 @@ index cb34681..368097e 100644
>  +	$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
>  +
>   ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
> - 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
> + 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
>   
> -@@ -348,6 +352,8 @@ install-files:
> +@@ -353,6 +357,8 @@ install-files:
>   	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
>   	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
>   	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
> 
> 
> 
> 

