* Re: [yocto] [meta-openssl102-fips][PATCH V2] openssh: refresh patches to 8.2p1
       [not found] <15F51207A66311A8.18319@lists.yoctoproject.org>
@ 2020-03-27  1:55 ` Yi Zhao
From: Yi Zhao @ 2020-03-27  1:55 UTC (permalink / raw)
  To: yocto, mark.hatle


Ping


On 2/20/20 5:24 PM, Yi Zhao wrote:
> Refresh patches to openssh-8.2p1.
> Reference:
> http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
> (commit 51f5c1c99f1d20e48328edde666061d0ce0da83b)
>
> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
>   .../0001-conditional-enable-fips-mode.patch   |  54 ++--
>   ...ps.patch => 0001-openssh-8.2p1-fips.patch} | 300 ++++++++----------
>   .../openssh/openssh-6.6p1-ctr-cavstest.patch  |  35 +-
>   .../openssh/openssh-6.7p1-kdf-cavs.patch      |  35 +-
>   recipes-connectivity/openssh/openssh_fips.inc |   2 +-
>   5 files changed, 202 insertions(+), 224 deletions(-)
>   rename recipes-connectivity/openssh/openssh/{0001-openssh-8.0p1-fips.patch => 0001-openssh-8.2p1-fips.patch} (57%)
>
> diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> index a0f496a..942fda6 100644
> --- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> +++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> @@ -1,4 +1,4 @@
> -From 60204df9d1f54f581f9ddc5443228550cadd4b4b Mon Sep 17 00:00:00 2001
> +From ef6490841a73b4f71ca35e09328c6a8b0ad9dba9 Mon Sep 17 00:00:00 2001
>   From: Hongxu Jia <hongxu.jia@windriver.com>
>   Date: Sat, 21 Dec 2019 13:03:23 +0800
>   Subject: [PATCH] conditional enable fips mode
> @@ -56,10 +56,10 @@ index 359204f..346255a 100644
>    	log_init(__progname, log_level, log_facility, log_stderr);
>    
>   diff --git a/sftp.c b/sftp.c
> -index b66037f..ca263ac 100644
> +index ff14d3c..a633200 100644
>   --- a/sftp.c
>   +++ b/sftp.c
> -@@ -2387,6 +2387,7 @@ main(int argc, char **argv)
> +@@ -2390,6 +2390,7 @@ main(int argc, char **argv)
>    	size_t num_requests = DEFAULT_NUM_REQUESTS;
>    	long long limit_kbps = 0;
>    
> @@ -68,10 +68,10 @@ index b66037f..ca263ac 100644
>    	sanitise_stdfd();
>    	msetlocale();
>   diff --git a/ssh-add.c b/ssh-add.c
> -index ebfb8a3..b7d59bc 100644
> +index 8057eb1..19f3da2 100644
>   --- a/ssh-add.c
>   +++ b/ssh-add.c
> -@@ -577,6 +577,7 @@ main(int argc, char **argv)
> +@@ -628,6 +628,7 @@ main(int argc, char **argv)
>    	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
>    	LogLevel log_level = SYSLOG_LEVEL_INFO;
>    
> @@ -80,10 +80,10 @@ index ebfb8a3..b7d59bc 100644
>    	sanitise_stdfd();
>    
>   diff --git a/ssh-agent.c b/ssh-agent.c
> -index 9c6680a..d701479 100644
> +index 7eb6f0d..1409044 100644
>   --- a/ssh-agent.c
>   +++ b/ssh-agent.c
> -@@ -1104,6 +1104,7 @@ main(int ac, char **av)
> +@@ -1196,6 +1196,7 @@ main(int ac, char **av)
>    	size_t npfd = 0;
>    	u_int maxfds;
>    
> @@ -92,10 +92,10 @@ index 9c6680a..d701479 100644
>    	sanitise_stdfd();
>    
>   diff --git a/ssh-keygen.c b/ssh-keygen.c
> -index cb4982d..84dd269 100644
> +index feafe73..9b832f6 100644
>   --- a/ssh-keygen.c
>   +++ b/ssh-keygen.c
> -@@ -2800,6 +2800,7 @@ main(int argc, char **argv)
> +@@ -3140,6 +3140,7 @@ main(int argc, char **argv)
>    	extern int optind;
>    	extern char *optarg;
>    
> @@ -104,10 +104,10 @@ index cb4982d..84dd269 100644
>    	sanitise_stdfd();
>    
>   diff --git a/ssh-keyscan.c b/ssh-keyscan.c
> -index 5de0508..0644261 100644
> +index a5e6440..e56a9d1 100644
>   --- a/ssh-keyscan.c
>   +++ b/ssh-keyscan.c
> -@@ -663,6 +663,7 @@ main(int argc, char **argv)
> +@@ -675,6 +675,7 @@ main(int argc, char **argv)
>    	extern int optind;
>    	extern char *optarg;
>    
> @@ -116,7 +116,7 @@ index 5de0508..0644261 100644
>    	seed_rng();
>    	TAILQ_INIT(&tq);
>   diff --git a/ssh-keysign.c b/ssh-keysign.c
> -index 6cfd5b4..23cf403 100644
> +index 3e3ea3e..4804c42 100644
>   --- a/ssh-keysign.c
>   +++ b/ssh-keysign.c
>   @@ -173,6 +173,7 @@ main(int argc, char **argv)
> @@ -128,10 +128,10 @@ index 6cfd5b4..23cf403 100644
>    		fatal("%s: pledge: %s", __progname, strerror(errno));
>    
>   diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
> -index 3bcc244..6a78a1a 100644
> +index 17220d6..1af0c2e 100644
>   --- a/ssh-pkcs11-helper.c
>   +++ b/ssh-pkcs11-helper.c
> -@@ -325,6 +325,7 @@ main(int argc, char **argv)
> +@@ -332,6 +332,7 @@ main(int argc, char **argv)
>    	extern char *__progname;
>    	struct pollfd pfd[2];
>    
> @@ -140,22 +140,22 @@ index 3bcc244..6a78a1a 100644
>    	seed_rng();
>    	TAILQ_INIT(&pkcs11_keylist);
>   diff --git a/ssh.c b/ssh.c
> -index 0724df4..9178673 100644
> +index 49331fc..06836dd 100644
>   --- a/ssh.c
>   +++ b/ssh.c
> -@@ -598,6 +598,7 @@ main(int ac, char **av)
> - 	struct ssh_digest_ctx *md;
> +@@ -606,6 +606,7 @@ main(int ac, char **av)
>    	u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
> + 	size_t n, len;
>    
>   +	ssh_enable_fips_mode();
>    	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
>    	sanitise_stdfd();
>    
>   diff --git a/sshd.c b/sshd.c
> -index 2bf8939..c75e34a 100644
> +index b86d682..304bf01 100644
>   --- a/sshd.c
>   +++ b/sshd.c
> -@@ -1443,6 +1443,7 @@ main(int ac, char **av)
> +@@ -1514,6 +1514,7 @@ main(int ac, char **av)
>    	Authctxt *authctxt;
>    	struct connection_info *connection_info = NULL;
>    
> @@ -164,7 +164,7 @@ index 2bf8939..c75e34a 100644
>    	(void)set_auth_parameters(ac, av);
>    #endif
>   diff --git a/xmalloc.c b/xmalloc.c
> -index 9cd0127..e2f8145 100644
> +index b48d33b..456a063 100644
>   --- a/xmalloc.c
>   +++ b/xmalloc.c
>   @@ -23,6 +23,10 @@
> @@ -178,9 +178,9 @@ index 9cd0127..e2f8145 100644
>    #include "xmalloc.h"
>    #include "log.h"
>    
> -@@ -110,3 +114,19 @@ xasprintf(char **ret, const char *fmt, ...)
> -
> - 	return (i);
> +@@ -117,3 +121,19 @@ xasprintf(char **ret, const char *fmt, ...)
> + 	va_end(ap);
> + 	return i;
>    }
>   +
>   +void
> @@ -199,13 +199,13 @@ index 9cd0127..e2f8145 100644
>   +    }
>   +}
>   diff --git a/xmalloc.h b/xmalloc.h
> -index 1d5f62d..d71b8a8 100644
> +index abaf7ad..b3b1c8c 100644
>   --- a/xmalloc.h
>   +++ b/xmalloc.h
> -@@ -24,3 +24,4 @@ char	*xstrdup(const char *);
> - int	 xasprintf(char **, const char *, ...)
> -                 __attribute__((__format__ (printf, 2, 3)))
> +@@ -26,3 +26,4 @@ int	 xasprintf(char **, const char *, ...)
>                    __attribute__((__nonnull__ (2)));
> + int	 xvasprintf(char **, const char *, va_list)
> + 		__attribute__((__nonnull__ (2)));
>   +void	ssh_enable_fips_mode(void);
>   --
>   2.7.4
> diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
> similarity index 57%
> rename from recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> rename to recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
> index 0e35e31..c1de130 100644
> --- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
> @@ -1,7 +1,7 @@
> -From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
> +From c51dd44e1c594ddeb3a27ae5d9be2899e4bf2ac6 Mon Sep 17 00:00:00 2001
>   From: Hongxu Jia <hongxu.jia@windriver.com>
>   Date: Sat, 21 Dec 2019 11:45:38 +0800
> -Subject: [PATCH] openssh 8.0p1 fips
> +Subject: [PATCH] openssh 8.2p1 fips
>   
>   Port openssh-7.7p1-fips.patch from Fedora
>   https://src.fedoraproject.org/rpms/openssh.git
> @@ -10,30 +10,33 @@ https://src.fedoraproject.org/rpms/openssh.git
>   Upstream-Status: Inappropriate [oe specific]
>   
>   Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +
> +Rebase to 8.2p1
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>   ---
>    Makefile.in              | 14 +++++++-------
>    cipher-ctr.c             |  3 ++-
> - clientloop.c             |  3 ++-
> + clientloop.c             |  2 +-
>    dh.c                     | 40 ++++++++++++++++++++++++++++++++++++++++
>    dh.h                     |  1 +
>    kex.c                    |  5 ++++-
>    kexgexc.c                |  5 +++++
> - myproposal.h             | 40 ++++++++++++++++++++++++++++++++++++++++
> - readconf.c               | 17 +++++++++--------
> + myproposal.h             | 35 +++++++++++++++++++++++++++++++++++
> + readconf.c               | 15 ++++++++++-----
>    sandbox-seccomp-filter.c |  3 +++
> - servconf.c               | 19 ++++++++++---------
> - ssh-keygen.c             | 17 ++++++++++++++++-
> + servconf.c               | 15 ++++++++++-----
> + ssh-keygen.c             | 16 +++++++++++++++-
>    ssh.c                    | 16 ++++++++++++++++
> - sshconnect2.c            | 11 ++++++++---
> + sshconnect2.c            |  8 ++++++--
>    sshd.c                   | 19 +++++++++++++++++++
>    sshkey.c                 |  4 ++++
> - 16 files changed, 186 insertions(+), 31 deletions(-)
> + 16 files changed, 178 insertions(+), 23 deletions(-)
>   
>   diff --git a/Makefile.in b/Makefile.in
> -index adb1977..37aec69 100644
> +index e754947..57f94f4 100644
>   --- a/Makefile.in
>   +++ b/Makefile.in
> -@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
> +@@ -206,25 +206,25 @@ libssh.a: $(LIBSSH_OBJS)
>    	$(RANLIB) $@
>    
>    ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
> @@ -44,34 +47,36 @@ index adb1977..37aec69 100644
>   -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
>   +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
>    
> - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
> - 	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> + scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
> + 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
>    
> - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
> --	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
> +-	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>    
> - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
> --	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
> +-	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>    
> - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
> --	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
> +-	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>    
> - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
> --	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
> +-	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>    
> - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
> - 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
> + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
> + 	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
> +@@ -233,7 +233,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
> + 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
>    
> - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
> --	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
> -+	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
> + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
> +-	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
> ++	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>    
> - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
> - 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
> + 	$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
>   diff --git a/cipher-ctr.c b/cipher-ctr.c
>   index 32771f2..74fac3b 100644
>   --- a/cipher-ctr.c
> @@ -87,16 +92,15 @@ index 32771f2..74fac3b 100644
>    	return (&aes_ctr);
>    }
>   diff --git a/clientloop.c b/clientloop.c
> -index b5a1f70..0b675fe 100644
> +index ebd0dbc..b3e0c19 100644
>   --- a/clientloop.c
>   +++ b/clientloop.c
> -@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
> +@@ -2083,7 +2083,7 @@ static int
> + key_accepted_by_hostkeyalgs(const struct sshkey *key)
>    {
>    	const char *ktype = sshkey_ssh_name(key);
> - 	const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
> --	    options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
> -+	    options.hostkeyalgorithms : (FIPS_mode() ?
> -+	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
> +-	const char *hostkeyalgs = options.hostkeyalgorithms;
> ++	const char *hostkeyalgs = (FIPS_mode() ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms);
>    
>    	if (key == NULL || key->type == KEY_UNSPEC)
>    		return 0;
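Review bot: The new `hostkeyalgs` initializer substitutes the raw KEX_FIPS_PK_ALG for `options.hostkeyalgorithms` whenever FIPS_mode() is true, yet the ssh_kex2 hunk in sshconnect2.c below already assembles `options.hostkeyalgorithms` from that same FIPS default while honouring whatever HostkeyAlgorithms the user configured (for example a restricting `-ssh-rsa`). If that assembly runs before key_accepted_by_hostkeyalgs is reached — which I believe is the 8.2p1 order but cannot confirm from the hunk — this override, and the matching one in order_hostkeyalgs in the sshconnect2.c hunk, silently re-widens a user-restricted list, so a host key type the user disabled would still be accepted. Keeping the upstream line, `const char *hostkeyalgs = options.hostkeyalgorithms;`, and relying on the assembled option avoids that. Separately, the new line runs well past 80 columns; the removed two-line form shows the wrapping OpenSSH's style expects. key_accepted_by_hostkeyalgs continues outside the hunk.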
> @@ -169,10 +173,10 @@ index 5d6df62..54c7aa2 100644
>    u_int	 dh_estimate(int);
>    
>   diff --git a/kex.c b/kex.c
> -index 49d7015..f1f982d 100644
> +index ce85f04..9cc14de 100644
>   --- a/kex.c
>   +++ b/kex.c
> -@@ -161,7 +161,10 @@ kex_names_valid(const char *names)
> +@@ -163,7 +163,10 @@ kex_names_valid(const char *names)
>    	for ((p = strsep(&cp, ",")); p && *p != '\0';
>    	    (p = strsep(&cp, ","))) {
>    		if (kex_alg_by_name(p) == NULL) {
> @@ -185,7 +189,7 @@ index 49d7015..f1f982d 100644
>    			return 0;
>    		}
>   diff --git a/kexgexc.c b/kexgexc.c
> -index 1c65b8a..b6b25bf 100644
> +index 323a659..812112d 100644
>   --- a/kexgexc.c
>   +++ b/kexgexc.c
>   @@ -28,6 +28,7 @@
> @@ -208,97 +212,86 @@ index 1c65b8a..b6b25bf 100644
>    
>    	/* generate and send 'e', client DH public key */
>   diff --git a/myproposal.h b/myproposal.h
> -index 34bd10c..a3ae74b 100644
> +index 5312e60..d0accae 100644
>   --- a/myproposal.h
>   +++ b/myproposal.h
> -@@ -111,6 +111,14 @@
> +@@ -57,6 +57,20 @@
>    	"rsa-sha2-256," \
>    	"ssh-rsa"
>    
>   +#define	KEX_FIPS_PK_ALG	\
> -+	HOSTKEY_ECDSA_CERT_METHODS \
> ++	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
> ++	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
> ++	"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
> ++	"rsa-sha2-512-cert-v01@openssh.com," \
> ++	"rsa-sha2-256-cert-v01@openssh.com," \
>   +	"ssh-rsa-cert-v01@openssh.com," \
> -+	HOSTKEY_ECDSA_METHODS \
> ++	"ecdsa-sha2-nistp256," \
> ++	"ecdsa-sha2-nistp384," \
> ++	"ecdsa-sha2-nistp521," \
>   +	"rsa-sha2-512," \
>   +	"rsa-sha2-256," \
>   +	"ssh-rsa"
>   +
> - /* the actual algorithms */
> -
> - #define KEX_SERVER_ENCRYPT \
> -@@ -134,6 +142,38 @@
> + #define	KEX_SERVER_ENCRYPT \
> + 	"chacha20-poly1305@openssh.com," \
> + 	"aes128-ctr,aes192-ctr,aes256-ctr," \
> +@@ -78,6 +92,27 @@
>    
>    #define KEX_CLIENT_MAC KEX_SERVER_MAC
>    
>   +#define	KEX_FIPS_ENCRYPT \
>   +	"aes128-ctr,aes192-ctr,aes256-ctr," \
>   +	"aes128-cbc,3des-cbc," \
> -+	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
> -+	AESGCM_CIPHER_MODES
> -+#ifdef HAVE_EVP_SHA256
> -+# define KEX_DEFAULT_KEX_FIPS		\
> -+	KEX_ECDH_METHODS \
> -+	KEX_SHA2_METHODS \
> ++	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
> ++	"aes128-gcm@openssh.com,aes256-gcm@openssh.com"
> ++#define KEX_DEFAULT_KEX_FIPS		\
> ++	"ecdh-sha2-nistp256," \
> ++	"ecdh-sha2-nistp384," \
> ++	"ecdh-sha2-nistp521," \
> ++	"diffie-hellman-group-exchange-sha256," \
> ++	"diffie-hellman-group16-sha512," \
> ++	"diffie-hellman-group18-sha512," \
>   +	"diffie-hellman-group14-sha256"
> -+# define KEX_FIPS_MAC \
> ++#define KEX_FIPS_MAC \
>   +	"hmac-sha1," \
>   +	"hmac-sha2-256," \
>   +	"hmac-sha2-512," \
>   +	"hmac-sha1-etm@openssh.com," \
>   +	"hmac-sha2-256-etm@openssh.com," \
>   +	"hmac-sha2-512-etm@openssh.com"
> -+#else
> -+# ifdef OPENSSL_HAS_NISTP521
> -+#  define KEX_DEFAULT_KEX_FIPS		\
> -+	"ecdh-sha2-nistp256," \
> -+	"ecdh-sha2-nistp384," \
> -+	"ecdh-sha2-nistp521"
> -+# else
> -+#  define KEX_DEFAULT_KEX_FIPS		\
> -+	"ecdh-sha2-nistp256," \
> -+	"ecdh-sha2-nistp384"
> -+# endif
> -+#define        KEX_FIPS_MAC \
> -+       "hmac-sha1"
> -+#endif
>   +
>    /* Not a KEX value, but here so all the algorithm defaults are together */
>    #define	SSH_ALLOWED_CA_SIGALGS	\
> - 	HOSTKEY_ECDSA_METHODS \
> + 	"ecdsa-sha2-nistp256," \
>   diff --git a/readconf.c b/readconf.c
> -index f78b4d6..2f56ed2 100644
> +index f3cac6b..26b9a59 100644
>   --- a/readconf.c
>   +++ b/readconf.c
> -@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
> - 	all_kex = kex_alg_list(',');
> +@@ -2187,11 +2187,16 @@ fill_default_options(Options * options)
>    	all_key = sshkey_alg_list(0, 0, 1, ',');
>    	all_sig = sshkey_alg_list(0, 1, 1, ',');
> --#define ASSEMBLE(what, defaults, all) \
> -+#define ASSEMBLE(what, defaults, fips_defaults, all) \
> + 	/* remove unsupported algos from default lists */
> +-	def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
> +-	def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
> +-	def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
> +-	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
> +-	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
> ++	def_cipher = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
> ++	def_mac = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
> ++	def_kex = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
> ++	def_key = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
> ++	def_sig = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
> + #define ASSEMBLE(what, defaults, all) \
>    	do { \
>    		if ((r = kex_assemble_names(&options->what, \
> --		    defaults, all)) != 0) \
> -+		    (FIPS_mode() ? fips_defaults : defaults), \
> -+		    all)) != 0) \
> - 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
> - 	} while (0)
> --	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
> --	ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
> --	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
> --	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
> --	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
> --	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
> -+	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
> -+	ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
> -+	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
> -+	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
> - #undef ASSEMBLE
> - 	free(all_cipher);
> - 	free(all_mac);
>   diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> -index b5cda70..f0607a3 100644
> +index f80981f..00702a7 100644
>   --- a/sandbox-seccomp-filter.c
>   +++ b/sandbox-seccomp-filter.c
>   @@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
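Review bot: The FIPS branch for `def_sig` in the readconf.c part of this hunk (and the identical one in the servconf.c hunk below) substitutes KEX_FIPS_PK_ALG for SSH_ALLOWED_CA_SIGALGS, but KEX_FIPS_PK_ALG is a host-key-type list: it carries the `*-cert-v01@openssh.com` entries, which are not signature algorithms, and `ssh-rsa`, whose SHA-1 signatures upstream's CA default omits as far as I recall (worth confirming against the full SSH_ALLOWED_CA_SIGALGS, of which only the first entry is visible here). match_filter_whitelist against all_sig presumably drops the cert names, but ssh-rsa would survive, so CASignatureAlgorithms in FIPS mode would end up wider than in non-FIPS mode; a dedicated list, e.g. `#define KEX_FIPS_CA_SIGALGS "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"` (name constructed), used on that line keeps FIPS mode at least as strict. In the myproposal.h part, KEX_FIPS_ENCRYPT lists `aes128-cbc,3des-cbc` and `aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se` ahead of the GCM modes and KEX_FIPS_MAC puts `hmac-sha1` before the SHA-2 and -etm entries, whereas the KEX_SERVER_ENCRYPT context lines show no CBC cipher at all; FIPS approval of AES and HMAC does not require offering CBC or SHA-1 over SSH, so either trim KEX_FIPS_ENCRYPT to the CTR and GCM entries and move hmac-sha1 to the end, or add a comment stating which validation requirement the legacy entries satisfy. The readconf.c part's fill_default_options continues outside the hunk.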
> @@ -312,43 +305,36 @@ index b5cda70..f0607a3 100644
>    	SC_DENY(__NR_openat, EACCES),
>    #endif
>   diff --git a/servconf.c b/servconf.c
> -index e76f9c3..591d437 100644
> +index 70f5f73..815beaf 100644
>   --- a/servconf.c
>   +++ b/servconf.c
> -@@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
> - 	all_kex = kex_alg_list(',');
> +@@ -212,11 +212,16 @@ assemble_algorithms(ServerOptions *o)
>    	all_key = sshkey_alg_list(0, 0, 1, ',');
>    	all_sig = sshkey_alg_list(0, 1, 1, ',');
> --#define ASSEMBLE(what, defaults, all) \
> -+#define ASSEMBLE(what, defaults, fips_defaults, all) \
> + 	/* remove unsupported algos from default lists */
> +-	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
> +-	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
> +-	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
> +-	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
> +-	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
> ++	def_cipher = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
> ++	def_mac = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
> ++	def_kex = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
> ++	def_key = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
> ++	def_sig = match_filter_whitelist((FIPS_mode() ?
> ++	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
> + #define ASSEMBLE(what, defaults, all) \
>    	do { \
> --		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
> -+		if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
> -+		    ? fips_defaults : defaults), all)) != 0) \
> - 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
> - 	} while (0)
> --	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
> --	ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
> --	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
> --	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
> --	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
> --	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
> --	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
> -+	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
> -+	ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
> -+	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
> -+	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
> - #undef ASSEMBLE
> - 	free(all_cipher);
> - 	free(all_mac);
> + 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
>   diff --git a/ssh-keygen.c b/ssh-keygen.c
> -index 8c829ca..cb4982d 100644
> +index 0d6ed1f..feafe73 100644
>   --- a/ssh-keygen.c
>   +++ b/ssh-keygen.c
> -@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
> +@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
>    #endif
>    	}
>    #ifdef WITH_OPENSSL
> @@ -361,17 +347,16 @@ index 8c829ca..cb4982d 100644
>    	switch (type) {
>    	case KEY_DSA:
>    		if (*bitsp != 1024)
> -@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
> +@@ -1088,9 +1094,17 @@ do_gen_all_hostkeys(struct passwd *pw)
>    			first = 1;
>    			printf("%s: generating new host keys: ", __progname);
>    		}
> -+
>   +		type = sshkey_type_from_name(key_types[i].key_type);
>   +
>   +		/* Skip the keys that are not supported in FIPS mode */
>   +		if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
>   +			logit("Skipping %s key in FIPS mode",
> -+				key_types[i].key_type_display);
> ++			    key_types[i].key_type_display);
>   +			goto next;
>   +		}
>   +
> @@ -382,10 +367,10 @@ index 8c829ca..cb4982d 100644
>    			error("Could not save your public key in %s: %s",
>    			    prv_tmp, strerror(errno));
>   diff --git a/ssh.c b/ssh.c
> -index ee51823..0724df4 100644
> +index 15aee56..49331fc 100644
>   --- a/ssh.c
>   +++ b/ssh.c
> -@@ -76,6 +76,8 @@
> +@@ -77,6 +77,8 @@
>    #include <openssl/evp.h>
>    #include <openssl/err.h>
>    #endif
> @@ -394,7 +379,7 @@ index ee51823..0724df4 100644
>    #include "openbsd-compat/openssl-compat.h"
>    #include "openbsd-compat/sys-queue.h"
>    
> -@@ -600,6 +602,16 @@ main(int ac, char **av)
> +@@ -608,6 +610,16 @@ main(int ac, char **av)
>    	sanitise_stdfd();
>    
>    	__progname = ssh_get_progname(av[0]);
> @@ -411,7 +396,7 @@ index ee51823..0724df4 100644
>    
>    #ifndef HAVE_SETPROCTITLE
>    	/* Prepare for later setproctitle emulation */
> -@@ -614,6 +626,10 @@ main(int ac, char **av)
> +@@ -622,6 +634,10 @@ main(int ac, char **av)
>    
>    	seed_rng();
>    
> @@ -423,7 +408,7 @@ index ee51823..0724df4 100644
>    	 * Discard other fds that are hanging around. These can cause problem
>    	 * with backgrounded ssh processes started by ControlPersist.
>   diff --git a/sshconnect2.c b/sshconnect2.c
> -index 87fa70a..a42aacb 100644
> +index af00fb3..639fc51 100644
>   --- a/sshconnect2.c
>   +++ b/sshconnect2.c
>   @@ -44,6 +44,8 @@
> @@ -435,37 +420,28 @@ index 87fa70a..a42aacb 100644
>    #include "openbsd-compat/sys-queue.h"
>    
>    #include "xmalloc.h"
> -@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> +@@ -119,7 +121,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
>    	for (i = 0; i < options.num_system_hostfiles; i++)
>    		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
>    
> --	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
> +-	oavail = avail = xstrdup(options.hostkeyalgorithms);
>   +	oavail = avail = xstrdup((FIPS_mode()
> -+	    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
> ++	    ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms));
>    	maxlen = strlen(avail) + 1;
>    	first = xmalloc(maxlen);
>    	last = xmalloc(maxlen);
> -@@ -179,14 +182,16 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
> - 	if (options.hostkeyalgorithms != NULL) {
> - 		all_key = sshkey_alg_list(0, 0, 1, ',');
> - 		if (kex_assemble_names(&options.hostkeyalgorithms,
> --		    KEX_DEFAULT_PK_ALG, all_key) != 0)
> -+		    (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
> -+		    all_key) != 0)
> - 			fatal("%s: kex_assemble_namelist", __func__);
> - 		free(all_key);
> - 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
> - 		    compat_pkalg_proposal(options.hostkeyalgorithms);
> - 	} else {
> - 		/* Enforce default */
> --		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
> -+		options.hostkeyalgorithms = xstrdup((FIPS_mode()
> -+		    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
> - 		/* Prefer algorithms that we already have keys for */
> - 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
> - 		    compat_pkalg_proposal(
> +@@ -179,7 +182,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
> + 	/* Expand or fill in HostkeyAlgorithms */
> + 	all_key = sshkey_alg_list(0, 0, 1, ',');
> + 	if (kex_assemble_names(&options.hostkeyalgorithms,
> +-	    kex_default_pk_alg(), all_key) != 0)
> ++	    (FIPS_mode() ? KEX_FIPS_PK_ALG : kex_default_pk_alg()),
> ++	    all_key) != 0)
> + 		fatal("%s: kex_assemble_namelist", __func__);
> + 	free(all_key);
> +
>   diff --git a/sshd.c b/sshd.c
> -index f8dee0f..2bf8939 100644
> +index 5b9a0b5..b86d682 100644
>   --- a/sshd.c
>   +++ b/sshd.c
>   @@ -66,6 +66,7 @@
> @@ -485,7 +461,7 @@ index f8dee0f..2bf8939 100644
>    #include "openbsd-compat/openssl-compat.h"
>    #endif
>    
> -@@ -1445,6 +1448,18 @@ main(int ac, char **av)
> +@@ -1516,6 +1519,18 @@ main(int ac, char **av)
>    #endif
>    	__progname = ssh_get_progname(av[0]);
>    
> @@ -504,7 +480,7 @@ index f8dee0f..2bf8939 100644
>    	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
>    	saved_argc = ac;
>    	rexec_argc = ac;
> -@@ -1910,6 +1925,10 @@ main(int ac, char **av)
> +@@ -1990,6 +2005,10 @@ main(int ac, char **av)
>    	/* Reinitialize the log (because of the fork above). */
>    	log_init(__progname, options.log_level, options.log_facility, log_stderr);
>    
> @@ -516,7 +492,7 @@ index f8dee0f..2bf8939 100644
>    	   unmounted if desired. */
>    	if (chdir("/") == -1)
>   diff --git a/sshkey.c b/sshkey.c
> -index ef90563..1b1ba01 100644
> +index 57995ee..3fa4274 100644
>   --- a/sshkey.c
>   +++ b/sshkey.c
>   @@ -34,6 +34,7 @@
> @@ -532,10 +508,10 @@ index ef90563..1b1ba01 100644
>    #include "sshkey.h"
>    #include "match.h"
>   +#include "log.h"
> + #include "ssh-sk.h"
>    
>    #ifdef WITH_XMSS
> - #include "sshkey-xmss.h"
> -@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
> +@@ -1597,6 +1599,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
>    	}
>    	if (!BN_set_word(f4, RSA_F4) ||
>    	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
> diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> index 8b74451..c7635b2 100644
> --- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> +++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> @@ -1,4 +1,4 @@
> -From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
> +From bf3211bbff5cb9e1ef588f74844b04e09a9ad2b6 Mon Sep 17 00:00:00 2001
>   From: Hongxu Jia <hongxu.jia@windriver.com>
>   Date: Sat, 21 Dec 2019 13:05:19 +0800
>   Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers
> @@ -18,6 +18,7 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
>   
>   Upstream-Status: Inappropriate [oe specific]
>   Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>   ---
>    Makefile.in    |   7 +-
>    ctr-cavstest.c | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> @@ -25,7 +26,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>    create mode 100644 ctr-cavstest.c
>   
>   diff --git a/Makefile.in b/Makefile.in
> -index 37aec69..1d6e298 100644
> +index 57f94f4..0accd89 100644
>   --- a/Makefile.in
>   +++ b/Makefile.in
>   @@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
> @@ -34,35 +35,35 @@ index 37aec69..1d6e298 100644
>    SSH_KEYSIGN=$(libexecdir)/ssh-keysign
>   +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
>    SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
> + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
>    PRIVSEP_PATH=@PRIVSEP_PATH@
> - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
> -@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
> - MANFMT=@MANFMT@
> - MKDIR_P=@MKDIR_P@
> +@@ -68,7 +69,7 @@ MKDIR_P=@MKDIR_P@
>    
> --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
> -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
> + .SUFFIXES: .lo
> +
> +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
> ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
>    
>    XMSS_OBJS=\
>    	ssh-xmss.o \
> -@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
> - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
> - 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
> +@@ -232,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
> + ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
> + 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
>    
>   +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
>   +	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>   +
> - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
> - 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
> + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
> + 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>    
> -@@ -348,6 +352,7 @@ install-files:
> - 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
> - 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
> +@@ -389,6 +393,7 @@ install-files:
>    	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
> -+	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
>    	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
> + 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
> ++	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
>    	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
>    	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
> + 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
>   diff --git a/ctr-cavstest.c b/ctr-cavstest.c
>   new file mode 100644
>   index 0000000..0d4776b
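Review bot: The refreshed ssh-keyscan context lines in this hunk carry `-lfipscheck`, which upstream openssh 8.2p1's Makefile.in does not have, so this patch only applies after 0001-openssh-8.2p1-fips.patch; the same holds for openssh-6.7p1-kdf-cavs.patch, whose refreshed context assumes the ctr-cavstest target from this patch is already present. Neither inner patch header records that ordering, and the SRC_URI order in openssh_fips.inc is the only thing that currently encodes it. The next refresh against a newer OpenSSH will have to rediscover this when the hunks are rejected out of order. Suggest a line next to `Upstream-Status:` in each header, e.g. `Note: must be applied after 0001-openssh-8.2p1-fips.patch; its -lfipscheck link flags appear as context here.`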
> diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> index 0cbccd7..4a0ae2c 100644
> --- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> +++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> @@ -1,4 +1,4 @@
> -From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
> +From a2c2c21275ea701c2f0ae54bf5945c92860e9208 Mon Sep 17 00:00:00 2001
>   From: Hongxu Jia <hongxu.jia@windriver.com>
>   Date: Sat, 21 Dec 2019 13:08:52 +0800
>   Subject: [PATCH] add KDF CAVS test driver
> @@ -19,6 +19,7 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
>   Upstream-Status: Inappropriate [oe specific]
>   
>   Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
>   ---
>    Makefile.in        |   8 +-
>    ssh-cavs.c         | 387 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> @@ -28,7 +29,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>    create mode 100644 ssh-cavs_driver.pl
>   
>   diff --git a/Makefile.in b/Makefile.in
> -index 1d6e298..be28411 100644
> +index 0accd89..5789323 100644
>   --- a/Makefile.in
>   +++ b/Makefile.in
>   @@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
> @@ -37,36 +38,36 @@ index 1d6e298..be28411 100644
>    CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
>   +SSH_CAVS=$(libexecdir)/ssh-cavs
>    SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
> + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
>    PRIVSEP_PATH=@PRIVSEP_PATH@
> - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
> -@@ -61,7 +62,7 @@ EXEEXT=@EXEEXT@
> - MANFMT=@MANFMT@
> - MKDIR_P=@MKDIR_P@
> +@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@
>    
> --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
> -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
> + .SUFFIXES: .lo
> +
> +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
> ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
>    
>    XMSS_OBJS=\
>    	ssh-xmss.o \
> -@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
> +@@ -236,6 +237,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
>    ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
>    	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>    
> -+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
> -+	$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
> ++	$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
>   +
> - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
> - 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
> + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
> + 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>    
> -@@ -353,6 +357,8 @@ install-files:
> - 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
> - 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
> +@@ -394,6 +398,8 @@ install-files:
> + 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
> + 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
>    	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
>   +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
>   +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
> - 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
>    	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
>    	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
> + 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
>   diff --git a/ssh-cavs.c b/ssh-cavs.c
>   new file mode 100644
>   index 0000000..b74ae7f
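Review bot: The ssh-cavs link rule is the one non-context change in this refresh — `$(SKOBJS)` is added both as a prerequisite and to the link line — yet neither the commit message nor the inner patch header says why it became necessary at 8.2p1. Presumably libssh.a now references the ssh-sk-client symbols and the standalone driver fails to link without them, in which case a short header note such as `ssh-cavs links $(SKOBJS) since 8.2p1 because libssh.a references sk-client symbols` would spare the next refresh the same investigation. If that is the reason, it would also be worth stating why ctr-cavstest in the preceding patch does not need the same objects (presumably it never pulls the key-handling members out of the archive), so a later reader does not treat the two rules as inconsistent.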
> diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
> index 0eafb98..c74532f 100644
> --- a/recipes-connectivity/openssh/openssh_fips.inc
> +++ b/recipes-connectivity/openssh/openssh_fips.inc
> @@ -6,7 +6,7 @@ DEPENDS += " \
>   RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
>   
>   SRC_URI += " \
> -    file://0001-openssh-8.0p1-fips.patch \
> +    file://0001-openssh-8.2p1-fips.patch \
>       file://0001-conditional-enable-fips-mode.patch \
>       file://openssh-6.6p1-ctr-cavstest.patch \
>       file://openssh-6.7p1-kdf-cavs.patch \
>
> 
