* Re: [yocto] [meta-openssl102-fips][PATCH V2] openssh: refresh patches to 8.2p1
[not found] <15F51207A66311A8.18319@lists.yoctoproject.org>
@ 2020-03-27 1:55 ` Yi Zhao
0 siblings, 0 replies; only message in thread
From: Yi Zhao @ 2020-03-27 1:55 UTC (permalink / raw)
To: yocto, mark.hatle
[-- Attachment #1: Type: text/plain, Size: 41112 bytes --]
Ping
On 2/20/20 5:24 PM, Yi Zhao wrote:
> Refresh patches to openssh-8.2p1.
> Reference:
> http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
> (commit 51f5c1c99f1d20e48328edde666061d0ce0da83b)
>
> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
> .../0001-conditional-enable-fips-mode.patch | 54 ++--
> ...ps.patch => 0001-openssh-8.2p1-fips.patch} | 300 ++++++++----------
> .../openssh/openssh-6.6p1-ctr-cavstest.patch | 35 +-
> .../openssh/openssh-6.7p1-kdf-cavs.patch | 35 +-
> recipes-connectivity/openssh/openssh_fips.inc | 2 +-
> 5 files changed, 202 insertions(+), 224 deletions(-)
> rename recipes-connectivity/openssh/openssh/{0001-openssh-8.0p1-fips.patch => 0001-openssh-8.2p1-fips.patch} (57%)
>
> diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> index a0f496a..942fda6 100644
> --- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> +++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
> @@ -1,4 +1,4 @@
> -From 60204df9d1f54f581f9ddc5443228550cadd4b4b Mon Sep 17 00:00:00 2001
> +From ef6490841a73b4f71ca35e09328c6a8b0ad9dba9 Mon Sep 17 00:00:00 2001
> From: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sat, 21 Dec 2019 13:03:23 +0800
> Subject: [PATCH] conditional enable fips mode
> @@ -56,10 +56,10 @@ index 359204f..346255a 100644
> log_init(__progname, log_level, log_facility, log_stderr);
>
> diff --git a/sftp.c b/sftp.c
> -index b66037f..ca263ac 100644
> +index ff14d3c..a633200 100644
> --- a/sftp.c
> +++ b/sftp.c
> -@@ -2387,6 +2387,7 @@ main(int argc, char **argv)
> +@@ -2390,6 +2390,7 @@ main(int argc, char **argv)
> size_t num_requests = DEFAULT_NUM_REQUESTS;
> long long limit_kbps = 0;
>
> @@ -68,10 +68,10 @@ index b66037f..ca263ac 100644
> sanitise_stdfd();
> msetlocale();
> diff --git a/ssh-add.c b/ssh-add.c
> -index ebfb8a3..b7d59bc 100644
> +index 8057eb1..19f3da2 100644
> --- a/ssh-add.c
> +++ b/ssh-add.c
> -@@ -577,6 +577,7 @@ main(int argc, char **argv)
> +@@ -628,6 +628,7 @@ main(int argc, char **argv)
> SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
> LogLevel log_level = SYSLOG_LEVEL_INFO;
>
> @@ -80,10 +80,10 @@ index ebfb8a3..b7d59bc 100644
> sanitise_stdfd();
>
> diff --git a/ssh-agent.c b/ssh-agent.c
> -index 9c6680a..d701479 100644
> +index 7eb6f0d..1409044 100644
> --- a/ssh-agent.c
> +++ b/ssh-agent.c
> -@@ -1104,6 +1104,7 @@ main(int ac, char **av)
> +@@ -1196,6 +1196,7 @@ main(int ac, char **av)
> size_t npfd = 0;
> u_int maxfds;
>
> @@ -92,10 +92,10 @@ index 9c6680a..d701479 100644
> sanitise_stdfd();
>
> diff --git a/ssh-keygen.c b/ssh-keygen.c
> -index cb4982d..84dd269 100644
> +index feafe73..9b832f6 100644
> --- a/ssh-keygen.c
> +++ b/ssh-keygen.c
> -@@ -2800,6 +2800,7 @@ main(int argc, char **argv)
> +@@ -3140,6 +3140,7 @@ main(int argc, char **argv)
> extern int optind;
> extern char *optarg;
>
> @@ -104,10 +104,10 @@ index cb4982d..84dd269 100644
> sanitise_stdfd();
>
> diff --git a/ssh-keyscan.c b/ssh-keyscan.c
> -index 5de0508..0644261 100644
> +index a5e6440..e56a9d1 100644
> --- a/ssh-keyscan.c
> +++ b/ssh-keyscan.c
> -@@ -663,6 +663,7 @@ main(int argc, char **argv)
> +@@ -675,6 +675,7 @@ main(int argc, char **argv)
> extern int optind;
> extern char *optarg;
>
> @@ -116,7 +116,7 @@ index 5de0508..0644261 100644
> seed_rng();
> TAILQ_INIT(&tq);
> diff --git a/ssh-keysign.c b/ssh-keysign.c
> -index 6cfd5b4..23cf403 100644
> +index 3e3ea3e..4804c42 100644
> --- a/ssh-keysign.c
> +++ b/ssh-keysign.c
> @@ -173,6 +173,7 @@ main(int argc, char **argv)
> @@ -128,10 +128,10 @@ index 6cfd5b4..23cf403 100644
> fatal("%s: pledge: %s", __progname, strerror(errno));
>
> diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
> -index 3bcc244..6a78a1a 100644
> +index 17220d6..1af0c2e 100644
> --- a/ssh-pkcs11-helper.c
> +++ b/ssh-pkcs11-helper.c
> -@@ -325,6 +325,7 @@ main(int argc, char **argv)
> +@@ -332,6 +332,7 @@ main(int argc, char **argv)
> extern char *__progname;
> struct pollfd pfd[2];
>
> @@ -140,22 +140,22 @@ index 3bcc244..6a78a1a 100644
> seed_rng();
> TAILQ_INIT(&pkcs11_keylist);
> diff --git a/ssh.c b/ssh.c
> -index 0724df4..9178673 100644
> +index 49331fc..06836dd 100644
> --- a/ssh.c
> +++ b/ssh.c
> -@@ -598,6 +598,7 @@ main(int ac, char **av)
> - struct ssh_digest_ctx *md;
> +@@ -606,6 +606,7 @@ main(int ac, char **av)
> u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
> + size_t n, len;
>
> + ssh_enable_fips_mode();
> /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
> sanitise_stdfd();
>
> diff --git a/sshd.c b/sshd.c
> -index 2bf8939..c75e34a 100644
> +index b86d682..304bf01 100644
> --- a/sshd.c
> +++ b/sshd.c
> -@@ -1443,6 +1443,7 @@ main(int ac, char **av)
> +@@ -1514,6 +1514,7 @@ main(int ac, char **av)
> Authctxt *authctxt;
> struct connection_info *connection_info = NULL;
>
> @@ -164,7 +164,7 @@ index 2bf8939..c75e34a 100644
> (void)set_auth_parameters(ac, av);
> #endif
> diff --git a/xmalloc.c b/xmalloc.c
> -index 9cd0127..e2f8145 100644
> +index b48d33b..456a063 100644
> --- a/xmalloc.c
> +++ b/xmalloc.c
> @@ -23,6 +23,10 @@
> @@ -178,9 +178,9 @@ index 9cd0127..e2f8145 100644
> #include "xmalloc.h"
> #include "log.h"
>
> -@@ -110,3 +114,19 @@ xasprintf(char **ret, const char *fmt, ...)
> -
> - return (i);
> +@@ -117,3 +121,19 @@ xasprintf(char **ret, const char *fmt, ...)
> + va_end(ap);
> + return i;
> }
> +
> +void
> @@ -199,13 +199,13 @@ index 9cd0127..e2f8145 100644
> + }
> +}
> diff --git a/xmalloc.h b/xmalloc.h
> -index 1d5f62d..d71b8a8 100644
> +index abaf7ad..b3b1c8c 100644
> --- a/xmalloc.h
> +++ b/xmalloc.h
> -@@ -24,3 +24,4 @@ char *xstrdup(const char *);
> - int xasprintf(char **, const char *, ...)
> - __attribute__((__format__ (printf, 2, 3)))
> +@@ -26,3 +26,4 @@ int xasprintf(char **, const char *, ...)
> __attribute__((__nonnull__ (2)));
> + int xvasprintf(char **, const char *, va_list)
> + __attribute__((__nonnull__ (2)));
> +void ssh_enable_fips_mode(void);
> --
> 2.7.4
> diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
> similarity index 57%
> rename from recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> rename to recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
> index 0e35e31..c1de130 100644
> --- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
> @@ -1,7 +1,7 @@
> -From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
> +From c51dd44e1c594ddeb3a27ae5d9be2899e4bf2ac6 Mon Sep 17 00:00:00 2001
> From: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sat, 21 Dec 2019 11:45:38 +0800
> -Subject: [PATCH] openssh 8.0p1 fips
> +Subject: [PATCH] openssh 8.2p1 fips
>
> Port openssh-7.7p1-fips.patch from Fedora
> https://src.fedoraproject.org/rpms/openssh.git
> @@ -10,30 +10,33 @@ https://src.fedoraproject.org/rpms/openssh.git
> Upstream-Status: Inappropriate [oe specific]
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +
> +Rebase to 8.2p1
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
> Makefile.in | 14 +++++++-------
> cipher-ctr.c | 3 ++-
> - clientloop.c | 3 ++-
> + clientloop.c | 2 +-
> dh.c | 40 ++++++++++++++++++++++++++++++++++++++++
> dh.h | 1 +
> kex.c | 5 ++++-
> kexgexc.c | 5 +++++
> - myproposal.h | 40 ++++++++++++++++++++++++++++++++++++++++
> - readconf.c | 17 +++++++++--------
> + myproposal.h | 35 +++++++++++++++++++++++++++++++++++
> + readconf.c | 15 ++++++++++-----
> sandbox-seccomp-filter.c | 3 +++
> - servconf.c | 19 ++++++++++---------
> - ssh-keygen.c | 17 ++++++++++++++++-
> + servconf.c | 15 ++++++++++-----
> + ssh-keygen.c | 16 +++++++++++++++-
> ssh.c | 16 ++++++++++++++++
> - sshconnect2.c | 11 ++++++++---
> + sshconnect2.c | 8 ++++++--
> sshd.c | 19 +++++++++++++++++++
> sshkey.c | 4 ++++
> - 16 files changed, 186 insertions(+), 31 deletions(-)
> + 16 files changed, 178 insertions(+), 23 deletions(-)
>
> diff --git a/Makefile.in b/Makefile.in
> -index adb1977..37aec69 100644
> +index e754947..57f94f4 100644
> --- a/Makefile.in
> +++ b/Makefile.in
> -@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
> +@@ -206,25 +206,25 @@ libssh.a: $(LIBSSH_OBJS)
> $(RANLIB) $@
>
> ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
> @@ -44,34 +47,36 @@ index adb1977..37aec69 100644
> - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
> + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
>
> - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
> - $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> + scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
> + $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
>
> - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
> -- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
> +- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>
> - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
> -- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
> +- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>
> - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
> -- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
> +- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>
> - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
> -- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> -+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
> + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
> +- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
>
> - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
> - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
> + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
> + $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
> +@@ -233,7 +233,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
> + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
>
> - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
> -- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
> -+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
> + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
> +- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
> ++ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>
> - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
> - $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
> + $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> diff --git a/cipher-ctr.c b/cipher-ctr.c
> index 32771f2..74fac3b 100644
> --- a/cipher-ctr.c
> @@ -87,16 +92,15 @@ index 32771f2..74fac3b 100644
> return (&aes_ctr);
> }
> diff --git a/clientloop.c b/clientloop.c
> -index b5a1f70..0b675fe 100644
> +index ebd0dbc..b3e0c19 100644
> --- a/clientloop.c
> +++ b/clientloop.c
> -@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
> +@@ -2083,7 +2083,7 @@ static int
> + key_accepted_by_hostkeyalgs(const struct sshkey *key)
> {
> const char *ktype = sshkey_ssh_name(key);
> - const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
> -- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
> -+ options.hostkeyalgorithms : (FIPS_mode() ?
> -+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
> +- const char *hostkeyalgs = options.hostkeyalgorithms;
> ++ const char *hostkeyalgs = (FIPS_mode() ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms);
>
> if (key == NULL || key->type == KEY_UNSPEC)
> return 0;
> @@ -169,10 +173,10 @@ index 5d6df62..54c7aa2 100644
> u_int dh_estimate(int);
>
> diff --git a/kex.c b/kex.c
> -index 49d7015..f1f982d 100644
> +index ce85f04..9cc14de 100644
> --- a/kex.c
> +++ b/kex.c
> -@@ -161,7 +161,10 @@ kex_names_valid(const char *names)
> +@@ -163,7 +163,10 @@ kex_names_valid(const char *names)
> for ((p = strsep(&cp, ",")); p && *p != '\0';
> (p = strsep(&cp, ","))) {
> if (kex_alg_by_name(p) == NULL) {
> @@ -185,7 +189,7 @@ index 49d7015..f1f982d 100644
> return 0;
> }
> diff --git a/kexgexc.c b/kexgexc.c
> -index 1c65b8a..b6b25bf 100644
> +index 323a659..812112d 100644
> --- a/kexgexc.c
> +++ b/kexgexc.c
> @@ -28,6 +28,7 @@
> @@ -208,97 +212,86 @@ index 1c65b8a..b6b25bf 100644
>
> /* generate and send 'e', client DH public key */
> diff --git a/myproposal.h b/myproposal.h
> -index 34bd10c..a3ae74b 100644
> +index 5312e60..d0accae 100644
> --- a/myproposal.h
> +++ b/myproposal.h
> -@@ -111,6 +111,14 @@
> +@@ -57,6 +57,20 @@
> "rsa-sha2-256," \
> "ssh-rsa"
>
> +#define KEX_FIPS_PK_ALG \
> -+ HOSTKEY_ECDSA_CERT_METHODS \
> ++ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
> ++ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
> ++ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
> ++ "rsa-sha2-512-cert-v01@openssh.com," \
> ++ "rsa-sha2-256-cert-v01@openssh.com," \
> + "ssh-rsa-cert-v01@openssh.com," \
> -+ HOSTKEY_ECDSA_METHODS \
> ++ "ecdsa-sha2-nistp256," \
> ++ "ecdsa-sha2-nistp384," \
> ++ "ecdsa-sha2-nistp521," \
> + "rsa-sha2-512," \
> + "rsa-sha2-256," \
> + "ssh-rsa"
> +
> - /* the actual algorithms */
> -
> - #define KEX_SERVER_ENCRYPT \
> -@@ -134,6 +142,38 @@
> + #define KEX_SERVER_ENCRYPT \
> + "chacha20-poly1305@openssh.com," \
> + "aes128-ctr,aes192-ctr,aes256-ctr," \
> +@@ -78,6 +92,27 @@
>
> #define KEX_CLIENT_MAC KEX_SERVER_MAC
>
> +#define KEX_FIPS_ENCRYPT \
> + "aes128-ctr,aes192-ctr,aes256-ctr," \
> + "aes128-cbc,3des-cbc," \
> -+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
> -+ AESGCM_CIPHER_MODES
> -+#ifdef HAVE_EVP_SHA256
> -+# define KEX_DEFAULT_KEX_FIPS \
> -+ KEX_ECDH_METHODS \
> -+ KEX_SHA2_METHODS \
> ++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
> ++ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
> ++#define KEX_DEFAULT_KEX_FIPS \
> ++ "ecdh-sha2-nistp256," \
> ++ "ecdh-sha2-nistp384," \
> ++ "ecdh-sha2-nistp521," \
> ++ "diffie-hellman-group-exchange-sha256," \
> ++ "diffie-hellman-group16-sha512," \
> ++ "diffie-hellman-group18-sha512," \
> + "diffie-hellman-group14-sha256"
> -+# define KEX_FIPS_MAC \
> ++#define KEX_FIPS_MAC \
> + "hmac-sha1," \
> + "hmac-sha2-256," \
> + "hmac-sha2-512," \
> + "hmac-sha1-etm@openssh.com," \
> + "hmac-sha2-256-etm@openssh.com," \
> + "hmac-sha2-512-etm@openssh.com"
> -+#else
> -+# ifdef OPENSSL_HAS_NISTP521
> -+# define KEX_DEFAULT_KEX_FIPS \
> -+ "ecdh-sha2-nistp256," \
> -+ "ecdh-sha2-nistp384," \
> -+ "ecdh-sha2-nistp521"
> -+# else
> -+# define KEX_DEFAULT_KEX_FIPS \
> -+ "ecdh-sha2-nistp256," \
> -+ "ecdh-sha2-nistp384"
> -+# endif
> -+#define KEX_FIPS_MAC \
> -+ "hmac-sha1"
> -+#endif
> +
> /* Not a KEX value, but here so all the algorithm defaults are together */
> #define SSH_ALLOWED_CA_SIGALGS \
> - HOSTKEY_ECDSA_METHODS \
> + "ecdsa-sha2-nistp256," \
> diff --git a/readconf.c b/readconf.c
> -index f78b4d6..2f56ed2 100644
> +index f3cac6b..26b9a59 100644
> --- a/readconf.c
> +++ b/readconf.c
> -@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
> - all_kex = kex_alg_list(',');
> +@@ -2187,11 +2187,16 @@ fill_default_options(Options * options)
> all_key = sshkey_alg_list(0, 0, 1, ',');
> all_sig = sshkey_alg_list(0, 1, 1, ',');
> --#define ASSEMBLE(what, defaults, all) \
> -+#define ASSEMBLE(what, defaults, fips_defaults, all) \
> + /* remove unsupported algos from default lists */
> +- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
> +- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
> +- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
> +- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
> +- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
> ++ def_cipher = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
> ++ def_mac = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
> ++ def_kex = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
> ++ def_key = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
> ++ def_sig = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
> + #define ASSEMBLE(what, defaults, all) \
> do { \
> if ((r = kex_assemble_names(&options->what, \
> -- defaults, all)) != 0) \
> -+ (FIPS_mode() ? fips_defaults : defaults), \
> -+ all)) != 0) \
> - fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
> - } while (0)
> -- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
> -- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
> -- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
> -- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
> -- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
> -- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
> -+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
> -+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
> -+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
> -+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
> - #undef ASSEMBLE
> - free(all_cipher);
> - free(all_mac);
> diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> -index b5cda70..f0607a3 100644
> +index f80981f..00702a7 100644
> --- a/sandbox-seccomp-filter.c
> +++ b/sandbox-seccomp-filter.c
> @@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
> @@ -312,43 +305,36 @@ index b5cda70..f0607a3 100644
> SC_DENY(__NR_openat, EACCES),
> #endif
> diff --git a/servconf.c b/servconf.c
> -index e76f9c3..591d437 100644
> +index 70f5f73..815beaf 100644
> --- a/servconf.c
> +++ b/servconf.c
> -@@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
> - all_kex = kex_alg_list(',');
> +@@ -212,11 +212,16 @@ assemble_algorithms(ServerOptions *o)
> all_key = sshkey_alg_list(0, 0, 1, ',');
> all_sig = sshkey_alg_list(0, 1, 1, ',');
> --#define ASSEMBLE(what, defaults, all) \
> -+#define ASSEMBLE(what, defaults, fips_defaults, all) \
> + /* remove unsupported algos from default lists */
> +- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
> +- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
> +- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
> +- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
> +- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
> ++ def_cipher = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
> ++ def_mac = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
> ++ def_kex = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
> ++ def_key = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
> ++ def_sig = match_filter_whitelist((FIPS_mode() ?
> ++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
> + #define ASSEMBLE(what, defaults, all) \
> do { \
> -- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
> -+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
> -+ ? fips_defaults : defaults), all)) != 0) \
> - fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
> - } while (0)
> -- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
> -- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
> -- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
> -- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
> -- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
> -- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
> -- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
> -+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
> -+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
> -+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
> -+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> -+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
> - #undef ASSEMBLE
> - free(all_cipher);
> - free(all_mac);
> + if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
> diff --git a/ssh-keygen.c b/ssh-keygen.c
> -index 8c829ca..cb4982d 100644
> +index 0d6ed1f..feafe73 100644
> --- a/ssh-keygen.c
> +++ b/ssh-keygen.c
> -@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
> +@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
> #endif
> }
> #ifdef WITH_OPENSSL
> @@ -361,17 +347,16 @@ index 8c829ca..cb4982d 100644
> switch (type) {
> case KEY_DSA:
> if (*bitsp != 1024)
> -@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
> +@@ -1088,9 +1094,17 @@ do_gen_all_hostkeys(struct passwd *pw)
> first = 1;
> printf("%s: generating new host keys: ", __progname);
> }
> -+
> + type = sshkey_type_from_name(key_types[i].key_type);
> +
> + /* Skip the keys that are not supported in FIPS mode */
> + if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
> + logit("Skipping %s key in FIPS mode",
> -+ key_types[i].key_type_display);
> ++ key_types[i].key_type_display);
> + goto next;
> + }
> +
> @@ -382,10 +367,10 @@ index 8c829ca..cb4982d 100644
> error("Could not save your public key in %s: %s",
> prv_tmp, strerror(errno));
> diff --git a/ssh.c b/ssh.c
> -index ee51823..0724df4 100644
> +index 15aee56..49331fc 100644
> --- a/ssh.c
> +++ b/ssh.c
> -@@ -76,6 +76,8 @@
> +@@ -77,6 +77,8 @@
> #include <openssl/evp.h>
> #include <openssl/err.h>
> #endif
> @@ -394,7 +379,7 @@ index ee51823..0724df4 100644
> #include "openbsd-compat/openssl-compat.h"
> #include "openbsd-compat/sys-queue.h"
>
> -@@ -600,6 +602,16 @@ main(int ac, char **av)
> +@@ -608,6 +610,16 @@ main(int ac, char **av)
> sanitise_stdfd();
>
> __progname = ssh_get_progname(av[0]);
> @@ -411,7 +396,7 @@ index ee51823..0724df4 100644
>
> #ifndef HAVE_SETPROCTITLE
> /* Prepare for later setproctitle emulation */
> -@@ -614,6 +626,10 @@ main(int ac, char **av)
> +@@ -622,6 +634,10 @@ main(int ac, char **av)
>
> seed_rng();
>
> @@ -423,7 +408,7 @@ index ee51823..0724df4 100644
> * Discard other fds that are hanging around. These can cause problem
> * with backgrounded ssh processes started by ControlPersist.
> diff --git a/sshconnect2.c b/sshconnect2.c
> -index 87fa70a..a42aacb 100644
> +index af00fb3..639fc51 100644
> --- a/sshconnect2.c
> +++ b/sshconnect2.c
> @@ -44,6 +44,8 @@
> @@ -435,37 +420,28 @@ index 87fa70a..a42aacb 100644
> #include "openbsd-compat/sys-queue.h"
>
> #include "xmalloc.h"
> -@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> +@@ -119,7 +121,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
> for (i = 0; i < options.num_system_hostfiles; i++)
> load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
>
> -- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
> +- oavail = avail = xstrdup(options.hostkeyalgorithms);
> + oavail = avail = xstrdup((FIPS_mode()
> -+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
> ++ ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms));
> maxlen = strlen(avail) + 1;
> first = xmalloc(maxlen);
> last = xmalloc(maxlen);
> -@@ -179,14 +182,16 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
> - if (options.hostkeyalgorithms != NULL) {
> - all_key = sshkey_alg_list(0, 0, 1, ',');
> - if (kex_assemble_names(&options.hostkeyalgorithms,
> -- KEX_DEFAULT_PK_ALG, all_key) != 0)
> -+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
> -+ all_key) != 0)
> - fatal("%s: kex_assemble_namelist", __func__);
> - free(all_key);
> - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
> - compat_pkalg_proposal(options.hostkeyalgorithms);
> - } else {
> - /* Enforce default */
> -- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
> -+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
> -+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
> - /* Prefer algorithms that we already have keys for */
> - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
> - compat_pkalg_proposal(
> +@@ -179,7 +182,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
> + /* Expand or fill in HostkeyAlgorithms */
> + all_key = sshkey_alg_list(0, 0, 1, ',');
> + if (kex_assemble_names(&options.hostkeyalgorithms,
> +- kex_default_pk_alg(), all_key) != 0)
> ++ (FIPS_mode() ? KEX_FIPS_PK_ALG : kex_default_pk_alg()),
> ++ all_key) != 0)
> + fatal("%s: kex_assemble_namelist", __func__);
> + free(all_key);
> +
> diff --git a/sshd.c b/sshd.c
> -index f8dee0f..2bf8939 100644
> +index 5b9a0b5..b86d682 100644
> --- a/sshd.c
> +++ b/sshd.c
> @@ -66,6 +66,7 @@
> @@ -485,7 +461,7 @@ index f8dee0f..2bf8939 100644
> #include "openbsd-compat/openssl-compat.h"
> #endif
>
> -@@ -1445,6 +1448,18 @@ main(int ac, char **av)
> +@@ -1516,6 +1519,18 @@ main(int ac, char **av)
> #endif
> __progname = ssh_get_progname(av[0]);
>
> @@ -504,7 +480,7 @@ index f8dee0f..2bf8939 100644
> /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
> saved_argc = ac;
> rexec_argc = ac;
> -@@ -1910,6 +1925,10 @@ main(int ac, char **av)
> +@@ -1990,6 +2005,10 @@ main(int ac, char **av)
> /* Reinitialize the log (because of the fork above). */
> log_init(__progname, options.log_level, options.log_facility, log_stderr);
>
> @@ -516,7 +492,7 @@ index f8dee0f..2bf8939 100644
> unmounted if desired. */
> if (chdir("/") == -1)
> diff --git a/sshkey.c b/sshkey.c
> -index ef90563..1b1ba01 100644
> +index 57995ee..3fa4274 100644
> --- a/sshkey.c
> +++ b/sshkey.c
> @@ -34,6 +34,7 @@
> @@ -532,10 +508,10 @@ index ef90563..1b1ba01 100644
> #include "sshkey.h"
> #include "match.h"
> +#include "log.h"
> + #include "ssh-sk.h"
>
> #ifdef WITH_XMSS
> - #include "sshkey-xmss.h"
> -@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
> +@@ -1597,6 +1599,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
> }
> if (!BN_set_word(f4, RSA_F4) ||
> !RSA_generate_key_ex(private, bits, f4, NULL)) {
> diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> index 8b74451..c7635b2 100644
> --- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> +++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
> @@ -1,4 +1,4 @@
> -From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
> +From bf3211bbff5cb9e1ef588f74844b04e09a9ad2b6 Mon Sep 17 00:00:00 2001
> From: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sat, 21 Dec 2019 13:05:19 +0800
> Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers
> @@ -18,6 +18,7 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
>
> Upstream-Status: Inappropriate [oe specific]
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
> Makefile.in | 7 +-
> ctr-cavstest.c | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> @@ -25,7 +26,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> create mode 100644 ctr-cavstest.c
>
> diff --git a/Makefile.in b/Makefile.in
> -index 37aec69..1d6e298 100644
> +index 57f94f4..0accd89 100644
> --- a/Makefile.in
> +++ b/Makefile.in
> @@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
> @@ -34,35 +35,35 @@ index 37aec69..1d6e298 100644
> SSH_KEYSIGN=$(libexecdir)/ssh-keysign
> +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
> SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
> + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
> PRIVSEP_PATH=@PRIVSEP_PATH@
> - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
> -@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
> - MANFMT=@MANFMT@
> - MKDIR_P=@MKDIR_P@
> +@@ -68,7 +69,7 @@ MKDIR_P=@MKDIR_P@
>
> --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
> -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
> + .SUFFIXES: .lo
> +
> +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
> ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
>
> XMSS_OBJS=\
> ssh-xmss.o \
> -@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
> - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
> - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
> +@@ -232,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
> + ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
> + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
>
> +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
> + $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
> +
> - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
> - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
> + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
> + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>
> -@@ -348,6 +352,7 @@ install-files:
> - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
> - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
> +@@ -389,6 +393,7 @@ install-files:
> $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
> -+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
> $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
> + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
> ++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
> $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
> $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
> + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
> diff --git a/ctr-cavstest.c b/ctr-cavstest.c
> new file mode 100644
> index 0000000..0d4776b
> diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> index 0cbccd7..4a0ae2c 100644
> --- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> +++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
> @@ -1,4 +1,4 @@
> -From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
> +From a2c2c21275ea701c2f0ae54bf5945c92860e9208 Mon Sep 17 00:00:00 2001
> From: Hongxu Jia <hongxu.jia@windriver.com>
> Date: Sat, 21 Dec 2019 13:08:52 +0800
> Subject: [PATCH] add KDF CAVS test driver
> @@ -19,6 +19,7 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
> Upstream-Status: Inappropriate [oe specific]
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
> ---
> Makefile.in | 8 +-
> ssh-cavs.c | 387 +++++++++++++++++++++++++++++++++++++++++++++++++++++
> @@ -28,7 +29,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> create mode 100644 ssh-cavs_driver.pl
>
> diff --git a/Makefile.in b/Makefile.in
> -index 1d6e298..be28411 100644
> +index 0accd89..5789323 100644
> --- a/Makefile.in
> +++ b/Makefile.in
> @@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
> @@ -37,36 +38,36 @@ index 1d6e298..be28411 100644
> CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
> +SSH_CAVS=$(libexecdir)/ssh-cavs
> SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
> + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
> PRIVSEP_PATH=@PRIVSEP_PATH@
> - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
> -@@ -61,7 +62,7 @@ EXEEXT=@EXEEXT@
> - MANFMT=@MANFMT@
> - MKDIR_P=@MKDIR_P@
> +@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@
>
> --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
> -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
> + .SUFFIXES: .lo
> +
> +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
> ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
>
> XMSS_OBJS=\
> ssh-xmss.o \
> -@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
> +@@ -236,6 +237,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
> ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
> $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>
> -+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
> -+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> ++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
> ++ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> +
> - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
> - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
> + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
> + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
>
> -@@ -353,6 +357,8 @@ install-files:
> - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
> - $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
> +@@ -394,6 +398,8 @@ install-files:
> + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
> + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
> $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
> + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
> + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
> - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
> $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
> $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
> + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
> diff --git a/ssh-cavs.c b/ssh-cavs.c
> new file mode 100644
> index 0000000..b74ae7f
> diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
> index 0eafb98..c74532f 100644
> --- a/recipes-connectivity/openssh/openssh_fips.inc
> +++ b/recipes-connectivity/openssh/openssh_fips.inc
> @@ -6,7 +6,7 @@ DEPENDS += " \
> RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
>
> SRC_URI += " \
> - file://0001-openssh-8.0p1-fips.patch \
> + file://0001-openssh-8.2p1-fips.patch \
> file://0001-conditional-enable-fips-mode.patch \
> file://openssh-6.6p1-ctr-cavstest.patch \
> file://openssh-6.7p1-kdf-cavs.patch \
>
>
[-- Attachment #2: Type: text/html, Size: 43081 bytes --]
^ permalink raw reply [flat|nested] only message in thread