* [meta-openssl102-fips][PATCH] openssh: Fix patch to properly apply on 7.9 version found in warrior
@ 2020-01-29 18:47 michael.davis
2020-01-30 2:49 ` [yocto] " Mark Hatle
[not found] ` <15EE8AC7B7888B94.12430@lists.yoctoproject.org>
0 siblings, 2 replies; 4+ messages in thread
From: michael.davis @ 2020-01-29 18:47 UTC (permalink / raw)
To: yocto; +Cc: Davis, Michael
Signed-off-by: Michael Davis <michael.davis@essvote.com>
---
.../openssh/0001-openssh-8.0p1-fips.patch | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
index 30534c7..5ff4eff 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
@@ -270,10 +270,10 @@ Index: git/readconf.c
===================================================================
--- git.orig/readconf.c
+++ git/readconf.c
-@@ -2077,17 +2077,18 @@ fill_default_options(Options * options)
- all_mac = mac_alg_list(',');
+@@ -2178,18 +2178,19 @@ fill_default_options(Options * options)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
+ all_sig = sshkey_alg_list(0, 1, 1, ',');
-#define ASSEMBLE(what, defaults, all) \
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
do { \
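Review bot: the rewritten inner hunk header for readconf.c (`@@ -2178,18 +2178,19 @@`) and the swap of the `all_mac` context line for `all_sig = sshkey_alg_list(0, 1, 1, ',');` are not explained anywhere. The commit message carries only a Signed-off-by, the subject says 7.9 on warrior, and the file being edited is still named 0001-openssh-8.0p1-fips.patch. Please add a message body stating which OpenSSH source tree the new offsets and context were taken from, and whether the change is meant for the warrior branch only.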
@@ -288,11 +288,13 @@ Index: git/readconf.c
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
-+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
+- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
++ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
++ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
++ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
++ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
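Review bot: in the readconf.c ASSEMBLE block the non-FIPS defaults for ciphers, macs and kex_algorithms change from KEX_CLIENT_ENCRYPT, KEX_CLIENT_MAC and KEX_CLIENT_KEX to the KEX_SERVER_* names, in client-side code, with no explanation. The removed upstream line in the same hunk, `ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);`, already uses the server name, so this looks like it follows the target tree, but the commit message should say so. Please confirm the KEX_SERVER_* macros are what unpatched readconf.c uses in the targeted version, so that the non-FIPS client defaults stay identical to upstream.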
@@ -314,10 +316,10 @@ Index: git/servconf.c
===================================================================
--- git.orig/servconf.c
+++ git/servconf.c
-@@ -198,17 +198,18 @@ assemble_algorithms(ServerOptions *o)
- all_mac = mac_alg_list(',');
+@@ -209,18 +209,19 @@ assemble_algorithms(ServerOptions *o)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
+ all_sig = sshkey_alg_list(0, 1, 1, ',');
-#define ASSEMBLE(what, defaults, all) \
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
do { \
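Review bot: the inner servconf.c header becomes `@@ -209,18 +209,19 @@` while the leading context line `all_mac = mac_alg_list(',');` is dropped and the `all_sig` line is added, and those counts must match the body of the inner hunk exactly for patch to accept it. Please state how this was validated. If the header was adjusted by hand, regenerating the inner patch from a patched source tree would be safer, and the message should confirm that do_patch on warrior applies it without fuzz or offset warnings.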
@@ -332,12 +334,14 @@ Index: git/servconf.c
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
+- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
++ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
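Review bot: the new `ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);` line reuses KEX_FIPS_PK_ALG, which every other line in this block pairs with `all_key`, as the FIPS default for a list assembled against `all_sig`. `all_sig` comes from `sshkey_alg_list(0, 1, 1, ',')` and `all_key` from `sshkey_alg_list(0, 0, 1, ',')`, so the two sets are built differently. Please confirm that every name in KEX_FIPS_PK_ALG is also present in `all_sig`, or define a dedicated FIPS list of CA signature algorithms. The same line is added in the readconf.c hunk.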
--
2.24.1
Disclaimer
The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website.
* Re: [yocto] [meta-openssl102-fips][PATCH] openssh: Fix patch to properly apply on 7.9 version found in warrior
2020-01-29 18:47 [meta-openssl102-fips][PATCH] openssh: Fix patch to properly apply on 7.9 version found in warrior michael.davis
@ 2020-01-30 2:49 ` Mark Hatle
[not found] ` <15EE8AC7B7888B94.12430@lists.yoctoproject.org>
1 sibling, 0 replies; 4+ messages in thread
From: Mark Hatle @ 2020-01-30 2:49 UTC (permalink / raw)
To: Davis, Michael, yocto
Should this be applied only to the warrior branch? I don't typically build
warrior branch, but I'm happy to accept patches if you can verify it's working
properly.
--Mark
On 1/29/20 12:47 PM, Davis, Michael wrote:
> Signed-off-by: Michael Davis <michael.davis@essvote.com>
> ---
> .../openssh/0001-openssh-8.0p1-fips.patch | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> index 30534c7..5ff4eff 100644
> --- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
> @@ -270,10 +270,10 @@ Index: git/readconf.c
> ===================================================================
> --- git.orig/readconf.c
> +++ git/readconf.c
> -@@ -2077,17 +2077,18 @@ fill_default_options(Options * options)
> - all_mac = mac_alg_list(',');
> +@@ -2178,18 +2178,19 @@ fill_default_options(Options * options)
> all_kex = kex_alg_list(',');
> all_key = sshkey_alg_list(0, 0, 1, ',');
> + all_sig = sshkey_alg_list(0, 1, 1, ',');
> -#define ASSEMBLE(what, defaults, all) \
> +#define ASSEMBLE(what, defaults, fips_defaults, all) \
> do { \
> @@ -288,11 +288,13 @@ Index: git/readconf.c
> - ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
> - ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
> - ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
> -+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
> -+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
> -+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
> +- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
> ++ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
> ++ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
> ++ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
> + ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> + ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> ++ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
> #undef ASSEMBLE
> free(all_cipher);
> free(all_mac);
> @@ -314,10 +316,10 @@ Index: git/servconf.c
> ===================================================================
> --- git.orig/servconf.c
> +++ git/servconf.c
> -@@ -198,17 +198,18 @@ assemble_algorithms(ServerOptions *o)
> - all_mac = mac_alg_list(',');
> +@@ -209,18 +209,19 @@ assemble_algorithms(ServerOptions *o)
> all_kex = kex_alg_list(',');
> all_key = sshkey_alg_list(0, 0, 1, ',');
> + all_sig = sshkey_alg_list(0, 1, 1, ',');
> -#define ASSEMBLE(what, defaults, all) \
> +#define ASSEMBLE(what, defaults, fips_defaults, all) \
> do { \
> @@ -332,12 +334,14 @@ Index: git/servconf.c
> - ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
> - ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
> - ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
> +- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
> + ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
> + ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
> + ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
> + ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> + ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> + ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
> ++ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
> #undef ASSEMBLE
> free(all_cipher);
> free(all_mac);
> --
> 2.24.1
* Re: [yocto] [meta-openssl102-fips][PATCH] openssh: Fix patch to properly apply on 7.9 version found in warrior
[not found] ` <15EE8AC7B7888B94.12430@lists.yoctoproject.org>
@ 2020-01-30 3:08 ` Mark Hatle
[not found] ` <15EE8B59D258FBDC.13285@lists.yoctoproject.org>
1 sibling, 0 replies; 4+ messages in thread
From: Mark Hatle @ 2020-01-30 3:08 UTC (permalink / raw)
To: Davis, Michael, yocto
On 1/29/20 8:49 PM, Mark Hatle wrote:
> Should this be applied only to the warrior branch? I don't typically build
> warrior branch, but I'm happy to accept patches if you can verify it's working
> properly.
I tried to apply this patch, but unfortunately it's corrupt. Likely by an
Exchange server or Outlook.
If you can, you can generate a pull request at:
https://github.com/mhatle/meta-openssl102-fips
I prefer mailing list, but I realize sometimes employers' infrastructure can make
email more problematic than it otherwise should be.
--Mark
> --Mark
>
> On 1/29/20 12:47 PM, Davis, Michael wrote:
>> Signed-off-by: Michael Davis <michael.davis@essvote.com>
>> ---
>> .../openssh/0001-openssh-8.0p1-fips.patch | 18 +++++++++++-------
>> 1 file changed, 11 insertions(+), 7 deletions(-)
>>
>> diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
>> b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
>> index 30534c7..5ff4eff 100644
>> --- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
>> +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
>> @@ -270,10 +270,10 @@ Index: git/readconf.c
>> ===================================================================
>> --- git.orig/readconf.c
>> +++ git/readconf.c
>> -@@ -2077,17 +2077,18 @@ fill_default_options(Options * options)
>> - all_mac = mac_alg_list(',');
>> +@@ -2178,18 +2178,19 @@ fill_default_options(Options * options)
>> all_kex = kex_alg_list(',');
>> all_key = sshkey_alg_list(0, 0, 1, ',');
>> + all_sig = sshkey_alg_list(0, 1, 1, ',');
>> -#define ASSEMBLE(what, defaults, all) \
>> +#define ASSEMBLE(what, defaults, fips_defaults, all) \
>> do { \
>> @@ -288,11 +288,13 @@ Index: git/readconf.c
>> - ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
>> - ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
>> - ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
>> -+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
>> -+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
>> -+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
>> +- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
>> ++ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
>> ++ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
>> ++ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
>> + ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>> + ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>> ++ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
>> #undef ASSEMBLE
>> free(all_cipher);
>> free(all_mac);
>> @@ -314,10 +316,10 @@ Index: git/servconf.c
>> ===================================================================
>> --- git.orig/servconf.c
>> +++ git/servconf.c
>> -@@ -198,17 +198,18 @@ assemble_algorithms(ServerOptions *o)
>> - all_mac = mac_alg_list(',');
>> +@@ -209,18 +209,19 @@ assemble_algorithms(ServerOptions *o)
>> all_kex = kex_alg_list(',');
>> all_key = sshkey_alg_list(0, 0, 1, ',');
>> + all_sig = sshkey_alg_list(0, 1, 1, ',');
>> -#define ASSEMBLE(what, defaults, all) \
>> +#define ASSEMBLE(what, defaults, fips_defaults, all) \
>> do { \
>> @@ -332,12 +334,14 @@ Index: git/servconf.c
>> - ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
>> - ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
>> - ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
>> +- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
>> + ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
>> + ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
>> + ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
>> + ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>> + ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>> + ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>> ++ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
>> #undef ASSEMBLE
>> free(all_cipher);
>> free(all_mac);
>> --
>> 2.24.1
* Re: [yocto] [meta-openssl102-fips][PATCH] openssh: Fix patch to properly apply on 7.9 version found in warrior
[not found] ` <15EE8B59D258FBDC.13285@lists.yoctoproject.org>
@ 2020-02-01 3:03 ` Mark Hatle
0 siblings, 0 replies; 4+ messages in thread
From: Mark Hatle @ 2020-02-01 3:03 UTC (permalink / raw)
To: Davis, Michael, yocto
Thanks for the pull request.. pushed.
--Mark
On 1/29/20 9:08 PM, Mark Hatle wrote:
>
>
> On 1/29/20 8:49 PM, Mark Hatle wrote:
>> Should this be applied only to the warrior branch? I don't typically build
>> warrior branch, but I'm happy to accept patches if you can verify it's working
>> properly.
>
> I tried to apply this patch, but unfortunately it's corrupt. Likely by an
> Exchange server or Outlook.
>
> If you can, you can generate a pull request at:
>
> https://github.com/mhatle/meta-openssl102-fips
>
> I prefer mailing list, but I realize sometimes employers' infrastructure can make
> email more problematic than it otherwise should be.
>
> --Mark
>
>> --Mark
>>
>> On 1/29/20 12:47 PM, Davis, Michael wrote:
>>> Signed-off-by: Michael Davis <michael.davis@essvote.com>
>>> ---
>>> .../openssh/0001-openssh-8.0p1-fips.patch | 18 +++++++++++-------
>>> 1 file changed, 11 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
>>> b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
>>> index 30534c7..5ff4eff 100644
>>> --- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
>>> +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
>>> @@ -270,10 +270,10 @@ Index: git/readconf.c
>>> ===================================================================
>>> --- git.orig/readconf.c
>>> +++ git/readconf.c
>>> -@@ -2077,17 +2077,18 @@ fill_default_options(Options * options)
>>> - all_mac = mac_alg_list(',');
>>> +@@ -2178,18 +2178,19 @@ fill_default_options(Options * options)
>>> all_kex = kex_alg_list(',');
>>> all_key = sshkey_alg_list(0, 0, 1, ',');
>>> + all_sig = sshkey_alg_list(0, 1, 1, ',');
>>> -#define ASSEMBLE(what, defaults, all) \
>>> +#define ASSEMBLE(what, defaults, fips_defaults, all) \
>>> do { \
>>> @@ -288,11 +288,13 @@ Index: git/readconf.c
>>> - ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
>>> - ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
>>> - ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
>>> -+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
>>> -+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
>>> -+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
>>> +- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
>>> ++ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
>>> ++ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
>>> ++ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
>>> + ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>>> + ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>>> ++ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
>>> #undef ASSEMBLE
>>> free(all_cipher);
>>> free(all_mac);
>>> @@ -314,10 +316,10 @@ Index: git/servconf.c
>>> ===================================================================
>>> --- git.orig/servconf.c
>>> +++ git/servconf.c
>>> -@@ -198,17 +198,18 @@ assemble_algorithms(ServerOptions *o)
>>> - all_mac = mac_alg_list(',');
>>> +@@ -209,18 +209,19 @@ assemble_algorithms(ServerOptions *o)
>>> all_kex = kex_alg_list(',');
>>> all_key = sshkey_alg_list(0, 0, 1, ',');
>>> + all_sig = sshkey_alg_list(0, 1, 1, ',');
>>> -#define ASSEMBLE(what, defaults, all) \
>>> +#define ASSEMBLE(what, defaults, fips_defaults, all) \
>>> do { \
>>> @@ -332,12 +334,14 @@ Index: git/servconf.c
>>> - ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
>>> - ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
>>> - ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
>>> +- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
>>> + ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
>>> + ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
>>> + ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
>>> + ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>>> + ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>>> + ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
>>> ++ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
>>> #undef ASSEMBLE
>>> free(all_cipher);
>>> free(all_mac);
>>> --
>>> 2.24.1