Refresh patches to openssh-8.2p1. Reference: http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch (commit 51f5c1c99f1d20e48328edde666061d0ce0da83b)
Signed-off-by: Yi Zhao <yi.z...@windriver.com> --- .../0001-conditional-enable-fips-mode.patch | 54 ++-- ...ps.patch => 0001-openssh-8.2p1-fips.patch} | 300 ++++++++---------- .../openssh/openssh-6.6p1-ctr-cavstest.patch | 35 +- .../openssh/openssh-6.7p1-kdf-cavs.patch | 35 +- recipes-connectivity/openssh/openssh_fips.inc | 2 +- 5 files changed, 202 insertions(+), 224 deletions(-) rename recipes-connectivity/openssh/openssh/{0001-openssh-8.0p1-fips.patch => 0001-openssh-8.2p1-fips.patch} (57%) diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch index a0f496a..942fda6 100644 --- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch +++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch @@ -1,4 +1,4 @@ -From 60204df9d1f54f581f9ddc5443228550cadd4b4b Mon Sep 17 00:00:00 2001 +From ef6490841a73b4f71ca35e09328c6a8b0ad9dba9 Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu....@windriver.com> Date: Sat, 21 Dec 2019 13:03:23 +0800 Subject: [PATCH] conditional enable fips mode @@ -56,10 +56,10 @@ index 359204f..346255a 100644 log_init(__progname, log_level, log_facility, log_stderr); diff --git a/sftp.c b/sftp.c -index b66037f..ca263ac 100644 +index ff14d3c..a633200 100644 --- a/sftp.c +++ b/sftp.c -@@ -2387,6 +2387,7 @@ main(int argc, char **argv) +@@ -2390,6 +2390,7 @@ main(int argc, char **argv) size_t num_requests = DEFAULT_NUM_REQUESTS; long long limit_kbps = 0; @@ -68,10 +68,10 @@ index b66037f..ca263ac 100644 sanitise_stdfd(); msetlocale(); diff --git a/ssh-add.c b/ssh-add.c -index ebfb8a3..b7d59bc 100644 +index 8057eb1..19f3da2 100644 --- a/ssh-add.c +++ b/ssh-add.c -@@ -577,6 +577,7 @@ main(int argc, char **argv) +@@ -628,6 +628,7 @@ main(int argc, char **argv) SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; LogLevel log_level = SYSLOG_LEVEL_INFO; 
@@ -80,10 +80,10 @@ index ebfb8a3..b7d59bc 100644 sanitise_stdfd(); diff --git a/ssh-agent.c b/ssh-agent.c -index 9c6680a..d701479 100644 +index 7eb6f0d..1409044 100644 --- a/ssh-agent.c +++ b/ssh-agent.c -@@ -1104,6 +1104,7 @@ main(int ac, char **av) +@@ -1196,6 +1196,7 @@ main(int ac, char **av) size_t npfd = 0; u_int maxfds; @@ -92,10 +92,10 @@ index 9c6680a..d701479 100644 sanitise_stdfd(); diff --git a/ssh-keygen.c b/ssh-keygen.c -index cb4982d..84dd269 100644 +index feafe73..9b832f6 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c -@@ -2800,6 +2800,7 @@ main(int argc, char **argv) +@@ -3140,6 +3140,7 @@ main(int argc, char **argv) extern int optind; extern char *optarg; @@ -104,10 +104,10 @@ index cb4982d..84dd269 100644 sanitise_stdfd(); diff --git a/ssh-keyscan.c b/ssh-keyscan.c -index 5de0508..0644261 100644 +index a5e6440..e56a9d1 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c -@@ -663,6 +663,7 @@ main(int argc, char **argv) +@@ -675,6 +675,7 @@ main(int argc, char **argv) extern int optind; extern char *optarg; @@ -116,7 +116,7 @@ index 5de0508..0644261 100644 seed_rng(); TAILQ_INIT(&tq); diff --git a/ssh-keysign.c b/ssh-keysign.c -index 6cfd5b4..23cf403 100644 +index 3e3ea3e..4804c42 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -173,6 +173,7 @@ main(int argc, char **argv) @@ -128,10 +128,10 @@ index 6cfd5b4..23cf403 100644 fatal("%s: pledge: %s", __progname, strerror(errno)); diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c -index 3bcc244..6a78a1a 100644 +index 17220d6..1af0c2e 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c -@@ -325,6 +325,7 @@ main(int argc, char **argv) +@@ -332,6 +332,7 @@ main(int argc, char **argv) extern char *__progname; struct pollfd pfd[2]; @@ -140,22 +140,22 @@ index 3bcc244..6a78a1a 100644 seed_rng(); TAILQ_INIT(&pkcs11_keylist); diff --git a/ssh.c b/ssh.c -index 0724df4..9178673 100644 +index 49331fc..06836dd 100644 --- a/ssh.c 
+++ b/ssh.c -@@ -598,6 +598,7 @@ main(int ac, char **av) - struct ssh_digest_ctx *md; +@@ -606,6 +606,7 @@ main(int ac, char **av) u_char conn_hash[SSH_DIGEST_MAX_LENGTH]; + size_t n, len; + ssh_enable_fips_mode(); /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); diff --git a/sshd.c b/sshd.c -index 2bf8939..c75e34a 100644 +index b86d682..304bf01 100644 --- a/sshd.c +++ b/sshd.c -@@ -1443,6 +1443,7 @@ main(int ac, char **av) +@@ -1514,6 +1514,7 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = NULL; @@ -164,7 +164,7 @@ index 2bf8939..c75e34a 100644 (void)set_auth_parameters(ac, av); #endif diff --git a/xmalloc.c b/xmalloc.c -index 9cd0127..e2f8145 100644 +index b48d33b..456a063 100644 --- a/xmalloc.c +++ b/xmalloc.c @@ -23,6 +23,10 @@ @@ -178,9 +178,9 @@ index 9cd0127..e2f8145 100644 #include "xmalloc.h" #include "log.h" -@@ -110,3 +114,19 @@ xasprintf(char **ret, const char *fmt, ...) - - return (i); +@@ -117,3 +121,19 @@ xasprintf(char **ret, const char *fmt, ...) + va_end(ap); + return i; } + +void @@ -199,13 +199,13 @@ index 9cd0127..e2f8145 100644 + } +} diff --git a/xmalloc.h b/xmalloc.h -index 1d5f62d..d71b8a8 100644 +index abaf7ad..b3b1c8c 100644 --- a/xmalloc.h +++ b/xmalloc.h -@@ -24,3 +24,4 @@ char *xstrdup(const char *); - int xasprintf(char **, const char *, ...) - __attribute__((__format__ (printf, 2, 3))) +@@ -26,3 +26,4 @@ int xasprintf(char **, const char *, ...) __attribute__((__nonnull__ (2))); + int xvasprintf(char **, const char *, va_list) + __attribute__((__nonnull__ (2))); +void ssh_enable_fips_mode(void); -- 2.7.4 diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch similarity index 57% rename from recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch rename to recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch index 0e35e31..c1de130 100644 
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch +++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch @@ -1,7 +1,7 @@ -From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001 +From c51dd44e1c594ddeb3a27ae5d9be2899e4bf2ac6 Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu....@windriver.com> Date: Sat, 21 Dec 2019 11:45:38 +0800 -Subject: [PATCH] openssh 8.0p1 fips +Subject: [PATCH] openssh 8.2p1 fips Port openssh-7.7p1-fips.patch from Fedora https://src.fedoraproject.org/rpms/openssh.git @@ -10,30 +10,33 @@ https://src.fedoraproject.org/rpms/openssh.git Upstream-Status: Inappropriate [oe specific] Signed-off-by: Hongxu Jia <hongxu....@windriver.com> + +Rebase to 8.2p1 +Signed-off-by: Yi Zhao <yi.z...@windriver.com> --- Makefile.in | 14 +++++++------- cipher-ctr.c | 3 ++- - clientloop.c | 3 ++- + clientloop.c | 2 +- dh.c | 40 ++++++++++++++++++++++++++++++++++++++++ dh.h | 1 + kex.c | 5 ++++- kexgexc.c | 5 +++++ - myproposal.h | 40 ++++++++++++++++++++++++++++++++++++++++ - readconf.c | 17 +++++++++-------- + myproposal.h | 35 +++++++++++++++++++++++++++++++++++ + readconf.c | 15 ++++++++++----- sandbox-seccomp-filter.c | 3 +++ - servconf.c | 19 ++++++++++--------- - ssh-keygen.c | 17 ++++++++++++++++- + servconf.c | 15 ++++++++++----- + ssh-keygen.c | 16 +++++++++++++++- ssh.c | 16 ++++++++++++++++ - sshconnect2.c | 11 ++++++++--- + sshconnect2.c | 8 ++++++-- sshd.c | 19 +++++++++++++++++++ sshkey.c | 4 ++++ - 16 files changed, 186 insertions(+), 31 deletions(-) + 16 files changed, 178 insertions(+), 23 deletions(-) diff --git a/Makefile.in b/Makefile.in -index adb1977..37aec69 100644 +index e754947..57f94f4 100644 --- a/Makefile.in +++ b/Makefile.in -@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS) +@@ -206,25 +206,25 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) 
@@ -44,34 +47,36 @@ index adb1977..37aec69 100644 - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) + $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o -- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS) +- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o -- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS) +- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o -- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS) +- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o -- $(LD) -o $@ ssh-keysign.o 
readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS) +- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS) + $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +@@ -233,7 +233,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o -- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) +- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) + $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/cipher-ctr.c b/cipher-ctr.c index 32771f2..74fac3b 100644 --- a/cipher-ctr.c @@ -87,16 +92,15 @@ index 32771f2..74fac3b 100644 return (&aes_ctr); } 
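Review bot: ssh-sk-helper$(EXEEXT) appears in this hunk only as context (the `@@ -233,7 +233,7 @@` header) and is the one key-handling program left without `-lfipscheck`, while the refreshed 0001-conditional-enable-fips-mode.patch earlier in this commit touches no ssh-sk-helper.c hunk at all. If that is deliberate it deserves a line in the patch description; otherwise the FIDO signing helper presumably runs with FIPS mode never enabled in a FIPS build, unlike ssh-agent and ssh-keysign. Note also that ssh-pkcs11-helper calls ssh_enable_fips_mode() per the first patch but links only `-lssh -lopenbsd-compat` here, so either `-lfipscheck` is needed only by programs that call libfipscheck directly or that link line is missing it; a one-line comment in the patch stating which rule applies would stop the next rebase from guessing.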
diff --git a/clientloop.c b/clientloop.c -index b5a1f70..0b675fe 100644 +index ebd0dbc..b3e0c19 100644 --- a/clientloop.c +++ b/clientloop.c -@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key) +@@ -2083,7 +2083,7 @@ static int + key_accepted_by_hostkeyalgs(const struct sshkey *key) { const char *ktype = sshkey_ssh_name(key); - const char *hostkeyalgs = options.hostkeyalgorithms != NULL ? -- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG; -+ options.hostkeyalgorithms : (FIPS_mode() ? -+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG); +- const char *hostkeyalgs = options.hostkeyalgorithms; ++ const char *hostkeyalgs = (FIPS_mode() ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms); if (key == NULL || key->type == KEY_UNSPEC) return 0; @@ -169,10 +173,10 @@ index 5d6df62..54c7aa2 100644 u_int dh_estimate(int); diff --git a/kex.c b/kex.c -index 49d7015..f1f982d 100644 +index ce85f04..9cc14de 100644 --- a/kex.c +++ b/kex.c -@@ -161,7 +161,10 @@ kex_names_valid(const char *names) +@@ -163,7 +163,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -185,7 +189,7 @@ index 49d7015..f1f982d 100644 return 0; } diff --git a/kexgexc.c b/kexgexc.c -index 1c65b8a..b6b25bf 100644 +index 323a659..812112d 100644 --- a/kexgexc.c +++ b/kexgexc.c @@ -28,6 +28,7 @@ @@ -208,97 +212,86 @@ index 1c65b8a..b6b25bf 100644 /* generate and send 'e', client DH public key */ diff --git a/myproposal.h b/myproposal.h -index 34bd10c..a3ae74b 100644 +index 5312e60..d0accae 100644 --- a/myproposal.h 
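Review bot: The new key_accepted_by_hostkeyalgs line discards the user's HostkeyAlgorithms whenever FIPS_mode() is set, but the ssh_kex2 hunk in sshconnect2.c later in this commit already assembles options.hostkeyalgorithms on top of KEX_FIPS_PK_ALG and presumably sends that user-modified list in the proposal, so a configured list is honoured on the wire yet ignored here and in order_hostkeyalgs. A restriction such as `HostkeyAlgorithms -ssh-rsa` therefore still admits an ssh-rsa key in this check, while a replacement list without a +/-/^ prefix still offers non-FIPS types in the proposal, which is unlikely to be the intended enforcement. Enforce once where the list is assembled (for instance by running the assembled value through match_filter_whitelist against KEX_FIPS_PK_ALG in ssh_kex2, as readconf.c does for its defaults) and keep upstream's `const char *hostkeyalgs = options.hostkeyalgorithms;` here, which also makes the three sites agree. key_accepted_by_hostkeyalgs continues outside the hunk.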
+++ b/myproposal.h -@@ -111,6 +111,14 @@ +@@ -57,6 +57,20 @@ "rsa-sha2-256," \ "ssh-rsa" +#define KEX_FIPS_PK_ALG \ -+ HOSTKEY_ECDSA_CERT_METHODS \ ++ "ecdsa-sha2-nistp256-cert-...@openssh.com," \ ++ "ecdsa-sha2-nistp384-cert-...@openssh.com," \ ++ "ecdsa-sha2-nistp521-cert-...@openssh.com," \ ++ "rsa-sha2-512-cert-...@openssh.com," \ ++ "rsa-sha2-256-cert-...@openssh.com," \ + "ssh-rsa-cert-...@openssh.com," \ -+ HOSTKEY_ECDSA_METHODS \ ++ "ecdsa-sha2-nistp256," \ ++ "ecdsa-sha2-nistp384," \ ++ "ecdsa-sha2-nistp521," \ + "rsa-sha2-512," \ + "rsa-sha2-256," \ + "ssh-rsa" + - /* the actual algorithms */ - - #define KEX_SERVER_ENCRYPT \ -@@ -134,6 +142,38 @@ + #define KEX_SERVER_ENCRYPT \ + "chacha20-poly1...@openssh.com," \ + "aes128-ctr,aes192-ctr,aes256-ctr," \ +@@ -78,6 +92,27 @@ #define KEX_CLIENT_MAC KEX_SERVER_MAC +#define KEX_FIPS_ENCRYPT \ + "aes128-ctr,aes192-ctr,aes256-ctr," \ + "aes128-cbc,3des-cbc," \ -+ "aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se" \ -+ AESGCM_CIPHER_MODES -+#ifdef HAVE_EVP_SHA256 -+# define KEX_DEFAULT_KEX_FIPS \ -+ KEX_ECDH_METHODS \ -+ KEX_SHA2_METHODS \ ++ "aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se," \ ++ "aes128-...@openssh.com,aes256-...@openssh.com" ++#define KEX_DEFAULT_KEX_FIPS \ ++ "ecdh-sha2-nistp256," \ ++ "ecdh-sha2-nistp384," \ ++ "ecdh-sha2-nistp521," \ ++ "diffie-hellman-group-exchange-sha256," \ ++ "diffie-hellman-group16-sha512," \ ++ "diffie-hellman-group18-sha512," \ + "diffie-hellman-group14-sha256" -+# define KEX_FIPS_MAC \ ++#define KEX_FIPS_MAC \ + "hmac-sha1," \ + "hmac-sha2-256," \ + "hmac-sha2-512," \ + "hmac-sha1-...@openssh.com," \ + "hmac-sha2-256-...@openssh.com," \ + "hmac-sha2-512-...@openssh.com" -+#else -+# ifdef OPENSSL_HAS_NISTP521 -+# define KEX_DEFAULT_KEX_FIPS \ -+ "ecdh-sha2-nistp256," \ -+ "ecdh-sha2-nistp384," \ -+ "ecdh-sha2-nistp521" -+# else -+# define KEX_DEFAULT_KEX_FIPS \ -+ "ecdh-sha2-nistp256," \ -+ "ecdh-sha2-nistp384" -+# endif -+#define KEX_FIPS_MAC \ -+ "hmac-sha1" 
-+#endif + /* Not a KEX value, but here so all the algorithm defaults are together */ #define SSH_ALLOWED_CA_SIGALGS \ - HOSTKEY_ECDSA_METHODS \ + "ecdsa-sha2-nistp256," \ diff --git a/readconf.c b/readconf.c -index f78b4d6..2f56ed2 100644 +index f3cac6b..26b9a59 100644 --- a/readconf.c 
+++ b/readconf.c -@@ -2125,18 +2125,19 @@ fill_default_options(Options * options) - all_kex = kex_alg_list(','); +@@ -2187,11 +2187,16 @@ fill_default_options(Options * options) all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); --#define ASSEMBLE(what, defaults, all) \ -+#define ASSEMBLE(what, defaults, fips_defaults, all) \ + /* remove unsupported algos from default lists */ +- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); +- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); +- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); +- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher); ++ def_mac = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac); ++ def_kex = match_filter_whitelist((FIPS_mode() ? ++ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex); ++ def_key = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); ++ def_sig = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + #define ASSEMBLE(what, defaults, all) \ do { \ if ((r = kex_assemble_names(&options->what, \ -- defaults, all)) != 0) \ -+ (FIPS_mode() ? 
fips_defaults : defaults), \ -+ all)) != 0) \ - fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ - } while (0) -- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher); -- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); -- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); -- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); -+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher); -+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac); -+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex); -+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig); - #undef ASSEMBLE - free(all_cipher); - free(all_mac); diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index b5cda70..f0607a3 100644 +index f80981f..00702a7 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = { @@ -312,43 +305,36 @@ index b5cda70..f0607a3 100644 SC_DENY(__NR_openat, EACCES), #endif diff --git a/servconf.c b/servconf.c -index e76f9c3..591d437 100644 +index 70f5f73..815beaf 100644 --- a/servconf.c 
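Review bot: In the readconf.c part of this hunk the FIPS lists only replace the defaults fed to ASSEMBLE; a configured `Ciphers` or `KexAlgorithms` value without a +/-/^ prefix replaces that default wholesale (kex_assemble_names semantics, outside this hunk), so chacha20-poly1305@openssh.com or curve25519-sha256 can still be selected with FIPS_mode() set, and because those are OpenSSH's own implementations rather than EVP calls, OpenSSL's FIPS mode will not refuse them. If the intent is enforcement rather than defaults, filter options->ciphers, macs and kex_algorithms through match_filter_whitelist against the KEX_FIPS_* lists after ASSEMBLE (or fatal() on a non-FIPS entry); the servconf.c hunk below has the same gap. Also, `def_sig` is derived from KEX_FIPS_PK_ALG, which carries the *-cert-v01@openssh.com names, and only the plain-only `all_sig` whitelist keeps them out of the CA signature algorithms — a dedicated plain-key FIPS list (the ecdsa and rsa-sha2 entries only) would make that intent explicit instead of incidental. Separately, KEX_FIPS_ENCRYPT still carries `3des-cbc` and the CBC modes over from the 7.7p1 patch; confirm them against the FIPS policy actually being certified rather than inheriting them.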
+++ b/servconf.c -@@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o) - all_kex = kex_alg_list(','); +@@ -212,11 +212,16 @@ assemble_algorithms(ServerOptions *o) all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); --#define ASSEMBLE(what, defaults, all) \ -+#define ASSEMBLE(what, defaults, fips_defaults, all) \ + /* remove unsupported algos from default lists */ +- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher); +- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac); +- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex); +- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); ++ def_mac = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); ++ def_kex = match_filter_whitelist((FIPS_mode() ? ++ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); ++ def_key = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); ++ def_sig = match_filter_whitelist((FIPS_mode() ? ++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + #define ASSEMBLE(what, defaults, all) \ do { \ -- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ -+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \ -+ ? 
fips_defaults : defaults), all)) != 0) \ - fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ - } while (0) -- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher); -- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac); -- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); -- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); -- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); -+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher); -+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac); -+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex); -+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key); -+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig); - #undef ASSEMBLE - free(all_cipher); - free(all_mac); + if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ diff --git a/ssh-keygen.c b/ssh-keygen.c -index 8c829ca..cb4982d 100644 +index 0d6ed1f..feafe73 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c -@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) +@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp) #endif } #ifdef WITH_OPENSSL 
@@ -361,17 +347,16 @@ index 8c829ca..cb4982d 100644 switch (type) { case KEY_DSA: if (*bitsp != 1024) -@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1088,9 +1094,17 @@ do_gen_all_hostkeys(struct passwd *pw) first = 1; printf("%s: generating new host keys: ", __progname); } -+ + type = sshkey_type_from_name(key_types[i].key_type); + + /* Skip the keys that are not supported in FIPS mode */ + if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) { + logit("Skipping %s key in FIPS mode", -+ key_types[i].key_type_display); ++ key_types[i].key_type_display); + goto next; + } + @@ -382,10 +367,10 @@ index 8c829ca..cb4982d 100644 error("Could not save your public key in %s: %s", prv_tmp, strerror(errno)); diff --git a/ssh.c b/ssh.c -index ee51823..0724df4 100644 +index 15aee56..49331fc 100644 --- a/ssh.c +++ b/ssh.c -@@ -76,6 +76,8 @@ +@@ -77,6 +77,8 @@ #include <openssl/evp.h> #include <openssl/err.h> #endif @@ -394,7 +379,7 @@ index ee51823..0724df4 100644 #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -600,6 +602,16 @@ main(int ac, char **av) +@@ -608,6 +610,16 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); @@ -411,7 +396,7 @@ index ee51823..0724df4 100644 #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ -@@ -614,6 +626,10 @@ main(int ac, char **av) +@@ -622,6 +634,10 @@ main(int ac, char **av) seed_rng(); @@ -423,7 +408,7 @@ index ee51823..0724df4 100644 * Discard other fds that are hanging around. These can cause problem * with backgrounded ssh processes started by ControlPersist. diff --git a/sshconnect2.c b/sshconnect2.c -index 87fa70a..a42aacb 100644 +index af00fb3..639fc51 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -44,6 +44,8 @@ 
@@ -435,37 +420,28 @@ index 87fa70a..a42aacb 100644 #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) +@@ -119,7 +121,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) for (i = 0; i < options.num_system_hostfiles; i++) load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); -- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG); +- oavail = avail = xstrdup(options.hostkeyalgorithms); + oavail = avail = xstrdup((FIPS_mode() -+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)); ++ ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms)); maxlen = strlen(avail) + 1; first = xmalloc(maxlen); last = xmalloc(maxlen); -@@ -179,14 +182,16 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) - if (options.hostkeyalgorithms != NULL) { - all_key = sshkey_alg_list(0, 0, 1, ','); - if (kex_assemble_names(&options.hostkeyalgorithms, -- KEX_DEFAULT_PK_ALG, all_key) != 0) -+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), -+ all_key) != 0) - fatal("%s: kex_assemble_namelist", __func__); - free(all_key); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - compat_pkalg_proposal(options.hostkeyalgorithms); - } else { - /* Enforce default */ -- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); -+ options.hostkeyalgorithms = xstrdup((FIPS_mode() -+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG)); - /* Prefer algorithms that we already have keys for */ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - compat_pkalg_proposal( +@@ -179,7 +182,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) + /* Expand or fill in HostkeyAlgorithms */ + all_key = sshkey_alg_list(0, 0, 1, ','); + if (kex_assemble_names(&options.hostkeyalgorithms, +- kex_default_pk_alg(), all_key) != 0) ++ (FIPS_mode() ? KEX_FIPS_PK_ALG : kex_default_pk_alg()), ++ all_key) != 0) + fatal("%s: kex_assemble_namelist", __func__); + free(all_key); + 
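Review bot: The FIPS skip added to do_gen_all_hostkeys covers KEY_DSA and KEY_ED25519 only; the key_types table it walks also has an XMSS entry on WITH_XMSS builds (the sshkey.c hunk in this commit shows that option in use), and XMSS is not a FIPS-approved signature scheme, so such a build would presumably still generate an xmss host key in FIPS mode. Extend the guard, e.g. `if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519 || type == KEY_XMSS))`, or better, drive it from one shared "allowed in FIPS" predicate so ssh-keygen and the sshkey.c generation path (hunk at the end of this commit, body not shown) cannot disagree. The `/* Skip the keys that are not supported in FIPS mode */` comment should then say which types and why, since the list is policy rather than capability. do_gen_all_hostkeys starts and ends outside the hunk.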
diff --git a/sshd.c b/sshd.c -index f8dee0f..2bf8939 100644 +index 5b9a0b5..b86d682 100644 --- a/sshd.c +++ b/sshd.c @@ -66,6 +66,7 @@ @@ -485,7 +461,7 @@ index f8dee0f..2bf8939 100644 #include "openbsd-compat/openssl-compat.h" #endif -@@ -1445,6 +1448,18 @@ main(int ac, char **av) +@@ -1516,6 +1519,18 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); @@ -504,7 +480,7 @@ index f8dee0f..2bf8939 100644 /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; -@@ -1910,6 +1925,10 @@ main(int ac, char **av) +@@ -1990,6 +2005,10 @@ main(int ac, char **av) /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -516,7 +492,7 @@ index f8dee0f..2bf8939 100644 unmounted if desired. */ if (chdir("/") == -1) diff --git a/sshkey.c b/sshkey.c -index ef90563..1b1ba01 100644 +index 57995ee..3fa4274 100644 --- a/sshkey.c +++ b/sshkey.c @@ -34,6 +34,7 @@ @@ -532,10 +508,10 @@ index ef90563..1b1ba01 100644 #include "sshkey.h" #include "match.h" +#include "log.h" + #include "ssh-sk.h" #ifdef WITH_XMSS - #include "sshkey-xmss.h" -@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap) +@@ -1597,6 +1599,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap) } if (!BN_set_word(f4, RSA_F4) || !RSA_generate_key_ex(private, bits, f4, NULL)) { diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch index 8b74451..c7635b2 100644 --- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch +++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch @@ -1,4 +1,4 @@ -From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001 +From bf3211bbff5cb9e1ef588f74844b04e09a9ad2b6 Mon Sep 17 00:00:00 2001 
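Review bot: In the ssh_kex2 part of this hunk the FIPS branch hands kex_assemble_names the raw KEX_FIPS_PK_ALG string where upstream deliberately passes kex_default_pk_alg(), whose result is filtered to key types the build supports; this same commit also dropped the OPENSSL_HAS_NISTP521 guards from myproposal.h, so on a libcrypto without that curve the FIPS default list presumably contains names the build cannot sign or verify with. Unless kex_assemble_names filters its default argument against all_key (not visible here), mirror readconf.c: build the FIPS default with `match_filter_whitelist(KEX_FIPS_PK_ALG, all_key)`, pass that in place of the macro, and free it after the call. The order_hostkeyalgs change above uses the raw macro the same way and takes the same fix. ssh_kex2 continues outside the hunk.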
From: Hongxu Jia <hongxu....@windriver.com> Date: Sat, 21 Dec 2019 13:05:19 +0800 Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers @@ -18,6 +18,7 @@ Signed-off-by: Mark Hatle <mark.ha...@windriver.com> Upstream-Status: Inappropriate [oe specific] Signed-off-by: Hongxu Jia <hongxu....@windriver.com> +Signed-off-by: Yi Zhao <yi.z...@windriver.com> --- Makefile.in | 7 +- ctr-cavstest.c | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -25,7 +26,7 @@ Signed-off-by: Hongxu Jia <hongxu....@windriver.com> create mode 100644 ctr-cavstest.c diff --git a/Makefile.in b/Makefile.in -index 37aec69..1d6e298 100644 +index 57f94f4..0accd89 100644 --- a/Makefile.in +++ b/Makefile.in @@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh 
@@ -34,35 +35,35 @@ index 37aec69..1d6e298 100644 SSH_KEYSIGN=$(libexecdir)/ssh-keysign +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@ - MANFMT=@MANFMT@ - MKDIR_P=@MKDIR_P@ +@@ -68,7 +69,7 @@ MKDIR_P=@MKDIR_P@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) + .SUFFIXES: .lo + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) XMSS_OBJS=\ ssh-xmss.o \ -@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c - ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +@@ -232,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS) + ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o + 
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) -@@ -348,6 +352,7 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) +@@ -389,6 +393,7 @@ install-files: $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) ++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 diff --git a/ctr-cavstest.c b/ctr-cavstest.c new file mode 100644 index 0000000..0d4776b diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch index 0cbccd7..4a0ae2c 100644 --- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch +++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch @@ -1,4 +1,4 @@ -From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001 +From a2c2c21275ea701c2f0ae54bf5945c92860e9208 Mon Sep 17 00:00:00 2001 
From: Hongxu Jia <hongxu....@windriver.com> Date: Sat, 21 Dec 2019 13:08:52 +0800 Subject: [PATCH] add KDF CAVS test driver @@ -19,6 +19,7 @@ Signed-off-by: Mark Hatle <mark.ha...@windriver.com> Upstream-Status: Inappropriate [oe specific] Signed-off-by: Hongxu Jia <hongxu....@windriver.com> +Signed-off-by: Yi Zhao <yi.z...@windriver.com> --- Makefile.in | 8 +- ssh-cavs.c | 387 +++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -28,7 +29,7 @@ Signed-off-by: Hongxu Jia <hongxu....@windriver.com> create mode 100644 ssh-cavs_driver.pl diff --git a/Makefile.in b/Makefile.in -index 1d6e298..be28411 100644 +index 0accd89..5789323 100644 --- a/Makefile.in +++ b/Makefile.in @@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass 
@@ -37,36 +38,36 @@ index 1d6e298..be28411 100644 CTR_CAVSTEST=$(libexecdir)/ctr-cavstest +SSH_CAVS=$(libexecdir)/ssh-cavs SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper + SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper PRIVSEP_PATH=@PRIVSEP_PATH@ - SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ -@@ -61,7 +62,7 @@ EXEEXT=@EXEEXT@ - MANFMT=@MANFMT@ - MKDIR_P=@MKDIR_P@ +@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT) + .SUFFIXES: .lo + +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT) XMSS_OBJS=\ ssh-xmss.o \ -@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11 +@@ -236,6 +237,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) -+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o -+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS) ++ $(LD) -o $@ ssh-cavs.o 
$(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) -@@ -353,6 +357,8 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) - $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) +@@ -394,6 +398,8 @@ install-files: + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) + $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 diff --git a/ssh-cavs.c b/ssh-cavs.c new file mode 100644 index 0000000..b74ae7f diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc index 0eafb98..c74532f 100644 --- a/recipes-connectivity/openssh/openssh_fips.inc +++ b/recipes-connectivity/openssh/openssh_fips.inc 
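Review bot: `$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl` in the install-files part of this hunk hands `$(STRIP_OPT)` to a Perl script, and if that macro expands to `-s` (commonly the case unless the build disables stripping) `install` will run `strip` on a text file and the whole target fails; the line should read `$(INSTALL) -m 0755 ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl`. This line is carried over from the previous revision of the patch rather than added here, so it may be masked in practice by the recipe's configure flags, but the refresh is the natural place to correct it. The same target installs ctr-cavstest, ssh-cavs and ssh-cavs_driver.pl into $(libexecdir) next to the production helpers, so these CAVS validation drivers end up in the runtime package unless the recipe splits them out; worth confirming they are packaged separately (or as a ptest) instead of shipping test harnesses on every FIPS image. Minor: the new `ssh-cavs` link line uses `-lssh -lopenbsd-compat $(LIBS)` whereas ctr-cavstest and ssh-keyscan in the same hunk use `-lssh -lopenbsd-compat -lssh` to resolve the libssh/openbsd-compat cross-references, so if the static link ever fails on unresolved symbols, mirroring that order is the fix.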
@@ -6,7 +6,7 @@ DEPENDS += " \
 RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
 
 SRC_URI += " \
- file://0001-openssh-8.0p1-fips.patch \
+ file://0001-openssh-8.2p1-fips.patch \
 file://0001-conditional-enable-fips-mode.patch \
 file://openssh-6.6p1-ctr-cavstest.patch \
 file://openssh-6.7p1-kdf-cavs.patch \
-- 
2.17.1