Enable fips mode according to the existence of "/etc/system-fips"
Signed-off-by: Hongxu Jia <hongxu....@windriver.com> --- .../0001-conditional-enable-fips-mode.patch | 63 ++++++++++++++++++++++ recipes-connectivity/openssh/openssh_fips.inc | 1 + 2 files changed, 64 insertions(+) create mode 100644 recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch new file mode 100644 index 0000000..b47e184 --- /dev/null +++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch @@ -0,0 +1,63 @@ +From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu....@windriver.com> +Date: Sun, 22 Sep 2019 14:31:51 +0800 +Subject: [PATCH] conditional enable fips mode + +Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke, +enable fips mode according to the existence of "/etc/system-fips" + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia <hongxu....@windriver.com> +--- + xmalloc.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/xmalloc.c b/xmalloc.c +index 5cc0310..0218ccd 100644 +--- a/xmalloc.c ++++ b/xmalloc.c +@@ -23,12 +23,20 @@ + #include <stdlib.h> + #include <string.h> + ++#include <openssl/err.h> ++#include <openssl/crypto.h> ++#include <unistd.h> ++ + #include "xmalloc.h" + #include "log.h" + ++void ssh_enable_fips_mode(void); ++ + void + ssh_malloc_init(void) + { ++ ssh_enable_fips_mode(); ++ + #if defined(__OpenBSD__) + extern char *malloc_options; + +@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...) + + return (i); + } ++ ++void ++ssh_enable_fips_mode(void) ++{ ++ if (access("/etc/system-fips", F_OK) == 0) { ++ if (!FIPS_mode_set(1)) { ++ /* make sure the error stack is available for some hint as ++ * to why this operation failed ++ */ ++ ERR_load_crypto_strings(); ++ ERR_print_errors_fp(stdout); ++ fatal("FIPS_mode_set(): failed to enter FIPS mode!\n"); ++ exit(1); ++ } ++ } ++} +-- +2.7.4 + diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc index df84c39..33a84c9 100644 --- a/recipes-connectivity/openssh/openssh_fips.inc +++ b/recipes-connectivity/openssh/openssh_fips.inc @@ -5,6 +5,7 @@ DEPENDS += " \ " SRC_URI += " \ file://0001-openssh-8.0p1-fips.patch \ + file://0001-conditional-enable-fips-mode.patch \ " do_install_append() { -- 2.7.4 -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto