[meta-openssl102-fips][PATCH 4/6] openssh: refresh patches to 8.5p1


Yi Zhao
 

From: Changqing Li <changqing.li@...>

Signed-off-by: Changqing Li <changqing.li@...>
---
.../0001-conditional-enable-fips-mode.patch | 40 ++++++++--------
.../openssh/0001-openssh-8.4p1-fips.patch | 48 +++++++++----------
2 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index 17c5967..9fd19c0 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From 571b24129e3c3a84e38a59a32aa61fa40e04e1e2 Mon Sep 17 00:00:00 2001
+From 48888de317391522186c6ae24a8d6d7d7add2673 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@...>
Date: Sat, 21 Dec 2019 13:03:23 +0800
Subject: [PATCH] conditional enable fips mode
@@ -44,10 +44,10 @@ index 06566d3..a10566d 100644
sanitise_stdfd();

diff --git a/sftp-server.c b/sftp-server.c
-index 55386fa..8c1634e 100644
+index 7300900..42da9d7 100644
--- a/sftp-server.c
+++ b/sftp-server.c
-@@ -1577,6 +1577,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1616,6 +1616,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
extern char *optarg;
extern char *__progname;

@@ -56,10 +56,10 @@ index 55386fa..8c1634e 100644
log_init(__progname, log_level, log_facility, log_stderr);

diff --git a/sftp.c b/sftp.c
-index c88c861..171bc56 100644
+index fb3c08d..85b9b67 100644
--- a/sftp.c
+++ b/sftp.c
-@@ -2390,6 +2390,7 @@ main(int argc, char **argv)
+@@ -2345,6 +2345,7 @@ main(int argc, char **argv)
size_t num_requests = DEFAULT_NUM_REQUESTS;
long long limit_kbps = 0;

@@ -68,10 +68,10 @@ index c88c861..171bc56 100644
sanitise_stdfd();
msetlocale();
diff --git a/ssh-add.c b/ssh-add.c
-index 936dc21..b7ac2d2 100644
+index 7edb9f9..c75f85b 100644
--- a/ssh-add.c
+++ b/ssh-add.c
-@@ -671,6 +671,7 @@ main(int argc, char **argv)
+@@ -667,6 +667,7 @@ main(int argc, char **argv)
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
LogLevel log_level = SYSLOG_LEVEL_INFO;

@@ -80,10 +80,10 @@ index 936dc21..b7ac2d2 100644
sanitise_stdfd();

diff --git a/ssh-agent.c b/ssh-agent.c
-index e1fd1f3..da49b57 100644
+index 58fe6dd..9018a7c 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
-@@ -1289,6 +1289,7 @@ main(int ac, char **av)
+@@ -1388,6 +1388,7 @@ main(int ac, char **av)
size_t npfd = 0;
u_int maxfds;

@@ -92,10 +92,10 @@ index e1fd1f3..da49b57 100644
sanitise_stdfd();

diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cb8e569..67c7d62 100644
+index 6451584..246caa1 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
-@@ -3184,6 +3184,7 @@ main(int argc, char **argv)
+@@ -3153,6 +3153,7 @@ main(int argc, char **argv)
extern int optind;
extern char *optarg;

@@ -104,7 +104,7 @@ index cb8e569..67c7d62 100644
sanitise_stdfd();

diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index ca19042..c667f2c 100644
+index 7abbcbf..b604bfd 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -667,6 +667,7 @@ main(int argc, char **argv)
@@ -116,7 +116,7 @@ index ca19042..c667f2c 100644
seed_rng();
TAILQ_INIT(&tq);
diff --git a/ssh-keysign.c b/ssh-keysign.c
-index 7991e0f..26a3bab 100644
+index 907162d..294148a 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -173,6 +173,7 @@ main(int argc, char **argv)
@@ -128,10 +128,10 @@ index 7991e0f..26a3bab 100644
fatal("%s: pledge: %s", __progname, strerror(errno));

diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
-index d73e835..e508684 100644
+index a9a6fe3..3c76f70 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
-@@ -332,6 +332,7 @@ main(int argc, char **argv)
+@@ -326,6 +326,7 @@ main(int argc, char **argv)
extern char *__progname;
struct pollfd pfd[2];

@@ -140,22 +140,22 @@ index d73e835..e508684 100644
seed_rng();
TAILQ_INIT(&pkcs11_keylist);
diff --git a/ssh.c b/ssh.c
-index aabd5d3..81393f1 100644
+index 729d87a..ab78b53 100644
--- a/ssh.c
+++ b/ssh.c
-@@ -660,6 +660,7 @@ main(int ac, char **av)
- size_t n, len;
+@@ -650,6 +650,7 @@ main(int ac, char **av)
u_int j;
+ struct ssh_conn_info *cinfo = NULL;

+ ssh_enable_fips_mode();
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

diff --git a/sshd.c b/sshd.c
-index 1f1fcc2..0f68419 100644
+index fee4703..07faf7b 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -1553,6 +1553,7 @@ main(int ac, char **av)
+@@ -1534,6 +1534,7 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;

diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
index 48c18b4..10687ff 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
@@ -1,4 +1,4 @@
-From 059b61a58b27c40fbb78b3930cdcf110ff717340 Mon Sep 17 00:00:00 2001
+From 0452f9dc4acf90b8d7ac6ddf6ebbe455d202ce54 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@...>
Date: Sat, 21 Dec 2019 11:45:38 +0800
Subject: [PATCH] openssh 8.4p1 fips
@@ -38,7 +38,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
14 files changed, 171 insertions(+), 20 deletions(-)

diff --git a/Makefile.in b/Makefile.in
-index acfb919..5b2c397 100644
+index e3cd296..bf53fb0 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -204,25 +204,25 @@ libssh.a: $(LIBSSH_OBJS)
@@ -97,7 +97,7 @@ index 32771f2..74fac3b 100644
return (&aes_ctr);
}
diff --git a/dh.c b/dh.c
-index 7cb135d..306f1bc 100644
+index b5bb35e..676f893 100644
--- a/dh.c
+++ b/dh.c
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max)
@@ -165,10 +165,10 @@ index 5d6df62..54c7aa2 100644
u_int dh_estimate(int);

diff --git a/kex.c b/kex.c
-index aecb939..3d5d3b0 100644
+index 30425ab..1250f42 100644
--- a/kex.c
+++ b/kex.c
-@@ -163,7 +163,10 @@ kex_names_valid(const char *names)
+@@ -165,7 +165,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@@ -181,7 +181,7 @@ index aecb939..3d5d3b0 100644
return 0;
}
diff --git a/kexgexc.c b/kexgexc.c
-index 323a659..812112d 100644
+index 4a2e741..2535732 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -28,6 +28,7 @@
@@ -192,7 +192,7 @@ index 323a659..812112d 100644
#include <sys/types.h>

#include <openssl/dh.h>
-@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
+@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
@@ -204,7 +204,7 @@ index 323a659..812112d 100644

/* generate and send 'e', client DH public key */
diff --git a/myproposal.h b/myproposal.h
-index 5312e60..d0accae 100644
+index f03b7df..57b8779 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -57,6 +57,20 @@
@@ -255,12 +255,12 @@ index 5312e60..d0accae 100644
+
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
- "ecdsa-sha2-nistp256," \
+ "ssh-ed25519," \
diff --git a/readconf.c b/readconf.c
-index 554efd7..16eda65 100644
+index 724974b..870a654 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2255,11 +2255,16 @@ fill_default_options(Options * options)
+@@ -2475,11 +2475,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */
@@ -283,7 +283,7 @@ index 554efd7..16eda65 100644
do { \
if ((r = kex_assemble_names(&options->what, \
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index e0768c0..8971bba 100644
+index d8dc712..c6e62e4 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -157,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
@@ -297,10 +297,10 @@ index e0768c0..8971bba 100644
SC_DENY(__NR_openat, EACCES),
#endif
diff --git a/servconf.c b/servconf.c
-index f08e374..dbcee84 100644
+index 9695583..98f6303 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -213,11 +213,16 @@ assemble_algorithms(ServerOptions *o)
+@@ -218,11 +218,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */
@@ -323,10 +323,10 @@ index f08e374..dbcee84 100644
do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a12b79a..cb8e569 100644
+index cfb5f11..6451584 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
-@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
+@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
#endif
}
#ifdef WITH_OPENSSL
@@ -339,7 +339,7 @@ index a12b79a..cb8e569 100644
switch (type) {
case KEY_DSA:
if (*bitsp != 1024)
-@@ -1094,9 +1100,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1095,9 +1101,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1;
printf("%s: generating new host keys: ", __progname);
}
@@ -359,7 +359,7 @@ index a12b79a..cb8e569 100644
error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno));
diff --git a/ssh.c b/ssh.c
-index f34ca0d..aabd5d3 100644
+index 53330da..729d87a 100644
--- a/ssh.c
+++ b/ssh.c
@@ -77,6 +77,8 @@
@@ -371,7 +371,7 @@ index f34ca0d..aabd5d3 100644
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"

-@@ -662,6 +664,16 @@ main(int ac, char **av)
+@@ -652,6 +654,16 @@ main(int ac, char **av)
sanitise_stdfd();

__progname = ssh_get_progname(av[0]);
@@ -388,7 +388,7 @@ index f34ca0d..aabd5d3 100644

#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
-@@ -1500,6 +1512,10 @@ main(int ac, char **av)
+@@ -1506,6 +1518,10 @@ main(int ac, char **av)
exit(0);
}

@@ -400,7 +400,7 @@ index f34ca0d..aabd5d3 100644
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
strlen(options.sk_provider) > 1) {
diff --git a/sshd.c b/sshd.c
-index 5af7986..1f1fcc2 100644
+index eff4778..fee4703 100644
--- a/sshd.c
+++ b/sshd.c
@@ -66,6 +66,7 @@
@@ -420,7 +420,7 @@ index 5af7986..1f1fcc2 100644
#include "openbsd-compat/openssl-compat.h"
#endif

-@@ -1555,6 +1558,18 @@ main(int ac, char **av)
+@@ -1536,6 +1539,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);

@@ -439,7 +439,7 @@ index 5af7986..1f1fcc2 100644
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
-@@ -2039,6 +2054,10 @@ main(int ac, char **av)
+@@ -2017,6 +2032,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);

@@ -451,7 +451,7 @@ index 5af7986..1f1fcc2 100644
unmounted if desired. */
if (chdir("/") == -1)
diff --git a/sshkey.c b/sshkey.c
-index ac451f1..4f72eab 100644
+index b25c59a..8fcfe22 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -34,6 +34,7 @@
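Review bot: The refreshed patch still identifies itself as an 8.4p1 patch: the file is named 0001-openssh-8.4p1-fips.patch and the inner header in the first hunk of this section keeps `Subject: [PATCH] openssh 8.4p1 fips`, while every hunk below it now carries 8.5p1 offsets and blob ids. Either drop the version from the file name and subject or rename both to match the target, e.g. `Subject: [PATCH] openssh 8.5p1 fips`; a file rename would presumably also need the recipe's SRC_URI entry updated, which is not visible in this commit. Since the myproposal.h, readconf.c and servconf.c hunks only shift offsets and index lines, it is worth confirming that the FIPS algorithm lists the patch carries still line up with the 8.5p1 defaults; that cannot be judged from this diff alone.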
--
2.25.1
