Re: how to reuse generated library in a nativesdk recipe #sdk #systemd

Martin Jansa
 

On Thu, Feb 20, 2020 at 08:14:04AM +0000, Mikko.Rapeli@bmw.de wrote:
On Wed, Feb 19, 2020 at 10:57:41PM +0100, Martin Jansa wrote:
DEPENDS_class-target += "systemd"
You surely meant
DEPENDS_append_class-target = " systemd"
here
Yes, quite likely. Though the reason why += doesn't work is a mystery to me :)

I hack things until "bitbake -e" shows the right things for the recipes.
I agree it's a bit confusing at first (I was doing the same a long time
ago, before bitbake -e was even showing the history of evaluation), but
everybody who uses bitbake often should learn this simple difference:

FOO_append_override = " bar"
is "conditional" append, so it will append "bar" only when "override" is
being used

FOO_override += "bar"
always appends to "FOO_override" and then it overrides whole "FOO" variable

There are other more subtle differences like "+=" adds a leading space,
_append doesn't, and _append is processed later (which is important when
appending to a variable set with ?=), but the above difference is a must
to know.

Also
FOO_append += "bar"
is just a silly way to add a leading space to the value; one should
always use
FOO_append = " bar"
when appending to space separated list (like DEPENDS).

Cheers,

-Mikko

On Wed, Feb 19, 2020 at 10:48 PM Mikko Rapeli <mikko.rapeli@bmw.de> wrote:

Hi,

On Wed, Feb 19, 2020 at 01:37:19AM -0800, Armando Hernandez wrote:
Hello,

I have a recipe that builds a library. The recipe specifies an
additional package "${PN}-systemd" along with other systemd related
variables and finally it instructs that the package should be built with
"-DWITH_SYSTEMD=ON" being passed to cmake. So far so good. But, I extended
this recipe to nativesdk because I need this library on it. When trying to
build the corresponding nativesdk package, the build fails at the
configuration step (i.e. "do_configure") claiming it cannot find the
package systemd.

Is there a way I can install the -already-generated libraries into my
SDK (potentially via the corresponding nativesdk recipe) without having to
rebuild the package? Or do I need to somehow include such systemd package
in my sdk (which I don't think I need at all)?

Any hints and pointers as to where to look are very well appreciated.
Thanks.
Make the systemd dependency for target only, e.g. DEPENDS_class-target += "systemd"
etc.

There may be relevant use cases to build some of the systemd components or tools
to native or nativesdk targets too. In that case add BBCLASSEXTEND += "nativesdk" etc
in a bbappend to systemd.

Hope this helps,

-Mikko
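The difference Martin describes above, written out as a recipe fragment for Armando's library; this is an added example, not code from the thread, and the recipe name `mylib`, the `zlib` dependency and the `-DWITH_SYSTEMD=OFF` flag are placeholders chosen for illustration:

```bitbake
# mylib_1.0.bb (placeholder name): one recipe, built for the target and,
# via BBCLASSEXTEND, as nativesdk-mylib for the SDK.
BBCLASSEXTEND = "nativesdk"

DEPENDS = "zlib"

# Wrong: "+=" appends to the *separate* variable DEPENDS_class-target (which
# starts out empty, so it becomes " systemd"), and that variable then replaces
# DEPENDS wholesale whenever class-target is in OVERRIDES:
#   bitbake -e mylib           -> DEPENDS=" systemd"   (zlib silently dropped)
#   bitbake -e nativesdk-mylib -> DEPENDS="zlib"
#DEPENDS_class-target += "systemd"

# Right: a conditional append, applied only while class-target is active.
# The leading space is part of the value because _append adds none:
#   bitbake -e mylib           -> DEPENDS="zlib systemd"
#   bitbake -e nativesdk-mylib -> DEPENDS="zlib"
DEPENDS_append_class-target = " systemd"

# The cmake switch follows the same rule, so the nativesdk configure step
# never asks for systemd (the OFF value is a placeholder; check the
# project's own option name and default):
EXTRA_OECMAKE_append_class-target = " -DWITH_SYSTEMD=ON"
EXTRA_OECMAKE_append_class-nativesdk = " -DWITH_SYSTEMD=OFF"

# The extra package only exists for the target build. _prepend keeps
# ${PN}-systemd ahead of ${PN} so its FILES pattern claims files first.
PACKAGES_prepend_class-target = "${PN}-systemd "
```

Confirm the result the way Mikko does, with `bitbake -e nativesdk-mylib | grep '^DEPENDS='`, which also prints the assignment history that shows which form was applied.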


Re: Bitbake returning non-zero due to sstate errors

Richard Purdie
 

On Thu, 2020-02-20 at 11:26 +0000, Paul Barker wrote:
In my new CI setup I'm using an sstate mirror which seems to have some
occasional download issues. This results in the setscene task failing.
For example:

ERROR: qt3d-5.13.2+gitAUTOINC+93361f1a59-r0
do_package_write_ipk_setscene: Fetcher failure: Unable to find file
file://fd/sstate:qt3d:armv7at2hf-neon-linux-gnueabi:5.13.2+gitAUTOINC+93361f1a59:r0:armv7at2hf-neon:3:fda6c3edff0205b07ff176cf16771247117fa310bc65a6a1df6befc4230e0a74_package_write_ipk.tgz;downloadfilename=fd/sstate:qt3d:armv7at2hf-neon-linux-gnueabi:5.13.2+gitAUTOINC+93361f1a59:r0:armv7at2hf-neon:3:fda6c3edff0205b07ff176cf16771247117fa310bc65a6a1df6befc4230e0a74_package_write_ipk.tgz
anywhere. The paths that were searched were:
/builds/SanCloudLtd/sancloud-arago/build/sstate-cache
/builds/SanCloudLtd/sancloud-arago/build/sstate-cache
ERROR: qt3d-5.13.2+gitAUTOINC+93361f1a59-r0
do_package_write_ipk_setscene: No suitable staging package found
ERROR: Logfile of failure stored in:
/builds/SanCloudLtd/sancloud-arago/build/tmp/work/armv7at2hf-neon-linux-gnueabi/qt3d/5.13.2+gitAUTOINC+93361f1a59-r0/temp/log.do_package_write_ipk_setscene.10524
NOTE: recipe qt3d-5.13.2+gitAUTOINC+93361f1a59-r0: task
do_package_write_ipk_setscene: Failed
WARNING: Setscene task
(/builds/SanCloudLtd/sancloud-arago/sources/meta-qt5/recipes-qt/qt5/qt3d_git.bb:do_package_write_ipk_setscene)
failed with exit code '1' - real task will be run instead

As indicated in the final warning message there the real tasks run
since no sstate artifact is available. These tasks succeed:

NOTE: recipe qt3d-5.13.2+gitAUTOINC+93361f1a59-r0: task
do_package_write_ipk: Succeeded

The result is a successful build of the desired images. However, the
build is marked as a failure due to those sstate errors:

Summary: There were 11 ERROR messages shown, returning a non-zero exit code.

Is this the expected behaviour? The final images are built correctly.
I can't see any simple way to mask those setscene errors but I might
be missing something.

The full log can be seen at
https://gitlab.com/SanCloudLtd/sancloud-arago/-/jobs/443901140/raw.
I'm on the zeus branch here, I'll try to re-test on master later if I
can.
We've discussed this before and it can be argued either way.

Personally, I worry about why artefacts "disappear" and this is why it's
an error; files should not be disappearing part way through a build.

From a bitbake perspective, a task really did fail and task failures
are errors. The fact it was able to recover is a bonus.

Perhaps it should be a warning now we have levels of warnings that are
meaningful. Previously we threw so many, this would have been one more
lost amongst many. I know many people don't like the behaviour.

Cheers,

Richard


Bitbake returning non-zero due to sstate errors

 

In my new CI setup I'm using an sstate mirror which seems to have some
occasional download issues. This results in the setscene task failing.
For example:

ERROR: qt3d-5.13.2+gitAUTOINC+93361f1a59-r0
do_package_write_ipk_setscene: Fetcher failure: Unable to find file
file://fd/sstate:qt3d:armv7at2hf-neon-linux-gnueabi:5.13.2+gitAUTOINC+93361f1a59:r0:armv7at2hf-neon:3:fda6c3edff0205b07ff176cf16771247117fa310bc65a6a1df6befc4230e0a74_package_write_ipk.tgz;downloadfilename=fd/sstate:qt3d:armv7at2hf-neon-linux-gnueabi:5.13.2+gitAUTOINC+93361f1a59:r0:armv7at2hf-neon:3:fda6c3edff0205b07ff176cf16771247117fa310bc65a6a1df6befc4230e0a74_package_write_ipk.tgz
anywhere. The paths that were searched were:
/builds/SanCloudLtd/sancloud-arago/build/sstate-cache
/builds/SanCloudLtd/sancloud-arago/build/sstate-cache
ERROR: qt3d-5.13.2+gitAUTOINC+93361f1a59-r0
do_package_write_ipk_setscene: No suitable staging package found
ERROR: Logfile of failure stored in:
/builds/SanCloudLtd/sancloud-arago/build/tmp/work/armv7at2hf-neon-linux-gnueabi/qt3d/5.13.2+gitAUTOINC+93361f1a59-r0/temp/log.do_package_write_ipk_setscene.10524
NOTE: recipe qt3d-5.13.2+gitAUTOINC+93361f1a59-r0: task
do_package_write_ipk_setscene: Failed
WARNING: Setscene task
(/builds/SanCloudLtd/sancloud-arago/sources/meta-qt5/recipes-qt/qt5/qt3d_git.bb:do_package_write_ipk_setscene)
failed with exit code '1' - real task will be run instead

As indicated in the final warning message there the real tasks run
since no sstate artifact is available. These tasks succeed:

NOTE: recipe qt3d-5.13.2+gitAUTOINC+93361f1a59-r0: task
do_package_write_ipk: Succeeded

The result is a successful build of the desired images. However, the
build is marked as a failure due to those sstate errors:

Summary: There were 11 ERROR messages shown, returning a non-zero exit code.

Is this the expected behaviour? The final images are built correctly.
I can't see any simple way to mask those setscene errors but I might
be missing something.

The full log can be seen at
https://gitlab.com/SanCloudLtd/sancloud-arago/-/jobs/443901140/raw.
I'm on the zeus branch here, I'll try to re-test on master later if I
can.

Thanks,
Paul
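One way to get the "simple way to mask those setscene errors" Paul is missing without hiding real failures, as an added example (not from the thread and not part of bitbake): a post-build triage pass that attributes each ERROR line to a recipe and task, treats a `*_setscene` error as recovered only when the same log later records the real task as Succeeded, and fails the job on whatever remains. The qt3d lines are the ones quoted above; the `foo-1.0-r0` lines are constructed to show an unrecovered failure.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the qt3d lines mirror the excerpt quoted in the thread
# (sstate fetch failed, the real do_package_write_ipk then succeeded); the
# foo-1.0-r0 lines are invented to show a genuine, unrecovered task failure.
SAMPLE_LOG = """\
ERROR: qt3d-5.13.2+gitAUTOINC+93361f1a59-r0 do_package_write_ipk_setscene: Fetcher failure: Unable to find file file://fd/sstate:qt3d:armv7at2hf-neon-linux-gnueabi:5.13.2+gitAUTOINC+93361f1a59:r0:armv7at2hf-neon:3:fda6c3edff0205b07ff176cf16771247117fa310bc65a6a1df6befc4230e0a74_package_write_ipk.tgz anywhere. The paths that were searched were:
/builds/SanCloudLtd/sancloud-arago/build/sstate-cache
/builds/SanCloudLtd/sancloud-arago/build/sstate-cache
ERROR: qt3d-5.13.2+gitAUTOINC+93361f1a59-r0 do_package_write_ipk_setscene: No suitable staging package found
ERROR: Logfile of failure stored in: /builds/SanCloudLtd/sancloud-arago/build/tmp/work/armv7at2hf-neon-linux-gnueabi/qt3d/5.13.2+gitAUTOINC+93361f1a59-r0/temp/log.do_package_write_ipk_setscene.10524
NOTE: recipe qt3d-5.13.2+gitAUTOINC+93361f1a59-r0: task do_package_write_ipk_setscene: Failed
WARNING: Setscene task (/builds/SanCloudLtd/sancloud-arago/sources/meta-qt5/recipes-qt/qt5/qt3d_git.bb:do_package_write_ipk_setscene) failed with exit code '1' - real task will be run instead
NOTE: recipe qt3d-5.13.2+gitAUTOINC+93361f1a59-r0: task do_package_write_ipk: Succeeded
ERROR: foo-1.0-r0 do_compile: oe_runmake failed
ERROR: Logfile of failure stored in: /builds/SanCloudLtd/sancloud-arago/build/tmp/work/armv7at2hf-neon-linux-gnueabi/foo/1.0-r0/temp/log.do_compile.20001
NOTE: recipe foo-1.0-r0: task do_compile: Failed
Summary: There were 5 ERROR messages shown, returning a non-zero exit code.
"""

# "ERROR: <recipe> <task>: <message>" as bitbake prints task errors.
ERR_TASK = re.compile(r"^ERROR: (?P<recipe>\S+) (?P<task>do_\w+): ")
# The "Logfile of failure" error names no recipe; recover it from the
# tmp/work/<arch>/<pn>/<pv>-<pr>/temp/log.<task>.<pid> path.
ERR_LOGFILE = re.compile(
    r"^ERROR: Logfile of failure stored in: .*/tmp/work/[^/]+/(?P<pn>[^/]+)/"
    r"(?P<pvpr>[^/]+)/temp/log\.(?P<task>do_\w+)\.\d+$")
NOTE_TASK = re.compile(
    r"^NOTE: recipe (?P<recipe>\S+): task (?P<task>do_\w+): (?P<result>Succeeded|Failed)$")
SUMMARY = re.compile(r"^Summary: There were (?P<n>\d+) ERROR messages shown")

Error = Tuple[Optional[str], Optional[str], str]  # (recipe, task, log line)


@dataclass
class Triage:
    recovered: List[Error] = field(default_factory=list)
    unrecovered: List[Error] = field(default_factory=list)
    summary_errors: Optional[int] = None

    @property
    def should_fail(self) -> bool:
        """Fail the CI job only for errors bitbake did not recover from."""
        return bool(self.unrecovered)


def triage_log(text: str) -> Triage:
    outcomes: Dict[Tuple[str, str], str] = {}  # (recipe, task) -> Succeeded/Failed
    errors: List[Error] = []
    summary = None
    for line in text.splitlines():
        m = NOTE_TASK.match(line)
        if m:
            outcomes[(m["recipe"], m["task"])] = m["result"]
            continue
        m = ERR_TASK.match(line)
        if m:
            errors.append((m["recipe"], m["task"], line))
            continue
        m = ERR_LOGFILE.match(line)
        if m:
            errors.append((f"{m['pn']}-{m['pvpr']}", m["task"], line))
            continue
        if line.startswith("ERROR:"):
            errors.append((None, None, line))  # unattributable: stays an error
            continue
        m = SUMMARY.match(line)
        if m:
            summary = int(m["n"])
    triage = Triage(summary_errors=summary)
    for recipe, task, line in errors:
        # A setscene error counts as recovered only if the real task it stood
        # in for is recorded as Succeeded somewhere in the same log.
        real = task[: -len("_setscene")] if task and task.endswith("_setscene") else None
        if real and outcomes.get((recipe, real)) == "Succeeded":
            triage.recovered.append((recipe, task, line))
        else:
            triage.unrecovered.append((recipe, task, line))
    return triage


def report(triage: Triage) -> str:
    lines = [f"recovered setscene errors: {len(triage.recovered)}",
             f"unrecovered errors: {len(triage.unrecovered)}"]
    for recipe, task, line in triage.unrecovered:
        lines.append(f"  {recipe or '?'} {task or '?'}: {line[:80]}")
    if triage.summary_errors is not None:
        lines.append(f"bitbake counted {triage.summary_errors} ERROR messages")
    lines.append("verdict: " + ("FAIL" if triage.should_fail else "PASS (sstate misses only)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_log(SAMPLE_LOG)))
```

Run it over the saved console log after `bitbake` returns non-zero and use `should_fail` as the job's exit status; the recovered count is still worth graphing, since a rising number means the mirror is losing artefacts, which is the problem Richard points at.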


Re: [OE-core] Yocto Project Status WW07'20

Richard Purdie
 

On Thu, 2020-02-20 at 07:46 +0000, Jain, Sangeeta wrote:
Planned upcoming dot releases:
YP 2.7.3 built and in QA

I didn’t see any notification for this build. Am I missing something?
No, it's due to be built but isn't built yet!

I think that was meant to say 3.0.2, sorry about any confusion.

Cheers,

Richard


Re: [meta-openssl102-fips][PATCH] openssh: refresh patches to 8.2p1

Yi Zhao
 

Please ignore this. I have sent V2 with a clean commit message.


//Yi

On 2/20/20 5:19 PM, Yi Zhao wrote:
Issue: LINCD-1151

Refresh patches to openssh-8.2p1.
Reference:
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
(commit 51f5c1c99f1d20e48328edde666061d0ce0da83b)

(LOCAL REV: NOT UPSTREAM) -- send to meta-openssl102-fips on 20200220

Signed-off-by: Yi Zhao <yi.zhao@...>
---
 .../0001-conditional-enable-fips-mode.patch   |  54 ++--
 ...ps.patch => 0001-openssh-8.2p1-fips.patch} | 300 ++++++++----------
 .../openssh/openssh-6.6p1-ctr-cavstest.patch  |  35 +-
 .../openssh/openssh-6.7p1-kdf-cavs.patch      |  35 +-
 recipes-connectivity/openssh/openssh_fips.inc |   2 +-
 5 files changed, 202 insertions(+), 224 deletions(-)
 rename recipes-connectivity/openssh/openssh/{0001-openssh-8.0p1-fips.patch => 0001-openssh-8.2p1-fips.patch} (57%)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index a0f496a..942fda6 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From 60204df9d1f54f581f9ddc5443228550cadd4b4b Mon Sep 17 00:00:00 2001
+From ef6490841a73b4f71ca35e09328c6a8b0ad9dba9 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@...>
 Date: Sat, 21 Dec 2019 13:03:23 +0800
 Subject: [PATCH] conditional enable fips mode
@@ -56,10 +56,10 @@ index 359204f..346255a 100644
  	log_init(__progname, log_level, log_facility, log_stderr);
  
 diff --git a/sftp.c b/sftp.c
-index b66037f..ca263ac 100644
+index ff14d3c..a633200 100644
 --- a/sftp.c
 +++ b/sftp.c
-@@ -2387,6 +2387,7 @@ main(int argc, char **argv)
+@@ -2390,6 +2390,7 @@ main(int argc, char **argv)
  	size_t num_requests = DEFAULT_NUM_REQUESTS;
  	long long limit_kbps = 0;
  
@@ -68,10 +68,10 @@ index b66037f..ca263ac 100644
  	sanitise_stdfd();
  	msetlocale();
 diff --git a/ssh-add.c b/ssh-add.c
-index ebfb8a3..b7d59bc 100644
+index 8057eb1..19f3da2 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
-@@ -577,6 +577,7 @@ main(int argc, char **argv)
+@@ -628,6 +628,7 @@ main(int argc, char **argv)
  	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
  	LogLevel log_level = SYSLOG_LEVEL_INFO;
  
@@ -80,10 +80,10 @@ index ebfb8a3..b7d59bc 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-agent.c b/ssh-agent.c
-index 9c6680a..d701479 100644
+index 7eb6f0d..1409044 100644
 --- a/ssh-agent.c
 +++ b/ssh-agent.c
-@@ -1104,6 +1104,7 @@ main(int ac, char **av)
+@@ -1196,6 +1196,7 @@ main(int ac, char **av)
  	size_t npfd = 0;
  	u_int maxfds;
  
@@ -92,10 +92,10 @@ index 9c6680a..d701479 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cb4982d..84dd269 100644
+index feafe73..9b832f6 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -2800,6 +2800,7 @@ main(int argc, char **argv)
+@@ -3140,6 +3140,7 @@ main(int argc, char **argv)
  	extern int optind;
  	extern char *optarg;
  
@@ -104,10 +104,10 @@ index cb4982d..84dd269 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index 5de0508..0644261 100644
+index a5e6440..e56a9d1 100644
 --- a/ssh-keyscan.c
 +++ b/ssh-keyscan.c
-@@ -663,6 +663,7 @@ main(int argc, char **argv)
+@@ -675,6 +675,7 @@ main(int argc, char **argv)
  	extern int optind;
  	extern char *optarg;
  
@@ -116,7 +116,7 @@ index 5de0508..0644261 100644
  	seed_rng();
  	TAILQ_INIT(&tq);
 diff --git a/ssh-keysign.c b/ssh-keysign.c
-index 6cfd5b4..23cf403 100644
+index 3e3ea3e..4804c42 100644
 --- a/ssh-keysign.c
 +++ b/ssh-keysign.c
 @@ -173,6 +173,7 @@ main(int argc, char **argv)
@@ -128,10 +128,10 @@ index 6cfd5b4..23cf403 100644
  		fatal("%s: pledge: %s", __progname, strerror(errno));
  
 diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
-index 3bcc244..6a78a1a 100644
+index 17220d6..1af0c2e 100644
 --- a/ssh-pkcs11-helper.c
 +++ b/ssh-pkcs11-helper.c
-@@ -325,6 +325,7 @@ main(int argc, char **argv)
+@@ -332,6 +332,7 @@ main(int argc, char **argv)
  	extern char *__progname;
  	struct pollfd pfd[2];
  
@@ -140,22 +140,22 @@ index 3bcc244..6a78a1a 100644
  	seed_rng();
  	TAILQ_INIT(&pkcs11_keylist);
 diff --git a/ssh.c b/ssh.c
-index 0724df4..9178673 100644
+index 49331fc..06836dd 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -598,6 +598,7 @@ main(int ac, char **av)
- 	struct ssh_digest_ctx *md;
+@@ -606,6 +606,7 @@ main(int ac, char **av)
  	u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+ 	size_t n, len;
  
 +	ssh_enable_fips_mode();
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
  
 diff --git a/sshd.c b/sshd.c
-index 2bf8939..c75e34a 100644
+index b86d682..304bf01 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1443,6 +1443,7 @@ main(int ac, char **av)
+@@ -1514,6 +1514,7 @@ main(int ac, char **av)
  	Authctxt *authctxt;
  	struct connection_info *connection_info = NULL;
  
@@ -164,7 +164,7 @@ index 2bf8939..c75e34a 100644
  	(void)set_auth_parameters(ac, av);
  #endif
 diff --git a/xmalloc.c b/xmalloc.c
-index 9cd0127..e2f8145 100644
+index b48d33b..456a063 100644
 --- a/xmalloc.c
 +++ b/xmalloc.c
 @@ -23,6 +23,10 @@
@@ -178,9 +178,9 @@ index 9cd0127..e2f8145 100644
  #include "xmalloc.h"
  #include "log.h"
  
-@@ -110,3 +114,19 @@ xasprintf(char **ret, const char *fmt, ...)
- 
- 	return (i);
+@@ -117,3 +121,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ 	va_end(ap);
+ 	return i;
  }
 +
 +void
@@ -199,13 +199,13 @@ index 9cd0127..e2f8145 100644
 +    }
 +}
 diff --git a/xmalloc.h b/xmalloc.h
-index 1d5f62d..d71b8a8 100644
+index abaf7ad..b3b1c8c 100644
 --- a/xmalloc.h
 +++ b/xmalloc.h
-@@ -24,3 +24,4 @@ char	*xstrdup(const char *);
- int	 xasprintf(char **, const char *, ...)
-                 __attribute__((__format__ (printf, 2, 3)))
+@@ -26,3 +26,4 @@ int	 xasprintf(char **, const char *, ...)
                  __attribute__((__nonnull__ (2)));
+ int	 xvasprintf(char **, const char *, va_list)
+ 		__attribute__((__nonnull__ (2)));
 +void	ssh_enable_fips_mode(void);
 -- 
 2.7.4
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
similarity index 57%
rename from recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
rename to recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
index 0e35e31..c1de130 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
@@ -1,7 +1,7 @@
-From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
+From c51dd44e1c594ddeb3a27ae5d9be2899e4bf2ac6 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@...>
 Date: Sat, 21 Dec 2019 11:45:38 +0800
-Subject: [PATCH] openssh 8.0p1 fips
+Subject: [PATCH] openssh 8.2p1 fips
 
 Port openssh-7.7p1-fips.patch from Fedora
 https://src.fedoraproject.org/rpms/openssh.git
@@ -10,30 +10,33 @@ https://src.fedoraproject.org/rpms/openssh.git
 Upstream-Status: Inappropriate [oe specific]
 
 Signed-off-by: Hongxu Jia <hongxu.jia@...>
+
+Rebase to 8.2p1
+Signed-off-by: Yi Zhao <yi.zhao@...>
 ---
  Makefile.in              | 14 +++++++-------
  cipher-ctr.c             |  3 ++-
- clientloop.c             |  3 ++-
+ clientloop.c             |  2 +-
  dh.c                     | 40 ++++++++++++++++++++++++++++++++++++++++
  dh.h                     |  1 +
  kex.c                    |  5 ++++-
  kexgexc.c                |  5 +++++
- myproposal.h             | 40 ++++++++++++++++++++++++++++++++++++++++
- readconf.c               | 17 +++++++++--------
+ myproposal.h             | 35 +++++++++++++++++++++++++++++++++++
+ readconf.c               | 15 ++++++++++-----
  sandbox-seccomp-filter.c |  3 +++
- servconf.c               | 19 ++++++++++---------
- ssh-keygen.c             | 17 ++++++++++++++++-
+ servconf.c               | 15 ++++++++++-----
+ ssh-keygen.c             | 16 +++++++++++++++-
  ssh.c                    | 16 ++++++++++++++++
- sshconnect2.c            | 11 ++++++++---
+ sshconnect2.c            |  8 ++++++--
  sshd.c                   | 19 +++++++++++++++++++
  sshkey.c                 |  4 ++++
- 16 files changed, 186 insertions(+), 31 deletions(-)
+ 16 files changed, 178 insertions(+), 23 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index adb1977..37aec69 100644
+index e754947..57f94f4 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -206,25 +206,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -44,34 +47,36 @@ index adb1977..37aec69 100644
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
  
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- 	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
+ 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
- ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
--	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
+-	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
--	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
+-	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
--	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
+-	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
--	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
+-	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
+ 	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -233,7 +233,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
  
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
--	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+-	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
++	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
- 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
+ 	$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff --git a/cipher-ctr.c b/cipher-ctr.c
 index 32771f2..74fac3b 100644
 --- a/cipher-ctr.c
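Review bot: the ssh-sk-helper link line kept as context in this hunk (`$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)`) gets no -lfipscheck, and ssh-sk-helper is also absent from the file list of 0001-conditional-enable-fips-mode.patch above, so it is the one 8.2p1 binary that neither links the check library nor calls ssh_enable_fips_mode(); either add it in both places or state in the commit message why the helper is exempt. Minor: the ssh-keyscan line now places -lfipscheck after the second -lssh (`-lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)`) while every other target puts it before $(LIBS) directly after -lopenbsd-compat; harmless, but worth keeping consistent.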
@@ -87,16 +92,15 @@ index 32771f2..74fac3b 100644
  	return (&aes_ctr);
  }
 diff --git a/clientloop.c b/clientloop.c
-index b5a1f70..0b675fe 100644
+index ebd0dbc..b3e0c19 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
+@@ -2083,7 +2083,7 @@ static int
+ key_accepted_by_hostkeyalgs(const struct sshkey *key)
  {
  	const char *ktype = sshkey_ssh_name(key);
- 	const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
--	    options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
-+	    options.hostkeyalgorithms : (FIPS_mode() ?
-+	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
+-	const char *hostkeyalgs = options.hostkeyalgorithms;
++	const char *hostkeyalgs = (FIPS_mode() ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms);
  
  	if (key == NULL || key->type == KEY_UNSPEC)
  		return 0;
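Review bot: the rewritten line replaces options.hostkeyalgorithms outright with KEX_FIPS_PK_ALG whenever FIPS_mode() is true, so an explicit HostKeyAlgorithms in ssh_config is ignored in FIPS mode; the old code only fell back to the FIPS list when the option was NULL, and the readconf.c change in this same series already filters the FIPS default into the option, so reading `options.hostkeyalgorithms` unconditionally here would respect a user's narrower list. If overriding the user setting is intended, the commit message should say so.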
@@ -169,10 +173,10 @@ index 5d6df62..54c7aa2 100644
  u_int	 dh_estimate(int);
  
 diff --git a/kex.c b/kex.c
-index 49d7015..f1f982d 100644
+index ce85f04..9cc14de 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -161,7 +161,10 @@ kex_names_valid(const char *names)
+@@ -163,7 +163,10 @@ kex_names_valid(const char *names)
  	for ((p = strsep(&cp, ",")); p && *p != '\0';
  	    (p = strsep(&cp, ","))) {
  		if (kex_alg_by_name(p) == NULL) {
@@ -185,7 +189,7 @@ index 49d7015..f1f982d 100644
  			return 0;
  		}
 diff --git a/kexgexc.c b/kexgexc.c
-index 1c65b8a..b6b25bf 100644
+index 323a659..812112d 100644
 --- a/kexgexc.c
 +++ b/kexgexc.c
 @@ -28,6 +28,7 @@
@@ -208,97 +212,86 @@ index 1c65b8a..b6b25bf 100644
  
  	/* generate and send 'e', client DH public key */
 diff --git a/myproposal.h b/myproposal.h
-index 34bd10c..a3ae74b 100644
+index 5312e60..d0accae 100644
 --- a/myproposal.h
 +++ b/myproposal.h
-@@ -111,6 +111,14 @@
+@@ -57,6 +57,20 @@
  	"rsa-sha2-256," \
  	"ssh-rsa"
  
 +#define	KEX_FIPS_PK_ALG	\
-+	HOSTKEY_ECDSA_CERT_METHODS \
++	"ecdsa-sha2-nistp256-cert-v01@...," \
++	"ecdsa-sha2-nistp384-cert-v01@...," \
++	"ecdsa-sha2-nistp521-cert-v01@...," \
++	"rsa-sha2-512-cert-v01@...," \
++	"rsa-sha2-256-cert-v01@...," \
 +	"ssh-rsa-cert-v01@...," \
-+	HOSTKEY_ECDSA_METHODS \
++	"ecdsa-sha2-nistp256," \
++	"ecdsa-sha2-nistp384," \
++	"ecdsa-sha2-nistp521," \
 +	"rsa-sha2-512," \
 +	"rsa-sha2-256," \
 +	"ssh-rsa"
 +
- /* the actual algorithms */
- 
- #define KEX_SERVER_ENCRYPT \
-@@ -134,6 +142,38 @@
+ #define	KEX_SERVER_ENCRYPT \
+ 	"chacha20-poly1305@...," \
+ 	"aes128-ctr,aes192-ctr,aes256-ctr," \
+@@ -78,6 +92,27 @@
  
  #define KEX_CLIENT_MAC KEX_SERVER_MAC
  
 +#define	KEX_FIPS_ENCRYPT \
 +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 +	"aes128-cbc,3des-cbc," \
-+	"aes192-cbc,aes256-cbc,rijndael-cbc@..." \
-+	AESGCM_CIPHER_MODES
-+#ifdef HAVE_EVP_SHA256
-+# define KEX_DEFAULT_KEX_FIPS		\
-+	KEX_ECDH_METHODS \
-+	KEX_SHA2_METHODS \
++	"aes192-cbc,aes256-cbc,rijndael-cbc@...," \
++	"aes128-gcm@...,aes256-gcm@..."
++#define KEX_DEFAULT_KEX_FIPS		\
++	"ecdh-sha2-nistp256," \
++	"ecdh-sha2-nistp384," \
++	"ecdh-sha2-nistp521," \
++	"diffie-hellman-group-exchange-sha256," \
++	"diffie-hellman-group16-sha512," \
++	"diffie-hellman-group18-sha512," \
 +	"diffie-hellman-group14-sha256"
-+# define KEX_FIPS_MAC \
++#define KEX_FIPS_MAC \
 +	"hmac-sha1," \
 +	"hmac-sha2-256," \
 +	"hmac-sha2-512," \
 +	"hmac-sha1-etm@...," \
 +	"hmac-sha2-256-etm@...," \
 +	"hmac-sha2-512-etm@..."
-+#else
-+# ifdef OPENSSL_HAS_NISTP521
-+#  define KEX_DEFAULT_KEX_FIPS		\
-+	"ecdh-sha2-nistp256," \
-+	"ecdh-sha2-nistp384," \
-+	"ecdh-sha2-nistp521"
-+# else
-+#  define KEX_DEFAULT_KEX_FIPS		\
-+	"ecdh-sha2-nistp256," \
-+	"ecdh-sha2-nistp384"
-+# endif
-+#define        KEX_FIPS_MAC \
-+       "hmac-sha1"
-+#endif
 +
  /* Not a KEX value, but here so all the algorithm defaults are together */
  #define	SSH_ALLOWED_CA_SIGALGS	\
- 	HOSTKEY_ECDSA_METHODS \
+ 	"ecdsa-sha2-nistp256," \
 diff --git a/readconf.c b/readconf.c
-index f78b4d6..2f56ed2 100644
+index f3cac6b..26b9a59 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
- 	all_kex = kex_alg_list(',');
+@@ -2187,11 +2187,16 @@ fill_default_options(Options * options)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
--#define ASSEMBLE(what, defaults, all) \
-+#define ASSEMBLE(what, defaults, fips_defaults, all) \
+ 	/* remove unsupported algos from default lists */
+-	def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+-	def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+-	def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+-	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++	def_cipher = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
++	def_mac = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
++	def_kex = match_filter_whitelist((FIPS_mode() ?
++	    KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
++	def_key = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
++	def_sig = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
  	do { \
  		if ((r = kex_assemble_names(&options->what, \
--		    defaults, all)) != 0) \
-+		    (FIPS_mode() ? fips_defaults : defaults), \
-+		    all)) != 0) \
- 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
- 	} while (0)
--	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
--	ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
--	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
--	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+	ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
-+	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
-+	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
- #undef ASSEMBLE
- 	free(all_cipher);
- 	free(all_mac);
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70..f0607a3 100644
+index f80981f..00702a7 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
 @@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
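Review bot: in the readconf.c part of this hunk, def_sig is built from KEX_FIPS_PK_ALG in FIPS mode, but that list (defined in the myproposal.h part above) contains the `*-cert-v01@...` names, whereas the non-FIPS source SSH_ALLOWED_CA_SIGALGS holds only plain key types; ca_sign_algorithms should not carry certificate types, so a separate FIPS CA-signature list made of the plain ecdsa-sha2-nistp* and rsa-sha2-* entries would be the safer substitute. Separately, KEX_FIPS_ENCRYPT keeps aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc and rijndael-cbc@..., none of which appear in the 8.2p1 KEX_SERVER_ENCRYPT context shown above, so enabling FIPS mode widens the cipher set relative to the non-FIPS default; if that is carried over from the Fedora patch, one sentence in the commit message would save the next rebase the same question.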
@@ -312,43 +305,36 @@ index b5cda70..f0607a3 100644
  	SC_DENY(__NR_openat, EACCES),
  #endif
 diff --git a/servconf.c b/servconf.c
-index e76f9c3..591d437 100644
+index 70f5f73..815beaf 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
- 	all_kex = kex_alg_list(',');
+@@ -212,11 +212,16 @@ assemble_algorithms(ServerOptions *o)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
--#define ASSEMBLE(what, defaults, all) \
-+#define ASSEMBLE(what, defaults, fips_defaults, all) \
+ 	/* remove unsupported algos from default lists */
+-	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
+-	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
+-	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
+-	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++	def_cipher = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
++	def_mac = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
++	def_kex = match_filter_whitelist((FIPS_mode() ?
++	    KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
++	def_key = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
++	def_sig = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
  	do { \
--		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
-+		if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
-+		    ? fips_defaults : defaults), all)) != 0) \
- 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
- 	} while (0)
--	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
--	ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
--	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
--	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+	ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
-+	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
-+	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
- #undef ASSEMBLE
- 	free(all_cipher);
- 	free(all_mac);
+ 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 8c829ca..cb4982d 100644
+index 0d6ed1f..feafe73 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
+@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
  #endif
  	}
  #ifdef WITH_OPENSSL
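Review bot: same point as for readconf.c: in servconf.c def_sig takes KEX_FIPS_PK_ALG, which includes the `*-cert-v01@...` entries, in place of SSH_ALLOWED_CA_SIGALGS; the server-side ca_sign_algorithms list should stay restricted to plain signature algorithm names.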
@@ -361,17 +347,16 @@ index 8c829ca..cb4982d 100644
  	switch (type) {
  	case KEY_DSA:
  		if (*bitsp != 1024)
-@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1088,9 +1094,17 @@ do_gen_all_hostkeys(struct passwd *pw)
  			first = 1;
  			printf("%s: generating new host keys: ", __progname);
  		}
-+
 +		type = sshkey_type_from_name(key_types[i].key_type);
 +
 +		/* Skip the keys that are not supported in FIPS mode */
 +		if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
 +			logit("Skipping %s key in FIPS mode",
-+				key_types[i].key_type_display);
++			    key_types[i].key_type_display);
 +			goto next;
 +		}
 +
@@ -382,10 +367,10 @@ index 8c829ca..cb4982d 100644
  			error("Could not save your public key in %s: %s",
  			    prv_tmp, strerror(errno));
 diff --git a/ssh.c b/ssh.c
-index ee51823..0724df4 100644
+index 15aee56..49331fc 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -76,6 +76,8 @@
+@@ -77,6 +77,8 @@
  #include <openssl/evp.h>
  #include <openssl/err.h>
  #endif
@@ -394,7 +379,7 @@ index ee51823..0724df4 100644
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
-@@ -600,6 +602,16 @@ main(int ac, char **av)
+@@ -608,6 +610,16 @@ main(int ac, char **av)
  	sanitise_stdfd();
  
  	__progname = ssh_get_progname(av[0]);
@@ -411,7 +396,7 @@ index ee51823..0724df4 100644
  
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
-@@ -614,6 +626,10 @@ main(int ac, char **av)
+@@ -622,6 +634,10 @@ main(int ac, char **av)
  
  	seed_rng();
  
@@ -423,7 +408,7 @@ index ee51823..0724df4 100644
  	 * Discard other fds that are hanging around. These can cause problem
  	 * with backgrounded ssh processes started by ControlPersist.
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 87fa70a..a42aacb 100644
+index af00fb3..639fc51 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -44,6 +44,8 @@
@@ -435,37 +420,28 @@ index 87fa70a..a42aacb 100644
  #include "openbsd-compat/sys-queue.h"
  
  #include "xmalloc.h"
-@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -119,7 +121,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
  	for (i = 0; i < options.num_system_hostfiles; i++)
  		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
  
--	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+-	oavail = avail = xstrdup(options.hostkeyalgorithms);
 +	oavail = avail = xstrdup((FIPS_mode()
-+	    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
++	    ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms));
  	maxlen = strlen(avail) + 1;
  	first = xmalloc(maxlen);
  	last = xmalloc(maxlen);
-@@ -179,14 +182,16 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
- 	if (options.hostkeyalgorithms != NULL) {
- 		all_key = sshkey_alg_list(0, 0, 1, ',');
- 		if (kex_assemble_names(&options.hostkeyalgorithms,
--		    KEX_DEFAULT_PK_ALG, all_key) != 0)
-+		    (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
-+		    all_key) != 0)
- 			fatal("%s: kex_assemble_namelist", __func__);
- 		free(all_key);
- 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    compat_pkalg_proposal(options.hostkeyalgorithms);
- 	} else {
- 		/* Enforce default */
--		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
-+		options.hostkeyalgorithms = xstrdup((FIPS_mode()
-+		    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
- 		/* Prefer algorithms that we already have keys for */
- 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    compat_pkalg_proposal(
+@@ -179,7 +182,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+ 	/* Expand or fill in HostkeyAlgorithms */
+ 	all_key = sshkey_alg_list(0, 0, 1, ',');
+ 	if (kex_assemble_names(&options.hostkeyalgorithms,
+-	    kex_default_pk_alg(), all_key) != 0)
++	    (FIPS_mode() ? KEX_FIPS_PK_ALG : kex_default_pk_alg()),
++	    all_key) != 0)
+ 		fatal("%s: kex_assemble_namelist", __func__);
+ 	free(all_key);
+ 
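Review bot: in order_hostkeyalgs the FIPS branch substitutes the constant KEX_FIPS_PK_ALG for options.hostkeyalgorithms, while the ssh_kex2 hunk just below has expanded the user's HostkeyAlgorithms against that same FIPS default via kex_assemble_names(); so in FIPS mode a HostkeyAlgorithms setting that restricts or reorders algorithms is honoured in the proposal but ignored when choosing which known-hosts key types to prefer. Filtering options.hostkeyalgorithms against KEX_FIPS_PK_ALG, the match_filter_whitelist() pattern the readconf.c part of this patch already uses, would keep the two in step.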
 diff --git a/sshd.c b/sshd.c
-index f8dee0f..2bf8939 100644
+index 5b9a0b5..b86d682 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -66,6 +66,7 @@
@@ -485,7 +461,7 @@ index f8dee0f..2bf8939 100644
  #include "openbsd-compat/openssl-compat.h"
  #endif
  
-@@ -1445,6 +1448,18 @@ main(int ac, char **av)
+@@ -1516,6 +1519,18 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
@@ -504,7 +480,7 @@ index f8dee0f..2bf8939 100644
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
  	saved_argc = ac;
  	rexec_argc = ac;
-@@ -1910,6 +1925,10 @@ main(int ac, char **av)
+@@ -1990,6 +2005,10 @@ main(int ac, char **av)
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
@@ -516,7 +492,7 @@ index f8dee0f..2bf8939 100644
  	   unmounted if desired. */
  	if (chdir("/") == -1)
 diff --git a/sshkey.c b/sshkey.c
-index ef90563..1b1ba01 100644
+index 57995ee..3fa4274 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -34,6 +34,7 @@
@@ -532,10 +508,10 @@ index ef90563..1b1ba01 100644
  #include "sshkey.h"
  #include "match.h"
 +#include "log.h"
+ #include "ssh-sk.h"
  
  #ifdef WITH_XMSS
- #include "sshkey-xmss.h"
-@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+@@ -1597,6 +1599,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
  	}
  	if (!BN_set_word(f4, RSA_F4) ||
  	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
index 8b74451..c7635b2 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -1,4 +1,4 @@
-From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
+From bf3211bbff5cb9e1ef588f74844b04e09a9ad2b6 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@...>
 Date: Sat, 21 Dec 2019 13:05:19 +0800
 Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers
@@ -18,6 +18,7 @@ Signed-off-by: Mark Hatle <mark.hatle@...>
 
 Upstream-Status: Inappropriate [oe specific]
 Signed-off-by: Hongxu Jia <hongxu.jia@...>
+Signed-off-by: Yi Zhao <yi.zhao@...>
 ---
  Makefile.in    |   7 +-
  ctr-cavstest.c | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -25,7 +26,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@...>
  create mode 100644 ctr-cavstest.c
 
 diff --git a/Makefile.in b/Makefile.in
-index 37aec69..1d6e298 100644
+index 57f94f4..0accd89 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
@@ -34,35 +35,35 @@ index 37aec69..1d6e298 100644
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
  PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -68,7 +69,7 @@ MKDIR_P=@MKDIR_P@
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
+ .SUFFIXES: .lo
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
  
  XMSS_OBJS=\
  	ssh-xmss.o \
-@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -232,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
  
 +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
 +	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 +
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
-@@ -348,6 +352,7 @@ install-files:
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -389,6 +393,7 @@ install-files:
  	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-+	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
++	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 diff --git a/ctr-cavstest.c b/ctr-cavstest.c
 new file mode 100644
 index 0000000..0d4776b
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
index 0cbccd7..4a0ae2c 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
@@ -1,4 +1,4 @@
-From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
+From a2c2c21275ea701c2f0ae54bf5945c92860e9208 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@...>
 Date: Sat, 21 Dec 2019 13:08:52 +0800
 Subject: [PATCH] add KDF CAVS test driver
@@ -19,6 +19,7 @@ Signed-off-by: Mark Hatle <mark.hatle@...>
 Upstream-Status: Inappropriate [oe specific]
 
 Signed-off-by: Hongxu Jia <hongxu.jia@...>
+Signed-off-by: Yi Zhao <yi.zhao@...>
 ---
  Makefile.in        |   8 +-
  ssh-cavs.c         | 387 +++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -28,7 +29,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@...>
  create mode 100644 ssh-cavs_driver.pl
 
 diff --git a/Makefile.in b/Makefile.in
-index 1d6e298..be28411 100644
+index 0accd89..5789323 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
@@ -37,36 +38,36 @@ index 1d6e298..be28411 100644
  CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
 +SSH_CAVS=$(libexecdir)/ssh-cavs
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
  PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -61,7 +62,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
+ .SUFFIXES: .lo
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
  
  XMSS_OBJS=\
  	ssh-xmss.o \
-@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
+@@ -236,6 +237,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
  ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
  	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
-+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
-+	$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
++	$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
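Review bot: ssh-cavs now links $(SKOBJS) in addition to ssh-cavs.o, but ctr-cavstest in the same Makefile (the context lines just above) does not, and neither this patch's header nor the commit message says why. If the reason is that libssh.a's key code now depends on the security-key glue (the sshkey.c context in the fips patch now shows #include "ssh-sk.h"), a sentence to that effect in the patch description would save the next person refreshing this for 8.3 the same investigation.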
-@@ -353,6 +357,8 @@ install-files:
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+@@ -394,6 +398,8 @@ install-files:
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
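Review bot: the install line for ssh-cavs_driver.pl carries $(STRIP_OPT); when STRIP_OPT is -s, install(1) runs strip on a Perl script, which is not an object file, and the install step fails. Drop $(STRIP_OPT) from that one line and keep it on the ctr-cavstest and ssh-cavs binaries above it. The line is unchanged context from V1, but the refresh is the right moment to fix it.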
 diff --git a/ssh-cavs.c b/ssh-cavs.c
 new file mode 100644
 index 0000000..b74ae7f
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 0eafb98..c74532f 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,7 +6,7 @@ DEPENDS += " \
 RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
 
 SRC_URI += " \
-    file://0001-openssh-8.0p1-fips.patch \
+    file://0001-openssh-8.2p1-fips.patch \
     file://0001-conditional-enable-fips-mode.patch \
     file://openssh-6.6p1-ctr-cavstest.patch \
     file://openssh-6.7p1-kdf-cavs.patch \

[meta-openssl102-fips][PATCH V2] openssh: refresh patches to 8.2p1

Yi Zhao

Refresh patches to openssh-8.2p1.
Reference:
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
(commit 51f5c1c99f1d20e48328edde666061d0ce0da83b)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../0001-conditional-enable-fips-mode.patch | 54 ++--
...ps.patch => 0001-openssh-8.2p1-fips.patch} | 300 ++++++++----------
.../openssh/openssh-6.6p1-ctr-cavstest.patch | 35 +-
.../openssh/openssh-6.7p1-kdf-cavs.patch | 35 +-
recipes-connectivity/openssh/openssh_fips.inc | 2 +-
5 files changed, 202 insertions(+), 224 deletions(-)
rename recipes-connectivity/openssh/openssh/{0001-openssh-8.0p1-fips.patch => 0001-openssh-8.2p1-fips.patch} (57%)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index a0f496a..942fda6 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From 60204df9d1f54f581f9ddc5443228550cadd4b4b Mon Sep 17 00:00:00 2001
+From ef6490841a73b4f71ca35e09328c6a8b0ad9dba9 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 21 Dec 2019 13:03:23 +0800
Subject: [PATCH] conditional enable fips mode
@@ -56,10 +56,10 @@ index 359204f..346255a 100644
log_init(__progname, log_level, log_facility, log_stderr);

diff --git a/sftp.c b/sftp.c
-index b66037f..ca263ac 100644
+index ff14d3c..a633200 100644
--- a/sftp.c
+++ b/sftp.c
-@@ -2387,6 +2387,7 @@ main(int argc, char **argv)
+@@ -2390,6 +2390,7 @@ main(int argc, char **argv)
size_t num_requests = DEFAULT_NUM_REQUESTS;
long long limit_kbps = 0;

@@ -68,10 +68,10 @@ index b66037f..ca263ac 100644
sanitise_stdfd();
msetlocale();
diff --git a/ssh-add.c b/ssh-add.c
-index ebfb8a3..b7d59bc 100644
+index 8057eb1..19f3da2 100644
--- a/ssh-add.c
+++ b/ssh-add.c
-@@ -577,6 +577,7 @@ main(int argc, char **argv)
+@@ -628,6 +628,7 @@ main(int argc, char **argv)
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
LogLevel log_level = SYSLOG_LEVEL_INFO;

@@ -80,10 +80,10 @@ index ebfb8a3..b7d59bc 100644
sanitise_stdfd();

diff --git a/ssh-agent.c b/ssh-agent.c
-index 9c6680a..d701479 100644
+index 7eb6f0d..1409044 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
-@@ -1104,6 +1104,7 @@ main(int ac, char **av)
+@@ -1196,6 +1196,7 @@ main(int ac, char **av)
size_t npfd = 0;
u_int maxfds;

@@ -92,10 +92,10 @@ index 9c6680a..d701479 100644
sanitise_stdfd();

diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cb4982d..84dd269 100644
+index feafe73..9b832f6 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
-@@ -2800,6 +2800,7 @@ main(int argc, char **argv)
+@@ -3140,6 +3140,7 @@ main(int argc, char **argv)
extern int optind;
extern char *optarg;

@@ -104,10 +104,10 @@ index cb4982d..84dd269 100644
sanitise_stdfd();

diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index 5de0508..0644261 100644
+index a5e6440..e56a9d1 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
-@@ -663,6 +663,7 @@ main(int argc, char **argv)
+@@ -675,6 +675,7 @@ main(int argc, char **argv)
extern int optind;
extern char *optarg;

@@ -116,7 +116,7 @@ index 5de0508..0644261 100644
seed_rng();
TAILQ_INIT(&tq);
diff --git a/ssh-keysign.c b/ssh-keysign.c
-index 6cfd5b4..23cf403 100644
+index 3e3ea3e..4804c42 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -173,6 +173,7 @@ main(int argc, char **argv)
@@ -128,10 +128,10 @@ index 6cfd5b4..23cf403 100644
fatal("%s: pledge: %s", __progname, strerror(errno));

diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
-index 3bcc244..6a78a1a 100644
+index 17220d6..1af0c2e 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
-@@ -325,6 +325,7 @@ main(int argc, char **argv)
+@@ -332,6 +332,7 @@ main(int argc, char **argv)
extern char *__progname;
struct pollfd pfd[2];

@@ -140,22 +140,22 @@ index 3bcc244..6a78a1a 100644
seed_rng();
TAILQ_INIT(&pkcs11_keylist);
diff --git a/ssh.c b/ssh.c
-index 0724df4..9178673 100644
+index 49331fc..06836dd 100644
--- a/ssh.c
+++ b/ssh.c
-@@ -598,6 +598,7 @@ main(int ac, char **av)
- struct ssh_digest_ctx *md;
+@@ -606,6 +606,7 @@ main(int ac, char **av)
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+ size_t n, len;

+ ssh_enable_fips_mode();
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

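Review bot: ssh_enable_fips_mode() is inserted before sanitise_stdfd() in ssh.c, and the sftp.c, ssh-add.c, ssh-agent.c and ssh-keygen.c hunks above use the same ordering; whatever it logs or fatal()s on failure is therefore written before fds 0, 1 and 2 are guaranteed to be open, and the diagnostic about FIPS initialisation is the one message you least want to lose. Placing the call immediately after sanitise_stdfd() in each of those mains keeps it first in the program logic while still getting sane descriptors.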
diff --git a/sshd.c b/sshd.c
-index 2bf8939..c75e34a 100644
+index b86d682..304bf01 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -1443,6 +1443,7 @@ main(int ac, char **av)
+@@ -1514,6 +1514,7 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;

@@ -164,7 +164,7 @@ index 2bf8939..c75e34a 100644
(void)set_auth_parameters(ac, av);
#endif
diff --git a/xmalloc.c b/xmalloc.c
-index 9cd0127..e2f8145 100644
+index b48d33b..456a063 100644
--- a/xmalloc.c
+++ b/xmalloc.c
@@ -23,6 +23,10 @@
@@ -178,9 +178,9 @@ index 9cd0127..e2f8145 100644
#include "xmalloc.h"
#include "log.h"

-@@ -110,3 +114,19 @@ xasprintf(char **ret, const char *fmt, ...)
-
- return (i);
+@@ -117,3 +121,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ va_end(ap);
+ return i;
}
+
+void
@@ -199,13 +199,13 @@ index 9cd0127..e2f8145 100644
+ }
+}
diff --git a/xmalloc.h b/xmalloc.h
-index 1d5f62d..d71b8a8 100644
+index abaf7ad..b3b1c8c 100644
--- a/xmalloc.h
+++ b/xmalloc.h
-@@ -24,3 +24,4 @@ char *xstrdup(const char *);
- int xasprintf(char **, const char *, ...)
- __attribute__((__format__ (printf, 2, 3)))
+@@ -26,3 +26,4 @@ int xasprintf(char **, const char *, ...)
__attribute__((__nonnull__ (2)));
+ int xvasprintf(char **, const char *, va_list)
+ __attribute__((__nonnull__ (2)));
+void ssh_enable_fips_mode(void);
--
2.7.4
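Review bot: ssh_enable_fips_mode() is declared in xmalloc.h and defined in xmalloc.c, the allocation wrappers; nothing in the file name or the header leads a reader to FIPS initialisation there. If the motivation is that xmalloc.o is part of libssh.a and is therefore linked into every program, say so in a comment at the definition, or give the function its own small fips.c/fips.h pair, which is also where the -lfipscheck dependency added in the 8.2p1 fips patch presumably belongs.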
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
similarity index 57%
rename from recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
rename to recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
index 0e35e31..c1de130 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
@@ -1,7 +1,7 @@
-From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
+From c51dd44e1c594ddeb3a27ae5d9be2899e4bf2ac6 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 21 Dec 2019 11:45:38 +0800
-Subject: [PATCH] openssh 8.0p1 fips
+Subject: [PATCH] openssh 8.2p1 fips

Port openssh-7.7p1-fips.patch from Fedora
https://src.fedoraproject.org/rpms/openssh.git
@@ -10,30 +10,33 @@ https://src.fedoraproject.org/rpms/openssh.git
Upstream-Status: Inappropriate [oe specific]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
+Rebase to 8.2p1
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
Makefile.in | 14 +++++++-------
cipher-ctr.c | 3 ++-
- clientloop.c | 3 ++-
+ clientloop.c | 2 +-
dh.c | 40 ++++++++++++++++++++++++++++++++++++++++
dh.h | 1 +
kex.c | 5 ++++-
kexgexc.c | 5 +++++
- myproposal.h | 40 ++++++++++++++++++++++++++++++++++++++++
- readconf.c | 17 +++++++++--------
+ myproposal.h | 35 +++++++++++++++++++++++++++++++++++
+ readconf.c | 15 ++++++++++-----
sandbox-seccomp-filter.c | 3 +++
- servconf.c | 19 ++++++++++---------
- ssh-keygen.c | 17 ++++++++++++++++-
+ servconf.c | 15 ++++++++++-----
+ ssh-keygen.c | 16 +++++++++++++++-
ssh.c | 16 ++++++++++++++++
- sshconnect2.c | 11 ++++++++---
+ sshconnect2.c | 8 ++++++--
sshd.c | 19 +++++++++++++++++++
sshkey.c | 4 ++++
- 16 files changed, 186 insertions(+), 31 deletions(-)
+ 16 files changed, 178 insertions(+), 23 deletions(-)

diff --git a/Makefile.in b/Makefile.in
-index adb1977..37aec69 100644
+index e754947..57f94f4 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -206,25 +206,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@

ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -44,34 +47,36 @@ index adb1977..37aec69 100644
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)

- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
+ $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

- ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
-- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
+- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
-- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
+- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
-- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
+- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
-- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
+- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
+ $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -233,7 +233,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)

- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
-- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
++ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
+ $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
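Review bot: -lfipscheck is added to the ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keysign and ssh-keyscan link lines but not to scp, ssh-pkcs11-helper, ssh-sk-helper or sftp-server, whose lines stay as unchanged context, yet the companion conditional-enable patch calls ssh_enable_fips_mode() from ssh-pkcs11-helper.c and sftp.c as well. Either the function does not need libfipscheck, in which case the seven explicit additions are redundant, or the remaining targets are missing it and only link because $(LIBS) happens to pull it in; the patch header should state which, and the link set should be made consistent across all programs that call it.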
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 32771f2..74fac3b 100644
--- a/cipher-ctr.c
@@ -87,16 +92,15 @@ index 32771f2..74fac3b 100644
return (&aes_ctr);
}
diff --git a/clientloop.c b/clientloop.c
-index b5a1f70..0b675fe 100644
+index ebd0dbc..b3e0c19 100644
--- a/clientloop.c
+++ b/clientloop.c
-@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
+@@ -2083,7 +2083,7 @@ static int
+ key_accepted_by_hostkeyalgs(const struct sshkey *key)
{
const char *ktype = sshkey_ssh_name(key);
- const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
-- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
-+ options.hostkeyalgorithms : (FIPS_mode() ?
-+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
+- const char *hostkeyalgs = options.hostkeyalgorithms;
++ const char *hostkeyalgs = (FIPS_mode() ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms);

if (key == NULL || key->type == KEY_UNSPEC)
return 0;
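Review bot: the replacement line in key_accepted_by_hostkeyalgs runs well past 80 columns; OpenSSH follows KNF, so wrap it as the V1 version did, with the ternary on its own four-space continuation line. Semantically it has the same effect as the sshconnect2.c change: in FIPS mode the user's HostkeyAlgorithms is replaced by the fixed KEX_FIPS_PK_ALG rather than filtered by it, so a key type the user deliberately excluded can still be accepted when the server offers host keys for known_hosts updates.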
@@ -169,10 +173,10 @@ index 5d6df62..54c7aa2 100644
u_int dh_estimate(int);

diff --git a/kex.c b/kex.c
-index 49d7015..f1f982d 100644
+index ce85f04..9cc14de 100644
--- a/kex.c
+++ b/kex.c
-@@ -161,7 +161,10 @@ kex_names_valid(const char *names)
+@@ -163,7 +163,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@@ -185,7 +189,7 @@ index 49d7015..f1f982d 100644
return 0;
}
diff --git a/kexgexc.c b/kexgexc.c
-index 1c65b8a..b6b25bf 100644
+index 323a659..812112d 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -28,6 +28,7 @@
@@ -208,97 +212,86 @@ index 1c65b8a..b6b25bf 100644

/* generate and send 'e', client DH public key */
diff --git a/myproposal.h b/myproposal.h
-index 34bd10c..a3ae74b 100644
+index 5312e60..d0accae 100644
--- a/myproposal.h
+++ b/myproposal.h
-@@ -111,6 +111,14 @@
+@@ -57,6 +57,20 @@
"rsa-sha2-256," \
"ssh-rsa"

+#define KEX_FIPS_PK_ALG \
-+ HOSTKEY_ECDSA_CERT_METHODS \
++ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
++ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
++ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
++ "rsa-sha2-512-cert-v01@openssh.com," \
++ "rsa-sha2-256-cert-v01@openssh.com," \
+ "ssh-rsa-cert-v01@openssh.com," \
-+ HOSTKEY_ECDSA_METHODS \
++ "ecdsa-sha2-nistp256," \
++ "ecdsa-sha2-nistp384," \
++ "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \
+ "rsa-sha2-256," \
+ "ssh-rsa"
+
- /* the actual algorithms */
-
- #define KEX_SERVER_ENCRYPT \
-@@ -134,6 +142,38 @@
+ #define KEX_SERVER_ENCRYPT \
+ "chacha20-poly1305@openssh.com," \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
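Review bot: KEX_FIPS_PK_ALG keeps "ssh-rsa" and "ssh-rsa-cert-v01@openssh.com", which are RSA signatures over SHA-1; SP 800-131A disallows SHA-1 for signature generation, so a FIPS-mode sshd offering them is at odds with the mode it advertises. If they must stay for interoperability with older peers, say so in the patch header and keep them last, as here; otherwise trim the FIPS list to the rsa-sha2-* and ecdsa entries. Spelling the lists out as literals instead of HOSTKEY_ECDSA_*_METHODS is the right call for 8.2, whose myproposal.h no longer has those macros (the SSH_ALLOWED_CA_SIGALGS context further down shows the same rewrite).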
+@@ -78,6 +92,27 @@

#define KEX_CLIENT_MAC KEX_SERVER_MAC

+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
-+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
-+ AESGCM_CIPHER_MODES
-+#ifdef HAVE_EVP_SHA256
-+# define KEX_DEFAULT_KEX_FIPS \
-+ KEX_ECDH_METHODS \
-+ KEX_SHA2_METHODS \
++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
++ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
++#define KEX_DEFAULT_KEX_FIPS \
++ "ecdh-sha2-nistp256," \
++ "ecdh-sha2-nistp384," \
++ "ecdh-sha2-nistp521," \
++ "diffie-hellman-group-exchange-sha256," \
++ "diffie-hellman-group16-sha512," \
++ "diffie-hellman-group18-sha512," \
+ "diffie-hellman-group14-sha256"
-+# define KEX_FIPS_MAC \
++#define KEX_FIPS_MAC \
+ "hmac-sha1," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
+ "hmac-sha1-etm@openssh.com," \
+ "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com"
-+#else
-+# ifdef OPENSSL_HAS_NISTP521
-+# define KEX_DEFAULT_KEX_FIPS \
-+ "ecdh-sha2-nistp256," \
-+ "ecdh-sha2-nistp384," \
-+ "ecdh-sha2-nistp521"
-+# else
-+# define KEX_DEFAULT_KEX_FIPS \
-+ "ecdh-sha2-nistp256," \
-+ "ecdh-sha2-nistp384"
-+# endif
-+#define KEX_FIPS_MAC \
-+ "hmac-sha1"
-+#endif
+
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
- HOSTKEY_ECDSA_METHODS \
+ "ecdsa-sha2-nistp256," \
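Review bot: KEX_FIPS_ENCRYPT offers aes128-cbc, aes192-cbc, aes256-cbc, rijndael-cbc@lysator.liu.se and 3des-cbc, none of which appear in upstream's KEX_SERVER_ENCRYPT default (the context above begins with chacha20-poly1305 and the aes-ctr modes); CBC ciphers have been out of upstream's defaults since 6.7 and 3DES is deprecated under SP 800-131A rev2, so enabling FIPS mode should not widen the cipher set relative to the non-FIPS default. Suggest limiting the list to the aes-ctr and aes-gcm entries, or documenting in the header why the CBC set is required. Dropping the HAVE_EVP_SHA256 and OPENSSL_HAS_NISTP521 guards is safe because the def_kex and def_mac lists are now passed through match_filter_whitelist() against what the library actually supports in the readconf.c and servconf.c hunks.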
diff --git a/readconf.c b/readconf.c
-index f78b4d6..2f56ed2 100644
+index f3cac6b..26b9a59 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
- all_kex = kex_alg_list(',');
+@@ -2187,11 +2187,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
--#define ASSEMBLE(what, defaults, all) \
-+#define ASSEMBLE(what, defaults, fips_defaults, all) \
+ /* remove unsupported algos from default lists */
+- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++ def_cipher = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
++ def_mac = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
++ def_kex = match_filter_whitelist((FIPS_mode() ?
++ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
++ def_key = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
++ def_sig = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&options->what, \
-- defaults, all)) != 0) \
-+ (FIPS_mode() ? fips_defaults : defaults), \
-+ all)) != 0) \
- fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
- } while (0)
-- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
-- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
-- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
-- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
-+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
-+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
-+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
- #undef ASSEMBLE
- free(all_cipher);
- free(all_mac);
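Review bot: the FIPS branch for def_sig reuses KEX_FIPS_PK_ALG, a host-key list that (per the myproposal.h hunk in this series) carries the -cert-v01@openssh.com names and ssh-rsa, in place of SSH_ALLOWED_CA_SIGALGS, which is a list of plain signature algorithms. Because all_sig is built with sshkey_alg_list(0, 1, 1, ','), i.e. plain types only, match_filter_whitelist() drops the certificate names silently, so the mismatch is mostly harmless today, but the FIPS CA list is then defined by accident rather than by intent and ssh-rsa (SHA-1) stays in it. Suggest a dedicated KEX_FIPS_CA_SIGALGS containing rsa-sha2-512, rsa-sha2-256 and the three ecdsa-sha2-nistp* names, and passing that here; a short comment above the def_* block saying that KEX_FIPS_* replaces the defaults before whitelisting would also stop the next rebase from reintroducing the old ASSEMBLE() variant.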
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70..f0607a3 100644
+index f80981f..00702a7 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
@@ -312,43 +305,36 @@ index b5cda70..f0607a3 100644
SC_DENY(__NR_openat, EACCES),
#endif
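Review bot: this hunk widens preauth_insns[] by three lines (sandbox-seccomp-filter.c | 3 +++ in the diffstat) but nothing in the series says which syscall is being allowed for FIPS mode or why the unprivileged pre-auth child needs it. Since this is the pre-authentication sandbox, please name the syscall and the reason in the patch header, and prefer an SC_ALLOW_ARG() restriction over a blanket SC_ALLOW() if the libcrypto FIPS self-test only needs one specific call.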
diff --git a/servconf.c b/servconf.c
-index e76f9c3..591d437 100644
+index 70f5f73..815beaf 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
- all_kex = kex_alg_list(',');
+@@ -212,11 +212,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
--#define ASSEMBLE(what, defaults, all) \
-+#define ASSEMBLE(what, defaults, fips_defaults, all) \
+ /* remove unsupported algos from default lists */
+- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
+- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
+- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
+- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++ def_cipher = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
++ def_mac = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
++ def_kex = match_filter_whitelist((FIPS_mode() ?
++ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
++ def_key = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
++ def_sig = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
do { \
-- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
-+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
-+ ? fips_defaults : defaults), all)) != 0) \
- fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
- } while (0)
-- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
-- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
-- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
-- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
-+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
-+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
-+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
- #undef ASSEMBLE
- free(all_cipher);
- free(all_mac);
+ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
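Review bot: the old hunk applied the FIPS substitution inside ASSEMBLE(), so hostkeyalgorithms, hostbased_key_types and pubkey_key_types were covered by construction; the refreshed hunk only rewrites def_cipher, def_mac, def_kex, def_key and def_sig and leaves the macro as upstream has it, so coverage now depends on every ASSEMBLE() call in 8.2p1's assemble_algorithms() consuming a def_* variable. Please confirm that the hostkeyalgorithms line in particular (which the old hunk listed explicitly and the new one no longer mentions) takes def_key, and say so in the patch description. As on the client side, def_sig is seeded from the host-key list KEX_FIPS_PK_ALG rather than a CA-signature list; a separate KEX_FIPS_CA_SIGALGS would make the intent explicit.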
diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 8c829ca..cb4982d 100644
+index 0d6ed1f..feafe73 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
-@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
+@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
#endif
}
#ifdef WITH_OPENSSL
@@ -361,17 +347,16 @@ index 8c829ca..cb4982d 100644
switch (type) {
case KEY_DSA:
if (*bitsp != 1024)
-@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1088,9 +1094,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1;
printf("%s: generating new host keys: ", __progname);
}
-+
+ type = sshkey_type_from_name(key_types[i].key_type);
+
+ /* Skip the keys that are not supported in FIPS mode */
+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
+ logit("Skipping %s key in FIPS mode",
-+ key_types[i].key_type_display);
++ key_types[i].key_type_display);
+ goto next;
+ }
+
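Review bot: the FIPS skip is a denylist (KEY_DSA, KEY_ED25519), while 8.2p1 also builds XMSS host keys when WITH_XMSS is set (see the sshkey.c hunk in this patch) and introduces the security-key types serviced by ssh-sk-helper; any type that reaches do_gen_all_hostkeys() and is not in the denylist gets generated on a FIPS system without a word of warning. Turning the test around survives future key types: if (FIPS_mode() && type != KEY_RSA && type != KEY_ECDSA) { logit(...); goto next; }. A comment at the condition stating that only RSA and ECDSA have approved implementations in the FIPS module would also help the next rebase.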
@@ -382,10 +367,10 @@ index 8c829ca..cb4982d 100644
error("Could not save your public key in %s: %s",
prv_tmp, strerror(errno));
diff --git a/ssh.c b/ssh.c
-index ee51823..0724df4 100644
+index 15aee56..49331fc 100644
--- a/ssh.c
+++ b/ssh.c
-@@ -76,6 +76,8 @@
+@@ -77,6 +77,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#endif
@@ -394,7 +379,7 @@ index ee51823..0724df4 100644
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"

-@@ -600,6 +602,16 @@ main(int ac, char **av)
+@@ -608,6 +610,16 @@ main(int ac, char **av)
sanitise_stdfd();

__progname = ssh_get_progname(av[0]);
@@ -411,7 +396,7 @@ index ee51823..0724df4 100644

#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
-@@ -614,6 +626,10 @@ main(int ac, char **av)
+@@ -622,6 +634,10 @@ main(int ac, char **av)

seed_rng();

@@ -423,7 +408,7 @@ index ee51823..0724df4 100644
* Discard other fds that are hanging around. These can cause problem
* with backgrounded ssh processes started by ControlPersist.
diff --git a/sshconnect2.c b/sshconnect2.c
-index 87fa70a..a42aacb 100644
+index af00fb3..639fc51 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -44,6 +44,8 @@
@@ -435,37 +420,28 @@ index 87fa70a..a42aacb 100644
#include "openbsd-compat/sys-queue.h"

#include "xmalloc.h"
-@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -119,7 +121,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);

-- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+- oavail = avail = xstrdup(options.hostkeyalgorithms);
+ oavail = avail = xstrdup((FIPS_mode()
-+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
++ ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms));
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
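Review bot: in FIPS mode this line replaces options.hostkeyalgorithms with the constant KEX_FIPS_PK_ALG, discarding whatever HostkeyAlgorithms the user configured. The 8.0p1 version of the hunk only swapped one compile-time default for another, but 8.2p1 changed this call to use the already-assembled option, so after the refresh the client silently ignores user configuration in FIPS mode only, and the ordering here is derived from a different list than the proposal built in ssh_kex2(). Since the ssh_kex2() hunk already seeds kex_assemble_names() with KEX_FIPS_PK_ALG when FIPS_mode() is set, keep upstream's xstrdup(options.hostkeyalgorithms) here, or, if the intent is to clamp an explicit user list, filter it once with match_filter_whitelist() against KEX_FIPS_PK_ALG and use the result everywhere.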
-@@ -179,14 +182,16 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
- if (options.hostkeyalgorithms != NULL) {
- all_key = sshkey_alg_list(0, 0, 1, ',');
- if (kex_assemble_names(&options.hostkeyalgorithms,
-- KEX_DEFAULT_PK_ALG, all_key) != 0)
-+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
-+ all_key) != 0)
- fatal("%s: kex_assemble_namelist", __func__);
- free(all_key);
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- compat_pkalg_proposal(options.hostkeyalgorithms);
- } else {
- /* Enforce default */
-- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
-+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
-+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
- /* Prefer algorithms that we already have keys for */
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- compat_pkalg_proposal(
+@@ -179,7 +182,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+ /* Expand or fill in HostkeyAlgorithms */
+ all_key = sshkey_alg_list(0, 0, 1, ',');
+ if (kex_assemble_names(&options.hostkeyalgorithms,
+- kex_default_pk_alg(), all_key) != 0)
++ (FIPS_mode() ? KEX_FIPS_PK_ALG : kex_default_pk_alg()),
++ all_key) != 0)
+ fatal("%s: kex_assemble_namelist", __func__);
+ free(all_key);
+
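Review bot: passing KEX_FIPS_PK_ALG as the defaults argument only affects the case where HostkeyAlgorithms is unset or uses the +/-/^ forms; an explicit list is validated against all_key, which is every algorithm the binary knows, so a config line HostkeyAlgorithms ssh-ed25519 still makes it into the proposal in FIPS mode, and the in-tree Ed25519 code never consults OpenSSL's FIPS state. If the goal is enforcement rather than a changed default, run options.hostkeyalgorithms through match_filter_whitelist() against KEX_FIPS_PK_ALG after this call and fatal() on an empty result; the same consideration applies to the cipher, MAC and KEX lists assembled in readconf.c and servconf.c. Either way the patch header should state which of the two behaviours is intended.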
diff --git a/sshd.c b/sshd.c
-index f8dee0f..2bf8939 100644
+index 5b9a0b5..b86d682 100644
--- a/sshd.c
+++ b/sshd.c
@@ -66,6 +66,7 @@
@@ -485,7 +461,7 @@ index f8dee0f..2bf8939 100644
#include "openbsd-compat/openssl-compat.h"
#endif

-@@ -1445,6 +1448,18 @@ main(int ac, char **av)
+@@ -1516,6 +1519,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);

@@ -504,7 +480,7 @@ index f8dee0f..2bf8939 100644
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
-@@ -1910,6 +1925,10 @@ main(int ac, char **av)
+@@ -1990,6 +2005,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);

@@ -516,7 +492,7 @@ index f8dee0f..2bf8939 100644
unmounted if desired. */
if (chdir("/") == -1)
diff --git a/sshkey.c b/sshkey.c
-index ef90563..1b1ba01 100644
+index 57995ee..3fa4274 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -34,6 +34,7 @@
@@ -532,10 +508,10 @@ index ef90563..1b1ba01 100644
#include "sshkey.h"
#include "match.h"
+#include "log.h"
+ #include "ssh-sk.h"

#ifdef WITH_XMSS
- #include "sshkey-xmss.h"
-@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+@@ -1597,6 +1599,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
index 8b74451..c7635b2 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -1,4 +1,4 @@
-From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
+From bf3211bbff5cb9e1ef588f74844b04e09a9ad2b6 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 21 Dec 2019 13:05:19 +0800
Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers
@@ -18,6 +18,7 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>

Upstream-Status: Inappropriate [oe specific]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
Makefile.in | 7 +-
ctr-cavstest.c | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -25,7 +26,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
create mode 100644 ctr-cavstest.c

diff --git a/Makefile.in b/Makefile.in
-index 37aec69..1d6e298 100644
+index 57f94f4..0accd89 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
@@ -34,35 +35,35 @@ index 37aec69..1d6e298 100644
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -68,7 +69,7 @@ MKDIR_P=@MKDIR_P@

--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
+ .SUFFIXES: .lo
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)

XMSS_OBJS=\
ssh-xmss.o \
-@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -232,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)

+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

-@@ -348,6 +352,7 @@ install-files:
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -389,6 +393,7 @@ install-files:
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/ctr-cavstest.c b/ctr-cavstest.c
new file mode 100644
index 0000000..0d4776b
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
index 0cbccd7..4a0ae2c 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
@@ -1,4 +1,4 @@
-From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
+From a2c2c21275ea701c2f0ae54bf5945c92860e9208 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 21 Dec 2019 13:08:52 +0800
Subject: [PATCH] add KDF CAVS test driver
@@ -19,6 +19,7 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Upstream-Status: Inappropriate [oe specific]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
Makefile.in | 8 +-
ssh-cavs.c | 387 +++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -28,7 +29,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
create mode 100644 ssh-cavs_driver.pl

diff --git a/Makefile.in b/Makefile.in
-index 1d6e298..be28411 100644
+index 0accd89..5789323 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
@@ -37,36 +38,36 @@ index 1d6e298..be28411 100644
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+SSH_CAVS=$(libexecdir)/ssh-cavs
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -61,7 +62,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@

--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
+ .SUFFIXES: .lo
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)

XMSS_OBJS=\
ssh-xmss.o \
-@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
+@@ -236,6 +237,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

-+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
-+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
++ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
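Review bot: the ssh-cavs link line gains $(SKOBJS) but the patch header does not say why; presumably libssh.a's sshkey.o now references the ssh-sk client code (sshkey.c includes ssh-sk.h in 8.2p1, per the sshkey.c hunk in the fips patch) and the link otherwise fails with undefined sshsk_* symbols. Put that sentence in the commit message, and check whether ctr-cavstest, linked a few lines above without $(SKOBJS), links cleanly only because it never pulls sshkey.o; if it does need it, both drivers should get the same treatment. Related inconsistency: ctr-cavstest links -lfipscheck and ssh-cavs does not, so if the CAVS drivers are meant to run the same integrity check as the ssh binaries, ssh-cavs is missing it, and if they are not, ctr-cavstest carries a dependency it does not need.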

-@@ -353,6 +357,8 @@ install-files:
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+@@ -394,6 +398,8 @@ install-files:
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
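Review bot: the install line for ssh-cavs_driver.pl passes $(STRIP_OPT), which is only meaningful for ELF objects; when STRIP_OPT is set to -s, install runs strip on a Perl script and the install step fails on a "file format not recognized" error. The Yocto build may get away with it because the recipe leaves STRIP_OPT empty and strips separately, but the Makefile hunk should not depend on that; drop $(STRIP_OPT) from the .pl line.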
diff --git a/ssh-cavs.c b/ssh-cavs.c
new file mode 100644
index 0000000..b74ae7f
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 0eafb98..c74532f 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,7 +6,7 @@ DEPENDS += " \
RRECOMMENDS_${PN}-sshd_remove = "rng-tools"

SRC_URI += " \
- file://0001-openssh-8.0p1-fips.patch \
+ file://0001-openssh-8.2p1-fips.patch \
file://0001-conditional-enable-fips-mode.patch \
file://openssh-6.6p1-ctr-cavstest.patch \
file://openssh-6.7p1-kdf-cavs.patch \
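Review bot: the main patch is renamed to track the OpenSSH version (0001-openssh-8.2p1-fips.patch) while the two CAVS patches keep 6.6p1 and 6.7p1 in their file names even though this series rewrites their hunks for 8.2p1, so the names no longer say anything true about the content. Either rename all three per version or drop the version from all of them; the latter also avoids touching openssh_fips.inc on every rebase.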
--
2.17.1


[meta-openssl102-fips][PATCH] openssh: refresh patches to 8.2p1

Yi Zhao
 

Issue: LINCD-1151

Refresh patches to openssh-8.2p1.
Reference:
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
(commit 51f5c1c99f1d20e48328edde666061d0ce0da83b)

(LOCAL REV: NOT UPSTREAM) -- send to meta-openssl102-fips on 20200220

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
.../0001-conditional-enable-fips-mode.patch | 54 ++--
...ps.patch => 0001-openssh-8.2p1-fips.patch} | 300 ++++++++----------
.../openssh/openssh-6.6p1-ctr-cavstest.patch | 35 +-
.../openssh/openssh-6.7p1-kdf-cavs.patch | 35 +-
recipes-connectivity/openssh/openssh_fips.inc | 2 +-
5 files changed, 202 insertions(+), 224 deletions(-)
rename recipes-connectivity/openssh/openssh/{0001-openssh-8.0p1-fips.patch => 0001-openssh-8.2p1-fips.patch} (57%)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index a0f496a..942fda6 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From 60204df9d1f54f581f9ddc5443228550cadd4b4b Mon Sep 17 00:00:00 2001
+From ef6490841a73b4f71ca35e09328c6a8b0ad9dba9 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 21 Dec 2019 13:03:23 +0800
Subject: [PATCH] conditional enable fips mode
@@ -56,10 +56,10 @@ index 359204f..346255a 100644
log_init(__progname, log_level, log_facility, log_stderr);

diff --git a/sftp.c b/sftp.c
-index b66037f..ca263ac 100644
+index ff14d3c..a633200 100644
--- a/sftp.c
+++ b/sftp.c
-@@ -2387,6 +2387,7 @@ main(int argc, char **argv)
+@@ -2390,6 +2390,7 @@ main(int argc, char **argv)
size_t num_requests = DEFAULT_NUM_REQUESTS;
long long limit_kbps = 0;

@@ -68,10 +68,10 @@ index b66037f..ca263ac 100644
sanitise_stdfd();
msetlocale();
diff --git a/ssh-add.c b/ssh-add.c
-index ebfb8a3..b7d59bc 100644
+index 8057eb1..19f3da2 100644
--- a/ssh-add.c
+++ b/ssh-add.c
-@@ -577,6 +577,7 @@ main(int argc, char **argv)
+@@ -628,6 +628,7 @@ main(int argc, char **argv)
SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
LogLevel log_level = SYSLOG_LEVEL_INFO;

@@ -80,10 +80,10 @@ index ebfb8a3..b7d59bc 100644
sanitise_stdfd();

diff --git a/ssh-agent.c b/ssh-agent.c
-index 9c6680a..d701479 100644
+index 7eb6f0d..1409044 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
-@@ -1104,6 +1104,7 @@ main(int ac, char **av)
+@@ -1196,6 +1196,7 @@ main(int ac, char **av)
size_t npfd = 0;
u_int maxfds;

@@ -92,10 +92,10 @@ index 9c6680a..d701479 100644
sanitise_stdfd();

diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cb4982d..84dd269 100644
+index feafe73..9b832f6 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
-@@ -2800,6 +2800,7 @@ main(int argc, char **argv)
+@@ -3140,6 +3140,7 @@ main(int argc, char **argv)
extern int optind;
extern char *optarg;

@@ -104,10 +104,10 @@ index cb4982d..84dd269 100644
sanitise_stdfd();

diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index 5de0508..0644261 100644
+index a5e6440..e56a9d1 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
-@@ -663,6 +663,7 @@ main(int argc, char **argv)
+@@ -675,6 +675,7 @@ main(int argc, char **argv)
extern int optind;
extern char *optarg;

@@ -116,7 +116,7 @@ index 5de0508..0644261 100644
seed_rng();
TAILQ_INIT(&tq);
diff --git a/ssh-keysign.c b/ssh-keysign.c
-index 6cfd5b4..23cf403 100644
+index 3e3ea3e..4804c42 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -173,6 +173,7 @@ main(int argc, char **argv)
@@ -128,10 +128,10 @@ index 6cfd5b4..23cf403 100644
fatal("%s: pledge: %s", __progname, strerror(errno));

diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
-index 3bcc244..6a78a1a 100644
+index 17220d6..1af0c2e 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
-@@ -325,6 +325,7 @@ main(int argc, char **argv)
+@@ -332,6 +332,7 @@ main(int argc, char **argv)
extern char *__progname;
struct pollfd pfd[2];

@@ -140,22 +140,22 @@ index 3bcc244..6a78a1a 100644
seed_rng();
TAILQ_INIT(&pkcs11_keylist);
diff --git a/ssh.c b/ssh.c
-index 0724df4..9178673 100644
+index 49331fc..06836dd 100644
--- a/ssh.c
+++ b/ssh.c
-@@ -598,6 +598,7 @@ main(int ac, char **av)
- struct ssh_digest_ctx *md;
+@@ -606,6 +606,7 @@ main(int ac, char **av)
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+ size_t n, len;

+ ssh_enable_fips_mode();
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

diff --git a/sshd.c b/sshd.c
-index 2bf8939..c75e34a 100644
+index b86d682..304bf01 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -1443,6 +1443,7 @@ main(int ac, char **av)
+@@ -1514,6 +1514,7 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;

@@ -164,7 +164,7 @@ index 2bf8939..c75e34a 100644
(void)set_auth_parameters(ac, av);
#endif
diff --git a/xmalloc.c b/xmalloc.c
-index 9cd0127..e2f8145 100644
+index b48d33b..456a063 100644
--- a/xmalloc.c
+++ b/xmalloc.c
@@ -23,6 +23,10 @@
@@ -178,9 +178,9 @@ index 9cd0127..e2f8145 100644
#include "xmalloc.h"
#include "log.h"

-@@ -110,3 +114,19 @@ xasprintf(char **ret, const char *fmt, ...)
-
- return (i);
+@@ -117,3 +121,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ va_end(ap);
+ return i;
}
+
+void
@@ -199,13 +199,13 @@ index 9cd0127..e2f8145 100644
+ }
+}
diff --git a/xmalloc.h b/xmalloc.h
-index 1d5f62d..d71b8a8 100644
+index abaf7ad..b3b1c8c 100644
--- a/xmalloc.h
+++ b/xmalloc.h
-@@ -24,3 +24,4 @@ char *xstrdup(const char *);
- int xasprintf(char **, const char *, ...)
- __attribute__((__format__ (printf, 2, 3)))
+@@ -26,3 +26,4 @@ int xasprintf(char **, const char *, ...)
__attribute__((__nonnull__ (2)));
+ int xvasprintf(char **, const char *, va_list)
+ __attribute__((__nonnull__ (2)));
+void ssh_enable_fips_mode(void);
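Review bot: ssh_enable_fips_mode() is still declared in xmalloc.h and defined in xmalloc.c, the allocator wrappers, which have nothing to do with FIPS; every program already includes xmalloc.h, which is presumably why the spot was chosen, but it makes the function hard to find and ties OpenSSL-specific initialisation to a file that is shared by every binary. Since the series is being rebased anyway, moving it to openbsd-compat/ or a small fips.c in LIBSSH_OBJS with its own header is a cheap cleanup; if that is out of scope, at least add a comment at the definition explaining the placement so the next rebase does not move it by accident.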
--
2.7.4
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
similarity index 57%
rename from recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
rename to recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
index 0e35e31..c1de130 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
@@ -1,7 +1,7 @@
-From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
+From c51dd44e1c594ddeb3a27ae5d9be2899e4bf2ac6 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 21 Dec 2019 11:45:38 +0800
-Subject: [PATCH] openssh 8.0p1 fips
+Subject: [PATCH] openssh 8.2p1 fips

Port openssh-7.7p1-fips.patch from Fedora
https://src.fedoraproject.org/rpms/openssh.git
@@ -10,30 +10,33 @@ https://src.fedoraproject.org/rpms/openssh.git
Upstream-Status: Inappropriate [oe specific]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
+Rebase to 8.2p1
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
Makefile.in | 14 +++++++-------
cipher-ctr.c | 3 ++-
- clientloop.c | 3 ++-
+ clientloop.c | 2 +-
dh.c | 40 ++++++++++++++++++++++++++++++++++++++++
dh.h | 1 +
kex.c | 5 ++++-
kexgexc.c | 5 +++++
- myproposal.h | 40 ++++++++++++++++++++++++++++++++++++++++
- readconf.c | 17 +++++++++--------
+ myproposal.h | 35 +++++++++++++++++++++++++++++++++++
+ readconf.c | 15 ++++++++++-----
sandbox-seccomp-filter.c | 3 +++
- servconf.c | 19 ++++++++++---------
- ssh-keygen.c | 17 ++++++++++++++++-
+ servconf.c | 15 ++++++++++-----
+ ssh-keygen.c | 16 +++++++++++++++-
ssh.c | 16 ++++++++++++++++
- sshconnect2.c | 11 ++++++++---
+ sshconnect2.c | 8 ++++++--
sshd.c | 19 +++++++++++++++++++
sshkey.c | 4 ++++
- 16 files changed, 186 insertions(+), 31 deletions(-)
+ 16 files changed, 178 insertions(+), 23 deletions(-)

diff --git a/Makefile.in b/Makefile.in
-index adb1977..37aec69 100644
+index e754947..57f94f4 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -206,25 +206,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@

ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -44,34 +47,36 @@ index adb1977..37aec69 100644
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)

- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
+ $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

- ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
-- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
+- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
-- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
+- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
-- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
+- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
-- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
+- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
+ $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -233,7 +233,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)

- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
-- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
++ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
+ $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
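Review bot: -lfipscheck is added to ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keysign and ssh-keyscan, but scp, sftp-server and ssh-pkcs11-helper are left as upstream has them even though the companion patch calls ssh_enable_fips_mode() from sftp.c and ssh-pkcs11-helper.c as well. If the criterion is "every binary that runs the integrity self-check", the list looks incomplete; if ssh_enable_fips_mode() only needs libcrypto and the fipscheck calls live in the per-program main() inserts, then the Makefile change is fine but the rule should be written down in the patch header so the next rebase applies it consistently. Also worth noting there that ssh-keysign is installed set-uid (install -m 4711), so it is the one binary where libfipscheck reading its own executable at startup runs with elevated privilege.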
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 32771f2..74fac3b 100644
--- a/cipher-ctr.c
@@ -87,16 +92,15 @@ index 32771f2..74fac3b 100644
return (&aes_ctr);
}
diff --git a/clientloop.c b/clientloop.c
-index b5a1f70..0b675fe 100644
+index ebd0dbc..b3e0c19 100644
--- a/clientloop.c
+++ b/clientloop.c
-@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
+@@ -2083,7 +2083,7 @@ static int
+ key_accepted_by_hostkeyalgs(const struct sshkey *key)
{
const char *ktype = sshkey_ssh_name(key);
- const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
-- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
-+ options.hostkeyalgorithms : (FIPS_mode() ?
-+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
+- const char *hostkeyalgs = options.hostkeyalgorithms;
++ const char *hostkeyalgs = (FIPS_mode() ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms);

if (key == NULL || key->type == KEY_UNSPEC)
return 0;
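Review bot: same pattern as order_hostkeyalgs() in sshconnect2.c: in FIPS mode the constant KEX_FIPS_PK_ALG replaces options.hostkeyalgorithms, so a host key pushed by the server (UpdateHostKeys) is accepted or rejected against a list the user never configured, and a user who narrowed HostkeyAlgorithms to, say, ecdsa-sha2-nistp256 will still have RSA keys learned in FIPS mode. 8.2p1 made options.hostkeyalgorithms always populated, so the FIPS clamp belongs in one place (after kex_assemble_names() in ssh_kex2(), or in fill_default_options()) and this function can stay as upstream has it. Style: the new line runs past 80 columns; OpenSSH style wraps it with a four-space continuation as the removed version did.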
@@ -169,10 +173,10 @@ index 5d6df62..54c7aa2 100644
u_int dh_estimate(int);

diff --git a/kex.c b/kex.c
-index 49d7015..f1f982d 100644
+index ce85f04..9cc14de 100644
--- a/kex.c
+++ b/kex.c
-@@ -161,7 +161,10 @@ kex_names_valid(const char *names)
+@@ -163,7 +163,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@@ -185,7 +189,7 @@ index 49d7015..f1f982d 100644
return 0;
}
diff --git a/kexgexc.c b/kexgexc.c
-index 1c65b8a..b6b25bf 100644
+index 323a659..812112d 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -28,6 +28,7 @@
@@ -208,97 +212,86 @@ index 1c65b8a..b6b25bf 100644

/* generate and send 'e', client DH public key */
diff --git a/myproposal.h b/myproposal.h
-index 34bd10c..a3ae74b 100644
+index 5312e60..d0accae 100644
--- a/myproposal.h
+++ b/myproposal.h
-@@ -111,6 +111,14 @@
+@@ -57,6 +57,20 @@
"rsa-sha2-256," \
"ssh-rsa"

+#define KEX_FIPS_PK_ALG \
-+ HOSTKEY_ECDSA_CERT_METHODS \
++ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
++ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
++ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
++ "rsa-sha2-512-cert-v01@openssh.com," \
++ "rsa-sha2-256-cert-v01@openssh.com," \
+ "ssh-rsa-cert-v01@openssh.com," \
-+ HOSTKEY_ECDSA_METHODS \
++ "ecdsa-sha2-nistp256," \
++ "ecdsa-sha2-nistp384," \
++ "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \
+ "rsa-sha2-256," \
+ "ssh-rsa"
+
- /* the actual algorithms */
-
- #define KEX_SERVER_ENCRYPT \
-@@ -134,6 +142,38 @@
+ #define KEX_SERVER_ENCRYPT \
+ "chacha20-poly1305@openssh.com," \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+@@ -78,6 +92,27 @@

#define KEX_CLIENT_MAC KEX_SERVER_MAC

+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
-+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
-+ AESGCM_CIPHER_MODES
-+#ifdef HAVE_EVP_SHA256
-+# define KEX_DEFAULT_KEX_FIPS \
-+ KEX_ECDH_METHODS \
-+ KEX_SHA2_METHODS \
++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
++ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
++#define KEX_DEFAULT_KEX_FIPS \
++ "ecdh-sha2-nistp256," \
++ "ecdh-sha2-nistp384," \
++ "ecdh-sha2-nistp521," \
++ "diffie-hellman-group-exchange-sha256," \
++ "diffie-hellman-group16-sha512," \
++ "diffie-hellman-group18-sha512," \
+ "diffie-hellman-group14-sha256"
-+# define KEX_FIPS_MAC \
++#define KEX_FIPS_MAC \
+ "hmac-sha1," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
+ "hmac-sha1-etm@openssh.com," \
+ "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com"
-+#else
-+# ifdef OPENSSL_HAS_NISTP521
-+# define KEX_DEFAULT_KEX_FIPS \
-+ "ecdh-sha2-nistp256," \
-+ "ecdh-sha2-nistp384," \
-+ "ecdh-sha2-nistp521"
-+# else
-+# define KEX_DEFAULT_KEX_FIPS \
-+ "ecdh-sha2-nistp256," \
-+ "ecdh-sha2-nistp384"
-+# endif
-+#define KEX_FIPS_MAC \
-+ "hmac-sha1"
-+#endif
+
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
- HOSTKEY_ECDSA_METHODS \
+ "ecdsa-sha2-nistp256," \
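Review bot: `KEX_FIPS_ENCRYPT` keeps `"aes128-cbc,3des-cbc,"` and `"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,"` in the FIPS-mode default cipher list, while the rebased upstream default visible as context (`KEX_SERVER_ENCRYPT` starting with `chacha20-poly1305@openssh.com` and `aes128-ctr,aes192-ctr,aes256-ctr`) no longer offers CBC modes at all; FIPS approval of the block cipher does not make the CBC construction a good default, so either trim the FIPS list to the CTR and GCM entries or state in the patch header why CBC and 3DES must remain. Separately, the hunk header `-@@ -134,6 +142,38 @@` / `+@@ -78,6 +92,27 @@` confirms the old `HAVE_EVP_SHA256` / `OPENSSL_HAS_NISTP521` fallback branches were dropped rather than rebased; a one-line note that 8.2p1 no longer supports OpenSSL builds without SHA-256 would document that this is intentional.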
diff --git a/readconf.c b/readconf.c
-index f78b4d6..2f56ed2 100644
+index f3cac6b..26b9a59 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
- all_kex = kex_alg_list(',');
+@@ -2187,11 +2187,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
--#define ASSEMBLE(what, defaults, all) \
-+#define ASSEMBLE(what, defaults, fips_defaults, all) \
+ /* remove unsupported algos from default lists */
+- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++ def_cipher = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
++ def_mac = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
++ def_kex = match_filter_whitelist((FIPS_mode() ?
++ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
++ def_key = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
++ def_sig = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&options->what, \
-- defaults, all)) != 0) \
-+ (FIPS_mode() ? fips_defaults : defaults), \
-+ all)) != 0) \
- fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
- } while (0)
-- ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
-- ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
-- ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
-- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
-+ ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+ ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
-+ ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
-+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
- #undef ASSEMBLE
- free(all_cipher);
- free(all_mac);
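Review bot: `def_sig = match_filter_whitelist((FIPS_mode() ? KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);` reuses the host key type list as the FIPS CA signature list, but `KEX_FIPS_PK_ALG` (myproposal.h hunk) carries the `*-cert-v01@openssh.com` names, which are host key types rather than CA signature algorithms; the result is only right if `all_sig` (from `sshkey_alg_list(0, 1, 1, ',')`, visible as context) contains no certificate names so that the whitelist filter silently drops them. A dedicated FIPS counterpart to `SSH_ALLOWED_CA_SIGALGS`, holding just the plain `ecdsa-sha2-nistp*` and `rsa-sha2-*` entries, would state the intent directly instead of depending on the filter.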
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70..f0607a3 100644
+index f80981f..00702a7 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
@@ -312,43 +305,36 @@ index b5cda70..f0607a3 100644
SC_DENY(__NR_openat, EACCES),
#endif
diff --git a/servconf.c b/servconf.c
-index e76f9c3..591d437 100644
+index 70f5f73..815beaf 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
- all_kex = kex_alg_list(',');
+@@ -212,11 +212,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
--#define ASSEMBLE(what, defaults, all) \
-+#define ASSEMBLE(what, defaults, fips_defaults, all) \
+ /* remove unsupported algos from default lists */
+- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
+- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
+- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
+- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++ def_cipher = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
++ def_mac = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
++ def_kex = match_filter_whitelist((FIPS_mode() ?
++ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
++ def_key = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
++ def_sig = match_filter_whitelist((FIPS_mode() ?
++ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
do { \
-- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
-+ if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
-+ ? fips_defaults : defaults), all)) != 0) \
- fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
- } while (0)
-- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
-- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
-- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
-- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
-- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
-+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
-+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
-+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
- #undef ASSEMBLE
- free(all_cipher);
- free(all_mac);
+ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
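Review bot: the five `FIPS_mode() ? KEX_FIPS_* : KEX_SERVER_*` selections here duplicate the client-side block in the readconf.c hunk line for line, differing only in `KEX_SERVER_`/`KEX_CLIENT_`; a small shared helper that returns the FIPS or regular default for each category (cipher, MAC, KEX, host key type, CA signature algorithm) would keep the two copies from drifting, which is a real risk given that both blocks had to be rewritten for this rebase. The trailing context line `if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \` shows the `ASSEMBLE` macro is now untouched, so that selection is the only FIPS-specific logic left to share.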
diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 8c829ca..cb4982d 100644
+index 0d6ed1f..feafe73 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
-@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
+@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
#endif
}
#ifdef WITH_OPENSSL
@@ -361,17 +347,16 @@ index 8c829ca..cb4982d 100644
switch (type) {
case KEY_DSA:
if (*bitsp != 1024)
-@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1088,9 +1094,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1;
printf("%s: generating new host keys: ", __progname);
}
-+
+ type = sshkey_type_from_name(key_types[i].key_type);
+
+ /* Skip the keys that are not supported in FIPS mode */
+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
+ logit("Skipping %s key in FIPS mode",
-+ key_types[i].key_type_display);
++ key_types[i].key_type_display);
+ goto next;
+ }
+
@@ -382,10 +367,10 @@ index 8c829ca..cb4982d 100644
error("Could not save your public key in %s: %s",
prv_tmp, strerror(errno));
diff --git a/ssh.c b/ssh.c
-index ee51823..0724df4 100644
+index 15aee56..49331fc 100644
--- a/ssh.c
+++ b/ssh.c
-@@ -76,6 +76,8 @@
+@@ -77,6 +77,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#endif
@@ -394,7 +379,7 @@ index ee51823..0724df4 100644
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"

-@@ -600,6 +602,16 @@ main(int ac, char **av)
+@@ -608,6 +610,16 @@ main(int ac, char **av)
sanitise_stdfd();

__progname = ssh_get_progname(av[0]);
@@ -411,7 +396,7 @@ index ee51823..0724df4 100644

#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
-@@ -614,6 +626,10 @@ main(int ac, char **av)
+@@ -622,6 +634,10 @@ main(int ac, char **av)

seed_rng();

@@ -423,7 +408,7 @@ index ee51823..0724df4 100644
* Discard other fds that are hanging around. These can cause problem
* with backgrounded ssh processes started by ControlPersist.
diff --git a/sshconnect2.c b/sshconnect2.c
-index 87fa70a..a42aacb 100644
+index af00fb3..639fc51 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -44,6 +44,8 @@
@@ -435,37 +420,28 @@ index 87fa70a..a42aacb 100644
#include "openbsd-compat/sys-queue.h"

#include "xmalloc.h"
-@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -119,7 +121,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);

-- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+- oavail = avail = xstrdup(options.hostkeyalgorithms);
+ oavail = avail = xstrdup((FIPS_mode()
-+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
++ ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms));
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
last = xmalloc(maxlen);
-@@ -179,14 +182,16 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
- if (options.hostkeyalgorithms != NULL) {
- all_key = sshkey_alg_list(0, 0, 1, ',');
- if (kex_assemble_names(&options.hostkeyalgorithms,
-- KEX_DEFAULT_PK_ALG, all_key) != 0)
-+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
-+ all_key) != 0)
- fatal("%s: kex_assemble_namelist", __func__);
- free(all_key);
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- compat_pkalg_proposal(options.hostkeyalgorithms);
- } else {
- /* Enforce default */
-- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
-+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
-+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
- /* Prefer algorithms that we already have keys for */
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- compat_pkalg_proposal(
+@@ -179,7 +182,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+ /* Expand or fill in HostkeyAlgorithms */
+ all_key = sshkey_alg_list(0, 0, 1, ',');
+ if (kex_assemble_names(&options.hostkeyalgorithms,
+- kex_default_pk_alg(), all_key) != 0)
++ (FIPS_mode() ? KEX_FIPS_PK_ALG : kex_default_pk_alg()),
++ all_key) != 0)
+ fatal("%s: kex_assemble_namelist", __func__);
+ free(all_key);
+
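Review bot: in this `ssh_kex2` hunk the FIPS list is supplied only as the `defaults` argument of `kex_assemble_names` (the context comment reads "Expand or fill in HostkeyAlgorithms"), so it governs the unset and relative cases while an explicit absolute HostKeyAlgorithms list from the user is passed through untouched; `order_hostkeyalgs` in the hunk above instead starts from `KEX_FIPS_PK_ALG` unconditionally in FIPS mode and ignores `options.hostkeyalgorithms`. Pick one behaviour (restricting the configured list to the FIPS set) and apply it at both sites, otherwise the proposal sent to the server and the client-side preference ordering are derived from different lists.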
diff --git a/sshd.c b/sshd.c
-index f8dee0f..2bf8939 100644
+index 5b9a0b5..b86d682 100644
--- a/sshd.c
+++ b/sshd.c
@@ -66,6 +66,7 @@
@@ -485,7 +461,7 @@ index f8dee0f..2bf8939 100644
#include "openbsd-compat/openssl-compat.h"
#endif

-@@ -1445,6 +1448,18 @@ main(int ac, char **av)
+@@ -1516,6 +1519,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);

@@ -504,7 +480,7 @@ index f8dee0f..2bf8939 100644
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
-@@ -1910,6 +1925,10 @@ main(int ac, char **av)
+@@ -1990,6 +2005,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);

@@ -516,7 +492,7 @@ index f8dee0f..2bf8939 100644
unmounted if desired. */
if (chdir("/") == -1)
diff --git a/sshkey.c b/sshkey.c
-index ef90563..1b1ba01 100644
+index 57995ee..3fa4274 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -34,6 +34,7 @@
@@ -532,10 +508,10 @@ index ef90563..1b1ba01 100644
#include "sshkey.h"
#include "match.h"
+#include "log.h"
+ #include "ssh-sk.h"

#ifdef WITH_XMSS
- #include "sshkey-xmss.h"
-@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+@@ -1597,6 +1599,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
index 8b74451..c7635b2 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -1,4 +1,4 @@
-From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
+From bf3211bbff5cb9e1ef588f74844b04e09a9ad2b6 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 21 Dec 2019 13:05:19 +0800
Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers
@@ -18,6 +18,7 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>

Upstream-Status: Inappropriate [oe specific]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
Makefile.in | 7 +-
ctr-cavstest.c | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -25,7 +26,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
create mode 100644 ctr-cavstest.c

diff --git a/Makefile.in b/Makefile.in
-index 37aec69..1d6e298 100644
+index 57f94f4..0accd89 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
@@ -34,35 +35,35 @@ index 37aec69..1d6e298 100644
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -68,7 +69,7 @@ MKDIR_P=@MKDIR_P@

--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
+ .SUFFIXES: .lo
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)

XMSS_OBJS=\
ssh-xmss.o \
-@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -232,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)

+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

-@@ -348,6 +352,7 @@ install-files:
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -389,6 +393,7 @@ install-files:
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/ctr-cavstest.c b/ctr-cavstest.c
new file mode 100644
index 0000000..0d4776b
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
index 0cbccd7..4a0ae2c 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
@@ -1,4 +1,4 @@
-From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
+From a2c2c21275ea701c2f0ae54bf5945c92860e9208 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 21 Dec 2019 13:08:52 +0800
Subject: [PATCH] add KDF CAVS test driver
@@ -19,6 +19,7 @@ Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Upstream-Status: Inappropriate [oe specific]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
Makefile.in | 8 +-
ssh-cavs.c | 387 +++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -28,7 +29,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
create mode 100644 ssh-cavs_driver.pl

diff --git a/Makefile.in b/Makefile.in
-index 1d6e298..be28411 100644
+index 0accd89..5789323 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
@@ -37,36 +38,36 @@ index 1d6e298..be28411 100644
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+SSH_CAVS=$(libexecdir)/ssh-cavs
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -61,7 +62,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@

--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
+ .SUFFIXES: .lo
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)

XMSS_OBJS=\
ssh-xmss.o \
-@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
+@@ -236,6 +237,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

-+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
-+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
++ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

-@@ -353,6 +357,8 @@ install-files:
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+@@ -394,6 +398,8 @@ install-files:
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/ssh-cavs.c b/ssh-cavs.c
new file mode 100644
index 0000000..b74ae7f
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 0eafb98..c74532f 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,7 +6,7 @@ DEPENDS += " \
RRECOMMENDS_${PN}-sshd_remove = "rng-tools"

SRC_URI += " \
- file://0001-openssh-8.0p1-fips.patch \
+ file://0001-openssh-8.2p1-fips.patch \
file://0001-conditional-enable-fips-mode.patch \
file://openssh-6.6p1-ctr-cavstest.patch \
file://openssh-6.7p1-kdf-cavs.patch \
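Review bot: only the FIPS patch is renamed to track the OpenSSH version (`file://0001-openssh-8.2p1-fips.patch`), while `openssh-6.6p1-ctr-cavstest.patch` and `openssh-6.7p1-kdf-cavs.patch` keep their 6.x names even though this change rebases their Makefile.in hunks onto the 8.2p1 tree (`ssh-sk-helper`, `$(SKOBJS)`); either rename those two as well or drop the version from all three names so the filenames stop implying a version they no longer match.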
--
2.17.1


Re: how to reuse generated library in a nativesdk recipe #sdk #systemd

Mikko Rapeli
 

On Wed, Feb 19, 2020 at 10:57:41PM +0100, Martin Jansa wrote:
DEPENDS_class-target += "systemd"
You surely meant
DEPENDS_append_class-target = " systemd"
here
Yes, quite likely. Though the reason why += doesn't work is a mystery to me :)

I hack things until "bitbake -e" shows the right things for the recipes.

-Mikko

On Wed, Feb 19, 2020 at 10:48 PM Mikko Rapeli <mikko.rapeli@bmw.de> wrote:

Hi,

On Wed, Feb 19, 2020 at 01:37:19AM -0800, Armando Hernandez wrote:
Hello,

I have a recipe that builds a library. The recipe specifies an
additional package "${PN}-systemd" along with other systemd related
variables and finally it instructs that the package should be built with
"-DWITH_SYSTEMD=ON" being passed to cmake. So far so good. But, I extended
this recipe to nativesdk because I need this library on it. When trying to
build the corresponding nativesdk package, the build fails at the
configuration step (i.e. "do_configure") claiming it cannot find the
package systemd.

Is there a way I can install the -already-generated libraries into my
SDK (potentially via the corresponding nativesdk recipe) without having to
rebuild the package? Or do I need to somehow include such systemd package
in my sdk (which I don't think I need at all)?

Any hints and pointers as to where to look at are very well appreciated.
Thanks.
Make the systemd dependency for target only, e.g. DEPENDS_class-target +=
"systemd"
etc.

There may be relevant use cases to build some of systemd components or
tools
to native or nativesdk targets too. In that case add BBCLASSEXTEND +=
"nativesdk" etc
in a bbappend to systemd.

Hope this helps,

-Mikko
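A recipe shape that follows Mikko's advice, as an added example that is not from the thread or from any real recipe: the systemd dependency and the cmake switch are tied to a PACKAGECONFIG that is only enabled for the target class, so the nativesdk variant of the same recipe configures without systemd and without the "cannot find package systemd" failure. The recipe name mylib, its SRC_URI and the LIC_FILES_CHKSUM placeholder are hypothetical; the override syntax is the `_class-target` form used in the thread.

```bitbake
# Hypothetical mylib.bb (illustration only; name, URL and checksum are placeholders).
SUMMARY = "Example library with optional systemd integration"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=<fill-in>"
SRC_URI = "git://example.invalid/mylib.git;protocol=https;branch=main"
S = "${WORKDIR}/git"

inherit cmake

# One PACKAGECONFIG entry carries the cmake flag, its "off" form and the
# build-time dependency: "<enabled flag>,<disabled flag>,<DEPENDS>,<RDEPENDS>".
PACKAGECONFIG[systemd] = "-DWITH_SYSTEMD=ON,-DWITH_SYSTEMD=OFF,systemd"

# Enable it for the target build only. The nativesdk (and native) variants
# see an empty PACKAGECONFIG, so they get -DWITH_SYSTEMD=OFF and no systemd
# in DEPENDS, which is exactly what their do_configure was failing on.
PACKAGECONFIG_class-target = "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"

# Without PACKAGECONFIG, the equivalent conditional dependency is the
# _append form Martin pointed out (note the leading space):
#   DEPENDS_append_class-target = " systemd"
# "DEPENDS_class-target += ..." instead builds a separate DEPENDS_class-target
# value that then replaces DEPENDS wholesale for the target build.

# The extra package for unit files only makes sense on target.
PACKAGES_prepend_class-target = "${PN}-systemd "
FILES_${PN}-systemd = "${systemd_system_unitdir}"

# Build the same sources for the SDK host as well.
BBCLASSEXTEND = "nativesdk"
```

Checking the result is the same `bitbake -e` habit Mikko describes: `bitbake -e mylib | grep '^DEPENDS='` should list systemd and `bitbake -e nativesdk-mylib | grep '^DEPENDS='` should not, and the `EXTRA_OECMAKE`/PACKAGECONFIG_CONFARGS value shown for the nativesdk variant should carry `-DWITH_SYSTEMD=OFF`.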


Re: [OE-core] Yocto Project Status WW07'20

Sangeeta Jain
 

Planned upcoming dot releases:

  • YP 2.7.3 built and in QA

 

I didn’t see any notification for this build. Am I missing something?

 

Thanks,

Sangeeta

 

From: openembedded-core-bounces@... <openembedded-core-bounces@...> On Behalf Of sjolley.yp.pm@...
Sent: Wednesday, 19 February, 2020 12:10 AM
To: yocto@...; openembedded-core@...
Subject: [OE-core] Yocto Project Status WW07'20

 

Current Dev Position: YP 3.1 M3

Next Deadline: YP 3.1 M3 build date 2/24/2020

 

Next Team Meetings:

 

Key Status/Updates:

  • The project recently updated its git hosting infrastructure and there were some issues encountered with the cgit http/https repository sharing. Those issues should now be resolved, apologies if they caused issues for anyone. The git:// protocol sharing was unaffected.
  • YP 3.0.2 rc2 is in QA with the report due soon.
  • We continue to see a small number of reproducibility issues with master which need resolving for green builds (in particular gstreamer and perl).
  • A significant memory usage issue was identified during bitbake parsing where memory usage would grow in each parser thread linearly per number of recipes parsed. This would therefore particularly affect large numbers of layers, multilibs and multiconfig. The fix has merged into bitbake along with the corresponding zeus and warrior branches. For one test case it reduced peak memory usage during parsing for 5 multiconfigs from 20GB to 2GB.
  • Warrior patches for 2.7.3 are out for review.
  • With the git infrastructure issue updated, we now have centos8 workers added to the autobuilder.
  • We are making various queued changes to the autobuilder configuration to fix bugs, improve efficiency and test coverage but this may result in some test result instability as we test and resolve issues.
  • We’re collecting a list of companies, products and projects which use the Yocto Project on the wiki: https://wiki.yoctoproject.org/wiki/Project_Users Please add any you know are missing (or email Richard/Stephen who can add).
  • The triage team is worried about attendance at triage meetings and the project is finding it hard to find people to help fix bugs. If anyone is willing to work on bugs, assistance would be greatly appreciated.

 

YP 3.1 Milestone Dates:

  • YP 3.1 M3 build date 2/24/2020
  • YP 3.1 M3 release date 3/6/2020
  • YP 3.1 M4 build date  3/30/2020
  • YP 3.1 M4 release date  4/24/2020

 

Planned upcoming dot releases:

  • YP 2.7.3 built and in QA
  • YP 2.7.3 release date 2/21/2020
  • YP 3.0.2 build date  2/3/2020
  • YP 3.0.2 release date 2/14/2020

 

Tracking Metrics:

    • Total patches found: 1360 (last week 1361)
    • Patches in the Pending State: 546 (40%) [last week 547 (40%)]

 

The Yocto Project’s technical governance is through its Technical Steering Committee, more information is available at:

https://wiki.yoctoproject.org/wiki/TSC

 

The Status reports are now stored on the wiki at: https://wiki.yoctoproject.org/wiki/Weekly_Status

 

[If anyone has suggestions for other information you’d like to see on this weekly status update, let us know!]

 

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

Cell: (208) 244-4460

Email: sjolley.yp.pm@...

 


Re: QA Cycle report for build (yocto-3.0.2.rc2)

Sangeeta Jain
 

-----Original Message-----
From: Mittal, Anuj <anuj.mittal@intel.com>
Sent: Thursday, 20 February, 2020 11:35 AM
To: Richard Purdie <richard.purdie@linuxfoundation.org>; akuster808
<akuster808@gmail.com>; Jain, Sangeeta <sangeeta.jain@intel.com>;
yocto@lists.yoctoproject.org
Cc: otavio@ossystems.com.br; yi.zhao@windriver.com; Sangal, Apoorv
<apoorv.sangal@intel.com>; Yeoh, Ee Peng <ee.peng.yeoh@intel.com>; Chan,
Aaron Chun Yew <aaron.chun.yew.chan@intel.com>; sjolley.yp.pm@gmail.com;
Tummalapalli, Vineela <vineela.tummalapalli@intel.com>
Subject: RE: [yocto] QA Cycle report for build (yocto-3.0.2.rc2)

On Wed, 2020-02-19 at 14:41 -0800, akuster808 wrote:

On 2/18/20 11:33 PM, Jain, Sangeeta wrote:
Hi All,

This is the full report for yocto-3.0.2.rc2:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.
One new defect is found in this cycle:
- oeqa/runtime test 'test_dnf_exclude' failed (Bug id: 13797)
- openssh ptest failed (Bug id: 13796)
- bash ptest failed (Bug id: 13795)

======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13797
From the error log, it looks like we are trying to install 7.67 while zeus has 7.66
so it errors out. I am guessing that curl wasn't built in a clean build directory so
the correct version of curl is deployed. Can this test be re-run please?
Re-ran the test in a new build directory after running 'bitbake curl'.
It is passing now. Updating the bug in Bugzilla.


https://bugzilla.yoctoproject.org/show_bug.cgi?id=13796
This needs:

https://github.com/openssh/openssh-portable/commit/ff31f15773ee173502eec4d7861ec56f26bba381

https://bugzilla.yoctoproject.org/show_bug.cgi?id=13795
Was because of the bash CVE patch.


Thank you for logging the defects.

I suspect this is now in the hands of the YP TSC.
What are the stable maintainer's thoughts on this?

In particular I'm worried about the bash patch and whether the ptest
regression above is related to that or not? Any recommendation?
Looks like it's related but I don't think the impact is much. The test is failing
because the line number that is expected to fail changed (because of the lines
being added in the test). So we should be okay in my opinion.

Thanks,

Anuj


Re: Modified GENIVI Cannelloni recipe with strange side effects

Zoran
 

Hello Laurent,

U R correct (and why I am not surprised?!). :-)

The correct recipe is here (it becomes very simplistic, seems):
https://github.com/ZoranStojsavljevic/meta-socketcan/blob/master/recipes-can/cannelloni/cannelloni.bb

I have (out of my ignorance) one question, which confuses me: why does this
functionality not reside in do_install_append() (I would expect that to be
the correct one, but it seems that inheritance in bitbake has changed)?

Many thanks (what we, ignorant YOCTO guys, will do without the experts),
Zoran
_______

On Wed, Feb 19, 2020 at 7:05 PM Laurent Gauthier
<laurent.gauthier@soccasys.com> wrote:

Hi Zoran,

I just saw your reply now.

I think that you might want to remove the INHIBIT_SYSROOT_STRIP and
other INHIBIT_* options from your recipe.

For reference a message from Khem warning that this option should be
used sparingly:

* https://www.yoctoproject.org/pipermail/yocto/2019-March/044415.html

My best guess is that the use of this option is directly linked to
chrpath being needed.

As this recipe is being built with a rather clean looking
CMakeLists.txt none of these weird options are needed.

Kind regards, Laurent.

On Mon, Feb 17, 2020 at 8:01 AM Zoran Stojsavljevic
<zoran.stojsavljevic@gmail.com> wrote:

The issue I see is that the following files have been built but NOT installed:

* libcannelloni-common.so.0
* libcannelloni-common.so.0.0.1
Not quite... The solution is outlined here (in function do_install):
+ ## ERROR: QA Issue: package cannelloni contains bad RPATH
+ ## quick fix is in a do_install or do_install_append do
+ chrpath -d ${D}${bindir}/cannelloni

https://github.com/ZoranStojsavljevic/meta-socketcan/blob/master/recipes-can/cannelloni/cannelloni.bb
https://github.com/ZoranStojsavljevic/meta-socketcan/blob/master/recipes-can/cannelloni/cannelloni.bb_GENIVI

I admit, your first email has shaken my head, so now I can see things much
more clearly. :-)

My best guess is that this solution is just a workaround (not the final one),
since I have in ${D} the following:

cannelloni-1.0: package cannelloni contains bad RPATH
/home/user/projects2/beaglebone-black/bbb-yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/build:
in file /home/user/projects2/beaglebone-black/bbb-yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/packages-split/cannelloni/usr/bin/cannelloni
[rpaths]

So, since my limited knowledge about bitbake build systems ends here,
somebody from YOCTO primes (potentially Khem Raj, Ross Burton, maybe
even Richard Purdie) should look more closely into this issue
(apologies for my unsolicited suggestions).

Laurent,

Once again, thank you for unselfish help,
Zoran
_______


On Fri, Feb 14, 2020 at 2:20 PM Laurent Gauthier
<laurent.gauthier@soccasys.com> wrote:

Hi Zoran,

You are almost there! I can feel it... :-)

The issue I see is that the following files have been built but NOT installed:

* libcannelloni-common.so.0
* libcannelloni-common.so.0.0.1

If you make sure that they are installed that should fix your issue.

Based on the info you provided no RDEPENDS seems to be required, as it
appears that everything is in one package named "cannelloni",
rather than a package for the main executable and then packages for
libraries.

Kind regards, Laurent.

On Fri, Feb 14, 2020 at 12:43 PM Zoran Stojsavljevic
<zoran.stojsavljevic@gmail.com> wrote:

Hello Laurent,

Many thanks to you for the help. :-)

I did some modifications, and now I have all the elements in there/in place:

[user@fedora31-ssd cannelloni]$ cd ../../../build/tmp
[user@fedora31-ssd tmp]$ find . -name libcannelloni*
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/image/usr/lib/libcannelloni-common.so
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/sysroot-destdir/usr/lib/libcannelloni-common.so
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/package/usr/lib/.debug/libcannelloni-common.so
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/package/usr/lib/libcannelloni-common.so
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/packages-split/cannelloni/usr/lib/libcannelloni-common.so
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/packages-split/cannelloni-dbg/usr/lib/.debug/libcannelloni-common.so
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/build/libcannelloni-common.so.0
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/build/libcannelloni-common.so.0.0.1
./work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/build/libcannelloni-common.so
./sysroots-components/cortexa8hf-neon/cannelloni/usr/lib/libcannelloni-common.so

I miss the very end of your thoughts. Namely:

The name of the package containing the shared library is the name of the
xxx first-level directory "packages-split/xxx".
So, how should I write the RDEPENDS command?

Something as: RDEPENDS_${PN} = "???"

What should I put on the right side of the equation (according to the above traces)?

Thank you,
Zoran
_______

On Fri, Feb 14, 2020 at 11:49 AM Laurent Gauthier <laurent.gauthier@soccasys.com> wrote:

Hi Zoran,

The issue seems to be that the executable /usr/bin/cannelloni has a
reference to a shared library (libcannelloni-common.so.0) for which
the Yocto build system is not able to determine automatically which
package provides it.

Based on the name I would assume that this package should be created
by the same recipe that produces this executable (one recipe produces
multiple packages).

The most probable reason for this is that the new version of the
package you are trying to build does not install the "missing" shared
library properly. But here are some steps you could follow to try to
determine the stage of build/install/package where the shared library
goes missing.

To debug this I would suggest that you check that this
"libcannelloni-common.so.0" shared library is present in several
directories.

First in the build directory:

* /home/user/projects2/beaglebone-black/bbb-yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/build

If it is not there that would be very surprising. I will assume that
it is present. Let us know if it is not.

Then the next location to check for this shared library is the following:

* /home/user/projects2/beaglebone-black/bbb-yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/package

If the file is not there, then it means that the recipe did not
"install" it (as this directory is populated by do_install).

If the file is there then you can check if it is correctly assigned in
a package by determining if it is also found in:

* /home/user/projects2/beaglebone-black/bbb-yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/packages-split

If the file is not there, then it means that the recipe did not
"package" it properly (as this directory is populated by do_package).
You should review the recipe for any anomaly in assigning installed
files to individual packages.

If the file is there then you probably should add the package that
contains the shared library in the RDEPENDS for the "cannelloni"
package.

The name of the package containing the shared library is the name of the
xxx first-level directory "packages-split/xxx".

Not sure if that will solve your issue, but hopefully that will help.

Kind Regards, Laurent.

On Fri, Feb 14, 2020 at 11:27 AM Zoran <zoran.stojsavljevic@gmail.com> wrote:

Hello List,

I am trying to solve a very interesting ERROR I am getting with a slightly modified GENIVI Cannelloni recipe:
https://github.com/ZoranStojsavljevic/meta-socketcan/blob/master/recipes-can/cannelloni/cannelloni.bb

If I take the recipe as is, everything works fine, with:
## SRCREV = "${AUTOREV}"
SRCREV = "0fb6880b719b8acf2b4210b264b7140135e4be8a"

Everything works fine, but if I swap the static hash with the auto latest hash (SRCREV = "${AUTOREV}"):
SRCREV = "${AUTOREV}"
## SRCREV = "0fb6880b719b8acf2b4210b264b7140135e4be8a"

I am getting these ERRORS, which seems to me very strange?!
_______

Sstate summary: Wanted 11 Found 6 Missed 5 Current 1398 (54% match, 99% complete)
NOTE: Executing Tasks
NOTE: Setscene tasks completed
ERROR: cannelloni-1.0-r0 do_package_qa: QA Issue: package cannelloni contains bad RPATH /home/user/projects2/beaglebone-black/bbb-yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/build: in file /home/user/projects2/beaglebone-black/bbb-yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/packages-split/cannelloni/usr/bin/cannelloni [rpaths]
ERROR: cannelloni-1.0-r0 do_package_qa: QA Issue: /usr/bin/cannelloni contained in package cannelloni requires libcannelloni-common.so.0, but no providers found in RDEPENDS_cannelloni? [file-rdeps]
ERROR: cannelloni-1.0-r0 do_package_qa: QA run found fatal errors. Please consider fixing them.
ERROR: Logfile of failure stored in: /home/user/projects2/beaglebone-black/bbb-yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0/temp/log.do_package_qa.255490
ERROR: Task (/home/user/projects2/beaglebone-black/bbb-yocto/meta-socketcan/recipes-can/cannelloni/cannelloni.bb:do_package_qa) failed with exit code '1'
NOTE: Tasks Summary: Attempted 3791 tasks of which 3788 didn't need to be rerun and 1 failed.
_______

Any advice on how to make the GENIVI Cannelloni recipe work with: SRCREV = "${AUTOREV}" ???

Thank you,
Zoran



--
Laurent Gauthier
Phone: +33 630 483 429
http://soccasys.com



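The stage-by-stage check Laurent describes earlier in this thread (is the library under build/, then under the do_install output, then under package/ and packages-split/, and if so which packages-split/xxx directory holds it, since xxx is the package to put in RDEPENDS) can be scripted. The following POSIX sh is an added example and is not part of the thread or of the cannelloni recipe. It assumes the standard OE layout in which do_install writes to ${D} = ${WORKDIR}/image before do_package populates package/ and packages-split/; the fixture it builds under mktemp is constructed here to mirror the find output Zoran posted (libcannelloni-common.so.0 present in build/ only, the unversioned .so everywhere), so the reported stage matches the thread's diagnosis.

```sh
#!/bin/sh
# Added example, not from the thread: report the first Yocto WORKDIR stage at
# which a shared library goes missing, following the build -> install ->
# package -> packages-split walk described in the thread.
#
# Usage: yocto_lib_stage <WORKDIR> <soname>
# Prints one of: build-missing, install-missing, package-missing,
# split-missing, or provided-by:<pkg> (the packages-split/<pkg> that holds it).

yocto_lib_stage() {
    workdir="$1"
    soname="$2"

    # do_compile output: anywhere under ${WORKDIR}/build (cmake out-of-tree build).
    if [ -z "$(find "$workdir/build" -name "$soname" 2>/dev/null | head -n1)" ]; then
        echo "build-missing"
        return 0
    fi
    # do_install output: ${D} defaults to ${WORKDIR}/image (assumption: stock OE layout).
    if [ -z "$(find "$workdir/image" -name "$soname" 2>/dev/null | head -n1)" ]; then
        echo "install-missing"
        return 0
    fi
    # do_package first copies ${D} to ${WORKDIR}/package ...
    if [ -z "$(find "$workdir/package" -name "$soname" 2>/dev/null | head -n1)" ]; then
        echo "package-missing"
        return 0
    fi
    # ... then splits it into per-package trees under packages-split/<pkg>/.
    # Skip .debug/ copies so the -dbg package is not reported as the provider.
    hit="$(find "$workdir/packages-split" -name "$soname" ! -path '*/.debug/*' \
             2>/dev/null | head -n1)"
    if [ -z "$hit" ]; then
        echo "split-missing"
        return 0
    fi
    prefix="$workdir/packages-split/"
    rel="${hit#"$prefix"}"
    echo "provided-by:${rel%%/*}"
}

# Constructed fixture (not a real build tree) mirroring the find output posted
# in the thread: the versioned .so.0 exists only in build/, while the
# unversioned .so made it through install, package and packages-split.
make_fixture() {
    root="$(mktemp -d)"
    wd="$root/work/cortexa8hf-neon-poky-linux-gnueabi/cannelloni/1.0-r0"
    for d in build image/usr/lib package/usr/lib \
             packages-split/cannelloni/usr/lib \
             packages-split/cannelloni-dbg/usr/lib/.debug; do
        mkdir -p "$wd/$d"
    done
    : > "$wd/build/libcannelloni-common.so.0"
    : > "$wd/build/libcannelloni-common.so.0.0.1"
    : > "$wd/build/libcannelloni-common.so"
    : > "$wd/image/usr/lib/libcannelloni-common.so"
    : > "$wd/package/usr/lib/libcannelloni-common.so"
    : > "$wd/packages-split/cannelloni/usr/lib/libcannelloni-common.so"
    : > "$wd/packages-split/cannelloni-dbg/usr/lib/.debug/libcannelloni-common.so"
    echo "$wd"
}

# Stand-alone demo: ./script --demo, or pass a real WORKDIR and soname.
if [ "${1-}" = "--demo" ]; then
    WD="$(make_fixture)"
    echo "libcannelloni-common.so.0: $(yocto_lib_stage "$WD" libcannelloni-common.so.0)"
    echo "libcannelloni-common.so:   $(yocto_lib_stage "$WD" libcannelloni-common.so)"
elif [ $# -eq 2 ]; then
    yocto_lib_stage "$1" "$2"
fi
```

On the constructed fixture the versioned soname that do_package_qa complained about stops at install-missing, which is the do_install gap Laurent identified, while the unversioned .so is reported as provided-by:cannelloni. Against a real tree, point it at tmp/work/<tune>/<recipe>/<version> and the soname from the file-rdeps message.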

Re: QA Cycle report for build (yocto-3.0.2.rc2)

Anuj Mittal
 

On Wed, 2020-02-19 at 14:41 -0800, akuster808 wrote:

On 2/18/20 11:33 PM, Jain, Sangeeta wrote:
Hi All,

This is the full report for yocto-3.0.2.rc2:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.
New defects found in this cycle - oeqa/runtime test
'test_dnf_exclude' failed (Bugid:13797), openssh ptest failed (BUG
id:13796), bash ptest failed (BUG id:13795)

======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13797
From the error log, it looks like we are trying to install 7.67 while zeus has 7.66 so it errors out. I am guessing that curl wasn't built in a clean build directory so the correct version of curl is deployed. Can this test be re-run please?

https://bugzilla.yoctoproject.org/show_bug.cgi?id=13796
This needs:

https://github.com/openssh/openssh-portable/commit/ff31f15773ee173502eec4d7861ec56f26bba381

https://bugzilla.yoctoproject.org/show_bug.cgi?id=13795
Was because of the bash CVE patch.


Thank you for logging the defects.

I suspect this is now in the hands of the YP TSC.
What is the stable maintainer's thoughts on this?

In particular I'm worried about the bash patch and whether the ptest regression above
is related to that or not? Any recommendation?
Looks like it's related but I don't think the impact is much. The test is failing because the line number that is expected to fail changed (because of the lines being added in the test). So we should be okay in my opinion.

Thanks,

Anuj


Re: You advice to append environment set up to local root shell profile

JH
 

Maybe I should append to the shell script.

On 2/20/20, JH <jupiter.hce@gmail.com> wrote:
Hi,

I want to set up export LD_LIBRARY_PATH and export PATH in the
/home/root shell profile. The oe-core base-files has a profile file;
is it the right way to copy that file to my application layer, to extend
it and to add a new path to export LD_LIBRARY_PATH and export PATH? I'll
handle it by a base-files_%.bbappend in my application layer.

Thank you.

Kind regards,

- jh


You advice to append environment set up to local root shell profile

JH
 

Hi,

I want to set up export LD_LIBRARY_PATH and export PATH in the
/home/root shell profile. The oe-core base-files has a profile file;
is it the right way to copy that file to my application layer, to extend
it and to add a new path to export LD_LIBRARY_PATH and export PATH? I'll
handle it by a base-files_%.bbappend in my application layer.

Thank you.

Kind regards,

- jh


Re: QA Cycle report for build (yocto-3.0.2.rc2)

Khem Raj
 

On 2/19/20 2:42 PM, Richard Purdie wrote:
On Wed, 2020-02-19 at 14:41 -0800, akuster808 wrote:

On 2/18/20 11:33 PM, Jain, Sangeeta wrote:
Hi All,

This is the full report for yocto-3.0.2.rc2:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.
New defects found in this cycle - oeqa/runtime test
'test_dnf_exclude' failed (Bugid:13797)
openssh ptest failed (BUG id:13796)
bash ptest failed (BUG id:13795)

======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13797
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13796
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13795
Thank you for logging the defects.

I suspect this is now in the hands of the YP TSC.
What is the stable maintainer's thoughts on this?
In particular I'm worried about the bash patch and whether the ptest
regression above is related to that or not? Any recommendation?
I agree, two failures are openssh related and I think they should be root caused.

Cheers,
Richard


Re: QA Cycle report for build (yocto-3.0.2.rc2)

Richard Purdie
 

On Wed, 2020-02-19 at 14:41 -0800, akuster808 wrote:

On 2/18/20 11:33 PM, Jain, Sangeeta wrote:
Hi All,

This is the full report for yocto-3.0.2.rc2:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.
New defects found in this cycle - oeqa/runtime test
'test_dnf_exclude' failed (Bugid:13797)
openssh ptest failed (BUG id:13796)
bash ptest failed (BUG id:13795)

======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13797
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13796
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13795
Thank you for logging the defects.

I suspect this is now in the hands of the YP TSC.
What is the stable maintainer's thoughts on this?

In particular I'm worried about the bash patch and whether the ptest
regression above is related to that or not? Any recommendation?

Cheers,

Richard


Re: QA Cycle report for build (yocto-3.0.2.rc2)

Armin Kuster
 

On 2/18/20 11:33 PM, Jain, Sangeeta wrote:
Hi All,

This is the full report for yocto-3.0.2.rc2:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.
New defects found in this cycle - oeqa/runtime test 'test_dnf_exclude' failed (Bugid:13797)
openssh ptest failed (BUG id:13796)
bash ptest failed (BUG id:13795)

======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13797
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13796
https://bugzilla.yoctoproject.org/show_bug.cgi?id=13795
Thank you for logging the defects.

I suspect this is now in the hands of the YP TSC.

regards,
Armin

Thanks,
Sangeeta

-----Original Message-----
From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf
Of pokybuild@centos7-ty-3.yocto.io
Sent: Wednesday, 12 February, 2020 3:56 PM
To: yocto@lists.yoctoproject.org
Cc: otavio@ossystems.com.br; yi.zhao@windriver.com; Sangal, Apoorv
<apoorv.sangal@intel.com>; Yeoh, Ee Peng <ee.peng.yeoh@intel.com>; Chan,
Aaron Chun Yew <aaron.chun.yew.chan@intel.com>;
richard.purdie@linuxfoundation.org; akuster808@gmail.com;
sjolley.yp.pm@gmail.com; Jain, Sangeeta <sangeeta.jain@intel.com>
Subject: [yocto] QA notification for completed autobuilder build (yocto-
3.0.2.rc2)


A build flagged for QA (yocto-3.0.2.rc2) was completed on the autobuilder and is
available at:


https://autobuilder.yocto.io/pub/releases/yocto-3.0.2.rc2


Build hash information:

bitbake: 95687be83e716220eb3893b67428f97fd59fc2c5
meta-gplv2: 0f4eecc000f66d114ad258fa31aed66afa292166
meta-intel: b04e1edb9300a57e200a187a3255f67b50519202
meta-mingw: 756963cc28ebc163df7d7f4b4ee004c18d3d3260
oecore: 799b3cd1016bd765f4452a5e81ea5613c9089bce
poky: fe857e4179355bcfb79303c16baf3ad87fca59a4



This is an automated message from the Yocto Project Autobuilder
Git: git://git.yoctoproject.org/yocto-autobuilder2
Email: richard.purdie@linuxfoundation.org



Re: Yocto [thud], [zeus] do_fetch and do_unpack failures with offline/online svn build! #yocto #python

Mikko Rapeli
 

On Tue, Feb 18, 2020 at 07:25:15AM +0000, Georgi Georgiev via Lists.Yoctoproject.Org wrote:
OK,
I read some code and I added the next line:

--- a/bitbake/lib/bb/fetch2/svn.py
+++ b/bitbake/lib/bb/fetch2/svn.py
@@ -145,6 +145,7 @@ class Svn(FetchMethod):

if not ("externals" in ud.parm and ud.parm["externals"] == "nowarn"):
# Warn the user if this had externals (won't catch them all)
+ svnfetchcmd = self._buildsvncommand(ud, d, "fetch")
output = runfetchcmd("svn propget svn:externals || true", d, workdir=ud.moddir)
if output:
if "--ignore-externals" in svnfetchcmd.split():
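Review bot: the added `svnfetchcmd = self._buildsvncommand(ud, d, "fetch")` runs on every fetch, but the variable is only consulted inside the `if output:` branch at `if "--ignore-externals" in svnfetchcmd.split():`; move the assignment under `if output:` so the command is built only when there are externals to warn about. It is also worth confirming that a freshly built "fetch" command carries the same flags as the svn command this method actually executed earlier (only the "fetch" variant is visible in this hunk), since the `--ignore-externals` test is meant to describe what that earlier command did, not what a new one would do.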

This works for me perfectly. It may look a little redundant but...
Any comments?
@Mikko,
Looks good to me.

We have only one svn repo in the whole project :-)
Lucky you :)

-Mikko


Re: Issue while adding the support for TLS1.3 in existing krogoth yocto #yocto #apt #raspberrypi

Mikko Rapeli
 

Hi,

On Tue, Feb 18, 2020 at 01:20:25PM +0530, amaya jindal wrote:
Thanks for your prompt reply. But isn't there any similar way to add
support for TLS1.3 instead of moving to a new yocto release?
openssl is tricky to update and requires backporting fixes for many, many recipes
to get builds passing etc. Depending on project size, it may be possible
to update only those components which you use, e.g. backport commits from
poky master or release branches like warrior. The number of backported changes
will be large. I've ported openssl 1.1.1d patches to yocto 2.5 sumo but it wasn't
pretty. A strategy with regular yocto updates is much better and forces you
to think of your dependencies and patches much harder.

Hope this helps,

-Mikko


Re: Debugging gdb built by Yocto

Richard Purdie
 

On Tue, 2020-02-18 at 11:26 -0500, Patrick Doyle wrote:
Does anybody have any tips or tricks for how I might debug the
(cross-canadian) gdb built by Yocto's SDK?

I need to add some printf's to the gdb code to help track down why
something isn't working, but none of my traditional
get-ready-to-debug-this-code techniques are working.

How can I run the gdb that I just built? Note that I am presuming
that I can

$ bitbake gdb-cross-canadian-mipsel -ccompile -f
Do you perhaps want gdb-cross-mipsel ?

cross-canadian is designed to be run as part of the SDK.

Cheers,

Richard
