[yocto] [meta-openssl102-fips][PATCH 8/16] openssh: conditional enable fips mode

Hongxu Jia hongxu.jia at windriver.com
Wed Sep 25 00:24:05 PDT 2019


Enable FIPS mode depending on whether "/etc/system-fips" exists

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 .../0001-conditional-enable-fips-mode.patch        | 63 ++++++++++++++++++++++
 recipes-connectivity/openssh/openssh_fips.inc      |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
new file mode 100644
index 0000000..b47e184
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -0,0 +1,63 @@
+From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia at windriver.com>
+Date: Sun, 22 Sep 2019 14:31:51 +0800
+Subject: [PATCH] conditional enable fips mode
+
+Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke,
+enable fips mode according to the existence of "/etc/system-fips"
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+---
+ xmalloc.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/xmalloc.c b/xmalloc.c
+index 5cc0310..0218ccd 100644
+--- a/xmalloc.c
++++ b/xmalloc.c
+@@ -23,12 +23,20 @@
+ #include <stdlib.h>
+ #include <string.h>
+ 
++#include <openssl/err.h>
++#include <openssl/crypto.h>
++#include <unistd.h>
++
+ #include "xmalloc.h"
+ #include "log.h"
+ 
++void ssh_enable_fips_mode(void);
++
+ void
+ ssh_malloc_init(void)
+ {
++	ssh_enable_fips_mode();
++
+ #if defined(__OpenBSD__)
+ 	extern char *malloc_options;
+ 
+@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ 
+ 	return (i);
+ }
++
++void
++ssh_enable_fips_mode(void)
++{
++    if (access("/etc/system-fips", F_OK) == 0) {
++        if (!FIPS_mode_set(1)) {
++            /* make sure the error stack is available for some hint as
++             * to why this operation failed
++             */
++            ERR_load_crypto_strings();
++            ERR_print_errors_fp(stdout);
++            fatal("FIPS_mode_set(): failed to enter FIPS mode!\n");
++            exit(1);
++        }
++    }
++}
+-- 
+2.7.4
+
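Review bot: `ERR_print_errors_fp(stdout)` in the new ssh_enable_fips_mode() sends OpenSSL's error stack to stdout, yet the patch description says ssh_malloc_init() is invoked by every OpenSSH program, and for some of them (sftp-server, scp, as far as I can tell) stdout carries protocol or file data, so a FIPS initialisation failure would inject diagnostics into that stream; `ERR_print_errors_fp(stderr);` keeps the hint on the diagnostic channel instead. The `exit(1);` after `fatal()` looks unreachable, since fatal() from the `log.h` included above is, to my knowledge, declared noreturn, and the trailing `\n` in the message is redundant because OpenSSH's logging layer terminates lines itself, so `fatal("FIPS_mode_set(): failed to enter FIPS mode");` alone is enough. The body also uses four-space indentation while the surrounding xmalloc.c uses tabs. A short header comment would help later readers understand the fail-closed contract, e.g. `/* Force FIPS mode when /etc/system-fips exists; abort the process if OpenSSL refuses. Without the marker file the process runs in non-FIPS mode. */`.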
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 8f21264..9d25b5b 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -5,6 +5,7 @@ DEPENDS += " \
 "
 SRC_URI += " \
     file://0001-openssh-8.0p1-fips.patch \
+    file://0001-conditional-enable-fips-mode.patch \
 "
 
 do_install_append() {
-- 
2.7.4


