From c70ef2745800bd1115f3de3e66420f2e4f4f2421 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Tue, 21 Apr 2026 15:59:04 -0700
Subject: [PATCH] fips-baseline: re-add SSHKDF to default and FIPS providers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SSHKDF (RFC 4253) was stripped from both the default and FIPS providers by the fips-baseline patches, but the KDF is FIPS-compliant: it derives keys using FIPS-approved hash functions (SHA-2 family). Stock OpenSSL 3 ships it in both providers. wolfProvider implements it, and RHEL's openssh-kdf patch (Patch964) routes every SSH key exchange through EVP_KDF_fetch("SSHKDF") — so stripping it breaks RHEL-patched openssh entirely under the baseline. Re-add the entry across all 4 defltprov and 5 fipsprov variant files so callers using the fips-baseline build can fetch SSHKDF the same as they would from stock OpenSSL.
---
 patches/openssl-fips-baseline/providers/defltprov/3.0.0-3.1.x.c | 1 +
 patches/openssl-fips-baseline/providers/defltprov/3.2.0-3.3.x.c | 1 +
 patches/openssl-fips-baseline/providers/defltprov/3.4.0-3.4.x.c | 1 +
 patches/openssl-fips-baseline/providers/defltprov/3.5.0+.c | 1 +
 .../openssl-fips-baseline/providers/fips/fipsprov/3.0.0-3.1.x.c | 1 +
 .../openssl-fips-baseline/providers/fips/fipsprov/3.2.0-3.3.x.c | 1 +
 .../openssl-fips-baseline/providers/fips/fipsprov/3.4.0-3.4.x.c | 1 +
 .../openssl-fips-baseline/providers/fips/fipsprov/3.5.0-3.5.1.c | 1 +
 patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.2+.c | 1 +
 9 files changed, 9 insertions(+)
diff --git a/patches/openssl-fips-baseline/providers/defltprov/3.0.0-3.1.x.c b/patches/openssl-fips-baseline/providers/defltprov/3.0.0-3.1.x.c
index 4a6ad5a2..82e30af3 100644
--- a/patches/openssl-fips-baseline/providers/defltprov/3.0.0-3.1.x.c
+++ b/patches/openssl-fips-baseline/providers/defltprov/3.0.0-3.1.x.c
@@ -141,6 +141,7 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
     { PROV_NAMES_PBKDF2, "provider=default", ossl_kdf_pbkdf2_functions },
     { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, "provider=default", ossl_kdf_kbkdf_functions },
+    { PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };
diff --git a/patches/openssl-fips-baseline/providers/defltprov/3.2.0-3.3.x.c b/patches/openssl-fips-baseline/providers/defltprov/3.2.0-3.3.x.c
index 42f81311..f689f778 100644
--- a/patches/openssl-fips-baseline/providers/defltprov/3.2.0-3.3.x.c
+++ b/patches/openssl-fips-baseline/providers/defltprov/3.2.0-3.3.x.c
@@ -141,6 +141,7 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
     { PROV_NAMES_PBKDF2, "provider=default", ossl_kdf_pbkdf2_functions },
     { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, "provider=default", ossl_kdf_kbkdf_functions },
+    { PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };
diff --git a/patches/openssl-fips-baseline/providers/defltprov/3.4.0-3.4.x.c b/patches/openssl-fips-baseline/providers/defltprov/3.4.0-3.4.x.c
index ceb0b824..7444ec17 100644
--- a/patches/openssl-fips-baseline/providers/defltprov/3.4.0-3.4.x.c
+++ b/patches/openssl-fips-baseline/providers/defltprov/3.4.0-3.4.x.c
@@ -134,6 +134,7 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
     { PROV_NAMES_PBKDF2, "provider=default", ossl_kdf_pbkdf2_functions },
     { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, "provider=default", ossl_kdf_kbkdf_functions },
+    { PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };
diff --git a/patches/openssl-fips-baseline/providers/defltprov/3.5.0+.c b/patches/openssl-fips-baseline/providers/defltprov/3.5.0+.c
index ffcedf44..a3cce45e 100644
--- a/patches/openssl-fips-baseline/providers/defltprov/3.5.0+.c
+++ b/patches/openssl-fips-baseline/providers/defltprov/3.5.0+.c
@@ -164,6 +164,7 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
     { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, "provider=default", ossl_kdf_kbkdf_functions },
     { PROV_NAMES_KRB5KDF, "provider=default", ossl_kdf_krb5kdf_functions },
+    { PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };
diff --git a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.0.0-3.1.x.c b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.0.0-3.1.x.c
index ea4812b8..c50727fe 100644
--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.0.0-3.1.x.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.0.0-3.1.x.c
@@ -308,6 +308,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+    { PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };
diff --git a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.2.0-3.3.x.c b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.2.0-3.3.x.c
index 61af11a6..4100aacb 100644
--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.2.0-3.3.x.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.2.0-3.3.x.c
@@ -308,6 +308,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+    { PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };
diff --git a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.4.0-3.4.x.c b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.4.0-3.4.x.c
index c46ab889..9670ade7 100644
--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.4.0-3.4.x.c
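Review bot: Re-listing SSHKDF in fips_kdfs restores fetchability, but nothing on the added line enforces the "FIPS-approved hash functions (SHA-2 family)" argument from the commit message — SSHKDF derives with whatever digest the caller supplies, and RFC 4253 key-exchange methods include SHA-1, so any approved-digest restriction inside the FIPS module depends on the checks in kdf_sshkdf.c, which should be confirmed rather than assumed if the baseline patches touched that file too. A FIPS-provider algorithm is also expected to have a matching power-up KAT; if the baseline stripped the SSHKDF entry from self_test_data.inc along with this table entry, re-adding the table entry alone re-exposes the algorithm without its self-test, which this patch does not show either way. A short comment on the added line would record where the real controls live: `/* SSHKDF (RFC 4253): any digest restriction and KAT coverage live in kdf_sshkdf.c / self_test_data.inc, not in this table */`. The same applies to the fipsprov 3.2.0-3.3.x, 3.4.0-3.4.x, 3.5.0-3.5.1 and 3.5.2+ hunks; the fips_kdfs array begins before each hunk.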
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.4.0-3.4.x.c
@@ -314,6 +314,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+    { PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };
diff --git a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.0-3.5.1.c b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.0-3.5.1.c
index 5673486d..c098e517 100644
--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.0-3.5.1.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.0-3.5.1.c
@@ -343,6 +343,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+    { PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };
diff --git a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.2+.c b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.2+.c
index 2ed1816e..2a9c7510 100644
--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.2+.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.2+.c
@@ -343,6 +343,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_tls1_prf_functions },
     { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+    { PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
     { NULL, NULL, NULL }
 };