Use FIPS KEX defaults in FIPS mode

Resolves: RHEL-58986

openssh-7.7p1-fips.patch

@@ -744,3 +744,23 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
  
  	if ((b = sshbuf_from(sig, siglen)) == NULL)
  		return SSH_ERR_ALLOC_FAIL;
+diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c
+--- openssh-9.9p1/kex.c.xxx	2024-10-11 12:44:08.087426597 +0200
++++ openssh-9.9p1/kex.c	2024-10-11 14:00:10.404714521 +0200
+@@ -40,6 +40,7 @@
+ #ifdef WITH_OPENSSL
+ #include <openssl/crypto.h>
+ #include <openssl/dh.h>
++#include <openssl/fips.h>
+ # ifdef HAVE_EVP_KDF_CTX_NEW
+ # include <openssl/kdf.h>
+ # include <openssl/param_build.h>
+@@ -109,7 +110,7 @@ kex_proposal_populate_entries(struct ssh
+ 
+ 	/* Append EXT_INFO signalling to KexAlgorithms */
+ 	if (kexalgos == NULL)
+-		kexalgos = defprop[PROPOSAL_KEX_ALGS];
++	    kexalgos = FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : defprop[PROPOSAL_KEX_ALGS];
+ 	if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
+ 	    "ext-info-s,kex-strict-s-v00@openssh.com" :
+ 	    "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)

openssh.spec

@@ -662,6 +662,8 @@ test -f %{sysconfig_anaconda} && \
   Resolves: RHEL-60564
 - Separate ssh-keysign to a dedicated package
   Resolves: RHEL-62112
+- Use FIPS KEX defaults in FIPS mode
+  Resolves: RHEL-58986
 
 * Mon Sep 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-6
 - rebuilt