Use FIPS KEX defaults in FIPS mode
Resolves: RHEL-58986
parent
2a4f84e7ce
commit
0802365f07
@ -744,3 +744,23 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
|
||||
|
||||
if ((b = sshbuf_from(sig, siglen)) == NULL)
|
||||
return SSH_ERR_ALLOC_FAIL;
|
||||
diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c
|
||||
--- openssh-9.9p1/kex.c.xxx 2024-10-11 12:44:08.087426597 +0200
|
||||
+++ openssh-9.9p1/kex.c 2024-10-11 14:00:10.404714521 +0200
|
||||
@@ -40,6 +40,7 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
+#include <openssl/fips.h>
|
||||
# ifdef HAVE_EVP_KDF_CTX_NEW
|
||||
# include <openssl/kdf.h>
|
||||
# include <openssl/param_build.h>
|
||||
@@ -109,7 +110,7 @@ kex_proposal_populate_entries(struct ssh
|
||||
|
||||
/* Append EXT_INFO signalling to KexAlgorithms */
|
||||
if (kexalgos == NULL)
|
||||
- kexalgos = defprop[PROPOSAL_KEX_ALGS];
|
||||
+ kexalgos = FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : defprop[PROPOSAL_KEX_ALGS];
|
||||
if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
|
||||
"ext-info-s,kex-strict-s-v00@openssh.com" :
|
||||
"ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
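Review bot: The FIPS fallback on the new `kexalgos = FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : defprop[PROPOSAL_KEX_ALGS];` line only runs when `kexalgos == NULL`, so a caller-supplied list is passed to `kex_names_cat()` unchanged. Whether a non-approved name in an explicitly configured list is rejected in FIPS mode depends on code outside this hunk, and that is worth confirming before relying on this change for compliance. The existing comment above the branch only mentions EXT_INFO, so I would add `/* No list configured: in FIPS mode fall back to the FIPS-approved KEX set, not the compiled-in default */`. The `#include <openssl/fips.h>` is added under `#ifdef WITH_OPENSSL`, but the hunk does not show whether this call site sits under the same guard; if it does not, a build without OpenSSL would presumably fail on `FIPS_mode()`. The body of `kex_proposal_populate_entries` continues outside the hunk.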
|
||||
|
@ -662,6 +662,8 @@ test -f %{sysconfig_anaconda} && \
|
||||
Resolves: RHEL-60564
|
||||
- Separate ssh-keysign to a dedicated package
|
||||
Resolves: RHEL-62112
|
||||
- Use FIPS KEX defaults in FIPS mode
|
||||
Resolves: RHEL-58986
|
||||
|
||||
* Mon Sep 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-6
|
||||
- rebuilt
|
||||
|