Use FIPS KEX defaults in FIPS mode

Resolves: RHEL-58986
Dmitry Belyavskiy 2024-10-11 14:15:51 +02:00
parent 2a4f84e7ce
commit 0802365f07
2 changed files with 22 additions and 0 deletions


@ -744,3 +744,23 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
if ((b = sshbuf_from(sig, siglen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c
--- openssh-9.9p1/kex.c.xxx 2024-10-11 12:44:08.087426597 +0200
+++ openssh-9.9p1/kex.c 2024-10-11 14:00:10.404714521 +0200
@@ -40,6 +40,7 @@
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
#include <openssl/dh.h>
+#include <openssl/fips.h>
# ifdef HAVE_EVP_KDF_CTX_NEW
# include <openssl/kdf.h>
# include <openssl/param_build.h>
@@ -109,7 +110,7 @@ kex_proposal_populate_entries(struct ssh
/* Append EXT_INFO signalling to KexAlgorithms */
if (kexalgos == NULL)
- kexalgos = defprop[PROPOSAL_KEX_ALGS];
+ kexalgos = FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : defprop[PROPOSAL_KEX_ALGS];
if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
"ext-info-s,kex-strict-s-v00@openssh.com" :
"ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
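Review bot: The new `FIPS_mode()` call in kex_proposal_populate_entries is compiled unconditionally, while the header that declares it, `<openssl/fips.h>`, is added inside the `#ifdef WITH_OPENSSL` group just above it; unless the function itself sits under WITH_OPENSSL (its start is outside the hunk), a build without OpenSSL would fail on an implicit declaration. The usual fix is to wrap the assignment in `#ifdef WITH_OPENSSL` … `#else` … `#endif`, with the removed `kexalgos = defprop[PROPOSAL_KEX_ALGS];` as the non-OpenSSL arm. Separately, `FIPS_mode()` was removed from upstream OpenSSL 3.x, so this line appears to depend on a distribution compatibility header; a short comment such as `/* FIPS_mode() comes from the distribution's OpenSSL compat header, not upstream 3.x */` would save the next maintainer a build failure when porting. Note also that the FIPS default is only applied when no KexAlgorithms were configured, so user-supplied lists must be filtered elsewhere — if that filtering is not in this patch, it should be referenced here.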


@ -662,6 +662,8 @@ test -f %{sysconfig_anaconda} && \
Resolves: RHEL-60564
- Separate ssh-keysign to a dedicated package
Resolves: RHEL-62112
- Use FIPS KEX defaults in FIPS mode
Resolves: RHEL-58986
* Mon Sep 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-6
- rebuilt