rpms/openssh
7
0
Fork 2
Code Issues Pull Requests Releases Activity

Don't negotiate non-FIPS algorithms in ssh-keyscan key exchange in FIPS mode

Browse Source 
Resolves: RHEL-88565

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2026-03-18 16:05:26 +01:00
parent f5a6642da3
commit 3f5a4dc4f9
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
openssh-7.7p1-fips.patch
View File

@ -701,3 +701,29 @@ diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c
if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
"ext-info-s,kex-strict-s-v00@openssh.com" :
"ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
diff --color -ruNp a/ssh-keyscan.c b/ssh-keyscan.c
--- a/ssh-keyscan.c 2026-03-18 13:58:55.708193373 +0100
+++ b/ssh-keyscan.c 2026-03-18 15:34:35.495942538 +0100
@@ -22,6 +22,7 @@
#ifdef WITH_OPENSSL
#include <openssl/bn.h>
#endif
+#include <openssl/fips.h>
#include <limits.h>
#include <netdb.h>
@@ -239,6 +240,14 @@ keygrab_ssh2(con *c)
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
int r;
+ if (FIPS_mode()) {
+ myproposal[PROPOSAL_KEX_ALGS] = KEX_DEFAULT_KEX_FIPS;
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = KEX_FIPS_ENCRYPT;
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] = KEX_FIPS_MAC;
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
+ }
+
switch (c->c_keytype) {
case KT_DSA:
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?

6
openssh.spec
View File

@ -43,7 +43,7 @@
Summary: An open source implementation of SSH protocol version 2
Name: openssh
Version: %{openssh_ver}
Release: 22%{?dist}
Release: 23%{?dist}
URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -719,6 +719,10 @@ test -f %{sysconfig_anaconda} && \
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
%changelog
* Wed Mar 18 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-23
- Don't negotiate non-FIPS algorithms in ssh-keyscan key exchange in FIPS mode
Resolves: RHEL-88565
* Thu Mar 12 2026 Zoltan Fridrich <zfridric@redhat.com> - 9.9p1-22
- Remove recommendation of p11-kit
Resolves: RHEL-139070