From 5be8bc1b40dc4fe1f468c0af418becc5df14f9e5 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Mon, 15 Sep 2025 15:31:09 +0200
Subject: [PATCH] Relax GSS Kex restriction in FIPS mode

Resolves: RHEL-91181
---
 openssh-7.7p1-fips.patch | 30 ------------------------------
 openssh.spec | 6 +++++-
 2 files changed, 5 insertions(+), 31 deletions(-)

diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index 9f83eee..fcd0245 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -360,36 +360,6 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
  /*
   * Chdir to the root directory so that the current disk can be
   * unmounted if desired.
-diff -up openssh-8.6p1/sshd-session.c.fips openssh-8.6p1/sshd-session.c
---- a/sshd-session.c.fips 2021-05-06 12:08:36.493926838 +0200
-+++ b/sshd-session.c 2021-05-06 12:13:56.501492639 +0200
-@@ -78,6 +79,7 @@
- #include
- #include
- #include
-+#include
- #include "openbsd-compat/openssl-compat.h"
- #endif
-
-@@ -2506,10 +2513,14 @@ do_ssh2_kex(struct ssh *ssh)
- if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
- orig = NULL;
-
-- if (options.gss_keyex)
-- gss = ssh_gssapi_server_mechanisms();
-- else
-- gss = NULL;
-+ if (options.gss_keyex) {
-+ if (FIPS_mode()) {
-+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
-+ options.gss_keyex = 0;
-+ } else {
-+ gss = ssh_gssapi_server_mechanisms();
-+ }
-+ }
-
- if (gss && orig)
- xasprintf(&newstr, "%s,%s", gss, orig);
 diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
 --- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
 +++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200
diff --git a/openssh.spec b/openssh.spec
index 2214ddb..25e2e77 100644
--- a/openssh.spec
+++ b/openssh.spec
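Review bot: Dropping the sshd-session.c hunk from the FIPS patch means `do_ssh2_kex()` in the built sshd goes back to calling `ssh_gssapi_server_mechanisms()` whenever `options.gss_keyex` is set, so no sshd-level policy now decides which GSS key-exchange methods are offered in FIPS mode; that decision is implicitly left to the GSSAPI library and the crypto provider, and the commit message should say where that enforcement is expected to live and which GSS kex methods are meant to stay usable (the 9.9p1-13 entry about MD5 suggests this was thought through, but it is not recorded here). The removed `logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode")` was also the only operator-visible signal; consider keeping one line such as `if (FIPS_mode()) logit("GSSAPIKeyExchange enabled in FIPS mode; method restriction is left to the crypto provider");` so FIPS hosts can be audited from the log. The removed `-+#include` line (its header name is lost in this rendering) is only safe to drop if `FIPS_mode()` is no longer referenced elsewhere in sshd-session.c by this patch, which cannot be seen from here. The enclosing `do_ssh2_kex()` and the rest of the patched file lie outside the hunk.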
@@ -43,7 +43,7 @@ Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: 13%{?dist}
+Release: 14%{?dist}
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -689,6 +689,10 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
+* Mon Sep 15 2025 Dmitry Belyavskiy - 9.9p1-14
+- Relax GSS Kex restriction in FIPS mode
+  Resolves: RHEL-91181
+
 * Mon Sep 01 2025 Dmitry Belyavskiy - 9.9p1-13
 - Allow non-cryptographical use of MD5 in GSS Kex in FIPS mode
   Related: RHEL-91181