From c9904c7c8ae91b9a629beb89b3a1337561e6c883 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Mon, 9 Jan 2023 12:48:20 +0100
Subject: [PATCH] Fix build against updated OpenSSL

Resolves: rhbz#2158966
---
 openssh-7.7p1-fips.patch | 98 ++++++++++++++++++++++++++++------------
 openssh.spec             |  5 +-
 2 files changed, 73 insertions(+), 30 deletions(-)

diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index 62468ac..d1e44b0 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -1,6 +1,14 @@
 diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
 --- openssh-8.6p1/dh.c.fips	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.6p1/dh.c	2021-04-19 16:58:47.750263410 +0200
++++ openssh-8.6p1/dh.c	2021-05-06 12:12:10.107634472 +0200
+@@ -36,6 +36,7 @@
+ 
+ #include <openssl/bn.h>
+ #include <openssl/dh.h>
++#include <openssl/fips.h>
+ 
+ #include "dh.h"
+ #include "pathnames.h"
 @@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
  	int best, bestcount, which, linenum;
  	struct dhgroup dhg;
@@ -54,8 +62,8 @@ diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
 +
  #endif /* WITH_OPENSSL */
 diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
---- openssh-8.6p1/dh.h.fips	2021-04-19 16:53:03.064577862 +0200
-+++ openssh-8.6p1/dh.h	2021-04-19 16:59:31.951616078 +0200
+--- openssh-8.6p1/dh.h.fips	2021-05-06 12:08:36.498926877 +0200
++++ openssh-8.6p1/dh.h	2021-05-06 12:11:28.393298005 +0200
 @@ -45,6 +45,7 @@ DH	*dh_new_group_fallback(int);
  
  int	 dh_gen_key(DH *, int);
@@ -65,8 +73,16 @@ diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
  u_int	 dh_estimate(int);
  void	 dh_set_moduli_file(const char *);
 diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
---- openssh-8.6p1/kex.c.fips	2021-04-19 16:53:03.058577815 +0200
-+++ openssh-8.6p1/kex.c	2021-04-19 16:53:03.065577869 +0200
+--- openssh-8.6p1/kex.c.fips	2021-05-06 12:08:36.489926807 +0200
++++ openssh-8.6p1/kex.c	2021-05-06 12:08:36.498926877 +0200
+@@ -39,6 +39,7 @@
+ 
+ #ifdef WITH_OPENSSL
+ #include <openssl/crypto.h>
++#include <openssl/fips.h>
+ #include <openssl/dh.h>
+ # ifdef HAVE_EVP_KDF_CTX_NEW_ID
+ # include <openssl/kdf.h>
 @@ -203,7 +203,10 @@ kex_names_valid(const char *names)
  	for ((p = strsep(&cp, ",")); p && *p != '\0';
  	    (p = strsep(&cp, ","))) {
@@ -81,12 +97,12 @@ diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
  		}
 diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
 --- openssh-8.6p1/kexgexc.c.fips	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.6p1/kexgexc.c	2021-04-19 16:53:03.065577869 +0200
++++ openssh-8.6p1/kexgexc.c	2021-05-06 12:08:36.498926877 +0200
 @@ -28,6 +28,7 @@
  
  #ifdef WITH_OPENSSL
  
-+#include <openssl/crypto.h>
++#include <openssl/fips.h>
  #include <sys/types.h>
  
  #include <openssl/dh.h>
@@ -152,8 +168,16 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
  #define	SSH_ALLOWED_CA_SIGALGS	\
  	"ssh-ed25519," \
 diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
---- openssh-8.6p1/readconf.c.fips	2021-04-19 16:53:02.999577362 +0200
-+++ openssh-8.6p1/readconf.c	2021-04-19 16:53:03.065577869 +0200
+--- openssh-8.6p1/readconf.c.fips	2021-05-06 12:08:36.428926336 +0200
++++ openssh-8.6p1/readconf.c	2021-05-06 12:08:36.499926885 +0200
+@@ -39,6 +39,7 @@
+ #include <string.h>
+ #include <stdarg.h>
+ #include <unistd.h>
++#include <openssl/fips.h>
+ #ifdef USE_SYSTEM_GLOB
+ # include <glob.h>
+ #else
 @@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
@@ -177,8 +201,8 @@ diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
  	do { \
  		if ((r = kex_assemble_names(&options->what, \
 diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
---- openssh-8.6p1/sandbox-seccomp-filter.c.fips	2021-04-19 16:53:03.034577631 +0200
-+++ openssh-8.6p1/sandbox-seccomp-filter.c	2021-04-19 16:53:03.065577869 +0200
+--- openssh-8.6p1/sandbox-seccomp-filter.c.fips	2021-05-06 12:08:36.463926606 +0200
++++ openssh-8.6p1/sandbox-seccomp-filter.c	2021-05-06 12:08:36.499926885 +0200
 @@ -160,6 +160,9 @@ static const struct sock_filter preauth_
  #ifdef __NR_open
  	SC_DENY(__NR_open, EACCES),
@@ -190,8 +214,16 @@ diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-secco
  	SC_DENY(__NR_openat, EACCES),
  #endif
 diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
---- openssh-8.6p1/servconf.c.fips	2021-04-19 16:53:03.027577577 +0200
-+++ openssh-8.6p1/servconf.c	2021-04-19 16:53:03.066577877 +0200
+--- openssh-8.6p1/servconf.c.fips	2021-05-06 12:08:36.455926545 +0200
++++ openssh-8.6p1/servconf.c	2021-05-06 12:08:36.500926893 +0200
+@@ -38,6 +38,7 @@
+ #include <limits.h>
+ #include <stdarg.h>
+ #include <errno.h>
++#include <openssl/fips.h>
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
 @@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
@@ -215,13 +247,13 @@ diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
  	do { \
  		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
 diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
---- openssh-8.6p1/ssh.c.fips	2021-04-19 16:53:03.038577662 +0200
-+++ openssh-8.6p1/ssh.c	2021-04-19 16:53:03.066577877 +0200
+--- openssh-8.6p1/ssh.c.fips	2021-05-06 12:08:36.467926637 +0200
++++ openssh-8.6p1/ssh.c	2021-05-06 12:08:36.500926893 +0200
 @@ -77,6 +77,7 @@
  #include <openssl/evp.h>
  #include <openssl/err.h>
  #endif
-+#include <openssl/crypto.h>
++#include <openssl/fips.h>
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
@@ -237,13 +269,13 @@ diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
  	if (options.sk_provider != NULL && *options.sk_provider == '$' &&
  	    strlen(options.sk_provider) > 1) {
 diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
---- openssh-8.6p1/sshconnect2.c.fips	2021-04-19 16:53:03.055577792 +0200
-+++ openssh-8.6p1/sshconnect2.c	2021-04-19 16:53:03.066577877 +0200
+--- openssh-8.6p1/sshconnect2.c.fips	2021-05-06 12:08:36.485926777 +0200
++++ openssh-8.6p1/sshconnect2.c	2021-05-06 12:08:36.501926900 +0200
 @@ -45,6 +45,8 @@
  #include <vis.h>
  #endif
  
-+#include <openssl/crypto.h>
++#include <openssl/fips.h>
 +
  #include "openbsd-compat/sys-queue.h"
  
@@ -318,8 +350,8 @@ diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
  	}
  #endif
 diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
---- openssh-8.6p1/sshd.c.fips	2021-04-19 16:53:03.060577831 +0200
-+++ openssh-8.6p1/sshd.c	2021-04-19 16:57:45.827769340 +0200
+--- openssh-8.6p1/sshd.c.fips	2021-05-06 12:08:36.493926838 +0200
++++ openssh-8.6p1/sshd.c	2021-05-06 12:13:56.501492639 +0200
 @@ -66,6 +66,7 @@
  #endif
  #include <pwd.h>
@@ -332,7 +364,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
  #include <openssl/dh.h>
  #include <openssl/bn.h>
  #include <openssl/rand.h>
-+#include <openssl/crypto.h>
++#include <openssl/fips.h>
  #include "openbsd-compat/openssl-compat.h"
  #endif
  
@@ -389,13 +421,13 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
  	if (gss && orig)
  		xasprintf(&newstr, "%s,%s", gss, orig);
 diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
---- openssh-8.6p1/sshkey.c.fips	2021-04-19 16:53:03.061577838 +0200
-+++ openssh-8.6p1/sshkey.c	2021-04-19 16:53:03.067577885 +0200
+--- openssh-8.6p1/sshkey.c.fips	2021-05-06 12:08:36.493926838 +0200
++++ openssh-8.6p1/sshkey.c	2021-05-06 12:08:36.502926908 +0200
 @@ -34,6 +34,7 @@
  #include <openssl/evp.h>
  #include <openssl/err.h>
  #include <openssl/pem.h>
-+#include <openssl/crypto.h>
++#include <openssl/fips.h>
  #endif
  
  #include "crypto_api.h"
@@ -480,8 +512,16 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
  		    compat, detailsp);
  #ifdef WITH_XMSS
 diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
---- openssh-8.6p1/ssh-keygen.c.fips	2021-04-19 16:53:03.038577662 +0200
-+++ openssh-8.6p1/ssh-keygen.c	2021-04-19 16:53:03.068577892 +0200
+--- openssh-8.6p1/ssh-keygen.c.fips	2021-05-06 12:08:36.467926637 +0200
++++ openssh-8.6p1/ssh-keygen.c	2021-05-06 12:08:36.503926916 +0200
+@@ -20,6 +20,7 @@
+ 
+ #ifdef WITH_OPENSSL
+ #include <openssl/evp.h>
++#include <openssl/fips.h>
+ #include <openssl/pem.h>
+ #include "openbsd-compat/openssl-compat.h"
+ #endif
 @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
  #endif
  	}
@@ -521,7 +561,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
  #include <stdio.h>
  #include <string.h>
  #include <signal.h>
-+#include <openssl/crypto.h>
++#include <openssl/fips.h>
  
  #include "sshkey.h"
  #include "kex.h"
@@ -607,7 +647,7 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
  
  #include <string.h>
  #include <stdarg.h>
-+#include <openssl/crypto.h>
++#include <openssl/fips.h>
  
  #include "log.h"
  #include "sshbuf.h"
diff --git a/openssh.spec b/openssh.spec
index 91e1d5c..b836e2a 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -47,7 +47,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.0p1
-%global openssh_rel 8
+%global openssh_rel 9
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 7
 
@@ -724,6 +724,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Mon Jan 09 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-9
+- Fix build against updated OpenSSL (rhbz#2158966)
+
 * Mon Oct 24 2022 Norbert Pocs <npocs@redhat.com> - 9.0p1-8
 - Add additional audit logging about ssh key used to login (rhbz#2049947)