From 0802365f07bf36afd75655b02ead9d2f47152536 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Oct 11 2024 12:15:51 +0000
Subject: Use FIPS KEX defaults in FIPS mode
Resolves: RHEL-58986
---
diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index a53f9f6..5d8da08 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -744,3 +744,23 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
 if ((b = sshbuf_from(sig, siglen)) == NULL)
 return SSH_ERR_ALLOC_FAIL;
+diff -up openssh-9.9p1/kex.c.xxx openssh-9.9p1/kex.c
+--- openssh-9.9p1/kex.c.xxx 2024-10-11 12:44:08.087426597 +0200
++++ openssh-9.9p1/kex.c 2024-10-11 14:00:10.404714521 +0200
+@@ -40,6 +40,7 @@
+ #ifdef WITH_OPENSSL
+ #include
+ #include
++#include
+ # ifdef HAVE_EVP_KDF_CTX_NEW
+ # include
+ # include
+@@ -109,7 +110,7 @@ kex_proposal_populate_entries(struct ssh
+
+ /* Append EXT_INFO signalling to KexAlgorithms */
+ if (kexalgos == NULL)
+- kexalgos = defprop[PROPOSAL_KEX_ALGS];
++ kexalgos = FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : defprop[PROPOSAL_KEX_ALGS];
+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
+ "ext-info-s,kex-strict-s-v00@openssh.com" :
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
diff --git a/openssh.spec b/openssh.spec
index db7c945..c52ddf5 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -662,6 +662,8 @@ test -f %{sysconfig_anaconda} && \
 Resolves: RHEL-60564
 - Separate ssh-keysign to a dedicated package
 Resolves: RHEL-62112
+- Use FIPS KEX defaults in FIPS mode
+ Resolves: RHEL-58986
 * Mon Sep 16 2024 Dmitry Belyavskiy - 9.8p1-6
 - rebuilt
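Review bot: The new `FIPS_mode()` call at the `kexalgos == NULL` fallback in `kex_proposal_populate_entries` is not visibly guarded by `WITH_OPENSSL`, while the header that declares it is added inside the `#ifdef WITH_OPENSSL` block at the top of kex.c, so a `--without-openssl` build would hit an implicit declaration here unless the rest of the FIPS patch supplies a stub; guarding the fallback as below keeps the non-OpenSSL path on the stock defaults. Note this only covers the unset-`KexAlgorithms` path: a configured list, including one that upstream `kex_assemble_names` expands with `+`/`-`/`^` against the non-FIPS default in readconf/servconf, is presumably filtered elsewhere in this patch and is worth confirming, since otherwise a config modifier could reintroduce non-approved KEX in FIPS mode. The ternary also deserves a one-line comment such as `/* In FIPS mode start from the FIPS-approved KEX list instead of the stock defaults */`. `kex_proposal_populate_entries` begins and ends outside the hunk, and `KEX_DEFAULT_KEX_FIPS` is assumed to be defined by the rest of the FIPS patch.
```c
	/* Append EXT_INFO signalling to KexAlgorithms */
	if (kexalgos == NULL) {
#ifdef WITH_OPENSSL
		/* In FIPS mode start from the FIPS-approved KEX list instead of the stock defaults */
		kexalgos = FIPS_mode() ? KEX_DEFAULT_KEX_FIPS :
		    defprop[PROPOSAL_KEX_ALGS];
#else
		kexalgos = defprop[PROPOSAL_KEX_ALGS];
#endif
	}
	/* … unchanged: kex_names_cat() of the ext-info / kex-strict markers … */
```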