From 1c01acf847fb8f029d394c4c2faae9c825de126f Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Jul 26 2024 11:18:20 +0000
Subject: Change ssh-keygen defaults in FIPS mode

Resolves: RHEL-37324
---
diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index e44fef2..6a14cb3 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -516,6 +516,14 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
  #include
  #include "openbsd-compat/openssl-compat.h"
  #endif
+@@ -69,6 +69,7 @@
+ #include "cipher.h"
+ 
+ #define DEFAULT_KEY_TYPE_NAME "ed25519"
++#define FIPS_DEFAULT_KEY_TYPE_NAME "rsa"
+ 
+ /*
+  * Default number of bits in the RSA, DSA and ECDSA keys. These value can be
 @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
  #endif
  }
@@ -529,6 +537,15 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
  switch (type) {
  case KEY_DSA:
  if (*bitsp != 1024)
+@@ -266,7 +267,7 @@ ask_filename(struct passwd *pw, const ch
+ char *name = NULL;
+ 
+ if (key_type_name == NULL)
+- name = _PATH_SSH_CLIENT_ID_ED25519;
++ name = FIPS_mode() ? _PATH_SSH_CLIENT_ID_RSA : _PATH_SSH_CLIENT_ID_ED25519;
+ else {
+ switch (sshkey_type_from_name(key_type_name)) {
+ #ifdef WITH_DSA
 @@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
  first = 1;
  printf("%s: generating new host keys: ", __progname);
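Review bot: The new `++#define FIPS_DEFAULT_KEY_TYPE_NAME "rsa"` in the `@@ -69,6 +69,7 @@` hunk carries no comment saying why the FIPS default diverges from `DEFAULT_KEY_TYPE_NAME`, and nothing in this commit updates the user-facing documentation of the default. A one-line comment above the define, such as `/* Default key type when FIPS_mode() is active; must be a FIPS-approved algorithm (see ask_filename() and main()) */`, would record the intent for the next rebase. If the ssh-keygen.1 text for `-t` still names a single default, it presumably needs a FIPS-mode sentence as well; the man page is outside this diff.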
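Review bot: The inserted header `+@@ -266,7 +267,7 @@ ask_filename(struct passwd *pw, const ch` only accounts for the one line added by the `@@ -69,6 +69,7 @@` hunk, but the `@@ -205,6 +205,12 @@ type_bits_valid` hunk that sits between them already adds six more lines, so the new-side start should read `+@@ -266,7 +273,7 @@`. The `+@@ -3830,7 +3831,7 @@ main(int argc, char **argv)` header in the next outer hunk has the same problem, with an even larger offset that depends on hunks outside this view (`@@ -1098,9 +1104,17 @@` alone shows the running offset is at least fourteen by that point). patch(1) presumably still applies these by old-side numbers and context, so the build is unlikely to break, but the misleading new-side numbers confuse anyone reading or rebasing the patch; regenerating the patch from the patched tree instead of hand-editing hunks avoids this.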
@@ -548,6 +565,15 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
  if ((fd = mkstemp(prv_tmp)) == -1) {
  error("Could not save your private key in %s: %s",
  prv_tmp, strerror(errno));
+@@ -3830,7 +3831,7 @@ main(int argc, char **argv)
+ }
+ 
+ if (key_type_name == NULL)
+- key_type_name = DEFAULT_KEY_TYPE_NAME;
++ key_type_name = FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME;
+ 
+ type = sshkey_type_from_name(key_type_name);
+ type_bits_valid(type, key_type_name, &bits);
 diff -up openssh-9.3p1/ssh-rsa.c.evpgenrsa openssh-9.3p1/ssh-rsa.c
 --- openssh-9.3p1/ssh-rsa.c.evpgenrsa 2022-06-30 15:14:58.200518353 +0200
 +++ openssh-9.3p1/ssh-rsa.c 2022-06-30 15:24:31.499641196 +0200
diff --git a/openssh.spec b/openssh.spec
index b2930c8..ff19cd6 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -39,7 +39,7 @@
 %{?static_openssl:%global static_libcrypto 1}
 
 %global openssh_ver 9.8p1
-%global openssh_rel 1
+%global openssh_rel 2
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -653,11 +653,15 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
+* Fri Jul 26 2024 Dmitry Belyavskiy - 9.8p1-2.0
+- Temporary disabling self-test
+  Related: RHEL-42635
+- Change ssh-keygen defaults in FIPS mode
+  Resolves: RHEL-37324
+
 * Thu Jul 25 2024 Dmitry Belyavskiy - 9.8p1-1.0
 - Rebase OpenSSH to 9.8p1
   Resolves: RHEL-42635
-- Temporary disabling self-test
-  Related: RHEL-42635
 
 * Fri Jul 12 2024 Zoltan Fridrich - 9.6p1-1.5
 - Build OpenSSH without ENGINE API
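Review bot: `FIPS_mode()` is called unguarded in the new `++ key_type_name = FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME;` line (and in the matching ask_filename() change in the previous hunk), while the only OpenSSL-related include this patch shows for ssh-keygen.c sits inside an `#endif` block; in a build without OpenSSL the identifier is presumably undeclared. libcrypto's own `FIPS_mode()` also no longer exists in OpenSSL 3, so this must be a shim provided elsewhere in this patch, and it is worth confirming that the shim is visible to ssh-keygen.c and that the RSA default is reachable in both configurations. A small helper such as `static const char *default_key_type_name(void) { return FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME; }` would also keep the policy in one place if more call sites appear. main() starts well before this hunk.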