From e8876f1b1f9f6d0b6f68ce4279ae8b68fa3bc911 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Oct 19 2018 09:41:34 +0000
Subject: Honor GSSAPIServerIdentity for GSSAPI Key Exchange (#1637167)
---
diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index ae019fc..6450b5f 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -528,7 +528,7 @@ diff -up openssh-7.7p1/sshconnect2.c.fips openssh-7.7p1/sshconnect2.c
 maxlen = strlen(avail) + 1;
 first = xmalloc(maxlen);
 last = xmalloc(maxlen);
-@@ -290,21 +293,26 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -290,23 +293,28 @@ ssh_kex2(char *host, struct sockaddr *ho
 #ifdef GSSAPI
 if (options.gss_keyex) {
@@ -536,7 +536,9 @@ diff -up openssh-7.7p1/sshconnect2.c.fips openssh-7.7p1/sshconnect2.c
 - * client to the key exchange algorithm proposal */
 - orig = options.kex_algorithms;
 -
-- if (options.gss_trust_dns)
+- if (options.gss_server_identity)
+- gss_host = options.gss_server_identity;
+- else if (options.gss_trust_dns)
 - gss_host = (char *)get_canonical_hostname(active_state, 1);
 - else
 - gss_host = host;
@@ -555,7 +557,9 @@ diff -up openssh-7.7p1/sshconnect2.c.fips openssh-7.7p1/sshconnect2.c
 + * client to the key exchange algorithm proposal */
 + orig = options.kex_algorithms;
 +
-+ if (options.gss_trust_dns)
++ if (options.gss_server_identity)
++ gss_host = options.gss_server_identity;
++ else if (options.gss_trust_dns)
 + gss_host = (char *)get_canonical_hostname(active_state, 1);
 + else
 + gss_host = host;
diff --git a/openssh-7.8p1-gsskex.patch b/openssh-7.8p1-gsskex.patch
index a2c99e3..2903b69 100644
--- a/openssh-7.8p1-gsskex.patch
+++ b/openssh-7.8p1-gsskex.patch
@@ -2431,7 +2431,7 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 /*
 * SSH2 key exchange
 */
-@@ -162,9 +280,34 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -162,9 +280,36 @@ ssh_kex2(char *host, struct sockaddr *ho
 struct kex *kex;
 int r;
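Review bot: The commit changes only the two .patch files, so nothing in the diff updates the ssh_config(5) description of GSSAPIServerIdentity even though the option now also decides the gss_host value in ssh_kex2, which the key-exchange code presumably turns into the server's service principal; if the man page still describes the option only for authentication (not visible here), it should gain a sentence such as `This identity is also used for the server principal when GSSAPI key exchange is enabled.` The same three added lines appear in both openssh-7.7p1-fips.patch hunks (@@ -536 and @@ -555) and in the openssh-7.8p1-gsskex.patch hunk at @@ -2449, so the inner diffs stay consistent, and the updated inner header counts (21/26 to 23/28, 34 to 36) match two added lines per side. Placing the explicit identity before the gss_trust_dns branch means get_canonical_hostname() is no longer consulted when an identity is configured, which is the right precedence for an explicit setting over a DNS-derived name. ssh_kex2's body begins and ends outside these hunks.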
@@ -2449,7 +2449,9 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
 + * client to the key exchange algorithm proposal */
 + orig = options.kex_algorithms;
 +
-+ if (options.gss_trust_dns)
++ if (options.gss_server_identity)
++ gss_host = options.gss_server_identity;
++ else if (options.gss_trust_dns)
 + gss_host = (char *)get_canonical_hostname(active_state, 1);
 + else
 + gss_host = host;