diff --git a/SOURCES/openssh-7.7p1-fips.patch b/SOURCES/openssh-7.7p1-fips.patch
index f28b943..90b4fba 100644
--- a/SOURCES/openssh-7.7p1-fips.patch
+++ b/SOURCES/openssh-7.7p1-fips.patch
@@ -174,12 +174,14 @@ diff -up openssh-7.9p1/Makefile.in.fips openssh-7.9p1/Makefile.in
diff -up openssh-7.9p1/myproposal.h.fips openssh-7.9p1/myproposal.h
--- openssh-7.9p1/myproposal.h.fips 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/myproposal.h 2019-03-11 17:06:37.621878041 +0100
-@@ -116,6 +116,14 @@
+@@ -116,6 +116,16 @@
"rsa-sha2-256," \
"ssh-rsa"
+#define KEX_FIPS_PK_ALG \
+ HOSTKEY_ECDSA_CERT_METHODS \
++ "rsa-sha2-512-cert-v01@openssh.com," \
++ "rsa-sha2-256-cert-v01@openssh.com," \
+ "ssh-rsa-cert-v01@openssh.com," \
+ HOSTKEY_ECDSA_METHODS \
+ "rsa-sha2-512," \
@@ -556,3 +558,22 @@ diff -up openssh-7.9p1/ssh-keygen.c.fips openssh-7.9p1/ssh-keygen.c
switch (type) {
case KEY_DSA:
if (*bitsp != 1024)
+@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+ first = 1;
+ printf("%s: generating new host keys: ", __progname);
+ }
++ type = sshkey_type_from_name(key_types[i].key_type);
++
++ /* Skip the keys that are not supported in FIPS mode */
++ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
++ logit("Skipping %s key in FIPS mode",
++ key_types[i].key_type_display);
++ goto next;
++ }
++
+ printf("%s ", key_types[i].key_type_display);
+ fflush(stdout);
+- type = sshkey_type_from_name(key_types[i].key_type);
+ if ((fd = mkstemp(prv_tmp)) == -1) {
+ error("Could not save your public key in %s: %s",
+ prv_tmp, strerror(errno));
diff --git a/SOURCES/openssh-8.0p1-crypto-policies.patch b/SOURCES/openssh-8.0p1-crypto-policies.patch
index 8a63501..ffd4bae 100644
--- a/SOURCES/openssh-8.0p1-crypto-policies.patch
+++ b/SOURCES/openssh-8.0p1-crypto-policies.patch
@@ -13,7 +13,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available ciphers may also be obtained using
@@ -26,7 +26,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
@@ -47,7 +47,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key exchange algorithms may also be obtained using
@@ -66,7 +66,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available MAC algorithms may also be obtained using
@@ -88,7 +88,7 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key types may also be obtained using
@@ -108,7 +108,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available ciphers may also be obtained using
@@ -121,7 +121,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HostbasedAcceptedKeyTypes
@@ -143,7 +143,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key types may also be obtained using
@@ -162,7 +162,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key exchange algorithms may also be obtained using
@@ -181,7 +181,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available MAC algorithms may also be obtained using
@@ -203,7 +203,7 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
-+To see the defaults and how to modifuy this default, see manual page
++To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key types may also be obtained using
diff --git a/SOURCES/openssh-8.0p1-openssl-pem.patch b/SOURCES/openssh-8.0p1-openssl-pem.patch
index 28becd0..7e4fa81 100644
--- a/SOURCES/openssh-8.0p1-openssl-pem.patch
+++ b/SOURCES/openssh-8.0p1-openssl-pem.patch
@@ -1,14 +1,176 @@
-commit 2fe812887139ce32eeca52f9a0c141bdc7c4c8af
-Author: Jakub Jelen <jjelen@redhat.com>
-Date: Wed May 22 17:25:22 2019 +0200
+From eb0d8e708a1f958aecd2d6e2ff2450af488d4c2a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 15 Jul 2019 13:16:29 +0000
+Subject: [PATCH] upstream: support PKCS8 as an optional format for storage of
- New PEM export format withou MD5
+private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
+private keys to disk.
+The OpenSSH native key format remains the default, but PKCS8 is a
+superior format to PEM if interoperability with non-OpenSSH software
+is required, as it may use a less terrible KDF (IIRC PEM uses a single
+round of MD5 as a KDF).
+
+adapted from patch by Jakub Jelen via bz3013; ok markus
+
+OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
+---
+ authfile.c | 6 ++--
+ ssh-keygen.1 | 9 +++---
+ ssh-keygen.c | 25 +++++++++--------
+ sshkey.c | 78 +++++++++++++++++++++++++++++++++++++---------------
+ sshkey.h | 11 ++++++--
+ 5 files changed, 87 insertions(+), 42 deletions(-)
+
+diff --git a/authfile.c b/authfile.c
+index 2166c1689..851c1a8a1 100644
+--- a/authfile.c
++++ b/authfile.c
+@@ -74,7 +74,7 @@ sshkey_save_private_blob(struct sshbuf *keybuf, const char *filename)
+ int
+ sshkey_save_private(struct sshkey *key, const char *filename,
+ const char *passphrase, const char *comment,
+- int force_new_format, const char *new_format_cipher, int new_format_rounds)
++ int format, const char *openssh_format_cipher, int openssh_format_rounds)
+ {
+ struct sshbuf *keyblob = NULL;
+ int r;
+@@ -82,7 +82,7 @@ sshkey_save_private(struct sshkey *key, const char *filename,
+ if ((keyblob = sshbuf_new()) == NULL)
+ return SSH_ERR_ALLOC_FAIL;
+ if ((r = sshkey_private_to_fileblob(key, keyblob, passphrase, comment,
+- force_new_format, new_format_cipher, new_format_rounds)) != 0)
++ format, openssh_format_cipher, openssh_format_rounds)) != 0)
+ goto out;
+ if ((r = sshkey_save_private_blob(keyblob, filename)) != 0)
+ goto out;
+diff --git a/ssh-keygen.1 b/ssh-keygen.1
+index f42127c60..8184a1797 100644
+--- a/ssh-keygen.1
++++ b/ssh-keygen.1
+@@ -419,11 +419,12 @@ The supported key formats are:
+ .Dq RFC4716
+ (RFC 4716/SSH2 public or private key),
+ .Dq PKCS8
+-(PEM PKCS8 public key)
++(PKCS8 public or private key)
+ or
+ .Dq PEM
+ (PEM public key).
+-The default conversion format is
++By default OpenSSH will write newly-generated private keys in its own
++format, but when converting public keys for export the default format is
+ .Dq RFC4716 .
+ Setting a format of
+ .Dq PEM
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index b019a02ff..5dcad1f61 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -147,11 +147,11 @@ static char *key_type_name = NULL;
+ /* Load key from this PKCS#11 provider */
+ static char *pkcs11provider = NULL;
+
+-/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
+-static int use_new_format = 1;
++/* Format for writing private keys */
++static int private_key_format = SSHKEY_PRIVATE_OPENSSH;
+
+ /* Cipher for new-format private keys */
+-static char *new_format_cipher = NULL;
++static char *openssh_format_cipher = NULL;
+
+ /*
+ * Number of KDF rounds to derive new format keys /
+@@ -1048,7 +1048,8 @@ do_gen_all_hostkeys(struct passwd *pw)
+ snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
+ hostname);
+ if ((r = sshkey_save_private(private, prv_tmp, "",
+- comment, use_new_format, new_format_cipher, rounds)) != 0) {
++ comment, private_key_format, openssh_format_cipher,
++ rounds)) != 0) {
+ error("Saving key \"%s\" failed: %s",
+ prv_tmp, ssh_err(r));
+ goto failnext;
+@@ -1391,7 +1392,7 @@ do_change_passphrase(struct passwd *pw)
+
+ /* Save the file using the new passphrase. */
+ if ((r = sshkey_save_private(private, identity_file, passphrase1,
+- comment, use_new_format, new_format_cipher, rounds)) != 0) {
++ comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
+ error("Saving key \"%s\" failed: %s.",
+ identity_file, ssh_err(r));
+ explicit_bzero(passphrase1, strlen(passphrase1));
+@@ -1480,7 +1481,7 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
+ }
+
+ if (private->type != KEY_ED25519 && private->type != KEY_XMSS &&
+- !use_new_format) {
++ private_key_format != SSHKEY_PRIVATE_OPENSSH) {
+ error("Comments are only supported for keys stored in "
+ "the new format (-o).");
+ explicit_bzero(passphrase, strlen(passphrase));
+@@ -1514,7 +1515,8 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
+
+ /* Save the file using the new passphrase. */
+ if ((r = sshkey_save_private(private, identity_file, passphrase,
+- new_comment, use_new_format, new_format_cipher, rounds)) != 0) {
++ new_comment, private_key_format, openssh_format_cipher,
++ rounds)) != 0) {
+ error("Saving key \"%s\" failed: %s",
+ identity_file, ssh_err(r));
+ explicit_bzero(passphrase, strlen(passphrase));
+@@ -2525,11 +2527,12 @@ main(int argc, char **argv)
+ }
+ if (strcasecmp(optarg, "PKCS8") == 0) {
+ convert_format = FMT_PKCS8;
++ private_key_format = SSHKEY_PRIVATE_PKCS8;
+ break;
+ }
+ if (strcasecmp(optarg, "PEM") == 0) {
+ convert_format = FMT_PEM;
+- use_new_format = 0;
++ private_key_format = SSHKEY_PRIVATE_PEM;
+ break;
+ }
+ fatal("Unsupported conversion format \"%s\"", optarg);
+@@ -2567,7 +2570,7 @@ main(int argc, char **argv)
+ add_cert_option(optarg);
+ break;
+ case 'Z':
+- new_format_cipher = optarg;
++ openssh_format_cipher = optarg;
+ break;
+ case 'C':
+ identity_comment = optarg;
+@@ -2912,7 +2915,7 @@ main(int argc, char **argv)
+
+ /* Save the key with the given passphrase and comment. */
+ if ((r = sshkey_save_private(private, identity_file, passphrase1,
+- comment, use_new_format, new_format_cipher, rounds)) != 0) {
++ comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
+ error("Saving key \"%s\" failed: %s",
+ identity_file, ssh_err(r));
+ explicit_bzero(passphrase1, strlen(passphrase1));
diff --git a/sshkey.c b/sshkey.c
-index b95ed0b1..1a271512 100644
+index 6b5ff0485..a0cea9257 100644
--- a/sshkey.c
+++ b/sshkey.c
-@@ -3805,26 +3805,28 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
+@@ -3975,10 +3975,10 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
+
+
+ #ifdef WITH_OPENSSL
+-/* convert SSH v2 key in OpenSSL PEM format */
++/* convert SSH v2 key to PEM or PKCS#8 format */
+ static int
+-sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
+- const char *_passphrase, const char *comment)
++sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *blob,
++ int format, const char *_passphrase, const char *comment)
+ {
+ int success, r;
+ int blen, len = strlen(_passphrase);
+@@ -3988,26 +3988,46 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
char *bptr;
BIO *bio = NULL;
@@ -16,47 +178,68 @@ index b95ed0b1..1a271512 100644
if (len > 0 && len <= 4)
return SSH_ERR_PASSPHRASE_TOO_SHORT;
- if ((bio = BIO_new(BIO_s_mem())) == NULL)
- return SSH_ERR_ALLOC_FAIL;
-+ if ((pkey = EVP_PKEY_new()) == NULL) {
-+ BIO_free(bio);
-+ return SSH_ERR_ALLOC_FAIL;
-+ }
+- if ((bio = BIO_new(BIO_s_mem())) == NULL)
+- return SSH_ERR_ALLOC_FAIL;
++ if ((bio = BIO_new(BIO_s_mem())) == NULL) {
++ r = SSH_ERR_ALLOC_FAIL;
++ goto out;
++ }
++
++ if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
++ r = SSH_ERR_ALLOC_FAIL;
++ goto out;
++ }
switch (key->type) {
case KEY_DSA:
- success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
- cipher, passphrase, len, NULL, NULL);
-+ success = EVP_PKEY_set1_DSA(pkey, key->dsa);
++ if (format == SSHKEY_PRIVATE_PEM) {
++ success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
++ cipher, passphrase, len, NULL, NULL);
++ } else {
++ success = EVP_PKEY_set1_DSA(pkey, key->dsa);
++ }
break;
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
- success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
- cipher, passphrase, len, NULL, NULL);
-+ success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
++ if (format == SSHKEY_PRIVATE_PEM) {
++ success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
++ cipher, passphrase, len, NULL, NULL);
++ } else {
++ success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
++ }
break;
#endif
case KEY_RSA:
- success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
- cipher, passphrase, len, NULL, NULL);
-+ success = EVP_PKEY_set1_RSA(pkey, key->rsa);
++ if (format == SSHKEY_PRIVATE_PEM) {
++ success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
++ cipher, passphrase, len, NULL, NULL);
++ } else {
++ success = EVP_PKEY_set1_RSA(pkey, key->rsa);
++ }
break;
default:
success = 0;
-@@ -3834,6 +3836,12 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
+@@ -4023,6 +4040,13 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
-+ success = PEM_write_bio_PrivateKey(bio, pkey,
-+ cipher, passphrase, len, NULL, NULL);
-+ if (success == 0) {
-+ r = SSH_ERR_LIBCRYPTO_ERROR;
-+ goto out;
++ if (format == SSHKEY_PRIVATE_PKCS8) {
++ if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
++ passphrase, len, NULL, NULL)) == 0) {
++ r = SSH_ERR_LIBCRYPTO_ERROR;
++ goto out;
++ }
+ }
if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
-@@ -3842,6 +3850,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
+@@ -4035,6 +4059,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
goto out;
r = 0;
out:
@@ -64,4 +247,78 @@ index b95ed0b1..1a271512 100644
BIO_free(bio);
return r;
}
+@@ -4046,29 +4071,38 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
+ int
+ sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
+ const char *passphrase, const char *comment,
+- int force_new_format, const char *new_format_cipher, int new_format_rounds)
++ int format, const char *openssh_format_cipher, int openssh_format_rounds)
+ {
+ switch (key->type) {
+ #ifdef WITH_OPENSSL
+ case KEY_DSA:
+ case KEY_ECDSA:
+ case KEY_RSA:
+- if (force_new_format) {
+- return sshkey_private_to_blob2(key, blob, passphrase,
+- comment, new_format_cipher, new_format_rounds);
+- }
+- return sshkey_private_pem_to_blob(key, blob,
+- passphrase, comment);
++ break; /* see below */
+ #endif /* WITH_OPENSSL */
+ case KEY_ED25519:
+ #ifdef WITH_XMSS
+ case KEY_XMSS:
+ #endif /* WITH_XMSS */
+ return sshkey_private_to_blob2(key, blob, passphrase,
+- comment, new_format_cipher, new_format_rounds);
++ comment, openssh_format_cipher, openssh_format_rounds);
+ default:
+ return SSH_ERR_KEY_TYPE_UNKNOWN;
+ }
++
++#ifdef WITH_OPENSSL
++ switch (format) {
++ case SSHKEY_PRIVATE_OPENSSH:
++ return sshkey_private_to_blob2(key, blob, passphrase,
++ comment, openssh_format_cipher, openssh_format_rounds);
++ case SSHKEY_PRIVATE_PEM:
++ case SSHKEY_PRIVATE_PKCS8:
++ return sshkey_private_to_blob_pem_pkcs8(key, blob,
++ format, passphrase, comment);
++ default:
++ return SSH_ERR_INVALID_ARGUMENT;
++ }
++#endif /* WITH_OPENSSL */
+ }
+
+
+diff --git a/sshkey.h b/sshkey.h
+index 41d159a1b..d30a69cc9 100644
+--- a/sshkey.h
++++ b/sshkey.h
+@@ -88,6 +88,13 @@ enum sshkey_serialize_rep {
+ SSHKEY_SERIALIZE_INFO = 254,
+ };
+
++/* Private key disk formats */
++enum sshkey_private_format {
++ SSHKEY_PRIVATE_OPENSSH = 0,
++ SSHKEY_PRIVATE_PEM = 1,
++ SSHKEY_PRIVATE_PKCS8 = 2,
++};
++
+ /* key is stored in external hardware */
+ #define SSHKEY_FLAG_EXT 0x0001
+
+@@ -221,7 +228,7 @@ int sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **keyp);
+ /* private key file format parsing and serialisation */
+ int sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
+ const char *passphrase, const char *comment,
+- int force_new_format, const char *new_format_cipher, int new_format_rounds);
++ int format, const char *openssh_format_cipher, int openssh_format_rounds);
+ int sshkey_parse_private_fileblob(struct sshbuf *buffer,
+ const char *passphrase, struct sshkey **keyp, char **commentp);
+ int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index 3d31e54..6784355 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -66,7 +66,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.0p1
-%global openssh_rel 2
+%global openssh_rel 3
%global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 7
@@ -733,6 +733,12 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
+* Tue Jul 23 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-3 + 0.10.3-7
+- Fix typos in manual pages (#1668325)
+- Use the upstream support for PKCS#8 PEM files alongside with the legacy PEM files (#1712436)
+- Unbreak ssh-keygen -A in FIPS mode (#1732424)
+- Add missing RSA certificate types to offered hostkey types in FIPS mode (#1732449)
+
* Wed Jun 12 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-2 + 0.10.3-7
- Allow specifying a pin-value in PKCS #11 URI in ssh-add (#1639698)
- Whitelist another syscall variant for s390x cryptographic module (ibmca engine) (#1714915)