File openssh-fips-moduli-skip-filtering-nonfips.patch of Package openssh.17414
commit 1f8aa004e3a2dcd0b64d4b8446e3971257fd8e54
Author: Hans Petter Jansson <hpj@hpjansson.org>
Date: Fri Nov 27 17:14:48 2020 +0100
Skip filtering outside FIPS mode. We need this because openssl's
DH_check() takes a long time to run when FIPS is disabled -- it
won't filter by a predefined list then, but instead applies
safe-prime checks. These typically add up to several minutes of
run time for the default moduli file.
diff --git a/dh.c b/dh.c
index 13e7c18..b254be7 100644
--- a/dh.c
+++ b/dh.c
@@ -152,6 +152,15 @@ dhg_is_approved(const struct dhgroup *dhg)
int dh_status;
int is_ok = 0;
+ /* Skip filtering outside FIPS mode. We need this because openssl's
+ * DH_check() takes a long time to run when FIPS is disabled -- it
+ * won't filter by a predefined list then, but instead applies
+ * safe-prime checks. These typically add up to several minutes of
+ * run time for the default moduli file. */
+ if (!fips_mode()) {
+ return 1;
+ }
+
/* DH_set0_pqg() transfers ownership of the bignums, so we
* make temporary copies here for simplicity. */
g = BN_dup(dhg->g);
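Review bot: the early `return 1` at the top of dhg_is_approved() means that outside FIPS mode every group in the moduli file is reported as approved without the DH_check() call this function was built around, so any entry DH_check() would previously have rejected (a non-safe prime, a bad generator) is now accepted unconditionally; the function's name and the comment above it still suggest a real check happens. Consider documenting this in the function's header comment and in the commit message ("approval is only enforced in FIPS mode; non-FIPS relies on the moduli file having been screened elsewhere"), and, if callers depend on this function to reject malformed groups, keeping a cheap sanity check (e.g. the size/generator checks that do not need the expensive DH_check() path) in the non-FIPS branch rather than skipping everything. As a minor style point, since the early return leaves `is_ok` unused on that path, `return 1;` could be written as `return is_ok = 1;` only if the rest of the function uses that convention; otherwise the plain `return 1;` is fine and the braces around the single statement match the surrounding style.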