Disable ed25519 and ed25519-sk keys in FIPS mode

Related: rhbz#2087915
Dmitry Belyavskiy 2022-07-14 12:23:52 +02:00
parent 0d823b2f2a
commit b17ff3bc91
2 changed files with 6 additions and 2 deletions


@ -348,7 +348,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
&key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
do_log2_r(r, ll, "Unable to load host key \"%s\"",
options.host_key_files[i]);
+ if (FIPS_mode() && (sshkey_type_plain(key->type) == KEY_ED25519_SK
+ if (FIPS_mode() && key != NULL && (sshkey_type_plain(key->type) == KEY_ED25519_SK
+ || sshkey_type_plain(key->type) == KEY_ED25519)) {
+ logit_f("sshd: Ed25519 keys are not allowed in FIPS mode, skipping %s", options.host_key_files[i]);
+ sshkey_free(key);
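Review bot: The skip path ends with `sshkey_free(key)` but nothing in the hunk resets `key`, so unless the line immediately after the hunk is `key = NULL;` the loop iteration continues with a dangling pointer, and whatever host-key bookkeeping follows in this function (outside the hunk) would presumably treat it as a successfully loaded key; the free should be paired with `key = NULL;` so the rest of the iteration takes the same path as a key that failed to load. The added `key != NULL &&` guard is correct and necessary: when `sshkey_load_private` fails, the branch above only logs and leaves `key` NULL, so the previous version dereferenced NULL in `sshkey_type_plain(key->type)`. The check covers only the private key loaded here; if the same loop later loads a public-only (agent-backed) host key, an Ed25519 key could still pass through that path in FIPS mode — worth confirming. The enclosing loop and function start and end outside the hunk.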


@ -51,7 +51,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1
%global openssh_rel 14
%global openssh_rel 15
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 4
@ -720,6 +720,10 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
* Thu Jul 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-15
- Disable ed25519 and ed25519-sk keys in FIPS mode
Related: rhbz#2087915
* Wed Jul 13 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-14
- Disable ed25519 and ed25519-sk keys in FIPS mode
Related: rhbz#2087915