Fix SSH-agent interface in FIPS mode

Resolves: rhbz#2073567
This commit is contained in:
Jakub Jelen 2023-03-30 14:38:42 +02:00
parent 0ad46db225
commit f8c15a5bc2
2 changed files with 46 additions and 0 deletions


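--- a/gnupg-2.3.3-ssh-fips.patch
+++ b/gnupg-2.3.3-ssh-fips.patch
@@ -0,0 +1,42 @@
+From c4436ebfa58f219190f1244928001b4293293343 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 12 Apr 2022 16:26:58 +0200
+Subject: [PATCH GnuPG] agent: Ignore MD5 Fingerprints for ssh keys
+--
+* agent/command-ssh.c (add_control_entry): Ignore failure of the MD5
+digest
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+agent/command-ssh.c | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/agent/command-ssh.c b/agent/command-ssh.c
+index a7784e728..46821e3c8 100644
+--- a/agent/command-ssh.c
++++ b/agent/command-ssh.c
+@@ -1095,8 +1095,9 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
+time_t atime = time (NULL);
+err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr_md5);
++ /* ignore the errors as MD5 is not available in FIPS mode */
+if (err)
+- goto out;
++ fpr_md5 = NULL;
+err = ssh_get_fingerprint_string (key, GCRY_MD_SHA256, &fpr_sha256);
+if (err)
+@@ -1113,7 +1114,8 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
+spec->name,
+1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
+tp->tm_hour, tp->tm_min, tp->tm_sec,
+- fpr_md5, fpr_sha256, hexgrip, ttl, confirm? " confirm":"");
++ fpr_md5? fpr_md5:"", fpr_sha256, hexgrip, ttl,
++ confirm? " confirm":"");
+}
+out:
+--
+2.39.2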
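Review bot: The new guard `if (err) fpr_md5 = NULL;` after the GCRY_MD_MD5 call swallows every failure of ssh_get_fingerprint_string, not only the algorithm-unavailable case the comment names, so an allocation or key-encoding error on that path is silently turned into an empty fingerprint column while the same error from the SHA-256 call two lines later still aborts. Narrowing it keeps unrelated failures visible, e.g. `if (err && gpg_err_code (err) != GPG_ERR_DIGEST_ALGO) goto out;` followed by `if (err) fpr_md5 = NULL;` — this assumes the helper surfaces the FIPS rejection as GPG_ERR_DIGEST_ALGO, which is not visible here and should be confirmed against its implementation. Assigning NULL also presumes the helper leaves *fpr_md5 untouched on failure; if it can allocate before failing, that string would leak on this path. The added comment would read better in the file's sentence style as `/* Ignore errors here: MD5 is not available in FIPS mode.  */`. add_control_entry starts and ends outside both hunks.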


@ -36,6 +36,9 @@ Patch33: gnupg-2.3.3-disable-sha1.patch
# Fix AEAD packet construction # Fix AEAD packet construction
# https://dev.gnupg.org/T5856 # https://dev.gnupg.org/T5856
Patch34: gnupg-2.3.3-aead-packet.patch Patch34: gnupg-2.3.3-aead-packet.patch
# Fix ssh-agent behavior in FIPS mode
# https://dev.gnupg.org/T5929
Patch35: gnupg-2.3.3-ssh-fips.patch
URL: https://www.gnupg.org/ URL: https://www.gnupg.org/
@ -123,6 +126,7 @@ to the base GnuPG package
%patch32 -p1 -b .CVE-2022-34903 %patch32 -p1 -b .CVE-2022-34903
%patch33 -p1 -b .sha1 %patch33 -p1 -b .sha1
%patch34 -p1 -b .aead %patch34 -p1 -b .aead
%patch35 -p1 -b .ssh-fips
# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper) # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
# Note: this is just the name of the default shared lib to load in scdaemon, # Note: this is just the name of the default shared lib to load in scdaemon,