Disable ed25519 and ed25519-sk keys in FIPS mode

Related: rhbz#2087915
2022-07-14 12:23:52 +02:00 · 2022-07-14 12:23:52 +02:00 · b17ff3bc91
parent 0d823b2f2a
commit b17ff3bc91
2 changed files with 6 additions and 2 deletions
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -348,7 +348,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
 		    &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
 			do_log2_r(r, ll, "Unable to load host key \"%s\"",
 			    options.host_key_files[i]);
-+		if (FIPS_mode() && (sshkey_type_plain(key->type) == KEY_ED25519_SK
+		if (FIPS_mode() && key != NULL && (sshkey_type_plain(key->type) == KEY_ED25519_SK
 +				||  sshkey_type_plain(key->type) == KEY_ED25519)) {
 +		    logit_f("sshd: Ed25519 keys are not allowed in FIPS mode, skipping %s", options.host_key_files[i]);
 +		    sshkey_free(key);
--- a/openssh.spec
+++ b/openssh.spec
@ -51,7 +51,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 14
+%global openssh_rel 15
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 4

@ -720,6 +720,10 @@ test -f %{sysconfig_anaconda} && \
 %endif

 %changelog
+* Thu Jul 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-15
+- Disable ed25519 and ed25519-sk keys in FIPS mode
+  Related: rhbz#2087915
+
 * Wed Jul 13 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-14
 - Disable ed25519 and ed25519-sk keys in FIPS mode
  Related: rhbz#2087915