Disable ed25519 and ed25519-sk keys in FIPS mode

Related: rhbz#2087915

openssh-7.7p1-fips.patch

@@ -407,6 +407,25 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
  #include "ssh-sk.h"
  
  #ifdef WITH_XMSS
+@@ -285,6 +285,18 @@ sshkey_alg_list(int certs_only, int plai
+ 	for (kt = keytypes; kt->type != -1; kt++) {
+ 		if (kt->name == NULL || kt->type == KEY_NULL)
+ 			continue;
++		if (FIPS_mode()) {
++			switch (kt->type) {
++			case KEY_ED25519:
++			case KEY_ED25519_SK:
++			case KEY_ED25519_CERT:
++			case KEY_ED25519_SK_CERT:
++			     continue;
++			     break;
++			default:
++			     break;
++			}
++		}
+ 		if (!include_sigonly && kt->sigonly)
+ 			continue;
+ 		if ((certs_only && !kt->cert) || (plain_only && kt->cert))
 @@ -1503,6 +1503,20 @@ sshkey_read(struct sshkey *ret, char **c
  		return SSH_ERR_EC_CURVE_MISMATCH;
  	}

openssh.spec

@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 16
+%global openssh_rel 17
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 4
 
@@ -725,6 +725,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Jul 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-17
+- Disable ed25519 and ed25519-sk keys in FIPS mode
+  Related: rhbz#2087915
+
 * Thu Jul 14 2022 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-16
 - Don't propose disallowed algorithms during hostkey negotiation
   Resolves: rhbz#2068423