Page MenuHome GnuPG

gnupg fails to add ssh key to control entry in FIPS mode with libgcrypt 1.10.1
Closed, ResolvedPublic

Description

The FIPS mode disables MD5 digest, but gpg-agent with support for ssh requires MD5 to calculate legacy digests, placing them in comment of the control file. This fails, but no reasonable error message is presented to the user.

The gnupg2 should either stop using the MD5 digests (OpenSSH does not use them for years by default), ignore failures generating these fingerprints or at least report some usable errors to users in case this happens. Currently, the user interaction looks like this:

# ssh-add testkey
Please enter a passphrase to protect the received secret key
   SHA256:IHw/1uKMQBjUXcFZItMsF2wnWP4fWJuubkSJxSBgvZw
   root@rhel-9-0-0-20220401-0.local
within gpg-agent's key storage
Passphrase: 
Repeat: 
Identity added: testkey (root@rhel-9-0-0-20220401-0.local)

# ssh-add -l
The agent has no identities.

My proposal is to ignore failures from generating the md5 fingerprints if they are not available, but I do not mind the other options.

Similarly issue is present in the tests that needs to be adjusted, probably to detect the fips mode based on the libgcrypt FIPS mode status. I have a patch for the t-ssh-utils.

There are other issues in FIPS mode mostly handling of algorithms unsupported in FIPS mode, but I did not get into the scm format yet to be able to fix them yet.

Details

External Link
https://bugzilla.redhat.com/show_bug.cgi?id=2073567
Version
master with libgcrypt 1.10.1 in FIPS mode

Related Objects

Event Timeline

gniibe triaged this task as Normal priority.
gniibe added a subscriber: gniibe.

Patches applied and pushed. For the common/t-ssh-utils, I applied my fix for the use case with key on command line when FIPS mode is enabled (MD5 error is OK, in this case).

gniibe moved this task from Next to Done on the FIPS board.