openssh unix dev - Aug 2012 - second FIPS patch for openssh 6.0p1, fix pubkey

The patch to enable FIPS mode for openssh 6.0p1 missed two instances of
the ssh client trying to use MD5. It causes pubkey-based authentication
to fail in FIPS mode.

I have copied the missing changes from auth2-pubkey.c into sshconnect2.c.

Here is a patch:


 
diff -cr openssh-6.0p1/sshconnect2.c openssh-6.0p1-patched/sshconnect2.c
*** openssh-6.0p1/sshconnect2.c	Sun May 29 07:42:34 2011
--- openssh-6.0p1-patched/sshconnect2.c	Wed Aug 29 14:59:19 2012
***************
*** 77,82 ****
--- 77,88 ----
  #include "ssh-gss.h"
  #endif
  
+ #include <openssl/sha.h>
+ #ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
+ #endif
+ 
+ 
  /* import */
  extern char *client_version_string;
  extern char *server_version_string;
***************
*** 591,597 ****
  		    key->type, pktype);
  		goto done;
  	}
! 	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
  	debug2("input_userauth_pk_ok: fp %s", fp);
  	xfree(fp);
  
--- 604,611 ----
  		    key->type, pktype);
  		goto done;
  	}
! 	fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
!                             SSH_FP_HEX);
  	debug2("input_userauth_pk_ok: fp %s", fp);
  	xfree(fp);
  
***************
*** 1204,1210 ****
  	int have_sig = 1;
  	char *fp;
  
! 	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
  	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
  	xfree(fp);
  
--- 1218,1225 ----
  	int have_sig = 1;
  	char *fp;
  
! 	fp = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
!                             SSH_FP_HEX);
  	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
  	xfree(fp);
  


-Mag

> The patch to enable FIPS mode for openssh 6.0p1 missed two instances of the
ssh client trying to use MD5.
I assume you're talking about the patch I posted.  My patch had another
mistake... there's a third place with the same issue, in ssh-agent.c

I've updated the patch and reposted it at the same location:
http://jpschaaf.com/stuff/openssh-6.0p1-fips.diff

Comments are always appreciated...  Particularly if anyone knows what the
"right way" is to handle the case where cipher is NULL in authfile.c

Jonathan