Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"

Disabling EVP_PKEY_sign and EVP_PKEY_verify also breaks EVP_SignFinal, which is used by many applications, among them OpenSSH. This change thus broke sshd in FIPS mode. Revert it for now until we found a better solution. Related: rhbz#2087147 Signed-off-by: Clemens Lang <cllang@redhat.com>
2 years ago · 96926ffe00
parent 794d81540e
commit 96926ffe00
1 changed files with 4 additions and 1 deletions
--- a/openssl.spec
+++ b/openssl.spec
@ -118,7 +118,8 @@ Patch58: 0058-FIPS-limit-rsa-encrypt.patch
 Patch60: 0060-FIPS-KAT-signature-tests.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
-Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch
+# Disabled for now because it breaks EVP_SignFinal
+#Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch
 # https://github.com/openssl/openssl/pull/18141
 Patch63: 0063-CVE-2022-1473.patch
 # upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
@ -463,6 +464,8 @@ install -m644 %{SOURCE9} \
 - Resolves: rhbz#2087911
 - CVE-2022-1292 openssl: c_rehash script allows command injection
 - Resolves: rhbz#2090362
+- Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"
+  Related: rhbz#2087147

 * Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
 - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode