From 96926ffe007338075ed55b582e20b4650d67efd2 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Wed, 25 May 2022 18:17:35 +0200 Subject: [PATCH] Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode" Disabling EVP_PKEY_sign and EVP_PKEY_verify also breaks EVP_SignFinal, which is used by many applications, among them OpenSSH. This change thus broke sshd in FIPS mode. Revert it for now until we found a better solution. Related: rhbz#2087147 Signed-off-by: Clemens Lang --- openssl.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/openssl.spec b/openssl.spec index dfa064b..cd48db8 100644 --- a/openssl.spec +++ b/openssl.spec @@ -118,7 +118,8 @@ Patch58: 0058-FIPS-limit-rsa-encrypt.patch Patch60: 0060-FIPS-KAT-signature-tests.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2087147 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch -Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch +# Disabled for now because it breaks EVP_SignFinal +#Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch # https://github.com/openssl/openssl/pull/18141 Patch63: 0063-CVE-2022-1473.patch # upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a @@ -463,6 +464,8 @@ install -m644 %{SOURCE9} \ - Resolves: rhbz#2087911 - CVE-2022-1292 openssl: c_rehash script allows command injection - Resolves: rhbz#2090362 +- Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode" + Related: rhbz#2087147 * Thu May 19 2022 Dmitry Belyavskiy - 1:3.0.1-32 - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode