Using DigestSign/DigestVerify functions for better FIPS compatibility

Resolves: RHEL-5217
2023-11-07 17:44:31 +01:00 · 2023-11-07 17:44:31 +01:00 · 2e04a3ede2
commit 2e04a3ede2
parent 6c888396c9
2 changed files with 6 additions and 9 deletions
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -471,7 +471,7 @@ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c
 
 #include "xmss_fast.h"
 
-@@ -392,13 +394,14 @@ sshkey_calculate_signature(EVP_PKEY *pkey
+@@ -392,7 +394,8 @@ sshkey_calculate_signature(EVP_PKEY *pkey
 {
 	EVP_MD_CTX *ctx = NULL;
 	u_char *sig = NULL;
@ -481,13 +481,6 @@ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c
 
 	if (sigp == NULL || lenp == NULL) {
 		return SSH_ERR_INVALID_ARGUMENT;
- 	}
- 
-	slen = EVP_PKEY_size(pkey);
-+	slen = EVP_PKEY_get_size(pkey);
- 	if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
- 		return SSH_ERR_INVALID_ARGUMENT;
- 
@@ -411,9 +414,10 @@ sshkey_calculate_signature(EVP_PKEY *pkey
 		ret = SSH_ERR_ALLOC_FAIL;
 		goto error;
--- a/openssh.spec
+++ b/openssh.spec
@ -66,7 +66,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 20
+%global openssh_rel 21
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7

@ -815,6 +815,10 @@ getent passwd sshd >/dev/null || \
 %endif

 %changelog
+* Tue Nov 07 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-21
+- Using DigestSign/DigestVerify functions for better FIPS compatibility
+  Resolves: RHEL-5217
+
 * Mon Oct 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-20
 - Limit artificial delays in sshd while login using AD user
  Resolves: RHEL-1684