The functions gcry_pk_hash_sign and gcry_pk_hash_verify miss the checks for the FIPS status so they work regardless the fips status.
This was probably overlooked when initially implemented. The change should be trivial:
From d43acc80c711fd49f9ce9db5b2e9cf3213f88f60 Mon Sep 17 00:00:00 2001 From: Jakub Jelen <jjelen@redhat.com> Date: Wed, 1 Mar 2023 17:14:00 +0100 Subject: [PATCH] visibility: Check FIPS operational status for MD+Sign operation * src/visibility.c (gcry_pk_hash_sign): Check fips status before calling the operation itself (gcry_pk_hash_verify): Ditto. -- Signed-off-by: Jakub Jelen <jjelen@redhat.com> --- src/visibility.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/visibility.c b/src/visibility.c index 73db3dea..1f17e147 100644 --- a/src/visibility.c +++ b/src/visibility.c @@ -1050,6 +1050,11 @@ gcry_error_t gcry_pk_hash_sign (gcry_sexp_t *result, const char *data_tmpl, gcry_sexp_t skey, gcry_md_hd_t hd, gcry_ctx_t ctx) { + if (!fips_is_operational ()) + { + *result = NULL; + return gpg_error (fips_not_operational ()); + } return gpg_error (_gcry_pk_sign_md (result, data_tmpl, hd, skey, ctx)); } @@ -1065,6 +1070,8 @@ gcry_error_t gcry_pk_hash_verify (gcry_sexp_t sigval, const char *data_tmpl, gcry_sexp_t pkey, gcry_md_hd_t hd, gcry_ctx_t ctx) { + if (!fips_is_operational ()) + return gpg_error (fips_not_operational ()); return gpg_error (_gcry_pk_verify_md (sigval, data_tmpl, hd, pkey, ctx)); } -- 2.39.1