MD4 cipher requires OpenSSL3's "legacy" provider, while MD5 fetched from
the "default" one. Both ciphers are unavailable in FIPS mode, however
MD5 is tolerated for RADIUS requests on local host.
The OpenSSL3 library context was missing the "default" provider, causing
MD5 encryption to fail in FIPS mode.
Resolves: rhbz#2068458
Signed-off-by: Julien Rische <jrische@redhat.com>
Bypass OpenSSL's restrictions to use KRB5KDF in FIPS mode in case at
least one of AES SHA-1 HMAC encryption types are used.
Use OpenSSL 3.0 library context to access MD4 and MD5 lazily from
legacy provider if RADIUS is being used or RC4 encryption type is
enabled, without affecting global context.
Remove EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag since does not have any
effect anymore.
Such exceptions should not be allowed by the default FIPS crypto
policy.
Resolves: rhbz#2039684
Resolves: rhbz#2053135
Signed-off-by: Julien Rische <jrische@redhat.com>
Julien Rische
Robbie Harwood
DistroBaker
Troy Dawson
Petr Šabata