Don't limit using SHA1 in KDFs in non-FIPS mode.
Resolves: RHEL-5295
This commit is contained in:
parent
131e7d1602
commit
223304543a
@ -287,22 +287,6 @@ index 699ada7c52..e534ad0a5f 100644
|
||||
return mdnid;
|
||||
}
|
||||
|
||||
@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
|
||||
if (ossl_securitycheck_enabled(ctx))
|
||||
return ossl_digest_get_approved_nid(md) != NID_undef;
|
||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||
+
|
||||
+#ifndef FIPS_MODULE
|
||||
+ {
|
||||
+ int mdnid = EVP_MD_nid(md);
|
||||
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
||||
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
return 1;
|
||||
}
|
||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||
index de7f0d3a0a..ce54a94fbc 100644
|
||||
--- a/providers/common/securitycheck_default.c
|
||||
|
@ -525,6 +525,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
|
||||
* Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
|
||||
- Provide relevant diagnostics when FIPS checksum is corrupted
|
||||
Resolves: RHEL-5317
|
||||
- Don't limit using SHA1 in KDFs in non-FIPS mode.
|
||||
Resolves: RHEL-5295
|
||||
|
||||
* Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
|
||||
- Make FIPS module configuration more crypto-policies friendly
|
||||
|
Loading…
Reference in New Issue
Block a user