Don't limit using SHA1 in KDFs in non-FIPS mode.
Resolves: RHEL-5295
This commit is contained in:
parent
131e7d1602
commit
223304543a
@ -287,22 +287,6 @@ index 699ada7c52..e534ad0a5f 100644
|
|||||||
return mdnid;
|
return mdnid;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
|
|
||||||
if (ossl_securitycheck_enabled(ctx))
|
|
||||||
return ossl_digest_get_approved_nid(md) != NID_undef;
|
|
||||||
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
|
||||||
+
|
|
||||||
+#ifndef FIPS_MODULE
|
|
||||||
+ {
|
|
||||||
+ int mdnid = EVP_MD_nid(md);
|
|
||||||
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
|
||||||
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||||
index de7f0d3a0a..ce54a94fbc 100644
|
index de7f0d3a0a..ce54a94fbc 100644
|
||||||
--- a/providers/common/securitycheck_default.c
|
--- a/providers/common/securitycheck_default.c
|
||||||
|
@ -525,6 +525,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
|
|||||||
* Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
|
* Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
|
||||||
- Provide relevant diagnostics when FIPS checksum is corrupted
|
- Provide relevant diagnostics when FIPS checksum is corrupted
|
||||||
Resolves: RHEL-5317
|
Resolves: RHEL-5317
|
||||||
|
- Don't limit using SHA1 in KDFs in non-FIPS mode.
|
||||||
|
Resolves: RHEL-5295
|
||||||
|
|
||||||
* Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
|
* Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
|
||||||
- Make FIPS module configuration more crypto-policies friendly
|
- Make FIPS module configuration more crypto-policies friendly
|
||||||
|
Loading…
Reference in New Issue
Block a user