openssl/0046-FIPS-permitsha1-hmac.patch
Dmitry Belyavskiy 6cdaa527d8 Explicitly permit SHA1 HMAC
Related: rhbz#2026445
2022-01-17 13:19:40 +01:00

53 lines
1.9 KiB
Diff

diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
--- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac 2022-01-13 12:11:19.547755685 +0100
+++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c 2022-01-13 12:49:50.538432459 +0100
@@ -14,6 +14,7 @@
#include "internal/deprecated.h"
#include <string.h>
+#include <strings.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
struct hmac_data_st *macctx = vmacctx;
OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
const OSSL_PARAM *p;
+#ifdef FIPS_MODULE
+ const OSSL_PARAM *pdgst;
+#endif
int flags = 0;
if (params == NULL)
return 1;
+#ifdef FIPS_MODULE
+ /* Red Hat removes fips=yes property from SHA1, but it's still
+ * included in FIPS provider and we want HMAC working with it */
+ pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
+ if (pdgst != NULL) {
+ const char *dgstname;
+
+ if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
+ return 0;
+ dgstname = pdgst->data;
+ if (dgstname != NULL) {
+ if ((strncasecmp("SHA1", dgstname, 4) == 0)
+ || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
+ if (ossl_prov_digest_fetch(&macctx->digest, ctx,
+ "SHA1", "provider=fips,-fips") == NULL)
+ return 0;
+ } else {
+ if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
+ return 0;
+ }
+ }
+ }
+#else
if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
return 0;
+#endif
if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
&flags))