Explicitly permit SHA1 HMAC

Related: rhbz#2026445
3 years ago · 6cdaa527d8
parent cc37486d86
commit 6cdaa527d8
1 changed files with 52 additions and 0 deletions
--- a/0046-FIPS-permitsha1-hmac.patch
+++ b/0046-FIPS-permitsha1-hmac.patch
@ -0,0 +1,52 @@
+diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
+--- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac	2022-01-13 12:11:19.547755685 +0100
+++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c	2022-01-13 12:49:50.538432459 +0100
+@@ -14,6 +14,7 @@
+ #include "internal/deprecated.h"
+ 
+ #include <string.h>
+#include <strings.h>
+ 
+ #include <openssl/core_dispatch.h>
+ #include <openssl/core_names.h>
+@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
+     struct hmac_data_st *macctx = vmacctx;
+     OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
+     const OSSL_PARAM *p;
+#ifdef FIPS_MODULE
+    const OSSL_PARAM *pdgst;
+#endif
+     int flags = 0;
+ 
+     if (params == NULL)
+         return 1;
+ 
+#ifdef FIPS_MODULE
+    /* Red Hat removes fips=yes property from SHA1, but it's still
+     * included in FIPS provider and we want HMAC working with it */
+    pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
+    if (pdgst != NULL) {
+        const char *dgstname;
+
+        if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
+            return 0;
+        dgstname = pdgst->data;
+        if (dgstname != NULL) {
+            if ((strncasecmp("SHA1", dgstname, 4) == 0)
+               || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
+               if (ossl_prov_digest_fetch(&macctx->digest, ctx,
+                                   "SHA1", "provider=fips,-fips") == NULL)
+                   return 0;
+            } else {
+                if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
+                return 0;
+            }
+        }
+    }
+#else
+     if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
+         return 0;
+#endif
+ 
+     if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
+                   &flags))