From 6cdaa527d8da997e720bd33b37056c6d3076834a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 13 Jan 2022 13:34:38 +0100
Subject: [PATCH] Explicitly permit SHA1 HMAC

Related: rhbz#2026445
---
 0046-FIPS-permitsha1-hmac.patch | 52 +++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 0046-FIPS-permitsha1-hmac.patch

diff --git a/0046-FIPS-permitsha1-hmac.patch b/0046-FIPS-permitsha1-hmac.patch
new file mode 100644
index 0000000..cd302b7
--- /dev/null
+++ b/0046-FIPS-permitsha1-hmac.patch
@@ -0,0 +1,52 @@
+diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
+--- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac	2022-01-13 12:11:19.547755685 +0100
++++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c	2022-01-13 12:49:50.538432459 +0100
+@@ -14,6 +14,7 @@
+ #include "internal/deprecated.h"
+ 
+ #include <string.h>
++#include <strings.h>
+ 
+ #include <openssl/core_dispatch.h>
+ #include <openssl/core_names.h>
+@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
+     struct hmac_data_st *macctx = vmacctx;
+     OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
+     const OSSL_PARAM *p;
++#ifdef FIPS_MODULE
++    const OSSL_PARAM *pdgst;
++#endif
+     int flags = 0;
+ 
+     if (params == NULL)
+         return 1;
+ 
++#ifdef FIPS_MODULE
++    /* Red Hat removes fips=yes property from SHA1, but it's still
++     * included in FIPS provider and we want HMAC working with it */
++    pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
++    if (pdgst != NULL) {
++        const char *dgstname;
++
++        if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
++            return 0;
++        dgstname = pdgst->data;
++        if (dgstname != NULL) {
++            if ((strncasecmp("SHA1", dgstname, 4) == 0)
++               || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
++               if (ossl_prov_digest_fetch(&macctx->digest, ctx,
++                                   "SHA1", "provider=fips,-fips") == NULL)
++                   return 0;
++            } else {
++                if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
++                return 0;
++            }
++        }
++    }
++#else
+     if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
+         return 0;
++#endif
+ 
+     if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
+                   &flags))