diff -up openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac openssl-3.0.0/providers/implementations/macs/hmac_prov.c
--- openssl-3.0.0/providers/implementations/macs/hmac_prov.c.sha1hmac	2022-01-13 12:11:19.547755685 +0100
+++ openssl-3.0.0/providers/implementations/macs/hmac_prov.c	2022-01-13 12:49:50.538432459 +0100
@@ -14,6 +14,7 @@
 #include "internal/deprecated.h"
 
 #include <string.h>
+#include <strings.h>
 
 #include <openssl/core_dispatch.h>
 #include <openssl/core_names.h>
@@ -305,13 +306,40 @@ static int hmac_set_ctx_params(void *vma
     struct hmac_data_st *macctx = vmacctx;
     OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
     const OSSL_PARAM *p;
+#ifdef FIPS_MODULE
+    const OSSL_PARAM *pdgst;
+#endif
     int flags = 0;
 
     if (params == NULL)
         return 1;
 
+#ifdef FIPS_MODULE
+    /* Red Hat removes fips=yes property from SHA1, but it's still
+     * included in FIPS provider and we want HMAC working with it */
+    pdgst = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_DIGEST);
+    if (pdgst != NULL) {
+        const char *dgstname;
+
+        if (pdgst->data_type != OSSL_PARAM_UTF8_STRING)
+            return 0;
+        dgstname = pdgst->data;
+        if (dgstname != NULL) {
+            if ((strncasecmp("SHA1", dgstname, 4) == 0)
+               || (strncasecmp("SHA-1", dgstname, 5) == 0)) {
+               if (ossl_prov_digest_fetch(&macctx->digest, ctx,
+                                   "SHA1", "provider=fips,-fips") == NULL)
+                   return 0;
+            } else {
+                if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
+                return 0;
+            }
+        }
+    }
+#else
     if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
         return 0;
+#endif
 
     if (!set_flag(params, OSSL_MAC_PARAM_DIGEST_NOINIT, EVP_MD_CTX_FLAG_NO_INIT,
                   &flags))