File openssl-fips_allow_md5_sha1_for_tls1.0.patch of Package openssl-1_1.17562

Index: openssl-1.1.0i/ssl/statem/statem_clnt.c
===================================================================
--- openssl-1.1.0i.orig/ssl/statem/statem_clnt.c	2018-08-14 14:45:09.000000000 +0200
+++ openssl-1.1.0i/ssl/statem/statem_clnt.c	2020-01-18 16:33:49.479601945 +0100
@@ -1716,6 +1716,9 @@ MSG_PROCESS_RETURN tls_process_key_excha
             goto err;
         }
 
+        /* Allow md5/sha1 in FIPS */
+        EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+
         if (EVP_VerifyInit_ex(md_ctx, md, NULL) <= 0
             || EVP_VerifyUpdate(md_ctx, &(s->s3->client_random[0]),
                                 SSL3_RANDOM_SIZE) <= 0
Index: openssl-1.1.0i/ssl/s3_enc.c
===================================================================
--- openssl-1.1.0i.orig/ssl/s3_enc.c	2018-08-14 14:45:09.000000000 +0200
+++ openssl-1.1.0i/ssl/s3_enc.c	2020-01-18 16:33:49.479601945 +0100
@@ -369,6 +369,9 @@ int ssl3_digest_cached_records(SSL *s, i
             return 0;
         }
 
+        /* Allow md5/sha1 in FIPS */
+        EVP_MD_CTX_set_flags(s->s3->handshake_dgst, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+
         md = ssl_handshake_md(s);
         if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL)
             || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) {
Index: openssl-1.1.0i/crypto/evp/c_alld.c
===================================================================
--- openssl-1.1.0i.orig/crypto/evp/c_alld.c	2020-01-18 16:33:48.695597515 +0100
+++ openssl-1.1.0i/crypto/evp/c_alld.c	2020-01-18 16:35:07.572043216 +0100
@@ -58,6 +58,8 @@ void openssl_add_all_digests_int(void)
         EVP_add_digest(EVP_sha256());
         EVP_add_digest(EVP_sha384());
         EVP_add_digest(EVP_sha512());
+        /* Add md5_sha1 in FIPS for TLS 1.0 */
+        EVP_add_digest(EVP_md5_sha1());
     }
 #endif
 }
openSUSE Build Service is sponsored by