File 0012-Allow-KRB5KDF-in-FIPS-mode.patch of Package krb5.37150
From e49fac84bb32cd55f4384f7aff093146a5fa39ea Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Oct 2024 11:55:45 +0200
Subject: [PATCH] Allow KRB5KDF in FIPS mode
If the applied crypto-policy allows the aes256-cts-hmac-sha1-96 or
aes128-cts-hmac-sha1-96 encryption types, bypass the FIPS restrictions.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
src/lib/crypto/openssl/kdf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/crypto/openssl/kdf.c b/src/lib/crypto/openssl/kdf.c
index 41e845eae0..2713850997 100644
--- a/src/lib/crypto/openssl/kdf.c
+++ b/src/lib/crypto/openssl/kdf.c
@@ -200,7 +200,7 @@ k5_derive_random_rfc3961(const struct krb5_enc_provider *enc, krb5_key key,
goto done;
}
- kdf = EVP_KDF_fetch(NULL, "KRB5KDF", NULL);
+ kdf = EVP_KDF_fetch(NULL, "KRB5KDF", "-fips");
if (kdf == NULL) {
ret = KRB5_CRYPTO_INTERNAL;
goto done;
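Review bot: the "-fips" property query on the EVP_KDF_fetch() call is passed unconditionally, but the commit message says the FIPS restriction is bypassed only if the applied crypto-policy allows aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96, and no such check is visible in this hunk. If that condition is enforced elsewhere (for example, by the permitted enctype list preventing k5_derive_random_rfc3961() from being reached), add a comment above the fetch saying where, and why the non-FIPS KRB5KDF implementation is acceptable here. Otherwise, gate the property string on the policy check and keep the original NULL query as the default. It is also worth documenting that the existing `kdf == NULL` path still returns KRB5_CRYPTO_INTERNAL when no provider supplies KRB5KDF under the new query, so a failure in FIPS mode remains distinguishable in logs.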
--
2.47.0