File openssl-fips_allow_md5_sha1_for_tls1.0.patch of Package openssl-1_1.14217
Index: openssl-1.1.0i/ssl/statem/statem_clnt.c
===================================================================
--- openssl-1.1.0i.orig/ssl/statem/statem_clnt.c 2018-08-14 14:45:09.000000000 +0200
+++ openssl-1.1.0i/ssl/statem/statem_clnt.c 2020-01-18 16:33:49.479601945 +0100
@@ -1716,6 +1716,9 @@ MSG_PROCESS_RETURN tls_process_key_excha
goto err;
}
+ /* Allow md5/sha1 in FIPS */
+ EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+
if (EVP_VerifyInit_ex(md_ctx, md, NULL) <= 0
|| EVP_VerifyUpdate(md_ctx, &(s->s3->client_random[0]),
SSL3_RANDOM_SIZE) <= 0
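Review bot: `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` is set on `md_ctx` unconditionally, so in FIPS mode it exempts whatever digest `md` holds, not only the MD5/SHA-1 combination that the patch name ties to TLS 1.0. The code that selects `md` is outside the hunk; if, as in upstream 1.1.0, the legacy path is the one where `SSL_USE_SIGALGS(s)` is false, the exemption could be limited with `if (!SSL_USE_SIGALGS(s)) EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`. The same unconditional call is in the `ssl3_digest_cached_records` hunk in ssl/s3_enc.c, where it could move below `md = ssl_handshake_md(s);` and be guarded by `md != NULL && EVP_MD_type(md) == NID_md5_sha1`. The comment would also be more useful as `/* FIPS: permit MD5+SHA1 only for the TLS 1.0/1.1 ServerKeyExchange signature */`.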
Index: openssl-1.1.0i/ssl/s3_enc.c
===================================================================
--- openssl-1.1.0i.orig/ssl/s3_enc.c 2018-08-14 14:45:09.000000000 +0200
+++ openssl-1.1.0i/ssl/s3_enc.c 2020-01-18 16:33:49.479601945 +0100
@@ -369,6 +369,9 @@ int ssl3_digest_cached_records(SSL *s, i
return 0;
}
+ /* Allow md5/sha1 in FIPS */
+ EVP_MD_CTX_set_flags(s->s3->handshake_dgst, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+
md = ssl_handshake_md(s);
if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL)
|| !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) {
Index: openssl-1.1.0i/crypto/evp/c_alld.c
===================================================================
--- openssl-1.1.0i.orig/crypto/evp/c_alld.c 2020-01-18 16:33:48.695597515 +0100
+++ openssl-1.1.0i/crypto/evp/c_alld.c 2020-01-18 16:35:07.572043216 +0100
@@ -58,6 +58,8 @@ void openssl_add_all_digests_int(void)
EVP_add_digest(EVP_sha256());
EVP_add_digest(EVP_sha384());
EVP_add_digest(EVP_sha512());
+ /* Add md5_sha1 in FIPS for TLS 1.0 */
+ EVP_add_digest(EVP_md5_sha1());
}
#endif
}
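Review bot: Registering `EVP_md5_sha1()` in the FIPS branch of `openssl_add_all_digests_int` makes the digest resolvable by name for every caller of `EVP_get_digestbyname`, not only for the TLS 1.0 code paths the comment names. Whether a non-TLS caller can then actually use it depends on the FIPS check in the digest-init path, which this patch does not show. It is worth confirming with a test that `EVP_DigestInit_ex` still fails in FIPS mode on a context without `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW`. The comment should state the restriction, e.g. `/* FIPS: md5_sha1 is registered only for the TLS 1.0/1.1 handshake; callers must set EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */`. The function body starts outside the hunk.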