OpenSSL fips provider prevents use of HMAC with key size smaller than
112 bits. This would be fine for actual cases that use HMAC with a key,
but there are cases that use a shorter salt (e.g., SAE PWE derivation).
Allow those cases to use the OpenSSL default provider instead of the
fips provider in builds that do not use CONFIG_FIPS=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
if (os_strcmp(digest, "MD5") == 0) {
openssl_need_md5();
property_query = "provider!=fips";
+ } else if (key_len < 14 && OSSL_PROVIDER_available(NULL, "fips")) {
+ /* Need to use non-FIPS provider in OpenSSL to handle cases
+ * where HMAC is used with salt that is less than 112 bits
+ * instead of the HMAC uses with an actual key. */
+ openssl_disable_fips();
+ openssl_load_default_provider_if_fips();
+ property_query = "provider!=fips";
}
#endif /* CONFIG_FIPS */
hmac = EVP_MAC_fetch(NULL, "HMAC", property_query);
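Review bot: The new `else if (key_len < 14 && OSSL_PROVIDER_available(NULL, "fips"))` branch picks the non-FIPS provider on key length alone, so it cannot tell a short salt (the SAE PWE derivation case named in the commit message) from an actual HMAC key shorter than 112 bits; both silently end up with `property_query = "provider!=fips"`. Consider letting the salt-style callers request the fallback explicitly, or at least emit a debug log when this branch is taken so that a short real key does not pass unnoticed. The literal 14 is the 112-bit limit expressed in bytes; a named constant would tie the check to the comment above it. The branch also calls openssl_disable_fips(), whose body is not visible in this hunk; if its effect lasts beyond this single EVP_MAC_fetch() call, the comment should say so.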