From 20cc83d13239b386b23b3e2912e07d17f4539280 Mon Sep 17 00:00:00 2001
From: Mark Kogan <mkogan@redhat.com>
Date: Thu, 14 Oct 2021 14:32:31 +0000
Subject: [PATCH] rgw: under fips, set flag to allow md5 in select rgw ops -
 for review

the ovrrides for review and relevant md5 usage:
```
src/rgw/rgw_crypt.cc:975:      unsigned char key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
    int rgw_s3_prepare_encrypt(...)
        crypt_http_responses["x-amz-server-side-encryption-customer-algorithm"] = "AES256";
        crypt_http_responses["x-amz-server-side-encryption-customer-key-MD5"] = std::string(keymd5);
                                                           ~~~~~~~~~~~~~~~~

src/rgw/rgw_crypt.cc:1225:    uint8_t key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
    int rgw_s3_prepare_decrypt(...)
        crypt_http_responses["x-amz-server-side-encryption-customer-algorithm"] = "AES256";
        crypt_http_responses["x-amz-server-side-encryption-customer-key-MD5"] = keymd5;
                                                           ~~~~~~~~~~~~~~~~

src/rgw/rgw_keystone.cc:40:  unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE];
        void TokenCache::add_admin(...)
	  rgw_get_token_id(token.token.id, admin_token_id);
	                                   ~~~~~~~~~~~~~~ md5
	  add_locked(admin_token_id, token);

        void TokenCache::add_barbican(...)
	  rgw_get_token_id(token.token.id, barbican_token_id);
	                                   ~~~~~~~~~~~~~~~~~ md5
	  add_locked(barbican_token_id, token);
```

Signed-off-by: Mark Kogan <mkogan@redhat.com>
(cherry picked from commit 551e0c8f38f3f646dbfb5fbfde51d3107ca90cc6)
---
 src/rgw/rgw_crypt.cc    | 4 ++++
 src/rgw/rgw_keystone.cc | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/src/rgw/rgw_crypt.cc b/src/rgw/rgw_crypt.cc
index 9d3e2f545573b..a5161e7d8fd66 100644
--- a/src/rgw/rgw_crypt.cc
+++ b/src/rgw/rgw_crypt.cc
@@ -717,6 +717,8 @@ int rgw_s3_prepare_encrypt(struct req_state* s,
       }
 
       MD5 key_hash;
+      // Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
+      key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
       unsigned char key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
       key_hash.Update(reinterpret_cast<const unsigned char*>(key_bin.c_str()), key_bin.size());
       key_hash.Final(key_hash_res);
@@ -960,6 +962,8 @@ int rgw_s3_prepare_decrypt(struct req_state* s,
     }
 
     MD5 key_hash;
+    // Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
+    key_hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
     uint8_t key_hash_res[CEPH_CRYPTO_MD5_DIGESTSIZE];
     key_hash.Update(reinterpret_cast<const unsigned char*>(key_bin.c_str()), key_bin.size());
     key_hash.Final(key_hash_res);
diff --git a/src/rgw/rgw_keystone.cc b/src/rgw/rgw_keystone.cc
index e9c14bd13a0a7..fe37963691c4c 100644
--- a/src/rgw/rgw_keystone.cc
+++ b/src/rgw/rgw_keystone.cc
@@ -38,6 +38,8 @@ void rgw_get_token_id(const string& token, string& token_id)
   unsigned char m[CEPH_CRYPTO_MD5_DIGESTSIZE];
 
   MD5 hash;
+  // Allow use of MD5 digest in FIPS mode for non-cryptographic purposes
+  hash.SetFlags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
   hash.Update((const unsigned char *)token.c_str(), token.size());
   hash.Final(m);
 
-- 
2.47.3