aws · jouho · Jul 31, 2024 · Jul 8, 2024 · Jul 8, 2024 · Jul 16, 2024
diff --git a/crypto/s2n_hmac.c b/crypto/s2n_hmac.c
@@ -82,10 +82,6 @@ bool s2n_hmac_is_available(s2n_hmac_algorithm hmac_alg)
     case S2N_HMAC_MD5:
     case S2N_HMAC_SSLv3_MD5:
     case S2N_HMAC_SSLv3_SHA1:
-        /* Some libcryptos, such as OpenSSL, disable MD5 by default when in FIPS mode, which is
-         * required in order to negotiate SSLv3. However, this is supported in AWS-LC.
-         */
-        return !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc();
     case S2N_HMAC_NONE:
     case S2N_HMAC_SHA1:
     case S2N_HMAC_SHA224:

diff --git a/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c b/tests/cbmc/proofs/s2n_hmac_is_available/s2n_hmac_is_available_harness.c
@@ -34,7 +34,6 @@ void s2n_hmac_is_available_harness()
         case S2N_HASH_MD5:
         case S2N_HMAC_SSLv3_MD5:
         case S2N_HMAC_SSLv3_SHA1:
-            assert(is_available == !s2n_is_in_fips_mode() || s2n_libcrypto_is_awslc()); break;
         case S2N_HASH_NONE:
         case S2N_HASH_SHA1:
         case S2N_HASH_SHA224:

diff --git a/tests/unit/s2n_crypto_test.c b/tests/unit/s2n_crypto_test.c
@@ -123,14 +123,6 @@ int main()
         for (size_t i = 0; i < s2n_array_len(supported_versions); i++) {
             const uint8_t version = supported_versions[i];
 
-            /* See https://github.com/aws/s2n-tls/issues/4476
-             * Retrieving the master secret won't vary between FIPS and non-FIPS,
-             * so this testing limitation is not a concern.
-             */
-            if (s2n_is_in_fips_mode() && version == S2N_SSLv3) {
-                continue;
-            }
-
             DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
             EXPECT_NOT_NULL(config);
             EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));

diff --git a/tests/unit/s2n_hmac_test.c b/tests/unit/s2n_hmac_test.c
@@ -24,6 +24,17 @@
 #include "testlib/s2n_testlib.h"
 #include "utils/s2n_safety.h"
 
+static S2N_RESULT s2n_allow_md5_for_fips(struct s2n_hmac_state *hmac)
+{
+    if (s2n_is_in_fips_mode()) {
+        RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->inner));
+        RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->inner_just_key));
+        RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->outer));
+        RESULT_GUARD_POSIX(s2n_hash_allow_md5_for_fips(&hmac->outer_just_key));
+    }
+    return S2N_RESULT_OK;
+}
+
 int main(int argc, char **argv)
 {
     uint8_t digest_pad[256];
@@ -52,6 +63,7 @@ int main(int argc, char **argv)
         uint8_t hmac_sslv3_md5_size = 0;
         POSIX_GUARD(s2n_hmac_digest_size(S2N_HMAC_SSLv3_MD5, &hmac_sslv3_md5_size));
         EXPECT_EQUAL(hmac_sslv3_md5_size, 16);
+        EXPECT_OK(s2n_allow_md5_for_fips(&hmac));
         EXPECT_SUCCESS(s2n_hmac_init(&hmac, S2N_HMAC_SSLv3_MD5, sekrit, strlen((char *) sekrit)));
         EXPECT_SUCCESS(s2n_hmac_update(&hmac, hello, strlen((char *) hello)));
         EXPECT_SUCCESS(s2n_hmac_digest(&hmac, digest_pad, 16));

diff --git a/tls/s2n_prf.c b/tls/s2n_prf.c
@@ -157,6 +157,10 @@ static int s2n_sslv3_prf(struct s2n_connection *conn, struct s2n_blob *secret, s
 
         struct s2n_hash_state *md5 = workspace;
         POSIX_GUARD(s2n_hash_reset(md5));
+        /* FIPS specifically allows MD5 for the legacy PRF */
+        if (s2n_is_in_fips_mode() && conn->actual_protocol_version < S2N_TLS12) {
+            POSIX_GUARD(s2n_hash_allow_md5_for_fips(workspace));
+        }
         POSIX_GUARD(s2n_hash_init(md5, S2N_HASH_MD5));
         POSIX_GUARD(s2n_hash_update(md5, secret->data, secret->size));
         POSIX_GUARD(s2n_hash_update(md5, sha_digest, sizeof(sha_digest)));