Make the RAND code available from inside the FIPS module

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9035)

2 files changed, 15 insertions, 2 deletions

diff --git a/crypto/hmac/build.info b/crypto/hmac/build.info
index f63524d3be..b1c146182c 100644
--- a/crypto/hmac/build.info
+++ b/crypto/hmac/build.info
@@ -1,3 +1,6 @@
 LIBS=../../libcrypto
-SOURCE[../../libcrypto]=\
-        hmac.c hm_ameth.c hm_meth.c
+
+$COMMON=hmac.c hm_meth.c
+
+SOURCE[../../libcrypto]=$COMMON hm_ameth.c
+SOURCE[../../providers/fips]=$COMMON
diff --git a/crypto/hmac/hm_meth.c b/crypto/hmac/hm_meth.c
index db9af95cb7..19278ef67d 100644
--- a/crypto/hmac/hm_meth.c
+++ b/crypto/hmac/hm_meth.c
@@ -152,6 +152,15 @@ static int hmac_ctrl_str(EVP_MAC_IMPL *hctx, const char *type,
 {
     if (!value)
         return 0;
+#ifndef FIPS_MODE
+    /*
+     * We don't have EVP_get_digestbyname() in FIPS_MODE. That function returns
+     * an EVP_MD without an associated provider implementation (i.e. it is
+     * using "implicit fetch"). We could replace it with an "explicit" fetch
+     * using EVP_MD_fetch(), but we'd then be required to free the returned
+     * EVP_MD somewhere. Probably the complexity isn't worth it as we are
+     * unlikely to need this ctrl in FIPS_MODE anyway.
+     */
     if (strcmp(type, "digest") == 0) {
         const EVP_MD *d = EVP_get_digestbyname(value);
 
@@ -159,6 +168,7 @@ static int hmac_ctrl_str(EVP_MAC_IMPL *hctx, const char *type,
             return 0;
         return hmac_ctrl_int(hctx, EVP_MAC_CTRL_SET_MD, d);
     }
+#endif
     if (strcmp(type, "key") == 0)
         return EVP_str2ctrl(hmac_ctrl_str_cb, hctx, EVP_MAC_CTRL_SET_KEY,
                             value);