diff --git a/SOURCES/git-2.18.1-core-crypto-hmac.patch b/SOURCES/git-2.18.1-core-crypto-hmac.patch
new file mode 100644
index 0000000..a1c8d7f
--- /dev/null
+++ b/SOURCES/git-2.18.1-core-crypto-hmac.patch
@@ -0,0 +1,70 @@
+diff -ru git-2.18.1/builtin/receive-pack.c git-2.18.1_patched/builtin/receive-pack.c
+--- git-2.18.1/builtin/receive-pack.c	2018-09-27 22:44:44.000000000 +0200
++++ git-2.18.1_patched/builtin/receive-pack.c	2019-06-11 11:19:52.887797134 +0200
+@@ -26,6 +26,8 @@
+ #include "oidset.h"
+ #include "packfile.h"
+ #include "protocol.h"
++#include <openssl/hmac.h>
++#include <openssl/evp.h>
+ 
+ static const char * const receive_pack_usage[] = {
+ 	N_("git receive-pack <git-dir>"),
+@@ -419,43 +421,11 @@
+ 
+ #define HMAC_BLOCK_SIZE 64
+ 
+-static void hmac_sha1(unsigned char *out,
++static inline void hmac_sha1(unsigned char *out,
+ 		      const char *key_in, size_t key_len,
+ 		      const char *text, size_t text_len)
+ {
+-	unsigned char key[HMAC_BLOCK_SIZE];
+-	unsigned char k_ipad[HMAC_BLOCK_SIZE];
+-	unsigned char k_opad[HMAC_BLOCK_SIZE];
+-	int i;
+-	git_SHA_CTX ctx;
+-
+-	/* RFC 2104 2. (1) */
+-	memset(key, '\0', HMAC_BLOCK_SIZE);
+-	if (HMAC_BLOCK_SIZE < key_len) {
+-		git_SHA1_Init(&ctx);
+-		git_SHA1_Update(&ctx, key_in, key_len);
+-		git_SHA1_Final(key, &ctx);
+-	} else {
+-		memcpy(key, key_in, key_len);
+-	}
+-
+-	/* RFC 2104 2. (2) & (5) */
+-	for (i = 0; i < sizeof(key); i++) {
+-		k_ipad[i] = key[i] ^ 0x36;
+-		k_opad[i] = key[i] ^ 0x5c;
+-	}
+-
+-	/* RFC 2104 2. (3) & (4) */
+-	git_SHA1_Init(&ctx);
+-	git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
+-	git_SHA1_Update(&ctx, text, text_len);
+-	git_SHA1_Final(out, &ctx);
+-
+-	/* RFC 2104 2. (6) & (7) */
+-	git_SHA1_Init(&ctx);
+-	git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
+-	git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ);
+-	git_SHA1_Final(out, &ctx);
++	HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL);
+ }
+ 
+ static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
+diff -ru git-2.18.1/Makefile git-2.18.1_patched/Makefile
+--- git-2.18.1/Makefile	2018-09-27 22:44:44.000000000 +0200
++++ git-2.18.1_patched/Makefile	2019-06-10 17:28:26.137986964 +0200
+@@ -1721,6 +1721,8 @@
+ 	BASIC_CFLAGS += -DHAVE_GETDELIM
+ endif
+ 
++EXTLIBS += -lcrypto
++
+ ifneq ($(PROCFS_EXECUTABLE_PATH),)
+ 	procfs_executable_path_SQ = $(subst ','\'',$(PROCFS_EXECUTABLE_PATH))
+ 	BASIC_CFLAGS += '-DPROCFS_EXECUTABLE_PATH="$(procfs_executable_path_SQ)"'
diff --git a/SPECS/git.spec b/SPECS/git.spec
index 03b05d7..00698f8 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -103,7 +103,7 @@
 
 Name:           %{?scl_prefix}git
 Version:        2.18.1
-Release:        3%{?rcrev}%{?dist}
+Release:        4%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@@ -148,6 +148,8 @@ Patch5:         0001-config-document-value-2-for-protocol.version.patch
 # https://bugzilla.redhat.com/1653143
 # https://github.com/git/git/commit/321fd82389.patch
 Patch7:         0001-run-command-mark-path-lookup-errors-with-ENOENT.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1619113
+Patch8:         git-2.18.1-core-crypto-hmac.patch
 
 %if %{with docs}
 BuildRequires:  asciidoc >= 8.4.1
@@ -492,6 +494,7 @@ cat << \EOF > config.mak
 V = 1
 CFLAGS = %{optflags}
 LDFLAGS = %{__global_ldflags}
+LIBS = ${LIBS}
 NEEDS_CRYPTO_WITH_SSL = 1
 USE_LIBPCRE = 1
 ETC_GITCONFIG = %{_sysconfdir}/gitconfig
@@ -958,6 +961,10 @@ make test || ./print-failed-test-output
 %{?with_docs:%{_pkgdocdir}/git-instaweb.html}
 
 %changelog
+* Tue Jun 11 2019 Marcel Plch <mplch@redhat.com> - 2.18.1-4
+- Use HMAC from libcrypto instead of git's implementation
+- Resolves: rhbz#1619113
+
 * Tue Dec 11 2018 Pavel Cahyna <pcahyna@redhat.com> - 2.18.1-3
 - apply upstream run-command PATH fix (CVE-2018-19486)
 - config: document value 2 for protocol.version (upstream patch)