Use HMAC from libcrypto instead of git's implementation

Resolves: #1956345
2021-05-03 16:22:19 +02:00 · 2021-05-03 16:22:19 +02:00 · 9ee49ebb55
parent 29f45662dc
commit 9ee49ebb55
2 changed files with 77 additions and 1 deletions
--- a/git-2.27.0-core-crypto-hmac.patch
+++ b/git-2.27.0-core-crypto-hmac.patch
@ -0,0 +1,70 @@
+diff -ur a/builtin/receive-pack.c b/builtin/receive-pack.c
+--- a/builtin/receive-pack.c	2020-06-01 17:49:27.000000000 +0200
+++ b/builtin/receive-pack.c	2020-06-15 15:28:48.149268576 +0200
+@@ -29,6 +29,8 @@
+ #include "commit-reach.h"
+ #include "worktree.h"
+ #include "shallow.h"
+#include <openssl/hmac.h>	
+#include <openssl/evp.h>
+ 
+ static const char * const receive_pack_usage[] = {
+ 	N_("git receive-pack <git-dir>"),
+@@ -419,43 +421,11 @@
+ 	return 0;
+ }
+ 
+-static void hmac_hash(unsigned char *out,
+static inline void hmac_hash(unsigned char *out,
+ 		      const char *key_in, size_t key_len,
+ 		      const char *text, size_t text_len)
+ {
+-	unsigned char key[GIT_MAX_BLKSZ];
+-	unsigned char k_ipad[GIT_MAX_BLKSZ];
+-	unsigned char k_opad[GIT_MAX_BLKSZ];
+-	int i;
+-	git_hash_ctx ctx;
+-
+-	/* RFC 2104 2. (1) */
+-	memset(key, '\0', GIT_MAX_BLKSZ);
+-	if (the_hash_algo->blksz < key_len) {
+-		the_hash_algo->init_fn(&ctx);
+-		the_hash_algo->update_fn(&ctx, key_in, key_len);
+-		the_hash_algo->final_fn(key, &ctx);
+-	} else {
+-		memcpy(key, key_in, key_len);
+-	}
+-
+-	/* RFC 2104 2. (2) & (5) */
+-	for (i = 0; i < sizeof(key); i++) {
+-		k_ipad[i] = key[i] ^ 0x36;
+-		k_opad[i] = key[i] ^ 0x5c;
+-	}
+-
+-	/* RFC 2104 2. (3) & (4) */
+-	the_hash_algo->init_fn(&ctx);
+-	the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
+-	the_hash_algo->update_fn(&ctx, text, text_len);
+-	the_hash_algo->final_fn(out, &ctx);
+-
+-	/* RFC 2104 2. (6) & (7) */
+-	the_hash_algo->init_fn(&ctx);
+-	the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
+-	the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
+-	the_hash_algo->final_fn(out, &ctx);
+	HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL);
+ }
+ 
+ static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
+diff -ur a/Makefile b/Makefile
+--- a/Makefile	2020-06-01 17:49:27.000000000 +0200
+++ b/Makefile	2020-06-15 15:00:45.212758547 +0200
+@@ -1830,6 +1830,8 @@
+ 	BASIC_CFLAGS += -DHAVE_GETDELIM
+ endif
+ 
+EXTLIBS += -lcrypto
+
+ ifneq ($(PROCFS_EXECUTABLE_PATH),)
+ 	procfs_executable_path_SQ = $(subst ','\'',$(PROCFS_EXECUTABLE_PATH))
+ 	BASIC_CFLAGS += '-DPROCFS_EXECUTABLE_PATH="$(procfs_executable_path_SQ)"'
--- a/git.spec
+++ b/git.spec
@ -97,7 +97,7 @@

 Name:           git
 Version:        2.31.1
-Release:        1%{?rcrev}%{?dist}.1
+Release:        2%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@ -128,6 +128,8 @@ Source99:       print-failed-test-output

 # https://bugzilla.redhat.com/490602
 Patch0:         git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
+# https://bugzilla.redhat.com/1956345
+Patch1:         git-2.27.0-core-crypto-hmac.patch

 %if %{with docs}
 # pod2man is needed to build Git.3pm
@ -1070,6 +1072,10 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}

 %changelog
+* Mon May 03 2021 Ondřej Pohořelský <opohorel@redhat.com> - 2.31.1-2
+- Use HMAC from libcrypto instead of git's implementation 
+- Resolves: #1956345
+
 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.31.1-1.1
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937