From 9ee49ebb557e7462b3ea6f609b4fc87016f1b09f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Poho=C5=99elsk=C3=BD?=
Date: Mon, 3 May 2021 16:22:19 +0200
Subject: [PATCH] Use HMAC from libcrypto instead of git's implementation

Resolves: #1956345
---
 git-2.27.0-core-crypto-hmac.patch | 70 +++++++++++++++++++++++++++++++
 git.spec | 8 +++-
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 git-2.27.0-core-crypto-hmac.patch

diff --git a/git-2.27.0-core-crypto-hmac.patch b/git-2.27.0-core-crypto-hmac.patch
new file mode 100644
index 0000000..c99ced2
--- /dev/null
+++ b/git-2.27.0-core-crypto-hmac.patch
@@ -0,0 +1,70 @@
+diff -ur a/builtin/receive-pack.c b/builtin/receive-pack.c
+--- a/builtin/receive-pack.c 2020-06-01 17:49:27.000000000 +0200
++++ b/builtin/receive-pack.c 2020-06-15 15:28:48.149268576 +0200
+@@ -29,6 +29,8 @@
+ #include "commit-reach.h"
+ #include "worktree.h"
+ #include "shallow.h"
++#include
++#include
+
+ static const char * const receive_pack_usage[] = {
+ N_("git receive-pack "),
+@@ -419,43 +421,11 @@
+ return 0;
+ }
+
+-static void hmac_hash(unsigned char *out,
++static inline void hmac_hash(unsigned char *out,
+ const char *key_in, size_t key_len,
+ const char *text, size_t text_len)
+ {
+- unsigned char key[GIT_MAX_BLKSZ];
+- unsigned char k_ipad[GIT_MAX_BLKSZ];
+- unsigned char k_opad[GIT_MAX_BLKSZ];
+- int i;
+- git_hash_ctx ctx;
+-
+- /* RFC 2104 2. (1) */
+- memset(key, '\0', GIT_MAX_BLKSZ);
+- if (the_hash_algo->blksz < key_len) {
+- the_hash_algo->init_fn(&ctx);
+- the_hash_algo->update_fn(&ctx, key_in, key_len);
+- the_hash_algo->final_fn(key, &ctx);
+- } else {
+- memcpy(key, key_in, key_len);
+- }
+-
+- /* RFC 2104 2. (2) & (5) */
+- for (i = 0; i < sizeof(key); i++) {
+- k_ipad[i] = key[i] ^ 0x36;
+- k_opad[i] = key[i] ^ 0x5c;
+- }
+-
+- /* RFC 2104 2. (3) & (4) */
+- the_hash_algo->init_fn(&ctx);
+- the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
+- the_hash_algo->update_fn(&ctx, text, text_len);
+- the_hash_algo->final_fn(out, &ctx);
+-
+- /* RFC 2104 2. (6) & (7) */
+- the_hash_algo->init_fn(&ctx);
+- the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
+- the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
+- the_hash_algo->final_fn(out, &ctx);
++ HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL);
+ }
+
+ static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
+diff -ur a/Makefile b/Makefile
+--- a/Makefile 2020-06-01 17:49:27.000000000 +0200
++++ b/Makefile 2020-06-15 15:00:45.212758547 +0200
+@@ -1830,6 +1830,8 @@
+ BASIC_CFLAGS += -DHAVE_GETDELIM
+ endif
+
++EXTLIBS += -lcrypto
++
+ ifneq ($(PROCFS_EXECUTABLE_PATH),)
+ procfs_executable_path_SQ = $(subst ','\'',$(PROCFS_EXECUTABLE_PATH))
+ BASIC_CFLAGS += '-DPROCFS_EXECUTABLE_PATH="$(procfs_executable_path_SQ)"'
diff --git a/git.spec b/git.spec
index 0933147..3955662 100644
--- a/git.spec
+++ b/git.spec
@@ -97,7 +97,7 @@
 Name: git
 Version: 2.31.1
-Release: 1%{?rcrev}%{?dist}.1
+Release: 2%{?rcrev}%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 URL: https://git-scm.com/
@@ -128,6 +128,8 @@ Source99: print-failed-test-output
 # https://bugzilla.redhat.com/490602
 Patch0: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch
+# https://bugzilla.redhat.com/1956345
+Patch1: git-2.27.0-core-crypto-hmac.patch
 %if %{with docs}
 # pod2man is needed to build Git.3pm
@@ -1070,6 +1072,10 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 %changelog
+* Mon May 03 2021 Ondřej Pohořelský - 2.31.1-2
+- Use HMAC from libcrypto instead of git's implementation
+- Resolves: #1956345
+
 * Thu Apr 15 2021 Mohan Boddu - 2.31.1-1.1
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
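Review bot: The new one-line `hmac_hash()` discards the result of `HMAC()`, which returns NULL on failure, so on error `out` is never written and the void function cannot report it; `prepare_push_cert_nonce()`, whose body is outside this hunk, presumably formats that buffer into the push-certificate nonce. I would make failure fatal, e.g. `if (!HMAC(EVP_sha1(), key_in, key_len, text, text_len, out, NULL)) die("HMAC-SHA1 failed");`. The call also pins the digest to `EVP_sha1()` where the removed code followed `the_hash_algo` and wrote `the_hash_algo->rawsz` bytes, so in a repository using a longer hash only the first 20 bytes of `out` would be filled while callers may still read `rawsz` bytes. Either choose the EVP digest from `the_hash_algo`, or add a comment above the call such as `/* nonce is always HMAC-SHA1; callers must read only 20 bytes of out */` and confirm the caller matches.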