Fix md5 in FIPS mode with OpenSSL 3.0.0

OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer. In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while in 3.0.0+ it is a different EVP_MD provider. Resolves: #2050541
2022-02-07 22:41:02 +01:00 · 2022-02-07 22:41:02 +01:00 · 0d4a89ed92
commit 0d4a89ed92
parent db03980787
2 changed files with 36 additions and 1 deletions
--- a/mariadb-fips.patch
+++ b/mariadb-fips.patch
@ -0,0 +1,28 @@
+Fix md5 in FIPS mode
+
+OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer.
+In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while
+in 3.0.0+ it is a different EVP_MD provider.
+
+Resolves: rhbz#2050541
+
+diff -up mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc
+--- mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips	2022-02-07 16:36:47.255131576 +0100
+++ mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc	2022-02-07 22:57:32.391002916 +0100
+@@ -52,12 +52,15 @@ static void md5_result(EVP_MD_CTX *conte
+ 
+ static void md5_init(EVP_MD_CTX *context)
+ {
+  EVP_MD *md5;
+  md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
+   EVP_MD_CTX_init(context);
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+   /* Ok to ignore FIPS: MD5 is not used for crypto here */
+   EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+-  EVP_DigestInit_ex(context, EVP_md5(), NULL);
+  EVP_DigestInit_ex(context, md5, NULL);
+  EVP_MD_free(md5);
+ }
+ 
+ static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
--- a/mariadb.spec
+++ b/mariadb.spec
@ -154,7 +154,7 @@

 Name:             mariadb
 Version:          10.5.13
-Release:          2%{?with_debug:.debug}%{?dist}
+Release:          3%{?with_debug:.debug}%{?dist}
 Epoch:            3

 Summary:          A very fast and robust SQL database server
@ -221,6 +221,8 @@ Patch11:          %{pkgnamepatch}-pcdir.patch
 Patch12:           %{pkgnamepatch}-openssl3.patch
 #   Patch15:  Add option to edit groonga's and groonga-normalizer-mysql install path
 Patch15:          %{pkgnamepatch}-groonga.patch
+#   Patch16: Fix MD5 in FIPS mode
+Patch16:          %{pkgnamepatch}-fips.patch

 BuildRequires:    make
 BuildRequires:    cmake gcc-c++
@ -752,6 +754,7 @@ rm -r storage/rocksdb/
 %patch12 -p1
 %endif
 %patch15 -p1
+%patch16 -p1

 # generate a list of tests that fail, but are not disabled by upstream
 cat %{SOURCE50} | tee -a mysql-test/unstable-tests
@ -1649,6 +1652,10 @@ fi
 %endif

 %changelog
+* Mon Feb 07 2022 Honza Horak <hhorak@redhat.com> - 3:10.5.13-3
+- Fix md5 in FIPS mode with OpenSSL 3.0.0
+  Resolves: #2050541
+
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3:10.5.13-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild