import mariadb-10.5.13-2.el9

SOURCES/mariadb-fips.patch

@@ -0,0 +1,28 @@
+Fix md5 in FIPS mode
+
+OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer.
+In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while
+in 3.0.0+ it is a different EVP_MD provider.
+
+Resolves: rhbz#2050541
+
+diff -up mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc
+--- mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips	2022-02-07 16:36:47.255131576 +0100
++++ mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc	2022-02-07 22:57:32.391002916 +0100
+@@ -52,12 +52,15 @@ static void md5_result(EVP_MD_CTX *conte
+ 
+ static void md5_init(EVP_MD_CTX *context)
+ {
++  EVP_MD *md5;
++  md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
+   EVP_MD_CTX_init(context);
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+   /* Ok to ignore FIPS: MD5 is not used for crypto here */
+   EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+-  EVP_DigestInit_ex(context, EVP_md5(), NULL);
++  EVP_DigestInit_ex(context, md5, NULL);
++  EVP_MD_free(md5);
+ }
+ 
+ static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)

SPECS/mariadb.spec

@@ -154,7 +154,7 @@
 
 Name:             mariadb
 Version:          10.5.13
-Release:          1%{?with_debug:.debug}%{?dist}
+Release:          2%{?with_debug:.debug}%{?dist}
 Epoch:            3
 
 Summary:          A very fast and robust SQL database server
@@ -226,6 +226,8 @@ Patch11:          %{pkgnamepatch}-pcdir.patch
 Patch12:           %{pkgnamepatch}-openssl3.patch
 #   Patch15:  Add option to edit groonga's and groonga-normalizer-mysql install path
 Patch15:          %{pkgnamepatch}-groonga.patch
+#   Patch16: Fix MD5 in FIPS mode
+Patch16:          %{pkgnamepatch}-fips.patch
 
 BuildRequires:    make
 BuildRequires:    cmake gcc-c++
@@ -757,6 +759,7 @@ rm -r storage/rocksdb/
 %patch12 -p1
 %endif
 %patch15 -p1
+%patch16 -p1
 
 # generate a list of tests that fail, but are not disabled by upstream
 cat %{SOURCE50} | tee -a mysql-test/unstable-tests
@@ -850,7 +853,7 @@ fi
          -DGROONGA_NORMALIZER_MYSQL_PROJECT_NAME=%{name}-server/groonga-normalizer-mysql \
          -DENABLED_LOCAL_INFILE=ON \
          -DENABLE_DTRACE=ON \
-         -DSECURITY_HARDENED=ON \
+         -DSECURITY_HARDENED=OFF \
          -DWITH_WSREP=%{?with_galera:ON}%{!?with_galera:OFF} \
          -DWITH_INNODB_DISALLOW_WRITES=%{?with_galera:ON}%{!?with_galera:OFF} \
          -DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \
@@ -879,6 +882,10 @@ fi
          -DCONNECT_WITH_JDBC=OFF \
 %{?with_debug: -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=OFF -DWITH_INNODB_EXTRA_DEBUG=ON -DWITH_VALGRIND=ON}
 
+# The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening
+# The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat
+# We disable this option to the default compilation flags (which have higher level of hardening) will be used
+
 
 CFLAGS="$CFLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
 # force PIC mode so that we can build libmysqld.so
@@ -1647,6 +1654,10 @@ fi
 %endif
 
 %changelog
+* Mon Feb 07 2022 Honza Horak <hhorak@redhat.com> - 3:10.5.13-2
+- Fix md5 in FIPS mode with OpenSSL 3.0.0
+  Resolves: #2050541
+
 * Thu Dec 02 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.13-1
 - Rebase to 10.5.13
 
@@ -1688,7 +1699,7 @@ fi
 * Tue May 11 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.10-1
 - Rebase to 10.5.10
 
-* Fri May 21 2021 Honza Horak <hhorak@redhat.com> - 3:10.5.9-9
+* Tue May 11 2021 Honza Horak <hhorak@redhat.com> - 3:10.5.9-9
 - Fix OpenSSL 3.x compatibility
   Resolves: #1962047