Allow to use MD5 in FIPS mode

Related: #1449689
2017-07-31 17:53:42 +02:00 · 2017-07-31 17:53:42 +02:00 · 87ebae8cab
commit 87ebae8cab
parent db61b0f7ec
2 changed files with 57 additions and 1 deletions
--- a/community-mysql-md5_fips.patch
+++ b/community-mysql-md5_fips.patch
@ -0,0 +1,50 @@
+Added to address RHBZ#1449689
+
+Original patch notes from <hhorak@redhat.com> follows:
+
+...
+
+In FIPS mode there is no md5 by default, unless declared it is specifically
+allowed. MD5 is used for non-crypto related things in MySQL (digests related
+to performance schema and table list), so it is ok to use MD5 there.
+
+However, there is also MD5() SQL function, that should still keep working,
+but users should know they should avoid using it in FIPS mode.
+
+RHBZ: #1351791
+
+Upstream bug reports:
+http://bugs.mysql.com/bug.php?id=83696
+https://jira.mariadb.org/browse/MDEV-7788
+
+
+diff -Naurp mysql-5.7.18_original/mysys_ssl/my_md5.cc mysql-5.7.18_patched/mysys_ssl/my_md5.cc
+--- mysql-5.7.18_original/mysys_ssl/my_md5.cc	2017-03-18 08:45:14.000000000 +0100
+++ mysql-5.7.18_patched/mysys_ssl/my_md5.cc	2017-05-12 12:19:38.584814619 +0200
+@@ -38,13 +38,22 @@ static void my_md5_hash(char *digest, co
+ 
+ #elif defined(HAVE_OPENSSL)
+ #include <openssl/md5.h>
+#include <openssl/evp.h>
+ 
+ static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
+ {
+-  MD5_CTX ctx;
+-  MD5_Init (&ctx);
+-  MD5_Update (&ctx, buf, len);
+-  MD5_Final (digest, &ctx);
+ EVP_MD_CTX *ctx;
+ ctx = EVP_MD_CTX_create();
+
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+  /* we will be using MD5, which is not allowed under FIPS */
+  EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, buf, len);
+ EVP_DigestFinal_ex(ctx, digest, NULL);
+ EVP_MD_CTX_destroy(ctx);
+ }
+ 
+ #endif /* HAVE_YASSL */
--- a/community-mysql.spec
+++ b/community-mysql.spec
@ -84,7 +84,7 @@

 Name:             community-mysql
 Version:          5.7.19
-Release:          4%{?with_debug:.debug}%{?dist}
+Release:          5%{?with_debug:.debug}%{?dist}
 Summary:          MySQL client programs and shared libraries
 Group:            Applications/Databases
 URL:              http://www.mysql.com
@ -120,6 +120,7 @@ Patch3:           %{pkgnamepatch}-logrotate.patch
 Patch4:           %{pkgnamepatch}-file-contents.patch
 Patch5:           %{pkgnamepatch}-scripts.patch
 Patch6:           %{pkgnamepatch}-paths.patch
+Patch7:           %{pkgnamepatch}-md5_fips.patch

 # Patches specific for this mysql package
 Patch51:          %{pkgnamepatch}-chain-certs.patch
@ -400,6 +401,7 @@ the MySQL sources.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %patch51 -p1
 %patch52 -p1
 %if %{with_shared_lib_major_hack}
@ -971,6 +973,10 @@ fi
 %endif

 %changelog
+* Fri Aug 04 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-5
+- Allow to use MD5 in FIPS mode
+  Related: #1449689
+
 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild