From 87ebae8cabae1f2b5d992fde3228b4491d81298e Mon Sep 17 00:00:00 2001
From: Honza Horak
Date: Mon, 31 Jul 2017 17:53:42 +0200
Subject: [PATCH] Allow to use MD5 in FIPS mode

Related: #1449689
---
 community-mysql-md5_fips.patch | 50 ++++++++++++++++++++++++++++++++++
 community-mysql.spec | 8 +++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 community-mysql-md5_fips.patch

diff --git a/community-mysql-md5_fips.patch b/community-mysql-md5_fips.patch
new file mode 100644
index 0000000..4c2ad54
--- /dev/null
+++ b/community-mysql-md5_fips.patch
@@ -0,0 +1,50 @@
+Added to address RHBZ#1449689
+
+Original patch notes from follows:
+
+...
+
+In FIPS mode there is no md5 by default, unless declared it is specifically
+allowed. MD5 is used for non-crypto related things in MySQL (digests related
+to performance schema and table list), so it is ok to use MD5 there.
+
+However, there is also MD5() SQL function, that should still keep working,
+but users should know they should avoid using it in FIPS mode.
+
+RHBZ: #1351791
+
+Upstream bug reports:
+http://bugs.mysql.com/bug.php?id=83696
+https://jira.mariadb.org/browse/MDEV-7788
+
+
+diff -Naurp mysql-5.7.18_original/mysys_ssl/my_md5.cc mysql-5.7.18_patched/mysys_ssl/my_md5.cc
+--- mysql-5.7.18_original/mysys_ssl/my_md5.cc 2017-03-18 08:45:14.000000000 +0100
++++ mysql-5.7.18_patched/mysys_ssl/my_md5.cc 2017-05-12 12:19:38.584814619 +0200
+@@ -38,13 +38,22 @@ static void my_md5_hash(char *digest, co
+ 
+ #elif defined(HAVE_OPENSSL)
+ #include
++#include
+ 
+ static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
+ {
+- MD5_CTX ctx;
+- MD5_Init (&ctx);
+- MD5_Update (&ctx, buf, len);
+- MD5_Final (digest, &ctx);
++ EVP_MD_CTX *ctx;
++ ctx = EVP_MD_CTX_create();
++
++ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
++ /* we will be using MD5, which is not allowed under FIPS */
++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++ #endif
++
++ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
++ EVP_DigestUpdate(ctx, buf, len);
++ EVP_DigestFinal_ex(ctx, digest, NULL);
++ EVP_MD_CTX_destroy(ctx);
+ }
+ 
+ #endif /* HAVE_YASSL */
diff --git a/community-mysql.spec b/community-mysql.spec
index 010746c..cc4ca23 100644
--- a/community-mysql.spec
+++ b/community-mysql.spec
@@ -84,7 +84,7 @@ Name: community-mysql
 Version: 5.7.19
-Release: 4%{?with_debug:.debug}%{?dist}
+Release: 5%{?with_debug:.debug}%{?dist}
 Summary: MySQL client programs and shared libraries
 Group: Applications/Databases
 URL: http://www.mysql.com
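Review bot: `EVP_MD_CTX_create()` can return NULL on allocation failure, and the new my_md5_hash passes ctx straight to `EVP_MD_CTX_set_flags` and `EVP_DigestInit_ex` without a check, so an allocation failure becomes a null dereference rather than a handled error. The return values of `EVP_DigestInit_ex`, `EVP_DigestUpdate` and `EVP_DigestFinal_ex` are ignored as well; on a FIPS-enabled library where `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` is not defined or not honoured, the init call with `EVP_md5()` is expected to fail (that is the premise of the patch notes above) and `digest` is then handed back uninitialized, which callers cannot detect because the function returns void. Since the signature cannot change inside this hunk, the minimum is to check each call and leave a deterministic (zeroed) digest on failure, as below; a follow-up should make my_md5_hash return a status so the MD5() SQL function can report the error instead of silently producing a value. The comment above `EVP_MD_CTX_set_flags` should also state why the exemption is acceptable, e.g. `/* MD5 here serves non-cryptographic digests (performance schema, table list); the MD5() SQL function also reaches this path */`, since that justification currently lives only in the patch header.
```cpp
static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
{
  EVP_MD_CTX *ctx = EVP_MD_CTX_create();
  if (ctx == NULL)
  {
    memset(digest, 0, MD5_DIGEST_LENGTH);  /* void signature: return a defined value, never stack garbage */
    return;
  }
  /* … unchanged: EVP_MD_CTX_FLAG_NON_FIPS_ALLOW block … */
  if (EVP_DigestInit_ex(ctx, EVP_md5(), NULL) != 1 ||
      EVP_DigestUpdate(ctx, buf, len) != 1 ||
      EVP_DigestFinal_ex(ctx, digest, NULL) != 1)
    memset(digest, 0, MD5_DIGEST_LENGTH);  /* digest refused, e.g. FIPS mode without the exemption */
  EVP_MD_CTX_destroy(ctx);
}
```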
@@ -120,6 +120,7 @@ Patch3: %{pkgnamepatch}-logrotate.patch
 Patch4: %{pkgnamepatch}-file-contents.patch
 Patch5: %{pkgnamepatch}-scripts.patch
 Patch6: %{pkgnamepatch}-paths.patch
+Patch7: %{pkgnamepatch}-md5_fips.patch
 # Patches specific for this mysql package
 Patch51: %{pkgnamepatch}-chain-certs.patch
@@ -400,6 +401,7 @@ the MySQL sources.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %patch51 -p1
 %patch52 -p1
 %if %{with_shared_lib_major_hack}
@@ -971,6 +973,10 @@ fi
 %endif
 %changelog
+* Fri Aug 04 2017 Honza Horak - 5.7.19-5
+- Allow to use MD5 in FIPS mode
+ Related: #1449689
+
 * Wed Aug 02 2017 Fedora Release Engineering - 5.7.19-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild