| Added to address RHBZ#1449689
 | |
| 
 | |
| Original patch notes from <hhorak@redhat.com> follows:
 | |
| 
 | |
| ...
 | |
| 
 | |
| In FIPS mode there is no md5 by default, unless it is declared as specifically
 | |
| allowed. MD5 is used for non-crypto related things in MySQL (digests related
 | |
| to performance schema and table list), so it is ok to use MD5 there.
 | |
| 
 | |
| However, there is also MD5() SQL function, that should still keep working,
 | |
| but users should know they should avoid using it in FIPS mode.
 | |
| 
 | |
| RHBZ: #1351791
 | |
| 
 | |
| Upstream bug reports:
 | |
| http://bugs.mysql.com/bug.php?id=83696
 | |
| https://jira.mariadb.org/browse/MDEV-7788
 | |
| 
 | |
| 
 | |
| diff -Naurp mysql-5.7.18_original/mysys_ssl/my_md5.cc mysql-5.7.18_patched/mysys_ssl/my_md5.cc
 | |
| --- mysql-5.7.18_original/mysys_ssl/my_md5.cc	2017-03-18 08:45:14.000000000 +0100
 | |
| +++ mysql-5.7.18_patched/mysys_ssl/my_md5.cc	2017-05-12 12:19:38.584814619 +0200
 | |
| @@ -38,13 +38,22 @@ static void my_md5_hash(char *digest, co
 | |
|  
 | |
|  #elif defined(HAVE_OPENSSL)
 | |
|  #include <openssl/md5.h>
 | |
| +#include <openssl/evp.h>
 | |
|  
 | |
|  static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
 | |
|  {
 | |
| -  MD5_CTX ctx;
 | |
| -  MD5_Init (&ctx);
 | |
| -  MD5_Update (&ctx, buf, len);
 | |
| -  MD5_Final (digest, &ctx);
 | |
| + EVP_MD_CTX *ctx;
 | |
| + ctx = EVP_MD_CTX_create();
 | |
| +
 | |
| + #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
 | |
| +  /* we will be using MD5, which is not allowed under FIPS */
 | |
| +  EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 | |
| + #endif
 | |
| +
 | |
| + EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
 | |
| + EVP_DigestUpdate(ctx, buf, len);
 | |
| + EVP_DigestFinal_ex(ctx, digest, NULL);
 | |
| + EVP_MD_CTX_destroy(ctx);
 | |
|  }
 | |
|  
 | |
|  #endif /* HAVE_YASSL */
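Review bot: None of the EVP calls in the new `my_md5_hash` body are checked, so a NULL return from `EVP_MD_CTX_create()` is passed straight to `EVP_MD_CTX_set_flags`/`EVP_DigestInit_ex`, and a failed `EVP_DigestInit_ex` leaves `digest` unwritten. That failure path looks most likely exactly where this patch matters: a FIPS-enforcing OpenSSL whose headers do not define `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` would presumably refuse MD5, and the caller would then consume whatever bytes were already in the buffer as a digest. Because the function returns `void`, the least invasive fix is to test each call for `== 1` and write a deterministic value into `digest` on failure; reporting the error to callers would need a signature change outside this hunk. Separately, `len` is an `int` passed to a `size_t` parameter of `EVP_DigestUpdate`, so a negative length would become a very large read; a one-line comment stating that callers guarantee `len >= 0` would help.

```cpp
static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
{
  EVP_MD_CTX *ctx = EVP_MD_CTX_create();
  int ok = 0;

  if (ctx != NULL)
  {
    /* … unchanged: EVP_MD_CTX_FLAG_NON_FIPS_ALLOW block … */
    ok = EVP_DigestInit_ex(ctx, EVP_md5(), NULL) == 1 &&
         EVP_DigestUpdate(ctx, buf, len) == 1 &&
         EVP_DigestFinal_ex(ctx, digest, NULL) == 1;
    EVP_MD_CTX_destroy(ctx);
  }

  /* never hand back indeterminate bytes as a digest */
  if (!ok)
    memset(digest, 0, MD5_DIGEST_LENGTH);
}
```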
 |