Allow to use MD5 in FIPS mode

Related: #1449689
This commit is contained in:
Honza Horak 2017-07-31 17:53:42 +02:00 committed by Michal Schorm
parent d967b83f8a
commit 6a32704ac7
2 changed files with 57 additions and 1 deletions

View File

@ -0,0 +1,50 @@
Added to address RHBZ#1449689
Original patch notes from <hhorak@redhat.com> follows:
...
In FIPS mode there is no md5 by default, unless declared it is specifically
allowed. MD5 is used for non-crypto related things in MySQL (digests related
to performance schema and table list), so it is ok to use MD5 there.
However, there is also MD5() SQL function, that should still keep working,
but users should know they should avoid using it in FIPS mode.
RHBZ: #1351791
Upstream bug reports:
http://bugs.mysql.com/bug.php?id=83696
https://jira.mariadb.org/browse/MDEV-7788
diff -Naurp mysql-5.7.18_original/mysys_ssl/my_md5.cc mysql-5.7.18_patched/mysys_ssl/my_md5.cc
--- mysql-5.7.18_original/mysys_ssl/my_md5.cc 2017-03-18 08:45:14.000000000 +0100
+++ mysql-5.7.18_patched/mysys_ssl/my_md5.cc 2017-05-12 12:19:38.584814619 +0200
@@ -38,13 +38,22 @@ static void my_md5_hash(char *digest, co
#elif defined(HAVE_OPENSSL)
#include <openssl/md5.h>
+#include <openssl/evp.h>
static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
{
- MD5_CTX ctx;
- MD5_Init (&ctx);
- MD5_Update (&ctx, buf, len);
- MD5_Final (digest, &ctx);
+ EVP_MD_CTX *ctx;
+ ctx = EVP_MD_CTX_create();
+
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* we will be using MD5, which is not allowed under FIPS */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, buf, len);
+ EVP_DigestFinal_ex(ctx, digest, NULL);
+ EVP_MD_CTX_destroy(ctx);
}
#endif /* HAVE_YASSL */

View File

@ -84,7 +84,7 @@
Name: community-mysql Name: community-mysql
Version: 5.7.19 Version: 5.7.19
Release: 4%{?with_debug:.debug}%{?dist} Release: 5%{?with_debug:.debug}%{?dist}
Summary: MySQL client programs and shared libraries Summary: MySQL client programs and shared libraries
Group: Applications/Databases Group: Applications/Databases
URL: http://www.mysql.com URL: http://www.mysql.com
@ -120,6 +120,7 @@ Patch3: %{pkgnamepatch}-logrotate.patch
Patch4: %{pkgnamepatch}-file-contents.patch Patch4: %{pkgnamepatch}-file-contents.patch
Patch5: %{pkgnamepatch}-scripts.patch Patch5: %{pkgnamepatch}-scripts.patch
Patch6: %{pkgnamepatch}-paths.patch Patch6: %{pkgnamepatch}-paths.patch
Patch7: %{pkgnamepatch}-md5_fips.patch
# Patches specific for this mysql package # Patches specific for this mysql package
Patch51: %{pkgnamepatch}-chain-certs.patch Patch51: %{pkgnamepatch}-chain-certs.patch
@ -400,6 +401,7 @@ the MySQL sources.
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
%patch51 -p1 %patch51 -p1
%patch52 -p1 %patch52 -p1
%if %{with_shared_lib_major_hack} %if %{with_shared_lib_major_hack}
@ -971,6 +973,10 @@ fi
%endif %endif
%changelog %changelog
* Fri Aug 04 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-5
- Allow to use MD5 in FIPS mode
Related: #1449689
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4 * Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild