parent
d967b83f8a
commit
6a32704ac7
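--- a/community-mysql-md5_fips.patch
+++ b/community-mysql-md5_fips.patch
@@ -0,0 +1,50 @@
+Added to address RHBZ#1449689
+
+Original patch notes from <hhorak@redhat.com> follows:
+
+...
+
+In FIPS mode there is no md5 by default, unless declared it is specifically
+allowed. MD5 is used for non-crypto related things in MySQL (digests related
+to performance schema and table list), so it is ok to use MD5 there.
+
+However, there is also MD5() SQL function, that should still keep working,
+but users should know they should avoid using it in FIPS mode.
+
+RHBZ: #1351791
+
+Upstream bug reports:
+http://bugs.mysql.com/bug.php?id=83696
+https://jira.mariadb.org/browse/MDEV-7788
+
+
+diff -Naurp mysql-5.7.18_original/mysys_ssl/my_md5.cc mysql-5.7.18_patched/mysys_ssl/my_md5.cc
+--- mysql-5.7.18_original/mysys_ssl/my_md5.cc 2017-03-18 08:45:14.000000000 +0100
++++ mysql-5.7.18_patched/mysys_ssl/my_md5.cc 2017-05-12 12:19:38.584814619 +0200
+@@ -38,13 +38,22 @@ static void my_md5_hash(char *digest, co
+
+#elif defined(HAVE_OPENSSL)
+#include <openssl/md5.h>
++#include <openssl/evp.h>
+
+static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
+{
+- MD5_CTX ctx;
+- MD5_Init (&ctx);
+- MD5_Update (&ctx, buf, len);
+- MD5_Final (digest, &ctx);
++ EVP_MD_CTX *ctx;
++ ctx = EVP_MD_CTX_create();
++
++ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
++ /* we will be using MD5, which is not allowed under FIPS */
++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
++ #endif
++
++ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
++ EVP_DigestUpdate(ctx, buf, len);
++ EVP_DigestFinal_ex(ctx, digest, NULL);
++ EVP_MD_CTX_destroy(ctx);
+}
+
+#endif /* HAVE_YASSL */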
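Review bot: The new EVP calls in my_md5_hash discard every return value: `EVP_MD_CTX_create()` can return NULL and `EVP_DigestInit_ex()` returns 0 on failure, in which case the later calls run on a null or uninitialised context and `digest` may never be written. That failure is most plausible exactly where this patch matters, on a FIPS-enabled host whose OpenSSL headers lack `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW`, because the `#ifdef` then drops the exemption silently and initialisation is presumably refused. At minimum guard with `if (ctx == NULL || EVP_DigestInit_ex(ctx, EVP_md5(), NULL) != 1)` and handle that case; the function is void, so how to surface the error depends on callers outside this hunk. The flag also applies to every caller, including the SQL MD5() function the patch notes mention, so the in-code comment should say so, e.g. `/* MD5 here is for non-cryptographic digests only; exempt it from FIPS enforcement */`.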
@ -84,7 +84,7 @@
|
||||
|
||||
Name: community-mysql
|
||||
Version: 5.7.19
|
||||
Release: 4%{?with_debug:.debug}%{?dist}
|
||||
Release: 5%{?with_debug:.debug}%{?dist}
|
||||
Summary: MySQL client programs and shared libraries
|
||||
Group: Applications/Databases
|
||||
URL: http://www.mysql.com
|
||||
@ -120,6 +120,7 @@ Patch3: %{pkgnamepatch}-logrotate.patch
|
||||
Patch4: %{pkgnamepatch}-file-contents.patch
|
||||
Patch5: %{pkgnamepatch}-scripts.patch
|
||||
Patch6: %{pkgnamepatch}-paths.patch
|
||||
Patch7: %{pkgnamepatch}-md5_fips.patch
|
||||
|
||||
# Patches specific for this mysql package
|
||||
Patch51: %{pkgnamepatch}-chain-certs.patch
|
||||
@ -400,6 +401,7 @@ the MySQL sources.
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch51 -p1
|
||||
%patch52 -p1
|
||||
%if %{with_shared_lib_major_hack}
|
||||
@ -971,6 +973,10 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Aug 04 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-5
|
||||
- Allow to use MD5 in FIPS mode
|
||||
Related: #1449689
|
||||
|
||||
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.19-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
|