rpm/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch
Michal Domonkos 1a9baff802 Add patches for release 10
Resolves: #1943724
Resolves: #2048455
Resolves: #2037352
Resolves: #2025906
2022-02-01 15:38:08 +01:00

33 lines
1.2 KiB
Diff

From a26f6655546158153807017e7ded2aff5e4e10e4 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 31 Jan 2022 11:13:35 +0200
Subject: [PATCH] Bump hash for rpmdb cookie to SHA256 to appease FIPS
The rpmdb cookie is not a security feature, but as these existing
hashes are more convenient than coming up with our own... we then
run into the great big wall of FIPS which in its current incarnation
disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
Just bumping the algorithm to SHA256 seems the path of lowest
resistance, whether that algo makes sense for this purpose or not.
---
lib/rpmdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rpmdb.c b/lib/rpmdb.c
index 01d49a641..00bd4236f 100644
--- a/lib/rpmdb.c
+++ b/lib/rpmdb.c
@@ -2642,7 +2642,7 @@ char *rpmdbCookie(rpmdb db)
rpmdbIndexIterator ii = rpmdbIndexIteratorInit(db, RPMDBI_NAME);
if (ii) {
- DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
+ DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE);
const void *key = 0;
size_t keylen = 0;
while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) {
--
2.34.1