mysql5/mysql5-md5_fips.patch

Added to address RHBZ#1449689

Original patch notes from <hhorak@redhat.com> follows:

...

In FIPS mode there is no md5 by default, unless declared it is specifically
allowed. MD5 is used for non-crypto related things in MySQL (digests related
to performance schema and table list), so it is ok to use MD5 there.

However, there is also MD5() SQL function, that should still keep working,
but users should know they should avoid using it in FIPS mode.

RHBZ: #1351791

Upstream bug reports:
http://bugs.mysql.com/bug.php?id=83696
https://jira.mariadb.org/browse/MDEV-7788


diff -Naurp mysql-5.7.34_original/mysys_ssl/my_md5.cc mysql-5.7.34_patched/mysys_ssl/my_md5.cc
--- mysql-5.7.34_original/mysys_ssl/my_md5.cc   2017-03-18 08:45:14.000000000 +0100
+++ mysql-5.7.34_patched/mysys_ssl/my_md5.cc    2017-05-12 12:19:38.584814619 +0200
@@ -41,10 +41,18 @@
 
 static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
 {
-  MD5_CTX ctx;
-  MD5_Init (&ctx);
-  MD5_Update (&ctx, buf, len);
-  MD5_Final (digest, &ctx);
+ EVP_MD_CTX *ctx;
+ ctx = EVP_MD_CTX_create();
+
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+  /* we will be using MD5, which is not allowed under FIPS */
+  EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(ctx, buf, len);
+ EVP_DigestFinal_ex(ctx, digest, NULL);
+ EVP_MD_CTX_destroy(ctx);
 }
 
 #endif /* HAVE_OPENSSL */
package init 2020-10-23 16:05:26 +08:00			`Added to address RHBZ#1449689`

			`Original patch notes from <hhorak@redhat.com> follows:`

			`...`

			`In FIPS mode there is no md5 by default, unless declared it is specifically`
			`allowed. MD5 is used for non-crypto related things in MySQL (digests related`
			`to performance schema and table list), so it is ok to use MD5 there.`

			`However, there is also MD5() SQL function, that should still keep working,`
			`but users should know they should avoid using it in FIPS mode.`

			`RHBZ: #1351791`

			`Upstream bug reports:`
			`http://bugs.mysql.com/bug.php?id=83696`
			`https://jira.mariadb.org/browse/MDEV-7788`


Bump from 5.7.21 to 5.7.34 version for Mysql 5.7 This commit affects: 1. Bump from 5.7.21 to latest 5.7.34 2. Correct the test steps and options in spec file 3. Refactor part of the file structure according to the new packages in spec file 4. Refactor part of the patch files relied on the new source code. 2021-07-01 09:25:28 +08:00			`diff -Naurp mysql-5.7.34_original/mysys_ssl/my_md5.cc mysql-5.7.34_patched/mysys_ssl/my_md5.cc`
			`--- mysql-5.7.34_original/mysys_ssl/my_md5.cc 2017-03-18 08:45:14.000000000 +0100`
			`+++ mysql-5.7.34_patched/mysys_ssl/my_md5.cc 2017-05-12 12:19:38.584814619 +0200`
			`@@ -41,10 +41,18 @@`
package init 2020-10-23 16:05:26 +08:00
			`static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)`
			`{`
			`- MD5_CTX ctx;`
			`- MD5_Init (&ctx);`
			`- MD5_Update (&ctx, buf, len);`
			`- MD5_Final (digest, &ctx);`
			`+ EVP_MD_CTX *ctx;`
			`+ ctx = EVP_MD_CTX_create();`
			`+`
			`+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW`
			`+ /* we will be using MD5, which is not allowed under FIPS */`
			`+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`
			`+ #endif`
			`+`
			`+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);`
			`+ EVP_DigestUpdate(ctx, buf, len);`
			`+ EVP_DigestFinal_ex(ctx, digest, NULL);`
			`+ EVP_MD_CTX_destroy(ctx);`
			`}`

Bump from 5.7.21 to 5.7.34 version for Mysql 5.7 This commit affects: 1. Bump from 5.7.21 to latest 5.7.34 2. Correct the test steps and options in spec file 3. Refactor part of the file structure according to the new packages in spec file 4. Refactor part of the patch files relied on the new source code. 2021-07-01 09:25:28 +08:00			`#endif /* HAVE_OPENSSL */`