michal-grzedzicki / rpms / rpm

Forked from rpms/rpm 4 months ago

Blame SOURCES/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch

From a26f6655546158153807017e7ded2aff5e4e10e4 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 31 Jan 2022 11:13:35 +0200
Subject: [PATCH] Bump hash for rpmdb cookie to SHA256 to appease FIPS
The rpmdb cookie is not a security feature, but as these existing
hashes are more convenient than coming up with our own... we then
run into the great big wall of FIPS which in its current incarnation
disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
Just bumping the algorithm to SHA256 seems the path of lowest
resistance, whether that algo makes sense for this purpose or not.
---
 lib/rpmdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rpmdb.c b/lib/rpmdb.c
index 01d49a641..00bd4236f 100644
--- a/lib/rpmdb.c
+++ b/lib/rpmdb.c
@@ -2642,7 +2642,7 @@ char *rpmdbCookie(rpmdb db)
     rpmdbIndexIterator ii = rpmdbIndexIteratorInit(db, RPMDBI_NAME);
 
     if (ii) {
-	DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
+	DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE);
 	const void *key = 0;
 	size_t keylen = 0;
 	while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) {
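Review bot: the visible context still performs no check on `ctx` after `rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE)` before the key loop starts; since the commit message attributes the FIPS failure to rpmDigestInit not being able to provide the algorithm, a `if (ctx == NULL)` guard (or an early return with a diagnostic) would make rpmdbCookie() fail cleanly if SHA256 were ever unavailable as well, instead of relying on the update and final calls tolerating a NULL context. Also worth a note in the commit message or docs: switching the digest from SHA1 to SHA256 changes the cookie value produced for an unchanged database, so any consumer that stores a cookie and compares it after an rpm upgrade will see a one-time mismatch; that is consistent with the message's statement that the cookie is not a security feature, but callers should be aware of it.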
-- 
2.34.1