From c60dbf09d53d711fe2047d3bae39ddac85cca80c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 01 2022 11:12:51 +0000
Subject: import mariadb-10.5.13-2.el9
---
diff --git a/SOURCES/mariadb-fips.patch b/SOURCES/mariadb-fips.patch
new file mode 100644
index 0000000..443af6f
--- /dev/null
+++ b/SOURCES/mariadb-fips.patch
@@ -0,0 +1,28 @@
+Fix md5 in FIPS mode
+
+OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer.
+In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while
+in 3.0.0+ it is a different EVP_MD provider.
+
+Resolves: rhbz#2050541
+
+diff -up mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc
+--- mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips 2022-02-07 16:36:47.255131576 +0100
++++ mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc 2022-02-07 22:57:32.391002916 +0100
+@@ -52,12 +52,15 @@ static void md5_result(EVP_MD_CTX *conte
+
+ static void md5_init(EVP_MD_CTX *context)
+ {
++ EVP_MD *md5;
++ md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
+ EVP_MD_CTX_init(context);
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Ok to ignore FIPS: MD5 is not used for crypto here */
+ EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+- EVP_DigestInit_ex(context, EVP_md5(), NULL);
++ EVP_DigestInit_ex(context, md5, NULL);
++ EVP_MD_free(md5);
+ }
+
+ static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
diff --git a/SPECS/mariadb.spec b/SPECS/mariadb.spec
index ddf57a3..21e2489 100644
--- a/SPECS/mariadb.spec
+++ b/SPECS/mariadb.spec
@@ -154,7 +154,7 @@ Name: mariadb Version: 10.5.13 -Release: 1%{?with_debug:.debug}%{?dist} +Release: 2%{?with_debug:.debug}%{?dist} Epoch: 3 Summary: A very fast and robust SQL database server
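Review bot: The result of `EVP_MD_fetch(NULL, "MD5", "fips=no")` in md5_init() is used without a NULL check, and the return value of `EVP_DigestInit_ex()` is still discarded. If no non-FIPS provider offering MD5 is loaded (for example when only the FIPS provider is activated), the fetch returns NULL and the init fails silently, so the later md5_input()/md5_result() calls would run on a context with no digest set. I would guard it with `if (md5 == NULL || EVP_DigestInit_ex(context, md5, NULL) != 1)` plus an explicit failure path, and add a comment above the fetch such as `/* "fips=no" deliberately selects a non-FIPS MD5; callers must not rely on this digest for security purposes */`. `EVP_MD_fetch` and `EVP_MD_free` exist only in OpenSSL 3.0+, so the new lines also need a version guard if this patch is ever built against 1.1.1. md5_result() above and md5_input() below are only partly visible in the hunk.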
@@ -226,6 +226,8 @@ Patch11: %{pkgnamepatch}-pcdir.patch Patch12: %{pkgnamepatch}-openssl3.patch # Patch15: Add option to edit groonga's and groonga-normalizer-mysql install path Patch15: %{pkgnamepatch}-groonga.patch +# Patch16: Fix MD5 in FIPS mode +Patch16: %{pkgnamepatch}-fips.patch BuildRequires: make BuildRequires: cmake gcc-c++ @@ -757,6 +759,7 @@ rm -r storage/rocksdb/ %patch12 -p1 %endif %patch15 -p1 +%patch16 -p1 # generate a list of tests that fail, but are not disabled by upstream cat %{SOURCE50} | tee -a mysql-test/unstable-tests @@ -850,7 +853,7 @@ fi -DGROONGA_NORMALIZER_MYSQL_PROJECT_NAME=%{name}-server/groonga-normalizer-mysql \ -DENABLED_LOCAL_INFILE=ON \ -DENABLE_DTRACE=ON \ - -DSECURITY_HARDENED=ON \ + -DSECURITY_HARDENED=OFF \ -DWITH_WSREP=%{?with_galera:ON}%{!?with_galera:OFF} \ -DWITH_INNODB_DISALLOW_WRITES=%{?with_galera:ON}%{!?with_galera:OFF} \ -DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \ @@ -879,6 +882,10 @@ fi -DCONNECT_WITH_JDBC=OFF \ %{?with_debug: -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=OFF -DWITH_INNODB_EXTRA_DEBUG=ON -DWITH_VALGRIND=ON} +# The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening +# The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat +# We disable this option to the default compilation flags (which have higher level of hardening) will be used + CFLAGS="$CFLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE" # force PIC mode so that we can build libmysqld.so @@ -1647,6 +1654,10 @@ fi %endif %changelog +* Mon Feb 07 2022 Honza Horak - 3:10.5.13-2 +- Fix md5 in FIPS mode with OpenSSL 3.0.0 + Resolves: #2050541 + * Thu Dec 02 2021 Michal Schorm - 3:10.5.13-1 - Rebase to 10.5.13 @@ -1688,7 +1699,7 @@ fi * Tue May 11 2021 Michal Schorm - 3:10.5.10-1 - Rebase to 10.5.10 -* Fri May 21 2021 Honza Horak - 3:10.5.9-9 +* Tue May 11 2021 Honza Horak - 3:10.5.9-9 - Fix OpenSSL 3.x compatibility Resolves: #1962047
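Review bot: The hunk at -850 flips `-DSECURITY_HARDENED=ON` to `OFF`, which is unrelated to the FIPS fix and is not recorded in the new %changelog entry; a hardening-relevant build change should be traceable there. The explanatory comment added in the -879 hunk sits after the end of the cmake invocation rather than next to the flag, and its last sentence probably means "so" rather than "to" (`# We disable this option so the default compilation flags (which have higher level of hardening) will be used`). With the option off, the hardening of the binaries depends entirely on the distribution's default compiler and linker flags actually reaching the build, which nothing in these hunks verifies. A post-build check of the produced binaries (PIE, full RELRO, stack protector, FORTIFY) would confirm the assumption stated in the comment. The cmake command itself starts outside the hunk.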