Blame SOURCES/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch
|
|
137a59 |
From a26f6655546158153807017e7ded2aff5e4e10e4 Mon Sep 17 00:00:00 2001
|
|
|
137a59 |
From: Panu Matilainen <pmatilai@redhat.com>
|
|
|
137a59 |
Date: Mon, 31 Jan 2022 11:13:35 +0200
|
|
|
137a59 |
Subject: [PATCH] Bump hash for rpmdb cookie to SHA256 to appease FIPS
|
|
|
137a59 |
|
|
|
137a59 |
The rpmdb cookie is not a security feature, but as these existing
|
|
|
137a59 |
hashes are more convenient than coming up with our own... we then
|
|
|
137a59 |
run into the great big wall of FIPS which in its current incarnation
|
|
|
137a59 |
disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
|
|
|
137a59 |
|
|
|
137a59 |
Just bumping the algorithm to SHA256 seems the path of lowest
|
|
|
137a59 |
resistance, whether that algo makes sense for this purpose or not.
|
|
|
137a59 |
---
|
|
|
137a59 |
lib/rpmdb.c | 2 +-
|
|
|
137a59 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
137a59 |
|
|
|
137a59 |
diff --git a/lib/rpmdb.c b/lib/rpmdb.c
|
|
|
137a59 |
index 01d49a641..00bd4236f 100644
|
|
|
137a59 |
--- a/lib/rpmdb.c
|
|
|
137a59 |
+++ b/lib/rpmdb.c
|
|
|
137a59 |
@@ -2642,7 +2642,7 @@ char *rpmdbCookie(rpmdb db)
|
|
|
137a59 |
rpmdbIndexIterator ii = rpmdbIndexIteratorInit(db, RPMDBI_NAME);
|
|
|
137a59 |
|
|
|
137a59 |
if (ii) {
|
|
|
137a59 |
- DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
|
|
|
137a59 |
+ DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE);
|
|
|
137a59 |
const void *key = 0;
|
|
|
137a59 |
size_t keylen = 0;
|
|
|
137a59 |
while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) {
|
|
|
137a59 |
--
|
|
|
137a59 |
2.34.1
|
|
|
137a59 |
|