Blame rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch

Michal Domonkos 1a9baf
From a26f6655546158153807017e7ded2aff5e4e10e4 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 31 Jan 2022 11:13:35 +0200
Subject: [PATCH] Bump hash for rpmdb cookie to SHA256 to appease FIPS
The rpmdb cookie is not a security feature, but as these existing
hashes are more convenient than coming up with our own... we then
run into the great big wall of FIPS which in its current incarnation
disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
Just bumping the algorithm to SHA256 seems the path of lowest
resistance, whether that algo makes sense for this purpose or not.
---
 lib/rpmdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rpmdb.c b/lib/rpmdb.c
index 01d49a641..00bd4236f 100644
--- a/lib/rpmdb.c
+++ b/lib/rpmdb.c
@@ -2642,7 +2642,7 @@ char *rpmdbCookie(rpmdb db)
     rpmdbIndexIterator ii = rpmdbIndexIteratorInit(db, RPMDBI_NAME);
 
     if (ii) {
-	DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
+	DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE);
 	const void *key = 0;
 	size_t keylen = 0;
 	while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) {
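Review bot: The `rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE)` line carries no comment saying why SHA256 is used here, and the reasoning lives only in the commit message (the cookie is not a security feature; the algorithm was changed solely because SHA1 is disallowed under FIPS). A one-line comment above the call stating that would stop a later reader from treating the cookie as an integrity guarantee or from switching the algorithm back. Separately, the cookie produced for an unchanged database will no longer match a value computed with SHA1, and the digest is 32 bytes instead of 20, so any caller that stored a cookie before the upgrade and compares it afterwards will see a spurious "database changed" result once; that behaviour change is worth stating in the commit message or release notes.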
-- 
2.34.1