michal-grzedzicki / rpms / rpm

Forked from rpms/rpm 6 months ago
Clone

Blame SOURCES/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch

a5e32e
From a26f6655546158153807017e7ded2aff5e4e10e4 Mon Sep 17 00:00:00 2001
a5e32e
From: Panu Matilainen <pmatilai@redhat.com>
a5e32e
Date: Mon, 31 Jan 2022 11:13:35 +0200
a5e32e
Subject: [PATCH] Bump hash for rpmdb cookie to SHA256 to appease FIPS
a5e32e
a5e32e
The rpmdb cookie is not a security feature, but as these existing
a5e32e
hashes are more convenient than coming up with our own... we then
a5e32e
run into the great big wall of FIPS which in its current incarnation
a5e32e
disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
a5e32e
a5e32e
Just bumping the algorithm to SHA256 seems the path of lowest
a5e32e
resistance, whether that algo makes sense for this purpose or not.
a5e32e
---
a5e32e
 lib/rpmdb.c | 2 +-
a5e32e
 1 file changed, 1 insertion(+), 1 deletion(-)
a5e32e
a5e32e
diff --git a/lib/rpmdb.c b/lib/rpmdb.c
a5e32e
index 01d49a641..00bd4236f 100644
a5e32e
--- a/lib/rpmdb.c
a5e32e
+++ b/lib/rpmdb.c
a5e32e
@@ -2642,7 +2642,7 @@ char *rpmdbCookie(rpmdb db)
a5e32e
     rpmdbIndexIterator ii = rpmdbIndexIteratorInit(db, RPMDBI_NAME);
a5e32e
 
a5e32e
     if (ii) {
a5e32e
-	DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
a5e32e
+	DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE);
a5e32e
 	const void *key = 0;
a5e32e
 	size_t keylen = 0;
a5e32e
 	while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) {
a5e32e
-- 
a5e32e
2.34.1
a5e32e