diff options
author | Panu Matilainen <pmatilai@redhat.com> | 2022-01-31 11:13:35 +0200 |
---|---|---|
committer | Michal Domonkos <mdomonko@redhat.com> | 2022-07-01 10:52:14 +0200 |
commit | 1db8004b3bcbf073257b4a059915001d512e0686 (patch) | |
tree | 1d077088eb8d48bbd3356bc51cb732f2504b6314 | |
parent | 030f74db1ecfdcaf72c9152ecfd74ee7c96faff3 (diff) | |
download | rpm-1db8004b3bcbf073257b4a059915001d512e0686.tar.gz |
Bump hash for rpmdb cookie to SHA256 to appease FIPS
The rpmdb cookie is not a security feature, but as these existing
hashes are more convenient than coming up with our own... we then
run into the great big wall of FIPS which in its current incarnation
disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
Just bumping the algorithm to SHA256 seems the path of lowest
resistance, whether that algo makes sense for this purpose or not.
(cherry picked from commit a26f6655546158153807017e7ded2aff5e4e10e4)
-rw-r--r-- | lib/rpmdb.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/rpmdb.c b/lib/rpmdb.c index 2fa1f00fa..99a2619c4 100644 --- a/lib/rpmdb.c +++ b/lib/rpmdb.c @@ -2643,7 +2643,7 @@ char *rpmdbCookie(rpmdb db) rpmdbIndexIterator ii = rpmdbIndexIteratorInit(db, RPMDBI_NAME); if (ii) { - DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE); + DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE); const void *key = 0; size_t keylen = 0; while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) { |