do not use sha1 and md5 by default

2021-05-20 09:50:18 +02:00 · 2021-05-20 09:50:18 +02:00 · d550a7a774
parent b43ff98e62
commit d550a7a774
2 changed files with 60 additions and 1 deletions
--- a/aide-configure.patch
+++ b/aide-configure.patch
@ -0,0 +1,51 @@
+diff --color -ru a/configure.ac b/configure.ac
+--- a/configure.ac	2021-05-20 09:31:11.686987129 +0200
+++ b/configure.ac	2021-05-20 09:39:43.369967457 +0200
+@@ -784,11 +784,11 @@
+ 	[if test "x$withval" = "xmd5" ;then
+ 	   CONFIGHMACTYPE="MHASH_MD5"
+ 	else if test "x$withval" = "xsha1" ;then
+-	      CONFIGHMACTYPE="MHASH_SHA1"
+	   CONFIGHMACTYPE="MHASH_SHA1"
+ 	else if test "x$withval" = "xsha256" ;then
+-	      CONFIGHMACTYPE="MHASH_SHA256"
+	   CONFIGHMACTYPE="MHASH_SHA256"
+ 	else if test "x$withval" = "xsha512" ;then
+-	      CONFIGHMACTYPE="MHASH_SHA512"
+	   CONFIGHMACTYPE="MHASH_SHA512"
+         else 
+ 	   echo "Valid parameters for --with-confighmactype are md5, sha1, sha256 and sha512"
+ 	   exit 1
+@@ -799,7 +799,6 @@
+ 	AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,$CONFIGHMACTYPE,[hash type for config file check])],
+ 	[
+ 	AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,MHASH_MD5,[hash type for config file check])]
+-,
+ )
+ 
+ AC_ARG_WITH([confighmackey],
+@@ -846,18 +845,18 @@
+ 
+ AC_ARG_WITH([dbhmactype],
+ 	AC_HELP_STRING([--with-dbhmactype=TYPE],
+-		[Hash type to use for checking db. Valid values are md5 and sha1.]),
+		[Hash type to use for checking db. Valid values are md5, sha1, sha256 and sha512.]),
+ 	[if test "x$withval" = "xmd5" ;then
+ 	   DBHMACTYPE="MHASH_MD5"
+ 	else if test "x$withval" = "xsha1" ;then
+-	      DBHMACTYPE="MHASH_SHA1"
+	   DBHMACTYPE="MHASH_SHA1"
+ 	else if test "x$withval" = "xsha256" ;then
+-	      CONFIGHMACTYPE="MHASH_SHA256"
+	   DBHMACTYPE="MHASH_SHA256"
+ 	else if test "x$withval" = "xsha512" ;then
+-	      CONFIGHMACTYPE="MHASH_SHA512"
+	   DBHMACTYPE="MHASH_SHA512"
+         else 
+-	      echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512"
+-	      exit 1
+	   echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512"
+	   exit 1
+ 	fi
+ 	fi
+ 	fi
--- a/aide.spec
+++ b/aide.spec
@ -36,6 +36,7 @@ Patch4: aide-0.15-syslog-format.patch
 Patch5: aide-0.16-crypto-disable-haval-and-others.patch
 Patch6: coverity.patch
 Patch7: aide-0.16-crash-elf.patch
+Patch8: aide-configure.patch

 %description
 AIDE (Advanced Intrusion Detection Environment) is a file integrity
@ -57,7 +58,9 @@ autoreconf -ivf
  --with-selinux \
  --with-xattr \
  --with-e2fsattrs \
-  --with-audit
+  --with-audit \
+  --with-confighmactype=sha512 \
+  --with-dbhmactype=sha512
 %make_build

 %install
@ -80,6 +83,11 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %dir %attr(0700,root,root) %{_localstatedir}/log/aide

 %changelog
+* Thu May 20 2021 Zoltan Fridrich <zfridric@redhat.com> - 0.16-19
+- fix configuration option with-dbhmactype
+- do not use sha1 and md5 by default
+  Resolves: rhbz#1935457
+
 * Mon May 10 2021 Zoltan Fridrich <zfridric@redhat.com> - 0.16-19
 - use gating and config file from rhel-8.5
 - remove check of periodically changing files