openscap/0003-Drop-bogus-VERIFY_SIGNATURE-and-VERIFY_DIGEST-checks.patch

From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 11 Jun 2019 16:12:57 +0300
Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks

VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification
checks, these checks are performed internally by rpm and failure in
either will cause the entire header failing to load. These flags allow
disabling that verification, but this doesn't make sense for openscap
and doesn't work this way in rpm >= 4.15 anyway.
---
 .../probes/unix/linux/rpmverifypackage_probe.c     | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
index ed6c714d8..06059ae47 100644
--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
+++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c
@@ -69,9 +69,7 @@ typedef struct {
 
 const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {
 	{ "nodeps",        (uint64_t)VERIFY_DEPS      , "--nodeps"},
-	{ "nodigest",      (uint64_t)VERIFY_DIGEST    , "--nodigest"},
 	{ "noscripts",     (uint64_t)VERIFY_SCRIPT    , "--noscript"},
-	{ "nosignature",   (uint64_t)VERIFY_SIGNATURE , "--nosignature"}
 };
 
 struct rpmverify_res {
@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx *ctx, struct rpmverify_res *res)
 		probe_item_ent_add(item, "dependency_check_passed", NULL, value);
 		SEXP_free(value);
 	}
-	if (res->vflags & VERIFY_DIGEST) {
-		dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);
-		value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);
-		probe_item_ent_add(item, "digest_check_passed", NULL, value);
-		SEXP_free(value);
-	}
 	if (res->vflags & VERIFY_SCRIPT) {
 		dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);
 		value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);
 		probe_item_ent_add(item, "verification_script_successful", NULL, value);
 		SEXP_free(value);
 	}
-	if (res->vflags & VERIFY_SIGNATURE) {
-		dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);
-		value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);
-		probe_item_ent_add(item, "signature_check_passed", NULL, value);
-		SEXP_free(value);
-	}
 
 	return probe_item_collect(ctx, item) == 2 ? 1 : 0;
 }
-- 
2.22.0
Backport pmatilai's patches for RPM 4.15 build fix Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org> 2019-06-11 14:09:07 +00:00			`From efd08dd9d8453583f1e801ddb5ac0af65cc86f69 Mon Sep 17 00:00:00 2001`
			`From: Panu Matilainen <pmatilai@redhat.com>`
			`Date: Tue, 11 Jun 2019 16:12:57 +0300`
			`Subject: [PATCH 3/3] Drop bogus VERIFY_SIGNATURE and VERIFY_DIGEST checks`

			`VERIFY_SIGNATURE and VERIFY_DIGEST are not independent verification`
			`checks, these checks are performed internally by rpm and failure in`
			`either will cause the entire header failing to load. These flags allow`
			`disabling that verification, but this doesn't make sense for openscap`
			`and doesn't work this way in rpm >= 4.15 anyway.`
			`---`
			`.../probes/unix/linux/rpmverifypackage_probe.c \| 14 --------------`
			`1 file changed, 14 deletions(-)`

			`diff --git a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c`
			`index ed6c714d8..06059ae47 100644`
			`--- a/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c`
			`+++ b/src/OVAL/probes/unix/linux/rpmverifypackage_probe.c`
			`@@ -69,9 +69,7 @@ typedef struct {`

			`const rpmverifypackage_bhmap_t rpmverifypackage_bhmap[] = {`
			`{ "nodeps", (uint64_t)VERIFY_DEPS , "--nodeps"},`
			`- { "nodigest", (uint64_t)VERIFY_DIGEST , "--nodigest"},`
			`{ "noscripts", (uint64_t)VERIFY_SCRIPT , "--noscript"},`
			`- { "nosignature", (uint64_t)VERIFY_SIGNATURE , "--nosignature"}`
			`};`

			`struct rpmverify_res {`
			`@@ -409,24 +407,12 @@ static int rpmverifypackage_additem(probe_ctx ctx, struct rpmverify_res res)`
			`probe_item_ent_add(item, "dependency_check_passed", NULL, value);`
			`SEXP_free(value);`
			`}`
			`- if (res->vflags & VERIFY_DIGEST) {`
			`- dI("VERIFY_DIGEST %d", res->vresults & VERIFY_DIGEST);`
			`- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_DIGEST ? "1" : "0"), 1);`
			`- probe_item_ent_add(item, "digest_check_passed", NULL, value);`
			`- SEXP_free(value);`
			`- }`
			`if (res->vflags & VERIFY_SCRIPT) {`
			`dI("VERIFY_SCRIPT %d", res->vresults & VERIFY_SCRIPT);`
			`value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SCRIPT ? "1" : "0"), 1);`
			`probe_item_ent_add(item, "verification_script_successful", NULL, value);`
			`SEXP_free(value);`
			`}`
			`- if (res->vflags & VERIFY_SIGNATURE) {`
			`- dI("VERIFY_SIGNATURE %d", res->vresults & VERIFY_SIGNATURE);`
			`- value = probe_entval_from_cstr(OVAL_DATATYPE_BOOLEAN, (res->vresults & VERIFY_SIGNATURE ? "1" : "0"), 1);`
			`- probe_item_ent_add(item, "signature_check_passed", NULL, value);`
			`- SEXP_free(value);`
			`- }`

			`return probe_item_collect(ctx, item) == 2 ? 1 : 0;`
			`}`
			`--`
			`2.22.0`