oscap-anaconda-addon/oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch

From 7fdd6b28705a5c9ab5b836840ae521715ed6f893 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Wed, 6 Nov 2024 12:05:39 +0100
Subject: [PATCH] Do not rely on hashlib.algorithms_available

An algorithm could be a part of hashlib.algorithms_available set,
but still uninstantiatable in current runtime configuration.

See: https://github.com/python/cpython/issues/91257.
---
 org_fedora_oscap/utils.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/org_fedora_oscap/utils.py b/org_fedora_oscap/utils.py
index 26fe40d..c05afe5 100644
--- a/org_fedora_oscap/utils.py
+++ b/org_fedora_oscap/utils.py
@@ -148,7 +148,16 @@ def get_hashing_algorithm(fingerprint):
 
     expected_hash_ids = {'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'}
     available_hash_ids = expected_hash_ids.intersection(hashlib.algorithms_available)
-    hashes = (hashlib.new(hash_id) for hash_id in available_hash_ids)
+
+    hashes = []
+    for hash_id in available_hash_ids:
+        try:
+            hash_obj = hashlib.new(hash_id)
+            hashes.append(hash_obj)
+        except ValueError as e:
+            # We have an unavailable algorithm, that is a part of hashlib.algorithms_available,
+            # for example see https://github.com/python/cpython/issues/91257.
+            pass
 
     if len(fingerprint) % 2 == 1:
         return None
Update oscap-anaconda-addon for RHEL 9.6 Additional fix to the hashes problem with FIPS. Resolves: RHEL-40367 2024-11-06 11:23:54 +00:00			`From 7fdd6b28705a5c9ab5b836840ae521715ed6f893 Mon Sep 17 00:00:00 2001`
			`From: Evgeny Kolesnikov <ekolesni@redhat.com>`
			`Date: Wed, 6 Nov 2024 12:05:39 +0100`
			`Subject: [PATCH] Do not rely on hashlib.algorithms_available`

			`An algorithm could be a part of hashlib.algorithms_available set,`
			`but still uninstantiatable in current runtime configuration.`

			`See: https://github.com/python/cpython/issues/91257.`
			`---`
			`org_fedora_oscap/utils.py \| 11 ++++++++++-`
			`1 file changed, 10 insertions(+), 1 deletion(-)`

			`diff --git a/org_fedora_oscap/utils.py b/org_fedora_oscap/utils.py`
			`index 26fe40d..c05afe5 100644`
			`--- a/org_fedora_oscap/utils.py`
			`+++ b/org_fedora_oscap/utils.py`
			`@@ -148,7 +148,16 @@ def get_hashing_algorithm(fingerprint):`

			`expected_hash_ids = {'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'}`
			`available_hash_ids = expected_hash_ids.intersection(hashlib.algorithms_available)`
			`- hashes = (hashlib.new(hash_id) for hash_id in available_hash_ids)`
			`+`
			`+ hashes = []`
			`+ for hash_id in available_hash_ids:`
			`+ try:`
			`+ hash_obj = hashlib.new(hash_id)`
			`+ hashes.append(hash_obj)`
			`+ except ValueError as e:`
			`+ # We have an unavailable algorithm, that is a part of hashlib.algorithms_available,`
			`+ # for example see https://github.com/python/cpython/issues/91257.`
			`+ pass`

			`if len(fingerprint) % 2 == 1:`
			`return None`