diff --git a/oscap-anaconda-addon-2.0.1-fix_fips_hashes_PR_255.patch b/oscap-anaconda-addon-2.0.1-fix_fips_hashes_PR_255.patch
new file mode 100644
index 0000000..421eb5f
--- /dev/null
+++ b/oscap-anaconda-addon-2.0.1-fix_fips_hashes_PR_255.patch
@@ -0,0 +1,83 @@
+From fa02df9da7ce26dcd8051df541bf6d1da52dd849 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov
+Date: Fri, 4 Oct 2024 14:15:13 +0200
+Subject: [PATCH] Do not assume availability of hashing algorithms in hashlib
+
+Particular offender at this moment is 'md5', which is not available
+in FIPS build of Python.
+---
+ org_fedora_oscap/utils.py | 5 +++--
+ tests/test_utils.py | 38 ++++++++++++++++++++++++++++++++------
+ 2 files changed, 35 insertions(+), 8 deletions(-)
+
+diff --git a/org_fedora_oscap/utils.py b/org_fedora_oscap/utils.py
+index 3be83254..26fe40df 100644
+--- a/org_fedora_oscap/utils.py
++++ b/org_fedora_oscap/utils.py
+@@ -146,8 +146,9 @@ def get_hashing_algorithm(fingerprint):
+
+ """
+
+- hashes = (hashlib.md5(), hashlib.sha1(), hashlib.sha224(),
+- hashlib.sha256(), hashlib.sha384(), hashlib.sha512())
++ expected_hash_ids = {'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'}
++ available_hash_ids = expected_hash_ids.intersection(hashlib.algorithms_available)
++ hashes = (hashlib.new(hash_id) for hash_id in available_hash_ids)
+
+ if len(fingerprint) % 2 == 1:
+ return None
+diff --git a/tests/test_utils.py b/tests/test_utils.py
+index c2d663f6..7fe3332e 100644
+--- a/tests/test_utils.py
++++ b/tests/test_utils.py
+@@ -27,6 +27,9 @@
+
+ from org_fedora_oscap import utils
+
++import hashlib
++import warnings
++
+
+ @pytest.fixture()
+ def mock_os():
+@@ -146,11 +149,34 @@ def test_gen():
+
+
+ def test_hash():
+- file_hash = '87fcda7d9e7a22412e95779e2f8e70f929106c7b27a94f5f8510553ebf4624a6'
+- hash_obj = utils.get_hashing_algorithm(file_hash)
+- assert hash_obj.name == "sha256"
++ file_hashes = {
++ 'md5': 'ea38136ca349e139c59f09e09d2aa956',
++ 'sha1': 'f905458483be8ac21002ab2c6409d3a10b3813f1',
++ 'sha224': '2b1e795db6b7397f47a270fbb5059e76b94a8c972240b17c45db1f13',
++ 'sha256': '87fcda7d9e7a22412e95779e2f8e70f929106c7b27a94f5f8510553ebf4624a6',
++ 'sha384': 'b3ffdfad2bf33caf6e44a8b34386ad741bb80fb02306d3889b8a5645cde31e9d'
++ '31ec44e0b0e6ce84d83a57339b75b9bf',
++ 'sha512': '7b05940e8d69e804a90f5110d22ad3a1cd03adc5bf4d0a4779790c78118b3c61'
++ 'b7f3a3cd39fcf2902ec92ac80df71b952a7aeb2d53c16f0e77436eeb91e33e1d'
++ }
++
++ for hash_id, file_hash in file_hashes.items():
++ if hash_id not in hashlib.algorithms_available:
++ warnings.warn(RuntimeWarning('Expected hash algorithm \'%s\' is not '
++ 'available in this build of Python' % hash_id))
++ continue
++
++ hash_obj = utils.get_hashing_algorithm(file_hash)
++ assert hash_obj.name == hash_id
+
+- filepath = os.path.join(os.path.dirname(__file__), 'data', 'file')
+- computed_hash = utils.get_file_fingerprint(filepath, hash_obj)
++ filepath = os.path.join(os.path.dirname(__file__), 'data', 'file')
++ computed_hash = utils.get_file_fingerprint(filepath, hash_obj)
+
+- assert file_hash == computed_hash
++ assert file_hash == computed_hash
++
++
++def test_hash_unknown():
++ file_hash = 'XXXX'
++
++ hash_obj = utils.get_hashing_algorithm(file_hash)
++ assert hash_obj is None
diff --git a/oscap-anaconda-addon.spec b/oscap-anaconda-addon.spec
index 293e8f8..247b6b8 100644
--- a/oscap-anaconda-addon.spec
+++ b/oscap-anaconda-addon.spec
@@ -10,7 +10,7 @@
 Name: oscap-anaconda-addon
 Version: 2.0.0
-Release: 17%{?dist}
+Release: 18%{?dist}
 Summary: Anaconda addon integrating OpenSCAP to the installation process
 License: GPLv2+
@@ -36,6 +36,7 @@ Patch13: oscap-anaconda-addon-2.1.0-content_paths-PR_227.patch
 Patch14: oscap-anaconda-addon-null-http_only_uri-PR_233.patch
 Patch15: oscap-anaconda-addon-2.0.1-tar-extraction-PR_250.patch
 Patch16: oscap-anaconda-addon-2.0.1-package-groups-PR_248.patch
+Patch17: oscap-anaconda-addon-2.0.1-fix_fips_hashes_PR_255.patch
 BuildArch: noarch
 BuildRequires: make
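Review bot: In the `get_hashing_algorithm` change carried by the added patch file (org_fedora_oscap/utils.py), membership in `hashlib.algorithms_available` is treated as proof that `hashlib.new(hash_id)` will succeed, which is not guaranteed on every build: a crypto policy such as FIPS can leave a name listed while the constructor still raises `ValueError`. Because `hashes` is now a lazy generator, that exception would surface wherever it is consumed, presumably the digest-size loop below the hunk, which is not visible here, rather than yielding the `None` that `test_hash_unknown` expects for an unusable fingerprint. Building each object inside `try`/`except ValueError` makes the lookup fail closed however the set is populated; the function body continues outside the hunk. In `test_hash`, the skipped branch could also pin the restricted-build behaviour with `assert utils.get_hashing_algorithm(file_hash) is None` before `continue`, assuming no other listed algorithm shares that digest length.

```python
    expected_hash_ids = {'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'}
    hashes = []
    for hash_id in expected_hash_ids.intersection(hashlib.algorithms_available):
        try:
            hashes.append(hashlib.new(hash_id))
        except ValueError:
            # listed by hashlib but refused by the crypto backend (e.g. FIPS policy)
            continue

    # … unchanged: odd-length check and the rest of get_hashing_algorithm …
```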
@@ -75,6 +76,9 @@ make install DESTDIR=%{buildroot}
 %doc COPYING ChangeLog README.md
 %changelog
+* Mon Oct 14 2024 Evgenii Kolesnikov - 2.0.0-18
+- Fix checksums in FIPS mode (RHEL-40367)
+
 * Wed Jul 19 2023 Jan Černý - 2.0.0-17
 - Update translations (rhbz#2189526)
 - Fix tar file extraction (rhbz#2218875)