From 2b59e3a0af0519cf27fad94fbce46f731ffb5031 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov
Date: Wed, 6 Nov 2024 12:23:54 +0100
Subject: [PATCH] Update oscap-anaconda-addon for RHEL 9.6
Additional fix to the hashes problem with FIPS.
Resolves: RHEL-40367
---
 ...addon-2.0.1-fix_fips_hashes_2_PR_257.patch | 35 +++++++++++++++++++
 oscap-anaconda-addon.spec | 6 +++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch
diff --git a/oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch b/oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch
new file mode 100644
index 0000000..f7c1f5e
--- /dev/null
+++ b/oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch
@@ -0,0 +1,35 @@
+From 7fdd6b28705a5c9ab5b836840ae521715ed6f893 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov
+Date: Wed, 6 Nov 2024 12:05:39 +0100
+Subject: [PATCH] Do not rely on hashlib.algorithms_available
+
+An algorithm could be a part of hashlib.algorithms_available set,
+but still uninstantiatable in current runtime configuration.
+
+See: https://github.com/python/cpython/issues/91257.
+---
+ org_fedora_oscap/utils.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/utils.py b/org_fedora_oscap/utils.py
+index 26fe40d..c05afe5 100644
+--- a/org_fedora_oscap/utils.py
++++ b/org_fedora_oscap/utils.py
+@@ -148,7 +148,16 @@ def get_hashing_algorithm(fingerprint):
+
+ expected_hash_ids = {'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'}
+ available_hash_ids = expected_hash_ids.intersection(hashlib.algorithms_available)
+- hashes = (hashlib.new(hash_id) for hash_id in available_hash_ids)
++
++ hashes = []
++ for hash_id in available_hash_ids:
++ try:
++ hash_obj = hashlib.new(hash_id)
++ hashes.append(hash_obj)
++ except ValueError as e:
++ # We have an unavailable algorithm, that is a part of hashlib.algorithms_available,
++ # for example see https://github.com/python/cpython/issues/91257.
++ pass
+
+ if len(fingerprint) % 2 == 1:
+ return None
diff --git a/oscap-anaconda-addon.spec b/oscap-anaconda-addon.spec
index 5ee7f74..922175b 100644
--- a/oscap-anaconda-addon.spec
+++ b/oscap-anaconda-addon.spec
@@ -10,7 +10,7 @@
 Name: oscap-anaconda-addon
 Version: 2.0.0
-Release: 19%{?dist}
+Release: 20%{?dist}
 Summary: Anaconda addon integrating OpenSCAP to the installation process
 License: GPLv2+
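Review bot: In the nested `org_fedora_oscap/utils.py` hunk, the new `except ValueError as e:` branch discards the algorithm without a trace and never uses `e`, so a fingerprint whose length matches a digest the runtime refuses (MD5 under FIPS, per the linked CPython issue) presumably becomes indistinguishable from a malformed one. Record the skip, e.g. `log.debug("hash %s unavailable in this runtime: %s", hash_id, e)` if the module has a logger (not visible here), or drop the binding and write `except ValueError:`. Skipping is the right behaviour for an integrity check; passing `usedforsecurity=False` to `hashlib.new` to get MD5 back would defeat the FIPS policy for the very content it is meant to protect. `get_hashing_algorithm` continues outside the hunk, so how `hashes` is consumed is inferred.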
@@ -37,6 +37,7 @@ Patch14: oscap-anaconda-addon-null-http_only_uri-PR_233.patch
 Patch15: oscap-anaconda-addon-2.0.1-tar-extraction-PR_250.patch
 Patch16: oscap-anaconda-addon-2.0.1-package-groups-PR_248.patch
 Patch17: oscap-anaconda-addon-2.0.1-fix_fips_hashes_PR_255.patch
+Patch18: oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_255.patch
 BuildArch: noarch
 BuildRequires: make
@@ -76,6 +77,9 @@ make install DESTDIR=%{buildroot}
 %doc COPYING ChangeLog README.md
 %changelog
+* Wed Nov 06 2024 Evgenii Kolesnikov - 2.0.0-20
+- Re-fix checksums in FIPS mode (RHEL-40367)
+
 * Mon Oct 21 2024 Evgenii Kolesnikov - 2.0.0-19
 - Add missing chunk for PR_227 patch file (RHEL-40367)
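Review bot: The added `Patch18` line names `oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_255.patch`, but the file this commit creates is `oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch`. As written, the build either fails on a missing source or, if a file with the PR_255 name happens to exist, applies something other than the reviewed FIPS fix. Change the line to `Patch18: oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch`. Whether the patch is actually applied depends on the `%prep` section, which is outside the visible hunks: `%autosetup` or `%autopatch` would pick it up, while explicit `%patch` lines would need a new entry.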