Update oscap-anaconda-addon for RHEL 9.6

Additional fix to the hashes problem with FIPS. Resolves: RHEL-40367
2024-11-06 12:23:54 +01:00 · 2024-11-06 12:23:54 +01:00 · 2b59e3a0af
commit 2b59e3a0af
parent caa5df31af
2 changed files with 40 additions and 1 deletions
--- a/oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch
+++ b/oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch
@ -0,0 +1,35 @@
+From 7fdd6b28705a5c9ab5b836840ae521715ed6f893 Mon Sep 17 00:00:00 2001
+From: Evgeny Kolesnikov <ekolesni@redhat.com>
+Date: Wed, 6 Nov 2024 12:05:39 +0100
+Subject: [PATCH] Do not rely on hashlib.algorithms_available
+
+An algorithm could be a part of hashlib.algorithms_available set,
+but still uninstantiatable in current runtime configuration.
+
+See: https://github.com/python/cpython/issues/91257.
+---
+ org_fedora_oscap/utils.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/utils.py b/org_fedora_oscap/utils.py
+index 26fe40d..c05afe5 100644
+--- a/org_fedora_oscap/utils.py
+++ b/org_fedora_oscap/utils.py
+@@ -148,7 +148,16 @@ def get_hashing_algorithm(fingerprint):
+ 
+     expected_hash_ids = {'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'}
+     available_hash_ids = expected_hash_ids.intersection(hashlib.algorithms_available)
+-    hashes = (hashlib.new(hash_id) for hash_id in available_hash_ids)
+
+    hashes = []
+    for hash_id in available_hash_ids:
+        try:
+            hash_obj = hashlib.new(hash_id)
+            hashes.append(hash_obj)
+        except ValueError as e:
+            # We have an unavailable algorithm, that is a part of hashlib.algorithms_available,
+            # for example see https://github.com/python/cpython/issues/91257.
+            pass
+ 
+     if len(fingerprint) % 2 == 1:
+         return None
--- a/oscap-anaconda-addon.spec
+++ b/oscap-anaconda-addon.spec
@ -10,7 +10,7 @@

 Name:           oscap-anaconda-addon
 Version:        2.0.0
-Release:        19%{?dist}
+Release:        20%{?dist}
 Summary:        Anaconda addon integrating OpenSCAP to the installation process

 License:        GPLv2+
@ -37,6 +37,7 @@ Patch14: 	oscap-anaconda-addon-null-http_only_uri-PR_233.patch
 Patch15: 	oscap-anaconda-addon-2.0.1-tar-extraction-PR_250.patch
 Patch16: 	oscap-anaconda-addon-2.0.1-package-groups-PR_248.patch
 Patch17: 	oscap-anaconda-addon-2.0.1-fix_fips_hashes_PR_255.patch
+Patch18: 	oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_255.patch

 BuildArch:      noarch
 BuildRequires:  make
@ -76,6 +77,9 @@ make install DESTDIR=%{buildroot}
 %doc COPYING ChangeLog README.md

 %changelog
+* Wed Nov 06 2024 Evgenii Kolesnikov <ekolesni@redhat.com> - 2.0.0-20
+- Re-fix checksums in FIPS mode (RHEL-40367)
+
 * Mon Oct 21 2024 Evgenii Kolesnikov <ekolesni@redhat.com> - 2.0.0-19
 - Add missing chunk for PR_227 patch file (RHEL-40367)