author | Aleš Matěj <amatej@redhat.com> | 2021-04-27 15:51:11 +0300 |
committer | Jaroslav Rohel <jrohel@redhat.com> | 2021-09-29 10:44:41 +0300 |
commit | a602e05c94cf768a9f6705ee71beb843b505cc6d (patch) | |
tree | 26e7b4b68a694355bc6771c7d33ff028b597d399 | |
parent | dde3331b9b9919702dcb58776e7c4e1de0bc49a6 (diff) |
Make use of SHA-1 and MD5 conditional, off by default (RhBug:1935486)
The Python bindings build (setup.py) keeps them ON.
= changelog =
msg: Remove insecure hashes SHA-1 and MD5 from the default build
type: security
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1935486
-rw-r--r-- | CMakeLists.txt | 6 | ||||
-rw-r--r-- | setup.py | 1 | ||||
-rw-r--r-- | src/checksum.c | 36 | ||||
-rw-r--r-- | src/checksum.h | 20 | ||||
-rw-r--r-- | src/compression_wrapper.c | 8 | ||||
-rw-r--r-- | src/python/createrepo_c/__init__.py | 16 | ||||
-rw-r--r-- | src/python/createrepo_cmodule.c | 2 | ||||
-rw-r--r-- | tests/test_checksum.c | 10 |
8 files changed, 64 insertions, 35 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3d9b6ea..b016960 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -67,6 +67,12 @@ IF (ENABLE_LEGACY_WEAKDEPS)
 ADD_DEFINITIONS("-DENABLE_LEGACY_WEAKDEPS=1")
 ENDIF (ENABLE_LEGACY_WEAKDEPS)
+# Legacy hash functions
+OPTION (WITH_LEGACY_HASHES "Build with SHA-1 and MD5 support" OFF)
+IF (WITH_LEGACY_HASHES)
+ ADD_DEFINITIONS("-DWITH_LEGACY_HASHES=1")
+ENDIF (WITH_LEGACY_HASHES)
+
 # drpm
 OPTION (ENABLE_DRPM "Enable delta RPM support?" OFF)
 IF (ENABLE_DRPM)
@@ -43,6 +43,7 @@ setup(
 '-DCREATEREPO_C_INSTALL_MANPAGES:BOOL=OFF',
 '-DENABLE_BASHCOMP:BOOL=OFF',
 '-DENABLE_DRPM:BOOL=OFF',
+ '-DWITH_LEGACY_HASHES:BOOL=ON',
 ],
 cmake_languages=['C'],
 entry_points={
diff --git a/src/checksum.c b/src/checksum.c
index 688ae66..485461d 100644
--- a/src/checksum.c
+++ b/src/checksum.c
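Review bot: The setup.py hunk re-enables SHA-1 and MD5 unconditionally for every Python build, reversing the library default this commit introduces, and neither file records why; a packager hardening the bindings has to edit setup.py to opt out. I would add a one-line justification next to the new flag, `# Keep SHA-1/MD5 for Python callers that read legacy repodata; the C library default is OFF (RhBug:1935486)`, so the exception is not mistaken for an oversight. The CMake option text should also say what is being traded away, e.g. `"Build with SHA-1 and MD5 support (weak, non-collision-resistant; legacy repodata only)"`, since `cmake -L` is where most people will first see it. Note that the setup.py hunk is shown here without its own `diff --git` header, so the surrounding `setup()` call is only partly visible.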
@@ -52,25 +52,27 @@ cr_checksum_type(const char *name)
 for (size_t x = 0; x <= len; x++)
 name_lower[x] = tolower(name[x]);
- if (!strncmp(name_lower, "md", 2)) {
- // MD* family
- if (name_lower[2] == '5')
- return CR_CHECKSUM_MD5;
- } else if (!strncmp(name_lower, "sha", 3)) {
+ if (!strncmp(name_lower, "sha", 3)) {
 // SHA* family
 char *sha_type = name_lower + 3;
- if (!strcmp(sha_type, ""))
+ if (!strcmp(sha_type, "512"))
+ return CR_CHECKSUM_SHA512;
+ else if (!strcmp(sha_type, "384"))
+ return CR_CHECKSUM_SHA384;
+ else if (!strcmp(sha_type, "256"))
+ return CR_CHECKSUM_SHA256;
+ else if (!strcmp(sha_type, "224"))
+ return CR_CHECKSUM_SHA224;
+#ifdef WITH_LEGACY_HASHES
+ else if (!strcmp(sha_type, ""))
 return CR_CHECKSUM_SHA;
 else if (!strcmp(sha_type, "1"))
 return CR_CHECKSUM_SHA1;
- else if (!strcmp(sha_type, "224"))
- return CR_CHECKSUM_SHA224;
- else if (!strcmp(sha_type, "256"))
- return CR_CHECKSUM_SHA256;
- else if (!strcmp(sha_type, "384"))
- return CR_CHECKSUM_SHA384;
- else if (!strcmp(sha_type, "512"))
- return CR_CHECKSUM_SHA512;
+ } else if (!strncmp(name_lower, "md", 2)) {
+ // MD* family
+ if (name_lower[2] == '5')
+ return CR_CHECKSUM_MD5;
+#endif
 }
 return CR_CHECKSUM_UNKNOWN;
@@ -82,12 +84,14 @@ cr_checksum_name_str(cr_ChecksumType type)
 switch (type) {
 case CR_CHECKSUM_UNKNOWN:
 return "Unknown checksum";
+#ifdef WITH_LEGACY_HASHES
 case CR_CHECKSUM_MD5:
 return "md5";
 case CR_CHECKSUM_SHA:
 return "sha";
 case CR_CHECKSUM_SHA1:
 return "sha1";
+#endif
 case CR_CHECKSUM_SHA224:
 return "sha224";
 case CR_CHECKSUM_SHA256:
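Review bot: The `#ifdef WITH_LEGACY_HASHES` in cr_checksum_type opens inside the SHA branch and closes after the MD branch, so the closing brace before `return CR_CHECKSUM_UNKNOWN` belongs to a different construct depending on the build (it ends the `if` in one configuration and the `else if` in the other); both compile, but anyone editing either branch later has to reason about the preprocessor to keep the braces balanced. I would guard the two families separately so each `#ifdef` encloses whole statements, and say at the fall-through that rejecting legacy names is intentional, since on default builds "sha1" and "md5" now come back as CR_CHECKSUM_UNKNOWN and callers cannot tell a disabled hash from a typo. The beginning of cr_checksum_type (the `name_lower` allocation) and the rest of cr_checksum_name_str lie outside this hunk.
```c
    if (!strncmp(name_lower, "sha", 3)) {
        // … unchanged: SHA-512/384/256/224 chain …
#ifdef WITH_LEGACY_HASHES
        else if (!strcmp(sha_type, ""))
            return CR_CHECKSUM_SHA;
        else if (!strcmp(sha_type, "1"))
            return CR_CHECKSUM_SHA1;
#endif
    }
#ifdef WITH_LEGACY_HASHES
    else if (!strncmp(name_lower, "md", 2)) {
        // MD* family
        if (name_lower[2] == '5')
            return CR_CHECKSUM_MD5;
    }
#endif

    // Names of hashes disabled at build time fall through here on purpose:
    // fail closed rather than silently map them to something else.
    return CR_CHECKSUM_UNKNOWN;
```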
@@ -117,9 +121,11 @@ cr_checksum_file(const char *filename,
 const EVP_MD *ctx_type;
 switch (type) {
+#ifdef WITH_LEGACY_HASHES
 case CR_CHECKSUM_MD5: ctx_type = EVP_md5(); break;
 case CR_CHECKSUM_SHA: ctx_type = EVP_sha1(); break;
 case CR_CHECKSUM_SHA1: ctx_type = EVP_sha1(); break;
+#endif
 case CR_CHECKSUM_SHA224: ctx_type = EVP_sha224(); break;
 case CR_CHECKSUM_SHA256: ctx_type = EVP_sha256(); break;
 case CR_CHECKSUM_SHA384: ctx_type = EVP_sha384(); break;
@@ -201,9 +207,11 @@ cr_checksum_new(cr_ChecksumType type, GError **err)
 assert(!err || *err == NULL);
 switch (type) {
+#ifdef WITH_LEGACY_HASHES
 case CR_CHECKSUM_MD5: ctx_type = EVP_md5(); break;
 case CR_CHECKSUM_SHA: ctx_type = EVP_sha1(); break;
 case CR_CHECKSUM_SHA1: ctx_type = EVP_sha1(); break;
+#endif
 case CR_CHECKSUM_SHA224: ctx_type = EVP_sha224(); break;
 case CR_CHECKSUM_SHA256: ctx_type = EVP_sha256(); break;
 case CR_CHECKSUM_SHA384: ctx_type = EVP_sha384(); break;
diff --git a/src/checksum.h b/src/checksum.h
index a04fb52..66ad4b7 100644
--- a/src/checksum.h
+++ b/src/checksum.h
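Review bot: The same type-to-EVP_MD mapping, with the same `#ifdef WITH_LEGACY_HASHES` block, is now duplicated in cr_checksum_file and cr_checksum_new, and this is exactly the kind of table that drifts (one switch gains a case or a guard and the other does not). A single static helper would keep the legacy guard in one place and let both callers treat "no digest" uniformly; both switches are cut off in this hunk, so I cannot see their `default:` arm and whether an enum value 1–3 reaching a default build is reported as an error, which is the case the helper's NULL return should feed into. The tail of cr_checksum_file and cr_checksum_new, including any error path for unsupported types, is outside the hunk.
```c
/* Map a cr_ChecksumType to its OpenSSL digest. The WITH_LEGACY_HASHES guard
 * lives only here; NULL means "not supported by this build", which covers the
 * reserved values 1-3 when SHA-1/MD5 are compiled out. */
static const EVP_MD *
cr_checksum_evp_md(cr_ChecksumType type)
{
    switch (type) {
#ifdef WITH_LEGACY_HASHES
    case CR_CHECKSUM_MD5:    return EVP_md5();
    case CR_CHECKSUM_SHA:    return EVP_sha1();
    case CR_CHECKSUM_SHA1:   return EVP_sha1();
#endif
    case CR_CHECKSUM_SHA224: return EVP_sha224();
    case CR_CHECKSUM_SHA256: return EVP_sha256();
    case CR_CHECKSUM_SHA384: return EVP_sha384();
    case CR_CHECKSUM_SHA512: return EVP_sha512();
    default:                 return NULL;
    }
}

/* … unchanged: cr_checksum_file prologue … */
    const EVP_MD *ctx_type = cr_checksum_evp_md(type);
    if (!ctx_type) {
        /* … existing unsupported-type error path … */
    }
```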
@@ -41,15 +41,17 @@ typedef struct _cr_ChecksumCtx cr_ChecksumCtx;
 * is for the compatibility with original createrepo.
 */
 typedef enum {
- CR_CHECKSUM_UNKNOWN, /*!< Unknown checksum */
- CR_CHECKSUM_MD5, /*!< MD5 checksum */
- CR_CHECKSUM_SHA, /*!< SHA checksum */
- CR_CHECKSUM_SHA1, /*!< SHA1 checksum */
- CR_CHECKSUM_SHA224, /*!< SHA224 checksum */
- CR_CHECKSUM_SHA256, /*!< SHA256 checksum */
- CR_CHECKSUM_SHA384, /*!< SHA384 checksum */
- CR_CHECKSUM_SHA512, /*!< SHA512 checksum */
- CR_CHECKSUM_SENTINEL, /*!< sentinel of the list */
+ CR_CHECKSUM_UNKNOWN = 0, /*!< Unknown checksum */
+#ifdef WITH_LEGACY_HASHES
+ CR_CHECKSUM_MD5 = 1, /*!< MD5 checksum */
+ CR_CHECKSUM_SHA = 2, /*!< SHA checksum */
+ CR_CHECKSUM_SHA1 = 3, /*!< SHA1 checksum */
+#endif
+ CR_CHECKSUM_SHA224 = 4, /*!< SHA224 checksum */
+ CR_CHECKSUM_SHA256 = 5, /*!< SHA256 checksum */
+ CR_CHECKSUM_SHA384 = 6, /*!< SHA384 checksum */
+ CR_CHECKSUM_SHA512 = 7, /*!< SHA512 checksum */
+ CR_CHECKSUM_SENTINEL = 8, /*!< sentinel of the list */
 } cr_ChecksumType;
 /** Return checksum name.
diff --git a/src/compression_wrapper.c b/src/compression_wrapper.c
index cb1fd24..15e9e38 100644
--- a/src/compression_wrapper.c
+++ b/src/compression_wrapper.c
@@ -303,10 +303,12 @@ cr_cktype_from_zck(zckCtx *zck, GError **err)
 "Unable to read hash from zchunk file");
 return CR_CHECKSUM_UNKNOWN;
 }
- if (cktype == ZCK_HASH_SHA1)
- return CR_CHECKSUM_SHA1;
- else if (cktype == ZCK_HASH_SHA256)
+ if (cktype == ZCK_HASH_SHA256)
 return CR_CHECKSUM_SHA256;
+#ifdef WITH_LEGACY_HASHES
+ else if (cktype == ZCK_HASH_SHA1)
+ return CR_CHECKSUM_SHA1;
+#endif
 else {
 const char *ckname = zck_hash_name_from_type(cktype);
 if (ckname == NULL)
diff --git a/src/python/createrepo_c/__init__.py b/src/python/createrepo_c/__init__.py
index f9289f8..0fc94f7 100644
--- a/src/python/createrepo_c/__init__.py
+++ b/src/python/createrepo_c/__init__.py
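Review bot: The enum in the public checksum.h now depends on `WITH_LEGACY_HASHES`, but the CMake hunk sets that macro only through `ADD_DEFINITIONS` for this build, so a consumer compiling against the installed header sees whichever enumerator set its own command line happens to select, not the one the installed library was built with. Pinning the values keeps the ABI identical either way, which is the right call, but the API surface still silently differs, and an external caller that does define the macro can hand a value 1–3 to a library that compiled those cases out. Either export the setting (a generated config header included by checksum.h, or pkg-config `Cflags`) or keep the three enumerators unconditional and reject them at runtime. In any case the comment above the enum should say what the numbering now guarantees, e.g. `Values are fixed so the ABI is the same with and without WITH_LEGACY_HASHES; 1-3 stay reserved in builds that omit SHA-1/MD5.`; that comment's opening lines sit above this hunk.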
@@ -15,15 +15,13 @@ VERSION_PATCH = _createrepo_c.VERSION_PATCH #: Patch version
 #: Version string
 VERSION = u"%d.%d.%d" % (VERSION_MAJOR, VERSION_MINOR, VERSION_PATCH)
-UNKNOWN_CHECKSUM = _createrepo_c.CHECKSUM_UNKNOWN #: Checksum unknown
-CHECKSUM_UNKNOWN = _createrepo_c.CHECKSUM_UNKNOWN #: Checksum unknown
-MD5 = _createrepo_c.MD5 #: MD5 checksum
-SHA = _createrepo_c.SHA #: SHA1 checksum alias
-SHA1 = _createrepo_c.SHA1 #: SHA1 checksum
-SHA224 = _createrepo_c.SHA224 #: SHA224 checksum
-SHA256 = _createrepo_c.SHA256 #: SHA256 checksum
-SHA384 = _createrepo_c.SHA384 #: SHA384 checksum
-SHA512 = _createrepo_c.SHA512 #: SHA512 checksum
+UNKNOWN_CHECKSUM = _createrepo_c.CHECKSUM_UNKNOWN #: Checksum unknown
+CHECKSUM_UNKNOWN = _createrepo_c.CHECKSUM_UNKNOWN #: Checksum unknown
+
+for hash_name in ('MD5', 'SHA', 'SHA1', 'SHA224', 'SHA256', 'SHA384', 'SHA512'):
+ hash_attr = getattr(_createrepo_c, hash_name, None)
+ if hash_attr:
+ globals()[hash_name] = hash_attr
 MODE_READ = _createrepo_c.MODE_READ #: Read open mode
 MODE_WRITE = _createrepo_c.MODE_WRITE #: Write open mode
diff --git a/src/python/createrepo_cmodule.c b/src/python/createrepo_cmodule.c
index 7bd4fc2..c0b9200 100644
--- a/src/python/createrepo_cmodule.c
+++ b/src/python/createrepo_cmodule.c
@@ -238,9 +238,11 @@ PyInit__createrepo_c(void)
 /* Checksum types */
 PyModule_AddIntConstant(m, "CHECKSUM_UNKNOWN", CR_CHECKSUM_UNKNOWN);
+#ifdef WITH_LEGACY_HASHES
 PyModule_AddIntConstant(m, "MD5", CR_CHECKSUM_MD5);
 PyModule_AddIntConstant(m, "SHA", CR_CHECKSUM_SHA);
 PyModule_AddIntConstant(m, "SHA1", CR_CHECKSUM_SHA1);
+#endif
 PyModule_AddIntConstant(m, "SHA224", CR_CHECKSUM_SHA224);
 PyModule_AddIntConstant(m, "SHA256", CR_CHECKSUM_SHA256);
 PyModule_AddIntConstant(m, "SHA384", CR_CHECKSUM_SHA384);
diff --git a/tests/test_checksum.c b/tests/test_checksum.c
index 93e6d13..84046ec 100644
--- a/tests/test_checksum.c
+++ b/tests/test_checksum.c
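Review bot: The `globals()` loop in `__init__.py` drops the `#:` doc comments for all seven checksum constants, including the four SHA-2 ones that are always present, so the Sphinx docs and any static checker lose `SHA256` and friends along with the legacy names. It also tests `if hash_attr:`, which would silently skip a constant whose value is 0 (harmless for 1–7 today, wrong as a pattern), and it leaves `hash_name`/`hash_attr` behind as public-looking module attributes. I would keep the unconditional constants as explicit, documented assignments and loop only over the three names the C module may omit, with `is not None` and underscore-prefixed loop variables. The hunk is complete, but callers elsewhere that reference `createrepo_c.MD5` unguarded will now raise AttributeError on default builds; that is the intended fail-closed behaviour and worth a line in the module docs.
```python
SHA224 = _createrepo_c.SHA224  #: SHA224 checksum
SHA256 = _createrepo_c.SHA256  #: SHA256 checksum
SHA384 = _createrepo_c.SHA384  #: SHA384 checksum
SHA512 = _createrepo_c.SHA512  #: SHA512 checksum

# MD5, SHA and SHA1 are exported only when the C library was built with
# WITH_LEGACY_HASHES; default builds omit them (RhBug:1935486), so use
# getattr(createrepo_c, "MD5", None) if you must probe for them.
for _hash_name in ('MD5', 'SHA', 'SHA1'):
    _hash_attr = getattr(_createrepo_c, _hash_name, None)
    if _hash_attr is not None:
        globals()[_hash_name] = _hash_attr
```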
@@ -31,12 +31,14 @@ test_cr_checksum_file(void)
 char *checksum;
 GError *tmp_err = NULL;
+#ifdef WITH_LEGACY_HASHES
 checksum = cr_checksum_file(TEST_EMPTY_FILE, CR_CHECKSUM_MD5, NULL);
 g_assert_cmpstr(checksum, ==, "d41d8cd98f00b204e9800998ecf8427e");
 g_free(checksum);
 checksum = cr_checksum_file(TEST_EMPTY_FILE, CR_CHECKSUM_SHA1, NULL);
 g_assert_cmpstr(checksum, ==, "da39a3ee5e6b4b0d3255bfef95601890afd80709");
 g_free(checksum);
+#endif
 checksum = cr_checksum_file(TEST_EMPTY_FILE, CR_CHECKSUM_SHA256, NULL);
 g_assert_cmpstr(checksum, ==, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649"
 "b934ca495991b7852b855");
@@ -47,6 +49,7 @@ test_cr_checksum_file(void)
 "7a81a538327af927da3e");
 g_free(checksum);
+#ifdef WITH_LEGACY_HASHES
 checksum = cr_checksum_file(TEST_TEXT_FILE, CR_CHECKSUM_MD5, &tmp_err);
 g_assert_cmpstr(checksum, ==, "d6d4da5c15f8fe7570ce6ab6b3503916");
 g_assert(!tmp_err);
@@ -55,6 +58,7 @@ test_cr_checksum_file(void)
 g_assert_cmpstr(checksum, ==, "da048ee8fabfbef1b3d6d3f5a4be20029eecec77");
 g_assert(!tmp_err);
 g_free(checksum);
+#endif
 checksum = cr_checksum_file(TEST_TEXT_FILE, CR_CHECKSUM_SHA256, &tmp_err);
 g_assert_cmpstr(checksum, ==, "2f395bdfa2750978965e4781ddf224c89646c7d7a15"
 "69b7ebb023b170f7bd8bb");
@@ -67,12 +71,14 @@ test_cr_checksum_file(void)
 g_assert(!tmp_err);
 g_free(checksum);
+#ifdef WITH_LEGACY_HASHES
 checksum = cr_checksum_file(TEST_BINARY_FILE, CR_CHECKSUM_MD5, NULL);
 g_assert_cmpstr(checksum, ==, "4f8b033d7a402927a20c9328fc0e0f46");
 g_free(checksum);
 checksum = cr_checksum_file(TEST_BINARY_FILE, CR_CHECKSUM_SHA1, NULL);
 g_assert_cmpstr(checksum, ==, "3539fb660a41846352ac4fa9076d168a3c77070b");
 g_free(checksum);
+#endif
 checksum = cr_checksum_file(TEST_BINARY_FILE, CR_CHECKSUM_SHA256, NULL);
 g_assert_cmpstr(checksum, ==, "bf68e32ad78cea8287be0f35b74fa3fecd0eaa91770"
 "b48f1a7282b015d6d883e");
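Review bot: Every `#ifdef WITH_LEGACY_HASHES` added to test_cr_checksum_file only removes coverage on the default build; nothing asserts the property this commit exists to provide, that a default build refuses SHA-1 and MD5. The one behaviour visible in this diff that can be pinned without project fixtures is cr_checksum_type, which the checksum.c hunk makes return CR_CHECKSUM_UNKNOWN for "md5", "sha" and "sha1" when the macro is undefined, so an `#else` branch on one of these guards (or a dedicated cr_checksum_type test) would lock that in. Whether cr_checksum_file itself errors for a reserved value 1–3 is decided by a `default:` arm outside the checksum.c hunk, so I have not proposed asserting that here. test_cr_checksum_file begins before the first of these hunks and continues past the last.
```c
#else
    /* Default build: legacy hash names must not resolve to a usable type. */
    g_assert_cmpint(cr_checksum_type("md5"),  ==, CR_CHECKSUM_UNKNOWN);
    g_assert_cmpint(cr_checksum_type("sha"),  ==, CR_CHECKSUM_UNKNOWN);
    g_assert_cmpint(cr_checksum_type("sha1"), ==, CR_CHECKSUM_UNKNOWN);
#endif
```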
@@ -91,11 +97,13 @@ test_cr_checksum_file(void)
 g_error_free(tmp_err);
 tmp_err = NULL;
+#ifdef WITH_LEGACY_HASHES
 checksum = cr_checksum_file(NON_EXIST_FILE, CR_CHECKSUM_MD5, &tmp_err);
 g_assert(!checksum);
 g_assert(tmp_err);
 g_error_free(tmp_err);
 tmp_err = NULL;
+#endif
 }
@@ -104,6 +112,7 @@ test_cr_checksum_name_str(void)
 {
 const char *checksum_name;
+#ifdef WITH_LEGACY_HASHES
 checksum_name = cr_checksum_name_str(CR_CHECKSUM_MD5);
 g_assert_cmpstr(checksum_name, ==, "md5");
@@ -112,6 +121,7 @@ test_cr_checksum_name_str(void)
 checksum_name = cr_checksum_name_str(CR_CHECKSUM_SHA1);
 g_assert_cmpstr(checksum_name, ==, "sha1");
+#endif
 checksum_name = cr_checksum_name_str(CR_CHECKSUM_SHA224);
 g_assert_cmpstr(checksum_name, ==, "sha224");
|