
authorAleš Matěj <amatej@redhat.com>2021-04-27 15:51:11 +0300
committerJaroslav Rohel <jrohel@redhat.com>2021-09-29 10:44:41 +0300
commita602e05c94cf768a9f6705ee71beb843b505cc6d (patch)
tree26e7b4b68a694355bc6771c7d33ff028b597d399
parentdde3331b9b9919702dcb58776e7c4e1de0bc49a6 (diff)
Make use of SHA-1 and MD5 conditional, off by default (RhBug:1935486)
But ON for Python build. = changelog = msg: Remove insecure hashes SHA-1 and MD5 from the default build type: security resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1935486
-rw-r--r--CMakeLists.txt6
-rw-r--r--setup.py1
-rw-r--r--src/checksum.c36
-rw-r--r--src/checksum.h20
-rw-r--r--src/compression_wrapper.c8
-rw-r--r--src/python/createrepo_c/__init__.py16
-rw-r--r--src/python/createrepo_cmodule.c2
-rw-r--r--tests/test_checksum.c10
8 files changed, 64 insertions, 35 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3d9b6ea..b016960 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -67,6 +67,12 @@ IF (ENABLE_LEGACY_WEAKDEPS)
ADD_DEFINITIONS("-DENABLE_LEGACY_WEAKDEPS=1")
ENDIF (ENABLE_LEGACY_WEAKDEPS)
+# Legacy hash functions
+OPTION (WITH_LEGACY_HASHES "Build with SHA-1 and MD5 support" OFF)
+IF (WITH_LEGACY_HASHES)
+ ADD_DEFINITIONS("-DWITH_LEGACY_HASHES=1")
+ENDIF (WITH_LEGACY_HASHES)
+
# drpm
OPTION (ENABLE_DRPM "Enable delta RPM support?" OFF)
IF (ENABLE_DRPM)
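Review bot: The option text `"Build with SHA-1 and MD5 support"` presents the switch as an ordinary feature, so someone enabling it in a build will not see the security trade-off the commit is making. Suggest `OPTION (WITH_LEGACY_HASHES "Build with SHA-1 and MD5 support (insecure; only for reading legacy repositories)" OFF)`. The `# Legacy hash functions` comment could also cite RhBug:1935486 so the OFF default stays traceable to its reason.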
diff --git a/setup.py b/setup.py
index 1cd7e1a..442dfb1 100644
--- a/setup.py
+++ b/setup.py
@@ -43,6 +43,7 @@ setup(
'-DCREATEREPO_C_INSTALL_MANPAGES:BOOL=OFF',
'-DENABLE_BASHCOMP:BOOL=OFF',
'-DENABLE_DRPM:BOOL=OFF',
+ '-DWITH_LEGACY_HASHES:BOOL=ON',
],
cmake_languages=['C'],
entry_points={
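Review bot: The new `-DWITH_LEGACY_HASHES:BOOL=ON` line flips the security default back on for the Python build without a comment, and the commit message only states that it is on, not why; a later reader of setup.py cannot tell whether this is deliberate. Add above it `# Legacy hashes stay available to the Python bindings (RhBug:1935486); drop once consumers stop using createrepo_c.MD5/SHA1`, adjusting the reason if it is something else, since the commit does not state it. It also means the wheel and a distro-built C binary can disagree on which checksum names are accepted, which is worth a sentence in the option's documentation.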
diff --git a/src/checksum.c b/src/checksum.c
index 688ae66..485461d 100644
--- a/src/checksum.c
+++ b/src/checksum.c
@@ -52,25 +52,27 @@ cr_checksum_type(const char *name)
for (size_t x = 0; x <= len; x++)
name_lower[x] = tolower(name[x]);
- if (!strncmp(name_lower, "md", 2)) {
- // MD* family
- if (name_lower[2] == '5')
- return CR_CHECKSUM_MD5;
- } else if (!strncmp(name_lower, "sha", 3)) {
+ if (!strncmp(name_lower, "sha", 3)) {
// SHA* family
char *sha_type = name_lower + 3;
- if (!strcmp(sha_type, ""))
+ if (!strcmp(sha_type, "512"))
+ return CR_CHECKSUM_SHA512;
+ else if (!strcmp(sha_type, "384"))
+ return CR_CHECKSUM_SHA384;
+ else if (!strcmp(sha_type, "256"))
+ return CR_CHECKSUM_SHA256;
+ else if (!strcmp(sha_type, "224"))
+ return CR_CHECKSUM_SHA224;
+#ifdef WITH_LEGACY_HASHES
+ else if (!strcmp(sha_type, ""))
return CR_CHECKSUM_SHA;
else if (!strcmp(sha_type, "1"))
return CR_CHECKSUM_SHA1;
- else if (!strcmp(sha_type, "224"))
- return CR_CHECKSUM_SHA224;
- else if (!strcmp(sha_type, "256"))
- return CR_CHECKSUM_SHA256;
- else if (!strcmp(sha_type, "384"))
- return CR_CHECKSUM_SHA384;
- else if (!strcmp(sha_type, "512"))
- return CR_CHECKSUM_SHA512;
+ } else if (!strncmp(name_lower, "md", 2)) {
+ // MD* family
+ if (name_lower[2] == '5')
+ return CR_CHECKSUM_MD5;
+#endif
}
return CR_CHECKSUM_UNKNOWN;
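Review bot: The `#ifdef WITH_LEGACY_HASHES` opened inside the SHA branch runs across the `} else if (!strncmp(name_lower, "md", 2)) {` line, so the brace that closes the SHA branch comes from a different line depending on the build configuration; it compiles both ways, but an edit to either side can unbalance the other and the preprocessor will not catch it. Giving the MD family its own guarded `else if` after the SHA block keeps each `#ifdef` within one brace pair, as below. Separately, with the option off, "sha", "sha1" and "md5" now return CR_CHECKSUM_UNKNOWN exactly like a misspelled name; whatever error callers raise on that value (not visible here) should say the algorithm is disabled at build time, or repodata that legitimately declares sha1 will be reported as an unknown checksum. cr_checksum_type's signature and the name_lower setup are above the hunk.
```c
    if (!strncmp(name_lower, "sha", 3)) {
        // SHA* family
        char *sha_type = name_lower + 3;
        /* … unchanged: sha512 / sha384 / sha256 / sha224 lookups … */
#ifdef WITH_LEGACY_HASHES
        else if (!strcmp(sha_type, ""))
            return CR_CHECKSUM_SHA;
        else if (!strcmp(sha_type, "1"))
            return CR_CHECKSUM_SHA1;
#endif
    }
#ifdef WITH_LEGACY_HASHES
    else if (!strncmp(name_lower, "md", 2)) {
        // MD* family
        if (name_lower[2] == '5')
            return CR_CHECKSUM_MD5;
    }
#endif
```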
@@ -82,12 +84,14 @@ cr_checksum_name_str(cr_ChecksumType type)
switch (type) {
case CR_CHECKSUM_UNKNOWN:
return "Unknown checksum";
+#ifdef WITH_LEGACY_HASHES
case CR_CHECKSUM_MD5:
return "md5";
case CR_CHECKSUM_SHA:
return "sha";
case CR_CHECKSUM_SHA1:
return "sha1";
+#endif
case CR_CHECKSUM_SHA224:
return "sha224";
case CR_CHECKSUM_SHA256:
@@ -117,9 +121,11 @@ cr_checksum_file(const char *filename,
const EVP_MD *ctx_type;
switch (type) {
+#ifdef WITH_LEGACY_HASHES
case CR_CHECKSUM_MD5: ctx_type = EVP_md5(); break;
case CR_CHECKSUM_SHA: ctx_type = EVP_sha1(); break;
case CR_CHECKSUM_SHA1: ctx_type = EVP_sha1(); break;
+#endif
case CR_CHECKSUM_SHA224: ctx_type = EVP_sha224(); break;
case CR_CHECKSUM_SHA256: ctx_type = EVP_sha256(); break;
case CR_CHECKSUM_SHA384: ctx_type = EVP_sha384(); break;
@@ -201,9 +207,11 @@ cr_checksum_new(cr_ChecksumType type, GError **err)
assert(!err || *err == NULL);
switch (type) {
+#ifdef WITH_LEGACY_HASHES
case CR_CHECKSUM_MD5: ctx_type = EVP_md5(); break;
case CR_CHECKSUM_SHA: ctx_type = EVP_sha1(); break;
case CR_CHECKSUM_SHA1: ctx_type = EVP_sha1(); break;
+#endif
case CR_CHECKSUM_SHA224: ctx_type = EVP_sha224(); break;
case CR_CHECKSUM_SHA256: ctx_type = EVP_sha256(); break;
case CR_CHECKSUM_SHA384: ctx_type = EVP_sha384(); break;
diff --git a/src/checksum.h b/src/checksum.h
index a04fb52..66ad4b7 100644
--- a/src/checksum.h
+++ b/src/checksum.h
@@ -41,15 +41,17 @@ typedef struct _cr_ChecksumCtx cr_ChecksumCtx;
* is for the compatibility with original createrepo.
*/
typedef enum {
- CR_CHECKSUM_UNKNOWN, /*!< Unknown checksum */
- CR_CHECKSUM_MD5, /*!< MD5 checksum */
- CR_CHECKSUM_SHA, /*!< SHA checksum */
- CR_CHECKSUM_SHA1, /*!< SHA1 checksum */
- CR_CHECKSUM_SHA224, /*!< SHA224 checksum */
- CR_CHECKSUM_SHA256, /*!< SHA256 checksum */
- CR_CHECKSUM_SHA384, /*!< SHA384 checksum */
- CR_CHECKSUM_SHA512, /*!< SHA512 checksum */
- CR_CHECKSUM_SENTINEL, /*!< sentinel of the list */
+ CR_CHECKSUM_UNKNOWN = 0, /*!< Unknown checksum */
+#ifdef WITH_LEGACY_HASHES
+ CR_CHECKSUM_MD5 = 1, /*!< MD5 checksum */
+ CR_CHECKSUM_SHA = 2, /*!< SHA checksum */
+ CR_CHECKSUM_SHA1 = 3, /*!< SHA1 checksum */
+#endif
+ CR_CHECKSUM_SHA224 = 4, /*!< SHA224 checksum */
+ CR_CHECKSUM_SHA256 = 5, /*!< SHA256 checksum */
+ CR_CHECKSUM_SHA384 = 6, /*!< SHA384 checksum */
+ CR_CHECKSUM_SHA512 = 7, /*!< SHA512 checksum */
+ CR_CHECKSUM_SENTINEL = 8, /*!< sentinel of the list */
} cr_ChecksumType;
/** Return checksum name.
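Review bot: The enumerators now carry explicit values but nothing explains why; since three of them vanish under `#ifdef`, the fixed numbering is what keeps CR_CHECKSUM_SHA224..SHA512 (and the Python constants built from them) stable across both configurations, and a later cleanup could remove it. Add above `CR_CHECKSUM_UNKNOWN = 0`: `/* Values are fixed: 1-3 are reserved for the legacy hashes so the remaining enumerators keep their numbers when WITH_LEGACY_HASHES is off. */`. In a non-legacy build the values 1-3 have no enumerator, so any code that walks from CR_CHECKSUM_UNKNOWN + 1 to CR_CHECKSUM_SENTINEL would hit them; I cannot see such a loop in this diff, but the comment should warn against adding one.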
diff --git a/src/compression_wrapper.c b/src/compression_wrapper.c
index cb1fd24..15e9e38 100644
--- a/src/compression_wrapper.c
+++ b/src/compression_wrapper.c
@@ -303,10 +303,12 @@ cr_cktype_from_zck(zckCtx *zck, GError **err)
"Unable to read hash from zchunk file");
return CR_CHECKSUM_UNKNOWN;
}
- if (cktype == ZCK_HASH_SHA1)
- return CR_CHECKSUM_SHA1;
- else if (cktype == ZCK_HASH_SHA256)
+ if (cktype == ZCK_HASH_SHA256)
return CR_CHECKSUM_SHA256;
+#ifdef WITH_LEGACY_HASHES
+ else if (cktype == ZCK_HASH_SHA1)
+ return CR_CHECKSUM_SHA1;
+#endif
else {
const char *ckname = zck_hash_name_from_type(cktype);
if (ckname == NULL)
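Review bot: A zchunk file hashed with SHA-1 now reaches the `else` branch in a non-legacy build, where the visible code looks up the hash name with zck_hash_name_from_type and presumably reports it as unsupported (the rest of that branch is outside the hunk). SHA-1 is the only zchunk hash the option removes, so the error on that path should say SHA-1 support was disabled at build time rather than just naming the hash, so a user hitting it knows to rebuild with `-DWITH_LEGACY_HASHES=ON` instead of suspecting a corrupt file. cr_cktype_from_zck starts above the hunk.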
diff --git a/src/python/createrepo_c/__init__.py b/src/python/createrepo_c/__init__.py
index f9289f8..0fc94f7 100644
--- a/src/python/createrepo_c/__init__.py
+++ b/src/python/createrepo_c/__init__.py
@@ -15,15 +15,13 @@ VERSION_PATCH = _createrepo_c.VERSION_PATCH #: Patch version
#: Version string
VERSION = u"%d.%d.%d" % (VERSION_MAJOR, VERSION_MINOR, VERSION_PATCH)
-UNKNOWN_CHECKSUM = _createrepo_c.CHECKSUM_UNKNOWN #: Checksum unknown
-CHECKSUM_UNKNOWN = _createrepo_c.CHECKSUM_UNKNOWN #: Checksum unknown
-MD5 = _createrepo_c.MD5 #: MD5 checksum
-SHA = _createrepo_c.SHA #: SHA1 checksum alias
-SHA1 = _createrepo_c.SHA1 #: SHA1 checksum
-SHA224 = _createrepo_c.SHA224 #: SHA224 checksum
-SHA256 = _createrepo_c.SHA256 #: SHA256 checksum
-SHA384 = _createrepo_c.SHA384 #: SHA384 checksum
-SHA512 = _createrepo_c.SHA512 #: SHA512 checksum
+UNKNOWN_CHECKSUM = _createrepo_c.CHECKSUM_UNKNOWN #: Checksum unknown
+CHECKSUM_UNKNOWN = _createrepo_c.CHECKSUM_UNKNOWN #: Checksum unknown
+
+for hash_name in ('MD5', 'SHA', 'SHA1', 'SHA224', 'SHA256', 'SHA384', 'SHA512'):
+ hash_attr = getattr(_createrepo_c, hash_name, None)
+ if hash_attr:
+ globals()[hash_name] = hash_attr
MODE_READ = _createrepo_c.MODE_READ #: Read open mode
MODE_WRITE = _createrepo_c.MODE_WRITE #: Write open mode
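Review bot: `if hash_attr:` tests truthiness, so a constant whose value is 0 would be silently dropped; none of the listed names is 0 in the header (CHECKSUM_UNKNOWN is handled separately), but the sentinel passed to getattr is None and the check should be `if hash_attr is not None:`. The loop also leaves `hash_name` and `hash_attr` in the package namespace; add `del hash_name, hash_attr` after it. The `#:` doc comments Sphinx used for MD5..SHA512 are lost with the loop, so a comment above it saying that MD5, SHA and SHA1 exist only when the extension was built with WITH_LEGACY_HASHES would tell users why `createrepo_c.SHA1` can raise AttributeError.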
diff --git a/src/python/createrepo_cmodule.c b/src/python/createrepo_cmodule.c
index 7bd4fc2..c0b9200 100644
--- a/src/python/createrepo_cmodule.c
+++ b/src/python/createrepo_cmodule.c
@@ -238,9 +238,11 @@ PyInit__createrepo_c(void)
/* Checksum types */
PyModule_AddIntConstant(m, "CHECKSUM_UNKNOWN", CR_CHECKSUM_UNKNOWN);
+#ifdef WITH_LEGACY_HASHES
PyModule_AddIntConstant(m, "MD5", CR_CHECKSUM_MD5);
PyModule_AddIntConstant(m, "SHA", CR_CHECKSUM_SHA);
PyModule_AddIntConstant(m, "SHA1", CR_CHECKSUM_SHA1);
+#endif
PyModule_AddIntConstant(m, "SHA224", CR_CHECKSUM_SHA224);
PyModule_AddIntConstant(m, "SHA256", CR_CHECKSUM_SHA256);
PyModule_AddIntConstant(m, "SHA384", CR_CHECKSUM_SHA384);
diff --git a/tests/test_checksum.c b/tests/test_checksum.c
index 93e6d13..84046ec 100644
--- a/tests/test_checksum.c
+++ b/tests/test_checksum.c
@@ -31,12 +31,14 @@ test_cr_checksum_file(void)
char *checksum;
GError *tmp_err = NULL;
+#ifdef WITH_LEGACY_HASHES
checksum = cr_checksum_file(TEST_EMPTY_FILE, CR_CHECKSUM_MD5, NULL);
g_assert_cmpstr(checksum, ==, "d41d8cd98f00b204e9800998ecf8427e");
g_free(checksum);
checksum = cr_checksum_file(TEST_EMPTY_FILE, CR_CHECKSUM_SHA1, NULL);
g_assert_cmpstr(checksum, ==, "da39a3ee5e6b4b0d3255bfef95601890afd80709");
g_free(checksum);
+#endif
checksum = cr_checksum_file(TEST_EMPTY_FILE, CR_CHECKSUM_SHA256, NULL);
g_assert_cmpstr(checksum, ==, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649"
"b934ca495991b7852b855");
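Review bot: Every legacy assertion is now fenced by `#ifdef WITH_LEGACY_HASHES`, but nothing checks that the default build actually refuses the weak algorithms, which is the property this commit exists to provide. Add an `#else` branch to the first fenced block with `g_assert_cmpint(cr_checksum_type("md5"), ==, CR_CHECKSUM_UNKNOWN);` and `g_assert_cmpint(cr_checksum_type("sha1"), ==, CR_CHECKSUM_UNKNOWN);` (cr_checksum_file cannot be called for them there since the enumerators do not exist in that configuration; this assumes checksum.h is included, as the cr_checksum_file calls suggest). test_cr_checksum_file continues outside the hunk.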
@@ -47,6 +49,7 @@ test_cr_checksum_file(void)
"7a81a538327af927da3e");
g_free(checksum);
+#ifdef WITH_LEGACY_HASHES
checksum = cr_checksum_file(TEST_TEXT_FILE, CR_CHECKSUM_MD5, &tmp_err);
g_assert_cmpstr(checksum, ==, "d6d4da5c15f8fe7570ce6ab6b3503916");
g_assert(!tmp_err);
@@ -55,6 +58,7 @@ test_cr_checksum_file(void)
g_assert_cmpstr(checksum, ==, "da048ee8fabfbef1b3d6d3f5a4be20029eecec77");
g_assert(!tmp_err);
g_free(checksum);
+#endif
checksum = cr_checksum_file(TEST_TEXT_FILE, CR_CHECKSUM_SHA256, &tmp_err);
g_assert_cmpstr(checksum, ==, "2f395bdfa2750978965e4781ddf224c89646c7d7a15"
"69b7ebb023b170f7bd8bb");
@@ -67,12 +71,14 @@ test_cr_checksum_file(void)
g_assert(!tmp_err);
g_free(checksum);
+#ifdef WITH_LEGACY_HASHES
checksum = cr_checksum_file(TEST_BINARY_FILE, CR_CHECKSUM_MD5, NULL);
g_assert_cmpstr(checksum, ==, "4f8b033d7a402927a20c9328fc0e0f46");
g_free(checksum);
checksum = cr_checksum_file(TEST_BINARY_FILE, CR_CHECKSUM_SHA1, NULL);
g_assert_cmpstr(checksum, ==, "3539fb660a41846352ac4fa9076d168a3c77070b");
g_free(checksum);
+#endif
checksum = cr_checksum_file(TEST_BINARY_FILE, CR_CHECKSUM_SHA256, NULL);
g_assert_cmpstr(checksum, ==, "bf68e32ad78cea8287be0f35b74fa3fecd0eaa91770"
"b48f1a7282b015d6d883e");
@@ -91,11 +97,13 @@ test_cr_checksum_file(void)
g_error_free(tmp_err);
tmp_err = NULL;
+#ifdef WITH_LEGACY_HASHES
checksum = cr_checksum_file(NON_EXIST_FILE, CR_CHECKSUM_MD5, &tmp_err);
g_assert(!checksum);
g_assert(tmp_err);
g_error_free(tmp_err);
tmp_err = NULL;
+#endif
}
@@ -104,6 +112,7 @@ test_cr_checksum_name_str(void)
{
const char *checksum_name;
+#ifdef WITH_LEGACY_HASHES
checksum_name = cr_checksum_name_str(CR_CHECKSUM_MD5);
g_assert_cmpstr(checksum_name, ==, "md5");
@@ -112,6 +121,7 @@ test_cr_checksum_name_str(void)
checksum_name = cr_checksum_name_str(CR_CHECKSUM_SHA1);
g_assert_cmpstr(checksum_name, ==, "sha1");
+#endif
checksum_name = cr_checksum_name_str(CR_CHECKSUM_SHA224);
g_assert_cmpstr(checksum_name, ==, "sha224");