zhangyiss/spack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Support MD5 with a warning when OpenSSL is compiled in FIPS mode (#7531)

Browse Source 
* This allows Spack to work with MD5 hashes on machines with openssl in FIPS mode.
* We are still using MD5 for validation in many places, and a later PR will replace all uses of MD5 with SHA256.
* This is a quick fix until that happens.
This commit is contained in:
scheibelp 2018-03-21 14:11:54 -07:00 committed by Todd Gamblin
parent 6127b02324
commit e8a0637606
1 changed files with 48 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
lib/spack/spack/util/crypto.py
View File

@ -25,17 +25,62 @@
import sys import sys
import hashlib import hashlib
import llnl.util.tty as tty
"""Set of acceptable hashes that Spack will use.""" """Set of acceptable hashes that Spack will use."""
hashes = dict((h, getattr(hashlib, h)) for h in [ _hash_algorithms = [
'md5', 'md5',
'sha1', 'sha1',
'sha224', 'sha224',
'sha256', 'sha256',
'sha384', 'sha384',
'sha512']) 'sha512']
_deprecated_hash_algorithms = ['md5']
hashes = dict()
"""Index for looking up hasher for a digest.""" """Index for looking up hasher for a digest."""
_size_to_hash = dict((h().digest_size, h) for h in hashes.values()) _size_to_hash = dict()
class DeprecatedHash(object):
def __init__(self, hash_alg, alert_fn, disable_security_check):
self.hash_alg = hash_alg
self.alert_fn = alert_fn
self.disable_security_check = disable_security_check
def __call__(self, disable_alert=False):
if not disable_alert:
self.alert_fn("Deprecation warning: {0} checksums will not be"
" supported in future Spack releases."
.format(self.hash_alg))
if self.disable_security_check:
return hashlib.new(self.hash_alg, usedforsecurity=False)
else:
return hashlib.new(self.hash_alg)
for h in _hash_algorithms:
try:
if h in _deprecated_hash_algorithms:
hash_gen = DeprecatedHash(
h, tty.debug, disable_security_check=False)
_size_to_hash[hash_gen(disable_alert=True).digest_size] = hash_gen
else:
hash_gen = getattr(hashlib, h)
_size_to_hash[hash_gen().digest_size] = hash_gen
hashes[h] = hash_gen
except ValueError:
# Some systems may support the 'usedforsecurity' option so try with
# that (but display a warning when it is used)
hash_gen = DeprecatedHash(h, tty.warn, disable_security_check=True)
hashes[h] = hash_gen
_size_to_hash[hash_gen(disable_alert=True).digest_size] = hash_gen
def checksum(hashlib_algo, filename, **kwargs): def checksum(hashlib_algo, filename, **kwargs):