author | scheibelp <scheibel1@llnl.gov> | 2018-03-21 14:11:54 -0700 |
---|---|---|
committer | Todd Gamblin <tgamblin@llnl.gov> | 2018-03-21 14:11:54 -0700 |
commit | e8a063760668aed96a3b524207ba2cb1eb2fec66 (patch) | |
tree | aed9ab240318b8fd8a527f9de39d8cde17d2a5a5 /lib | |
parent | 6127b02324d0b7af4015dc0be68023a77ce852ad (diff) | |
Support MD5 with a warning when OpenSSL is compiled in FIPS mode (#7531)
* This allows Spack to work with MD5 hashes on machines with openssl in FIPS mode.
* We are still using MD5 for validation in many places, and a later PR will replace all uses of MD5 with SHA256.
* This is a quick fix until that happens.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/spack/spack/util/crypto.py | 51 |
1 files changed, 48 insertions, 3 deletions
diff --git a/lib/spack/spack/util/crypto.py b/lib/spack/spack/util/crypto.py
index 13262be551..28bc640d52 100644
--- a/lib/spack/spack/util/crypto.py
+++ b/lib/spack/spack/util/crypto.py
@@ -25,17 +25,62 @@
 import sys
 import hashlib
+import llnl.util.tty as tty
+
+
 """Set of acceptable hashes that Spack will use."""
-hashes = dict((h, getattr(hashlib, h)) for h in [
+_hash_algorithms = [
 'md5',
 'sha1',
 'sha224',
 'sha256',
 'sha384',
- 'sha512'])
+ 'sha512']
+
+
+_deprecated_hash_algorithms = ['md5']
+
+
+hashes = dict()
+
 """Index for looking up hasher for a digest."""
-_size_to_hash = dict((h().digest_size, h) for h in hashes.values())
+_size_to_hash = dict()
+
+
+class DeprecatedHash(object):
+ def __init__(self, hash_alg, alert_fn, disable_security_check):
+ self.hash_alg = hash_alg
+ self.alert_fn = alert_fn
+ self.disable_security_check = disable_security_check
+
+ def __call__(self, disable_alert=False):
+ if not disable_alert:
+ self.alert_fn("Deprecation warning: {0} checksums will not be"
+ " supported in future Spack releases."
+ .format(self.hash_alg))
+ if self.disable_security_check:
+ return hashlib.new(self.hash_alg, usedforsecurity=False)
+ else:
+ return hashlib.new(self.hash_alg)
+
+
+for h in _hash_algorithms:
+ try:
+ if h in _deprecated_hash_algorithms:
+ hash_gen = DeprecatedHash(
+ h, tty.debug, disable_security_check=False)
+ _size_to_hash[hash_gen(disable_alert=True).digest_size] = hash_gen
+ else:
+ hash_gen = getattr(hashlib, h)
+ _size_to_hash[hash_gen().digest_size] = hash_gen
+ hashes[h] = hash_gen
+ except ValueError:
+ # Some systems may support the 'usedforsecurity' option so try with
+ # that (but display a warning when it is used)
+ hash_gen = DeprecatedHash(h, tty.warn, disable_security_check=True)
+ hashes[h] = hash_gen
+ _size_to_hash[hash_gen(disable_alert=True).digest_size] = hash_gen
 def checksum(hashlib_algo, filename, **kwargs): |
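Review bot: The `except ValueError` handler in the `for h in _hash_algorithms` loop retries any algorithm that fails, not only those in `_deprecated_hash_algorithms`, and the retry itself is unguarded. On a hashlib build that does not accept the `usedforsecurity` keyword, `hash_gen(disable_alert=True)` would presumably raise `TypeError` inside the handler and break the module import, and a failing non-MD5 algorithm would be registered behind a misleading deprecation message. I would open the handler with `if h not in _deprecated_hash_algorithms: raise` and register the algorithm only after the retry's `digest_size` probe succeeds, skipping it otherwise. Because the commit message says MD5 is still used for validation, `disable_security_check=True` also deserves a comment stating that it deliberately bypasses the FIPS restriction and that a matching MD5 digest only detects accidental corruption, since MD5 is not collision-resistant.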