fips: work on fips enforced systems - v1 #345

45 changes: 19 additions & 26 deletions .github/workflows/tests.yml
Expand Up @@ -52,27 +52,19 @@ jobs:
- name: Python 3 integration tests
run: PYTHONPATH=. python3 ./tests/integration_tests.py

centos-7:
name: CentOS 7
fedora-40:
name: Fedora 40
runs-on: ubuntu-latest
container: centos:7
container: fedora:40
steps:
- run: yum -y install epel-release
- run: |
yum -y install \
python2-pytest \
python2-pyyaml \
python36-pytest \
python36-yaml
- uses: actions/checkout@v1

- name: Python 2 unit tests
run: PYTHONPATH=. py.test-2.7
- name: Python 2 integration tests
run: PYTHONPATH=. python2 ./tests/integration_tests.py

dnf -y install \
python3 \
python3-pytest \
python3-pyyaml
- uses: actions/checkout@v4
- name: Python 3 unit tests
run: PYTHONPATH=. py.test-3
run: PYTHONPATH=. pytest-3
- name: Python 3 integration tests
run: PYTHONPATH=. python3 ./tests/integration_tests.py

Expand All @@ -92,17 +84,17 @@ jobs:
- name: Python 3 integration tests
run: PYTHONPATH=. python3 ./tests/integration_tests.py

fedora-38:
name: Fedora 38
ubuntu-2404:
name: Ubuntu 24.04
runs-on: ubuntu-latest
container: fedora:38
container: ubuntu:24.04
steps:
- run: apt update
- run: |
dnf -y install \
python3 \
apt -y install \
python3-pytest \
python3-pyyaml
- uses: actions/checkout@v2
python3-yaml
- uses: actions/checkout@v1
- name: Python 3 unit tests
run: PYTHONPATH=. pytest-3
- name: Python 3 integration tests
Expand Down Expand Up @@ -234,9 +226,10 @@ jobs:
name: MacOS Latest
runs-on: macos-latest
steps:
- run: PATH="/usr/local/opt/python/libexec/bin:$PATH" >> $GITHUB_ENV
- run: brew install python
- run: pip3 install PyYAML
- run: pip3 install pytest
- run: brew install PyYAML
- run: pip3 install --break-system-packages pytest
- uses: actions/checkout@v1
- run: PYTHONPATH=. python3 -m pytest
- run: PYTHONPATH=. python3 ./tests/integration_tests.py
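Review bot: The checkout action is pinned inconsistently across the new jobs: Fedora 40 moves to `actions/checkout@v4` (L67) while the Ubuntu 24.04 and macOS jobs end up on `actions/checkout@v1` (L95, L109), which, if I am reading the old/new sides correctly, is a step back from the `@v2` the Fedora 38 job had (L93). `@v1` runs on a retired Node runtime and every one of these is a mutable tag, so use the same major everywhere and preferably pin to a full commit SHA with the tag in a trailing comment, e.g. `- uses: actions/checkout@<full-sha> # v4`. On macOS, `pip3 install --break-system-packages pytest` (L108) pulls whatever pytest is latest on PyPI into the Homebrew-managed interpreter on every run; pinning it (`pip3 install --break-system-packages "pytest==<version>"`) keeps the job reproducible and narrows the supply-chain surface. The `brew install PyYAML` line (L107) differs from how every other job obtains PyYAML, so it is worth confirming that formula name actually resolves on the runner rather than relying on the job to surface it.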
11 changes: 5 additions & 6 deletions suricata/update/main.py
Expand Up @@ -114,8 +114,7 @@ def check_checksum(self, tmp_filename, url, checksum_url=None):
if not isinstance(checksum_url, str):
checksum_url = url[0] + ".md5"
net_arg=(checksum_url,url[1])
local_checksum = hashlib.md5(
open(tmp_filename, "rb").read()).hexdigest().strip()
local_checksum = util.md5_hexdigest(open(tmp_filename, "rb").read())
remote_checksum_buf = io.BytesIO()
logger.info("Checking %s." % (checksum_url))
net.get(net_arg, remote_checksum_buf)
Expand Down Expand Up @@ -154,7 +153,7 @@ def url_basename(self, url):
return filename

def get_tmp_filename(self, url):
url_hash = hashlib.md5(url.encode("utf-8")).hexdigest()
url_hash = util.md5_hexdigest(url.encode("utf-8"))
return os.path.join(
config.get_cache_dir(),
"%s-%s" % (url_hash, self.url_basename(url)))
Expand Down Expand Up @@ -470,7 +469,7 @@ def handle_dataset_files(rule, dep_files):
return
dataset_contents = dep_files[source_filename]

source_filename_hash = hashlib.md5(source_filename.encode()).hexdigest()
source_filename_hash = util.md5_hexdigest(source_filename.encode())
new_rule = re.sub(r"(dataset.*?load\s+){}".format(dataset_filename), r"\g<1>datasets/{}".format(source_filename_hash), rule.format())
dest_filename = os.path.join(config.get_output_dir(), "datasets", source_filename_hash)
dest_dir = os.path.dirname(dest_filename)
Expand Down Expand Up @@ -783,7 +782,7 @@ def md5(self, filename):
if not os.path.exists(filename):
return ""
else:
return hashlib.md5(open(filename, "rb").read()).hexdigest()
return util.md5_hexdigest(open(filename, "rb").read())

def any_modified(self):
for filename in self.hashes:
Expand Down Expand Up @@ -1000,7 +999,7 @@ def load_sources(suricata_version):
for url in urls:

# To de-duplicate filenames, add a prefix that is a hash of the URL.
prefix = hashlib.md5(url[0].encode()).hexdigest()
prefix = util.md5_hexdigest(url[0].encode())
source_files = Fetch().run(url)
for key in source_files:
content = source_files[key]
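Review bot: Routing `check_checksum` (first hunk, L115–L123; the function's body begins and ends outside the hunk) through a helper that flags MD5 as `usedforsecurity=False` is only honest if the comparison is documented as a corruption check, and nothing in the hunk says so: the `.md5` file is fetched from the same origin as the payload (`url[0] + ".md5"`, L116), so it cannot detect tampering by whoever controls that origin or the transport. I would add above L120: `# MD5 here only detects transfer corruption; the .md5 comes from the same origin as the payload, so it is not an authenticity check (hence usedforsecurity=False).` Separately, L120 and L147 keep the `open(tmp_filename, "rb").read()` pattern that never closes the handle; `with open(tmp_filename, "rb") as f:` followed by `local_checksum = util.md5_hexdigest(f.read())` closes it deterministically, and the same applies to the `md5` method at L147. The other hunks (cache filenames, dataset names, source prefixes) are genuine non-security uses and need no further comment.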
11 changes: 7 additions & 4 deletions suricata/update/util.py
Expand Up @@ -22,15 +22,18 @@
import atexit
import shutil
import zipfile
import sys

def md5_hexdigest(filename):
""" Compute the MD5 checksum for the contents of the provided filename.

:param filename: Filename to computer MD5 checksum of.
def md5_hexdigest(buf):
""" Compute the MD5 checksum for the provided buffer.

:returns: A string representing the hex value of the computed MD5.
"""
return hashlib.md5(open(filename).read().encode()).hexdigest()
if sys.version_info.major < 3 or (sys.version_info.major == 3 and sys.version_info.minor < 9):
return hashlib.md5(buf).hexdigest().strip()
else:
return hashlib.md5(buf, usedforsecurity=False).hexdigest().strip()

def mktempdir(delete_on_exit=True):
""" Create a temporary directory that is removed on exit. """
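Review bot: The version gate at L179 selects the fallback by interpreter version rather than by whether `usedforsecurity` is accepted, so on a FIPS-enforced host whose interpreter is older than 3.9 but carries a backport of the keyword (enterprise distributions ship such patched 3.6 builds, as far as I know) the `hashlib.md5(buf)` branch at L180 still raises `ValueError` and the stated goal of the PR is not met there. Probing for the keyword with `try`/`except TypeError` covers both cases, makes `import sys` (L167) unnecessary, and lets the no-op `.strip()` on a hex digest go. The new docstring (L173–L177) also dropped the parameter line when the signature changed from a filename to a buffer; it should say what `buf` is and state why MD5 is being marked non-security, since that flag is a claim about every caller.

```python
def md5_hexdigest(buf):
    """ Compute the MD5 checksum for the provided buffer.

    MD5 is used by callers for cache keys, change detection and transfer
    corruption checks only, never for authenticity, so it is flagged as
    non-security for FIPS-enforced interpreters.

    :param buf: Bytes to hash.

    :returns: A string representing the hex value of the computed MD5.
    """
    try:
        # Python 3.9+ and interpreters that backported the keyword.
        return hashlib.md5(buf, usedforsecurity=False).hexdigest()
    except TypeError:
        # Older interpreters that do not know usedforsecurity.
        return hashlib.md5(buf).hexdigest()
```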
2 changes: 1 addition & 1 deletion tests/test_util.py
Expand Up @@ -30,4 +30,4 @@ def test_hexdigest(self):
test_file.flush()
self.assertEqual(
"120ea8a25e5d487bf68b5f7096440019",
util.md5_hexdigest(test_file.name))
util.md5_hexdigest(open(test_file.name).read().encode()))
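Review bot: The updated assertion at L194 reads the temp file back in text mode and re-encodes it, which both leaks the file handle and round-trips the bytes through the platform's default encoding and newline translation before hashing; the method's setup is outside the hunk so I cannot see what was written, but the expected digest only holds if that round trip is lossless. Reading the bytes directly avoids the question: `with open(test_file.name, "rb") as f:` then `self.assertEqual("120ea8a25e5d487bf68b5f7096440019", util.md5_hexdigest(f.read()))`. Since `md5_hexdigest` now takes a buffer, the temp file is arguably no longer needed at all and the test could hash the literal bytes it writes.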