bb25e9550b
md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/ This patch is to replace the instances of hashlib.md5() with this new encapsulation, adding an annotation indicating whether the usage is a security context or not. Reviewers need to pay particular attention as to whether the keyword parameter (usedforsecurity) is set correctly. Almost all instances of md5 usage appear to be to refer to etags, to do checksums, or to generate uuids for paths. I had hoped to update the bandit config to enable scanning for instances of md5 and bad algorithms, so that instances would not creep in in future, but I couldn't find the bandit config. With this patch (and the corresponding os-brick and oslo-versioned_object dependent changes) all the functional tests and alnmost all the unit tests pass on a FIPS enabled system. Issues I found were as follows: - Cinder appears to be using md5 in a security context in cinder/volume/drivers/synology/synology_common.py. If this is really the case, then we'll need to consider how to replace md5 in this usage. This case did not appear to exercised in the unit or functional tests I ran. - Cinder appears to use md5 in a security context in cinder/volume/drivers/stx/client.py, which resulted in the failed unit test cinder.tests.unit.volume.drivers.test_seagate.TestSeagateClient.test_login This was the only unit test that failed. Change-Id: I57ec3e7e99c78535fa8051d011d970adb7fb89ab Depends-On: https://review.opendev.org/#/c/756151 |
||
|---|---|---|
| api-ref/source | ||
| cinder | ||
| contrib/block-box | ||
| doc | ||
| etc/cinder | ||
| playbooks | ||
| rally-jobs | ||
| releasenotes | ||
| tools | ||
| .coveragerc | ||
| .gitignore | ||
| .gitreview | ||
| .pylintrc | ||
| .stestr.conf | ||
| .zuul.yaml | ||
| CONTRIBUTING.rst | ||
| HACKING.rst | ||
| LICENSE | ||
| README.rst | ||
| bindep.txt | ||
| driver-requirements.txt | ||
| lower-constraints.txt | ||
| mypy-files.txt | ||
| reno.yaml | ||
| requirements.txt | ||
| setup.cfg | ||
| setup.py | ||
| test-requirements.txt | ||
| tox.ini | ||
README.rst
OpenStack Cinder
OpenStack Cinder is a storage service for an open cloud computing service.
You can learn more about Cinder at:
Getting Started
If you'd like to run from the master branch, you can clone the git repo:
git clone https://opendev.org/openstack/cinder
If you'd like to contribute, please see the information in CONTRIBUTING.rst
You can raise bugs on Launchpad