Replace md5 for fips

md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.

md5 is allowed when in a non-security context.  There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.

In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.

Some downstream python versions already support this parameter.  To
support these versions, a new encapsulation of md5() has been added to
oslo_utils.  See https://review.opendev.org/#/c/750031/

In this case, md5 is used to generate fingerprints when ssh keys are
being generated and imported.  Without this patch, these operations
fail on FIPS enabled systems.

Change-Id: I1fe8e8bb181fa2a704eec38be09619e5a648f2f1
This commit is contained in:
Ade Lee 2021-01-28 14:21:48 -05:00
parent 6c0ceda365
commit 59986cfd4f

View File

@ -35,6 +35,7 @@ from cryptography.hazmat.primitives import serialization
from cryptography import x509
from oslo_concurrency import processutils
from oslo_log import log as logging
from oslo_utils.secretutils import md5
import paramiko
import nova.conf
@ -70,10 +71,7 @@ def generate_fingerprint(public_key: str) -> str:
serialization.load_ssh_public_key(
pub_bytes, backends.default_backend())
pub_data = base64.b64decode(public_key.split(' ')[1])
digest = hashes.Hash(hashes.MD5(), backends.default_backend())
digest.update(pub_data)
md5hash = digest.finalize()
raw_fp = binascii.hexlify(md5hash).decode('ascii')
raw_fp = md5(pub_data, usedforsecurity=False).hexdigest()
return ':'.join(a + b for a, b in zip(raw_fp[::2], raw_fp[1::2]))
except Exception:
raise exception.InvalidKeypair(