Replace md5 for fips
md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed.

See https://bugs.python.org/issue9216 for more details.

Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/

In this case, md5 is used to generate fingerprints when ssh keys are being generated and imported. Without this patch, these operations fail on FIPS-enabled systems.

Change-Id: I1fe8e8bb181fa2a704eec38be09619e5a648f2f1
parent 6c0ceda365
commit 59986cfd4f
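The commit message describes the mechanism only in outline: a hashlib.md5() that takes usedforsecurity, a wrapper that tolerates interpreters without it, and an MD5 fingerprint for an ssh public key. The following is an added example written for this page, not nova's or oslo.utils' code, showing the same pattern end to end with the standard library only. The md5() shim (retry without the keyword on TypeError), the wire-format check in parse_openssh_public_key(), the colon formatting and the SHA256 variant are all this example's own choices, and the sample key line is constructed (an all-zero ssh-ed25519 blob), not a real key.

```python
"""Added example (not nova's or oslo.utils' code): a FIPS-tolerant md5()
wrapper in the style the commit message describes, plus the OpenSSH public
key fingerprinting it is used for. Standard library only."""
import base64
import hashlib
import struct


def md5(data=b"", usedforsecurity=True):
    """Return an MD5 hash object, passing usedforsecurity through where the
    interpreter accepts it (Python 3.9+, and downstream builds that carry the
    bpo-9216 patch). Interpreters that do not know the keyword raise
    TypeError, so retry without it. On such an interpreter in FIPS mode the
    plain constructor fails on its own, and that error is deliberately not
    swallowed: a hash that cannot be built must not be faked."""
    try:
        return hashlib.md5(data, usedforsecurity=usedforsecurity)
    except TypeError:
        return hashlib.md5(data)


def _ssh_string(data):
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Read one SSH wire-format string starting at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_openssh_public_key(line):
    """Split '<type> <base64 blob> [comment]' into (key_type, blob) and check
    that the blob's first wire string equals the declared type. This is a
    cheap stand-in for the full parse that load_ssh_public_key() performs."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type = parts[0]
    # validate=True makes stray characters a hard error instead of being skipped.
    blob = base64.b64decode(parts[1], validate=True)  # raises binascii.Error (a ValueError)
    declared, _ = _read_string(blob, 0)
    if declared.decode("ascii", "replace") != key_type:
        raise ValueError("declared type %r does not match blob type %r" % (key_type, declared))
    return key_type, blob


def is_well_formed(line):
    """True if parse_openssh_public_key() accepts the line, False otherwise."""
    try:
        parse_openssh_public_key(line)
    except ValueError:
        return False
    return True


def colon_format(hexdigest):
    """'900150...' -> '90:01:50:...', the layout of `ssh-keygen -l -E md5`."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_md5(line):
    """Legacy MD5 fingerprint. It is only a display identifier, never an
    integrity check, which is why usedforsecurity=False is appropriate."""
    _, blob = parse_openssh_public_key(line)
    return colon_format(md5(blob, usedforsecurity=False).hexdigest())


def fingerprint_sha256(line):
    """Modern fingerprint as printed by `ssh-keygen -l`: 'SHA256:' + unpadded base64."""
    _, blob = parse_openssh_public_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Constructed sample input: a syntactically valid ssh-ed25519 blob whose
# 32-byte key is all zeros. It is not a real key; it only lets the example run offline.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
SAMPLE_KEY_LINE = "ssh-ed25519 %s example@host" % base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    print(fingerprint_md5(SAMPLE_KEY_LINE))
    print(fingerprint_sha256(SAMPLE_KEY_LINE))
```

Two design points worth keeping in mind: the fallback in md5() only covers the keyword being unknown, so an interpreter that knows nothing of usedforsecurity and runs in FIPS mode still fails loudly rather than silently producing a fingerprint, and the MD5 and SHA256 fingerprints are both computed over the decoded blob (not the base64 text), which is what makes them match the values ssh-keygen prints for the same key.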
@ -35,6 +35,7 @@ from cryptography.hazmat.primitives import serialization
from cryptography import x509
from oslo_concurrency import processutils
from oslo_log import log as logging
from oslo_utils.secretutils import md5
import paramiko
import nova.conf
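Review bot: the diff shows no matching minimum-version bump for oslo.utils (requirements.txt / lower-constraints.txt) even though the commit message says the md5() encapsulation in oslo_utils is new; unless the floor is raised to the first oslo.utils release that ships secretutils.md5, `from oslo_utils.secretutils import md5` will fail with ImportError on installs that satisfy the current minimum. Also, with the hashes.Hash(hashes.MD5(), ...) and binascii.hexlify() calls gone from generate_fingerprint in the next hunk, check whether the `hashes` and `binascii` names still have users in this module; if not, drop their imports in this hunk as well or flake8 will flag them as unused.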
@ -70,10 +71,7 @@ def generate_fingerprint(public_key: str) -> str:
serialization.load_ssh_public_key(
pub_bytes, backends.default_backend())
pub_data = base64.b64decode(public_key.split(' ')[1])
digest = hashes.Hash(hashes.MD5(), backends.default_backend())
digest.update(pub_data)
md5hash = digest.finalize()
raw_fp = binascii.hexlify(md5hash).decode('ascii')
raw_fp = md5(pub_data, usedforsecurity=False).hexdigest()
return ':'.join(a + b for a, b in zip(raw_fp[::2], raw_fp[1::2]))
except Exception:
raise exception.InvalidKeypair(
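Review bot: the broad `except Exception:` that follows now also catches failures of the md5() wrapper itself, so on a FIPS-enabled host whose interpreter does not accept usedforsecurity the error from instantiating MD5 is reported to the user as InvalidKeypair, which misdescribes the problem (the key is fine; the hash is unavailable). Suggest moving `raw_fp = md5(pub_data, usedforsecurity=False).hexdigest()` and the join out of the try block, or narrowing the except to the decode and load_ssh_public_key() errors it is meant for. A one-line comment stating why usedforsecurity=False is correct here (the fingerprint is a display identifier, and the key was already validated by load_ssh_public_key() above) would also save the next reader from re-deriving it.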