From 59986cfd4f1155603fcf3a87270612e17037e92e Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Thu, 28 Jan 2021 14:21:48 -0500
Subject: [PATCH] Replace md5 for fips
md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/ In this case, md5 is used to generate fingerprints when ssh keys are being generated and imported. Without this patch, these operations fail on FIPS enabled systems.
Change-Id: I1fe8e8bb181fa2a704eec38be09619e5a648f2f1
---
 nova/crypto.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/nova/crypto.py b/nova/crypto.py
index 05d6196c4114..7df12f396d74 100644
--- a/nova/crypto.py
+++ b/nova/crypto.py
@@ -35,6 +35,7 @@ from cryptography.hazmat.primitives import serialization
 from cryptography import x509
 from oslo_concurrency import processutils
 from oslo_log import log as logging
+from oslo_utils.secretutils import md5
 import paramiko
 import nova.conf 
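Review bot: The added `from oslo_utils.secretutils import md5` makes nova.crypto importable only against an oslo.utils release that ships secretutils.md5, yet the diffstat shows a single file changed, so no minimum version is raised in requirements.txt (or lower-constraints.txt, if maintained) by this commit. If the current floor predates that helper (the message points at review 750031 for where it landed), `import nova.crypto` raises ImportError at service start instead of failing only inside generate_fingerprint. Pin the oslo.utils lower bound to [version that introduced secretutils.md5] in the same change so the dependency travels with the code that needs it.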
@@ -70,10 +71,7 @@ def generate_fingerprint(public_key: str) -> str:
 serialization.load_ssh_public_key(
 pub_bytes, backends.default_backend())
 pub_data = base64.b64decode(public_key.split(' ')[1])
- digest = hashes.Hash(hashes.MD5(), backends.default_backend())
- digest.update(pub_data)
- md5hash = digest.finalize()
- raw_fp = binascii.hexlify(md5hash).decode('ascii')
+ raw_fp = md5(pub_data, usedforsecurity=False).hexdigest()
 return ':'.join(a + b for a, b in zip(raw_fp[::2], raw_fp[1::2]))
 except Exception:
 raise exception.InvalidKeypair(
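Review bot: The new `raw_fp = md5(pub_data, usedforsecurity=False).hexdigest()` line should carry a why-comment, because MD5 in a module named crypto will keep drawing security-review questions: `# MD5 is the conventional SSH key fingerprint format, not a security digest; usedforsecurity=False keeps it available under FIPS.` The four removed lines were the only visible users of `hashes.MD5`/`hashes.Hash` and `binascii.hexlify`; if nothing else in nova/crypto.py references `hashes` or `binascii`, those imports (declared above the first hunk, outside this view) are now dead and the flake8 gate will likely reject them. generate_fingerprint's body starts before this hunk and continues after it, so the `try` that the visible `except Exception:` closes is not shown here.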