Replace md5 with oslo version
md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/ This patch is to replace the instances of hashlib.md5() with this new encapsulation, adding an annotation indicating whether the usage is a security context or not. The instances being replaced here appear to be used to provide representations for paths. There is in fact already a sha256 version of get_hash_str that is supposed to be used in security sensitive usages. With this change (and the related dependent changes), the unit and functional tests pass when run on a FIPS enabled system. Change-Id: If0ec11e7b7fcde4dacc57265c4dd77b0f536bfab Depends-On: https://review.opendev.org/#/c/756432 Depends-On: https://review.opendev.org/#/c/756153 Depends-On: https://review.opendev.org/#/c/760160
parent
7dcc4cfea7
commit
c82ce37635
|
@ -83,7 +83,7 @@ oslo.rootwrap==5.8.0
|
|||
oslo.serialization==2.21.1
|
||||
oslo.service==1.40.1
|
||||
oslo.upgradecheck==0.1.1
|
||||
oslo.utils==4.5.0
|
||||
oslo.utils==4.7.0
|
||||
oslo.versionedobjects==1.35.0
|
||||
oslo.vmware==2.17.0
|
||||
oslotest==3.8.0
|
||||
|
|
|
@ -17,11 +17,11 @@
|
|||
Helpers for filesystem related routines.
|
||||
"""
|
||||
|
||||
import hashlib
|
||||
import six
|
||||
|
||||
from oslo_concurrency import processutils
|
||||
from oslo_log import log as logging
|
||||
from oslo_utils.secretutils import md5
|
||||
|
||||
import nova.privsep
|
||||
|
||||
|
@ -284,7 +284,7 @@ def _get_hash_str(base_str):
|
|||
"""
|
||||
if isinstance(base_str, six.text_type):
|
||||
base_str = base_str.encode('utf-8')
|
||||
return hashlib.md5(base_str).hexdigest()
|
||||
return md5(base_str, usedforsecurity=False).hexdigest()
|
||||
|
||||
|
||||
def get_file_extension_for_os_type(os_type, default_ephemeral_format,
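Review bot: The `usedforsecurity=False` annotation on the new return line of `_get_hash_str` is asserted with no comment recording why this digest is non-security, and the same applies to the public `get_hash_str` changed in the later hunk at `@ -786,7 +787,7`. The flag exempts the call from the FIPS restriction for every present and future caller, so the function itself should state what the digest may be used for. The commit message says the uses only "appear" to be path representations, which is worth confirming per caller. I would add above each return something like `# MD5 only derives a stable name here, never an integrity or authentication value; use the SHA-256 helper for those.` Both docstrings begin outside their hunks, so the sentence may fit better there.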
|
||||
|
|
|
@ -13,7 +13,6 @@
|
|||
# under the License.
|
||||
|
||||
import datetime
|
||||
import hashlib
|
||||
import os
|
||||
import os.path
|
||||
import tempfile
|
||||
|
@ -31,6 +30,7 @@ from oslo_context import context as common_context
|
|||
from oslo_context import fixture as context_fixture
|
||||
from oslo_utils import encodeutils
|
||||
from oslo_utils import fixture as utils_fixture
|
||||
from oslo_utils.secretutils import md5
|
||||
import six
|
||||
|
||||
from nova import context
|
||||
|
@ -203,7 +203,7 @@ class GenericUtilsTestCase(test.NoDBTestCase):
|
|||
def test_get_hash_str(self):
|
||||
base_str = b"foo"
|
||||
base_unicode = u"foo"
|
||||
value = hashlib.md5(base_str).hexdigest()
|
||||
value = md5(base_str, usedforsecurity=False).hexdigest()
|
||||
self.assertEqual(
|
||||
value, utils.get_hash_str(base_str))
|
||||
self.assertEqual(
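Review bot: `test_get_hash_str` now builds its expected value with the same `md5(base_str, usedforsecurity=False)` wrapper that `utils.get_hash_str` calls, so the assertion can no longer detect a change in what that wrapper returns. Comparing against a literal known-answer hex digest for `b"foo"` would keep the test independent of oslo.utils and still run on a FIPS-enabled host, e.g. `value = '<md5 hex digest of b"foo">'` with the constant filled in. The remainder of the test method lies outside the hunk.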
|
||||
|
|
|
@ -43,6 +43,7 @@ import oslo_messaging as messaging
|
|||
from oslo_utils import encodeutils
|
||||
from oslo_utils import excutils
|
||||
from oslo_utils import importutils
|
||||
from oslo_utils.secretutils import md5
|
||||
from oslo_utils import strutils
|
||||
from oslo_utils import timeutils
|
||||
import six
|
||||
|
@ -786,7 +787,7 @@ def get_hash_str(base_str):
|
|||
"""
|
||||
if isinstance(base_str, six.text_type):
|
||||
base_str = base_str.encode('utf-8')
|
||||
return hashlib.md5(base_str).hexdigest()
|
||||
return md5(base_str, usedforsecurity=False).hexdigest()
|
||||
|
||||
|
||||
def get_sha256_str(base_str):
|
||||
|
|
|
@ -40,7 +40,7 @@ oslo.log>=3.36.0 # Apache-2.0
|
|||
oslo.reports>=1.18.0 # Apache-2.0
|
||||
oslo.serialization!=2.19.1,>=2.21.1 # Apache-2.0
|
||||
oslo.upgradecheck>=0.1.1
|
||||
oslo.utils>=4.5.0 # Apache-2.0
|
||||
oslo.utils>=4.7.0 # Apache-2.0
|
||||
oslo.db>=4.44.0 # Apache-2.0
|
||||
oslo.rootwrap>=5.8.0 # Apache-2.0
|
||||
oslo.messaging>=10.3.0 # Apache-2.0
|
||||
|
|