Replace md5 with oslo version
md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/ This patch is to replace the instances of hashlib.md5() with this new encapsulation, adding an annotation indicating whether the usage is a security context or not. In this case, md5 is computed as one of the object hashes for the purposes of object versioning. Change-Id: Idf36897d690a20d23123950618643d0b9e085f6c Depends-On: https://review.opendev.org/#/c/760160
This commit is contained in:
parent
e8b3a90978
commit
9f0f31eb8b
@ -35,7 +35,7 @@ oslo.messaging==5.29.0
|
||||
oslo.middleware==3.31.0
|
||||
oslo.serialization==2.18.0
|
||||
oslo.service==1.24.0
|
||||
oslo.utils==3.33.0
|
||||
oslo.utils==4.7.0
|
||||
oslotest==3.2.0
|
||||
Paste==2.0.2
|
||||
PasteDeploy==1.5.0
|
||||
|
@ -24,12 +24,12 @@ from collections import namedtuple
|
||||
from collections import OrderedDict
|
||||
import copy
|
||||
import datetime
|
||||
import hashlib
|
||||
import inspect
|
||||
import logging
|
||||
from unittest import mock
|
||||
|
||||
import fixtures
|
||||
from oslo_utils.secretutils import md5
|
||||
from oslo_utils import versionutils as vutils
|
||||
|
||||
from oslo_versionedobjects import base
|
||||
@ -271,8 +271,9 @@ class ObjectVersionChecker(object):
|
||||
if extra_data_func:
|
||||
relevant_data += extra_data_func(obj_class)
|
||||
|
||||
fingerprint = '%s-%s' % (obj_class.VERSION, hashlib.md5(
|
||||
bytes(repr(relevant_data).encode())).hexdigest())
|
||||
fingerprint = '%s-%s' % (obj_class.VERSION, md5(
|
||||
bytes(repr(relevant_data).encode()),
|
||||
usedforsecurity=False).hexdigest())
|
||||
return fingerprint
|
||||
|
||||
def get_hashes(self, extra_data_func=None):
|
||||
|
@ -0,0 +1,4 @@
|
||||
---
|
||||
features:
|
||||
- Updated _get_fingerprint to use new oslo.utils encapsulation of md5 to
|
||||
allow md5 hashes to be returned on a FIPS enabled system.
|
@ -6,7 +6,7 @@ oslo.config>=5.2.0 # Apache-2.0
|
||||
oslo.context>=2.19.2 # Apache-2.0
|
||||
oslo.messaging>=5.29.0 # Apache-2.0
|
||||
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
|
||||
oslo.utils>=3.33.0 # Apache-2.0
|
||||
oslo.utils>=4.7.0 # Apache-2.0
|
||||
iso8601>=0.1.11 # MIT
|
||||
oslo.log>=3.36.0 # Apache-2.0
|
||||
oslo.i18n>=3.15.3 # Apache-2.0
|
||||
|
Loading…
Reference in New Issue
Block a user