Replace md5 with oslo version

md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.

md5 is allowed when in a non-security context.  There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.

In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.

Some downstream python versions already support this parameter.  To
support these versions, a new encapsulation of md5() has been added to
oslo_utils.  See https://review.opendev.org/#/c/750031/

This patch is to replace the instances of hashlib.md5() with this new
encapsulation, adding an annotation indicating whether the usage is
a security context or not.

In this case, md5 is computed as one of the object hashes for the
purposes of object versioning.

Change-Id: Idf36897d690a20d23123950618643d0b9e085f6c
Depends-On: https://review.opendev.org/#/c/760160
This commit is contained in:
Ade Lee 2020-10-01 10:40:31 -04:00
parent e8b3a90978
commit 9f0f31eb8b
4 changed files with 10 additions and 5 deletions

View File

@ -35,7 +35,7 @@ oslo.messaging==5.29.0
oslo.middleware==3.31.0
oslo.serialization==2.18.0
oslo.service==1.24.0
oslo.utils==3.33.0
oslo.utils==4.7.0
oslotest==3.2.0
Paste==2.0.2
PasteDeploy==1.5.0

View File

@ -24,12 +24,12 @@ from collections import namedtuple
from collections import OrderedDict
import copy
import datetime
import hashlib
import inspect
import logging
from unittest import mock
import fixtures
from oslo_utils.secretutils import md5
from oslo_utils import versionutils as vutils
from oslo_versionedobjects import base
@ -271,8 +271,9 @@ class ObjectVersionChecker(object):
if extra_data_func:
relevant_data += extra_data_func(obj_class)
fingerprint = '%s-%s' % (obj_class.VERSION, hashlib.md5(
bytes(repr(relevant_data).encode())).hexdigest())
fingerprint = '%s-%s' % (obj_class.VERSION, md5(
bytes(repr(relevant_data).encode()),
usedforsecurity=False).hexdigest())
return fingerprint
def get_hashes(self, extra_data_func=None):

View File

@ -0,0 +1,4 @@
---
features:
- Updated _get_fingerprint to use new oslo.utils encapsulation of md5 to
allow md5 hashes to be returned on a FIPS enabled system.

View File

@ -6,7 +6,7 @@ oslo.config>=5.2.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0
oslo.messaging>=5.29.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.utils>=3.33.0 # Apache-2.0
oslo.utils>=4.7.0 # Apache-2.0
iso8601>=0.1.11 # MIT
oslo.log>=3.36.0 # Apache-2.0
oslo.i18n>=3.15.3 # Apache-2.0