From 9f0f31eb8b6953bdd299e34658644142bedfc1e8 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 1 Oct 2020 10:40:31 -0400
Subject: [PATCH] Replace md5 with oslo version md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/ This patch is to replace the instances of hashlib.md5() with this new encapsulation, adding an annotation indicating whether the usage is a security context or not. In this case, md5 is computed as one of the object hashes for the purposes of object versioning.
Change-Id: Idf36897d690a20d23123950618643d0b9e085f6c
Depends-On: https://review.opendev.org/#/c/760160
---
 lower-constraints.txt | 2 +-
 oslo_versionedobjects/fixture.py | 7 ++++---
 .../notes/update_md5_for_fips-e5a8f8f438ac81fb.yaml | 4 ++++
 requirements.txt | 2 +-
 4 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/update_md5_for_fips-e5a8f8f438ac81fb.yaml
diff --git a/lower-constraints.txt b/lower-constraints.txt
index a1e990d1..4d20032f 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -35,7 +35,7 @@ oslo.messaging==5.29.0
 oslo.middleware==3.31.0
 oslo.serialization==2.18.0
 oslo.service==1.24.0
-oslo.utils==3.33.0
+oslo.utils==4.7.0
 oslotest==3.2.0
 Paste==2.0.2
 PasteDeploy==1.5.0
diff --git a/oslo_versionedobjects/fixture.py b/oslo_versionedobjects/fixture.py
index 960146b3..9661c70e 100644
--- a/oslo_versionedobjects/fixture.py
+++ b/oslo_versionedobjects/fixture.py
@@ -24,12 +24,12 @@ from collections import namedtuple
 from collections import OrderedDict
 import copy
 import datetime
-import hashlib
 import inspect
 import logging
 from unittest import mock
 import fixtures
+from oslo_utils.secretutils import md5
 from oslo_utils import versionutils as vutils
 from oslo_versionedobjects import base
@@ -271,8 +271,9 @@ class ObjectVersionChecker(object):
 if extra_data_func:
 relevant_data += extra_data_func(obj_class)
- fingerprint = '%s-%s' % (obj_class.VERSION, hashlib.md5(
- bytes(repr(relevant_data).encode())).hexdigest())
+ fingerprint = '%s-%s' % (obj_class.VERSION, md5(
+ bytes(repr(relevant_data).encode()),
+ usedforsecurity=False).hexdigest())
 return fingerprint
 def get_hashes(self, extra_data_func=None):
diff --git a/releasenotes/notes/update_md5_for_fips-e5a8f8f438ac81fb.yaml b/releasenotes/notes/update_md5_for_fips-e5a8f8f438ac81fb.yaml
new file mode 100644
index 00000000..fadd096e
--- /dev/null
+++ b/releasenotes/notes/update_md5_for_fips-e5a8f8f438ac81fb.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Updated _get_fingerprint to use new oslo.utils encapsulation of md5 to
+ allow md5 hashes to be returned on a FIPS enabled system.
diff --git a/requirements.txt b/requirements.txt
index 8eb7ca53..1235e455 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,7 +6,7 @@ oslo.config>=5.2.0 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
 oslo.messaging>=5.29.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
-oslo.utils>=3.33.0 # Apache-2.0
+oslo.utils>=4.7.0 # Apache-2.0
 iso8601>=0.1.11 # MIT
 oslo.log>=3.36.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0
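Review bot: The new import in the first hunk of oslo_versionedobjects/fixture.py, `from oslo_utils.secretutils import md5`, binds a bare `md5` name, so the call site further down reads like a plain hash constructor and nothing there shows that the oslo wrapper is in use. Importing the module instead, `from oslo_utils import secretutils`, and calling `secretutils.md5(...)` would match the neighbouring `from oslo_utils import versionutils as vutils`. It would also keep the wrapper visible at the point where `usedforsecurity=False` is passed.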
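Review bot: The `md5(..., usedforsecurity=False)` call in the second hunk of oslo_versionedobjects/fixture.py has no comment saying why this digest is outside a security context, which is what a FIPS audit of the call site will want to see. Going by the commit message the value is an object-versioning fingerprint, so a line above the assignment such as `# md5 is a change-detection fingerprint for object versioning, not an integrity or authentication check` would record that. The `bytes(...)` wrapper around `repr(relevant_data).encode()` is carried over from the old code and is redundant, since `encode()` already returns bytes. The enclosing method starts above the hunk, so how `relevant_data` is built is not visible here.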