Replace md5 with oslo version

md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.

md5 is allowed when in a non-security context.  There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.

In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.

Some downstream python versions already support this parameter.  To
support these versions, a new encapsulation of md5() has been added to
oslo_utils.  See https://review.opendev.org/#/c/750031/

This patch is to replace the instances of hashlib.md5() with this new
encapsulation, adding an annotation indicating whether the usage is
a security context or not.

In this case, md5 is computed as one of the object hashes for the
purposes of object versioning.

Change-Id: Idf36897d690a20d23123950618643d0b9e085f6c
Depends-On: https://review.opendev.org/#/c/760160
Ade Lee 2020-10-01 10:40:31 -04:00
parent e8b3a90978
commit 9f0f31eb8b
4 changed files with 10 additions and 5 deletions


@ -35,7 +35,7 @@ oslo.messaging==5.29.0
oslo.middleware==3.31.0 oslo.middleware==3.31.0
oslo.serialization==2.18.0 oslo.serialization==2.18.0
oslo.service==1.24.0 oslo.service==1.24.0
oslo.utils==3.33.0 oslo.utils==4.7.0
oslotest==3.2.0 oslotest==3.2.0
Paste==2.0.2 Paste==2.0.2
PasteDeploy==1.5.0 PasteDeploy==1.5.0


@ -24,12 +24,12 @@ from collections import namedtuple
from collections import OrderedDict from collections import OrderedDict
import copy import copy
import datetime import datetime
import hashlib
import inspect import inspect
import logging import logging
from unittest import mock from unittest import mock
import fixtures import fixtures
from oslo_utils.secretutils import md5
from oslo_utils import versionutils as vutils from oslo_utils import versionutils as vutils
from oslo_versionedobjects import base from oslo_versionedobjects import base
@ -271,8 +271,9 @@ class ObjectVersionChecker(object):
if extra_data_func: if extra_data_func:
relevant_data += extra_data_func(obj_class) relevant_data += extra_data_func(obj_class)
fingerprint = '%s-%s' % (obj_class.VERSION, hashlib.md5( fingerprint = '%s-%s' % (obj_class.VERSION, md5(
bytes(repr(relevant_data).encode())).hexdigest()) bytes(repr(relevant_data).encode()),
usedforsecurity=False).hexdigest())
return fingerprint return fingerprint
def get_hashes(self, extra_data_func=None): def get_hashes(self, extra_data_func=None):
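Review bot: The `usedforsecurity=False` argument on the new `md5(...)` call is a security assertion with no justification at the call site, so a later FIPS or crypto audit has to re-derive it from the commit message. A one-line comment above the `fingerprint = ...` assignment would record it, e.g. `# md5 only fingerprints the object definition to detect version changes; it is not a security control`. As a style point, `bytes(repr(relevant_data).encode())` wraps a value that is already bytes, so `repr(relevant_data).encode()` gives the same digest with less noise. The enclosing method (`_get_fingerprint`, going by the release note) starts above the hunk, so how `relevant_data` is built is not visible here.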


@ -0,0 +1,4 @@
---
features:
- Updated _get_fingerprint to use new oslo.utils encapsulation of md5 to
allow md5 hashes to be returned on a FIPS enabled system.


@ -6,7 +6,7 @@ oslo.config>=5.2.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0 oslo.context>=2.19.2 # Apache-2.0
oslo.messaging>=5.29.0 # Apache-2.0 oslo.messaging>=5.29.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.utils>=3.33.0 # Apache-2.0 oslo.utils>=4.7.0 # Apache-2.0
iso8601>=0.1.11 # MIT iso8601>=0.1.11 # MIT
oslo.log>=3.36.0 # Apache-2.0 oslo.log>=3.36.0 # Apache-2.0
oslo.i18n>=3.15.3 # Apache-2.0 oslo.i18n>=3.15.3 # Apache-2.0