openstack/python-novaclient
Code Issues Proposed changes

Use SHA256 instead of MD5 in completion cache

Browse Source 
FIPS 140 are U.S. government computer security standards that specify
requirements for cryptography modules. MD5 is not FIPS compliant [1].
Previously, MD5 was used as the hash algorithm for the bash completion
cache. Hosts running in FIPS mode [2] block execution of the MD5 hash.
This makes python-novaclient unusable on FIPS-enabled machines. This
patch replaces MD5 with SHA256, which is FIPS compliant.

[1] https://csrc.nist.gov/projects/hash-functions
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations

Change-Id: Ia8750bc27aa9a2cfafb6f4f49252f5bd81bc1a40
This commit is contained in:
Artom Lifshitz 2019-05-09 14:34:35 -04:00
parent f7f5df9c1d
commit 2595bac229
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
novaclient/base.py
View File

@ -307,8 +307,8 @@ class Manager(HookableMixin):
# endpoint pair # endpoint pair
username = utils.env('OS_USERNAME', 'NOVA_USERNAME') username = utils.env('OS_USERNAME', 'NOVA_USERNAME')
url = utils.env('OS_URL', 'NOVA_URL') url = utils.env('OS_URL', 'NOVA_URL')
uniqifier = hashlib.md5(username.encode('utf-8') + uniqifier = hashlib.sha256(username.encode('utf-8') +
url.encode('utf-8')).hexdigest() url.encode('utf-8')).hexdigest()
cache_dir = os.path.expanduser(os.path.join(base_dir, uniqifier)) cache_dir = os.path.expanduser(os.path.join(base_dir, uniqifier))