author | Ade Lee <alee@redhat.com> | 2020-09-04 15:55:31 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2020-09-16 16:47:07 -0400 |
commit | 603fa500c1a24ad8753b680b8d75468abbd3dd76 (patch) | |
tree | 237ca464a7f5946843ca69fbbee1f763db0268a1 /releasenotes | |
parent | 7c4a94c0c3fcbd8f05541944851728f30deadd9b (diff) | |
download | oslo-utils-603fa500c1a24ad8753b680b8d75468abbd3dd76.tar.gz |
Add function to encapsulate md5 for FIPS systems

For systems in FIPS mode, invocations of MD5 will fail. This occurs
even in cases where the MD5 is used in a non-cryptographical context,
e.g. for an etag in swift.

There is a proposal in Python to allow developers to mark these
non-crypto cases as valid through a new usedforsecurity keyword.
See https://bugs.python.org/issue9216.

Some downstream versions of python already implement this keyword.
To permit OpenStack to run in FIPS enabled systems with these versions
of python, we add a simple encapsulation of hashlib.md5() here.

Once the issue is resolved in upstream python, we can remove this
function.

Change-Id: I09433fea6ad6e6849677a93b269e24dec5c05b69
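
The approach the commit message describes, as an added example: this is not the code from this commit (the diff shown on this page is limited to the release note). The names `accepts_usedforsecurity`, `md5`, `etag` and the `factory` hook are assumptions made for illustration, and `fips_md5` / `legacy_md5` are constructed stand-ins for a FIPS-mode build that knows the keyword and an interpreter that does not.

```python
import hashlib


def accepts_usedforsecurity(factory):
    """Probe the constructor for the keyword instead of checking the
    interpreter version, because downstream builds backported it."""
    try:
        factory(b"", usedforsecurity=False)
    except TypeError:
        return False  # constructor does not know the keyword
    return True


def md5(data=b"", usedforsecurity=True, factory=hashlib.md5):
    """Return an MD5 hash object, forwarding the caller's intent when possible.

    The default stays True, so a call site must opt out of the security
    context explicitly. `factory` is a hypothetical hook used for testing.
    """
    if accepts_usedforsecurity(factory):
        return factory(data, usedforsecurity=usedforsecurity)
    return factory(data)  # keyword unsupported: plain call, flag is dropped


def etag(chunks, factory=hashlib.md5):
    """Non-cryptographic checksum over an iterable of byte chunks."""
    h = md5(usedforsecurity=False, factory=factory)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def fips_md5(data=b"", usedforsecurity=True):
    """Constructed stand-in: FIPS-mode build that supports the keyword."""
    if usedforsecurity:
        raise ValueError("md5 is disabled for security use in FIPS mode")
    return hashlib.md5(data)  # real digest, so results stay comparable


def legacy_md5(data=b""):
    """Constructed stand-in: interpreter without the keyword."""
    return hashlib.md5(data)


if __name__ == "__main__":
    for f in (hashlib.md5, fips_md5, legacy_md5):
        print(f.__name__, etag([b"hello ", b"world"], factory=f))
```

Call sites that really do use MD5 for security keep the default and continue to fail under FIPS, which is the intended outcome.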
Diffstat (limited to 'releasenotes')
-rw-r--r-- | releasenotes/notes/add-md5-wrapper-7bf81c2464a7a224.yaml | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/releasenotes/notes/add-md5-wrapper-7bf81c2464a7a224.yaml b/releasenotes/notes/add-md5-wrapper-7bf81c2464a7a224.yaml new file mode 100644 index 0000000..b28b120 --- /dev/null +++ b/releasenotes/notes/add-md5-wrapper-7bf81c2464a7a224.yaml @@ -0,0 +1,16 @@ +--- +features: + - | + A wrapper for hashlib.md5() has been added to allow OpenStack to run on + systems where FIPS is enabled. Under FIPS, md5 is disabled and calls to + hashlib.md5() will fail. In most cases in OpenStack, though, md5 is not + used within a security context. + + In https://bugs.python.org/issue9216, a proposal has been made to allow + the addition of a keyword parameter usedforsecurity, which can be used to + designate non-security context uses. In this case, md5() operations would + be permitted. This feature is expected to be delivered in python 3.9. + + Downstream python already supports this option, though. This wrapper + simply allows for this option to be supported where the underlying python + version supports it. |
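
Review bot: The features entry never names the wrapper or the module it lives in, so someone reading the release notes cannot tell what to call in place of hashlib.md5(); add the function's import path to the first paragraph. The last paragraph should also state what the wrapper does when the underlying Python lacks usedforsecurity, since a caller passing usedforsecurity=False on such a build needs to know whether the flag is silently dropped. Two smaller points: the note omits that the wrapper is meant to be temporary (the commit message says it can be removed once the upstream issue is resolved), and "expected to be delivered in python 3.9" will go stale, so consider wording it without the forecast.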