Add function to encapsule md5 for FIPS systems

For systems in FIPS mode, invocations of MD5 will fail.  This occurs
even in cases where the MD5 is used in a non-cryptographical context
eg. for an etag in swift.

There is a proposal in Python to allow developers to mark these
non-crypto cases as valid through a new usedforsecurity keyword.
See https://bugs.python.org/issue9216.

Some downstream versions of python already implement this keyword.
To permit OpenStack to run in FIPS enabled systems with these versions
of python, we add a simple encapsulation of hashlib.md5() here.

Once the issue is resolved in upstream python, we can remove this
function.

Change-Id: I09433fea6ad6e6849677a93b269e24dec5c05b69

1 files changed, 16 insertions, 0 deletions

diff --git a/releasenotes/notes/add-md5-wrapper-7bf81c2464a7a224.yaml b/releasenotes/notes/add-md5-wrapper-7bf81c2464a7a224.yaml
new file mode 100644
index 0000000..b28b120
--- /dev/null
+++ b/releasenotes/notes/add-md5-wrapper-7bf81c2464a7a224.yaml
@@ -0,0 +1,16 @@
+---
+features:
+  - |
+    A wrapper for hashlib.md5() has been added to allow OpenStack to run on
+    systems where FIPS is enabled.  Under FIPS, md5 is disabled and calls to
+    hashlib.md5() will fail.  In most cases in OpenStack, though, md5 is not
+    used within a security context.
+
+    In https://bugs.python.org/issue9216, a proposal has been made to allow
+    the addition of a keyword parameter usedforsecurity, which can be used to
+    designate non-security context uses.  In this case, md5() operations would
+    be permitted.  This feature is expected to be delivered in python 3.9.
+
+    Downstream python already supports this option, though.  This wrapper
+    simply allows for this option to be supported where the underlying python
+    version supports it.