Replace md5 for fips

md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.

md5 is allowed when it is used in a non-security context.  There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.

In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.

Some downstream python versions already support this parameter.  To
support these versions, a new encapsulation of md5() has been added to
oslo_utils.  See https://review.opendev.org/#/c/750031/

In this case, md5 is used to calculate the hash of a database record
to ensure record uniqueness.

Change-Id: Ic2571caa71dc99c417ea0933d5d4947287cbe312
(cherry picked from commit 7ea5643290)
Ade Lee 2021-06-25 16:10:59 -04:00 committed by Andre Aranha
parent 914b55a631
commit e1ee648fc0
3 changed files with 7 additions and 7 deletions


@ -14,9 +14,9 @@
# License for the specific language governing permissions and limitations
# under the License.
import time
import hashlib
from oslo_log import log as logging
from oslo_utils.secretutils import md5
from sqlalchemy import select, distinct, func
from sqlalchemy.sql.expression import or_
@ -799,11 +799,11 @@ class SQLAlchemyStorage(sqlalchemy_base.SQLAlchemy, storage_base.Storage):
"""
Calculates the hash of the record, used to ensure record uniqueness.
"""
md5 = hashlib.md5()
md5.update(("%s:%s" % (record.recordset_id,
record.data)).encode('utf-8'))
md5sum = md5(usedforsecurity=False)
md5sum.update(("%s:%s" % (record.recordset_id,
record.data)).encode('utf-8'))
return md5.hexdigest()
return md5sum.hexdigest()
def create_record(self, context, zone_id, recordset_id, record):
# Fetch the zone as we need the tenant_id
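Review bot: The new `md5sum = md5(usedforsecurity=False)` line asserts that a collision in this hash has no security consequence, but nothing in the hunk records why that holds. The digest covers `record.data`, which is presumably tenant-supplied, and the docstring says the hash enforces record uniqueness, so the assumption should be written down next to the call, for example `# MD5 is only a dedup key over "recordset_id:data"; a collision can at worst reject a record as a duplicate (confirm against the unique constraint)`. If that turns out not to hold, switching to SHA-256 would need a migration of the stored hashes and belongs in a separate change. The enclosing method starts above the hunk, so its signature and callers are not visible here.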


@ -83,7 +83,7 @@ oslo.rootwrap==5.8.0
oslo.serialization==2.25.0
oslo.service==1.31.0
oslo.upgradecheck==1.3.0
oslo.utils==4.5.0
oslo.utils==4.7.0
oslo.versionedobjects==1.31.2
oslotest==3.2.0
packaging==20.4


@ -20,7 +20,7 @@ oslo.rootwrap>=5.8.0 # Apache-2.0
oslo.serialization>=2.25.0 # Apache-2.0
oslo.service>=1.31.0 # Apache-2.0
oslo.upgradecheck>=1.3.0
oslo.utils>=4.5.0 # Apache-2.0
oslo.utils>=4.7.0 # Apache-2.0
oslo.versionedobjects>=1.31.2 # Apache-2.0
Paste>=2.0.2 # MIT
PasteDeploy>=1.5.0 # MIT