Replace md5 with oslo version

md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/ This patch is to replace the instances of hashlib.md5() with this new encapsulation, adding an annotation indicating whether the usage is a security context or not. In this case, md5 is computed as one of the object hashes for the purposes of object versioning. Change-Id: Idf36897d690a20d23123950618643d0b9e085f6c Depends-On: https://review.opendev.org/#/c/760160
2020-10-01 10:40:31 -04:00 · 2020-10-01 10:40:31 -04:00 · 9f0f31eb8b
parent e8b3a90978
commit 9f0f31eb8b
4 changed files with 10 additions and 5 deletions
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -35,7 +35,7 @@ oslo.messaging==5.29.0
 oslo.middleware==3.31.0
 oslo.serialization==2.18.0
 oslo.service==1.24.0
-oslo.utils==3.33.0
+oslo.utils==4.7.0
 oslotest==3.2.0
 Paste==2.0.2
 PasteDeploy==1.5.0
--- a/oslo_versionedobjects/fixture.py
+++ b/oslo_versionedobjects/fixture.py
@ -24,12 +24,12 @@ from collections import namedtuple
 from collections import OrderedDict
 import copy
 import datetime
-import hashlib
 import inspect
 import logging
 from unittest import mock

 import fixtures
+from oslo_utils.secretutils import md5
 from oslo_utils import versionutils as vutils

 from oslo_versionedobjects import base
@ -271,8 +271,9 @@ class ObjectVersionChecker(object):
        if extra_data_func:
            relevant_data += extra_data_func(obj_class)

-        fingerprint = '%s-%s' % (obj_class.VERSION, hashlib.md5(
-            bytes(repr(relevant_data).encode())).hexdigest())
+        fingerprint = '%s-%s' % (obj_class.VERSION, md5(
+            bytes(repr(relevant_data).encode()),
+            usedforsecurity=False).hexdigest())
        return fingerprint

    def get_hashes(self, extra_data_func=None):
--- a/releasenotes/notes/update_md5_for_fips-e5a8f8f438ac81fb.yaml
+++ b/releasenotes/notes/update_md5_for_fips-e5a8f8f438ac81fb.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - Updated _get_fingerprint to use new oslo.utils encapsulation of md5 to
+    allow md5 hashes to be returned on a FIPS enabled system.
--- a/requirements.txt
+++ b/requirements.txt
@ -6,7 +6,7 @@ oslo.config>=5.2.0 # Apache-2.0
 oslo.context>=2.19.2 # Apache-2.0
 oslo.messaging>=5.29.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
-oslo.utils>=3.33.0 # Apache-2.0
+oslo.utils>=4.7.0 # Apache-2.0
 iso8601>=0.1.11 # MIT
 oslo.log>=3.36.0 # Apache-2.0
 oslo.i18n>=3.15.3 # Apache-2.0