Use SHA256 instead of MD5 in completion cache

FIPS 140 are U.S. government computer security standards that specify requirements for cryptography modules. MD5 is not FIPS compliant [1]. Previously, MD5 was used as the hash algorithm for the bash completion cache. Hosts running in FIPS mode [2] block execution of the MD5 hash. This makes python-novaclient unusable on FIPS-enabled machines. This patch replaces MD5 with SHA256, which is FIPS compliant. [1] https://csrc.nist.gov/projects/hash-functions [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations Change-Id: Ia8750bc27aa9a2cfafb6f4f49252f5bd81bc1a40
2019-05-09 14:34:35 -04:00 · 2019-05-09 14:34:35 -04:00 · 2595bac229
parent f7f5df9c1d
commit 2595bac229
1 changed files with 2 additions and 2 deletions
--- a/novaclient/base.py
+++ b/novaclient/base.py
@ -307,8 +307,8 @@ class Manager(HookableMixin):
            # endpoint pair
            username = utils.env('OS_USERNAME', 'NOVA_USERNAME')
            url = utils.env('OS_URL', 'NOVA_URL')
-            uniqifier = hashlib.md5(username.encode('utf-8') +
-                                    url.encode('utf-8')).hexdigest()
+            uniqifier = hashlib.sha256(username.encode('utf-8') +
+                                       url.encode('utf-8')).hexdigest()

            cache_dir = os.path.expanduser(os.path.join(base_dir, uniqifier))