603fa500c1
For systems in FIPS mode, invocations of MD5 will fail. This occurs even in cases where the MD5 is used in a non-cryptographical context, e.g. for an etag in swift.

There is a proposal in Python to allow developers to mark these non-crypto cases as valid through a new usedforsecurity keyword. See https://bugs.python.org/issue9216.

Some downstream versions of python already implement this keyword. To permit OpenStack to run in FIPS enabled systems with these versions of python, we add a simple encapsulation of hashlib.md5() here. Once the issue is resolved in upstream python, we can remove this function.

Change-Id: I09433fea6ad6e6849677a93b269e24dec5c05b69
17 lines
773 B
YAML
---
features:
  - |
    A wrapper for hashlib.md5() has been added to allow OpenStack to run on
    systems where FIPS is enabled. Under FIPS, md5 is disabled and calls to
    hashlib.md5() will fail. In most cases in OpenStack, though, md5 is not
    used within a security context.

    In https://bugs.python.org/issue9216, a proposal has been made to allow
    the addition of a keyword parameter usedforsecurity, which can be used to
    designate non-security context uses. In this case, md5() operations would
    be permitted. This feature is expected to be delivered in python 3.9.

    Downstream python already supports this option, though. This wrapper
    simply allows for this option to be supported where the underlying python
    version supports it.
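An added example, not the wrapper from this commit and not OpenStack's own code, showing one way such an encapsulation of hashlib.md5() can pass usedforsecurity only where the interpreter accepts it. The names `md5`, `etag_for` and `_accepts_usedforsecurity` are assumptions made for illustration.

```python
import hashlib


def _accepts_usedforsecurity():
    """Probe once whether this interpreter's hashlib.md5() takes the keyword.

    An interpreter without the keyword rejects it with TypeError during
    argument parsing, before any digest is created.
    """
    try:
        hashlib.md5(b"", usedforsecurity=False)
    except TypeError:
        return False
    return True


_HAS_FLAG = _accepts_usedforsecurity()


def md5(data=b"", usedforsecurity=True):
    """Return an md5 hash object (hypothetical wrapper, not the project's).

    usedforsecurity defaults to True, so a caller must state explicitly
    that a given use is a non-security one. On an interpreter without the
    keyword the flag is dropped; on a FIPS host that call still fails,
    because the wrapper does not bypass the FIPS restriction.
    """
    if _HAS_FLAG:
        return hashlib.md5(data, usedforsecurity=usedforsecurity)
    return hashlib.md5(data)


def etag_for(chunks):
    """Compute an etag-style checksum over an iterable of byte chunks.

    This is the non-cryptographic case the release note describes: the
    digest identifies content and protects nothing.
    """
    digest = md5(usedforsecurity=False)
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed sample input.
    print(etag_for([b"hello ", b"world"]))
```

Because the default is `usedforsecurity=True`, a search for `usedforsecurity=False` lists every call site that has been declared non-security and can be reviewed as such.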