openstack/cinder
Code Issues Proposed changes
d9c90cf488
cinder/requirements.txt
Ade Lee bb25e9550b Replace md5 with oslo version 
md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.

md5 is allowed when in a non-security context.  There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.

In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.

Some downstream python versions already support this parameter.  To
support these versions, a new encapsulation of md5() has been added to
oslo_utils.  See https://review.opendev.org/#/c/750031/

This patch is to replace the instances of hashlib.md5() with this new
encapsulation, adding an annotation indicating whether the usage is
a security context or not.

Reviewers need to pay particular attention as to whether the keyword
parameter (usedforsecurity) is set correctly.  Almost all instances
of md5 usage appear to be to refer to etags, to do checksums, or to
generate uuids for paths.

I had hoped to update the bandit config to enable scanning for instances
of md5 and bad algorithms, so that instances would not creep in in future,
but I couldn't find the bandit config.

With this patch (and the corresponding os-brick and oslo-versioned_object
dependent changes) all the functional tests and alnmost all the unit tests
pass on a FIPS enabled system.

Issues I found were as follows:

- Cinder appears to be using md5 in a security context in
  cinder/volume/drivers/synology/synology_common.py.  If this is really
  the case, then we'll need to consider how to replace md5 in this usage.
  This case did not appear to exercised in the unit or functional tests I ran.

- Cinder appears to use md5 in a security context in
  cinder/volume/drivers/stx/client.py, which resulted in the failed unit test
  cinder.tests.unit.volume.drivers.test_seagate.TestSeagateClient.test_login
  This was the only unit test that failed.

Change-Id: I57ec3e7e99c78535fa8051d011d970adb7fb89ab
Depends-On: https://review.opendev.org/#/c/756151
2020-11-13 16:01:14 -05:00

67 lines
2.1 KiB
Plaintext
Raw Blame History

# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
pbr!=2.1.0,>=5.4.1 # Apache-2.0
decorator>=4.1.0 # BSD
eventlet>=0.26.0 # MIT
greenlet>=0.4.15 # MIT
httplib2>=0.9.1 # MIT
importlib_metadata>=1.7.0;python_version<'3.8' # Apache-2.0
iso8601>=0.1.12 # MIT
jsonschema>=3.2.0 # MIT
keystoneauth1>=3.14.0 # Apache-2.0
keystonemiddleware>=4.21.0 # Apache-2.0
lxml>=4.2.0 # BSD
oauth2client!=4.0.0,>=1.5.0 # Apache-2.0
oslo.config>=6.11.0 # Apache-2.0
oslo.concurrency>=3.26.0 # Apache-2.0
oslo.context>=2.23.0 # Apache-2.0
oslo.db>=6.0.0 # Apache-2.0
oslo.log>=4.3.0 # Apache-2.0
oslo.messaging>=6.4.0 # Apache-2.0
oslo.middleware>=3.31.0 # Apache-2.0
oslo.policy>=1.44.1 # Apache-2.0
oslo.privsep>=2.3.0 # Apache-2.0
oslo.reports>=1.18.0 # Apache-2.0
oslo.rootwrap>=5.8.0 # Apache-2.0
oslo.serialization>=2.25.0 # Apache-2.0
oslo.service>=2.0.0 # Apache-2.0
oslo.upgradecheck>=0.1.0 # Apache-2.0
oslo.utils>=4.7.0 # Apache-2.0
oslo.versionedobjects>=1.31.2 # Apache-2.0
osprofiler>=1.4.0 # Apache-2.0
packaging>=20.4
paramiko>=2.7.1 # LGPLv2.1+
Paste>=2.0.2 # MIT
PasteDeploy>=1.5.0 # MIT
psutil>=3.2.2 # BSD
pyparsing>=2.2.1 # MIT
python-barbicanclient>=4.9.0 # Apache-2.0
python-glanceclient>=2.15.0 # Apache-2.0
python-keystoneclient>=3.15.0 # Apache-2.0
python-novaclient>=9.1.0 # Apache-2.0
python-swiftclient>=3.2.0 # Apache-2.0
pytz>=2015.7 # MIT
requests>=2.18.0,!=2.20.0 # Apache-2.0
Routes>=2.3.1 # MIT
taskflow>=3.8.0 # Apache-2.0
rtslib-fb>=2.1.65 # Apache-2.0
six>=1.11.0 # MIT
SQLAlchemy>=1.3.0 # MIT
sqlalchemy-migrate>=0.13.0 # Apache-2.0
stevedore>=1.31.0 # Apache-2.0
tabulate>=0.8.5 # MIT
tenacity>=6.1.0 # Apache-2.0
WebOb>=1.7.1 # MIT
oslo.i18n>=3.24.0 # Apache-2.0
oslo.vmware>=2.35.0 # Apache-2.0
os-brick>=4.0.1 # Apache-2.0
os-win>=4.2.0 # Apache-2.0
tooz>=1.58.0 # Apache-2.0
google-api-python-client>=1.4.2 # Apache-2.0
castellan>=1.3.0 # Apache-2.0
cryptography>=2.1.4 # BSD/Apache-2.0
cursive>=0.2.1 # Apache-2.0
zstd>=1.4.5.0 # BSD
View Git Blame Copy Permalink