diff options
| author | Ade Lee <alee@redhat.com> | 2020-09-11 16:28:11 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2020-12-15 09:52:55 -0500 |
| commit | 5320ecbaf2c0e77842ab1ee3eb8106948dc06704 (patch) | |
| tree | 3d5fb4362e559fe811f426eae3640b20515ea0ae /swift/common/middleware/s3api/s3request.py | |
| parent | 36107b4a692d7cf63698dd831388193fb1eae51e (diff) | |
| download | swift-5320ecbaf2c0e77842ab1ee3eb8106948dc06704.tar.gz | |
replace md5 with swift utils version
md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.
md5 is allowed when in a non-security context. There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() is added to
swift/common/utils.py. This encapsulation is identical to the one being
added to oslo.utils, but is recreated here to avoid adding a dependency.
This patch is to replace the instances of hashlib.md5() with this new
encapsulation, adding an annotation indicating whether the usage is
a security context or not.
While this patch seems large, it is really just the same change over and
again. Reviewers need to pay particular attention as to whether the
keyword parameter (usedforsecurity) is set correctly. Right now, all
of them appear to be not used in a security context.
Now that all the instances have been converted, we can update the bandit
run to look for these instances and ensure that new invocations do not
creep in.
With this latest patch, the functional and unit tests all pass
on a FIPS enabled system.
Co-Authored-By: Pete Zaitcev
Change-Id: Ibb4917da4c083e1e094156d748708b87387f2d87
Diffstat (limited to 'swift/common/middleware/s3api/s3request.py')
| -rw-r--r-- | swift/common/middleware/s3api/s3request.py | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/swift/common/middleware/s3api/s3request.py b/swift/common/middleware/s3api/s3request.py index 384b64538..f3ae06307 100644 --- a/swift/common/middleware/s3api/s3request.py +++ b/swift/common/middleware/s3api/s3request.py @@ -17,7 +17,7 @@ import base64 import binascii from collections import defaultdict, OrderedDict from email.header import Header -from hashlib import sha1, sha256, md5 +from hashlib import sha1, sha256 import hmac import re import six @@ -26,7 +26,7 @@ from six.moves.urllib.parse import quote, unquote, parse_qsl import string from swift.common.utils import split_path, json, get_swift_info, \ - close_if_possible + close_if_possible, md5 from swift.common import swob from swift.common.http import HTTP_OK, HTTP_CREATED, HTTP_ACCEPTED, \ HTTP_NO_CONTENT, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN, HTTP_NOT_FOUND, \ @@ -866,7 +866,8 @@ class S3Request(swob.Request): raise InvalidRequest('Missing required header for this request: ' 'Content-MD5') - digest = base64.b64encode(md5(body).digest()).strip().decode('ascii') + digest = base64.b64encode(md5( + body, usedforsecurity=False).digest()).strip().decode('ascii') if self.environ['HTTP_CONTENT_MD5'] != digest: raise BadDigest(content_md5=self.environ['HTTP_CONTENT_MD5']) |