On Tue, Jan 17, 2017 at 10:11 AM, Yolanda Robla Mota <yrobl...@redhat.com> wrote:
> Hi, in previous threads, there have been discussions about enabling FIPS,
> and the problems we are hitting with md5 inside OpenStack:
> http://lists.openstack.org/pipermail/openstack-dev/2016-November/107035.html
>
> It is important from a security perspective to enable FIPS, however
> OpenStack cannot boot with that, because of the existence of md5 calls in
> several projects. These calls are not used for security, just for hash
> generation, but even with that, FIPS is blocking them.
>
> There is a patch proposed for newest versions of python, to avoid that
> problem. The idea is that when a hash method is called, users could specify
> if these are used for security or not. If the useforsecurity flag is set to
> False, FIPS won't block the call. See: http://bugs.python.org/issue9216
>
> This won't land until next versions of Python, however the patch is
> already in place for current RHEL and CentOS versions that are used in
> OpenStack deploys. Using that patch as a base, I have a proposal to allow
> FIPS enabling, at least in the distros that support it.
>
> The idea is to create a wrapper around md5, something like:
> md5_wrapper('string_to_hash', useforsecurity=False)
>
> This method will check the signature of hashlib.md5, and see if that's
> offering the useforsecurity parameter. If that's offered, it will pass the
> given parameter from the wrapper. If not, we will just call
> md5('string_to_hash').
>
> This gives us the possibility to whitelist all the md5 calls, and enabling
> FIPS kernel booting without problems. It will start to work for distros
> supporting it, and it will be ready to use generally when the patch lands
> in python upstream and other distros adopt it. At some point, when all
> projects are using newest python versions, this wrapper could disappear and
> use md5 useforsecurity parameter natively.
>
> The steps needed to achieve it are:
> - create a wrapper, place it on some existing project or create a new fips
>   one
> - search and replace all md5 calls used in OpenStack core projects, to
>   use that new wrapper. Note that all the md5 calls will be whitelisted by
>   default. We have not noted any md5 call that is used for security, but if
>   that exists, it shall be better to use other algorithms, in terms of
>   security.
>
> What do people think about it?
>

Sounds pragmatic to me. The other option explored was for projects to
migrate to sha2, but that transpired to be a huge challenge for some
projects that had complex functionality built up around md5. I see this as
a non-breaking way to allow FIPS compliant kernels, without throwing the
`baby out with the bath water`, as we use md5.

> Best
>
> --
> Yolanda Robla Mota
> NFV Partner Engineer
> yrobl...@redhat.com
> +34 605641639
>
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
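
One way to write the wrapper proposed in this thread, as an added example that is not code from the thread or from any OpenStack project. The names `accepts_usedforsecurity` and `md5_ctor`, the UTF-8 encoding of text input and the default of `True` are assumptions of this example; the keyword is spelled `usedforsecurity`, as `hashlib` exposes it in Python 3.9 and later.

```python
import functools
import hashlib
import inspect


@functools.lru_cache(maxsize=None)
def accepts_usedforsecurity(md5_ctor):
    """Return True if this md5 constructor takes the usedforsecurity keyword."""
    try:
        return "usedforsecurity" in inspect.signature(md5_ctor).parameters
    except (TypeError, ValueError):
        # Some C-implemented constructors expose no introspectable signature.
        # Probe instead, using the flag value that a FIPS-enabled build permits.
        try:
            md5_ctor(b"", usedforsecurity=False)
        except TypeError:
            return False
        return True


def md5_wrapper(data=b"", usedforsecurity=True, md5_ctor=hashlib.md5):
    """Create an md5 object, declaring whether the digest is security-relevant.

    The default stays True (the same default hashlib uses), so a call site
    must opt out explicitly; that keeps each whitelisted use visible in review.
    md5_ctor is a hypothetical injection point so both code paths can be tested.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")  # assumption: text input is hashed as UTF-8
    if accepts_usedforsecurity(md5_ctor):
        return md5_ctor(data, usedforsecurity=usedforsecurity)
    # Interpreter without the patch: the flag cannot be expressed, so fall
    # back to the plain call, as the proposal describes.
    return md5_ctor(data)


if __name__ == "__main__":
    # Non-security use (for example a cache key), whitelisted explicitly.
    print(md5_wrapper("string_to_hash", usedforsecurity=False).hexdigest())
```

With the default left at `True`, a call site that was not converted still fails under FIPS mode, which makes unreviewed md5 uses easy to find.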