From c82ce37635e397d0e3344ff99c971d92f06aa6c5 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 6 Oct 2020 14:02:33 -0400
Subject: [PATCH] Replace md5 with oslo version
md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added to oslo_utils. See https://review.opendev.org/#/c/750031/ This patch is to replace the instances of hashlib.md5() with this new encapsulation, adding an annotation indicating whether the usage is a security context or not. The instances being replaced here appear to be used to provide representations for paths. There is in fact already a sha256 version of get_hash_str that is supposed to be used in security sensitive usages. With this change (and the related dependent changes), the unit and functional tests pass when run on a FIPS enabled system.
Change-Id: If0ec11e7b7fcde4dacc57265c4dd77b0f536bfab
Depends-On: https://review.opendev.org/#/c/756432
Depends-On: https://review.opendev.org/#/c/756153
Depends-On: https://review.opendev.org/#/c/760160
---
lower-constraints.txt | 2 +-
nova/privsep/fs.py | 4 ++--
nova/tests/unit/test_utils.py | 4 ++--
nova/utils.py | 3 ++-
requirements.txt | 2 +-
5 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/lower-constraints.txt b/lower-constraints.txt
index 04af416aa6..5702e8b020 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -83,7 +83,7 @@ oslo.rootwrap==5.8.0
 oslo.serialization==2.21.1
 oslo.service==1.40.1
 oslo.upgradecheck==0.1.1
-oslo.utils==4.5.0
+oslo.utils==4.7.0
 oslo.versionedobjects==1.35.0
 oslo.vmware==2.17.0
 oslotest==3.8.0
diff --git a/nova/privsep/fs.py b/nova/privsep/fs.py
index 0c1cc94dc4..b5506449c6 100644
--- a/nova/privsep/fs.py
+++ b/nova/privsep/fs.py
@@ -17,11 +17,11 @@ Helpers for filesystem related routines.
 """
-import hashlib
 import six
 from oslo_concurrency import processutils
 from oslo_log import log as logging
+from oslo_utils.secretutils import md5
 import nova.privsep
@@ -284,7 +284,7 @@ def _get_hash_str(base_str):
     """
     if isinstance(base_str, six.text_type):
         base_str = base_str.encode('utf-8')
-    return hashlib.md5(base_str).hexdigest()
+    return md5(base_str, usedforsecurity=False).hexdigest()
 def get_file_extension_for_os_type(os_type, default_ephemeral_format,
diff --git a/nova/tests/unit/test_utils.py b/nova/tests/unit/test_utils.py
index e9930fcb7a..c6330cf3f6 100644
--- a/nova/tests/unit/test_utils.py
+++ b/nova/tests/unit/test_utils.py
@@ -13,7 +13,6 @@
 # under the License.
 import datetime
-import hashlib
 import os
 import os.path
 import tempfile
@@ -31,6 +30,7 @@ from oslo_context import context as common_context
 from oslo_context import fixture as context_fixture
 from oslo_utils import encodeutils
 from oslo_utils import fixture as utils_fixture
+from oslo_utils.secretutils import md5
 import six
 from nova import context
@@ -203,7 +203,7 @@ class GenericUtilsTestCase(test.NoDBTestCase):
     def test_get_hash_str(self):
         base_str = b"foo"
         base_unicode = u"foo"
-        value = hashlib.md5(base_str).hexdigest()
+        value = md5(base_str, usedforsecurity=False).hexdigest()
         self.assertEqual(
             value, utils.get_hash_str(base_str))
         self.assertEqual(
diff --git a/nova/utils.py b/nova/utils.py
index 0a40fa6ffc..7dc65dab76 100644
--- a/nova/utils.py
+++ b/nova/utils.py
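Review bot: The `usedforsecurity=False` annotation on the new `return md5(...)` line in `_get_hash_str` tells a FIPS-mode runtime that nothing depends on this digest for integrity, but that contract is not recorded anywhere a caller would see it, and this is privileged (privsep) code whose result, per the commit message, is used to name paths. MD5 has no practical collision resistance, so two distinct `base_str` values chosen by whoever controls the input can yield the same name; the annotation silences the FIPS check without changing that property. The docstring, whose closing `"""` is the hunk's first context line, should state it, e.g. `Non-security use only: MD5 here yields a short, stable, path-safe name and is NOT collision-resistant; do not use it where distinct inputs must never collide.` The function's signature and the body of its docstring lie above the hunk.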
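Review bot: In `test_get_hash_str` the expected `value` is now computed with the same `oslo_utils.secretutils.md5` wrapper that `utils.get_hash_str` itself calls, so the assertion only proves the wrapper agrees with itself; a wrapper that silently changed or fell back to another algorithm under FIPS would still pass. Pin the known digest instead: `value = "acbd18db4cc2f85cedef654fccc4a4d8"  # MD5 of b"foo"`, which also makes the test module's new `md5` import unnecessary. The test method continues past the end of the hunk.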
@@ -43,6 +43,7 @@ import oslo_messaging as messaging
 from oslo_utils import encodeutils
 from oslo_utils import excutils
 from oslo_utils import importutils
+from oslo_utils.secretutils import md5
 from oslo_utils import strutils
 from oslo_utils import timeutils
 import six
@@ -786,7 +787,7 @@ def get_hash_str(base_str):
     """
     if isinstance(base_str, six.text_type):
         base_str = base_str.encode('utf-8')
-    return hashlib.md5(base_str).hexdigest()
+    return md5(base_str, usedforsecurity=False).hexdigest()
 def get_sha256_str(base_str):
diff --git a/requirements.txt b/requirements.txt
index e62366561e..ccf10aa7b9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -40,7 +40,7 @@ oslo.log>=3.36.0 # Apache-2.0
 oslo.reports>=1.18.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.21.1 # Apache-2.0
 oslo.upgradecheck>=0.1.1
-oslo.utils>=4.5.0 # Apache-2.0
+oslo.utils>=4.7.0 # Apache-2.0
 oslo.db>=4.44.0 # Apache-2.0
 oslo.rootwrap>=5.8.0 # Apache-2.0
 oslo.messaging>=10.3.0 # Apache-2.0
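Review bot: The `usedforsecurity=False` on the new `return md5(...)` line in `get_hash_str` is a per-call-site assertion that no caller relies on this digest being unforgeable or collision-free, yet nothing in the function itself steers a future caller toward `get_sha256_str`, which the trailing context line shows is defined immediately below. A why-comment above the return would carry that decision with the code: `# Non-security use: MD5 only provides a short, stable name and is not collision-resistant; FIPS would otherwise reject it. Callers needing an unforgeable digest must use get_sha256_str().` The docstring whose closing `"""` opens the hunk should say the same; the function's signature and docstring body are above the hunk.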