<div dir="ltr"><div id="gmail-magicdomid51" class="gmail-ace-line"><span class="gmail-">Hi all,</span></div><div id="gmail-magicdomid9" class="gmail-ace-line"><br></div><div id="gmail-magicdomid53" class="gmail-ace-line"><span class="gmail-">As many have already seen, a number of changes have been merged in OpenStack as part of the effort to allow OpenStack to run on FIPS enabled systems.  This effort has been captured in a proposed community goal [1].</span></div><div id="gmail-magicdomid12" class="gmail-ace-line"><br></div><div id="gmail-magicdomid57" class="gmail-ace-line"><span class="gmail-">One of the requirements for this effort is that md5sum() not be used in a security-related context. In fact, Python 3.9 has been modified to raise an exception if hashlib.md5sum() is called on a FIPS enabled system, unless it is explicitly annotated with a usedforsecurity=False attribute [2].  We added a wrapper for md5sum in oslo.config to take advantage of this attribute [3,4,5].</span></div><div id="gmail-magicdomid58" class="gmail-ace-line"><span class="gmail-">  </span></div><div id="gmail-magicdomid61" class="gmail-ace-line"><span class="gmail-">Where we have less control is in libraries used by OpenStack - and in particular, paramiko.  Paramiko fails on FIPS enabled systems because of a call to md5sum() in get_fingerprint().  A patch has been submitted to fix this problem [6].  Unfortunately, it takes a very long time for paramiko to fix issues. </span></div><div id="gmail-magicdomid62" class="gmail-ace-line"><span class="gmail-">  </span></div><div id="gmail-magicdomid64" class="gmail-ace-line"><span class="gmail-">In
order for us to make progress on FIPS testing, a small monkey-patch for paramiko was checked into tempest [7].  Because this change was made to a test tool, this patch was relatively uncontroversial.</span></div><div id="gmail-magicdomid65" class="gmail-ace-line"><span class="gmail-">  </span></div><div id="gmail-magicdomid69" class="gmail-ace-line"><span class="gmail-">A
similar change has been found to be needed for manila [8].  I would expect that a similar change will be needed in other components that use paramiko to SSH to other systems (e.g. cinder, neutron?).  I suspect that the only reason this has not been detected in FIPS testing more widely yet is because the components that use paramiko for SSH are being tested in third party tests that do not, as yet, test FIPS.</span></div><div id="gmail-magicdomid29" class="gmail-ace-line"><br></div><div id="gmail-magicdomid71" class="gmail-ace-line"><span class="gmail-">At the request of the manila team, I am bringing this monkey-patch to the attention of the wider OpenStack community to get feedback on the pros and cons of applying this monkey-patch.</span></div><div id="gmail-magicdomid32" class="gmail-ace-line"><br></div><div id="gmail-magicdomid72" class="gmail-ace-line"><span class="gmail-">A couple of things to note:</span></div><div id="gmail-magicdomid73" class="gmail-ace-line"><span class="gmail-">1. This monkey patch is quite small in scope and only needed until paramiko fixes the issue.</span></div><div id="gmail-magicdomid75" class="gmail-ace-line"><span class="gmail-">2.
 paramiko is not FIPS compliant, and so we will ultimately need to fix 
paramiko or replace it with a different library on FIPS enabled systems.  When we do this, we would remove the monkey patch.</span></div><div id="gmail-magicdomid37" class="gmail-ace-line"><br></div><div id="gmail-magicdomid76" class="gmail-ace-line"><span class="gmail-">Thanks,</span></div><div id="gmail-magicdomid77" class="gmail-ace-line"><span class="gmail-">Ade Lee<br></span></div><div id="gmail-magicdomid41" class="gmail-ace-line"><br></div><div id="gmail-magicdomid78" class="gmail-ace-line"><span class="gmail-">[1] </span><span class="gmail-url"><a href="https://opendev.org/openstack/governance/src/branch/master/goals/proposed/fips.rst" rel="noreferrer noopener">https://opendev.org/openstack/governance/src/branch/master/goals/proposed/fips.rst</a></span></div><div id="gmail-magicdomid79" class="gmail-ace-line"><span class="gmail-">[2] </span><span class="gmail-url"><a href="https://bugs.python.org/issue9216" rel="noreferrer noopener">https://bugs.python.org/issue9216</a></span></div><div id="gmail-magicdomid80" class="gmail-ace-line"><span class="gmail-">[3] </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/oslo.utils/+/750031" rel="noreferrer noopener">https://review.opendev.org/c/openstack/oslo.utils/+/750031</a></span></div><div id="gmail-magicdomid81" class="gmail-ace-line"><span class="gmail-">[4] Patches to various projects to use oslo.utils adapter for hashlib.md5 (as examples): glance: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/glance/+/756158" rel="noreferrer noopener">https://review.opendev.org/c/openstack/glance/+/756158</a></span><span class="gmail-"> nova: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/nova/+/756434" rel="noreferrer noopener">https://review.opendev.org/c/openstack/nova/+/756434</a></span><span class="gmail-"> nova: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/nova/+/777686" rel="noreferrer 
noopener">https://review.opendev.org/c/openstack/nova/+/777686</a></span><span class="gmail-"> os-brick: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/os-brick/+/756151" rel="noreferrer noopener">https://review.opendev.org/c/openstack/os-brick/+/756151</a></span><span class="gmail-"> oslo: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/oslo.versionedobjects/+/756153" rel="noreferrer noopener">https://review.opendev.org/c/openstack/oslo.versionedobjects/+/756153</a></span><span class="gmail-"> tooz: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/tooz/+/756432" rel="noreferrer noopener">https://review.opendev.org/c/openstack/tooz/+/756432</a></span><span class="gmail-"> opensdk: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/openstacksdk/+/767411" rel="noreferrer noopener">https://review.opendev.org/c/openstack/openstacksdk/+/767411</a></span><span class="gmail-"> octavia: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/octavia/+/798146" rel="noreferrer noopener">https://review.opendev.org/c/openstack/octavia/+/798146</a></span><span class="gmail-"> designate: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/designate/+/798157" rel="noreferrer noopener">https://review.opendev.org/c/openstack/designate/+/798157</a></span><span class="gmail-"> glance_store: </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/glance_store/+/756157" rel="noreferrer noopener">https://review.opendev.org/c/openstack/glance_store/+/756157</a></span></div><div id="gmail-magicdomid82" class="gmail-ace-line"><span class="gmail-">[5] Swift patch to handle hashlib.md5 </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/swift/+/751966" rel="noreferrer noopener">https://review.opendev.org/c/openstack/swift/+/751966</a></span></div><div id="gmail-magicdomid83" 
class="gmail-ace-line"><span class="gmail-">[6] </span><span class="gmail-url"><a href="https://github.com/paramiko/paramiko/pull/1928" rel="noreferrer noopener">https://github.com/paramiko/paramiko/pull/1928</a></span></div><div id="gmail-magicdomid84" class="gmail-ace-line"><span class="gmail-">[7] </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/tempest/+/822560" rel="noreferrer noopener">https://review.opendev.org/c/openstack/tempest/+/822560</a></span></div><div id="gmail-magicdomid85" class="gmail-ace-line"><span class="gmail-">[8] </span><span class="gmail-url"><a href="https://review.opendev.org/c/openstack/manila/+/819375" rel="noreferrer noopener">https://review.opendev.org/c/openstack/manila/+/819375</a></span></div></div>
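<div>Added example, not part of Ade Lee's message and not the oslo.utils wrapper, the tempest patch or the paramiko code it refers to: a small Python wrapper that forwards usedforsecurity=False to hashlib.md5 on Python 3.9 and later (and drops the keyword on older interpreters), a colon-separated hex key fingerprint built on that wrapper, a probe that reports whether a bare md5() call is refused on the running interpreter, and a monkey patch of a get_fingerprint() method of the kind the message describes, with an undo so the patch can be removed once the library ships its own fix. The StandInKey class, its asbytes() method, the function names and the sample key blob are constructed for this example; nothing here imports paramiko.</div>

```python
import hashlib
import sys


def md5(data=b"", usedforsecurity=True):
    """Return an md5 hash object, forwarding usedforsecurity where supported.

    Python 3.9+ accepts hashlib.md5(..., usedforsecurity=False); a FIPS-enabled
    OpenSSL then allows the digest for non-security uses such as fingerprints
    or checksums. Older interpreters do not know the keyword, so it is dropped.
    """
    if sys.version_info >= (3, 9):
        return hashlib.md5(data, usedforsecurity=usedforsecurity)
    return hashlib.md5(data)


def md5_blocked():
    """True if this interpreter refuses a bare md5() call (typical of FIPS mode).

    The refusal surfaces as ValueError from hashlib; anything else propagates.
    """
    try:
        hashlib.md5(b"")
    except ValueError:
        return True
    return False


def fingerprint_hex(key_blob):
    """Colon-separated hex MD5 fingerprint of a serialized public key blob.

    The blob is only being identified, not protected, so the digest is
    annotated as non-security use.
    """
    digest = md5(key_blob, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class StandInKey:
    """Constructed stand-in (assumption, not paramiko code) for a key class
    whose get_fingerprint() hashes its own serialization with a bare md5 call."""

    def __init__(self, blob):
        self._blob = blob

    def asbytes(self):
        return self._blob

    def get_fingerprint(self):
        # Bare md5 call: raises ValueError when md5 is blocked (FIPS enforcement).
        return hashlib.md5(self.asbytes()).digest()


def patch_get_fingerprint(key_cls):
    """Replace key_cls.get_fingerprint with one that marks the digest non-security.

    Returns the original method so the caller can undo the patch later.
    """
    original = key_cls.get_fingerprint

    def get_fingerprint(self):
        return md5(self.asbytes(), usedforsecurity=False).digest()

    key_cls.get_fingerprint = get_fingerprint
    return original


def unpatch_get_fingerprint(key_cls, original):
    """Restore the method saved by patch_get_fingerprint()."""
    key_cls.get_fingerprint = original


if __name__ == "__main__":
    blob = b"constructed-public-key-blob"  # sample input, not a real key
    print("bare md5 blocked on this interpreter:", md5_blocked())
    original = patch_get_fingerprint(StandInKey)
    key = StandInKey(blob)
    print("fingerprint:", fingerprint_hex(blob))
    print("patched get_fingerprint() agrees:",
          key.get_fingerprint().hex() == fingerprint_hex(blob).replace(":", ""))
    unpatch_get_fingerprint(StandInKey, original)
```

<div>The patch is applied to the class, not to an instance, so every key object created afterwards picks it up; keeping the returned original lets the patch be removed in the same process when the library's own fix lands, which is the "only needed until paramiko fixes the issue" condition stated above.</div>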