[openstack-dev] [security] FIPS compliance

Yolanda Robla Mota yroblamo at redhat.com
Tue Jan 17 10:11:38 UTC 2017


Hi, in previous threads, there have been discussions about enabling FIPS,
and the problems we are hitting with md5 inside OpenStack:
http://lists.openstack.org/pipermail/openstack-dev/2016-November/107035.html

It is important from a security perspective to enable FIPS, however
OpenStack cannot boot with that, because of the existence of md5 calls in
several projects. These calls are not used for security, just for hash
generation, but even with that, FIPS is blocking them.

There is a patch proposed for newest versions of python, to avoid that
problem. The idea is that when a hash method is called, users could specify
if these are used for security or not. If the useforsecurity flag is set to
False, FIPS won't block the call. See: http://bugs.python.org/issue9216

This won't land until next versions of Python, however the patch is already
in place for current RHEL and CentOS versions that are used in OpenStack
deploys. Using that patch as a base, I have a proposal to allow FIPS
enabling, at least in the distros that support it.

The idea is to create a wrapper around md5, something like:
md5_wrapper('string_to_hash', useforsecurity=False)

This method will check the signature of hashlib.md5, and see if that's
offering the useforsecurity parameter. If that's offered, it will pass the
given parameter from the wrapper. If not, we will just call
md5('string_to_hash').

This gives us the possibility to whitelist all the md5 calls, and to enable
FIPS kernel booting without problems. It will start to work for distros
supporting it, and it will be ready to use generally when the patch lands
in python upstream and other distros adopt it. At some point, when all
projects are using the newest python versions, this wrapper could disappear
and projects could use the md5 useforsecurity parameter natively.

The steps needed to achieve it are:
- create a wrapper, place it on some existing project or create a new fips
one
- search and replace all md5 calls used in OpenStack core projects, to use
that new wrapper. Note that all the md5 calls will be whitelisted by
default. We have not noted any md5 call that is used for security, but if
that exists, it would be better to use other algorithms, in terms of
security.

What do people think about it?

Best

-- 
Yolanda Robla Mota
NFV Partner Engineer
yroblamo at redhat.com
+34 605641639
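
The wrapper proposed in the message above, sketched as an added example (not code from the original post or from any OpenStack project). Assumptions: support is detected by a trial call rather than by inspecting the signature, both the spelling used in the message and CPython 3.9+'s `usedforsecurity` are probed, the default stays `True` so only explicitly marked calls are exempted, and `etag_for` is a hypothetical non-security caller.

```python
import hashlib

# Keyword spellings to probe (assumption of this sketch): the message writes
# "useforsecurity"; CPython 3.9+ spells the keyword "usedforsecurity".
_CANDIDATE_KWARGS = ("usedforsecurity", "useforsecurity")


def _detect_security_kwarg():
    """Return the keyword hashlib.md5 accepts for the security hint, or None."""
    for name in _CANDIDATE_KWARGS:
        try:
            # Declaring non-security use is the call a FIPS-enabled build permits.
            hashlib.md5(b"", **{name: False})
            return name
        except TypeError:
            continue  # this interpreter does not know the keyword
    return None


# Probed once at import time; None means an unpatched interpreter.
SECURITY_KWARG = _detect_security_kwarg()


def md5_wrapper(data=b"", useforsecurity=True):
    """Create an md5 object, forwarding the security hint when supported.

    With useforsecurity=True on a FIPS-enabled build the underlying call is
    expected to fail, which is the desired outcome for a security use.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    if SECURITY_KWARG is not None:
        return hashlib.md5(data, **{SECURITY_KWARG: useforsecurity})
    # No way to pass the hint: plain call, as the message describes.
    return hashlib.md5(data)


def etag_for(chunks):
    """Hypothetical caller: content checksum over byte chunks, not a security use."""
    digest = md5_wrapper(useforsecurity=False)
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()
```
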