[openstack-dev] [security] FIPS compliance

Luke Hinds lhinds at redhat.com
Tue Jan 17 11:15:37 UTC 2017


On Tue, Jan 17, 2017 at 10:11 AM, Yolanda Robla Mota <yroblamo at redhat.com>
wrote:

> Hi, in previous threads, there have been discussions about enabling FIPS,
> and the problems we are hitting with md5 inside OpenStack:
> http://lists.openstack.org/pipermail/openstack-dev/2016-November/107035.html
>
> It is important from a security perspective to enable FIPS, however
> OpenStack cannot boot with that, because of the existence of md5 calls in
> several projects. These calls are not used for security, just for hash
> generation, but even with that, FIPS is blocking them.
>
> There is a patch proposed for newest versions of python, to avoid that
> problem. The idea is that when a hash method is called, users could specify
> if these are used for security or not. If the useforsecurity flag is set to
> False, FIPS won't block the call. See: http://bugs.python.org/issue9216
>
> This won't land until next versions of Python, however the patch is
> already in place for current RHEL and CentOS versions that are used in
> OpenStack deploys. Using that patch as a base, I have a proposal to allow
> FIPS enabling, at least in the distros that support it.
>
> The idea is to create a wrapper around md5, something like:
> md5_wrapper('string_to_hash', useforsecurity=False)
>
> This method will check the signature of hashlib.md5, and see if that's
> offering the useforsecurity parameter. If that's offered, it will pass the
> given parameter from the wrapper. If not, we will just call
> md5('string_to_hash').
>
> This gives us the possibility to whitelist all the md5 calls, and enable
> FIPS kernel booting without problems. It will start to work for distros
> supporting it, and it will be ready to use generally when the patch lands
> in python upstream and other distros adopt it. At some point, when all
> projects are using newest python versions, this wrapper could disappear and
> use md5 useforsecurity parameter natively.
>
> The steps needed to achieve it are:
> - create a wrapper, place it on some existing project or create a new fips
> one
> - search and replace all md5 calls used in OpenStack core projects, to
> use that new wrapper. Note that all the md5 calls will be whitelisted by
> default. We have not noted any md5 call that is used for security, but if
> that exists, it shall be better to use other algorithms, in terms of
> security.
>
> What do people think about it?
>
>
Sounds pragmatic to me. The other option explored was for projects to
migrate to sha2, but that transpired to be a huge challenge for some
projects that had complex functionality built up around md5.

I see this as a non-breaking way to allow FIPS-compliant kernels, without
throwing the `baby out with the bath water`, as we use md5.




> Best
>
> --
> Yolanda Robla Mota
> NFV Partner Engineer
> yroblamo at redhat.com
> +34 605641639
>
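Added example, not part of the original thread and not code from any OpenStack project: a sketch of the wrapper proposed above. It probes for the keyword by calling the constructor instead of inspecting its signature, and it uses the spelling `usedforsecurity`, which is the keyword name in upstream Python 3.9+. The helper `accepts_flag`, the `constructor` parameter, the UTF-8 encoding of text input and the choice to make the flag mandatory are assumptions.

```python
import hashlib


def accepts_flag(constructor):
    """Return True if `constructor` takes the usedforsecurity keyword."""
    try:
        constructor(usedforsecurity=False)
    except TypeError:
        # Unpatched interpreter: the keyword is unknown.
        return False
    return True


def md5_wrapper(data=b"", *, usedforsecurity, constructor=hashlib.md5):
    """Return an MD5 hash object for `data`.

    `usedforsecurity` has no default (an assumption of this sketch), so
    every call site must state whether the digest protects anything.
    That keeps the whitelist auditable with a simple grep.
    """
    if isinstance(data, str):
        # Assumption: text input is hashed as its UTF-8 encoding.
        data = data.encode("utf-8")
    if accepts_flag(constructor):
        # Patched or 3.9+ interpreter: pass the caller's declaration on,
        # so a FIPS-enabled host allows the non-security use.
        return constructor(data, usedforsecurity=usedforsecurity)
    # Older interpreter: plain call, as described in the proposal.
    return constructor(data)


if __name__ == "__main__":
    # Constructed sample input, e.g. a cache key or ETag-style checksum.
    print(md5_wrapper("string_to_hash", usedforsecurity=False).hexdigest())
```

Calls that pass `usedforsecurity=True` are the ones to review for migration to a SHA-2 digest, since a FIPS-enabled host will still refuse them.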