[openstack-dev] [security] FIPS compliance

Ian Cordasco sigmavirus24 at gmail.com
Tue Jan 17 11:59:13 UTC 2017


On Tue, Jan 17, 2017 at 4:11 AM, Yolanda Robla Mota <yroblamo at redhat.com> wrote:
> Hi, in previous threads, there have been discussions about enabling FIPS,
> and the problems we are hitting with md5 inside OpenStack:
> http://lists.openstack.org/pipermail/openstack-dev/2016-November/107035.html
>
> It is important from a security perspective to enable FIPS, however
> OpenStack cannot boot with that, because of the existence of md5 calls in
> several projects. These calls are not used for security, just for hash
> generation, but even with that, FIPS is blocking them.
>
> There is a patch proposed for newest versions of python, to avoid that
> problem. The idea is that when a hash method is called, users could specify
> if these are used for security or not. If the useforsecurity flag is set to
> False, FIPS won't block the call. See: http://bugs.python.org/issue9216

This patch looks to have died off in 2013 prior to Robert's comment from today.

> This won't land until next versions of Python, however the patch is already
> in place for current RHEL and CentOS versions that are used in OpenStack
> deploys. Using that patch as a base, I have a proposal to allow FIPS
> enabling, at least in the distros that support it.
>
> The idea is to create a wrapper around md5, something like:
> md5_wrapper('string_to_hash', useforsecurity=False)

We should probably work harder on actually landing the patch in Python
first. I agree with Robert that the optional boolean parameter is
awkward. It'd be better to have a fips submodule.

> This method will check the signature of hashlib.md5, and see if that's
> offering the useforsecurity parameter. If that's offered, it will pass the
> given parameter from the wrapper. If not, we will just call
> md5('string_to_hash').
>
> This gives us the possibility to whitelist all the md5 calls, and enable
> FIPS kernel booting without problems. It will start to work for distros
> supporting it, and it will be ready to use generally when the patch lands in
> python upstream and other distros adopt it. At some point, when all
> projects are using newest python versions, this wrapper could disappear and
> use md5 useforsecurity parameter natively.

I'd much rather have the upstream interface fixed in Python and then
to have a wrapper that does things the correct way. Otherwise, we're
encouraging other distros to use a patch that still requires a lot of
edits to address the review comments and might be defining an API that
will never end up in Python.

> The steps needed to achieve it are:
> - create a wrapper, place it on some existing project or create a new fips
> one
> - search and replace all md5 calls used in OpenStack core projects, to use
> that new wrapper. Note that all the md5 calls will be whitelisted by
> default. We have not noted any md5 call that is used for security, but if
> that exists, it shall be better to use other algorithms, in terms of
> security.
>
> What do people think about it?

I think people should work on the Python patches *first*. Once they're
merged, *then* we should potentially create a wrapper (if it's still
necessary at that point) to do this.

-- 
Ian Cordasco
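
Added example, not part of the original message and not OpenStack or CPython code: a sketch of the wrapper proposed in the quoted text. It assumes the keyword is spelled usedforsecurity (the spelling hashlib accepts in Python 3.9 and later) and detects it with a trial call instead of inspecting the signature; the safe default of True and the content_checksum helper are hypothetical choices made here.

```python
import hashlib

# Keyword spelling accepted by hashlib constructors in Python 3.9+.
# Assumption: patched distro builds use the same spelling.
FLAG = "usedforsecurity"


def supports_flag(constructor):
    """Return True if `constructor` accepts the non-security keyword.

    A trial call is used because built-in hash constructors do not
    always expose an inspectable signature. An unknown keyword is
    rejected with TypeError during argument parsing, before any FIPS
    policy check runs.
    """
    try:
        constructor(b"", **{FLAG: False})
    except TypeError:
        return False
    return True


# Probe once at import time; the interpreter does not change underneath us.
MD5_HAS_FLAG = supports_flag(hashlib.md5)


def md5_wrapper(data=b"", usedforsecurity=True):
    """Return an md5 hash object, forwarding the flag when it is supported.

    The default is True (hypothetical choice): a caller has to state
    explicitly that a digest is not security relevant, so a FIPS-enabled
    host still blocks any call site that was never reviewed.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    if MD5_HAS_FLAG:
        return hashlib.md5(data, **{FLAG: usedforsecurity})
    # Older interpreter without the keyword: plain call, as the thread
    # describes. On a FIPS host this may still raise ValueError.
    return hashlib.md5(data)


def content_checksum(data):
    """Non-security use: a digest for cache keys or ETag-style comparison."""
    return md5_wrapper(data, usedforsecurity=False).hexdigest()
```

On an interpreter that lacks the keyword, the wrapper changes nothing about FIPS behaviour; it only keeps call sites source-compatible until the interface exists upstream.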