Question on monkey-patching paramiko for FIPS

Ade Lee alee at redhat.com
Tue Apr 19 20:59:03 UTC 2022


Hi all,

As many have already seen, a number of changes have been merged in
OpenStack as part of the effort to allow OpenStack to run on FIPS enabled
systems.  This effort has been captured in a proposed community goal. [1].

One of the requirements for this effort is that md5sum() not be used in a
security related context. In fact, python 3.9 has been modified to raise an
exception of hashlib.md5sum() is called on a FIPS enabled system, unless it
is explicitly annotated with a usedforsecurity=False attribute [2].  We
added a wrapper for md5sum in oslo.config to take advantage of this
attribute. [3,4,5]

Where we have less control is in libraries used by Openstack - and in
particular, paramiko.  Paramiko fails on FIPS enabled systems because of a
call to md5sum() in get_fingerprint().  A patch has been submitted to fix
this problem. [6].  Unfortunately, it takes a very long time for paramiko
to fix issues.

In order for us to make progress on FIPS testing, a small monkey-patch for
paramiko was checked into tempest. [7].  Because this change was made to a
test tool, this patch was relatively uncontroversial.

A similar change has been found to be needed for manila [8].  I would
expect that a similar change will be needed in other components that use
paramiko to SSH to other systems (eg. cinder, neutron?)  I suspect that the
only reason this has not been detected in FIPS testing more widely yet is
because the components that use paramiko for SSH are being tested in third
party tests that do not, as yet, test FIPS.

At the request of the manila team, I am bringing this monkey-patch to the
attention of the wider OpenStack community to get feedback on the pros and
cons of applying this monkey-patch.

A couple things to note:
1. This monkey patch is quite small in scope and only needed until paramiko
fixes the issue.
2. paramiko is not FIPS compliant, and so we will ultimately need to fix
paramiko or replace it with a different library on FIPS enabled systems.
When we do this, we would remove the monkey patch.

Thanks,
Ade Lee

[1]
https://opendev.org/openstack/governance/src/branch/master/goals/proposed/fips.rst
[2] https://bugs.python.org/issue9216
[3] https://review.opendev.org/c/openstack/oslo.utils/+/750031
[4] Patches to various projects to use oslo.utils adapter for hashlib.md5
(as examples): glance:
https://review.opendev.org/c/openstack/glance/+/756158 nova:
https://review.opendev.org/c/openstack/nova/+/756434 nova:
https://review.opendev.org/c/openstack/nova/+/777686 os-brick:
https://review.opendev.org/c/openstack/os-brick/+/756151 oslo:
https://review.opendev.org/c/openstack/oslo.versionedobjects/+/756153 tooz:
https://review.opendev.org/c/openstack/tooz/+/756432 opensdk:
https://review.opendev.org/c/openstack/openstacksdk/+/767411 octavia:
https://review.opendev.org/c/openstack/octavia/+/798146 designate:
https://review.opendev.org/c/openstack/designate/+/798157 glance_store:
https://review.opendev.org/c/openstack/glance_store/+/756157
[5] Swift patch to handle hashlib.md5
https://review.opendev.org/c/openstack/swift/+/751966
[6] https://github.com/paramiko/paramiko/pull/1928
[7] https://review.opendev.org/c/openstack/tempest/+/822560
[8] https://review.opendev.org/c/openstack/manila/+/819375
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220419/44c2ac3d/attachment.htm>


More information about the openstack-discuss mailing list