[Openstack-security] [Bug 1251647] Re: Heat does home-grown symmetric crypto (AES-CFB) for no apparent reason
Clint Byrum
clint at fewbar.com
Sat Dec 7 02:57:45 UTC 2013
** Changed in: heat
Importance: Undecided => High
https://bugs.launchpad.net/bugs/1251647
Title:
Heat does home-grown symmetric crypto (AES-CFB) for no apparent reason
Status in Orchestration API (Heat):
In Progress
Status in OpenStack Security Advisories:
Invalid
Bug description:
In the following commit:
https://github.com/openstack/heat/commit/58cd52624b50476ed5ed1c5c0ba7cb1b4d7ba66d
... a decision was introduced to encrypt authentication information
using unauthenticated AES-CFB.
There are a few things I don't like about that commit, but suffice to
say that heat/engine/auth.py should probably not be a place where
symmetric crypto decisions are made.
I've been told that there's a new public API for symmetric encryption,
SymmetricCrypto that lives in openstack/common/crypto/utils.py:
https://github.com/openstack/oslo-incubator/blob/master/openstack/common/crypto/utils.py#L99
I think that also gets a few things wrong, but at the very least Heat
should use a centralized thing for encrypting stuff.
(I'd love to complain about and work on SymmetricCrypto too, but
that's not this ticket :)