Reviewed:  https://review.openstack.org/59684
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=37919c6b955e9f9b87d4dc76056efce858c63b1d
Submitter: Jenkins
Branch:    master

commit 37919c6b955e9f9b87d4dc76056efce858c63b1d
Author: Angus Salkeld <asalkeld at redhat.com>
Date:   Tue Dec 3 21:24:36 2013 +1100

    oslo: add the crypto module

    This is to be used instead of the hand rolled
    heat/common/crypt.py.

    Partial-bug: #1251647

    Change-Id: I622b9d0c942075f99fdbaff470906123c631504a

--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1251647

Title:
  Heat does home-grown symmetric crypto (AES-CFB) for no apparent reason

Status in Orchestration API (Heat):
  In Progress
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  In the following commit:

  https://github.com/openstack/heat/commit/58cd52624b50476ed5ed1c5c0ba7cb1b4d7ba66d

  ... a decision was introduced to encrypt authentication information
  using unauthenticated AES-CFB. There's a few things I don't like about
  that commit, but suffice to say that heat/engine/auth.py should
  probably not be a place where symmetric crypto decisions are made.

  I've been told that there's a new public API for symmetric encryption,
  SymmetricCrypto that lives in openstack/common/crypto/utils.py:

  https://github.com/openstack/oslo-incubator/blob/master/openstack/common/crypto/utils.py#L99

  I think that also gets a few things wrong, but at the very least Heat
  should use a centralized thing for encrypting stuff. (I'd love to
  complain about and work on SymmetricCrypto too, but that's not this
  ticket :)

To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1251647/+subscriptions