Reviewed:  https://review.openstack.org/62295
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=f67cd2182823e4f4173aabd9c67e5ba3b0a20d92
Submitter: Jenkins
Branch:    master

commit f67cd2182823e4f4173aabd9c67e5ba3b0a20d92
Author: Angus Salkeld <asalkeld at redhat.com>
Date:   Mon Dec 16 19:59:18 2013 +1100

    Add support for multiple encryption methods

    We use only one encrypt() method but it returns the method
    to decrypt the data. This way we can change the encryption mechanism
    but always have a way to know how to decrypt whatever is stored.

    Change-Id: I2315a33105a8766f69d02f0617af39a9dae19ddf
    Partial-bug: #1251647

--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1251647

Title:
  Heat does home-grown symmetric crypto (AES-CFB) for no apparent reason

Status in Orchestration API (Heat):
  In Progress
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  In the following commit:

  https://github.com/openstack/heat/commit/58cd52624b50476ed5ed1c5c0ba7cb1b4d7ba66d

  ... a decision was introduced to encrypt authentication information
  using unauthenticated AES-CFB.

  There's a few things I don't like about that commit, but suffice to
  say that heat/engine/auth.py should probably not be a place where
  symmetric crypto decisions are made.

  I've been told that there's a new public API for symmetric encryption,
  SymmetricCrypto that lives in openstack/common/crypto/utils.py:

  https://github.com/openstack/oslo-incubator/blob/master/openstack/common/crypto/utils.py#L99

  I think that also gets a few things wrong, but at the very least Heat
  should use a centralized thing for encrypting stuff.

  (I'd love to complain about and work on SymmetricCrypto too, but
  that's not this ticket :)

To manage notifications about this bug go to:
https://bugs.launchpad.net/heat/+bug/1251647/+subscriptions