Use SHA256 instead of MD5 in completion cache

FIPS 140 are U.S. government computer security standards that specify requirements for cryptography modules. MD5 is not FIPS compliant [1]. Previously, MD5 was used as the hash algorithm for the bash completion cache. Hosts running in FIPS mode [2] block execution of the MD5 hash. This makes python-novaclient unusable on FIPS-enabled machines. This patch replaces MD5 with SHA256, which is FIPS compliant. [1] https://csrc.nist.gov/projects/hash-functions [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations Change-Id: Ia8750bc27aa9a2cfafb6f4f49252f5bd81bc1a40 (cherry picked from commit 2595bac)
openstack · Jun 7, 2019 · e15cc78 · e15cc78
1 parent ef842ca
commit e15cc78
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/novaclient/base.py b/novaclient/base.py
@@ -307,8 +307,8 @@ def completion_cache(self, cache_type, obj_class, mode):
             # endpoint pair
             username = utils.env('OS_USERNAME', 'NOVA_USERNAME')
             url = utils.env('OS_URL', 'NOVA_URL')
-            uniqifier = hashlib.md5(username.encode('utf-8') +
-                                    url.encode('utf-8')).hexdigest()
+            uniqifier = hashlib.sha256(username.encode('utf-8') +
+                                       url.encode('utf-8')).hexdigest()
 
             cache_dir = os.path.expanduser(os.path.join(base_dir, uniqifier))