Heat does home-grown symmetric crypto (AES-CFB) for no apparent reason
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Heat | Fix Released | High | Angus Salkeld | |
OpenStack Security Advisory | Invalid | Undecided | Unassigned | |
Bug Description
In the following commit:
https:/
... a decision was introduced to encrypt authentication information using unauthenticated AES-CFB.
There are a few things I don't like about that commit, but suffice to say that heat/engine/auth.py should probably not be a place where symmetric crypto decisions are made.
I've been told that there's a new public API for symmetric encryption, SymmetricCrypto that lives in openstack/
I think that also gets a few things wrong, but at the very least Heat should use a centralized thing for encrypting stuff.
(I'd love to complain about and work on SymmetricCrypto too, but that's not this ticket :)
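What "unauthenticated" means for the CFB construction the report describes, shown as an added example that is not Heat's code or the reporter's: CFB decryption accepts a modified ciphertext without error, while an encrypt-then-MAC wrapper rejects it. Assumptions: HMAC-SHA256 stands in for AES block encryption (CFB only uses the cipher's forward direction and the standard library has no AES), and all function names and the sample record are hypothetical.

```python
import hashlib, hmac, os
BLOCK = 16

def _prf(key, block):
    # Assumption: HMAC-SHA256 stands in for AES block encryption (no AES in stdlib).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _xor(plaintext[i:i + BLOCK], _prf(key, prev))  # ciphertext feeds back
        out += prev
    return out

def cfb_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(ciphertext[i:i + BLOCK], _prf(key, prev))
        prev = ciphertext[i:i + BLOCK]
    return out

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: the tag covers IV and ciphertext.
    iv = os.urandom(BLOCK)
    ct = cfb_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("authentication tag mismatch")
    return cfb_decrypt(enc_key, iv, ct)

def demo():
    enc_key, mac_key, iv = os.urandom(32), os.urandom(32), os.urandom(BLOCK)
    record = b"user=demo;token=constructed-0"  # constructed sample value
    ct = cfb_encrypt(enc_key, iv, record)
    silent = cfb_decrypt(enc_key, iv, ct[:-1] + bytes([ct[-1] ^ 1]))  # no error raised
    blob = seal(enc_key, mac_key, record)
    bad = blob[:-33] + bytes([blob[-33] ^ 1]) + blob[-32:]
    try:
        open_sealed(enc_key, mac_key, bad)
    except ValueError:
        return silent, True   # tampering detected
    return silent, False
```

In production code the same property comes from a vetted authenticated-encryption primitive in a maintained library rather than a hand-assembled construction like this one.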
information type: Private Security → Public
tags: added: security
Changed in ossa: status: Incomplete → Invalid
Changed in heat: importance: Undecided → High
Changed in heat: milestone: none → icehouse-2
Changed in heat: status: Fix Committed → Fix Released
Changed in heat: milestone: icehouse-2 → 2014.1
I think that affects heat rather than heat-templates