OpenStack Heat

Use sha256 instead of sha1 for resource signature

Bug #1447904 reported by Ethan Lynn
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Heat
Fix Released
Undecided
Ethan Lynn
OpenStack Heat 5.0.0 "liberty"
Kilo
Fix Released
Undecided
Unassigned
OpenStack Heat 2015.1.1

Bug Description

Following codes use sha1 to calculate hash, it's unsafe.
https://github.com/openstack/heat/blob/ad4c00e672fdd2c1c8461d7e4813dff4b093ae0f/heat/engine/resources/stack_resource.py#L509
    def implementation_signature(self):
        schema_names = ([prop for prop in self.properties_schema] +
                        [at for at in self.attributes_schema])
        schema_hash = hashlib.sha1(';'.join(schema_names))
        definition = {'template': self.child_template(),
                      'files': self.stack.t.files}
        definition_hash = hashlib.sha1(jsonutils.dumps(definition))
        return (schema_hash.hexdigest(), definition_hash.hexdigest())

We use a tool to scan potential security issue, and discover this code.

It's recommended to use sha256 instead of sha1 in codes.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/177075

Changed in heat:
assignee: nobody → Ethan Lynn (ethanlynn)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/177075
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=dc9c3945feb6487f80bb42aa00b742e042da9b13
Submitter: Jenkins
Branch: master

commit dc9c3945feb6487f80bb42aa00b742e042da9b13
Author: Ethan Lynn <email address hidden>
Date: Thu Apr 23 13:44:03 2015 +0800

    Use SHA256 instead of SHA1 for resource signature

    SHA1 is not safe for signature, use sha256 instead.

    Closes-Bug: #1447904
    Change-Id: I093464d9c1e30d317de75a4ac3d1d51f1c110114

Changed in heat:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/177602

Revision history for this message
Steven Hardy (shardy) wrote :

I'm not sure I understand this - we're not using the hash for access control or any sort of authentication, so why is it unsafe (other than that the tool says so)?

The main thing this patch will do, AFAICT, is force replacement for all nested stack resources, even if they've not changed their templates, which IMO is a pretty undesirable side-effect of this change.

Revision history for this message
Steven Hardy (shardy) wrote :

Actually, that's wrong, I was thinking we stored the hash, but we re-calculate it every update, so it's probably OK.

Still seems like more of a theoretical lack of safety to me though.

Revision history for this message
Steve Baker (steve-stevebaker) wrote :

Yes, this is likely a safe use of SHA1, but it is probably better to stop using it so it doesn't get red-flagged repeatedly

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/kilo)

Reviewed: https://review.openstack.org/177602
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=536dc83c90986465393363ff28f707dc403728d4
Submitter: Jenkins
Branch: stable/kilo

commit 536dc83c90986465393363ff28f707dc403728d4
Author: Ethan Lynn <email address hidden>
Date: Thu Apr 23 13:44:03 2015 +0800

    Use SHA256 instead of SHA1 for resource signature

    SHA1 is not safe for signature, use sha256 instead.

    Closes-Bug: #1447904
    Change-Id: I093464d9c1e30d317de75a4ac3d1d51f1c110114
    (cherry picked from commit dc9c3945feb6487f80bb42aa00b742e042da9b13)

tags: added: in-stable-kilo
Thierry Carrez (ttx)
Changed in heat:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: liberty-1 → 5.0.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.