use md5 to check volume metadata

Bug #1908040 reported by hanchl
This bug affects 1 person
Affects   Status    Importance   Assigned to   Milestone
Cinder    Invalid   Undecided    Unassigned

Bug Description

    Cinder populates a legacy 'checksum' volume property which is an MD5 hash of volume metadata content. We know that now MD5 encryption can be breached by brute-force cracking, so in Python code security monitoring it has been considered that MD5 encryption will have security vulnerabilities. Continuing to use MD5 cannot be guaranteed in environments that comply with various security standards (for example, FIPS).
    The code is in cinder/api/v3/volume_metadata.py:

    import hashlib

    import six
    from oslo_serialization import jsonutils

    from cinder.api.v2 import volume_metadata as volume_meta_v2

    class Controller(volume_meta_v2.Controller):
        """The volume metadata API controller for the OpenStack API."""

        def _validate_etag(self, req, volume_id):
            # No If-Match header: there is no precondition to check.
            if not req.if_match:
                return True
            context = req.environ['cinder.context']
            metadata = self._get_metadata(context, volume_id)
            # Serialize the current metadata the same way the response body
            # does, so the digest matches the ETag handed to the client earlier.
            data = jsonutils.dumps({"metadata": metadata})
            if six.PY3:
                data = data.encode('utf-8')
            checksum = hashlib.md5(data).hexdigest()
            # The digest is compared against the entity-tags the client sent.
            return checksum in req.if_match.etags

    To remove the dependency on the insecure MD5 algorithm, do we need to consider using SHA-256?

Tags: security md5
Revision history for this message
Eric Harney (eharney) wrote :

md5 in this particular location is not being used for any security-sensitive purpose, and was marked as such in this change:

https://opendev.org/openstack/cinder/commit/bb25e9550b4ab3241c5d05434cb790ad9dcebcec

We could change to a different algorithm for validating etags but there doesn't appear to be a pressing security motivation for doing so.

This change above allows this usage of md5 to work on a FIPS-configured system.
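
Eric's comment above is about marking the call as not security-sensitive rather than replacing md5, while the report asks whether SHA-256 would be needed instead. The Python below is added here as an illustration; it is not code from Cinder or from the linked commit (the page does not show that diff). It sketches the same ETag check outside the controller: md5 is opened with the standard library's usedforsecurity=False keyword (Python 3.9+), the mechanism that lets a non-security digest run on a FIPS-configured OpenSSL, and a hypothetical algorithm argument lets the sha256 alternative be compared side by side. The constructed sample metadata, the parse_if_match helper standing in for WebOb's If-Match parsing, and json.dumps with sort_keys in place of oslo's jsonutils are all assumptions of this example, not Cinder's behaviour.

```python
import hashlib
import json

# Constructed sample metadata standing in for what the controller would
# read from the database for one volume (not real Cinder data).
SAMPLE_METADATA = {"environment": "prod", "owner": "storage-team"}


def metadata_etag(metadata, algorithm="md5"):
    """Digest the metadata the way the ETag response header would carry it.

    The digest only lets a client detect that the metadata changed between
    a GET and a conditional PUT; nobody relies on it being hard to forge.
    md5 is therefore opened with usedforsecurity=False (Python 3.9+), which
    is what lets the call succeed under a FIPS-configured OpenSSL that
    refuses md5 for security purposes. 'algorithm' is a hypothetical
    parameter added so a switch to sha256 can be compared; Cinder has none.
    """
    data = json.dumps({"metadata": metadata}, sort_keys=True).encode("utf-8")
    if algorithm == "md5":
        try:
            digest = hashlib.md5(data, usedforsecurity=False)
        except TypeError:
            # Python < 3.9 has no usedforsecurity keyword; fall back to the
            # plain constructor, which a FIPS build may reject.
            digest = hashlib.md5(data)
    else:
        digest = hashlib.new(algorithm, data)
    return digest.hexdigest()


def parse_if_match(header):
    """Turn a raw If-Match header value into the entity-tags it carries.

    Returns None when the header is absent (no precondition was sent) and
    the string "*" for the wildcard form. Weak tags (W/"...") are compared
    on their opaque value only. This is a hypothetical stand-in for the
    parsing WebOb performs behind req.if_match.
    """
    if header is None or not header.strip():
        return None
    etags = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        if part == "*":
            return "*"
        if part.startswith("W/"):
            part = part[2:]
        etags.append(part.strip('"'))
    return etags


def validate_etag(if_match_header, current_metadata, algorithm="md5"):
    """Mirror of the controller's precondition check: True means proceed."""
    etags = parse_if_match(if_match_header)
    if etags is None or etags == "*":
        return True
    return metadata_etag(current_metadata, algorithm) in etags


if __name__ == "__main__":
    # A client reads the metadata, receives its ETag, then sends a
    # conditional update. If the metadata changed in between, the digest
    # no longer matches and the precondition fails (HTTP 412 territory).
    tag = metadata_etag(SAMPLE_METADATA)
    print("ETag:", tag)
    print("unchanged ->", validate_etag('"%s"' % tag, SAMPLE_METADATA))
    changed = dict(SAMPLE_METADATA, owner="someone-else")
    print("changed   ->", validate_etag('"%s"' % tag, changed))
    print("sha256    ->", metadata_etag(SAMPLE_METADATA, "sha256"))
```

Run it with python3 to see the matching and non-matching cases side by side. The point of the usedforsecurity=False branch is exactly Eric's: the digest is a change detector, so its collision resistance is irrelevant, and the keyword records that intent where a FIPS-mode runtime can read it. Swapping in sha256 changes only the digest length (64 hex characters instead of 32), not the trust model of the check.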

Revision history for this message
hanchl (hanchl) wrote :

I got it. Thank you very much for your reply!

Changed in cinder:
status: New → Invalid
tags: added: md5 security
This report contains Public information. Everyone can see this information.
