[synology] embed driver uses the insecure MD5 algorithm
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cinder | New | Low | Unassigned | | |
Bug Description
Synology driver uses the insecure MD5 algorithm to derive the AES key and IV, and PKCS1v15 padding in RSA encryption. It should use a more secure hash algorithm and OAEP padding in RSA encryption.
Pre-conditions: NA
Step-by-step reproduction steps: NA
Expected output: NA
Actual output: NA
Version: Train
Environment: NA
Perceived severity: NA
Tags (Affected component): NA
Attachments: Synology driver uses the insecure MD5 algorithm to derive the AES key and IV, and PKCS1v15 padding in RSA encryption.
cinder/
AESCipher.
def _derive_
    d = d_i = b''
    while len(d) < key_length + iv_length:
        md5_str = d_i + password + salt
        d_i = hashlib.
        d += d_i
    return d[:key_length], d[key_length:
Session.
def _encrypt_RSA(self, modulus, passphrase, text):
    public_key = public_
    if isinstance(text, str):
        text = text.encode(
    ciphertext = public_key.encrypt(
        text,
    )
    return ciphertext
Stx driver uses the insecure MD5 algorithm in login. It should use a more secure hash algorithm, such as sha512.
Pre-conditions: NA
Step-by-step reproduction steps: NA
Expected output: NA
Actual output: NA
Version: Train
Environment: NA
Perceived severity: NA
Tags (Affected component): NA
Attachments: Stx driver uses the insecure MD5 algorithm in login.
cinder/
STXClient.
@coordinati
def _get_session_
    """Retrieve a session key from the array."""
    hash_ = "%s_%s" % (self._login, self._password)
    if six.PY3:
        hash_ = hash_.encode(
    hash_ = hashlib.md5(hash_) # nosec
    digest = hash_.hexdigest()
    url = self._base_url + "/login/" + digest
    try:
        xml = requests.get(url, verify=
    except requests.
        msg = _("Failed to obtain MC session key")
        raise stx_exception.
... ...
I think the problem is on master as well: https://opendev.org/openstack/cinder/src/branch/master/cinder/volume/drivers/synology/synology_common.py#L117
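
The MD5 loop quoted in the report, next to a derivation with a work factor, as an added example that is not Cinder's code. It assumes `hashlib.md5(...).digest()` for the call that is truncated on the page; the function names, PBKDF2-HMAC-SHA256 and the 600,000 iteration count are choices made for this illustration.

```python
import hashlib
import math
import os

MD5_DIGEST_SIZE = hashlib.md5().digest_size  # 16 bytes


def derive_key_iv_md5(password, salt, key_length, iv_length):
    """Loop from the report: chained, single-pass MD5 over password + salt."""
    d = d_i = b""
    while len(d) < key_length + iv_length:
        # Assumed call: the page truncates this line after "hashlib."
        d_i = hashlib.md5(d_i + password + salt).digest()
        d += d_i
    return d[:key_length], d[key_length:key_length + iv_length]


def md5_calls_per_guess(key_length, iv_length):
    """MD5 invocations an offline guesser pays per candidate password."""
    return math.ceil((key_length + iv_length) / MD5_DIGEST_SIZE)


def derive_key_iv_pbkdf2(password, salt, key_length, iv_length,
                         iterations=600_000):
    """Hardened variant: PBKDF2-HMAC-SHA256, output split into key and IV."""
    d = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                            dklen=key_length + iv_length)
    return d[:key_length], d[key_length:]


if __name__ == "__main__":
    password = b"constructed-passphrase"  # constructed sample input
    salt = os.urandom(16)
    key, iv = derive_key_iv_md5(password, salt, 32, 16)
    print("MD5 loop  :", key.hex(), iv.hex())
    print("hash calls per password guess:", md5_calls_per_guess(32, 16))
    key, iv = derive_key_iv_pbkdf2(password, salt, 32, 16)
    print("PBKDF2    :", key.hex(), iv.hex())
```

The side that decrypts has to use the same derivation, so the MD5 loop can only be replaced where both ends change together.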