From 3fd961d08588bd1ec31f8cfc72201dfa1a4e85d6 Mon Sep 17 00:00:00 2001
From: Kotresh HR
Date: Wed, 20 Dec 2017 15:24:11 +0530
Subject: fips/geo-rep: Replace MD5 with SHA256
MD5 is not fips compliant. Hence replacing with SHA256. NOTE: The hash is used to form the ctl_path for the ssh connection. The length of ctl_path for ssh connection should not be > 108. ssh fails with ctl_path too long if it is so. But when rsync is piped to ssh, it is not taking > 90. rsync is failing with error number 12. Hence using first 32 bytes of hash. Hash collision doesn't matter as only one sock file is created per directory.
Change-Id: I58aeb32a80b5422f6ac0188cf33fbecccbf08ae7
Updates: #230
Signed-off-by: Kotresh HR
---
geo-replication/syncdaemon/syncdutils.py | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'geo-replication')
diff --git a/geo-replication/syncdaemon/syncdutils.py b/geo-replication/syncdaemon/syncdutils.py
index bc03522fdd..5dd535a5c7 100644
--- a/geo-replication/syncdaemon/syncdutils.py
+++ b/geo-replication/syncdaemon/syncdutils.py
@@ -49,7 +49,7 @@ except ImportError:
 import gsyncdconfig as gconf
 from rconf import rconf
-from hashlib import md5 as md5
+from hashlib import sha256 as sha256
 # auxiliary gfid based access prefix
 _CL_AUX_GFID_PFX = ".gfid/"
@@ -157,13 +157,21 @@ def setup_ssh_ctl(ctld, remote_addr, resource_url):
 rconf.ssh_ctl_dir = ctld
 content = "SLAVE_HOST=%s\nSLAVE_RESOURCE_URL=%s" % (remote_addr, resource_url)
- content_md5 = md5hex(content)
+ content_sha256 = sha256hex(content)
+ """
+ The length of ctl_path for ssh connection should not be > 108.
+ ssh fails with ctl_path too long if it is so. But when rsync
+ is piped to ssh, it is not taking > 90. Hence using first 32
+ bytes of hash. Hash collision doesn't matter as only one sock
+ file is created per directory.
+ """
+ content_sha256 = content_sha256[:32]
 fname = os.path.join(rconf.ssh_ctl_dir,
- "%s.mft" % content_md5)
+ "%s.mft" % content_sha256)
 create_manifest(fname, content)
 ssh_ctl_path = os.path.join(rconf.ssh_ctl_dir,
- "%s.sock" % content_md5)
+ "%s.sock" % content_sha256)
 rconf.ssh_ctl_args = ["-oControlMaster=auto", "-S", ssh_ctl_path]
@@ -510,8 +518,8 @@ def gauxpfx():
 return _CL_AUX_GFID_PFX
-def md5hex(s):
- return md5(s).hexdigest()
+def sha256hex(s):
+ return sha256(s).hexdigest()
 def selfkill(sig=SIGTERM):
-- cgit
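Review bot: The rationale for the truncation in setup_ssh_ctl is written as a bare triple-quoted string between two statements, so it is an expression that is evaluated and discarded rather than a comment or a docstring; it belongs in `#` comment lines directly above `content_sha256 = content_sha256[:32]`. The text also says "first 32 bytes of hash", but the slice is taken from the hex digest, so it keeps 32 hex characters, which is 16 bytes (128 bits) of the SHA-256 output; something like `# keep the first 32 hex chars (128 bits) of the digest so the ssh control path stays under the length rsync accepts` would be accurate. The statement that collisions do not matter appears to rest on `ctld` being private to a single session, which this hunk does not show; if that holds, the comment should say so, since the truncated value names both the manifest and the control socket. The function's signature and the rest of its body lie outside the hunk.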
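Review bot: In the last hunk `md5hex` is removed outright in favour of `sha256hex`, and the diffstat lists only syncdutils.py, so any other syncdaemon module that still imports or calls `md5hex` would fail at run time; a tree-wide search for the old name is worth doing before merge. The helper also passes `s` straight to `sha256()`, which on Python 3 raises TypeError for a text string such as the `content` built in setup_ssh_ctl; whether Python 3 is a target is not visible here, but if it is, encoding text input first, e.g. `return sha256(s.encode("utf-8")).hexdigest()`, avoids that. A one-line docstring saying the result is the full 64-character hex digest would help callers that truncate it.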