[ovs-dev] [PATCH] ovs-bugtool: Switch from MD5 to SHA-256.
Ben Pfaff
blp at ovn.org
Thu Aug 11 04:14:27 UTC 2016
While going through a FIPS certification process we discovered that
ovs-bugtool uses MD5 to identify the contents of files. FIPS doesn't allow
use of the obsolete and broken MD5 algorithm, so this commit switches to
SHA-256.

In a way, this is a silly requirement. ovs-bugtool only uses MD5 to
identify file content, mostly to ensure that the contents of the bug report
have not been corrupted. MD5 is perfectly adequate for that purpose; in
fact a 16-bit CRC would probably be adequate. On the other hand, there is
basically no cost and no disadvantage to switching to SHA-256, so why not
do it? That's why I think that this is a reasonable change.

VMware-BZ: #1708786
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
utilities/bugtool/ovs-bugtool.in | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/utilities/bugtool/ovs-bugtool.in b/utilities/bugtool/ovs-bugtool.in
index 9e85bc7..bb771b0 100755
--- a/utilities/bugtool/ovs-bugtool.in
+++ b/utilities/bugtool/ovs-bugtool.in
@@ -14,7 +14,7 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Copyright (c) 2005, 2007 XenSource Ltd.
-# Copyright (c) 2010, 2011, 2012, 2013, 2015 Nicira, Inc.
+# Copyright (c) 2010, 2011, 2012, 2013, 2015, 2016 Nicira, Inc.
#
# To add new entries to the bugtool, you need to:
@@ -49,7 +49,7 @@ import zipfile
from subprocess import Popen, PIPE
from select import select
from signal import SIGTERM
-import md5
+import hashlib
import platform
import fcntl
import warnings
@@ -139,7 +139,6 @@ ISCSIADM = 'iscsiadm'
LOSETUP = 'losetup'
LS = 'ls'
LSPCI = 'lspci'
-MD5SUM = 'md5sum'
MODINFO = 'modinfo'
MPPUTIL = 'mppUtil'
MULTIPATHD = 'multipathd'
@@ -151,6 +150,7 @@ PS = 'ps'
ROUTE = 'route'
RPM = 'rpm'
SG_MAP = 'sg_map'
+SHA256_SUM = 'sha256sum'
SYSCTL = 'sysctl'
TC = 'tc'
UPTIME = 'uptime'
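Review bot: the new constant SHA256_SUM has an underscore that the command name 'sha256sum' does not, whereas the constant it replaces was MD5SUM = 'md5sum' and neighbours such as SG_MAP = 'sg_map' mirror the binary name exactly. Naming it SHA256SUM would keep the constant list consistent and easy to grep by command name.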
@@ -526,8 +526,8 @@ exclude those logs from the archive.
file_output(CAP_BOOT_LOADER, [GRUB_CONFIG])
cmd_output(CAP_BOOT_LOADER, [LS, '-lR', '/boot'])
- cmd_output(CAP_BOOT_LOADER, [MD5SUM, BOOT_KERNEL, BOOT_INITRD],
- label='vmlinuz-initrd.md5sum')
+ cmd_output(CAP_BOOT_LOADER, [SHA256_SUM, BOOT_KERNEL, BOOT_INITRD],
+ label='vmlinuz-initrd.sha256sum')
cmd_output(CAP_DISK_INFO, [FDISK, '-l'])
file_output(CAP_DISK_INFO, [PROC_PARTITIONS, PROC_MOUNTS])
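Review bot: the label on the kernel/initrd checksum entry changes from 'vmlinuz-initrd.md5sum' to 'vmlinuz-initrd.sha256sum', which is a visible change to the contents of a bug report that the commit message does not mention. Anything that looks for the old label in collected reports will no longer find it, so the rename deserves a line in the commit message (and in release notes if the report layout is considered stable).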
@@ -1071,14 +1071,14 @@ def inventory_entry(document, subdir, k, v):
el.setAttribute('capability', v['cap'])
el.setAttribute('filename',
os.path.join(subdir, construct_filename(k, v)))
- el.setAttribute('md5sum', md5sum(v))
+ el.setAttribute('sha256sum', sha256(v))
document.getElementsByTagName(INVENTORY_XML_ROOT)[0].appendChild(el)
except:
pass
-def md5sum(d):
- m = md5.new()
+def sha256(d):
+ m = hashlib.sha256()
if 'filename' in d:
f = open(d['filename'])
data = f.read(1024)
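Review bot: in inventory_entry the 'md5sum' attribute is replaced by 'sha256sum' rather than supplemented, so the inventory XML format changes for any reader that expects the old attribute; the commit message should say so. The helper is also named sha256 while the attribute and the replaced function follow the 'md5sum' / 'sha256sum' naming, so sha256sum(d) would read more consistently. Separately, the call sits under the existing bare "except:" / "pass", which means a failure while hashing silently drops the whole inventory element; since the digest exists to detect corruption of the report, it would be worth narrowing that handler or logging the error in a follow-up.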
--
2.1.3