[ovs-dev] [PATCH] ovs-bugtool: Switch from MD5 to SHA-256.

Ben Pfaff blp at ovn.org
Thu Aug 11 04:14:27 UTC 2016


While going through a FIPS certification process we discovered that
ovs-bugtool uses MD5 to identify the contents of files.  FIPS doesn't allow
use of the obsolete and broken MD5 algorithm, so this commit switches to
SHA-256.

In a way, this is a silly requirement.  ovs-bugtool only uses MD5 to
identify file content, mostly to ensure that the contents of the bug report
have not been corrupted.  MD5 is perfectly adequate for that purpose; in
fact a 16-bit CRC would probably be adequate.  On the other hand, there is
basically no cost and no disadvantage to switching to SHA-256, so why not
do it?  That's why I think that this is a reasonable change.

VMware-BZ: #1708786
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
 utilities/bugtool/ovs-bugtool.in | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/utilities/bugtool/ovs-bugtool.in b/utilities/bugtool/ovs-bugtool.in
index 9e85bc7..bb771b0 100755
--- a/utilities/bugtool/ovs-bugtool.in
+++ b/utilities/bugtool/ovs-bugtool.in
@@ -14,7 +14,7 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 #
 # Copyright (c) 2005, 2007 XenSource Ltd.
-# Copyright (c) 2010, 2011, 2012, 2013, 2015 Nicira, Inc.
+# Copyright (c) 2010, 2011, 2012, 2013, 2015, 2016 Nicira, Inc.
 
 #
 # To add new entries to the bugtool, you need to:
@@ -49,7 +49,7 @@ import zipfile
 from subprocess import Popen, PIPE
 from select import select
 from signal import SIGTERM
-import md5
+import hashlib
 import platform
 import fcntl
 import warnings
@@ -139,7 +139,6 @@ ISCSIADM = 'iscsiadm'
 LOSETUP = 'losetup'
 LS = 'ls'
 LSPCI = 'lspci'
-MD5SUM = 'md5sum'
 MODINFO = 'modinfo'
 MPPUTIL = 'mppUtil'
 MULTIPATHD = 'multipathd'
@@ -151,6 +150,7 @@ PS = 'ps'
 ROUTE = 'route'
 RPM = 'rpm'
 SG_MAP = 'sg_map'
+SHA256_SUM = 'sha256sum'
 SYSCTL = 'sysctl'
 TC = 'tc'
 UPTIME = 'uptime'
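Review bot: Style point on the new constant: SHA256_SUM adds an underscore that the command name 'sha256sum' does not have, while the constant it replaces (MD5SUM) and its neighbours (SG_MAP = 'sg_map', SYSCTL = 'sysctl') mirror the command spelling exactly. SHA256SUM would keep the table consistent and easier to grep.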
@@ -526,8 +526,8 @@ exclude those logs from the archive.
 
     file_output(CAP_BOOT_LOADER, [GRUB_CONFIG])
     cmd_output(CAP_BOOT_LOADER, [LS, '-lR', '/boot'])
-    cmd_output(CAP_BOOT_LOADER, [MD5SUM, BOOT_KERNEL, BOOT_INITRD],
-               label='vmlinuz-initrd.md5sum')
+    cmd_output(CAP_BOOT_LOADER, [SHA256_SUM, BOOT_KERNEL, BOOT_INITRD],
+               label='vmlinuz-initrd.sha256sum')
 
     cmd_output(CAP_DISK_INFO, [FDISK, '-l'])
     file_output(CAP_DISK_INFO, [PROC_PARTITIONS, PROC_MOUNTS])
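Review bot: Missing documentation for the label rename on the cmd_output call: 'vmlinuz-initrd.md5sum' becomes 'vmlinuz-initrd.sha256sum', so the name of a file inside the generated report changes, and the commit message does not say so. Anything that looks for the old file name in a bug report will need to accept both names; a sentence in the commit message would cover it.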
@@ -1071,14 +1071,14 @@ def inventory_entry(document, subdir, k, v):
         el.setAttribute('capability', v['cap'])
         el.setAttribute('filename',
                         os.path.join(subdir, construct_filename(k, v)))
-        el.setAttribute('md5sum', md5sum(v))
+        el.setAttribute('sha256sum', sha256(v))
         document.getElementsByTagName(INVENTORY_XML_ROOT)[0].appendChild(el)
     except:
         pass
 
 
-def md5sum(d):
-    m = md5.new()
+def sha256(d):
+    m = hashlib.sha256()
     if 'filename' in d:
         f = open(d['filename'])
         data = f.read(1024)
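Review bot: The attribute rename in inventory_entry from 'md5sum' to 'sha256sum' changes the inventory XML format without any mention in the commit message, and because the setAttribute call sits under the bare 'except: pass', a failure inside sha256(v) skips the appendChild and drops the entry with no trace. Please document the attribute change. While the helper is being touched, consider opening the file with open(d['filename'], 'rb'), since the digest is meant to cover the raw bytes, and naming the helper sha256sum to match both the attribute and the md5sum() it replaces.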
-- 
2.1.3



