author | Kotresh HR <khiremat@redhat.com> | 2017-12-20 15:24:11 +0530 |
---|---|---|
committer | Kotresh HR <khiremat@redhat.com> | 2017-12-22 15:32:06 +0000 |
commit | 3fd961d08588bd1ec31f8cfc72201dfa1a4e85d6 (patch) | |
tree | 31f48a57bc34eae25ffab73c560e44b6e33f7f82 /geo-replication/syncdaemon | |
parent | c96a1338fe8139d07a0aa1bc40f0843d033f0324 (diff) |
fips/geo-rep: Replace MD5 with SHA256
MD5 is not fips compliant. Hence replacing
with SHA256.
NOTE:
The hash is used to form the ctl_path for the ssh connection.
The length of ctl_path for ssh connection should not be > 108.
ssh fails with ctl_path too long if it is so. But when rsync
is piped to ssh, it is not taking > 90. rsync is failing with
error number 12. Hence using first 32 bytes of hash. Hash
collision doesn't matter as only one sock file is created
per directory.
Change-Id: I58aeb32a80b5422f6ac0188cf33fbecccbf08ae7
Updates: #230
Signed-off-by: Kotresh HR <khiremat@redhat.com>
Diffstat (limited to 'geo-replication/syncdaemon')
-rw-r--r-- | geo-replication/syncdaemon/syncdutils.py | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/geo-replication/syncdaemon/syncdutils.py b/geo-replication/syncdaemon/syncdutils.py
index bc03522fdda..5dd535a5c7f 100644
--- a/geo-replication/syncdaemon/syncdutils.py
+++ b/geo-replication/syncdaemon/syncdutils.py
@@ -49,7 +49,7 @@ except ImportError:
 import gsyncdconfig as gconf
 from rconf import rconf
-from hashlib import md5 as md5
+from hashlib import sha256 as sha256
 # auxiliary gfid based access prefix
 _CL_AUX_GFID_PFX = ".gfid/"
@@ -157,13 +157,21 @@ def setup_ssh_ctl(ctld, remote_addr, resource_url):
 rconf.ssh_ctl_dir = ctld
 content = "SLAVE_HOST=%s\nSLAVE_RESOURCE_URL=%s" % (remote_addr, resource_url)
- content_md5 = md5hex(content)
+ content_sha256 = sha256hex(content)
+ """
+ The length of ctl_path for ssh connection should not be > 108.
+ ssh fails with ctl_path too long if it is so. But when rsync
+ is piped to ssh, it is not taking > 90. Hence using first 32
+ bytes of hash. Hash collision doesn't matter as only one sock
+ file is created per directory.
+ """
+ content_sha256 = content_sha256[:32]
 fname = os.path.join(rconf.ssh_ctl_dir,
- "%s.mft" % content_md5)
+ "%s.mft" % content_sha256)
 create_manifest(fname, content)
 ssh_ctl_path = os.path.join(rconf.ssh_ctl_dir,
- "%s.sock" % content_md5)
+ "%s.sock" % content_sha256)
 rconf.ssh_ctl_args = ["-oControlMaster=auto", "-S", ssh_ctl_path]
@@ -510,8 +518,8 @@ def gauxpfx():
 return _CL_AUX_GFID_PFX
-def md5hex(s):
- return md5(s).hexdigest()
+def sha256hex(s):
+ return sha256(s).hexdigest()
 def selfkill(sig=SIGTERM): |
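Review bot: The slice `content_sha256[:32]` in setup_ssh_ctl bounds only the file name, so the joined `ssh_ctl_path` can still exceed the roughly 90-character limit described here when `ctld` is long, and nothing in the hunk checks the final length. A guard such as `if len(ssh_ctl_path) > 90:` that fails with a clear error would surface this before ssh or rsync fail with an opaque message. The explanation is also written as a bare triple-quoted string in the middle of the body, which is an expression statement rather than a comment; `#` comment lines are the usual form. It says "32 bytes", but the slice takes 32 hex characters, i.e. 128 bits of the digest, so the comment could read `# keep the first 32 hex chars (128 bits) of the SHA-256 digest; as far as this hunk shows it is only a file-name label`. The function body starts and ends outside the hunk.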