
Is there any way to use non-openssl md5 for hashlib in python?

I generate md5 content hashes for upload verification, but it has recently come to my attention that this will fail for any users running on a FIPS enabled machine. FIPS disables openssl md5, resulting in a ValueError when I try to initialize hashlib. Normally I would use SHA instead, but I'm relying on an external service which requires a content-md5 header.

My question is this: Is there any way to force Python to use a non-openssl hashing function? There was some talk here about adding a usedforsecurity flag, but it doesn't seem to have gone anywhere.

Jordon Phillips asked Mar 14 '23 04:03


2 Answers

Flag usedforsecurity=False is available only on some of the distributions as it is not part of the upstream. You can find it in Red Hat Enterprise Linux and derivatives (CentOS, Scientific Linux, Oracle Unbreakable Linux, ...).

You are free to use md5 (and other cryptographically dangerous hashes) only for non-crypto stuff, e.g. using it for caching results.

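```python
import hashlib

# usedforsecurity=False marks this as a non-cryptographic use of MD5
md5 = hashlib.new('md5', usedforsecurity=False)
md5.update(data_to_hash)  # data_to_hash: the bytes to hash
hex_digest = md5.hexdigest()
```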

Marek Grác answered Apr 29 '23 17:04
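An added example (not code from either answer): computing the Content-MD5 value with the usedforsecurity=False flag, and returning None when the platform refuses MD5 rather than substituting another MD5 implementation. The names new_md5 and content_md5_header and the factory parameter are assumptions for illustration; upstream Python 3.9 and later also accept the keyword.

```python
import base64
import hashlib


def new_md5(factory=hashlib.new):
    """Return an MD5 object for checksum use, or None if MD5 is unavailable.

    `factory` is a hypothetical injection point so the failure paths can be
    exercised without a FIPS-mode machine.
    """
    try:
        # Declare the digest as a checksum, not a security control.
        return factory("md5", usedforsecurity=False)
    except TypeError:
        # Interpreter build that rejects the keyword: try the plain call.
        try:
            return factory("md5")
        except ValueError:
            return None
    except ValueError:
        # Crypto policy disables MD5 even for non-security use.
        return None


def content_md5_header(chunks, factory=hashlib.new):
    """Base64 of the raw MD5 digest over `chunks`, or None.

    None means the caller must omit the header or refuse the upload;
    no alternative MD5 implementation is substituted.
    """
    md5 = new_md5(factory)
    if md5 is None:
        return None
    for chunk in chunks:
        md5.update(chunk)
    return base64.b64encode(md5.digest()).decode("ascii")


if __name__ == "__main__":
    # Constructed sample input, streamed in two chunks.
    value = content_md5_header([b"hello ", b"world"])
    print("Content-MD5:", value if value else "(MD5 unavailable, header omitted)")
```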


The answer to "how can I send a content-md5 header from a FIPS mode machine" is you don't use non-FIPS validated algorithms when FIPS mode is enabled as you would likely be violating federal regulations or organizational policy by doing so, since the only significant reason to FIPS enable a machine is if there is a regulatory (or perhaps preventive policy) requirement to do so.

There is some discussion in this GitHub issues list as well, suggesting that content-md5 must be optional.

Given that regulatory requirement, you CANNOT use MD5, since it is not a FIPS compliant algorithm, and therefore CANNOT have a FIPS validated(!) implementation.

You need to do one of the following:

  • get that service to not require the content-md5 header

  • use a different service

  • use a different originating machine which is not required to be in FIPS mode

If your management needs a reference, see Annex A Approved Security Functions for FIPS PUB 140-2, straight from nist.gov.

Anti-weakpasswords answered Apr 29 '23 17:04