Is there any way to use non-openssl md5 for hashlib in python?

老子叫甜甜 submitted on 2019-12-22 10:27:08

Question


I generate md5 content hashes for upload verification, but it has recently come to my attention that this will fail for any users running on a FIPS enabled machine. FIPS disables openssl md5, resulting in a ValueError when I try to initialize hashlib. Normally I would use SHA instead, but I'm relying on an external service which requires a content-md5 header.

My question is this: Is there any way to force Python to use a non-openssl hashing function? There was some talk here about adding a usedforsecurity flag, but it doesn't seem to have gone anywhere.


Answer 1:


The answer to "how can I send a content-md5 header from a FIPS mode machine" is you don't use non-FIPS validated algorithms when FIPS mode is enabled as you would likely be violating federal regulations or organizational policy by doing so, since the only significant reason to FIPS enable a machine is if there is a regulatory (or perhaps preventive policy) requirement to do so.

There is some discussion in this github issues list as well, suggesting that content-md5 must be optional.

Given that regulatory requirement, you CANNOT use MD5, since it is not a FIPS compliant algorithm, and therefore CANNOT have a FIPS validated(!) implementation.

You need to do one of the following:

  • get that service to not require the content-md5 header

  • use a different service

  • use a different originating machine which is not required to be in FIPS mode

If your management needs a reference, see Annex A Approved Security Functions for FIPS PUB 140-2, straight from nist.gov.




Answer 2:


Flag usedforsecurity=False is available only on some of the distributions as it is not part of the upstream. You can find it in Red Hat Enterprise Linux and derivatives (CentOS, Scientific Linux, Oracle Unbreakable Linux, ...).

You are free to use md5 (and other cryptographically dangerous hashes) only for non-crypto stuff, e.g. using it for caching results.

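    import hashlib

    # usedforsecurity=False marks this MD5 use as non-cryptographic
    md5 = hashlib.new('md5', usedforsecurity=False)
    md5.update(data_to_hash)  # data_to_hash: the bytes to hash
    hex_digest = md5.hexdigest()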
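An added example, not part of either answer: building the Content-MD5 header value (base64 of the raw digest, per RFC 1864) for an upload body with the usedforsecurity=False flag from Answer 2. It assumes a hashlib build that accepts the keyword (upstream Python added it in 3.9); the function names are hypothetical.

```python
import base64
import hashlib
import io


def md5_checksum_ctx():
    """Return an MD5 object declared as a non-security checksum.

    Hypothetical helper: distinguishes the two failure modes so the
    caller gets one clear error instead of a bare ValueError.
    """
    try:
        return hashlib.new("md5", usedforsecurity=False)
    except TypeError:
        # This build's hashlib rejects the keyword; try the plain constructor.
        try:
            return hashlib.new("md5")
        except ValueError as exc:
            raise RuntimeError("MD5 is blocked on this host") from exc
    except ValueError as exc:
        # The crypto provider refuses MD5 even with the flag set.
        raise RuntimeError("MD5 is blocked on this host") from exc


def content_md5(stream, chunk_size=64 * 1024):
    """Hash a binary stream in chunks and return the Content-MD5 value."""
    md5 = md5_checksum_ctx()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
    # Content-MD5 carries base64 of the 16 raw digest bytes, not the hex form.
    return base64.b64encode(md5.digest()).decode("ascii")


if __name__ == "__main__":
    body = b"hello world"  # constructed sample upload body
    headers = {
        "Content-Length": str(len(body)),
        "Content-MD5": content_md5(io.BytesIO(body)),
    }
    print(headers)
```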



Source: https://stackoverflow.com/questions/35586302/is-there-any-way-to-use-non-openssl-md5-for-hashlib-in-python
