问题
I generate md5 content hashes for upload verification, but it has recently come to my attention that this will fail for any users running on a FIPS enabled machine. FIPS disables openssl md5, resulting in a ValueError
when I try to initialize hashlib. Normally I would use SHA instead, but I'm relying on an external service which requires a content-md5 header.
My question is this: Is there any way to force Python to use a non-openssl hashing function? There was some talk here about adding a usedforsecurity
flag, but it doesn't seem to have gone anywhere.
回答1:
The answer to "how can I send a content-md5 header from a FIPS mode machine" is you don't use non-FIPS validated algorithms when FIPS mode is enabled as you would likely be violating federal regulations or organizational policy by doing so, since the only significant reason to FIPS enable a machine is if there is a regulatory (or perhaps preventive policy) requirement to do so.
There is some discussion in this github issues list as well, suggesting that content-md5 must be optional.
Give that regulatory requirement, you CANNOT use MD5, since it is not a FIPS compliant algorithm, and therefore CANNOT have a FIPS validated(!) implementation.
You need to do one of the following:
get that service to not require the content-md5 header
use a different service
use a different originating machine which is not required to be in FIPS mode
If your management needs a reference, see Annex A Approved Security Functions for FIPS PUB 140-2, straight from nist.gov.
回答2:
Flag usedforsecurity=False is available only on some of the distributions as it is not part of the upstream. You can find in in Red Hat Enterprise Linux and derivates (CentOs, Scientific Linux, Oracle Unbreakable Linux, ...).
You are free to use md5 (and other cryptographically dangerous hashes) only for non-crypto stuff, e.g. using it for caching results.
md5=hashlib.new('md5',usedforsecurity=False)
md5.update(data_to_hash)
hex=md5.hexdigest()
来源:https://stackoverflow.com/questions/35586302/is-there-any-way-to-use-non-openssl-md5-for-hashlib-in-python