Change auth.py to be used in a FIPS system

[Jose-albino]

Expected Result

Using the requests to perform a HTTPS action is working in a FIPS environment

Actual Result

In UNIX environment with fips enabled the MD5 can't be used.
It provides this error

ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

Solution

Apply this patch in auth.py

`

*** 145,151 ****
def md5_utf8(x):
if isinstance(x, str):
x = x.encode("utf-8")
! return hashlib.md5(x).hexdigest()
hash_utf8 = md5_utf8
elif _algorithm == "SHA":
--- 145,151 ----
def md5_utf8(x):
if isinstance(x, str):
x = x.encode("utf-8")
! return hashlib.md5(x,usedforsecurity=False).hexdigest()
hash_utf8 = md5_utf8
elif _algorithm == "SHA":

`

[SeJunB]

Could I work on this ticket ?
The usedforsecurity parameter is only available in python >= 3.9. Plan is to set usedforsecurity to True only if python version >= 3.9.

[Jose-albino]

that seems ok for me. We use already python 3.10/3.11 in our environment and i believe most cases also

[sigmavirus24]

We support all supported Python versions, which still includes 3.9

[SeJunB]

After giving this a thought, I am hesitant on adding the usedforsecurity attribute to MD5 in the HTTPDigestAuth class for the following reasons:

1. Security Documentation Conflict

• The hashlib documentation explicitly states that usedforsecurity should only be used in non-security contexts. Adding this attribute to HTTPDigestAuth would directly contradict this guidance.
• RFC 7616 does not recommend MD5 as a secure hashing algorithm for digest authentication.

2. FIPS Compliance and Compatibility Risks

• Setting usedforsecurity=False could inadvertently enable MD5-based HTTPDigestAuthentication in environments and could cause trouble for any users using requests in a FIPS environment.

Recommendation:

• Close this issue
• For teams requiring this specific configuration, recommend forking and maintaining a custom patched version
• Encourage migration to more secure hashing algorithms (e.g., SHA)

In my experience working with customers requiring FIPS compliance, they typically prefer upgrading to more secure authentication methods rather than maintaining legacy MD5-based approaches.