Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change auth.py to be used in a FIPS system #6810

Open
Jose-albino opened this issue Oct 18, 2024 · 4 comments
Open

Change auth.py to be used in a FIPS system #6810

Jose-albino opened this issue Oct 18, 2024 · 4 comments

Comments

@Jose-albino
Copy link

Jose-albino commented Oct 18, 2024
edited
Loading

Expected Result

Using the requests to perform a HTTPS action is working in a FIPS environment

Actual Result

In UNIX environment with fips enabled the MD5 can't be used.
It provides this error

ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

Solution

Apply this patch in auth.py

`

*** 145,151 ****
def md5_utf8(x):
if isinstance(x, str):
x = x.encode("utf-8")
! return hashlib.md5(x).hexdigest()
hash_utf8 = md5_utf8
elif _algorithm == "SHA":
--- 145,151 ----
def md5_utf8(x):
if isinstance(x, str):
x = x.encode("utf-8")
! return hashlib.md5(x,usedforsecurity=False).hexdigest()
hash_utf8 = md5_utf8
elif _algorithm == "SHA":

`
@Jose-albino Jose-albino changed the title FIPS capable library Change auth.py to be used in a FIPS system Oct 18, 2024
@SeJunB
Copy link

SeJunB commented Nov 6, 2024
edited
Loading

Could I work on this ticket ?
The usedforsecurity parameter is only available in python >= 3.9. Plan is to set usedforsecurity to True only if python version >= 3.9.

@Jose-albino
Copy link
Author

that seems ok for me. We use already python 3.10/3.11 in our environment and i believe most cases also

@sigmavirus24
Copy link
Contributor

We support all supported Python versions, which still includes 3.9

@SeJunB
Copy link

SeJunB commented Nov 29, 2024

After giving this a thought, I am hesitant on adding the usedforsecurity attribute to MD5 in the HTTPDigestAuth class for the following reasons:

  1. Security Documentation Conflict
  • The hashlib documentation explicitly states that usedforsecurity should only be used in non-security contexts. Adding this attribute to HTTPDigestAuth would directly contradict this guidance.
  • RFC 7616 does not recommend MD5 as a secure hashing algorithm for digest authentication.
  1. FIPS Compliance and Compatibility Risks
  • Setting usedforsecurity=False could inadvertently enable MD5-based HTTPDigestAuthentication in environments and could cause trouble for any users using requests in a FIPS environment.

Recommendation:

  • Close this issue
  • For teams requiring this specific configuration, recommend forking and maintaining a custom patched version
  • Encourage migration to more secure hashing algorithms (e.g., SHA)

In my experience working with customers requiring FIPS compliance, they typically prefer upgrading to more secure authentication methods rather than maintaining legacy MD5-based approaches.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@sigmavirus24 @SeJunB @Jose-albino and others