Use usedforsecurity=False for md5() calls to make suds work on FIPS enabled systems

[oalbrigt]

No description provided.

[phillbaker]

In reading s3tools/s3cmd#1005 (comment) and some of the linked blog posts/issues, it seems like this was only added in Python 3.9. If you can add code that checks the python version, this makes sense to me.

…

On Mon, Feb 28, 2022 at 5:27 AM Oyvind Albrigtsen ***@***.***> wrote: ------------------------------ You can view, comment on, or merge this pull request online at: #72 Commit Summary - 2ca2d05 <2ca2d05> Use usedforsecurity=False for md5() calls to make suds work on FIPS enabled systems File Changes (2 files <https://github.com/suds-community/suds/pull/72/files>) - *M* suds/reader.py <https://github.com/suds-community/suds/pull/72/files#diff-318a8848f0f369c3626638e439e3144f50f8d384f9ec1ac0815dfe212b32f951> (2) - *M* suds/wsse.py <https://github.com/suds-community/suds/pull/72/files#diff-2d50ac51fd315fb8a680da5f5600826da25a680faade11c5520033461c3da39c> (2) Patch Links: - https://github.com/suds-community/suds/pull/72.patch - https://github.com/suds-community/suds/pull/72.diff — Reply to this email directly, view it on GitHub <#72>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAXCKLH4QHIQSNLIQPBTFTU5NEZDANCNFSM5PQVXE3Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[ptoscano]

(part of subscription-manager/virt-who team here)

While this seems OK-ish, I wonder whether the Reader class needs md5 at all. It seems it is used only for caching, so I wonder there a cache system could be implemented without using md5 at all.

[oalbrigt]

I think you're right, but I dont see an issue in using it.

[phillbaker]

Thanks - I'm wondering if this could have "false positives" of catching ValueErrors (and then trying the version with usedforsecurity) when it shouldn't.

A few other options from looking at how others approach this:

• Flip the order and catch AttributeError, e.g.

        try:
            # FIPS requires usedforsecurity=False and might not be
            # available on all distros: https://bugs.python.org/issue9216
            h = md5(name.encode(), usedforsecurity=False).hexdigest()
        except AttributeError:
            h = md5(name.encode()).hexdigest()

• A compatibility method: git-cola/git-cola@5ae40d2#diff-a5804055429122cbb41a6b906aa928641e4d7fee27c79dbe7bb47c726eeaeb73R32
• Just checking for python version >= 3.9 https://github.com/pytest-dev/pytest-randomly/pull/415/files#diff-77e4b024fe5132833f7d62b9ffc8028a856311e1a3afbb81f5715efc2bea28b9R5

If this is available in earlier versions of python on RHEL, I can see how checking for python 3.9 doesn't make sense.

No strong opinions on this, but let me know what you think.

[oalbrigt]

That sounds like a better way to do it. I've pushed the update.