6

When I run the following on my MacBook, I get the error:

>>> import hashlib
>>> hashlib.md5(usedforsecurity=False)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: openssl_md5() takes no keyword arguments

But when I run it on my Linux box, it works!

>>> import hashlib
>>> hashlib.md5(usedforsecurity=False)
<md5 HASH object @ 0x7f763c1375d0>

My problem is, I need to run some safe, non-security-related code on my FIPS-enabled system (such as managing a cache of user requests which hashes the user query as an MD5 string). Using the usedforsecurity flag prevents a FIPS exception.

This works fine, except when I want to test my code on my MacBook. My MacBook's "libcrypto" library apparently doesn't support this usedforsecurity flag. Is there a good way to detect if the underlying C bindings behind hashlib.md5 support this flag or not?

robert

2 Answers

10

If you use hashlib.new('md5', usedforsecurity=False) instead of hashlib.md5(usedforsecurity=False), it will not raise an exception, even if the keyword argument is not supported.

Masood Khaari
monkeyman79

3

I ran into the same problem with FIPS and hashlib.md5(), but I was able to do this to check:

>>> import hashlib, inspect
>>> inspect.getargspec(hashlib.new)
ArgSpec(args=['name', 'string', 'usedforsecurity'], varargs=None, keywords=None, defaults=('', True))

On Python 3+, getargspec is deprecated, so getfullargspec should be used instead. The data structure is similar, but usedforsecurity is in the kwonlyargs field now.

>>> inspect.getfullargspec(hashlib.new)
FullArgSpec(args=['name', 'data'], varargs=None, varkw='kwargs', defaults=(b'',), kwonlyargs=['usedforsecurity'], kwonlydefaults={'usedforsecurity': True}, annotations={})
anthony sottile
Tim
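
Added example (not part of the question or either answer above): a portable wrapper for the cache-key use case in the question that probes the constructor by calling it, so the same code runs on a build that rejects the keyword and on one that accepts it. The names supports_usedforsecurity, nonsecurity_md5 and cache_key are hypothetical helpers chosen for this illustration.

```python
import hashlib


def supports_usedforsecurity(constructor=hashlib.md5):
    """Return True if `constructor` accepts the usedforsecurity keyword."""
    try:
        constructor(usedforsecurity=False)
    except TypeError:
        # Builds without the flag reject the keyword, as in the question's
        # "takes no keyword arguments" traceback.
        return False
    return True


def nonsecurity_md5(data=b"", constructor=hashlib.md5):
    """Return an MD5 object for non-security use (cache keys, checksums).

    Passes usedforsecurity=False only when the constructor accepts it, so a
    TypeError caused by bad input (for example str instead of bytes) is not
    mistaken for a missing keyword and still reaches the caller.
    """
    if supports_usedforsecurity(constructor):
        return constructor(data, usedforsecurity=False)
    return constructor(data)


def cache_key(query, constructor=hashlib.md5):
    """Hash a user query string into a hex cache key (not a security control)."""
    return nonsecurity_md5(query.encode("utf-8"), constructor).hexdigest()


if __name__ == "__main__":
    # Constructed sample query, for demonstration only.
    print("flag supported:", supports_usedforsecurity())
    print("cache key:", cache_key("SELECT * FROM users WHERE id = 1"))
```

The wrapper belongs only on paths where a collision or preimage has no security consequence; anything that authenticates or signs data should use a FIPS-approved hash instead.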