
Comments (5)

cackharot avatar cackharot commented on August 27, 2024

A PR to address this is most welcome. Also if you provide the details of what value it will add to this lib and what effects this will make (e.g, compatibility) it would be easier to understand and contribute.

from suds-py3.

bhavyashah-crest avatar bhavyashah-crest commented on August 27, 2024

Hi @cackharot,
Thanks for your response, here is my analysis:

Analysis for file: suds/wsse.py
Occurrence in code:

# module-level import the body relies on (suds/wsse.py): from hashlib import md5

    def setnonce(self, text=None):
        """
        Set I{nonce}, which is an arbitrary set of bytes used to prevent
        replay attacks.
        @param text: The nonce text value.
            Generated when I{None}.
        @type text: str
        """
        if text is None:
            # derive the nonce from username, password and the current time
            s = []
            s.append(self.username)
            s.append(self.password)
            s.append(Token.sysdate())
            m = md5()
            m.update(':'.join(s).encode("utf-8"))
            self.nonce = m.hexdigest()
        else:
            self.nonce = text

Issue
The above method uses the MD5 algorithm to generate the nonce that can be used to prevent replay attacks. As MD5 is not FIPS compliant, the above method could fail on FIPS-enabled platforms.

Resolution
While finding an alternative for the MD5, I found that the MD5 function is replaced by SHA-256 and SHA-512 in later versions of Digest Access Authentication (Method which we are using).

Impact
While MD5 produces the message digest that is 128 bit long, sha256 produces the message digest that is 256 bit long. But, as the nonces are the random number issued in the authentication, this should not affect anything.

Analysis for file: suds/reader.py
Occurrence in code:

# module-level import the body relies on (suds/reader.py): import hashlib

    def mangle(self, name, x):
        """
        Mangle the name by hashing the I{name} and appending I{x}.
        @return: the mangled name.
        """
        h = hashlib.md5(name.encode('utf8')).hexdigest()
        return '%s-%s' % (h, x)

Issue
The above method uses the MD5 algorithm to generate the nonce that can be used to prevent replay attacks. As MD5 is not FIPS compliant, the above method could fail on FIPS-enabled platforms.

Resolution
The above method mangles (generates the hash for) the name variable, appends it with x and returns it. The returned value is used as a name to cache and retrieve the vCenter Server properties.

Impact
Using the sha1 algorithm to generate hashes will provide a hash of 160 bits, which is a little longer than the hash provided by the md5 algorithm. It will not be an issue, as it will only be used as a name to get and set the cache.

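For reference, the two replacements discussed in the analysis above, written out as an added example (this is not suds-py3's code, nor the contents of the pull request). It assumes that `Token.sysdate()` in suds yields a timestamp string, which is stood in for here by an ISO-8601 UTC timestamp; `make_nonce`, `make_random_nonce`, `mangle` and `digest_bits` are names chosen for this example. It also shows the two caveats a reviewer would want next to the change: a nonce only needs to be unpredictable and unique, so drawing it from the OS CSPRNG avoids the hash question entirely, and a cache-key hash such as `mangle` is not a security use at all, so on Python 3.9+ `hashlib.md5(..., usedforsecurity=False)` is also accepted under FIPS mode.

```python
"""Added example (not suds-py3 project code): FIPS-friendly variants of
the two MD5 uses discussed in this issue, wsse.setnonce and reader.mangle."""
import hashlib
import secrets
from datetime import datetime, timezone


def make_nonce(username, password, sysdate=None):
    """Derive a nonce the way suds' setnonce() does (username:password:date),
    but with SHA-256 instead of MD5. `sysdate` defaults to the current UTC
    time; suds' Token.sysdate() is assumed to produce a comparable string."""
    if sysdate is None:
        sysdate = datetime.now(timezone.utc).isoformat()
    m = hashlib.sha256()
    m.update(':'.join([username, password, sysdate]).encode('utf-8'))
    return m.hexdigest()


def make_random_nonce(nbytes=16):
    """A nonce that does not depend on any digest algorithm: 128 random bits
    from the OS CSPRNG. This satisfies the replay-protection purpose of a
    nonce (unpredictable, unique per message) and raises no FIPS question."""
    return secrets.token_hex(nbytes)


def mangle(name, x, algorithm='sha256'):
    """Cache-key mangling like suds' reader.mangle(). The digest is only used
    to build a cache file name, so collision resistance is not the concern;
    SHA-256 simply keeps the call allowed in FIPS mode. Passing
    algorithm='md5' together with a FIPS-mode OpenSSL would raise ValueError
    unless the caller uses hashlib.md5(data, usedforsecurity=False)."""
    h = hashlib.new(algorithm, name.encode('utf8')).hexdigest()
    return '%s-%s' % (h, x)


def digest_bits(algorithm):
    """Digest length in bits, to make the Impact sections concrete:
    md5 -> 128, sha1 -> 160, sha256 -> 256."""
    return hashlib.new(algorithm).digest_size * 8


if __name__ == '__main__':
    # constructed sample credentials; the date is fixed so the output is reproducible
    print(make_nonce('user', 'pass', '2024-08-27T00:00:00+00:00'))
    print(make_random_nonce())
    print(mangle('https://example.invalid/vim/vimService.wsdl', 'wsdl'))
    for alg in ('md5', 'sha1', 'sha256'):
        print(alg, digest_bits(alg))
```

The longer hex string is the only visible effect of the swap: a SHA-256 nonce is 64 hex characters instead of 32, and the mangled cache name grows by the same amount, which matters only if something downstream imposes a length limit on the nonce element or on cache file names.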

Orangensaft avatar Orangensaft commented on August 27, 2024

I have opened a pull request to fix this issue :)


cackharot avatar cackharot commented on August 27, 2024

Done. Thanks!


bhavyashah-crest avatar bhavyashah-crest commented on August 27, 2024

Hi @cackharot,
Thanks for the quick action. Can you please tell me when the new version of the suds-py3 library is being released?
If it is going to take time, what would be the procedure to make the above changes in the already released library and use it?
Big thanks,

