session.hashed_value uses hashlib.md5
Open akurtz-penguin opened 2 years ago

While this MD5 usage isn't security related, MD5 usage is deprecated. It triggers security warnings for scanners, and isn't available in a FIPS environment.
The easiest solution would be to use a different algorithm, such as SHA256 or SHA512.

I'm open to PRs that would allow this to be configurable by end-users, but I don't foresee myself supporting this anytime soon. That would address your concern with support for people using FIPS libraries.
This package does a lot to eke out as much performance and as small a footprint as possible. Potentially, only a substring of a larger digest could be used, but I still have reservations. Right now, dropping MD5 is off the table.

Quickly looking at the code for a refresher:
- `_SessionState`
  - needs to access a fingerprint
  - is only invoked by `RedisSession`
- `RedisSession`
  - needs to access a fingerprint
  - accepts multiple callables

What I'm comfortable with right now:
- `RedisSession` could accept/register a `fingerprint_func` callable (or similar name), then use that and pass it to `_SessionState`
- `RedisSessionFactory` would accept the same arg, and pass it to `RedisSession`
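Added example, not code from the package or from either participant: a pluggable `fingerprint_func` in the shape the maintainer's comment sketches, with a default that keeps MD5 where it works and falls back to a truncated SHA-256 where a FIPS-mode OpenSSL refuses MD5. `SessionState` and `RedisSession` here are simplified hypothetical stand-ins for `_SessionState` and `RedisSession`; `usedforsecurity` is the real Python 3.9+ `hashlib` parameter.

```python
import hashlib
import sys
from typing import Callable, Optional

FingerprintFunc = Callable[[bytes], str]


def md5_fingerprint(data: bytes) -> str:
    """Current behaviour: a 32-hex-char MD5 fingerprint used only for change detection."""
    if sys.version_info >= (3, 9):
        # usedforsecurity=False tells OpenSSL (and scanners) this is not a security use.
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    return hashlib.md5(data).hexdigest()


def sha256_fingerprint(data: bytes) -> str:
    """FIPS-approved alternative: SHA-256 truncated to 32 hex chars, so the stored
    value keeps the same length as the MD5 it replaces (the 'substring' idea)."""
    return hashlib.sha256(data).hexdigest()[:32]


def default_fingerprint_func() -> FingerprintFunc:
    """Prefer MD5 for compatibility with existing stored values; fall back to
    SHA-256 where the OpenSSL backend refuses MD5 (FIPS builds raise ValueError)."""
    try:
        md5_fingerprint(b"")
        return md5_fingerprint
    except ValueError:
        return sha256_fingerprint


class SessionState:
    """Hypothetical stand-in for _SessionState: remembers the fingerprint of the
    serialized session so a later save can tell whether anything changed."""

    def __init__(self, serialized: bytes, fingerprint_func: FingerprintFunc):
        self._fingerprint_func = fingerprint_func
        self.hashed_value = fingerprint_func(serialized)

    def changed(self, serialized: bytes) -> bool:
        return self._fingerprint_func(serialized) != self.hashed_value


class RedisSession:
    """Hypothetical stand-in for RedisSession: accepts the callable once and
    passes it down to SessionState, as the comment above proposes."""

    def __init__(self, serialized: bytes, fingerprint_func: Optional[FingerprintFunc] = None):
        self.fingerprint_func = fingerprint_func or default_fingerprint_func()
        self.state = SessionState(serialized, self.fingerprint_func)
```

An operator on a FIPS host would pass `fingerprint_func=sha256_fingerprint` explicitly (or via a factory argument), while everyone else keeps the existing MD5 values unchanged.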