Mark non-security md5 usage to allow for compatibility with fips environments #1288

Open
lratc wants to merge 1 commit into apache:trunk from lratc:fips_compatibility_mark_non_security_md5

lratc commented Apr 23, 2026

As per python/cpython#53462 hashlib.md5() takes an implicit "usedforsecurity=True" argument. In a FIPS-140 environment, this causes the cassandra-python-driver to error as md5 is not permitted for security usage.

ModuleNotFoundError: No module named 'md5'

Within the context of this package, the token is not used for security - this is used for an internal hashing function only, so marking it as usedforsecurity=False is a straightforward method to permit its usage without affecting compatibility.

Copilot AI left a comment

Pull request overview

This PR updates the Cassandra driver’s MD5-based token hashing to explicitly mark MD5 usage as non-security-related, improving compatibility with FIPS-140 environments where MD5 may be disallowed for security purposes.

Changes:

  • Replace from hashlib import md5 with import hashlib.
  • Update MD5Token.hash_fn to call hashlib.md5(..., usedforsecurity=False).

Comment thread cassandra/metadata.py
if isinstance(key, str):
key = key.encode('UTF-8')
return abs(varint_unpack(md5(key).digest()))
return abs(varint_unpack(hashlib.md5(key,usedforsecurity=False).digest()))
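
Review bot: The usedforsecurity keyword on the changed return line is only accepted by hashlib constructors from Python 3.9 onward, so on any older interpreter the driver still supports, hash_fn would raise TypeError on every token hash. Either confirm the minimum supported Python version covers it, or resolve the constructor once at import time with a fallback to the previous call without the keyword. A one-line comment above the call saying that the digest only derives a token and is not an integrity or authentication value would also keep the flag from being copied to call sites where that does not hold.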

Copilot AI Apr 27, 2026

PEP8/style: add a space after the comma in hashlib.md5(key,usedforsecurity=False) for readability/consistency (i.e., key, usedforsecurity=False).

Suggested change
return abs(varint_unpack(hashlib.md5(key,usedforsecurity=False).digest()))
return abs(varint_unpack(hashlib.md5(key, usedforsecurity=False).digest()))

Copilot uses AI. Check for mistakes.
Comment thread cassandra/metadata.py
if isinstance(key, str):
key = key.encode('UTF-8')
return abs(varint_unpack(md5(key).digest()))
return abs(varint_unpack(hashlib.md5(key,usedforsecurity=False).digest()))

Copilot AI Apr 27, 2026

hashlib.md5(..., usedforsecurity=False) is not supported by all Python implementations (e.g., PyPy may raise TypeError: md5() takes no keyword arguments), which would break token hashing at runtime. Consider feature-detecting support once (e.g., try calling with usedforsecurity=False and fall back to a call without the kwarg) so the driver remains compatible while still fixing FIPS on CPython/OpenSSL builds that honor the flag.

Copilot uses AI. Check for mistakes.
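
The feature detection suggested in the comment above, as an added sketch that is not part of the PR or the driver's own code. The names make_md5, md5_token and legacy_md5 are hypothetical, and int.from_bytes(..., signed=True) stands in for the driver's varint_unpack, which is assumed here to read a signed big-endian integer.

```python
import hashlib


def make_md5(ctor=hashlib.md5):
    """Probe once whether ctor accepts usedforsecurity and return a
    one-argument MD5 callable (hypothetical helper, not driver code)."""
    try:
        ctor(b"", usedforsecurity=False)
    except TypeError:
        # Keyword rejected (Python < 3.9, or an implementation without it):
        # call the constructor the way the driver did before the change.
        def md5(data):
            return ctor(data)
        md5.marks_non_security = False
        return md5
    except ValueError:
        # Keyword parsed but the digest is unavailable in this build; keep
        # the flag so the error surfaces at hash time, not at import time.
        pass

    def md5(data):
        return ctor(data, usedforsecurity=False)
    md5.marks_non_security = True
    return md5


MD5 = make_md5()  # resolved once, at import


def md5_token(key, md5=MD5):
    """Token computed as in the hunk: abs of the digest read as a signed
    big-endian integer (stand-in for varint_unpack; an assumption)."""
    if isinstance(key, str):
        key = key.encode("UTF-8")
    return abs(int.from_bytes(md5(key).digest(), "big", signed=True))


def legacy_md5(data=b""):
    """Constructed stand-in for an md5() that takes no keyword arguments."""
    return MD5(data)


if __name__ == "__main__":
    fallback = make_md5(legacy_md5)
    print(MD5.marks_non_security, fallback.marks_non_security)
    print(md5_token("abc") == md5_token("abc", fallback))
```

Both paths yield the same token, so the fallback changes only whether the call is marked non-security, not how keys map to tokens.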