Skip to content

Fix download failing on FIPS machines #7698

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Apr 25, 2024
Merged

Fix download failing on FIPS machines #7698

merged 5 commits into from
Apr 25, 2024

Conversation

@MattTheCuber
Copy link
Contributor

@MattTheCuber MattTheCuber commented Apr 23, 2024

Description

This PR fixes downloads failing on FIPS enabled machines due to insecure MD5 hashing. The two solutions are to disable MD5 hashing (SHA1 is allowed and faster), or use the usedforsecurity=False flag. This PR uses the second method. However, the usedforsecurity flag only works for Python 3.9 and later (which was accounted for). Let me know if you have a better implementation to solve this issue.

The error thrown on FIPS enabled machine is:
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

Types of changes

  • Non-breaking change (fix or new feature that would not break existing functionality).
  • Breaking change (fix or new feature that would cause existing functionality to change).
  • New tests added to cover the changes.
  • Integration tests passed locally by running ./runtests.sh -f -u --net --coverage.
  • Quick tests passed locally by running ./runtests.sh --quick --unittests --disttests.
  • In-line docstrings updated.
  • Documentation updated, tested make html command in the docs/ folder.

@MattTheCuber
fix(apps): fix download fails on FIPS machines
8205192 
Signed-off-by: Matthew Vine <32849887+MattTheCuber@users.noreply.github.com>
@KumoLiu KumoLiu requested review from KumoLiu, Nic-Ma and ericspod April 23, 2024 15:33
ericspod
ericspod reviewed Apr 23, 2024
View reviewed changes
@ericspod
Copy link
Member

ericspod commented Apr 23, 2024

I think this change is fine. @Nic-Ma @KumoLiu just to check with you that there isn't any security implications to consider here.

@MattTheCuber @ericspod
docs(apps): add hash change comment
6dd0b82 
Co-authored-by: Eric Kerfoot <17726042+ericspod@users.noreply.github.com>
Signed-off-by: Matthew Vine <32849887+MattTheCuber@users.noreply.github.com>
@KumoLiu
Copy link
Contributor

KumoLiu commented Apr 24, 2024

I think this change is fine. @Nic-Ma @KumoLiu just to check with you that there isn't any security implications to consider here.

I checked the usage for this check_hash, looks only used for downloading, will merge this one first.

@KumoLiu
Copy link
Contributor

KumoLiu commented Apr 24, 2024

/build

@KumoLiu
Copy link
Contributor

KumoLiu commented Apr 24, 2024

/build

@KumoLiu KumoLiu merged commit 8c709de into Project-MONAI:dev Apr 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ericspod ericspod ericspod left review comments

@KumoLiu KumoLiu KumoLiu approved these changes

@Nic-Ma Nic-Ma Awaiting requested review from Nic-Ma Nic-Ma is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MattTheCuber @ericspod @KumoLiu