hashlib.md5 not supported when FIPS is enabled
We are using python3.11 on a RHEL9 instance with FIPS enabled. pytype is failing with _hashlib.UnsupportedDigestmodError: [digital envelope routines] unsupported
Can a FIPS compliant hash function be used here? https://github.com/google/pytype/blob/97d949161b27259af283fc1d271f8cf056ddf9b6/pytype/pyi/parser.py#L783
It looks like md5 is used in a few other places as well: https://github.com/search?q=repo%3Agoogle%2Fpytype%20md5&type=code
ninja: Entering directory `.pytype'
[1/13] check tests.testingUtils
FAILED: /home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/src/.pytype/pyi/tests/testingUtils.pyi
/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/bin/python3.11 -m pytype.main --imports_info /home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/src/.pytype/imports/tests.testingUtils.imports --module-name tests.testingUtils --platform linux -V 3.11 -o /home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/src/.pytype/pyi/tests/testingUtils.pyi --analyze-annotated --nofail --quick /home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/src/tests/testingUtils.py
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/main.py", line 150, in <module>
sys.exit(main() or 0)
^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/main.py", line 135, in main
return _run_pytype(options)
^^^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/main.py", line 146, in _run_pytype
return io.process_one_file(options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/io.py", line 72, in wrapper
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/io.py", line 274, in process_one_file
ret = check_or_generate_pyi(options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/io.py", line 72, in wrapper
return f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/io.py", line 244, in check_or_generate_pyi
ast = pytd_builtins.GetDefaultAst(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/imports/builtin_stubs.py", line 40, in GetDefaultAst
return parser.parse_string(src=DEFAULT_SRC, options=options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/pyi/parser.py", line 897, in parse_string
return parse_pyi(src, filename=filename, module_name=name, options=options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/pyi/parser.py", line 920, in parse_pyi
root = post_process_ast(root, src, module_name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/ec2-user/jenkins/workspace/er_MyProject-Analytics_PR-391/.pyenv-python3.11/lib64/python3.11/site-packages/pytype/pyi/parser.py", line 783, in post_process_ast
ast = ast.Replace(name=hashlib.md5(src.encode("utf-8")).hexdigest())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
_hashlib.UnsupportedDigestmodError: [digital envelope routines] unsupported
ninja: build stopped: subcommand failed.
Just needs to be changed to
ast = ast.Replace(name=hashlib.md5(src.encode("utf-8"), usedforsecurity=False).hexdigest())
Confirmed this does work on my RHEL9 instance with FIPS enabled.
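An added example, not part of the thread and not pytype's own code: a small AST-based audit that lists `hashlib.md5(...)` and `hashlib.new("md5", ...)` calls that do not pass `usedforsecurity=False`, the call pattern behind the traceback above. The names `find_unflagged_calls`, `_digest_name`, `NON_FIPS_DIGESTS` and the `SAMPLE` input are assumptions made for this illustration.

```python
import ast

# Digest named in the traceback; extend the set if your FIPS policy blocks others.
NON_FIPS_DIGESTS = {"md5"}

# Constructed sample input (not pytype source); lines 2 and 4 should be reported.
SAMPLE = '''\
import hashlib
a = hashlib.md5(src.encode("utf-8")).hexdigest()
b = hashlib.md5(src.encode("utf-8"), usedforsecurity=False).hexdigest()
c = hashlib.new("md5", data)
d = hashlib.sha256(data).hexdigest()
'''


def _digest_name(call):
    """Return the digest selected by hashlib.<name>(...) or hashlib.new("<name>", ...)."""
    func = call.func
    if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "hashlib"):
        return None  # aliased imports (from hashlib import md5) are out of scope here
    if func.attr != "new":
        return func.attr
    if call.args and isinstance(call.args[0], ast.Constant):
        return str(call.args[0].value).lower()
    return None


def find_unflagged_calls(source):
    """Return sorted (line, call_text) pairs for calls lacking usedforsecurity=False."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _digest_name(node) not in NON_FIPS_DIGESTS:
            continue
        opted_out = any(
            kw.arg == "usedforsecurity"
            and isinstance(kw.value, ast.Constant) and kw.value.value is False
            for kw in node.keywords)
        if not opted_out:
            findings.append((node.lineno, ast.unparse(node)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, text in find_unflagged_calls(SAMPLE):
        print(f"line {lineno}: {text}")
```

Each reported call still needs a manual decision: add `usedforsecurity=False` only where the digest is a cache key or fingerprint, and switch to an approved hash where it protects integrity or authenticity.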
Hi, thank you for your report. Google is shifting its effort to a different approach for type checking apart from pytype, and we're not planning to put in any effort in the near future in pytype, so we'll close this issue. Please see the announcement here.