Cython fails to build code on FIPS-enabled systems #2790

Closed
Cynthia-Higginbotham opened this issue Jan 8, 2019 · 5 comments
@Cynthia-Higginbotham

Cython crashes when it attempts to compile code on an FIPS-enabled system, because the md5 hashlib is disabled, as you can see in the log excerpt below (emphasis on the key error message mine):

```
------------------------------------------------------------

TestClass:8:5: Compiler crash in AnalyseDeclarationsTransform

ModuleNode.body = StatListNode(TestClass:4:0)
StatListNode.stats[1] = CnameDecoratorNode(TestClass:8:5,
    cname = '__pyx_TestClass')

Compiler crash traceback from this point on:
  File "Cython/Compiler/Visitor.py", line 180, in Cython.Compiler.Visitor.TreeVisitor._visit
  File "/tmp/pip-build-env-za1cx7s2/lib64/python3.4/site-packages/Cython/Compiler/ParseTreeTransforms.py", line 1635, in visit_CClassDefNode
    self._inject_pickle_methods(node)
  File "/tmp/pip-build-env-za1cx7s2/lib64/python3.4/site-packages/Cython/Compiler/ParseTreeTransforms.py", line 1703, in _inject_pickle_methods
    checksum = '0x%s' % hashlib.md5(' '.join(all_members_names).encode('utf-8')).hexdigest()[:7]
**ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips**
building 'cartopy.geodesic._geodesic' extension
creating build/temp.linux-x86_64-3.4/lib/cartopy/geodesic
/usr/bin/gcc -Wno-unused-result -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -I/opt/rh/rh-python34/root/usr/include -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/opt/rh/rh-python34/root/usr/include -I/tmp/pip-build-env-za1cx7s2/lib64/python3.4/site-packages/numpy/core/include -I/opt/rh/rh-python34/root/usr/include/python3.4m -c lib/cartopy/geodesic/_geodesic.c -o build/temp.linux-x86_64-3.4/lib/cartopy/geodesic/_geodesic.o
lib/cartopy/geodesic/_geodesic.c:1:2: error: #error Do not use this file, it is the result of a failed Cython compilation.
 #error Do not use this file, it is the result of a failed Cython compilation.
  ^
error: command '/usr/bin/gcc' failed with exit status 1
```

Is there a way to tell Cython to use an alternate hashlib, such as sha256? If not, there needs to be, because as it stands, no python package that requires Cython compiles can be built on any FIPS-enabled system. This is a serious, show-stopping problem.

@scoder
Contributor

scoder commented Jan 8, 2019

(rolling eyes) … I wonder what the problem is that people have with MD5 for non-cryptographic use cases…

In case others are interested, FIPS is some certification standard from the USA: https://en.wikipedia.org/wiki/FIPS_140-2

MD5 is actually in the list of guaranteed algorithms (Py3.7):

```python
>>> import hashlib
>>> hashlib.algorithms_guaranteed
{'sha3_224', 'sha3_384', 'shake_256', 'shake_128', 'sha256', 'sha1', 'sha384', 'sha512', 'blake2b', 'sha3_512', 'md5', 'blake2s', 'sha224', 'sha3_256'}
```

What hashes are available in your environment? SHA-1? I know, that's considered broken, too, but it's the fastest I have on my side, about twice as fast for me as SHA-256 (and actually a bit faster than MD-5). Funny enough, even SHA-512 is faster than SHA-256 for me. Might be a 64bit optimisation thing.

Also note that this only regards the Cython compiler itself. Cython generated modules are not impacted by this and should work just fine on a FIPS system.
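
Added example, not part of the thread and not Cython's code: `hashlib.algorithms_guaranteed` lists names Python knows, not digests the local OpenSSL will instantiate, so the code below probes each candidate and builds a checksum in the shape of the traceback's line from the first one that works. The function names, the preference order and the `no-such-digest` stand-in for a disabled algorithm are assumptions of this example.

```python
import hashlib

# Preference order is an assumption of this example, not Cython's own choice.
PREFERRED = ("md5", "sha1", "sha256")


def new_fingerprint_hash(name, data=b""):
    """Hash object for a non-cryptographic fingerprint."""
    try:
        # Python 3.9+: flag the non-security use; FIPS builds may then allow it.
        return hashlib.new(name, data, usedforsecurity=False)
    except TypeError:
        return hashlib.new(name, data)  # interpreter rejects the keyword


def usable_algorithms(candidates=PREFERRED):
    """Candidates that can really be instantiated in this environment.

    The constructor raises ValueError when a digest is disabled (the
    'disabled for fips' error in the log above) or unknown.
    """
    usable = []
    for name in candidates:
        try:
            new_fingerprint_hash(name, b"probe").hexdigest()
        except ValueError:
            continue
        usable.append(name)
    return usable


def member_checksum(member_names, candidates=PREFERRED):
    """Return (algorithm, '0x' + first 7 hex digits of the digest)."""
    usable = usable_algorithms(candidates)
    if not usable:
        raise RuntimeError("no usable hash among %r" % (candidates,))
    name = usable[0]
    payload = " ".join(member_names).encode("utf-8")
    digest = new_fingerprint_hash(name, payload).hexdigest()
    return name, "0x%s" % digest[:7]


if __name__ == "__main__":
    # Constructed input; "no-such-digest" stands in for a disabled algorithm.
    print(usable_algorithms())
    print(member_checksum(["x", "y"], ("no-such-digest", "sha256")))
```

The checksum depends on which algorithm was picked, which is why the function returns the algorithm name alongside the value.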

@scoder scoder added this to the 3.0 milestone Jan 8, 2019
@scoder scoder closed this as completed in f00af64 Jan 8, 2019
@scoder
Contributor

scoder commented Jan 8, 2019

I changed the file fingerprinting to SHA-1 for 3.0. Thanks for the report.

@jameshalgren

Related (or possibly same) failure discussed here: https://bugzilla.redhat.com/show_bug.cgi?id=984445

@scoder What did you do to change the file fingerprinting and (presumably) successfully compile?

tag @hellkite500

@da-woods
Contributor

da-woods commented Apr 7, 2021

> What did you do to change the file fingerprinting and (presumably) successfully compile?

Presumably f00af64?

@hellkite500

@jameshalgren da-woods beat me to it:

Looking at the git-blame this looks like the commit f00af64 changed the hash algorithm.

Since this isn't in the released version, you can either try to patch yourself, or pull and install from head or some other candidate that has this change, i.e. this alpha release
