Use usedforsecurity=False when calling hashlib.blake2b to avoid crashing on FIPS enabled systems #1934

Closed
simonw opened this issue Feb 14, 2024 · 3 comments

Comments

@simonw
Contributor

simonw commented Feb 14, 2024

As reported here:

Pint currently uses the hashlib.blake2b hashing function:

_hasher: ty.Callable[
    [
        bytes,
    ],
    HasherProtocol,
] = hashlib.blake2b

On systems with FIPS enabled (I only just learned about these today, see my notes here) this will result in a runtime error that looks something like this:

ValueError: [digital envelope routines] unsupported

The fix as-of Python 3.9 is to pass usedforsecurity=False to the hashlib.blake2b constructor, documented here.

To continue supporting Python 3.8 you can use the pattern I demonstrate in https://til.simonwillison.net/python/md5-fips

import hashlib


def md5_not_usedforsecurity(s):
    # Hash a str for a non-security purpose; works with and without the keyword.
    try:
        return hashlib.md5(s.encode("utf8"), usedforsecurity=False).hexdigest()
    except TypeError:
        # For Python 3.8 which does not support usedforsecurity=False
        return hashlib.md5(s.encode("utf8")).hexdigest()
@simonw simonw changed the title Use Use usedforsecurity=False when calling hashlib.blake2b to avoid crashing on FIPS enabled systes Feb 14, 2024
@simonw simonw changed the title Use usedforsecurity=False when calling hashlib.blake2b to avoid crashing on FIPS enabled systes Use usedforsecurity=False when calling hashlib.blake2b to avoid crashing on FIPS enabled systems Feb 14, 2024
@simonw
Contributor Author

simonw commented Feb 14, 2024

Looks like 3.8 isn't supported anyway:

requires-python = ">=3.9"

@hgrecco
Owner

hgrecco commented Feb 14, 2024

This has been fixed in flexparser and the fix will be moved into pint.

Also Pint follows NEP29. Next version of Pint will be released in Apr/May and the Minimum Python and Numpy versions will be 3.10+ and 1.23+.

simonw added a commit to simonw/pint that referenced this issue Feb 14, 2024
mjsir911 pushed a commit to terrapower/pint that referenced this issue Mar 4, 2024
@hgrecco
Owner

hgrecco commented Mar 9, 2024

This has been fixed.

@hgrecco hgrecco closed this as completed Mar 9, 2024