Fix download failing on FIPS machines #7698

Merged
merged 5 commits into from
Apr 25, 2024


MattTheCuber
Contributor

Description

This PR fixes downloads failing on FIPS-enabled machines due to insecure MD5 hashing. The two solutions are to disable MD5 hashing (SHA1 is allowed and faster), or use the usedforsecurity=False flag. This PR uses the second method. However, the usedforsecurity flag only works for Python 3.9 and later (which was accounted for). Let me know if you have a better implementation to solve this issue.

The error thrown on a FIPS-enabled machine is:
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

Types of changes

  • Non-breaking change (fix or new feature that would not break existing functionality).
  • Breaking change (fix or new feature that would cause existing functionality to change).
  • New tests added to cover the changes.
  • Integration tests passed locally by running ./runtests.sh -f -u --net --coverage.
  • Quick tests passed locally by running ./runtests.sh --quick --unittests --disttests.
  • In-line docstrings updated.
  • Documentation updated, tested make html command in the docs/ folder.

Signed-off-by: Matthew Vine <32849887+MattTheCuber@users.noreply.github.com>
Review comment on monai/apps/utils.py (outdated, resolved)
@ericspod
Member

I think this change is fine. @Nic-Ma @KumoLiu just to check with you that there aren't any security implications to consider here.

Co-authored-by: Eric Kerfoot <17726042+ericspod@users.noreply.github.com>
Signed-off-by: Matthew Vine <32849887+MattTheCuber@users.noreply.github.com>
@KumoLiu
Contributor

KumoLiu commented Apr 24, 2024

> I think this change is fine. @Nic-Ma @KumoLiu just to check with you that there aren't any security implications to consider here.

I checked the usage of this check_hash; it looks like it is only used for downloading. Will merge this one first.

@KumoLiu
Contributor

KumoLiu commented Apr 24, 2024

/build

@KumoLiu
Contributor

KumoLiu commented Apr 24, 2024

/build

@KumoLiu KumoLiu merged commit 8c709de into Project-MONAI:dev Apr 25, 2024
28 checks passed
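
The approach described in the PR description (pass usedforsecurity=False to hashlib on Python 3.9 and later, plain construction otherwise) can be sketched as below. This is an added example, not the code merged in this PR or MONAI's own implementation; the names `ALLOWED`, `new_hasher`, `file_matches` and `demo` are hypothetical, and the sample file is constructed.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Hypothetical allow-list for this example; not taken from the PR.
ALLOWED = {"md5", "sha1", "sha256", "sha512"}


def new_hasher(hash_type="md5"):
    """Build a hash object meant for download-integrity checks only."""
    if hash_type not in ALLOWED:
        raise ValueError(f"unsupported hash type: {hash_type!r}")
    if sys.version_info >= (3, 9):
        # usedforsecurity=False declares non-security use of the digest;
        # per the PR description this avoids the FIPS ValueError for MD5.
        return hashlib.new(hash_type, usedforsecurity=False)
    # Python < 3.9 has no such flag, so on a FIPS machine md5 still raises
    # ValueError here and the caller must pick an approved algorithm.
    return hashlib.new(hash_type)


def file_matches(path, expected_hex, hash_type="md5", chunk=1024 * 1024):
    """Return True if the file's digest equals expected_hex."""
    hasher = new_hasher(hash_type)
    with open(path, "rb") as fh:
        # Read in chunks so large downloads are not loaded into memory.
        for block in iter(lambda: fh.read(chunk), b""):
            hasher.update(block)
    return hasher.hexdigest() == expected_hex.strip().lower()


def demo():
    """Check a constructed 3-byte file against known digests of b'abc'."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"abc")  # constructed sample input
        return {
            "md5_ok": file_matches(sample, "900150983cd24fb0d6963f7d28e17f72"),
            "sha1_ok": file_matches(
                sample, "a9993e364706816aba3e25717850c26c9cd0d89d", "sha1"),
            "tampered": file_matches(sample, "0" * 32),
        }


if __name__ == "__main__":
    print(demo())
```

A matching MD5 here only detects accidental corruption of the download; it does not show that the file is authentic.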