Cython fails to build code on FIPS-enabled systems


Cython crashes when it attempts to compile code on an FIPS-enabled system, because the md5 hashlib is disabled, as you can see in the log excerpt below (emphasis on the key error message mine):

```
------------------------------------------------------------

TestClass:8:5: Compiler crash in AnalyseDeclarationsTransform

ModuleNode.body = StatListNode(TestClass:4:0)
StatListNode.stats[1] = CnameDecoratorNode(TestClass:8:5,
    cname = '__pyx_TestClass')

Compiler crash traceback from this point on:
  File "Cython/Compiler/Visitor.py", line 180, in Cython.Compiler.Visitor.TreeVisitor._visit
  File "/tmp/pip-build-env-za1cx7s2/lib64/python3.4/site-packages/Cython/Compiler/ParseTreeTransforms.py", line 1635, in visit_CClassDefNode
    self._inject_pickle_methods(node)
  File "/tmp/pip-build-env-za1cx7s2/lib64/python3.4/site-packages/Cython/Compiler/ParseTreeTransforms.py", line 1703, in _inject_pickle_methods
    checksum = '0x%s' % hashlib.md5(' '.join(all_members_names).encode('utf-8')).hexdigest()[:7]
**ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips**
building 'cartopy.geodesic._geodesic' extension
creating build/temp.linux-x86_64-3.4/lib/cartopy/geodesic
/usr/bin/gcc -Wno-unused-result -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -I/opt/rh/rh-python34/root/usr/include -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -I/opt/rh/rh-python34/root/usr/include -I/tmp/pip-build-env-za1cx7s2/lib64/python3.4/site-packages/numpy/core/include -I/opt/rh/rh-python34/root/usr/include/python3.4m -c lib/cartopy/geodesic/_geodesic.c -o build/temp.linux-x86_64-3.4/lib/cartopy/geodesic/_geodesic.o
lib/cartopy/geodesic/_geodesic.c:1:2: error: #error Do not use this file, it is the result of a failed Cython compilation.
 #error Do not use this file, it is the result of a failed Cython compilation.
  ^
error: command '/usr/bin/gcc' failed with exit status 1
```

Is there a way to tell Cython to use an alternate hashlib, such as sha256? If not, there needs to be, because as it stands, no python package that requires Cython compiles can be built on any FIPS-enabled system. This is a serious, show-stopping problem.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
scoder commented, Jan 8, 2019

I changed the file fingerprinting to SHA-1 for 3.0. Thanks for the report.

1 reaction
scoder commented, Jan 8, 2019

(rolling eyes) … I wonder what the problem is that people have with MD5 for non-cryptographic use cases…

In case others are interested, FIPS is some certification standard from the USA: https://en.wikipedia.org/wiki/FIPS_140-2

MD5 is actually in the list of guaranteed algorithms (Py3.7):

```
>>> import hashlib
>>> hashlib.algorithms_guaranteed
{'sha3_224', 'sha3_384', 'shake_256', 'shake_128', 'sha256', 'sha1', 'sha384', 'sha512', 'blake2b', 'sha3_512', 'md5', 'blake2s', 'sha224', 'sha3_256'}
```

What hashes are available in your environment? SHA-1? I know, that’s considered broken, too, but it’s the fastest I have on my side, about twice as fast for me as SHA-256 (and actually a bit faster than MD-5). Funny enough, even SHA-512 is faster than SHA-256 for me. Might be a 64bit optimisation thing.

Also note that this only regards the Cython compiler itself. Cython generated modules are not impacted by this and should work just fine on a FIPS system.
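
An added example, not part of the issue thread and not Cython's code: the checksum expression from the traceback, rewritten so that a digest refused by the host's crypto policy is skipped instead of crashing the build. The names `member_checksum`, `fips_like_new`, the `new` parameter and the candidate order are assumptions made for illustration.

```python
import hashlib

# Preference order is an assumption of this example, not Cython's own list.
CANDIDATES = ("md5", "sha1", "sha256")


def member_checksum(all_members_names, new=hashlib.new, candidates=CANDIDATES):
    """Return (algorithm, checksum) using the first digest the host permits.

    The checksum has the same shape as the one in the traceback: '0x' plus
    the first 7 hex digits of the digest of the space-joined member names.
    `new` is injectable (hypothetical parameter) so the FIPS path can be
    exercised on a host that is not in FIPS mode.
    """
    data = " ".join(all_members_names).encode("utf-8")
    for name in candidates:
        try:
            try:
                # Python 3.9+: declare the non-cryptographic use explicitly.
                digest = new(name, data, usedforsecurity=False)
            except TypeError:
                # Older interpreters do not accept the keyword.
                digest = new(name, data)
        except ValueError:
            # OpenSSL refused the algorithm, e.g. "disabled for fips".
            continue
        return name, "0x%s" % digest.hexdigest()[:7]
    raise RuntimeError("no permitted digest among %r" % (candidates,))


def fips_like_new(name, data=b"", **kwargs):
    """Constructed stand-in for hashlib.new on a host that refuses MD5."""
    if name == "md5":
        raise ValueError("error:060800A3:digital envelope routines:"
                         "EVP_DigestInit_ex:disabled for fips")
    return hashlib.new(name, data)


if __name__ == "__main__":
    members = ["lat", "lon", "radius"]  # constructed sample member names
    print(member_checksum(members))                      # this host's policy
    print(member_checksum(members, new=fips_like_new))   # MD5 refused
```

The checksum value depends on which digest was selected, so two builds that fall back to different algorithms produce different values for the same member list.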
