nedbat / cog

Small bits of Python computation for static files
MIT License

Cog fails to run on a FIPS-compliant system #26

Closed khanfluence closed 9 months ago

khanfluence commented 10 months ago

I can't run Cog because my hosts operate in FIPS mode. Cog uses MD5, which isn't compliant with FIPS. By default in Python, hashes are considered a security item by FIPS. Python added a usedforsecurity argument to hashlib constructors for non-cryptographic usage: https://docs.python.org/3/library/hashlib.html#hash-algorithms. Also, FIPS generally approves the SHA-2 family of hashes: https://csrc.nist.gov/pubs/fips/180-4/upd1/final.

Here's output from running Cog on a FIPS-mode host:

[dev@6d507bf42c10 cog-example]$ cog -r cog-input
Cogging cog-input
Traceback (most recent call last):
  File "/home/dev/cog-example/.venv/bin/cog", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/dev/cog-example/.venv/lib64/python3.11/site-packages/cogapp/cogapp.py", line 845, in main
    return Cog().main(sys.argv)
           ^^^^^^^^^^^^^^^^^^^^
  File "/home/dev/cog-example/.venv/lib64/python3.11/site-packages/cogapp/cogapp.py", line 794, in main
    self.callableMain(argv)
  File "/home/dev/cog-example/.venv/lib64/python3.11/site-packages/cogapp/cogapp.py", line 782, in callableMain
    self.processArguments([a])
  File "/home/dev/cog-example/.venv/lib64/python3.11/site-packages/cogapp/cogapp.py", line 756, in processArguments
    self.processWildcards(args[0])
  File "/home/dev/cog-example/.venv/lib64/python3.11/site-packages/cogapp/cogapp.py", line 721, in processWildcards
    self.processOneFile(sMatchingFile)
  File "/home/dev/cog-example/.venv/lib64/python3.11/site-packages/cogapp/cogapp.py", line 693, in processOneFile
    sNewText = self.processString(sOldText, fname=sFile)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/dev/cog-example/.venv/lib64/python3.11/site-packages/cogapp/cogapp.py", line 631, in processString
    self.processFile(fOld, fNew, fname=fname)
  File "/home/dev/cog-example/.venv/lib64/python3.11/site-packages/cogapp/cogapp.py", line 467, in processFile
    self.cogmodulename = 'cog_' + hashlib.md5(sFileOut.encode()).hexdigest()
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
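
The `usedforsecurity` argument mentioned in the report, applied to the kind of call on the failing line, as an added example that is not Cog's code or the reporter's. The helper names `fips_safe_digest`, `module_name_for` and `md5_blocked_by_default`, and the SHA-256 fallback, are assumptions made here; the keyword requires Python 3.9 or later.

```python
import hashlib


def fips_safe_digest(data: bytes, algorithms=("md5", "sha256")) -> tuple[str, str]:
    """Return (algorithm, hexdigest) for a value used only as an identifier.

    Each algorithm is requested with usedforsecurity=False, which marks the
    digest as non-cryptographic. Some builds still refuse MD5 (or lack it),
    so a ValueError moves on to the next algorithm in the list.
    """
    last_error = None
    for name in algorithms:
        try:
            h = hashlib.new(name, data, usedforsecurity=False)
        except ValueError as exc:  # e.g. "disabled for FIPS", unsupported type
            last_error = exc
            continue
        return name, h.hexdigest()
    raise RuntimeError(f"no usable digest among {algorithms!r}") from last_error


def module_name_for(path: str, algorithms=("md5", "sha256")) -> str:
    """Hypothetical helper: derive a stable 'cog_<hex>' name from a path."""
    _, digest = fips_safe_digest(path.encode(), algorithms)
    # Truncate so the name has the same length whichever algorithm was used.
    return "cog_" + digest[:32]


def md5_blocked_by_default() -> bool:
    """True when plain hashlib.md5() raises, as in the traceback above."""
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample path, not taken from the report.
    print("md5 blocked by default:", md5_blocked_by_default())
    print(module_name_for("cog-input"))
```

The name is only an identifier, so truncating a SHA-256 digest to 32 hex characters is acceptable here; it would not be for integrity or authentication uses.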