Enable FIPS compliance by calling blake2b with usedforsecurity=False #1307

Merged
merged 1 commit into from
Feb 19, 2025

@davemcphee davemcphee commented Feb 19, 2025

On FIPS-compliant systems, various nox-poetry functions generate a FIPS error, e.g.:

[2025-02-19T21:22:05.288Z] + poetry run nox -s unit cover
[2025-02-19T21:22:05.851Z] nox > Running session unit
[2025-02-19T21:22:05.851Z] nox > Creating virtual environment (virtualenv) using python in .nox/unit
[2025-02-19T21:22:06.415Z] nox > Session unit raised exception ValueError('[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS')
[2025-02-19T21:22:06.415Z] Traceback (most recent call last):
[2025-02-19T21:22:06.415Z]   File "/home/container_****/.cache/pypoetry/virtualenvs/boxtest2-jsg9YKC4-py3.11/lib/python3.11/site-packages/nox/sessions.py", line 1036, in execute
[2025-02-19T21:22:06.415Z]     self.func(session)
[2025-02-19T21:22:06.415Z]   File "/home/container_****/.cache/pypoetry/virtualenvs/boxtest2-jsg9YKC4-py3.11/lib/python3.11/site-packages/nox/_decorators.py", line 86, in __call__
[2025-02-19T21:22:06.415Z]     return self.func(*args, **kwargs)
[2025-02-19T21:22:06.415Z]            ^^^^^^^^^^^^^^^^^^^^^^^^^^
[2025-02-19T21:22:06.415Z]   File "/home/container_****/.cache/pypoetry/virtualenvs/boxtest2-jsg9YKC4-py3.11/lib/python3.11/site-packages/nox_poetry/sessions.py", line 43, in wrapper
[2025-02-19T21:22:06.415Z]     function(proxy, *_args, **_kwargs)
[2025-02-19T21:22:06.415Z]   File "/home/****/workspace/CNEA_boxtest2_PR-72/noxfile.py", line 81, in unit
[2025-02-19T21:22:06.415Z]     session.install(*UNIT_TEST_STANDARD_DEPENDENCIES)
[2025-02-19T21:22:06.415Z]   File "/home/container_****/.cache/pypoetry/virtualenvs/boxtest2-jsg9YKC4-py3.11/lib/python3.11/site-packages/nox_poetry/sessions.py", line 292, in install
[2025-02-19T21:22:06.415Z]     return self.poetry.install(*args, **kwargs)
[2025-02-19T21:22:06.415Z]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[2025-02-19T21:22:06.415Z]   File "/home/container_****/.cache/pypoetry/virtualenvs/boxtest2-jsg9YKC4-py3.11/lib/python3.11/site-packages/nox_poetry/sessions.py", line 147, in install
[2025-02-19T21:22:06.415Z]     requirements = self.export_requirements()
[2025-02-19T21:22:06.415Z]                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
[2025-02-19T21:22:06.415Z]   File "/home/container_****/.cache/pypoetry/virtualenvs/boxtest2-jsg9YKC4-py3.11/lib/python3.11/site-packages/nox_poetry/sessions.py", line 224, in export_requirements
[2025-02-19T21:22:06.415Z]     digest = hashlib.blake2b(lockdata).hexdigest()
[2025-02-19T21:22:06.415Z]              ^^^^^^^^^^^^^^^^^^^^^^^^^
[2025-02-19T21:22:06.415Z] ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

Calling hashlib's blake2b with usedforsecurity=False should resolve this for users running on FIPS-enabled systems.

fixes #1226
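An added example, not part of the pull request or of nox-poetry's code: a digest helper that passes `usedforsecurity=False` as the description proposes, plus a probe that reports which hashlib constructors the local build accepts with and without the flag. The helper and probe names and the sample lock data are hypothetical, and the example assumes the digest only detects changes in the lock file and is not a security control.

```python
import hashlib

# Constructed sample input standing in for the contents of a lock file.
SAMPLE_LOCKDATA = b'[[package]]\nname = "example"\nversion = "1.0.0"\n'


def nonsecurity_digest(data: bytes, algorithm: str = "blake2b") -> str:
    """Hex digest for a non-security purpose such as change detection."""
    constructor = getattr(hashlib, algorithm)
    try:
        # Python 3.9+: declares that this hash protects nothing, which lets
        # a FIPS-restricted OpenSSL build allow the call. The digest value
        # is the same as without the flag.
        return constructor(data, usedforsecurity=False).hexdigest()
    except TypeError:
        # Python < 3.9 constructors do not accept the keyword.
        return constructor(data).hexdigest()


def probe(algorithms=("blake2b", "md5", "sha256")):
    """Map each algorithm to whether it is usable by default and with the flag."""
    report = {}
    for name in algorithms:
        row = {}
        for label, kwargs in (
            ("default", {}),
            ("usedforsecurity_false", {"usedforsecurity": False}),
        ):
            try:
                getattr(hashlib, name)(b"probe", **kwargs)
                row[label] = True
            except (AttributeError, TypeError, ValueError):
                # ValueError is the "disabled for FIPS" case in the traceback;
                # TypeError means the keyword is unknown to this Python;
                # AttributeError means the build ships no such constructor.
                row[label] = False
        report[name] = row
    return report


if __name__ == "__main__":
    print(nonsecurity_digest(SAMPLE_LOCKDATA))
    for name, row in probe().items():
        print(name, row)
```

Running the probe inside the same container image as the CI job shows whether that build honours the flag before the job depends on it.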

@edgarrmondragon edgarrmondragon self-assigned this Feb 19, 2025
@edgarrmondragon edgarrmondragon mentioned this pull request Feb 19, 2025
@davemcphee
Contributor Author

Well THAT is the fastest turnaround I've ever witnessed, wow 🥇

Thank you, you've made our CI systems very happy!

@edgarrmondragon
Collaborator

> Well THAT is the fastest turnaround I've ever witnessed, wow 🥇
>
> Thank you, you've made our CI systems very happy!

Thanks, we'll work on making a release soon.

@edgarrmondragon edgarrmondragon merged commit 0cfe96a into cjolowicz:main Feb 19, 2025
20 checks passed

Successfully merging this pull request may close these issues.

export_requirements fails on FIPS-enabled systems