sqlalchemy: Errors from use of hashlib.md5 for truncated names on FIPS-enabled systems

Describe the bug

On systems (RHEL) where FIPS is enabled, the md5 is disabled in openssl and calls to hashlib.md5() in python will fail with an error like:

# SNIP
|   File "/opt/app-root/lib64/python3.11/site-packages/sqlalchemy/sql/compiler.py", line 7507, in _truncate_and_render_maxlen_name
|     name = name[0 : max_ - 8] + "_" + util.md5_hex(name)[-4:]
|                                       ^^^^^^^^^^^^^^^^^^
|   File "/opt/app-root/lib64/python3.11/site-packages/sqlalchemy/util/langhelpers.py", line 90, in md5_hex
|     m = hashlib.md5()
|         ^^^^^^^^^^^^^
| ValueError: [digital envelope routines] unsupported
|
| Application startup failed. Exiting.
| Server stopped!

As mentioned in the docs, for newer versions of python (3.9+) there is a usedforsecurity flag that can be set to False to avoid this error.

Optional link from https://docs.sqlalchemy.org which documents the behavior that is expected

No response

SQLAlchemy Version in Use

2.0.15

DBAPI (i.e. the database driver)

psycopg2

Database Vendor and Major Version

Postgresql 15

Python Version

3.11

Operating system

Linux, OSX

To Reproduce

# Create table with a constraint name or column name that exceeds a maximum length.

class MyModel(DeclarativeBase):
    __tablename__ = "mytable"

    id: Mapped[int] = mapped_column(primary_key=True)
    very_very_very_very_very_very_very_very_very_very_long_name: Mapped[str]
#   0123456789012345678901234567890123456789012345678901234567890123456789
#   1         2         3         4         5         6         7

Error

# SNIP
|   File "/opt/app-root/lib64/python3.11/site-packages/sqlalchemy/sql/compiler.py", line 7507, in _truncate_and_render_maxlen_name
|     name = name[0 : max_ - 8] + "_" + util.md5_hex(name)[-4:]
|                                       ^^^^^^^^^^^^^^^^^^
|   File "/opt/app-root/lib64/python3.11/site-packages/sqlalchemy/util/langhelpers.py", line 90, in md5_hex
|     m = hashlib.md5()
|         ^^^^^^^^^^^^^
| ValueError: [digital envelope routines] unsupported
|
| Application startup failed. Exiting.
| Server stopped!

Additional context

No response

About this issue

Original URL
State: closed
Created 10 months ago
Comments: 16 (12 by maintainers)

Commits related to this issue

qualify hashlib.md5() with usedforsecurity=False Qualified the use of ``hashlib.md5()`` within the DDL compiler, which is used to generate deterministic four-character suffixes for long index and con... — committed to lelit/sqlalchemy by zzzeek 10 months ago

Most upvoted comments

it’s checked into main now so if you want to install from github you can try that. otherwise it will go out in 2.0.21

zzzeek on Sep 14, 2023

you can get a tar.gz of the whole dist from that gerrit link https://gerrit.sqlalchemy.org/changes/sqlalchemy%2Fsqlalchemy~4884/revisions/1/archive?format=tgz

zzzeek on Sep 12, 2023

OK, will add a compat function, thanks

zzzeek on Sep 12, 2023