From 8c709de12010929307060628a450741e1263e8e5 Mon Sep 17 00:00:00 2001
From: Matthew Vine <32849887+MattTheCuber@users.noreply.github.com>
Date: Wed, 24 Apr 2024 23:10:30 -0400
Subject: [PATCH] Fix download failing on FIPS machines (#7698)

### Description
This PR fixes downloads failing on FIPS enabled machines due to insecure
MD5 hashing. The two solutions are to disable MD5 hashing (SHA1 is
allowed and faster), or use the `usedforsecurity=False` flag. This PR
uses the second method. However, the `usedforsecurity` flag only works
for Python 3.9 and later (which was accounted for). Let me know if you
have a better implementation to solve this issue.

The error thrown on FIPS enabled machine is:
```ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS```

### Types of changes
<!--- Put an `x` in all the boxes that apply, and remove the not applicable items -->
- [x] Non-breaking change (fix or new feature that would not break existing functionality).
- [ ] Breaking change (fix or new feature that would cause existing functionality to change).
- [ ] New tests added to cover the changes.
- [ ] Integration tests passed locally by running `./runtests.sh -f -u --net --coverage`.
- [ ] Quick tests passed locally by running `./runtests.sh --quick --unittests  --disttests`.
- [ ] In-line docstrings updated.
- [ ] Documentation updated, tested `make html` command in the `docs/` folder.

---------

Signed-off-by: Matthew Vine <32849887+MattTheCuber@users.noreply.github.com>
Co-authored-by: Eric Kerfoot <17726042+ericspod@users.noreply.github.com>
Co-authored-by: YunLiu <55491388+KumoLiu@users.noreply.github.com>
---
 monai/apps/utils.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/monai/apps/utils.py b/monai/apps/utils.py
index db541923b5..0c998146a3 100644
--- a/monai/apps/utils.py
+++ b/monai/apps/utils.py
@@ -135,7 +135,12 @@ def check_hash(filepath: PathLike, val: str | None = None, hash_type: str = "md5
         logger.info(f"Expected {hash_type} is None, skip {hash_type} check for file {filepath}.")
         return True
     actual_hash_func = look_up_option(hash_type.lower(), SUPPORTED_HASH_TYPES)
-    actual_hash = actual_hash_func()
+
+    if sys.version_info >= (3, 9):
+        actual_hash = actual_hash_func(usedforsecurity=False)  # allows checks on FIPS enabled machines
+    else:
+        actual_hash = actual_hash_func()
+
     try:
         with open(filepath, "rb") as f:
             for chunk in iter(lambda: f.read(1024 * 1024), b""):