From c830f5c56b90556d89c74730450f8ea99eebac30 Mon Sep 17 00:00:00 2001 From: Kyle Martin Date: Tue, 11 Feb 2025 17:57:54 -0700 Subject: [PATCH 1/2] remove md5 usage to prevent issues on FIPS enabled systems matplotlib#29603 --- lib/matplotlib/sphinxext/mathmpl.py | 2 +- lib/matplotlib/testing/compare.py | 12 +++++------- lib/matplotlib/texmanager.py | 2 +- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/lib/matplotlib/sphinxext/mathmpl.py b/lib/matplotlib/sphinxext/mathmpl.py index 3e0d562e2d15..b1dcfacc68de 100644 --- a/lib/matplotlib/sphinxext/mathmpl.py +++ b/lib/matplotlib/sphinxext/mathmpl.py @@ -146,7 +146,7 @@ def latex2html(node, source): fontset = node['fontset'] fontsize = node['fontsize'] name = 'math-{}'.format( - hashlib.md5(f'{latex}{fontset}{fontsize}'.encode()).hexdigest()[-10:]) + hashlib.sha256(f'{latex}{fontset}{fontsize}'.encode()).hexdigest()[-10:]) destdir = Path(setup.app.builder.outdir, '_images', 'mathmpl') destdir.mkdir(parents=True, exist_ok=True) diff --git a/lib/matplotlib/testing/compare.py b/lib/matplotlib/testing/compare.py index 455fde2394f7..4c08731b2b31 100644 --- a/lib/matplotlib/testing/compare.py +++ b/lib/matplotlib/testing/compare.py @@ -46,22 +46,20 @@ def get_cache_dir(): def get_file_hash(path, block_size=2 ** 20): - md5 = hashlib.md5() + sha256 = hashlib.sha256() with open(path, 'rb') as fd: while True: data = fd.read(block_size) if not data: break - md5.update(data) + sha256.update(data) if Path(path).suffix == '.pdf': - md5.update(str(mpl._get_executable_info("gs").version) - .encode('utf-8')) + sha256.update(str(mpl._get_executable_info("gs").version).encode('utf-8')) elif Path(path).suffix == '.svg': - md5.update(str(mpl._get_executable_info("inkscape").version) - .encode('utf-8')) + sha256.update(str(mpl._get_executable_info("inkscape").version).encode('utf-8')) - return md5.hexdigest() + return sha256.hexdigest() class _ConverterError(Exception): 
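Review bot: In `latex2html` (lib/matplotlib/sphinxext/mathmpl.py, first patch) the new `hashlib.sha256(...).hexdigest()[-10:]` still keeps only ten hex digits, so the name has the same 40-bit collision margin as before and the stronger digest does not make the `math-...` names any more unique. The three fields are also joined with no separator in `f'{latex}{fontset}{fontsize}'`, so in principle distinct inputs can produce the same string before hashing. A one-line comment such as `# Short, non-security digest used only to name the generated file.` would record the intent, and a separator between the fields is the cheap fix if uniqueness matters. The body of `latex2html` starts and ends outside the hunk.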
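Review bot: `get_file_hash` in lib/matplotlib/testing/compare.py has no docstring, and nothing on the new side says that the digest also folds in the Ghostscript or Inkscape version for `.pdf` and `.svg` paths. I would add `"""Return a SHA-256 hex digest of the file at *path*, mixed with the converter version for .pdf and .svg files."""`. Any value stored under the old MD5 digest will no longer match after this change, and whether stale entries are cleaned up is not visible in the hunk, so that is worth confirming. The local name `sha256` could become `hasher` so that a later algorithm change touches one line.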
diff --git a/lib/matplotlib/texmanager.py b/lib/matplotlib/texmanager.py index 03813249f61c..0f67bd8e7393 100644 --- a/lib/matplotlib/texmanager.py +++ b/lib/matplotlib/texmanager.py @@ -168,7 +168,7 @@ def get_basefile(cls, tex, fontsize, dpi=None): Return a filename based on a hash of the string, fontsize, and dpi. """ src = cls._get_tex_source(tex, fontsize) + str(dpi) - filehash = hashlib.md5(src.encode('utf-8')).hexdigest() + filehash = hashlib.sha256(src.encode('utf-8')).hexdigest() filepath = Path(cls._texcache) num_letters, num_levels = 2, 2 From 938ad62a583bccb71ffafad900687a53cce124e1 Mon Sep 17 00:00:00 2001 From: Kyle Martin Date: Tue, 11 Feb 2025 19:58:32 -0700 Subject: [PATCH 2/2] add in usedforsecurity=False to communicate that these hashing applications are not used for security-based purposes --- lib/matplotlib/sphinxext/mathmpl.py | 5 ++++- lib/matplotlib/testing/compare.py | 2 +- lib/matplotlib/texmanager.py | 5 ++++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/matplotlib/sphinxext/mathmpl.py b/lib/matplotlib/sphinxext/mathmpl.py index b1dcfacc68de..30f024524258 100644 --- a/lib/matplotlib/sphinxext/mathmpl.py +++ b/lib/matplotlib/sphinxext/mathmpl.py @@ -146,7 +146,10 @@ def latex2html(node, source): fontset = node['fontset'] fontsize = node['fontsize'] name = 'math-{}'.format( - hashlib.sha256(f'{latex}{fontset}{fontsize}'.encode()).hexdigest()[-10:]) + hashlib.sha256( + f'{latex}{fontset}{fontsize}'.encode(), + usedforsecurity=False, + ).hexdigest()[-10:]) destdir = Path(setup.app.builder.outdir, '_images', 'mathmpl') destdir.mkdir(parents=True, exist_ok=True) diff --git a/lib/matplotlib/testing/compare.py b/lib/matplotlib/testing/compare.py index 4c08731b2b31..67897e76edcb 100644 --- a/lib/matplotlib/testing/compare.py +++ b/lib/matplotlib/testing/compare.py 
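Review bot: In `get_basefile` (lib/matplotlib/texmanager.py, first patch) `hashlib.sha256(...).hexdigest()` returns 64 hex characters where the MD5 digest returned 32, so every name built from `filehash` under `cls._texcache` becomes 32 characters longer. Existing cache entries also stay behind under names that are never looked up again. If path length on the supported platforms is a concern, the digest can be shortened without hurting its use as a cache key, for example `filehash = hashlib.sha256(src.encode('utf-8')).hexdigest()[:32]`. The rest of the function, which presumably consumes `filehash` together with `num_letters` and `num_levels`, lies outside the hunk.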
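Review bot: The `usedforsecurity=False` keyword added to `hashlib.sha256(...)` in `latex2html` (and to `get_file_hash` and `get_basefile` in this second patch) is only accepted from Python 3.9 onwards. On an older interpreter the call raises `TypeError`, so this depends on the project's minimum supported version, which the patch does not show. SHA-256 is a FIPS-approved algorithm, so the flag is not what makes these calls work on FIPS-enabled systems; it only documents intent. A comment next to the call, e.g. `# Not a security boundary: the digest only names a generated file.`, would say the same to readers who do not know the keyword and would warn against reusing the value as an integrity check.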
@@ -46,7 +46,7 @@ def get_cache_dir(): def get_file_hash(path, block_size=2 ** 20): - sha256 = hashlib.sha256() + sha256 = hashlib.sha256(usedforsecurity=False) with open(path, 'rb') as fd: while True: data = fd.read(block_size) diff --git a/lib/matplotlib/texmanager.py b/lib/matplotlib/texmanager.py index 0f67bd8e7393..94fc94e9e840 100644 --- a/lib/matplotlib/texmanager.py +++ b/lib/matplotlib/texmanager.py @@ -168,7 +168,10 @@ def get_basefile(cls, tex, fontsize, dpi=None): Return a filename based on a hash of the string, fontsize, and dpi. """ src = cls._get_tex_source(tex, fontsize) + str(dpi) - filehash = hashlib.sha256(src.encode('utf-8')).hexdigest() + filehash = hashlib.sha256( + src.encode('utf-8'), + usedforsecurity=False + ).hexdigest() filepath = Path(cls._texcache) num_letters, num_levels = 2, 2
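Review bot: The wrapped call in `get_basefile` (lib/matplotlib/texmanager.py, second patch) ends with `usedforsecurity=False` and no trailing comma, while the equivalent call in `latex2html` in the same patch writes `usedforsecurity=False,`. Using the trailing comma here too keeps the call sites uniform and makes a later added argument a one-line diff.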