[Misc] Add backup hash algorithm for FIPS constrained environments

[geodavic]

There are many places where hashlib.md5 is used to compute hashes in configs. This algorithm isn't Federal Information Processing Standards (FIPS) compliant, and so the vLLM engine will fail to start inside environments where md5 is forcefully disabled.

Purpose

Add a backup hashing algorithm for environments where hashlib.md5 is disabled. These changes will still use md5 when it is available, ensuring no existing behavior is changed. But when it is not available, it will fall back to a FIPS compliant algorithm (sha256).

Test Plan

I spun up a server locally and performed inference

Test Result

---

Essential Elements of an Effective PR Description Checklist

• The purpose of the PR, such as "Fix some issue (link existing issues this PR will resolve)".
• The test plan, such as providing test command.
• The test results, such as pasting the results comparison before and after, or e2e results
• (Optional) The necessary documentation update, such as updating supported_models.md and examples for a new model.
• (Optional) Release notes update. If your change is user facing, please update the release notes draft in the Google Doc.

[gemini-code-assist]

Code Review

This pull request introduces a safe_hash utility to provide a fallback hashing mechanism for FIPS-constrained environments where md5 is disabled. The changes correctly replace hashlib.md5 with safe_hash across the codebase, ensuring that sha256 is used as a fallback. My review focuses on the implementation of safe_hash and its usage. I've identified one area for improvement in the safe_hash implementation to ensure consistency in parameter passing. Overall, this is a good change that improves compatibility in secure environments.

[geodavic]

@russellb This is a fresh PR with the DCO fixes (I botched the old one and force pushed, so had to create a new PR).
Old one with reviews here: #28477

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[heheda12345]

CC @russellb

[hmellor]

This is missing the hash_factors method in vllm/config/utils.py making this PR incomplete (#26468 merged while this was in review)

[geodavic]

@hmellor are you talking about this function? It's there

[hmellor]

I meant that it was not using safe_hash, but I see now that it is using sha256 which was not a problem anyway

Misunderstanding

[hmellor]

Docs failure is relevant WARNING - griffe: vllm/utils/hashing.py:76: No type or annotation for returned value 1

[geodavic]

@hmellor thanks!

[geodavic]

@russellb can I get one more stamp? Should go through now (finally)