We use MD5 as a choice of file hashing. The problem is, that with FIPS enabled, the low-level routine doesn’t just refuse, but it even calls OpenSSL’s abort function, terminating the program with prejudice. The EVP routine is more reasonable, simply refusing to provide MD5. But as mentioned, I am not asking for MD5 as a cryptographic algorithm, but as a file hash. OpenSSL does not provide a way to differentiate that, though.
It seems to me that it would be better if OpenSSL refused at a higher level such as when asking for an HMAC or TLS suite. If I want MD5 for digesting a file, it would be nice if OpenSSL didn’t refuse it.
Are there any workarounds to this, other than disabling FIPS or rolling my own?
Check out the recent vulnerability the NSA discovered in Microsoft CAPI, the attack uses an MD5 collision to introduce corrupted data into a cache.
This is the correct behavior and it is specified for good reason. If there is a FIPS requirement, it very likely prohibits MD5.
This is one of the many reasons we try to eliminate use of MD5 in specifications.
On Wed, Feb 1, 2023 at 2:51 PM Sands, Daniel via openssl-users <openssl-users@xxxxxxxxxxx> wrote: