Re: MD5 and FIPS



If you are using OpenSSL 1.0.2 and the old FOM, you're out of luck.

If you are using OpenSSL 3.0 with the FIPS provider, you can still access MD5 by loading appropriate providers and specifying a property query.  See the migration or FIPS guides.

FIPS does permit non-cryptographic use of non-validated algorithms under some circumstances.  I suggest discussing the details with your FIPS lab.  Like most things FIPS: it's murky, nuanced and awash with pitfalls.


On 2/2/23 07:20, Michael Wojcik via openssl-users wrote:
>> From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Sands, Daniel via openssl-users
>> Sent: Wednesday, 1 February, 2023 12:51
>>
>> We use MD5 as a choice of file hashing.  The problem is, that with FIPS enabled, the low-level routine doesn't
>> just refuse, but it even calls OpenSSL's abort function, terminating the program with prejudice.  The EVP routine is
>> more reasonable, simply refusing to provide MD5.  But as mentioned, I am not asking for MD5 as a cryptographic
>> algorithm, but as a file hash.  OpenSSL does not provide a way to differentiate that, though.
>
> I don't think FIPS 140-2 differentiates. You include MD5, you violate your FIPS 140 validation. It doesn't matter what you're using it for.
>
>> Are there any workarounds to this, other than disabling FIPS or rolling my own?
>
> If you want MD5, you might as well not use FIPS mode, because the validation no longer applies anyway. At least that's my understanding.
>
> That said, if you really do need to implement MD5, there's reference C source in RFC 1321. It's trivial to extract and compile. Or use any of many other libraries, or run an MD5 utility (like md5sum) as an external process since you're hashing files -- just beware of command-injection attacks if the input pathname is tainted.
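
The command-injection caveat in the quoted message, as an added example (not code from the thread or from OpenSSL): md5sum is started with fork/exec rather than system() or popen(), so a tainted pathname reaches it as a single argument and is never parsed by a shell. The function name md5_file_external is hypothetical, and the code assumes a GNU coreutils md5sum on PATH.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example. Writes 32 hex digits plus NUL to `out`; returns 0 on
 * success, -1 on any failure. Assumption: md5sum (coreutils) is on PATH. */
int md5_file_external(const char *path, char out[33])
{
    int fds[2], status;
    char buf[64], sink[256];
    size_t n = 0; ssize_t r;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* Child: the pathname is one argv element, so ; | $() and spaces
         * are never parsed; "--" keeps a leading '-' from being an option. */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp("md5sum", "md5sum", "--", path, (char *)NULL);
        _exit(127); /* exec failed */
    }
    close(fds[1]);
    while (n < sizeof buf - 1 &&
           (r = read(fds[0], buf + n, sizeof buf - 1 - n)) > 0)
        n += (size_t)r;
    while (read(fds[0], sink, sizeof sink) > 0) { } /* drain the file name */
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    buf[n] = '\0';
    const char *p = (buf[0] == '\\') ? buf + 1 : buf; /* escaped-name marker */
    if (strlen(p) < 32) return -1;
    for (int i = 0; i < 32; i++) {
        if (!isxdigit((unsigned char)p[i])) return -1;
        out[i] = p[i];
    }
    out[32] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    char hex[33];
    if (argc != 2 || md5_file_external(argv[1], hex) != 0) return 1;
    return puts(hex) < 0;
}
```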
