MD5 and FIPS

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Feb 1 20:20:28 UTC 2023


> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Sands, Daniel via openssl-users
> Sent: Wednesday, 1 February, 2023 12:51

> We use MD5 as a choice of file hashing.  The problem is that with FIPS enabled, the low-level routine doesn't
> just refuse, but it even calls OpenSSL's abort function, terminating the program with prejudice.  The EVP routine is
> more reasonable, simply refusing to provide MD5.  But as mentioned, I am not asking for MD5 as a cryptographic
> algorithm, but as a file hash.  OpenSSL does not provide a way to differentiate that, though.

I don't think FIPS 140-2 differentiates. You include MD5, you violate your FIPS 140 validation. It doesn't matter what you're using it for.

> Are there any workarounds to this, other than disabling FIPS or rolling my own?

If you want MD5, you might as well not use FIPS mode, because the validation no longer applies anyway. At least that's my understanding.

That said, if you really do need to implement MD5, there's reference C source in RFC 1321. It's trivial to extract and compile. Or use any of many other libraries, or run an MD5 utility (like md5sum) as an external process since you're hashing files -- just beware of command-injection attacks if the input pathname is tainted.

-- 
Michael Wojcik
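
Added example, not part of the original message: one way to run md5sum as an external process on a possibly tainted pathname without involving a shell. The function name `md5_file_external` is hypothetical, and the code assumes a POSIX system with md5sum on a trusted PATH.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hash `path` by running md5sum as a child process (hypothetical helper).
 * Writes 32 hex digits plus NUL to `out`; returns 0 on success, -1 on failure. */
int md5_file_external(const char *path, char out[33])
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        /* argv is passed to exec as-is: no shell ever parses the pathname, so
         * ';', '|', '$()' and spaces are just bytes in a file name. "--" ends
         * option parsing, so a name beginning with '-' is still a file.
         * Assumption: PATH is trusted; otherwise exec an absolute path. */
        char *const argv[] = { "md5sum", "--", (char *)path, NULL };
        execvp("md5sum", argv);
        _exit(127);
    }
    close(fds[1]);
    char buf[64], sink[256];
    size_t got = 0;
    ssize_t n;
    while (got < sizeof buf - 1 &&
           (n = read(fds[0], buf + got, sizeof buf - 1 - got)) > 0)
        got += (size_t)n;
    buf[got] = '\0';
    while (read(fds[0], sink, sizeof sink) > 0) { }  /* drain the file name */
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    /* GNU md5sum prefixes the line with '\' when the name needs escaping. */
    const char *p = (buf[0] == '\\') ? buf + 1 : buf;
    if (strspn(p, "0123456789abcdef") < 32) return -1;  /* not a digest */
    memcpy(out, p, 32);
    out[32] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    char hex[33];
    if (argc != 2 || md5_file_external(argv[1], hex) != 0) return 1;
    return puts(hex) < 0;
}
```

Building a command string for `system()` or `popen()` from the same pathname is where the injection risk mentioned above comes from, since those hand the string to `/bin/sh`.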

