MD5 and FIPS

Dr Paul Dale pauli at openssl.org
Wed Feb 1 21:32:53 UTC 2023


If you are using OpenSSL 1.0.2 and the old FOM, you're out of luck.

If you are using OpenSSL 3.0 with the FIPS provider, you can still 
access MD5 by loading appropriate providers and specifying a property 
query.  See the migration or FIPS guides.


FIPS does permit non-cryptographic use of non-validated algorithms under 
some circumstances.  I suggest discussing the details with your FIPS 
lab.  Like most things FIPS: it's murky, nuanced and awash with pitfalls.


Pauli

On 2/2/23 07:20, Michael Wojcik via openssl-users wrote:
>> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Sands, Daniel via openssl-users
>> Sent: Wednesday, 1 February, 2023 12:51
>> We use MD5 as a choice of file hashing.  The problem is that with FIPS enabled, the low-level routine doesn't
>> just refuse, but it even calls OpenSSL's abort function, terminating the program with prejudice.  The EVP routine is
>> more reasonable, simply refusing to provide MD5.  But as mentioned, I am not asking for MD5 as a cryptographic
>> algorithm, but as a file hash.  OpenSSL does not provide a way to differentiate that, though.
> I don't think FIPS 140-2 differentiates. You include MD5, you violate your FIPS 140 validation. It doesn't matter what you're using it for.
>
>> Are there any workarounds to this, other than disabling FIPS or rolling my own?
> If you want MD5, you might as well not use FIPS mode, because the validation no longer applies anyway. At least that's my understanding.
>
> That said, if you really do need to implement MD5, there's reference C source in RFC 1321. It's trivial to extract and compile. Or use any of many other libraries, or run an MD5 utility (like md5sum) as an external process since you're hashing files -- just beware of command-injection attacks if the input pathname is tainted.
>
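The two routes discussed above, declaring MD5 as a non-security use so OpenSSL 3 can serve it from a non-FIPS provider, and running md5sum as a separate process without exposing the pathname to a shell, as an added example. This is illustrative code written for this archive page, not code from either poster or from the OpenSSL project. It uses Python's hashlib rather than the C API: `hashlib.md5(usedforsecurity=False)` (Python 3.9+) is the application-level way to express the "non-cryptographic use" Pauli describes, and my understanding (an assumption, not verified here) is that CPython implements it on OpenSSL 3 by fetching the digest with a property query that excludes the FIPS provider. The file content is constructed inline; the `md5sum` fallback assumes that utility is on PATH.

```python
import hashlib
import os
import subprocess
import tempfile


def md5_file_digest(path, chunk_size=1 << 16):
    """Hex MD5 of a file, declared as non-security use.

    usedforsecurity=False tells hashlib that MD5 is not being used for a
    security purpose.  On a FIPS-configured OpenSSL 3 build this is what
    allows the digest to be served by a non-FIPS provider.  If the build
    still refuses MD5, the EVP path raises ValueError here rather than
    aborting the process, so the caller can choose a fallback.
    """
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def md5_file_external(path):
    """Fallback: run md5sum as a separate process, as the thread suggests.

    The path travels as one argv element with no shell involved, so a
    tainted pathname cannot inject shell metacharacters.  The '--' stops
    a name starting with '-' from being parsed as an md5sum option.
    Assumes md5sum is installed and on PATH.
    """
    result = subprocess.run(
        ["md5sum", "--", path], capture_output=True, check=True, text=True
    )
    return result.stdout.split()[0]


def file_checksum(path):
    """Prefer the in-process digest; fall back to md5sum only if refused."""
    try:
        return md5_file_digest(path)
    except ValueError:
        # OpenSSL refused MD5 even for non-security use (e.g. no
        # non-FIPS provider loaded); hash out of process instead.
        return md5_file_external(path)


def demo():
    """Hash a constructed temp file containing b'abc' (RFC 1321 test vector)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
        name = tmp.name
    try:
        return md5_file_digest(name)
    finally:
        os.unlink(name)


if __name__ == "__main__":
    print(demo())
```

Whether the non-security fetch actually succeeds depends on which providers are loaded and on the property query in effect; with only the FIPS provider loaded, `md5_file_digest` raises ValueError and `file_checksum` drops to the external md5sum path, which is outside the validated module entirely.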


