FIPS and MD5

Petr Menšík pemensik at redhat.com
Tue Feb 16 15:49:35 UTC 2021


It depends on what version we are talking about. I think the 9.16 version
should not need it anymore, because it can handle MD5 failure from the
openssl library. I used a downstream patch to emulate the compile-time disable
at runtime on RHEL.

I think it should be sufficient to disable it from configuration.
Would it work with:
disable-algorithms "." {
RSAMD5;
};

I am afraid my request was the reason behind the FIPS check inclusion, but I
commented those FIPS checks away from RHEL BIND 9.11, because they
didn't work for me. I used a downstream patch with an
isc_md5_available() function instead.

Can you specify at least the major version you are interested in?

Cheers,
Petr

On 2/11/21 10:25 AM, Josef Moellers wrote:
> Hi,
> 
> It appears that one can enable FIPS at runtime but then needs to switch
> off MD5 at compile-time.
> 
> 1) would it make sense to just not populate the
> dst_t_func[DST_ALG_HMACMD5] pointer when this happens?
> I.e. in dst__hmacmd5_init(), rather than abort ("FIPS mode is 1: MD5 is
> only supported if the value is 0.\nPlease disable either FIPS mode or
> MD5."), issue a warning ("FIPS mode is 1: MD5 is only supported if the
> value is 0.\nDisabling MD5 support." and set *funcp to NULL?
> 
> 2) If this would be acceptable, what function should we use to alert the
> user of this fact?
> 
> Thanks and stay safe!
> 
> Josef
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
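As an added illustration (not code from either poster and not BIND's own code), the checker below does at runtime what the thread discusses: it probes whether the crypto backend will still hand out MD5 (the role of the downstream isc_md5_available() mentioned above, here approximated with Python's hashlib, which raises ValueError under an OpenSSL FIPS provider), and it scans a named.conf fragment for the disable-algorithms "." { RSAMD5; }; block and for TSIG keys whose algorithm is HMAC-MD5, which are the keys that would stop working once MD5 is refused. The named.conf text, key names and secrets are constructed for the example; the regular expressions are a deliberately small subset of named.conf syntax, not a full parser.

```python
import hashlib
import re

# Constructed sample named.conf fragment for this example (not from the list post).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
};
disable-algorithms "." {
    RSAMD5;
};
key "legacy-tsig" {
    algorithm hmac-md5;
    secret "c2FtcGxlLXNlY3JldA==";
};
key "modern-tsig" {
    algorithm hmac-sha256;
    secret "YW5vdGhlci1zYW1wbGU=";
};
"""


def md5_available() -> bool:
    """Runtime probe in the spirit of the downstream isc_md5_available():
    ask the crypto backend for an MD5 context and report whether it refused.
    Under an OpenSSL FIPS provider hashlib.md5() raises ValueError."""
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return False
    return True


def disabled_algorithms(conf: str) -> dict:
    """Collect {name: {ALG, ...}} from every disable-algorithms block."""
    found = {}
    for m in re.finditer(r'disable-algorithms\s+"([^"]*)"\s*\{([^}]*)\}', conf):
        algs = {a.strip().upper() for a in m.group(2).split(";") if a.strip()}
        found.setdefault(m.group(1), set()).update(algs)
    return found


def md5_keys(conf: str) -> list:
    """Return the names of key statements whose algorithm is MD5-based."""
    names = []
    for m in re.finditer(r'key\s+"([^"]+)"\s*\{([^}]*)\}', conf):
        alg = re.search(r"algorithm\s+([\w-]+)\s*;", m.group(2))
        if alg and "md5" in alg.group(1).lower():
            names.append(m.group(1))
    return names


def fips_findings(conf: str, md5_ok: bool) -> list:
    """Produce the operator-facing findings for one configuration.

    md5_ok is the result of the runtime probe; it is passed in so that the
    FIPS case can be exercised on a host where MD5 is still available."""
    findings = []
    if "RSAMD5" not in disabled_algorithms(conf).get(".", set()):
        findings.append('RSAMD5 is not disabled for "."; add disable-algorithms "." { RSAMD5; };')
    for name in md5_keys(conf):
        if md5_ok:
            findings.append(f'key "{name}" uses HMAC-MD5; it will stop working once FIPS mode is enabled')
        else:
            findings.append(f'key "{name}" uses HMAC-MD5, which the crypto backend currently refuses')
    return findings


if __name__ == "__main__":
    ok = md5_available()
    print(f"MD5 available from the crypto backend: {ok}")
    for line in fips_findings(SAMPLE_NAMED_CONF, ok):
        print("-", line)
```

Run it on a FIPS-enabled host and on a normal one to see the two wordings; the configuration-level finding (the disable-algorithms block for ".") is independent of the runtime state, which is the point of Petr's suggestion to handle the problem in configuration rather than at compile time.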
