FIPS and MD5

Josef Moellers jmoellers at suse.de
Tue Feb 16 16:01:55 UTC 2021


Hello Petr,

Thanks.

On 16.02.21 16:49, Petr Menšík wrote:
> It depends on what version we are talking about. I think the 9.16 version
> should not need it anymore, because it can handle MD5 failure from the
> openssl library. I used a downstream patch to emulate the compile-time
> disable at runtime on RHEL.

As I wrote, I was thinking about just not populating the function
pointer in the case of a collision.

> I think it should be sufficient to disable it from configuration.
> Would it work with:
> disable-algorithms "." {
> RSAMD5;
> };

I'll try that.

> I am afraid my request was the reason behind the FIPS check inclusion, but I
> commented those FIPS checks out of RHEL BIND 9.11, because they
> didn't work for me. I used a downstream patch with the
> isc_md5_available() function instead.
> 
> Can you specify at least major version, about which are you interested?

It's a tad older: 9.11.22

Take care,

Josef
> On 2/11/21 10:25 AM, Josef Moellers wrote:
>> Hi,
>>
>> It appears that one can enable FIPS at runtime but then needs to switch
>> off MD5 at compile-time.
>>
>> 1) would it make sense to just not populate the
>> dst_t_func[DST_ALG_HMACMD5] pointer when this happens?
>> I.e. in dst__hmacmd5_init(), rather than abort ("FIPS mode is 1: MD5 is
>> only supported if the value is 0.\nPlease disable either FIPS mode or
>> MD5."), issue a warning ("FIPS mode is 1: MD5 is only supported if the
>> value is 0.\nDisabling MD5 support.") and set *funcp to NULL?
>>
>> 2) If this would be acceptable, what function should we use to alert the
>> user of this fact?
>>
>> Thanks and stay safe!
>>
>> Josef
>>


-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
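The proposal in the quoted message above (leave the dst_t_func slot NULL and warn instead of aborting), worked through as an added C example; this is not BIND's code: the table, the dst_func_t struct and the algorithm numbers are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for BIND's dst_t_func[] table and algorithm ids;
 * the struct and names are illustrative, not BIND's real definitions. */
#define ALG_MAX 256
enum { ALG_RSASHA256 = 8, ALG_HMACMD5 = 157 };

typedef struct {
    const char *name;
    unsigned digest_bytes;
} dst_func_t;

static dst_func_t rsasha256_funcs = { "RSASHA256", 32 };
static dst_func_t hmacmd5_funcs   = { "HMAC-MD5", 16 };

static dst_func_t *dst_t_func[ALG_MAX];

/* What the thread proposes for dst__hmacmd5_init(): when FIPS mode is on,
 * warn and leave *funcp NULL instead of aborting the whole process.
 * Returns 1 when MD5 was disabled, 0 when it was registered. */
int hmacmd5_init(dst_func_t **funcp, int fips_mode) {
    if (fips_mode) {
        fprintf(stderr, "FIPS mode is 1: MD5 is only supported if the value "
                        "is 0.\nDisabling MD5 support.\n");
        *funcp = NULL;
        return 1;
    }
    *funcp = &hmacmd5_funcs;
    return 0;
}

/* Populate the table; algorithms unavailable under the current policy
 * simply stay NULL. */
void dst_init(int fips_mode) {
    memset(dst_t_func, 0, sizeof(dst_t_func));
    dst_t_func[ALG_RSASHA256] = &rsasha256_funcs;
    hmacmd5_init(&dst_t_func[ALG_HMACMD5], fips_mode);
}

/* Callers (key loading, TSIG verification) consult the slot: a NULL entry
 * means "algorithm not supported", a per-key error rather than a crash. */
int dst_algorithm_supported(int alg) {
    return alg >= 0 && alg < ALG_MAX && dst_t_func[alg] != NULL;
}

int main(void) {
    dst_init(1);   /* FIPS on: HMAC-MD5 slot stays empty, server keeps running */
    printf("HMAC-MD5 usable: %d\n", dst_algorithm_supported(ALG_HMACMD5));
    return 0;
}
```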
