Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

configure.md5 hashing with MD5 is not FIPS compliant #78

Closed
agelwarg opened this issue Apr 4, 2017 · 1 comment
Closed

configure.md5 hashing with MD5 is not FIPS compliant #78

agelwarg opened this issue Apr 4, 2017 · 1 comment

Comments

@agelwarg
Copy link

agelwarg commented Apr 4, 2017

It looks like an MD5 digest is used in MiniPortile#configure and MiniPortile#configured?. It looks like security is not a concern given what it's used for. However, this will fail on an OS running in FIPS mode as MD5 is not an accepted digest algorithm. One option is to use a supported algorithm, such as Digest::SHA256, but that may not even be necessary as you might even be okay to use computed_options.to_s without hashing it. Thoughts?

For reference, the failure can be demonstrated on a FIPS-enabled system as follows:

irb(main):001:0> require 'digest/md5'
=> true
irb(main):002:0> Digest::MD5.hexdigest("anything")
md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Aborted (core dumped)
@agelwarg agelwarg mentioned this issue Apr 4, 2017
Closed
@agelwarg
Copy link
Author

agelwarg commented Apr 4, 2017
edited
Loading

One option using a SHA256:
agelwarg@399fefc

Another option not using any digest:
agelwarg@f41e42e

larskanis added a commit to larskanis/mini_portile that referenced this issue May 31, 2017
@larskanis
Remove MD5 for configure options hashing - it's unnecessary.
d7353da 
MD5 is no longer available in environments with strict security settings
especially when running in FIPS mode.

Fixes flavorjones#78
larskanis added a commit to larskanis/mini_portile that referenced this issue May 31, 2017
@larskanis
Remove MD5 for configure options hashing - it's unnecessary.
b07da60 
MD5 is no longer available in environments with strict security settings
especially when running in FIPS mode.

Fixes flavorjones#78
larskanis added a commit to larskanis/mini_portile that referenced this issue May 31, 2017
@larskanis
Remove MD5 for configure options hashing - it's unnecessary.
c8689f9 
MD5 is no longer available in environments with strict security settings
especially when running in FIPS mode.

Fixes flavorjones#78
@larskanis larskanis mentioned this issue May 31, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@agelwarg