flavorjones / mini_portile

mini_portile and mini_portile2 - Simple autoconf and cmake builder for developers
MIT License

configure.md5 hashing with MD5 is not FIPS compliant #78

Closed agelwarg closed 7 years ago

agelwarg commented 7 years ago

It looks like an MD5 digest is used in MiniPortile#configure and MiniPortile#configured?. It looks like security is not a concern given what it's used for. However, this will fail on an OS running in FIPS mode as MD5 is not an accepted digest algorithm. One option is to use a supported algorithm, such as Digest::SHA256, but that may not even be necessary as you might even be okay to use computed_options.to_s without hashing it. Thoughts?

For reference, the failure can be demonstrated on a FIPS-enabled system as follows:

```
irb(main):001:0> require 'digest/md5'
=> true
irb(main):002:0> Digest::MD5.hexdigest("anything")
md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
Aborted (core dumped)
```

agelwarg commented 7 years ago

One option using a SHA256: https://github.com/agelwarg/mini_portile/commit/399fefc35f357157c1e19682755137c3a447cd61

Another option not using any digest: https://github.com/agelwarg/mini_portile/commit/f41e42e5b1e7b90ce21a83576df58ef89f9aef0b
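
The two options proposed in this thread, sketched as an added example that is not part of the original issue and is not mini_portile's code: a configure-state stamp keyed either by a SHA-256 digest of the options or by the unhashed option string. The `ConfigureStamp` class, its file names and the sample options are hypothetical.

```ruby
require 'digest'
require 'tmpdir'

# Hypothetical stand-in for a recipe's configure-state cache; not mini_portile code.
class ConfigureStamp
  # digest: a Digest class (SHA-256 is FIPS-approved), or nil to store the
  # option string unhashed, so no digest algorithm is involved at all.
  def initialize(work_dir, digest: Digest::SHA256)
    @digest = digest
    ext = digest ? digest.name.split('::').last.downcase : 'opts'
    @path = File.join(work_dir, "configure.#{ext}") # assumed file name
  end

  attr_reader :path

  # Value written to the stamp file for a given set of configure options.
  def fingerprint(options)
    text = options.to_s
    @digest ? @digest.hexdigest(text) : text
  end

  def record(options)
    File.write(@path, fingerprint(options))
  end

  # True only when a stamp exists and matches the current options exactly.
  def configured?(options)
    File.exist?(@path) && File.read(@path) == fingerprint(options)
  end
end

# Runs one check/record/recheck cycle in a throwaway directory.
def stamp_demo(digest)
  Dir.mktmpdir do |dir|
    stamp = ConfigureStamp.new(dir, digest: digest)
    opts = ['--disable-shared', '--prefix=/opt/example'] # constructed sample
    before = stamp.configured?(opts)
    stamp.record(opts)
    [before, stamp.configured?(opts), stamp.configured?(opts + ['--enable-static'])]
  end
end

if $PROGRAM_NAME == __FILE__
  p stamp_demo(Digest::SHA256) # SHA-256 variant
  p stamp_demo(nil)            # no-digest variant
end
```

Both variants report an unconfigured tree first, a match after recording, and a mismatch once the options change, which is all the stamp is needed for.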