ckepper
commented
6 years ago Which hashing algorithms would be FIPS compliant?
Closed jamal22066 closed 6 years ago
ckepper
commented
6 years ago Which hashing algorithms would be FIPS compliant?
jamal22066
commented
6 years ago It can be found here under 'Approved security functions':
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf
jamal22066
commented
6 years ago I was able to resolve his issue by adjusting the code to use sha-512 instead of the FIPS incompatible MD5 hash.
ckepper
commented
6 years ago Would you mind posting your solution as a pull request?
jamal22066
commented
6 years ago I have created a fork called jamal22066-FIPS-compatability
v0lk3r
commented
6 years ago I just committed https://github.com/pediapress/mwlib/commit/73b3ad7298092ec456f1ec7d48436a4a6d2cadf8 That replaces all md5 hashes with sha1. I choose sha1 instead of sha256 since it's on the FIPS list and it's 40 bytes instead of 64 (where md5 is 32). Since we're not using the hashes for any security related features the weakness of sha1 doesn't matter
jamal22066
commented
6 years ago Thank You
The following error occurs when FIPS mode on RHEL 7 is enabled:
Traceback (most recent call last): File "/usr/bin/bottle.py", line 862, in _handle return route.call(*args) File "/usr/bin/bottle.py", line 1740, in wrapper rv = callback(a, **ka) File "/usr/lib64/python2.7/site-packages/mwlib/nserve.py", line 171, in dispatch_command return Application().dispatch(request) File "/usr/lib64/python2.7/site-packages/mwlib/nserve.py", line 220, in dispatch collection_id = self.new_collection(request.params) File "/usr/lib64/python2.7/site-packages/mwlib/nserve.py", line 263, in new_collection collection_id = make_collection_id(post_data) File "/usr/lib64/python2.7/site-packages/mwlib/nserve.py", line 79, in make_collection_id sio.write(calc_checksum(mbobj)) File "/usr/lib64/python2.7/site-packages/mwlib/metabook.py", line 211, in calc_checksum return md5(metabook.dumps()).hexdigest() ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
This is happening because MD5 is not allowed if the server is to be FIPS compliant. Line 211 of metabook.py is:
def calc_checksum(metabook): return md5(metabook.dumps()).hexdigest()
More on FIPS:
https://en.wikipedia.org/wiki/FIPS_140-2
How difficult would it be to move away from MD5 to a FIPS complaint hash? Mediawiki is used by many government agencies and MWLIB was a key component until FIPS was enabled on the server :(