squid md5 and fips mode

From: Paul Wouters <pwouters_at_redhat.com>
Date: Mon, 18 Jun 2012 17:10:59 -0400 (EDT)

Hi,

I have been looking at FIPS issues with squid in both RHEL5 and RHEL6.

In fips mode, MD5 is not allowed for securing web traffic (with some TLS
exceptions) nor user authentication. It is allowed for other things,
such as hashes for disk objects.

The problem in older versions of squid was that the cache object code
used md5, and since openssl did not allow it, it would die. This was
fixed with a patch by using the squid built-in md5 functions for the
cache object hashes. See https://bugzilla.redhat.com/show_bug.cgi?id=705097

Now for recent versions of squid, I have the reverse problem. The
openssl md5 code is never used, so I had to patch it back to using
openssl with the exception for the cache object id where I used private_MD5_Init().

It basically undoes most of these commits:

- Changing 'xMD5' function name to 'SquidMD5'
- Changing 'MD5_CTX' typedef to 'SquidMD5_CTX'
- Changing 'MD5_DIGEST_CHARS' define to 'SQUID_MD5_DIGEST_LENGTH'
- Changing 'MD5_DIGEST_LENGTH' define to 'SQUID_MD5_DIGEST_LENGTH'
- Removing messy #ifdef logic in include/md5.h that tries to use
   the system libraries if available. We'll always use the Squid MD5
   routines.

My request is to basically undo this change, and to use openssl again
where possible, so that fips enforcement does not fail with the custom
crypto code that goes undetected. A rough patch (that does not take
into account systems with no crypt()) is attached at:

https://bugzilla.redhat.com/show_bug.cgi?id=833086

Thanks,

Paul
Received on Tue Jun 19 2012 - 08:45:29 MDT
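
An added example, not part of the original message or of the Squid code base: a small audit pass that lists source files where MD5 runs outside OpenSSL, which is where FIPS enforcement cannot see it. The sample paths and the function names built from the 'SquidMD5' and 'xMD5' prefixes are constructed for illustration; each hit still needs a human decision on whether it is an allowed use such as cache object hashes.

```python
import re

# First constant of MD5's sine table (RFC 1321). MD4 and SHA-1 share MD5's
# initial state words but not this value, so it marks an embedded MD5 transform.
MD5_T1 = re.compile(r"0xd76aa478", re.I)
# Prefixes of the private MD5 API as named in the post.
PRIVATE_CALL = re.compile(r"\b((?:SquidMD5|xMD5)\w*)\s*\(")
# OpenSSL entry points; \b means private_MD5_Init is not counted as MD5_Init.
OPENSSL_CALL = re.compile(r"\b(MD5_(?:Init|Update|Final)|EVP_md5)\s*\(")
# Naive comment stripper: adequate for an audit pass, not a C parser.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

# Constructed sample input: paths and bodies are illustrative, not real Squid code.
SAMPLE = {
    "lib/md5.c": "void SquidMD5Transform(uint32_t s[4]) {\n"
                 "  /* round 1 */\n"
                 "  STEP(F, a, b, c, d, 0, 0xd76aa478, 7);\n}\n",
    "src/store_key.c": "SquidMD5Init(&M);\nSquidMD5Update(&M, url, len);\n",
    "src/auth_digest.c": "// was: xMD5Init(&ctx);\n"
                         "MD5_Init(&ctx);\nMD5_Update(&ctx, pw, n);\n",
}


def audit(sources):
    """Map each path to what kind of MD5 usage its source text shows."""
    report = {}
    for path, text in sources.items():
        code = COMMENT.sub("", text)  # ignore commented-out calls
        report[path] = {
            "bundled_md5": bool(MD5_T1.search(code)),
            "private_calls": sorted(set(PRIVATE_CALL.findall(code))),
            "openssl_calls": sorted(set(OPENSSL_CALL.findall(code))),
        }
    return report


def fips_blind_spots(report):
    """Paths whose MD5 never reaches OpenSSL, so FIPS mode cannot veto it."""
    return sorted(p for p, f in report.items()
                  if f["bundled_md5"] or f["private_calls"])


if __name__ == "__main__":
    for path in fips_blind_spots(audit(SAMPLE)):
        print("MD5 outside OpenSSL:", path)
```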
