https://issues.apache.org/bugzilla/show_bug.cgi?id=54468
Bug ID: 54468
Summary: Restore FIPS operation when compiled against OpenSSL 1.0.1c
Product: Tomcat Native
Version: 1.1.24
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Library
Assignee: dev@tomcat.apache.org
Reporter: wr...@apache.org
Classification: Unclassified

Created attachment 29882
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29882&action=edit
Patch to replace MD5 with an EVP implementation of SHA1

OpenSSL 1.0.1c strongly deprecated direct access to low level MD5/SHA hash functions when running in FIPS mode, in favor of the EVP API. tcnative cannot toggle FIPS mode when combined with this version, and must be ported to the higher-level EVP digest API.

Since it is entirely reasonable to drop MD5 altogether from an OpenSSL build, while I was patching this to use the EVP API for this ***non-cryptographic*** hash application (associating an SSL session key with an explicit host:port, in a fixed length key), I made the shift from MD5 to SHA1, as it should be expected to survive for a longer period of time than MD5.

Another alternative would be to hash with an even longer key, then fold segments of the hash with an xor into a smaller result size. The only collisions to be avoided are each of the virtual host name:port combinations sharing the same session cache. But I saved that as an exercise for another day.

It turned out that SSL_vhost_algo_id() was unused; that implementation did not even match the implementation represented by the in-line code, and it seemed more productive to simply drop this stub entirely.
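
The alternative mentioned in the report (hash with a longer digest, then XOR-fold segments into a smaller fixed size), sketched as an added example; it is not code from the attached patch or from tcnative, and it is written in Python rather than tcnative's C. The function names, the choice of SHA-256, the 16-byte result size (the length of the MD5 digest being replaced) and the sample vhosts are assumptions.

```python
import hashlib


def fold_xor(digest: bytes, size: int) -> bytes:
    """XOR consecutive size-byte segments of digest into one size-byte value."""
    if size <= 0 or len(digest) % size:
        raise ValueError("digest length must be a positive multiple of size")
    out = bytearray(size)
    for start in range(0, len(digest), size):
        for i in range(size):
            out[i] ^= digest[start + i]
    return bytes(out)


def vhost_context_id(host: str, port: int, size: int = 16) -> bytes:
    """Fixed-length, non-cryptographic identifier for one host:port."""
    key = f"{host}:{port}".encode("utf-8")
    # SHA-256 is an assumption; any digest longer than `size` folds the same way.
    return fold_xor(hashlib.sha256(key).digest(), size)


def build_context_ids(vhosts, size: int = 16) -> dict:
    """Map each (host, port) to its id; refuse a set where two vhosts collide."""
    owner = {}  # id -> first (host, port) that produced it
    ids = {}
    for host, port in vhosts:
        cid = vhost_context_id(host, port, size)
        first = owner.setdefault(cid, (host, port))
        if first != (host, port):
            # Two different vhosts would share one session cache key.
            raise ValueError(f"{host}:{port} collides with {first[0]}:{first[1]}")
        ids[(host, port)] = cid
    return ids


# Constructed sample configuration (hypothetical hosts).
SAMPLE_VHOSTS = [
    ("www.example.test", 443),
    ("www.example.test", 8443),
    ("api.example.test", 443),
]

if __name__ == "__main__":
    for (host, port), cid in build_context_ids(SAMPLE_VHOSTS).items():
        print(f"{host}:{port} -> {cid.hex()}")
```

The collision check runs once over the configured vhosts, which is the only set of inputs the report says must stay distinct.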