pkgsrc-Users archive

Re: llvm build fail when Linux kernel/openssl in FIPS 140-2 compliance mode

I would probably blame the language invoked in implementing the
directive. Most of the time, the STIG just flat out says "The system
is not configured to use FIPS compliant Algorithms for Encryption,
Hashing, and Signing" and the audit tools use this verbatim. For
example, at the kernel level itself, if you're running a standard grub
setup like the one that RedHat-derived distributions provide, and you
don't ensure every kernel line (including the old ones) in the grub
menu specifies the FIPS flag, the audit tool will generate a finding
(i.e. fail you), even if you never plan to boot into them after

So in the case of OpenSSL, it doesn't know the context of why you're
calling md5 digest, and most of the time the STIG doesn't really care,
so by default it will ban any invocation.

There should be a way to bypass md5 in a build script though; 99% of
cases sha256 is available. At least we're only talking about builds
here. Could be worse:

On Mon, Jun 28, 2021 at 5:48 PM Joerg Sonnenberger <> wrote:
> On Mon, Jun 28, 2021 at 11:26:55AM -0400, Peter Lai wrote:
> > Can someone point me to the appropriate upstream forum to resolve llvm
> > not building when OpenSSL is in FIPS mode? The build script attempts
> > to invoke md5 function which is linked to OpenSSL on Linux and that is
> > not a FIPS 140-2 certified hash function. Maybe Iain, as you're in
> > .gov-space?
> We had bug reports for libarchive after overeager efforts to rip out
> "insecure" hash functions. There is a major difference between using MD5
> to implement HMAC or as part of a TLS connection and using it as a plain
> (portable) hash function. The way it is handled in OpenSSL is completely BS and
> just about the worst possible way to do it.
> Joerg
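
The fallback suggested in the reply above (use SHA-256 where MD5 is refused), as an added example that is not code from this thread or from llvm's build scripts. It assumes Python 3.9+ for `usedforsecurity`; `fingerprint` and `fips_like_new` are hypothetical names, and `fips_like_new` is a constructed stand-in for a FIPS-mode provider.

```python
import hashlib


def fingerprint(data, preferred=("md5", "sha256"), new=hashlib.new):
    """Return 'algo:hexdigest' for a non-security checksum (cache key, file ID).

    Tries each algorithm in order and skips any the crypto provider refuses,
    which is what a FIPS-mode OpenSSL does for MD5.
    """
    for name in preferred:
        try:
            # usedforsecurity=False (Python 3.9+) declares a non-cryptographic
            # use; some FIPS-enabled builds then permit MD5, others still refuse.
            h = new(name, usedforsecurity=False)
        except ValueError:
            continue  # digest blocked or unknown: try the next one
        h.update(data)
        # Prefix the algorithm so digests from different hashes never compare equal.
        return f"{name}:{h.hexdigest()}"
    raise RuntimeError("no permitted digest among: " + ", ".join(preferred))


def fips_like_new(name, data=b"", **kwargs):
    """Constructed stand-in for a FIPS-mode provider that rejects MD5 outright."""
    if name.lower() == "md5":
        raise ValueError("md5 disabled for FIPS (simulated)")
    return hashlib.new(name, data, **kwargs)


if __name__ == "__main__":
    print(fingerprint(b"abc"))                     # whatever this host allows
    print(fingerprint(b"abc", new=fips_like_new))  # forced SHA-256 fallback
```

Because the result carries its algorithm name, a cache populated on a non-FIPS host is never matched against digests computed on a FIPS host.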
