@BridgerVoss BridgerVoss commented Jul 28, 2025

MD5 was getting enabled on FIPS builds which shouldn't be happening. Added WP_ALLOW_NON_FIPS flag to allow usage of DES3 or MD5 if they are enabled in the FIPS build.

padelsbach previously approved these changes Jul 28, 2025
Contributor

@padelsbach padelsbach left a comment

Looks fine to me. Will let @ColtonWilley chime in

@ColtonWilley
Contributor

I am not so sure about this one. In general wolfProvider is not the one who determines algo support, it relies on the wolfssl includes to dictate which algos are enabled.

There are no other switches in settings.h on FIPS, despite many of those algos also not being included in the FIPS module. At a minimum it makes the code inconsistent, 3DES would also fall into this same category.

We should either not enforce, or enforce in a robust and consistent way. Let me think some more and consult with Kaleb on this.

@BridgerVoss
Author

> I am not so sure about this one. In general wolfProvider is not the one who determines algo support, it relies on the wolfssl includes to dictate which algos are enabled.
>
> There are no other switches in settings.h on FIPS, despite many of those algos also not being included in the FIPS module. At a minimum it makes the code inconsistent, 3DES would also fall into this same category.
>
> We should either not enforce, or enforce in a robust and consistent way. Let me think some more and consult with Kaleb on this.

@ColtonWilley in the XXX-fips-test directory MD5 is enabled by default. Would updating this to disabled by default be better? 3DES is disabled by default here.

@BridgerVoss BridgerVoss changed the title from "disables MD5 on FIPS builds" to "disables MD5 on FIPS builds and adds WP_ALLOW_NON_FIPS flag" Jul 30, 2025
@BridgerVoss BridgerVoss force-pushed the bug_fix branch 4 times, most recently from 2748565 to 3c9d4ca, July 31, 2025 19:39
@BridgerVoss
Author

retest this please Jenkins

@padelsbach padelsbach merged commit c1fa9ed into wolfSSL:master Aug 1, 2025
262 checks passed