FIPS support for ATS


Phillip Moore
Hi,

Is anyone running ATS in a FIPS (Federal Information Processing Standard) compliant setup?

I was looking into this, and ATS has some code that seems to allow it to call the FIPS enable function from OpenSSL, but it doesn't work quite right, it seems.

I've patched ATS to force FIPS mode on, but ATS fails to start due to MD5 hash functions no longer being available, and ATS seems to heavily use MD5 internally.

As a crazy idea, just to see what would happen, I basically did s/md5/sha256 in the code base and was able to make ATS compile and run, but it never logged the 'fips enabled' bits; it didn't complain about MD5 either.

I'm wondering if there was some initial effort for FIPS support that was abandoned, and what I see in the code now is its remnants.

Thanks for any comments,

Phillip Moore
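As an added illustration (not code from this thread or from ATS), here is a small Python startup probe in the shape an application like ATS would need: it asks OpenSSL, through hashlib, whether each digest can actually be constructed and picks the first usable one, so a FIPS-restricted library leads to a sha256 fallback at startup rather than a failed start on the first hash call. The candidate list, the `usedforsecurity=False` flag for non-security uses such as cache keys, and the sample request line are assumptions for the example.

```python
import hashlib

# Digests tried in order of preference. The thread reports MD5 disappearing
# under FIPS while sha256 kept working, so sha256 is the fallback.
CANDIDATES = ("md5", "sha256")


def new_digest(name, data=b"", usedforsecurity=True):
    """Construct a digest through OpenSSL; hashlib raises ValueError when the
    library (for example one running in FIPS mode) refuses the algorithm."""
    try:
        return hashlib.new(name, data, usedforsecurity=usedforsecurity)
    except TypeError:
        # Assumption: Python < 3.9 has no usedforsecurity keyword; try without it.
        return hashlib.new(name, data)


def probe_digests(names, usedforsecurity=True):
    """Map each digest name to True/False depending on whether the underlying
    crypto library will construct it right now."""
    result = {}
    for name in names:
        try:
            new_digest(name, usedforsecurity=usedforsecurity)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


def select_digest(candidates=CANDIDATES, usedforsecurity=True):
    """Return the first candidate the library accepts, or raise RuntimeError
    at startup instead of dying later inside the first hash computation."""
    availability = probe_digests(candidates, usedforsecurity)
    for name in candidates:
        if availability[name]:
            return name
    raise RuntimeError("no usable digest among %s" % (candidates,))


def cache_key(data, algorithm):
    """Hex fingerprint of the kind an object cache would use as a key.
    usedforsecurity=False tells OpenSSL this is not a security use."""
    return new_digest(algorithm, data, usedforsecurity=False).hexdigest()


if __name__ == "__main__":
    chosen = select_digest()
    print("digests:", probe_digests(("md5", "sha256", "sha512")))
    # Constructed sample input: a request line standing in for a cache key.
    print("using", chosen, "->", cache_key(b"GET /index.html", chosen))
```

On a non-FIPS build `select_digest()` returns "md5"; on a FIPS-restricted OpenSSL it returns "sha256", which is exactly the difference the s/md5/sha256 experiment papered over.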


Re: FIPS support for ATS

Bryan Call-2
From dealing with the FIPS and lock issues before, the motivation was to not handle FIPS locks due to the performance impact.  That might have changed with OpenSSL 1.1.0 when the locking issues were resolved.

Backing out the FIPS code in ATS should be all that you need to do and have a FIPS enabled library.

We have talked about moving from md5 to sha256 before and I would be supportive of that.

-Bryan

On Sep 20, 2017, at 12:15 PM, Phillip Moore <[hidden email]> wrote: