Remove MD5 Usage or document usage for API Security
Problem Overview
As part of our FIPS compliance goals, MD5 cannot be used and needs to be replaced.
Remarks
- This command was used to find md5 references:
    grep -rInw ./ -e '.*[Mm][Dd]5.*'
- There is code that is in the repository but it does not get compiled into the FIPS build due to changes done in #354230 (closed). It added 3 symbols to conditionally compile code:
  - APISEC_CHECK_TLSCONF
  - APISEC_CHECK_HEARTBLEED
  - APISEC_PROXY
Solution
- Remove uses of MD5 and replace them with more secure SHA256 if possible.
  - CHANGE: Replace md5sum with sha256sum in build and test scripts. See MR-651
    ./api-fuzzing-src/build/docker/dotnet/build:169:export IMAGE_NAME=dotnet-toolchain_`md5sum build/docker/dotnet/Dockerfile | sed -e "s/^\\\\\\//" | cut -c -32`
    ./api-fuzzing-src/build/docker/make_publish_gitlabci:40:export IMAGE_NAME=dotnet-toolchain_`md5sum build/docker/dotnet/Dockerfile | sed -e "s/^\\\\\\//" | cut -c -32`
    ./api-fuzzing-src/build/docker/make_publish_prod_gitlabci:57:export IMAGE_NAME=dotnet-toolchain_`md5sum build/docker/dotnet/Dockerfile | sed -e "s/^\\\\\\//" | cut -c -32`
    ./api-fuzzing-src/build/jobs/linting:37:export IMAGE_NAME=${NAME}_`md5sum $DOCKER_FILE | sed -e "s/^\\\\\\//" | cut -c -32`
    ./api-fuzzing-src/build/make_publish_python.sh:65:export IMAGE_NAME=${NAME}_`md5sum $DOCKER_FILE | sed -e "s/^\\\\\\//" | cut -c -32`
    ./api-fuzzing-src/web/Test/cacheorloadcontainer.sh:31:export IMAGE_NAME=test-${NAME}_`md5sum $DOCKER_FILE | sed -e "s/^\\\\\\//" | cut -c -32`
  - NO CHANGE: This folder is not shipped. Legacy code.
    ./api-fuzzing-src/web/Demon/Watcher.cs:16: private MD5 _md5 = MD5.Create();
    ./api-fuzzing-src/web/Demon/Watcher.cs:88: return _md5.ComputeHash(input);
  - NO CHANGE: This is not a usage of MD5, it's for building a profile of what's allowed or not allowed. Changing it could cause configuration files not to load correctly.
    ./api-fuzzing-src/web/PeachWeb/Core/Checks/TlsConfiguration/TlsServerProfile.cs:37: Md5 = 1,
    ./api-fuzzing-src/web/PeachWeb/Core/Checks/TlsConfiguration/TlsServerProfile.cs:60: [Display(Name = "MD5")] Md5,
    ./api-fuzzing-src/web/PeachWeb/Core/Checks/TlsConfiguration/TlsServerProfile.cs:197: TlsHash.Md5,
  - NO CHANGE: This is not a configuration file, it's providing a list of known ciphers. This is used when determining if a TLS configuration matches or fails a policy check.
    ./api-fuzzing-src/web/PeachWeb/Resources/Checks/TlsConfigurationCheck/ciphers.json:9: "GnuTLS": "TLS_RSA_NULL_MD5",
    ...
    ./api-fuzzing-src/web/PeachWeb/Resources/Checks/TlsConfigurationCheck/ciphers.json:251: "IANA": "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
    ./api-fuzzing-src/web/PeachWeb/Resources/Checks/TlsConfigurationCheck/ciphers.txt:93: 0x00,0x18 - ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
    ...
    ./api-fuzzing-src/web/PeachWeb/Resources/Checks/TlsConfigurationCheck/ciphers.txt:121: 0x00,0x01 - NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
  - NO CHANGE: This is a list of known headers and must not be changed.
    ./api-fuzzing-src/web/PeachWeb/Runner/Services/OverridesKnownHeaders.cs:37: new OverridesKnownHeader("Content-MD5", HttpHeaderType.Content),
  - NO CHANGE: This is a list of known headers and must not be changed.
    ./api-fuzzing-src/web/Runner/Services/OverridesKnownHeaders.cs:37: new OverridesKnownHeader("Content-MD5", HttpHeaderType.Content),
  - CHANGE: This folder is not shipped. Removal of this will need to include other components that are available in local debug builds to make sure we don't break everyone. I think we have an issue already to remove the legacy code that uses this folder. (see build/make_web_release.sh line 103)
    NOTE: A code change is required to also include this logic when performing web_fips build. See MR-6650
    ./api-fuzzing-src/web/PeachWeb/wwwroot/vendor/highlight/highlight.min.js:3:... maxtrans md5 measures...
  - NO CHANGE: This MD5 text refers to a dependency for the NodeJS module, but the NodeJS module is not deployed in the build and the NodeJS module is not in use.
    ./api-fuzzing-src/web/SDK/libraries/nodejs/package-lock.json:959: "md5": {
    ./api-fuzzing-src/web/SDK/libraries/nodejs/package-lock.json:961: "resolved": "https://registry.npmjs.org/md5/-/md5-2.2.1.tgz",
    ./api-fuzzing-src/web/SDK/libraries/nodejs/package-lock.json:1039: "md5": "^2.1.0",
  - NO CHANGE: This folder is not shipped. Excluded by flag APISEC_PROXY
    ./api-fuzzing-src/web/Test/Proxy/ProxyServerTests.cs:667: "Content-MD5: 5NfxtO0uQtFYmPSyewGdpA==;",
    ./api-fuzzing-src/web/Test/Proxy/ProxyServerTests.cs:710: System.Text.Encoding.ASCII.GetBytes("11d\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>InvalidDigest</Code><Message>The Content-Md5 you specified is not valid.</Message><Key></Key><BucketName></BucketName><Resource>/boto3-test-1490899683-5872/test.txt</Resource><RequestId>3L137</RequestId><HostId>3L137</HostId></Error>\r\n0\r\n\r\n")
    ./api-fuzzing-src/web/Test/Proxy/ProxyServerTests.cs:812: "Content-MD5: 5NfxtO0uQtFYmPSyewGdpA==;",
    ./api-fuzzing-src/web/Test/Proxy/ProxyServerTests.cs:946: "Content-MD5: 5NfxtO0uQtFYmPSyewGdpA==;",
  - NO CHANGE: This folder is not shipped. Excluded by flag APISEC_CHECK_TLSCONF
    ./api-fuzzing-src/web/Test/Unit/Core/Services/FaultCollectorTests.cs:366: new Tuple<TlsHash, TlsSignature>(TlsHash.Md5, TlsSignature.Dsa),
- If MD5 is needed and cannot be replaced, document in this issue why it is needed so that we can discuss further and convey that information to the auditors.
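
A regression guard for the audit above, as an added example that is not part of the issue or the project's code: md5_audit reruns the issue's grep and reports only hits outside the paths reviewed as NO CHANGE, and image_tag shows a sha256sum form of the image-name pipeline. The function names, the MD5_ALLOWLIST variable and keeping the 32-character truncation are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not project code. Prefixes are the issue's NO CHANGE paths.
MD5_ALLOWLIST='
./api-fuzzing-src/web/Demon/
./api-fuzzing-src/web/PeachWeb/Core/Checks/TlsConfiguration/
./api-fuzzing-src/web/PeachWeb/Resources/Checks/TlsConfigurationCheck/
./api-fuzzing-src/web/PeachWeb/Runner/Services/OverridesKnownHeaders.cs
./api-fuzzing-src/web/Runner/Services/OverridesKnownHeaders.cs
./api-fuzzing-src/web/SDK/libraries/nodejs/package-lock.json
./api-fuzzing-src/web/Test/Proxy/
./api-fuzzing-src/web/Test/Unit/Core/Services/FaultCollectorTests.cs
'

# md5_audit ROOT (hypothetical helper): rerun the issue's grep under ROOT and
# print every hit whose path does not start with an allowlisted prefix.
# Returns 0 when nothing unreviewed is found, 1 on new hits, 2 on a bad ROOT.
md5_audit() {
  local hits
  if [ ! -d "$1" ]; then
    echo "md5_audit: no such directory: $1" >&2
    return 2   # fail closed: a missing tree must not look like a clean scan
  fi
  hits=$(cd "$1" && grep -rInw ./ -e '.*[Mm][Dd]5.*' |
    MD5_ALLOWLIST="$MD5_ALLOWLIST" awk '
      BEGIN { n = split(ENVIRON["MD5_ALLOWLIST"], allow, "\n") }
      {
        for (i = 1; i <= n; i++)
          if (allow[i] != "" && index($0, allow[i]) == 1) next
        print
      }')
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# image_tag NAME DOCKERFILE (hypothetical helper): cache tag derived from the
# Dockerfile's SHA-256. Reading the file on stdin keeps the file name out of
# sha256sum's output, so the line always starts with the digest. Keeping the
# first 32 hex characters (an assumption) leaves the tag the same length as
# the MD5-based names; the tag is a cache key, not an integrity check.
image_tag() {
  printf '%s_%s\n' "$1" "$(sha256sum < "$2" | cut -c -32)"
}
```

Run md5_audit from the repository root in CI so that a new md5sum call or MD5 API use fails the job until it is either replaced or reviewed and added to the allowlist.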