-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make MD5 hash implementation configurable #1445
Conversation
What's the use case? |
From what I understand it is to allow using CouchDB when FIPS mode is enabled. In that case computing md5 via OpenSSL ( The other alternative is to switch CouchDB to use a different hash function, but that is a bigger change, so I suggested just using Erlang's built-in md5 for now as an option. There was some discussion here about it: #1171 |
@rnewson Updated to include rationale, thank you for the reminder. |
EUnit tests pass with and without the +1 I'd suggest mentioning the issue number (#1171) in the commit message. Also rebase against latest master. Then create a docs pull request to make note about the new option. Maybe under |
781ca24
to
abb8217
Compare
@rokek no, don't need a new PR. Just switch to master, do a git pull to update it. Then switch back to the PR branch. Run Documentation PR is separate. |
@rokek LGTM. Thanks for your contribution, it is much appreciated! I'll merge it and will review the docs PR |
@nickva Thank you for the assistance! |
#1445 introduced a shim to enable CouchDB to be compiled to use the Erlang MD5 function. This allows CouchDB to run in FIPS environments where the crypto module is restricted such that `crypto:hash(md5,..)` is blocked (fails with `notsup` error). This commit replaces usage of `crypto:hash(md5, ..)` introduced since the original PR with the shim function.
#1445 introduced a shim to enable CouchDB to be compiled to use the Erlang MD5 function. This allows CouchDB to run in FIPS environments where the crypto module is restricted such that `crypto:hash(md5,..)` is blocked (fails with `notsup` error). This commit replaces usage of `crypto:hash(md5, ..)` introduced since the original PR with the shim function.
Overview
This aims to enable CouchDB to run in an environment where OpenSSL MD5 hash operations are explicitly disallowed by the operating system, for example: when running in "FIPS mode." Because CouchDB does not make use of MD5 hashes for cryptographic purposes, this workaround does not defeat the purpose of "FIPS mode," provided that the system owner is aware of and consents to its use.
Approach
Testing recommendations
make check
Related Issues or Pull Requests
#1171
Checklist