Add local MD5 implementation so S3 works when FIPS is enabled.

S3 requires the Content-MD5 header for many requests but MD5 is not available via OpenSSL when FIPS is enabled because it is considered to be insecure. Even though our usage does not present any security risks a local M5 implementation is required to circumvent the over-broad FIPS restriction. Vendorize the MD5 implementation found at https://openwall.info/wiki/people/solar/software/public-domain-source-code/md5 and add full coverage for the module in the common/crypto unit tests.
2025-07-05 00:28:52 +02:00 · 2020-05-20 14:56:13 -04:00
parent d5f451a8b9
commit f15d6104d2
5 changed files with 402 additions and 15 deletions
--- a/test/src/module/common/cryptoTest.c
+++ b/test/src/module/common/cryptoTest.c
@ -329,8 +329,41 @@ testRun(void)
        TEST_RESULT_VOID(ioFilterFree(hash), "    free hash");

        // -------------------------------------------------------------------------------------------------------------------------
+        TEST_TITLE("md5 hash - zero bytes");
+
        TEST_ASSIGN(hash, cryptoHashNew(strNew(HASH_TYPE_MD5)), "create md5 hash");
-        TEST_RESULT_STR_Z(varStr(ioFilterResult(hash)), HASH_TYPE_MD5_ZERO, "    check empty hash");
+        TEST_RESULT_STR_Z(varStr(ioFilterResult(hash)), HASH_TYPE_MD5_ZERO, "check empty hash");
+
+        // Exercise most of the conditions in the local MD5 code
+        // -------------------------------------------------------------------------------------------------------------------------
+        TEST_TITLE("md5 hash - mixed bytes");
+
+        TEST_ASSIGN(hash, cryptoHashNew(strNew(HASH_TYPE_MD5)), "create md5 hash");
+        TEST_RESULT_VOID(ioFilterProcessIn(hash, BUFSTRZ("1")), "add 1");
+        TEST_RESULT_VOID(ioFilterProcessIn(hash, BUFSTRZ("123456789012345678901234567890123")), "add 32 bytes");
+        TEST_RESULT_VOID(
+            ioFilterProcessIn(
+                hash,
+                BUFSTRZ(
+                    "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890"
+                    "12345678901234567890123456789012345678901234567890")),
+                "add 160 bytes");
+        TEST_RESULT_VOID(
+            ioFilterProcessIn(hash, BUFSTRZ("12345678901234567890123456789001234567890012345678901234")), "add 58 bytes");
+
+        TEST_RESULT_STR_Z(varStr(ioFilterResult(hash)), "3318600bc9c1d379e91e4bae90721243", "check hash");
+
+        // Full coverage of local MD5 requires processing > 511MB of data but that makes the test run too long. Instead we'll cheat
+        // a bit and initialize the context at 511MB to start. This does not produce a valid MD5 hash but does provide coverage of
+        // that one condition cheaply.
+        // -------------------------------------------------------------------------------------------------------------------------
+        TEST_TITLE("md5 hash - > 0x1fffffff bytes");
+
+        TEST_ASSIGN(hash, cryptoHashNew(strNew(HASH_TYPE_MD5)), "create md5 hash");
+        ((CryptoHash *)ioFilterDriver(hash))->md5Context->lo = 0x1fffffff;
+
+        TEST_RESULT_VOID(ioFilterProcessIn(hash, BUFSTRZ("1")), "add 1");
+        TEST_RESULT_STR_Z(varStr(ioFilterResult(hash)), "5c99876f9cafa7f485eac9c7a8a2764c", "check hash");

        // -------------------------------------------------------------------------------------------------------------------------
        TEST_ASSIGN(hash, cryptoHashNew(strNew(HASH_TYPE_SHA256)), "create sha256 hash");