[ovs-dev] [PATCH] ovs-bugtool: Switch from MD5 to SHA-256.
Ben Pfaff
blp at ovn.org
Thu Aug 11 16:56:56 UTC 2016
On Thu, Aug 11, 2016 at 07:59:10AM -0500, Ryan Moats wrote:
>
>
> "dev" <dev-bounces at openvswitch.org> wrote on 08/10/2016 11:14:27 PM:
>
> > From: Ben Pfaff <blp at ovn.org>
> > To: dev at openvswitch.org
> > Cc: Ben Pfaff <blp at ovn.org>
> > Date: 08/10/2016 11:14 PM
> > Subject: [ovs-dev] [PATCH] ovs-bugtool: Switch from MD5 to SHA-256.
> > Sent by: "dev" <dev-bounces at openvswitch.org>
> >
> > While going through a FIPS certification process we discovered that
> > ovs-bugtool uses MD5 to identify the contents of files. FIPS doesn't allow
> > use of the obsolete and broken MD5 algorithm, so this commit switches to
> > SHA-256.
> >
> > In a way, this is a silly requirement. ovs-bugtool only uses MD5 to
> > identify file content, mostly to ensure that the contents of the bug report
> > have not been corrupted. MD5 is perfectly adequate for that purpose; in
> > fact a 16-bit CRC would probably be adequate. On the other hand, there is
> > basically no cost and no disadvantage to switching to SHA-256, so why not
> > do it? That's why I think that this is a reasonable change.
> >
> > VMware-BZ: #1708786
> > Signed-off-by: Ben Pfaff <blp at ovn.org>
> > ---
>
> Yes, it's annoying, but arguing with FIPS reminds me of bringing a knife
> to a gun fight...
>
> The patch looks sane so ...
>
> Acked-by: Ryan Moats <rmoats at us.ibm.com>

Thanks a lot. I applied this to master.

> (On a side note, I realized that we don't really have a unit test for this
> tool, but honestly, I'm not sure it's worth adding one - I leave that to
> wiser heads than mine...)

It's a good idea.