[CSHARP-1937] C# Driver 2.X does not allow upload to GridFS when FIPS is enabled Created: 10/Mar/17  Updated: 05/Feb/18  Resolved: 05/Feb/18

Status: Closed
Project: C# Driver
Component/s: GridFS
Affects Version/s: 2.2.3, 2.4.2
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Steve Hall Assignee: Unassigned
Resolution: Duplicate Votes: 3
Labels: FIPS, c#, gridfs
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 10 x64


Issue Links:
Duplicate
duplicates CSHARP-2162 GridFS MD5 digest must be optional Closed
Related
related to CSHARP-2162 GridFS MD5 digest must be optional Closed
related to CSHARP-1703 SCRAM-SHA-1 fails on FIPS machines Closed
Case:

 Description   

Hi
If I enable FIPS then I can no longer upload streams to GridFS using the new driver (this worked on the old driver). This simple code shows the issue:

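      // Requires: using System; using System.IO; using System.Windows.Forms;
      //           using MongoDB.Driver; using MongoDB.Driver.GridFS;
      var client = new MongoClient("mongodb://localhost:27017");
      var db = client.GetDatabase("Test");
      var gridfs = new GridFSBucket(db);
      const string filename = @"C:\temp\test.txt";
      System.IO.File.WriteAllText(filename, "THIS IS A TEST");
      try
      {
          // 'using' closes the stream even when the upload throws.
          using (var file = System.IO.File.Open(filename, FileMode.Open, FileAccess.Read))
          {
              // This is the call that fails when FIPS is enabled.
              var id = gridfs.UploadFromStream(filename, file, null);
          }
      }
      catch (Exception ex)
      {
          // Show the inner exception when there is one; otherwise the outer message.
          MessageBox.Show(ex.InnerException?.Message ?? ex.Message);
      }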

This yields the following error:

    This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

I expect this is due to GridFSForwardOnlyUploadStream.cs using IncrementalMD5.

We used to be able to upload with the old driver as we could specify disabling the MD5 check when connecting to GridFS:

    var settings = new MongoGridFSSettings { UpdateMD5 = false, VerifyMD5 = false };

Thanks,
Steve H



 Comments   
Comment by Robert Stam [ 05/Feb/18 ]

We no longer plan to write our own implementation of MD5 to bypass FIPS mode enforcement in the OS.

Instead, we are making a small change to the GridFS API which will allow the application to disable computation of the MD5 checksum. An application will be able to use GridFS on a FIPS mode machine by using the new option to disable the MD5 checksum.

See:

https://jira.mongodb.org/browse/CSHARP-2162
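
Added example (not from the ticket or the driver's own code): an upload with the MD5 digest disabled, storing a SHA-256 digest in the file metadata so integrity can still be checked on read. It assumes a driver release that includes the CSHARP-2162 change, where the option is exposed as `GridFSBucketOptions.DisableMD5`, and .NET Framework on Windows; the class name and the `sha256` metadata field are choices made for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using MongoDB.Bson;
using MongoDB.Driver;
using MongoDB.Driver.GridFS;

static class FipsGridFsExample // hypothetical name, for this example only
{
    // SHA256CryptoServiceProvider wraps the Windows CryptoAPI implementation,
    // so it can be constructed when FIPS enforcement is on (assumption: .NET Framework).
    static string Sha256Hex(Stream stream)
    {
        using (var sha = new SHA256CryptoServiceProvider())
            return BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "").ToLowerInvariant();
    }

    static void Main()
    {
        Console.WriteLine("FIPS enforced: " + CryptoConfig.AllowOnlyFipsAlgorithms);
        var db = new MongoClient("mongodb://localhost:27017").GetDatabase("Test");
        // DisableMD5 stops the driver from computing the MD5 digest during upload.
        var bucket = new GridFSBucket(db, new GridFSBucketOptions { DisableMD5 = true });

        const string filename = @"C:\temp\test.txt";
        File.WriteAllText(filename, "THIS IS A TEST");
        ObjectId id;
        using (var file = File.OpenRead(filename))
        {
            var digest = Sha256Hex(file);
            file.Position = 0; // rewind after hashing so the upload reads from the start
            // "sha256" is a metadata field name chosen for this example.
            var options = new GridFSUploadOptions { Metadata = new BsonDocument("sha256", digest) };
            id = bucket.UploadFromStream(filename, file, options);
        }

        // On read: recompute the digest and compare it with the stored one.
        FilterDefinition<GridFSFileInfo> byId = new BsonDocument("_id", id);
        var info = bucket.Find(byId).First();
        using (var downloaded = new MemoryStream(bucket.DownloadAsBytes(id)))
        {
            var ok = Sha256Hex(downloaded) == info.Metadata["sha256"].AsString;
            Console.WriteLine(ok ? "digest verified" : "digest mismatch");
        }
    }
}
```

The stored digest detects accidental corruption only; anyone who can write to the bucket can replace both the file and its metadata.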

Comment by Steve Hall [ 10/Mar/17 ]

Thanks Robert - I know, FIPS is very annoying but we have customers who insist on it being enabled and this means we're dead in the water with them with respect to upgrading our code to the new driver.

Thanks for the update
Steve

Comment by Robert Stam [ 10/Mar/17 ]

The 2.x GridFS implementation follows the new GridFS spec that all drivers follow. In this new spec (and therefore in the 2.x C# driver) calculating the MD5 hash is mandatory, and therefore can no longer be turned off.

FIPS unfortunately doesn't distinguish between cryptographic uses of MD5 (where security is important) and benign uses of MD5 such as used by GridFS.

We have a related ticket to write our own implementation of MD5 to use where security is not important. FIPS wouldn't see that and therefore GridFS could be used even when FIPS is enabled.

Comment by Steve Hall [ 10/Mar/17 ]

I expect this issue occurs on all versions of the 2.x driver but I have only tested it on the ones listed.
