Replace hardcoded use of MD5 in sync-diff-inspector with configurable option to support FIPS-compliant environments. #886

Open
maxz-db wants to merge 1 commit into pingcap:master from maxz-db:sync-diff-inspector-fips

maxz-db commented Feb 14, 2026

Context:

Changes:

What problem does this PR solve?

Issue Number: close #885

What is changed and how it works?

  • Added a new checksum-algorithm configuration flag to sync-diff-inspector:
    • Supported options: "md5" and "sha256" hash functions for checksumming
    • Default: md5 for backwards compatibility.

Tests

  • Unit test
  • Manual test on dev environment.

… option to support FIPS-compliant environments. (pingcap#6)

Context:
TiDB FIPS build mode introduced in 7.6.0: pingcap/tidb#47949.
TiDB binaries built with FIPS 140-3 compliance mode disable MD5 hashing in OpenSSL library used by TiKV.

Problem:
sync-diff-inspector relies on hardcoded MD5() for chunk checksumming.
For performance reasons, TiDB may push expression evaluation down to TiKV coprocessor (tidb_query_expr), which uses OpenSSL for cryptographic functions.
In FIPS mode, TiKV's OpenSSL inner_evp_generic_fetch() tries to load MD5 algorithm and fails with error code 50856204 (EVP_R_UNSUPPORTED).
As a result, sync-diff-inspector fails because TiDB rejected all MD5-based checksum queries due to OpenSSL security policy restrictions.

Changes:
- Added a new `checksum-algorithm` configuration flag:
  - Supported options: "md5" and "sha256" hash functions for checksumming
  - Default: md5 for backwards compatibility.
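
An added example, not code from this PR or from sync-diff-inspector: one way a `checksum-algorithm` value could be checked against an allowlist and mapped to a SQL hash function, so that md5 stays the default and sha256 can be selected on FIPS-mode clusters. The function names and the query shape are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// hashCall is the fixed SQL text placed around the row expression.
type hashCall struct{ pre, post string }

// Allowlist: the configured string selects an entry and never reaches the query.
var sqlHash = map[string]hashCall{
	"md5":    {"MD5(", ")"},
	"sha256": {"SHA2(", ", 256)"},
}

// ResolveAlgorithm: empty means the default (md5); off-list values are errors.
func ResolveAlgorithm(configured string) (string, error) {
	name := strings.ToLower(strings.TrimSpace(configured))
	if name == "" {
		name = "md5"
	}
	if _, ok := sqlHash[name]; !ok {
		return "", fmt.Errorf("unsupported checksum-algorithm %q (want md5 or sha256)", configured)
	}
	return name, nil
}

func quoteIdent(s string) string { return "`" + strings.ReplaceAll(s, "`", "``") + "`" }

// ChunkChecksumSQL hashes each row and folds the first 64 bits of every digest
// with BIT_XOR. Assumed query shape; NULL handling is omitted for brevity.
func ChunkChecksumSQL(configured, table string, cols []string) (string, error) {
	name, err := ResolveAlgorithm(configured)
	if err != nil {
		return "", err
	}
	quoted := make([]string, len(cols))
	for i, c := range cols {
		quoted[i] = quoteIdent(c)
	}
	h := sqlHash[name]
	row := h.pre + "CONCAT_WS(',', " + strings.Join(quoted, ", ") + ")" + h.post
	return "SELECT COUNT(*) AS cnt, BIT_XOR(CAST(CONV(SUBSTRING(" + row +
		", 1, 16), 16, 10) AS UNSIGNED)) AS checksum FROM " + quoteIdent(table), nil
}

func main() {
	fmt.Println(ChunkChecksumSQL("sha256", "t1", []string{"id", "name"}))
}
```

Rejecting unknown values at configuration time surfaces a bad setting before any query is sent, instead of as a database-side error in the middle of a comparison run.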

ti-chi-bot bot commented Feb 14, 2026

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


ti-chi-bot bot commented Feb 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign francis0407 for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


ti-chi-bot bot commented Feb 14, 2026

Hi @maxz-db. Thanks for your PR.

I'm waiting for a pingcap member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


ti-chi-bot bot commented Feb 14, 2026

Welcome @maxz-db!

It looks like this is your first PR to pingcap/tidb-tools 🎉.

I'm the bot to help you request reviewers, add labels and more. See available commands.

We want to make sure your contribution gets all the attention it needs!



Thank you, and welcome to pingcap/tidb-tools. 😃


pingcap-cla-assistant bot commented Feb 14, 2026

CLA assistant check
All committers have signed the CLA.

ti-chi-bot bot added the size/L label Feb 14, 2026
Development

Successfully merging this pull request may close these issues.

sync-diff-inspector fails on TiDB cluster v8.5.4 with FIPS enabled