Use of MD5 in WebRTC TURN request is not FIPS compliant

[ppv-milestone]

Hi
When running with SIPSorcery on a FIPS enabled machine I get the following exception when communicating with a TURN server in WebRTC:
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
at SIPSorcery.Net.RtpIceChannel.GetAuthenticatedStunRequest(STUNMessage stunRequest, String username, Byte[] realm, String password, Byte[] nonce)

I have been reading the specification on STUN protocol and it specifies the use of MD5, and I have also been able to find some sources discussing this issue between STUN specs and FIPS, so it seems like it is a problem with the standard, but I have also tried running Chrome on the same FIPS enabled machine towards the same TURN server and it works fine, so seemingly there is a workaround.
Does anyone know if there is a workaround for this when you use SIPSorcery?
Thanks!
Br,
Peter

[ha-ves]

BouncyCastle's FIPS compliance on C# is still far from being in this library.

Many SYSLIB0021 warnings are being suppressed, it's yet to be updated with Bouncy Castle's.

example, these may perhaps be replaced

sipsorcery/src/net/ICE/RtpIceChannel.cs

Lines 2589 to 2593 in 32f9a66

	// TODO: When .NET Standard and Framework support are deprecated this pragma can be removed.
	#pragma warning disable SYSLIB0021
	MD5 md5 = new MD5CryptoServiceProvider();
	byte[] md5Hash = md5.ComputeHash(Encoding.UTF8.GetBytes(key));
	#pragma warning restore SYSLIB0021

with

var inp = Encoding.UTF8.GetBytes(key);

var md5 = new MD5Digest();
md5.BlockUpdate(inp, 0, inp.Length);
var md5Hash = new byte[md5.GetDigestSize()];
md5.DoFinal(md5Hash, 0);

[sipsorcery]

@ha-ves just got in ahead of me.

MD5 should only be used if the sipsorcery end has been supplied an STUN or TURN server to establish an authenticated connect to, see here.

That being said the STUN message integrity check between the WebRTC peers, i.e. the app using the sipsorcery library and the browser, uses SHA1, see here, and I can't imagine that's FIPS compliant either.

RFC8489 does update STUN to use SHA256 and adds updated password algorithms to replace MD5. This library hasn't gotten around to implementing that RFC yet.

[ppv-milestone]

Thanks a lot for the answers. Our team is currently looking into implementing a replacement (one or the other), so will probably end up in a pull request soon.