Disable FIPS by application?

Peter Wu peter at lekensteyn.nl
Tue Apr 11 14:20:26 CEST 2017


Recently Wireshark has made Libgcrypt mandatory so we could drop the
bundled code for MD5, SHA1, DES, etc. Since some (older) protocols use
these algorithms, it must be supported.

However with FIPS mode enforced, these algorithms are not enabled. Is
there any workaround other than bundling the code again (sigh)? Like
requesting Libgcrypt not to enable FIPS mode from the application?

QEMU had a similar problem in the past with this mode:

Here is the output (from https://code.wireshark.org/review/20095):

    # echo 1 > /etc/gcrypt/fips_enabled
    $ ./run/capinfos -H /path/to/a.pcap
    error in libgcrypt, file fips.c, line 301, function _gcry_inactivate_fips_mode: MD5 used
    Ohhhh jeeee: ... this is a bug (md.c:809:md_read)
    fatal error in libgcrypt, file misc.c, line 140, function _gcry_logv: internal error (fatal or bug)
    Aborted (core dumped)
Kind regards,
Peter Wu

More information about the Gcrypt-devel mailing list