Disable FIPS by application?

Peter Wu peter at lekensteyn.nl
Tue Apr 11 16:59:06 CEST 2017


On Tue, Apr 11, 2017 at 04:48:52PM +0200, Stephan Müller wrote:
> On Tuesday, 11 April 2017, 14:20:26 CEST, Peter Wu wrote:
> 
> Hi Peter,
> 
> > Hi,
> > 
> > Recently Wireshark has made Libgcrypt mandatory so we could drop the
> > bundled code for MD5, SHA1, DES, etc. Since some (older) protocols use
> > these algorithms, it must be supported.
> > 
> > However with FIPS mode enforced, these algorithms are not enabled. Is
> > there any workaround other than bundling the code again (sigh)? Like
> > requesting Libgcrypt not to enable FIPS mode from the application?
> 
> It is the idea of the FIPS mode to not allow MD5 and friends.

Yes, that's understood. The problem however is that the application is
not intended to be subject to this policy.

> However, for FIPS 140-2 level 1 validations (this is the highest that can be
> achieved by libgcrypt), there is *no* need for a technical enforcement. I.e.
> it is perfectly viable to drop all code that disallows ciphers when in FIPS
> mode.

So is it possible to disable this enforcement in a Libgcrypt user?

Kind regards,
Peter

> > 
> > QEMU had a similar problem in the past with this mode:
> > https://lists.gnu.org/archive/html/gnutls-devel/2008-09/msg00063.html
> > 
> > Here is the output (from https://code.wireshark.org/review/20095):
> > 
> >     # echo 1 > /etc/gcrypt/fips_enabled
> >     $ ./run/capinfos -H /path/to/a.pcap
> >     error in libgcrypt, file fips.c, line 301, function _gcry_inactivate_fips_mode: MD5 used
> >     Ohhhh jeeee: ... this is a bug (md.c:809:md_read)
> >     fatal error in libgcrypt, file misc.c, line 140, function _gcry_logv: internal error (fatal or bug)
> >     Aborted (core dumped)
> 
> 
> 
> Ciao
> Stephan


