Disable FIPS by application?

Peter Wu peter at lekensteyn.nl
Tue Apr 11 17:27:39 CEST 2017


On Tue, Apr 11, 2017 at 05:14:29PM +0200, Stephan Müller wrote:
> On Tuesday, 11 April 2017, 16:59:06 CEST, Peter Wu wrote:
> 
> Hi Peter,
> 
> > On Tue, Apr 11, 2017 at 04:48:52PM +0200, Stephan Müller wrote:
> > > On Tuesday, 11 April 2017, 14:20:26 CEST, Peter Wu wrote:
> > > 
> > > Hi Peter,
> > > 
> > > > Hi,
> > > > 
> > > > Recently Wireshark has made Libgcrypt mandatory so we could drop the
> > > > bundled code for MD5, SHA1, DES, etc. Since some (older) protocols use
> > > > these algorithms, they must be supported.
> > > > 
> > > > However with FIPS mode enforced, these algorithms are not enabled. Is
> > > > there any workaround other than bundling the code again (sigh)? Like
> > > > requesting Libgcrypt not to enable FIPS mode from the application?
> > > 
> > > It is the idea of the FIPS mode to not allow MD5 and friends.
> > 
> > Yes, that's understood. The problem however is that the application is
> > not intended to be subject to this policy.
> 
> That is the common crux of the matter :-)
> > 
> > > However, for FIPS 140-2 level 1 validations (this is the highest that can
> > > be achieved by libgcrypt), there is *no* need for a technical
> > > enforcement. I.e. it is perfectly viable to drop all code that disallows
> > > ciphers when in FIPS mode.
> > 
> > So is it possible to disable this enforcement in a Libgcrypt user?
> 
> It is permissible to disable the enforcement of the cipher restrictions. Other 
> FIPS related enforcements cannot be removed.

Hmm, that is unfortunate. So in order to (for example) support MD5 (for
verifying checksums or deriving keys for decryption and dissection), we
would have to use another crypto library *or* require the administrator
to keep FIPS enforcement disabled (by not creating
/etc/gcrypt/fips_enabled)?
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl

PS. For some reason your messages are not appearing in the archives at
https://lists.gnupg.org/pipermail/gcrypt-devel/2017-April/
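
Added example, not part of the original message and not code from Libgcrypt or Wireshark: a preflight check an administrator or packager could run to see whether Libgcrypt will start in FIPS mode on a host, and why. The force file path is the one named in the message; the kernel flag path is taken from the Libgcrypt manual and is not mentioned in this thread, and the function name and `root` parameter are hypothetical.

```python
import os
import sys

# Trigger paths, relative to the filesystem root. The force file is the one
# named in the message above; the kernel flag is documented in the Libgcrypt
# manual (it does not appear in this thread).
FORCE_FILE = "etc/gcrypt/fips_enabled"
KERNEL_FLAG = "proc/sys/crypto/fips_enabled"


def fips_triggers(root="/"):
    """Return the reasons Libgcrypt would start in FIPS mode under `root`.

    An empty list means neither host-level trigger is present. `root` exists
    so the check can be pointed at a chroot, container image or test tree.
    """
    reasons = []

    # The force file is a pure existence check: an empty file is enough.
    if os.path.exists(os.path.join(root, FORCE_FILE)):
        reasons.append("force file /%s exists" % FORCE_FILE)

    # The kernel flag only counts when it holds a non-zero number.
    try:
        with open(os.path.join(root, KERNEL_FLAG)) as fh:
            raw = fh.read().strip()
    except OSError:
        raw = ""  # no proc file system or flag not readable
    try:
        if int(raw or "0") != 0:
            reasons.append("kernel flag /%s = %s" % (KERNEL_FLAG, raw))
    except ValueError:
        pass  # this sketch treats unparsable content as "not enabled"

    return reasons


if __name__ == "__main__":
    found = fips_triggers(sys.argv[1] if len(sys.argv) > 1 else "/")
    if found:
        print("Libgcrypt will enforce FIPS mode; MD5 and similar are disabled:")
        for reason in found:
            print("  - " + reason)
        sys.exit(1)
    print("No host-level FIPS trigger found.")
```

An application can still request FIPS mode itself at run time, which this host-level check does not see.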


