Disable FIPS by application?
Stephan Müller
smueller at chronox.de
Tue Apr 11 17:43:35 CEST 2017
Am Dienstag, 11. April 2017, 17:27:39 CEST schrieb Peter Wu:
Hi Peter,
> > > So is it possible to disable this enforcement in a Libgcrypt user?
> >
> > It is permissible to disable the enforcement of the cipher restrictions.
> > Other FIPS related enforcements cannot be removed.
>
> Hmm, that is unfortunate. So in order to (for example) support MD5 (for
> verifying checksums or deriving keys for decryption and dissection), we
> would have to use another crypto library *or*
> require the administrator to keep FIPS enforcement disabled (by not
> creating /etc/gcrypt/fips_enabled)?
Maybe I was not clear: you can remove the code that disables the non-approved
ciphers like MD5. I.e. you can technically use MD5 even though libgcrypt is in
FIPS mode.
Other FIPS changes (like the use of the SP800-90A DRBG or self tests) must not
be touched.
Ciao
Stephan
More information about the Gcrypt-devel
mailing list