Disable FIPS by application?

Stephan Müller smueller at chronox.de
Tue Apr 11 17:43:35 CEST 2017

Am Dienstag, 11. April 2017, 17:27:39 CEST schrieb Peter Wu:

Hi Peter,

> > > So is it possible to disable this enforcement in a Libgcrypt user?
> > 
> > It is permissible to disable the enforcement of the cipher restrictions.
> > Other FIPS related enforcements cannot be removed.
> Hmm, that is unfortunate. So in order to (for example) support MD5 (for
> verifying checksums or deriving keys for decryption and dissection), we
> would have to use another crypto library *or*
> require the administrator to keep FIPS enforcement disabled (by not
> creating /etc/gcrypt/fips_enabled)?

Maybe I was not clear: you can remove the code that disables the non-approved 
ciphers like MD5. I.e. you can technically use MD5 even though libgcrypt is in 
FIPS mode.

Other FIPS changes (like the use of the SP800-90A DRBG or self tests) must not 
be touched.


More information about the Gcrypt-devel mailing list