Disable FIPS by application?
Stephan Müller
smueller at chronox.de
Tue Apr 11 16:48:52 CEST 2017
Am Dienstag, 11. April 2017, 14:20:26 CEST schrieb Peter Wu:
Hi Peter,
> Hi,
>
> Recently Wireshark has made Libgcrypt mandatory so we could drop the
> bundled code for MD5, SHA1, DES, etc. Since some (older) protocols use
> these algorithms, it must be supported.
>
> However with FIPS mode enforced, these algorithms are not enabled. Is
> there any workaround other than bundling the code again (sigh)? Like
> requesting Libgcrypt not to enable FIPS mode from the application?
It is the idea of the FIPS mode to not allow MD5 and friends.
However, for FIPS 140-2 level 1 validations (this is the highest that can be
achieved by libgcrypt), there is *no* need for a techncial enforcement. I.e.
it is perfectly viable to drop all code that disallows ciphers when in FIPS
mode.
>
> QEMU had a similar problem in the past with this mode:
> https://lists.gnu.org/archive/html/gnutls-devel/2008-09/msg00063.html
>
> Here is the output (from https://code.wireshark.org/review/20095):
>
> # echo 1 > /etc/gcrypt/fips_enabled
> $ ./run/capinfos -H /path/to/a.pcap
> error in libgcrypt, file fips.c, line 301, function
> _gcry_inactivate_fips_mode: MD5 used Ohhhh jeeee: ... this is a bug
> (md.c:809:md_read)
> fatal error in libgcrypt, file misc.c, line 140, function _gcry_logv:
> internal error (fatal or bug) Aborted (core dumped)
Ciao
Stephan
More information about the Gcrypt-devel
mailing list