Disable FIPS by application?

Stephan Müller smueller at chronox.de
Tue Apr 11 16:48:52 CEST 2017

Am Dienstag, 11. April 2017, 14:20:26 CEST schrieb Peter Wu:

Hi Peter,

> Hi,
> Recently Wireshark has made Libgcrypt mandatory so we could drop the
> bundled code for MD5, SHA1, DES, etc. Since some (older) protocols use
> these algorithms, it must be supported.
> However with FIPS mode enforced, these algorithms are not enabled. Is
> there any workaround other than bundling the code again (sigh)? Like
> requesting Libgcrypt not to enable FIPS mode from the application?

It is the idea of the FIPS mode to not allow MD5 and friends.

However, for FIPS 140-2 level 1 validations (this is the highest that can be 
achieved by libgcrypt), there is *no* need for a techncial enforcement. I.e. 
it is perfectly viable to drop all code that disallows ciphers when in FIPS 

> QEMU had a similar problem in the past with this mode:
> https://lists.gnu.org/archive/html/gnutls-devel/2008-09/msg00063.html
> Here is the output (from https://code.wireshark.org/review/20095):
>     # echo 1 > /etc/gcrypt/fips_enabled
>     $ ./run/capinfos -H /path/to/a.pcap
>     error in libgcrypt, file fips.c, line 301, function
> _gcry_inactivate_fips_mode: MD5 used Ohhhh jeeee: ... this is a bug
> (md.c:809:md_read)
>     fatal error in libgcrypt, file misc.c, line 140, function _gcry_logv:
> internal error (fatal or bug) Aborted (core dumped)


More information about the Gcrypt-devel mailing list