Disable FIPS by application?

Stephan Müller smueller at chronox.de
Tue Apr 11 17:14:29 CEST 2017


Am Dienstag, 11. April 2017, 16:59:06 CEST schrieb Peter Wu:

Hi Peter,

> On Tue, Apr 11, 2017 at 04:48:52PM +0200, Stephan Müller wrote:
> > Am Dienstag, 11. April 2017, 14:20:26 CEST schrieb Peter Wu:
> > 
> > Hi Peter,
> > 
> > > Hi,
> > > 
> > > Recently Wireshark has made Libgcrypt mandatory so we could drop the
> > > bundled code for MD5, SHA1, DES, etc. Since some (older) protocols use
> > > these algorithms, it must be supported.
> > > 
> > > However with FIPS mode enforced, these algorithms are not enabled. Is
> > > there any workaround other than bundling the code again (sigh)? Like
> > > requesting Libgcrypt not to enable FIPS mode from the application?
> > 
> > It is the idea of the FIPS mode to not allow MD5 and friends.
> 
> Yes, that's understood. The problem however is that the application is
> not intended to be subject to this policy.

That is the common crux of the matter :-)
> 
> > However, for FIPS 140-2 level 1 validations (this is the highest that can
> > be achieved by libgcrypt), there is *no* need for a techncial
> > enforcement. I.e. it is perfectly viable to drop all code that disallows
> > ciphers when in FIPS mode.
> 
> So is it possible to disable this enforcement in a Libgcrypt user?

It is permissible to disable the enforcement of the cipher restrictions. Other 
FIPS related enforcements cannot be removed.

Ciao
Stephan



More information about the Gcrypt-devel mailing list