Disable FIPS by application?

Jussi Kivilinna jussi.kivilinna at iki.fi
Sat May 13 15:14:48 CEST 2017


On 11.04.2017 17:48, Stephan Müller wrote:
> It is the idea of the FIPS mode to not allow MD5 and friends.
> However, for FIPS 140-2 level 1 validations (this is the highest that can be 
> achieved by libgcrypt), there is *no* need for a technical enforcement. I.e. 
> it is perfectly viable to drop all code that disallows ciphers when in FIPS 
> mode.

So, to clarify, the following code in cipher.c (and a similar piece in md.c) could be
removed altogether?

  _gcry_cipher_init (void)
  {
    if (fips_mode())
      {
        /* disable algorithms that are disallowed in fips */
        int idx;
        gcry_cipher_spec_t *spec;

        for (idx = 0; (spec = cipher_list[idx]); idx++)
          if (!spec->flags.fips)
            spec->flags.disabled = 1;
      }

    return 0;
  }

