Disable FIPS by application?
Jussi Kivilinna
jussi.kivilinna at iki.fi
Sat May 13 15:14:48 CEST 2017
Hello,
On 11.04.2017 17:48, Stephan Müller wrote:
> It is the idea of the FIPS mode to not allow MD5 and friends.
>
> However, for FIPS 140-2 level 1 validations (this is the highest that can be
> achieved by libgcrypt), there is *no* need for a techncial enforcement. I.e.
> it is perfectly viable to drop all code that disallows ciphers when in FIPS
> mode.
>
So, to clarify, following code in cipher.c (and similar piece in md.c) could be
removed altogether?
gcry_err_code_t
_gcry_cipher_init (void)
{
if (fips_mode())
{
/* disable algorithms that are disallowed in fips */
int idx;
gcry_cipher_spec_t *spec;
for (idx = 0; (spec = cipher_list[idx]); idx++)
if (!spec->flags.fips)
spec->flags.disabled = 1;
}
return 0;
}
-Jussi
More information about the Gcrypt-devel
mailing list