Disable FIPS by application?
smueller at chronox.de
Sat May 13 16:57:55 CEST 2017
Am Samstag, 13. Mai 2017, 15:14:48 CEST schrieb Jussi Kivilinna:
> On 11.04.2017 17:48, Stephan Müller wrote:
> > It is the idea of the FIPS mode to not allow MD5 and friends.
> > However, for FIPS 140-2 level 1 validations (this is the highest that can
> > be achieved by libgcrypt), there is *no* need for a techncial
> > enforcement. I.e. it is perfectly viable to drop all code that disallows
> > ciphers when in FIPS mode.
> So, to clarify, following code in cipher.c (and similar piece in md.c) could
> be removed altogether?
> _gcry_cipher_init (void)
> if (fips_mode())
> /* disable algorithms that are disallowed in fips */
> int idx;
> gcry_cipher_spec_t *spec;
> for (idx = 0; (spec = cipher_list[idx]); idx++)
> if (!spec->flags.fips)
> spec->flags.disabled = 1;
> return 0;
If I interpret that code snippet correctly, it disables ciphers that do not
have the fips flag.
If my interpretation of the code is correct, the code could be removed, but
can also stay.
More information about the Gcrypt-devel