Disable FIPS by application?

Stephan Müller smueller at chronox.de
Sat May 13 16:57:55 CEST 2017


On Saturday, 13 May 2017, 15:14:48 CEST, Jussi Kivilinna wrote:

Hi Jussi,

> Hello,
> 
> On 11.04.2017 17:48, Stephan Müller wrote:
> > It is the idea of the FIPS mode to not allow MD5 and friends.
> > 
> > However, for FIPS 140-2 level 1 validations (this is the highest that can
> > be achieved by libgcrypt), there is *no* need for a technical
> > enforcement. I.e. it is perfectly viable to drop all code that disallows
> > ciphers when in FIPS mode.
> 
> So, to clarify, following code in cipher.c (and similar piece in md.c) could
> be removed altogether?
> 
>   gcry_err_code_t
>   _gcry_cipher_init (void)
>   {
>     if (fips_mode())
>       {
>         /* disable algorithms that are disallowed in fips */
>         int idx;
>         gcry_cipher_spec_t *spec;
> 
>         for (idx = 0; (spec = cipher_list[idx]); idx++)
>           if (!spec->flags.fips)
>             spec->flags.disabled = 1;
>       }
> 
>     return 0;
>   }

If I interpret that code snippet correctly, it disables ciphers that do not 
have the fips flag.

If my interpretation of the code is correct, the code could be removed, but 
can also stay.

Ciao
Stephan


