Error using GPG2 in FIPS mode

Werner Koch wk at gnupg.org
Wed Jun 29 14:53:23 CEST 2011


> I'm having some trouble trying to use GnuPG2 with FIPS mode enabled*.
>
> For example, when invoking --gen-key I get the following error:
> ---
> Ohhhh jeeee: cipher 3 not found

This is due to the passphrase generation code which calls Libgcrypt with
a certain algorithm:

   dek->keylen = openpgp_cipher_get_algo_keylen (dek->algo);

Now Libgcrypt expects that the algorithm used for this function is valid
and because that is not the case in FIPS mode it aborts.  Agreed, GnuPG
should check whether the algorithm is valid before calling such
functions.  However in non-FIPS mode this is always guaranteed because
CAST5 is a SHOULD algorithm in OpenPGP.  I only did some basic fixups to
GnuPG to allow running it on a FIPS enabled system (like a separate
implementation of RIPE-MD-160, which is used internally by GPG).  There
was no request to make GPG runnable on a FIPS enabled system.

You may use the option "--s2k-cipher-algo AES128" to solve at least
this problem.  There are likely other problems.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
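An added example, not code from the post above or from GnuPG itself: a small POSIX shell script that applies the workaround described in the reply (--s2k-cipher-algo AES128) only when the host is actually in FIPS mode, and then runs an unattended gpg2 --gen-key. It assumes the kernel exposes the FIPS state at /proc/sys/crypto/fips_enabled, that the binary is named gpg2 (override with the GPG environment variable), and it adds --s2k-digest-algo SHA256 as an extra precaution that the post does not mention.

```shell
#!/bin/sh
# Added example, not code from the original post or from GnuPG itself.
# Runs gpg2 --gen-key on a FIPS-enabled host with S2K options limited to
# algorithms libgcrypt still offers in FIPS mode, following the workaround
# from the post (--s2k-cipher-algo AES128).  Assumptions: the kernel exposes
# FIPS state at /proc/sys/crypto/fips_enabled; the binary is "gpg2"
# (override with GPG=...); --s2k-digest-algo SHA256 is an extra precaution,
# not something the post asks for.

GPG=${GPG:-gpg2}

# fips_enabled [path]: succeed when the kernel reports FIPS mode.
# The optional path overrides the sysctl file so the check can be tried
# on a machine that is not in FIPS mode.
fips_enabled() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# s2k_options <0|1>: print the gpg options to add for the given FIPS state.
# The OpenPGP default S2K cipher is CAST5 (algorithm id 3), which libgcrypt
# does not provide under FIPS; that is the "cipher 3 not found" abort.
# Selecting AES128 up front avoids the CAST5 lookup in the passphrase code.
s2k_options() {
    if [ "$1" = "1" ]; then
        printf '%s' "--s2k-cipher-algo AES128 --s2k-digest-algo SHA256"
    else
        printf '%s' ""
    fi
}

# gen_key <real name> <email> <homedir> <passphrase>: unattended key
# generation using gpg's batch parameter file format, with the FIPS-safe
# options added only when FIPS mode is on.  A Passphrase: line is used
# because the failing code path in the post is the passphrase (S2K) handling.
gen_key() {
    name=$1 mail=$2 home=$3 pass=$4
    mkdir -p "$home" && chmod 700 "$home"
    state=0
    if fips_enabled; then state=1; fi
    # $(...) is intentionally unquoted so the option string splits into words.
    "$GPG" --homedir "$home" --batch --yes $(s2k_options "$state") --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Name-Real: $name
Name-Email: $mail
Expire-Date: 0
Passphrase: $pass
%commit
EOF
}

# Only perform the real key generation when asked for explicitly, so the
# functions above can be sourced or checked without touching gpg.
if [ "${1:-}" = "--run" ]; then
    home="${TMPDIR:-/tmp}/gnupg-fips-test"
    gen_key "FIPS Test Key" "fips-test@example.invalid" "$home" "correct horse battery staple"
    "$GPG" --homedir "$home" --list-keys
fi
```

Run it as `sh fips-genkey.sh --run` on the FIPS host; on a non-FIPS host the same script generates the key with gpg's defaults, so one script serves both environments. If key generation still aborts with an algorithm error, the post warns that further problems are likely, and the remaining gpg defaults (for example the digest used for self-signatures) are the next things to pin to FIPS-approved algorithms.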
