Disable FIPS by application?
Peter Wu
peter at lekensteyn.nl
Tue Apr 11 14:20:26 CEST 2017
Hi,

Recently Wireshark has made Libgcrypt mandatory so we could drop the
bundled code for MD5, SHA1, DES, etc. Since some (older) protocols use
these algorithms, they must be supported.

However, with FIPS mode enforced, these algorithms are not enabled. Is
there any workaround other than bundling the code again (sigh)? Like
requesting Libgcrypt not to enable FIPS mode from the application?

QEMU had a similar problem in the past with this mode:
https://lists.gnu.org/archive/html/gnutls-devel/2008-09/msg00063.html

Here is the output (from https://code.wireshark.org/review/20095):
# echo 1 > /etc/gcrypt/fips_enabled
$ ./run/capinfos -H /path/to/a.pcap
error in libgcrypt, file fips.c, line 301, function _gcry_inactivate_fips_mode: MD5 used
Ohhhh jeeee: ... this is a bug (md.c:809:md_read)
fatal error in libgcrypt, file misc.c, line 140, function _gcry_logv: internal error (fatal or bug)
Aborted (core dumped)
--
Kind regards,
Peter Wu
https://lekensteyn.nl