Disable FIPS by application?
Peter Wu
peter at lekensteyn.nl
Tue Apr 11 17:59:58 CEST 2017
On Tue, Apr 11, 2017 at 05:43:35PM +0200, Stephan Müller wrote:
> Am Dienstag, 11. April 2017, 17:27:39 CEST schrieb Peter Wu:
>
> Hi Peter,
>
> > > > So is it possible to disable this enforcement in a Libgcrypt user?
> > >
> > > It is permissible to disable the enforcement of the cipher restrictions.
> > > Other FIPS related enforcements cannot be removed.
> >
> > Hmm, that is unfortunate. So in order to (for example) support MD5 (for
> > verifying checksums or deriving keys for decryption and dissection), we
> > would have to use another crypto library *or*
> > require the administrator to keep FIPS enforcement disabled (by not
> > creating /etc/gcrypt/fips_enabled)?
>
> Maybe I was not clear: you can remove the code that disables the non-approved
> ciphers like MD5.
Which code? Libgcrypt? We are not bundling Libgcrypt but use whatever is
installed on the system.
> you can technically use MD5 even though libgcrypt is in FIPS mode.
It seems possible to do this based on a look in src/fips.c, except when
FIPS enforcement is in effect (/etc/gcrypt/fips_enabled = 1).
> Other FIPS changes (like the use of the SP800-90A DRBG or self tests) must not
> be touched.
>
> Ciao
> Stephan
--
Kind regards,
Peter Wu
https://lekensteyn.nl
More information about the Gcrypt-devel
mailing list