Disable FIPS by application?

Stephan Müller smueller at chronox.de
Tue Apr 11 18:01:46 CEST 2017


On Tuesday, 11 April 2017, 17:59:58 CEST, Peter Wu wrote:

Hi Peter,

> On Tue, Apr 11, 2017 at 05:43:35PM +0200, Stephan Müller wrote:
> > On Tuesday, 11 April 2017, 17:27:39 CEST, Peter Wu wrote:
> > 
> > Hi Peter,
> > 
> > > > > So is it possible to disable this enforcement in a Libgcrypt user?
> > > > 
> > > > It is permissible to disable the enforcement of the cipher
> > > > restrictions.
> > > > Other FIPS related enforcements cannot be removed.
> > > 
> > > Hmm, that is unfortunate. So in order to (for example) support MD5 (for
> > > verifying checksums or deriving keys for decryption and dissection), we
> > > would have to use another crypto library *or*
> > > require the administrator to keep FIPS enforcement disabled (by not
> > > creating /etc/gcrypt/fips_enabled)?
> > 
> > Maybe I was not clear: you can remove the code that disables the
> > non-approved ciphers like MD5.
> 
> Which code? Libgcrypt? We are not bundling Libgcrypt but use whatever is
> installed on the system.

Exactly that is the problem. The current libgcrypt code disables ciphers like 
MD5. This is not really needed and could be reverted in the libgcrypt code. 
This though would not help you in the short run.

Ciao
Stephan


