Disable FIPS by application?
Stephan Müller
smueller at chronox.de
Tue Apr 11 17:14:29 CEST 2017
Am Dienstag, 11. April 2017, 16:59:06 CEST schrieb Peter Wu:
Hi Peter,
> On Tue, Apr 11, 2017 at 04:48:52PM +0200, Stephan Müller wrote:
> > Am Dienstag, 11. April 2017, 14:20:26 CEST schrieb Peter Wu:
> >
> > Hi Peter,
> >
> > > Hi,
> > >
> > > Recently Wireshark has made Libgcrypt mandatory so we could drop the
> > > bundled code for MD5, SHA1, DES, etc. Since some (older) protocols use
> > > these algorithms, it must be supported.
> > >
> > > However with FIPS mode enforced, these algorithms are not enabled. Is
> > > there any workaround other than bundling the code again (sigh)? Like
> > > requesting Libgcrypt not to enable FIPS mode from the application?
> >
> > It is the idea of the FIPS mode to not allow MD5 and friends.
>
> Yes, that's understood. The problem however is that the application is
> not intended to be subject to this policy.
That is the common crux of the matter :-)
>
> > However, for FIPS 140-2 level 1 validations (this is the highest that can
> > be achieved by libgcrypt), there is *no* need for a techncial
> > enforcement. I.e. it is perfectly viable to drop all code that disallows
> > ciphers when in FIPS mode.
>
> So is it possible to disable this enforcement in a Libgcrypt user?
It is permissible to disable the enforcement of the cipher restrictions. Other
FIPS related enforcements cannot be removed.
Ciao
Stephan
More information about the Gcrypt-devel
mailing list