List:       gcrypt-devel
Subject:    Re: Disable FIPS by application?
From:       Stephan Müller <smueller () chronox ! de>
Date:       2017-04-11 16:01:46
Message-ID: 1768768.a5AMtH48UN () tauon ! chronox ! de

On Tuesday, 11 April 2017, 17:59:58 CEST, Peter Wu wrote:

Hi Peter,

> On Tue, Apr 11, 2017 at 05:43:35PM +0200, Stephan Müller wrote:
> > On Tuesday, 11 April 2017, 17:27:39 CEST, Peter Wu wrote:
> >
> > Hi Peter,
> >
> > > > > So is it possible to disable this enforcement in a Libgcrypt user?
> > > >
> > > > It is permissible to disable the enforcement of the cipher
> > > > restrictions.
> > > > Other FIPS related enforcements cannot be removed.
> > >
> > > Hmm, that is unfortunate. So in order to (for example) support MD5 (for
> > > verifying checksums or deriving keys for decryption and dissection), we
> > > would have to use another crypto library *or*
> > > require the administrator to keep FIPS enforcement disabled (by not
> > > creating /etc/gcrypt/fips_enabled)?
> >
> > Maybe I was not clear: you can remove the code that disables the
> > non-approved ciphers like MD5.
>
> Which code? Libgcrypt? We are not bundling Libgcrypt but use whatever is
> installed on the system.

Exactly that is the problem. The current libgcrypt code disables ciphers like
MD5. This is not really needed and could be reverted in the libgcrypt code.
This though would not help you in the short run.

Ciao
Stephan

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel