Page MenuHome GnuPG

libgcrypt: Restrict message digest use
Open, HighPublic

Description

Red Hat's patch of libgcrypt-1.8.3-md-fips-enforce.patch:
https://dev.gnupg.org/rCd508f7358d9e842f062e820dad7fb84f181622f0

I'd understand the intention of this change (as the title of patch suggests), but we need to make sure if it works well.

  • With the patch, for MD5, when fips_mode() returns 1 but it's not enforced, it just go through with no errors.
    • I wonder if the check of _gcry_enforced_fips_mode () should be also removed.
  • We also have such checks and relaxing in gcry_md_hash_buffer and gcry_md_hash_buffers, don't we need to change too?

The original commit which add relaxing is:
rC3f204a1533f1: Do no restrtc usage of MD5 in fips mode.

I wonder if the intention of the patch is reverting rC3f204a15.

Event Timeline

The changelog in https://src.fedoraproject.org/rpms/libgcrypt/c/402a3b5f2eed746bea996c5743c99bec9bbc3487?branch=master

disable non-approved FIPS hashes in the enforced FIPS mode

But it had been disabled (that is, returning an error by GPG_ERR_DIGEST_ALGO) in the enforced FIPS mode... so, I wonder about what was the original intention.

Note that even after rCce1cbe16992a: Disable non-allowed algorithms in FIPS mode, gcry_md_open won't return an error with disabled algo.

I am not sure. MD5 is still important for some applications, say CRAM-MD5. IIRC, back in 2008 we dis-allowed RMD160 and added separate RMD160 code directly to gpg to fulfill FIPS requirements.

We plan this for 1.10 but it may also go into one of the next 1.9.x releases

The patch references the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1659495

It claims MD4 was working in all the FIPS modes in RHEL8 (while not working in older RHEL versions). This was because of the condition

From my understanding, this patch is trying to make the behavior of FIPS disabled algorithms more consistent in FIPS enforced mode using the flags.fips of the md structure.