libgcrypt: Restrict message digest use
Open, High, Public

Description

Red Hat's patch, libgcrypt-1.8.3-md-fips-enforce.patch:
https://dev.gnupg.org/rCd508f7358d9e842f062e820dad7fb84f181622f0

I understand the intention of this change (as the title of the patch suggests), but we need to make sure that it works well.

  • With the patch, for MD5, when fips_mode() returns 1 but it's not enforced, it just goes through with no errors.
    • I wonder if the check of _gcry_enforced_fips_mode () should also be removed.
  • We also have such checks and relaxing in gcry_md_hash_buffer and gcry_md_hash_buffers; don't we need to change those too?

The original commit which added the relaxing is:
rC3f204a1533f1: Do no restrtc usage of MD5 in fips mode.

I wonder if the intention of the patch is to revert rC3f204a15.

gniibe updated the task description. Jan 15 2021, 8:33 AM
gniibe added a comment. (Edited) Jan 15 2021, 8:44 AM

The changelog in https://src.fedoraproject.org/rpms/libgcrypt/c/402a3b5f2eed746bea996c5743c99bec9bbc3487?branch=master says:

disable non-approved FIPS hashes in the enforced FIPS mode

But it had been disabled (that is, returning the error GPG_ERR_DIGEST_ALGO) in the enforced FIPS mode... so I wonder what the original intention was.

Note that even after rCce1cbe16992a: Disable non-allowed algorithms in FIPS mode, gcry_md_open won't return an error with a disabled algo.
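The question raised in the description and in the comment above (does gcry_md_open refuse MD5 in the current FIPS state, and does gcry_md_hash_buffer behave the same way?) can be checked against whatever libgcrypt is installed. The probe below is an example added to this page, not code from libgcrypt or from this task; it calls the public libgcrypt API through ctypes. The numeric values of GCRY_MD_MD5, GCRY_MD_SHA256, GCRYCTL_INITIALIZATION_FINISHED, GCRYCTL_FIPS_MODE_P and GPG_ERR_DIGEST_ALGO are copied from gcrypt.h and gpg-error.h and are assumed to match the installed headers; the sample input "abc" is constructed for the example.

```python
"""Probe how the installed libgcrypt treats MD5 through gcry_md_open and
gcry_md_hash_buffer, and whether the library reports FIPS mode.

Example code added to this discussion; it is not part of libgcrypt.  It
calls the public libgcrypt API via ctypes.  The numeric constants are
copied from gcrypt.h / gpg-error.h and are assumed to match the installed
headers; compare them with your own gcrypt.h if results look odd."""
import ctypes
import ctypes.util

# enum gcry_md_algos (gcrypt.h)
GCRY_MD_MD5 = 1
GCRY_MD_SHA256 = 8
# enum gcry_ctl_cmds (gcrypt.h); gcry_fips_mode_active() is a macro around
# gcry_control(GCRYCTL_FIPS_MODE_P, 0), which returns non-zero in FIPS mode
GCRYCTL_INITIALIZATION_FINISHED = 38
GCRYCTL_FIPS_MODE_P = 55
# gpg-error.h: the error code sits in the low 16 bits of a gcry_error_t,
# the error source in the high bits
GPG_ERR_CODE_MASK = (1 << 16) - 1
GPG_ERR_DIGEST_ALGO = 5

_lib = None


def err_code(err):
    """Equivalent of gcry_err_code(): strip the error-source bits."""
    return err & GPG_ERR_CODE_MASK


def load_libgcrypt():
    """Load and initialise libgcrypt once; return None if it is not installed."""
    global _lib
    if _lib is not None:
        return _lib
    name = ctypes.util.find_library("gcrypt") or "libgcrypt.so.20"
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    c_char_p, c_void_p, c_int, c_uint, c_size_t = (
        ctypes.c_char_p, ctypes.c_void_p, ctypes.c_int, ctypes.c_uint, ctypes.c_size_t)
    lib.gcry_check_version.restype, lib.gcry_check_version.argtypes = c_char_p, [c_char_p]
    lib.gcry_control.restype = c_uint  # variadic: callers pass explicit c_int arguments
    lib.gcry_md_open.restype = c_uint
    lib.gcry_md_open.argtypes = [ctypes.POINTER(c_void_p), c_int, c_uint]
    lib.gcry_md_close.restype, lib.gcry_md_close.argtypes = None, [c_void_p]
    lib.gcry_md_write.restype, lib.gcry_md_write.argtypes = None, [c_void_p, c_char_p, c_size_t]
    lib.gcry_md_read.restype = ctypes.POINTER(ctypes.c_ubyte)
    lib.gcry_md_read.argtypes = [c_void_p, c_int]
    lib.gcry_md_get_algo_dlen.restype, lib.gcry_md_get_algo_dlen.argtypes = c_uint, [c_int]
    lib.gcry_md_hash_buffer.restype = None
    lib.gcry_md_hash_buffer.argtypes = [c_int, c_void_p, c_char_p, c_size_t]
    lib.gcry_strerror.restype, lib.gcry_strerror.argtypes = c_char_p, [c_uint]
    lib.gcry_check_version(None)
    lib.gcry_control(ctypes.c_int(GCRYCTL_INITIALIZATION_FINISHED), ctypes.c_int(0))
    _lib = lib
    return lib


def probe_digest(algo, data):
    """Run DATA through gcry_md_open/write/read and through gcry_md_hash_buffer.

    Returns a dict: whether libgcrypt was found, whether it reports FIPS mode,
    the gcry_md_open error code (0 on success, GPG_ERR_DIGEST_ALGO when the
    algorithm is refused) and the two hex digests.  If gcry_md_open refuses
    the algorithm, gcry_md_hash_buffer is deliberately not tried: it has no
    error return, so the probe would learn nothing from it."""
    lib = load_libgcrypt()
    result = {"available": lib is not None, "fips_mode": None, "open_error": None,
              "open_strerror": None, "hexdigest": None, "hash_buffer_hexdigest": None}
    if lib is None:
        return result
    result["fips_mode"] = lib.gcry_control(ctypes.c_int(GCRYCTL_FIPS_MODE_P), ctypes.c_int(0)) != 0
    hd = ctypes.c_void_p()
    err = lib.gcry_md_open(ctypes.byref(hd), algo, 0)
    result["open_error"] = err_code(err)
    result["open_strerror"] = lib.gcry_strerror(err).decode()
    if err:
        return result
    dlen = lib.gcry_md_get_algo_dlen(algo)
    lib.gcry_md_write(hd, data, len(data))
    result["hexdigest"] = bytes(lib.gcry_md_read(hd, algo)[:dlen]).hex()
    lib.gcry_md_close(hd)
    buf = (ctypes.c_ubyte * dlen)()
    lib.gcry_md_hash_buffer(algo, buf, data, len(data))
    result["hash_buffer_hexdigest"] = bytes(buf).hex()
    return result


if __name__ == "__main__":
    for name, algo in (("MD5", GCRY_MD_MD5), ("SHA-256", GCRY_MD_SHA256)):
        r = probe_digest(algo, b"abc")  # constructed sample input
        if not r["available"]:
            print("libgcrypt not found")
            break
        print(f"{name}: fips_mode={r['fips_mode']} gcry_md_open={r['open_strerror']} "
              f"md_read={r['hexdigest']} hash_buffer={r['hash_buffer_hexdigest']}")
```

Run it once on a normal system (MD5 opens and both digests agree) and once with the library switched into FIPS mode; a mismatch between the gcry_md_open result and the gcry_md_hash_buffer path for MD5 is exactly the inconsistency the description asks about.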

werner added a subscriber: werner. Jan 18 2021, 8:32 AM

I am not sure. MD5 is still important for some applications, say CRAM-MD5. IIRC, back in 2008 we disallowed RMD160 and added separate RMD160 code directly to gpg to fulfill FIPS requirements.

werner moved this task from Backlog to For 1.10 on the libgcrypt board. Jan 19 2021, 10:09 AM

We plan this for 1.10 but it may also go into one of the next 1.9.x releases