Page MenuHome GnuPG
Create Task
Maniphest T6291

FIPS: dirmngr CRL hash uses MD5
Closed, WontfixPublic
Actions

Description

In FIPS mode, libgcrypt has recently disabled MD5 and dirmngr fails setting the CRL cache record as it needs to calculate the MD5 sum of the cache file in dirmngr/crlcache.c:hash_dbfile(). It fails when trying to set up the MD5 hash context. I think the hashing algorithm could be upgraded to adapt to the FIPS changes in libgcrypt.

This report is related to https://dev.gnupg.org/T6191.

Details

External Link
https://bugzilla.opensuse.org/show_bug.cgi?id=1205789
Version
gnupg-2.3.8 libgcrypt-1.10.1

Related Objects

Event Timeline

pmgdeb created this task.Nov 29 2022, 2:13 PM
werner closed this task as Wontfix.Nov 29 2022, 2:50 PM
werner claimed this task.
werner added a subscriber: werner.

There are other uses of MD5 and thus we can't disable it. For example gpgsm also lists the MD5 fingerprint of certificates because they are still in use at some places.

In dirmngr's DIR.txt MD5 is used as a checksum for consistency but without a cryptographic relevance. Thus its use okay - even in FIPS.

pmgdeb added a comment.EditedNov 29 2022, 2:50 PM

Patch using SHA1 instead of MD5.

0001-FIPS-dirmngr-CRL-hash-uses-MD5.patch4 KBDownload

pmgdeb added a comment.Nov 29 2022, 2:55 PM

Sure, but this will need adaption in FIPS mode as it fails with:

error setting up MD5 hash context: Invalid digest algorithm