Page MenuHome GnuPG

FIPS: dirmngr CRL hash uses MD5
Closed, WontfixPublic


In FIPS mode, libgcrypt has recently disabled MD5 and dirmngr fails setting the CRL cache record as it needs to calculate the MD5 sum of the cache file in dirmngr/crlcache.c:hash_dbfile(). It fails when trying to set up the MD5 hash context. I think the hashing algorithm could be upgraded to adapt to the FIPS changes in libgcrypt.

This report is related to


External Link
gnupg-2.3.8 libgcrypt-1.10.1

Event Timeline

werner claimed this task.
werner added a subscriber: werner.

There are other uses of MD5 and thus we can't disable it. For example gpgsm also lists the MD5 fingerprint of certificates because they are still in use at some places.

In dirmngr's DIR.txt MD5 is used as a checksum for consistency but without a cryptographic relevance. Thus its use okay - even in FIPS.

Patch using SHA1 instead of MD5.

Sure, but this will need adaption in FIPS mode as it fails with:

error setting up MD5 hash context: Invalid digest algorithm