Page MenuHome GnuPG
Create Task
Maniphest T6515

GPG in FIPS mode spits out useless "out of core handler ignored in FIPS mode" message on every execution
Closed, ResolvedPublic
Actions

Description

If FIPS mode is active on the server, every single execution of the gpg client will start out with:

gpg: out of core handler ignored in FIPS mode

This is because the setup_libgcrypt_logging function in the main gnupg code calls libgcrypt's _gcry_set_outofcore_handler function, and the function does not support setting an out-of-core handler in FIPS mode.

It does not matter if you are importing/exporting keys, or listing keys, or even trying to display help with gpg --help. This message will always be the first thing you see. Always, for every single user running GPG in FIPS mode.

It is not helpful to users, because nobody cares that obscure out-of-memory handler isn't installed, and they might be alarmed that they are doing something wrong. It is not helpful to server administrators, because there is no way to disable the message or resolve the situation though configuration.

It is a message that is only helpful to developers who develop apps that interact with libgcrypt that might be calling _gcry_set_outofcore_handler in an inappropriate context, asking them to fix their code so that it doesn't try to install the handler. Thankfully, you happen to develop both gnupg and libgcrypt.

Can setup_libgcrypt_logging be changed to not call gcry_set_outofcore_handler if fips_mode ()?

Details

External Link
https://dev.gnupg.org/source/gnupg/browse/master/common/miscellaneous.c$101
Version
22350d0768d3

Revisions and Commits

rC libgcrypt
rC6c79dcddd151 Remove out of core handler setting message in FIPS mode.

Related Objects

Event Timeline

SineSwiper created this task.Jun 1 2023, 5:48 PM
werner triaged this task as Normal priority.Jun 5 2023, 12:49 PM
werner added a subscriber: werner.Jun 13 2023, 11:19 AM

Let's fix this in Libgcrypt (ignore setting of the handler)

gniibe added a commit: rC6c79dcddd151: Remove out of core handler setting message in FIPS mode..Jun 16 2023, 7:26 AM
gniibe claimed this task.Jun 16 2023, 7:28 AM
gniibe added a subscriber: gniibe.

For libgcrypt, initially when the code was put, it made some sense.
Now, it's useless, so, let's simply remove the message.

gniibe changed the task status from Open to Testing.Jun 16 2023, 7:28 AM
werner moved this task from Backlog to Ready for release on the FIPS board.Aug 8 2023, 11:08 AM
werner mentioned this in T6817: Release Libgcrypt 1.10.3.Nov 14 2023, 1:12 PM
werner closed this task as Resolved.Wed, Apr 3, 9:28 AM