GPG in FIPS mode spits out useless "out of core handler ignored in FIPS mode" message on every execution
Testing, Normal, Public

Description

If FIPS mode is active on the server, every single execution of the gpg client will start out with:

gpg: out of core handler ignored in FIPS mode

This is because the setup_libgcrypt_logging function in the main gnupg code calls libgcrypt's _gcry_set_outofcore_handler function, and the function does not support setting an out-of-core handler in FIPS mode.

It does not matter if you are importing/exporting keys, or listing keys, or even trying to display help with gpg --help. This message will always be the first thing you see. Always, for every single user running GPG in FIPS mode.

It is not helpful to users, because nobody cares that an obscure out-of-memory handler isn't installed, and they might be alarmed that they are doing something wrong. It is not helpful to server administrators, because there is no way to disable the message or resolve the situation through configuration.

It is a message that is only helpful to developers who develop apps that interact with libgcrypt that might be calling _gcry_set_outofcore_handler in an inappropriate context, asking them to fix their code so that it doesn't try to install the handler. Thankfully, you happen to develop both gnupg and libgcrypt.

Can setup_libgcrypt_logging be changed to not call gcry_set_outofcore_handler if fips_mode ()?

Event Timeline

werner triaged this task as Normal priority. Jun 5 2023, 12:49 PM

Let's fix this in Libgcrypt (ignore setting of the handler)

gniibe added a subscriber: gniibe.

For libgcrypt, initially, when the code was put in, it made some sense.
Now it's useless, so let's simply remove the message.

gniibe changed the task status from Open to Testing. Jun 16 2023, 7:28 AM