Created attachment 1514382
Description of problem:
On RHEL-6 and RHEL-7, for libgcrypt there were three modes of FIPS:
* NON-FIPS MODE
  * FIPS mode disabled and
  * no /etc/gcrypt/fips_enabled and
  * GCRYCTL_FORCE_FIPS_MODE "off"
* SOFT-FIPS MODE
  * FIPS mode enabled or
  * GCRYCTL_FORCE_FIPS_MODE "on" or
  * /etc/gcrypt/fips_enabled exists without a non-zero value
* ENFORCED-FIPS MODE
  * /etc/gcrypt/fips_enabled exists with a non-zero value or
  * ( GCRYCTL_FORCE_FIPS_MODE "on" or
      FIPS mode enabled or
      /etc/gcrypt/fips_enabled exists without a non-zero value
    ) and GCRYCTL_SET_ENFORCED_FIPS_FLAG "on"
In RHEL-6 and RHEL-7 MD4 was allowed in NON-FIPS MODE only. On RHEL-8, MD4 is allowed in all modes.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
0. Set modes according to description.
1. Compile attached reproducer:
gcc -o gcrypt gcrypt.c -lgcrypt -lgpg-error
2. Execute it
./gcrypt --enforced-fips --md4
Reproducer passes in all modes.
Reproducer should pass only in NON-FIPS MODE.
See also BZ#808520.
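The mode rules listed in the description, written out as a decision function together with the MD4 expectation for RHEL-6 and RHEL-7. This is an added example, not the attached reproducer and not libgcrypt code; the struct, field and function names are chosen for this example, and treating empty or non-numeric file content as zero is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>

/* The three modes named in the report. */
enum fips_mode { NON_FIPS, SOFT_FIPS, ENFORCED_FIPS };

/* Inputs listed in the report; field names are chosen for this example. */
struct fips_inputs {
    int system_fips;        /* "FIPS mode enabled" */
    const char *file_text;  /* content of /etc/gcrypt/fips_enabled, NULL if absent */
    int force_fips;         /* GCRYCTL_FORCE_FIPS_MODE "on" */
    int enforced_flag;      /* GCRYCTL_SET_ENFORCED_FIPS_FLAG "on" */
};

/* Assumption: empty or non-numeric content counts as zero. */
static int file_value_nonzero(const char *text)
{
    return text != NULL && strtol(text, NULL, 10) != 0;
}

enum fips_mode classify(const struct fips_inputs *in)
{
    if (file_value_nonzero(in->file_text))
        return ENFORCED_FIPS;
    if (in->system_fips || in->force_fips || in->file_text != NULL)
        return in->enforced_flag ? ENFORCED_FIPS : SOFT_FIPS;
    return NON_FIPS;  /* the enforced flag alone does not leave NON-FIPS MODE */
}

/* RHEL-6/RHEL-7 behaviour per the report: MD4 only in NON-FIPS MODE. */
int md4_expected(enum fips_mode mode) { return mode == NON_FIPS; }

int main(void)
{
    static const char *names[] = { "NON-FIPS", "SOFT-FIPS", "ENFORCED-FIPS" };
    /* Constructed sample inputs, not read from a real system. */
    const struct fips_inputs samples[] = {
        { 0, NULL, 0, 0 }, { 0, "0\n", 0, 0 }, { 0, "1\n", 0, 0 },
        { 1, NULL, 0, 1 }, { 0, NULL, 0, 1 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum fips_mode m = classify(&samples[i]);
        printf("sample %zu: %s, MD4 expected %s\n", i, names[m],
               md4_expected(m) ? "allowed" : "rejected");
    }
    return 0;
}
```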
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.