Re: BUG #19457: RE: pgp_sym_encrypt silently accepts non-FIPS ciphers (bf, cast5, 3des) when OpenSSL is in FIPS mod

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Daniel Gustafsson <[email protected]>
To: Michael Paquier <[email protected]>
Cc: [email protected]
Cc: [email protected]
Subject: Re: BUG #19457: RE:  pgp_sym_encrypt silently accepts non-FIPS ciphers (bf, cast5, 3des) when OpenSSL is in FIPS mod
Date: Fri, 24 Apr 2026 10:11:04 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>

> On 24 Apr 2026, at 06:20, Michael Paquier <[email protected]> wrote:
> 
> On Tue, Apr 21, 2026 at 04:04:40PM +0200, Daniel Gustafsson wrote:
>> Not just FIPS, it should check CheckBuiltinCryptoMode() to be consistent with
>> the other builtin checks.
> 
> I am interesting in getting that fixed for the next point release, so
> I have given it a try, finishing with the attached.  This would cause
> pgp_sym_encrypt() and pgp_sym_decrypt() to complain when the builtin
> mode is disabled, making things more consistent with the surroundings.
> 
> I agree that this could break environments where builtin_crypto is
> off, as the functions would now be blocked, but I am not sure that
> this is worth worrying about as builtin_crypto=on is the default.

I'm not convinced this is material for a minor release, the feature works as
documented and it was never documented to cover PGP.  Re-reading the thread PGP
was never discussed, and while that admittedly seem like an oversight doing
this in a minor release will alter documented behaviour which is generally not
what we want to do.

--
Daniel Gustafsson

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: BUG #19457: RE:  pgp_sym_encrypt silently accepts non-FIPS ciphers (bf, cast5, 3des) when OpenSSL is in FIPS mod
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox