Fail selftests when checksum file is missing in FIPS mode only
Testing, Normal, Public

Description

Libgcrypt runs a self-check, including HMAC-based binary verification, outside FIPS mode and breaks keepassxc. See the SUSE bug report [0] and the patch submitted in the pull request [1].

[0] https://bugzilla.opensuse.org/show_bug.cgi?id=1117355
[1] https://github.com/gpg/libgcrypt/pull/5

pmgdeb created this task. Nov 29 2018, 11:34 AM

Adding the patch here.

gniibe claimed this task. Feb 25 2019, 1:09 AM
gniibe added a subscriber: gniibe.

Thanks for your report.
I think that your patch is too generous to run HMAC even if fips_mode is not enabled; simply, we can stop calling the integrity check when fips_mode is not active.

gniibe triaged this task as Normal priority. Feb 25 2019, 1:10 AM
gniibe added a project: Testing.

Fixed in master.

gniibe changed the task status from Open to Testing. Jun 25 2019, 6:01 AM