Page MenuHome GnuPG
Create Task
Maniphest T4274

Fail selftests when checksum file is missing in FIPS mode only
Closed, ResolvedPublic
Actions

Description

Libgcrypt runs self-check including hmac based binary verification outside FIPS mode and breaks keepassxc. See SUSE bug report [0] and the patch submitted in the pull request [1].

[0] https://bugzilla.opensuse.org/show_bug.cgi?id=1117355
[1] https://github.com/gpg/libgcrypt/pull/5

Details

External Link
https://bugzilla.opensuse.org/show_bug.cgi?id=1117355
Version
libgcrypt-1.8.4

Revisions and Commits

rC libgcrypt
rCad133fc79757 fips: Only test check_binary_integrity when fips_mode is enabled.

Related Objects
Search...

Event Timeline

pmgdeb created this task.Nov 29 2018, 11:34 AM
werner added a project: libgcrypt.Nov 29 2018, 2:55 PM
pmgdeb added a comment.Dec 12 2018, 5:30 PM

Adding the patch here.

libgcrypt-binary_integrity_in_non-FIPS.patch893 BDownload

werner added a parent task: T4294: Release Libgcrypt 1.9.0.Dec 17 2018, 10:11 AM
gniibe claimed this task.Feb 25 2019, 1:09 AM
gniibe added a subscriber: gniibe.

Thanks for your report.
I think that your patch is too generous to run HMAC even if fips_mode is not enabled; Simply, we can stop calling integrity check when fips_mode is not active.

gniibe triaged this task as Normal priority.Feb 25 2019, 1:10 AM
gniibe added a project: Restricted Project.

Fixed in master.

gniibe added a commit: rCad133fc79757: fips: Only test check_binary_integrity when fips_mode is enabled..Feb 25 2019, 1:43 AM
gniibe changed the task status from Open to Testing.Jun 25 2019, 6:01 AM
gniibe removed a parent task: T4294: Release Libgcrypt 1.9.0.Mar 19 2020, 5:20 AM
gniibe added a subtask: T4294: Release Libgcrypt 1.9.0.
werner closed this task as Resolved.Jan 7 2021, 10:52 AM
werner closed subtask T4294: Release Libgcrypt 1.9.0 as Resolved.Jan 19 2021, 1:54 PM