Bug 1842850

Summary: gnutls_set_default_priority() fails with a non-existing /etc/crypto-policies/back-ends/gnutls.config
Product: Red Hat Enterprise Linux 8
Component: crypto-policies
Version: 8.3
Target Release: 8.3
Target Milestone: rc
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Martin Pitt <mpitt>
Assignee: Tomas Mraz <tmraz>
QA Contact: Ondrej Moriš <omoris>
CC: bgoncalv, nmavrogi, omoris, tmraz
Keywords: Regression, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20200610-1.git0ac8b1f.el8
Doc Type: No Doc Update
Type: Bug
Last Closed: 2020-11-04 01:58:45 UTC
Bug Blocks: 1835661

Description Martin Pitt 2020-06-02 08:16:11 UTC
Description of problem: a recent update in RHEL 8.3 (after May 25) broke GnuTLS at least in build environments. We noticed that in our Cockpit RHEL 8.3 image refresh (https://github.com/cockpit-project/bots/pull/920).

The unit tests now fail a lot with

DEBUG: ERROR:src/tls/test-server.c:220:assert_https_outcome: assertion failed (gnutls_set_default_priority (session) == GNUTLS_E_SUCCESS): (-50 == 0)
DEBUG: SKIP: test-tls-server Bail out! ERROR:src/tls/test-server.c:220:assert_https_outcome: assertion failed (gnutls_set_default_priority (session) == GNUTLS_E_SUCCESS): (-50 == 0)

This can be reproduced without cockpit, too:

    gnutls-serv -d 5 --x509keyfile=src/bridge/mock-server.key --x509certfile=src/bridge/mock-server.crt --http

(the particular cert and key don't matter -- just pick any that you happen to have lying around), and then

    curl -k https://localhost:5556

gnutls-serv shows what it's failing on:

|<3>| ASSERT: cert-cred-x509.c[_gnutls_read_key_file]:594
Error reading '/etc/cockpit/ws-certs.d/0-self-signed.cert' or '/etc/cockpit/ws-certs.d/0-self-signed.cert'
Error: Error while reading file.
[mockbuild@m1 cockpit-219.43.ge9bd9dc9a]$ gnutls-serv -d 5 --x509keyfile=src/bridge/mock-server.key --x509certfile=src/bridge/mock-server.crt --http
|<3>| ASSERT: attributes.c[_x509_parse_attribute]:103
|<3>| ASSERT: attributes.c[_x509_parse_attribute]:174
|<3>| ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110
|<3>| ASSERT: x509.c[get_alt_name]:1853
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done


|<5>| REC[0x55f703f086a0]: Allocating epoch #0
|<2>| cfg: unable to access: /etc/crypto-policies/back-ends/gnutls.config: 2
|<2>| resolved 'SYSTEM' to '', next ''
|<2>| unable to resolve @SYSTEM
|<3>| ASSERT: priority.c[gnutls_priority_init]:2009
|<3>| ASSERT: priority.c[gnutls_priority_set_direct]:2335
Could not set default policy: The request is invalid.

That makes the curl request fail ("OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:5556").

This is *very* similar to bug 1835661, but a slightly different root cause -- there, the permission of /etc/crypto-policies/back-ends/gnutls.config got broken, but in a default mock environment that file does not exist in the first place:

$ ls -l /etc/crypto-policies/back-ends/
total 0

Preferably GnuTLS should get along with an empty directory and just assume the defaults then -- both for upgradeability and also for keeping a clean /etc it is not at all desirable to get a new "unbreak my computer" file. If you must, then presumably the package needs a %post or so to make sure that the file exists -- but IMHO, a fallback in code is so much better than this packaging hackery.

Version-Release number of selected component (if applicable):

gnutls-3.6.13-3.el8.x86_64
crypto-policies-20200527-4.git63fc906.el8.noarch

How reproducible: Always

Comment 1 Martin Pitt 2020-06-02 08:24:08 UTC
Note that crypto-policies-scripts and thus /usr/bin/update-crypto-policies do *not* exist in the mock -- gnutls-devel does not require it, and also shouldn't -- there shouldn't be a need for setting a crypto policy *just* for building a package.

Running

   ln -s /usr/share/crypto-policies/DEFAULT/gnutls.txt /etc/crypto-policies/back-ends/gnutls.config

before the build works around the bug.
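
As an added example (not part of the bug report or of the crypto-policies package), a POSIX shell check for the condition described above: it reports whether the gnutls.config back-end file that GnuTLS resolves @SYSTEM from is missing or dangling, and can recreate the symlink the same way the workaround does. The ROOT prefix argument is an assumption so the check can be pointed at a mock chroot or a scratch directory instead of the live system.

```shell
#!/bin/sh
# Added example, not the project's own code. ROOT is an assumed prefix
# ("" for the live system, or a chroot / scratch directory).

# usage: check_gnutls_policy ROOT
# exit 0: back-end file present and readable
# exit 1: file missing (gnutls_set_default_priority() returns -50,
#         GNUTLS_E_INVALID_REQUEST, because @SYSTEM cannot be resolved)
# exit 2: symlink present but dangling or unreadable (the bug 1835661 shape)
check_gnutls_policy() {
    root=$1
    cfg="$root/etc/crypto-policies/back-ends/gnutls.config"
    if [ ! -e "$cfg" ] && [ ! -L "$cfg" ]; then
        echo "missing: $cfg (GnuTLS cannot resolve @SYSTEM)"
        return 1
    fi
    if [ ! -r "$cfg" ]; then
        echo "unreadable or dangling: $cfg -> $(readlink "$cfg" 2>/dev/null)"
        return 2
    fi
    echo "ok: $cfg -> $(readlink -f "$cfg")"
    return 0
}

# usage: fix_gnutls_policy ROOT [POLICY]
# Recreates the back-end symlink for POLICY (DEFAULT unless given), as the
# workaround in comment 1 does, then re-runs the check.
fix_gnutls_policy() {
    root=$1
    policy=${2:-DEFAULT}
    src="$root/usr/share/crypto-policies/$policy/gnutls.txt"
    dst="$root/etc/crypto-policies/back-ends/gnutls.config"
    [ -r "$src" ] || { echo "no policy file at $src"; return 3; }
    mkdir -p "$(dirname "$dst")"
    ln -sfn "$src" "$dst"
    check_gnutls_policy "$root"
}
```

Run `check_gnutls_policy /var/lib/mock/<root>/root` (path is an example) before a build to catch the missing back-end file early; `fix_gnutls_policy` applies the symlink workaround only where the policy file itself exists.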

Comment 4 Tomas Mraz 2020-06-09 17:13:28 UTC
This is a regression from the latest crypto-policies builds. There is a %post lua script that is supposed to create the symlinks, but it does not work when the initial mock chroot is created. There is a potential fix in crypto-policies-20200527-5.git63fc906.el8. I'd ask you to test it once it gets into the composes.

Comment 8 Ondrej Moriš 2020-06-23 14:26:15 UTC
Martin, can you please verify that the problem is now fixed? Updated crypto-policies should be already in the buildroot.

Comment 9 Martin Pitt 2020-06-25 08:53:18 UTC
I confirm that this is fixed again in current nightlies. Thank you! I can't set the bug to VERIFIED officially (only QE is able to), but I vouch for it :-)

Comment 13 errata-xmlrpc 2020-11-04 01:58:45 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4536