Bug 1845806
| Summary: | gnutls 3.6.14 broken in FIPS mode: FIPS140-2 self testing part 2 failed | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Martin Pitt <mpitt> |
| Component: | gnutls | Assignee: | Anderson Sasaki <ansasaki> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | ||
| Version: | 32 | CC: | ansasaki, crypto-team, dueno, nmavrogi, pemensik, tmraz, vasintalana |
| Target Milestone: | --- | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | gnutls-3.6.14-2.fc32 gnutls-3.6.15-1.fc31 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-06-16 01:30:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Martin Pitt
2020-06-10 06:16:59 UTC
Sorry, of course the reproducer should include: 0. Enable FIPS mode: fips-mode-setup --enable # docker run -it --rm fedora:32 # dnf -y install gnutls-utils # rpm -q gnutls gnutls-3.6.14-1.fc32.x86_64 # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv ... gnutls[3]: ASSERT: fips.c[get_library_path]:156 gnutls[2]: Could not get path for library none gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447 gnutls[1]: FIPS140-2 self testing part 2 failed gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380 Error in GnuTLS initialization: Error while performing self checks. global_init: Error while performing self checks. # dnf -y downgrade gnutls # rpm -q gnutls gnutls-3.6.13-1.fc32.x86_64 # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv ... gnutls[3]: ASSERT: fips.c[get_library_path]:155 gnutls[2]: Could not get path for library libnettle.so.6 gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:446 gnutls[1]: FIPS140-2 self testing part 2 failed gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380 Error in GnuTLS initialization: Error while performing self checks. global_init: Error while performing self checks. # docker run -it --rm fedora:31 # dnf -y install gnutls-utils # rpm -q gnutls gnutls-3.6.13-1.fc31.x86_64 # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv ... Warning: no private key and certificate pairs were set. HTTP Server listening on IPv4 0.0.0.0 port 5556...done HTTP Server listening on IPv6 :: port 5556...done # dnf -y downgrade gnutls # rpm -q gnutls gnutls-3.6.10-1.fc31.x86_64 # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv ... gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248 gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781 gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510 gnutls[2]: DSA-2048-known-sig self test failed gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807 gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409 gnutls[1]: FIPS140-2 self testing part 2 failed gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381 Error in GnuTLS initialization: Error while performing self checks. global_init: Error while performing self checks. FEDORA-2020-7d50550ddf has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-7d50550ddf FEDORA-2020-5ccd452c8e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ccd452c8e (In reply to Virgiantara Sintalana from comment #2) > # docker run -it --rm fedora:32 > # dnf -y install gnutls-utils > # rpm -q gnutls > gnutls-3.6.14-1.fc32.x86_64 > # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv > ... > gnutls[3]: ASSERT: fips.c[get_library_path]:156 > gnutls[2]: Could not get path for library none > gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447 > gnutls[1]: FIPS140-2 self testing part 2 failed > gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380 > Error in GnuTLS initialization: Error while performing self checks. > global_init: Error while performing self checks. > > # dnf -y downgrade gnutls > # rpm -q gnutls > gnutls-3.6.13-1.fc32.x86_64 > # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv > ... > gnutls[3]: ASSERT: fips.c[get_library_path]:155 > gnutls[2]: Could not get path for library libnettle.so.6 > gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:446 > gnutls[1]: FIPS140-2 self testing part 2 failed > gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380 > Error in GnuTLS initialization: Error while performing self checks. > global_init: Error while performing self checks. > > > > # docker run -it --rm fedora:31 > # dnf -y install gnutls-utils > # rpm -q gnutls > gnutls-3.6.13-1.fc31.x86_64 > # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv > ... > Warning: no private key and certificate pairs were set. > HTTP Server listening on IPv4 0.0.0.0 port 5556...done > HTTP Server listening on IPv6 :: port 5556...done > > # dnf -y downgrade gnutls > # rpm -q gnutls > gnutls-3.6.10-1.fc31.x86_64 > # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv > ... > gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248 > gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781 > gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510 > gnutls[2]: DSA-2048-known-sig self test failed > gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807 > gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409 > gnutls[1]: FIPS140-2 self testing part 2 failed > gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381 > Error in GnuTLS initialization: Error while performing self checks. > global_init: Error while performing self checks. Forgive me. Forgot to add a rawhide version. # docker run -it --rm fedora:33 # dnf -y install gnutls-utils # rpm -q gnutls gnutls-3.6.14-1.fc33.x86_64 # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv ... gnutls[3]: ASSERT: fips.c[get_library_path]:156 gnutls[2]: Could not get path for library none gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447 gnutls[1]: FIPS140-2 self testing part 2 failed gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380 Error in GnuTLS initialization: Error while performing self checks. global_init: Error while performing self checks. gnutls-3.6.14-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ccd452c8e gnutls-3.6.14-2.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-7d50550ddf gnutls-3.6.14-2.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report. FEDORA-2020-30cd8d9ad6 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-30cd8d9ad6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-30cd8d9ad6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-30cd8d9ad6 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report. |