Bug 2064790

Summary: SHA384 in gnutls works only once
Product: Red Hat Enterprise Linux 8
Reporter: Miroslav Lichvar <mlichvar>
Component: gnutls
Assignee: Daiki Ueno <dueno>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: medium
Version: 8.5
Keywords: Triaged
Target Milestone: rc
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2023-03-22 07:58:27 UTC
Bug Blocks: 2062356

Description Miroslav Lichvar 2022-03-16 14:49:12 UTC
Description of problem:
Some HW-accelerated versions of SHA384 work only once. This was fixed upstream in the following commits:
https://gitlab.com/gnutls/gnutls/-/commit/acdfeb4b3f0c64ad20f28513618e9903bfb81426
https://gitlab.com/gnutls/gnutls/-/commit/66cf3d31b44e5b9300c6fce475f9284caa4cca4d

This bug prevents chrony from switching to gnutls as the hashing library in order to support AES-CMAC keys which are now recommended for NTP authentication in RFC 8573. (AES-CMAC is not supported in the Nettle version present in RHEL8.)

Version-Release number of selected component (if applicable):
gnutls-3.6.16-4.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. build chrony-4.2 configured with option "--without-nettle"
2. make check

Actual results:
...
Testing hash                           FAIL (on line 119)

Expected results:
All tests passed

Comment 1 Daiki Ueno 2022-03-17 10:24:46 UTC
I guess this could be worked around by not using gnutls_hash_copy but always creating a new context, but it's not acceptable because of performance, right?

Comment 2 Miroslav Lichvar 2022-03-17 10:35:01 UTC
Yes, in the chrony case the hash context is reused for performance reasons and to avoid unnecessary memory allocations. It does not call gnutls_hash_copy(); it relies on gnutls_hash_output() resetting the state.