Bug 2073018
| Summary: | Libgcrypt error: integrity check failed: Invalid object when in FIPS mode | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Martin Pitt <mpitt> |
| Component: | libgcrypt | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 36 | CC: | cllang, crypto-team, jjelen, ssorce, tm |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libgcrypt-1.10.1-2.fc36 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-07 04:19:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Sounds like pakcage notes stuff is relinking the binary after the checksum is added, therefore invalidating *and* removing it from the binary ... From koji build log: ECHO_N=-n READELF=readelf AWK=gawk \ ./gen-note-integrity.sh > libgcrypt.so.hmac make[2]: Leaving directory '/builddir/build/BUILD/libgcrypt-1.10.1/src' make[2]: Entering directory '/builddir/build/BUILD/libgcrypt-1.10.1/src' objcopy --add-section .note.fdo.integrity=libgcrypt.so.hmac \ --set-section-flags .note.fdo.integrity=noload,readonly \ .libs/libgcrypt.so .libs/libgcrypt.so.new mv -f .libs/libgcrypt.so.new .libs/libgcrypt.so.*.* make[2]: Leaving directory '/builddir/build/BUILD/libgcrypt-1.10.1/src' make[2]: Entering directory '/builddir/build/BUILD/libgcrypt-1.10.1/src' /bin/sh ../libtool --tag=CC --mode=link gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fvisibility=hidden -fno-delete-null-pointer-checks -Wall -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dT,/builddir/build/BUILD/libgcrypt-1.10.1/.package_note-libgcrypt-1.10.1-1.fc36.x86_64.ld -o mpicalc mpicalc-mpicalc.o libgcrypt.la -lgpg-error libtool: link: gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fvisibility=hidden -fno-delete-null-pointer-checks -Wall -Wl,-z -Wl,relro -Wl,--as-needed -Wl,-z -Wl,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dT -Wl,/builddir/build/BUILD/libgcrypt-1.10.1/.package_note-libgcrypt-1.10.1-1.fc36.x86_64.ld -o .libs/mpicalc mpicalc-mpicalc.o ./.libs/libgcrypt.so -lgpg-error make[2]: Leaving directory '/builddir/build/BUILD/libgcrypt-1.10.1/src' Thank you for the report. I am looking into that as I obviously messed up the checksum re-creation after the debuginfo is stripped, because I did not notice how much different. Fortunately, it affects only FIPS mode on Fedora, which is hopefully not much used. FEDORA-2022-ec883a424c has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-ec883a424c FEDORA-2022-ec883a424c has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-ec883a424c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ec883a424c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-ec883a424c has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: libgcrypt was recently updated from 1.10.0-1.fc36 to 1.10.1-1.fc36. This introduced a regression (or at least scary errors) in FIPS mode. Version-Release number of selected component (if applicable): libgcrypt 1.10.1-1.fc36 How reproducible: Always Steps to Reproduce: 1. fips-mode-setup --enable 2. reboot 3. journalctl -b -t sshd Actual results: The journalctl command *itself* prints libgcrypt selftest: binary (0): Invalid object and otherwise the logs show: Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: libgcrypt selftest: binary (0): Invalid object Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: Libgcrypt error: integrity check failed: Invalid object Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: Libgcrypt notice: state transition Self-Test => Error Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: Server listening on 0.0.0.0 port 22. Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: Server listening on :: port 22. Apr 07 13:16:11 fedora-36-127-0-0-2-2201 sshd[2127]: libgcrypt selftest: binary (0): Invalid object Apr 07 13:16:11 fedora-36-127-0-0-2-2201 sshd[2127]: Libgcrypt error: integrity check failed: Invalid object Apr 07 13:16:11 fedora-36-127-0-0-2-2201 sshd[2127]: Libgcrypt notice: state transition Self-Test => Error This is true for a lot of services: # journalctl -b | grep gcrypt | wc -l libgcrypt selftest: binary (0): Invalid object 465 Expected results: gcrypt self-tests succeed Additional info: This was spotted in https://github.com/cockpit-project/bots/pull/3198, cockpit CI's fedora-36 image refresh.