Bug 2107563

Summary: FIPS mode doesn't work in GNUTLS
Product: Fedora
Component: gnutls
Version: rawhide
Status: CLOSED NOTABUG
Type: Bug
Reporter: Zdenek Dohnal <zdohnal>
Assignee: Red Hat Crypto Team <crypto-team>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ansasaki, crypto-team, dueno, fkrenzel, tm, zfridric
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-07-18 06:52:05 UTC

Description Zdenek Dohnal 2022-07-15 12:06:12 UTC
If I enable FIPS mode in rawhide and reboot, the gnutls library is not able to load, failing with the error:

'''
Error in GnuTLS initialization: Error while performing self checks.
'''

and GNUTLS relaxed mode does not work.


Steps to reproduce:
1) $ fips-mode-setup --enable
2) $ systemctl reboot
3) (run a binary which uses GNUTLS, e.g. /usr/lib/cups/filter/pdftopdf from the cups-filters package)

$ /usr/lib/cups/filter/pdftopdf 1 root '' 1 '' /usr/share/cups/data/default-testpage.pdf

Actual results under FIPS:
- /etc/system-fips is not created

Logs:
Error in GnuTLS initialization: Error while performing self checks.
DEBUG: pdftopdf: No PPD file specified, could not determine whether to log pages or not, so turned off page logging.
DEBUG: PDF interactive form and annotation flattening done via QPDF
DEBUG: pdftopdf: "print-scaling" IPP attribute: auto
DEBUG: pdftopdf: Print scaling mode: Do not scale, center, crop if needed
After Cropping: 794.000000 595.000000 792.000000 612.000000
...
After Cropping: 794.000000 595.000000 792.000000 612.000000
ERROR: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated.

Expected results under FIPS:

DEBUG: pdftopdf: No PPD file specified, could not determine whether to log pages or not, so turned off page logging.
DEBUG: PDF interactive form and annotation flattening done via QPDF



Would you mind looking into it?

Comment 1 Daiki Ueno 2022-07-18 00:58:05 UTC
Thank you for the report; this might be related to bug 2107563. Could you check which versions of gnutls/nettle/gmp are installed on your system?

It would also be helpful if you could collect debug logs with GNUTLS_DEBUG_LEVEL:
https://www.gnutls.org/manual/html_node/Debugging-and-auditing.html#Debugging-and-auditing

Comment 2 Zdenek Dohnal 2022-07-18 06:52:05 UTC
Hi Daiki,

thank you for looking into this!

OK, I've updated the system (I saw one relevant update, to gnutls-3.7.6-4) and FIPS works now: 'fips-mode-enable' shows it is enabled, and the binaries using gnutls and its relaxed mode are now working correctly.

However, /etc/system-fips is not created after enabling FIPS and rebooting the machine - then I checked crypto-policies changelog and it mentions /etc/system-fips is abandoned, so I'll rewrite the test.
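The reproduction steps in the description and the note above that /etc/system-fips is no longer created suggest what a rewritten check looks like: read the kernel's FIPS flag instead of testing for the file, and detect the GnuTLS self-test failure from the stderr of any gnutls-using command. The script below is an added example written for this page; it is not part of the bug report, the cups-filters test, or the gnutls package. It assumes a Linux system where /proc/sys/crypto/fips_enabled exists (the path argument on `fips_state` only exists so the function can be exercised against a constructed file) and treats the "Error in GnuTLS initialization" message quoted in the report as the marker of a self-check failure.

```shell
#!/bin/sh
# Added example (not from the bug report or any project): check FIPS state
# without relying on the abandoned /etc/system-fips marker, and detect a
# GnuTLS FIPS self-test failure when running a gnutls-using command.

# Report the kernel-level FIPS flag. Prints enabled/disabled/unknown and
# returns 0/1/2 respectively. The optional path argument is an assumption
# made for testing; the default is the real procfs entry.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$f" ]; then
        echo unknown
        return 2
    fi
    case "$(cat "$f" 2>/dev/null)" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 2 ;;
    esac
}

# Run the given command, keep only its stderr, and return 0 if GnuTLS
# reported an initialization (self-check) failure, 1 otherwise.
# Stdout is discarded so the check is unaffected by normal output.
gnutls_init_failed() {
    err=$("$@" 2>&1 >/dev/null) || true
    case "$err" in
        *"Error in GnuTLS initialization"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the package versions asked for in Comment 1 (rpm systems only;
# prints nothing where rpm is absent).
report_versions() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q gnutls nettle gmp 2>/dev/null
}

# Driver: `sh fipscheck.sh check <command> [args...]` runs the command
# under the current FIPS state and reports what happened.
if [ "${1:-}" = check ]; then
    shift
    printf 'kernel FIPS mode: %s\n' "$(fips_state)"
    report_versions
    if gnutls_init_failed "$@"; then
        echo "GnuTLS failed its FIPS self-checks while running: $*"
        exit 1
    fi
    echo "GnuTLS initialized under the current FIPS state"
fi
```

Unlike a test on /etc/system-fips, `fips_state` follows the kernel flag that fips-mode-setup actually toggles, so it keeps working across the crypto-policies change mentioned above; `gnutls_init_failed` is what a test harness would call on the pdftopdf invocation from the reproduction steps.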

Comment 3 Daiki Ueno 2022-07-19 05:10:16 UTC
> this might be related to bug 2107563

Sorry, the correct bug was bug 2099651. I've opened a PR to enforce a more strict dependency check to prevent this kind of issue in the future:
https://src.fedoraproject.org/rpms/gnutls/pull-request/46