Description of problem:
The gnutls 3.6.14 update (https://bodhi.fedoraproject.org/updates/FEDORA-2020-0cce3578e2) completely broke in FIPS mode. This was originally reported against cockpit (https://github.com/cockpit-project/cockpit/issues/14074), but affects all GnuTLS applications.

Version-Release number of selected component (if applicable):
gnutls-3.6.14-1.fc32.x86_64

gnutls-3.6.13-1.fc32.x86_64 is confirmed to work (dnf downgrade gnutls)

How reproducible:
Always

Steps to Reproduce:
1. GNUTLS_DEBUG_LEVEL=9999 gnutls-serv

Actual results:
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

Expected results:
Self-checks pass and test server is started

Additional info:

Sorry, of course the reproducer should include:

0. Enable FIPS mode: fips-mode-setup --enable

# docker run -it --rm fedora:32
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.14-1.fc32.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

# dnf -y downgrade gnutls
# rpm -q gnutls
gnutls-3.6.13-1.fc32.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:155
gnutls[2]: Could not get path for library libnettle.so.6
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:446
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

# docker run -it --rm fedora:31
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.13-1.fc31.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

# dnf -y downgrade gnutls
# rpm -q gnutls
gnutls-3.6.10-1.fc31.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248
gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781
gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510
gnutls[2]: DSA-2048-known-sig self test failed
gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

FEDORA-2020-7d50550ddf has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-7d50550ddf
FEDORA-2020-5ccd452c8e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ccd452c8e
(In reply to Virgiantara Sintalana from comment #2)
> # docker run -it --rm fedora:32
> # dnf -y install gnutls-utils
> # rpm -q gnutls
> gnutls-3.6.14-1.fc32.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: fips.c[get_library_path]:156
> gnutls[2]: Could not get path for library none
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.
>
> # dnf -y downgrade gnutls
> # rpm -q gnutls
> gnutls-3.6.13-1.fc32.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: fips.c[get_library_path]:155
> gnutls[2]: Could not get path for library libnettle.so.6
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:446
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.
>
>
>
> # docker run -it --rm fedora:31
> # dnf -y install gnutls-utils
> # rpm -q gnutls
> gnutls-3.6.13-1.fc31.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> Warning: no private key and certificate pairs were set.
> HTTP Server listening on IPv4 0.0.0.0 port 5556...done
> HTTP Server listening on IPv6 :: port 5556...done
>
> # dnf -y downgrade gnutls
> # rpm -q gnutls
> gnutls-3.6.10-1.fc31.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248
> gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781
> gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510
> gnutls[2]: DSA-2048-known-sig self test failed
> gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.

Forgive me. Forgot to add a rawhide version.

# docker run -it --rm fedora:33
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.14-1.fc33.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

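The sessions above all end in the same "FIPS140-2 self testing part 2 failed" line, but for different underlying reasons, so the useful signal when comparing builds is the level-2 message and the assertion logged just before it. The script below is an added example, not part of the bug report or of GnuTLS: the function name gnutls_fips_triage is hypothetical, it assumes the log line shapes seen in this thread, and its sample inputs are lines copied from the comments above.

```sh
# Added example (not GnuTLS or Fedora code): summarise a FIPS start-up log.
# Reads GNUTLS_DEBUG_LEVEL output on stdin and prints PASS, or
# FAIL|<failed stage>|<level-2 cause>|<assertion logged just before the cause>.
gnutls_fips_triage() {
    awk '
    /^gnutls\[[0-9]+\]: ASSERT: / {           # remember the latest assertion site
        last = $0; sub(/^gnutls\[[0-9]+\]: ASSERT: /, "", last); next
    }
    /^gnutls\[2\]: / {                        # level 2 names the concrete check
        cause = $0; sub(/^gnutls\[2\]: /, "", cause); site = last; next
    }
    /^gnutls\[1\]: .*self testing.*failed/ {  # level 1 names the failed stage
        if (stage == "") { stage = $0; sub(/^gnutls\[1\]: /, "", stage)
                           fcause = cause; fsite = site }
        next
    }
    /^Error in GnuTLS initialization:/ { init_failed = 1 }
    END {
        if (stage == "" && !init_failed) { print "PASS"; exit 0 }
        printf "FAIL|%s|%s|%s\n", stage, fcause, fsite
        exit 1
    }'
}
# Sample inputs: log lines copied from the sessions in this thread.
log_3_6_14_fc32() { cat <<'EOF'
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
EOF
}
log_3_6_10_fc31() { cat <<'EOF'
gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248
gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781
gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510
gnutls[2]: DSA-2048-known-sig self test failed
gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381
Error in GnuTLS initialization: Error while performing self checks.
EOF
}
log_3_6_13_fc31() { printf '%s\n' 'Warning: no private key and certificate pairs were set.' \
    'HTTP Server listening on IPv4 0.0.0.0 port 5556...done'; }
```

Feed it a captured log, for example `gnutls_fips_triage < gnutls-serv.log`; the exit status is non-zero on any self-test failure, so it can gate a package update test.
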
gnutls-3.6.14-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ccd452c8e
gnutls-3.6.14-2.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-7d50550ddf
gnutls-3.6.14-2.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.
FEDORA-2020-30cd8d9ad6 has been pushed to the Fedora 31 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-30cd8d9ad6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-30cd8d9ad6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-30cd8d9ad6 has been pushed to the Fedora 31 stable repository. If the problem still persists, please make note of it in this bug report.