Bug 1845806 - gnutls 3.6.14 broken in FIPS mode: FIPS140-2 self testing part 2 failed
Summary: gnutls 3.6.14 broken in FIPS mode: FIPS140-2 self testing part 2 failed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 32
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: ---
Assignee: Anderson Sasaki
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-06-10 06:16 UTC by Martin Pitt
Modified: 2020-09-04 15:13 UTC (History)
7 users (show)

Fixed In Version: gnutls-3.6.14-2.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-16 01:30:14 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Gitlab gnutls/gnutls/-/merge_requests/1286 None None None 2020-06-10 07:21:49 UTC

Description Martin Pitt 2020-06-10 06:16:59 UTC
Description of problem: The gnutls 3.6.14 update (https://bodhi.fedoraproject.org/updates/FEDORA-2020-0cce3578e2) completely broke in FIPS mode. This was originally reported against cockpit (https://github.com/cockpit-project/cockpit/issues/14074), but affects all GnuTLS applications.

Version-Release number of selected component (if applicable):

gnutls-3.6.14-1.fc32.x86_64

gnutls-3.6.13-1.fc32.x86_64 is confirmed to work (dnf downgrade gnutls)


How reproducible: Always


Steps to Reproduce:
1. GNUTLS_DEBUG_LEVEL=9999 gnutls serv

Actual results:

gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.


Expected results:
Self-checks pass and test server is started

Additional info:

Comment 1 Martin Pitt 2020-06-10 06:25:22 UTC
Sorry, of course the reproducer should include:

0. Enable FIPS mode:
   fips-mode-setup --enable

Comment 2 Virgiantara Sintalana 2020-06-10 14:18:07 UTC
# docker run -it --rm fedora:32
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.14-1.fc32.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

# dnf -y downgrade gnutls
# rpm -q gnutls
gnutls-3.6.13-1.fc32.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:155
gnutls[2]: Could not get path for library libnettle.so.6
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:446
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.



# docker run -it --rm fedora:31
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.13-1.fc31.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

# dnf -y downgrade gnutls
# rpm -q gnutls
gnutls-3.6.10-1.fc31.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248
gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781
gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510
gnutls[2]: DSA-2048-known-sig self test failed
gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

Comment 3 Fedora Update System 2020-06-10 18:10:03 UTC
FEDORA-2020-7d50550ddf has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-7d50550ddf

Comment 4 Fedora Update System 2020-06-10 18:11:02 UTC
FEDORA-2020-5ccd452c8e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ccd452c8e

Comment 5 Virgiantara Sintalana 2020-06-11 00:31:09 UTC
(In reply to Virgiantara Sintalana from comment #2)
> # docker run -it --rm fedora:32
> # dnf -y install gnutls-utils
> # rpm -q gnutls
> gnutls-3.6.14-1.fc32.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: fips.c[get_library_path]:156
> gnutls[2]: Could not get path for library none
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.
> 
> # dnf -y downgrade gnutls
> # rpm -q gnutls
> gnutls-3.6.13-1.fc32.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: fips.c[get_library_path]:155
> gnutls[2]: Could not get path for library libnettle.so.6
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:446
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.
> 
> 
> 
> # docker run -it --rm fedora:31
> # dnf -y install gnutls-utils
> # rpm -q gnutls
> gnutls-3.6.13-1.fc31.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> Warning: no private key and certificate pairs were set.
> HTTP Server listening on IPv4 0.0.0.0 port 5556...done
> HTTP Server listening on IPv6 :: port 5556...done
> 
> # dnf -y downgrade gnutls
> # rpm -q gnutls
> gnutls-3.6.10-1.fc31.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248
> gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781
> gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510
> gnutls[2]: DSA-2048-known-sig self test failed
> gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.

Forgive me.
Forgot to add a rawhide version.

# docker run -it --rm fedora:33
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.14-1.fc33.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

Comment 6 Fedora Update System 2020-06-14 17:16:14 UTC
gnutls-3.6.14-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ccd452c8e

Comment 7 Fedora Update System 2020-06-14 18:01:46 UTC
gnutls-3.6.14-2.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-7d50550ddf

Comment 8 Fedora Update System 2020-06-16 01:30:14 UTC
gnutls-3.6.14-2.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2020-09-04 15:13:10 UTC
FEDORA-2020-30cd8d9ad6 has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-30cd8d9ad6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-30cd8d9ad6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.


Note You need to log in before you can comment on or make changes to this bug.