2173612 – Error while performing self checks in FIPS mode

Bug 2173612 - Error while performing self checks in FIPS mode

Summary: Error while performing self checks in FIPS mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gnutls
Sub Component:
Version:	38
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Red Hat Crypto Team
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	CockpitTest
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-02-27 12:13 UTC by Marius Vollmer
Modified:	2023-03-18 05:01 UTC (History)
CC List:	6 users (show)
Fixed In Version:	gnutls-3.8.0-1.fc37 gnutls-3.8.0-2.fc38 gnutls-3.8.0-2.fc36
Clone Of:
Environment:
Last Closed:	2023-03-01 01:58:47 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FC-767	0	None	None	None	2023-02-27 12:14:37 UTC

Description Marius Vollmer 2023-02-27 12:13:58 UTC

Description of problem:

Any gnutls utility fails during initialization when in FIPS mode.

Version-Release number of selected component (if applicable):
rpmquery gnutls nettle
gnutls-3.7.8-11.fc38.x86_64
nettle-3.8-3.fc38.x86_64

How reproducible:
Always

Steps to Reproduce:
1. GNUTLS_FORCE_FIPS_MODE=1 gnutls-cli-debug

Actual results:
Error in GnuTLS initialization: Error while performing self checks.
global state initialization error

Expected results:
GnuTLS debug client 3.7.8
Checking localhost:443
Could not connect to 127.0.0.1:443: Connection refused

Additional info:

This is very similar to bug 2099651, which was fixed by rebuilding gnutls, I think.

Comment 1 Fedora Update System 2023-02-27 12:58:49 UTC

FEDORA-2023-4fc4c33f2b has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4fc4c33f2b

Comment 2 Fedora Update System 2023-02-27 12:59:12 UTC

FEDORA-2023-1c4a6a47ae has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-1c4a6a47ae

Comment 3 Fedora Update System 2023-02-27 12:59:43 UTC

FEDORA-2023-5b378b82b3 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5b378b82b3

Comment 4 Daiki Ueno 2023-02-27 16:38:59 UTC

With GNUTLS_DEBUG_LEVEL=10, it says:

gnutls[2]: Calculated MAC for /lib64/libnettle.so.8 does not match
gnutls[3]: ASSERT: ../../lib/fips.c[check_lib_hmac]:383

So gnutls package is rebuilt against older nettle package (3.8-2.fc37), while the latest nettle is 3.8-3.fc38. We have a gating test[1] to prevent this, though it apparently didn't help with mass-rebuild. The updates linked from the above comments should indeed fix the issue.

1. https://src.fedoraproject.org/rpms/gnutls/blob/rawhide/f/gating.yml

Comment 5 Fedora Update System 2023-02-28 01:47:28 UTC

FEDORA-2023-4fc4c33f2b has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4fc4c33f2b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4fc4c33f2b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-02-28 01:56:46 UTC

FEDORA-2023-5b378b82b3 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5b378b82b3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-02-28 02:53:29 UTC

FEDORA-2023-1c4a6a47ae has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-1c4a6a47ae`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-1c4a6a47ae

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-03-01 01:58:47 UTC

FEDORA-2023-1c4a6a47ae has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2023-03-03 01:11:48 UTC

FEDORA-2023-4fc4c33f2b has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4fc4c33f2b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4fc4c33f2b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-03-03 02:21:47 UTC

FEDORA-2023-5b378b82b3 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5b378b82b3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-03-14 00:16:59 UTC

FEDORA-2023-5b378b82b3 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2023-03-18 05:01:15 UTC

FEDORA-2023-4fc4c33f2b has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.