Bug 1845806
| Summary: | gnutls 3.6.14 broken in FIPS mode: FIPS140-2 self testing part 2 failed | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Martin Pitt <mpitt> |
| Component: | gnutls | Assignee: | Anderson Sasaki <ansasaki> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Priority: | high |
| Version: | 32 | CC: | ansasaki, crypto-team, dueno, nmavrogi, pemensik, tmraz, vasintalana |
| Keywords: | Regression | Type: | Bug |
| Hardware: | Unspecified | OS: | Unspecified |
| Fixed In Version: | gnutls-3.6.14-2.fc32 gnutls-3.6.15-1.fc31 | Last Closed: | 2020-06-16 01:30:14 UTC |

Description
Martin Pitt
2020-06-10 06:16:59 UTC
Sorry, of course the reproducer should include:

0. Enable FIPS mode: `fips-mode-setup --enable`

```
# docker run -it --rm fedora:32
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.14-1.fc32.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

# dnf -y downgrade gnutls
# rpm -q gnutls
gnutls-3.6.13-1.fc32.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:155
gnutls[2]: Could not get path for library libnettle.so.6
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:446
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

# docker run -it --rm fedora:31
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.13-1.fc31.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

# dnf -y downgrade gnutls
# rpm -q gnutls
gnutls-3.6.10-1.fc31.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248
gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781
gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510
gnutls[2]: DSA-2048-known-sig self test failed
gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.
```

FEDORA-2020-7d50550ddf has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-7d50550ddf

FEDORA-2020-5ccd452c8e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ccd452c8e

(In reply to Virgiantara Sintalana from comment #2)

> ```
> # docker run -it --rm fedora:32
> # dnf -y install gnutls-utils
> # rpm -q gnutls
> gnutls-3.6.14-1.fc32.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: fips.c[get_library_path]:156
> gnutls[2]: Could not get path for library none
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.
>
> # dnf -y downgrade gnutls
> # rpm -q gnutls
> gnutls-3.6.13-1.fc32.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: fips.c[get_library_path]:155
> gnutls[2]: Could not get path for library libnettle.so.6
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:446
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.
>
> # docker run -it --rm fedora:31
> # dnf -y install gnutls-utils
> # rpm -q gnutls
> gnutls-3.6.13-1.fc31.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> Warning: no private key and certificate pairs were set.
> HTTP Server listening on IPv4 0.0.0.0 port 5556...done
> HTTP Server listening on IPv6 :: port 5556...done
>
> # dnf -y downgrade gnutls
> # rpm -q gnutls
> gnutls-3.6.10-1.fc31.x86_64
> # GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
> ...
> gnutls[3]: ASSERT: pubkey.c[pubkey_verify_data]:2248
> gnutls[3]: ASSERT: pubkey.c[gnutls_pubkey_verify_data2]:1781
> gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510
> gnutls[2]: DSA-2048-known-sig self test failed
> gnutls[3]: ASSERT: crypto-selftests-pk.c[gnutls_pk_self_test]:807
> gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409
> gnutls[1]: FIPS140-2 self testing part 2 failed
> gnutls[3]: ASSERT: global.c[_gnutls_global_init]:381
> Error in GnuTLS initialization: Error while performing self checks.
> global_init: Error while performing self checks.
> ```

Forgive me. Forgot to add a rawhide version.

```
# docker run -it --rm fedora:33
# dnf -y install gnutls-utils
# rpm -q gnutls
gnutls-3.6.14-1.fc33.x86_64
# GNUTLS_FORCE_FIPS_MODE=1 GNUTLS_DEBUG_LEVEL=9999 gnutls-serv
...
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
gnutls[3]: ASSERT: global.c[_gnutls_global_init]:380
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.
```

gnutls-3.6.14-2.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ccd452c8e

gnutls-3.6.14-2.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-7d50550ddf

gnutls-3.6.14-2.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.

FEDORA-2020-30cd8d9ad6 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-30cd8d9ad6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-30cd8d9ad6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-30cd8d9ad6 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.
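
The transcripts in this report end in the same "FIPS140-2 self testing part 2 failed" line for two different reasons: a library path that could not be resolved, and a named algorithm self test that failed. The following is an added example, not part of the bug report or of GnuTLS: a shell function that reads captured `GNUTLS_DEBUG_LEVEL` output and reports which of the two it contains. The label names (`ok`, `library-path`, `self-test`, `unclassified`) and function names are this example's own, and the sample inputs are excerpts of the logs quoted in the comments.

```bash
#!/bin/sh
# Added example: classify GnuTLS FIPS start-up output read from stdin.
# The labels (ok, library-path, self-test, unclassified) are this example's own.
classify_fips_log() {
    local log lib kat site
    log=$(cat)
    # No "self testing part N failed" line: initialisation got past the checks.
    if ! printf '%s\n' "$log" | grep -q 'FIPS140-2 self testing part [0-9]* failed'; then
        echo "ok"; return 0
    fi
    # Signature A: fips.c could not resolve the path of a library.
    lib=$(printf '%s\n' "$log" | sed -n 's/.*Could not get path for library \(.*\)$/\1/p' | head -n 1)
    if [ -n "$lib" ]; then echo "library-path:$lib"; return 1; fi
    # Signature B: a named algorithm self test failed.
    kat=$(printf '%s\n' "$log" | sed -n 's/^gnutls\[[0-9]*]: \(.*\) self test failed$/\1/p' | head -n 1)
    if [ -n "$kat" ]; then echo "self-test:$kat"; return 1; fi
    # Anything else: report the first ASSERT site for manual follow-up.
    site=$(printf '%s\n' "$log" | sed -n 's/^gnutls\[[0-9]*]: ASSERT: \(.*\)$/\1/p' | head -n 1)
    echo "unclassified:${site:-unknown}"; return 1
}

# Sample inputs: log excerpts copied from the comments in this report.
sample_3_6_14() { cat <<'EOF'
gnutls[3]: ASSERT: fips.c[get_library_path]:156
gnutls[2]: Could not get path for library none
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:447
gnutls[1]: FIPS140-2 self testing part 2 failed
EOF
}
sample_3_6_10() { cat <<'EOF'
gnutls[3]: ASSERT: crypto-selftests-pk.c[test_known_sig]:510
gnutls[2]: DSA-2048-known-sig self test failed
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:409
gnutls[1]: FIPS140-2 self testing part 2 failed
EOF
}
sample_ok() { cat <<'EOF'
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
EOF
}

# Demo: print the classification of each sample.
for s in sample_3_6_14 sample_3_6_10 sample_ok; do
    printf '%s -> %s\n' "$s" "$($s | classify_fips_log)"
done
```

The function's exit status is 0 only for `ok`, so a pipeline such as `gnutls-serv ... 2>&1 | classify_fips_log` can gate a package-update smoke test on FIPS-enabled hosts.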