Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2173612 - Error while performing self checks in FIPS mode
Summary: Error while performing self checks in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 38
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Red Hat Crypto Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: CockpitTest
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-02-27 12:13 UTC by Marius Vollmer
Modified: 2023-03-18 05:01 UTC (History)
6 users (show)

Fixed In Version: gnutls-3.8.0-1.fc37 gnutls-3.8.0-2.fc38 gnutls-3.8.0-2.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-01 01:58:47 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-767 0 None None None 2023-02-27 12:14:37 UTC

Description Marius Vollmer 2023-02-27 12:13:58 UTC
Description of problem:

Any gnutls utility fails during initialization when in FIPS mode.

Version-Release number of selected component (if applicable):
rpmquery gnutls nettle
gnutls-3.7.8-11.fc38.x86_64
nettle-3.8-3.fc38.x86_64

How reproducible:
Always

Steps to Reproduce:
1. GNUTLS_FORCE_FIPS_MODE=1 gnutls-cli-debug

Actual results:
Error in GnuTLS initialization: Error while performing self checks.
global state initialization error

Expected results:
GnuTLS debug client 3.7.8
Checking localhost:443
Could not connect to 127.0.0.1:443: Connection refused

Additional info:

This is very similar to bug 2099651, which was fixed by rebuilding gnutls, I think.

Comment 1 Fedora Update System 2023-02-27 12:58:49 UTC
FEDORA-2023-4fc4c33f2b has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4fc4c33f2b

Comment 2 Fedora Update System 2023-02-27 12:59:12 UTC
FEDORA-2023-1c4a6a47ae has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-1c4a6a47ae

Comment 3 Fedora Update System 2023-02-27 12:59:43 UTC
FEDORA-2023-5b378b82b3 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5b378b82b3

Comment 4 Daiki Ueno 2023-02-27 16:38:59 UTC
With GNUTLS_DEBUG_LEVEL=10, it says:

gnutls[2]: Calculated MAC for /lib64/libnettle.so.8 does not match
gnutls[3]: ASSERT: ../../lib/fips.c[check_lib_hmac]:383

So gnutls package is rebuilt against older nettle package (3.8-2.fc37), while the latest nettle is 3.8-3.fc38. We have a gating test[1] to prevent this, though it apparently didn't help with mass-rebuild. The updates linked from the above comments should indeed fix the issue.

1. https://src.fedoraproject.org/rpms/gnutls/blob/rawhide/f/gating.yml

Comment 5 Fedora Update System 2023-02-28 01:47:28 UTC
FEDORA-2023-4fc4c33f2b has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4fc4c33f2b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4fc4c33f2b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-02-28 01:56:46 UTC
FEDORA-2023-5b378b82b3 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5b378b82b3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-02-28 02:53:29 UTC
FEDORA-2023-1c4a6a47ae has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-1c4a6a47ae`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-1c4a6a47ae

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-03-01 01:58:47 UTC
FEDORA-2023-1c4a6a47ae has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2023-03-03 01:11:48 UTC
FEDORA-2023-4fc4c33f2b has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4fc4c33f2b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4fc4c33f2b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-03-03 02:21:47 UTC
FEDORA-2023-5b378b82b3 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-5b378b82b3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-03-14 00:16:59 UTC
FEDORA-2023-5b378b82b3 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2023-03-18 05:01:15 UTC
FEDORA-2023-4fc4c33f2b has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.