-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
rhel-10.0
-
None
-
gnutls-3.8.5-7.el10
-
None
-
Medium
-
1
-
sst_security_crypto
-
ssg_security
-
None
-
False
-
-
None
-
Crypto24Q3
-
Pass
-
None
-
None
What were you trying to do that didn't work?
When FIPS mode is enabled GnuTLS fails with " Error while performing self checks."
Please provide the package NVR for which bug is seen:
gnutls-3.8.5-5.el10.x86_64
How reproducible:
100%
Steps to reproduce
1. Enable FIPS, rebooth and ensure it is enabled
$ fips-mode-setup --enable $ reboot $ fips-mode-setup --check FIPS mode is enabled. Initramfs fips module is enabled. The current crypto policy (FIPS) is based on the FIPS policy.
2. Run any GnuTLS application. I'm using following simplest application possible:
#include <stdio.h> #include <gnutls/gnutls.h> int main(void) { int rv; if ((rv = gnutls_global_init()) != 0) { printf("Cannot init gnutls %u\n", rv); } else { printf("Ok"); } return rv; }
and compiled with gcc `pkg-config --libs gnutls` test.c
3. Application fails
$ ./a.out Error in GnuTLS initialization: Error while performing self checks. Cannot init gnutls 4294966896
When GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 is set, no failure happens.
With debugging set a more information is provided
... gnutls[2]: Successfully verified MAC for /lib64/libgnutls.so.30 gnutls[2]: Loading: /lib64/libnettle.so.8 gnutls[2]: FIPS140-2 context is not set gnutls[2]: Calculated MAC for /lib64/libnettle.so.8 does not match gnutls[3]: ASSERT: ../../lib/fips.c[check_lib_hmac]:386 gnutls[3]: ASSERT: ../../lib/fips.c[_gnutls_fips_perform_self_checks2]:650 gnutls[1]: FIPS140-2 self testing part 2 failed gnutls[3]: ASSERT: ../../lib/global.c[_gnutls_global_init]:381 Error in GnuTLS initialization: Error while performing self checks. Cannot init gnutls 4294966896
Expected results
No error during self check
Actual results
Error during selfcheck
- blocks
-
-
- Closed
-
-
-
- Integration
-
- is duplicated by
-
-
- Closed
-
- links to
