Bug
Resolution: Unresolved
rhel-9.0.0
rhel-sst-security-crypto
ssg_security
+++ This bug was initially created as a clone of Bug #2005048 +++
Description of problem:
When the chrony upstream tests are executed via TC#520626 - /CoreOS/chrony/Sanity/upstream-testsuite [1] in FIPS mode, the 'nts' test case fails (the other tests pass) as follows:
Testing NTP authentication with NTS:
network with 1*1 servers and 1 clients:
non-default settings:
client_conf= nosystemcert ntstrustedcerts /dev/null ntstrustedcerts tmp/server1.crt ntstrustedcerts /dev/null logdir tmp log rawmeasurements
client_server_options=minpoll 6 maxpoll 6 nts
dns=1
max_sync_time=400
server_conf= ntsserverkey tmp/server1.key ntsservercert tmp/server1.crt ntsprocesses 0 ntsrotate 66 ntsdumpdir tmp
starting node 1: OK
starting node 2: OK
running simulation: OK
checking chronyd exit:
node 1: BAD
node 2: OK
FAIL
It only happens in FIPS mode.
[1] http://pkgs.devel.redhat.com/cgit/tests/chrony/tree/Sanity/upstream-testsuite
Version-Release number of selected component (if applicable):
chrony-4.1-1.el8
How reproducible:
- Always when FIPS mode is enabled
- Never when FIPS mode is disabled
Steps to Reproduce:
1. Enable FIPS mode (fips-mode-setup --enable && reboot)
2. Install test dependencies (recommend section in main.fmf)
3. Run aforementioned test (bash runtest.sh).
Actual results:
nts fails
Expected results:
all tests pass
— Additional comment from Miroslav Lichvar on 2021-09-20 13:18:20 UTC —
NTS uses AES-SIV-CMAC, which does not seem to be allowed by gnutls in FIPS mode. gnutls_aead_cipher_init() returns with an error (An algorithm that is not enabled was negotiated.).
I'm not sure if that is expected or not, but I don't think it's a chrony issue. Reassigning to gnutls.