Skip to content
GitLab
Closed
Created by Anderson Sasaki@ansasakiDeveloper

FIPS self-tests fail for algorithms disabled by configuration files

Description of problem:

This bug was originally reported in https://bugzilla.redhat.com/show_bug.cgi?id=1813384

When an algorithm tested during FIPS power-on self-tests is disabled by the used configuration file (e.g through crypto-policies in Fedora), the FIPS self-tests fail.

The suggested way to fix this issue is to postpone the loading of the configuration file during the library initialization

Version of gnutls used:

3.6.12

Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Fedora 31

How reproducible:

100%

Steps to Reproduce:

  • Create a configuration file which disables one of the tested algorithms. For example containing:
[overrides]
insecure-sig = DSA-SHA256

[priorities]
SYSTEM=NORMAL
  • Use that configuration and run an application forcing FIPS mode:
$ GNUTLS_SYSTEM_PRIORITY_FILE=config.cfg GNUTLS_FORCE_FIPS_MODE=1 certtool

Actual results:

Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

Expected results:

No error