[gnutls-devel] GnuTLS | FIPS self-tests fail for algorithms disabled by configuration files (#956)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Wed Mar 18 16:16:29 CET 2020



Anderson Sasaki created an issue: https://gitlab.com/gnutls/gnutls/-/issues/956



## Description of problem:
This bug was originally reported in https://bugzilla.redhat.com/show_bug.cgi?id=1813384

When an algorithm tested during FIPS power-on self-tests is disabled by the used configuration file (e.g through crypto-policies in Fedora), the FIPS self-tests fail.

The suggested way to fix this issue is to postpone the loading of the configuration file during the library initialization

## Version of gnutls used:
3.6.12

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora 31

## How reproducible:
100%

Steps to Reproduce:

 * Create a configuration file which disables one of the tested algorithms. For example containing:
```
[overrides]
insecure-sig = DSA-SHA256

[priorities]
SYSTEM=NORMAL
```
 * Use that configuration and run an application forcing FIPS mode:
```
$ GNUTLS_SYSTEM_PRIORITY_FILE=config.cfg GNUTLS_FORCE_FIPS_MODE=1 certtool
```

## Actual results:
```
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.
```
## Expected results:
No error

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/956
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200318/304fcd40/attachment.html>


More information about the Gnutls-devel mailing list