[gnutls-devel] GnuTLS | FIPS self-tests fail for algorithms disabled by configuration files (#956)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Wed Mar 18 16:16:29 CET 2020
Anderson Sasaki created an issue: https://gitlab.com/gnutls/gnutls/-/issues/956
## Description of problem:
This bug was originally reported in https://bugzilla.redhat.com/show_bug.cgi?id=1813384
When an algorithm tested during FIPS power-on self-tests is disabled by the used configuration file (e.g through crypto-policies in Fedora), the FIPS self-tests fail.
The suggested way to fix this issue is to postpone the loading of the configuration file during the library initialization
## Version of gnutls used:
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
## How reproducible:
Steps to Reproduce:
* Create a configuration file which disables one of the tested algorithms. For example containing:
insecure-sig = DSA-SHA256
* Use that configuration and run an application forcing FIPS mode:
$ GNUTLS_SYSTEM_PRIORITY_FILE=config.cfg GNUTLS_FORCE_FIPS_MODE=1 certtool
## Actual results:
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.
## Expected results:
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/956
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel