sha256 hash not supported after upgrading to 22.10

Bug #1993944 reported by somekool
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cryptsetup (Ubuntu) | Expired | Critical | Unassigned | |
| Kinetic | Expired | Critical | Unassigned | |

Bug Description

I just upgraded from 22.04 to 22.10, and I cannot open my LUKS volume.

Here is as much information as I could find:

```
$ sudo cryptsetup luksDump --debug /dev/nvme0n1p7
# cryptsetup 2.5.0 processing "cryptsetup luksDump --debug /dev/nvme0n1p7"
# Verifying parameters for command luksDump.
# Running command luksDump.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating context for crypt device /dev/nvme0n1p7.
# Trying to open and read device /dev/nvme0n1p7 with direct-io.
# Initialising device-mapper backend library.
# Trying to load any crypt type from device /dev/nvme0n1p7.
# Crypto backend (OpenSSL 3.0.5 5 Jul 2022 [default][legacy]) initialized in cryptsetup library version 2.5.0.
# Detected kernel Linux 5.19.0-23-generic x86_64.
Requested hash sha256 is not supported.
Device /dev/nvme0n1p7 is not a valid LUKS device.
# Releasing crypt device /dev/nvme0n1p7 context.
# Releasing device-mapper backend.
# Unlocking memory.
Command failed with code -1 (wrong or missing parameters).
```

So the actual error appears to be `Requested hash sha256 is not supported.`

I opened an issue on cryptsetup itself, but he is telling me it's likely an OpenSSL misconfiguration or a missing package. sha256 is mandatory.

https://gitlab.com/cryptsetup/cryptsetup/-/issues/782

I am seeing a reference to sha256 in `/etc/ssl/openssl.cnf`,

but when I type just `openssl -v` I get ...

```
FATAL: Startup failure (dev note: apps_startup()) for openssl
4057E8D4727F0000:error:80000002:system library:process_include:No such file or directory:../crypto/conf/conf_def.c:805:calling stat(fipsmodule.cnf)
4057E8D4727F0000:error:07800069:common libcrypto routines:provider_conf_load:provider section error:../crypto/provider_conf.c:156:section=fips_sect not found
4057E8D4727F0000:error:0700006D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:270:module=providers, value=provider_sect retcode=-1
```

Could it be related?

Steve Langasek (vorlon)
Changed in cryptsetup (Ubuntu):
importance: Undecided → Critical
status: New → Triaged
tags: added: foundations-todo
somekool (somekool) wrote :

I don't know if it's the right solution for all Ubuntu users,
but I found that I could comment out the two FIPS-related lines in the openssl config
and everything works now.

```
$ grep fips /etc/ssl/openssl.cnf
# Optionally include a file that is generated by the OpenSSL fipsinstall
# fips provider. It contains a named section e.g. [fips_sect] which is
#.include fipsmodule.cnf
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
#fips = fips_sect
```

Adrien Nader (adrien) wrote :

Thank you for digging into your issue.

I have trouble reproducing this and there seems to be no obvious path for that file to have been modified that way.

Do you remember changing anything in the openssl configuration (including other lines)? Do you have etckeeper installed maybe? Can you provide the output of 'stat /etc/ssl/openssl.cnf'? Can you provide your full openssl.cnf file?

The two blocks of configuration that you mention do not exist in 22.04 and they are commented out in 22.10.
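
A check for the state discussed in this thread, as an added example that is not part of the original bug report or of OpenSSL or cryptsetup: it lists the uncommented `.include` and `fips = ...` lines in an OpenSSL config and reports any whose file or section does not exist. The function names and the sample config are made up for illustration; relative include paths are tested against the current directory, and the `OPENSSL_CONF_INCLUDE` variable and `includedir` pragma are not handled.

```shell
#!/bin/sh
# Added example, not from the bug report; function names are illustrative.
# Simplifications: "#" always starts a comment, and relative .include paths
# are tested against the current directory, like stat(fipsmodule.cnf) above.

# Print the given config files without comments and blank lines.
active_lines() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$@"
}

# Print the path named by every active ".include" directive in config $1.
include_paths() { active_lines "$1" | sed -n 's/^\.include[[:space:]=]*//p'; }

# Print one finding per dangling FIPS reference in config $1.
fips_conf_findings() {
    include_paths "$1" | while IFS= read -r inc; do
        if [ ! -f "$inc" ]; then echo "missing include file: $inc"; fi
    done
    # Section names defined in the config and in the includes that exist.
    sections=$( { active_lines "$1"
        include_paths "$1" | while IFS= read -r inc; do
            if [ -f "$inc" ]; then active_lines "$inc"; fi
        done; } | sed -n 's/^\[[[:space:]]*\([^][:space:]]*\)[[:space:]]*\]$/\1/p')
    active_lines "$1" | sed -n 's/^fips[[:space:]]*=[[:space:]]*//p' |
    while IFS= read -r sect; do
        if ! printf '%s\n' "$sections" | grep -qxF -- "$sect"; then
            echo "provider section not defined: [$sect]"
        fi
    done
}

# Return 0 if nothing dangles, 1 with findings on stdout, 2 if unreadable.
check_fips_conf() {
    if [ ! -r "$1" ]; then echo "cannot read config: $1"; return 2; fi
    findings=$(fips_conf_findings "$1")
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
}

# Constructed sample: both FIPS lines active, no fipsmodule.cnf beside it.
write_sample_conf() {
    printf '%s\n' 'openssl_conf = openssl_init' '.include fipsmodule.cnf' \
        '[openssl_init]' 'providers = provider_sect' '[provider_sect]' \
        'default = default_sect' 'fips = fips_sect # constructed' \
        '[default_sect]' 'activate = 1' > "$1"
}

# With an argument, check that file; otherwise run on the constructed sample.
if [ "$#" -gt 0 ]; then
    check_fips_conf "$1"
else
    ( cd "$(mktemp -d)" && write_sample_conf openssl.cnf && check_fips_conf openssl.cnf ) || :
fi
```

Run it as `sh check.sh /etc/ssl/openssl.cnf` from the directory in which the failing command was started, since that is where a relative include is looked up.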

Adrien Nader (adrien)
Changed in cryptsetup (Ubuntu):
status: Triaged → Incomplete
Changed in cryptsetup (Ubuntu Kinetic):
status: Triaged → Incomplete
Adrien Nader (adrien)
tags: removed: foundations-todo
Launchpad Janitor (janitor) wrote :

[Expired for cryptsetup (Ubuntu Kinetic) because there has been no activity for 60 days.]

Changed in cryptsetup (Ubuntu Kinetic):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote :

[Expired for cryptsetup (Ubuntu) because there has been no activity for 60 days.]

Changed in cryptsetup (Ubuntu):
status: Incomplete → Expired