| 2016-08-17 18:18:13 |
Joy Latten |
bug |
|
|
added bug |
| 2016-08-17 18:20:26 |
Joy Latten |
description |
The openssl contains incomplete fips patches. In light that the fips is incomplete and will not be completed in the main archive and they are impacting customers, they should be withdrawn. See lp bugs 1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips patches will remove these fips-related issues.
[Test case]
1. Problem in 1594748
Note: this problem was reported in upstream openssl and testcase posted there also.
https://rt.openssl.org/Ticket/Display.html?id=4559
CRYPTO_set_mem_functions() always returns 0 because library initialization within fips code already calls CRYPTO_malloc() and disables it.
This testcase should cause openssl to abort, but instead it returns a context.
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
void * my_alloc(size_t n) { abort(); }
void my_free(void *p) { abort(); }
void * my_realloc(void *p, size_t n) { abort(); }
int main(int argc, const char **argv)
{
const SSL_METHOD *method;
SSL_CTX *ctx;
CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
SSL_library_init();
method = SSLv23_client_method();
ctx = SSL_CTX_new(method);
printf("Got ctx %p\n", ctx);
return 0;
}
2. Problem in 1593953
EC key generation allows user to generate keys using EC curves that the EC sign and verify
do not support when OPENSSL_FIPS is defined.
Testcase taken from lp #1593953
openssl ecparam -genkey -name Oakley-EC2N-4
will fail when OPENSSL_FIPS is defined since it causes a fips key-pair consistency check to be done.
Otherwise, without OPENSSL_FIPS defined, the check is not done.
3. Problem reported in 1588524
Error code being skipped...
Testcase taken from lp #1588524
#include <openssl/err.h>
#include <openssl/ssl.h>
int main() {
int rc;
unsigned long fips_err;
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
rc = FIPS_mode_set(1);
fips_err = ERR_peek_last_error();
// FIPS_mode_set will return 0 on failure, which is expected if
// the FIPS module is not compiled. In this case, we should then
// be able to get the error code
// CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
// https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
printf("%d %lu\n", rc, fips_err);
ERR_print_errors_fp(stdout);
ERR_free_strings();
return 0;
}
Should report an error message.
[ Regression potential ]
Removing the fips patches should decrease regression potential of openssl in the main archive. |
openssl-1.0.2g-1ubuntu4.1 in xenial.
The openssl contains incomplete fips patches. In light that the fips is incomplete and will not be completed in the main archive and they are impacting customers, they should be withdrawn. See lp bugs 1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips patches will remove these fips-related issues.
[Test case]
1. Problem in 1594748
Note: this problem was reported in upstream openssl and testcase posted there also.
https://rt.openssl.org/Ticket/Display.html?id=4559
CRYPTO_set_mem_functions() always returns 0 because library initialization within fips code already calls CRYPTO_malloc() and disables it.
This testcase should cause openssl to abort, but instead it returns a context.
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
void * my_alloc(size_t n) { abort(); }
void my_free(void *p) { abort(); }
void * my_realloc(void *p, size_t n) { abort(); }
int main(int argc, const char **argv)
{
const SSL_METHOD *method;
SSL_CTX *ctx;
CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
SSL_library_init();
method = SSLv23_client_method();
ctx = SSL_CTX_new(method);
printf("Got ctx %p\n", ctx);
return 0;
}
2. Problem in 1593953
EC key generation allows user to generate keys using EC curves that the EC sign and verify
do not support when OPENSSL_FIPS is defined.
Testcase taken from lp #1593953
openssl ecparam -genkey -name Oakley-EC2N-4
will fail when OPENSSL_FIPS is defined since it causes a fips key-pair consistency check to be done.
Otherwise, without OPENSSL_FIPS defined, the check is not done.
3. Problem reported in 1588524
Error code being skipped...
Testcase taken from lp #1588524
#include <openssl/err.h>
#include <openssl/ssl.h>
int main() {
int rc;
unsigned long fips_err;
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
rc = FIPS_mode_set(1);
fips_err = ERR_peek_last_error();
// FIPS_mode_set will return 0 on failure, which is expected if
// the FIPS module is not compiled. In this case, we should then
// be able to get the error code
// CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
// https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
printf("%d %lu\n", rc, fips_err);
ERR_print_errors_fp(stdout);
ERR_free_strings();
return 0;
}
Should report an error message.
[ Regression potential ]
Removing the fips patches should decrease regression potential of openssl in the main archive. |
|
| 2016-08-17 18:22:50 |
Joy Latten |
description |
openssl-1.0.2g-1ubuntu4.1 in xenial.
The openssl contains incomplete fips patches. In light that the fips is incomplete and will not be completed in the main archive and they are impacting customers, they should be withdrawn. See lp bugs 1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips patches will remove these fips-related issues.
[Test case]
1. Problem in 1594748
Note: this problem was reported in upstream openssl and testcase posted there also.
https://rt.openssl.org/Ticket/Display.html?id=4559
CRYPTO_set_mem_functions() always returns 0 because library initialization within fips code already calls CRYPTO_malloc() and disables it.
This testcase should cause openssl to abort, but instead it returns a context.
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
void * my_alloc(size_t n) { abort(); }
void my_free(void *p) { abort(); }
void * my_realloc(void *p, size_t n) { abort(); }
int main(int argc, const char **argv)
{
const SSL_METHOD *method;
SSL_CTX *ctx;
CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
SSL_library_init();
method = SSLv23_client_method();
ctx = SSL_CTX_new(method);
printf("Got ctx %p\n", ctx);
return 0;
}
2. Problem in 1593953
EC key generation allows user to generate keys using EC curves that the EC sign and verify
do not support when OPENSSL_FIPS is defined.
Testcase taken from lp #1593953
openssl ecparam -genkey -name Oakley-EC2N-4
will fail when OPENSSL_FIPS is defined since it causes a fips key-pair consistency check to be done.
Otherwise, without OPENSSL_FIPS defined, the check is not done.
3. Problem reported in 1588524
Error code being skipped...
Testcase taken from lp #1588524
#include <openssl/err.h>
#include <openssl/ssl.h>
int main() {
int rc;
unsigned long fips_err;
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
rc = FIPS_mode_set(1);
fips_err = ERR_peek_last_error();
// FIPS_mode_set will return 0 on failure, which is expected if
// the FIPS module is not compiled. In this case, we should then
// be able to get the error code
// CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
// https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
printf("%d %lu\n", rc, fips_err);
ERR_print_errors_fp(stdout);
ERR_free_strings();
return 0;
}
Should report an error message.
[ Regression potential ]
Removing the fips patches should decrease regression potential of openssl in the main archive. |
Package: openssl-1.0.2g-1ubuntu4.1
Distro: xenial
The openssl contains incomplete fips patches. In light that the fips is incomplete and will not be completed in the main archive and they are impacting customers, they should be withdrawn. See lp bugs 1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips patches will remove these fips-related issues.
[Test case]
1. Problem in 1594748
Note: this problem was reported in upstream openssl and testcase posted there also.
https://rt.openssl.org/Ticket/Display.html?id=4559
CRYPTO_set_mem_functions() always returns 0 because library initialization within fips code already calls CRYPTO_malloc() and disables it.
This testcase should cause openssl to abort, but instead it returns a context.
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
void * my_alloc(size_t n) { abort(); }
void my_free(void *p) { abort(); }
void * my_realloc(void *p, size_t n) { abort(); }
int main(int argc, const char **argv)
{
const SSL_METHOD *method;
SSL_CTX *ctx;
CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
SSL_library_init();
method = SSLv23_client_method();
ctx = SSL_CTX_new(method);
printf("Got ctx %p\n", ctx);
return 0;
}
2. Problem in 1593953
EC key generation allows user to generate keys using EC curves that the EC sign and verify
do not support when OPENSSL_FIPS is defined.
Testcase taken from lp #1593953
openssl ecparam -genkey -name Oakley-EC2N-4
will fail when OPENSSL_FIPS is defined since it causes a fips key-pair consistency check to be done.
Otherwise, without OPENSSL_FIPS defined, the check is not done.
3. Problem reported in 1588524
Error code being skipped...
Testcase taken from lp #1588524
#include <openssl/err.h>
#include <openssl/ssl.h>
int main() {
int rc;
unsigned long fips_err;
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
rc = FIPS_mode_set(1);
fips_err = ERR_peek_last_error();
// FIPS_mode_set will return 0 on failure, which is expected if
// the FIPS module is not compiled. In this case, we should then
// be able to get the error code
// CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
// https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
printf("%d %lu\n", rc, fips_err);
ERR_print_errors_fp(stdout);
ERR_free_strings();
return 0;
}
Should report an error message.
[ Regression potential ]
Removing the fips patches should decrease regression potential of openssl in the main archive. |
|
| 2016-08-19 16:55:23 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-08-19 16:55:23 |
Marc Deslauriers |
bug task added |
|
openssl (Ubuntu Xenial) |
|
| 2016-08-19 16:55:23 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Yakkety |
|
| 2016-08-19 16:55:23 |
Marc Deslauriers |
bug task added |
|
openssl (Ubuntu Yakkety) |
|
| 2016-08-19 16:55:30 |
Marc Deslauriers |
openssl (Ubuntu Yakkety): status |
New |
Fix Committed |
|
| 2016-08-19 16:57:26 |
Marc Deslauriers |
openssl (Ubuntu Xenial): status |
New |
Confirmed |
|
| 2016-08-19 16:57:30 |
Marc Deslauriers |
openssl (Ubuntu Xenial): assignee |
|
Marc Deslauriers (mdeslaur) |
|
| 2016-08-22 11:12:45 |
Marc Deslauriers |
openssl (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
| 2016-08-22 11:15:03 |
Marc Deslauriers |
openssl (Ubuntu Xenial): status |
Confirmed |
In Progress |
|
| 2016-08-22 11:15:28 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2016-08-23 01:28:56 |
Ken Baker |
bug |
|
|
added subscriber Ken Baker |
| 2016-08-24 14:02:56 |
Chris J Arges |
openssl (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2016-08-24 14:03:00 |
Chris J Arges |
bug |
|
|
added subscriber SRU Verification |
| 2016-08-24 14:03:07 |
Chris J Arges |
tags |
|
verification-needed |
|
| 2016-09-13 16:58:52 |
Marc Deslauriers |
tags |
verification-needed |
verification-done |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
openssl (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-2177 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-2178 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-2179 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-2180 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-2181 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-2182 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-2183 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-6302 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-6303 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-6304 |
|
| 2016-09-22 20:06:30 |
Launchpad Janitor |
cve linked |
|
2016-6306 |
|
