[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-14 Thread Steve Beattie
** Changed in: openssl (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: openssl (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl
  library.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-13 Thread Joy Latten
** Changed in: openssl (Ubuntu)
 Assignee: (unassigned) => Joy Latten (j-latten)


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-13 Thread Joy Latten
Additional testing for ntpq authentication to ensure MD5 still works for
ntpq in archive

NOTE: The testing shown is ntpq (with patch) + openssl from archive, to ensure
all still works.
Testing with ntpq + fips-openssl was also done successfully.
 
VM-A (ntp server) 

1. Edit /etc/ntp.keys to include,

1 SHA1 austintexas
2 MD5 cedarpark

2. Edit /etc/ntp.conf to include.

keys /etc/ntp.keys   
trustedkey 2 
controlkey 2
requestkey 2

3. restart ntp
sudo service ntp restart

VM-B (ntp client)

$ dpkg -l | grep ntp
ii  ntp  1:4.2.8p10+dfsg-5ubuntu7.1+ppa1  amd64  Network Time Protocol daemon and utility programs

1. Edit /etc/ntp.keys to include,

1 SHA1 austintexas
2 MD5 cedarpark

2. Edit /etc/ntp.conf to include,
keys /etc/ntp.keys
server  key 2
trustedkey 2
controlkey 2
requestkey 2

3. I commented out all the "pool" entries in /etc/ntp.conf

4. restart ntp
sudo service ntp restart


On the client,

$ ntpq -c as

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 46728  f014   yes   yes   ok reject   reachable  1

Notice that "auth" is ok.

$ ntpq
ntpq> keytype
keytype is MD5 with 16 octet digests
ntpq> keyid 2
ntpq> ifstats
MD5 Password: 
interface namesend
 #  address/broadcast drop flag ttl mc received sent failed peers   uptime
==
  0 v6wildcard   D   81   0  0  0  0  0 0   96
[::]:123
  1 v4wildcard   D   89   0  0  0  0  0 0   96
0.0.0.0:123
  2 lo   .5   0  0  2  1  0 0   96
127.0.0.1:123
  3 ens3 .   19   0  0  2  2  0 1   96
192.168.122.105:123
  4 lo   .5   0  0  0  0  0 0   96
[::1]:123
  5 ens3 .   11   0  0  0  0  0 0   96
[fe80::5054:ff:fefe:b092%2]:123
ntpq> 


Note: issuing "ifstats" requires authentication.

I also tested with SHA1 and it worked as well.


And last test on client, 
ntpq -p 

remote   refid  st t when poll reach   delay   offset  jitter
==
 192.168.122.106 204.11.201.123 u   56   6471.5412.723   0.826


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-13 Thread Joy Latten
Testing:

There are no autopkgtests for ntp pkg and we do not run "make check" in
the tests dir as part of the build. So, just in case it is applicable, I
ran make check on my local build to ensure everything passes.

** Attachment added: "Results of running make check in ../tests directory"
   
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5392383/+files/ntp-test-results


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-13 Thread Joy Latten
** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
- ntpq uses crypto hashes to authenticate its requests. By default it appears 
to use an internal md5 implementation. However, when compiled with openssl it 
creates a lists of acceptable hashes from openssl that can be used. 
-  
+ ntpq uses crypto hashes to authenticate its requests. By default it uses
+ md5. However, when compiled with openssl it creates a lists of
+ acceptable hashes from openssl that can be used.
+ 
  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
  
  [Regression Potential]
  
- I believe the resolution to check the return code and if unsuccessful, do not 
include the hash algorithm in the internal ntpq digest list, should not 
introduce any regression.
- It will simply not add md5 and md5_sha1 to its lists of digests when compiled 
with openssl. Instead it will add the others like sha1, sha2, and sha3.
+ I don't think this should regress ntpq + openssl from the Ubuntu
+ archive.
+ 
+ Current archive ntpq + openssl behaviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list. 
+ ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well 
and sticks all digests into its list regardless if it is working or not.
+ 
+ i.e.  
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ MD4, MD5, RIPEMD160, SHA1, SHAKE128
+ 
+ If somehow openssl library is corrupted and sends back erroneous
+ results, its possible the authentication will just not ever work.
+ 
+ Newly fixed archive ntpq + oenssl beahviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list.
+ ntpq checks each one and includes each working digest. With a non-corrupted 
openssl, everything works fine and ntpq includes each into its list. Ends up 
with a list identical to the one above.
+  
+ If somehow opensll library is corrupted and sends back erroneous results, 
ntpq will hopefully catch it by checking return code and include only those 
algos that appear to be working. Its possible authentication will work for ntpq.
+ 
+ The difference will be seen in ntpq + fips-openssl. ntpq will check
+ return, and for fips-not-approved algos, return will indicate an error.
+ So these algos will be skipped and ntpq will not include into its digest
+ list. Resulting in a much shorter list of only fips-approved algos.
+ 
+ i.e.
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ SHA1, SHAKE128
+ 
+ Since md5 is ntpq's default auth algo, this will need to be changed to one of 
the above algos in the config files. 
+ But I think it is somewhat understood that MD5 is bad in a FIPS environment.
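Review bot: The last added lines of [Regression Potential] say md5 is ntpq's default and "will need to be changed to one of the above algos in the config files", but never name which files or settings an administrator has to change. Since the FIPS list shown just above shrinks to "SHA1, SHAKE128", that is the one user-visible behaviour change in this SRU and should be written as an explicit upgrade step. The added text also has typos to fix before the template is final: "oenssl beahviour", "opensll", and "a lists".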


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten
** Description changed:

- In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
- segfault.
+ [Impact]
+ In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
+ ntpq uses crypto hashes to authenticate its requests. By default it appears 
to use an internal md5 implementation. However, when compiled with openssl it 
creates a lists of acceptable hashes from openssl that can be used. 
+  
+ [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
+ 
+ [Regression Potential]
+ 
+ I believe the resolution to check the return code and if unsuccessful, do not 
include the hash algorithm in the internal ntpq digest list, should not 
introduce any regression.
+ It will simply not add md5 and md5_sha1 to its lists of digests when compiled 
with openssl. Instead it will add the others like sha1, sha2, and sha3.
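Review bot: The added [Regression Potential] sentence "It will simply not add md5 and md5_sha1 to its lists of digests when compiled with openssl" is broader than the analysis above it supports. The quoted EVP_DigestInit_ex check sits inside "#ifdef OPENSSL_FIPS" and "if (FIPS_mode())", so the init call fails, and the digests are dropped, only with the FIPS library in FIPS mode. State that condition, and say what happens to the list in the non-FIPS case, ideally with the ntpq digest list for both.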


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten
Build log: 
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/19570468


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten
debdiff for bionic


** Attachment added: "debdiff.bionic"
   
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5391374/+files/debdiff.bionic


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Dariusz Gadomski
Oh, I have found it: ppa:j-latten/joydevppa

Works perfectly. Thanks!


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Dariusz Gadomski
Sure. Sounds good. Do you have it available in a ppa anywhere to give it
a try?


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten
I added return checks to ntpq code and this appears to solve the
problem. Is it ok to make this an SRU?


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten
Also, this is only applicable in bionic. Neither xenial nor focal
experience this issue.


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten
It seems 2 things are happening to generate this issue

1. fips-openssl in bionic has md5 and md5_sha1 in fips digest list with
explicit purpose of accommodating PRF use only in fips mode. But you
must pass the flag, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to successfully use
them.

2. ntpq does not check return codes from EVP_ calls. It has,
    ctx = EVP_MD_CTX_new();
    EVP_DigestInit(ctx, EVP_get_digestbyname(name));
    EVP_DigestFinal(ctx, digest, &digest_len);
    EVP_MD_CTX_free(ctx);
    if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
        return;

EVP_DigestInit() would have returned 0 in this case indicating a
failure.

Possible fixes:
1. in fips-libcrypto library remove md5 from fips digest list and keep
md5_sha1 for PRF and mark as fips-allowed. Can still use md5 with
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag, but it's just not in fips digest list.

Note: this fix can be put in fips-update ppa for availability. But, it
may be a while before it is re-certified.

2. ntpq should check its return codes and do appropriate thing on error.

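The two causes named in the message above (a FIPS gate that refuses MD5 unless the context carries the allow flag, and a caller that ignores the return code) can be modelled in a few lines of C. This is an added example, not ntpq or OpenSSL code: the `toy_*` names are hypothetical stand-ins, the digest registry is constructed, and `DIGEST_LEN_CAP` is an assumed value for `MAX_MAC_LEN - sizeof(keyid_t)`. Where the real final step dereferences a NULL digest, the model returns 0 so that it can run.

```c
#include <stdio.h>
#include <string.h>
/* Model only: the toy_* names are hypothetical stand-ins, not OpenSSL's API. */
#define MD_FLAG_FIPS            0x1u  /* role of EVP_MD_FLAG_FIPS */
#define CTX_FLAG_NON_FIPS_ALLOW 0x2u  /* role of EVP_MD_CTX_FLAG_NON_FIPS_ALLOW */
#define DIGEST_LEN_CAP          20u   /* assumed MAX_MAC_LEN - sizeof(keyid_t) */

struct toy_md  { const char *name; unsigned flags; unsigned md_size; };
struct toy_ctx { const struct toy_md *digest; unsigned flags; };
static int fips_mode;

/* Constructed registry, in the sorted order an enumerator would walk it. */
static const struct toy_md registry[] = {
    { "MD5",      0u,           16u },
    { "MD5-SHA1", 0u,           36u },
    { "SHA1",     MD_FLAG_FIPS, 20u },
    { "SHA256",   MD_FLAG_FIPS, 32u },
    { "SHAKE128", MD_FLAG_FIPS, 16u },
};
#define N_DIGESTS (sizeof registry / sizeof registry[0])

/* Same gate as the quoted EVP_DigestInit_ex block: 1 = ok, 0 = refused. */
static int toy_digest_init(struct toy_ctx *ctx, const struct toy_md *type)
{
    if (fips_mode && !(type->flags & MD_FLAG_FIPS)
        && !(ctx->flags & CTX_FLAG_NON_FIPS_ALLOW))
        return 0;                 /* ctx->digest stays NULL */
    ctx->digest = type;
    return 1;
}

/* The model returns 0 where the real final step would dereference NULL. */
static int toy_digest_final(const struct toy_ctx *ctx, unsigned *len)
{
    if (ctx->digest == NULL)
        return 0;
    *len = ctx->digest->md_size;
    return 1;
}

/* Checked enumeration: returns the number of key types written to out.
 * *refused counts failed inits, i.e. contexts an unchecked caller would
 * have handed to the final step uninitialised. */
int list_usable_digests(int fips, unsigned ctx_flags, int *refused,
                        char *out, size_t outsz)
{
    int n = 0;
    fips_mode = fips;
    *refused = 0;
    if (outsz == 0)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; i < N_DIGESTS; i++) {
        struct toy_ctx ctx = { NULL, ctx_flags };
        unsigned len = 0;
        if (!toy_digest_init(&ctx, &registry[i])) { (*refused)++; continue; }
        if (!toy_digest_final(&ctx, &len) || len > DIGEST_LEN_CAP)
            continue;             /* failed, or too long for the MAC field */
        if (strlen(out) + strlen(registry[i].name) + 3 > outsz)
            break;                /* no room for ", " + name + NUL */
        if (n++ > 0)
            strcat(out, ", ");
        strcat(out, registry[i].name);
    }
    return n;
}

int main(void)
{
    char buf[64];
    int refused;
    list_usable_digests(1, 0u, &refused, buf, sizeof buf);
    printf("FIPS mode: %d refused, key types: %s\n", refused, buf);
    return 0;
}
```
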

[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-08 Thread Dariusz Gadomski
@j-latten: please let me know if I can provide any help with this.


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-24 Thread Dariusz Gadomski
** Description changed:

  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
  segfault.
  
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
- First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point:
+ First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
- if (FIPS_mode()) {
- if (!(type->flags & EVP_MD_FLAG_FIPS)
- && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
- EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
- return 0;
- }
- }
+ if (FIPS_mode()) {
+ if (!(type->flags & EVP_MD_FLAG_FIPS)
+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
+ return 0;
+ }
+ }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
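Review bot: The context line "EVP_DigestFinal(ctx, digest, _len);" in the list_md_fn excerpt has lost the start of its third argument, and this edit leaves it that way. The fuller excerpt elsewhere in this thread goes on to test digest_len, and the call takes a pointer to the length, so it should read "&digest_len". Fix it while the description is being touched, since this is the call the crash analysis rests on. The rewritten "if (FIPS_mode())" block in the + lines also has no nesting indentation, which makes the two-condition test hard to read.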


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Joy Latten
Investigating.


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Dariusz Gadomski
Changelog in bug #1553309 mentions
"- debian/patches/openssl-1.0.2g-fips-md5-allow.patch: [PATCH 3/6] Allow md5 in fips mode."

I am however unaware of the context of this change (e.g. MD5 is not
included here: [1])

[1]
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Dariusz Gadomski
** Changed in: openssl (Ubuntu Bionic)
   Importance: Undecided => Medium

** Information type changed from Public to Public Security


[Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Dariusz Gadomski
FTR: EVP_add_digest(EVP_md5()); is not present in the Xenial build,
hence there's no crash there.

** Tags added: sts
