[Touch-packages] [Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5

2020-10-08 Thread Joy Latten
This has been fixed in bionic. Already fixed in xenial.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1898078

Title:
  FIPS OpenSSL crashes Python2.7 hashlib when using MD5

Status in python2.7 package in Ubuntu:
  New
Status in python2.7 source package in Xenial:
  New
Status in python2.7 source package in Bionic:
  New
Status in python2.7 source package in Focal:
  New
Status in python2.7 source package in Groovy:
  New

Bug description:
  LP #1835135 was fixed in python2.7. However, when python2.7 was
  updated to the current version, the fix was not included. It needs to be
  included again into the current version of python2.7 to prevent FIPS
  issues when using fips openssl with python's hashlib. This is only a
  problem in the latest python2.7 versions in xenial, bionic, focal, and
  groovy. python3 versions do not have this problem in these releases.

  The fix was a backport of
  
https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1898078/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
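As an added illustration (my own code, not part of the bug report or of the CPython fix it references), the following Python 3 helper shows the defensive pattern an application can use when a FIPS-restricted OpenSSL refuses MD5: request the digest as non-security use where the interpreter supports that keyword, and otherwise catch the ValueError that a patched interpreter raises instead of crashing. It assumes Python 3 and hashlib only; the function names and the b"abc" test vectors are mine.

```python
import hashlib

# Constructed reference values for the self-check below (digests of b"abc").
MD5_ABC = "900150983cd24fb0d6963f7d28e17f72"
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def new_digest(name, data=b"", usedforsecurity=False):
    """Open a hashlib context for `name`.

    Python 3.9+ accepts usedforsecurity=...; passing False marks the digest
    as a non-security use (a checksum), which some FIPS-enabled builds honour
    by still allowing MD5. Older interpreters reject the keyword with
    TypeError, so fall back to the plain constructor there. When the OpenSSL
    build still refuses the algorithm, hashlib raises ValueError
    ("unsupported hash type ...") and that error is propagated unchanged.
    """
    try:
        return hashlib.new(name, data, usedforsecurity=usedforsecurity)
    except TypeError:
        return hashlib.new(name, data)


def digest_available(name):
    """True if a context for `name` can actually be constructed.

    Probing by construction is more reliable than consulting
    hashlib.algorithms_available, which may list a name that the underlying
    OpenSSL build refuses to instantiate in FIPS mode.
    """
    try:
        new_digest(name)
    except ValueError:
        return False
    return True


def checksum(data, preferred="md5", fallback="sha256"):
    """Return (algorithm_name, hexdigest) for a non-security checksum.

    Uses `preferred` (MD5 by default, for compatibility with existing
    checksum files) and degrades to `fallback` when the interpreter's
    OpenSSL refuses the preferred algorithm, instead of letting the
    ValueError (or, on the unpatched Python 2.7 from the bug report, a
    crash) take down the program.
    """
    try:
        h = new_digest(preferred, data)
    except ValueError:
        h = new_digest(fallback, data)
    return h.name, h.hexdigest()


if __name__ == "__main__":
    print("md5 available:", digest_available("md5"))
    algo, hexdigest = checksum(b"abc")
    print(algo, hexdigest)
```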


[Touch-packages] [Bug 1731410] Re: package pcscd 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2020-10-07 Thread Joy Latten
Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Incomplete

https://bugs.launchpad.net/bugs/1731410

Title:
  package pcscd 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade:
  subprocess installed post-installation script returned error exit
  status 1

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
   sudo apt-get install openvpn easy-rsa
  [sudo] пароль для max: 
  Чтение списков пакетов… Готово
  Построение дерева зависимостей   
  Чтение информации о состоянии… Готово
  Будут установлены следующие дополнительные пакеты:
libccid libpkcs11-helper1 opensc opensc-pkcs11 pcscd
  НОВЫЕ пакеты, которые будут установлены:
easy-rsa libccid libpkcs11-helper1 opensc opensc-pkcs11 openvpn pcscd
  обновлено 0, установлено 7 новых пакетов, для удаления отмечено 0 пакетов, и 
1 пакетов не обновлено.
  Необходимо скачать 1 544 kБ архивов.
  После данной операции, объём занятого дискового пространства возрастёт на 4 
993 kB.
  Хотите продолжить? [Д/н] y
  Пол:1 http://ru.archive.ubuntu.com/ubuntu xenial/main amd64 libpkcs11-helper1 
amd64 1.11-5 [44,0 kB]
  Пол:2 http://ru.archive.ubuntu.com/ubuntu xenial/universe amd64 opensc-pkcs11 
amd64 0.15.0-1ubuntu1 [708 kB]
  Пол:3 http://ru.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 
libccid amd64 1.4.22-1ubuntu0.1 [85,8 kB]
  Пол:4 http://ru.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 pcscd 
amd64 1.8.14-1ubuntu1.16.04.1 [55,7 kB]
  Пол:5 http://ru.archive.ubuntu.com/ubuntu xenial/universe amd64 opensc amd64 
0.15.0-1ubuntu1 [212 kB]
  Пол:6 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main amd64 openvpn 
amd64 2.3.10-1ubuntu2.1 [421 kB]
  Пол:7 http://ru.archive.ubuntu.com/ubuntu xenial/universe amd64 easy-rsa all 
2.2.2-2 [17,4 kB]
  Получено 1 544 kБ за 0с (1 946 kБ/c)
  Предварительная настройка пакетов ...
  Выбор ранее не выбранного пакета libpkcs11-helper1:amd64.
  dpkg: предупреждение: список файлов пакета «resolvconf» отсутствует; 
предполагаем, что на данный момент у пакета нет установленных файлов
  (Чтение базы данных … на данный момент установлен 246061 файл и каталог.)
  Подготовка к распаковке …/libpkcs11-helper1_1.11-5_amd64.deb …
  Распаковывается libpkcs11-helper1:amd64 (1.11-5) …
  Выбор ранее не выбранного пакета opensc-pkcs11:amd64.
  Подготовка к распаковке …/opensc-pkcs11_0.15.0-1ubuntu1_amd64.deb …
  Распаковывается opensc-pkcs11:amd64 (0.15.0-1ubuntu1) …
  Выбор ранее не выбранного пакета libccid.
  Подготовка к распаковке …/libccid_1.4.22-1ubuntu0.1_amd64.deb …
  Распаковывается libccid (1.4.22-1ubuntu0.1) …
  Выбор ранее не выбранного пакета pcscd.
  Подготовка к распаковке …/pcscd_1.8.14-1ubuntu1.16.04.1_amd64.deb …
  Распаковывается pcscd (1.8.14-1ubuntu1.16.04.1) …
  Выбор ранее не выбранного пакета opensc.
  Подготовка к распаковке …/opensc_0.15.0-1ubuntu1_amd64.deb …
  Распаковывается opensc (0.15.0-1ubuntu1) …
  Выбор ранее не выбранного пакета openvpn.
  Подготовка к распаковке …/openvpn_2.3.10-1ubuntu2.1_amd64.deb …
  Распаковывается openvpn (2.3.10-1ubuntu2.1) …
  Выбор ранее не выбранного пакета easy-rsa.
  Подготовка к распаковке …/easy-rsa_2.2.2-2_all.deb …
  Распаковывается easy-rsa (2.2.2-2) …
  Обрабатываются триггеры для libc-bin (2.23-0ubuntu9) …
  Обрабатываются триггеры для man-db (2.7.5-1) …
  Обрабатываются триггеры для systemd (229-4ubuntu21) …
  Обрабатываются триггеры для ureadahead (0.100.0-19) …
  ureadahead will be reprofiled on next reboot
  Настраивается пакет libpkcs11-helper1:amd64 (1.11-5) …
  Настраивается пакет opensc-pkcs11:amd64 (0.15.0-1ubuntu1) …
  Настраивается пакет libccid (1.4.22-1ubuntu0.1) …
  Настраивается пакет pcscd (1.8.14-1ubuntu1.16.04.1) …
  insserv: warning: script 'K10runmbbservice' missing LSB tags and overrides
  insserv: warning: script 'runmbbservice' missing LSB tags and overrides
  insserv: There is a loop between service plymouth and urandom if started
  insserv:  loop involving service urandom at depth 4
  insserv:  loop involving service hwclock at depth 3
  insserv: There is a loop between service runmbbservice and udev if started
  insserv:  loop involving service udev at depth 1
  insserv: Starting runmbbservice depends on plymouth and therefore on system 
facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth and therefore on system 
facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth and therefore on system 
facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth and therefore on system 
facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth and therefore on system 
facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth 

[Touch-packages] [Bug 1683378] Re: package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting

2020-10-07 Thread Joy Latten
Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Incomplete

https://bugs.launchpad.net/bugs/1683378

Title:
  package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to
  install/upgrade: package is in a very bad inconsistent state; you
  should reinstall it before attempting configuration

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  kernel panic

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1
  ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
  Uname: Linux 4.4.0-66-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  Date: Sat Apr 15 16:04:43 2017
  Dependencies:
   gcc-6-base 6.0.1-0ubuntu1
   libc6 2.23-0ubuntu7
   libgcc1 1:6.0.1-0ubuntu1
  DuplicateSignature:
   package:libpcsclite1:amd64:1.8.14-1ubuntu1.16.04.1
   Setting up libc6-dev:amd64 (2.23-0ubuntu7) ...
   dpkg: error processing package libpcsclite1:amd64 (--configure):
package is in a very bad inconsistent state; you should
  ErrorMessage: package is in a very bad inconsistent state; you should  
reinstall it before attempting configuration
  InstallationDate: Installed on 2017-01-06 (101 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 
(20160719)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.1
   apt  1.2.19
  SourcePackage: pcsc-lite
  Title: package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to 
install/upgrade: package is in a very bad inconsistent state; you should  
reinstall it before attempting configuration
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1683378/+subscriptions



[Touch-packages] [Bug 1690543] Re: package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: trying to overwrite shared '/usr/share/doc/libpcsclite1/changelog.Debian.gz', which is different from other instances of package libpcsclite1:amd64

2020-10-07 Thread Joy Latten
Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Incomplete

https://bugs.launchpad.net/bugs/1690543

Title:
  package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to
  install/upgrade: trying to overwrite shared
  '/usr/share/doc/libpcsclite1/changelog.Debian.gz', which is
  different from other instances of package libpcsclite1:amd64

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  This happens when I turn on the machine

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: libpcsclite1 1.8.14-1ubuntu1.16.04.1
  ProcVersionSignature: Ubuntu 4.4.0-62.83-generic 4.4.40
  Uname: Linux 4.4.0-62-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  Date: Fri May 12 20:35:07 2017
  Dependencies:
   gcc-6-base 6.0.1-0ubuntu1
   libc6 2.23-0ubuntu7
   libgcc1 1:6.0.1-0ubuntu1
  DpkgHistoryLog:
   Start-Date: 2017-05-12  20:35:07
   Commandline: apt-get -f install
   Upgrade: libpcsclite1:amd64 (1.8.5-1ubuntu1, 1.8.14-1ubuntu1.16.04.1)
  DpkgTerminalLog:
   A preparar para desempacotar 
.../libpcsclite1_1.8.14-1ubuntu1.16.04.1_amd64.deb ...
   A descompactar libpcsclite1:amd64 (1.8.14-1ubuntu1.16.04.1) sobre 
(1.8.5-1ubuntu1) ...
   dpkg: erro ao processar o arquivo 
/var/cache/apt/archives/libpcsclite1_1.8.14-1ubuntu1.16.04.1_amd64.deb 
(--unpack):
a tentar sobreescrever '/usr/share/doc/libpcsclite1/changelog.Debian.gz' 
partilhado, que é diferente de outras instâncias do pacote libpcsclite1:amd64
  ErrorMessage: a tentar sobreescrever 
'/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é diferente 
de outras instâncias do pacote libpcsclite1:amd64
  InstallationDate: Installed on 2017-01-13 (120 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 
(20160719)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.2
   apt  1.2.20
  SourcePackage: pcsc-lite
  Title: package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to 
install/upgrade: a tentar sobreescrever 
'/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é diferente 
de outras instâncias do pacote libpcsclite1:amd64
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1690543/+subscriptions



[Touch-packages] [Bug 1570359] Re: pcscd crashed with SIGSEGV in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()

2020-10-07 Thread Joy Latten
Hi, Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Incomplete

https://bugs.launchpad.net/bugs/1570359

Title:
  pcscd crashed with SIGSEGV in
  __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  crashed when login

  ProblemType: Crash
  DistroRelease: Ubuntu 16.04
  Package: pcscd 1.8.14-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-16-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu1
  Architecture: amd64
  Date: Mon Apr  4 17:29:56 2016
  Disassembly: => 0x7f7da881b64c:   Cannot access memory at address 
0x7f7da881b64c
  ExecutablePath: /usr/sbin/pcscd
  InstallationDate: Installed on 2016-03-06 (39 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160304)
  ProcCmdline: /usr/sbin/pcscd --foreground --auto-exit
  SegvAnalysis:
   Segfault happened at: 0x7f7da881b64c:Cannot access memory at address 
0x7f7da881b64c
   PC (0x7f7da881b64c) not located in a known VMA region (needed executable 
region)!
   Stack memory exhausted (SP below stack segment)
  SegvReason: executing unknown VMA
  Signal: 11
  SourcePackage: pcsc-lite
  StacktraceTop:
   ?? ()
   __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__ () from 
/lib/x86_64-linux-gnu/libc.so.6
   ?? ()
  Title: pcscd crashed with SIGSEGV in 
__elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1570359/+subscriptions



[Touch-packages] [Bug 1539999] Re: Omnikey Cardreader not working

2020-10-07 Thread Joy Latten
Is this still an issue? Changing to incomplete.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Incomplete

https://bugs.launchpad.net/bugs/153

Title:
  Omnikey Cardreader not working

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  On my desktop & sony vaio laptop, Alpha 2 Ubuntu-mate does not start my usb 
Omnikey 3121 card reader.
  The 3121 is listed in terminal when I perform 'lsusb'. The reader does work 
under concurrent devuan 1. I have installed pcscd (which drags in libccid 
correctly) & pcsc-tools but this hasn't corrected the problem even with a 
reboot.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/153/+subscriptions



[Touch-packages] [Bug 1366152] Re: System crash when Vasco-card-reader is plugged in at powerup

2020-10-07 Thread Joy Latten
This bug report has had no activity and has eol. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Won't Fix

https://bugs.launchpad.net/bugs/1366152

Title:
  System crash when Vasco-card-reader is plugged in at powerup

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  I'm using VASCO Data Security International Digipass 905 SmartCard Reader 
which is working fine. However if the device is plugged in at power-up, the 
device isn't handled well. Although the device is in the listed usb-devices, 
pcsc-scan doesn't find the device at all (Which is normal as the green-led is 
going out after the kernel starts). If one tries to remove the card-reader,
  a system-crash happens. After that the pcscd-service seems to be halted :
  pcsc_scan
  PC/SC device scanner
  V 1.4.22 (c) 2001-2011, Ludovic Rousseau 
  Compiled with PC/SC lite version: 1.8.10
  SCardEstablishContext: Service not available.

  One can recover from this problem by
  1. Unplugging the reader
  2. Manually starting the service again by sudo service pcscd start 
  3. Plugging back the reader in (green led stays on, red led goes on when a 
card is put in)

  The bug is not related to a 64-bit architecture as it happens also
  with 32-bit machines.

  Info about the device
  Bus 001 Device 005: ID 1a44:0001 VASCO Data Security International Digipass 
905 SmartCard Reader
  Couldn't open device, some information will be missing
  Device Descriptor:
    bLength                18
    bDescriptorType         1
    bcdUSB               1.10
    bDeviceClass            0 (Defined at Interface level)
    bDeviceSubClass         0
    bDeviceProtocol         0
    bMaxPacketSize0         8
    idVendor           0x1a44 VASCO Data Security International
    idProduct          0x0001 Digipass 905 SmartCard Reader
    bcdDevice            1.02
    iManufacturer           1
    iProduct                2
    iSerial                 0
    bNumConfigurations      1
    Configuration Descriptor:
      bLength                 9
      bDescriptorType         2
      wTotalLength           93
      bNumInterfaces          1
      bConfigurationValue     1
      iConfiguration          0
      bmAttributes         0x80
        (Bus Powered)
      MaxPower               50mA
      Interface Descriptor:
        bLength                 9
        bDescriptorType         4
        bInterfaceNumber        0
        bAlternateSetting       0
        bNumEndpoints           3
        bInterfaceClass        11 Chip/SmartCard
        bInterfaceSubClass      0
        bInterfaceProtocol      0
        iInterface              0
        ChipCard Interface Descriptor:
          bLength                54
          bDescriptorType        33
          bcdCCID              1.00
          nMaxSlotIndex           0
          bVoltageSupport         3  5.0V 3.0V
          dwProtocols             3  T=0 T=1
          dwDefaultClock       3700
          dwMaxiumumClock      3700
          bNumClockSupported      1
          dwDataRate           9946 bps
          dwMaxDataRate      318280 bps
          bNumDataRatesSupp.     53
          dwMaxIFSD             254
          dwSyncProtocols      0007  2-wire 3-wire I2C
          dwMechanical
          dwFeatures       000404BE
            Auto configuration based on ATR
            Auto activation on insert
            Auto voltage selection
            Auto clock change
            Auto baud rate change
            Auto PPS made by CCID
            Auto IFSD exchange
            Short and extended APDU level exchange
          dwMaxCCIDMsgLen       272
          bClassGetResponse    echo
          bClassEnvelope       echo
          wlcdLayout           none
          bPINSupport             0
          bMaxCCIDBusySlots       1
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x81  EP 1 IN
          bmAttributes            3
            Transfer Type            Interrupt
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0004  1x 4 bytes
          bInterval              32
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x02  EP 2 OUT
          bmAttributes            2
            Transfer Type            Bulk
            Synch Type               None
            Usage Type               Data
          wMaxPacketSize     0x0010  1x 16 bytes
          bInterval               0
        Endpoint Descriptor:
          bLength                 7
          bDescriptorType         5
          bEndpointAddress     0x83  EP 3 IN
          bmAttributes            2
            Transfer Type            Bulk

[Touch-packages] [Bug 1700104] Re: package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

2020-10-07 Thread Joy Latten
Fixed in subsequent release. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Won't Fix

https://bugs.launchpad.net/bugs/1700104

Title:
  package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess
  installed post-installation script returned error exit status 1

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  .

  ProblemType: Package
  DistroRelease: Ubuntu 14.04
  Package: pcscd 1.8.10-1ubuntu1.1
  ProcVersionSignature: Ubuntu 4.4.0-81.104~14.04.1-generic 4.4.67
  Uname: Linux 4.4.0-81-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.24
  AptOrdering:
   pcscd: Install
   pcscd: Configure
  Architecture: amd64
  Date: Fri Jun 23 12:21:31 2017
  DuplicateSignature: package:pcscd:1.8.10-1ubuntu1.1:subprocess installed 
post-installation script returned error exit status 1
  ErrorMessage: subprocess installed post-installation script returned error 
exit status 1
  InstallationDate: Installed on 2016-12-28 (177 days ago)
  InstallationMedia: Ubuntu 14.04.5 LTS "Trusty Tahr" - Release amd64 (20160803)
  RelatedPackageVersions:
   dpkg 1.17.5ubuntu5.7
   apt  1.0.1ubuntu2.17
  SourcePackage: pcsc-lite
  Title: package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess 
installed post-installation script returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1700104/+subscriptions



[Touch-packages] [Bug 1161882] Re: ACR38U Does not work on 12.10

2020-10-07 Thread Joy Latten
This bug was not applicable to pcsc-lite package. Closing since no
activity and eol.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Invalid

https://bugs.launchpad.net/bugs/1161882

Title:
  ACR38U Does not work on 12.10

Status in pcsc-lite package in Ubuntu:
  Invalid

Bug description:
  I have ACR38U CCID reader and it works great under Ubuntu 10.10
  but it doesn't work under 12.10

  
  here's log from Ubuntu 10.10 (it works there)
  -
  0336 ifdhandler.c:1565:init_driver() DriverOptions: 0x
  0013 ifdhandler.c:82:IFDHCreateChannelByName() lun: 0, device: 
usb:072f/90cc:libusb:005:002
  0674 ccid_usb.c:285:OpenUSBByName() Manufacturer: Ludovic Rousseau 
(ludovic.rouss...@free.fr)
  0301 ccid_usb.c:295:OpenUSBByName() ProductString: Generic CCID driver
  0294 ccid_usb.c:301:OpenUSBByName() Copyright: This driver is protected 
by terms of the GNU Lesser General Public License version 2.1, or (at your 
option) any later version.
  00053062 ccid_usb.c:501:OpenUSBByName() Found Vendor/Product: 072F/90CC (ACS 
ACR 38U-CCID)
  0016 ccid_usb.c:503:OpenUSBByName() Using USB bus/device: 005/002
  2747 ccid_usb.c:893:get_data_rates() IFD does not support GET_DATA_RATES 
request: Success
  8994 ifdhandler.c:364:IFDHGetCapabilities() tag: 0xFB0, 
usb:072f/90cc:libusb:005:002 (lun: 0)
  0020 readerfactory.c:249:RFAddReader() Using the pcscd polling thread
  2025 ifdhandler.c:364:IFDHGetCapabilities() tag: 0xFAE, 
usb:072f/90cc:libusb:005:002 (lun: 0)
  0014 ifdhandler.c:418:IFDHGetCapabilities() Reader supports 1 slot(s)
  3935 ifdhandler.c:1043:IFDHPowerICC() action: PowerUp, 
usb:072f/90cc:libusb:005:002 (lun: 0)
  00152050 Card ATR: 3B 6D 00 00 80 31 80 65 B0 87 27 01 BC 83 08 90 00
  --
  but doesn't on Ubuntu 12.10

  5311 ccid_usb.c:649:OpenUSBByName() Found Vendor/Product: 072F/90CC (ACS 
ACR38U-CCID)
  0019 ccid_usb.c:651:OpenUSBByName() Using USB bus/device: 004/007
  2590 ccid_usb.c:1366:get_data_rates() IFD does not support GET_DATA_RATES 
request: Success
  1979 ifdhandler.c:220:IFDHCreateChannelByName() dwFeatures: 0x00010030
  0047 ifdhandler.c:221:IFDHCreateChannelByName() wLcdLayout: 0x
  0034 ifdhandler.c:222:IFDHCreateChannelByName() bPINSupport: 0x00
  0050 ifdhandler.c:223:IFDHCreateChannelByName() dwMaxCCIDMessageLength: 
271
  0045 ifdhandler.c:224:IFDHCreateChannelByName() dwMaxIFSD: 247
  0044 ifdhandler.c:225:IFDHCreateChannelByName() dwDefaultClock: 4000
  0033 ifdhandler.c:226:IFDHCreateChannelByName() dwMaxDataRate: 344100
  0045 ifdhandler.c:227:IFDHCreateChannelByName() bMaxSlotIndex: 0
  0043 ifdhandler.c:228:IFDHCreateChannelByName() bCurrentSlotIndex: 0
  0044 ifdhandler.c:229:IFDHCreateChannelByName() bInterfaceProtocol: 0x00
  0033 ifdhandler.c:230:IFDHCreateChannelByName() bNumEndpoints: 3
  0038 ifdhandler.c:231:IFDHCreateChannelByName() bVoltageSupport: 0x07
  0041 ifdhandler.c:536:IFDHGetCapabilities() tag: 0xFB3, 
usb:072f/90cc:libudev:0:/dev/bus/usb/004/007 (lun: 0)
  0040 readerfactory.c:327:RFAddReader() Using the pcscd polling thread
  1538 ifdhandler.c:536:IFDHGetCapabilities() tag: 0xFAE, 
usb:072f/90cc:libudev:0:/dev/bus/usb/004/007 (lun: 0)
  0028 ifdhandler.c:630:IFDHGetCapabilities() Reader supports 1 slot(s)
  3888 ifdhandler.c:1354:IFDHPowerICC() action: PowerUp, 
usb:072f/90cc:libudev:0:/dev/bus/usb/004/007 (lun: 0)
  00152081 eventhandler.c:256:EHStatusHandlerThread() powerState: 
POWER_STATE_POWERED
  0047 Card ATR: 3B 6D 00 00 80 31 80 65 B0 87 27 01 BC 83 08 90 00 
  00404960 ifdhandler.c:1354:IFDHPowerICC() action: PowerDown, 
usb:072f/90cc:libudev:0:/dev/bus/usb/004/007 (lun: 0)
  00098010 eventhandler.c:446:EHStatusHandlerThread() powerState: 
POWER_STATE_UNPOWERED

  syslog 
  ---
  Mar 29 18:55:07 ubuntu12 kernel: [ 1959.368178] usb 4-1: USB disconnect, 
device number 7
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.700087] usb 4-1: new full-speed USB 
device number 9 using uhci_hcd
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.876838] usb 4-1: New USB device 
found, idVendor=072f, idProduct=90cc
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.876851] usb 4-1: New USB device 
strings: Mfr=1, Product=2, SerialNumber=0
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.876859] usb 4-1: Product: CCID USB 
Reader
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.876867] usb 4-1: Manufacturer: ACS
  Mar 29 18:55:11 ubuntu12 mtp-probe: checking bus 4, device 9: 
"/sys/devices/pci:00/:00:1d.0/usb4/4-1"
  Mar 29 18:55:11 ubuntu12 mtp-probe: bus: 4, device: 9 was not an MTP device

  what can be the reason?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1161882/+subscriptions


[Touch-packages] [Bug 1090238] Re: pcscd hangs after ejecting Rutoken ECP making some communication with token

2020-10-07 Thread Joy Latten
This was fixed in subsequent release. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Fix Committed

https://bugs.launchpad.net/bugs/1090238

Title:
  pcscd hangs after ejecting Rutoken ECP making some communication with
  token

Status in pcsc-lite package in Ubuntu:
  Fix Committed

Bug description:
  I'm running any example from the rutoken sdk after ejecting Rutoken. Pcscd
  gets an error and nothing makes it continue working; only a daemon
  restart helps. If I'm not using the rutokenecp library all works ok.

  This error is fixed in pcscd 1.8.7, please upgrade the
  pcscd, libpcsclite1 and ccid packages.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: pcscd 1.8.5-1ubuntu1
  ProcVersionSignature: Ubuntu 3.5.0-19.30-generic 3.5.7
  Uname: Linux 3.5.0-19-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.6.1-0ubuntu9
  Architecture: amd64
  Date: Fri Dec 14 10:24:57 2012
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2012-10-11 (63 days ago)
  InstallationMedia: Xubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 
(20120822.1)
  MarkForUpload: True
  SourcePackage: pcsc-lite
  UpgradeStatus: Upgraded to quantal on 2012-10-29 (45 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pcsc-lite/+bug/1090238/+subscriptions



[Touch-packages] [Bug 1061947] Re: pcscd (auto)starting and permission troubles

2020-10-07 Thread Joy Latten
This is most likely fixed via pcscd starting from systemd in current
releases. Closing this since it has had no activity and has eol.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Fix Committed

https://bugs.launchpad.net/bugs/1061947

Title:
  pcscd (auto)starting and permission troubles

Status in pcsc-lite package in Ubuntu:
  Fix Committed

Bug description:
  Kernel: Linux 3.2.0-31-generic-pae (i686)
  Distribution  : Ubuntu 12.04.1 LTS
  Desktop   : XFCE 4
  pcscd : 1.7.4-2ubuntu2

  Information on how to start pcscd the right way is very limited. What
  I found out after digging in for some days ... : --help and man pcscd
  are not really helpful. After installing the packet, pcscd doesn't
  launch itself.

  After a while I found out there is a script /etc/init.d/pcscd (not mentioned 
in man) that is supposed to start the daemon at startup, but it has a line 
'exit 0' in it preventing it from running ..., and a comment that is not very 
helpful for an average Linux user. So I think ok, it doesn't need to run at 
startup. Let me try to start the daemon myself ...
  And then troubles begin. It's easy to mess it up: As I found out (and it 
took me a while, believe me...) running pcscd as a simple user (not as root) 
hangs further well behaviour of the daemon. Only if you use it with the -x 
option, it will kill itself after 60s. Otherwise it just states it is already 
running but can't access a card reader.

  So please, state clearly in man that you have to run pcscd as root to
  start it as a daemon !  Or, alternatively, make the timeout of 60 s
  the default so that you can get out of a blocking situation !

  To check the good working of a card reader, pcsc_scan can be used. But
  also here, if you start it as a regular user and pcscd isn't launched
  yet, it launches the daemon for you, but hey, you are not root, so
  bingo, blocked again. Luckily, it seems to be launched with the -x
  option, so (only) after 60s you can try again, as root this time ...
  To make the whole a little more confusing, once the daemon is running,
  you can launch pcsc_scan as regular user without problem. But that's
  good, I think, after all, since it means (as far as I understand) that
  applications can get to the card reader without any augmented
  permissions.

  So stays the question: how do I start the daemon the right way ?  I haven't 
found out yet ...
  I could use /etc/init.d/pcscd and comment out the 'exit 0'. But I fear the 
daemon will be very diligent to do its work, probing my machine for the heck of 
it (as I noted running sudo pcscd -x -d and watching syslog).

  Ideally, the daemon would be started on startup, with the right
  permissions, but without it probing constantly for some reader. Then
  an application that wants to get access to a reader, could 'tickle'
  the daemon so it starts probing for some time, the application does
  its thing, and the daemon stops probing when not needed anymore.

  If someone knows this is possible, or if there is another preferred scenario, 
I would be glad to hear about it !  I also read that a new version of pcscd will 
use another means to start automatically, but it's not supported (yet?) on 
Ubuntu ?
  Meanwhile, I hope this info can already help someone taming this one ...

  Bart.

  The technical stuff:

  After boot (daemon not running) executing 'sudo pcsc_scan' -- it's working!
  Information for reader is displayed. Even if after that (within 60s) I just
  run 'pcsc_scan', the information is displayed again.
  syslog messages (had some logging enabled in my driver):
    Oct  4 16:31:22 BP-LIN pcscd: debuglog.c:269:DebugLogSetLevel() debug level=debug
    Oct  4 16:31:22 BP-LIN kernel: [ 3379.177470] OZSCRLX ozscr_open: called
    Oct  4 16:31:22 BP-LIN kernel: [ 3379.177489] OZSCRLX ozscr_ioctl: OZSCR_STATUS
    ...
    Oct  4 16:32:28 BP-LIN kernel: [ 3445.597205] OZSCRLX ozscr_ioctl: OZSCR_STATUS
    Oct  4 16:32:28 BP-LIN kernel: [ 3445.997318] OZSCRLX ozscr_ioctl: OZSCR_STATUS
    Oct  4 16:32:29 BP-LIN kernel: [ 3446.398025] OZSCRLX ozscr_close: called

  Ok, now relaunching 'pcsc_scan' as regular user. The daemon just keeps waiting
  for a reader, no information for the reader displayed.
  syslog states:
    Oct  4 16:34:26 BP-LIN pcscd: dyn_unix.c:81:DYN_GetAddress() IFDHCreateChannelByName: /usr/local/o2micro/lib_OZSCR.so: undefined symbol: IFDHCreateChannelByName
    Oct  4 16:34:26 BP-LIN pcscd: readerfactory.c:965:RFInitializeReader() Open Port 0xF1 Failed (/dev/o2scr0)
    Oct  4 16:34:26 BP-LIN pcscd: readerfactory.c:275:RFAddReader() O2Micro SmartCardBus Reader init failed.

  Escaping and trying to run 'pcsc_scan' again. No luck ...
  syslog states:
    Oct  4 16:36:38 BP-LIN pcscd: pcscdaemon.c:342:main() file

[Touch-packages] [Bug 796893] Re: Rutoken Magistra init fails in natty

2020-10-07 Thread Joy Latten
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Won't Fix

https://bugs.launchpad.net/bugs/796893

Title:
  Rutoken Magistra init fails in natty

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  After upgrading 10.10 -> 11.04 I have permanent problems with Rutoken.
  This is the syslog after each insertion of the token into USB:

  Jun 13 20:11:56 sportmac pcscd: ccid_usb.c:441:OpenUSBByName() Can't libusb_open(2/11): -3
  Jun 13 20:11:56 sportmac pcscd: ifdhandler.c:101:IFDHCreateChannelByName() failed
  Jun 13 20:11:56 sportmac pcscd: readerfactory.c:965:RFInitializeReader() Open Port 0x20 Failed (usb:0a89/0060:libudev:0:/dev/bus/usb/002/011)
  Jun 13 20:11:56 sportmac pcscd: readerfactory.c:275:RFAddReader() Aktiv Rutoken Magistra init failed.

  If I stop the pcscd service & run it manually in debug mode (pcscd -fd),
  then everything works. Never had such a problem in Ubuntu 10.10. My
  hardware is a Mac mini with Nvidia (previous to 'unibody').



[Touch-packages] [Bug 1004683] Re: pcscd fails to access Reiner SCT CyberJack card reader

2020-10-07 Thread Joy Latten
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Invalid

https://bugs.launchpad.net/bugs/1004683

Title:
  pcscd fails to access Reiner SCT CyberJack card reader

Status in pcsc-lite package in Ubuntu:
  Invalid

Bug description:
  I tried to access my banking card for the first time since upgrading to
  Precise Pangolin, but the system behaved somewhat strangely:
  When I plug the reader into the USB port I usually get a LED flashing a
  few times and some info about the device and its firmware version. I saw
  this today as well, but instead of waiting for actions from the banking
  software the display fell dead again and I couldn't do my banking.
  I investigated a bit and found this in syslog every time I plugged in
  the reader:

  May 25 21:50:00 host kernel: [ 8119.920068] usb 2-2: new full-speed USB device number 9 using uhci_hcd
  May 25 21:50:01 host mtp-probe: checking bus 2, device 9: "/sys/devices/pci:00/:00:1d.0/usb2/2-2"
  May 25 21:50:01 host mtp-probe: bus: 2, device: 9 was not an MTP device

  Scanning through udev rules I found the device in
  /lib/udev/rules.d/40-libifd-cyberjack6.rules:

  ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0400", MODE="660", GROUP="pcscd"

  Looks good to me, so I'm a bit lost for now.
  Maybe this is a udev problem, not pcscd's?

  
  My setup information:
  Description:Ubuntu 12.04 LTS
  Release:12.04

  pcscd:
Installiert: 1.7.4-2ubuntu2
Kandidat:1.7.4-2ubuntu2
Versionstabelle:
   *** 1.7.4-2ubuntu2 0
  500 http://de.archive.ubuntu.com/ubuntu/ precise/universe i386 
Packages
  100 /var/lib/dpkg/status

  
  Please let me know if and how I can be of any help to solve this.

  Thanks for your hard work, I love working with Ubuntu every day, as it
  fits my needs.

  Friedemann

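
The udev rule quoted in the report above decides who may open the reader's device node, and the -3 that libusb_open returns in the Rutoken report earlier on this page (LIBUSB_ERROR_ACCESS) is what an application sees when that decision goes wrong. As an added example, not code from either report, from pcsc-lite or from udev, the Python script below parses rules of that shape, evaluates them against a device's attributes the way udev does (every rule whose matches all succeed is applied in file order, so a later MODE or GROUP overrides an earlier one), and audits the resulting permissions for world access. The first sample rule is the one from the report; the second rule and both device descriptions are constructed for the demonstration.

```python
"""Evaluate udev permission rules against a device's attributes.

Added example for the rule quoted in the report (not pcsc-lite or udev
code). Rules of the form  KEY{attr}=="value", ..., MODE="...", GROUP="..."
are parsed; every rule whose matches all succeed is applied in file order,
so a later MODE/GROUP overrides an earlier one, as in udev.
"""
import fnmatch
import re
import stat

# Constructed sample rule file: the first rule is the one from the report,
# the second is a deliberately over-permissive rule for a made-up reader.
SAMPLE_RULES = """\
# Reiner SCT CyberJack (rule quoted in the bug report)
ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0400", MODE="660", GROUP="pcscd"
# Constructed: hypothetical reader, world read/write and no group
ATTR{idVendor}=="dead", ATTR{idProduct}=="beef", MODE="0666"
"""

# KEY, optional {attr}, operator, quoted value.
TOKEN_RE = re.compile(r'(\w+)(?:\{([^}]*)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"')


def parse_rules(text):
    """Return [(matches, assignments)] per non-comment line.

    matches     : list of (key, attr, op, value) with op '==' or '!='
    assignments : dict key -> value for '=' / '+=' tokens
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        matches, assigns = [], {}
        for key, attr, op, value in TOKEN_RE.findall(line):
            if op in ("==", "!="):
                matches.append((key, attr, op, value))
            else:
                assigns[key] = value
        rules.append((matches, assigns))
    return rules


def _matches(cond, device):
    key, attr, op, pattern = cond
    actual = device.get("attrs", {}).get(attr) if key == "ATTR" else device.get(key)
    # udev match values are shell-style patterns ('*', '?', '[..]').
    hit = actual is not None and fnmatch.fnmatchcase(actual, pattern)
    return hit if op == "==" else not hit


def effective_perms(rules, device):
    """Apply all matching rules in order; report MODE, GROUP and hit count."""
    result = {"MODE": None, "GROUP": None, "matched": 0}
    for matches, assigns in rules:
        if all(_matches(c, device) for c in matches):
            result["matched"] += 1
            for k in ("MODE", "GROUP"):
                if k in assigns:
                    result[k] = assigns[k]
    return result


def audit(perms):
    """Least-privilege findings for the computed permissions."""
    findings = []
    if perms["MODE"] is None:
        findings.append("no rule sets MODE: udev default applies")
        return findings
    mode = int(perms["MODE"], 8)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("MODE grants world access")
    if perms["GROUP"] is None and mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group bits set but no GROUP: node stays in root's group")
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for dev in ({"attrs": {"idVendor": "0c4b", "idProduct": "0400"}},
                {"attrs": {"idVendor": "dead", "idProduct": "beef"}}):
        perms = effective_perms(rules, dev)
        print(dev["attrs"], perms, audit(perms) or "ok")
```

On a live system the same two questions are answered by `udevadm info -a` on the device path (which attributes the rule must match) and `ls -l` on the node under /dev/bus/usb (what mode and group it actually got); a rule that "looks good" but whose node is still root:root 0660 is exactly the situation the reporter was left in.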


[Touch-packages] [Bug 776082] Re: pcscd spams syslog whenever mozilla is running and CAC card is not inserted/present

2020-10-07 Thread Joy Latten
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Won't Fix

https://bugs.launchpad.net/bugs/776082

Title:
  pcscd spams syslog whenever mozilla is running and CAC card is not
  inserted/present

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  pcscd spams syslog whenever Mozilla Firefox 4.0.1 is running. This was
  not present in Ubuntu 10.04 with its version of Firefox. I have a SCR3340
  ExpressCard54 card reader. The following 2 messages are continuously
  asserted in syslog whenever the CAC is not present and Firefox is
  running. Created a 13GB syslog overnight!
  May  2 22:12:27 simple-laptop pcscd: winscard.c:290:SCardConnect() Card Not Inserted
  May  2 22:12:27 simple-laptop pcscd: winscard_svc.c:447:ContextThread() CONNECT rv=0x801C for client 6

  Occurs once whenever the CAC (smart card) is removed:
  May  2 22:12:19 simple-laptop pcscd: winscard_svc.c:555:ContextThread() STATUS rv=0x80100069 for client 6

  The following 2 messages are continuously asserted in syslog when the
  card reader is removed from the ExpressCard slot:
  May  2 22:31:27 simple-laptop pcscd: winscard_svc.c:447:ContextThread() CONNECT rv=0x8019 for client 6
  May  2 22:31:28 simple-laptop pcscd: winscard.c:241:SCardConnect() Reader SCM SCR 3340 ExpressCard54 [CCID Interface] (21220827700942) 00 00 Not Found

  I have tried to suppress the messages with DAEMON_ARGS="--critical" in
  the '/etc/default/pcscd' file to no avail.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.04
  Package: pcscd 1.7.0-2ubuntu2
  ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
  Uname: Linux 2.6.38-8-generic x86_64
  Architecture: amd64
  Date: Mon May  2 22:23:10 2011
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
  ProcEnviron:
   LANGUAGE=en_US:en
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: pcsc-lite
  UpgradeStatus: No upgrade log present (probably fresh install)



[Touch-packages] [Bug 790502] Re: If OS has started the pcscd service won'n start up

2020-10-07 Thread Joy Latten
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Won't Fix

https://bugs.launchpad.net/bugs/790502

Title:
  If OS has started the pcscd service won'n start up

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  kern.log shows a libpthread error:
  May 30 13:17:38 mar kernel: [  366.715760] pcscd[2114]: segfault at 10 ip 7f8e25f74394 sp 7f8e2478cb00 error 4 in libpthread-2.13.so[7f8e25f6b000+18000]

  ProblemType: Bug
  DistroRelease: Ubuntu 11.04
  Package: pcscd 1.7.0-2ubuntu2
  ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
  Uname: Linux 2.6.38-8-generic x86_64
  Architecture: amd64
  Date: Tue May 31 09:38:47 2011
  InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
  ProcEnviron:
   LANGUAGE=en_US:en
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: pcsc-lite
  UpgradeStatus: No upgrade log present (probably fresh install)



[Touch-packages] [Bug 795540] Re: package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1

2020-10-07 Thread Joy Latten
This bug report has had no activity and has reached EOL. Closing.


** Changed in: pcsc-lite (Ubuntu)
   Status: Confirmed => Won't Fix

https://bugs.launchpad.net/bugs/795540

Title:
  package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage:
  subprocess installed post-installation script returned error exit
  status 1

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  Binary package hint: pcscd

  jadler@server:~$ lsb_release -rd
  Description:  Ubuntu 11.04
  Release:  11.04
  jadler@server:~$ apt-cache policy pcsc
  pcscada-dbg   pcscd pcsc-omnikey  pcsc-tools
  jadler@server:~$ apt-cache policy pcsc-lite
  N: Unable to locate package pcsc-lite
  jadler@server:~$ apt-cache policy pcscd 
  pcscd:
Installed: 1.7.0-2ubuntu2
Candidate: 1.7.0-2ubuntu2
Version table:
   *** 1.7.0-2ubuntu2 0
  500 http://se.archive.ubuntu.com/ubuntu/ natty/universe amd64 Packages
  100 /var/lib/dpkg/status

  Upgrading 10.10 to 11.04

  ProblemType: Package
  DistroRelease: Ubuntu 11.04
  Package: pcscd 1.7.0-2ubuntu2
  ProcVersionSignature: Ubuntu 2.6.35-28.50-generic 2.6.35.11
  Uname: Linux 2.6.35-28-generic x86_64
  NonfreeKernelModules: nvidia
  Architecture: amd64
  Date: Fri Jun 10 08:17:33 2011
  ErrorMessage: ErrorMessage: subprocess installed post-installation script 
returned error exit status 1
  InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
  SourcePackage: pcsc-lite
  Title: package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage: 
subprocess installed post-installation script returned error exit status 1
  UpgradeStatus: Upgraded to natty on 2011-06-09 (0 days ago)



[Touch-packages] [Bug 336815] Re: Aladdin etoken pro not supported anymore with pcscd

2020-10-07 Thread Joy Latten
This bug appears to have been fixed in an update. Closing.

** Changed in: pcsc-lite (Ubuntu)
   Status: New => Fix Released

https://bugs.launchpad.net/bugs/336815

Title:
  Aladdin etoken pro not supported anymore with pcscd

Status in pcsc-lite package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: pcscd

  Aladdin eToken pro USB (ID 0529:0620 Aladdin Knowledge Systems) used
  to work with the pcscd version in hardy, but does not work anymore
  with pcscd 1.4.102-1ubuntu1

  The token is no longer visible in Aladdin's middleware, while I can
  still read an eToken smartcard in another smart card reader.



[Touch-packages] [Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5

2020-10-01 Thread Joy Latten
** Description changed:

- The fix for #1835135 was not included into the python2.7 update. This
- bug has been opened to include it.
+ The fix for #1835135 was included into a python2.7 ver when python2.7
+ was updated, the fix was not included. It needs to be put pack into the
+ latest version pf python2.7 to prevent FIPS issues when using fips
+ openssl with python's hashlib. This is only a problem in latest
+ python2.7 versions in xenial, bionic, focal, and groovy. python3
+ versions do not have this problem on the above releases.
+ 
+ The fix was a backport of
+ 
https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

** Description changed:

- The fix for #1835135 was included into a python2.7 ver when python2.7
- was updated, the fix was not included. It needs to be put pack into the
- latest version pf python2.7 to prevent FIPS issues when using fips
- openssl with python's hashlib. This is only a problem in latest
- python2.7 versions in xenial, bionic, focal, and groovy. python3
- versions do not have this problem on the above releases.
+ LP #1835135 was fixed in python2.7. However, when python2.7 was updated
+ to current verion, the fix was not included. It needs to be included
+ again into current version of python2.7 to prevent FIPS issues when
+ using fips openssl with python's hashlib. This is only a problem in
+ latest python2.7 versions in xenial, bionic, focal, and groovy. python3
+ versions do not have this problem in these releases.
  
  The fix was a backport of
  
https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

https://bugs.launchpad.net/bugs/1898078

Title:
  FIPS OpenSSL crashes Python2.7 hashlib when using MD5

Status in python2.7 package in Ubuntu:
  New
Status in python2.7 source package in Xenial:
  New
Status in python2.7 source package in Bionic:
  New
Status in python2.7 source package in Focal:
  New
Status in python2.7 source package in Groovy:
  New

Bug description:
  LP #1835135 was fixed in python2.7. However, when python2.7 was
  updated to current verion, the fix was not included. It needs to be
  included again into current version of python2.7 to prevent FIPS
  issues when using fips openssl with python's hashlib. This is only a
  problem in latest python2.7 versions in xenial, bionic, focal, and
  groovy. python3 versions do not have this problem in these releases.

  The fix was a backport of
  
https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

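
The failure mode this bug describes, a hashlib MD5 call taking the interpreter down under a FIPS-mode OpenSSL, is why application code should never assume MD5 is available. Python 3.9 and later expose a `usedforsecurity` keyword on the hashlib constructors for the non-security uses (legacy checksums, cache keys) where MD5 is still legitimate. As an added example, not code from the bug, from CPython or from the Ubuntu python2.7 backport the description links to, the snippet below wraps that call so it degrades cleanly on interpreters that lack the keyword and on platforms that refuse MD5 outright, and keeps the security-relevant path on SHA-256. The digests asserted in the usage are the standard test vectors for the input "abc".

```python
"""Non-security MD5 that survives a FIPS-mode OpenSSL.

Added example (not from the bug, CPython or the Ubuntu backport). Two
failure modes are handled: interpreters older than 3.9 raise TypeError
for the usedforsecurity keyword, and a FIPS-locked OpenSSL raises
ValueError when the digest is requested without that flag, or on some
builds even with it.
"""
import hashlib
import hmac


def md5_checksum(data):
    """Hex MD5 of data for non-security use (legacy checksums, cache keys).

    Returns None when the platform refuses MD5 outright, so callers fail
    closed instead of crashing or silently hashing with something else.
    """
    try:
        h = hashlib.md5(usedforsecurity=False)
    except TypeError:
        # Pre-3.9 interpreter: no keyword; try the plain constructor.
        try:
            h = hashlib.md5()
        except ValueError:
            return None
    except ValueError:
        # FIPS provider refuses MD5 even for non-security use.
        return None
    h.update(data)
    return h.hexdigest()


def md5_available():
    """True when md5_checksum() can produce digests on this platform."""
    return md5_checksum(b"") is not None


def integrity_digest(data):
    """The security-relevant path: never MD5, whatever the platform allows."""
    return hashlib.sha256(data).hexdigest()


def verify_legacy_sum(data, expected_md5_hex):
    """Check a vendor-published MD5 sum; False (not a crash) when MD5 is off."""
    actual = md5_checksum(data)
    if actual is None:
        return False
    return hmac.compare_digest(actual, expected_md5_hex.lower())


if __name__ == "__main__":
    print("md5 available:", md5_available())
    print("md5('abc')   :", md5_checksum(b"abc"))
    print("sha256('abc'):", integrity_digest(b"abc"))
```

The point of returning None rather than raising is that a FIPS host is a deliberate configuration: code that needs MD5 for a checksum should report that clearly, and code that was using MD5 for anything security-relevant should already be on `integrity_digest()`.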


[Touch-packages] [Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5

2020-10-01 Thread Joy Latten
** Also affects: python2.7 (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Focal)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1898078

Title:
  FIPS OpenSSL crashes Python2.7 hashlib when using MD5

Status in python2.7 package in Ubuntu:
  New
Status in python2.7 source package in Xenial:
  New
Status in python2.7 source package in Bionic:
  New
Status in python2.7 source package in Focal:
  New
Status in python2.7 source package in Groovy:
  New

Bug description:
  The fix for #1835135 was not included into the python2.7 update. This
  bug has been opened to include it.



[Touch-packages] [Bug 1898078] [NEW] FIPS OpenSSL crashes Python2.7 hashlib when using MD5

2020-10-01 Thread Joy Latten
Public bug reported:

The fix for #1835135 was not included into the python2.7 update. This
bug has been opened to include it.

** Affects: python2.7 (Ubuntu)
 Importance: Undecided
 Status: New

https://bugs.launchpad.net/bugs/1898078




[Touch-packages] [Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

2020-09-11 Thread Joy Latten
pcsc-lite source package provides pcscd and libpcsclite1 and thus is
needed for smartcard deployment.

https://bugs.launchpad.net/bugs/1892559

Title:
  [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

Status in ccid package in Ubuntu:
  New
Status in opensc package in Ubuntu:
  Incomplete
Status in pam-pkcs11 package in Ubuntu:
  New
Status in pcsc-lite package in Ubuntu:
  Incomplete
Status in pcsc-perl package in Ubuntu:
  Invalid
Status in pcsc-tools package in Ubuntu:
  Invalid

Bug description:
  ==> ccid <==
  [Availability]
  ccid is in universe, and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs for ccid are listed in our database.
  Doesn't appear to bind to a socket.
  No privileged executables, but does have udev rules.
  Probably needs a security review.

  [Quality assurance]
  No test suite.
  Does require odd hardware that we'll probably need to buy.
  I don't see debconf questions.
  ccid is well maintained in Debian by upstream author.
  One open wishlist bug in BTS, harmless.

  One open bug in launchpad, not security, but looks very frustrating
  for the users. The upstream author was engaged but it never reached
  resolution.  https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465

  Has a debian/watch file.
  Quilt packaging.

  P: ccid source: no-dep5-copyright
  P: ccid source: package-uses-experimental-debhelper-compat-version 13

  [Dependencies]
  Minimal dependencies, in main

  [Standards compliance]
  Appears to satisfy FHS and Debian policy

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  ccid provides drivers to interact with usb-connected smart card readers.

  ==> libpam-pkcs11 <==
  [Availability]
  Source package pam-pkcs11 is in universe and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs in our database.
  Doesn't appear to bind to sockets.
  No privileged executables (but is a PAM module).
  As a PAM module this will require a security review.

  [Quality assurance]
  The package does not call pam-auth-update in its postinst #1650366
  Does not ask questions during install.
  One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
  No Debian bugs.
  Occasional updates in Debian by long-term maintainer.
  Does require odd hardware that we'll probably need to buy.
  Does not appear to run tests during build.
  Has scary warnings in the build logs.
  Has a debian/watch file.

  Ancient standards version; other smaller lintian messages, mostly
  documentation problems.

  Quilt packaging.

  [Dependencies]
  Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
  All are in main.

  [Standards compliance]
  The package does not call pam-auth-update in its postinst #1650366
  Otherwise looks to conform to FHS and Debian policies

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  This PAM module can use CRLs and full-chain verification of certificates.
  It can also do LDAP, AD, and Kerberos username mapping.

  ==> libpcsc-perl <==
  [Availability]
  Source package pcsc-perl is in universe, builds for all architectures,
  plus i386

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  There are no CVEs for pcsc-perl in our database.
  No privileged executables.
  Doesn't appear to bind to sockets.
  Probably needs a security review.

  [Quality assurance]
  Library package not intended to be used directly.
  No debconf questions.
  No bugs in Debian.
  No bugs in Ubuntu.
  Does require odd hardware that we'll probably need to buy.
  Tests exist, not run during the build; probably can't run during the build.
  Includes debian/watch file.
  A handful of lintian issues
  Quilt packaging.

  [Dependencies]
  libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
  All are in main.

  [Standards compliance]
  One oddity, Card.pod is stored in 
/usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/
  Many other perl packages have .pod files in these directory trees so maybe
  it's fine, but it seems funny all the same.

  Otherwise appears to satisfy FHS and Debian policy.

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant 

[Touch-packages] [Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

2020-09-11 Thread Joy Latten
pcscd is required. When removed, I am not able to get any info from the
driver about the reader or the smartcard. pcscd loads the smartcard
driver and coordinates communications.

https://bugs.launchpad.net/bugs/1892559


[Touch-packages] [Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

2020-09-10 Thread Joy Latten
Hi Seth and Christian,

I did a smartcard setup and confirmed I did not have to use anything
from pcsc-tools. And pcsc-tools seems to depend on libpcsc-perl, so we
won't need pcsc-perl either.

My "sudo apt install opensc" pulled in libccid, libpcsclite1,
opensc-pkcs11 and pcscd binary packages. I only needed one additional
install of "libpam-pkcs11".


Next, I am looking into the pcscd requirement. Will comment shortly.

https://bugs.launchpad.net/bugs/1892559

Title:
  [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite

Status in ccid package in Ubuntu:
  New
Status in opensc package in Ubuntu:
  Incomplete
Status in pam-pkcs11 package in Ubuntu:
  New
Status in pcsc-lite package in Ubuntu:
  Incomplete
Status in pcsc-perl package in Ubuntu:
  Invalid
Status in pcsc-tools package in Ubuntu:
  Invalid

Bug description:
  ==> ccid <==
  [Availability]
  ccid is in universe, and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs for ccid are listed in our database.
  Doesn't appear to bind to a socket.
  No privileged executables, but does have udev rules.
  Probably needs a security review.

  [Quality assurance]
  No test suite.
  Does require odd hardware that we'll probably need to buy.
  I don't see debconf questions.
  ccid is well maintained in Debian by upstream author.
  One open wishlist bug in BTS, harmless.

  One open bug in launchpad, not security, but looks very frustrating
  for the users. The upstream author was engaged but it never reached
  resolution.  https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465

  Has a debian/watch file.
  Quilt packaging.

  P: ccid source: no-dep5-copyright
  P: ccid source: package-uses-experimental-debhelper-compat-version 13

  [Dependencies]
  Minimal dependencies, in main

  [Standards compliance]
  Appears to satisfy FHS and Debian policy

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  ccid provides drivers to interact with usb-connected smart card readers.

  ==> libpam-pkcs11 <==
  [Availability]
  Source package pam-pkcs11 is in universe and builds on all architectures.

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  No CVEs in our database.
  Doesn't appear to bind to sockets.
  No privileged executables (but is a PAM module).
  As a PAM module this will require a security review.

  [Quality assurance]
  The package does not call pam-auth-update in its postinst #1650366
  Does not ask questions during install.
  One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
  No Debian bugs.
  Occasional updates in Debian by long-term maintainer.
  Does require odd hardware that we'll probably need to buy.
  Does not appear to run tests during build.
  Has scary warnings in the build logs.
  Has a debian/watch file.

  Ancient standards version; other smaller lintian messages, mostly
  documentation problems.

  Quilt packaging.

  [Dependencies]
  Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
  All are in main.

  [Standards compliance]
  The package does not call pam-auth-update in its postinst #1650366
  Otherwise looks to conform to FHS and Debian policies

  [Maintenance]
  The desktop team will subscribe to bugs, however it is expected that the
  security team will assist with security-relevant questions.

  [Background information]
  This PAM module can use CRLs and full-chain verification of certificates.
  It can also do LDAP, AD, and Kerberos username mapping.

  ==> libpcsc-perl <==
  [Availability]
  Source package pcsc-perl is in universe, builds for all architectures,
  plus i386

  [Rationale]
  The desktop team and security team are interested in bringing smartcard
  authentication to enterprise desktop environments.

  [Security]
  There are no CVEs for pcsc-perl in our database.
  No privileged executables.
  Doesn't appear to bind to sockets.
  Probably needs a security review.

  [Quality assurance]
  Library package not intended to be used directly.
  No debconf questions.
  No bugs in Debian.
  No bugs in Ubuntu.
  Does require odd hardware that we'll probably need to buy.
  Tests exist, not run during the build; probably can't run during the build.
  Includes debian/watch file.
  A handful of lintian issues
  Quilt packaging.

  [Dependencies]
  libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
  All are in main.

  [Standards compliance]
  One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/
  Many 

[Touch-packages] [Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

2020-07-14 Thread Joy Latten
** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
  ntpq uses crypto hashes to authenticate its requests. By default it uses
  md5. However, when compiled with openssl it creates a lists of
  acceptable hashes from openssl that can be used.
+ 
+ This issue is only applicable in bionic when using fips-openssl.
  
  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
  
  [Regression Potential]
  
  I don't think this should regress ntpq + openssl from the Ubuntu
  archive.
  
  Current archive ntpq + openssl behaviour:
- openssl includes all message digests and hands ntpq a sorted digest-list. 
+ openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well 
and sticks all digests into its list regardless if it is working or not.
  
- i.e.  
+ i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
- MD4, MD5, RIPEMD160, SHA1, SHAKE128
+ MD4, MD5, RIPEMD160, SHA1, SHAKE128
  
  If somehow openssl library is corrupted and sends back erroneous
  results, its possible the authentication will just not ever work.
  
  Newly fixed archive ntpq + oenssl beahviour:
  openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq checks each one and includes each working digest. With a non-corrupted 
openssl, everything works fine and ntpq includes each into its list. Ends up 
with a list identical to the one above.
-  
- If somehow opensll library is corrupted and sends back erroneous results, 
ntpq will hopefully catch it by checking return code and include only those 
algos that appear to be working. Its possible authentication will work for ntpq.
+ 
+ If somehow opensll library is corrupted and sends back erroneous
+ results, ntpq will hopefully catch it by checking return code and
+ include only those algos that appear to be working. Its possible
+ authentication will work for ntpq.
  
  The difference will be seen in ntpq + fips-openssl. ntpq will check
  return, and for fips-not-approved algos, return will indicate an error.
  So these algos will be skipped and ntpq will not include into its digest
  list. Resulting in a much shorter list of only fips-approved algos.
  
  i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
- SHA1, SHAKE128
+ SHA1, SHAKE128
  
- Since md5 is ntpq's default auth algo, this will need to be changed to one of 
the above algos in the config files. 
+ Since md5 is ntpq's default auth algo, this will need to be changed to one of 
the above algos in the config files.
  But I think it is somewhat understood that MD5 is bad in a FIPS environment.

** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
  ntpq uses crypto hashes to authenticate its requests. By default it uses
  md5. However, when compiled with openssl it creates a lists of
  acceptable hashes from openssl that can be used.
  
- This issue is only applicable in bionic when using fips-openssl.
+ This issue is only applicable in bionic and when using fips-openssl.
  
  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually 

[Touch-packages] [Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

2020-07-14 Thread Joy Latten
** Summary changed:

- [fips] Not fully initialized digest segfaulting some client applications
+ [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl
  library.

Status in openssl package in Ubuntu:
  In Progress
Status in openssl source package in Bionic:
  Confirmed

Bug description:
  [Impact]
  In FIPS mode on Bionic, MD5 is semi-disabled, causing some applications to
segfault.

  ntpq uses crypto hashes to authenticate its requests. By default it
  uses md5. However, when compiled with openssl it creates a list of
  acceptable hashes from openssl that can be used.

  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)

  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.

  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());

  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);

  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif

  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence

  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).

  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.

  [Regression Potential]

  I don't think this should regress ntpq + openssl from the Ubuntu
  archive.

  Current archive ntpq + openssl behaviour:
  openssl includes all message digests and hands ntpq a sorted digest-list. 
  ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well 
and sticks all digests into its list regardless if it is working or not.

  i.e.  
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
  MD4, MD5, RIPEMD160, SHA1, SHAKE128

  If somehow the openssl library is corrupted and sends back erroneous
  results, it's possible the authentication will just not ever work.

  Newly fixed archive ntpq + openssl behaviour:
  openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq checks each one and includes each working digest. With a non-corrupted 
openssl, everything works fine and ntpq includes each into its list. Ends up 
with a list identical to the one above.
   
  If somehow the openssl library is corrupted and sends back erroneous results,
ntpq will hopefully catch it by checking the return code and include only those
algos that appear to be working. It's possible authentication will work for ntpq.

  The difference will be seen in ntpq + fips-openssl. ntpq will check
  return, and for fips-not-approved algos, return will indicate an
  error. So these algos will be skipped and ntpq will not include into
  its digest list. Resulting in a much shorter list of only fips-
  approved algos.

  i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
  SHA1, SHAKE128

  Since md5 is ntpq's default auth algo, this will need to be changed to one of
the above algos in the config files.
  But I think it is somewhat understood that MD5 is bad in a FIPS environment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-13 Thread Joy Latten
** Changed in: openssl (Ubuntu)
 Assignee: (unassigned) => Joy Latten (j-latten)

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New



[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-13 Thread Joy Latten
Additional testing for ntpq authentication to ensure MD5 still works for
ntpq in the archive.

NOTE: The testing shown is ntpq (with patch) + openssl from the archive, to
ensure all still works.
Testing with ntpq + fips-openssl was also done successfully.
 
VM-A (ntp server) 

1. Edit /etc/ntp.keys to include,

1 SHA1 austintexas
2 MD5 cedarpark

2. Edit /etc/ntp.conf to include.

keys /etc/ntp.keys   
trustedkey 2 
controlkey 2
requestkey 2

3. restart ntp
sudo service ntp restart

VM-B (ntp client)

$ dpkg -l | grep ntp
ii  ntp  1:4.2.8p10+dfsg-5ubuntu7.1+ppa1  amd64  Network Time Protocol daemon and utility programs

1. Edit /etc/ntp.keys to include,

1 SHA1 austintexas
2 MD5 cedarpark

2. Edit /etc/ntp.conf to include,
keys /etc/ntp.keys
server  key 2
trustedkey 2
controlkey 2
requestkey 2

3. I commented out all the "pool" entries in /etc/ntp.conf

4. restart ntp
sudo service ntp restart


On the client,

$ ntpq -c as

ind assid status  conf reach auth condition  last_event cnt
===
  1 46728  f014   yes   yes   ok reject   reachable  1

Notice that "auth" is ok.

$ ntpq
ntpq> keytype
keytype is MD5 with 16 octet digests
ntpq> keyid 2
ntpq> ifstats
MD5 Password: 
interface namesend
 #  address/broadcast drop flag ttl mc received sent failed peers   uptime
==
  0 v6wildcard   D   81   0  0  0  0  0 0   96
[::]:123
  1 v4wildcard   D   89   0  0  0  0  0 0   96
0.0.0.0:123
  2 lo   .5   0  0  2  1  0 0   96
127.0.0.1:123
  3 ens3 .   19   0  0  2  2  0 1   96
192.168.122.105:123
  4 lo   .5   0  0  0  0  0 0   96
[::1]:123
  5 ens3 .   11   0  0  0  0  0 0   96
[fe80::5054:ff:fefe:b092%2]:123
ntpq> 


Note: issuing "ifstats" requires authentication.

I also tested with SHA1 and it worked as well.


And the last test on the client,
ntpq -p 

remote   refid  st t when poll reach   delay   offset  jitter
==
 192.168.122.106 204.11.201.123 u   56   6471.5412.723   0.826

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New


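The bug description above explains that ntpq's list_md_fn probes each digest with EVP_DigestInit/EVP_DigestFinal but never checks the return value, so a digest the FIPS backend refuses (MD5) leaves a half-initialised context behind and the process segfaults; the fix is to probe, check, and keep only the digests that work, after which an MD5 key in ntp.keys (as in the test steps later in this thread) can no longer be used. The following is an added example, not code from ntpq, OpenSSL or Ubuntu, that carries both points through in Python with hashlib as the crypto backend: it probes the candidate list from the bug's "help keytype" output, keeps only the digests that really initialise and finalise, and then reports which ntp.keys entries name a digest that is not available. The `fips_like` constructor and the ntp.keys sample are constructed stand-ins (labelled in the code) so the FIPS outcome can be shown on any machine; the function and variable names are the example's own.

```python
# Added example (not ntpq's or OpenSSL's code): probe each candidate digest
# and keep only the ones that really work, then check ntp.keys against the
# result so an MD5 default under FIPS is caught in config review, not at runtime.
import hashlib
from typing import Callable, Dict, Iterable, List

# Candidate set taken from the "help keytype" listing in the bug report,
# spelled with hashlib's names (hashlib's shake_128 is OpenSSL's SHAKE128).
CANDIDATE_DIGESTS = ("md4", "md5", "ripemd160", "sha1", "shake_128")


def digest_works(name: str, constructor: Callable[[str], object] = hashlib.new) -> bool:
    """Return True only when `name` can be initialised AND finalised.

    This is the probe ntpq's list_md_fn performs (init + final on empty
    input), but the outcome is checked instead of assumed. A backend that
    refuses the algorithm (MD5 under FIPS) raises here, so a half-initialised
    context is never used afterwards.
    """
    try:
        h = constructor(name)
        # XOF digests (shake) report digest_size 0 and need an explicit length.
        out = h.digest(16) if h.digest_size == 0 else h.digest()
    except (ValueError, TypeError, AttributeError):
        return False
    return len(out) > 0


def working_digests(names: Iterable[str], constructor=hashlib.new) -> List[str]:
    """Keep the candidates that pass the probe; input order is preserved."""
    return [n for n in names if digest_works(n, constructor)]


def parse_ntp_keys(text: str) -> Dict[int, str]:
    """Parse ntp.keys lines of the form '<keyid> <type> <key>' into {keyid: type}."""
    keys: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue                           # skip malformed lines
        keys[int(parts[0])] = parts[1]
    return keys


def _norm(name: str) -> str:
    # "SHAKE128" in ntp.keys and "shake_128" in hashlib name the same digest.
    return name.lower().replace("_", "")


def unusable_keys(keys: Dict[int, str], available: Iterable[str]) -> Dict[int, str]:
    """Return the keys whose digest type is not in the working-digest list."""
    avail = {_norm(a) for a in available}
    return {kid: typ for kid, typ in keys.items() if _norm(typ) not in avail}


def fips_like(name: str):
    """Constructed stand-in for a FIPS-mode backend (hypothetical, for the
    demo only): it refuses the non-approved digests instead of handing back
    a context that was never fully initialised."""
    if name in ("md4", "md5", "ripemd160"):
        raise ValueError("digest %s disabled for FIPS" % name)
    return hashlib.new(name)


# Constructed sample modelled on the ntp.keys used in the test steps.
SAMPLE_NTP_KEYS = """\
# keyid type key
1 SHA1 austintexas
2 MD5 cedarpark
"""

if __name__ == "__main__":
    avail = working_digests(CANDIDATE_DIGESTS, fips_like)
    print("usable under the FIPS-like backend:", avail)
    bad = unusable_keys(parse_ntp_keys(SAMPLE_NTP_KEYS), avail)
    for kid, typ in bad.items():
        print("key %d uses %s, which is not available; switch it to an approved type" % (kid, typ))
```

With the FIPS-like backend the working list collapses to `sha1` and `shake_128`, the same pair the bug report shows for ntpq + fips-openssl, and key 2 (MD5) is reported as unusable, which is exactly the config change the "Regression Potential" section says operators will have to make. The design point is that the probe's result, not its mere completion, decides membership in the list; that is the whole of ntpq's fix.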
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-13 Thread Joy Latten
Testing:

There are no autopkgtests for the ntp pkg and we do not run "make check" in
the tests dir as part of the build. So, just in case it is applicable, I
ran make check on my local build to ensure everything passes.

** Attachment added: "Results of running make check in ../tests directory"
   
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5392383/+files/ntp-test-results

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New



[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-13 Thread Joy Latten
** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
- ntpq uses crypto hashes to authenticate its requests. By default it appears 
to use an internal md5 implementation. However, when compiled with openssl it 
creates a lists of acceptable hashes from openssl that can be used. 
-  
+ ntpq uses crypto hashes to authenticate its requests. By default it uses
+ md5. However, when compiled with openssl it creates a lists of
+ acceptable hashes from openssl that can be used.
+ 
  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
  
  [Regression Potential]
  
- I believe the resolution to check the return code and if unsuccessful, do not 
include the hash algorithm in the internal ntpq digest list, should not 
introduce any regression.
- It will simply not add md5 and md5_sha1 to its lists of digests when compiled 
with openssl. Instead it will add the others like sha1, sha2, and sha3.
+ I don't think this should regress ntpq + openssl from the Ubuntu
+ archive.
+ 
+ Current archive ntpq + openssl behaviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list. 
+ ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well 
and sticks all digests into its list regardless if it is working or not.
+ 
+ i.e.  
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ MD4, MD5, RIPEMD160, SHA1, SHAKE128
+ 
+ If somehow openssl library is corrupted and sends back erroneous
+ results, its possible the authentication will just not ever work.
+ 
+ Newly fixed archive ntpq + oenssl beahviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list.
+ ntpq checks each one and includes each working digest. With a non-corrupted 
openssl, everything works fine and ntpq includes each into its list. Ends up 
with a list identical to the one above.
+  
+ If somehow opensll library is corrupted and sends back erroneous results, 
ntpq will hopefully catch it by checking return code and include only those 
algos that appear to be working. Its possible authentication will work for ntpq.
+ 
+ The difference will be seen in ntpq + fips-openssl. ntpq will check
+ return, and for fips-not-approved algos, return will indicate an error.
+ So these algos will be skipped and ntpq will not include into its digest
+ list. Resulting in a much shorter list of only fips-approved algos.
+ 
+ i.e.
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ SHA1, SHAKE128
+ 
+ Since md5 is ntpq's default auth algo, this will need to be changed to one of 
the above algos in the config files. 
+ But I think it is somewhat understood that MD5 is bad in a FIPS environment.

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New


[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten
** Description changed:

- In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
- segfault.
+ [Impact]
+ In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.
  
+ ntpq uses crypto hashes to authenticate its requests. By default it appears 
to use an internal md5 implementation. However, when compiled with openssl it 
creates a lists of acceptable hashes from openssl that can be used. 
+  
+ [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)
  
  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.
  
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());
  
  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);
  
  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets 
to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif
  
  Due to type->flags for MD5 being 0 there's an error set 
(EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).
  
  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.
+ 
+ [Regression Potential]
+ 
+ I believe the resolution to check the return code and if unsuccessful, do not 
include the hash algorithm in the internal ntpq digest list, should not 
introduce any regression.
+ It will simply not add md5 and md5_sha1 to its lists of digests when compiled 
with openssl. Instead it will add the others like sha1, sha2, and sha3.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client
  applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New

Bug description:
  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to 
segfault.

  ntpq uses crypto hashes to authenticate its requests. By default it appears
  to use an internal md5 implementation. However, when compiled with openssl it
  creates a list of acceptable hashes from openssl that can be used.

  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)

  What happens there is ntpq wants to iterate all available digests
  (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this
  task.

  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c.
  For FIPS mode it adds:
  EVP_add_digest(EVP_md5());

  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, &digest_len);

  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets
  to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
  if (FIPS_mode()) {
  if (!(type->flags & EVP_MD_FLAG_FIPS)
  && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
  EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
  return 0;
  }
  }
  #endif

  Due to type->flags for MD5 being 0 there's an error set
  (EVP_R_DISABLED_FOR_FIPS).
  After getting back to ntpq.c:
  ctx->engine and ctx->digest are not set (due to the mentioned error), hence
  inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).

  So either MD5 shouldn't be added in FIPS mode or it should have the
  EVP_MD_FLAG_FIPS to be properly initialized.

  [Regression Potential]

  I believe the resolution to check the return code and, if unsuccessful, not
  include the hash algorithm in the internal ntpq digest list, should not
  introduce any regression.
  It will simply not add md5 and md5_sha1 to its list of digests when compiled
  with openssl. Instead it will add the others like sha1, sha2, and sha3.

To manage notifications about this bug go to:

[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten
debdiff for bionic


** Attachment added: "debdiff.bionic"
   
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5391374/+files/debdiff.bionic



[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-10 Thread Joy Latten
Build log: 
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/19570468



[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten
I added return checks to ntpq code and this appears to solve the
problem. Is it ok to make this an SRU?



[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten
Also, this is only applicable in bionic. Neither xenial nor focal
experience this issue.



[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-07-09 Thread Joy Latten
It seems 2 things are happening to generate this issue:

1. fips-openssl in bionic has md5 and md5_sha1 in the fips digest list with
the explicit purpose of accommodating PRF use only in fips mode. But you
must pass the flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to successfully use
them.

2. ntpq does not check return codes from EVP_ calls. It has,
ctx = EVP_MD_CTX_new();
EVP_DigestInit(ctx, EVP_get_digestbyname(name));
EVP_DigestFinal(ctx, digest, &digest_len);
EVP_MD_CTX_free(ctx);
if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
return;

EVP_DigestInit() would have returned 0 in this case, indicating a
failure.

Possible fixes:
1. In the fips-libcrypto library, remove md5 from the fips digest list and keep
md5_sha1 for PRF and mark it as fips-allowed. md5 can still be used with the
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag, but it's just not in the fips digest list.

Note: this fix can be put in the fips-update ppa for availability. But it
may be a while before it is re-certified.

2. ntpq should check its return codes and do the appropriate thing on error.

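The probing sequence this thread describes, with the return-code check the proposed ntpq fix adds, as an added example that is not ntpq's or OpenSSL's own code: it drives the same EVP calls from Python through ctypes, skipping any digest whose init fails instead of finalising an uninitialised context. It assumes a loadable libcrypto (1.1.x or 3.x) on the library path; `probe_digest`, `usable_digests` and the `max_mac_len` parameter (standing in for ntpq's MAX_MAC_LEN - sizeof(keyid_t) bound, whose value the thread does not give) are names chosen here.

```python
"""
Added example, not code from ntpq or OpenSSL: the digest-probing sequence the
thread describes (EVP_MD_CTX_new / EVP_DigestInit / EVP_DigestFinal), driven
through libcrypto with ctypes, with the return-code check the proposed ntpq
fix adds.  A digest whose init fails, as md5 does under the Bionic FIPS
libcrypto, is skipped instead of being finalised on a context whose
ctx->digest is still NULL.  Assumes a loadable libcrypto 1.1.x or 3.x.
"""
import ctypes
import ctypes.util

EVP_MAX_MD_SIZE = 64  # OpenSSL's compile-time bound on a digest length


def _load_libcrypto():
    """Locate libcrypto via the linker name, then common sonames."""
    candidates = [ctypes.util.find_library("crypto"),
                  "libcrypto.so.3", "libcrypto.so.1.1", "libcrypto.so"]
    for name in candidates:
        if name:
            try:
                return ctypes.CDLL(name)
            except OSError:
                continue
    raise OSError("libcrypto not found")


_crypto = _load_libcrypto()
# Prototypes for the EVP calls ntpq's list_md_fn makes.
_crypto.EVP_MD_CTX_new.restype = ctypes.c_void_p
_crypto.EVP_MD_CTX_new.argtypes = []
_crypto.EVP_MD_CTX_free.restype = None
_crypto.EVP_MD_CTX_free.argtypes = [ctypes.c_void_p]
_crypto.EVP_get_digestbyname.restype = ctypes.c_void_p
_crypto.EVP_get_digestbyname.argtypes = [ctypes.c_char_p]
_crypto.EVP_DigestInit_ex.restype = ctypes.c_int
_crypto.EVP_DigestInit_ex.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_void_p]
_crypto.EVP_DigestUpdate.restype = ctypes.c_int
_crypto.EVP_DigestUpdate.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                     ctypes.c_size_t]
_crypto.EVP_DigestFinal_ex.restype = ctypes.c_int
_crypto.EVP_DigestFinal_ex.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                       ctypes.POINTER(ctypes.c_uint)]


def probe_digest(name, data=b""):
    """Init, update and finalise the named digest as ntpq does when it builds
    its digest list, but check every return value.  Returns the digest of
    `data`, or None when libcrypto refuses the algorithm (unknown name, or
    EVP_R_DISABLED_FOR_FIPS in FIPS mode).  EVP_DigestFinal_ex is only
    reached after a successful init, which is exactly the check ntpq lacked."""
    md = _crypto.EVP_get_digestbyname(name.encode("ascii"))
    if not md:
        return None
    ctx = _crypto.EVP_MD_CTX_new()
    if not ctx:
        return None
    try:
        # The call ntpq left unchecked: under FIPS it returns 0 for md5 and
        # leaves ctx->digest NULL, so finalising would hit OPENSSL_assert.
        if _crypto.EVP_DigestInit_ex(ctx, md, None) != 1:
            return None
        if _crypto.EVP_DigestUpdate(ctx, data, len(data)) != 1:
            return None
        out = ctypes.create_string_buffer(EVP_MAX_MD_SIZE)
        out_len = ctypes.c_uint(0)
        if _crypto.EVP_DigestFinal_ex(ctx, out, ctypes.byref(out_len)) != 1:
            return None
        return out.raw[:out_len.value]
    finally:
        _crypto.EVP_MD_CTX_free(ctx)


def usable_digests(names, max_mac_len):
    """Subset of `names` that could go into ntpq's digest list: libcrypto
    initialises them and their output fits the MAC.  `max_mac_len` stands in
    for ntpq's MAX_MAC_LEN - sizeof(keyid_t) bound (hypothetical parameter;
    the thread does not give the value)."""
    usable = []
    for name in names:
        digest = probe_digest(name)
        if digest is None or len(digest) > max_mac_len:
            continue
        usable.append(name)
    return usable


if __name__ == "__main__":
    # Constructed list: names ntpq would see plus one that does not exist.
    for n in ["md5", "sha1", "sha256", "sha512", "no-such-digest"]:
        d = probe_digest(n, b"ntpq")
        print(f"{n:15s} {'skipped' if d is None else d.hex()}")
```

On a non-FIPS libcrypto md5 is accepted; on the Bionic FIPS build described above its init returns 0 and the name is simply left out of the list.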


[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications

2020-06-19 Thread Joy Latten
Investigating.



[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-17 Thread Joy Latten
** Tags added: verification-done-eoan

** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Bionic:
  Fix Committed
Status in util-linux source package in Eoan:
  Fix Committed
Status in util-linux package in Debian:
  Unknown

Bug description:
  [Impact]

  hwclock reports incorrect status in audit message:
  - hwclock calls audit_log_user_message(3) to create an audit entry.
  - audit_log_user_message(3) result 1 is "success" and 0 is "failed".
  - hwclock uses the standard EXIT_{SUCCESS,FAILURE} macros with reverse status.
  - Thus it reports its status incorrectly in the audit message.

  It is a requirement for Common Criteria Certification that hwclock
  reports correct status in audit message.

  This has been fixed upstream in
  https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

  [Test Steps]

  Steps to test:
  1. Install auditd
  2. Run the following testcase:

  # hwclock
  2020-03-02 15:03:03.280351+

  # hwclock --set --date "1/1/2000 00:00:00"
  # echo $?
  0
  # hwclock
  2000-01-01 00:00:05.413924+

  # hwclock --utc --systohc
  # echo $?
  0
  # hwclock
  2020-03-02 15:07:00.264331+

  Following audit messages from /var/log/audit/audit.log:

  Note that the last field in each audit record produced when the hardware clock
  was modified has "res=failed", although the testcase shows no failure
  occurred.

  type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'

  type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'

  [Regression Potential]

  Changes are limited to the result value passed to audit_log_user_message(3),
  so the audit messages will change only in the 'res=' field (to the correct result).

  There should not be any regression to fix the status given to auditd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-17 Thread Joy Latten
Successful verification on amd64 for bionic

$ dpkg -l | grep util-linux
ii  util-linux  2.31.1-0.4ubuntu3.6  amd64  miscellaneous system utilities

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'

type=USYS_CONFIG msg=audit(1584464615.494:117): pid=13441 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'

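A way to check the audit trail for the inverted status this bug describes, as an added example that is not util-linux's or the audit library's code: a parser for the USYS_CONFIG records quoted in this thread that reports each change-system-time event with its res= field, plus the exit-status-to-audit-result mapping the report spells out. The sample log is constructed from the records quoted above (one pre-fix, one verified) plus one unrelated SYSCALL record; `parse_audit_record`, `clock_change_results` and `audit_result_for_exit_status` are names chosen here.

```python
"""
Added example, not code from util-linux or libaudit: parse the USYS_CONFIG
records hwclock emits through audit_log_user_message(3) and report every
hardware-clock change with its res= outcome, so the inverted status in the
bug report is visible in the log and not only in the exit code.
"""
import re

# Constructed sample log: the two hwclock records quoted in this bug (one from
# the pre-fix build, one from the verified fix) plus an unrelated SYSCALL
# record, each on one line as auditd writes them.
SAMPLE_AUDIT_LOG = """\
type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
type=SYSCALL msg=audit(1584464590.120:100): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls"
type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'
"""

_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# key=value pairs; values may be single-quoted (the nested msg payload),
# double-quoted (exe, comm) or bare (pid, res, addr=?).
_FIELD = re.compile(
    r"""(?P<key>[\w-]+)=(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+))""")


def _parse_fields(text):
    fields = {}
    for m in _FIELD.finditer(text):
        for group in ("sq", "dq", "bare"):
            if m.group(group) is not None:
                fields[m.group("key")] = m.group(group)
                break
    return fields


def parse_audit_record(line):
    """Parse one audit.log line into a flat dict, or return None if it is not
    an audit record.  The msg='...' payload that audit_log_user_message(3)
    wraps around user-space events is flattened into the same dict."""
    m = _HEADER.match(line.strip())
    if m is None:
        return None
    record = {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    fields = _parse_fields(m.group("rest"))
    inner = fields.pop("msg", None)
    if inner is not None:
        fields.update(_parse_fields(inner))
    record.update(fields)
    return record


def clock_change_results(log_text):
    """Return (serial, exe, res) for every change-system-time record; res is
    the field the bug report shows inverted (res=failed on a successful run)."""
    results = []
    for line in log_text.splitlines():
        record = parse_audit_record(line)
        if (record is not None and record["type"] == "USYS_CONFIG"
                and record.get("op") == "change-system-time"):
            results.append((record["serial"], record.get("exe"), record.get("res")))
    return results


def audit_result_for_exit_status(exit_status):
    """The mapping hwclock needs before calling audit_log_user_message(3):
    the audit API takes 1 for success and 0 for failure, the reverse of the
    EXIT_SUCCESS (0) / EXIT_FAILURE (1) values the bug says were passed."""
    return 1 if exit_status == 0 else 0


if __name__ == "__main__":
    for serial, exe, res in clock_change_results(SAMPLE_AUDIT_LOG):
        print(f"audit serial {serial}: {exe} changed the system time, res={res}")
```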


[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-17 Thread Joy Latten
Successful verification on amd64 for eoan

$ dpkg -l | grep util-linux
ii  util-linux  2.34-0.1ubuntu2.4  amd64  miscellaneous system utilities

Audit records found in /var/log/audit/audit.log:

type=USYS_CONFIG msg=audit(1584463433.533:68): pid=4263 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-server addr=? terminal=pts/0 res=success'

type=USYS_CONFIG msg=audit(1584463480.497:81): pid=4268 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-server addr=? terminal=pts/0 res=success'



[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-13 Thread Joy Latten
Mauricio, 
Thank you so much for handling. Much appreciated. I took a quick look at the 
above #15 and #16 and perhaps a retry may be beneficial... there were some 
timeouts...



[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-05 Thread Joy Latten
** Also affects: util-linux (Ubuntu Eoan)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

Status in util-linux package in Ubuntu:
  New
Status in util-linux source package in Bionic:
  New
Status in util-linux source package in Eoan:
  New
Status in util-linux package in Debian:
  Unknown

Bug description:
  [IMPACT]
  hwclock reports incorrect status in audit message

  hwclock calls audit_log_user_message(3) to create an audit entry.
  audit_log_user_message(3) result 1 is "success" and 0 is
  "failed"; hwclock uses the standard EXIT_{SUCCESS,FAILURE} macros with reverse
  status. Thus it reports its status incorrectly in the audit message.

  It is a requirement for Common Criteria Certification that hwclock
  reports correct status in audit message.

  This has been fixed upstream in
  https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

  [TEST]

  Steps to test:
  1. Install auditd
  2. Run the following testcase:

  # hwclock
  2020-03-02 15:03:03.280351+
  # hwclock --set --date "1/1/2000 00:00:00"
  # echo $?
  0
  # hwclock
  2000-01-01 00:00:05.413924+
  # hwclock --utc --systohc
  # echo $?
  0
  # hwclock
  2020-03-02 15:07:00.264331+

  Following audit messages from /var/log/audit/audit.log,

  type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 
ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips 
addr=? terminal=pts/0 res=failed'
  type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 
ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips 
addr=? terminal=pts/0 res=failed'

  Note that last entry in each audit record produced when hardware clock
  was modified has, "res=failed". Although, testcase shows no failure
  occurred.

  [Regression Potential]
  There should not be any regression to fix the status given to auditd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

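The result inversion described in the bug report above, as an added example in C that is not util-linux code and not part of the Launchpad thread. audit_result_buggy() models the pre-fix mapping the report describes (an assumption based on the description, not a copy of hwclock's source) and audit_result_fixed() the corrected one; format_audit_record() stands in for audit_log_user_message(3) so the program builds without libaudit, laying the record out like the ones quoted in the report with placeholder pid/uid/auid/ses values; audit_field() and is_hwclock_change_marked_failed() pull the res= field out of a record, which is what any detection rule keyed on hwclock changes has to look at, and show why a rule that only alerts on res=success saw nothing on an unpatched system. SAMPLE_RECORD is a constructed copy of one record from the report.

```c
/* Added example (not util-linux code): the hwclock audit status inversion
 * from LP #1865504. audit_log_user_message(3) takes result 1 = "success",
 * 0 = "failed", whereas EXIT_SUCCESS == 0 and EXIT_FAILURE == 1, so passing
 * the exit status straight through logs a successful change as res=failed.
 * Builds with plain cc; libaudit is stood in for by a formatter. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { AUDIT_RES_FAILED = 0, AUDIT_RES_SUCCESS = 1 };  /* libaudit's convention */

/* Pre-fix mapping as the report describes it (assumption: modeled on the
 * description, not copied from util-linux): the exit status is passed as-is. */
int audit_result_buggy(int exit_status) { return exit_status; }

/* Post-fix mapping: translate the exit status into libaudit's convention. */
int audit_result_fixed(int exit_status)
{
    return exit_status == EXIT_SUCCESS ? AUDIT_RES_SUCCESS : AUDIT_RES_FAILED;
}

/* Stand-in for audit_log_user_message(): renders a USYS_CONFIG record in the
 * layout seen in /var/log/audit/audit.log. pid/uid/auid/ses are placeholders. */
int format_audit_record(char *buf, size_t len, const char *op,
                        const char *exe, int result)
{
    return snprintf(buf, len,
                    "type=USYS_CONFIG msg=audit(0.0:0): pid=0 uid=0 auid=0 ses=0 "
                    "msg='op=%s exe=\"%s\" hostname=? addr=? terminal=? res=%s'",
                    op, exe, result ? "success" : "failed");
}

/* Copy the value of key=value from an audit record into out. Matches whole
 * keys only (so "uid" does not hit "auid"); accepts bare values (res=failed)
 * and double-quoted ones (exe="/sbin/hwclock"). Returns the value length,
 * or -1 when the key is absent. */
int audit_field(const char *record, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n;
    const char *p = record, *v, *end;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == record || p[-1] == ' ' || p[-1] == '\'') && p[klen] == '=') {
            v = p + klen + 1;
            if (*v == '"')
                end = strchr(++v, '"');
            else
                end = v + strcspn(v, " '");
            if (end == NULL)
                return -1;
            n = (size_t)(end - v);
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return (int)n;
        }
        p += klen;
    }
    return -1;
}

/* Detection check: a hwclock change-system-time record whose res= says
 * "failed". On an unpatched util-linux every successful clock change looks
 * like this, so a rule that alerts only on res=success sees none of them. */
int is_hwclock_change_marked_failed(const char *record)
{
    char op[64], exe[256], res[16];

    if (audit_field(record, "op", op, sizeof op) < 0 ||
        audit_field(record, "exe", exe, sizeof exe) < 0 ||
        audit_field(record, "res", res, sizeof res) < 0)
        return 0;
    return strcmp(op, "change-system-time") == 0 &&
           strcmp(exe, "/sbin/hwclock") == 0 && strcmp(res, "failed") == 0;
}

/* Constructed copy of one record quoted in the bug report. */
const char *const SAMPLE_RECORD =
    "type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 "
    "ses=1 msg='op=change-system-time exe=\"/sbin/hwclock\" "
    "hostname=bionic-fips addr=? terminal=pts/0 res=failed'";

int main(void)
{
    char buf[512];
    int mappings[] = { audit_result_buggy(EXIT_SUCCESS),
                       audit_result_fixed(EXIT_SUCCESS) };

    printf("record from the report flagged: %d\n",
           is_hwclock_change_marked_failed(SAMPLE_RECORD));
    for (int i = 0; i < 2; i++) {
        format_audit_record(buf, sizeof buf, "change-system-time",
                            "/sbin/hwclock", mappings[i]);
        printf("%s mapping of EXIT_SUCCESS: %s\n", i ? "fixed" : "buggy", buf);
    }
    return 0;
}
```

Run it with cc -Wall hwclock_audit.c && ./a.out; the buggy mapping prints a record ending in res=failed for a successful exit and the fixed one prints res=success. The same audit_field() logic is what an ausearch-style filter or a SIEM parser needs to implement before a rule on exe="/sbin/hwclock" is trustworthy.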

[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-05 Thread Joy Latten
The debdiff for focal

** Attachment removed: "debdiff for focal"
   
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal

** Attachment added: "debdiff.focal"
   
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333895/+files/debdiff.focal


[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-05 Thread Joy Latten
** Also affects: util-linux (Ubuntu Bionic)
   Importance: Undecided
   Status: New


[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-04 Thread Joy Latten
** Attachment added: "debdiff for focal"
   
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal


[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-04 Thread Joy Latten
Build log 
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/18795481

** Bug watch added: Debian Bug tracker #953065
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065

** Also affects: util-linux (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065
   Importance: Unknown
   Status: Unknown


[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message

2020-03-02 Thread Joy Latten
** Description changed:

+ [IMPACT]
+ hwclock reports incrorect status in audit message
+ 
+ hwclock calls audit_log_user_message(3) to create an audit entry.
  audit_log_user_message(3) result 1 is "success" and 0 is
  "failed", hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse
- status. Thus reports status incorrectly in audit message. This has been fixed 
upstream in 
https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
+ status. Thus reports it's status incorrectly in audit message. 
+ 
+ It is a requirement for Common Criteria Certification that hwclock
+ reports correct status in audit message.
+ 
+ This has been fixed upstream in https://github.com/karelzak/util-
+ linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
+ 
+ [TEST]
+ 
+ Steps to test:
+ 1. Install auditd
+ 2. Run following testcase,
+ 
+ # hwclock
+ 2020-03-02 15:03:03.280351+
+ # hwclock --set --date "1/1/2000 00:00:00"
+ # echo $?
+ 0
+ # hwclock
+ 2000-01-01 00:00:05.413924+
+ # hwclock --utc --systohc
+ # echo $?
+ 0
+ # hwclock
+ 2020-03-02 15:07:00.264331+
+ 
+ Following audit messages from /var/log/audit/audit.log,
+ 
+ type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 
ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips 
addr=? terminal=pts/0 res=failed'
+ type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 
ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips 
addr=? terminal=pts/0 res=failed'
+ 
+ Note that last entry in each audit record produced when hardware clock
+ was modified has, "res=failed". Although, testcase shows no failure
+ occurred.
+ 
+ [Regression Potential]
+ There should not be any regression to fix the status given to auditd.
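Review bot: the [TEST] section added here shows only the pre-fix records, both ending in res=failed; state the expected post-fix record as well (the same op=change-system-time line ending in res=success) so that verification has an explicit pass criterion instead of relying on the absence of "failed". The new [IMPACT] line also carries a typo, "incrorect".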


[Touch-packages] [Bug 1865504] [NEW] hwclock reports incorrect status in audit message

2020-03-02 Thread Joy Latten
Public bug reported:

For audit_log_user_message(3), result 1 is "success" and 0 is "failed";
hwclock uses the standard EXIT_{SUCCESS,FAILURE} macros, which have the
reverse meaning. Thus it reports its status incorrectly in the audit
message. This has been fixed upstream in
https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

** Affects: util-linux (Ubuntu)
 Importance: High
 Assignee: Joy Latten (j-latten)
 Status: New

** Changed in: util-linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: util-linux (Ubuntu)
   Importance: Medium => High

** Changed in: util-linux (Ubuntu)
 Assignee: (unassigned) => Joy Latten (j-latten)


[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-11 Thread Joy Latten
The 2.7 and 3.5 python packages in the security proposed PPA have been
successfully tested in a fips and non-fips xenial environment.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

Status in python2.7 package in Ubuntu:
  Triaged
Status in python3.5 package in Ubuntu:
  Invalid
Status in python2.7 source package in Xenial:
  In Progress
Status in python3.5 source package in Xenial:
  In Progress
Status in python2.7 source package in Bionic:
  In Progress
Status in python3.5 source package in Bionic:
  Invalid
Status in python2.7 source package in Cosmic:
  Won't Fix
Status in python3.5 source package in Cosmic:
  Invalid
Status in python2.7 source package in Disco:
  In Progress
Status in python3.5 source package in Disco:
  Invalid
Status in python2.7 source package in Eoan:
  Triaged
Status in python3.5 source package in Eoan:
  Invalid

Bug description:
  If Ubuntu/Canonical's FIPS-compliant OpenSSL is initialized with
  SSL_library_init, then Python2's hashlib bindings for MD5 can trigger
  a SIGSEGV via a NULL pointer dereference (if calling the .update
  method) or a SIGABRT (if passing input to the constructor or passing
  no input and invoking the .final method). This happens if, for
  example, PyOpenSSL is imported before hashlib.

  Canonical's FIPS patches for OpenSSL introduce some odd behavior that
  arguably should be revisited, but the (TL;DR) core bug is that Python2
  hashlib doesn't properly check the return value of EVP_DigestInit,
  preventing hashlib from falling back to its internal MD5
  implementation and instead setting things up for use of the MD5
  context to trigger SIGSEGV or SIGABRT.

  Python3 correctly checks the return value, so the fix is to backport
  the relevant code into Python2 (see
  python2.7-2.7.12/Modules/_hashopenssl.c).

  See attached good.py and bad.py files, which exhibit the
  import-order-dependent crashing issue. See attached
  fips-md5-python-init-bug.c, which shows the FIPS OpenSSL behaviors that
  conditionally tickle the Python2 bug. The C file also contains a much
  more detailed description of the Python2 bug and other behavior which
  I'd rather not repeat here.

  I discovered this bug investigating an issue with the third-party
  apt-boto-s3 package. See https://github.com/boto/boto3/issues/2021

  Note that this bug affects Splunk, Inc, which has a corporate Ubuntu
  Advantage license. My login account is attached to a different,
  single-seat license.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1835135/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-08 Thread Joy Latten
Upon looking at the source for both python2.7 and python3.5 in xenial,
neither checks the return value from EVP_DigestInit in
Modules/_hashopenssl.c file.

However, python3.6 (in bionic, cosmic and disco) does have the check.

So the check will need to be backported to python 2.7 and python 3.5 in
xenial.


[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-03 Thread Joy Latten
Like python3, python2 should check the return value of EVP_DigestInit.


[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-03 Thread Joy Latten
The assessment is accurate.

FIPS 140-2 does not allow MD5 except for use in the PRF.

Thus OpenSSL_add_all_digests in FIPS OpenSSL does not include MD5.
However, SSL_library_init() does include MD5, but only for use in
calculating the PRF. Notice that in tls1_P_hash() in ssl/t1_enc.c the
flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW is set in the context to permit this
use of MD5. Apps wishing to calculate their own PRF can do the same.


[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-03 Thread Joy Latten
Investigating


[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2018-02-12 Thread Joy Latten
Update on Artful regression analysis from comment #22.

1. Same as in comment #22. Hopefully these can be ignored, as they were
for xenial.

2. Same as in comment #22. Tests passed in different runs, as stated
above. When the failures occurred, it was because of timeouts while
waiting for something. The failures appear to be intermittent and not
related to the change made here.

3. gnocchi - appears to be a testcase usage message from python. Not
related to the change made in this bug.

4. libdata-uuid-libuuid-perl (s390x) - Julian did a test here using hello
and the prior version of util-linux, and they both failed with the same
error. So this error is not related to this bug change. Something else
changed, perhaps in the testcase or test environment.

5. tracker passes on a re-run

6. nplan passes on a re-run

Conclusion: Hopefully above explanations result in regressions having
been resolved so util-linux in artful can be promoted.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1722313

Title:
  Enable auditing in util-linux.

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Xenial:
  Fix Committed
Status in util-linux source package in Zesty:
  Fix Committed
Status in util-linux source package in Artful:
  Fix Committed
Status in util-linux package in Debian:
  New

Bug description:
  [IMPACT]
  Enable auditing in util-linux. The config option, --with-audit enables 
auditing.

  Only the hwclock and the login commands within util-linux package have
  source code for auditing. But that source code is disabled by default
  and requires the config option, --with-audit to enable it. The login
  command is not built nor shipped in util-linux. Ubuntu uses the login
  command from shadow instead. Thus, only hwclock command would be
  affected by this change.

  The change would enable the hwclock command to generate an audit log
  message to /var/log/audit/audit.log whenever it changes the hardware
  clock. This message will only get logged to /var/log/audit/audit.log,
  if auditd daemon is running. Otherwise, if the auditd is not running,
  like most log messages, it will get logged to /var/log/kern.log and|or
  /var/log/syslog if these services are enabled.

  That the hwclock generates an audit message when hardware clock is
  changed is a requirement for Common Criteria EAL2 certification for
  Xenial.

  [TEST]

  This has been tested on both P8 and amd64 architectures. With the
  patch all the Common Criteria testcases pass for hwclock. Before this
  patch, the functional part of the testcase passed, but the check for
  the triggered audit records would fail. Attached the Common Criteria
  testcase below.

  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.

  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2018-02-09 Thread Joy Latten
Summary of analysis of the autopkgtest failures listed for this SRU in
http://people.canonical.com/~ubuntu-archive/pending-sru.html

For Artful regressions:

1. dpdk (s390x), ocfs2-tools (s390x), lxcfs(s390x), ori(s390x), 
network-manager(s390x), lxd(s390x) 
These all have failing testcases that were skipped in prior version of 
util-linux. The same reason stated in comment #21 above may be applicable here 
as well. 

2. network-manager(ppc64el) - has had 2 runs. In one run, test_wpa1_ip4
fails, test_rfkill pass. In the other run, test_wpa1_ip4 pass and
test_rfkill fail. A timeout results in the failure. Seems testcases do
pass for this version of util-linux but sensitive current workload
maybe...

3. gnocchi(all platforms) - further investigating.

4. libdata-uuid-libuuid-perl(s390x) - might be due to the change in test
environment such as #1.

5. tracker(arm64) - further investigation. no prior run to compare with.

6. nplan(arm64) - further investigation. no prior run to compare with.



[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2018-02-09 Thread Joy Latten
Summary of analysis of the autopkgtest failures listed for this SRU in
http://people.canonical.com/~ubuntu-archive/pending-sru.html

For Xenial regressions:

1. In xenial, the failing testcases had been skipped in prior versions and not 
run. 
i.e. "SKIP Test requires machine-level isolation but testbed does not provide 
that"

I talked to Julian who informed me that the s390x testbed went from LXC
containers to VMs.

Now those tests that had not been run before, were executing and
failing.



[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2017-12-01 Thread Joy Latten
verified successfully in amd64 VM for zesty.

$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="17.04 (Zesty Zapus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 17.04"
VERSION_ID="17.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=zesty
UBUNTU_CODENAME=zesty

$ dpkg -l | grep util-linux
ii  util-linux 2.29-1ubuntu2.2  
 amd64miscellaneous system utilities

$ uname -a
Linux zestyguest 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 
x86_64 x86_64 x86_64 GNU/Linux

message logged after altering hardware clock,

type=USYS_CONFIG msg=audit(1512158548.257:24): pid=3081 uid=0 auid=1000
ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=?
terminal=pts/0 res=success'




** Tags added: verification-done-zesty

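The records quoted in the verification comments of this thread (type=USYS_CONFIG, either op=change-system-time or the older free-text "changing system time", exe="/sbin/hwclock", res=success or res=failed) are what an auditor or a detection rule actually consumes. What follows is an added example, not code from the bug, from util-linux or from the Common Criteria testcase: a small Python parser that picks the hwclock clock-change events out of an audit.log stream, normalises the two message layouts, and flags failures. The sample records are constructed, modelled on the lines quoted in this thread; the field names and the record layout are assumed to be exactly as shown there.

```python
"""Pick hwclock hardware-clock changes out of Linux audit records.

Added example for the util-linux --with-audit change discussed in this
thread; not part of util-linux or of the bug report. The record layout
(type=... msg=audit(ts:serial): key=value ... msg='...') is assumed to be
the one shown in the thread's verification comments.
"""
import re
from datetime import datetime, timezone

# Constructed sample records, modelled on the lines quoted in the thread:
# a successful change (new op= layout), an unrelated sudo USER_CMD record,
# and a failed change on a zLPAR using the older free-text layout.
SAMPLE_AUDIT_LOG = """\
type=USYS_CONFIG msg=audit(1512158548.257:24): pid=3081 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CMD msg=audit(1511896792.291:29): pid=3008 uid=1000 auid=1000 ses=2 msg='cwd="/home/ubuntu" cmd="hwclock" terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1512154473.517:12321): pid=84471 uid=0 auid=1000 ses=1134 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/1 res=failed'
"""

# type=NAME msg=audit(SECONDS.MILLIS:SERIAL): <body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; a value is single-quoted, double-quoted, or a bare token
# such as pts/0 or ? (audit user-space records do not escape quotes here).
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_fields(text):
    """Return the key=value pairs of an audit record body as a dict."""
    return {k: _unquote(v) for k, v in FIELD_RE.findall(text)}


def parse_record(line):
    """Parse one audit.log line; None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rec.update(parse_fields(m["body"]))
    # The msg='...' payload is itself key=value pairs, optionally preceded
    # by free text (older hwclock writes "changing system time exe=...").
    inner = rec.get("msg", "")
    first = FIELD_RE.search(inner)
    rec["msg_text"] = (inner[: first.start()] if first else inner).strip()
    rec["msg_fields"] = parse_fields(inner)
    return rec


def is_clock_change(rec):
    """True for the USYS_CONFIG record hwclock emits, in either layout."""
    if rec is None or rec["type"] != "USYS_CONFIG":
        return False
    fields = rec["msg_fields"]
    return (fields.get("op") == "change-system-time"
            or rec["msg_text"].startswith("changing system time"))


def clock_change_events(lines):
    """Normalise the hwclock records found in `lines` into flat event dicts."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if not is_clock_change(rec):
            continue
        fields = rec["msg_fields"]
        events.append({
            "time": datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
                            .isoformat(timespec="seconds"),
            "serial": rec["serial"],
            "op": fields.get("op", rec["msg_text"]),
            "uid": rec.get("uid"),     # effective uid (0: hwclock ran as root)
            "auid": rec.get("auid"),   # login uid: the human behind the sudo
            "ses": rec.get("ses"),
            "exe": fields.get("exe"),
            "terminal": fields.get("terminal"),
            "res": fields.get("res"),
        })
    return events


def report(events):
    """One line per event, with failed attempts marked for follow-up."""
    out = []
    for e in events:
        flag = "OK  " if e["res"] == "success" else "FAIL"
        out.append(f"{flag} {e['time']} auid={e['auid']} uid={e['uid']} "
                   f"ses={e['ses']} tty={e['terminal']} {e['exe']} "
                   f"{e['op']} res={e['res']}")
    return out


if __name__ == "__main__":
    for line in report(clock_change_events(SAMPLE_AUDIT_LOG.splitlines())):
        print(line)
```

Feed it /var/log/audit/audit.log, or the output of ausearch -m USYS_CONFIG --raw. Two points worth keeping in mind when using it: auid is the login uid, so a clock change made through sudo is still attributed to the real user (auid=1000 with uid=0 in the samples, as in the thread); and, as the bug description says, the record only reaches audit.log while auditd is running, so an empty result on a host without auditd is not evidence that the clock was left alone.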


[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2017-12-01 Thread Joy Latten
Verified on xenial on a P8 and a z13 zlpar.

From P8:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

$ uname -a
Linux  4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:53:44 UTC 2017 
ppc64le ppc64le ppc64le GNU/Linux

$ dpkg -l | grep util-linux
ii  util-linux 2.27.1-6ubuntu3.4
  ppc64el  miscellaneous system utilities

resulting log message, after altering system clock,

type=USYS_CONFIG msg=audit(1512153890.632:29): pid=26156 uid=0 auid=1000
ses=998 msg='changing system time exe="/sbin/hwclock" hostname=? addr=?
terminal=pts/0 res=success'



Test on z-13 zlpar,

$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

uname -a
Linux  4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:35:14 UTC 2017 s390x 
s390x s390x GNU/Linux

ubuntu@s1lp12:~$ dpkg -l | grep util-linux
ii  util-linux 2.27.1-6ubuntu3.4
  s390xmiscellaneous system utilities

$ /usr/bin/sudo hwclock --set --date "1/1/2000 00:00:00"
hwclock: Cannot access the Hardware Clock via any known method.
hwclock: Use the --debug option to see the details of our search for an access 
method.

This is correct behaviour since zlpar cannot access the hw clock and is
consistent with prior versions.

message logged indicates the failure, 
type=USYS_CONFIG msg=audit(1512154473.517:12321): pid=84471 uid=0 auid=1000 
ses=1134 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? 
terminal=pts/1 res=failed'


** Tags added: verification-done-xenial

** Description changed:

  [IMPACT]
  Enable auditing in util-linux. The config option, --with-audit enables 
auditing.
-  
- Only the hwclock and the login commands within util-linux package have source 
code for auditing. But that source code is disabled by default and requires the 
config option, --with-audit to enable it. The login command is not built nor 
shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, 
only hwclock command would be affected by this change.
+ 
+ Only the hwclock and the login commands within util-linux package have
+ source code for auditing. But that source code is disabled by default
+ and requires the config option, --with-audit to enable it. The login
+ command is not built nor shipped in util-linux. Ubuntu uses the login
+ command from shadow instead. Thus, only hwclock command would be
+ affected by this change.
  
  The change would enable the hwclock command to generate an audit log
  message to /var/log/audit/audit.log whenever it changes the hardware
- clock. This message will only get logged if auditd daemon is running.
- Otherwise, nothing gets logged.
+ clock. This message will only get logged to /var/log/audit/audit.log, if
+ auditd daemon is running. Otherwise, if the auditd is not running, like
+ most log messages, it will get logged to /var/log/kern.log and|or
+ /var/log/syslog if these services are enabled.
  
  That the hwclock generates an audit message when hardware clock is
  changed is a requirement for Common Criteria EAL2 certification for
  Xenial.
  
  [TEST]
  
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail. Attached the Common Criteria
  testcase below.
  
  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.

[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2017-11-28 Thread Joy Latten
** Tags added: verification-done-artful


Title:
  Enable auditing in util-linux.

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Xenial:
  In Progress
Status in util-linux source package in Zesty:
  In Progress
Status in util-linux source package in Artful:
  Fix Committed
Status in util-linux package in Debian:
  New

Bug description:
  [IMPACT]
  Enable auditing in util-linux. The config option, --with-audit enables 
auditing.
   
  Only the hwclock and the login commands within util-linux package have source 
code for auditing. But that source code is disabled by default and requires the 
config option, --with-audit to enable it. The login command is not built nor 
shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, 
only hwclock command would be affected by this change.

  The change would enable the hwclock command to generate an audit log
  message to /var/log/audit/audit.log whenever it changes the hardware
  clock. This message will only get logged if auditd daemon is running.
  Otherwise, nothing gets logged.

  That the hwclock generates an audit message when hardware clock is
  changed is a requirement for Common Criteria EAL2 certification for
  Xenial.

  [TEST]

  This has been tested on both P8 and amd64 architectures. With the
  patch all the Common Criteria testcases pass for hwclock. Before this
  patch, the functional part of the testcase passed, but the check for
  the triggered audit records would fail. Attached the Common Criteria
  testcase below.

  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.

  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.



[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2017-11-28 Thread Joy Latten
Sorry, comment #13 had a cut-and-paste issue.

log message is, 
type=USYS_CONFIG msg=audit(1511898182.500:184): pid=3305 uid=0 auid=1000 ses=2 
msg='op=change-system-time exe="/sbin/hwclock" hostname=artfulguest addr=? 
terminal=pts/0 res=success'



[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2017-11-28 Thread Joy Latten
Generated an artful VM and verified that this is fixed in artful.

ubuntu@artfulguest:~$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="17.10 (Artful Aardvark)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 17.10"
VERSION_ID="17.10"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=artful
UBUNTU_CODENAME=artful

altered the hwclock via: sudo hwclock --set --date "1/1/2000 00:00:00"

received following audit log message in appropriate log files when applicable.
type=USER_CMD msg=audit(1511896792.291:29): pid=3008 uid=1000 auid=1000 ses=2 
msg='cwd="/home/ubuntu" cmd="hwclock" terminal=pts/0 res=success'



[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2017-11-28 Thread Joy Latten
version of package verified on artful,
 
ubuntu@artfulguest:~$ dpkg -l | grep util-linux
ii  util-linux 2.30.1-0ubuntu4.1
amd64miscellaneous system utilities



[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.

2017-11-10 Thread Joy Latten
** Summary changed:

- [SRU][xenial] Enable auditing in util-linux.
+ Enable auditing in util-linux.


Title:
  Enable auditing in util-linux.

Status in util-linux package in Ubuntu:
  In Progress
Status in util-linux source package in Xenial:
  New
Status in util-linux source package in Zesty:
  New
Status in util-linux source package in Artful:
  New
Status in util-linux package in Debian:
  New



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
I have also submitted a patch against recent debian version of this
package to Debian. Just in case, I also noted in the debian bug thread
the following:

- util-linux package is Priority: required and the libaudit1 package is
Priority: optional.

Possibly this is no longer a problem in reference to a change in Version
4.0.1 listed here,
https://www.debian.org/doc/packaging-manuals/upgrading-checklist.txt


Title:
  [SRU][xenial] Enable auditing in util-linux.

Status in util-linux package in Ubuntu:
  In Progress
Status in util-linux source package in Xenial:
  New
Status in util-linux source package in Zesty:
  New
Status in util-linux source package in Artful:
  New
Status in util-linux package in Debian:
  New

Bug description:
  [IMPACT]
  Enable auditing in util-linux. The config option --with-audit enables
  auditing.

  Only the hwclock and the login commands within the util-linux package
  have source code for auditing, but that source code is disabled by
  default and requires the config option --with-audit to enable it. The
  login command is neither built nor shipped in util-linux; Ubuntu uses
  the login command from shadow instead. Thus, only the hwclock command
  would be affected by this change.

  The change would enable the hwclock command to generate an audit log
  message to /var/log/audit/audit.log whenever it changes the hardware
  clock. This message will only get logged if the auditd daemon is running.
  Otherwise, nothing gets logged.

  That hwclock generates an audit message when the hardware clock is
  changed is a requirement for Common Criteria EAL2 certification for
  Xenial.

  [TEST]

  This has been tested on both P8 and amd64 architectures. With the
  patch all the Common Criteria testcases pass for hwclock. Before this
  patch, the functional part of the testcase passed, but the check for
  the triggered audit records would fail. The Common Criteria testcase
  is attached below.

  Also, the util-linux package has testcases that get run during the
  build. All of these pass. A pointer to the build log is below.

  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not
  take away any current functionality. It just adds the ability to generate
  an audit entry when the system hardware clock is altered.


[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment added: "debdiff.bionic"
   
https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006681/+files/debdiff.bionic



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Changed in: util-linux (Ubuntu)
   Status: New => In Progress



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
Build logs and test runs can be found in PPA at,
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+packages

Please note, the versioning of the packages is incorrect in the PPA, my
apologies. I did them correctly in the debdiff for each release that I
have attached.

Comment #3 just contains the testcase I use to verify that the audit
entry is created when the config option is enabled.



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment added: "debdiff.artful"
   
https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006620/+files/debdiff.artful



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment added: "debdiff.zesty"
   
https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006619/+files/debdiff.zesty



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment added: "debdiff.xenial"
   
https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006617/+files/debdiff.xenial



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-11-09 Thread Joy Latten
** Attachment removed: "debdiff of version 3.3 and 3.4~joyppa2"
   
https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/4966026/+files/debdiff.out



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-10-10 Thread Joy Latten
** Description changed:

  [IMPACT]
- There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.
+ Enable auditing in util-linux. The config option, --with-audit enables 
auditing.
+  
+ Only the hwclock and the login commands within util-linux package have source 
code for auditing. But that source code is disabled by default and requires the 
config option, --with-audit to enable it. The login command is not built nor 
shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, 
only hwclock command would be affected by this change.
  
- Only the hwclock and the login commands within util-linux package use
- this --with-audit config option to enable auditing. However, it appears
- the login command is not built nor shipped in util-linux. Ubuntu uses
- the login command from shadow instead. Thus, only hwclock command would
- be affected by this change. The change would enable (1) call to
- audit_open to create a netlink socket descritor. (2) generate an audit
- entry when system hardware clock altered. The entry will be logged into
- the /var/log/audit/audit.log IF auditd is installed and running.
+ The change would enable the hwclock command to generate an audit log
+ message to /var/log/audit/audit.log whenever it changes the hardware
+ clock. This message will only get logged if auditd daemon is running.
+ Otherwise, nothing gets logged.
+ 
+ That the hwclock generates an audit message when hardware clock is
+ changed is a requirement for Common Criteria EAL2 certification for
+ Xenial.
  
  [TEST]
  
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail. Attached the Common Criteria
  testcase below.
  
  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.


[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.

2017-10-10 Thread Joy Latten
** Summary changed:

- [SRU][xenial] Add "--with-audit" config option so that the hwclock command 
creates an audit record when the hardware clock is altered.
+ [SRU][xenial] Enable auditing in util-linux.



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-10 Thread Joy Latten
** Bug watch added: Debian Bug tracker #745771
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745771

** Also affects: util-linux (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745771
   Importance: Unknown
   Status: Unknown



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
Comment #3 should have read "Common Criteria EAL2 hwclock testcase".

** Description changed:

  [IMPACT]
  There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.
  
- Only the hwclock and the login commands within util-linux package use this 
--with-audit config option to enable auditing. However, it appears the login 
command is not built nor shipped in util-linux. Ubuntu uses the login command 
from shadow instead. Thus, only hwclock command would be affected by this 
change. The change would enable (1) call to audit_open to create a netlink 
socket descritor. (2) generate an audit entry when system hardware clock 
altered. The entry will be logged into the /var/log/audit/audit.log IF auditd 
is installed and running.
-  
+ Only the hwclock and the login commands within util-linux package use
+ this --with-audit config option to enable auditing. However, it appears
+ the login command is not built nor shipped in util-linux. Ubuntu uses
+ the login command from shadow instead. Thus, only hwclock command would
+ be affected by this change. The change would enable (1) call to
+ audit_open to create a netlink socket descritor. (2) generate an audit
+ entry when system hardware clock altered. The entry will be logged into
+ the /var/log/audit/audit.log IF auditd is installed and running.
+ 
  [TEST]
  
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
- triggered audit records would fail.
+ triggered audit records would fail. Attached the Common Criteria
+ testcase below.
+ 
+ Also, the util-linux package has testcases that get run during the
+ build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1722313

Title:
  [SRU][xenial] Add "--with-audit" config option so that the hwclock
  command creates an audit record when the hardware clock is altered.

Status in util-linux package in Ubuntu:
  New

Bug description:
  [IMPACT]
  There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.

  Only the hwclock and the login commands within the util-linux package
  use this --with-audit config option to enable auditing. However, it
  appears the login command is not built nor shipped in util-linux.
  Ubuntu uses the login command from shadow instead. Thus, only the
  hwclock command would be affected by this change. The change would
  (1) enable a call to audit_open to create a netlink socket descriptor
  and (2) generate an audit entry when the system hardware clock is
  altered. The entry will be logged into /var/log/audit/audit.log IF
  auditd is installed and running.

  [TEST]

  This has been tested on both P8 and amd64 architectures. With the
  patch all the Common Criteria testcases pass for hwclock. Before this
  patch, the functional part of the testcase passed, but the check for
  the triggered audit records would fail. The Common Criteria testcase
  is attached below.

  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.

  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take
  away from any current functionality. It just adds the ability to generate an
  audit entry when the system hardware clock is altered.


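As a defender-side check on what the --with-audit build of hwclock gives you, here is an added example (not util-linux or Launchpad code) that parses auditd records and picks out the hardware-clock changes. It assumes the record hwclock emits through libaudit is of type USYS_CONFIG carrying op=change-system-time, an assumption taken from util-linux's hwclock.c rather than anything stated in this bug; the log lines are constructed.

```python
"""Pick hardware-clock changes out of auditd records.

Added example for this bug, not code from util-linux or Launchpad. It assumes
that hwclock built with --with-audit logs a user-space record of type
USYS_CONFIG carrying op=change-system-time (an assumption taken from
util-linux's hwclock.c, not something this bug states) and that the line
layout is the usual /var/log/audit/audit.log key=value form.
"""
import re
from datetime import datetime, timezone

# Constructed sample lines in audit.log layout; not captured from a real host.
SAMPLE_AUDIT_LOG = """\
type=USYS_CONFIG msg=audit(1507579200.123:4242): pid=3011 uid=0 auid=1000 ses=3 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/1 res=success'
type=USER_CMD msg=audit(1507579201.004:4243): pid=3010 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd="hwclock --systohc" terminal=pts/1 res=success'
type=SYSCALL msg=audit(1507579201.500:4244): arch=c000003e syscall=16 success=yes exit=0 ppid=3010 pid=3011 auid=1000 uid=0 comm="hwclock" exe="/sbin/hwclock"
type=USYS_CONFIG msg=audit(1507579300.500:4250): pid=3090 uid=0 auid=4294967295 ses=4294967295 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=? terminal=? res=failed'
"""

# type=... msg=audit(SECONDS.MILLIS:SERIAL): rest-of-record
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value where value is 'single-quoted', "double-quoted" or bare
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

UNSET_AUID = "4294967295"  # (unsigned)-1: no login session, e.g. run from cron or boot


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_record(line):
    """Parse one audit.log line into a flat dict, or return None if it is not a record.

    The nested msg='...' payload of user-space records is flattened into the
    same dict, so op=, exe= and res= become top-level keys.
    """
    match = HEADER_RE.match(line.strip())
    if not match:
        return None
    record = {
        "type": match["type"],
        "time": float(match["ts"]),
        "serial": int(match["serial"]),
    }
    for key, value in KV_RE.findall(match["rest"]):
        record[key] = _unquote(value)
    nested = record.pop("msg", None)
    if nested is not None:
        for key, value in KV_RE.findall(nested):
            record[key] = _unquote(value)
    return record


def hwclock_changes(log_text):
    """Return the records that show hwclock setting the hardware clock."""
    hits = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if (record is not None
                and record["type"] == "USYS_CONFIG"
                and record.get("op") == "change-system-time"):
            hits.append(record)
    return hits


def describe(record):
    """One-line summary an analyst can read: when, who, from where, outcome."""
    when = datetime.fromtimestamp(record["time"], tz=timezone.utc)
    auid = record.get("auid", "?")
    who = "no login session" if auid == UNSET_AUID else f"auid={auid}"
    return (f"{when:%Y-%m-%d %H:%M:%S UTC} serial={record['serial']} "
            f"hwclock change by {record.get('exe', '?')} pid={record.get('pid', '?')} "
            f"{who} terminal={record.get('terminal', '?')} res={record.get('res', '?')}")


if __name__ == "__main__":
    for hit in hwclock_changes(SAMPLE_AUDIT_LOG):
        print(describe(hit))
```

Records with res=failed or an unset auid are the ones worth a second look, since an EAL2 reviewer wants to know not just that the clock changed but who changed it and whether it succeeded.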

[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
** Attachment added: "EAL hwclock testcase"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+attachment/4966040/+files/test_hwclock.bash



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
Build log and tests run:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/13375821



[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
** Description changed:

  [IMPACT]
  There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.
  
- Only the hwclock and the login commands within util-linux package use
- this --with-audit config option to enable auditing. However, it appears
- the login command is not built nor shipped in util-linux. Ubuntu uses
- the login command from shadow instead. Thus, only hwclock command would
- be affected by this change. The change would enable (1) call to
- audit_open to create a netlink socket descritor. (2) generate an audit
- entry when system hardware clock altered. The entry will be logged into
- the /var/log/audit/audit.log IF auditd is installed and running.
- 
- [FIX]
- 
+ Only the hwclock and the login commands within util-linux package use this 
--with-audit config option to enable auditing. However, it appears the login 
command is not built nor shipped in util-linux. Ubuntu uses the login command 
from shadow instead. Thus, only hwclock command would be affected by this 
change. The change would enable (1) call to audit_open to create a netlink 
socket descritor. (2) generate an audit entry when system hardware clock 
altered. The entry will be logged into the /var/log/audit/audit.log IF auditd 
is installed and running.
+  
  [TEST]
  
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not take 
away from any current functionality. It just adds the ability to generate an 
audit entry when system hardware clock is altered.

** Attachment added: "debdiff of version 3.3 and 3.4~joyppa2"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+attachment/4966026/+files/debdiff.out



[Touch-packages] [Bug 1722313] [NEW] [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.

2017-10-09 Thread Joy Latten
Public bug reported:

[IMPACT]
There is a requirement for Common Criteria EAL2 certification that changes to 
the system's hardware clock be audited/monitored. In Ubuntu the hwclock command 
can be used to alter the system's hardware clock. Thus this event needs to be 
audited for EAL2. The hwclock command within util-linux has the ability to 
create an audit event when the system's hardware clock is altered, but this 
ability is enabled via the --with-audit config option. This option is currently 
not enabled.

Only the hwclock and the login commands within the util-linux package use
this --with-audit config option to enable auditing. However, it appears
the login command is not built nor shipped in util-linux. Ubuntu uses
the login command from shadow instead. Thus, only the hwclock command
would be affected by this change. The change would (1) enable a call to
audit_open to create a netlink socket descriptor and (2) generate an
audit entry when the system hardware clock is altered. The entry will be
logged into /var/log/audit/audit.log IF auditd is installed and running.

[FIX]

[TEST]

This has been tested on both P8 and amd64 architectures. With the patch
all the Common Criteria testcases pass for hwclock. Before this patch,
the functional part of the testcase passed, but the check for the
triggered audit records would fail.

[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take
away from any current functionality. It just adds the ability to generate an
audit entry when the system hardware clock is altered.

** Affects: util-linux (Ubuntu)
 Importance: Undecided
 Status: New

** Summary changed:

- Add "--with-audit" config option so that the hwclock command creates audit 
records when it is used to alter the hardware clock.
+ [SRU][xenial] Add "--with-audit" config option so that the hwclock command 
creates an audit record when the hardware clock is altered.



[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-09-13 Thread Joy Latten
I tested version 1.0.2g-1ubuntu4.3 with the death.c program from the
upstream openssl bug ticket 4559 and confirmed this problem is now
resolved.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

Status in OpenSSL:
  Unknown
Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Xenial:
  Fix Committed

Bug description:
  Description:  Ubuntu 16.04 LTS
  Release:  16.04

  openssl:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
  500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 
Packages
  500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 
Packages
  100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  CRYPTO_set_mem_functions() always returns 0 because library
  initialization already calls CRYPTO_malloc() and disables it:

  #0  CRYPTO_malloc (num=num@entry=1168, file=file@entry=0x770ae02c 
"fips_drbg_lib.c",
  line=line@entry=106) at mem.c:329
  #1  0x770596df in FIPS_drbg_new (type=type@entry=0, 
flags=flags@entry=0)
  at fips_drbg_lib.c:106
  #2  0x7705aeb9 in FIPS_drbg_health_check (
  dctx=dctx@entry=0x7731c960 ) at fips_drbg_selftest.c:760
  #3  0x770595f0 in FIPS_drbg_init (dctx=dctx@entry=0x7731c960 
,
  type=, flags=) at fips_drbg_lib.c:94
  #4  0x76fe38f3 in RAND_init_fips () at rand_lib.c:287
  #5  0x76f26f7a in OPENSSL_init_library () at o_init.c:119
  #6  0x77de74ea in call_init (l=, argc=argc@entry=1,
  argv=argv@entry=0x7fffe5e8, env=env@entry=0x7fffe5f8) at 
dl-init.c:72
  #7  0x77de75fb in call_init (env=0x7fffe5f8, argv=0x7fffe5e8, 
argc=1,
  l=) at dl-init.c:30
  #8  _dl_init (main_map=main_map@entry=0x640380, argc=1, argv=0x7fffe5e8,
  env=0x7fffe5f8) at dl-init.c:120

  This doesn't happen in upstream OpenSSL or in Debian's OpenSSL.
  Looking at the patches, this is caused by FIPS_drbg_init() in
  openssl-1.0.2g-fips.patch:

  +if (!(dctx->xflags & DRBG_FLAG_TEST)) {
  +if (!FIPS_drbg_health_check(dctx)) {
  +FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
  +return 0;
  +}
  +}
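Review bot: FIPS_drbg_health_check() is called here unconditionally from FIPS_drbg_init(), and the backtrace above shows that path being entered from the OPENSSL_init_library constructor via RAND_init_fips(); the first FIPS_drbg_new() in the health check allocates through CRYPTO_malloc before main() runs, which is what makes CRYPTO_set_mem_functions() return 0 for every program linked against this build, whether or not it ever enables FIPS mode. Suggest deferring the health check (or the RAND_init_fips() call that reaches it) until FIPS mode is actually requested, so applications that never turn FIPS on keep the ability to install their own allocators.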

  I don't want any FIPS mode enabled though, so does it really even need
  to call RAND_init_fips() then?



[Touch-packages] [Bug 1588524] Re: FIPS_mode_set reports incorrect error message

2016-09-13 Thread Joy Latten
I tested this on 1.0.2g-1ubuntu4.3 using the openssl_fips_test.c that
was attached. All worked as expected and I received the expected
error message, verifying that this issue has been resolved in
1.0.2g-1ubuntu4.3.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1588524

Title:
  FIPS_mode_set reports incorrect error message

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  Hi! Some integration tests we run attempt to enable FIPS mode in
  OpenSSL, and assert that either our software continues to work, or
  that the error message emitted by OpenSSL is related to missing the
  FIPS module.

  On Ubuntu 14.10, running FIPS_mode_set fails and produces an error like:
  140225357260448:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:92:

  On Ubuntu 16.04 running OpenSSL/libssl1.0.0 version 1.0.2g-1ubuntu4.1,
  FIPS_mode_set fails, but does not produce an error message.

  I have attached a C file which, when executed on both these platforms,
  will demonstrate this behavior.

  I believe this may have been introduced by this ticket:
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  It provides a patch called openssl-1.0.2g-ubuntu-fips-cleanup.patch which
  includes this statement:
  +@@ -443,6 +430,7 @@ int FIPS_module_mode_set(int onoff, const char *auth)
  + fips_selftest_fail = 0;
  + ret = 1;
  +  end:
  ++ERR_clear_error(); /* clear above err msg; fips mode disabled for now */
  + fips_clear_owning_thread();
  + fips_w_unlock();
  + return ret;
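Review bot: the ERR_clear_error() added at the end: label runs on every exit from FIPS_module_mode_set(), not only after the success path that sets ret = 1, so any earlier goto end on a failure path has its queued error discarded too; that is why the "fips mode not supported" reason the 14.10 build reported no longer reaches callers that check the error queue after a failed FIPS_mode_set(). Suggest clearing only the specific entry the comment refers to on the success path, or leaving the queue intact when ret is 0, so callers can still tell "fips mode not supported" from other failures.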

  This appears to be clearing the error messages we're asserting on
  before returning from FIPS_module_mode_set.

  For reference, here is our ticket where we are tracking this issue:
  https://jira.mongodb.org/browse/SERVER-24350



[Touch-packages] [Bug 1613658] Re: OPENSSL_init_library () crash in conjunction with faketime

2016-08-18 Thread Joy Latten
I forgot to add, we will file a bug with Debian to pick up this commit.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1613658

Title:
  OPENSSL_init_library () crash in conjunction with faketime

Status in openssl package in Ubuntu:
  New

Bug description:
  Programs that use the openssl library will crash when they are run
  under "faketime" (the tool that sets the system date to a certain
  faked time/date).

  Impact: this bug makes it impossible to do a deterministic build of an
  application using, for example, cmake and faketime.

  Also, according to https://github.com/wolfcw/libfaketime/issues/93,
  this is not a bug in libfaketime or cmake. It comes from the openssl
  library.

  Reproduce example:
  $ REFERENCE_DATETIME="2016-08-05 00:00:00"
  $ export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
  $ export FAKETIME=$REFERENCE_DATETIME
  $ cmake . --> Segmentation fault (core dumped)  ## Even with empty CMakeLists.txt file

  
  ($gdb cmake .) output:
  (gdb) run
  Starting program: /usr/bin/cmake 
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

  Program received signal SIGSEGV, Segmentation fault.
  0x in ?? ()
  (gdb) bt
  #0  0x in ?? ()
  #1  0x77bd16d2 in time () from 
/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
  #2  0x749c1f79 in RAND_poll () from 
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #3  0x749c0bd5 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #4  0x749c1603 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #5  0x74a37288 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #6  0x74a37914 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #7  0x749c1993 in RAND_init_fips () from 
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #8  0x74904f7a in OPENSSL_init_library () from 
/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #9  0x77de74ea in call_init (l=, argc=argc@entry=1, 
argv=argv@entry=0x7fffec08, env=env@entry=0x7fffec18) at dl-init.c:72
  #10 0x77de75fb in call_init (env=0x7fffec18, argv=0x7fffec08, 
argc=1, l=) at dl-init.c:30
  #11 _dl_init (main_map=0x77ffe168, argc=1, argv=0x7fffec08, 
env=0x7fffec18) at dl-init.c:120
  #12 0x77dd7cfa in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
  #13 0x0001 in ?? ()
  #14 0x7fffee15 in ?? ()
  #15 0x in ?? ()

  
  ubuntu release:
  $ lsb_release -a ; uname  -a 
  No LSB modules are available.
  Distributor ID:   Ubuntu
  Description:  Ubuntu 16.04.1 LTS
  Release:  16.04
  Codename: xenial
  Linux gitian 4.2.0-42-generic #49-Ubuntu SMP Tue Jun 28 21:26:26 UTC 2016 
x86_64 x86_64 x86_64 GNU/Linux

  
  openssl version:
  $ apt-cache policy openssl
  openssl:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
  500 http://10.0.3.2:3142/security.ubuntu.com/ubuntu 
xenial-security/main amd64 Packages
  500 http://10.0.3.2:3142/archive.ubuntu.com/ubuntu 
xenial-updates/main amd64 Packages
  100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://10.0.3.2:3142/archive.ubuntu.com/ubuntu xenial/main amd64 
Packages



[Touch-packages] [Bug 1613658] Re: OPENSSL_init_library () crash in conjunction with faketime

2016-08-18 Thread Joy Latten
Marcelo and I took a look at this...

o_init.c in openssl has the following constructor, introduced for fips:
void __attribute__ ((constructor)) OPENSSL_init_library(void)

OPENSSL_init_library(), when OPENSSL_FIPS is defined, calls
RAND_init_fips(), which eventually calls RAND_poll(), which calls
time(NULL). This can get called before libfaketime has initialized, thus
the core dump.

We noticed the following commit in libfaketime that takes care of the
constructor situation:
https://github.com/wolfcw/libfaketime/commit/0bde083556e243e87bddaaf94e68f2ef85dad769
This commit allows libfaketime to call its init routine if it has not yet
been called. This commit is not in the current version of libfaketime in
xenial.

I compiled libfaketime from github and tried my testcase and it worked.
I used the testcase that was referenced above at
https://github.com/wolfcw/libfaketime/issues/93

So we need the above commit for libfaketime.


** Bug watch added: github.com/wolfcw/libfaketime/issues #93
   https://github.com/wolfcw/libfaketime/issues/93

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1613658

Title:
  OPENSSL_init_library () crash in conjunction with faketime

Status in openssl package in Ubuntu:
  New

Bug description:
  Program that use library openssl will crash when they are run in
  "faketime" (in the tool that sets system date to certain faked
  time/date).

  Impact: this bug makes it impossible to do deterministic build of
  application using for example cmake and faketime.

  Also according to https://github.com/wolfcw/libfaketime/issues/93
  This is not a bug of libfaketime or cmake. This bug comes from openssl 
library.

  
  Reproduce example:
  $ REFERENCE_DATETIME="2016-08-05 00:00:00"  
  $ export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
  $ export FAKETIME=$REFERENCE_DATETIME
  $ cmake . --> Segmentation fault (core dumped)  ## Even with empty 
CMakeLists.txt file

  
  ($ gdb cmake .) output:
  (gdb) run
  Starting program: /usr/bin/cmake
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

  Program received signal SIGSEGV, Segmentation fault.
  0x in ?? ()
  (gdb) bt
  #0  0x in ?? ()
  #1  0x77bd16d2 in time () from /usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
  #2  0x749c1f79 in RAND_poll () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #3  0x749c0bd5 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #4  0x749c1603 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #5  0x74a37288 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #6  0x74a37914 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #7  0x749c1993 in RAND_init_fips () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #8  0x74904f7a in OPENSSL_init_library () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
  #9  0x77de74ea in call_init (l=, argc=argc@entry=1, argv=argv@entry=0x7fffec08, env=env@entry=0x7fffec18) at dl-init.c:72
  #10 0x77de75fb in call_init (env=0x7fffec18, argv=0x7fffec08, argc=1, l=) at dl-init.c:30
  #11 _dl_init (main_map=0x77ffe168, argc=1, argv=0x7fffec08, env=0x7fffec18) at dl-init.c:120
  #12 0x77dd7cfa in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
  #13 0x0001 in ?? ()
  #14 0x7fffee15 in ?? ()
  #15 0x in ?? ()

  
  ubuntu release:
  $ lsb_release -a ; uname -a
  No LSB modules are available.
  Distributor ID:   Ubuntu
  Description:      Ubuntu 16.04.1 LTS
  Release:          16.04
  Codename:         xenial
  Linux gitian 4.2.0-42-generic #49-Ubuntu SMP Tue Jun 28 21:26:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

  openssl version:
  $ apt-cache policy openssl
  openssl:
    Installed: 1.0.2g-1ubuntu4.1
    Candidate: 1.0.2g-1ubuntu4.1
    Version table:
   *** 1.0.2g-1ubuntu4.1 500
          500 http://10.0.3.2:3142/security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          500 http://10.0.3.2:3142/archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.0.2g-1ubuntu4 500
          500 http://10.0.3.2:3142/archive.ubuntu.com/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1613658/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1614210] [NEW] Remove incomplete fips in openssl in xenial.

2016-08-17 Thread Joy Latten
Public bug reported:

Package: openssl-1.0.2g-1ubuntu4.1
Distro: xenial

The openssl package contains incomplete fips patches. Given that the fips work is
incomplete, will not be completed in the main archive, and is impacting
customers, the patches should be withdrawn. See lp bugs 1593953,
1591797, 1594748, 1588524, 1613658. Removal of these fips patches will
remove these fips-related issues.

[Test case]
1. Problem in 1594748
Note: this problem was reported in upstream openssl and the testcase was posted there also.
https://rt.openssl.org/Ticket/Display.html?id=4559

CRYPTO_set_mem_functions() always returns 0 because library
initialization within fips code already calls CRYPTO_malloc() and
disables it.

This testcase should cause openssl to abort, but instead it returns a
context.

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>

/* Replacement allocators that abort: if CRYPTO_set_mem_functions() took
 * effect, the first allocation inside SSL_library_init() would abort. */
void * my_alloc(size_t n) { abort(); }
void my_free(void *p) { abort(); }
void * my_realloc(void *p, size_t n) { abort(); }

int main(int argc, const char **argv)
{
  const SSL_METHOD *method;
  SSL_CTX *ctx;
  /* Returns 0 and is ignored once CRYPTO_malloc() has already been called
   * during library initialization (here, from the FIPS DRBG self-test). */
  CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
  SSL_library_init();
  method = SSLv23_client_method();
  ctx = SSL_CTX_new(method);
  printf("Got ctx %p\n", (void *)ctx);
  return 0;
}

2. Problem in 1593953
EC key generation allows the user to generate keys using EC curves that the EC sign
and verify do not support when OPENSSL_FIPS is defined.
Testcase taken from lp #1593953

openssl ecparam -genkey -name Oakley-EC2N-4

will fail when OPENSSL_FIPS is defined since it causes a fips key-pair
consistency check to be done.
Otherwise, without OPENSSL_FIPS defined, the check is not done.

3. Problem reported in 1588524
Error code being skipped...

Testcase taken from lp #1588524

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int main() {
    int rc;
    unsigned long fips_err;
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    rc = FIPS_mode_set(1);
    fips_err = ERR_peek_last_error();

    // FIPS_mode_set will return 0 on failure, which is expected if
    // the FIPS module is not compiled. In this case, we should then
    // be able to get the error code
    // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
    // https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
    printf("%d %lu\n", rc, fips_err);
    ERR_print_errors_fp(stdout);

    ERR_free_strings();
    return 0;
}

Should report an error message.

[ Regression potential ]
Removing the fips patches should decrease the regression potential of openssl in
the main archive.

** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

+ openssl-1.0.2g-1ubuntu4.1 in xenial.
+ 
  The openssl contains incomplete fips patches. In light that the fips is
  incomplete and will not be completed in the main archive and they are
  impacting customers, they should be withdrawn. See lp bugs 1593953,
  1591797, 1594748, 1588524, 1613658. Removal of these fips patches will
  remove these fips-related issues.
  
  [Test case]
- 1. Problem in 1594748 
+ 1. Problem in 1594748
  Note: this problem was reported in upstream openssl and testcase posted there 
also.
  https://rt.openssl.org/Ticket/Display.html?id=4559
  
  CRYPTO_set_mem_functions() always returns 0 because library
  initialization within fips code already calls CRYPTO_malloc() and
  disables it.
  
  This testcase should cause openssl to abort, but instead it returns a
  context.
  
  #include 
  #include 
  #include 
  void * my_alloc(size_t n) { abort(); }
  void my_free(void *p) { abort(); }
  void * my_realloc(void *p, size_t n) { abort(); }
  int main(int argc, const char **argv)
  {
-   const SSL_METHOD *method;
-   SSL_CTX *ctx;
-   CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
-   SSL_library_init();
-   method = SSLv23_client_method();
-   ctx = SSL_CTX_new(method);
-   printf("Got ctx %p\n", ctx);
-   return 0;
+   const SSL_METHOD *method;
+   SSL_CTX *ctx;
+   CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
+   SSL_library_init();
+   method = SSLv23_client_method();
+   ctx = SSL_CTX_new(method);
+   printf("Got ctx %p\n", ctx);
+   return 0;
  }
  
  2. Problem in 1593953
  EC key generation allows user to generate keys using EC curves that the EC 
sign and verify
  do not support when OPENSSL_FIPS is defined.
  Testcase taken from lp #1593953
  
  openssl ecparam -genkey -name Oakley-EC2N-4
  
  will fail when OPENSSL_FIPS is defined since it causes a fips key-pair 
consistency check to be done.
  Otherwise, without OPENSSL_FIPS defined, the check is not done.
  
  3. Problem reported in 1588524
  Error code being skipped...
  
  Testcase taken from lp #1588524
  
  #include 
  #include 
  
  int main() {
- int rc;
- unsigned long fips_err;
- SSL_library_init();
- SSL_load_error_strings();
- ERR_load_crypto_strings();
- OpenSSL_add_all_algorithms();
- rc = FIPS_mode_set(1);
- fips_err = ERR_peek_last_error();
+ int rc;
+ unsigned long 

[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-08-16 Thread Joy Latten
Investigating.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

Status in OpenSSL:
  Unknown
Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  Description:  Ubuntu 16.04 LTS
  Release:  16.04

  openssl:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
          500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
  100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  CRYPTO_set_mem_functions() always returns 0 because library
  initialization already calls CRYPTO_malloc() and disables it:

  #0  CRYPTO_malloc (num=num@entry=1168, file=file@entry=0x770ae02c "fips_drbg_lib.c", line=line@entry=106) at mem.c:329
  #1  0x770596df in FIPS_drbg_new (type=type@entry=0, flags=flags@entry=0) at fips_drbg_lib.c:106
  #2  0x7705aeb9 in FIPS_drbg_health_check (dctx=dctx@entry=0x7731c960 ) at fips_drbg_selftest.c:760
  #3  0x770595f0 in FIPS_drbg_init (dctx=dctx@entry=0x7731c960 , type=, flags=) at fips_drbg_lib.c:94
  #4  0x76fe38f3 in RAND_init_fips () at rand_lib.c:287
  #5  0x76f26f7a in OPENSSL_init_library () at o_init.c:119
  #6  0x77de74ea in call_init (l=, argc=argc@entry=1, argv=argv@entry=0x7fffe5e8, env=env@entry=0x7fffe5f8) at dl-init.c:72
  #7  0x77de75fb in call_init (env=0x7fffe5f8, argv=0x7fffe5e8, argc=1, l=) at dl-init.c:30
  #8  _dl_init (main_map=main_map@entry=0x640380, argc=1, argv=0x7fffe5e8, env=0x7fffe5f8) at dl-init.c:120

  This doesn't happen in upstream OpenSSL or in Debian's OpenSSL.
  Looking at the patches, this is caused by FIPS_drbg_init() in
  openssl-1.0.2g-fips.patch:

  +if (!(dctx->xflags & DRBG_FLAG_TEST)) {
  +if (!FIPS_drbg_health_check(dctx)) {
  +FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
  +return 0;
  +}
  +}
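Review bot: the health check this block adds allocates before the application gets control. FIPS_drbg_health_check() reaches CRYPTO_malloc() through FIPS_drbg_new() (frames #0 to #2 in the backtrace above), and because FIPS_drbg_init() is reached from OPENSSL_init_library() at load time, that first allocation is what makes every later CRYPTO_set_mem_functions() call return 0. Either run the DRBG self-test lazily (on the first FIPS_mode_set(1) or the first DRBG use) or gate the `if (!(dctx->xflags & DRBG_FLAG_TEST))` block on FIPS mode actually being requested, so that an application which never wants FIPS keeps the ability to install its own allocator.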

  I don't want any FIPS mode enabled though, so does it really even need
  to call RAND_init_fips() then?

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
Waiting to see upstream commit/fix for this since this is an issue in
the upstream openssl code when OPENSSL_FIPS is defined.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

Status in OpenSSL:
  Unknown
Status in openssl package in Ubuntu:
  New



[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
Just as a note, the fips mode is not enabled in 1.0.2g-1ubuntu4.1. But
OPENSSL_FIPS is defined and its codes compiled in. Thus in
OPENSSL_init_library(), the RAND_init_fips() is included in.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

Status in OpenSSL:
  Unknown
Status in openssl package in Ubuntu:
  New



[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
** Also affects: openssl via
   http://rt.openssl.org/Ticket/Display.html?id=4559
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

Status in OpenSSL:
  Unknown
Status in openssl package in Ubuntu:
  New



[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
Ok, this is also "broken" or an issue in upstream openssl 1.0.2 when 
OPENSSL_FIPS is defined. 
See, https://rt.openssl.org/Ticket/Display.html?id=4559#txn-68189 or
http://rt.openssl.org/Ticket/Display.html?id=4559

** Bug watch added: OpenSSL RT #4559
   http://rt.openssl.org/Ticket/Display.html?id=4559

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

Status in openssl package in Ubuntu:
  New



[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken

2016-06-21 Thread Joy Latten
Looking into this...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

Status in openssl package in Ubuntu:
  New



[Touch-packages] [Bug 1593953] Re: EC_KEY_generate_key() causes FIPS self-test failure

2016-06-20 Thread Joy Latten
Looking into this...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1593953

Title:
  EC_KEY_generate_key() causes FIPS self-test failure

Status in openssl package in Ubuntu:
  New

Bug description:
  EC_KEY_generate_key() internally calls fips_pkey_signature_test()
  which performs a pairwise check by ECDSA signing/verifying, but some
  groups don't support ECDSA.

  For example, `openssl ecparam -genkey -name Oakley-EC2N-4` fails.
  Unfortunately `openssl ecparam` doesn't give any useful information so
  I modified a bit:

  ~~~
  diff --git a/apps/ecparam.c b/apps/ecparam.c
  index 71b67f4..db89c2f 100644
  --- a/apps/ecparam.c
  +++ b/apps/ecparam.c
  @@ -585,6 +585,7 @@ int MAIN(int argc, char **argv)
   
   if (!EC_KEY_generate_key(eckey)) {
   EC_KEY_free(eckey);
  +ERR_print_errors(bio_err);
   goto end;
   }
   if (outformat == FORMAT_ASN1)
  ~~~
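Review bot: worth keeping as a real fix rather than a one-off debugging change: without the added `ERR_print_errors(bio_err);` the failure path `EC_KEY_free(eckey); goto end;` exits silently, so the FIPS pairwise-test failure in the output below never reaches a user of the stock binary, which is exactly the "doesn't give any useful information" problem described above.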

  And I got:

  ~~~
  $ LD_LIBRARY_PATH=$(pwd)/target/lib ./target/bin/openssl ecparam -genkey -name Oakley-EC2N-4
  -----BEGIN EC PARAMETERS-----
  BgA=
  -----END EC PARAMETERS-----
  140614096975512:error:0306E06C:bignum routines:BN_mod_inverse:no inverse:bn_gcd.c:525:
  140614096975512:error:0306E06C:bignum routines:BN_mod_inverse:no inverse:bn_gcd.c:525:
  140614096975512:error:2A067003:lib(42):ECDSA_sign_setup:BN lib:ecs_ossl.c:206:
  140614096975512:error:2A06502A:lib(42):ECDSA_do_sign:reason(42):ecs_ossl.c:302:
  140614096975512:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:166:
  140614096975512:error:2D06A07F:FIPS routines:FIPS_CHECK_EC:pairwise test failed:ec_key.c:249:
  ~~~

  I'm using Ubuntu 16.04 and openssl 1.0.2g-1ubuntu4.1.

  This was originally reported at Ruby's issue tracker:

  https://bugs.ruby-lang.org/issues/12504

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1593953/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
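The failing curve above was found by hand. As an added example, not code from the bug report or from OpenSSL, the script below automates that check for a whole installation: it lists every curve the local `openssl` knows and reports the ones for which `ecparam -genkey` fails, which under the xenial FIPS patches means the curve trips the pairwise sign/verify check in EC_KEY_generate_key(). The `OPENSSL` variable is an assumption of this script (so a locally built openssl, or a stub in tests, can be exercised), and the constructed `-list_curves` lines in the test are not real program output.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSL): report which EC
# curves fail key generation on this host.  OPENSSL is an assumed override
# for the openssl binary to test.
OPENSSL="${OPENSSL:-openssl}"

# Turn `openssl ecparam -list_curves` output into one curve name per line.
# Listing lines look like "  secp256k1 : SECG curve over a 256 bit prime field";
# the Oakley entries put their description on a following line that has no
# colon, so that line is dropped.
curve_names() {
    sed -n 's/^[[:space:]]*\([^[:space:]:]\{1,\}\)[[:space:]]*:.*/\1/p'
}

# Read curve names from stdin; print the ones whose key generation fails.
# The generated key goes to /dev/null; only the exit status matters here.
failing_curves() {
    while IFS= read -r curve; do
        [ -n "$curve" ] || continue
        if ! "$OPENSSL" ecparam -genkey -name "$curve" >/dev/null 2>&1; then
            printf '%s\n' "$curve"
        fi
    done
}

# Full audit: how many curves are listed, then the failing ones (empty when
# every curve generates a key, as on a build without the FIPS patches).
audit_curves() {
    names=$("$OPENSSL" ecparam -list_curves | curve_names)
    printf 'curves listed: %s\n' "$(printf '%s\n' "$names" | grep -c .)"
    printf '%s\n' "$names" | failing_curves
}

# Run the audit only when invoked as `sh this_script.sh --run`.
if [ "${1:-}" = "--run" ]; then
    audit_curves
fi
```

On the affected package the output lists Oakley-EC2N-4 and any other curve whose ECDSA pairwise test cannot succeed; on a build without OPENSSL_FIPS the failing list is empty, which is the quickest way to confirm which of the two behaviours a host has.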


[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-06-13 Thread Joy Latten
This is a FIPS 140-2 requirement.
The FIPS_mode_set(1) in init_fips_mode() called from OPENSSL_init_library is to
satisfy the FIPS 140-2, Section 4.9 requirement that the power-up selftest be run
when the module is powered up. This must be done regardless of whether the
module is to be run in FIPS mode or not. Reading the /proc entry only indicates
whether to run the module in FIPS mode.

Note: The FIPS code in openssl in Xenial is a work-in-progress and is not
complete.
All effort is made to optimize the power-up selftest as much as possible.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  New

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed
  in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  always run the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf
  (beaglebone and raspberry pi 2&3) is significant (~ 700ms).  On amd64
  it is measurable but far less significant (~ 10ms).  On a long running
  process this may be insignificant, but for command line tools this is
  problematic.  I've seen performance differences with wget, dig,
  nslookup, and host.  I am sure there are others.  The specific numbers
  above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:
  static void init_fips_mode(void)
  {
      char buf[2] = "0";
      int fd;

      /* Ensure the selftests always run */
      FIPS_mode_set(1);

      /* For now, do not enforce fips mode via env var
      if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
          buf[0] = '1';
      } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { */
      if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
          while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
          close(fd);
      }
      /* Failure reading the fips mode switch file means just not
       * switching into FIPS mode. We would break too many things
       * otherwise..
       */

      if (buf[0] != '1') {
          /* drop down to non-FIPS mode if it is not requested */
          FIPS_mode_set(0);
      } else {
          /* abort if selftest failed */
          FIPS_selftest_check();
      }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled
  exists, and is 1.  This still meets the original proposal as written in the
  1553309 thread:
  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass

  To see the performance differences you can build and time the following
  program:
  #include <openssl/ssl.h>
  #include <openssl/evp.h>

  int main() {
      /* Loading libcrypto already runs OPENSSL_init_library() and with it the
       * FIPS power-up selftests; this call just makes the program use the library. */
      OpenSSL_add_ssl_algorithms();
      return 0;
  }

  To measure the system performance without FIPS I installed 1.0.2g-1ubuntu2
  from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu2 on both
  armhf and amd64.  I have also recompiled 1.0.2g-1ubuntu4.1 with the call to
  FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the
  following times:
  real    0m0.690s
  real    0m0.683s
  real    0m0.705s
  real    0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to
  FIPS_mode_set(1) commented out:
  real    0m0.010s
  real    0m0.010s
  real    0m0.009s
  real    0m0.012s
  real    0m0.010s

  The same system with 1.0.2g-1ubuntu2:
  real    0m0.010s
  real    0m0.009s
  real    0m0.009s
  real    0m0.011s
  real    0m0.012s

  
  Here is some information about my system:
  $ lsb_release -rd
  Description:    Ubuntu 16.04 LTS
  Release:        16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
    Installed: 1.0.2g-1ubuntu4.1
    Candidate: 1.0.2g-1ubuntu4.1
    Version table:
   *** 1.0.2g-1ubuntu4.1 500
          500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
          500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
          100 /var/lib/dpkg/status
       1.0.2g-1ubuntu4 500
          500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
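The init_fips_mode() excerpt quoted above makes a two-way decision from the kernel switch file, and the reporter measured the cost of the always-on selftests with `time`. As an added example, not code from the bug thread or from the Ubuntu openssl package, the script below redoes both from the shell for auditing a host: `fips_switch` reads the switch file the way the library does (only a leading '1' requests FIPS enforcement) but keeps "switch off" separate from "switch unreadable", which the library collapses into non-FIPS mode, and `mean_startup_ms` averages the wall-clock start-up of a command over several runs. `FIPS_SWITCH_FILE` as an overridable variable and the use of GNU `date` `%N` are assumptions of this script; the files written in the test are constructed, not real /proc entries.

```shell
#!/bin/sh
# Added example (not from the bug report or the openssl package): audit the
# FIPS switch file and measure library start-up cost.  FIPS_SWITCH_FILE is an
# assumed override; the default is the path the bug report names.
FIPS_SWITCH_FILE="${FIPS_SWITCH_FILE:-/proc/sys/crypto/fips_enabled}"

# fips_switch [FILE]: print on/off/unreadable; exit status 0 only for "on".
# Mirrors init_fips_mode(): a leading '1' means FIPS enforcement is requested,
# anything else means it is not.  Unlike the library, an unreadable or empty
# file is reported as such rather than silently treated as "off".
fips_switch() {
    f="${1:-$FIPS_SWITCH_FILE}"
    if [ ! -r "$f" ]; then
        echo unreadable
        return 2
    fi
    # dd reads a single byte, the only byte the library's read() looks at.
    first=$(dd if="$f" bs=1 count=1 2>/dev/null)
    case "$first" in
        1)  echo on; return 0 ;;
        '') echo unreadable; return 2 ;;   # empty file or read failure
        *)  echo off; return 1 ;;
    esac
}

# mean_startup_ms CMD [N]: run CMD (word-split, so pass a simple command)
# N times (default 5) and print the mean wall-clock time in milliseconds.
# Assumes GNU date, whose %N gives nanoseconds.
mean_startup_ms() {
    cmd=$1
    n=${2:-5}
    i=0
    total=0
    while [ "$i" -lt "$n" ]; do
        start=$(date +%s%N)
        $cmd >/dev/null 2>&1
        end=$(date +%s%N)
        total=$((total + (end - start) / 1000000))
        i=$((i + 1))
    done
    echo $((total / n))
}

# Usage: report the switch state and the start-up cost of `openssl version`.
# Any process that loads libcrypto pays for OPENSSL_init_library(); the
# backtraces in this thread show it running from the dynamic loader's _dl_init.
if [ "${1:-}" = "--run" ]; then
    printf '%s: %s\n' "$FIPS_SWITCH_FILE" "$(fips_switch)"
    printf 'mean start-up of "openssl version": %s ms\n' \
        "$(mean_startup_ms "openssl version")"
fi
```

Comparing `mean_startup_ms "openssl version"` between the 1.0.2g-1ubuntu4.1 and 1.0.2g-1ubuntu2 packages reproduces the ~700 ms versus ~10 ms gap the reporter saw on armhf; the `unreadable` result is the case to watch for on containers and kernels without the crypto sysctl, where the library will quietly run without FIPS enforcement.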


[Touch-packages] [Bug 1588524] Re: FIPS_mode_set reports incorrect error message

2016-06-02 Thread Joy Latten
Will definitely remove clearing the error as we continue completing the
code.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1588524

Title:
  FIPS_mode_set reports incorrect error message

Status in openssl package in Ubuntu:
  New

Bug description:
  Hi! Some integration tests we run attempt to enable FIPS mode in
  OpenSSL, and assert that either our software continues to work, or
  that the error message emitted by OpenSSL is related to missing the
  FIPS module.

  On Ubuntu 14.10, running FIPS_mode_set fails and produces an error like:
  140225357260448:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:92:

  On Ubuntu 16.04 running OpenSSL/libssl1.0.0 version 1.0.2g-1ubuntu4.1,
  FIPS_mode_set fails, but does not produce an error message.

  I have attached a C file which, when executed on both these platforms,
  will demonstrate this behavior.

  I believe this may have been introduced by this ticket:
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  It provides a patch called openssl-1.0.2g-ubuntu-fips-cleanup.patch which
  includes this statement:
  +@@ -443,6 +430,7 @@ int FIPS_module_mode_set(int onoff, const char *auth)
  + fips_selftest_fail = 0;
  + ret = 1;
  +  end:
  ++ERR_clear_error(); /* clear above err msg; fips mode disabled for now */
  + fips_clear_owning_thread();
  + fips_w_unlock();
  + return ret;
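Review bot: the added `ERR_clear_error();` sits after the `end:` label, so it runs on every exit from FIPS_module_mode_set(), including the failure paths that jump to `end` without reaching `ret = 1`. A caller that checks the return value and then reads the queue, as the test program described here does, gets a failure with no reason attached. If the intent is only to hide the message while FIPS mode is disabled, clear the queue on the success path next to `ret = 1`, or in the caller that decides FIPS is unsupported, and leave the failure reason in place.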

  This appears to be clearing the error messages we're asserting on
  before returning from FIPS_module_mode_set.

  For reference, here is our ticket where we are tracking this issue:
  https://jira.mongodb.org/browse/SERVER-24350

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1588524/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1588524] Re: FIPS_mode_set reports incorrect error message

2016-06-02 Thread Joy Latten
I purposely cleared this error message from the queue so that no one would be 
distracted or thwarted by the addition of the fips code while it is a work in 
progress and not complete. FIPS_module_mode_set() at this point will always 
fail and return an error code. 
But yes, I see in your test program that you also want to print the error
message if you get an error code.



[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-26 Thread Joy Latten
I have subscribed to openssl bug reports.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1553309

Title:
  [FFe]: Include FIPS 140-2 into openssl  package

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  This is a request for a Feature Freeze Exception to include FIPS 140-2
selftest into the openssl package in preparation for the FIPS 140-2 compliance
for 16.04.
  This patchset will:
   - add ability to config, compile, run with fips option enabled
   - add the selftest files to crypto/fips directory.
   - minor changes to several algorithms in crypto directory to ensure the
selftests compile successfully when fips is enabled.

  The selftest will be initiated externally at this point and not internally.
  Hope to have a test package ready early next week.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions


Re: [Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-19 Thread Joy Latten
Hi Martin,
I have a newbie question, what else should I do for this feature freeze?
Thanks! :-)

regards,
Joy

On Fri, Apr 15, 2016 at 12:14 AM, Martin Pitt 
wrote:

> Thanks! There's still an awful amount of patch noise, but indeed some of
> it is unavoidable as you say. But this is incrementally better than
> before, thanks for the cleanup!
>
> I uploaded this now: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4
>


[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Also, ran same testing on latest ppa version (ppa7) and they all passed.



[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Hi Martin,
I also ran an interdiff when I re-factored to ensure alignment with original
fedora patches. 2 or 3 of them did not apply cleanly, for various reasons, so
I had to make very small changes. I also named each patch in debian/patches to
be same as in fedora.

For interdiff of:
 - openssl-1.0.2g-fips.patch, for some reason "Configure" shows up in diff yet I
did not make any changes to patch. Visually compared to make sure code is the
same and no regression.
 - openssl-1.0.2a-fips-ec.patch, we do not ship a "version.map" file, so when
applying patch it prompts for location of file... so I removed it. So will show
up in diff.
 - openssl-1.0.2a-fips-ctor.patch failed to apply altogether, because it is
looking for a line of code that contains "secure_getenv" and not "getenv".
upstream has "getenv" for that line of code, but fedora must have other patches
applied before this one that changes it to "secure_getenv". So I corrected and
this will show up in interdiff.

Corrected Origin in all the patches from fedora.

Hope this is all ok.



[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
Hi Martin, my ppa has a debdiff that is against my prior version. You
may find this more useful than the ppa I just attached above. Here is a
pointer: https://launchpadlibrarian.net/253756858/openssl_1.0.2g-1ubuntu3~ppa6_1.0.2g-1ubuntu3~ppa7.diff.gz



[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-14 Thread Joy Latten
New debdiff with fixed Origin and cleaner fedora patches.

** Attachment added: "New debdiff against openssl-1.0.2g-1ubuntu2"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4636880/+files/debdiff-openssl_1.0.2g-1ubuntu3~ppa7



Re: [Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package

2016-04-13 Thread Joy Latten
Ok, I will get to work on these changes now.
I will keep the first 5 patches original to fedora. And then in my cleanup
patch do the stuff to get rid of undefined symbols, etc...
And that way I can point my Origin to the git.fedora.

Thanks!!

regards,
Joy


On Wed, Apr 13, 2016 at 3:32 PM, Martin Pitt <martin.p...@ubuntu.com> wrote:

> Joy Latten [2016-04-13 18:08 -]:
> > Started looking into those patch diffs...
> > for the openssl-1.0.2a-fips-ec.patch one, I had a bunch of undefined
> > symbols and so cleaned these up, causing my diff to be slightly off... my
> > bad.
>
> Ah, that makes sense.
>
> > Oh, and also, that patch installed "fips/cavs/fips_ecdhvs.c and
> > fips/cavs/fips_ecdsavs.c which are testcases I did not want to include. I
> > ignored them, but should have just removed them in my cleanup patch.
>
> Is that really necessary? Adding two .c files seems rather harmless if
> nothing refers to it, i. e. removing them from the Makefile only (in
> the ubuntu patch) should suffice?
>
> > Do you agree that I should move these things into my cleanup patch?
>
> That would be good indeed, as it avoids confusion for the next person
> who looks at this why the patches are different.
>
> Please also update the Origin:, preferably to the git.fedora ones as
> then they are one click away from comparing/for updating.
>
> Thank you!
>
> Martin
> --
> Martin Pitt| http://www.piware.de
> Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
>

