[Touch-packages] [Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
This has been fixed in bionic. Already fixed in xenial.

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python2.7 in Ubuntu.
https://bugs.launchpad.net/bugs/1898078

Title:
  FIPS OpenSSL crashes Python2.7 hashlib when using MD5

Status in python2.7 package in Ubuntu:
  New
Status in python2.7 source package in Xenial:
  New
Status in python2.7 source package in Bionic:
  New
Status in python2.7 source package in Focal:
  New
Status in python2.7 source package in Groovy:
  New

Bug description:
  LP #1835135 was fixed in python2.7. However, when python2.7 was updated to the current version, the fix was not included. It needs to be included again in the current version of python2.7 to prevent FIPS issues when using FIPS OpenSSL with Python's hashlib.

  This is only a problem in the latest python2.7 versions in xenial, bionic, focal, and groovy. python3 versions do not have this problem in these releases.

  The fix was a backport of https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1898078/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1731410] Re: package pcscd 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: подпроцесс установлен сценарий post-installation возвратил код ошибки 1
Hi,

Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/1731410

Title:
  package pcscd 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: подпроцесс установлен сценарий post-installation возвратил код ошибки 1

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  sudo apt-get install openvpn easy-rsa
  [sudo] пароль для max:
  Чтение списков пакетов… Готово
  Построение дерева зависимостей
  Чтение информации о состоянии… Готово
  Будут установлены следующие дополнительные пакеты:
    libccid libpkcs11-helper1 opensc opensc-pkcs11 pcscd
  НОВЫЕ пакеты, которые будут установлены:
    easy-rsa libccid libpkcs11-helper1 opensc opensc-pkcs11 openvpn pcscd
  обновлено 0, установлено 7 новых пакетов, для удаления отмечено 0 пакетов, и 1 пакетов не обновлено.
  Необходимо скачать 1 544 kБ архивов.
  После данной операции, объём занятого дискового пространства возрастёт на 4 993 kB.
  Хотите продолжить? [Д/н] y
  Пол:1 http://ru.archive.ubuntu.com/ubuntu xenial/main amd64 libpkcs11-helper1 amd64 1.11-5 [44,0 kB]
  Пол:2 http://ru.archive.ubuntu.com/ubuntu xenial/universe amd64 opensc-pkcs11 amd64 0.15.0-1ubuntu1 [708 kB]
  Пол:3 http://ru.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 libccid amd64 1.4.22-1ubuntu0.1 [85,8 kB]
  Пол:4 http://ru.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 pcscd amd64 1.8.14-1ubuntu1.16.04.1 [55,7 kB]
  Пол:5 http://ru.archive.ubuntu.com/ubuntu xenial/universe amd64 opensc amd64 0.15.0-1ubuntu1 [212 kB]
  Пол:6 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main amd64 openvpn amd64 2.3.10-1ubuntu2.1 [421 kB]
  Пол:7 http://ru.archive.ubuntu.com/ubuntu xenial/universe amd64 easy-rsa all 2.2.2-2 [17,4 kB]
  Получено 1 544 kБ за 0с (1 946 kБ/c)
  Предварительная настройка пакетов ...
  Выбор ранее не выбранного пакета libpkcs11-helper1:amd64.
  dpkg: предупреждение: список файлов пакета «resolvconf» отсутствует; предполагаем, что на данный момент у пакета нет установленных файлов
  (Чтение базы данных … на данный момент установлен 246061 файл и каталог.)
  Подготовка к распаковке …/libpkcs11-helper1_1.11-5_amd64.deb …
  Распаковывается libpkcs11-helper1:amd64 (1.11-5) …
  Выбор ранее не выбранного пакета opensc-pkcs11:amd64.
  Подготовка к распаковке …/opensc-pkcs11_0.15.0-1ubuntu1_amd64.deb …
  Распаковывается opensc-pkcs11:amd64 (0.15.0-1ubuntu1) …
  Выбор ранее не выбранного пакета libccid.
  Подготовка к распаковке …/libccid_1.4.22-1ubuntu0.1_amd64.deb …
  Распаковывается libccid (1.4.22-1ubuntu0.1) …
  Выбор ранее не выбранного пакета pcscd.
  Подготовка к распаковке …/pcscd_1.8.14-1ubuntu1.16.04.1_amd64.deb …
  Распаковывается pcscd (1.8.14-1ubuntu1.16.04.1) …
  Выбор ранее не выбранного пакета opensc.
  Подготовка к распаковке …/opensc_0.15.0-1ubuntu1_amd64.deb …
  Распаковывается opensc (0.15.0-1ubuntu1) …
  Выбор ранее не выбранного пакета openvpn.
  Подготовка к распаковке …/openvpn_2.3.10-1ubuntu2.1_amd64.deb …
  Распаковывается openvpn (2.3.10-1ubuntu2.1) …
  Выбор ранее не выбранного пакета easy-rsa.
  Подготовка к распаковке …/easy-rsa_2.2.2-2_all.deb …
  Распаковывается easy-rsa (2.2.2-2) …
  Обрабатываются триггеры для libc-bin (2.23-0ubuntu9) …
  Обрабатываются триггеры для man-db (2.7.5-1) …
  Обрабатываются триггеры для systemd (229-4ubuntu21) …
  Обрабатываются триггеры для ureadahead (0.100.0-19) …
  ureadahead will be reprofiled on next reboot
  Настраивается пакет libpkcs11-helper1:amd64 (1.11-5) …
  Настраивается пакет opensc-pkcs11:amd64 (0.15.0-1ubuntu1) …
  Настраивается пакет libccid (1.4.22-1ubuntu0.1) …
  Настраивается пакет pcscd (1.8.14-1ubuntu1.16.04.1) …
  insserv: warning: script 'K10runmbbservice' missing LSB tags and overrides
  insserv: warning: script 'runmbbservice' missing LSB tags and overrides
  insserv: There is a loop between service plymouth and urandom if started
  insserv: loop involving service urandom at depth 4
  insserv: loop involving service hwclock at depth 3
  insserv: There is a loop between service runmbbservice and udev if started
  insserv: loop involving service udev at depth 1
  insserv: Starting runmbbservice depends on plymouth and therefore on system facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth and therefore on system facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth and therefore on system facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth and therefore on system facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth and therefore on system facility `$all' which can not be true!
  insserv: Starting runmbbservice depends on plymouth
[Touch-packages] [Bug 1683378] Re: package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting
Hi,

Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/1683378

Title:
  package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  kernel panic

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1
  ProcVersionSignature: Ubuntu 4.4.0-66.87-generic 4.4.44
  Uname: Linux 4.4.0-66-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  Date: Sat Apr 15 16:04:43 2017
  Dependencies:
   gcc-6-base 6.0.1-0ubuntu1
   libc6 2.23-0ubuntu7
   libgcc1 1:6.0.1-0ubuntu1
  DuplicateSignature:
   package:libpcsclite1:amd64:1.8.14-1ubuntu1.16.04.1
   Setting up libc6-dev:amd64 (2.23-0ubuntu7) ...
   dpkg: error processing package libpcsclite1:amd64 (--configure):
    package is in a very bad inconsistent state; you should
  ErrorMessage: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
  InstallationDate: Installed on 2017-01-06 (101 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.1
   apt  1.2.19
  SourcePackage: pcsc-lite
  Title: package libpcsclite1:amd64 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: package is in a very bad inconsistent state; you should reinstall it before attempting configuration
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1690543] Re: package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: a tentar sobreescrever '/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é di
Hi,

Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/1690543

Title:
  package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: a tentar sobreescrever '/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é diferente de outras instâncias do pacote libpcsclite1:amd64

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  This happens when I turn the machine on.

  ProblemType: Package
  DistroRelease: Ubuntu 16.04
  Package: libpcsclite1 1.8.14-1ubuntu1.16.04.1
  ProcVersionSignature: Ubuntu 4.4.0-62.83-generic 4.4.40
  Uname: Linux 4.4.0-62-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  Date: Fri May 12 20:35:07 2017
  Dependencies:
   gcc-6-base 6.0.1-0ubuntu1
   libc6 2.23-0ubuntu7
   libgcc1 1:6.0.1-0ubuntu1
  DpkgHistoryLog:
   Start-Date: 2017-05-12 20:35:07
   Commandline: apt-get -f install
   Upgrade: libpcsclite1:amd64 (1.8.5-1ubuntu1, 1.8.14-1ubuntu1.16.04.1)
  DpkgTerminalLog:
   A preparar para desempacotar .../libpcsclite1_1.8.14-1ubuntu1.16.04.1_amd64.deb ...
   A descompactar libpcsclite1:amd64 (1.8.14-1ubuntu1.16.04.1) sobre (1.8.5-1ubuntu1) ...
   dpkg: erro ao processar o arquivo /var/cache/apt/archives/libpcsclite1_1.8.14-1ubuntu1.16.04.1_amd64.deb (--unpack):
    a tentar sobreescrever '/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é diferente de outras instâncias do pacote libpcsclite1:amd64
  ErrorMessage: a tentar sobreescrever '/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é diferente de outras instâncias do pacote libpcsclite1:amd64
  InstallationDate: Installed on 2017-01-13 (120 days ago)
  InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
  RelatedPackageVersions:
   dpkg 1.18.4ubuntu1.2
   apt  1.2.20
  SourcePackage: pcsc-lite
  Title: package libpcsclite1 1.8.14-1ubuntu1.16.04.1 failed to install/upgrade: a tentar sobreescrever '/usr/share/doc/libpcsclite1/changelog.Debian.gz' partilhado, que é diferente de outras instâncias do pacote libpcsclite1:amd64
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1570359] Re: pcscd crashed with SIGSEGV in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()
Hi,

Is this still an issue? Changing the status to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Incomplete

https://bugs.launchpad.net/bugs/1570359

Title:
  pcscd crashed with SIGSEGV in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  crashed when login

  ProblemType: Crash
  DistroRelease: Ubuntu 16.04
  Package: pcscd 1.8.14-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-16-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu1
  Architecture: amd64
  Date: Mon Apr 4 17:29:56 2016
  Disassembly: => 0x7f7da881b64c: Cannot access memory at address 0x7f7da881b64c
  ExecutablePath: /usr/sbin/pcscd
  InstallationDate: Installed on 2016-03-06 (39 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Alpha amd64 (20160304)
  ProcCmdline: /usr/sbin/pcscd --foreground --auto-exit
  SegvAnalysis:
   Segfault happened at: 0x7f7da881b64c:Cannot access memory at address 0x7f7da881b64c
   PC (0x7f7da881b64c) not located in a known VMA region (needed executable region)!
   Stack memory exhausted (SP below stack segment)
  SegvReason: executing unknown VMA
  Signal: 11
  SourcePackage: pcsc-lite
  StacktraceTop:
   ?? ()
   __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__ () from /lib/x86_64-linux-gnu/libc.so.6
   ?? ()
  Title: pcscd crashed with SIGSEGV in __elf_set___libc_thread_subfreeres_element___rpc_thread_destroy__()
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups:
[Touch-packages] [Bug 1539999] Re: Omnikey Cardreader not working
Is this still an issue? Changing to incomplete.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/153

Title:
  Omnikey Cardreader not working

Status in pcsc-lite package in Ubuntu:
  Incomplete

Bug description:
  On my desktop & Sony Vaio laptop, Alpha 2 Ubuntu-mate does not start my USB Omnikey 3121 card reader. The 3121 is listed in the terminal when I perform 'lsusb'. The reader does work under concurrent Devuan 1. I have installed pcscd (which drags in libccid correctly) & pcsc-tools but this hasn't corrected the problem even with a reboot.
[Touch-packages] [Bug 1366152] Re: System crash when Vasco-card-reader is plugged in at powerup
This bug report has had no activity and is EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Won't Fix

https://bugs.launchpad.net/bugs/1366152

Title:
  System crash when Vasco-card-reader is plugged in at powerup

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  I'm using a VASCO Data Security International Digipass 905 SmartCard Reader which is working fine. However, if the device is plugged in at power-up, the device isn't handled well. Although the device is in the listed USB devices, pcsc-scan doesn't find the device at all (which is normal as the green LED goes out after the kernel starts). If one tries to remove the card reader, a system crash happens. After that the pcscd service seems to be halted:

  pcsc_scan
  PC/SC device scanner
  V 1.4.22 (c) 2001-2011, Ludovic Rousseau
  Compiled with PC/SC lite version: 1.8.10
  SCardEstablishContext: Service not available.

  One can recover from this problem by
  1. Unplugging the reader
  2. Manually starting the service again by sudo service pcscd start
  3. Plugging the reader back in (green LED stays on, red LED goes on when a card is put in)

  The bug is not related to a 64-bit architecture as it happens also with 32-bit machines.
  Info about the device:
  Bus 001 Device 005: ID 1a44:0001 VASCO Data Security International Digipass 905 SmartCard Reader
[Touch-packages] [Bug 1700104] Re: package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
Fixed in subsequent release. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Won't Fix

https://bugs.launchpad.net/bugs/1700104

Title:
  package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  .

  ProblemType: Package
  DistroRelease: Ubuntu 14.04
  Package: pcscd 1.8.10-1ubuntu1.1
  ProcVersionSignature: Ubuntu 4.4.0-81.104~14.04.1-generic 4.4.67
  Uname: Linux 4.4.0-81-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.24
  AptOrdering:
   pcscd: Install
   pcscd: Configure
  Architecture: amd64
  Date: Fri Jun 23 12:21:31 2017
  DuplicateSignature: package:pcscd:1.8.10-1ubuntu1.1:subprocess installed post-installation script returned error exit status 1
  ErrorMessage: subprocess installed post-installation script returned error exit status 1
  InstallationDate: Installed on 2016-12-28 (177 days ago)
  InstallationMedia: Ubuntu 14.04.5 LTS "Trusty Tahr" - Release amd64 (20160803)
  RelatedPackageVersions:
   dpkg 1.17.5ubuntu5.7
   apt  1.0.1ubuntu2.17
  SourcePackage: pcsc-lite
  Title: package pcscd 1.8.10-1ubuntu1.1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
  UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 1161882] Re: ACR38U Does not work on 12.10
This bug was not applicable to the pcsc-lite package. Closing since no activity and EOL.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1161882

Title:
  ACR38U Does not work on 12.10

Status in pcsc-lite package in Ubuntu:
  Invalid

Bug description:
  I have an ACR38U CCID reader and it works great under Ubuntu 10.10 but it doesn't work under 12.10.

  Here's the log from Ubuntu 10.10 (it works there):
  --
  0336 ifdhandler.c:1565:init_driver() DriverOptions: 0x
  0013 ifdhandler.c:82:IFDHCreateChannelByName() lun: 0, device: usb:072f/90cc:libusb:005:002
  0674 ccid_usb.c:285:OpenUSBByName() Manufacturer: Ludovic Rousseau (ludovic.rouss...@free.fr)
  0301 ccid_usb.c:295:OpenUSBByName() ProductString: Generic CCID driver
  0294 ccid_usb.c:301:OpenUSBByName() Copyright: This driver is protected by terms of the GNU Lesser General Public License version 2.1, or (at your option) any later version.
  00053062 ccid_usb.c:501:OpenUSBByName() Found Vendor/Product: 072F/90CC (ACS ACR 38U-CCID)
  0016 ccid_usb.c:503:OpenUSBByName() Using USB bus/device: 005/002
  2747 ccid_usb.c:893:get_data_rates() IFD does not support GET_DATA_RATES request: Success
  8994 ifdhandler.c:364:IFDHGetCapabilities() tag: 0xFB0, usb:072f/90cc:libusb:005:002 (lun: 0)
  0020 readerfactory.c:249:RFAddReader() Using the pcscd polling thread
  2025 ifdhandler.c:364:IFDHGetCapabilities() tag: 0xFAE, usb:072f/90cc:libusb:005:002 (lun: 0)
  0014 ifdhandler.c:418:IFDHGetCapabilities() Reader supports 1 slot(s)
  3935 ifdhandler.c:1043:IFDHPowerICC() action: PowerUp, usb:072f/90cc:libusb:005:002 (lun: 0)
  00152050 Card ATR: 3B 6D 00 00 80 31 80 65 B0 87 27 01 BC 83 08 90 00
  --

  but it doesn't on Ubuntu 12.10:
  5311 ccid_usb.c:649:OpenUSBByName() Found Vendor/Product: 072F/90CC (ACS ACR38U-CCID)
  0019 ccid_usb.c:651:OpenUSBByName() Using USB bus/device: 004/007
  2590 ccid_usb.c:1366:get_data_rates() IFD does not support GET_DATA_RATES request: Success
  1979 ifdhandler.c:220:IFDHCreateChannelByName() dwFeatures: 0x00010030
  0047 ifdhandler.c:221:IFDHCreateChannelByName() wLcdLayout: 0x
  0034 ifdhandler.c:222:IFDHCreateChannelByName() bPINSupport: 0x00
  0050 ifdhandler.c:223:IFDHCreateChannelByName() dwMaxCCIDMessageLength: 271
  0045 ifdhandler.c:224:IFDHCreateChannelByName() dwMaxIFSD: 247
  0044 ifdhandler.c:225:IFDHCreateChannelByName() dwDefaultClock: 4000
  0033 ifdhandler.c:226:IFDHCreateChannelByName() dwMaxDataRate: 344100
  0045 ifdhandler.c:227:IFDHCreateChannelByName() bMaxSlotIndex: 0
  0043 ifdhandler.c:228:IFDHCreateChannelByName() bCurrentSlotIndex: 0
  0044 ifdhandler.c:229:IFDHCreateChannelByName() bInterfaceProtocol: 0x00
  0033 ifdhandler.c:230:IFDHCreateChannelByName() bNumEndpoints: 3
  0038 ifdhandler.c:231:IFDHCreateChannelByName() bVoltageSupport: 0x07
  0041 ifdhandler.c:536:IFDHGetCapabilities() tag: 0xFB3, usb:072f/90cc:libudev:0:/dev/bus/usb/004/007 (lun: 0)
  0040 readerfactory.c:327:RFAddReader() Using the pcscd polling thread
  1538 ifdhandler.c:536:IFDHGetCapabilities() tag: 0xFAE, usb:072f/90cc:libudev:0:/dev/bus/usb/004/007 (lun: 0)
  0028 ifdhandler.c:630:IFDHGetCapabilities() Reader supports 1 slot(s)
  3888 ifdhandler.c:1354:IFDHPowerICC() action: PowerUp, usb:072f/90cc:libudev:0:/dev/bus/usb/004/007 (lun: 0)
  00152081 eventhandler.c:256:EHStatusHandlerThread() powerState: POWER_STATE_POWERED
  0047 Card ATR: 3B 6D 00 00 80 31 80 65 B0 87 27 01 BC 83 08 90 00
  00404960 ifdhandler.c:1354:IFDHPowerICC() action: PowerDown, usb:072f/90cc:libudev:0:/dev/bus/usb/004/007 (lun: 0)
  00098010 eventhandler.c:446:EHStatusHandlerThread() powerState: POWER_STATE_UNPOWERED

  syslog
  ---
  Mar 29 18:55:07 ubuntu12 kernel: [ 1959.368178] usb 4-1: USB disconnect, device number 7
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.700087] usb 4-1: new full-speed USB device number 9 using uhci_hcd
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.876838] usb 4-1: New USB device found, idVendor=072f, idProduct=90cc
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.876851] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.876859] usb 4-1: Product: CCID USB Reader
  Mar 29 18:55:11 ubuntu12 kernel: [ 1963.876867] usb 4-1: Manufacturer: ACS
  Mar 29 18:55:11 ubuntu12 mtp-probe: checking bus 4, device 9: "/sys/devices/pci:00/:00:1d.0/usb4/4-1"
  Mar 29 18:55:11 ubuntu12 mtp-probe: bus: 4, device: 9 was not an MTP device

  What can be the reason?
[Touch-packages] [Bug 1090238] Re: pcscd hangs after ejecting Rutoken ECP making some communication with token
This was fixed in a subsequent release. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Fix Committed

https://bugs.launchpad.net/bugs/1090238

Title:
  pcscd hangs after ejecting Rutoken ECP making some communication with token

Status in pcsc-lite package in Ubuntu:
  Fix Committed

Bug description:
  I'm running any example from the Rutoken SDK after ejecting the Rutoken. Pcscd got an error and nothing happens to make it continue working; only a daemon restart helps. If I'm not using the rutokenecp library all works OK. This error is fixed in pcscd 1.8.7; please upgrade the pcscd, libpcsclite1, ccid packages.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: pcscd 1.8.5-1ubuntu1
  ProcVersionSignature: Ubuntu 3.5.0-19.30-generic 3.5.7
  Uname: Linux 3.5.0-19-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.6.1-0ubuntu9
  Architecture: amd64
  Date: Fri Dec 14 10:24:57 2012
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2012-10-11 (63 days ago)
  InstallationMedia: Xubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120822.1)
  MarkForUpload: True
  SourcePackage: pcsc-lite
  UpgradeStatus: Upgraded to quantal on 2012-10-29 (45 days ago)
[Touch-packages] [Bug 1061947] Re: pcscd (auto)starting and permission troubles
This is most likely fixed via pcscd starting from systemd in current releases. Closing this since it has had no activity and is EOL.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Fix Committed

https://bugs.launchpad.net/bugs/1061947

Title:
  pcscd (auto)starting and permission troubles

Status in pcsc-lite package in Ubuntu:
  Fix Committed

Bug description:
  Kernel: Linux 3.2.0-31-generic-pae (i686)
  Distribution: Ubuntu 12.04.1 LTS
  Desktop: XFCE 4
  pcscd: 1.7.4-2ubuntu2

  Information on how to start pcscd the right way is very limited. What I found out after digging in for some days ...:

  --help and man pcscd are not really helpful.

  After installing the package, pcscd doesn't launch itself. After a while I found out there is a script /etc/init.d/pcscd (not mentioned in man) that is supposed to start the daemon at startup, but it has a line 'exit 0' in it preventing it from running ..., and a comment that is not very helpful for an average Linux user. So I think ok, it doesn't need to run at startup. Let me try to start the daemon myself ...

  And then troubles begin. It's easy to mess it up: As I found out (and it took me a while, believe me...) running pcscd as a simple user (not as root) hangs further well behaviour of the daemon. Only if you use it with the -x option, it will kill itself after 60s. Otherwise it just states it is already running but can't access a card reader.

  So please, state clearly in man that you have to run pcscd as root to start it as a daemon! Or, alternatively, make the timeout of 60 s the default so that you can get out of a blocking situation!

  To check the good working of a card reader, pcsc_scan can be used. But also here, if you start it as a regular user and pcscd isn't launched yet, it launches the daemon for you, but hey, you are not root, so bingo, blocked again. Luckily, it seems to be launched with the -x option, so (only) after 60s you can try again, as root this time ...

  To make the whole a little more confusing, once the daemon is running, you can launch pcsc_scan as a regular user without problem. But that's good, I think, after all, since it means (as far as I understand) that applications can get to the card reader without any augmented permissions.

  So the question remains: how do I start the daemon the right way? I haven't found out yet ... I could use /etc/init.d/pcscd and comment out the 'exit 0'. But I fear the daemon will be very diligent to do its work, probing my machine for the heck of it (as I noted running sudo pcscd -x -d and watching syslog).

  Ideally, the daemon would be started on startup, with the right permissions, but without it probing constantly for some reader. Then an application that wants to get access to a reader could 'tickle' the daemon so it starts probing for some time, the application does its thing, and the daemon stops probing when not needed anymore. If someone knows this is possible, or if there is another preferred scenario, I would be glad to hear about it!

  I also read that a new version of pcscd will use another means to start automatically, but it's not supported (yet?) on Ubuntu?

  Meanwhile, I hope this info can already help someone taming this one ...

  Bart.

  The technical stuff:

  After boot (daemon not running) executing 'sudo pcsc_scan' -- it's working! Information for the reader is displayed. Even if after that (within 60s) I just run 'pcsc_scan', the information is displayed again.

  syslog messages (had some logging enabled in my driver):
  Oct 4 16:31:22 BP-LIN pcscd: debuglog.c:269:DebugLogSetLevel() debug level=debug
  Oct 4 16:31:22 BP-LIN kernel: [ 3379.177470] OZSCRLX ozscr_open: called
  Oct 4 16:31:22 BP-LIN kernel: [ 3379.177489] OZSCRLX ozscr_ioctl: OZSCR_STATUS
  ...
  Oct 4 16:32:28 BP-LIN kernel: [ 3445.597205] OZSCRLX ozscr_ioctl: OZSCR_STATUS
  Oct 4 16:32:28 BP-LIN kernel: [ 3445.997318] OZSCRLX ozscr_ioctl: OZSCR_STATUS
  Oct 4 16:32:29 BP-LIN kernel: [ 3446.398025] OZSCRLX ozscr_close: called

  Ok, now relaunching 'pcsc_scan' as a regular user. The daemon just keeps waiting for a reader, no information for the reader displayed. syslog states:
  Oct 4 16:34:26 BP-LIN pcscd: dyn_unix.c:81:DYN_GetAddress() IFDHCreateChannelByName: /usr/local/o2micro/lib_OZSCR.so: undefined symbol: IFDHCreateChannelByName
  Oct 4 16:34:26 BP-LIN pcscd: readerfactory.c:965:RFInitializeReader() Open Port 0xF1 Failed (/dev/o2scr0)
  Oct 4 16:34:26 BP-LIN pcscd: readerfactory.c:275:RFAddReader() O2Micro SmartCardBus Reader init failed.

  Escaping and trying to run 'pcsc_scan' again. No luck ... syslog states:
  Oct 4 16:36:38 BP-LIN pcscd: pcscdaemon.c:342:main() file
[Touch-packages] [Bug 796893] Re: Rutoken Magistra init fails in natty
This bug report has had no activity and is EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Won't Fix

https://bugs.launchpad.net/bugs/796893

Title:
  Rutoken Magistra init fails in natty

Status in pcsc-lite package in Ubuntu:
  Won't Fix

Bug description:
  After upgrading 10.10 -> 11.04 I have permanent problems with the Rutoken. This is the syslog after each insert of the token into USB:

  Jun 13 20:11:56 sportmac pcscd: ccid_usb.c:441:OpenUSBByName() Can't libusb_open(2/11): -3
  Jun 13 20:11:56 sportmac pcscd: ifdhandler.c:101:IFDHCreateChannelByName() failed
  Jun 13 20:11:56 sportmac pcscd: readerfactory.c:965:RFInitializeReader() Open Port 0x20 Failed (usb:0a89/0060:libudev:0:/dev/bus/usb/002/011)
  Jun 13 20:11:56 sportmac pcscd: readerfactory.c:275:RFAddReader() Aktiv Rutoken Magistra init failed.

  If I stop the pcscd service & run it manually in debug mode (pcscd -fd), then everything works. Never had such a problem in Ubuntu 10.10. My hardware is a Mac mini with nvidia (previous to 'unibody').
[Touch-packages] [Bug 1004683] Re: pcscd fails to access Reiner SCT CyberJack card reader
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1004683
Title: pcscd fails to access Reiner SCT CyberJack card reader
Status in pcsc-lite package in Ubuntu: Invalid

Bug description:
I tried to access my banking card for the first time since upgrading to Precise Pangolin, but the system behaved somewhat strangely: when I plug the reader into the USB port I usually get an LED flashing a few times and some info about the device and its firmware version. I saw this today as well, but instead of waiting for actions from the banking software the display fell dead again and I couldn't do my banking.

I investigated a bit and found this in syslog every time I plugged in the reader:

May 25 21:50:00 host kernel: [ 8119.920068] usb 2-2: new full-speed USB device number 9 using uhci_hcd
May 25 21:50:01 host mtp-probe: checking bus 2, device 9: "/sys/devices/pci:00/:00:1d.0/usb2/2-2"
May 25 21:50:01 host mtp-probe: bus: 2, device: 9 was not an MTP device

Scanning through udev rules I found the device in /lib/udev/rules.d/40-libifd-cyberjack6.rules:

ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0400", MODE="660", GROUP="pcscd"

Looks good to me, so I'm a bit lost for now. Maybe this is a udev problem, not pcscd's?

My setup information:

Description:    Ubuntu 12.04 LTS
Release:        12.04

pcscd:
  Installiert: 1.7.4-2ubuntu2
  Kandidat:    1.7.4-2ubuntu2
  Versionstabelle:
 *** 1.7.4-2ubuntu2 0
        500 http://de.archive.ubuntu.com/ubuntu/ precise/universe i386 Packages
        100 /var/lib/dpkg/status

Please let me know if and how I can be of any help to solve this. Thanks for your hard work, I love working with Ubuntu every day, as it fits my needs.

Friedemann
[Touch-packages] [Bug 776082] Re: pcscd spams syslog whenever mozilla is running and CAC card is not inserted/present
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Won't Fix

https://bugs.launchpad.net/bugs/776082
Title: pcscd spams syslog whenever mozilla is running and CAC card is not inserted/present
Status in pcsc-lite package in Ubuntu: Won't Fix

Bug description:
pcscd spams syslog whenever Mozilla Firefox 4.0.1 is running. This was not present in Ubuntu 10.04 with its version of Firefox. I have an SCR3340 ExpressCard54 card reader.

The following 2 messages are continuously asserted in syslog whenever the CAC is not present and Firefox is running. Created a 13GB syslog overnight!

May 2 22:12:27 simple-laptop pcscd: winscard.c:290:SCardConnect() Card Not Inserted
May 2 22:12:27 simple-laptop pcscd: winscard_svc.c:447:ContextThread() CONNECT rv=0x801C for client 6

Occurs once whenever the CAC (smart card) is removed:

May 2 22:12:19 simple-laptop pcscd: winscard_svc.c:555:ContextThread() STATUS rv=0x80100069 for client 6

The following 2 messages are continuously asserted in syslog when the card reader is removed from the ExpressCard slot:

May 2 22:31:27 simple-laptop pcscd: winscard_svc.c:447:ContextThread() CONNECT rv=0x8019 for client 6
May 2 22:31:28 simple-laptop pcscd: winscard.c:241:SCardConnect() Reader SCM SCR 3340 ExpressCard54 [CCID Interface] (21220827700942) 00 00 Not Found

I have tried to suppress the messages with DAEMON_ARGS="--critical" in the '/etc/default/pcscd' file to no avail.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: pcscd 1.7.0-2ubuntu2
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic x86_64
Architecture: amd64
Date: Mon May 2 22:23:10 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: pcsc-lite
UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 790502] Re: If OS has started the pcscd service won'n start up
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Won't Fix

https://bugs.launchpad.net/bugs/790502
Title: If OS has started the pcscd service won'n start up
Status in pcsc-lite package in Ubuntu: Won't Fix

Bug description:
kern.log shows a libpthread error:

May 30 13:17:38 mar kernel: [ 366.715760] pcscd[2114]: segfault at 10 ip 7f8e25f74394 sp 7f8e2478cb00 error 4 in libpthread-2.13.so[7f8e25f6b000+18000]

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: pcscd 1.7.0-2ubuntu2
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic x86_64
Architecture: amd64
Date: Tue May 31 09:38:47 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: pcsc-lite
UpgradeStatus: No upgrade log present (probably fresh install)
[Touch-packages] [Bug 795540] Re: package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1
This bug report has had no activity and has reached EOL. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: Confirmed => Won't Fix

https://bugs.launchpad.net/bugs/795540
Title: package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1
Status in pcsc-lite package in Ubuntu: Won't Fix

Bug description:
Binary package hint: pcscd

jadler@server:~$ lsb_release -rd
Description:    Ubuntu 11.04
Release:        11.04
jadler@server:~$ apt-cache policy pcsc
pcscada-dbg   pcscd   pcsc-omnikey   pcsc-tools
jadler@server:~$ apt-cache policy pcsc-lite
N: Unable to locate package pcsc-lite
jadler@server:~$ apt-cache policy pcscd
pcscd:
  Installed: 1.7.0-2ubuntu2
  Candidate: 1.7.0-2ubuntu2
  Version table:
 *** 1.7.0-2ubuntu2 0
        500 http://se.archive.ubuntu.com/ubuntu/ natty/universe amd64 Packages
        100 /var/lib/dpkg/status

Upgrading 10.10 to 11.04

ProblemType: Package
DistroRelease: Ubuntu 11.04
Package: pcscd 1.7.0-2ubuntu2
ProcVersionSignature: Ubuntu 2.6.35-28.50-generic 2.6.35.11
Uname: Linux 2.6.35-28-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Fri Jun 10 08:17:33 2011
ErrorMessage: ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
SourcePackage: pcsc-lite
Title: package pcscd 1.7.0-2ubuntu2 failed to install/upgrade: ErrorMessage: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: Upgraded to natty on 2011-06-09 (0 days ago)
[Touch-packages] [Bug 336815] Re: Aladdin etoken pro not supported anymore with pcscd
This bug appears to have been fixed in an update. Closing.

** Changed in: pcsc-lite (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/336815
Title: Aladdin etoken pro not supported anymore with pcscd
Status in pcsc-lite package in Ubuntu: Fix Released

Bug description:
Binary package hint: pcscd

Aladdin eToken PRO USB (ID 0529:0620 Aladdin Knowledge Systems) used to work with the pcscd version in hardy, but does not work anymore with pcscd 1.4.102-1ubuntu1. The token is not visible anymore in Aladdin's middleware, while I can still read an eToken smartcard in another smart card reader.
[Touch-packages] [Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
** Description changed:

- The fix for #1835135 was not included into the python2.7 update. This
- bug has been opened to include it.
+ The fix for #1835135 was included into a python2.7 ver when python2.7
+ was updated, the fix was not included. It needs to be put pack into the
+ latest version pf python2.7 to prevent FIPS issues when using fips
+ openssl with python's hashlib. This is only a problem in latest
+ python2.7 versions in xenial, bionic, focal, and groovy. python3
+ versions do not have this problem on the above releases.
+
+ The fix was a backport of
+ https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

** Description changed:

- The fix for #1835135 was included into a python2.7 ver when python2.7
- was updated, the fix was not included. It needs to be put pack into the
- latest version pf python2.7 to prevent FIPS issues when using fips
- openssl with python's hashlib. This is only a problem in latest
- python2.7 versions in xenial, bionic, focal, and groovy. python3
- versions do not have this problem on the above releases.
+ LP #1835135 was fixed in python2.7. However, when python2.7 was updated
+ to current verion, the fix was not included. It needs to be included
+ again into current version of python2.7 to prevent FIPS issues when
+ using fips openssl with python's hashlib. This is only a problem in
+ latest python2.7 versions in xenial, bionic, focal, and groovy. python3
+ versions do not have this problem in these releases.

  The fix was a backport of
  https://github.com/python/cpython/pull/1777/commits/5e3e3568d27b99dabe44b8aa6283dc76d70f2dae

https://bugs.launchpad.net/bugs/1898078
Title: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
Status in python2.7 package in Ubuntu: New
Status in python2.7 source package in Xenial: New
Status in python2.7 source package in Bionic: New
Status in python2.7 source package in Focal: New
Status in python2.7 source package in Groovy: New
[Touch-packages] [Bug 1898078] Re: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
** Also affects: python2.7 (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: python2.7 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: python2.7 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: python2.7 (Ubuntu Focal)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1898078
Title: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
Status in python2.7 package in Ubuntu: New
Status in python2.7 source package in Xenial: New
Status in python2.7 source package in Bionic: New
Status in python2.7 source package in Focal: New
Status in python2.7 source package in Groovy: New

Bug description:
The fix for #1835135 was not included into the python2.7 update. This bug has been opened to include it.
[Touch-packages] [Bug 1898078] [NEW] FIPS OpenSSL crashes Python2.7 hashlib when using MD5
Public bug reported:

The fix for #1835135 was not included into the python2.7 update. This bug has been opened to include it.

** Affects: python2.7 (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1898078
Title: FIPS OpenSSL crashes Python2.7 hashlib when using MD5
Status in python2.7 package in Ubuntu: New
[Touch-packages] [Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
pcsc-lite source package provides pcscd and libpcsclite1 and thus is needed for smartcard deployment.

https://bugs.launchpad.net/bugs/1892559
Title: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
Status in ccid package in Ubuntu: New
Status in opensc package in Ubuntu: Incomplete
Status in pam-pkcs11 package in Ubuntu: New
Status in pcsc-lite package in Ubuntu: Incomplete
Status in pcsc-perl package in Ubuntu: Invalid
Status in pcsc-tools package in Ubuntu: Invalid

Bug description:
==> ccid <==

[Availability]
ccid is in universe, and builds on all architectures.

[Rationale]
The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments.

[Security]
No CVEs for ccid are listed in our database.
Doesn't appear to bind to a socket.
No privileged executables, but does have udev rules.
Probably needs a security review.

[Quality assurance]
No test suite.
Does require odd hardware that we'll probably need to buy.
I don't see debconf questions.
ccid is well maintained in Debian by upstream author.
One open wishlist bug in BTS, harmless.
One open bug in launchpad, not security, but looks very frustrating for the users. The upstream author was engaged but it never reached resolution. https://bugs.launchpad.net/ubuntu/+source/ccid/+bug/1175465
Has a debian/watch file.
Quilt packaging.
P: ccid source: no-dep5-copyright
P: ccid source: package-uses-experimental-debhelper-compat-version 13

[Dependencies]
Minimal dependencies, in main

[Standards compliance]
Appears to satisfy FHS and Debian policy

[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions.

[Background information]
ccid provides drivers to interact with usb-connected smart card readers.

==> libpam-pkcs11 <==

[Availability]
Source package pam-pkcs11 is in universe and builds on all architectures.

[Rationale]
The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments.

[Security]
No CVEs in our database.
Doesn't appear to bind to sockets.
No privileged executables (but is a PAM module).
As a PAM module this will require a security review.

[Quality assurance]
The package does not call pam-auth-update in its postinst #1650366
Does not ask questions during install.
One Ubuntu bug claims very poor behaviour if a card isn't plugged in.
No Debian bugs.
Occasional updates in Debian by long-term maintainer.
Does require odd hardware that we'll probably need to buy.
Does not appear to run tests during build.
Has scary warnings in the build logs.
Has a debian/watch file.
Ancient standards version; other smaller lintian messages, mostly documentation problems.
Quilt packaging.

[Dependencies]
Depends on libcurl4, libldap-2.4-2, libpam0g, libpcsclite1, libssl1.1
All are in main.

[Standards compliance]
The package does not call pam-auth-update in its postinst #1650366
Otherwise looks to conform to FHS and Debian policies

[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant questions.

[Background information]
This PAM module can use CRLs and full-chain verification of certificates. It can also do LDAP, AD, and Kerberos username mapping.

==> libpcsc-perl <==

[Availability]
Source package pcsc-perl is in universe, builds for all architectures, plus i386

[Rationale]
The desktop team and security team are interested in bringing smartcard authentication to enterprise desktop environments.

[Security]
There are no CVEs for pcsc-perl in our database.
No privileged executables.
Doesn't appear to bind to sockets.
Probably needs a security review.

[Quality assurance]
Library package not intended to be used directly.
No debconf questions.
No bugs in Debian.
No bugs in Ubuntu.
Does require odd hardware that we'll probably need to buy.
Tests exist, not run during the build; probably can't run during the build.
Includes debian/watch file.
A handful of lintian issues
Quilt packaging.

[Dependencies]
libpcsc-perl depends upon libpcsclite1, libc6, perl, perlapi-5.30.0.
All are in main.

[Standards compliance]
One oddity, Card.pod is stored in /usr/lib/x86_64-linux-gnu/perl5/5.30/Chipcard/PCSC/
Many other perl packages have .pod files in these directory trees so maybe it's fine, but it seems funny all the same.
Otherwise appears to satisfy FHS and Debian policy.

[Maintenance]
The desktop team will subscribe to bugs, however it is expected that the security team will assist with security-relevant
[Touch-packages] [Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
pcscd is required. When removed, I am not able to get any info from the driver about the reader or the smartcard. pcscd loads the smartcard driver and coordinates communications.

https://bugs.launchpad.net/bugs/1892559
Title: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
[Touch-packages] [Bug 1892559] Re: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
Hi Seth and Christian,

I did a smartcard setup and confirmed I did not have to use anything from pcsc-tools. And pcsc-tools seems to depend on libpcsc-perl, so we won't need pcsc-perl either.

My "sudo apt install opensc" pulled in libccid, libpcsclite1, opensc-pkcs11 and pcscd binary packages. I only needed one additional install of "libpam-pkcs11".

Next, I am looking into the pcscd requirement. Will comment shortly.

https://bugs.launchpad.net/bugs/1892559
Title: [MIR] ccid libpam-pkcs1 libpcsc-perl opensc pcsc-tools pcsc-lite
[Touch-packages] [Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
** Description changed: [Impact] In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault. ntpq uses crypto hashes to authenticate its requests. By default it uses md5. However, when compiled with openssl it creates a lists of acceptable hashes from openssl that can be used. + + This issue is only applicable in bionic when using fips-openssl. [Test Steps] Test case: sudo apt install ntp ntpq -p Segmentation fault (core dumped) What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task. EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds: EVP_add_digest(EVP_md5()); What happens later in ntpq is (list_md_fn function inside ntpq.c): ctx = EVP_MD_CTX_new(); EVP_DigestInit(ctx, EVP_get_digestbyname(name)); EVP_DigestFinal(ctx, digest, _len); First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex): #ifdef OPENSSL_FIPS if (FIPS_mode()) { if (!(type->flags & EVP_MD_FLAG_FIPS) && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); return 0; } } #endif Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS). After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c) OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); causes a segfault (ctx->digest is NULL). So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized. [Regression Potential] I don't think this should regress ntpq + openssl from the Ubuntu archive. Current archive ntpq + openssl behaviour: - openssl includes all message digests and hands ntpq a sorted digest-list. + openssl includes all message digests and hands ntpq a sorted digest-list. 
ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well and sticks all digests into its list regardless if it is working or not. - i.e. + i.e. ntpq> help keytype function: set key type to use for authenticated requests, one of: - MD4, MD5, RIPEMD160, SHA1, SHAKE128 + MD4, MD5, RIPEMD160, SHA1, SHAKE128 If somehow openssl library is corrupted and sends back erroneous results, its possible the authentication will just not ever work. Newly fixed archive ntpq + oenssl beahviour: openssl includes all message digests and hands ntpq a sorted digest-list. ntpq checks each one and includes each working digest. With a non-corrupted openssl, everything works fine and ntpq includes each into its list. Ends up with a list identical to the one above. - - If somehow opensll library is corrupted and sends back erroneous results, ntpq will hopefully catch it by checking return code and include only those algos that appear to be working. Its possible authentication will work for ntpq. + + If somehow opensll library is corrupted and sends back erroneous + results, ntpq will hopefully catch it by checking return code and + include only those algos that appear to be working. Its possible + authentication will work for ntpq. The difference will be seen in ntpq + fips-openssl. ntpq will check return, and for fips-not-approved algos, return will indicate an error. So these algos will be skipped and ntpq will not include into its digest list. Resulting in a much shorter list of only fips-approved algos. i.e. ntpq> help keytype function: set key type to use for authenticated requests, one of: - SHA1, SHAKE128 + SHA1, SHAKE128 - Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files. + Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files. But I think it is somewhat understood that MD5 is bad in a FIPS environment. 
** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault.
  ntpq uses crypto hashes to authenticate its requests. By default it uses md5. However, when compiled with openssl it creates a lists of acceptable hashes from openssl that can be used.

- This issue is only applicable in bionic when using fips-openssl.
+ This issue is only applicable in bionic and when using fips-openssl.

  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)

  What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task.
  EVP_MD_do_all_sorted eventually
[Touch-packages] [Bug 1884265] Re: [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.
** Summary changed:

- [fips] Not fully initialized digest segfaulting some client applications
+ [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] ntpq segfaults when attempting to use MD5 from FIPS-openssl library.

Status in openssl package in Ubuntu:
  In Progress
Status in openssl source package in Bionic:
  Confirmed

Bug description:
  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault.
  ntpq uses crypto hashes to authenticate its requests. By default it uses md5. However, when compiled with openssl it creates a list of acceptable hashes from openssl that can be used.

  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)

  What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task.
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds:
  EVP_add_digest(EVP_md5());

  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);

  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
      if (FIPS_mode()) {
          if (!(type->flags & EVP_MD_FLAG_FIPS) &&
              !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
              EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
              return 0;
          }
      }
  #endif

  Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS).

  After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).

  So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized.

  [Regression Potential]
  I don't think this should regress ntpq + openssl from the Ubuntu archive.

  Current archive ntpq + openssl behaviour:
  openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq doesn't check the return from EVP_Digest(Init|Final) and assumes all is well and sticks all digests into its list regardless of whether each is working or not.
  i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
  MD4, MD5, RIPEMD160, SHA1, SHAKE128

  If somehow the openssl library is corrupted and sends back erroneous results, it's possible the authentication will just not ever work.

  Newly fixed archive ntpq + openssl behaviour:
  openssl includes all message digests and hands ntpq a sorted digest-list.
  ntpq checks each one and includes each working digest. With a non-corrupted openssl, everything works fine and ntpq includes each into its list. Ends up with a list identical to the one above.

  If somehow the openssl library is corrupted and sends back erroneous results, ntpq will hopefully catch it by checking the return code and include only those algos that appear to be working. It's possible authentication will work for ntpq.

  The difference will be seen in ntpq + fips-openssl. ntpq will check the return, and for fips-not-approved algos, the return will indicate an error. So these algos will be skipped and ntpq will not include them in its digest list. Resulting in a much shorter list of only fips-approved algos.
  i.e.
  ntpq> help keytype
  function: set key type to use for authenticated requests, one of:
  SHA1, SHAKE128

  Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files.
  But I think it is somewhat understood that MD5 is bad in a FIPS environment.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
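The crash path and the fix described in the bug description above, as an added worked model that is not code from the bug report, ntpq or OpenSSL. The digest table, md_init, md_final and the two list builders are constructed stand-ins for EVP_MD_do_all_sorted, EVP_DigestInit and EVP_DigestFinal, with only SHA1 and SHAKE128 carrying the FIPS flag as in the report; the unchecked builder reproduces the NULL ctx->digest dereference (reported as an error code here instead of the OPENSSL_assert segfault), and the checked builder yields the shortened FIPS-only keytype list.

```c
/* Added example (not ntpq's or OpenSSL's code): a small model of the
 * EVP digest flow from the bug report. Names such as md_init, md_final,
 * md_ctx_t and the digest table are constructed for the illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MD_FLAG_FIPS 0x1          /* stands in for EVP_MD_FLAG_FIPS */
#define MAX_DIGESTS 8

typedef struct {
    const char *name;
    unsigned flags;               /* models EVP_MD.flags */
    size_t md_size;
} md_t;

/* Constructed table in the order EVP_MD_do_all_sorted would visit it.
 * Only SHA1 and SHAKE128 carry the FIPS flag, mirroring the report. */
static const md_t digest_table[] = {
    { "MD4",       0,            16 },
    { "MD5",       0,            16 },
    { "RIPEMD160", 0,            20 },
    { "SHA1",      MD_FLAG_FIPS, 20 },
    { "SHAKE128",  MD_FLAG_FIPS, 16 },
};
#define N_DIGESTS (sizeof digest_table / sizeof digest_table[0])

typedef struct {
    const md_t *digest;           /* NULL until init succeeds, like ctx->digest */
} md_ctx_t;

/* Models EVP_DigestInit_ex: in FIPS mode a digest without the FIPS flag
 * is rejected (EVP_R_DISABLED_FOR_FIPS) and the context stays empty. */
static int md_init(md_ctx_t *ctx, const md_t *type, int fips_mode)
{
    ctx->digest = NULL;
    if (fips_mode && !(type->flags & MD_FLAG_FIPS))
        return 0;
    ctx->digest = type;
    return 1;
}

/* Models EVP_DigestFinal_ex: the real function asserts on
 * ctx->digest->md_size, which dereferences NULL after a failed init.
 * Here that condition is reported as -1 instead of crashing. */
static int md_final(md_ctx_t *ctx, size_t *len)
{
    if (ctx->digest == NULL)
        return -1;                /* the segfault point in the report */
    *len = ctx->digest->md_size;
    return 1;
}

/* Unchecked pattern from the report: init/final results are ignored, so
 * the first non-FIPS digest hits the NULL dereference.
 * Returns the number of names collected, or -1 at the crash point. */
int list_digests_unchecked(int fips_mode, const char *out[], size_t max)
{
    size_t n = 0, len;
    for (size_t i = 0; i < N_DIGESTS && n < max; i++) {
        md_ctx_t ctx;
        md_init(&ctx, &digest_table[i], fips_mode);
        if (md_final(&ctx, &len) < 0)
            return -1;
        out[n++] = digest_table[i].name;
    }
    return (int)n;
}

/* Fixed pattern: check both return values and keep only digests that
 * actually initialise and finalise; fips-not-approved algos are skipped. */
int list_digests_checked(int fips_mode, const char *out[], size_t max)
{
    size_t n = 0, len;
    for (size_t i = 0; i < N_DIGESTS && n < max; i++) {
        md_ctx_t ctx;
        if (!md_init(&ctx, &digest_table[i], fips_mode))
            continue;
        if (md_final(&ctx, &len) != 1)
            continue;
        out[n++] = digest_table[i].name;
    }
    return (int)n;
}

int main(void)
{
    const char *names[MAX_DIGESTS];
    int n = list_digests_checked(1, names, MAX_DIGESTS);
    printf("FIPS-mode keytypes:");
    for (int i = 0; i < n; i++)
        printf(" %s", names[i]);
    printf("\n");
    return 0;
}
```

Run stand-alone, the checked builder in FIPS mode lists only SHA1 and SHAKE128, which is the shorter keytype list the report shows for ntpq + fips-openssl; with fips_mode set to 0 both builders return the full five-entry list, which is the "identical to the one above" archive behaviour.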
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Changed in: openssl (Ubuntu)
     Assignee: (unassigned) => Joy Latten (j-latten)

https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Additional testing for ntpq authentication to ensure MD5 still works for ntpq in archive

NOTE: The shown testing is ntpq(with patch) + openssl from archive. To ensure all still works.
Testing with ntpq + fips-openssl was also done successfully.

VM-A (ntp server)

1. Edit /etc/ntp.keys to include,
   1 SHA1 austintexas
   2 MD5 cedarpark

2. Edit /etc/ntp.conf to include.
   keys /etc/ntp.keys
   trustedkey 2
   controlkey 2
   requestkey 2

3. restart ntp
   sudo service ntp restart

VM-B (ntp client)

$ dpkg -l | grep ntp
ii  ntp  1:4.2.8p10+dfsg-5ubuntu7.1+ppa1  amd64  Network Time Protocol daemon and utility programs

1. Edit /etc/ntp.keys to include,
   1 SHA1 austintexas
   2 MD5 cedarpark

2. Edit /etc/ntp.conf to include,
   keys /etc/ntp.keys
   server key 2
   trustedkey 2
   controlkey 2
   requestkey 2

3. I commented out all the "pool" entries in /etc/ntp.conf

4. restart ntp
   sudo service ntp restart

On the client,

$ ntpq -c as

ind assid status  conf reach auth  condition  last_event cnt
===========================================================
  1 46728  f014   yes   yes  ok    reject   reachable  1

Notice that "auth" is ok.

$ ntpq
ntpq> keytype
keytype is MD5 with 16 octet digests
ntpq> keyid 2
ntpq> ifstats
MD5 Password:
    interface name                                        send
 #  address/broadcast     drop flag ttl mc received sent failed peers   uptime
==============================================================================
  0 v6wildcard            D    81   0  0    0       0     0      0       96
    [::]:123
  1 v4wildcard            D    89   0  0    0       0     0      0       96
    0.0.0.0:123
  2 lo                    .    5    0  0    2       1     0      0       96
    127.0.0.1:123
  3 ens3                  .    19   0  0    2       2     0      1       96
    192.168.122.105:123
  4 lo                    .    5    0  0    0       0     0      0       96
    [::1]:123
  5 ens3                  .    11   0  0    0       0     0      0       96
    [fe80::5054:ff:fefe:b092%2]:123
ntpq>

Note: issuing "ifstats" requires authentication.

I also tested with SHA1 and it worked as well.

And last test on client,

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.122.106  204.11.201.123      u   56   64    7   1.541   2.723   0.826

https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Testing:

There are no autopkgtests for ntp pkg and we do not run "make check" in the tests dir as part of the build. So, just in case it is applicable, I ran make check on my local build to ensure everything passes.

** Attachment added: "Results of running make check in ../tests directory"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5392383/+files/ntp-test-results

https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Description changed:

  [Impact]
  In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault.
- ntpq uses crypto hashes to authenticate its requests. By default it appears to use an internal md5 implementation. However, when compiled with openssl it creates a lists of acceptable hashes from openssl that can be used.
-
+ ntpq uses crypto hashes to authenticate its requests. By default it uses
+ md5. However, when compiled with openssl it creates a lists of
+ acceptable hashes from openssl that can be used.
+
  [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)

  What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task.
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds:
  EVP_add_digest(EVP_md5());

  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);

  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
      if (FIPS_mode()) {
          if (!(type->flags & EVP_MD_FLAG_FIPS) &&
              !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
              EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
              return 0;
          }
      }
  #endif

  Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS).

  After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).

  So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized.

  [Regression Potential]
- I believe the resolution to check the return code and if unsuccessful, do not include the hash algorithm in the internal ntpq digest list, should not introduce any regression.
- It will simply not add md5 and md5_sha1 to its lists of digests when compiled with openssl. Instead it will add the others like sha1, sha2, and sha3.
+ I don't think this should regress ntpq + openssl from the Ubuntu
+ archive.
+
+ Current archive ntpq + openssl behaviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list.
+ ntpq doesn't check return from EVP_Digest(Init|Final) and assumes all is well and sticks all digests into its list regardless if it is working or not.
+
+ i.e.
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ MD4, MD5, RIPEMD160, SHA1, SHAKE128
+
+ If somehow openssl library is corrupted and sends back erroneous
+ results, its possible the authentication will just not ever work.
+
+ Newly fixed archive ntpq + oenssl beahviour:
+ openssl includes all message digests and hands ntpq a sorted digest-list.
+ ntpq checks each one and includes each working digest. With a non-corrupted openssl, everything works fine and ntpq includes each into its list. Ends up with a list identical to the one above.
+
+ If somehow opensll library is corrupted and sends back erroneous results, ntpq will hopefully catch it by checking return code and include only those algos that appear to be working. Its possible authentication will work for ntpq.
+
+ The difference will be seen in ntpq + fips-openssl. ntpq will check
+ return, and for fips-not-approved algos, return will indicate an error.
+ So these algos will be skipped and ntpq will not include into its digest
+ list. Resulting in a much shorter list of only fips-approved algos.
+
+ i.e.
+ ntpq> help keytype
+ function: set key type to use for authenticated requests, one of:
+ SHA1, SHAKE128
+
+ Since md5 is ntpq's default auth algo, this will need to be changed to one of the above algos in the config files.
+ But I think it is somewhat understood that MD5 is bad in a FIPS environment.

https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
** Description changed:

- In FIPS mode on Bionic MD5 is semi-disabled causing some applications to
- segfault.
+ [Impact]
+ In FIPS mode on Bionic MD5 is semi-disabled causing some applications to segfault.
+ ntpq uses crypto hashes to authenticate its requests. By default it appears to use an internal md5 implementation. However, when compiled with openssl it creates a lists of acceptable hashes from openssl that can be used.
+
+ [Test Steps]
  Test case:
  sudo apt install ntp
  ntpq -p
  Segmentation fault (core dumped)

  What happens there is ntpq wants to iterate all available digests (list_digest_names in ntpq.c). It uses EVP_MD_do_all_sorted for this task.
  EVP_MD_do_all_sorted eventually runs openssl_add_all_digests_int in c_alld.c. For FIPS mode it adds:
  EVP_add_digest(EVP_md5());

  What happens later in ntpq is (list_md_fn function inside ntpq.c):
  ctx = EVP_MD_CTX_new();
  EVP_DigestInit(ctx, EVP_get_digestbyname(name));
  EVP_DigestFinal(ctx, digest, _len);

  First digest it gets is MD5, but while running EVP_DigestInit for it, it gets to this point (openssl/crypto/evp/digest.c EVP_DigestInit_ex):
  #ifdef OPENSSL_FIPS
      if (FIPS_mode()) {
          if (!(type->flags & EVP_MD_FLAG_FIPS) &&
              !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
              EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
              return 0;
          }
      }
  #endif

  Due to type->flags for MD5 being 0 there's an error set (EVP_R_DISABLED_FOR_FIPS).

  After getting back to ntpq.c: ctx->engine and ctx->digest are not set (due to the mentioned error), hence inside EVP_DigestFinal_ex (openssl/crypto/evp/digest.c)
  OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
  causes a segfault (ctx->digest is NULL).

  So either MD5 shouldn't be added in FIPS mode or it should have the EVP_MD_FLAG_FIPS to be properly initialized.
+
+ [Regression Potential]
+
+ I believe the resolution to check the return code and if unsuccessful, do not include the hash algorithm in the internal ntpq digest list, should not introduce any regression.
+ It will simply not add md5 and md5_sha1 to its lists of digests when compiled with openssl. Instead it will add the others like sha1, sha2, and sha3.

https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
debdiff for bionic

** Attachment added: "debdiff.bionic"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1884265/+attachment/5391374/+files/debdiff.bionic

https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Build log:
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/19570468

https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client applications

Status in openssl package in Ubuntu:
  New
Status in openssl source package in Bionic:
  New
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
I added return checks to ntpq code and this appears to solve the problem. Is it ok to make this an SRU?
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Also, this is only applicable in bionic. Neither xenial nor focal experience this issue.
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
It seems 2 things are happening to generate this issue:

1. fips-openssl in bionic has md5 and md5_sha1 in the fips digest list with the explicit purpose of accommodating PRF use only in fips mode. But you must pass the flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to successfully use them.

2. ntpq does not check return codes from EVP_ calls. It has,

       ctx = EVP_MD_CTX_new();
       EVP_DigestInit(ctx, EVP_get_digestbyname(name));
       EVP_DigestFinal(ctx, digest, _len);
       EVP_MD_CTX_free(ctx);
       if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
           return;

   EVP_DigestInit() would have returned 0 in this case, indicating a failure.

Possible fixes:

1. In the fips-libcrypto library, remove md5 from the fips digest list and keep md5_sha1 for PRF and mark it as fips-allowed. md5 can still be used with the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag, but it's just not in the fips digest list. Note: this fix can be put in the fips-update ppa for availability. But it may be a while before it is re-certified.

2. ntpq should check its return codes and do the appropriate thing on error.
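The second fix proposed above (check the result of every digest-initialisation call and skip a digest whose context failed to initialise, instead of finalising a half-initialised context as ntpq's list_md_fn does) is shown here as an added example. It is not ntpq or OpenSSL code: since the C EVP API cannot be exercised stand-alone here, it uses Python's hashlib as the analogous interface, where hashlib.new raising ValueError plays the role of EVP_DigestInit returning 0. The `fips_refusing_factory` and its `FIPS_REFUSED` name list are constructed to simulate a FIPS build offline; they are assumptions, not a real provider.

```python
"""Enumerate digests defensively: a digest whose context cannot be
initialised is reported as unusable instead of being finalised anyway.

Added example; not ntpq or OpenSSL code. hashlib.new raising ValueError
stands in for EVP_DigestInit() returning 0.
"""
import hashlib
from typing import Callable, Dict, Iterable, List, Optional

# Constructed stand-in for a FIPS-mode provider: these names are refused at
# init time, as EVP_DigestInit_ex fails with EVP_R_DISABLED_FOR_FIPS for MD5.
FIPS_REFUSED = frozenset({"md4", "md5", "md5_sha1"})


def fips_refusing_factory(name: str):
    """Simulated FIPS provider: refuse non-approved digests, else defer to hashlib."""
    if name.lower() in FIPS_REFUSED:
        raise ValueError(f"unsupported hash type {name} (disabled for FIPS)")
    return hashlib.new(name)


def probe_digests(names: Iterable[str],
                  factory: Callable[[str], object] = hashlib.new
                  ) -> Dict[str, Optional[int]]:
    """Map each digest name to its output size in bytes, or None when the
    provider refuses to initialise it.

    This is the ntpq pattern done safely: the init result is checked and a
    failed context is never carried on to the finalisation step.
    """
    sizes: Dict[str, Optional[int]] = {}
    for name in sorted(set(names)):
        try:
            ctx = factory(name)          # EVP_DigestInit() equivalent
        except ValueError:
            sizes[name] = None           # init failed: record it, do not finalise
            continue
        ctx.update(b"")                  # EVP_DigestUpdate() with no data
        sizes[name] = ctx.digest_size    # 0 for XOF digests such as shake_*
    return sizes


def usable_digests(names: Iterable[str],
                   factory: Callable[[str], object] = hashlib.new,
                   max_len: Optional[int] = None) -> List[str]:
    """Names that initialised successfully and whose output fits max_len,
    mirroring ntpq's check against MAX_MAC_LEN - sizeof(keyid_t)."""
    return [n for n, size in probe_digests(names, factory).items()
            if size is not None and (max_len is None or size <= max_len)]


if __name__ == "__main__":
    names = ["md5", "sha1", "sha256", "sha512"]
    print("this host:", probe_digests(names))
    print("FIPS-like:", probe_digests(names, factory=fips_refusing_factory))
    print("usable under FIPS-like, <=32 bytes:",
          usable_digests(names, fips_refusing_factory, max_len=32))
```

On a non-FIPS host every name in the list initialises; with the simulated provider md5 comes back as None and is left out of the usable list, which is the behaviour ntpq would need instead of passing the failed context to EVP_DigestFinal.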
[Touch-packages] [Bug 1884265] Re: [fips] Not fully initialized digest segfaulting some client applications
Investigating.
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
** Tags added: verification-done-eoan

** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Bionic:
  Fix Committed
Status in util-linux source package in Eoan:
  Fix Committed
Status in util-linux package in Debian:
  Unknown

Bug description:
  [Impact]

  hwclock reports incorrect status in audit message:

  - hwclock calls audit_log_user_message(3) to create an audit entry.
  - audit_log_user_message(3) result 1 is "success" and 0 is "failed".
  - hwclock uses the standard EXIT_{SUCCESS,FAILURE} macros, which have the reverse status.
  - Thus it reports its status incorrectly in the audit message.

  It is a requirement for Common Criteria Certification that hwclock reports correct status in audit message.

  This has been fixed upstream in
  https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

  [Test Steps]

  Steps to test:
  1. Install auditd
  2. Run following testcase,

      # hwclock
      2020-03-02 15:03:03.280351+
      # hwclock --set --date "1/1/2000 00:00:00"
      # echo $?
      0
      # hwclock
      2000-01-01 00:00:05.413924+
      # hwclock --utc --systohc
      # echo $?
      0
      # hwclock
      2020-03-02 15:07:00.264331+

  Following audit messages from /var/log/audit/audit.log. Note that the last field in each audit record produced when the hardware clock was modified has "res=failed", although the testcase shows no failure occurred.

      type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
      type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'

  [Regression Potential]

  Changes are limited to the result value passed to audit_log_user_message(3), so the audit messages will change only the 'res=' field (to the correct result). There should not be any regression from fixing the status given to auditd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
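The verification steps above rest on reading the `res=` field out of USYS_CONFIG records, and the root cause is the inverted meaning of audit_log_user_message(3)'s result argument relative to EXIT_SUCCESS/EXIT_FAILURE. The following is an added example, not util-linux or auditd code, that parses audit records of the shape shown in the bug report (including the nested `msg='...'` payload) and flags clock changes logged as failed; `audit_result_for_exit` shows the mapping hwclock needed. The sample records are the ones quoted in the report, with one success record from the verification comments.

```python
"""Parse Linux audit USYS_CONFIG records and flag clock changes logged as
failed. Added example; not util-linux or auditd code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Records copied from the bug report (res=failed is the buggy hwclock output)
# plus one res=success record from the verification run.
SAMPLE_RECORDS = """\
type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'
"""

# Record header: type=<TYPE> msg=audit(<epoch.ms>:<serial>): <key=value ...>
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_fields(text: str) -> Dict[str, str]:
    """Tokenise key=value pairs; values may be bare, "double" or 'single' quoted."""
    fields: Dict[str, str] = {}
    pos, n = 0, len(text)
    while pos < n:
        while pos < n and text[pos] == " ":
            pos += 1
        if pos >= n:
            break
        eq = text.find("=", pos)
        if eq < 0:
            break
        key = text[pos:eq]
        pos = eq + 1
        if pos < n and text[pos] in "'\"":
            quote = text[pos]
            end = text.find(quote, pos + 1)
            if end < 0:
                end = n
            fields[key] = text[pos + 1:end]
            pos = end + 1
        else:
            end = text.find(" ", pos)
            if end < 0:
                end = n
            fields[key] = text[pos:end]
            pos = end
    return fields


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one audit line; the USYS_CONFIG msg='...' payload is flattened in."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = parse_fields(m.group(4))
    nested = fields.pop("msg", None)
    if nested is not None:
        fields.update(parse_fields(nested))
    return AuditRecord(m.group(1), float(m.group(2)), int(m.group(3)), fields)


def audit_result_for_exit(exit_status: int) -> int:
    """audit_log_user_message(3) result: 1 = success, 0 = failed.
    EXIT_SUCCESS is 0, so passing the exit status through unchanged inverts
    the meaning; this returns the value the audit call actually expects."""
    return 1 if exit_status == 0 else 0


def failed_time_changes(lines: Iterable[str]) -> List[AuditRecord]:
    """USYS_CONFIG change-system-time records that auditd logged as failed."""
    hits: List[AuditRecord] = []
    for line in lines:
        rec = parse_record(line)
        if (rec is not None and rec.type == "USYS_CONFIG"
                and rec.fields.get("op") == "change-system-time"
                and rec.fields.get("res") == "failed"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in failed_time_changes(SAMPLE_RECORDS.splitlines()):
        print(f"serial {rec.serial}: {rec.fields['exe']} on "
              f"{rec.fields['hostname']} logged res={rec.fields['res']}")
```

Run against a real /var/log/audit/audit.log, the `failed_time_changes` list is the check behind the verification comments: before the fix every clock change shows up as failed, after it the list is empty for the test steps above.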
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
Successful verification on amd64 for bionic

$ dpkg -l | grep util-linux
ii  util-linux  2.31.1-0.4ubuntu3.6  amd64  miscellaneous system utilities

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

type=USYS_CONFIG msg=audit(1584464596.658:106): pid=13437 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1584464615.494:117): pid=13441 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=success'
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
Successful verification on amd64 for eoan

$ dpkg -l | grep util-linux
ii  util-linux  2.34-0.1ubuntu2.4  amd64  miscellaneous system utilities

Audit records found in /var/log/audit/audit.log,

type=USYS_CONFIG msg=audit(1584463433.533:68): pid=4263 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-server addr=? terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1584463480.497:81): pid=4268 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=eaon-server addr=? terminal=pts/0 res=success'
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
Mauricio, thank you so much for handling. Much appreciated. I took a quick look at the above #15 and #16 and perhaps a retry may be beneficial... there were some timeouts...
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
** Also affects: util-linux (Ubuntu Eoan)
   Importance: Undecided
       Status: New
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
The debdiff for focal

** Attachment removed: "debdiff for focal"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal

** Attachment added: "debdiff.focal"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333895/+files/debdiff.focal
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
** Also affects: util-linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
** Attachment added: "debdiff for focal"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+attachment/5333544/+files/debdiff.focal
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
Build log https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/18795481

** Bug watch added: Debian Bug tracker #953065
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065

** Also affects: util-linux (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953065
   Importance: Unknown
       Status: Unknown

https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

Status in util-linux package in Ubuntu:
  New
Status in util-linux package in Debian:
  Unknown

Bug description:
  [IMPACT]
  hwclock reports incorrect status in audit message

  hwclock calls audit_log_user_message(3) to create an audit entry.
  audit_log_user_message(3) result 1 is "success" and 0 is "failed";
  hwclock uses the standard EXIT_{SUCCESS,FAILURE} macros with the
  reverse status. Thus it reports its status incorrectly in the audit
  message.

  It is a requirement for Common Criteria Certification that hwclock
  reports the correct status in the audit message.

  This has been fixed upstream in
  https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

  [TEST]

  Steps to test:
  1. Install auditd
  2. Run the following testcase:

  # hwclock
  2020-03-02 15:03:03.280351+
  # hwclock --set --date "1/1/2000 00:00:00"
  # echo $?
  0
  # hwclock
  2000-01-01 00:00:05.413924+
  # hwclock --utc --systohc
  # echo $?
  0
  # hwclock
  2020-03-02 15:07:00.264331+

  Following audit messages from /var/log/audit/audit.log:

  type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
  type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'

  Note that the last entry in each audit record produced when the
  hardware clock was modified has "res=failed", although the testcase
  shows no failure occurred.

  [Regression Potential]
  There should not be any regression from fixing the status given to
  auditd.
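The status inversion described in this bug, as an added example that is not hwclock's or util-linux's code: it contrasts passing a process exit status straight to libaudit's result argument with the corrected mapping, and parses the USYS_CONFIG records quoted above (plus the post-fix res=success record from the bug 1722313 zesty verification further down) to flag records whose res= contradicts the command's real exit status. The field parser and every function name here are this example's own assumptions; libaudit itself is not linked.

```c
/* Added example, not hwclock's or util-linux's code.  Per the bug report,
 * audit_log_user_message(3) takes a result of 1 = "success" / 0 = "failed",
 * while <stdlib.h> defines EXIT_SUCCESS as 0 and EXIT_FAILURE as 1, so
 * passing a process exit status straight through logs the opposite outcome.
 * libaudit is not linked; the record parser and function names are our own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_RES_SUCCESS 1   /* libaudit result convention */
#define AUDIT_RES_FAILED  0

/* Models the reported bug: EXIT_SUCCESS (0) ends up recorded as "failed". */
int audit_result_passthrough(int exit_status)
{
    return exit_status;
}

/* Corrected mapping: translate the exit status into libaudit's convention. */
int audit_result_from_exit(int exit_status)
{
    return exit_status == EXIT_SUCCESS ? AUDIT_RES_SUCCESS : AUDIT_RES_FAILED;
}

/* Copy the value of key=value from an audit record into out.  Handles bare
 * values (res=failed) and double-quoted ones (exe="/sbin/hwclock"), and only
 * matches a key that starts a field, so "uid" never matches inside "auid".
 * Returns the value length, or 0 if the key is absent. */
static size_t audit_field(const char *record, const char *key,
                          char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = record;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == record || p[-1] == ' ' || p[-1] == '\'') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n;
            if (*v == '"') {
                v++;
                n = strcspn(v, "\"");
            } else {
                n = strcspn(v, " '\n");
            }
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return n;
        }
        p += klen;
    }
    out[0] = '\0';
    return 0;
}

/* Classify an auditd record: 1 for an hwclock change-system-time record with
 * res=success, 0 for one with res=failed, -1 for anything else. */
int hwclock_record_result(const char *record)
{
    char op[64], exe[128], res[32];
    if (strstr(record, "type=USYS_CONFIG") == NULL)
        return -1;
    audit_field(record, "op", op, sizeof op);
    audit_field(record, "exe", exe, sizeof exe);
    if (strcmp(op, "change-system-time") != 0 || strcmp(exe, "/sbin/hwclock") != 0)
        return -1;
    if (audit_field(record, "res", res, sizeof res) == 0)
        return -1;
    return strcmp(res, "success") == 0 ? AUDIT_RES_SUCCESS : AUDIT_RES_FAILED;
}

/* Detection check: 1 when the record's res= contradicts the exit status the
 * command actually returned (the symptom in the report), 0 otherwise. */
int hwclock_status_mismatch(int exit_status, const char *record)
{
    int logged = hwclock_record_result(record);
    return logged >= 0 && logged != audit_result_from_exit(exit_status);
}

int main(void)
{
    /* Pre-fix record quoted in this bug, and the post-fix record from the
     * bug 1722313 zesty verification; both hwclock runs exited 0. */
    const char *before = "type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 "
        "auid=1000 ses=1 msg='op=change-system-time exe=\"/sbin/hwclock\" "
        "hostname=bionic-fips addr=? terminal=pts/0 res=failed'";
    const char *after = "type=USYS_CONFIG msg=audit(1512158548.257:24): pid=3081 uid=0 "
        "auid=1000 ses=1 msg='op=change-system-time exe=\"/sbin/hwclock\" "
        "hostname=? addr=? terminal=pts/0 res=success'";

    printf("passed through=%d mapped=%d pre-fix mismatch=%d post-fix mismatch=%d\n",
           audit_result_passthrough(EXIT_SUCCESS), audit_result_from_exit(EXIT_SUCCESS),
           hwclock_status_mismatch(EXIT_SUCCESS, before),
           hwclock_status_mismatch(EXIT_SUCCESS, after));
    return 0;
}
```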
[Touch-packages] [Bug 1865504] Re: hwclock reports incorrect status in audit message
** Description changed:

+ [IMPACT]
+ hwclock reports incrorect status in audit message
+
+ hwclock calls audit_log_user_message(3) to create an audit entry.
  audit_log_user_message(3) result 1 is "success" and 0 is "failed",
  hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse
- status. Thus reports status incorrectly in audit message. This has been fixed upstream in https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
+ status. Thus reports it's status incorrectly in audit message.
+
+ It is a requirement for Common Criteria Certification that hwclock
+ reports correct status in audit message.
+
+ This has been fixed upstream in https://github.com/karelzak/util-
+ linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
+
+ [TEST]
+
+ Steps to test:
+ 1. Install auditd
+ 2. Run following testcase,
+
+ # hwclock
+ 2020-03-02 15:03:03.280351+
+ # hwclock --set --date "1/1/2000 00:00:00"
+ # echo $?
+ 0
+ # hwclock
+ 2000-01-01 00:00:05.413924+
+ # hwclock --utc --systohc
+ # echo $?
+ 0
+ # hwclock
+ 2020-03-02 15:07:00.264331+
+
+ Following audit messages from /var/log/audit/audit.log,
+
+ type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
+ type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
+
+ Note that last entry in each audit record produced when hardware clock
+ was modified has, "res=failed". Although, testcase shows no failure
+ occurred.
+
+ [Regression Potential]
+ There should not be any regression to fix the status given to auditd.
[Touch-packages] [Bug 1865504] [NEW] hwclock reports incorrect status in audit message
Public bug reported:

audit_log_user_message(3) result 1 is "success" and 0 is "failed";
hwclock uses the standard EXIT_{SUCCESS,FAILURE} macros with the reverse
status, and thus reports its status incorrectly in the audit message.
This has been fixed upstream in
https://github.com/karelzak/util-linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

** Affects: util-linux (Ubuntu)
     Importance: High
     Assignee: Joy Latten (j-latten)
         Status: New

** Changed in: util-linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: util-linux (Ubuntu)
   Importance: Medium => High

** Changed in: util-linux (Ubuntu)
     Assignee: (unassigned) => Joy Latten (j-latten)

https://bugs.launchpad.net/bugs/1865504
[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
The 2.7 and 3.5 python packages in the security proposed PPA have been
successfully tested in a fips and non-fips xenial environment.

https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

Status in python2.7 package in Ubuntu:
  Triaged
Status in python3.5 package in Ubuntu:
  Invalid
Status in python2.7 source package in Xenial:
  In Progress
Status in python3.5 source package in Xenial:
  In Progress
Status in python2.7 source package in Bionic:
  In Progress
Status in python3.5 source package in Bionic:
  Invalid
Status in python2.7 source package in Cosmic:
  Won't Fix
Status in python3.5 source package in Cosmic:
  Invalid
Status in python2.7 source package in Disco:
  In Progress
Status in python3.5 source package in Disco:
  Invalid
Status in python2.7 source package in Eoan:
  Triaged
Status in python3.5 source package in Eoan:
  Invalid

Bug description:
  If Ubuntu/Canonical's FIPS-compliant OpenSSL is initialized with
  SSL_library_init, then Python2's hashlib bindings for MD5 can trigger
  a SIGSEGV via a NULL pointer dereference (if calling the .update
  method) or a SIGABRT (if passing input to the constructor or passing
  no input and invoking the .final method). This happens if, for
  example, PyOpenSSL is imported before hashlib.

  Canonical's FIPS patches for OpenSSL introduce some odd behavior that
  arguably should be revisited, but the (TL;DR) core bug is that Python2
  hashlib doesn't properly check the return value of EVP_DigestInit,
  preventing hashlib from falling back to its internal MD5
  implementation and instead setting things up for use of the MD5
  context to trigger SIGSEGV or SIGABRT. Python3 correctly checks the
  return value, so the fix is to backport the relevant code into Python2
  (see python2.7-2.7.12/Modules/_hashopenssl.c).

  See attached good.py and bad.py files which exhibit the import
  order-dependent crashing issue. See attached fips-md5-python-init-bug.c
  which shows the FIPS OpenSSL behaviors that conditionally tickle the
  Python2 bug. The C file also contains a much more detailed description
  of the Python2 bug and other behavior which I'd rather not repeat here.

  I discovered this bug investigating an issue with the third-party
  apt-boto-s3 package. See https://github.com/boto/boto3/issues/2021

  Note that this bug affects Splunk, Inc, which has a corporate Ubuntu
  Advantage license. My login account is attached to a different,
  single-seat license.
[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Upon looking at the source for both python2.7 and python3.5 in xenial,
neither checks the return value from EVP_DigestInit in the
Modules/_hashopenssl.c file. However, python3.6 (in bionic, cosmic and
disco) does have the check. So the check will need to be backported to
python 2.7 and python 3.5 in xenial.

https://bugs.launchpad.net/bugs/1835135
[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Like python3, python2 should check the return value of EVP_DigestInit.

https://bugs.launchpad.net/bugs/1835135
[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
The assessment is accurate. FIPS 140-2 does not allow MD5 except for use
in the PRF. Thus OpenSSL_add_all_digests in fips openssl does not include
MD5. However, SSL_library_init() does include MD5, but only for use in
calculating the PRF. Notice that in tls1_P_hash() in ssl/t1_enc.c the
flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW is set in the context to permit this
use of MD5. Apps wishing to calculate their own PRF can do the same.

https://bugs.launchpad.net/bugs/1835135
[Touch-packages] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
Investigating

https://bugs.launchpad.net/bugs/1835135
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
Update on Artful regression analysis from comment #22.

1. Same as in comment #22. Hopefully these can be ignored as they were
   for xenial.

2. Same as in comment #22. Tests passed in different runs as stated
   above. When the failures occurred, it was because of timeouts while
   waiting for something. Failures appear to be intermittent and not
   related to the change made here.

3. gnocchi - appears to be a testcase usage message from python. Not
   related to the change made in this bug.

4. libdata-uuid-libuuid-perl (s390x) - Julian did a test here using
   hello and a prior version of util-linux and they both failed with the
   same error. So this error is not related to this bug's change.
   Something else changed, perhaps in the testcase or test environment.

5. tracker passes on a re-run

6. nplan passes on a re-run

Conclusion: Hopefully the above explanations result in the regressions
having been resolved so util-linux in artful can be promoted.

https://bugs.launchpad.net/bugs/1722313

Title:
  Enable auditing in util-linux.

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Xenial:
  Fix Committed
Status in util-linux source package in Zesty:
  Fix Committed
Status in util-linux source package in Artful:
  Fix Committed
Status in util-linux package in Debian:
  New

Bug description:
  [IMPACT]
  Enable auditing in util-linux.

  The config option --with-audit enables auditing. Only the hwclock and
  the login commands within the util-linux package have source code for
  auditing. But that source code is disabled by default and requires the
  config option --with-audit to enable it. The login command is not
  built nor shipped in util-linux; Ubuntu uses the login command from
  shadow instead. Thus, only the hwclock command would be affected by
  this change.

  The change would enable the hwclock command to generate an audit log
  message to /var/log/audit/audit.log whenever it changes the hardware
  clock. This message will only get logged to /var/log/audit/audit.log
  if the auditd daemon is running. Otherwise, if auditd is not running,
  like most log messages, it will get logged to /var/log/kern.log and/or
  /var/log/syslog if these services are enabled.

  That hwclock generates an audit message when the hardware clock is
  changed is a requirement for Common Criteria EAL2 certification for
  Xenial.

  [TEST]
  This has been tested on both P8 and amd64 architectures. With the
  patch all the Common Criteria testcases pass for hwclock. Before this
  patch, the functional part of the testcase passed, but the check for
  the triggered audit records would fail. Attached the Common Criteria
  testcase below.

  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.

  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does
  not take away from any current functionality. It just adds the ability
  to generate an audit entry when the system hardware clock is altered.
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
Summary of analysis of the autopkgtest failures listed for this SRU in
http://people.canonical.com/~ubuntu-archive/pending-sru.html

For Artful regressions:

1. dpdk (s390x), ocfs2-tools (s390x), lxcfs (s390x), ori (s390x),
   network-manager (s390x), lxd (s390x)
   These all have failing testcases that were skipped in the prior
   version of util-linux. The same reason stated in comment #21 above
   may be applicable here as well.

2. network-manager (ppc64el) - has had 2 runs. In one run,
   test_wpa1_ip4 fails and test_rfkill passes. In the other run,
   test_wpa1_ip4 passes and test_rfkill fails. A timeout results in the
   failure. Seems testcases do pass for this version of util-linux but
   are sensitive to current workload maybe...

3. gnocchi (all platforms) - further investigating.

4. libdata-uuid-libuuid-perl (s390x) - might be due to the change in
   test environment such as #1.

5. tracker (arm64) - further investigation. No prior run to compare
   with.

6. nplan (arm64) - further investigation. No prior run to compare with.

https://bugs.launchpad.net/bugs/1722313
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
Summary of analysis of the autopkgtest failures listed for this SRU in
http://people.canonical.com/~ubuntu-archive/pending-sru.html

For Xenial regressions:

1. In xenial, the failing testcases had been skipped in prior versions
   and not run, i.e. "SKIP Test requires machine-level isolation but
   testbed does not provide that". I talked to Julian, who informed me
   that the s390x testbed went from LXC containers to VMs. Now those
   tests that had not been run before were executing and failing.

https://bugs.launchpad.net/bugs/1722313
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
Verified successfully in amd64 VM for zesty.

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="17.04 (Zesty Zapus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 17.04"
VERSION_ID="17.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=zesty
UBUNTU_CODENAME=zesty

$ dpkg -l | grep util-linux
ii  util-linux  2.29-1ubuntu2.2  amd64  miscellaneous system utilities

$ uname -a
Linux zestyguest 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Message logged after altering the hardware clock:

type=USYS_CONFIG msg=audit(1512158548.257:24): pid=3081 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'

** Tags added: verification-done-zesty

https://bugs.launchpad.net/bugs/1722313
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
Verified on xenial on a P8 and a z13 zlpar.

From P8:

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

$ uname -a
Linux 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:53:44 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux

$ dpkg -l | grep util-linux
ii  util-linux  2.27.1-6ubuntu3.4  ppc64el  miscellaneous system utilities

Resulting log message, after altering the system clock:

type=USYS_CONFIG msg=audit(1512153890.632:29): pid=26156 uid=0 auid=1000 ses=998 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'

Test on z13 zlpar:

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

$ uname -a
Linux 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:35:14 UTC 2017 s390x s390x s390x GNU/Linux

ubuntu@s1lp12:~$ dpkg -l | grep util-linux
ii  util-linux  2.27.1-6ubuntu3.4  s390x  miscellaneous system utilities

$ /usr/bin/sudo hwclock --set --date "1/1/2000 00:00:00"
hwclock: Cannot access the Hardware Clock via any known method.
hwclock: Use the --debug option to see the details of our search for an access method.

This is correct behaviour since zlpar cannot access the hw clock and is consistent with prior versions.

Message logged indicates the failure:

type=USYS_CONFIG msg=audit(1512154473.517:12321): pid=84471 uid=0 auid=1000 ses=1134 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/1 res=failed'

** Tags added: verification-done-xenial

** Description changed:

  [IMPACT]
  Enable auditing in util-linux.
  The config option, --with-audit enables auditing.
- 
- Only the hwclock and the login commands within util-linux package have source code for auditing. But that source code is disabled by default and requires the config option, --with-audit to enable it. The login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change.
+ 
+ Only the hwclock and the login commands within util-linux package have
+ source code for auditing. But that source code is disabled by default
+ and requires the config option, --with-audit to enable it. The login
+ command is not built nor shipped in util-linux. Ubuntu uses the login
+ command from shadow instead. Thus, only hwclock command would be
+ affected by this change.
  
  The change would enable the hwclock command to generate an audit log
  message to /var/log/audit/audit.log whenever it changes the hardware
- clock. This message will only get logged if auditd daemon is running.
- Otherwise, nothing gets logged.
+ clock. This message will only get logged to /var/log/audit/audit.log, if
+ auditd daemon is running. Otherwise, if the auditd is not running, like
+ most log messages, it will get logged to /var/log/kern.log and|or
+ /var/log/syslog if these services are enabled.
  
  That the hwclock generates an audit message when hardware clock is
  changed is a requirement for Common Criteria EAL2 certification for
  Xenial.
  
  [TEST]
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail. Attached the Common Criteria
  testcase below. Also, the util-linux package has testcases that get run
  during the build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small.
  This change does not take away from any current functionality. It just
  adds the ability to generate an audit entry when system hardware clock
  is altered.

https://bugs.launchpad.net/bugs/1722313
Title: Enable auditing in util-linux.
Status in util-linux package in Ubuntu: Fix Released
Status in util-linux source package in Xenial: Fix Committed
Status in util-linux source package in Zesty: Fix Committed
Status in util-linux source package in Artful: Fix Committed
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
** Tags added: verification-done-artful

https://bugs.launchpad.net/bugs/1722313
Title: Enable auditing in util-linux.
Status in util-linux package in Ubuntu: Fix Released
Status in util-linux source package in Xenial: In Progress
Status in util-linux source package in Zesty: In Progress
Status in util-linux source package in Artful: Fix Committed
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
Sorry, comment #13 had a cut-and-paste issue. The log message is:

type=USYS_CONFIG msg=audit(1511898182.500:184): pid=3305 uid=0 auid=1000 ses=2 msg='op=change-system-time exe="/sbin/hwclock" hostname=artfulguest addr=? terminal=pts/0 res=success'

https://bugs.launchpad.net/bugs/1722313
Title: Enable auditing in util-linux.
Status in util-linux package in Ubuntu: Fix Released
Status in util-linux source package in Xenial: In Progress
Status in util-linux source package in Zesty: In Progress
Status in util-linux source package in Artful: Fix Committed
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
Generated an artful VM and verified that this is fixed in artful.

ubuntu@artfulguest:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="17.10 (Artful Aardvark)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 17.10"
VERSION_ID="17.10"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=artful
UBUNTU_CODENAME=artful

Altered the hwclock via

  $ sudo hwclock --set --date "1/1/2000 00:00:00"

and received the following audit log message in the appropriate log files when applicable:

type=USER_CMD msg=audit(1511896792.291:29): pid=3008 uid=1000 auid=1000 ses=2 msg='cwd="/home/ubuntu" cmd="hwclock" terminal=pts/0 res=success'

https://bugs.launchpad.net/bugs/1722313
Title: Enable auditing in util-linux.
Status in util-linux package in Ubuntu: Fix Released
Status in util-linux source package in Xenial: In Progress
Status in util-linux source package in Zesty: In Progress
Status in util-linux source package in Artful: Fix Committed
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
Version of package verified on artful:

ubuntu@artfulguest:~$ dpkg -l | grep util-linux
ii  util-linux  2.30.1-0ubuntu4.1  amd64  miscellaneous system utilities

https://bugs.launchpad.net/bugs/1722313
Title: Enable auditing in util-linux.
Status in util-linux package in Ubuntu: Fix Released
Status in util-linux source package in Xenial: In Progress
Status in util-linux source package in Zesty: In Progress
Status in util-linux source package in Artful: Fix Committed
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: Enable auditing in util-linux.
** Summary changed:

- [SRU][xenial] Enable auditing in util-linux.
+ Enable auditing in util-linux.

https://bugs.launchpad.net/bugs/1722313
Title: Enable auditing in util-linux.
Status in util-linux package in Ubuntu: In Progress
Status in util-linux source package in Xenial: New
Status in util-linux source package in Zesty: New
Status in util-linux source package in Artful: New
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
I have also submitted a patch against the recent debian version of this package to Debian. Just in case, I also noted in the debian bug thread the following:

- util-linux package is Priority: required and the libaudit1 package is Priority: optional. Possibly this is no longer a problem in reference to a change in Version 4.0.1 listed here, https://www.debian.org/doc/packaging-manuals/upgrading-checklist.txt

https://bugs.launchpad.net/bugs/1722313
Title: [SRU][xenial] Enable auditing in util-linux.
Status in util-linux package in Ubuntu: In Progress
Status in util-linux source package in Xenial: New
Status in util-linux source package in Zesty: New
Status in util-linux source package in Artful: New
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
** Attachment added: "debdiff.bionic"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006681/+files/debdiff.bionic

https://bugs.launchpad.net/bugs/1722313
Title: [SRU][xenial] Enable auditing in util-linux.
Status in util-linux package in Ubuntu: In Progress
Status in util-linux source package in Xenial: New
Status in util-linux source package in Zesty: New
Status in util-linux source package in Artful: New
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
** Changed in: util-linux (Ubuntu)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1722313
Title: [SRU][xenial] Enable auditing in util-linux.
Status in util-linux package in Ubuntu: In Progress
Status in util-linux source package in Xenial: New
Status in util-linux source package in Zesty: New
Status in util-linux source package in Artful: New
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
Build logs and test runs can be found in PPA at,
https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+packages

Please note, the versioning of the packages is incorrect in the PPA, my apologies. I did them correctly in the debdiff for each release that I have attached.

Comment #3 just contains the testcase I use to verify that the audit entry is created when the config option is enabled.

https://bugs.launchpad.net/bugs/1722313
Title: [SRU][xenial] Enable auditing in util-linux.
Status in util-linux package in Ubuntu: New
Status in util-linux source package in Xenial: New
Status in util-linux source package in Zesty: New
Status in util-linux source package in Artful: New
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
** Attachment added: "debdiff.artful"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006620/+files/debdiff.artful

https://bugs.launchpad.net/bugs/1722313
Title: [SRU][xenial] Enable auditing in util-linux.
Status in util-linux package in Ubuntu: New
Status in util-linux source package in Xenial: New
Status in util-linux source package in Zesty: New
Status in util-linux source package in Artful: New
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
** Attachment added: "debdiff.zesty"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006619/+files/debdiff.zesty

https://bugs.launchpad.net/bugs/1722313
Title: [SRU][xenial] Enable auditing in util-linux.
Status in util-linux package in Ubuntu: New
Status in util-linux source package in Xenial: New
Status in util-linux source package in Zesty: New
Status in util-linux source package in Artful: New
Status in util-linux package in Debian: New
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
** Attachment added: "debdiff.xenial"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006617/+files/debdiff.xenial
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
** Attachment removed: "debdiff of version 3.3 and 3.4~joyppa2"
   https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/4966026/+files/debdiff.out
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
** Description changed:

  [IMPACT]
- There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled.
+ Enable auditing in util-linux. The config option, --with-audit enables auditing.
+
+ Only the hwclock and the login commands within util-linux package have source code for auditing. But that source code is disabled by default and requires the config option, --with-audit to enable it. The login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change.
  
- Only the hwclock and the login commands within util-linux package use
- this --with-audit config option to enable auditing. However, it appears
- the login command is not built nor shipped in util-linux. Ubuntu uses
- the login command from shadow instead. Thus, only hwclock command would
- be affected by this change. The change would enable (1) call to
- audit_open to create a netlink socket descritor. (2) generate an audit
- entry when system hardware clock altered. The entry will be logged into
- the /var/log/audit/audit.log IF auditd is installed and running.
+ The change would enable the hwclock command to generate an audit log
+ message to /var/log/audit/audit.log whenever it changes the hardware
+ clock. This message will only get logged if auditd daemon is running.
+ Otherwise, nothing gets logged.
+
+ That the hwclock generates an audit message when hardware clock is
+ changed is a requirement for Common Criteria EAL2 certification for
+ Xenial.
  
  [TEST]
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail. Attached the Common Criteria
  testcase below.
  
  Also, the util-linux package has testcases that get run during the
  build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not
  take away from any current functionality. It just adds the ability to
  generate an audit entry when system hardware clock is altered.
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Enable auditing in util-linux.
** Summary changed:

- [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.
+ [SRU][xenial] Enable auditing in util-linux.
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.
** Bug watch added: Debian Bug tracker #745771
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745771

** Also affects: util-linux (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745771
   Importance: Unknown
   Status: Unknown
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.
Comment #3 should have read "Common Criteria EAL2 hwclock testcase".

** Description changed:

  [IMPACT]
  There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled.
  
- Only the hwclock and the login commands within util-linux package use this --with-audit config option to enable auditing. However, it appears the login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change. The change would enable (1) call to audit_open to create a netlink socket descritor. (2) generate an audit entry when system hardware clock altered. The entry will be logged into the /var/log/audit/audit.log IF auditd is installed and running.
- 
+ Only the hwclock and the login commands within util-linux package use
+ this --with-audit config option to enable auditing. However, it appears
+ the login command is not built nor shipped in util-linux. Ubuntu uses
+ the login command from shadow instead. Thus, only hwclock command would
+ be affected by this change. The change would enable (1) call to
+ audit_open to create a netlink socket descritor. (2) generate an audit
+ entry when system hardware clock altered. The entry will be logged into
+ the /var/log/audit/audit.log IF auditd is installed and running.
+ 
  [TEST]
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
- triggered audit records would fail.
+ triggered audit records would fail. Attached the Common Criteria
+ testcase below.
+ 
+ Also, the util-linux package has testcases that get run during the
+ build. All of these pass. Pointer to build log below.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not
  take away from any current functionality. It just adds the ability to
  generate an audit entry when system hardware clock is altered.
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.
** Attachment added: "EAL hwclock testcase"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+attachment/4966040/+files/test_hwclock.bash
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.
Build log and tests run: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/13375821
[Touch-packages] [Bug 1722313] Re: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.
** Description changed:

  [IMPACT]
  There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled.
  
- Only the hwclock and the login commands within util-linux package use
- this --with-audit config option to enable auditing. However, it appears
- the login command is not built nor shipped in util-linux. Ubuntu uses
- the login command from shadow instead. Thus, only hwclock command would
- be affected by this change. The change would enable (1) call to
- audit_open to create a netlink socket descritor. (2) generate an audit
- entry when system hardware clock altered. The entry will be logged into
- the /var/log/audit/audit.log IF auditd is installed and running.
- 
- [FIX]
- 
+ Only the hwclock and the login commands within util-linux package use this --with-audit config option to enable auditing. However, it appears the login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change. The change would enable (1) call to audit_open to create a netlink socket descritor. (2) generate an audit entry when system hardware clock altered. The entry will be logged into the /var/log/audit/audit.log IF auditd is installed and running.
+ 
  [TEST]
  This has been tested on both P8 and amd64 architectures. With the patch
  all the Common Criteria testcases pass for hwclock. Before this patch,
  the functional part of the testcase passed, but the check for the
  triggered audit records would fail.
  
  [REGRESSION POTENTIAL]
  The regression potential for this should be small. This change does not
  take away from any current functionality. It just adds the ability to
  generate an audit entry when system hardware clock is altered.

** Attachment added: "debdiff of version 3.3 and 3.4~joyppa2"
   https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+attachment/4966026/+files/debdiff.out
[Touch-packages] [Bug 1722313] [NEW] [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.
Public bug reported: [IMPACT] There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled. Only the hwclock and the login commands within util-linux package use this --with-audit config option to enable auditing. However, it appears the login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change. The change would enable (1) call to audit_open to create a netlink socket descritor. (2) generate an audit entry when system hardware clock altered. The entry will be logged into the /var/log/audit/audit.log IF auditd is installed and running. [FIX] [TEST] This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail. [REGRESSION POTENTIAL] The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. ** Affects: util-linux (Ubuntu) Importance: Undecided Status: New ** Summary changed: - Add "--with-audit" config option so that the hwclock command creates audit records when it is used to alter the hardware clock. + [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered. 
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to util-linux in Ubuntu. https://bugs.launchpad.net/bugs/1722313
Title: [SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered.
Status in util-linux package in Ubuntu: New
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+subscriptions
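The audit record the report describes can be checked for directly in the log rather than only by re-running the Common Criteria suite. The scanner below is an added example, not code from util-linux or from the bug report. It assumes, from util-linux's hwclock.c rather than from anything stated in the report, that hwclock emits an AUDIT_USYS_CONFIG record (type=USYS_CONFIG in audit.log) whose message carries op=change-system-time and a res= outcome; the log lines it reads are constructed for the example and were not captured from a real system.

```c
/* Added example (not util-linux code): find hardware-clock changes in
 * audit.log records of the shape hwclock emits when built --with-audit.
 * ASSUMPTION: the record is type=USYS_CONFIG with op=change-system-time
 * in its msg field, and res=success|failed reports the outcome. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hwclock_event {
    int auid;      /* login uid of the caller, taken from the auid= field */
    int success;   /* 1 for res=success, 0 for res=failed */
};

/* Read an integer "key=NNN" field from a record; -1 if the key is absent. */
static int field_int(const char *rec, const char *key)
{
    const char *p = strstr(rec, key);
    return p ? atoi(p + strlen(key)) : -1;
}

/* Returns 1 and fills *ev if rec is a hardware-clock change record. */
int parse_hwclock_record(const char *rec, struct hwclock_event *ev)
{
    const char *res;

    if (!strstr(rec, "type=USYS_CONFIG")) return 0;
    if (!strstr(rec, "op=change-system-time")) return 0;
    ev->auid = field_int(rec, "auid=");
    res = strstr(rec, "res=");
    ev->success = res != NULL && strncmp(res + 4, "success", 7) == 0;
    return 1;
}

/* Number of hardware-clock change records (successful or not) in recs[]. */
int count_hwclock_changes(const char *const *recs, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        struct hwclock_event ev;
        if (parse_hwclock_record(recs[i], &ev)) count++;
    }
    return count;
}

/* auid that made the most recent successful change, or -1 if none. */
int last_successful_auid(const char *const *recs, size_t n)
{
    int auid = -1;
    for (size_t i = 0; i < n; i++) {
        struct hwclock_event ev;
        if (parse_hwclock_record(recs[i], &ev) && ev.success) auid = ev.auid;
    }
    return auid;
}

/* Constructed sample records: one unrelated PAM event, one successful
 * hwclock change by auid 1000, one SYSCALL record, one failed attempt
 * by auid 1001. Not captured from a real system. */
static const char *const sample_log[] = {
    "type=USER_START msg=audit(1507300000.101:201): pid=1201 uid=0 auid=1000 ses=3 "
        "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/bin/sudo\" res=success'",
    "type=USYS_CONFIG msg=audit(1507300012.431:202): pid=1210 uid=0 auid=1000 ses=3 "
        "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=? addr=? terminal=pts/0 res=success'",
    "type=SYSCALL msg=audit(1507300012.432:203): arch=c000003e syscall=165 success=yes exit=0",
    "type=USYS_CONFIG msg=audit(1507300040.007:204): pid=1230 uid=1001 auid=1001 ses=4 "
        "msg='op=change-system-time exe=\"/sbin/hwclock\" hostname=? addr=? terminal=pts/1 res=failed'",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

int main(void)
{
    printf("%d hwclock change record(s); last successful change by auid=%d\n",
           count_hwclock_changes(sample_log, SAMPLE_LOG_LEN),
           last_successful_auid(sample_log, SAMPLE_LOG_LEN));
    return 0;
}
```

A failed attempt is still counted as a change record because, for EAL2 purposes, the attempt is what must be auditable; only the "last successful" lookup filters on res=success.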
[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
I tested version 1.0.2g-1ubuntu4.3 with the death.c program from the upstream openssl bug ticket 4559 and confirmed this problem is now resolved.

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1594748
Title: CRYPTO_set_mem_functions() is broken
Status in OpenSSL: Unknown
Status in openssl package in Ubuntu: Fix Released
Status in openssl source package in Xenial: Fix Committed

Bug description:

Description: Ubuntu 16.04 LTS
Release: 16.04

openssl:
  Installed: 1.0.2g-1ubuntu4.1
  Candidate: 1.0.2g-1ubuntu4.1
  Version table:
 *** 1.0.2g-1ubuntu4.1 500
        500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4 500
        500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

CRYPTO_set_mem_functions() always returns 0 because library initialization already calls CRYPTO_malloc() and disables it:

#0  CRYPTO_malloc (num=num@entry=1168, file=file@entry=0x770ae02c "fips_drbg_lib.c", line=line@entry=106) at mem.c:329
#1  0x770596df in FIPS_drbg_new (type=type@entry=0, flags=flags@entry=0) at fips_drbg_lib.c:106
#2  0x7705aeb9 in FIPS_drbg_health_check (dctx=dctx@entry=0x7731c960) at fips_drbg_selftest.c:760
#3  0x770595f0 in FIPS_drbg_init (dctx=dctx@entry=0x7731c960, type=, flags=) at fips_drbg_lib.c:94
#4  0x76fe38f3 in RAND_init_fips () at rand_lib.c:287
#5  0x76f26f7a in OPENSSL_init_library () at o_init.c:119
#6  0x77de74ea in call_init (l=, argc=argc@entry=1, argv=argv@entry=0x7fffe5e8, env=env@entry=0x7fffe5f8) at dl-init.c:72
#7  0x77de75fb in call_init (env=0x7fffe5f8, argv=0x7fffe5e8, argc=1, l=) at dl-init.c:30
#8  _dl_init (main_map=main_map@entry=0x640380, argc=1, argv=0x7fffe5e8, env=0x7fffe5f8) at dl-init.c:120

This doesn't happen in upstream OpenSSL or in Debian's OpenSSL.
Looking at the patches, this is caused by FIPS_drbg_init() in openssl-1.0.2g-fips.patch:

+if (!(dctx->xflags & DRBG_FLAG_TEST)) { +if (!FIPS_drbg_health_check(dctx)) { +FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE); +return 0; +} +}

I don't want any FIPS mode enabled though, so does it really even need to call RAND_init_fips() then?

To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions
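Review bot: the added guard tests only DRBG_FLAG_TEST, not whether FIPS mode was actually requested, so FIPS_drbg_health_check() runs from the library constructor in every process that loads libcrypto, and the CRYPTO_malloc() it performs through FIPS_drbg_new() (frames #0 to #2 of the trace above) is what locks out CRYPTO_set_mem_functions() before main() ever runs. Either make the health check conditional on FIPS mode being enabled or defer it to FIPS_mode_set(), so that a non-FIPS process performs no allocation at load time; a self-test that can only report FIPS_R_SELFTEST_FAILURE has no reason to run when FIPS is off.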
[Touch-packages] [Bug 1588524] Re: FIPS_mode_set reports incorrect error message
I tested this on 1.0.2g-1ubuntu4.3 using the openssl_fips_test.c that was attached. And all worked as expected and I received the expected error message. Thus verifying this issue has been resolved in 1.0.2g-1ubuntu4.3.

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1588524
Title: FIPS_mode_set reports incorrect error message
Status in openssl package in Ubuntu: Fix Released

Bug description:

Hi! Some integration tests we run attempt to enable FIPS mode in OpenSSL, and assert that either our software continues to work, or that the error message emitted by OpenSSL is related to missing the FIPS module.

On Ubuntu 14.10, running FIPS_mode_set fails and produces an error like:

140225357260448:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:92:

On Ubuntu 16.04 running OpenSSL/libssl1.0.0 version 1.0.2g-1ubuntu4.1, FIPS_mode_set fails, but does not produce an error message. I have attached a C file which, when executed on both these platforms, will demonstrate this behavior.

I believe this may have been introduced by this ticket: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309

It provides a patch called openssl-1.0.2g-ubuntu-fips-cleanup.patch which includes this statement:

+@@ -443,6 +430,7 @@ int FIPS_module_mode_set(int onoff, const char *auth) + fips_selftest_fail = 0; + ret = 1; + end: ++ERR_clear_error(); /* clear above err msg; fips mode disabled for now */ + fips_clear_owning_thread(); + fips_w_unlock(); + return ret;

This appears to be clearing the error messages we're asserting on before returning from FIPS_module_mode_set.
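Review bot: `ERR_clear_error();` is placed after the `end:` label, so it runs on every exit path of FIPS_module_mode_set(), including the failure path, and discards the fips-mode-not-supported error that callers such as the attached test rely on; the comment "clear above err msg" suggests it was meant for the success path only. Move the call above `end:` next to `ret = 1;`, or drop it and let the function return 0 with the error still queued, and note in the changelog that callers can again observe CRYPTO_R_FIPS_MODE_NOT_SUPPORTED.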
For reference, here is our ticket where we are tracking this issue: https://jira.mongodb.org/browse/SERVER-24350

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1588524/+subscriptions
[Touch-packages] [Bug 1613658] Re: OPENSSL_init_library () crash in conjunction with faketime
I forgot to add, we will file a bug with Debian to pick up this commit.

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1613658
Title: OPENSSL_init_library () crash in conjunction with faketime
Status in openssl package in Ubuntu: New

Bug description:

Programs that use the openssl library will crash when they are run in "faketime" (the tool that sets the system date to a certain faked time/date).

Impact: this bug makes it impossible to do deterministic builds of applications using for example cmake and faketime. Also, according to https://github.com/wolfcw/libfaketime/issues/93 this is not a bug of libfaketime or cmake. This bug comes from the openssl library.

Reproduce example:

$ REFERENCE_DATETIME="2016-08-05 00:00:00"
$ export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
$ export FAKETIME=$REFERENCE_DATETIME
$ cmake .
--> Segmentation fault (core dumped)
## Even with empty CMakeLists.txt file

($gdb cmake .) output:
(gdb) run
Starting program: /usr/bin/cmake
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x in ?? ()
(gdb) bt
#0  0x in ?? ()
#1  0x77bd16d2 in time () from /usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
#2  0x749c1f79 in RAND_poll () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#3  0x749c0bd5 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#4  0x749c1603 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#5  0x74a37288 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#6  0x74a37914 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#7  0x749c1993 in RAND_init_fips () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#8  0x74904f7a in OPENSSL_init_library () from /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
#9  0x77de74ea in call_init (l=, argc=argc@entry=1, argv=argv@entry=0x7fffec08, env=env@entry=0x7fffec18) at dl-init.c:72
#10 0x77de75fb in call_init (env=0x7fffec18, argv=0x7fffec08, argc=1, l=) at dl-init.c:30
#11 _dl_init (main_map=0x77ffe168, argc=1, argv=0x7fffec08, env=0x7fffec18) at dl-init.c:120
#12 0x77dd7cfa in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
#13 0x0001 in ?? ()
#14 0x7fffee15 in ?? ()
#15 0x in ?? ()

ubuntu release:
$ lsb_release -a ; uname -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
Codename:       xenial
Linux gitian 4.2.0-42-generic #49-Ubuntu SMP Tue Jun 28 21:26:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

openssl version:
$ apt-cache policy openssl
openssl:
  Installed: 1.0.2g-1ubuntu4.1
  Candidate: 1.0.2g-1ubuntu4.1
  Version table:
 *** 1.0.2g-1ubuntu4.1 500
        500 http://10.0.3.2:3142/security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        500 http://10.0.3.2:3142/archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4 500
        500 http://10.0.3.2:3142/archive.ubuntu.com/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1613658/+subscriptions
[Touch-packages] [Bug 1613658] Re: OPENSSL_init_library () crash in conjunction with faketime
Marcelo and I took a look at this... o_init.c in openssl has the following constructor, introduced for fips:

void __attribute__ ((constructor)) OPENSSL_init_library(void)

OPENSSL_init_library(), when OPENSSL_FIPS is defined, calls RAND_init_fips() which eventually calls RAND_poll() which calls time(NULL). This can get called before libfaketime has initialized. Thus the core dump.

We noticed the following commit in libfaketime that takes care of the constructor situation, https://github.com/wolfcw/libfaketime/commit/0bde083556e243e87bddaaf94e68f2ef85dad769

This commit will allow libfaketime to call its init routine if it has not yet been called. This commit is not in the current version of libfaketime in xenial. I compiled libfaketime from github and tried my testcase and it worked. I used the testcase that was referenced above at https://github.com/wolfcw/libfaketime/issues/93

So we need the above commit for libfaketime.

** Bug watch added: github.com/wolfcw/libfaketime/issues #93
   https://github.com/wolfcw/libfaketime/issues/93

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1613658
Title: OPENSSL_init_library () crash in conjunction with faketime
Status in openssl package in Ubuntu: New

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1613658/+subscriptions
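The ordering the comment above describes, and the guard the referenced libfaketime commit introduces, can be reproduced in one file. This is an added example, not libfaketime's or OpenSSL's code: constructor priorities stand in for link order (the "library" constructor runs first, as libcrypto's OPENSSL_init_library did in the backtrace), a plain function pointer stands in for dlsym(RTLD_NEXT, "time"), faked_time() stands in for the interposed time(), and the frozen value is the report's REFERENCE_DATETIME. The names interposer_init, lazy_init_count and value_seen_by_library_ctor are this example's own.

```c
/* Added example (not libfaketime or OpenSSL code): an LD_PRELOAD-style
 * time() interposer must survive being called from another library's
 * constructor before its own constructor has run. Without the guard in
 * faked_time(), real_time is still NULL at that point and the call lands
 * at address 0, which is the "#0 0x in ?? ()" frame in the report. */
#include <stddef.h>
#include <stdio.h>
#include <time.h>

#define FAKE_EPOCH 1470355200L   /* 2016-08-05 00:00:00 UTC, the REFERENCE_DATETIME */

static time_t (*real_time)(time_t *) = NULL;  /* NULL until initialized */
static int initialized = 0;
static int lazy_inits = 0;                    /* times the guard had to initialize on demand */

/* Idempotent init. In libfaketime this is where dlsym(RTLD_NEXT, "time")
 * and FAKETIME parsing happen; here the real clock is libc's time(). */
static void interposer_init(void)
{
    if (initialized) return;
    real_time = time;   /* ASSUMPTION: stand-in for dlsym(RTLD_NEXT, "time") */
    initialized = 1;
}

/* Priority 102 runs AFTER the priority-101 library constructor below,
 * modelling libfaketime's constructor running after libcrypto's. */
static void __attribute__((constructor(102))) interposer_ctor(void)
{
    interposer_init();
}

/* The interposed time(). The guard is the fix: whoever calls first, even
 * another constructor, triggers initialization instead of a NULL call. */
time_t faked_time(time_t *out)
{
    time_t t;

    if (!initialized) {
        lazy_inits++;
        interposer_init();
    }
    (void)real_time(NULL);   /* the real clock is still consulted; NULL here would crash */
    t = FAKE_EPOCH;          /* absolute FAKETIME value: clock reported as frozen */
    if (out) *out = t;
    return t;
}

static time_t early_value;

/* Priority 101 runs BEFORE interposer_ctor: this is OPENSSL_init_library ->
 * RAND_init_fips -> RAND_poll -> time(NULL) from the backtrace. */
static void __attribute__((constructor(101))) library_ctor(void)
{
    early_value = faked_time(NULL);
}

time_t value_seen_by_library_ctor(void) { return early_value; }
int lazy_init_count(void) { return lazy_inits; }

int main(void)
{
    printf("library constructor saw %ld (lazy inits: %d)\n",
           (long)value_seen_by_library_ctor(), lazy_init_count());
    printf("main sees %ld (lazy inits still: %d)\n",
           (long)faked_time(NULL), lazy_init_count());
    return 0;
}
```

Removing the `if (!initialized)` block in faked_time() and rebuilding reproduces the crash: library_ctor() then calls through a NULL real_time before interposer_ctor() has run, which is the failure mode the xenial libfaketime had.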
[Touch-packages] [Bug 1614210] [NEW] Remove incomplete fips in openssl in xenial.
Public bug reported:

Package: openssl-1.0.2g-1ubuntu4.1
Distro: xenial

The openssl contains incomplete fips patches. In light that the fips is incomplete and will not be completed in the main archive and they are impacting customers, they should be withdrawn. See lp bugs 1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips patches will remove these fips-related issues.

[Test case]

1. Problem in 1594748

Note: this problem was reported in upstream openssl and a testcase posted there also. https://rt.openssl.org/Ticket/Display.html?id=4559

CRYPTO_set_mem_functions() always returns 0 because library initialization within fips code already calls CRYPTO_malloc() and disables it. This testcase should cause openssl to abort, but instead it returns a context.

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/ssl.h>

    /* Allocator hooks that abort: if they are ever installed, the first
     * allocation kills the process, which is the expected outcome. */
    void *my_alloc(size_t n) { abort(); }
    void my_free(void *p) { abort(); }
    void *my_realloc(void *p, size_t n) { abort(); }

    int main(int argc, const char **argv)
    {
        const SSL_METHOD *method;
        SSL_CTX *ctx;

        /* On the affected build this returns 0 because a CRYPTO_malloc()
         * already happened in the library constructor. */
        CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
        SSL_library_init();
        method = SSLv23_client_method();
        ctx = SSL_CTX_new(method);
        printf("Got ctx %p\n", ctx);
        return 0;
    }

2. Problem in 1593953

EC key generation allows the user to generate keys using EC curves that the EC sign and verify do not support when OPENSSL_FIPS is defined. Testcase taken from lp #1593953:

    openssl ecparam -genkey -name Oakley-EC2N-4

will fail when OPENSSL_FIPS is defined since it causes a fips key-pair consistency check to be done. Otherwise, without OPENSSL_FIPS defined, the check is not done.

3. Problem reported in 1588524

Error code being skipped... Testcase taken from lp #1588524:

    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    int main(void)
    {
        int rc;
        unsigned long fips_err;

        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();
        OpenSSL_add_all_algorithms();

        rc = FIPS_mode_set(1);
        fips_err = ERR_peek_last_error();
        // FIPS_mode_set will return 0 on failure, which is expected if
        // the FIPS module is not compiled. In this case, we should then
        // be able to get the error code
        // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
        // https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
        printf("%d %lu\n", rc, fips_err);
        ERR_print_errors_fp(stdout);
        ERR_free_strings();
        return 0;
    }

Should report an error message.

[Regression potential]

Removing the fips patches should decrease the regression potential of openssl in the main archive.

** Affects: openssl (Ubuntu)
   Importance: Undecided
   Status: New
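A model of the first test case above, added here as an example and not taken from OpenSSL or from the bug report: it reproduces the CRYPTO_set_mem_functions() rule that hooks can only be installed before the first allocation, puts that first allocation in a library constructor the way OPENSSL_init_library() does via RAND_init_fips() and FIPS_drbg_health_check(), and shows the return-value check the test program above omits. The mem_* names, the struct and the counting hooks are this example's own; the 1168-byte request copies frame #0 of the backtrace.

```c
/* Added example (not OpenSSL code): why an allocation made from a library
 * constructor makes every later CRYPTO_set_mem_functions() call return 0,
 * and what a caller should do about the return value. */
#include <stdio.h>
#include <stdlib.h>

typedef void *(*malloc_fn)(size_t);
typedef void *(*realloc_fn)(void *, size_t);
typedef void  (*free_fn)(void *);

struct mem_state {
    int allow_customize;   /* cleared by the first allocation, as in OpenSSL's mem.c */
    malloc_fn  m;
    realloc_fn r;
    free_fn    f;
};
#define MEM_STATE_INIT { 1, malloc, realloc, free }

/* Mirrors CRYPTO_set_mem_functions(): succeeds only before the first allocation. */
int mem_set_functions(struct mem_state *s, malloc_fn m, realloc_fn r, free_fn f)
{
    if (!s->allow_customize) return 0;
    if (!m || !r || !f) return 0;
    s->m = m; s->r = r; s->f = f;
    return 1;
}

/* Mirrors CRYPTO_malloc(): the first call locks the hooks in place. */
void *mem_malloc(struct mem_state *s, size_t n)
{
    s->allow_customize = 0;
    return s->m(n);
}

void mem_free(struct mem_state *s, void *p) { s->f(p); }

/* Counting hooks play the role abort() plays in the report's test program. */
static int hooked_allocs = 0;
static void *counting_malloc(size_t n) { hooked_allocs++; return malloc(n); }
static void *counting_realloc(void *p, size_t n) { hooked_allocs++; return realloc(p, n); }
static void counting_free(void *p) { free(p); }

/* Stand-in for FIPS_drbg_health_check(): allocates once, same size as frame #0. */
static void library_selftest(struct mem_state *s)
{
    void *p = mem_malloc(s, 1168);
    mem_free(s, p);
}

/* The reported situation: the self-test runs from a constructor, i.e. before
 * main() and before the application can install its hooks. */
static struct mem_state global_state = MEM_STATE_INIT;
static void __attribute__((constructor)) library_ctor(void)
{
    library_selftest(&global_state);
}

/* What the test program above does from main(); returns 0 on the affected build. */
int set_hooks_from_main(void)
{
    return mem_set_functions(&global_state, counting_malloc, counting_realloc, counting_free);
}

/* The order the application expects: hooks first, then every allocation,
 * the library's self-test included, goes through them. Returns the number
 * of allocations the hooks saw, or -1 if installing them failed. */
int hooks_before_any_alloc(void)
{
    struct mem_state s = MEM_STATE_INIT;
    hooked_allocs = 0;
    if (!mem_set_functions(&s, counting_malloc, counting_realloc, counting_free))
        return -1;   /* never carry on silently: the hooks are not in place */
    library_selftest(&s);
    return hooked_allocs;
}

int main(void)
{
    printf("set_mem_functions from main after constructor alloc -> %d\n", set_hooks_from_main());
    printf("set_mem_functions before any alloc -> %d hooked allocation(s)\n", hooks_before_any_alloc());
    return 0;
}
```

The practical consequence for callers on 1.0.2g-1ubuntu4.1 is the `return -1` branch: a program that installs custom allocators (for zeroisation, quotas or fault injection) must treat a 0 from CRYPTO_set_mem_functions() as fatal, because OpenSSL will otherwise keep using the default allocator without any further indication.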
[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Investigating.

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1594748
Title: CRYPTO_set_mem_functions() is broken
Status in OpenSSL: Unknown
Status in openssl package in Ubuntu: Confirmed

To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions
[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Waiting to see upstream commit/fix for this since this is an issue in the upstream openssl code when OPENSSL_FIPS is defined.

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1594748
Title: CRYPTO_set_mem_functions() is broken
Status in OpenSSL: Unknown
Status in openssl package in Ubuntu: New

To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions
[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Just as a note, the fips mode is not enabled in 1.0.2g-1ubuntu4.1. But OPENSSL_FIPS is defined and its code is compiled in. Thus in OPENSSL_init_library(), the RAND_init_fips() call is included.

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1594748
Title: CRYPTO_set_mem_functions() is broken
Status in OpenSSL: Unknown
Status in openssl package in Ubuntu: New

To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions
[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
** Also affects: openssl via
   http://rt.openssl.org/Ticket/Display.html?id=4559
   Importance: Unknown
   Status: Unknown

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1594748
Title: CRYPTO_set_mem_functions() is broken
Status in OpenSSL: Unknown
Status in openssl package in Ubuntu: New

To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1594748/+subscriptions
[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Ok, this is also "broken" or an issue in upstream openssl 1.0.2 when OPENSSL_FIPS is defined. See https://rt.openssl.org/Ticket/Display.html?id=4559#txn-68189 or http://rt.openssl.org/Ticket/Display.html?id=4559

** Bug watch added: OpenSSL RT #4559
   http://rt.openssl.org/Ticket/Display.html?id=4559

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

Status in openssl package in Ubuntu:
  New

Bug description:
  Description: Ubuntu 16.04 LTS
  Release: 16.04

  openssl:
    Installed: 1.0.2g-1ubuntu4.1
    Candidate: 1.0.2g-1ubuntu4.1
    Version table:
   *** 1.0.2g-1ubuntu4.1 500
          500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1.0.2g-1ubuntu4 500
          500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

  CRYPTO_set_mem_functions() always returns 0 because library initialization already calls CRYPTO_malloc() and disables it:

  #0  CRYPTO_malloc (num=num@entry=1168, file=file@entry=0x770ae02c "fips_drbg_lib.c", line=line@entry=106) at mem.c:329
  #1  0x770596df in FIPS_drbg_new (type=type@entry=0, flags=flags@entry=0) at fips_drbg_lib.c:106
  #2  0x7705aeb9 in FIPS_drbg_health_check (dctx=dctx@entry=0x7731c960) at fips_drbg_selftest.c:760
  #3  0x770595f0 in FIPS_drbg_init (dctx=dctx@entry=0x7731c960, type=, flags=) at fips_drbg_lib.c:94
  #4  0x76fe38f3 in RAND_init_fips () at rand_lib.c:287
  #5  0x76f26f7a in OPENSSL_init_library () at o_init.c:119
  #6  0x77de74ea in call_init (l=, argc=argc@entry=1, argv=argv@entry=0x7fffe5e8, env=env@entry=0x7fffe5f8) at dl-init.c:72
  #7  0x77de75fb in call_init (env=0x7fffe5f8, argv=0x7fffe5e8, argc=1, l=) at dl-init.c:30
  #8  _dl_init (main_map=main_map@entry=0x640380, argc=1, argv=0x7fffe5e8, env=0x7fffe5f8) at dl-init.c:120

  This doesn't happen in upstream OpenSSL or in Debian's OpenSSL. Looking at the patches, this is caused by FIPS_drbg_init() in openssl-1.0.2g-fips.patch:

  +if (!(dctx->xflags & DRBG_FLAG_TEST)) { +if (!FIPS_drbg_health_check(dctx)) { +FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE); +return 0; +} +}

  I don't want any FIPS mode enabled though, so does it really even need to call RAND_init_fips() then?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
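Review bot: the health check this hunk adds to FIPS_drbg_init() runs unconditionally at library load (the backtrace shows OPENSSL_init_library -> RAND_init_fips -> FIPS_drbg_init from the ELF constructor), and FIPS_drbg_health_check() allocates through CRYPTO_malloc(), so the allocator is already locked before any application code can call CRYPTO_set_mem_functions(), which is why that call now returns 0. Gate the DRBG self-check on FIPS mode actually being requested, or run it later than constructor time, so custom allocators keep working in the non-FIPS case.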
[Touch-packages] [Bug 1594748] Re: CRYPTO_set_mem_functions() is broken
Looking into this...
[Touch-packages] [Bug 1593953] Re: EC_KEY_generate_key() causes FIPS self-test failure
Looking into this...

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1593953

Title:
  EC_KEY_generate_key() causes FIPS self-test failure

Status in openssl package in Ubuntu:
  New

Bug description:
  EC_KEY_generate_key() internally calls fips_pkey_signature_test() which performs a pairwise check by ECDSA signing/verifying, but some groups don't support ECDSA. For example, `openssl ecparam -genkey -name Oakley-EC2N-4` fails.

  Unfortunately `openssl ecparam` doesn't give any useful information so I modified a bit:

  ~~~
  diff --git a/apps/ecparam.c b/apps/ecparam.c index 71b67f4..db89c2f 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c
  @@ -585,6 +585,7 @@ int MAIN(int argc, char **argv) if (!EC_KEY_generate_key(eckey)) { EC_KEY_free(eckey); +ERR_print_errors(bio_err); goto end; } if (outformat == FORMAT_ASN1)
  ~~~

  And I got:

  ~~~
  $ LD_LIBRARY_PATH=$(pwd)/target/lib ./target/bin/openssl ecparam -genkey -name Oakley-EC2N-4
  -----BEGIN EC PARAMETERS-----
  BgA=
  -----END EC PARAMETERS-----
  140614096975512:error:0306E06C:bignum routines:BN_mod_inverse:no inverse:bn_gcd.c:525:
  140614096975512:error:0306E06C:bignum routines:BN_mod_inverse:no inverse:bn_gcd.c:525:
  140614096975512:error:2A067003:lib(42):ECDSA_sign_setup:BN lib:ecs_ossl.c:206:
  140614096975512:error:2A06502A:lib(42):ECDSA_do_sign:reason(42):ecs_ossl.c:302:
  140614096975512:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:166:
  140614096975512:error:2D06A07F:FIPS routines:FIPS_CHECK_EC:pairwise test failed:ec_key.c:249:
  ~~~

  I'm using Ubuntu 16.04 and openssl 1.0.2g-1ubuntu4.1.

  This was originally reported at Ruby's issue tracker: https://bugs.ruby-lang.org/issues/12504

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1593953/+subscriptions
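Review bot: the ERR_print_errors(bio_err) added in the EC_KEY_generate_key() failure branch is fine for a local diagnostic, but it reports only this one failure path; since the branch ends in `goto end`, printing the queue once at the end label would cover every failing path of ecparam with the same single line, which is the form to use if this is meant to go further than a debugging patch.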
[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled
This is a FIPS 140-2 requirement. The FIPS_mode_set(1) in init_fips_mode() called from OPENSSL_init_library is to satisfy the FIPS 140-2, Section 4.9 requirement that power-up selftest be run when the module is powered-up. This must be done regardless of whether the module is to be run in FIPS mode or not. Reading /proc entry only indicates whether to run the module in FIPS mode.

Note: The FIPS code in openssl in Xenial is a work-in-progress and is not complete. All effort is made to optimize the power-up selftest as much as possible.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  New

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309 always run the FIPS self tests independent of FIPS being enabled (via /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf (beaglebone and raspberry pi 2&3) is significant (~ 700ms). On amd64 it is measurable but far less significant (~ 10ms). On a long running process this may be insignificant, but for command line tools this is problematic. I've seen performance differences with wget, dig, nslookup, and host. I am sure there are others. The specific numbers above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:

  static void init_fips_mode(void)
  {
      char buf[2] = "0";
      int fd;

      /* Ensure the selftests always run */
      FIPS_mode_set(1);

      /* For now, do not enforce fips mode via env var
      if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
          buf[0] = '1';
      } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
      */
      if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
          while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
          close(fd);
      }
      /* Failure reading the fips mode switch file means just not
       * switching into FIPS mode. We would break too many things
       * otherwise.. */
      if (buf[0] != '1') {
          /* drop down to non-FIPS mode if it is not requested */
          FIPS_mode_set(0);
      } else {
          /* abort if selftest failed */
          FIPS_selftest_check();
      }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled exists, and is 1. This still meets the original proposal as written in the 1553309 thread:

  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass

  To see the performance differences you can build and time the following program:

  #include <openssl/ssl.h>   /* declares OpenSSL_add_ssl_algorithms() */

  int main()
  {
      OpenSSL_add_ssl_algorithms();
  }

  To measure the system performance without FIPS I installed 1.0.2g-1ubuntu2 from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu2 on both armhf and amd64. I have also recompiled 1.0.2g-1ubuntu4.1 with the call to FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the following times:

  real 0m0.690s
  real 0m0.683s
  real 0m0.705s
  real 0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to FIPS_mode_set(1) commented out:

  real 0m0.010s
  real 0m0.010s
  real 0m0.009s
  real 0m0.012s
  real 0m0.010s

  The same system with 1.0.2g-1ubuntu2:

  real 0m0.010s
  real 0m0.009s
  real 0m0.009s
  real 0m0.011s
  real 0m0.012s

  Here is some information about my system:

  $ lsb_release -rd
  Description:    Ubuntu 16.04 LTS
  Release:        16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
    Installed: 1.0.2g-1ubuntu4.1
    Candidate: 1.0.2g-1ubuntu4.1
    Version table:
   *** 1.0.2g-1ubuntu4.1 500
          500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
          500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
          100 /var/lib/dpkg/status
       1.0.2g-1ubuntu4 500
          500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions
[Touch-packages] [Bug 1588524] Re: FIPS_mode_set reports incorrect error message
Will definitely remove clearing the error as we continue completing the code.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1588524

Title:
  FIPS_mode_set reports incorrect error message

Status in openssl package in Ubuntu:
  New

Bug description:
  Hi!

  Some integration tests we run attempt to enable FIPS mode in OpenSSL, and assert that either our software continues to work, or that the error message emitted by OpenSSL is related to missing the FIPS module.

  On Ubuntu 14.10, running FIPS_mode_set fails and produces an error like:

  140225357260448:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:92:

  On Ubuntu 16.04 running OpenSSL/libssl1.0.0 version 1.0.2g-1ubuntu4.1, FIPS_mode_set fails, but does not produce an error message.

  I have attached a C file which, when executed on both these platforms, will demonstrate this behavior.

  I believe this may have been introduced by this ticket: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309

  It provides a patch called openssl-1.0.2g-ubuntu-fips-cleanup.patch which includes this statement:

  +@@ -443,6 +430,7 @@ int FIPS_module_mode_set(int onoff, const char *auth) + fips_selftest_fail = 0; + ret = 1; + end: ++ERR_clear_error(); /* clear above err msg; fips mode disabled for now */ + fips_clear_owning_thread(); + fips_w_unlock(); + return ret;

  This appears to be clearing the error messages we're asserting on before returning from FIPS_module_mode_set.
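Review bot: the ERR_clear_error() inserted at the `end:` label runs on every return path of FIPS_module_mode_set(), the failure path included, so a caller now gets ret == 0 together with an empty error queue and cannot distinguish "fips mode not supported" from any other failure; that is exactly the behaviour change the reporter's test caught. If the intent is only to hide the message while the FIPS code is incomplete, clear the queue on the success path only (before `end:`), or leave the queue alone and document that the call currently always fails.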
  For reference, here is our ticket where we are tracking this issue: https://jira.mongodb.org/browse/SERVER-24350

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1588524/+subscriptions
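Added example, not code from either Launchpad thread or from OpenSSL itself: a decoder for the `thread:error:CODE:lib:func:reason:file:line:` lines that ERR_print_errors() emits, as in the ecparam output of bug 1593953 and the FIPS_mode_set line of bug 1588524. It unpacks the 8-digit code the way OpenSSL 1.0.x's ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON macros do (lib 8 bits, func 12, reason 12; the library numbers are from 1.0.2's err.h), so the library is recoverable even when the text only says lib(42), and it classifies a queue as a FIPS self-test failure, another error, or an empty queue (what 1588524 saw after ERR_clear_error()); the sample lines are the ones quoted in the two reports.

```python
# Added example (not from the Launchpad threads or from OpenSSL): decode and
# classify OpenSSL 1.0.x error-queue lines as printed by ERR_print_errors().
import re
from dataclasses import dataclass
from typing import List, Optional

# Library numbers from OpenSSL 1.0.2 crypto/err/err.h (the subset seen on this page).
ERR_LIB_NAMES = {3: "BN", 15: "CRYPTO", 16: "EC", 42: "ECDSA", 45: "FIPS"}
ERR_LIB_FIPS = 45


# OpenSSL 1.0.x packs a code as lib:8 | func:12 | reason:12 (ERR_PACK / ERR_GET_* in err.h).
def err_get_lib(code: int) -> int:
    return (code >> 24) & 0xFF


def err_get_func(code: int) -> int:
    return (code >> 12) & 0xFFF


def err_get_reason(code: int) -> int:
    return code & 0xFFF


# thread-id:error:CODE:lib text:func text:reason text:file:line:
LINE_RE = re.compile(
    r"^(?P<thread>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*)"
    r":(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)


@dataclass
class ErrEntry:
    thread: int
    code: int
    lib_text: str
    func_text: str
    reason_text: str
    file: str
    line: int

    @property
    def lib_name(self) -> str:
        # Derived from the numeric code, so it works even when the error strings
        # were never loaded and the printed text only says "lib(42)".
        lib = err_get_lib(self.code)
        return ERR_LIB_NAMES.get(lib, f"lib({lib})")


def parse_error_line(line: str) -> Optional[ErrEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ErrEntry(int(m["thread"]), int(m["code"], 16), m["lib"], m["func"],
                    m["reason"], m["file"], int(m["line"]))


def parse_error_stack(text: str) -> List[ErrEntry]:
    """ERR_print_errors() prints oldest entry first, so entries[0] is the root cause."""
    return [e for e in (parse_error_line(l) for l in text.splitlines()) if e]


def classify(entries: List[ErrEntry]) -> str:
    if not entries:
        return "no-error"        # what bug 1588524 observed after ERR_clear_error()
    if any(err_get_lib(e.code) == ERR_LIB_FIPS for e in entries):
        return "fips-selftest"   # the POST / pairwise test pushed an error
    return "other"


def root_cause(entries: List[ErrEntry]) -> str:
    if not entries:
        return ""
    e = entries[0]
    return f"{e.lib_name}:{e.func_text}:{e.reason_text}"


# Sample input: the queue bug 1593953 printed for `openssl ecparam -genkey -name Oakley-EC2N-4`.
ECPARAM_ERRORS = """\
140614096975512:error:0306E06C:bignum routines:BN_mod_inverse:no inverse:bn_gcd.c:525:
140614096975512:error:0306E06C:bignum routines:BN_mod_inverse:no inverse:bn_gcd.c:525:
140614096975512:error:2A067003:lib(42):ECDSA_sign_setup:BN lib:ecs_ossl.c:206:
140614096975512:error:2A06502A:lib(42):ECDSA_do_sign:reason(42):ecs_ossl.c:302:
140614096975512:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:166:
140614096975512:error:2D06A07F:FIPS routines:FIPS_CHECK_EC:pairwise test failed:ec_key.c:249:
"""
# Sample input: the single line bug 1588524 got from FIPS_mode_set() on Ubuntu 14.10.
MODE_SET_ERROR = ("140225357260448:error:0F06D065:common libcrypto routines:"
                  "FIPS_mode_set:fips mode not supported:o_fips.c:92:")

if __name__ == "__main__":
    stack = parse_error_stack(ECPARAM_ERRORS)
    print(classify(stack), "root cause:", root_cause(stack))
    for e in stack:
        print(f"{e.lib_name:6s} func={err_get_func(e.code):3d} "
              f"reason={err_get_reason(e.code):3d} {e.func_text}")
    print(classify(parse_error_stack(MODE_SET_ERROR)), classify(parse_error_stack("")))
```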
[Touch-packages] [Bug 1588524] Re: FIPS_mode_set reports incorrect error message
I purposely cleared this error message from the queue so that no one would be distracted or thwarted by the addition of the fips code while it is a work in progress and not complete. FIPS_module_mode_set() at this point will always fail and return an error code. But yes, I see in your test program that you also want to print the error message if you get an error code.
[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package
I have subscribed to openssl bug reports.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1553309

Title:
  [FFe]: Include FIPS 140-2 into openssl package

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  This is a request for a Feature Freeze Exception to include FIPS 140-2 selftest into the openssl package in preparation for the FIPS 140-2 compliance for 16.0.4.

  This patchset will :
  - add ability to config, compile, run with fips option enabled
  - add the selftest files to crypto/fips directory.
  - minor changes to several algorithms in crypto directory to ensure the selftest compile successfully when fips is enabled.

  The selftest will be initiated externally at this point and not internally.

  Hope to have a test package ready early next week.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+subscriptions
Re: [Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package
Hi Martin,

I have a newbie question, what else should I do for this feature freeze?

Thanks! :-)

regards,
Joy

On Fri, Apr 15, 2016 at 12:14 AM, Martin Pitt wrote:
> Thanks! There's still an awful amount of patch noise, but indeed some of
> it is unavoidable as you say. But this is incrementally better than
> before, thanks for the cleanup!
>
> I uploaded this now: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4
[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package
Also, ran same testing on latest ppa version (ppa7) and they all passed.
[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package
Hi Martin,

I also ran an interdiff when I re-factored to ensure alignment with original fedora patches. 2 or 3 of them did not apply cleanly, for various reasons, so I had to make very small changes. I also named each patch in debian/patches to be same as in fedora.

For interdiff of openssl-1.0.2g-fips.patch, for some reason "Configure" shows up in diff yet I did not make any changes to patch. Visually compared to make sure code is the same and no regression.

openssl-1.0.2a-fips-ec.patch, we do not ship a "version.map" file, so when applying patch it prompts for location of file... so I removed it. So will show up in diff.

openssl-1.0.2a-fips-ctor.patch failed to apply altogether, because it is looking for a line of code that contains "secure_getenv" and not "getenv". upstream has "getenv" for that line of code, but fedora must have other patches applied before this one that changes it to "secure_getenv". So I corrected and this will show up in interdiff.

Corrected Origin in all the patches from fedora.

Hope this is all ok.
[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package
Hi Martin, my ppa has a debdiff that is against my prior version. You may find this more useful than the ppa I just attached above. here is a pointer, https://launchpadlibrarian.net/253756858/openssl_1.0.2g-1ubuntu3~ppa6_1.0.2g-1ubuntu3~ppa7.diff.gz
[Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package
New debdiff with fixed Origin and cleaner fedora patches.

** Attachment added: "New debdiff against openssl-1.0.2g-1ubuntu2"
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309/+attachment/4636880/+files/debdiff-openssl_1.0.2g-1ubuntu3~ppa7
Re: [Touch-packages] [Bug 1553309] Re: [FFe]: Include FIPS 140-2 into openssl package
Ok, I will get to work on these changes now. I will keep the first 5 patches original to fedora. And then in my cleanup patch do the stuff to get rid of undefined symbols, etc... And that way I can point my Origin to the git.fedora.

Thanks!!

regards,
Joy

On Wed, Apr 13, 2016 at 3:32 PM, Martin Pitt <martin.p...@ubuntu.com> wrote:
> Joy Latten [2016-04-13 18:08 -]:
> > Started looking into those patch diffs...
> > for the openssl-1.0.2a-fips-ec.patch one, I had a bunch of undefined
> > symbols and so cleaned these up, causing my diff to be slightly off... my
> > bad.
>
> Ah, that makes sense.
>
> > Oh, and also, that patch installed "fips/cavs/fips_ecdhvs.c and
> > fips/cavs/fips_ecdsavs.c which are testcases I did not want to include. I
> > ignored them, but should have just removed them in my cleanup patch.
>
> Is that really necessary? Adding two .c files seems rather harmless if
> nothing refers to it, i. e. removing them from the Makefile only (in
> the ubuntu patch) should suffice?
>
> > Do you agree that I should move these things into my cleanup patch?
>
> That would be good indeed, as it avoids confusion for the next person
> who looks at this why the patches are different.
>
> Please also update the Origin:, preferably to the git.fedora ones as
> then they are one click away from comparing/for updating.
>
> Thank you!
>
> Martin
> --
> Martin Pitt                        | http://www.piware.de
> Ubuntu Developer (www.ubuntu.com)  | Debian Developer (www.debian.org)