** Description changed:

- FIPS 140-2 does not permit MD5 except when used for pseudorandom
- function (PRF). When openvpn requests MD5 operation to FIPS-mode-openssl,
- since it is not allowed in general, fips-mode-openssl goes into
- an error state.
+ [IMPACT]
+ openvpn when establishing a tls connection will segfault when used with Ubuntu's FIPS 140-2 libcrypto.so (openssl).

- openvpn needs to set a specific fips-mode-openssl flag to indicate it is
- using MD5 for PRF, thereby fips-mode-openssl will grant the request
- instead of entering an error state. In non-fips-openssl the flag has no
- meaning.
+ openvpn tls connection does TLS PRF (pseudorandom function) to produce securely generated pseudo random output that is used to generate keys.
+ MD5 is used as the hash in this computation.
+
+ FIPS 140-2 does not permit MD5 use except when used for pseudorandom
+ function (PRF). When openvpn requests MD5 operation to FIPS-mode
+ libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so
+ goes into an error state.
+
+ openvpn needs to set and pass a flag that FIPS-mode libcrypto.so
+ recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode
+ libcrypto.so will grant the request instead of entering an error state.
+ In non-FIPS libcrypto.so the flag has no meaning.
+
+ [TEST]
+ Testing comprised establishing a tls connection between an openvpn client and server. Once the connection was successfully established, a ping through the established vpn tunnel was done from the client for assurance.
+
+ Because this flag has no meaning in non-FIPS libcrypto.so, nothing changes for openvpn behaviour in disco. Interoperability testing was done to ensure no regression. Test data reflects testing was done between openvpn server and client with and without the patch and between various releases (xenial, bionic, and disco).
+
+ Test Data will be attached below.
+
+ Note: a test was also done with a FIPS-enabled system to ensure
+ everything worked and no regression.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807439

Title:
  openvpn crashes when run with fips openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1807439/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
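The TLS PRF the description refers to, written out as an added example (pure Python, not OpenVPN's or OpenSSL's code): the TLS 1.0/1.1 PRF from RFC 2246, which XORs an HMAC-MD5 expansion with an HMAC-SHA1 expansion, so the MD5 call is exactly the operation a FIPS-mode libcrypto refuses unless the caller marks it as PRF use. The master secret, randoms and the "demo key expansion" label are constructed values, not OpenVPN's real ones.

```python
import hmac


def p_hash(digest_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: expand `secret` to `length` bytes with
    HMAC-<digest>. A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest_name).digest()
        out += hmac.new(secret, a + seed, digest_name).digest()
    return out[:length]


def tls1_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).
    S1 and S2 are the halves of `secret`; for an odd length they share one byte."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    label_seed = label + seed
    # This HMAC-MD5 expansion is the MD5 use that FIPS 140-2 allows only as
    # part of a PRF; without the PRF flag a FIPS-mode libcrypto rejects it.
    md5_stream = p_hash("md5", s1, label_seed, length)
    sha1_stream = p_hash("sha1", s2, label_seed, length)
    return bytes(m ^ s for m, s in zip(md5_stream, sha1_stream))


def expand_keys(master_secret, client_random, server_random, total_bytes):
    """Key-expansion step in the shape the description refers to. The label and
    the even split of the output are constructed for this demo, not OpenVPN's."""
    block = tls1_prf(master_secret, b"demo key expansion",
                     server_random + client_random, total_bytes)
    return block[:total_bytes // 2], block[total_bytes // 2:]  # (client key, server key)


if __name__ == "__main__":
    # Constructed inputs: a fixed 48-byte "master secret" and two 32-byte randoms.
    ms = bytes(range(48))
    c_rand, s_rand = b"\x01" * 32, b"\x02" * 32
    ck, sk = expand_keys(ms, c_rand, s_rand, 64)
    print("client key:", ck.hex())
    print("server key:", sk.hex())
```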
