Since it is not possible to enable FIPS in Questing, I'm marking it as invalid/not affected by the bug.
** Description changed:

+ [ Impact ]
+
+  * Current implementation of OpenSC for interacting with smartcards under
+  FIPS mode fails with a SEGFAULT when trying to use it (e.g. with
+  pkcs11-tool).
+
+  * This is caused by the fact that when OpenSC tries to retrieve
+  a hashing implementation from OpenSSL a NULL pointer is returned
+  and OpenSC uses it without checking.
+
+  * The actual issue is that the null pointer is returned due to OpenSSL
+  context misconfiguration not being aware it is run in FIPS mode
+  and returns NULL pointers for any hashing algorithm.
+
+ [ Test Plan ]
+
+  1. Set up an Ubuntu system with a release that supports FIPS mode (e.g. 24.04).
+  2. Attach an Ubuntu Pro license and enable fips-updates:
+       sudo pro attach
+       sudo pro enable fips-updates
+  3. Reboot.
+  4. Connect a smartcard (a YubiKey works for testing purposes).
+  5. Run:
+       pkcs11-tool -L
+
+  Expected result:
+  Correct information is displayed, e.g.
+    # pkcs11-tool -L
+    Available slots:
+    Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
+      token label        : ubuntu
+      (...)
+
+  Actual result:
+  pkcs11-tool terminates due to a SEGFAULT.
+
+ [ Where problems could occur ]
+
+  * In FIPS mode the "fips" OpenSSL provider will be used by default.
+
+  * If there were an intention to use a different one (which
+  shouldn't be the case) it may not be possible to do so with the fix in
+  place.
+
+  * If the original issue has been addressed by any other means (e.g.
+  openssl configuration change) the behavior may change to the one
+  hardcoded in the fix.
+
+ [ Other Info ]
+ Original bug description:

release: ubuntu 24.04 noble
opensc package version:
  0.25.0~rc1-1ubuntu0.1~esm1 510
  0.25.0~rc1-1build2
both versions are affected.
openssl version: 3.0.13-0ubuntu3+Fips1
SRU backport from upstream issue: https://github.com/OpenSC/OpenSC/issues/3495

On Ubuntu 24.04 with FIPS enabled, openssl is segfaulting when using the pkcs11-tool -L command to list slots.
user1@ubuntu:~$ sudo pkcs11-tool -L
Segmentation fault

On an Ubuntu VM (LXD or QEMU) with FIPS enabled:
  sudo pro attach <token uuid>
  sudo pro enable fips-updates
- sudo apt-get install opensc
+ sudo apt-get install opensc
Reboot the VM; after logging in again, run the command sudo pkcs11-tool -L and we see the error Segmentation fault.

Expected Output:
  Available slots:
  /usr/bin/pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
  Slot 0 (0x0): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
-   token label        : John Doe
-   token manufacturer : Common Access Card
-   token model        : PKCS#15 emulated
-   token flags        : login required, PIN pad present, rng, token initialized, PIN initialized
-   hardware version   : 0.0
-   firmware version   : 0.0
-   serial num         : 000058bd002c19b5
-   pin min/max        : 4/8
+   token label        : John Doe
+   token manufacturer : Common Access Card
+   token model        : PKCS#15 emulated
+   token flags        : login required, PIN pad present, rng, token initialized, PIN initialized
+   hardware version   : 0.0
+   firmware version   : 0.0
+   serial num         : 000058bd002c19b5
+   pin min/max        : 4/8

** Changed in: opensc (Ubuntu Questing)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127205

Title:
  pkcs11-tool is sending null sha-1 digest to Openssl on FIPS enabled ubuntu 24.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/opensc/+bug/2127205/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
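The SRU test plan in the description above, as an added check script that is not part of the bug report, of Ubuntu's SRU tooling or of OpenSC. It verifies the two preconditions the bug depends on (kernel FIPS flag set, OpenSSL "fips" provider active), then runs pkcs11-tool -L and tells a SIGSEGV (exit status 139) apart from an ordinary failure such as no card being attached. The function names, the "--run" flag and the sample outputs embedded for offline use are this example's own assumptions, modelled on the shapes of openssl list -providers and pkcs11-tool -L output.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSC): a check script for the
# SRU test plan. The parsing functions take text arguments so they can be
# exercised offline against the constructed samples below; "--run" performs
# the live checks on a FIPS-enabled host with a smartcard attached.

# Succeeds if the kernel FIPS flag (contents of /proc/sys/crypto/fips_enabled)
# is exactly "1".
kernel_fips_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Succeeds if `openssl list -providers` output (passed as $1) shows a provider
# named "fips" whose status is active. OpenSSL 3 prints provider names at two
# spaces of indent and their attributes at four.
fips_provider_active() {
    printf '%s\n' "$1" | awk '
        /^  [A-Za-z]/                       { prov = $1 }
        prov == "fips" && /status: active/  { found = 1 }
        END                                 { exit found ? 0 : 1 }'
}

# Prints the number of "Slot N (0x..): ..." lines in `pkcs11-tool -L` output
# (0 when there are none, without failing under set -e).
slot_count() {
    printf '%s\n' "$1" | grep -c '^Slot [0-9][0-9]* (0x' || true
}

# Maps a shell exit status to a word: 139 is 128 + SIGSEGV(11), i.e. the crash
# this bug is about; any other non-zero status is an ordinary failure.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   echo "failed($1)" ;;
    esac
}

run_live_checks() {
    flag=""
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        flag=$(cat /proc/sys/crypto/fips_enabled)
    fi
    kernel_fips_enabled "$flag" || { echo "kernel is not in FIPS mode (flag='$flag')"; return 1; }
    fips_provider_active "$(openssl list -providers 2>&1)" \
        || { echo "OpenSSL fips provider is not active"; return 1; }

    status=0
    out=$(pkcs11-tool -L 2>&1) || status=$?
    case "$(classify_status "$status")" in
        ok)
            n=$(slot_count "$out")
            echo "pkcs11-tool -L listed $n slot(s)"
            [ "$n" -ge 1 ] || { echo "no slots listed: is a smartcard attached?"; return 1; }
            ;;
        segfault)
            echo "pkcs11-tool -L died with SIGSEGV (the crash this bug reports)"
            return 1
            ;;
        *)
            echo "pkcs11-tool -L failed (status $status):"
            echo "$out"
            return 1
            ;;
    esac
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_FIPS_PROVIDERS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.13
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.13
    status: active'

SAMPLE_DEFAULT_PROVIDER='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.13
    status: active'

SAMPLE_PKCS11_OK='Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
  token label        : ubuntu
  (...)'

if [ "${1:-}" = "--run" ]; then
    run_live_checks
fi
```

Run it as `sh check-fips-pkcs11.sh --run` on the rebooted fips-updates system from step 3 of the test plan; an exit status of 1 with the "died with SIGSEGV" message reproduces the bug, while a listed slot count of at least 1 is the expected post-fix result. Without "--run" the script only defines the functions, so it can be sourced and the parsers exercised on captured output.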
