** Description changed:

  [ Impact ]

-  * Current implementation of OpenSC for interacting with smartcards under
-  FIPS mode fails with a SEGFAULT when trying to use it (e.g. with
-  pkcs11-tool).
+  * Current implementation of OpenSC for interacting with smartcards under
+    FIPS mode fails with a SEGFAULT when trying to use it (e.g. with
+    pkcs11-tool).
-  * This is caused by the fact that when OpenSC tries to retrieve
-  a hashing implementation from OpenSSL a NULL pointer is returned
-  and OpenSC uses it without checking.
+  * This is caused by the fact that when OpenSC tries to retrieve
+    a hashing implementation from OpenSSL a NULL pointer is returned
+    and OpenSC uses it without checking.
-  * The actual issue is that the null pointer is returned due to OpenSSL
-  context misconfiguration not being aware it is run in FIPS mode
-  and returns NULL-pointers for any hashing algorithm.
+  * The actual issue is that the null pointer is returned due to OpenSSL
+    context misconfiguration not being aware it is run in FIPS mode
+    and returns NULL-pointers for any hashing algorithm.

  [ Test Plan ]

-  1. Set up an Ubuntu system with a release that supports FIPS mode (e.g. 24.04).
-  2. Attach Ubuntu Pro license and enable fips-updates:
-  sudo pro attach
-  sudo pro enable fips-updates
-  3. Reboot.
-  4. Connect a smartcard (a YubiKey works for the testing purposes).
-  5. Run:
-  pkcs11-tool -L
+  1. Set up an Ubuntu system with a release that supports FIPS mode (e.g. 24.04).
+  2. Attach Ubuntu Pro license and enable fips-updates:
+     sudo pro attach
+     sudo pro enable fips-updates
+  3. Reboot.
+  4. Connect a smartcard (a YubiKey works for the testing purposes).
+  5. Run:
+     pkcs11-tool -L

  Expected result:
  Correct information is displayed. E.g.
  # pkcs11-tool -L
  Available slots:
  Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
-  token label : ubuntu
+    token label        : ubuntu
  (...)

  Actual result:
  pkcs11-tool terminates due to a SEGFAULT.
  [ Where problems could occur ]

-  * In FIPS mode by default the "fips" OpenSSL provider will be used by
+  * In FIPS mode by default the "fips" OpenSSL provider will be used by
     default.
-  * If there would be an intention to use a different one (which
+  * If there would be an intention to use a different one (which
     shouldn't be the case) it may not be possible to do so with the fix
     in place.
-  * If the original issue has been addressed by any other means (e.g.
+  * If the original issue has been addressed by any other means (e.g.
     openssl configuration change) the behavior may change to the
     hardcoded in the fix.

  [ Other Info ]

  Original bug description

  release: ubuntu 24.04 noble
  opensc package version:
  0.25.0~rc1-1ubuntu0.1~esm1 510
  0.25.0~rc1-1build2
  both versions are affected.
  openssl version: 3.0.13-0ubuntu3+Fips1

  Sru backport from upstream issue:
  https://github.com/OpenSC/OpenSC/issues/3495

  On Ubuntu24.04 with FIPS enabled, openssl is segfaulting when using the
  pkcs11-tool -L command to list slots.

  user1@ubuntu:~$ sudo pkcs11-tool -L
  Segmentation fault

  On Ubuntu vm (lxd or qemu) with fips enabled.
  sudo pro attach <token uuid>
  sudo pro enable fips-updates
  sudo apt-get install opensc
  Reboot vm after logging in again, run the command
  sudo pkcs11-tool -L
  and we see the error Segmentation fault.

  Expected Output
  Available slots:
  /usr/bin/pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
  Slot 0 (0x0): Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface...
    token label        : John Doe
    token manufacturer : Common Access Card
    token model        : PKCS#15 emulated
    token flags        : login required, PIN pad present, rng, token initialized, PIN initialized
    hardware version   : 0.0
    firmware version   : 0.0
    serial num         : 000058bd002c19b5
    pin min/max        : 4/8
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2127205

Title:
  pkcs11-tool is sending null sha-1 digest to Openssl on FIPS enabled ubuntu 24.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/opensc/+bug/2127205/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
