Hello Joy, or anyone else affected, Accepted openssl into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.0.2g- 1ubuntu4.3 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: openssl (Ubuntu Xenial) Status: In Progress => Fix Committed ** Tags added: verification-needed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu. https://bugs.launchpad.net/bugs/1614210 Title: Remove incomplete fips in openssl in xenial. Status in openssl package in Ubuntu: Fix Released Status in openssl source package in Xenial: Fix Committed Status in openssl source package in Yakkety: Fix Released Bug description: Package: openssl-1.0.2g-1ubuntu4.1 Distro: xenial The openssl contains incomplete fips patches. In light that the fips is incomplete and will not be completed in the main archive and they are impacting customers, they should be withdrawn. See lp bugs 1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips patches will remove these fips-related issues. [Test case] 1. Problem in 1594748 Note: this problem was reported in upstream openssl and testcase posted there also. https://rt.openssl.org/Ticket/Display.html?id=4559 CRYPTO_set_mem_functions() always returns 0 because library initialization within fips code already calls CRYPTO_malloc() and disables it. This testcase should cause openssl to abort, but instead it returns a context. #include <stdio.h> #include <stdlib.h> #include <openssl/ssl.h> void * my_alloc(size_t n) { abort(); } void my_free(void *p) { abort(); } void * my_realloc(void *p, size_t n) { abort(); } int main(int argc, const char **argv) { const SSL_METHOD *method; SSL_CTX *ctx; CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free); SSL_library_init(); method = SSLv23_client_method(); ctx = SSL_CTX_new(method); printf("Got ctx %p\n", ctx); return 0; } 2. Problem in 1593953 EC key generation allows user to generate keys using EC curves that the EC sign and verify do not support when OPENSSL_FIPS is defined. Testcase taken from lp #1593953 openssl ecparam -genkey -name Oakley-EC2N-4 will fail when OPENSSL_FIPS is defined since it causes a fips key-pair consistency check to be done. Otherwise, without OPENSSL_FIPS defined, the check is not done. 3. Problem reported in 1588524 Error code being skipped... Testcase taken from lp #1588524 #include <openssl/err.h> #include <openssl/ssl.h> int main() { int rc; unsigned long fips_err; SSL_library_init(); SSL_load_error_strings(); ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); rc = FIPS_mode_set(1); fips_err = ERR_peek_last_error(); // FIPS_mode_set will return 0 on failure, which is expected if // the FIPS module is not compiled. In this case, we should then // be able to get the error code // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065) // https://wiki.openssl.org/index.php/FIPS_mode_set%28%29 printf("%d %lu\n", rc, fips_err); ERR_print_errors_fp(stdout); ERR_free_strings(); return 0; } Should report an error message. [ Regression potential ] Removing the fips patches should decrease regression potential of openssl in the main archive. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1614210/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
