Looks like some of the changes requested have been made but there are a few more that are needed. Specifically:

* d/changelog needs to include the bug reference
* d/changelog shouldn't include an extraneous [ Eric Berry ] header -- that's only needed when someone else (mentioned in the footer) is making the change, or if multiple changes by different authors are included in the upload, which isn't the case here
* d/changelog needs a slightly different version number in questing: ...ubuntu3 as this is just "another" Ubuntu change and we're not trying to avoid collision with a version in a future series
* In d/p/fips-pbkdf2-fix-invalid-salt-length.patch there's no need to include a "Forwarded: not-needed" header. That usually indicates a change we've made that didn't come from upstream, and isn't being forwarded because upstream don't want it. In this case, the change comes directly from upstream (as noted by the Origin header) so we don't need a Forwarded header at all
* The questing branch needs to be rebased onto the current questing-devel (2.4.1-5ubuntu1 merged recently from Debian) -- I've checked and it appears the FIPS changes were committed after 2.4.1 was released so the changes are still required there

Given that I think these are the only changes remaining, and that they're fairly trivial, rather than go back and forth on this (given it's been several months already), I'm going to make these changes myself and sponsor for the questing. If that builds successfully (and I've still got time this shift), I'll tackle the plucky, noble, and jammy branches.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2107773

Title:
  [SRU] Enabling FIPS causes SALT to be 8 bytes, but OpenSSL 3.0.2 checks if SALT is < 16 bytes, breaking Dovecot and possibly other packages.
Status in dovecot package in Ubuntu: New
Status in openssl package in Ubuntu: Invalid
Status in dovecot source package in Focal: Won't Fix
Status in openssl source package in Focal: Won't Fix
Status in dovecot source package in Jammy: New
Status in openssl source package in Jammy: Invalid
Status in dovecot source package in Noble: New
Status in openssl source package in Noble: Invalid
Status in dovecot source package in Oracular: Won't Fix
Status in openssl source package in Oracular: Won't Fix
Status in dovecot source package in Plucky: New
Status in openssl source package in Plucky: Invalid
Status in dovecot source package in Questing: New
Status in openssl source package in Questing: Invalid

Bug description:

[ Impact ]

* When one enables FIPS mode on a Jammy system and then attempts to use Dovecot to create an encrypted mailbox, the module returns an invalid salt length error.
* FIPS mode requires a 16 byte salt for PBKDF2 and Dovecot is only requesting 8 bytes of salt. The solution is to modify Dovecot to request 16 bytes of salt.

[ Test Plan ]

Test 1
------

* Install Dovecot on the system
  - sudo apt install dovecot-auth-lua dovecot-core dovecot-gssapi dovecot-imapd dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pgsql dovecot-pop3d dovecot-sieve dovecot-solr dovecot-sqlite dovecot-submissiond
* Enable mailbox encryption.
  - Add /etc/dovecot/conf.d/mail-crypt.conf to enable mailbox encryption:

    mail_location = mbox:~/mail:INBOX=/var/mail/%u
    listen = *
    mbox_write_locks = fcntl
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        special_use = \Drafts
      }
      mailbox Junk {
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      driver = pam
    }
    userdb {
      driver = passwd
    }
    mail_plugins = $mail_plugins mail_crypt
    plugin {
      mail_crypt_curve = secp521r1
      mail_crypt_save_version=2
    }
    mail_attribute_dict = file:%h/Maildir/dovecot-attributes
    imap_metadata = yes

* Add a test user to the system:
  - sudo useradd -m -s /bin/bash -p <password> <username>
* Issue the following command to create an encrypted mailbox:
  - sudo doveadm -o plugin/mail_crypt_private_password=e32f1f174d7576716d5df899e7d5cb6b64cdb33584c71882e9f7e1f79f2e695e mailbox cryptokey generate -u <username>
* Verify that no error occurs.
* Enable FIPS on a Jammy system.
  - sudo pro attach <token>
  - sudo pro enable fips-updates
  - sudo reboot
  (To test FIPS on a Noble system)
  - sudo add-apt-repository ppa:fips-cc-stig/fips-under-certification
  - sudo apt install -y ubuntu-fips openssh-server=1:9.6p1-3ubuntu13+Fips1~rc0 \
      openssh-client=1:9.6p1-3ubuntu13+Fips1~rc0 \
      openssh-sftp-server=1:9.6p1-3ubuntu13+Fips1~rc0 \
      --allow-downgrades --yes
* Reboot
* Delete the mailbox
  - rm -rf ~/mail
* Issue the following command to create an encrypted mailbox:
  - sudo doveadm -o plugin/mail_crypt_private_password=e32f1f174d7576716d5df899e7d5cb6b64cdb33584c71882e9f7e1f79f2e695e mailbox cryptokey generate -u <username>
* Verify that an error occurs.
* Update Dovecot to the fixed version.
* Repeat the commands to delete the mailbox and to create an encrypted mailbox.
* After installing the fix, verify that no error occurs.

Test 2
------

* Set up dovecot on jammy without fips as before.
* Also install postfix and mailutils
  - sudo apt install postfix mailutils
  - Set up postfix as a local server
* Send mail to the user on the same host:
  - echo "This is a test" | mail -s "TEST" <username>@<hostname>
* Connect to the imaps mailbox from another system and verify messages can be read:
  - openssl s_client --connect <hostname>:993
  - a login <username> <password>
  - b select inbox
  - c fetch 1:* all
* Verify that message can be viewed.
* Update dovecot to the fixed version and verify that the message can still be downloaded
* Upgrade to fips

[ Where problems could occur ]

* The increased salt size of 16 bytes could potentially cause issues in allocated data structures, but unit tests don't seem to have a problem.
* The patch is recent and has not been distributed in an upstream release.

[ Other Info ]

This is really only needed on systems where FIPS is supported, i.e. Jammy and Noble and 26.04, but patches have been provided for oracular, plucky, and questing.

--------------

We deployed Ubuntu Server 22.04 FIPS on Azure as it is now a FIPS Certified release. See https://ubuntu.com/blog/fips-140-3-for-ubuntu-22-04lts

~# lsb_release -rd
Description:    Ubuntu 22.04.5 LTS
Release:        22.04

After installing Ubuntu Server 22.04 FIPS, we then deployed Dovecot modules as shown here:

--------------
# apt search dovecot | grep "install"

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

dovecot-core/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-imapd/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-lmtpd/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-managesieved/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-mysql/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-pop3d/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-sieve/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]

~# apt-cache policy dovecot-core
dovecot-core:
  Installed: 1:2.3.16+dfsg1-3ubuntu2.4
  Candidate: 1:2.3.16+dfsg1-3ubuntu2.4
  Version table:
 *** 1:2.3.16+dfsg1-3ubuntu2.4 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://azure.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.3.16+dfsg1-3ubuntu2 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
-------------

We attempted to add a mailbox with encryption:

-------------
sudo -u vmail doveadm -o plugin/mail_crypt_private_password=e32f1f174d7576716d5df899e7d5cb6b64cdb33584c71882e9f7e1f79f2e695e mailbox cryptokey generate -u u...@domain.com
doveadm(u...@domain.com): Error: mail_crypt_user_generate_keypair(u...@domain.com) failed: error:1C800070:Provider routines::invalid salt length
doveadm(u...@domain.com): Warning: mailbox cryptokey generate: Nothing was matched. Use -U or specify mask?
Folder Public ID
x ERROR: error:1C800070:Provider routines::invalid salt length
Segmentation fault
-------------

After researching the error, I found a single note in the OpenSSL bug tracker referencing the error. https://github.com/openssl/openssl/issues/24962

The suggested options are not available as they defeat the purpose of being FIPS compliant and certified.

As a result, Dovecot is completely broken on 22.04 FIPS if using encrypted mailboxes. (At least in our testing)

Expected behavior:
The SALT length should match what the required check is, which is 16 bytes. Dovecot should utilize an appropriate version to produce encryption keys using the required SALT length.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2107773/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
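The following is an added example and not code from the bug report, from Dovecot or from OpenSSL. It shows two things a defender would want from the report above: a parser that pulls OpenSSL 3 error strings (the `error:<hex code>:<library>:<function>:<reason>` form seen in the doveadm output) out of log lines so the "invalid salt length" failure can be spotted on hosts that enabled FIPS before the Dovecot fix landed, and a PBKDF2 derivation that applies the 16-byte salt floor the report describes before calling the KDF, so an 8-byte salt is rejected the way the FIPS provider rejects it. The log lines, password and salts are constructed samples; the assumption that the FIPS provider refuses salts under 16 bytes while the default provider accepts them is taken from the report, not from the provider's source.

```python
"""Triage helper for the FIPS "invalid salt length" failure (added example).

Assumptions (not from the bug report's code): OpenSSL 3 error strings are
formatted as error:<hex code>:<library>:<function>:<reason>, and the FIPS
provider refuses PBKDF2 salts shorter than 16 bytes while the default
provider accepts any length.  All sample data below is constructed.
"""
import hashlib
import re
from dataclasses import dataclass

FIPS_MIN_SALT_BYTES = 16  # 128-bit floor enforced in FIPS mode (per the report)

# OpenSSL 3 error string: error:<hex code>:<library>:<function>:<reason>
# Each field may be empty (the function field is empty in the report's output).
_OSSL_ERR = re.compile(r"error:([0-9A-Fa-f]+):([^:\n]*):([^:\n]*):([^:\n]*)")


@dataclass(frozen=True)
class OpenSSLError:
    code: str
    library: str
    function: str
    reason: str


def parse_openssl_errors(line: str) -> list[OpenSSLError]:
    """Return every OpenSSL error string embedded in one log line."""
    return [OpenSSLError(code.upper(), lib, fn, reason.strip())
            for code, lib, fn, reason in _OSSL_ERR.findall(line)]


def is_fips_salt_failure(line: str) -> bool:
    """True when the line carries the provider's salt-length rejection."""
    return any(err.reason == "invalid salt length"
               for err in parse_openssl_errors(line))


def triage(lines: list[str]) -> list[int]:
    """Indexes of log lines that indicate the FIPS salt-length failure."""
    return [i for i, line in enumerate(lines) if is_fips_salt_failure(line)]


def derive_key(password: bytes, salt: bytes, *, fips_mode: bool,
               iterations: int = 100_000, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 with the FIPS salt floor checked up front.

    Outside FIPS mode any salt length is accepted, which is why the 8-byte
    salt only started failing once the FIPS provider was enabled.
    """
    if fips_mode and len(salt) < FIPS_MIN_SALT_BYTES:
        raise ValueError(
            f"invalid salt length: {len(salt)} bytes < {FIPS_MIN_SALT_BYTES}")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, length)


# Constructed sample lines modelled on the doveadm output in the report.
SAMPLE_LOG = [
    "doveadm(user@example.test): Error: mail_crypt_user_generate_keypair"
    "(user@example.test) failed: error:1C800070:Provider routines::invalid salt length",
    "doveadm(user@example.test): Warning: mailbox cryptokey generate: "
    "Nothing was matched. Use -U or specify mask?",
    "dovecot: imap-login: Login: user=<user@example.test>, method=PLAIN, rip=192.0.2.10",
]


if __name__ == "__main__":
    print("lines showing the FIPS salt failure:", triage(SAMPLE_LOG))
    for salt_len in (8, 16):  # old Dovecot request vs. the fixed size
        try:
            derive_key(b"sample-password", b"\x00" * salt_len,
                       fips_mode=True, iterations=1)
            print(f"{salt_len}-byte salt: accepted in FIPS mode")
        except ValueError as exc:
            print(f"{salt_len}-byte salt: {exc}")
```

Run it against real doveadm or syslog output by replacing `SAMPLE_LOG` with the captured lines; a non-empty result from `triage` on a host that has FIPS enabled is the signal that the unpatched Dovecot is still installed there.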