It seems 2 things are happening to generate this issue:

1. fips-openssl in bionic has md5 and md5_sha1 in the fips digest list with the explicit purpose of accommodating PRF use only in fips mode. But you must pass the flag EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to successfully use them.

2. ntpq does not check return codes from EVP_ calls. It has:

       ctx = EVP_MD_CTX_new();
       EVP_DigestInit(ctx, EVP_get_digestbyname(name));
       EVP_DigestFinal(ctx, digest, &digest_len);
       EVP_MD_CTX_free(ctx);
       if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
           return;

   EVP_DigestInit() would have returned 0 in this case, indicating a failure.

Possible fixes:

1. In the fips-libcrypto library, remove md5 from the fips digest list and keep md5_sha1 for PRF and mark as fips-allowed. Can still use md5 with the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag, but it's just not in the fips digest list. Note: this fix can be put in the fips-update ppa for availability. But it may be a while before it is re-certified.

2. ntpq should check its return codes and do the appropriate thing on error.

--
https://bugs.launchpad.net/bugs/1884265

Title:
  [fips] Not fully initialized digest segfaulting some client applications