Merge ~j-latten/ubuntu/+source/openvpn:disco-openvpn-fips-crash-1807439 into ubuntu/+source/openvpn:ubuntu/devel
Status: | Merged | ||||
---|---|---|---|---|---|
Approved by: | Andreas Hasenack | ||||
Approved revision: | b2baff9479374293e4f6a4e138d15da60137dec7 | ||||
Merged at revision: | b2baff9479374293e4f6a4e138d15da60137dec7 | ||||
Proposed branch: | ~j-latten/ubuntu/+source/openvpn:disco-openvpn-fips-crash-1807439 | ||||
Merge into: | ubuntu/+source/openvpn:ubuntu/devel | ||||
Diff against target: |
132 lines (+110/-0) 3 files modified
debian/changelog (+7/-0) debian/patches/openvpn-fips-2.4.patch (+102/-0) debian/patches/series (+1/-0) |
||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Approve | ||
Seth Arnold (community) | Approve | ||
Canonical Server | Pending | ||
Review via email: mp+361583@code.launchpad.net |
Description of the change
LP #1807439
openvpn when establishing a tls connection will segfault when used with Ubuntu's FIPS 140-2 libcrypto.so (openssl).
openvpn tls connection does TLS PRF(pseudorandom function) to produce securely generated pseudo random output that is used to generate keys.
MD5 is used as the hash in this computation.
FIPS 140-2 does not permit MD5 use except when used for pseudorandom function (PRF). When openvpn requests MD5 operation to FIPS-mode libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so goes into an error state.
openvpn needs to set and pass a flag that FIPS-mode libcrypto.so recognizes and that indicates it is using MD5 for PRF, thereby FIPS-mode libcrypto.so will grant the request instead of entering an error state. In non-FIPS libcrypto.so the flag has no meaning.
Thanks for this! First pass, comments inline.