Merge ~j-latten/ubuntu/+source/openvpn:bionic-openvpn-fips-crash-1807439 into ubuntu/+source/openvpn:ubuntu/bionic-devel
Status: | Merged | ||||
---|---|---|---|---|---|
Approved by: | Andreas Hasenack | ||||
Approved revision: | 04437b0b94d21ebe2b84eb6bcb7eb7409f879612 | ||||
Merged at revision: | 04437b0b94d21ebe2b84eb6bcb7eb7409f879612 | ||||
Proposed branch: | ~j-latten/ubuntu/+source/openvpn:bionic-openvpn-fips-crash-1807439 | ||||
Merge into: | ubuntu/+source/openvpn:ubuntu/bionic-devel | ||||
Diff against target: |
132 lines (+110/-0) 3 files modified
debian/changelog (+7/-0) debian/patches/openvpn-fips-2.4.patch (+102/-0) debian/patches/series (+1/-0) |
||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Approve | ||
Review via email: mp+361635@code.launchpad.net |
Description of the change
openvpn when estabishing a tls connection will segfault when used with Ubuntu's FIPS 140-2 libcrypto.so (openssl).
openvpn tls connection does TLS PRF(pseudorandom function) to produce securely generated pseudo random output that is used to generate keys.
MD5 is used as the hash in this computation.
FIPS 140-2 does not permit MD5 use except when used for pseudorandom function (PRF). When openvpn requests MD5 operation to FIPS-mode libcrypto.so, since it is not allowed in general, FIPS-mode libcrypto.so goes into an error state.
openvpn needs to set and pass a flag-value that FIPS-mode libcrypto.so checks and indicates it is using MD5 for PRF, thereby FIPS-mode libcrypto.so will grant the request instead of entering an error state. In non-FIPS libcrypto.so this particular check does not occur, so nothing should change.
This is the same patch already applied in disco, and reviewed by the security team.
Sponsoring.