Merge ~j-latten/ubuntu/+source/openvpn:xenial-openvpn-fips-crash-1807439 into ubuntu/+source/openvpn:ubuntu/xenial-devel
Status: | Merged | ||||
---|---|---|---|---|---|
Approved by: | Andreas Hasenack | ||||
Approved revision: | 8c4584bd5ceeb65241566e00049c7be88166646f | ||||
Merged at revision: | 8c4584bd5ceeb65241566e00049c7be88166646f | ||||
Proposed branch: | ~j-latten/ubuntu/+source/openvpn:xenial-openvpn-fips-crash-1807439 | ||||
Merge into: | ubuntu/+source/openvpn:ubuntu/xenial-devel | ||||
Diff against target: |
373 lines (+351/-0) 3 files modified
debian/changelog (+7/-0) debian/patches/openvpn-fips140-2.3.2.patch (+343/-0) debian/patches/series (+1/-0) |
||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Approve | ||
Seth Arnold (community) | Approve | ||
Review via email: mp+361638@code.launchpad.net |
Description of the change
openvpn segfaults when linked with fips-mode openssl because of MD5 algo.
openvpn version 2.3.x uses MD5 for (1). hashing its internal state and (2) tls connection TLS PRF(pseudorandom function).
FIPS 140-2 does not permit MD5 except for PRF. fips mode openssl checks a flag value to permit this.
Upstream, openvpn 2.4.x internal hash algo was changed to SHA256, thus fixing (1) in 2.4.x. Thus this fix for version 2.3.x changes algo to SHA256.
For (2), openvpn needs to set a context flag-value that FIPS-mode libcrypto.so checks to indicate permit MD5. FIPS-mode libcrypto.so will grant the request instead of entering an error state. In non-FIPS libcrypto.so this check does not exist since it always permits MD5. However, the particular flag value is defined in both fips and non-fips openssl code.
Note: Upstream has not fixed (2).
Looks good to me, thanks.