[Bug 1588524] Re: FIPS_mode_set reports incorrect error message
Chris J Arges
1588524 at bugs.launchpad.net
Wed Aug 24 14:02:06 UTC 2016
Hello Spencer, or anyone else affected,
Accepted openssl into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.3
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed. Your feedback will aid us in getting this update
out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Tags added: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1588524
Title:
FIPS_mode_set reports incorrect error message
Status in openssl package in Ubuntu:
Fix Released
Bug description:
Hi! Some integration tests we run attempt to enable FIPS mode in
OpenSSL, and assert that either our software continues to work, or
that the error message emitted by OpenSSL is related to missing the
FIPS module.
On Ubuntu 14.10, running FIPS_mode_set fails and produces an error like:
140225357260448:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:o_fips.c:92:
On Ubuntu 16.04 running OpenSSL/libssl1.0.0 version 1.0.2g-1ubuntu4.1,
FIPS_mode_set fails, but does not produce an error message.
I have attached a C file which, when executed on both these platforms,
will demonstrate this behavior.
I believe this may have been introduced by this ticket: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
It provides a patch called openssl-1.0.2g-ubuntu-fips-cleanup.patch which includes this statement:
+@@ -443,6 +430,7 @@ int FIPS_module_mode_set(int onoff, const char *auth)
+ fips_selftest_fail = 0;
+ ret = 1;
+ end:
++ ERR_clear_error(); /* clear above err msg; fips mode disabled for now */
+ fips_clear_owning_thread();
+ fips_w_unlock();
+ return ret;
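Review bot: The ERR_clear_error() call sits directly after the end: label, so it runs on every path that reaches the label, including any that jump there without passing through "ret = 1". A caller that sees FIPS_module_mode_set fail then finds an empty error queue and cannot tell why. ERR_clear_error() also empties the whole thread error queue, not only the entry the comment refers to as the "above err msg". Suggest leaving the queue untouched when ret is not 1, or dropping only the specific entry meant to be hidden, and expanding the comment to name which error is being discarded and why.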
This appears to be clearing the error messages we're asserting on
before returning from FIPS_module_mode_set.
For reference, here is our ticket where we are tracking this issue:
https://jira.mongodb.org/browse/SERVER-24350
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1588524/+subscriptions