Public bug reported:

Description:    Ubuntu 16.04 LTS
Release:        16.04

openssl:
  Installed: 1.0.2g-1ubuntu4.1
  Candidate: 1.0.2g-1ubuntu4.1
  Version table:
 *** 1.0.2g-1ubuntu4.1 500
        500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4 500
        500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

CRYPTO_set_mem_functions() always returns 0 because library
initialization already calls CRYPTO_malloc() and disables it:

#0  CRYPTO_malloc (num=num@entry=1168, file=file@entry=0x7ffff70ae02c "fips_drbg_lib.c",
    line=line@entry=106) at mem.c:329
#1  0x00007ffff70596df in FIPS_drbg_new (type=type@entry=0, flags=flags@entry=0)
    at fips_drbg_lib.c:106
#2  0x00007ffff705aeb9 in FIPS_drbg_health_check (
    dctx=dctx@entry=0x7ffff731c960 <ossl_dctx>) at fips_drbg_selftest.c:760
#3  0x00007ffff70595f0 in FIPS_drbg_init (dctx=dctx@entry=0x7ffff731c960 <ossl_dctx>,
    type=<optimized out>, flags=<optimized out>) at fips_drbg_lib.c:94
#4  0x00007ffff6fe38f3 in RAND_init_fips () at rand_lib.c:287
#5  0x00007ffff6f26f7a in OPENSSL_init_library () at o_init.c:119
#6  0x00007ffff7de74ea in call_init (l=<optimized out>, argc=argc@entry=1,
    argv=argv@entry=0x7fffffffe5e8, env=env@entry=0x7fffffffe5f8) at dl-init.c:72
#7  0x00007ffff7de75fb in call_init (env=0x7fffffffe5f8, argv=0x7fffffffe5e8, argc=1,
    l=<optimized out>) at dl-init.c:30
#8  _dl_init (main_map=main_map@entry=0x640380, argc=1, argv=0x7fffffffe5e8,
    env=0x7fffffffe5f8) at dl-init.c:120

This doesn't happen in upstream OpenSSL or in Debian's OpenSSL. Looking
at the patches, this is caused by FIPS_drbg_init() in
openssl-1.0.2g-fips.patch:

+    if (!(dctx->xflags & DRBG_FLAG_TEST)) {
+        if (!FIPS_drbg_health_check(dctx)) {
+            FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
+            return 0;
+        }
+    }
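
Review bot: the health check in this block is gated only on DRBG_FLAG_TEST, so it runs on every FIPS_drbg_init() call whether or not FIPS mode is enabled, and per the backtrace above it reaches FIPS_drbg_new() and CRYPTO_malloc() from OPENSSL_init_library() at load time. Consider also gating it on FIPS mode being active, or deferring it until the DRBG is first used, so that an application can still call CRYPTO_set_mem_functions() before the library's first allocation.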

I don't want any FIPS mode enabled though, so does it really even need
to call RAND_init_fips() then?

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1594748

Title:
  CRYPTO_set_mem_functions() is broken

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
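
The latch behind the report above, as an added example that is not part of the original bug report and is not OpenSSL's own code: a simplified, self-contained C model of "the first allocation freezes the allocator hooks", with an init-time self-test that allocates before the application runs. All model_* names, app_install_allocator(), zeroing_malloc() and the two-hook signature are assumptions made for illustration; 1168 is the allocation size shown in the backtrace.

```c
/* Simplified model of an allocator-hook latch; does not link against libcrypto.
 * Every identifier here is hypothetical and chosen for illustration. */
#include <stdio.h>
#include <stdlib.h>

typedef void *(*malloc_fn)(size_t);
typedef void (*free_fn)(void *);

static int allow_customize = 1;          /* cleared by the first allocation */
static malloc_fn cur_malloc = malloc;
static free_fn cur_free = free;

static void *model_malloc(size_t n) {
    allow_customize = 0;                 /* latch: hooks are frozen from here on */
    return cur_malloc(n);
}

/* Returns 1 on success, 0 once any allocation has already happened. */
static int model_set_mem_functions(malloc_fn m, free_fn f) {
    if (!allow_customize || m == NULL || f == NULL)
        return 0;
    cur_malloc = m;
    cur_free = f;
    return 1;
}

/* Stand-in for load-time library init; with_selftest models a DRBG
 * health check that allocates a context before main() is reached. */
static void model_library_init(int with_selftest) {
    if (with_selftest) {
        void *dctx = model_malloc(1168); /* size taken from the backtrace */
        cur_free(dctx);
    }
}

/* Application-side hook: zero-fills every allocation. */
static void *zeroing_malloc(size_t n) { return calloc(1, n); }

/* What the application observes when it tries to install its allocator. */
static int app_install_allocator(int lib_selftest_at_init) {
    allow_customize = 1; cur_malloc = malloc; cur_free = free; /* fresh process */
    model_library_init(lib_selftest_at_init);
    return model_set_mem_functions(zeroing_malloc, free);
}

int main(void) {
    printf("no init-time allocation: %d\n", app_install_allocator(0));
    printf("init-time self-test:     %d\n", app_install_allocator(1));
    return 0;
}
```

An application that relies on its own allocator for handling key material should treat a 0 return as a startup failure rather than continuing on the default allocator.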
