Public bug reported:
We deployed Ubuntu Server 22.04 FIPS on Azure as it is now a FIPS
Certified release. See
https://ubuntu.com/blog/fips-140-3-for-ubuntu-22-04lts
~# lsb_release -rd
Description: Ubuntu 22.04.5 LTS
Release: 22.04
After installing Ubuntu Server 22.04 FIPS, we then deployed Dovecot modules as
shown here:
--------------
# apt search dovecot | grep "install"
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
dovecot-core/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-imapd/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-lmtpd/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-managesieved/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-mysql/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-pop3d/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
dovecot-sieve/jammy-updates,jammy-security,now 1:2.3.16+dfsg1-3ubuntu2.4 amd64 [installed]
~# apt-cache policy dovecot-core
dovecot-core:
  Installed: 1:2.3.16+dfsg1-3ubuntu2.4
  Candidate: 1:2.3.16+dfsg1-3ubuntu2.4
  Version table:
 *** 1:2.3.16+dfsg1-3ubuntu2.4 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://azure.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.3.16+dfsg1-3ubuntu2 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
-------------
We attempted to add a mailbox with encryption:
-------------
sudo -u vmail doveadm -o plugin/mail_crypt_private_password=e32f1f174d7576716d5df899e7d5cb6b64cdb33584c71882e9f7e1f79f2e695e mailbox cryptokey generate -u [email protected]
doveadm([email protected]): Error: mail_crypt_user_generate_keypair([email protected]) failed: error:1C800070:Provider routines::invalid salt length
doveadm([email protected]): Warning: mailbox cryptokey generate: Nothing was matched. Use -U or specify mask?
Folder Public ID
x ERROR: error:1C800070:Provider routines::invalid salt length
Segmentation fault
-------------
After researching the error, I found a single note in the OpenSSL bug tracker
referencing the error.
https://github.com/openssl/openssl/issues/24962
The suggested options are not available as they defeat the purpose of being
FIPS compliant and certified.
As a result, Dovecot is completely broken on 22.04 FIPS if using encrypted
mailboxes. (At least in our testing)
Expected behavior:
The SALT length should match what the required check is, which is 16
bytes. Dovecot should utilize an appropriate version to produce
encryption keys using the required SALT length.
** Affects: openssl (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/2107773
Title:
Enabling FIPS causes SALT to be 8 bytes, but OpenSSL 3.0.2 checks if
SALT is < 16 bytes, breaking Dovecot and possibly other packages.
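
The check behind the reported error, modelled in Python as an added example (not part of the bug report, and not Dovecot's or OpenSSL's code): the three lower bounds are the ones the OpenSSL EVP_KDF-PBKDF2 documentation lists for its SP 800-132 compliance checks, which the FIPS provider always applies. The function names, the 2048 iterations and the 32-byte key length are assumptions chosen for illustration; only the 8-byte and 16-byte salt sizes come from the report.

```python
import hashlib
import os

# Lower bounds OpenSSL 3.x applies when its SP 800-132 checks are on (always on in
# the FIPS provider), per the EVP_KDF-PBKDF2 documentation.
MIN_SALT_BYTES = 16   # salt of at least 128 bits
MIN_ITERATIONS = 1000
MIN_KEY_BYTES = 14    # derived key of at least 112 bits


def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the Linux kernel reports FIPS mode (the file reads '1')."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def sp800_132_violations(salt, iterations, key_len):
    """List the checks these PBKDF2 parameters fail; an empty list means accepted."""
    problems = []
    if len(salt) < MIN_SALT_BYTES:
        problems.append(f"invalid salt length: {len(salt)} < {MIN_SALT_BYTES} bytes")
    if iterations < MIN_ITERATIONS:
        problems.append(f"invalid iteration count: {iterations} < {MIN_ITERATIONS}")
    if key_len < MIN_KEY_BYTES:
        problems.append(f"key size too small: {key_len} < {MIN_KEY_BYTES} bytes")
    return problems


def derive_key(password, salt, iterations, key_len, fips_checks=None):
    """PBKDF2-HMAC-SHA256; refuses non-compliant parameters when checks are active."""
    if fips_checks is None:
        fips_checks = kernel_fips_enabled()
    problems = sp800_132_violations(salt, iterations, key_len) if fips_checks else []
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


if __name__ == "__main__":
    password = b"constructed-sample-password"  # constructed, not from the report
    for salt in (bytes(8), os.urandom(16)):     # 8 bytes as in the bug title, then 16
        try:
            key = derive_key(password, salt, 2048, 32, fips_checks=True)
            print(f"{len(salt)}-byte salt: accepted, {len(key)}-byte key derived")
        except ValueError as exc:
            print(f"{len(salt)}-byte salt: rejected ({exc})")
```

Leaving `fips_checks` unset makes the same call succeed on a non-FIPS host and fail on a FIPS host, which is the behaviour difference the report describes.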