Bug 1012481 - s_server -dtls1 crashes in FIPS mode
s_server -dtls1 crashes in FIPS mode
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssl (Show other bugs)
Unspecified Unspecified
unspecified Severity urgent
: rc
: ---
Assigned To: Tomas Mraz
Hubert Kario
: Regression, TestBlocker
Depends On:
  Show dependency treegraph
Reported: 2013-09-26 10:35 EDT by Hubert Kario
Modified: 2013-11-21 04:25 EST (History)
1 user (show)

See Also:
Fixed In Version: openssl-1.0.1e-15.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-11-21 04:25:50 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Hubert Kario 2013-09-26 10:35:01 EDT
Description of problem:
When running `openssl s_server -dtls1` in FIPS mode, the server crashes after accepting the first connection

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. openssl req -nodes -x509 -new -out server.pem -keyout server.key -days 365 -subj "/C=XX/ST=mystate/L=mytown/O=myorganisation/OU=myou/CN=myname/emailAddress=myemail/"
2. OPENSSL_FORCE_FIPS_MODE=1 openssl s_server -accept 4433 -dtls1 -cert server.pem -key server.key
3. openssl s_client -dtls1 -connect localhost:4433

Actual results:
Using default temp DH parameters
Using default temp ECDH parameters
Segmentation fault (core dumped)

Expected results:
Connection accepted, cipher negotiated, communication possible.

Additional info:
gdb stacktrace:

[root@rhel6-64 test]# OPENSSL_FORCE_FIPS_MODE=1 gdb --args openssl s_server -accept 4433 -dtls1 -cert server.pem -key server.key
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /usr/bin/openssl...Reading symbols from /usr/lib/debug/usr/bin/openssl.debug...done.
(gdb) run
Starting program: /usr/bin/openssl s_server -accept 4433 -dtls1 -cert server.pem -key server.key
[Thread debugging using libthread_db enabled]
Using default temp DH parameters
Using default temp ECDH parameters

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.107.el6.x86_64 keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-10.el6.x86_64 libcom_err-1.41.12-14.el6.x86_64 libselinux-2.0.94-5.3.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7dbe338 in dtls1_send_server_key_exchange (s=0x760aa0) at d1_srvr.c:1378
#2  0x00007ffff7dbf7f0 in dtls1_accept (s=0x760aa0) at d1_srvr.c:488
#3  0x0000000000439c06 in init_ssl_connection (con=0x760aa0) at s_server.c:2415
#4  0x000000000043a27c in sv_body (hostname=<value optimized out>, s=7, context=<value optimized out>) at s_server.c:2310
#5  0x000000000044cf9a in do_server (port=0x7fffffffe6b6 "4433", type=2, ret=0x67cf98, cb=0x43a0b0 <sv_body>, context=0x0)
    at s_socket.c:324
#6  0x0000000000438ec7 in s_server_main (argc=0, argv=0x7fffffffe430) at s_server.c:1901
#7  0x0000000000417018 in do_cmd (prog=0x698490, argc=8, argv=0x7fffffffe3f0) at openssl.c:489
#8  0x0000000000417a93 in main (Argc=8, Argv=0x7fffffffe3f0) at openssl.c:381
(gdb) quit
A debugging session is active.

        Inferior 1 [process 11826] will be killed.

Quit anyway? (y or n) y

This blocks QE from verifying that there is no regression for CVE-2012-2333-record-length-handling-integer-underflow. The problem itself is a regression from openssl-1.0.0-27.el6_4.2.x86_64
Comment 1 Tomas Mraz 2013-09-27 12:04:22 EDT
I did not hunt for acks on this one and just committed the fix as it is trivial.
Can we close this as duplicate of the rebase bug?
Comment 7 errata-xmlrpc 2013-11-21 04:25:50 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.