1012481 – s_server -dtls1 crashes in FIPS mode

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1012481 - s_server -dtls1 crashes in FIPS mode

Summary: s_server -dtls1 crashes in FIPS mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	openssl
Sub Component:
Version:	6.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	Hubert Kario
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-26 14:35 UTC by Hubert Kario
Modified:	2013-11-21 09:25 UTC (History)
CC List:	1 user (show)
Fixed In Version:	openssl-1.0.1e-15.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-11-21 09:25:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1585	0	normal	SHIPPED_LIVE	openssl bug fix and enhancement update	2013-11-20 21:39:39 UTC

Description Hubert Kario 2013-09-26 14:35:01 UTC

Description of problem:
When running `openssl s_server -dtls1` in FIPS mode, the server crashes after accepting the first connection

Version-Release number of selected component (if applicable):
openssl-1.0.1e-13.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. openssl req -nodes -x509 -new -out server.pem -keyout server.key -days 365 -subj "/C=XX/ST=mystate/L=mytown/O=myorganisation/OU=myou/CN=myname/emailAddress=myemail/"
2. OPENSSL_FORCE_FIPS_MODE=1 openssl s_server -accept 4433 -dtls1 -cert server.pem -key server.key
3. openssl s_client -dtls1 -connect localhost:4433

Actual results:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
Segmentation fault (core dumped)

Expected results:
Connection accepted, cipher negotiated, communication possible.

Additional info:
gdb stacktrace:

[root@rhel6-64 test]# OPENSSL_FORCE_FIPS_MODE=1 gdb --args openssl s_server -accept 4433 -dtls1 -cert server.pem -key server.key
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/openssl...Reading symbols from /usr/lib/debug/usr/bin/openssl.debug...done.
done.
(gdb) run
Starting program: /usr/bin/openssl s_server -accept 4433 -dtls1 -cert server.pem -key server.key
[Thread debugging using libthread_db enabled]
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.107.el6.x86_64 keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-10.el6.x86_64 libcom_err-1.41.12-14.el6.x86_64 libselinux-2.0.94-5.3.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7dbe338 in dtls1_send_server_key_exchange (s=0x760aa0) at d1_srvr.c:1378
#2  0x00007ffff7dbf7f0 in dtls1_accept (s=0x760aa0) at d1_srvr.c:488
#3  0x0000000000439c06 in init_ssl_connection (con=0x760aa0) at s_server.c:2415
#4  0x000000000043a27c in sv_body (hostname=<value optimized out>, s=7, context=<value optimized out>) at s_server.c:2310
#5  0x000000000044cf9a in do_server (port=0x7fffffffe6b6 "4433", type=2, ret=0x67cf98, cb=0x43a0b0 <sv_body>, context=0x0)
    at s_socket.c:324
#6  0x0000000000438ec7 in s_server_main (argc=0, argv=0x7fffffffe430) at s_server.c:1901
#7  0x0000000000417018 in do_cmd (prog=0x698490, argc=8, argv=0x7fffffffe3f0) at openssl.c:489
#8  0x0000000000417a93 in main (Argc=8, Argv=0x7fffffffe3f0) at openssl.c:381
(gdb) quit
A debugging session is active.

        Inferior 1 [process 11826] will be killed.

Quit anyway? (y or n) y

This blocks QE from verifying that there is no regression for CVE-2012-2333-record-length-handling-integer-underflow. The problem itself is a regression from openssl-1.0.0-27.el6_4.2.x86_64

Comment 1 Tomas Mraz 2013-09-27 16:04:22 UTC

I did not hunt for acks on this one and just committed the fix as it is trivial.
Can we close this as duplicate of the rebase bug?

Comment 7 errata-xmlrpc 2013-11-21 09:25:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1585.html

Note You need to log in before you can comment on or make changes to this bug.