Bug 1369260 - OpenVPN crashes in FIPS mode
Summary: OpenVPN crashes in FIPS mode
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: openvpn
Version: epel7
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: David Sommerseth
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2016-08-22 21:23 UTC by DHC
Modified: 2018-02-16 18:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-02-16 18:20:01 UTC
Type: Bug

Attachments
Modified version of SuSE patch, also checks binary (14.31 KB, patch)
2016-08-22 21:23 UTC, DHC
Patch to .spec file (2.16 KB, patch)
2016-08-22 21:24 UTC, DHC
openSUSE FIPS patch (3.96 KB, patch)
2017-06-23 15:32 UTC, Robert Thralls

Description DHC 2016-08-22 21:23:40 UTC
Created attachment 1193087
Modified version of SuSE patch, also checks binary

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:
100% reproducible on EL6
does not reproduce on EL7

Steps to Reproduce:
1.  Pass fips=1 as a kernel boot parameter; reboot
2.  Verify the system really is in FIPS mode via "fipscheck"; you should see "fips mode is on" as output
3.  Install openVPN on two systems.
4.  (With one exception, described in item 4b) Establish a connection as described in the OpenVPN "Static Key Mini-Howto"
4b) Specify "cipher AES-256-CBC" in both config files.

Actual results:
Server and/or client segfaults.

Expected results:
Ideally, openVPN would still work. At the very least, a clean message explaining what happened.

Additional info:
Web searches show a lot of people are running into this, and SuSE has published a patch for the OpenVPN source.  I'm attaching patches and an updated .spec file.

Comment 1 DHC 2016-08-22 21:24:38 UTC
Created attachment 1193089
Patch to .spec file

Comment 2 DHC 2016-08-22 21:26:08 UTC
Note:  looks like fipscheck doesn't say "fips mode is on" in EL6.  Disregard step 2.

Comment 3 David Sommerseth 2016-08-23 09:48:41 UTC
FYI: I have started a discussion upstream with OpenVPN to add FIPS support.


Comment 4 David Sommerseth 2017-04-24 21:06:53 UTC
Can you please test openvpn-2.4.1 on a FIPS enabled system now?  We have added a patch in this so it should no longer require MD5.

Comment 5 Robert Thralls 2017-06-23 15:32:52 UTC
Created attachment 1291136
openSUSE FIPS patch

The openvpn-2.4.1-3 packages currently in EPEL still segfault on EL6 in FIPS mode. With "verb 11", the last line in the server log is for "tls1_P_hash seed:".

openSUSE has a patch that sets EVP_MD_CTX_FLAG_NON_FIPS_ALLOW to make the "special PRF-exception for MD5 in FIPS" mentioned in the OpenVPN issue above (#725) actually work (see attached).


Comment 6 Robert Thralls 2017-06-23 15:48:11 UTC
Ah, sorry, got my wires a bit crossed. It's been a long night/morning....

To clarify, the openSUSE patch mentioned and attached here a few months ago was for OpenVPN 2.3. I've been using that in my own 2.3 el6 packages for a while with success, slightly modified as upstream changed.

The code that was eventually accepted into 2.4 (https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13926.html) does not include the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW part, so doesn't actually work under FIPS mode. It segfaults during the TLS PRF function.

The openSUSE patch has just been updated for 2.4 (coincidentally as I was doing the same thing myself last night), which is what I attached in my last comment. The only difference between their patch now and mine is that they set the cipher default to AES-256-CBC instead of BF-CBC, which I personally think was unnecessary and a bit ugly, since the documentation wasn't updated to reflect that.
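The crash location named above (tls1_P_hash, inside the TLS PRF) is easier to reason about with the PRF written out. The following is an added illustration, not code from OpenVPN, openSUSE or anyone in this thread: it implements the TLS 1.0 PRF of RFC 2246 section 5, which is the construction OpenVPN 2.x uses for its key expansion (P_MD5 over the first half of the secret XORed with P_SHA1 over the second half). Because MD5 is part of the structure, a FIPS-restricted OpenSSL that refuses to initialise an MD5 digest context breaks every key derivation, which is why the openSUSE patch has to mark that one digest as non-FIPS-allowed rather than swap the algorithm. Python's `usedforsecurity=False` keyword is used here as the closest analogue of that flag; the helper names, the `/proc` check and the sample secret are all assumptions of this example.

```python
import hashlib
import hmac


# Hypothetical helper (added example, not OpenVPN code): report whether the
# running kernel is in FIPS mode, i.e. the check behind step 2 of the report.
def fips_mode_enabled(path="/proc/sys/crypto/fips_enabled"):
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def _digest_ctor(name):
    """Return a constructor for the named digest.

    usedforsecurity=False (Python 3.9+) is the hashlib analogue of OpenSSL's
    non-FIPS-allowed digest flag: MD5 is needed structurally by the PRF, not
    as a standalone security primitive.  Older interpreters do not accept the
    keyword, so fall back on TypeError.
    """
    def ctor(data=b""):
        try:
            return hashlib.new(name, data, usedforsecurity=False)
        except TypeError:
            return hashlib.new(name, data)
    return ctor


def p_hash(name, secret, seed, out_len):
    """RFC 2246 section 5 data expansion P_hash(secret, seed).

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    ctor = _digest_ctor(name)
    a = seed
    out = b""
    while len(out) < out_len:
        a = hmac.new(secret, a, ctor).digest()
        out += hmac.new(secret, a + seed, ctor).digest()
    return out[:out_len]


def split_secret(secret):
    """S1 = first half, S2 = second half; for odd lengths they overlap by one byte."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf(secret, label, seed, out_len):
    """TLS 1.0 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


if __name__ == "__main__":
    # Constructed sample inputs; the label text is an assumption of this example.
    master = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    print("kernel FIPS mode:", fips_mode_enabled())
    key_block = tls1_prf(master, b"key expansion", client_random + server_random, 64)
    print("key block:", key_block.hex())
```

Running this on a FIPS-enabled EL6 box with a Python that lacks `usedforsecurity` (and therefore hits the same MD5 restriction the server log shows) fails at the first `p_hash("md5", ...)` call, which is the observable counterpart of the segfault in the bug, minus the missing error handling that turns a refused digest context into a crash.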

Comment 7 David Sommerseth 2017-06-23 21:18:05 UTC
First of all, I'm not going to do what SUSE does - applying their own patches on top of OpenVPN and not even trying to be involved in getting these patches upstream.  I want Fedora to ship as little additional modifications as possible, and when needed - let it be really strictly Fedora related.  Anything else

The other thing, I had a quick look at the openvpn-2.4.3 package SUSE have ... And I didn't spot any new FIPS related patches.   Can you please point at the exact patch for v2.4.3?   Then we can see how we can get that upstream first.

That said, it is far more fruitful to have this discussion in the upstream trac ticket: https://community.openvpn.net/openvpn/ticket/725

Comment 8 David Sommerseth 2017-06-23 21:20:39 UTC
Sorry!  I now spotted the patch you added ... which looks more like v2.4 related.  I initially took it to be the v2.3 patch.

Comment 9 David Sommerseth 2018-02-16 18:20:01 UTC
FIPS is now being discussed and looked at upstream.  So closing this ticket as UPSTREAM, as this is not something we will patch outside the upstream project.

Comment 10 David Sommerseth 2018-02-16 18:22:18 UTC
Oh, forgot the upstream Trac ticket URL:  https://community.openvpn.net/openvpn/ticket/725
