Bug 1464293 - libfaketime triggers openssl (libcrypto?) segfault in FIPS mode
libfaketime triggers openssl (libcrypto?) segfault in FIPS mode
Status: NEW
Product: Fedora EPEL
Classification: Fedora
Component: libfaketime (Show other bugs)
epel7
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Paul Wouters
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-22 21:45 EDT by Travers Carter
Modified: 2017-06-22 23:13 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Travers Carter 2017-06-22 21:45:03 EDT
Description of problem:
Use of libfaketime with openssl triggers a segfault if the system is in FIPS mode. See
* [BUG] https://github.com/wolfcw/libfaketime/issues/93
* [BUG] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1613658
* [PATCH] https://github.com/wolfcw/libfaketime/commit/0bde083556e243e87bddaaf94e68f2ef85dad769


Version-Release number of selected component (if applicable):
libfaketime-0.9.6-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. yum install hmaccalc fipscheck dracut-fips dracut-fips-aesni
2. rebuild initrd (dracut -f)
3. Boot the system with "fips=1" in the kernel boot arguments
4. Run "faketime -f '2017-01-01 00:00:00' openssl"


Actual results:
# faketime -f '2017-06-23 01:02:03' openssl ciphers
Caught Segmentation fault

Expected results:
faketime -f '2017-06-23 01:02:03' openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:KRB5-DES-CBC3-SHA

Additional info:
Not sure whether the initrd build is mandatory or just booting with fips=1 is sufficient.
Comment 1 Paul Wouters 2017-06-22 22:44:10 EDT
upstream is about to release 0.9.7 which includes that fix. So if this isn't super urgent, I'd prefer to wait and just to 0.9.7 since there are quite a lot of fixes since 0.9.6
Comment 2 Travers Carter 2017-06-22 23:13:52 EDT
Not super urgent from my perspective.

I'd love to see fix within the next month or so, so if the next release is expected within the next few weeks it would absolutely make sense to just wait for that rather than cherry-picking the individual fix.

Note You need to log in before you can comment on or make changes to this bug.