[Bug 1947588] Autopkgtest regression report (openssl/1.1.1f-1ubuntu2.14)
Ubuntu SRU Bot
1947588 at bugs.launchpad.net
Thu Jun 16 02:18:48 UTC 2022
All autopkgtests for the newly accepted openssl (1.1.1f-1ubuntu2.14) for focal have finished running.
The following regressions have been reported in tests triggered by the package:
trafficserver/8.0.5+ds-3 (ppc64el)
linux-oem-5.14/5.14.0-1042.47 (amd64)
linux-hwe-5.11/5.11.0-61.61 (armhf)
linux-intel-iotg-5.15/5.15.0-1008.11~20.04.1 (amd64)
linux-hwe-5.15/5.15.0-33.34~20.04.1 (armhf)
mysql-8.0/8.0.29-0ubuntu0.20.04.3 (amd64)
puma/3.12.4-1ubuntu2 (arm64)
linux-hwe-5.13/5.13.0-48.54~20.04.1 (armhf)
diaspora-installer/0.7.6.1+debian1 (s390x, arm64)
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].
https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#openssl
[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions
Thank you!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1947588
Title:
Infinite Loop in OpenSSL s_server
Status in openssl package in Ubuntu:
Fix Released
Status in openssl source package in Focal:
Fix Committed
Status in openssl source package in Impish:
Fix Committed
Status in openssl source package in Jammy:
Fix Committed
Bug description:
[Impact]
The TLS test server `openssl s_server` can very easily be led into an
infinite loop if configured with incompatible settings and used via
DTLS. This makes it harder to test one's TLS configuration.
[Test plan]
In one session:
$ openssl s_server -nocert -psk 01020304 -dtls1
In parallel:
$ openssl s_client -dtls1 -psk 01020304
The server session will enter an infinite loop:
Using default temp DH parameters
ACCEPT
ERROR
140247926990208:error:141FC044:SSL routines:tls_setup_handshake:internal error:../ssl/statem/statem_lib.c:109:
ERROR
140247926990208:error:141FC044:SSL routines:tls_setup_handshake:internal error:../ssl/statem/statem_lib.c:109:
ERROR
... etc...
[Where problems could occur]
The patch is fairly self-contained, so regressions should only occur in
the `openssl s_server` application, and not in the libssl or libcrypto
libraries.
However, the patch could break said server, which might be used in e.g.
autopkgtests.
[Original report]
Launching openssl s_server as follows:
$ openssl s_server -nocert -psk 01020304 -dtls1
And using openssl s_client to connect to it like this:
$ openssl s_client -dtls1 -psk 01020304
Results in s_server entering an infinite loop:
Using default temp DH parameters
ACCEPT
ERROR
140247926990208:error:141FC044:SSL routines:tls_setup_handshake:internal error:../ssl/statem/statem_lib.c:109:
ERROR
140247926990208:error:141FC044:SSL routines:tls_setup_handshake:internal error:../ssl/statem/statem_lib.c:109:
ERROR
...and so on...
I have confirmed that upstream OpenSSL does not have this issue in a
default build of 1.1.1j or 1.1.1k. Upstream 1.1.1l has a different bug
with these commands (https://github.com/openssl/openssl/issues/16707)
and it was while working on the fix for that issue
(https://github.com/openssl/openssl/pull/16838) that I noticed this
problem in the Ubuntu packages.
$ lsb_release -rd
Description: Ubuntu 21.04
Release: 21.04
$ apt-cache policy openssl
openssl:
Installed: 1.1.1j-1ubuntu3.5
Candidate: 1.1.1j-1ubuntu3.5
Version table:
*** 1.1.1j-1ubuntu3.5 500
500 http://gb.archive.ubuntu.com/ubuntu hirsute-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu hirsute-security/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1j-1ubuntu3 500
500 http://gb.archive.ubuntu.com/ubuntu hirsute/main amd64 Packages
$ openssl version -a
OpenSSL 1.1.1j 16 Feb 2021
built on: Mon Aug 23 17:02:39 2021 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -ffile-prefix-map=/build/openssl-5U8yxE/openssl-1.1.1j=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1947588/+subscriptions
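Added example, not part of the bug report or of OpenSSL: a Python check for use when running the test plan above. It parses captured `openssl s_server` output and flags the same error-queue entry repeating after a single ACCEPT. The function names and the threshold are assumptions; the looping sample is the excerpt quoted in the report and the healthy sample is constructed.

```python
import re
from collections import Counter

# OpenSSL 1.1.1 error-queue line: thread:error:code:library:function:reason:file:line:
ERR_RE = re.compile(
    r"^(?P<thread>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]+):(?P<line>\d+):"
)

def parse_error(line):
    """Return the fields of one error-queue line, or None if it is not one."""
    m = ERR_RE.match(line.strip())
    return m.groupdict() if m else None

def find_handshake_loop(lines, threshold=2):
    """Return (count, error fields) for the most repeated error seen after a
    single ACCEPT, or None if no error repeats `threshold` times (assumed value)."""
    worst, counts = None, Counter()
    for line in lines:
        if line.strip() == "ACCEPT":
            counts.clear()  # server went back to accepting: not stuck on the old connection
            continue
        err = parse_error(line)
        if err is None:
            continue
        key = (err["code"], err["file"], err["line"])
        counts[key] += 1
        if counts[key] >= threshold and (worst is None or counts[key] > worst[0]):
            worst = (counts[key], err)
    return worst

ERR = ("140247926990208:error:141FC044:SSL routines:tls_setup_handshake:"
       "internal error:../ssl/statem/statem_lib.c:109:")
# Excerpt quoted in the bug report: one ACCEPT followed by the same error repeating.
LOOPING = ["Using default temp DH parameters", "ACCEPT", "ERROR", ERR, "ERROR", ERR, "ERROR"]
# Constructed sample: the error is reported once, then the server returns to ACCEPT.
HEALTHY = ["Using default temp DH parameters", "ACCEPT", "ERROR", ERR, "ACCEPT", "ERROR", ERR, "ACCEPT"]

if __name__ == "__main__":
    for name, sample in (("looping", LOOPING), ("healthy", HEALTHY)):
        print(name, find_handshake_loop(sample))
```

When capturing live output for this check, run the server under a time limit so an unpatched build cannot fill the log indefinitely.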