CRYPTO_set_mem_functions() is broken

Bug #1594748 reported by Timo Sirainen
This bug affects 3 people
Affects            Status         Importance   Assigned to   Milestone
OpenSSL            Invalid        Unknown
openssl (Ubuntu)   Fix Released   Undecided    Joy Latten
Xenial             Fix Released   Undecided    Unassigned

Bug Description

Description: Ubuntu 16.04 LTS
Release: 16.04

openssl:
  Installed: 1.0.2g-1ubuntu4.1
  Candidate: 1.0.2g-1ubuntu4.1
  Version table:
 *** 1.0.2g-1ubuntu4.1 500
        500 http://fi.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4 500
        500 http://fi.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

CRYPTO_set_mem_functions() always returns 0 because library initialization already calls CRYPTO_malloc() and disables it:

#0 CRYPTO_malloc (num=num@entry=1168, file=file@entry=0x7ffff70ae02c "fips_drbg_lib.c",
    line=line@entry=106) at mem.c:329
#1 0x00007ffff70596df in FIPS_drbg_new (type=type@entry=0, flags=flags@entry=0)
    at fips_drbg_lib.c:106
#2 0x00007ffff705aeb9 in FIPS_drbg_health_check (
    dctx=dctx@entry=0x7ffff731c960 <ossl_dctx>) at fips_drbg_selftest.c:760
#3 0x00007ffff70595f0 in FIPS_drbg_init (dctx=dctx@entry=0x7ffff731c960 <ossl_dctx>,
    type=<optimized out>, flags=<optimized out>) at fips_drbg_lib.c:94
#4 0x00007ffff6fe38f3 in RAND_init_fips () at rand_lib.c:287
#5 0x00007ffff6f26f7a in OPENSSL_init_library () at o_init.c:119
#6 0x00007ffff7de74ea in call_init (l=<optimized out>, argc=argc@entry=1,
    argv=argv@entry=0x7fffffffe5e8, env=env@entry=0x7fffffffe5f8) at dl-init.c:72
#7 0x00007ffff7de75fb in call_init (env=0x7fffffffe5f8, argv=0x7fffffffe5e8, argc=1,
    l=<optimized out>) at dl-init.c:30
#8 _dl_init (main_map=main_map@entry=0x640380, argc=1, argv=0x7fffffffe5e8,
    env=0x7fffffffe5f8) at dl-init.c:120

This doesn't happen in upstream OpenSSL or in Debian's OpenSSL. Looking at the patches, this is caused by FIPS_drbg_init() in openssl-1.0.2g-fips.patch:

+ if (!(dctx->xflags & DRBG_FLAG_TEST)) {
+ if (!FIPS_drbg_health_check(dctx)) {
+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
+ return 0;
+ }
+ }
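
Review bot: The health check in FIPS_drbg_init() is gated only on DRBG_FLAG_TEST, so it runs whenever the DRBG is initialised, and the backtrace above shows that path reaching CRYPTO_malloc() through FIPS_drbg_new() from the library's load-time initializer. Consider running FIPS_drbg_health_check() only when FIPS mode is actually enabled, or deferring it until the DRBG is first used, so that an application calling CRYPTO_set_mem_functions() at start-up is not refused.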

I don't want any FIPS mode enabled though, so does it really even need to call RAND_init_fips() then?
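
The failure mode reported above, as an added example that is not part of the original report and is not OpenSSL source: a simplified model of an allocator setter that refuses once any allocation has happened, with an application start-up routine that checks the result instead of assuming its hooks are in place. All `model_` and `app_` names are hypothetical stand-ins.

```c
/* Simplified model of the allocator latch; model_ and app_ names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
static int allow_customize = 1;            /* cleared by the first allocation */
static void *(*malloc_impl)(size_t) = malloc;
static void (*free_impl)(void *) = free;
static int app_calls;                      /* allocations served by the app hook */

/* Stands in for CRYPTO_set_mem_functions(): 1 on success, 0 if refused. */
static int model_set_mem_functions(void *(*m)(size_t), void (*f)(void *))
{
    if (!allow_customize)
        return 0;
    malloc_impl = m;
    free_impl = f;
    return 1;
}

/* Stands in for CRYPTO_malloc(): the first use latches the allocator. */
static void *model_malloc(size_t n)
{
    allow_customize = 0;
    return malloc_impl(n);
}

/* Load-time initializer; the patched path allocates a DRBG context (1168 bytes). */
static void model_library_init(int with_health_check)
{
    if (with_health_check)
        free_impl(model_malloc(1168));
}

static void *app_malloc(size_t n) { app_calls++; return malloc(n); }
/* Application start-up: returns 1 only if its hooks are really in use. */
static int app_install_hooks(int with_health_check)
{
    allow_customize = 1; malloc_impl = malloc; free_impl = free; app_calls = 0;
    model_library_init(with_health_check);  /* in reality runs before main() */
    if (!model_set_mem_functions(app_malloc, free))
        return 0;                           /* refused: log it or abort start-up */
    free_impl(model_malloc(16));
    return app_calls == 1;
}

int main(void) {
    printf("no allocation at init: %d\n", app_install_hooks(0));
    printf("health check at init:  %d\n", app_install_hooks(1));
    return 0;
}
```

An application that relies on its own allocator (for accounting or wiping freed memory, for example) should treat a 0 return as a start-up error rather than continue silently on the default allocator.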

Changed in openssl (Ubuntu):
assignee: nobody → Joy Latten (j-latten)
Joy Latten (j-latten) wrote :

Looking into this...

Joy Latten (j-latten) wrote :

OK, this is also "broken", or an issue, in upstream openssl 1.0.2 when OPENSSL_FIPS is defined.
See https://rt.openssl.org/Ticket/Display.html?id=4559#txn-68189 or
http://rt.openssl.org/Ticket/Display.html?id=4559

Joy Latten (j-latten) wrote :

Waiting to see upstream commit/fix for this since this is an issue in the upstream openssl code when OPENSSL_FIPS is defined.

Joy Latten (j-latten) wrote :

Just as a note, FIPS mode is not enabled in 1.0.2g-1ubuntu4.1, but OPENSSL_FIPS is defined and its code is compiled in. Thus, in OPENSSL_init_library(), the RAND_init_fips() call is included.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
Dave Chiluk (chiluk)
tags: added: sts
Dave Chiluk (chiluk) wrote :

@Joy

It looks like the upstream bug has been rejected. Do you know what the resolution for this issue was? Can you work with upstream to figure out what's going on?

Thanks,

Joy Latten (j-latten) wrote :

Investigating.

Dave Chiluk (chiluk) wrote :

This needs to be resolved in Xenial as well.

Dave Chiluk (chiluk) wrote :

For those affected by this in xenial, I have created a PPA with fips removed from the openssl binaries.

See it here.
https://launchpad.net/~chiluk/+archive/ubuntu/openssl+nofips

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.2g-1ubuntu8

---------------
openssl (1.0.2g-1ubuntu8) yakkety; urgency=medium

  * Remove unused FIPS patches for now. (LP: #1594748, LP: #1593953,
    LP: #1591797, LP: #1588524)

 -- Marc Deslauriers <email address hidden> Mon, 15 Aug 2016 14:20:42 -0400

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released
Chris J Arges (arges) wrote : Please test proposed package

Hello Timo, or anyone else affected,

Accepted openssl into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openssl (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Joy Latten (j-latten) wrote :

I tested version 1.0.2g-1ubuntu4.3 with the death.c program from the upstream openssl bug ticket 4559 and confirmed this problem is now resolved.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 1.0.2g-1ubuntu4.4

---------------
openssl (1.0.2g-1ubuntu4.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Pointer arithmetic undefined behaviour
    - debian/patches/CVE-2016-2177.patch: avoid undefined pointer
      arithmetic in ssl/s3_srvr.c, ssl/ssl_sess.c, ssl/t1_lib.c.
    - CVE-2016-2177
  * SECURITY UPDATE: Constant time flag not preserved in DSA signing
    - debian/patches/CVE-2016-2178-*.patch: preserve BN_FLG_CONSTTIME in
      crypto/dsa/dsa_ossl.c.
    - CVE-2016-2178
  * SECURITY UPDATE: DTLS buffered message DoS
    - debian/patches/CVE-2016-2179.patch: fix queue handling in
      ssl/d1_both.c, ssl/d1_clnt.c, ssl/d1_lib.c, ssl/d1_srvr.c,
      ssl/ssl_locl.h.
    - CVE-2016-2179
  * SECURITY UPDATE: OOB read in TS_OBJ_print_bio()
    - debian/patches/CVE-2016-2180.patch: fix text handling in
      crypto/ts/ts_lib.c.
    - CVE-2016-2180
  * SECURITY UPDATE: DTLS replay protection DoS
    - debian/patches/CVE-2016-2181-1.patch: properly handle unprocessed
      records in ssl/d1_pkt.c.
    - debian/patches/CVE-2016-2181-2.patch: protect against replay attacks
      in ssl/d1_pkt.c, ssl/ssl.h, ssl/ssl_err.c.
    - debian/patches/CVE-2016-2181-3.patch: update error code in ssl/ssl.h.
    - CVE-2016-2181
  * SECURITY UPDATE: OOB write in BN_bn2dec()
    - debian/patches/CVE-2016-2182.patch: don't overflow buffer in
      crypto/bn/bn_print.c.
    - CVE-2016-2182
  * SECURITY UPDATE: SWEET32 Mitigation
    - debian/patches/CVE-2016-2183.patch: move DES ciphersuites from HIGH
      to MEDIUM in ssl/s3_lib.c.
    - CVE-2016-2183
  * SECURITY UPDATE: Malformed SHA512 ticket DoS
    - debian/patches/CVE-2016-6302.patch: sanity check ticket length in
      ssl/t1_lib.c.
    - CVE-2016-6302
  * SECURITY UPDATE: OOB write in MDC2_Update()
    - debian/patches/CVE-2016-6303.patch: avoid overflow in
      crypto/mdc2/mdc2dgst.c.
    - CVE-2016-6303
  * SECURITY UPDATE: OCSP Status Request extension unbounded memory growth
    - debian/patches/CVE-2016-6304.patch: remove OCSP_RESPIDs from previous
      handshake in ssl/t1_lib.c.
    - CVE-2016-6304
  * SECURITY UPDATE: Certificate message OOB reads
    - debian/patches/CVE-2016-6306-1.patch: check lengths in ssl/s3_clnt.c,
      ssl/s3_srvr.c.
    - debian/patches/CVE-2016-6306-2.patch: make message buffer slightly
      larger in ssl/d1_both.c, ssl/s3_both.c.
    - CVE-2016-6306

 -- Marc Deslauriers <email address hidden> Thu, 22 Sep 2016 08:22:22 -0400

Changed in openssl (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in openssl:
status: Unknown → Invalid