Infinite Loop in OpenSSL s_server

Hi Matt, thanks for taking the time to report this, as well as investigating the different versions that might be affected.

I just checked, and both Impish and Jammy are affected as well (the latter using OpenSSL 3.0).

Disregard the (now deleted) comment regarding Focal, I got mixed up in my terminals. Focal is affected, but Bionic is not.

I suspect this is caused by our patch that changes the semantics of security level 2 to also drop support for (D)TLS < 1.2.

I had a look at what's going on there. My understanding (with the caveat that the code of s_server is quite hard to follow, even within GDB) is that when the socket receives the packet, the server goes on and try to establish a connection, only to find out that it cannot because it has an inconsistent configuration (DTLS1 being disabled on seclevel 2 on Ubuntu), thus erroring out early, before it actually reads from the socket, thus triggering the loop all over again. This does not happen with TCP-based protocols, I assume because the underlying stream socket is closed (haven't checked the details though).

Fixing this cleanly would probably be a bit tricky (do we want to abort() the application? If not, what do we do with the incoming datagram?) but isn't very urgent either as it is an issue with the s_server code, which AIUI is a debugging tool.

Thanks for your analysis. Based on your description I was able to find an instance of this bug that impacts an unmodified upstream OpenSSL directly. I've raised an issue for it here:

https://github.com/openssl/openssl/issues/18047

That particular instance only impacts OpenSSL 3.0 - but its the same underlying cause as here.

FYI, upstream merged a fix for the underlying problem in OpenSSL 3.0:

https://github.com/openssl/openssl/commit/8b63b174b00b0e8c5cefcea12989d90450e04b24

I expect a similar fix to be backported to 1.1.1 soon. Although the specific issue that this bug report is about doesn't impact upstream, I expect that any backported fix will also resolve this bug.

FYI, upstream have now also merged a fix in the 1.1.1 branch:

https://github.com/openssl/openssl/commit/e04ba889594d84a8805f3d0caeadf0527470e508

If Ubuntu pulls in that patch I expect that this bug should be fixed by it.

Thanks for the follow up! I'll try to fold the fix for this in the next
Jammy SRU, I don't know about other releases yet.

This bug was fixed in the package openssl - 3.0.3-5ubuntu2

---------------
openssl (3.0.3-5ubuntu2) kinetic; urgency=medium

  * d/p/Set-systemwide-default-settings-for-libssl-users: don't comment out
    the CipherString string to avoid an empty section.

 -- Simon Chopin <email address hidden> Tue, 31 May 2022 13:02:15 +0200

Hello Matt, or anyone else affected,

Accepted openssl into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Matt, or anyone else affected,

Accepted openssl into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

On a fresh Jammy LXC container:

root@rational-polliwog:~# dpkg -l openssl | tail -n 1
ii openssl 3.0.2-0ubuntu1.4 amd64 Secure Sockets Layer toolkit - cryptographic utility
root@rational-polliwog:~# openssl s_server -nocert -psk 01020304 -dtls1
Using default temp DH parameters
ACCEPT
ERROR
40472C92B97F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   0 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

Marking as verified.

Hello Matt, or anyone else affected,

Accepted openssl into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1l-1ubuntu1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Matt, or anyone else affected,

Accepted openssl into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted openssl (1.1.1l-1ubuntu1.4) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

nagios-plugins-contrib/35.20210511ubuntu2 (ppc64el)
nodejs/12.22.5~dfsg-5ubuntu1 (amd64)
swupdate/2020.11-2 (ppc64el)
asterisk/1:16.16.1~dfsg-2 (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#openssl

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted openssl (1.1.1f-1ubuntu2.14) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

trafficserver/8.0.5+ds-3 (ppc64el)
linux-oem-5.14/5.14.0-1042.47 (amd64)
linux-hwe-5.11/5.11.0-61.61 (armhf)
linux-intel-iotg-5.15/5.15.0-1008.11~20.04.1 (amd64)
linux-hwe-5.15/5.15.0-33.34~20.04.1 (armhf)
mysql-8.0/8.0.29-0ubuntu0.20.04.3 (amd64)
puma/3.12.4-1ubuntu2 (arm64)
linux-hwe-5.13/5.13.0-48.54~20.04.1 (armhf)
diaspora-installer/0.7.6.1+debian1 (s390x, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#openssl

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

This bug was fixed in the package openssl - 3.0.2-0ubuntu1.4

---------------
openssl (3.0.2-0ubuntu1.4) jammy; urgency=medium

  * d/p/lp1978093/*: renew some expiring test certificates (LP: #1978093)

openssl (3.0.2-0ubuntu1.3) jammy; urgency=medium

  * d/p/lp1974037/*: cherry-pick another patchset to fix regressions with the
    previous lp1974037 one (LP: #1974037)
  * d/p/Set-systemwide-default-settings-for-libssl-users: partially apply it on
    Ubuntu to make it easier for user to change security level (LP: #1972056)
  * d/p/lp1947588.patch: Cherry-picked as our patches make it very easy to
    trigger the underlying bug (LP: #1947588)

 -- Simon Chopin <email address hidden> Thu, 09 Jun 2022 13:20:55 +0200

The verification of the Stable Release Update for openssl has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Focal verification:

❯ dpkg -l openssl | tail -n 1
ii openssl 1.1.1f-1ubuntu2.14 amd64 Secure Sockets Layer toolkit - cryptographic utility

❯ openssl s_client -dtls1 -psk 01020304
CONNECTED(00000003)
140292984321344:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 15 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---

Impish verification:

❯ dpkg -l openssl | tail -n 1
ii openssl 1.1.1l-1ubuntu1.4 amd64 Secure Sockets Layer toolkit - cryptographic utility

❯ openssl s_server -nocert -psk 01020304 -dtls1
Using default temp DH parameters
ACCEPT
ERROR
140008339306304:error:141FC044:SSL routines:tls_setup_handshake:internal error:../ssl/statem/statem_lib.c:109:
shutting down SSL
CONNECTION CLOSED
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   0 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)

This bug was fixed in the package openssl - 1.1.1l-1ubuntu1.5

---------------
openssl (1.1.1l-1ubuntu1.5) impish-security; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
      apply it before c_rehash-compat.patch.
    - debian/patches/CVE-2022-2068.patch: fix file operations in
      tools/c_rehash.in.
    - debian/patches/c_rehash-compat.patch: updated patch to apply after
      the security updates.
    - CVE-2022-2068

 -- Marc Deslauriers <email address hidden> Wed, 15 Jun 2022 10:38:42 -0400

This bug was fixed in the package openssl - 1.1.1f-1ubuntu2.15

---------------
openssl (1.1.1f-1ubuntu2.15) focal-security; urgency=medium

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and
      apply it before c_rehash-compat.patch.
    - debian/patches/CVE-2022-2068.patch: fix file operations in
      tools/c_rehash.in.
    - debian/patches/c_rehash-compat.patch: updated patch to apply after
      the security updates.
    - CVE-2022-2068

 -- Marc Deslauriers <email address hidden> Wed, 15 Jun 2022 14:16:37 -0400