[Touch-packages] [Bug 1591411] Re: systemd-logind must be restarted every ~1000 SSH logins to prevent a ~25 second delay

2016-09-30 Thread Ken Baker
Are there any updates on fixing this in xenial/16.04?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1591411

Title:
  systemd-logind must be restarted every ~1000 SSH logins to prevent a
  ~25 second delay

Status in D-Bus:
  Unknown
Status in systemd:
  Unknown
Status in dbus package in Ubuntu:
  Confirmed
Status in systemd package in Ubuntu:
  Fix Released
Status in dbus source package in Xenial:
  Confirmed
Status in systemd source package in Xenial:
  Invalid

Bug description:
  I noticed on a system that accepts large numbers of SSH connections
  that after awhile, SSH sessions were taking ~25 seconds to complete.

  Looking in /var/log/auth.log, systemd-logind starts failing with the
  following:

  Jun 10 23:55:28 test sshd[3666]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
  Jun 10 23:55:28 test systemd-logind[105]: New session c1052 of user ubuntu.
  Jun 10 23:55:28 test systemd-logind[105]: Failed to abandon session scope: Transport endpoint is not connected
  Jun 10 23:55:28 test sshd[3666]: pam_systemd(sshd:session): Failed to create session: Message recipient disconnected from message bus without replying

  I reproduced this in an LXD container by doing something like:

  lxc launch ubuntu:x test
  lxc exec test -- login -f ubuntu
  ssh-import-id 

  Then ran a script as follows (passing in ubuntu@):

  while true; do
      (time ssh "$1" "echo OK > /dev/null") 2>&1 | grep ^real >> log
  done

  In my case, after 1052 logins, the 1053rd and thereafter were taking
  25+ seconds to complete. Here are some snippets from the log file:

  $ cat log | grep 0m0 | wc -l
  1052

  $ cat log | grep 0m25 | wc -l
  4

  $ tail -5 log
  real  0m0.222s
  real  0m25.232s
  real  0m25.235s
  real  0m25.236s
  real  0m25.239s

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: systemd 229-4ubuntu5
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  Date: Sat Jun 11 00:09:34 2016
  MachineType: Notebook W230SS
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-22-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash
  SourcePackage: systemd
  SystemdDelta:
   [EXTENDED]   /lib/systemd/system/rc-local.service → /lib/systemd/system/rc-local.service.d/debian.conf
   [EXTENDED]   /lib/systemd/system/systemd-timesyncd.service → /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf

   2 overridden configuration files found.
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 04/15/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 4.6.5
  dmi.board.asset.tag: Tag 12345
  dmi.board.name: W230SS
  dmi.board.vendor: Notebook
  dmi.board.version: Not Applicable
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 9
  dmi.chassis.vendor: Notebook
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr4.6.5:bd04/15/2014:svnNotebook:pnW230SS:pvrNotApplicable:rvnNotebook:rnW230SS:rvrNotApplicable:cvnNotebook:ct9:cvrN/A:
  dmi.product.name: W230SS
  dmi.product.version: Not Applicable
  dmi.sys.vendor: Notebook

To manage notifications about this bug go to:
https://bugs.launchpad.net/dbus/+bug/1591411/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-08-25 Thread Ken Baker
Chris, I can confirm that 1.0.2g-1ubuntu4.3 in xenial-proposed on armhf
works as expected.

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed
  in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  always run the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf
  (beaglebone and raspberry pi 2&3) is significant (~ 700ms).  On amd64
  it is measurable but far less significant (~ 10ms).  On a long running
  process this may be insignificant, but for command line tools this is
  problematic.  I've seen performance differences with wget, dig,
  nslookup, and host.  I am sure there are others.  The specific numbers
  above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:
  static void init_fips_mode(void)
  {
      char buf[2] = "0";
      int fd;

      /* Ensure the selftests always run */
      FIPS_mode_set(1);

      /* For now, do not enforce fips mode via env var
      if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
          buf[0] = '1';
      } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { */
      if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
          while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
          close(fd);
      }
      /* Failure reading the fips mode switch file means just not
       * switching into FIPS mode. We would break too many things
       * otherwise..
       */

      if (buf[0] != '1') {
          /* drop down to non-FIPS mode if it is not requested */
          FIPS_mode_set(0);
      } else {
          /* abort if selftest failed */
          FIPS_selftest_check();
      }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled
  exists, and is 1.  This still meets the original proposal as written in the
  1553309 thread:
  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass
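The ordering the report asks for, written out as an added example (not the Ubuntu patch and not OpenSSL's own code): the kernel switch file is read first, and the self-test-running FIPS_mode_set(1) is reached only when it reads '1'. The OpenSSL entry points are passed in as function pointers so the gate compiles and runs without the FIPS object module; the stub_* functions, write_switch_file and the /tmp paths are assumptions made for testing.

```c
/* Added example, not the Ubuntu patch: read the switch file first and reach
 * the self-test-running FIPS_mode_set(1) only when it reads '1'. OpenSSL
 * calls are function-pointer parameters; stub_* are testing stand-ins. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if the switch file exists and its first byte is '1', else 0. A missing
 * or unreadable file means "FIPS not requested", as in crypto/o_init.c. */
int fips_switch_requested(const char *path)
{
    char buf[2] = "0";
    ssize_t n;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    do {
        n = read(fd, buf, sizeof(buf));
    } while (n < 0 && errno == EINTR);
    close(fd);
    return (n > 0 && buf[0] == '1') ? 1 : 0;
}

/* 1 = FIPS requested and entered; 0 = stays non-FIPS; -1 = requested but
 * self-tests failed (production code would abort). mode_set(1) runs the
 * expensive self-tests, so it is never reached unless the switch is '1'. */
int init_fips_mode_gated(const char *switch_path,
                         int (*mode_set)(int onoff),
                         int (*selftest_check)(void))
{
    if (!fips_switch_requested(switch_path))
        return 0;
    if (!mode_set(1))
        return 0;
    return selftest_check() ? 1 : -1;
}

/* Stand-ins for FIPS_mode_set / FIPS_selftest_check (assumed, for testing). */
int g_mode_set_calls;
int stub_mode_set(int onoff) { if (onoff) g_mode_set_calls++; return 1; }
int stub_selftest_ok(void) { return 1; }
int stub_selftest_fail(void) { return 0; }

/* Test helper: write a fake switch file with the given content. 0 on success. */
int write_switch_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (f == NULL || fputs(content, f) == EOF)
        return -1;
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    /* Production: init_fips_mode_gated("/proc/sys/crypto/fips_enabled", FIPS_mode_set, FIPS_selftest_check) */
    int on = fips_switch_requested("/proc/sys/crypto/fips_enabled");
    printf("kernel FIPS switch: %s\n", on ? "1 (self-tests would run)" : "0/absent (skipped)");
    return 0;
}
```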

  To see the performance differences you can build and time the following program:
  /* <openssl/ssl.h> declares OpenSSL_add_ssl_algorithms() */
  #include <openssl/ssl.h>

  int main(void) {
      /* library initialisation; with the Ubuntu patch this runs the FIPS self tests */
      OpenSSL_add_ssl_algorithms();
      return 0;
  }

  To measure the system performance without FIPS I installed 1.0.2g-1ubuntu2 from:
  https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu2 on both armhf and
  amd64.  I have also recompiled 1.0.2g-1ubuntu4.1 with the call to
  FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the following times:
  real    0m0.690s
  real    0m0.683s
  real    0m0.705s
  real    0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to FIPS_mode_set(1) commented out:
  real    0m0.010s
  real    0m0.010s
  real    0m0.009s
  real    0m0.012s
  real    0m0.010s

  The same system with 1.0.2g-1ubuntu2:
  real    0m0.010s
  real    0m0.009s
  real    0m0.009s
  real    0m0.011s
  real    0m0.012s

  Here is some information about my system:
  $ lsb_release -rd
  Description:    Ubuntu 16.04 LTS
  Release:        16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
    Installed: 1.0.2g-1ubuntu4.1
    Candidate: 1.0.2g-1ubuntu4.1
    Version table:
   *** 1.0.2g-1ubuntu4.1 500
          500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
          500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
          100 /var/lib/dpkg/status
       1.0.2g-1ubuntu4 500
          500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages



[Touch-packages] [Bug 1614210] Re: Remove incomplete fips in openssl in xenial.

2016-08-25 Thread Ken Baker
I can confirm that 1.0.2g-1ubuntu4.3 in xenial-proposed on armhf
resolves the bug I described in
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797.


Title:
  Remove incomplete fips in openssl in xenial.

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Xenial:
  Fix Committed
Status in openssl source package in Yakkety:
  Fix Released

Bug description:
  Package: openssl-1.0.2g-1ubuntu4.1
  Distro: xenial

  The openssl contains incomplete fips patches. In light that the fips
  is incomplete and will not be completed in the main archive and they
  are impacting customers, they should be withdrawn. See lp bugs
  1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips
  patches will remove these fips-related issues.

  [Test case]
  1. Problem in 1594748
  Note: this problem was reported in upstream openssl and testcase posted there also.
  https://rt.openssl.org/Ticket/Display.html?id=4559

  CRYPTO_set_mem_functions() always returns 0 because library
  initialization within fips code already calls CRYPTO_malloc() and
  disables it.

  This testcase should cause openssl to abort, but instead it returns a
  context.

  #include <stdio.h>
  #include <stdlib.h>
  #include <openssl/ssl.h>

  /* Every custom allocator aborts: if CRYPTO_set_mem_functions() took effect,
   * the first allocation inside SSL_CTX_new() must abort the process. */
  void * my_alloc(size_t n) { (void)n; abort(); }
  void my_free(void *p) { (void)p; abort(); }
  void * my_realloc(void *p, size_t n) { (void)p; (void)n; abort(); }
  int main(int argc, const char **argv)
  {
    const SSL_METHOD *method;
    SSL_CTX *ctx;
    (void)argc; (void)argv;
    /* return value deliberately ignored, as in the report: with the fips
     * patches it is 0 because the library has already called CRYPTO_malloc() */
    CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
    SSL_library_init();
    method = SSLv23_client_method();
    ctx = SSL_CTX_new(method);
    printf("Got ctx %p\n", (void *)ctx);
    return 0;
  }

  2. Problem in 1593953
  EC key generation allows user to generate keys using EC curves that the EC
  sign and verify do not support when OPENSSL_FIPS is defined.
  Testcase taken from lp #1593953

  openssl ecparam -genkey -name Oakley-EC2N-4

  will fail when OPENSSL_FIPS is defined since it causes a fips key-pair
  consistency check to be done.
  Otherwise, without OPENSSL_FIPS defined, the check is not done.

  3. Problem reported in 1588524
  Error code being skipped...

  Testcase taken from lp #1588524

  #include <stdio.h>
  #include <openssl/ssl.h>
  #include <openssl/err.h>

  int main(void) {
    int rc;
    unsigned long fips_err;
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    rc = FIPS_mode_set(1);
    fips_err = ERR_peek_last_error();

    // FIPS_mode_set will return 0 on failure, which is expected if
    // the FIPS module is not compiled. In this case, we should then
    // be able to get the error code
    // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
    // https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
    printf("%d %lu\n", rc, fips_err);
    ERR_print_errors_fp(stdout);

    ERR_free_strings();
    return 0;
  }

  Should report an error message.

  [ Regression potential ]
  Removing the fips patches should decrease regression potential of openssl in
  the main archive.



[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-08-22 Thread Ken Baker
Marc Deslauriers,

Will this change to remove the FIPS patches be backported and released
in Xenial?

-- Ken



[Touch-packages] [Bug 1591797] [NEW] Only run FIPS self tests when FIPS is enabled

2016-06-12 Thread Ken Baker
Public bug reported:


** Affects: openssl (Ubuntu)
 Importance: Undecided
 Status: New
