[Touch-packages] [Bug 1591411] Re: systemd-logind must be restarted every ~1000 SSH logins to prevent a ~25 second delay
Are there any updates on fixing this in xenial/16.04?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1591411

Title:
  systemd-logind must be restarted every ~1000 SSH logins to prevent a ~25 second delay

Status in D-Bus: Unknown
Status in systemd: Unknown
Status in dbus package in Ubuntu: Confirmed
Status in systemd package in Ubuntu: Fix Released
Status in dbus source package in Xenial: Confirmed
Status in systemd source package in Xenial: Invalid

Bug description:
  I noticed on a system that accepts large numbers of SSH connections that
  after a while, SSH sessions were taking ~25 seconds to complete. Looking in
  /var/log/auth.log, systemd-logind starts failing with the following:

    Jun 10 23:55:28 test sshd[3666]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
    Jun 10 23:55:28 test systemd-logind[105]: New session c1052 of user ubuntu.
    Jun 10 23:55:28 test systemd-logind[105]: Failed to abandon session scope: Transport endpoint is not connected
    Jun 10 23:55:28 test sshd[3666]: pam_systemd(sshd:session): Failed to create session: Message recipient disconnected from message bus without replying

  I reproduced this in an LXD container by doing something like:

    lxc launch ubuntu:x test
    lxc exec test -- login -f ubuntu
    ssh-import-id

  Then ran a script as follows (passing in ubuntu@):

    while [ 1 ]; do
        (time ssh "$1" "echo OK > /dev/null") 2>&1 | grep ^real >> log
    done

  In my case, after 1052 logins, the 1053rd and thereafter were taking 25+
  seconds to complete. Here are some snippets from the log file:

    $ cat log | grep 0m0 | wc -l
    1052
    $ cat log | grep 0m25 | wc -l
    4
    $ tail -5 log
    real 0m0.222s
    real 0m25.232s
    real 0m25.235s
    real 0m25.236s
    real 0m25.239s

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: systemd 229-4ubuntu5
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  Date: Sat Jun 11 00:09:34 2016
  MachineType: Notebook W230SS
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-22-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash
  SourcePackage: systemd
  SystemdDelta:
   [EXTENDED] /lib/systemd/system/rc-local.service → /lib/systemd/system/rc-local.service.d/debian.conf
   [EXTENDED] /lib/systemd/system/systemd-timesyncd.service → /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf
   2 overridden configuration files found.
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 04/15/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: 4.6.5
  dmi.board.asset.tag: Tag 12345
  dmi.board.name: W230SS
  dmi.board.vendor: Notebook
  dmi.board.version: Not Applicable
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 9
  dmi.chassis.vendor: Notebook
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr4.6.5:bd04/15/2014:svnNotebook:pnW230SS:pvrNotApplicable:rvnNotebook:rnW230SS:rvrNotApplicable:cvnNotebook:ct9:cvrN/A:
  dmi.product.name: W230SS
  dmi.product.version: Not Applicable
  dmi.sys.vendor: Notebook

To manage notifications about this bug go to:
https://bugs.launchpad.net/dbus/+bug/1591411/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
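A detector for the failure mode this report describes, written as an added example (it is not code from the report or from systemd): it scans auth.log text for logind's "New session" lines, counts them per logind PID so that a logind restart resets the count, and records at which session count the first pam_systemd "Failed to create session" appeared. The log lines are constructed in the format quoted above; the struct and function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed auth.log excerpt in the format quoted in the report. */
static const char sample_auth_log[] =
    "Jun 10 23:55:20 test systemd-logind[105]: New session c1 of user ubuntu.\n"
    "Jun 10 23:55:24 test systemd-logind[105]: New session c2 of user ubuntu.\n"
    "Jun 10 23:55:28 test systemd-logind[105]: New session c3 of user ubuntu.\n"
    "Jun 10 23:55:28 test systemd-logind[105]: Failed to abandon session scope: Transport endpoint is not connected\n"
    "Jun 10 23:55:28 test sshd[3666]: pam_systemd(sshd:session): Failed to create session: Message recipient disconnected from message bus without replying\n"
    "Jun 11 00:01:00 test systemd-logind[2210]: New session c4 of user ubuntu.\n";
struct logind_report {
    long logind_pid;       /* logind instance currently being counted */
    long sessions;         /* "New session" lines seen for that instance */
    long failed_logins;    /* pam_systemd "Failed to create session" lines */
    long first_failure_at; /* session count at the first failed login, 0 if none */
};
/* PID from a "systemd-logind[105]:" tag, or 0 if the line is not logind's. */
static long logind_pid_of(const char *line)
{
    const char *p = strstr(line, "systemd-logind[");
    return p ? strtol(p + strlen("systemd-logind["), NULL, 10) : 0;
}

/* Walk newline-separated text. A new logind PID means the daemon was restarted,
 * so the per-instance count (what the ~1000 limit in the report is about) resets. */
struct logind_report scan_auth_log(const char *text)
{
    struct logind_report r = {0, 0, 0, 0};
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];                           /* one line, NUL-terminated copy */
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        long pid = logind_pid_of(buf);
        if (pid && pid != r.logind_pid) {
            r.logind_pid = pid;                  /* restart seen: start counting again */
            r.sessions = 0;
        }
        if (pid && strstr(buf, ": New session "))
            r.sessions++;
        if (strstr(buf, "pam_systemd(sshd:session): Failed to create session")) {
            r.failed_logins++;
            if (!r.first_failure_at) r.first_failure_at = r.sessions;
        }
        line = nl ? nl + 1 : line + len;
    }
    return r;
}

int main(void)
{
    struct logind_report r = scan_auth_log(sample_auth_log);
    printf("logind[%ld]: %ld sessions since start, %ld failed logins (first at session %ld)\n",
           r.logind_pid, r.sessions, r.failed_logins, r.first_failure_at);
    return 0;
}
```

Fed the live /var/log/auth.log, a non-zero failed_logins or a sessions count approaching 1000 for the current logind PID is the signal that the restart workaround from the title is due.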
[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled
Chris, I can confirm that 1.0.2g-1ubuntu4.3 in xenial-proposed on armhf works as expected.

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed in
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309 always run
  the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf (beaglebone
  and raspberry pi 2&3) is significant (~ 700ms). On amd64 it is measurable
  but far less significant (~ 10ms). On a long running process this may be
  insignificant, but for command line tools this is problematic. I've seen
  performance differences with wget, dig, nslookup, and host. I am sure
  there are others. The specific numbers above are from the sample code
  below.

  The relevant initialization can be found in crypto/o_init.c:

    static void init_fips_mode(void)
    {
        char buf[2] = "0";
        int fd;

        /* Ensure the selftests always run */
        FIPS_mode_set(1);

        /* For now, do not enforce fips mode via env var
        if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
            buf[0] = '1';
        } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
        */
        if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
            while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
            close(fd);
        }
        /* Failure reading the fips mode switch file means just not
         * switching into FIPS mode. We would break too many things
         * otherwise.. */
        if (buf[0] != '1') {
            /* drop down to non-FIPS mode if it is not requested */
            FIPS_mode_set(0);
        } else {
            /* abort if selftest failed */
            FIPS_selftest_check();
        }
    }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled
  exists, and is 1. This still meets the original proposal as written in the
  1553309 thread:

    1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
    2. The selftests must pass
    3. The integrity check must pass

  To see the performance differences you can build and time the following
  program:

    /* header name lost in extraction; openssl/ssl.h declares OpenSSL_add_ssl_algorithms() */
    #include <openssl/ssl.h>

    int main()
    {
        OpenSSL_add_ssl_algorithms();
    }

  To measure the system performance without FIPS I installed 1.0.2g-1ubuntu2
  from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu2 on both
  armhf and amd64. I have also recompiled 1.0.2g-1ubuntu4.1 with the call to
  FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the
  following times:

    real 0m0.690s
    real 0m0.683s
    real 0m0.705s
    real 0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to
  FIPS_mode_set(1) commented out:

    real 0m0.010s
    real 0m0.010s
    real 0m0.009s
    real 0m0.012s
    real 0m0.010s

  The same system with 1.0.2g-1ubuntu2:

    real 0m0.010s
    real 0m0.009s
    real 0m0.009s
    real 0m0.011s
    real 0m0.012s

  Here is some information about my system:

    $ lsb_release -rd
    Description:    Ubuntu 16.04 LTS
    Release:        16.04

    $ apt-cache policy libssl1.0.0
    libssl1.0.0:
      Installed: 1.0.2g-1ubuntu4.1
      Candidate: 1.0.2g-1ubuntu4.1
      Version table:
     *** 1.0.2g-1ubuntu4.1 500
            500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
            500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
            100 /var/lib/dpkg/status
         1.0.2g-1ubuntu4 500
            500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages
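The gating the report asks for, as an added example rather than a patch from Ubuntu or OpenSSL: the switch file is consulted first, and FIPS_mode_set(1) and the self tests are reached only when it reads '1', so the ~700 ms armhf cost is paid only on FIPS systems. mode_set and selftest_check are hooks standing in for FIPS_mode_set() and FIPS_selftest_check() so the file builds without libssl; the hooks, the return-value convention and the function names are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Kernel FIPS switch; the same file the page's init_fips_mode() reads. */
#define FIPS_SWITCH_PATH "/proc/sys/crypto/fips_enabled"

/* Only a leading '1' means "FIPS requested"; empty or short input means off. */
int fips_requested_from_buf(const char *buf, ssize_t n)
{
    return n > 0 && buf[0] == '1';
}

/* Read the switch file. A missing file (kernel without the switch) or a read
 * error counts as "not requested", keeping the original rule that a failed
 * read must never turn FIPS mode on. */
int fips_requested(const char *path)
{
    char buf[2] = "0";
    ssize_t n;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    do {
        n = read(fd, buf, sizeof buf);
    } while (n < 0 && errno == EINTR);
    close(fd);
    return fips_requested_from_buf(buf, n);
}

/* Gated initialisation. mode_set and selftest_check are hooks standing in for
 * FIPS_mode_set() and FIPS_selftest_check() so this builds without libssl.
 * Returns 1 = FIPS active, 0 = non-FIPS, -1 = FIPS requested but not entered,
 * a failure the caller must check rather than ignore (compare the skipped
 * error code in the bug 1588524 test case quoted on this list). */
int init_fips_mode_gated(const char *switch_path, int (*mode_set)(int),
                         int (*selftest_check)(void))
{
    if (!fips_requested(switch_path))
        return 0;            /* FIPS_mode_set(1) never called: no self tests run */
    if (!mode_set(1))
        return -1;
    if (!selftest_check())
        return -1;
    return 1;
}

/* Hooks for main() and the checks: record calls instead of touching OpenSSL. */
int mode_set_calls = 0;
int recording_mode_set(int onoff) { mode_set_calls += onoff; return 1; }
int passing_selftest(void) { return 1; }

int main(void)
{
    int state = init_fips_mode_gated(FIPS_SWITCH_PATH, recording_mode_set, passing_selftest);
    printf("fips state %d, FIPS_mode_set(1) calls %d\n", state, mode_set_calls);
    return 0;
}
```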
[Touch-packages] [Bug 1614210] Re: Remove incomplete fips in openssl in xenial.
I can confirm that 1.0.2g-1ubuntu4.3 in xenial-proposed on armhf resolves the bug I described in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797.

-- 
https://bugs.launchpad.net/bugs/1614210

Title:
  Remove incomplete fips in openssl in xenial.

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Xenial:
  Fix Committed
Status in openssl source package in Yakkety:
  Fix Released

Bug description:
  Package: openssl-1.0.2g-1ubuntu4.1
  Distro: xenial

  The openssl package contains incomplete fips patches. In light of the fact
  that the fips support is incomplete and will not be completed in the main
  archive, and that the patches are impacting customers, they should be
  withdrawn. See lp bugs 1593953, 1591797, 1594748, 1588524, 1613658.
  Removal of these fips patches will remove these fips-related issues.

  [Test case]

  1. Problem in 1594748

  Note: this problem was reported in upstream openssl and a testcase posted
  there also. https://rt.openssl.org/Ticket/Display.html?id=4559

  CRYPTO_set_mem_functions() always returns 0 because library initialization
  within fips code already calls CRYPTO_malloc() and disables it. This
  testcase should cause openssl to abort, but instead it returns a context.

    /* header names lost in extraction; these are the ones the program needs */
    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/ssl.h>

    void *my_alloc(size_t n) { abort(); }
    void my_free(void *p) { abort(); }
    void *my_realloc(void *p, size_t n) { abort(); }

    int main(int argc, const char **argv)
    {
        const SSL_METHOD *method;
        SSL_CTX *ctx;

        /* With working hooks, the first allocation below would abort. */
        CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
        SSL_library_init();
        method = SSLv23_client_method();
        ctx = SSL_CTX_new(method);
        printf("Got ctx %p\n", ctx);
        return 0;
    }

  2. Problem in 1593953

  EC key generation allows the user to generate keys using EC curves that the
  EC sign and verify do not support when OPENSSL_FIPS is defined.

  Testcase taken from lp #1593953:

    openssl ecparam -genkey -name Oakley-EC2N-4

  will fail when OPENSSL_FIPS is defined since it causes a fips key-pair
  consistency check to be done. Otherwise, without OPENSSL_FIPS defined, the
  check is not done.

  3. Problem reported in 1588524

  Error code being skipped...

  Testcase taken from lp #1588524:

    /* header names lost in extraction; these are the ones the program needs */
    #include <stdio.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>

    int main()
    {
        int rc;
        unsigned long fips_err;

        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();
        OpenSSL_add_all_algorithms();

        rc = FIPS_mode_set(1);
        fips_err = ERR_peek_last_error();

        // FIPS_mode_set will return 0 on failure, which is expected if
        // the FIPS module is not compiled. In this case, we should then
        // be able to get the error code
        // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
        // https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
        printf("%d %lu\n", rc, fips_err);
        ERR_print_errors_fp(stdout);

        ERR_free_strings();
        return 0;
    }

  Should report an error message.

  [ Regression potential ]

  Removing the fips patches should decrease the regression potential of
  openssl in the main archive.
[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled
Marc Deslauriers,

Will this change to remove the FIPS patches be backported and released in Xenial?

-- Ken

-- 
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  Fix Released
[Touch-packages] [Bug 1591797] [NEW] Only run FIPS self tests when FIPS is enabled
** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  New