[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-08-25 Thread Ken Baker 
Chris, I can confirm that 1.0.2g-1ubuntu4.3 in xenial-proposed on armhf
works as expected.

** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed
  in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  always run the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf
  (beaglebone and raspberry pi 2&3) is significant (~ 700ms).  On amd64
  it is measurable but far less significant (~ 10ms).  On a long running
  process this may be insignificant, but for command line tools this is
  problematic.  I've seen performance differences with wget, dig,
  nslookup, and host.  I am sure there are others.  The specific numbers
  above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:
  static void init_fips_mode(void)
  {
  char buf[2] = "0";
  int fd;

  /* Ensure the selftests always run */
  FIPS_mode_set(1);

  /* For now, do not enforce fips mode via env var
  if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
  buf[0] = '1';
  } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { */
  if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
  while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; close(fd);
  }
  /* Failure reading the fips mode switch file means just not
   * switching into FIPS mode. We would break too many things
   * otherwise..
   */

  if (buf[0] != '1') {
  /* drop down to non-FIPS mode if it is not requested */
  FIPS_mode_set(0);
  } else {
  /* abort if selftest failed */
  FIPS_selftest_check();
  }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled 
exists, and is 1.  This still meets the original proposal as written in the 
1553309 thread:
  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass

  To see the performance differences you can build and time the following 
program:
  #include 
  #include 

  int main() {
OpenSSL_add_ssl_algorithms();
  }

  To measure the system performance without FIPS I installed 1.0.2g-
  1ubuntu2 from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-
  1ubuntu2 on both armhf and amd64.  I have also recompiled 1.0.2g-
  1ubuntu4.1 with the call to FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the 
following times:
  real0m0.690s
  real0m0.683s
  real0m0.705s
  real0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to 
FIPS_mode_set(1) commented out:
  real0m0.010s
  real0m0.010s
  real0m0.009s
  real0m0.012s
  real0m0.010s

  The same system with 1.0.2g-1ubuntu2:
  real0m0.010s
  real0m0.009s
  real0m0.009s
  real0m0.011s
  real0m0.012s

  
  Here is some information about my system:
  $ lsb_release -rd
  Description:Ubuntu 16.04 LTS
  Release:16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf 
Packages 500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf 
Packages 100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-08-24 Thread Chris J Arges 
Hello Ken, or anyone else affected,

Accepted openssl into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/openssl/1.0.2g-
1ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed
  in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  always run the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf
  (beaglebone and raspberry pi 2&3) is significant (~ 700ms).  On amd64
  it is measurable but far less significant (~ 10ms).  On a long running
  process this may be insignificant, but for command line tools this is
  problematic.  I've seen performance differences with wget, dig,
  nslookup, and host.  I am sure there are others.  The specific numbers
  above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:
  static void init_fips_mode(void)
  {
  char buf[2] = "0";
  int fd;

  /* Ensure the selftests always run */
  FIPS_mode_set(1);

  /* For now, do not enforce fips mode via env var
  if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
  buf[0] = '1';
  } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { */
  if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
  while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; close(fd);
  }
  /* Failure reading the fips mode switch file means just not
   * switching into FIPS mode. We would break too many things
   * otherwise..
   */

  if (buf[0] != '1') {
  /* drop down to non-FIPS mode if it is not requested */
  FIPS_mode_set(0);
  } else {
  /* abort if selftest failed */
  FIPS_selftest_check();
  }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled 
exists, and is 1.  This still meets the original proposal as written in the 
1553309 thread:
  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass

  To see the performance differences you can build and time the following 
program:
  #include 
  #include 

  int main() {
OpenSSL_add_ssl_algorithms();
  }

  To measure the system performance without FIPS I installed 1.0.2g-
  1ubuntu2 from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-
  1ubuntu2 on both armhf and amd64.  I have also recompiled 1.0.2g-
  1ubuntu4.1 with the call to FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the 
following times:
  real0m0.690s
  real0m0.683s
  real0m0.705s
  real0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to 
FIPS_mode_set(1) commented out:
  real0m0.010s
  real0m0.010s
  real0m0.009s
  real0m0.012s
  real0m0.010s

  The same system with 1.0.2g-1ubuntu2:
  real0m0.010s
  real0m0.009s
  real0m0.009s
  real0m0.011s
  real0m0.012s

  
  Here is some information about my system:
  $ lsb_release -rd
  Description:Ubuntu 16.04 LTS
  Release:16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf 
Packages 500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf 
Packages 100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions

-- 
Mailing list:

[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-08-23 Thread Marc Deslauriers 
Yes, see bug 1614210 for the SRU to xenial.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed
  in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  always run the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf
  (beaglebone and raspberry pi 2&3) is significant (~ 700ms).  On amd64
  it is measurable but far less significant (~ 10ms).  On a long running
  process this may be insignificant, but for command line tools this is
  problematic.  I've seen performance differences with wget, dig,
  nslookup, and host.  I am sure there are others.  The specific numbers
  above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:
  static void init_fips_mode(void)
  {
  char buf[2] = "0";
  int fd;

  /* Ensure the selftests always run */
  FIPS_mode_set(1);

  /* For now, do not enforce fips mode via env var
  if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
  buf[0] = '1';
  } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { */
  if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
  while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; close(fd);
  }
  /* Failure reading the fips mode switch file means just not
   * switching into FIPS mode. We would break too many things
   * otherwise..
   */

  if (buf[0] != '1') {
  /* drop down to non-FIPS mode if it is not requested */
  FIPS_mode_set(0);
  } else {
  /* abort if selftest failed */
  FIPS_selftest_check();
  }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled 
exists, and is 1.  This still meets the original proposal as written in the 
1553309 thread:
  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass

  To see the performance differences you can build and time the following 
program:
  #include 
  #include 

  int main() {
OpenSSL_add_ssl_algorithms();
  }

  To measure the system performance without FIPS I installed 1.0.2g-
  1ubuntu2 from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-
  1ubuntu2 on both armhf and amd64.  I have also recompiled 1.0.2g-
  1ubuntu4.1 with the call to FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the 
following times:
  real0m0.690s
  real0m0.683s
  real0m0.705s
  real0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to 
FIPS_mode_set(1) commented out:
  real0m0.010s
  real0m0.010s
  real0m0.009s
  real0m0.012s
  real0m0.010s

  The same system with 1.0.2g-1ubuntu2:
  real0m0.010s
  real0m0.009s
  real0m0.009s
  real0m0.011s
  real0m0.012s

  
  Here is some information about my system:
  $ lsb_release -rd
  Description:Ubuntu 16.04 LTS
  Release:16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf 
Packages 500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf 
Packages 100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-08-22 Thread Ken Baker 
Marc Deslauriers,

Will this change to remove the FIPS patches be backported and released
in Xenial?

-- Ken

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed
  in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  always run the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf
  (beaglebone and raspberry pi 2&3) is significant (~ 700ms).  On amd64
  it is measurable but far less significant (~ 10ms).  On a long running
  process this may be insignificant, but for command line tools this is
  problematic.  I've seen performance differences with wget, dig,
  nslookup, and host.  I am sure there are others.  The specific numbers
  above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:
  static void init_fips_mode(void)
  {
  char buf[2] = "0";
  int fd;

  /* Ensure the selftests always run */
  FIPS_mode_set(1);

  /* For now, do not enforce fips mode via env var
  if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
  buf[0] = '1';
  } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { */
  if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
  while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; close(fd);
  }
  /* Failure reading the fips mode switch file means just not
   * switching into FIPS mode. We would break too many things
   * otherwise..
   */

  if (buf[0] != '1') {
  /* drop down to non-FIPS mode if it is not requested */
  FIPS_mode_set(0);
  } else {
  /* abort if selftest failed */
  FIPS_selftest_check();
  }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled 
exists, and is 1.  This still meets the original proposal as written in the 
1553309 thread:
  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass

  To see the performance differences you can build and time the following 
program:
  #include 
  #include 

  int main() {
OpenSSL_add_ssl_algorithms();
  }

  To measure the system performance without FIPS I installed 1.0.2g-
  1ubuntu2 from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-
  1ubuntu2 on both armhf and amd64.  I have also recompiled 1.0.2g-
  1ubuntu4.1 with the call to FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the 
following times:
  real0m0.690s
  real0m0.683s
  real0m0.705s
  real0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to 
FIPS_mode_set(1) commented out:
  real0m0.010s
  real0m0.010s
  real0m0.009s
  real0m0.012s
  real0m0.010s

  The same system with 1.0.2g-1ubuntu2:
  real0m0.010s
  real0m0.009s
  real0m0.009s
  real0m0.011s
  real0m0.012s

  
  Here is some information about my system:
  $ lsb_release -rd
  Description:Ubuntu 16.04 LTS
  Release:16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf 
Packages 500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf 
Packages 100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-08-22 Thread Launchpad Bug Tracker 
This bug was fixed in the package openssl - 1.0.2g-1ubuntu8

---
openssl (1.0.2g-1ubuntu8) yakkety; urgency=medium

  * Remove unused FIPS patches for now. (LP: #1594748, LP: #1593953,
LP: #1591797, LP: #1588524)

 -- Marc Deslauriers   Mon, 15 Aug 2016
14:20:42 -0400

** Changed in: openssl (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  Fix Released

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed
  in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  always run the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf
  (beaglebone and raspberry pi 2&3) is significant (~ 700ms).  On amd64
  it is measurable but far less significant (~ 10ms).  On a long running
  process this may be insignificant, but for command line tools this is
  problematic.  I've seen performance differences with wget, dig,
  nslookup, and host.  I am sure there are others.  The specific numbers
  above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:
  static void init_fips_mode(void)
  {
  char buf[2] = "0";
  int fd;

  /* Ensure the selftests always run */
  FIPS_mode_set(1);

  /* For now, do not enforce fips mode via env var
  if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
  buf[0] = '1';
  } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { */
  if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
  while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; close(fd);
  }
  /* Failure reading the fips mode switch file means just not
   * switching into FIPS mode. We would break too many things
   * otherwise..
   */

  if (buf[0] != '1') {
  /* drop down to non-FIPS mode if it is not requested */
  FIPS_mode_set(0);
  } else {
  /* abort if selftest failed */
  FIPS_selftest_check();
  }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled 
exists, and is 1.  This still meets the original proposal as written in the 
1553309 thread:
  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass

  To see the performance differences you can build and time the following 
program:
  #include 
  #include 

  int main() {
OpenSSL_add_ssl_algorithms();
  }

  To measure the system performance without FIPS I installed 1.0.2g-
  1ubuntu2 from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-
  1ubuntu2 on both armhf and amd64.  I have also recompiled 1.0.2g-
  1ubuntu4.1 with the call to FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the 
following times:
  real0m0.690s
  real0m0.683s
  real0m0.705s
  real0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to 
FIPS_mode_set(1) commented out:
  real0m0.010s
  real0m0.010s
  real0m0.009s
  real0m0.012s
  real0m0.010s

  The same system with 1.0.2g-1ubuntu2:
  real0m0.010s
  real0m0.009s
  real0m0.009s
  real0m0.011s
  real0m0.012s

  
  Here is some information about my system:
  $ lsb_release -rd
  Description:Ubuntu 16.04 LTS
  Release:16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf 
Packages 500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf 
Packages 100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1591797] Re: Only run FIPS self tests when FIPS is enabled

2016-06-13 Thread Joy Latten 
This is a FIPS 140-2 requirement.
The FIPS_mode_set(1) in init_fips_mode() called from OPENSSL_init_library is to 
satisfy the FIPS 140-2, Section 4.9 requirement that power-up selftest be run 
when the module is powered-up. This must be done regardless of whether the 
module is to be run in FIPS mode or not. Reading /proc entry only indicates 
whether to run the module in FIPS mode.

Note: The FIPS code in openssl in Xenial is a work-in-progress and is not 
complete.
All effort is made to optimize the power-up selftest as mush as possible.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1591797

Title:
  Only run FIPS self tests when FIPS is enabled

Status in openssl package in Ubuntu:
  New

Bug description:
  The FIPS changes added in 1.0.2g-1ubuntu3/1.0.2g-1ubuntu4 as discussed
  in https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1553309
  always run the FIPS self tests independent of FIPS being enabled (via
  /proc/sys/crypto/fips_enabled).

  The performance impact of running these FIPS tests on armhf
  (beaglebone and raspberry pi 2&3) is significant (~ 700ms).  On amd64
  it is measurable but far less significant (~ 10ms).  On a long running
  process this may be insignificant, but for command line tools this is
  problematic.  I've seen performance differences with wget, dig,
  nslookup, and host.  I am sure there are others.  The specific numbers
  above are from the sample code below.

  The relevant initialization can be found in crypto/o_init.c:
  static void init_fips_mode(void)
  {
  char buf[2] = "0";
  int fd;

  /* Ensure the selftests always run */
  FIPS_mode_set(1);

  /* For now, do not enforce fips mode via env var
  if (getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
  buf[0] = '1';
  } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { */
  if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
  while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; close(fd);
  }
  /* Failure reading the fips mode switch file means just not
   * switching into FIPS mode. We would break too many things
   * otherwise..
   */

  if (buf[0] != '1') {
  /* drop down to non-FIPS mode if it is not requested */
  FIPS_mode_set(0);
  } else {
  /* abort if selftest failed */
  FIPS_selftest_check();
  }
  }

  I would like to see these tests only run if /proc/sys/crypto/fips_enabled 
exists, and is 1.  This still meets the original proposal as written in the 
1553309 thread:
  1. openssl must read a 1 from /proc/sys/crypto/fips_enabled.
  2. The selftests must pass
  3. The integrity check must pass

  To see the performance differences you can build and time the following 
program:
  #include 
  #include 

  int main() {
OpenSSL_add_ssl_algorithms();
  }

  To measure the system performance without FIPS I installed 1.0.2g-
  1ubuntu2 from: https://launchpad.net/ubuntu/+source/openssl/1.0.2g-
  1ubuntu2 on both armhf and amd64.  I have also recompiled 1.0.2g-
  1ubuntu4.1 with the call to FIPS_mode_set(1) commented out.

  When I run the original 1.0.2g-1ubuntu4.1 on my Raspberry Pi I see the 
following times:
  real0m0.690s
  real0m0.683s
  real0m0.705s
  real0m0.690s

  The same system with 1.0.2g-1ubuntu4.1 modified and the call to 
FIPS_mode_set(1) commented out:
  real0m0.010s
  real0m0.010s
  real0m0.009s
  real0m0.012s
  real0m0.010s

  The same system with 1.0.2g-1ubuntu2:
  real0m0.010s
  real0m0.009s
  real0m0.009s
  real0m0.011s
  real0m0.012s

  
  Here is some information about my system:
  $ lsb_release -rd
  Description:Ubuntu 16.04 LTS
  Release:16.04

  $ apt-cache policy libssl1.0.0
  libssl1.0.0:
Installed: 1.0.2g-1ubuntu4.1
Candidate: 1.0.2g-1ubuntu4.1
Version table:
   *** 1.0.2g-1ubuntu4.1 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf 
Packages 500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf 
Packages 100 /var/lib/dpkg/status
   1.0.2g-1ubuntu4 500
  500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1591797/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp