Skip Menu |
 

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 81575
Status: resolved
Worked: 30 min
Priority: 0/
Queue: Net-SSLeay

People
Owner: MIKEM [...] cpan.org
Requestors: BOLDRA [...] boldra.org
Cc: OLIVER [...] cpan.org
AdminCc:

Bug Information
Severity: Important
Broken in: 1.49
Fixed in: (no value)

Attachments
perl-Net-SSLeay_avoid_mutex_deadlock.patch



Subject: 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)
Download (untitled) / with headers
text/plain 2.9k
t/local/04_basic.t calls Net::SSLeay::SSLeay_add_ssl_algorithms() (via Test::Exception, but this is not the cause), Net::SSLeay::SSLeay_add_ssl_algorithms() does not return. openssl version: OpenSSL 0.9.8j-fips 07 Jan 2009 (on a very similar host with 0.9.8h the problem is not present) uname -a: Linux ivml2171 3.0.42-0.7-default #1 SMP Tue Oct 9 11:58:45 UTC 2012 (a8dc443) x86_64 x86_64 x86_64 GNU/Linux perl -V: Summary of my perl5 (revision 5 version 16 subversion 2) configuration: Platform: osname=linux, osvers=3.0.42-0.7-default, archname=x86_64-linux-thread-multi uname='linux ivml2171 3.0.42-0.7-default #1 smp tue oct 9 11:58:45 utc 2012 (a8dc443) x86_64 x86_64 x86_64 gnulinux ' config_args='-d -Dusethreads' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', optimize='-O2', cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include' ccversion='', gccversion='4.3.4 [gcc-4_3-branch revision 152973]', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='cc', ldflags =' -fstack-protector -L/usr/local/lib' libpth=/usr/local/lib /lib/../lib64 /usr/lib/../lib64 /lib /usr/lib /lib64 /usr/lib64 /usr/local/lib64 libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc libc=/lib/libc-2.11.3.so, so=so, useshrplib=false, libperl=libperl.a gnulibc_version='2.11.3' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E' cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector' Characteristics of this binary (from libperl): Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF USE_REENTRANT_API Built under linux Compiled at Nov 23 2012 11:36:38 @INC: /usr/local/lib/perl5/site_perl/5.16.2/x86_64-linux-thread-multi /usr/local/lib/perl5/site_perl/5.16.2 /usr/local/lib/perl5/5.16.2/x86_64-linux-thread-multi /usr/local/lib/perl5/5.16.2
Download (untitled) / with headers
text/plain 221b
Show quoted text
> openssl version: > OpenSSL 0.9.8j-fips 07 Jan 2009 > (on a very similar host with 0.9.8h the problem is not present)
I just noticed that the second host doesn't have Test::Exception installed, so the tests weren't run.
Subject: Re: [rt.cpan.org #81575] 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)
Date: Sun, 02 Dec 2012 09:01:45 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Download (untitled) / with headers
text/plain 4.5k
Hello, Hmmm, if Net::SSLeay::SSLeay_add_ssl_algorithms() does not return, I suspect it is hanging in SSL_library_init, which would indicate a problem with the underlying openssl library. I notice it is a FIPS enabled openssl you are using? You can check by running the test under the gdb debugger, waiting for it to hang and then getting a stack backtrace. That will help me to understand the problem. Cheers. On Friday, November 30, 2012 07:13:13 AM you wrote: Show quoted text
> Fri Nov 30 07:13:11 2012: Request 81575 was acted upon. > Transaction: Ticket created by BOLDRA > Queue: Net-SSLeay > Subject: 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl > 5.16.2) Broken in: 1.49 > Severity: Important > Owner: Nobody > Requestors: BOLDRA@boldra.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > > t/local/04_basic.t calls Net::SSLeay::SSLeay_add_ssl_algorithms() (via > Test::Exception, but this is not the cause), > Net::SSLeay::SSLeay_add_ssl_algorithms() does not return. > > openssl version: > OpenSSL 0.9.8j-fips 07 Jan 2009 > (on a very similar host with 0.9.8h the problem is not present) > > uname -a: > Linux ivml2171 3.0.42-0.7-default #1 SMP Tue Oct 9 11:58:45 UTC 2012 > (a8dc443) x86_64 x86_64 x86_64 GNU/Linux > > perl -V: > Summary of my perl5 (revision 5 version 16 subversion 2) configuration: > > Platform: > osname=linux, osvers=3.0.42-0.7-default, > archname=x86_64-linux-thread-multi > uname='linux ivml2171 3.0.42-0.7-default #1 smp tue oct 9 11:58:45 > utc 2012 (a8dc443) x86_64 x86_64 x86_64 gnulinux ' > config_args='-d -Dusethreads' > hint=recommended, useposix=true, d_sigaction=define > useithreads=define, usemultiplicity=define > useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef > use64bitint=define, use64bitall=define, uselongdouble=undef > usemymalloc=n, bincompat5005=undef > Compiler: > cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing > -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE > -D_FILE_OFFSET_BITS=64', > optimize='-O2', > cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe > -fstack-protector -I/usr/local/include' > ccversion='', gccversion='4.3.4 [gcc-4_3-branch revision 152973]', > gccosandvers='' > intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 > d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 > ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', > lseeksize=8 > alignbytes=8, prototype=define > Linker and Libraries: > ld='cc', ldflags =' -fstack-protector -L/usr/local/lib' > libpth=/usr/local/lib /lib/../lib64 /usr/lib/../lib64 /lib /usr/lib > /lib64 /usr/lib64 /usr/local/lib64 > libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc > -lgdbm_compat > perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc > libc=/lib/libc-2.11.3.so, so=so, useshrplib=false, libperl=libperl.a > gnulibc_version='2.11.3' > Dynamic Linking: > dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E' > cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib > -fstack-protector' > > > Characteristics of this binary (from libperl): > Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS > PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT > PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL > USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES > USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE > USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF > USE_REENTRANT_API > Built under linux > Compiled at Nov 23 2012 11:36:38 > @INC: > /usr/local/lib/perl5/site_perl/5.16.2/x86_64-linux-thread-multi > /usr/local/lib/perl5/site_perl/5.16.2 > /usr/local/lib/perl5/5.16.2/x86_64-linux-thread-multi > /usr/local/lib/perl5/5.16.2
-- Mike McCauley mikem@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Download (untitled) / with headers
text/plain 1.6k
Hi Mike, Thanks for your fast answer - I've been putting off replying because I'm so unfamiliar with gdb, but it was easier than I expected. (gdb) backtrace #0 0x00007f2e162e9294 in __lll_lock_wait () from /lib64/libpthread.so.0 #1 0x00007f2e162e4619 in _L_lock_1008 () from /lib64/libpthread.so.0 #2 0x00007f2e162e442e in pthread_mutex_lock () from /lib64/libpthread.so.0 #3 0x00007f2e15b36505 in openssl_locking_function (mode=<optimized Show quoted text
out>, type=<optimized out>, file=0x0, line=-1) at SSLeay.xs:253
#4 0x00007f2e1560806e in ?? () from /usr/lib64/libcrypto.so.0.9.8 #5 0x00007f2e156084a7 in FIPS_mode_set () from /usr/lib64/libcrypto.so.0.9.8 #6 0x00007f2e155d5ea9 in OPENSSL_init () from /usr/lib64/libcrypto.so.0.9.8 #7 0x00007f2e158e3d99 in SSL_library_init () from /usr/lib64/libssl.so.0.9.8 #8 0x00007f2e15b36475 in XS_Net__SSLeay_library_init (my_perl=<optimized out>, cv=<optimized out>) at SSLeay.xs:1737 #9 0x00000000004a7315 in Perl_pp_entersub () #10 0x00000000004a5896 in Perl_runops_standard () #11 0x0000000000436dee in perl_run () #12 0x000000000041d78c in main () I hope there's something useful for you in there! Thanks for your help. On Sat Dec 01 18:02:05 2012, mikem@open.com.au wrote: Show quoted text
> Hello, > > > Hmmm, if Net::SSLeay::SSLeay_add_ssl_algorithms() does not return, I > suspect > it is hanging in SSL_library_init, which would indicate a problem with > the > underlying openssl library. I notice it is a FIPS enabled openssl you > are > using? > > You can check by running the test under the gdb debugger, waiting for > it to > hang and then getting a stack backtrace. That will help me to > understand the > problem. > > Cheers. > > >
Subject: Re: [rt.cpan.org #81575] 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)
Date: Thu, 06 Dec 2012 07:24:51 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Download (untitled) / with headers
text/plain 2.8k
Hello Paul, thanks for the trace. It seems to tell me that you do not have a recent openssl/fips, though I am not 100% sure. Can you tell me how you acquired the openssl+fips library and headers? Was it a distro package, or did you build it yourself? What versions of openssl and fips did you use? Precisely how did you build it (detailed instructions please)? Cheers. On Tuesday, December 04, 2012 10:38:29 AM Paul Boldra via RT wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > Hi Mike, > > Thanks for your fast answer - I've been putting off replying because I'm > so unfamiliar with gdb, but it was easier than I expected. > > (gdb) backtrace > #0 0x00007f2e162e9294 in __lll_lock_wait () from /lib64/libpthread.so.0 > #1 0x00007f2e162e4619 in _L_lock_1008 () from /lib64/libpthread.so.0 > #2 0x00007f2e162e442e in pthread_mutex_lock () from /lib64/libpthread.so.0 > #3 0x00007f2e15b36505 in openssl_locking_function (mode=<optimized
> out>, type=<optimized out>, file=0x0, line=-1) at SSLeay.xs:253
> #4 0x00007f2e1560806e in ?? () from /usr/lib64/libcrypto.so.0.9.8 > #5 0x00007f2e156084a7 in FIPS_mode_set () from > /usr/lib64/libcrypto.so.0.9.8 > #6 0x00007f2e155d5ea9 in OPENSSL_init () from /usr/lib64/libcrypto.so.0.9.8 > #7 0x00007f2e158e3d99 in SSL_library_init () from > /usr/lib64/libssl.so.0.9.8 > #8 0x00007f2e15b36475 in XS_Net__SSLeay_library_init > (my_perl=<optimized out>, cv=<optimized out>) at SSLeay.xs:1737 > #9 0x00000000004a7315 in Perl_pp_entersub () > #10 0x00000000004a5896 in Perl_runops_standard () > #11 0x0000000000436dee in perl_run () > #12 0x000000000041d78c in main () > > I hope there's something useful for you in there! > > Thanks for your help. > > On Sat Dec 01 18:02:05 2012, mikem@open.com.au wrote:
> > Hello, > > > > > > Hmmm, if Net::SSLeay::SSLeay_add_ssl_algorithms() does not return, I > > suspect > > it is hanging in SSL_library_init, which would indicate a problem with > > the > > underlying openssl library. I notice it is a FIPS enabled openssl you > > are > > using? > > > > You can check by running the test under the gdb debugger, waiting for > > it to > > hang and then getting a stack backtrace. That will help me to > > understand the > > problem. > > > > Cheers.
-- Mike McCauley mikem@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Download (untitled) / with headers
text/plain 2.7k
Hi Mike, thanks again for your patience with this. This is SLES 11 - I didn't build any of the openssl packages myself. Yast tells me the openssl is current, and it includes a changelog up to July this year, but not detailled compilation options. Version: 0.9.8j-0.44.1 Build Time: Tue Jul 10 13:32:41 2012 Packager: http://bugs.opensuse.org Architecture: x86_64 Build Host: URL: http://www.openssl.org/ Source Package: openssl-0.9.8j-0.44.1 FIPS is a bit more of a mystery. Yast tells me there's no "FIPS" installed, but I found /usr/share/doc/packages/openssl/README-FIPS.txt which says: Dear user of the SUSE Linux Enterprise Server, SLES11-SP1 comes with openssl of version 0.9.8j, a version upgrade from 0.9.8h that came with earlier revisions of SLES11. The new version has support for FIPS-140-2 mode of operation. FIPS is short for Federal Information Processing Standard. For more information on FIPS-140-2, please see http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf and more publications on the NIST website. The openssl shared libraries are used by numerous packages in the SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode, then the binary that links against the library at runtime makes use of FIPS-140-2 validated cryptography as defined in its cryptographic module. By consequence, a large number of packages can make a claim about using FIPS-140-2 validated cryptographical functions. Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2 mode of operation. Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are supported and used, if the used CPU supports the AES-NI instructions. These assembler optimizations can deliver a substantial performance benefit. To check if your system's CPU(s) has (have) AES-NI support, have a look into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes" flag. AES-NI support can be disabled by setting the environment variable OPENSSL_DISABLE_AESNI before running binaries that link against openssl. The "openssl speed" command can give you an idea for the performance differences. The cryptographic module as defined for FIPS-140-2 is contained in the files /usr/lib64/.libcrypto.so.0.9.8.hmac /usr/lib64/.libssl.so.0.9.8.hmac /usr/lib64/libcrypto.so.0.9.8 /usr/lib64/libssl.so.0.9.8 for 64bit operation and /usr/lib/.libcrypto.so.0.9.8.hmac /usr/lib/.libssl.so.0.9.8.hmac /usr/lib/libcrypto.so.0.9.8 /usr/lib/libssl.so.0.9.8 (snip) -------------------------------------------------------------------- I thought I might find some more in /etc/ssl/openssl.cnf, but "ack fips /etc/ssl" turns up nothing. Hopefully this is enough to reproduce the problem. thanks very much for your efforts! Paul Boldra
Subject: Re: [rt.cpan.org #81575] 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)
Date: Fri, 07 Dec 2012 10:27:05 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Download (untitled) / with headers
text/plain 3.9k
Hi again, thanks for this info, We are investigating now. Looks to me like your openssl is getting started in FIPS mode. According to the rest of README-FIPS.txt,this should only happen if the environemnt variable OPENSSL_FORCE_FIPS_MODE is set to 1. Can you confirm this is the case for you? Otherwise I would expect openssl (and therfore the make test) to *not* run in FIPS mode. Cheers. On Thursday, December 06, 2012 06:24:09 AM you wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > Hi Mike, > > thanks again for your patience with this. This is SLES 11 - I didn't > build any of the openssl packages myself. Yast tells me the openssl is > current, and it includes a changelog up to July this year, but not > detailled compilation options. > > Version: 0.9.8j-0.44.1 > Build Time: Tue Jul 10 13:32:41 2012 > Packager: http://bugs.opensuse.org > Architecture: x86_64 > Build Host: > URL: http://www.openssl.org/ > Source Package: openssl-0.9.8j-0.44.1 > > FIPS is a bit more of a mystery. Yast tells me there's no "FIPS" > installed, but I found /usr/share/doc/packages/openssl/README-FIPS.txt > which says: > > Dear user of the SUSE Linux Enterprise Server, > > SLES11-SP1 comes with openssl of version 0.9.8j, a version upgrade from > 0.9.8h that came with earlier revisions of SLES11. > > The new version has support for FIPS-140-2 mode of operation. > FIPS is short for Federal Information Processing Standard. > For more information on FIPS-140-2, please see > http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf > and more publications on the NIST website. > > The openssl shared libraries are used by numerous packages in the > SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode, > then the binary that links against the library at runtime makes use > of FIPS-140-2 validated cryptography as defined in its cryptographic > module. By consequence, a large number of packages can make a claim > about using FIPS-140-2 validated cryptographical functions. > > Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2 > mode of operation. > Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are > supported and used, if the used CPU supports the AES-NI instructions. These > assembler optimizations can deliver a substantial performance benefit. > To check if your system's CPU(s) has (have) AES-NI support, have a look > into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes" > flag. > AES-NI support can be disabled by setting the environment variable > OPENSSL_DISABLE_AESNI before running binaries that link against openssl. > The "openssl speed" command can give you an idea for the performance > differences. > > > The cryptographic module as defined for FIPS-140-2 is contained in the files > /usr/lib64/.libcrypto.so.0.9.8.hmac > /usr/lib64/.libssl.so.0.9.8.hmac > /usr/lib64/libcrypto.so.0.9.8 > /usr/lib64/libssl.so.0.9.8 > for 64bit operation and > /usr/lib/.libcrypto.so.0.9.8.hmac > /usr/lib/.libssl.so.0.9.8.hmac > /usr/lib/libcrypto.so.0.9.8 > /usr/lib/libssl.so.0.9.8 > > (snip) > -------------------------------------------------------------------- > > I thought I might find some more in /etc/ssl/openssl.cnf, but "ack fips > /etc/ssl" turns up nothing. Hopefully this is enough to reproduce the > problem. > > thanks very much for your efforts! > > Paul Boldra
-- Mike McCauley mikem@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Subject: Re: [rt.cpan.org #81575] 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)
Date: Fri, 07 Dec 2012 13:17:35 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Download (untitled) / with headers
text/plain 5.3k
Hi again, we have been able to reproduce this problem by building openssl-fips-1.2 and openssl-0.9.8j by hand here, then running net-ssleay against it and adding FIPS_mode_set(1) to the test suites. The problem is caused by a bug in openssl-0.9.8j that only appears when external locking functions are used (net-ssleay implements external openssl locking functions in terms of mutexes) Details: FIPS_mode_set() calls fips_w_lock(); to set a write lock on lock number 39 (CRYPTO_LOCK_FIPS) and it holds that write lock while it does its work. then it calls if(FIPS_mode()) ..... but FIPS_mode() calls fips_r_lock(); to set a read lock on the same lock number 39 (CRYPTO_LOCK_FIPS) before it does its work. but of course this read lock is never granted due to a deadlock with the previously granted write lock. This problem does not normally appear in FIPS enabled openssl 0.9.8j, since the default built-in internal locking in openssl is a no-op As for what to do now: I think the only answer is to upgrade to a later openssl-fips. Cheers. On Thursday, December 06, 2012 07:27:25 PM mikem@open.com.au via RT wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > Hi again, > > thanks for this info, > We are investigating now. > > Looks to me like your openssl is getting started in FIPS mode. According to > the rest of README-FIPS.txt,this should only happen if the environemnt > variable OPENSSL_FORCE_FIPS_MODE is set to 1. Can you confirm this is the > case for you? > > Otherwise I would expect openssl (and therfore the make test) to *not* run > in FIPS mode. > > Cheers. > > On Thursday, December 06, 2012 06:24:09 AM you wrote:
> > Queue: Net-SSLeay > > > > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > > > Hi Mike, > > > > thanks again for your patience with this. This is SLES 11 - I didn't > > build any of the openssl packages myself. Yast tells me the openssl is > > current, and it includes a changelog up to July this year, but not > > detailled compilation options. > > > > Version: 0.9.8j-0.44.1 > > Build Time: Tue Jul 10 13:32:41 2012 > > Packager: http://bugs.opensuse.org > > Architecture: x86_64 > > Build Host: > > URL: http://www.openssl.org/ > > Source Package: openssl-0.9.8j-0.44.1 > > > > FIPS is a bit more of a mystery. Yast tells me there's no "FIPS" > > installed, but I found /usr/share/doc/packages/openssl/README-FIPS.txt > > which says: > > > > Dear user of the SUSE Linux Enterprise Server, > > > > SLES11-SP1 comes with openssl of version 0.9.8j, a version upgrade from > > 0.9.8h that came with earlier revisions of SLES11. > > > > The new version has support for FIPS-140-2 mode of operation. > > FIPS is short for Federal Information Processing Standard. > > For more information on FIPS-140-2, please see > > http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf > > and more publications on the NIST website. > > > > The openssl shared libraries are used by numerous packages in the > > SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode, > > then the binary that links against the library at runtime makes use > > of FIPS-140-2 validated cryptography as defined in its cryptographic > > module. By consequence, a large number of packages can make a claim > > about using FIPS-140-2 validated cryptographical functions. > > > > Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2 > > mode of operation. > > Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are > > supported and used, if the used CPU supports the AES-NI instructions. > > These > > assembler optimizations can deliver a substantial performance benefit. > > To check if your system's CPU(s) has (have) AES-NI support, have a look > > into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes" > > flag. > > AES-NI support can be disabled by setting the environment variable > > OPENSSL_DISABLE_AESNI before running binaries that link against openssl. > > The "openssl speed" command can give you an idea for the performance > > differences. > > > > > > The cryptographic module as defined for FIPS-140-2 is contained in the > > files /usr/lib64/.libcrypto.so.0.9.8.hmac > > > > /usr/lib64/.libssl.so.0.9.8.hmac > > /usr/lib64/libcrypto.so.0.9.8 > > /usr/lib64/libssl.so.0.9.8 > > > > for 64bit operation and > > > > /usr/lib/.libcrypto.so.0.9.8.hmac > > /usr/lib/.libssl.so.0.9.8.hmac > > /usr/lib/libcrypto.so.0.9.8 > > /usr/lib/libssl.so.0.9.8 > > > > (snip) > > -------------------------------------------------------------------- > > > > I thought I might find some more in /etc/ssl/openssl.cnf, but "ack fips > > /etc/ssl" turns up nothing. Hopefully this is enough to reproduce the > > problem. > > > > thanks very much for your efforts! > > > > Paul Boldra
-- Mike McCauley mikem@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Subject: Re: [rt.cpan.org #81575] 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)
Date: Fri, 07 Dec 2012 13:45:36 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Download (untitled) / with headers
text/plain 5.7k
Hi again, On Friday, December 07, 2012 01:17:35 PM Mike McCauley wrote: Show quoted text
> Hi again, > > we have been able to reproduce this problem by building openssl-fips-1.2 and > openssl-0.9.8j by hand here, then running net-ssleay against it and adding > FIPS_mode_set(1) to the test suites. > > The problem is caused by a bug in openssl-0.9.8j that only appears when > external locking functions are used (net-ssleay implements external openssl > locking functions in terms of mutexes) > > Details: > > FIPS_mode_set() > calls > fips_w_lock(); > to set a write lock on lock number 39 (CRYPTO_LOCK_FIPS) > and it holds that write lock while it does its work. > > then it calls > > if(FIPS_mode()) > ..... > > but FIPS_mode() > calls fips_r_lock(); > to set a read lock on the same lock number 39 (CRYPTO_LOCK_FIPS) > before it does its work. > > but of course this read lock is never granted due to a deadlock with the > previously granted write lock. > > This problem does not normally appear in FIPS enabled openssl 0.9.8j, since > the default built-in internal locking in openssl is a no-op > > > As for what to do now: > > I think the only answer is to upgrade to a later openssl-fips.
or disable FIPS mode when you run net-ssleay. Cheers. Show quoted text
> > Cheers. > > On Thursday, December 06, 2012 07:27:25 PM mikem@open.com.au via RT wrote:
> > Queue: Net-SSLeay > > > > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > > > Hi again, > > > > thanks for this info, > > We are investigating now. > > > > Looks to me like your openssl is getting started in FIPS mode. According > > to > > the rest of README-FIPS.txt,this should only happen if the environemnt > > variable OPENSSL_FORCE_FIPS_MODE is set to 1. Can you confirm this is the > > case for you? > > > > Otherwise I would expect openssl (and therfore the make test) to *not* run > > in FIPS mode. > > > > Cheers. > > > > On Thursday, December 06, 2012 06:24:09 AM you wrote:
> > > Queue: Net-SSLeay > > > > > > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > > > > > Hi Mike, > > > > > > thanks again for your patience with this. This is SLES 11 - I didn't > > > build any of the openssl packages myself. Yast tells me the openssl is > > > current, and it includes a changelog up to July this year, but not > > > detailled compilation options. > > > > > > Version: 0.9.8j-0.44.1 > > > Build Time: Tue Jul 10 13:32:41 2012 > > > Packager: http://bugs.opensuse.org > > > Architecture: x86_64 > > > Build Host: > > > URL: http://www.openssl.org/ > > > Source Package: openssl-0.9.8j-0.44.1 > > > > > > FIPS is a bit more of a mystery. Yast tells me there's no "FIPS" > > > installed, but I found /usr/share/doc/packages/openssl/README-FIPS.txt > > > which says: > > > > > > Dear user of the SUSE Linux Enterprise Server, > > > > > > SLES11-SP1 comes with openssl of version 0.9.8j, a version upgrade from > > > 0.9.8h that came with earlier revisions of SLES11. > > > > > > The new version has support for FIPS-140-2 mode of operation. > > > FIPS is short for Federal Information Processing Standard. > > > For more information on FIPS-140-2, please see > > > http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf > > > and more publications on the NIST website. > > > > > > The openssl shared libraries are used by numerous packages in the > > > SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode, > > > then the binary that links against the library at runtime makes use > > > of FIPS-140-2 validated cryptography as defined in its cryptographic > > > module. By consequence, a large number of packages can make a claim > > > about using FIPS-140-2 validated cryptographical functions. > > > > > > Both the 64bit and the 32bit shared libraries are supported in > > > FIPS-140-2 > > > mode of operation. > > > Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are > > > supported and used, if the used CPU supports the AES-NI instructions. > > > These > > > assembler optimizations can deliver a substantial performance benefit. > > > To check if your system's CPU(s) has (have) AES-NI support, have a look > > > into the Linux kernel's /proc file /proc/cpuinfo - search it for the > > > "aes" > > > flag. > > > AES-NI support can be disabled by setting the environment variable > > > OPENSSL_DISABLE_AESNI before running binaries that link against openssl. > > > The "openssl speed" command can give you an idea for the performance > > > differences. > > > > > > > > > The cryptographic module as defined for FIPS-140-2 is contained in the > > > files /usr/lib64/.libcrypto.so.0.9.8.hmac > > > > > > /usr/lib64/.libssl.so.0.9.8.hmac > > > /usr/lib64/libcrypto.so.0.9.8 > > > /usr/lib64/libssl.so.0.9.8 > > > > > > for 64bit operation and > > > > > > /usr/lib/.libcrypto.so.0.9.8.hmac > > > /usr/lib/.libssl.so.0.9.8.hmac > > > /usr/lib/libcrypto.so.0.9.8 > > > /usr/lib/libssl.so.0.9.8 > > > > > > (snip) > > > -------------------------------------------------------------------- > > > > > > I thought I might find some more in /etc/ssl/openssl.cnf, but "ack fips > > > /etc/ssl" turns up nothing. Hopefully this is enough to reproduce the > > > problem. > > > > > > thanks very much for your efforts! > > > > > > Paul Boldra
-- Mike McCauley mikem@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Download (untitled) / with headers
text/plain 567b
Hi Mike, ivml2171:~ # env|grep -i fips ivml2171:~ # Nothing in my environment about fips. I'll try the upgrade. I have no need to keep this ticket open. Thanks for your help! Paul Boldra On Thu Dec 06 19:27:23 2012, mikem@open.com.au wrote: Show quoted text
> Hi again, > > thanks for this info, > We are investigating now. > > Looks to me like your openssl is getting started in FIPS mode. > According to > the rest of README-FIPS.txt,this should only happen if the environemnt > variable OPENSSL_FORCE_FIPS_MODE is set to 1. Can you confirm this is > the case > for you? >
RT-Send-CC: mikem [...] open.com.au
Download (untitled) / with headers
text/plain 544b
On Fri Dec 07 03:40:42 2012, BOLDRA wrote: Show quoted text
> Nothing in my environment about fips. I'll try the upgrade. I have no > need to keep this ticket open. Thanks for your help!
I enountered this same issue on SLES 11 SP2, which has openssl-0.9.8j installed. An upgrade to openssl-0.9.8r did resolve the problem. If this ticket had not existed I would have spent a lot of time on the issue, so many thanks. The packages for 0.9.8r can be found in this repository: http://download.opensuse.org/repositories/security:/fips/ regards, oliver.
Subject: Re: [rt.cpan.org #81575] 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)
Date: Wed, 12 Dec 2012 06:54:09 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Download (untitled) / with headers
text/plain 1.3k
Thanks for the info Oliver. Hope that helps the OP. Cheers. On Tuesday, December 11, 2012 10:33:51 AM you wrote: Show quoted text
> <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > On Fri Dec 07 03:40:42 2012, BOLDRA wrote:
> > Nothing in my environment about fips. I'll try the upgrade. I have no > > need to keep this ticket open. Thanks for your help!
> > I enountered this same issue on SLES 11 SP2, which has openssl-0.9.8j > installed. > > An upgrade to openssl-0.9.8r did resolve the problem. > > If this ticket had not existed I would have spent a lot of time on the > issue, so many thanks. > > The packages for 0.9.8r can be found in this repository: > > http://download.opensuse.org/repositories/security:/fips/ > > > regards, > oliver.
-- Mike McCauley mikem@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
From: vcizek [...] suse.cz
Download (untitled) / with headers
text/plain 643b
On Tue Dec 11 10:33:49 2012, OLIVER wrote: Show quoted text
> On Fri Dec 07 03:40:42 2012, BOLDRA wrote:
> > Nothing in my environment about fips. I'll try the upgrade. I have > > no > > need to keep this ticket open. Thanks for your help!
> > I enountered this same issue on SLES 11 SP2, which has openssl-0.9.8j > installed. > > An upgrade to openssl-0.9.8r did resolve the problem. >
We got a similar report from our customers, who experienced the issue with perl-Net-SSLeay 1.51-2 and openssl-0.9.8j. It's essentially the same bug as http://wiki.strongswan.org/issues/198 The attached patch resolves the issue. Could this be added to Net-SSLeay?
Subject: perl-Net-SSLeay_avoid_mutex_deadlock.patch
--- a/SSLeay.xs +++ b/SSLeay.xs @@ -227,9 +227,13 @@ UV get_my_thread_id(void) /* returns thr PUTBACK; count = call_method("tid", G_SCALAR|G_EVAL); SPAGAIN; - if (SvTRUE(ERRSV) || count != 1) - /* if threads not loaded or an error occurs return 0 */ - tid = 0; + if (SvTRUE(ERRSV) || count == 1) { + /* if threads not loaded or an error occurs return 1 + OpenSSL locks the mutex in FIPS_mode_set() and then + tries to lock it again in FIPS_mode() - only because + of the unfortunate thread_id above*/ + tid = 1; + } else tid = (UV)POPi; PUTBACK; @@ -1850,7 +1854,7 @@ SSL_library_init() #if OPENSSL_VERSION_NUMBER >= 0x0090700fL #define REM5 "NOTE: requires 0.9.7+" - + void ENGINE_load_builtin_engines()
Subject: Re: [rt.cpan.org #81575] 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)
Date: Tue, 11 Feb 2014 12:07:37 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Download (untitled) / with headers
text/plain 1.4k
Hello, thanks for your note and patch. But... are you sure this is right?: you changed if (SvTRUE(ERRSV) || count != 1) to if (SvTRUE(ERRSV) || count == 1) which seems to also change the sense of the test, rather than just the returned thread id. in this case, count is the number of items returned by threads->id(), which I would expect usually to be 1. Cheers. that seems to change the sense of the test On Thursday, February 06, 2014 08:07:05 AM you wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > On Tue Dec 11 10:33:49 2012, OLIVER wrote:
> > On Fri Dec 07 03:40:42 2012, BOLDRA wrote:
> > > Nothing in my environment about fips. I'll try the upgrade. I have > > > no > > > need to keep this ticket open. Thanks for your help!
> > > > I enountered this same issue on SLES 11 SP2, which has openssl-0.9.8j > > installed. > > > > An upgrade to openssl-0.9.8r did resolve the problem.
> > We got a similar report from our customers, who experienced the issue with > perl-Net-SSLeay 1.51-2 and openssl-0.9.8j. > > It's essentially the same bug as http://wiki.strongswan.org/issues/198 > > The attached patch resolves the issue. > Could this be added to Net-SSLeay?
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474 Fax +61 7 5598-7070
Nothing further heard. Assume OK.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.