Bug #81575 for Net-SSLeay: 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl 5.16.2)

> openssl version: > OpenSSL 0.9.8j-fips 07 Jan 2009 > (on a very similar host with 0.9.8h the problem is not present)

> Fri Nov 30 07:13:11 2012: Request 81575 was acted upon. > Transaction: Ticket created by BOLDRA > Queue: Net-SSLeay > Subject: 04_basic.t hangs at SSLeay_add_ssl_algorithms (suse 11 + perl > 5.16.2) Broken in: 1.49 > Severity: Important > Owner: Nobody > Requestors: BOLDRA@boldra.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > > t/local/04_basic.t calls Net::SSLeay::SSLeay_add_ssl_algorithms() (via > Test::Exception, but this is not the cause), > Net::SSLeay::SSLeay_add_ssl_algorithms() does not return. > > openssl version: > OpenSSL 0.9.8j-fips 07 Jan 2009 > (on a very similar host with 0.9.8h the problem is not present) > > uname -a: > Linux ivml2171 3.0.42-0.7-default #1 SMP Tue Oct 9 11:58:45 UTC 2012 > (a8dc443) x86_64 x86_64 x86_64 GNU/Linux > > perl -V: > Summary of my perl5 (revision 5 version 16 subversion 2) configuration: > > Platform: > osname=linux, osvers=3.0.42-0.7-default, > archname=x86_64-linux-thread-multi > uname='linux ivml2171 3.0.42-0.7-default #1 smp tue oct 9 11:58:45 > utc 2012 (a8dc443) x86_64 x86_64 x86_64 gnulinux ' > config_args='-d -Dusethreads' > hint=recommended, useposix=true, d_sigaction=define > useithreads=define, usemultiplicity=define > useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef > use64bitint=define, use64bitall=define, uselongdouble=undef > usemymalloc=n, bincompat5005=undef > Compiler: > cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing > -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE > -D_FILE_OFFSET_BITS=64', > optimize='-O2', > cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe > -fstack-protector -I/usr/local/include' > ccversion='', gccversion='4.3.4 [gcc-4_3-branch revision 152973]', > gccosandvers='' > intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 > d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 > ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', > lseeksize=8 > alignbytes=8, prototype=define > Linker and Libraries: > ld='cc', ldflags =' -fstack-protector -L/usr/local/lib' > libpth=/usr/local/lib /lib/../lib64 /usr/lib/../lib64 /lib /usr/lib > /lib64 /usr/lib64 /usr/local/lib64 > libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc > -lgdbm_compat > perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc > libc=/lib/libc-2.11.3.so, so=so, useshrplib=false, libperl=libperl.a > gnulibc_version='2.11.3' > Dynamic Linking: > dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E' > cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib > -fstack-protector' > > > Characteristics of this binary (from libperl): > Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS > PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT > PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL > USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES > USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE > USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF > USE_REENTRANT_API > Built under linux > Compiled at Nov 23 2012 11:36:38 > @INC: > /usr/local/lib/perl5/site_perl/5.16.2/x86_64-linux-thread-multi > /usr/local/lib/perl5/site_perl/5.16.2 > /usr/local/lib/perl5/5.16.2/x86_64-linux-thread-multi > /usr/local/lib/perl5/5.16.2

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > Hi Mike, > > Thanks for your fast answer - I've been putting off replying because I'm > so unfamiliar with gdb, but it was easier than I expected. > > (gdb) backtrace > #0 0x00007f2e162e9294 in __lll_lock_wait () from /lib64/libpthread.so.0 > #1 0x00007f2e162e4619 in _L_lock_1008 () from /lib64/libpthread.so.0 > #2 0x00007f2e162e442e in pthread_mutex_lock () from /lib64/libpthread.so.0 > #3 0x00007f2e15b36505 in openssl_locking_function (mode=<optimized > #4 0x00007f2e1560806e in ?? () from /usr/lib64/libcrypto.so.0.9.8 > #5 0x00007f2e156084a7 in FIPS_mode_set () from > /usr/lib64/libcrypto.so.0.9.8 > #6 0x00007f2e155d5ea9 in OPENSSL_init () from /usr/lib64/libcrypto.so.0.9.8 > #7 0x00007f2e158e3d99 in SSL_library_init () from > /usr/lib64/libssl.so.0.9.8 > #8 0x00007f2e15b36475 in XS_Net__SSLeay_library_init > (my_perl=<optimized out>, cv=<optimized out>) at SSLeay.xs:1737 > #9 0x00000000004a7315 in Perl_pp_entersub () > #10 0x00000000004a5896 in Perl_runops_standard () > #11 0x0000000000436dee in perl_run () > #12 0x000000000041d78c in main () > > I hope there's something useful for you in there! > > Thanks for your help. > > On Sat Dec 01 18:02:05 2012, mikem@open.com.au wrote:

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > Hi Mike, > > thanks again for your patience with this. This is SLES 11 - I didn't > build any of the openssl packages myself. Yast tells me the openssl is > current, and it includes a changelog up to July this year, but not > detailled compilation options. > > Version: 0.9.8j-0.44.1 > Build Time: Tue Jul 10 13:32:41 2012 > Packager: http://bugs.opensuse.org > Architecture: x86_64 > Build Host: > URL: http://www.openssl.org/ > Source Package: openssl-0.9.8j-0.44.1 > > FIPS is a bit more of a mystery. Yast tells me there's no "FIPS" > installed, but I found /usr/share/doc/packages/openssl/README-FIPS.txt > which says: > > Dear user of the SUSE Linux Enterprise Server, > > SLES11-SP1 comes with openssl of version 0.9.8j, a version upgrade from > 0.9.8h that came with earlier revisions of SLES11. > > The new version has support for FIPS-140-2 mode of operation. > FIPS is short for Federal Information Processing Standard. > For more information on FIPS-140-2, please see > http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf > and more publications on the NIST website. > > The openssl shared libraries are used by numerous packages in the > SUSE Linux Enterprise Server. If the library runs in FIPS-140-2 mode, > then the binary that links against the library at runtime makes use > of FIPS-140-2 validated cryptography as defined in its cryptographic > module. By consequence, a large number of packages can make a claim > about using FIPS-140-2 validated cryptographical functions. > > Both the 64bit and the 32bit shared libraries are supported in FIPS-140-2 > mode of operation. > Both in 64bit and in 32bit mode, the AES-NI assembler optimizations are > supported and used, if the used CPU supports the AES-NI instructions. These > assembler optimizations can deliver a substantial performance benefit. > To check if your system's CPU(s) has (have) AES-NI support, have a look > into the Linux kernel's /proc file /proc/cpuinfo - search it for the "aes" > flag. > AES-NI support can be disabled by setting the environment variable > OPENSSL_DISABLE_AESNI before running binaries that link against openssl. > The "openssl speed" command can give you an idea for the performance > differences. > > > The cryptographic module as defined for FIPS-140-2 is contained in the files > /usr/lib64/.libcrypto.so.0.9.8.hmac > /usr/lib64/.libssl.so.0.9.8.hmac > /usr/lib64/libcrypto.so.0.9.8 > /usr/lib64/libssl.so.0.9.8 > for 64bit operation and > /usr/lib/.libcrypto.so.0.9.8.hmac > /usr/lib/.libssl.so.0.9.8.hmac > /usr/lib/libcrypto.so.0.9.8 > /usr/lib/libssl.so.0.9.8 > > (snip) > -------------------------------------------------------------------- > > I thought I might find some more in /etc/ssl/openssl.cnf, but "ack fips > /etc/ssl" turns up nothing. Hopefully this is enough to reproduce the > problem. > > thanks very much for your efforts! > > Paul Boldra

> Hi again, > > we have been able to reproduce this problem by building openssl-fips-1.2 and > openssl-0.9.8j by hand here, then running net-ssleay against it and adding > FIPS_mode_set(1) to the test suites. > > The problem is caused by a bug in openssl-0.9.8j that only appears when > external locking functions are used (net-ssleay implements external openssl > locking functions in terms of mutexes) > > Details: > > FIPS_mode_set() > calls > fips_w_lock(); > to set a write lock on lock number 39 (CRYPTO_LOCK_FIPS) > and it holds that write lock while it does its work. > > then it calls > > if(FIPS_mode()) > ..... > > but FIPS_mode() > calls fips_r_lock(); > to set a read lock on the same lock number 39 (CRYPTO_LOCK_FIPS) > before it does its work. > > but of course this read lock is never granted due to a deadlock with the > previously granted write lock. > > This problem does not normally appear in FIPS enabled openssl 0.9.8j, since > the default built-in internal locking in openssl is a no-op > > > As for what to do now: > > I think the only answer is to upgrade to a later openssl-fips.

> > Cheers. > > On Thursday, December 06, 2012 07:27:25 PM mikem@open.com.au via RT wrote:

> Nothing in my environment about fips. I'll try the upgrade. I have no > need to keep this ticket open. Thanks for your help!

> <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > On Fri Dec 07 03:40:42 2012, BOLDRA wrote: > > I enountered this same issue on SLES 11 SP2, which has openssl-0.9.8j > installed. > > An upgrade to openssl-0.9.8r did resolve the problem. > > If this ticket had not existed I would have spent a lot of time on the > issue, so many thanks. > > The packages for 0.9.8r can be found in this repository: > > http://download.opensuse.org/repositories/security:/fips/ > > > regards, > oliver.

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81575 > > > On Tue Dec 11 10:33:49 2012, OLIVER wrote: > > We got a similar report from our customers, who experienced the issue with > perl-Net-SSLeay 1.51-2 and openssl-0.9.8j. > > It's essentially the same bug as http://wiki.strongswan.org/issues/198 > > The attached patch resolves the issue. > Could this be added to Net-SSLeay?