Enabling FIPS mode on SafeNet HSM causes 500 error on encrypt

Bug #1606591 reported by John McKenzie
This bug affects 2 people
Affects: Barbican
Status: Fix Released
Importance: Undecided
Assigned to: John McKenzie

Bug Description

When using a FIPS 140-2 compliant firmware on a SafeNet Luna HSM, the pkcs11 module fails during encrypt operations, resulting in a CKR_MECHANISM_PARAM_INVALID error. See below.

This error is produced due to the pkcs11 module generating a random IV and using it for the encrypt operation. FIPS 140-2 requires that the IV be generated by the HSM on device, not generated on the client and passed into the HSM (as the module currently does).

The fix for this issue is to not generate the IV and let the HSM device handle that. This will work with FIPS 140-2 enabled or not and should actually produce a small performance increase for encrypt operations.

https://en.wikipedia.org/wiki/FIPS_140-2

-----

POST /v1/secrets HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 67
Content-Type: application/json
Host: XXX
User-Agent: HTTPie/0.9.2
X-Auth-Token: XXX

{
    "payload": "my-secret-here",
    "payload_content_type": "text/plain"
}

HTTP/1.1 500 Server Error
Content-Length: 131
Content-Type: application/json; charset=UTF-8
Date: Mon, 25 Jul 2016 18:05:43 GMT
Date: Mon, 25 Jul 2016 18:05:45 GMT
Server: Jetty(9.2.z-SNAPSHOT)
x-trans-id: XXX

{
    "code": 500,
    "description": "Secret creation failure seen - please contact site administrator.",
    "title": "Internal Server Error"
}

-----

WARNING barbican.plugin.crypto.p11_crypto [XXX - XXX - - -] Reinitializing PKCS#11 library: HSM returned response code: 0x71L CKR_MECHANISM_PARAM_INVALID
ERROR barbican.api.controllers [XXX - XXX - - -] Secret creation failure seen - please contact site administrator.
ERROR barbican.api.controllers Traceback (most recent call last):
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 103, in handler
ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 89, in enforcer
ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 155, in content_types_enforcer
ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/api/controllers/secrets.py", line 432, in on_post
ERROR barbican.api.controllers transport_key_id=data.get('transport_key_id'))
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/resources.py", line 106, in store_secret
ERROR barbican.api.controllers secret_model, project_model)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/resources.py", line 274, in _store_secret_using_plugin
ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/store_crypto.py", line 96, in store_secret
ERROR barbican.api.controllers encrypt_dto, kek_meta_dto, context.project_model.external_id
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/crypto/p11_crypto.py", line 103, in encrypt
ERROR barbican.api.controllers project_id)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/crypto/p11_crypto.py", line 138, in _call_pkcs11
ERROR barbican.api.controllers return func(*args, **kwargs)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/crypto/p11_crypto.py", line 145, in _encrypt
ERROR barbican.api.controllers kek, encrypt_dto.unencrypted, session
ERROR barbican.api.controllers File "/usr/lib64/python2.7/site-packages/newrelic-2.68.0.50/newrelic/api/function_trace.py", line 110, in literal_wrapper
ERROR barbican.api.controllers return wrapped(*args, **kwargs)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/crypto/pkcs11.py", line 399, in encrypt
ERROR barbican.api.controllers self._check_error(rv)
ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/crypto/pkcs11.py", line 572, in _check_error
ERROR barbican.api.controllers "HSM returned response code: {code}").format(code=hex_code))
ERROR barbican.api.controllers P11CryptoPluginException: HSM returned response code: 0x71L CKR_MECHANISM_PARAM_INVALID
ERROR barbican.api.controllers
INFO barbican.api.middleware.context [XXX - XXX - - -] Processed request: 500 Internal Server Error - POST http://barbican:9311/v1/secrets

John McKenzie (jmckind)
Changed in barbican:
assignee: nobody → John McKenzie (jmckind)
description: updated
summary: - Enabling FIPS mode on SafeNet HSM causes 500 with
- CKR_MECHANISM_PARAM_INVALID error on encrypt
+ Enabling FIPS mode on SafeNet HSM causes 500 error on encrypt
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/347434

Changed in barbican:
status: New → In Progress
John McKenzie (jmckind)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/347434
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=4b09adc356552374d486333a17a07f56d958cd16
Submitter: Jenkins
Branch: master

commit 4b09adc356552374d486333a17a07f56d958cd16
Author: John McKenzie <email address hidden>
Date: Tue Jul 26 09:52:49 2016 -0500

    Generate IV on HSM device for encrypt operations

    FIPS 140-2 requires that the IV be generated by the HSM, on device.
    This change makes the IV optional to the _build_gcm_mechanism
    function and removes the generation of the random IV in the encrypt
    method to defer the IV creation to the HSM.

    Change-Id: I5ac3b8f67b7ece35a283e7468a4fc06592576996
    Closes-Bug: 1606591
    Co-Authored-By: Randall Burt <email address hidden>
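
The behaviour described in the report and in the commit message above, as an added sketch that is not Barbican or SafeNet code: the GCM parameter block is built with or without a client IV, and the caller persists the IV the device returns. `ConstructedToken` is a hypothetical stand-in for an HSM session, the `ct || iv` return layout and the 16-byte IV are assumptions, and `toy_cipher` is a placeholder rather than AES-GCM.

```python
import ctypes
import hashlib
import os

CKR_OK, CKR_MECHANISM_PARAM_INVALID = 0x00, 0x71  # 0x71 is the code in the log above
IV_LEN = 16  # assumed IV size for this sketch

class CK_GCM_PARAMS(ctypes.Structure):  # field layout from PKCS#11 v2.40
    _fields_ = [("pIv", ctypes.POINTER(ctypes.c_ubyte)),
                ("ulIvLen", ctypes.c_ulong), ("ulIvBits", ctypes.c_ulong),
                ("pAAD", ctypes.POINTER(ctypes.c_ubyte)),
                ("ulAADLen", ctypes.c_ulong), ("ulTagBits", ctypes.c_ulong)]

def build_gcm_params(iv=None):
    """With iv=None, pIv stays NULL and the token has to choose the IV."""
    params = CK_GCM_PARAMS(ulTagBits=128)
    if iv is not None:
        params.iv_buf = (ctypes.c_ubyte * len(iv)).from_buffer_copy(iv)
        params.pIv = ctypes.cast(params.iv_buf, ctypes.POINTER(ctypes.c_ubyte))
        params.ulIvLen, params.ulIvBits = len(iv), len(iv) * 8
    return params

def toy_cipher(iv, data):  # placeholder keystream XOR so this runs offline; NOT AES-GCM
    stream = hashlib.shake_256(b"constructed-kek" + iv).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class ConstructedToken:
    """Hypothetical stand-in for an HSM session enforcing the IV policy."""
    def __init__(self, fips_mode):
        self.fips_mode = fips_mode

    def encrypt(self, params, plaintext):
        if params.pIv and self.fips_mode:  # client-supplied IV is refused
            return CKR_MECHANISM_PARAM_INVALID, b""
        iv = bytes(params.pIv[:params.ulIvLen]) if params.pIv else os.urandom(IV_LEN)
        return CKR_OK, toy_cipher(iv, plaintext) + iv  # assumed layout: ct || iv

    def decrypt(self, params, ciphertext):  # decrypt is given the stored IV
        return CKR_OK, toy_cipher(bytes(params.pIv[:params.ulIvLen]), ciphertext)

def store_secret(token, plaintext):
    """Caller after the fix: pass no IV, persist the one the token returns."""
    rv, out = token.encrypt(build_gcm_params(), plaintext)
    if rv != CKR_OK:
        raise RuntimeError("HSM returned response code: %#x" % rv)
    return {"ct": out[:-IV_LEN], "iv": out[-IV_LEN:]}

def load_secret(token, record):
    return token.decrypt(build_gcm_params(record["iv"]), record["ct"])[1]
```

The IV returned by the device has to be stored with the ciphertext, because decryption still needs it passed back in.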

Changed in barbican:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/barbican 3.0.0.0b3

This issue was fixed in the openstack/barbican 3.0.0.0b3 development milestone.
