[UBUNTU] - opencryptoki: EP11 token fails when using Strict-Session mode or VHSM-Mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Canonical Foundations Team |
opencryptoki (Ubuntu) | Fix Released | Undecided | Skipper Bug Screeners |
Cosmic | Fix Released | Undecided | Unassigned |
Bug Description
SRU Justification
[Impact]
An issue with passing the 'target_list' pointer (that holds data of the adapters, aka crypto cards) to the function 'handle_
Dependent on the memory content, a failure can be caused in processing all adapters in EP11 mode and will most likely cause the "CKR_DEVICE_ERROR" error to be returned by C_Login when the STRICT_SESSION and/or VHSM_MODE is enabled in the ep11tok.conf config file.
An upstream accepted commit is already available:
https:/
The commit id and patch is quite straightforward and compact and shows that fixing the way the target_list is passed to the handle_
Since this issue can break the EP11 functionality a fix in opencryptoki version 3.10 and 3.11 is needed.
[Test Case]
Set up an opencryptoki environment (with crypto adapter in EP11 mode) and configure the EP11 token with keyword STRICT_MODE and/or VHSM_MODE in config file /etc/opencrypto
Now run "pkcsep11_session show -slot 4" and enter the user pin.
It fails with the following message: "C_Login() rc = 0x30 [CKR_DEVICE_ERROR]"
The opencryptoki trace shows lines like the following, with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
[Regression Potential]
The issue occurs while using opencryptoki and EP11 in mode STRICT_MODE or VHSM_MODE (or both) using a crypto card.
Crypto cards are available for different platforms - however, this issue occurred while using CryptoExpress adapters on s390x.
Since the changes in the patch are quite obvious and limited to just four lines (each with the same change), the regression risk can be considered as low.
Furthermore it fixes a function that is broken today, the situation will just be improved with having the fix in place - assumed that no further problems, that are not directly related to this fix, will be introduced (like in packaging or update).
Since opencryptoki versions 3.10 and 3.11 are affected, the packages in (non-LTS) disco and cosmic need that fix.
In between the fix already landed in the current development release (disco) - just cosmic is left.
A test with the fixed opencryptoki version from disco was successfully done.
__________
When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencrypto
---Steps to Reproduce---
Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencrypto
Then run 'pkcsep11_session show -slot 4' and enter the user pin. It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'
The OCK trace shows lines like the following with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
11/23/2018 10:43:45 [ep11_specific.
Userspace tool common name: Opencryptoki
Problem exists only for versions 3.10 and 3.11.
For version 3.11, the following upstream commit can be applied seamlessly.
Upstream commit that fixes this problem:
https:/
For version 3.10, patch attached.
This means it needs to be integrated into 18.10 and 19.04.
(taken from comment #2)
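An added triage check, not part of the bug report or of opencryptoki: it combines the two conditions the report names, an upstream version in the 3.10 or 3.11 series and STRICT_MODE and/or VHSM_MODE active in the EP11 token config. The function names and the sample config are constructed for illustration, and '#' is assumed to start a comment in ep11tok.conf. A patched distribution build keeps the same upstream version, so a hit means "check the package changelog for this fix", not "confirmed broken".

```shell
#!/bin/sh
# Added example (hypothetical helper names); not code from opencryptoki.

# Print which of the page's mode keywords are active in an ep11tok.conf
# read from stdin. Assumption: '#' starts a comment in that file.
ep11_active_modes() {
    awk '{ sub(/#.*/, "")                       # drop comments, re-split fields
           for (i = 1; i <= NF; i++)
               if ($i == "STRICT_MODE" || $i == "VHSM_MODE") seen[$i] = 1 }
         END { out = ""
               if (seen["STRICT_MODE"]) out = "STRICT_MODE"
               if (seen["VHSM_MODE"]) out = out (out != "" ? " " : "") "VHSM_MODE"
               print out }'
}

# Exit 0 when the upstream version is in the 3.10 or 3.11 series, the only
# ones the report names as affected ("3.1" and "3.100" do not match).
ock_version_affected() {
    case "$1" in
        3.10|3.10.*|3.10[-+~]*|3.11|3.11.*|3.11[-+~]*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = upstream opencryptoki version, stdin = contents of ep11tok.conf
ep11_bug_exposure() {
    modes=$(ep11_active_modes)
    if ! ock_version_affected "$1"; then
        echo "not-affected-version"
    elif [ -z "$modes" ]; then
        echo "affected-version-modes-off"
    else
        echo "exposed: $modes"
    fi
}

# Constructed sample config: STRICT_MODE is commented out, VHSM_MODE is active.
SAMPLE_CONF='# constructed sample ep11tok.conf
# STRICT_MODE
VHSM_MODE
'

printf '%s' "$SAMPLE_CONF" | ep11_bug_exposure 3.10.0
```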
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Canonical Foundations Team (canonical-foundations)
description: updated
tags: added: id-5c58a51d0c3bde2ade0d7cc4
Changed in opencryptoki (Ubuntu):
status: New → Fix Committed
Changed in opencryptoki (Ubuntu Cosmic):
status: New → In Progress
Changed in ubuntu-z-systems:
status: Triaged → In Progress
description: updated
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
tags: added: verification-done removed: verification-needed
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released