[UBUNTU 22.10] opencryptoki C_GenerateKeyPair() fails after generating > 500 RSA keys with CEX7 and CEX8 crypto cards
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Skipper Bug Screeners | ||
opencryptoki (Ubuntu) |
Fix Released
|
High
|
Simon Chopin |
Bug Description
---Problem Description---
opencryptoki C_GenerateKeyPair() fails after generating > 500 RSA keys with CEX7 crypto cards
Running a program that generates RSA keys and tests encyrption/
C_GenerateKeyPair()
C_EncryptInit()
C_Encrypt()
C_DecryptInit()
C_Decrypt()
C_SignInit()
C_Sign() (RSA Sign)
C_VerifyInit()
C_Verify() (RSA Verify)
C_SignInit()
C_SignUpdate() (RSA Multipart sign)
C_VerifyInit()
C_VerifyUpdate() (RSA multi-part verify)
C_VerifyFinal()
C_DestroyObject() (Destroy RSA public key)
C_DestroyObject() (Destroy RSA private key)
When running single-threaded, it fails consistently on loop 504. When running multi-threaded it fails on about the 506th iteration across all threads (ie with 5 threads, each thread fails after about 100 loops).
On the 504th loop, the C_GenerateKeyPair() call fails with return code 6. Looking at the /var/log/
```
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
09/06/2022 15:37:09 6099 [usr/lib/
```
I tested it on both z15 and z16 (with different crypto cards) and got the same failure. In all cases, I am running on a KVM guest and using CEX7 crypto cards. I have not tested yet on CEX8 crypto cards.
---
External link: https:/
tags: | added: architecture-s39064 bugnameltc-199964 severity-high targetmilestone-inin--- |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
tags: | added: rls-kk-incoming |
description: | updated |
tags: | added: pei-29 |
Changed in opencryptoki (Ubuntu): | |
assignee: | nobody → Simon Chopin (schopin) |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Released |
tags: |
added: targetmilestone-inin2210 removed: targetmilestone-inin--- |
------- Comment From <email address hidden> 2022-09-14 07:52 EDT------- /github. com/opencryptok i/opencryptoki/ commit/ 5d0d588e391ab2f 69bc6218b921bca 092055606e
====== Comment by Ingo: ========
For the record, this bug was introduced with the following commit
https:/
which went into OCK 3.18.0. So only Distros with 3.18.0 are affected by this problem.
------- Comment From <email address hidden> 2022-09-14 07:53 EDT------- /github. com/opencryptok i/opencryptoki/ commit/ d5ccb00e52f5b0c 66533f085cda36f 63f7583d44
== Comment: <email address hidden> ==
I would assume that this is fixed by the following commit:
https:/
Without this fix, any creation of a new token object will leak one open file. So after so many new token objects, the limit of open files is reached, and it starts to fail.