[UBUNTU 22.04] openssl with ibmca engine configured dumps core when creating a new certificate
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
openssl (Ubuntu) | Fix Released | High | Adrien Nader |
Jammy | Fix Released | High | Adrien Nader |
Lunar | Fix Released | Undecided | Unassigned |
Bug Description
=== SRU information ===
[Meta]
This bug is part of a series of three bugs for a single SRU.
The "central" bug with the global information and debdiff is http://
[Impact]
Openssl using an engine dumps core upon certificate creation; other operations are probably affected too. Overall, engines are likely mostly unusable.
[Test plan]
- An openssl engine is required to test the fix.
- A z13 / LinuxONE LPAR or z/VM guest is needed, with attached APQN.
- Check with 'lszcrypt -V' the availability (online) of the hw crypto resources.
- Install the packages needed to exploit the hw crypto resources:
sudo apt-get install libica-utils libica? openssl-ibmca
- And copy a working sample openssl.cnf file:
sudo cp /usr/share/
- Verify if the 'openssl engine' lists an ibmca engine,
in addition to the dynamic engine:
openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support <===
- try to create a new certificate, using this cmd-line:
openssl req -new -newkey rsa:2048 -x509 -sha256 -nodes -out __cert.pem -keyout __key.pem --subj '/CN=US'
- The above command must not lead to a 'Segmentation fault (core dumped)',
but rather create a proper certificate file.
Also watch /var/log/syslog / journalctl for more details.
- Upgrade not only the openssl package itself,
but also libssl3, before verification.
- The issue is fixed in openssl 3.0.8 which landed in lunar.
[Where problems could occur]
I don't pretend to understand the lifecycle of providers in openssl3 but the patch is simple and has been widely tested by now, including on ubuntu. Thus, I see little chance an unexpected problem would occur with it.
[Patches]
The patches come directly from upstream and apply cleanly.
https:/
=== Original description ===
openssl req -new -newkey rsa:2048 -x509 -sha256 -nodes -out __cert.pem -keyout __key.pem --subj '/CN=US'
---Problem Description---
OpenSSL with ibmca engine configured dumps core when creating a new certificate.
# openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
# openssl req -new -newkey rsa:2048 -x509 -sha256 -nodes -out __cert.pem -keyout __key.pem --subj '/CN=US'
Segmentation fault (core dumped)
# journalctl
Jun 07 13:06:08 SYSTEM kernel: User process fault: interruption code 003b ilc:2 in libc.so.
Jun 07 13:06:08 SYSTEM kernel: Failing address: 0000000000000000 TEID: 0000000000000800
Jun 07 13:06:08 SYSTEM kernel: Fault in primary space mode while using user ASCE.
Jun 07 13:06:08 SYSTEM kernel: AS:000000009c2941c7 R3:0000000000000024
Jun 07 13:06:08 SYSTEM kernel: CPU: 2 PID: 2344 Comm: openssl Kdump: loaded Not tainted 5.15.0-73-generic #80-Ubuntu
Jun 07 13:06:08 SYSTEM kernel: Hardware name: IBM 3931 A01 703 (z/VM 7.3.0)
Jun 07 13:06:08 SYSTEM kernel: User PSW : 0705000180000000 000003ffae11c708
Jun 07 13:06:08 SYSTEM kernel: R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:0 PM:0 RI:0 EA:3
Jun 07 13:06:08 SYSTEM kernel: User GPRS: 0000000000000007 000003ffae11c6f0 0000000000000000 000002aa3289f9d0
Jun 07 13:06:08 SYSTEM kernel: 000002aa1825980f 000002aa3289f9d0 0000000000000000 000002aa328a4300
Jun 07 13:06:08 SYSTEM kernel: 000003ffae870720 000003ffae657128 000002aa000003ff 0000000000000000
Jun 07 13:06:08 SYSTEM kernel: 000003ffae24dd10 000003ffae657120 000003ffae437c22 000003ffec2fe000
Jun 07 13:06:08 SYSTEM kernel: User Code: 000003ffae11c6fc: b90400b2 lgr %r11,%r2
Jun 07 13:06:08 SYSTEM kernel: Last Breaking-
Jun 07 13:06:08 SYSTEM kernel: [<000003ffae332
Jun 07 13:06:08 SYSTEM systemd[1]: Started Process Core Dump (PID 2345/UID 0).
Jun 07 13:06:08 SYSTEM systemd-
Jun 07 13:06:08 SYSTEM systemd[1]: systemd-
Jun 07 13:06:31 SYSTEM kernel: User process fault: interruption code 003b ilc:2 in libc.so.
Jun 07 13:06:31 SYSTEM kernel: Failing address: 0000000000000000 TEID: 0000000000000800
Jun 07 13:06:31 SYSTEM kernel: Fault in primary space mode while using user ASCE.
Jun 07 13:06:31 SYSTEM kernel: AS:000000009c2941c7 R3:0000000000000024
Jun 07 13:06:31 SYSTEM kernel: CPU: 2 PID: 2356 Comm: openssl Kdump: loaded Not tainted 5.15.0-73-generic #80-Ubuntu
Jun 07 13:06:31 SYSTEM kernel: Hardware name: IBM 3931 A01 703 (z/VM 7.3.0)
Jun 07 13:06:31 SYSTEM kernel: User PSW : 0705000180000000 000003ffbee9c708
Jun 07 13:06:31 SYSTEM kernel: R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:0 PM:0 RI:0 EA:3
Jun 07 13:06:31 SYSTEM kernel: User GPRS: 0000000000000007 000003ffbee9c6f0 0000000000000000 000002aa176569d0
Jun 07 13:06:31 SYSTEM kernel: 000002aa3dc356c6 000002aa176569d0 0000000000000000 000002aa1765b300
Jun 07 13:06:31 SYSTEM kernel: 000003ffbf5f0720 000003ffbf3d7128 000002aa000003ff 0000000000000000
Jun 07 13:06:31 SYSTEM kernel: 000003ffbefcdd10 000003ffbf3d7120 000003ffbf1b7c22 000003ffc4efdd40
Jun 07 13:06:31 SYSTEM kernel: User Code: 000003ffbee9c6fc: b90400b2 lgr %r11,%r2
Jun 07 13:06:31 SYSTEM kernel: Last Breaking-
Jun 07 13:06:31 SYSTEM kernel: [<000003ffbf0b2
Jun 07 13:06:32 SYSTEM systemd[1]: Started Process Core Dump (PID 2357/UID 0).
Jun 07 13:06:32 SYSTEM systemd-
---uname output---
Linux SYSTEM 5.15.0-73-generic #80-Ubuntu SMP Mon May 15 15:23:03 UTC 2023 s390x s390x s390x GNU/Linux
Machine Type = Manufacturer: IBM Type: 3931 Model: 703 A01
---Steps to Reproduce---
1. Configure openssl to be used with ibmca engine.
2. run the following command:
# openssl req -new -newkey rsa:2048 -x509 -sha256 -nodes -out __cert.pem -keyout __key.pem --subj '/CN=US'
3. Check the syslog
Userspace tool common name: openssl
The userspace tool has the following bit modes: 64
Userspace rpm: openssl 3.0.2-0ubuntu1.10 s390x
Userspace tool obtained from project website: na
== Comment: #1 - Grgo =======
Further investigations point to this open issue on openssl repository https:/
The default_algorithms declaration of RAND and others has no effect on the behaviour of this problem.
== Comment: #2 - Ingo - 2023-06-12 06:05:20 =======
The OpenSSL fix for the mentioned issue https:/
https:/
The corresponding commit for the openssl-3.0 branch is
https:/
This commit is included in OpenSSL 3.0.8.
Please include this commit into the OpenSSL package shipped with 22.04 (and later releases).
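The pass/fail decision of the test plan above, as an added example that is not part of the bug report or of the Ubuntu or OpenSSL packaging. The function names are hypothetical, and exit status 139 is the shell's 128 + SIGSEGV convention for the crash reported here.

```shell
#!/bin/sh
# Added example: pass/fail logic for the test plan (function names are hypothetical).

# Succeeds if `openssl engine` output on stdin lists the ibmca engine.
has_ibmca() {
    grep -q '^(ibmca)'
}

# classify_req STATUS CERT: verdict from the exit status of `openssl req`
# and the file it was asked to write. 139 = 128 + 11 (SIGSEGV), which is how
# the shell reports the crash described in this bug.
classify_req() {
    st=$1
    cert=$2
    if [ "$st" -eq 139 ]; then
        echo "FAIL: segmentation fault"
    elif [ "$st" -ne 0 ]; then
        echo "FAIL: openssl req exited with status $st"
    elif [ ! -s "$cert" ] || ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
        echo "FAIL: no certificate written"
    else
        echo "PASS"
    fi
}

# Live check; only meaningful on a host where the ibmca engine is configured.
run_test_plan() {
    if ! openssl engine 2>/dev/null | has_ibmca; then
        echo "SKIP: ibmca engine not listed by 'openssl engine'"
        return 2
    fi
    dir=$(mktemp -d) || return 2
    rc=0
    # Same command as in the report, writing into a scratch directory.
    openssl req -new -newkey rsa:2048 -x509 -sha256 -nodes \
        -out "$dir/__cert.pem" -keyout "$dir/__key.pem" --subj '/CN=US' \
        >/dev/null 2>&1 || rc=$?
    verdict=$(classify_req "$rc" "$dir/__cert.pem")
    rm -rf "$dir"
    echo "$verdict"
    [ "$verdict" = PASS ]
}

# Run the live check only when asked: sh check.sh run
if [ "${1:-}" = run ]; then
    run_test_plan
fi
```

Run it once before and once after upgrading both openssl and libssl3, so the FAIL and PASS verdicts can be compared on the same host.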
tags: | added: architecture-s39064 bugnameltc-202749 severity-high targetmilestone-inin22045 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
affects: | linux (Ubuntu) → openssl (Ubuntu) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
Changed in openssl (Ubuntu): | |
assignee: | Skipper Bug Screeners (skipper-screen-team) → nobody |
importance: | Undecided → High |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
tags: | added: rls-jj-incoming |
tags: |
added: foundations-todo removed: rls-jj-incoming |
Changed in openssl (Ubuntu): | |
assignee: | nobody → Adrien Nader (adrien-n) |
milestone: | none → jammy-updates |
status: | New → In Progress |
Changed in ubuntu-z-systems: | |
status: | New → In Progress |
Changed in openssl (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in openssl (Ubuntu Lunar): | |
status: | New → Fix Released |
Changed in openssl (Ubuntu Jammy): | |
importance: | Undecided → High |
assignee: | nobody → Adrien Nader (adrien-n) |
milestone: | none → jammy-updates |
Changed in openssl (Ubuntu): | |
milestone: | jammy-updates → none |
description: | updated |
tags: | removed: foundations-todo |
I've created a PPA for Jammy that incorporates the fix mentioned. The details are available at https://launchpad.net/~adrien-n/+archive/ubuntu/openssl-jammy-sru . Could you test it and confirm your issue is solved?