2019-02-04 10:19:22 |
bugproxy |
bug |
|
|
added bug |
2019-02-04 10:19:25 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-175229 severity-high targetmilestone-inin1904 |
|
2019-02-04 10:19:26 |
bugproxy |
attachment added |
|
Patch on top of OCK version 3.10 https://bugs.launchpad.net/bugs/1814521/+attachment/5235808/+files/0001-EP11-Fix-target_list-passing-for-EP11-session-logon-.patch |
|
2019-02-04 10:19:29 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2019-02-04 10:19:32 |
bugproxy |
affects |
ubuntu |
opencryptoki (Ubuntu) |
|
2019-02-04 10:26:13 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2019-02-04 10:26:23 |
Frank Heimes |
ubuntu-z-systems: status |
New |
Triaged |
|
2019-02-04 10:26:29 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2019-02-04 10:26:46 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Canonical Foundations Team (canonical-foundations) |
|
2019-02-04 11:02:09 |
Frank Heimes |
description |
Description will follow |
When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login may return CKR_DEVICE_ERROR.
---Steps to Reproduce---
Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf
Then run 'pkcsep11_session show -slot 4' and enter the user pin.It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'
The OCK trace shows lines like the following with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
Userspace tool common name: Opencryptoki
Problem exit only for version 3.10 and 3.11.
For Version 3.11 following upstream commit can be applied seamlessly.
Upstream commit that fixes this problem:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
For version 3.10 , patch attached.
Mean, need to be integrated into 18.10 and 19.04
(taken from comment #2) |
|
2019-02-05 13:24:27 |
Francis Ginther |
tags |
architecture-s39064 bugnameltc-175229 severity-high targetmilestone-inin1904 |
architecture-s39064 bugnameltc-175229 id-5c58a51d0c3bde2ade0d7cc4 severity-high targetmilestone-inin1904 |
|
2019-02-21 10:44:49 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Cosmic |
|
2019-02-21 10:44:49 |
Dimitri John Ledkov |
bug task added |
|
opencryptoki (Ubuntu Cosmic) |
|
2019-02-21 10:44:55 |
Dimitri John Ledkov |
opencryptoki (Ubuntu): status |
New |
Fix Committed |
|
2019-02-21 10:47:33 |
Dimitri John Ledkov |
opencryptoki (Ubuntu Cosmic): status |
New |
In Progress |
|
2019-02-21 12:01:32 |
Launchpad Janitor |
opencryptoki (Ubuntu): status |
Fix Committed |
Fix Released |
|
2019-02-21 12:51:11 |
Frank Heimes |
ubuntu-z-systems: status |
Triaged |
In Progress |
|
2019-03-01 20:46:15 |
Steve Langasek |
opencryptoki (Ubuntu Cosmic): status |
In Progress |
Incomplete |
|
2019-03-04 07:30:56 |
Frank Heimes |
description |
When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login may return CKR_DEVICE_ERROR.
---Steps to Reproduce---
Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf
Then run 'pkcsep11_session show -slot 4' and enter the user pin.It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'
The OCK trace shows lines like the following with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
Userspace tool common name: Opencryptoki
Problem exit only for version 3.10 and 3.11.
For Version 3.11 following upstream commit can be applied seamlessly.
Upstream commit that fixes this problem:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
For version 3.10 , patch attached.
Mean, need to be integrated into 18.10 and 19.04
(taken from comment #2) |
SRU Information
[Impact]
An issue with passing the 'target_list' pointer (that hold data of the adapters aka crypto cards) to the function 'handle_all_ep11_cards' (that finally deals with all adapters in EP11 mode) can lead to an error.
Hence dependent on the memory content, a failure can be caused in processing all adapters in EP11 mode and will most likely cause the "CKR_DEVICE_ERROR" error to be returned by C_Login when the STRICT_SESSION and/or VHSM_MODE is enabled in the ep11tok.conf config file.
An upstream accepted commit is already available:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
The commit id and patch is quite straightforward and compact and shows that fixing the way the target_list is passed to the handle_all_ep11_cards function at four places in the code solves this situation.
Since this issue can break the EP11 functionality a fixing opencryptoki version 3.10 and 3.11 is needed where this issue can occur.
[Test Case]
Setup an opencryptoki environment (with crypto adapter in EP11 mode) and configure the EP11 token of with the keywords STRICT_MODE and/or VHSM_MODE in config file /etc/opencryptoki/ep11tok.conf.
Now run "pkcsep11_session show -slot 4" and enter the user pin.
It fails with the following message :"C_Login() rc = 0x30 [CKR_DEVICE_ERROR]"
The opencryptoki trace shows lines like the following with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
[Regression Potential]
The issue occurs while using opencryptoki and EP11 in mode STRICT_MODE or VHSM_MODE (or both) with a crypto card.
Crypto cards are available for different platforms - however, this case especially occurred while using CryptoExpress adapters on s390x.
Since the changes in the patch are quite obvious and limited to just four lines (each with the same change), the regression risk can be considered as low.
Furthermore it fixes a function that is broken today, the situation will just be improved with having the fix in place - assumed that no problems that are not directly related to this fix will happen (like packaging or update).
Since opencryptoki versions 3.10 and 3.11 are affected, the packages in (non-LTS) disco and cosmic need that fix.
In between the fix already landed in the current development release (disco) - just cosmic is left.
A test with the fixed opencryptoki version from disco was successfully done, too.
__________
When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login may return CKR_DEVICE_ERROR.
---Steps to Reproduce---
Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf
Then run 'pkcsep11_session show -slot 4' and enter the user pin.It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'
The OCK trace shows lines like the following with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
Userspace tool common name: Opencryptoki
Problem exit only for version 3.10 and 3.11.
For Version 3.11 following upstream commit can be applied seamlessly.
Upstream commit that fixes this problem:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
For version 3.10 , patch attached.
Mean, need to be integrated into 18.10 and 19.04
(taken from comment #2) |
|
2019-03-04 07:31:15 |
Frank Heimes |
opencryptoki (Ubuntu Cosmic): status |
Incomplete |
In Progress |
|
2019-03-04 15:30:00 |
Frank Heimes |
description |
SRU Information
[Impact]
An issue with passing the 'target_list' pointer (that hold data of the adapters aka crypto cards) to the function 'handle_all_ep11_cards' (that finally deals with all adapters in EP11 mode) can lead to an error.
Hence dependent on the memory content, a failure can be caused in processing all adapters in EP11 mode and will most likely cause the "CKR_DEVICE_ERROR" error to be returned by C_Login when the STRICT_SESSION and/or VHSM_MODE is enabled in the ep11tok.conf config file.
An upstream accepted commit is already available:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
The commit id and patch is quite straightforward and compact and shows that fixing the way the target_list is passed to the handle_all_ep11_cards function at four places in the code solves this situation.
Since this issue can break the EP11 functionality a fixing opencryptoki version 3.10 and 3.11 is needed where this issue can occur.
[Test Case]
Setup an opencryptoki environment (with crypto adapter in EP11 mode) and configure the EP11 token of with the keywords STRICT_MODE and/or VHSM_MODE in config file /etc/opencryptoki/ep11tok.conf.
Now run "pkcsep11_session show -slot 4" and enter the user pin.
It fails with the following message :"C_Login() rc = 0x30 [CKR_DEVICE_ERROR]"
The opencryptoki trace shows lines like the following with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
[Regression Potential]
The issue occurs while using opencryptoki and EP11 in mode STRICT_MODE or VHSM_MODE (or both) with a crypto card.
Crypto cards are available for different platforms - however, this case especially occurred while using CryptoExpress adapters on s390x.
Since the changes in the patch are quite obvious and limited to just four lines (each with the same change), the regression risk can be considered as low.
Furthermore it fixes a function that is broken today, the situation will just be improved with having the fix in place - assumed that no problems that are not directly related to this fix will happen (like packaging or update).
Since opencryptoki versions 3.10 and 3.11 are affected, the packages in (non-LTS) disco and cosmic need that fix.
In between the fix already landed in the current development release (disco) - just cosmic is left.
A test with the fixed opencryptoki version from disco was successfully done, too.
__________
When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login may return CKR_DEVICE_ERROR.
---Steps to Reproduce---
Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf
Then run 'pkcsep11_session show -slot 4' and enter the user pin.It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'
The OCK trace shows lines like the following with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
Userspace tool common name: Opencryptoki
Problem exit only for version 3.10 and 3.11.
For Version 3.11 following upstream commit can be applied seamlessly.
Upstream commit that fixes this problem:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
For version 3.10 , patch attached.
Mean, need to be integrated into 18.10 and 19.04
(taken from comment #2) |
SRU Justification
[Impact]
An issue with passing the 'target_list' pointer (that hold data of the adapters aka crypto cards) to the function 'handle_all_ep11_cards' (that finally deals with all adapters in EP11 mode) can lead to an error.
Dependent on the memory content, a failure can be caused in processing all adapters in EP11 mode and will most likely cause the "CKR_DEVICE_ERROR" error to be returned by C_Login when the STRICT_SESSION and/or VHSM_MODE is enabled in the ep11tok.conf config file.
An upstream accepted commit is already available:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
The commit id and patch is quite straightforward and compact and shows that fixing the way the target_list is passed to the handle_all_ep11_cards function at four places in the code solves this issue.
Since this issue can break the EP11 functionality a fix in opencryptoki version 3.10 and 3.11 is needed.
[Test Case]
Setup an opencryptoki environment (with crypto adapter in EP11 mode) and configure the EP11 token with keyword STRICT_MODE and/or VHSM_MODE in config file /etc/opencryptoki/ep11tok.conf.
Now run "pkcsep11_session show -slot 4" and enter the user pin.
It fails with the following message :"C_Login() rc = 0x30 [CKR_DEVICE_ERROR]"
The opencryptoki trace shows lines like the following, with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
[Regression Potential]
The issue occurs while using opencryptoki and EP11 in mode STRICT_MODE or VHSM_MODE (or both) using a crypto card.
Crypto cards are available for different platforms - however, this issue occurred while using CryptoExpress adapters on s390x.
Since the changes in the patch are quite obvious and limited to just four lines (each with the same change), the regression risk can be considered as low.
Furthermore it fixes a function that is broken today, the situation will just be improved with having the fix in place - assumed that no further problems, that are not directly related to this fix, will b eintroduced (like in packaging or update).
Since opencryptoki versions 3.10 and 3.11 are affected, the packages in (non-LTS) disco and cosmic need that fix.
In between the fix already landed in the current development release (disco) - just cosmic is left.
A test with the fixed opencryptoki version from disco was successfully done.
__________
When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login may return CKR_DEVICE_ERROR.
---Steps to Reproduce---
Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf
Then run 'pkcsep11_session show -slot 4' and enter the user pin.It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'
The OCK trace shows lines like the following with corrupted APQNs:
11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
Userspace tool common name: Opencryptoki
Problem exit only for version 3.10 and 3.11.
For Version 3.11 following upstream commit can be applied seamlessly.
Upstream commit that fixes this problem:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
For version 3.10 , patch attached.
Mean, need to be integrated into 18.10 and 19.04
(taken from comment #2) |
|
2019-03-05 20:41:48 |
Brian Murray |
opencryptoki (Ubuntu Cosmic): status |
In Progress |
Fix Committed |
|
2019-03-05 20:41:50 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-03-05 20:41:52 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2019-03-05 20:41:55 |
Brian Murray |
tags |
architecture-s39064 bugnameltc-175229 id-5c58a51d0c3bde2ade0d7cc4 severity-high targetmilestone-inin1904 |
architecture-s39064 bugnameltc-175229 id-5c58a51d0c3bde2ade0d7cc4 severity-high targetmilestone-inin1904 verification-needed verification-needed-cosmic |
|
2019-03-06 05:22:08 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2019-03-06 09:11:28 |
bugproxy |
tags |
architecture-s39064 bugnameltc-175229 id-5c58a51d0c3bde2ade0d7cc4 severity-high targetmilestone-inin1904 verification-needed verification-needed-cosmic |
architecture-s39064 bugnameltc-175229 id-5c58a51d0c3bde2ade0d7cc4 severity-high targetmilestone-inin1904 verification-done-cosmic verification-needed |
|
2019-03-06 09:22:02 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-175229 id-5c58a51d0c3bde2ade0d7cc4 severity-high targetmilestone-inin1904 verification-done-cosmic verification-needed |
architecture-s39064 bugnameltc-175229 id-5c58a51d0c3bde2ade0d7cc4 severity-high targetmilestone-inin1904 verification-done verification-done-cosmic |
|
2019-03-14 09:27:54 |
Launchpad Janitor |
opencryptoki (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2019-03-14 09:27:59 |
Ćukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-03-14 10:05:22 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|