[UBUNTU] - opencryptoki: EP11 token fails when using Strict-Session mode or VHSM-Mode

Bug #1814521 reported by bugproxy
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | Fix Released | High | Canonical Foundations Team |
opencryptoki (Ubuntu) | Fix Released | Undecided | Skipper Bug Screeners |
Cosmic | Fix Released | Undecided | Unassigned |

Bug Description

SRU Justification

[Impact]

An issue with passing the 'target_list' pointer (that holds data of the adapters aka crypto cards) to the function 'handle_all_ep11_cards' (that finally deals with all adapters in EP11 mode) can lead to an error.

Depending on the memory content, a failure can be caused in processing all adapters in EP11 mode and will most likely cause the "CKR_DEVICE_ERROR" error to be returned by C_Login when the STRICT_SESSION and/or VHSM_MODE is enabled in the ep11tok.conf config file.

An upstream accepted commit is already available:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
The commit id and patch are quite straightforward and compact and show that fixing the way the target_list is passed to the handle_all_ep11_cards function at four places in the code solves this issue.

Since this issue can break the EP11 functionality a fix in opencryptoki version 3.10 and 3.11 is needed.

[Test Case]

Set up an opencryptoki environment (with crypto adapter in EP11 mode) and configure the EP11 token with keyword STRICT_MODE and/or VHSM_MODE in config file /etc/opencryptoki/ep11tok.conf.

Now run "pkcsep11_session show -slot 4" and enter the user pin.
It fails with the following message: "C_Login() rc = 0x30 [CKR_DEVICE_ERROR]"

The opencryptoki trace shows lines like the following, with corrupted APQNs:

11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000

[Regression Potential]

The issue occurs while using opencryptoki and EP11 in mode STRICT_MODE or VHSM_MODE (or both) using a crypto card.
Crypto cards are available for different platforms - however, this issue occurred while using CryptoExpress adapters on s390x.

Since the changes in the patch are quite obvious and limited to just four lines (each with the same change), the regression risk can be considered as low.
Furthermore, it fixes a function that is broken today; the situation will just be improved with having the fix in place - assuming that no further problems, that are not directly related to this fix, will be introduced (like in packaging or update).

Since opencryptoki versions 3.10 and 3.11 are affected, the packages in (non-LTS) disco and cosmic need that fix.
In the meantime the fix already landed in the current development release (disco) - just cosmic is left.

A test with the fixed opencryptoki version from disco was successfully done.

__________

When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login may return CKR_DEVICE_ERROR.

---Steps to Reproduce---
Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf

Then run 'pkcsep11_session show -slot 4' and enter the user pin. It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'

The OCK trace shows lines like the following with corrupted APQNs:

11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000

Userspace tool common name: Opencryptoki

Problem exists only for version 3.10 and 3.11.

For version 3.11, the following upstream commit can be applied seamlessly.
Upstream commit that fixes this problem:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b

For version 3.10, patch attached.

Meaning: this needs to be integrated into 18.10 and 19.04

(taken from comment #2)

bugproxy (bugproxy) wrote : Patch on top of OCK version 3.10

Default Comment by Bridge

tags: added: architecture-s39064 bugnameltc-175229 severity-high targetmilestone-inin1904
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → opencryptoki (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Canonical Foundations Team (canonical-foundations)
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2019-02-04 05:31 EDT-------
Problem Description:

When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login may return CKR_DEVICE_ERROR.

---Steps to Reproduce---
Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf

Then run 'pkcsep11_session show -slot 4' and enter the user pin. It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'

The OCK trace shows lines like the following with corrupted APQNs:

11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000
11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6
11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000

Userspace tool common name: Opencryptoki

Problem exists only for version 3.10 and 3.11.

For version 3.11, the following upstream commit can be applied seamlessly.
Upstream commit that fixes this problem:
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b

For version 3.10, patch attached.

Meaning: this needs to be integrated into 18.10 and 19.04

Frank Heimes (fheimes)
description: updated
tags: added: id-5c58a51d0c3bde2ade0d7cc4
Changed in opencryptoki (Ubuntu):
status: New → Fix Committed
Changed in opencryptoki (Ubuntu Cosmic):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.11.0+dfsg-0ubuntu2

---------------
opencryptoki (3.11.0+dfsg-0ubuntu2) disco; urgency=medium

  * EP11: Fix target_list passing for EP11-session logon/logoff. LP:
    #1814521

 -- Dimitri John Ledkov <email address hidden> Thu, 21 Feb 2019 11:42:49 +0100

Changed in opencryptoki (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Steve Langasek (vorlon) wrote :

This bug is blocked from being accepted from the SRU queue by the lack of an SRU template on the bug, including an analysis of the regression potential of this change.

Changed in opencryptoki (Ubuntu Cosmic):
status: In Progress → Incomplete
Frank Heimes (fheimes) wrote :

@vorlon: I added the missing SRU information to the bug description - please have a look.

description: updated
Changed in opencryptoki (Ubuntu Cosmic):
status: Incomplete → In Progress
Frank Heimes (fheimes)
description: updated
Brian Murray (brian-murray) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.10.0+dfsg-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in opencryptoki (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2019-03-06 04:03 EDT-------
I have successfully tested this with opencryptoki 3.10.0+dfsg-0ubuntu1.1 from -proposed on Ubuntu 18.10. After updating to the -proposed package the error no longer shows up.

Setting tag to verification-done-cosmic.

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Frank Heimes (fheimes)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.10.0+dfsg-0ubuntu1.1

---------------
opencryptoki (3.10.0+dfsg-0ubuntu1.1) cosmic; urgency=medium

  * EP11: Fix target_list passing for EP11-session logon/logoff. LP:
    #1814521

 -- Dimitri John Ledkov <email address hidden> Thu, 21 Feb 2019 11:45:57 +0100

Changed in opencryptoki (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for opencryptoki has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2019-03-15 06:31 EDT-------
IBM Bugzilla status -> closed, Fix release for all requested distros
