| 2022-09-14 08:49:18 |
bugproxy |
bug |
|
|
added bug |
| 2022-09-14 08:49:21 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-199964 severity-high targetmilestone-inin--- |
|
| 2022-09-14 08:49:22 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
| 2022-09-14 08:49:27 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
| 2022-09-14 13:18:54 |
Frank Heimes |
affects |
linux (Ubuntu) |
opencryptoki (Ubuntu) |
|
| 2022-09-14 13:19:11 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
| 2022-09-14 13:19:29 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
| 2022-09-14 13:19:36 |
Frank Heimes |
opencryptoki (Ubuntu): importance |
Undecided |
High |
|
| 2022-09-14 13:19:38 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
| 2022-09-14 13:19:43 |
Frank Heimes |
opencryptoki (Ubuntu): status |
New |
In Progress |
|
| 2022-09-14 13:19:46 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
| 2022-09-14 15:47:42 |
Frank Heimes |
attachment added |
|
debdiff_opencryptoki_kinetic_from_3.18.0+dfsg-0ubuntu1_to_3.18.0+dfsg-0ubuntu2.diff https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1989558/+attachment/5615823/+files/debdiff_opencryptoki_kinetic_from_3.18.0+dfsg-0ubuntu1_to_3.18.0+dfsg-0ubuntu2.diff |
|
| 2022-09-14 15:48:12 |
Frank Heimes |
opencryptoki (Ubuntu): assignee |
Skipper Bug Screeners (skipper-screen-team) |
|
|
| 2022-09-14 15:48:32 |
Frank Heimes |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2022-09-29 09:27:30 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-199964 severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-199964 rls-kk-incoming severity-high targetmilestone-inin--- |
|
| 2022-09-29 14:03:15 |
Frank Heimes |
description |
---Problem Description---
opencryptoki C_GenerateKeyPair() fails after generating > 500 RSA keys with CEX7 crypto cards
Running a program that generates RSA keys and tests encyrption/decryption on Crypto cards, is failing after about 500 iterations. The program makes the following opencryptoki calls in a loop:
C_GenerateKeyPair()
C_EncryptInit()
C_Encrypt()
C_DecryptInit()
C_Decrypt()
C_SignInit()
C_Sign() (RSA Sign)
C_VerifyInit()
C_Verify() (RSA Verify)
C_SignInit()
C_SignUpdate() (RSA Multipart sign)
C_VerifyInit()
C_VerifyUpdate() (RSA multi-part verify)
C_VerifyFinal()
C_DestroyObject() (Destroy RSA public key)
C_DestroyObject() (Destroy RSA private key)
When running single-threaded, it fails consistently on loop 504. When running multi-threaded it fails on about the 506th iteration across all threads (ie with 5 threads, each thread fails after about 100 loops).
On the 504th loop, the C_GenerateKeyPair() call fails with return code 6. Looking at the /var/log/opencryptoki/trace.* logfile, I found these error messages which seem to correspond to the failure:
```
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1106 api] DEVEL: fcn->ST_DestroyObject returned:0x0
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1996 api] INFO: C_GenerateKeyPair
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:2019 api] INFO: Valid Session handle id: 2
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:5977 ep11tok] INFO: rsa_ec_generate_keypair m_GenerateKeyPair rc=0x0 spki_len=0x1a6 privkey_blob_len=0x970 mech='CKM_RSA_PKCS_KEY_PAIR_GEN'
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:6612 ep11tok] INFO: ep11tok_generate_key_pair rc=0x0 hpubkey=0x1 hprivkey=0x2 pub_name='' priv_name='' pub_obj=0x3ff7001d210 priv_obj=0x3ff70068460
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file.
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file.
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file.
09/06/2022 15:37:09 6099 [usr/lib/common/obj_mgr.c:613 ep11tok] DEVEL: Object created: handle: 2
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:2409 ep11tok] ERROR: fopen(/var/lib/opencryptoki/ep11tok/TOK_OBJ/OBxIH3zb): Too many open files
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:6749 ep11tok] DEVEL: ep11tok_generate_key_pair Object mgr create final failed
09/06/2022 15:37:09 6099 [usr/lib/common/obj_mgr.c:991 ep11tok] DEVEL: Object found: handle: 2
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:224 ep11tok] ERROR: fopen failed
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/new_host.c:3837 ep11tok] DEVEL: ep11tok_generate_key_pair() failed.
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/new_host.c:3840 ep11tok] INFO: C_GenerateKeyPair: rc = 0x00000006, sess = 2, mech = 0x0
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:2041 api] DEVEL: fcn->ST_GenerateKeyPair returned:0x6
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1653 api] INFO: C_Finalize
```
I tested it on both z15 and z16 (with different crypto cards) and got the same failure. In all cases, I am running on a KVM guest and using CEX7 crypto cards. I have not tested yet on CEX8 crypto cards. |
---Problem Description---
opencryptoki C_GenerateKeyPair() fails after generating > 500 RSA keys with CEX7 crypto cards
Running a program that generates RSA keys and tests encyrption/decryption on Crypto cards, is failing after about 500 iterations. The program makes the following opencryptoki calls in a loop:
C_GenerateKeyPair()
C_EncryptInit()
C_Encrypt()
C_DecryptInit()
C_Decrypt()
C_SignInit()
C_Sign() (RSA Sign)
C_VerifyInit()
C_Verify() (RSA Verify)
C_SignInit()
C_SignUpdate() (RSA Multipart sign)
C_VerifyInit()
C_VerifyUpdate() (RSA multi-part verify)
C_VerifyFinal()
C_DestroyObject() (Destroy RSA public key)
C_DestroyObject() (Destroy RSA private key)
When running single-threaded, it fails consistently on loop 504. When running multi-threaded it fails on about the 506th iteration across all threads (ie with 5 threads, each thread fails after about 100 loops).
On the 504th loop, the C_GenerateKeyPair() call fails with return code 6. Looking at the /var/log/opencryptoki/trace.* logfile, I found these error messages which seem to correspond to the failure:
```
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1106 api] DEVEL: fcn->ST_DestroyObject returned:0x0
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1996 api] INFO: C_GenerateKeyPair
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:2019 api] INFO: Valid Session handle id: 2
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:5977 ep11tok] INFO: rsa_ec_generate_keypair m_GenerateKeyPair rc=0x0 spki_len=0x1a6 privkey_blob_len=0x970 mech='CKM_RSA_PKCS_KEY_PAIR_GEN'
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:6612 ep11tok] INFO: ep11tok_generate_key_pair rc=0x0 hpubkey=0x1 hprivkey=0x2 pub_name='' priv_name='' pub_obj=0x3ff7001d210 priv_obj=0x3ff70068460
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file.
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file.
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file.
09/06/2022 15:37:09 6099 [usr/lib/common/obj_mgr.c:613 ep11tok] DEVEL: Object created: handle: 2
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:2409 ep11tok] ERROR: fopen(/var/lib/opencryptoki/ep11tok/TOK_OBJ/OBxIH3zb): Too many open files
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:6749 ep11tok] DEVEL: ep11tok_generate_key_pair Object mgr create final failed
09/06/2022 15:37:09 6099 [usr/lib/common/obj_mgr.c:991 ep11tok] DEVEL: Object found: handle: 2
09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:224 ep11tok] ERROR: fopen failed
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/new_host.c:3837 ep11tok] DEVEL: ep11tok_generate_key_pair() failed.
09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/new_host.c:3840 ep11tok] INFO: C_GenerateKeyPair: rc = 0x00000006, sess = 2, mech = 0x0
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:2041 api] DEVEL: fcn->ST_GenerateKeyPair returned:0x6
09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1653 api] INFO: C_Finalize
```
I tested it on both z15 and z16 (with different crypto cards) and got the same failure. In all cases, I am running on a KVM guest and using CEX7 crypto cards. I have not tested yet on CEX8 crypto cards.
---
External link: https://warthogs.atlassian.net/browse/PEI-29 |
|
| 2022-09-29 14:03:16 |
Frank Heimes |
tags |
architecture-s39064 bugnameltc-199964 rls-kk-incoming severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-199964 pei-29 rls-kk-incoming severity-high targetmilestone-inin--- |
|
| 2022-10-05 09:16:32 |
Simon Chopin |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2022-10-05 09:16:35 |
Simon Chopin |
opencryptoki (Ubuntu): assignee |
|
Simon Chopin (schopin) |
|
| 2022-10-05 11:22:15 |
Launchpad Janitor |
opencryptoki (Ubuntu): status |
In Progress |
Fix Released |
|
| 2022-10-05 11:42:15 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Released |
|
| 2022-10-07 15:10:20 |
bugproxy |
tags |
architecture-s39064 bugnameltc-199964 pei-29 rls-kk-incoming severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-199964 pei-29 rls-kk-incoming severity-high targetmilestone-inin2210 |
|
