[Ubuntu 22.04] zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners | |
| s390-tools (Ubuntu) | Fix Released | High | Skipper Bug Screeners | |
| Jammy | Fix Released | High | Unassigned | |
| s390-tools-signed (Ubuntu) | Fix Released | High | Skipper Bug Screeners | |
| Jammy | Fix Released | High | Unassigned | |
Bug Description
SRU Justification:
------------------
[ Impact ]
* When re-enciphering the identity key
and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher',
the operation completes without an error,
but the secure keys are left un-reenciphered.
* A subsequent connection attempt with the KMIP server will fail
because the identity key is no longer valid.
* The re-enciphered secure key is not copied back into the key token buffer.
* Also, the public key part,
i.e. the MACed SubjectPublicKe
must also be re-enciphered (i.e. re-MACed),
since the MAC is calculated with the EP11 master key.
[ Fix ]
* 4e2ebe03 4e2ebe0370d9fb0
[ Test Plan ]
* An Ubuntu Server 22.04 for s390x installation with a CryptoExpress
adapter in EP11 mode and at least one available/online domain is needed.
* Perform a master key change on the EP11 APQNs used with the KMIP plugin.
* This is done indirectly, via libkmipclient, a shared library that
provides the KMIP client to communicate with a KMIP server.
* Test will be done by IBM.
[ Where problems could occur ]
* The memcpy, at the beginning and/or at the end of the inserted code
could be wrong, and copy wrong contents.
* The newly introduced 're-encipher MACed SPKI' code can be erroneous,
which may lead to a non working fix.
* The calculation and handling of the length which could lead to a broken cmdblock.
* Problems could occur in case the re-encryption is done with a different
master key compared to the initial encryption,
even though if this should be caught as 'CKR_IBM_
[ Other Info ]
* The s390-tools version v2.23 in kinetic already incl. this fix,
hence it's not affected,
nor versions for Ubuntu releases (in service) older than jammy
are affected.
__________
Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.
Problem:
The re-enciphered secure key is not copied back into the key token buffer. Also, the public key part, i.e. the MACed SubjectPublicKe
Solution:
Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the
KMIP plugin.
Problem-ID: 197605
Upstream-ID: 4e2ebe0370d9fb0
Preventive: yes
Date: 2022-04-08
Author: Ingo Franzki <email address hidden>
Component: s390-tools
== Comment: #1 - Ingo Franzki <email address hidden> - 2022-04-08 09:57:45 ==
Upstream commit:
https:/
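The defect pattern described under "Problem" and "Solution" above, as an added example that is not the s390-tools code or the upstream patch: a re-encipher routine that works in a scratch buffer and reports success without updating the token, next to a version that copies the result back and re-MACs the public part. The XOR wrap, the one-byte MAC, the `struct token` layout and all function names are hypothetical stand-ins for the EP11 operations.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Toy model, NOT the EP11 or s390-tools API: a token holds a key blob wrapped
 * under a master key (mk) and a public part whose MAC is keyed with that mk. */
struct token { uint8_t blob[8]; uint8_t spki[8]; uint8_t mac; };
static uint8_t toy_mac(const uint8_t *d, size_t n, uint8_t mk) {
    uint8_t m = mk;
    for (size_t i = 0; i < n; i++) m = (uint8_t)(m * 31 + d[i]);
    return m;
}
static void toy_wrap(uint8_t *b, size_t n, uint8_t mk) { /* XOR: wrap == unwrap */
    for (size_t i = 0; i < n; i++) b[i] ^= mk;
}
struct token make_token(const uint8_t clear[8], uint8_t mk) {
    struct token t;
    memcpy(t.blob, clear, 8);
    toy_wrap(t.blob, 8, mk);
    memcpy(t.spki, "PUBKEY!", 8);            /* constructed sample public part */
    t.mac = toy_mac(t.spki, 8, mk);
    return t;
}
/* Test oracle: does the token work under mk? (needs the clear key, toy only) */
int token_valid(const struct token *t, const uint8_t clear[8], uint8_t mk) {
    uint8_t tmp[8];
    memcpy(tmp, t->blob, 8);
    toy_wrap(tmp, 8, mk);
    return memcmp(tmp, clear, 8) == 0 && t->mac == toy_mac(t->spki, 8, mk);
}
/* Defect pattern from the report: result stays in scratch, success returned. */
int reencipher_buggy(struct token *t, uint8_t old_mk, uint8_t new_mk) {
    uint8_t tmp[8];
    memcpy(tmp, t->blob, 8);
    toy_wrap(tmp, 8, old_mk);
    toy_wrap(tmp, 8, new_mk);
    (void)tmp;                               /* never copied back, MAC untouched */
    return 0;
}
int reencipher_fixed(struct token *t, uint8_t old_mk, uint8_t new_mk) {
    uint8_t tmp[8];
    if (t->mac != toy_mac(t->spki, 8, old_mk)) return -1; /* wrong old mk */
    memcpy(tmp, t->blob, 8);
    toy_wrap(tmp, 8, old_mk);
    toy_wrap(tmp, 8, new_mk);
    memcpy(t->blob, tmp, 8);                 /* copy result into the token */
    t->mac = toy_mac(t->spki, 8, new_mk);    /* re-MAC the public part */
    return 0;
}
```

Checking the token against the new master key after the call, as `token_valid` does here, is what separates the two versions; the return code alone does not.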
tags: | added: architecture-s39064 bugnameltc-197607 severity-high targetmilestone-inin--- |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
affects: | linux (Ubuntu) → s390-tools (Ubuntu) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
importance: | Undecided → High |
tags: | added: foundations-triage-discuss |
description: | updated |
tags: |
added: foundations-todo removed: foundations-triage-discuss |
Changed in s390-tools (Ubuntu): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu): | |
importance: | Undecided → High |
Changed in s390-tools (Ubuntu Jammy): | |
status: | New → Confirmed |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | New → Confirmed |
Changed in s390-tools (Ubuntu Jammy): | |
status: | Confirmed → Triaged |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | Confirmed → Triaged |
Changed in s390-tools (Ubuntu): | |
status: | In Progress → Fix Released |
Changed in s390-tools-signed (Ubuntu): | |
status: | In Progress → Fix Released |
Changed in s390-tools (Ubuntu Jammy): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu Jammy): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu): | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
tags: |
added: targetmilestone-inin2204 removed: targetmilestone-inin--- |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
tags: | removed: foundations-todo |
A set of test packages is now available via the PPA below that are supposed to fix LP#1990520 as well as LP#1990524:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1990520+lp1990524