2022-09-22 11:39:18 |
bugproxy |
bug |
|
|
added bug |
2022-09-22 11:39:20 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-197607 severity-high targetmilestone-inin--- |
|
2022-09-22 11:39:21 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-09-22 11:39:25 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2022-09-22 11:46:11 |
Frank Heimes |
affects |
linux (Ubuntu) |
s390-tools (Ubuntu) |
|
2022-09-22 11:46:21 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2022-09-22 11:46:32 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu) |
|
2022-09-22 11:46:52 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-09-22 11:46:59 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2022-09-23 19:33:01 |
Dan Bungert |
tags |
architecture-s39064 bugnameltc-197607 severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-197607 foundations-triage-discuss severity-high targetmilestone-inin--- |
|
2022-09-27 14:39:30 |
Frank Heimes |
attachment added |
|
debdiffs.tgz https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1990520/+attachment/5619462/+files/debdiffs.tgz |
|
2022-09-27 14:39:44 |
Frank Heimes |
s390-tools-signed (Ubuntu): status |
New |
In Progress |
|
2022-09-27 14:39:49 |
Frank Heimes |
s390-tools (Ubuntu): status |
New |
In Progress |
|
2022-09-27 14:39:52 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2022-09-27 16:25:51 |
Ubuntu Foundations Team Bug Bot |
tags |
architecture-s39064 bugnameltc-197607 foundations-triage-discuss severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-197607 foundations-triage-discuss patch severity-high targetmilestone-inin--- |
|
2022-09-27 16:26:00 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2022-09-27 16:37:12 |
Frank Heimes |
description |
Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.
Problem:
The re-enciphered secure key is not copied back into the key token buffer. Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key.
Solution:
Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the
KMIP plugin.
Problem-ID: 197605
Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Preventive: yes
Date: 2022-04-08
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Component: s390-tools
== Comment: #1 - Ingo Franzki <ifranzki@de.ibm.com> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 |
SRU Justification:
------------------
[ Impact ]
* When re-enciphering the identity key
and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher',
the operation completes without an error,
but the secure keys are left un-reenciphered.
* A subsequent connection attempt with the KMIP server will fail
because the identity key is no longer valid.
* The re-enciphered secure key is not copied back into the key token buffer.
* Also, the the public key part,
i.e. the MACed SubjectPublicKeyInfo (SPKI) structure
must also be re-enciphered (i.e. re-MACed),
since the MAC is calculated with the EP11 master key.
[ Fix ]
* 4e2ebe03 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 "libseckey: Fix re-enciphering of EP11 secure key"
[ Test Plan ]
* An Ubuntu Server 22.04 for s390x installation with a CryptoExpress
adapter in EP11 mode and at least one available/online domain is needed.
* Perform a master key change on the EP11 APQNs used with the KMIP plugin.
* The is done indirectly, via libkmipclient, a shared library that
provides the KMIP client to communicate with an KMIP server.
* Test will be done by IBM.
[ Where problems could occur ]
* The memcpy, at the beginning and/or at the end or the inserted code
could be wrong, and copy wrong contents.
* The newly introduced 're-encipher MACed SPKI' code can be erroneous,
which may lead to a non working fix.
* The calculation and handling of the length which could lead to a broken cmdblock.
* Problems could occur in case the re-encryption is done with a different
master key compared to the initial encryption,
even though if this should be caught as 'CKR_IBM_WKID_MISMATCH'.
[ Other Info ]
* The s390-tools version v2.23 in kinetic already incl. this fix,
hence it's not affected,
nor versions for Ubuntu releases (in service) older than jammy
are affected.
__________
Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.
Problem:
The re-enciphered secure key is not copied back into the key token buffer. Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key.
Solution:
Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the
KMIP plugin.
Problem-ID: 197605
Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Preventive: yes
Date: 2022-04-08
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Component: s390-tools
== Comment: #1 - Ingo Franzki <ifranzki@de.ibm.com> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 |
|
2022-09-29 15:31:07 |
Julian Andres Klode |
bug |
|
|
added subscriber Ubuntu Foundations Bugs |
2022-09-29 15:31:13 |
Julian Andres Klode |
tags |
architecture-s39064 bugnameltc-197607 foundations-triage-discuss patch severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- |
|
2022-09-29 15:31:38 |
Julian Andres Klode |
s390-tools (Ubuntu): importance |
Undecided |
High |
|
2022-09-29 15:31:39 |
Julian Andres Klode |
s390-tools-signed (Ubuntu): importance |
Undecided |
High |
|
2022-10-11 13:21:49 |
Simon Chopin |
nominated for series |
|
Ubuntu Jammy |
|
2022-10-11 13:21:49 |
Simon Chopin |
bug task added |
|
s390-tools (Ubuntu Jammy) |
|
2022-10-11 13:21:49 |
Simon Chopin |
bug task added |
|
s390-tools-signed (Ubuntu Jammy) |
|
2022-10-11 13:21:58 |
Simon Chopin |
s390-tools (Ubuntu Jammy): status |
New |
Confirmed |
|
2022-10-11 13:22:01 |
Simon Chopin |
s390-tools-signed (Ubuntu Jammy): status |
New |
Confirmed |
|
2022-10-11 13:22:06 |
Simon Chopin |
s390-tools (Ubuntu Jammy): status |
Confirmed |
Triaged |
|
2022-10-11 13:22:07 |
Simon Chopin |
s390-tools-signed (Ubuntu Jammy): status |
Confirmed |
Triaged |
|
2022-10-11 13:22:10 |
Simon Chopin |
s390-tools (Ubuntu): status |
In Progress |
Fix Released |
|
2022-10-11 13:22:12 |
Simon Chopin |
s390-tools-signed (Ubuntu): status |
In Progress |
Fix Released |
|
2022-10-11 13:22:16 |
Simon Chopin |
s390-tools (Ubuntu Jammy): importance |
Undecided |
High |
|
2022-10-11 13:22:18 |
Simon Chopin |
s390-tools-signed (Ubuntu Jammy): importance |
Undecided |
High |
|
2022-11-07 15:23:33 |
Julian Andres Klode |
s390-tools-signed (Ubuntu): assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-12-02 00:45:59 |
Łukasz Zemczak |
s390-tools (Ubuntu Jammy): status |
Triaged |
Fix Committed |
|
2022-12-02 00:46:01 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-12-02 00:46:02 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2022-12-02 00:46:06 |
Łukasz Zemczak |
tags |
architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- verification-needed verification-needed-jammy |
|
2022-12-02 00:49:45 |
Łukasz Zemczak |
s390-tools-signed (Ubuntu Jammy): status |
Triaged |
Fix Committed |
|
2022-12-05 09:40:17 |
bugproxy |
tags |
architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- verification-needed verification-needed-jammy |
architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- verification-done verification-done-jammy |
|
2022-12-05 10:50:25 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2023-01-05 10:29:45 |
bugproxy |
tags |
architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin--- verification-done verification-done-jammy |
architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin2204 verification-done verification-done-jammy |
|
2023-01-10 19:46:41 |
Launchpad Janitor |
s390-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-01-10 19:46:49 |
Launchpad Janitor |
s390-tools-signed (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-01-10 19:47:05 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-01-10 20:22:42 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|
2023-06-02 15:33:17 |
Benjamin Drung |
tags |
architecture-s39064 bugnameltc-197607 foundations-todo patch severity-high targetmilestone-inin2204 verification-done verification-done-jammy |
architecture-s39064 bugnameltc-197607 patch severity-high targetmilestone-inin2204 verification-done verification-done-jammy |
|
2024-01-02 10:35:14 |
Benjamin Drung |
removed subscriber Ubuntu Foundations Bugs |
|
|
|