** Description changed:

- SRU Information
+ SRU Justification
  
  [Impact]
  
  An issue with passing the 'target_list' pointer (that hold data of the
  adapters aka crypto cards) to the function 'handle_all_ep11_cards' (that
  finally deals with all adapters in EP11 mode) can lead to an error.
  
- Hence dependent on the memory content, a failure can be caused in
- processing all adapters in EP11 mode and will most likely cause the
+ Dependent on the memory content, a failure can be caused in processing
+ all adapters in EP11 mode and will most likely cause the
  "CKR_DEVICE_ERROR" error to be returned by C_Login when the
  STRICT_SESSION and/or VHSM_MODE is enabled in the ep11tok.conf config
  file.
  
  An upstream accepted commit is already available:
  
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
- The commit id and patch is quite straightforward and compact and shows that 
fixing the way the target_list is passed to the handle_all_ep11_cards function 
at four places in the code solves this situation.
+ The commit id and patch is quite straightforward and compact and shows that 
fixing the way the target_list is passed to the handle_all_ep11_cards function 
at four places in the code solves this issue.
  
- Since this issue can break the EP11 functionality a fixing opencryptoki
- version 3.10 and 3.11 is needed where this issue can occur.
+ Since this issue can break the EP11 functionality a fix in opencryptoki
+ version 3.10 and 3.11 is needed.
  
  [Test Case]
  
  Setup an opencryptoki environment (with crypto adapter in EP11 mode) and
- configure the EP11 token of with the keywords STRICT_MODE and/or
- VHSM_MODE  in config file /etc/opencryptoki/ep11tok.conf.
+ configure the EP11 token with keyword STRICT_MODE and/or VHSM_MODE in
+ config file /etc/opencryptoki/ep11tok.conf.
  
  Now run "pkcsep11_session show -slot 4" and enter the user pin.
  It fails with the following message :"C_Login() rc = 0x30 [CKR_DEVICE_ERROR]"
  
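Review bot: The reworded Test Case paragraph names the keyword STRICT_MODE, but the [Impact] section of the same description says STRICT_SESSION (and the bug title says "Strict-Session mode"). Use one spelling throughout, the one that ep11tok.conf actually accepts, so that whoever verifies the SRU sets the option that triggers the failing C_Login path.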
- The opencryptoki trace shows lines like the following with corrupted
+ The opencryptoki trace shows lines like the following, with corrupted
  APQNs:
  
  11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: 
ep11tok_login_session session=1
  11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 
2B8E.FFFF8EE0
  11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler 
dll_m_Login failed: 0x6
  11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 
00.0000
  11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler 
dll_m_Login failed: 0x6
  11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 
00.0000
  
  [Regression Potential]
  
- The issue occurs while using opencryptoki and EP11 in mode STRICT_MODE or 
VHSM_MODE (or both) with a crypto card.
- Crypto cards are available for different platforms - however, this case 
especially occurred while using CryptoExpress adapters on s390x.
+ The issue occurs while using opencryptoki and EP11 in mode STRICT_MODE or 
VHSM_MODE (or both) using a crypto card.
+ Crypto cards are available for different platforms - however, this issue 
occurred while using CryptoExpress adapters on s390x.
  
  Since the changes in the patch are quite obvious and limited to just four 
lines (each with the same change), the regression risk can be considered as low.
- Furthermore it fixes a function that is broken today, the situation will just 
be improved with having the fix in place - assumed that no problems that are 
not directly related to this fix will happen (like packaging or update).
+ Furthermore it fixes a function that is broken today, the situation will just 
be improved with having the fix in place - assumed that no further problems, 
that are not directly related to this fix, will b eintroduced (like in 
packaging or update).
  
  Since opencryptoki versions 3.10 and 3.11 are affected, the packages in 
(non-LTS) disco and cosmic need that fix.
  In between the fix already landed in the current development release (disco) 
- just cosmic is left.
  
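Review bot: The rewritten "Furthermore" sentence in [Regression Potential] introduces a typo, "will b eintroduced", which should read "will be introduced". While touching that sentence, consider splitting it in two: one statement that the fix repairs a function that is broken today, and one that the remaining risk lies in packaging or the update itself.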
  A test with the fixed opencryptoki version from disco was successfully
- done, too.
+ done.
  
  __________
  
- 
- When the EP11 token of Opencryptoki is configured with STRICT_MODE or 
VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login 
may return CKR_DEVICE_ERROR.
+ When the EP11 token of Opencryptoki is configured with STRICT_MODE or
+ VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then
+ C_Login may return CKR_DEVICE_ERROR.
  
  ---Steps to Reproduce---
  Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or 
VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf
  
  Then run 'pkcsep11_session show -slot 4' and enter the user pin.It fails
  with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]'
  
  The OCK trace shows lines like the following with corrupted APQNs:
  
  11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: 
ep11tok_login_session session=1
  11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 
2B8E.FFFF8EE0
  11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler 
dll_m_Login failed: 0x6
  11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 
00.0000
  11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler 
dll_m_Login failed: 0x6
  11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 
00.0000
  
  Userspace tool common name: Opencryptoki
  
  Problem exit only for version 3.10 and 3.11.
  
  For Version 3.11 following upstream commit can be applied seamlessly.
  Upstream commit that fixes this problem:
  
https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b
  
  For version 3.10 , patch attached.
  
  Mean, need to be integrated into 18.10 and 19.04
  
  (taken from comment #2)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1814521

Title:
  [UBUNTU] - opencryptoki: EP11 token fails when using Strict-Session
  mode or VHSM-Mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1814521/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
