------- Comment From heinz-werner_se...@de.ibm.com 2019-08-16 04:12 EDT------- Problem description (Tested with 18.04.2 but need be fixed with 18.04.3) Summary ======= Ubuntu 18.04.2 system installed ( 4.15.0-55-generic kernel ) providing opencryptoki version 3.9.0, and libica version 3.2.1 The digest_tests being part of the github opencryptoki package show failures. Total=641, Ran=521, Passed=391, Failed=130, Skipped=120, Errors=0 The problem is immediately reproducible. Independent of crypto cards being online.
Details ======= Set up Ubuntu 18.04.2 with opencryptoki and libica3. Initialize the opencryptoki ICA token, compile and build the opencryptoki tests being part of the github opencryptoki package tagged as 3.9.0. After successful initialization, the ICA token is expected to be readily initialized as follows: # pkcsconf -t -c 0 Token #0 Info: Label: icatest Manufacturer: IBM Corp. Model: IBM ICA Serial Number: 123 Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED) Sessions: 0/18446744073709551614 R/W Sessions: 18446744073709551615/18446744073709551614 PIN Length: 4-8 Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF Hardware Version: 1.0 Firmware Version: 1.0 Time: 17:48:54 Terminal ouptut =============== Output of the failing tests for digest_tests ... ------ * TESTSUITE do_SignVerify_HMAC BEGIN SHA-512 HMAC Sign Verify. ------ * TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 0. * TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data ------ * TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 1. * TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data ------ * TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 2. * TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data ------ * TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 3. * TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data ------ * TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 4. * TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data ------ * TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 5. * TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data ------ Debug data ========== See attached output of the digest_tests run. ---uname output--- Linux system 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:21:03 UTC 2019 s390x s390x s390x GNU/Linux Machine Type = IBM 3906 ---Steps to Reproduce--- 1.) Install the opencryptoki and libica3 packages 2.) Add your user to the pkcs11 group: usermod -aG pkcs11 root and re-login 3.) run: systemctl start pkcsslotd.service 4.) compile and build the opencryptoki version 3.9.0 test cases using the GitHub package version 3.9 5.) run the digest_tests from the testcases/crypto/ directory, against the ICA slot ./digest_tests -slot <N> The userspace tool has the following bit modes: 64bit Userspace rpm: opencryptoki ------- Comment From heinz-werner_se...@de.ibm.com 2019-08-16 04:14 EDT------- Solution : Backport for 3.9.0 This is fixed with commit https://github.com/opencryptoki/opencryptoki/commit/363f465755399e124b6f503db111c2b8390cfffe that came after 3.9.0. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1840420 Title: [UBUNTU] 18.04.3 - hash verification error with SHA-512 HMAC running the opencryptoki digest_tests on the ICA token To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1840420/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
