Public bug reported: ---Problem Description--- opencryptoki C_GenerateKeyPair() fails after generating > 500 RSA keys with CEX7 crypto cards
Running a program that generates RSA keys and tests encyrption/decryption on Crypto cards, is failing after about 500 iterations. The program makes the following opencryptoki calls in a loop: C_GenerateKeyPair() C_EncryptInit() C_Encrypt() C_DecryptInit() C_Decrypt() C_SignInit() C_Sign() (RSA Sign) C_VerifyInit() C_Verify() (RSA Verify) C_SignInit() C_SignUpdate() (RSA Multipart sign) C_VerifyInit() C_VerifyUpdate() (RSA multi-part verify) C_VerifyFinal() C_DestroyObject() (Destroy RSA public key) C_DestroyObject() (Destroy RSA private key) When running single-threaded, it fails consistently on loop 504. When running multi-threaded it fails on about the 506th iteration across all threads (ie with 5 threads, each thread fails after about 100 loops). On the 504th loop, the C_GenerateKeyPair() call fails with return code 6. Looking at the /var/log/opencryptoki/trace.* logfile, I found these error messages which seem to correspond to the failure: ``` 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1106 api] DEVEL: fcn->ST_DestroyObject returned:0x0 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1996 api] INFO: C_GenerateKeyPair 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:2019 api] INFO: Valid Session handle id: 2 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:5977 ep11tok] INFO: rsa_ec_generate_keypair m_GenerateKeyPair rc=0x0 spki_len=0x1a6 privkey_blob_len=0x970 mech='CKM_RSA_PKCS_KEY_PAIR_GEN' 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:6612 ep11tok] INFO: ep11tok_generate_key_pair rc=0x0 hpubkey=0x1 hprivkey=0x2 pub_name='' priv_name='' pub_obj=0x3ff7001d210 priv_obj=0x3ff70068460 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file. 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file. 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file. 09/06/2022 15:37:09 6099 [usr/lib/common/obj_mgr.c:613 ep11tok] DEVEL: Object created: handle: 2 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:2409 ep11tok] ERROR: fopen(/var/lib/opencryptoki/ep11tok/TOK_OBJ/OBxIH3zb): Too many open files 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:6749 ep11tok] DEVEL: ep11tok_generate_key_pair Object mgr create final failed 09/06/2022 15:37:09 6099 [usr/lib/common/obj_mgr.c:991 ep11tok] DEVEL: Object found: handle: 2 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:224 ep11tok] ERROR: fopen failed 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/new_host.c:3837 ep11tok] DEVEL: ep11tok_generate_key_pair() failed. 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/new_host.c:3840 ep11tok] INFO: C_GenerateKeyPair: rc = 0x00000006, sess = 2, mech = 0x0 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:2041 api] DEVEL: fcn->ST_GenerateKeyPair returned:0x6 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1653 api] INFO: C_Finalize ``` I tested it on both z15 and z16 (with different crypto cards) and got the same failure. In all cases, I am running on a KVM guest and using CEX7 crypto cards. I have not tested yet on CEX8 crypto cards. ** Affects: linux (Ubuntu) Importance: Undecided Assignee: Skipper Bug Screeners (skipper-screen-team) Status: New ** Tags: architecture-s39064 bugnameltc-199964 severity-high targetmilestone-inin--- ** Tags added: architecture-s39064 bugnameltc-199964 severity-high targetmilestone-inin--- ** Changed in: ubuntu Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team) ** Package changed: ubuntu => linux (Ubuntu) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1989558 Title: [UBUNTU 22.10] opencryptoki C_GenerateKeyPair() fails after generating > 500 RSA keys with CEX7 and CEX8 crypto cards Status in linux package in Ubuntu: New Bug description: ---Problem Description--- opencryptoki C_GenerateKeyPair() fails after generating > 500 RSA keys with CEX7 crypto cards Running a program that generates RSA keys and tests encyrption/decryption on Crypto cards, is failing after about 500 iterations. The program makes the following opencryptoki calls in a loop: C_GenerateKeyPair() C_EncryptInit() C_Encrypt() C_DecryptInit() C_Decrypt() C_SignInit() C_Sign() (RSA Sign) C_VerifyInit() C_Verify() (RSA Verify) C_SignInit() C_SignUpdate() (RSA Multipart sign) C_VerifyInit() C_VerifyUpdate() (RSA multi-part verify) C_VerifyFinal() C_DestroyObject() (Destroy RSA public key) C_DestroyObject() (Destroy RSA private key) When running single-threaded, it fails consistently on loop 504. When running multi-threaded it fails on about the 506th iteration across all threads (ie with 5 threads, each thread fails after about 100 loops). On the 504th loop, the C_GenerateKeyPair() call fails with return code 6. Looking at the /var/log/opencryptoki/trace.* logfile, I found these error messages which seem to correspond to the failure: ``` 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1106 api] DEVEL: fcn->ST_DestroyObject returned:0x0 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1996 api] INFO: C_GenerateKeyPair 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:2019 api] INFO: Valid Session handle id: 2 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:5977 ep11tok] INFO: rsa_ec_generate_keypair m_GenerateKeyPair rc=0x0 spki_len=0x1a6 privkey_blob_len=0x970 mech='CKM_RSA_PKCS_KEY_PAIR_GEN' 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:6612 ep11tok] INFO: ep11tok_generate_key_pair rc=0x0 hpubkey=0x1 hprivkey=0x2 pub_name='' priv_name='' pub_obj=0x3ff7001d210 priv_obj=0x3ff70068460 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file. 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file. 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:149 ep11tok] DEVEL: Unable to set permissions on file. 09/06/2022 15:37:09 6099 [usr/lib/common/obj_mgr.c:613 ep11tok] DEVEL: Object created: handle: 2 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:2409 ep11tok] ERROR: fopen(/var/lib/opencryptoki/ep11tok/TOK_OBJ/OBxIH3zb): Too many open files 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/ep11_specific.c:6749 ep11tok] DEVEL: ep11tok_generate_key_pair Object mgr create final failed 09/06/2022 15:37:09 6099 [usr/lib/common/obj_mgr.c:991 ep11tok] DEVEL: Object found: handle: 2 09/06/2022 15:37:09 6099 [usr/lib/common/loadsave.c:224 ep11tok] ERROR: fopen failed 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/new_host.c:3837 ep11tok] DEVEL: ep11tok_generate_key_pair() failed. 09/06/2022 15:37:09 6099 [usr/lib/ep11_stdll/new_host.c:3840 ep11tok] INFO: C_GenerateKeyPair: rc = 0x00000006, sess = 2, mech = 0x0 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:2041 api] DEVEL: fcn->ST_GenerateKeyPair returned:0x6 09/06/2022 15:37:09 6099 [usr/lib/api/api_interface.c:1653 api] INFO: C_Finalize ``` I tested it on both z15 and z16 (with different crypto cards) and got the same failure. In all cases, I am running on a KVM guest and using CEX7 crypto cards. I have not tested yet on CEX8 crypto cards. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1989558/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp