@vorlon: I added the missing SRU information to the bug description - please have a look.
** Description changed: - When the EP11 token of Opencryptoki is configured with STRICT_MODE or - VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then - C_Login may return CKR_DEVICE_ERROR. + SRU Information + + [Impact] + + An issue with passing the 'target_list' pointer (that hold data of the + adapters aka crypto cards) to the function 'handle_all_ep11_cards' (that + finally deals with all adapters in EP11 mode) can lead to an error. + + Hence dependent on the memory content, a failure can be caused in + processing all adapters in EP11 mode and will most likely cause the + "CKR_DEVICE_ERROR" error to be returned by C_Login when the + STRICT_SESSION and/or VHSM_MODE is enabled in the ep11tok.conf config + file. + + An upstream accepted commit is already available: + https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b + The commit id and patch is quite straightforward and compact and shows that fixing the way the target_list is passed to the handle_all_ep11_cards function at four places in the code solves this situation. + + Since this issue can break the EP11 functionality a fixing opencryptoki + version 3.10 and 3.11 is needed where this issue can occur. + + [Test Case] + + Setup an opencryptoki environment (with crypto adapter in EP11 mode) and + configure the EP11 token of with the keywords STRICT_MODE and/or + VHSM_MODE in config file /etc/opencryptoki/ep11tok.conf. + + Now run "pkcsep11_session show -slot 4" and enter the user pin. + It fails with the following message :"C_Login() rc = 0x30 [CKR_DEVICE_ERROR]" + + The opencryptoki trace shows lines like the following with corrupted + APQNs: + + 11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1 + 11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0 + 11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6 + 11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000 + 11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6 + 11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000 + + [Regression Potential] + + The issue occurs while using opencryptoki and EP11 in mode STRICT_MODE or VHSM_MODE (or both) with a crypto card. + Crypto cards are available for different platforms - however, this case especially occurred while using CryptoExpress adapters on s390x. + + Since the changes in the patch are quite obvious and limited to just four lines (each with the same change), the regression risk can be considered as low. + Furthermore it fixes a function that is broken today, the situation will just be improved with having the fix in place - assumed that no problems that are not directly related to this fix will happen (like packaging or update). + + Since opencryptoki versions 3.10 and 3.11 are affected, the packages in (non-LTS) disco and cosmic need that fix. + In between the fix already landed in the current development release (disco) - just cosmic is left. + + A test with the fixed opencryptoki version from disco was successfully + done, too. + + __________ + + + When the EP11 token of Opencryptoki is configured with STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf then C_Login may return CKR_DEVICE_ERROR. ---Steps to Reproduce--- Configure the EP11 token of Opencryptoki with keywords STRICT_MODE or VHSM_MODE (or both) in config file /etc/opencryptoki/ep11tok.conf Then run 'pkcsep11_session show -slot 4' and enter the user pin.It fails with 'C_Login() rc = 0x30 [CKR_DEVICE_ERROR]' The OCK trace shows lines like the following with corrupted APQNs: 11/23/2018 10:43:45 [ep11_specific.c:6208 ep11tok] INFO: ep11tok_login_session session=1 11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 2B8E.FFFF8EE0 11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6 11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000 11/23/2018 10:43:45 [ep11_specific.c:6127 ep11tok] ERROR: ep11_login_handler dll_m_Login failed: 0x6 11/23/2018 10:43:45 [ep11_specific.c:6074 ep11tok] INFO: Logging in adapter 00.0000 Userspace tool common name: Opencryptoki Problem exit only for version 3.10 and 3.11. For Version 3.11 following upstream commit can be applied seamlessly. Upstream commit that fixes this problem: https://github.com/opencryptoki/opencryptoki/commit/1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b For version 3.10 , patch attached. Mean, need to be integrated into 18.10 and 19.04 (taken from comment #2) ** Changed in: opencryptoki (Ubuntu Cosmic) Status: Incomplete => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814521 Title: [UBUNTU] - opencryptoki: EP11 token fails when using Strict-Session mode or VHSM-Mode To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1814521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs