[UBUNTU] 18.04.3 - hash verification error with SHA-512 HMAC running the opencryptoki digest_tests on the ICA token
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu on IBM z Systems | Fix Released | High | Canonical Foundations Team | |
opencryptoki (Ubuntu) | Fix Released | Undecided | Skipper Bug Screeners | |
Bionic | Fix Released | Undecided | Unassigned | |
Bug Description
Problem description (Tested with 18.04.2 but needs to be fixed with 18.04.3)
Summary
=======
Ubuntu 18.04.2 system installed ( 4.15.0-55-generic kernel ) providing
opencryptoki version 3.9.0, and libica version 3.2.1
The digest_tests being part of the github opencryptoki package show failures.
Total=641, Ran=521, Passed=391, Failed=130, Skipped=120, Errors=0
The problem is immediately reproducible.
Independent of crypto cards being online.
Details
=======
Set up Ubuntu 18.04.2 with opencryptoki and libica3.
Initialize the opencryptoki ICA token, compile and build the opencryptoki tests
being part of the github opencryptoki package tagged as 3.9.0.
After successful initialization, the ICA token is expected to be readily initialized
as follows:
# pkcsconf -t -c 0
Token #0 Info:
Label: icatest
Manufacturer: IBM Corp.
Model: IBM ICA
Serial Number: 123
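Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF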
Hardware Version: 1.0
Firmware Version: 1.0
Time: 17:48:54
Terminal output
===============
Output of the failing tests for digest_tests
...
------
* TESTSUITE do_SignVerify_HMAC BEGIN SHA-512 HMAC Sign Verify.
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 0.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 1.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 2.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 3.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 4.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 5.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
Debug data
==========
See attached output of the digest_tests run.
---uname output---
Linux system 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:21:03 UTC 2019 s390x s390x s390x GNU/Linux
Machine Type = IBM 3906
---Steps to Reproduce---
1.) Install the opencryptoki and libica3 packages
2.) Add your user to the pkcs11 group: usermod -aG pkcs11 root and re-login
3.) run: systemctl start pkcsslotd.service
4.) compile and build the opencryptoki version 3.9.0 test cases using the
GitHub package version 3.9
5.) run the digest_tests from the testcases/crypto/ directory, against the ICA slot
./digest_tests -slot <N>
The userspace tool has the following bit modes: 64bit
Userspace rpm: opencryptoki
------- Comment From <email address hidden> 2019-08-16 04:14 EDT-------
Solution : Backport for 3.9.0
This is fixed with commit https:/
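
An independent software cross-check for the SHA-512 HMAC test-vector failures reported above. This is an added example, not part of the report or of opencryptoki. It assumes the RFC 4231 known-answer vectors (the report does not say which vectors digest_tests uses); `hmac_manual`, `reference` and `run_kat` are illustrative names, and the 64-byte block size shown in `__main__` is a constructed fault, not the defect fixed for this bug.

```python
import hashlib
import hmac

# RFC 4231 test cases 1 and 2: (key, data, expected HMAC-SHA-512 as hex).
RFC4231_SHA512 = [
    (b"\x0b" * 20, b"Hi There",
     "87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cde"
     "daa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854"),
    (b"Jefe", b"what do ya want for nothing?",
     "164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea250554"
     "9758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737"),
]


def hmac_manual(key, msg, block_size=128):
    """HMAC-SHA-512 built from RFC 2104; SHA-512 uses a 128-byte block."""
    if len(key) > block_size:
        key = hashlib.sha512(key).digest()   # long keys are hashed first
    key = key.ljust(block_size, b"\x00")     # then zero-padded to one block
    inner = hashlib.sha512(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha512(bytes(b ^ 0x5C for b in key) + inner).digest()


def reference(key, msg):
    """Standard-library HMAC-SHA-512, used as the trusted baseline."""
    return hmac.new(key, msg, hashlib.sha512).digest()


def run_kat(mac_fn):
    """Return the indices of vectors where mac_fn disagrees with the expected MAC."""
    failed = []
    for i, (key, data, expected) in enumerate(RFC4231_SHA512):
        # compare_digest keeps the comparison constant-time
        if not hmac.compare_digest(mac_fn(key, data), bytes.fromhex(expected)):
            failed.append(i)
    return failed


if __name__ == "__main__":
    print("stdlib reference failures:", run_kat(reference))
    print("manual, 128-byte block   :", run_kat(hmac_manual))
    # Constructed fault: SHA-256's 64-byte block size applied to SHA-512.
    print("manual, 64-byte block    :",
          run_kat(lambda k, m: hmac_manual(k, m, block_size=64)))
```

Passing a token-backed signing function to `run_kat` in place of `reference` shows whether a mismatch comes from the token or from the expected values in the test suite.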
tags: | added: architecture-s39064 bugnameltc-180486 severity-critical targetmilestone-inin--- |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → opencryptoki (Ubuntu) |
description: | updated |
Changed in ubuntu-z-systems: | |
status: | New → Triaged |
importance: | Undecided → Critical |
assignee: | nobody → Canonical Foundations Team (canonical-foundations) |
Changed in ubuntu-z-systems: | |
importance: | Critical → High |
Changed in opencryptoki (Ubuntu): | |
status: | New → Fix Released |
Changed in ubuntu-z-systems: | |
status: | Triaged → In Progress |
Changed in opencryptoki (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
------- Comment From <email address hidden> 2019-08-16 04:12 EDT-------
Problem description (Tested with 18.04.2 but needs to be fixed with 18.04.3)
Summary
=======
Ubuntu 18.04.2 system installed ( 4.15.0-55-generic kernel ) providing
opencryptoki version 3.9.0, and libica version 3.2.1
The digest_tests being part of the github opencryptoki package show failures.
Total=641, Ran=521, Passed=391, Failed=130, Skipped=120, Errors=0
The problem is immediately reproducible.
Independent of crypto cards being online.
Details
=======
Set up Ubuntu 18.04.2 with opencryptoki and libica3.
Initialize the opencryptoki ICA token, compile and build the opencryptoki tests
being part of the github opencryptoki package tagged as 3.9.0.
After successful initialization, the ICA token is expected to be readily initialized
as follows:
# pkcsconf -t -c 0
Token #0 Info:
Label: icatest
Manufacturer: IBM Corp.
Model: IBM ICA
Serial Number: 123
Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 17:48:54
Terminal output
===============
Output of the failing tests for digest_tests
...
------
* TESTSUITE do_SignVerify_HMAC BEGIN SHA-512 HMAC Sign Verify.
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 0.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 1.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 2.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 3.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 4.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
* TESTCASE do_SignVerify_HMAC BEGIN Sign Verify SHA-512 HMAC with test vector 5.
* TESTCASE do_SignVerify_HMAC FAIL (digest_func.c:1284) hashed data does not match test vector's hashed data
------
Debug data
==========
See attached output of the digest_tests run.
---uname output---
Linux system 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:21:03 UTC 2019 s390x s390x s390x GNU/Linux
Machine Type = IBM 3906
---Steps to Reproduce---
1.) Install the opencryptoki and libica3 packages
2.) Add your user to the pkcs11 group: usermod -aG pkcs11 root and re-login
3.) run: systemctl start pkcsslotd.service
4.) compile and build the opencryptoki version 3.9.0 test cases using the
GitHub package version 3.9
5.) run the digest_tests from the testcases/crypto/ ...