--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: TPM token fails to reinitialize properly on reload
- From: David Smith <dds@google.com>
- Date: Wed, 10 Nov 2010 14:16:32 -0800
- Message-id: <AANLkTinHREGNB56B-mKO4OxCMx9zvsWxpi_dDEc2bknm@mail.gmail.com>
Package: opencryptoki
Version: 2.2.8+dfsg-4
The TPM token code uses some global variables to track the storage
root key, root public & private keys, and leaf public & private keys
from the TPM. These variables are not properly reinitialized during
unload and reload of the module. In the case of wpasupplicant, this
results in PKCS#11 becoming unusable and one must kill the process to
start a fresh reconfiguration.
How to reproduce, given a wpasupplicant configuration that uses
opencryptoki to use the TPM for private key:
- Connect to the network once, ensure a normal connection is possible.
- Kill the opencryptoki pkcsslotd process (send SIGKILL; it ignores
SIGTERM while in use).
- Start a new opencryptoki pkcsslotd process.
- Attempt to reconnect to the same network.
Expected behavior:
- wpasupplicant should unload the PKCS#11 openssl engine library and
reload it for the reconnection attempt.
- The connection should succeed.
Observed behavior:
- wpasupplicant unloads the PKCS#11 openssl engine library and
reloads it for the reconnection attempt.
- After wpasupplicant loads the PKCS#11 openssl engine library, it
fails to load the private key.
The failure to load the private key was debugged back to failure in
the opencryptoki TPM library to load the private root key. The private
key fails to load because the session object opencryptoki uses to load
the key into the TPM is stale, left over from the first session.
A patch for this is attached and the patch has been sent upstream. See
http://sourceforge.net/tracker/?func=detail&atid=710344&aid=3073688&group_id=128009
and https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/645576.
Author: David Smith <dds@google.com>
Description: Reset TPM datastructures on init, not just logout.
Index: opencryptoki-2.2.8+dfsg/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
===================================================================
--- opencryptoki-2.2.8+dfsg.orig/usr/lib/pkcs11/tpm_stdll/tpm_specific.c 2010-10-28 12:56:36.000000000 -0700
+++ opencryptoki-2.2.8+dfsg/usr/lib/pkcs11/tpm_stdll/tpm_specific.c 2010-10-28 15:19:41.000000000 -0700
@@ -111,6 +111,22 @@
CK_BYTE current_so_pin_sha[SHA1_HASH_SIZE];
+static void
+clear_internal_structures()
+{
+ hSRK = NULL_HKEY;
+ hPrivateLeafKey = NULL_HKEY;
+ hPublicLeafKey = NULL_HKEY;
+ hPrivateRootKey = NULL_HKEY;
+ hPublicRootKey = NULL_HKEY;
+
+ memset(master_key_private, 0, MK_SIZE);
+ memset(current_so_pin_sha, 0, SHA1_HASH_SIZE);
+ memset(current_user_pin_sha, 0, SHA1_HASH_SIZE);
+
+ object_mgr_purge_private_token_objects();
+}
+
CK_RV
token_specific_session(CK_SLOT_ID slotid)
{
@@ -263,7 +279,7 @@
{
TSS_RESULT result;
TSS_HPOLICY hPolicy;
- static TSS_BOOL get_srk_pub_key = TRUE;
+ TSS_BOOL get_srk_pub_key = TRUE;
UINT32 key_size;
key_size = util_get_keysize_flag(size_n * 8);
@@ -1669,19 +1685,11 @@
{
if (hPrivateLeafKey != NULL_HKEY) {
Tspi_Key_UnloadKey(hPrivateLeafKey);
- hPrivateLeafKey = NULL_HKEY;
} else if (hPublicLeafKey != NULL_HKEY) {
Tspi_Key_UnloadKey(hPublicLeafKey);
- hPublicLeafKey = NULL_HKEY;
}
- memset(master_key_private, 0, MK_SIZE);
- memset(current_so_pin_sha, 0, SHA1_HASH_SIZE);
- memset(current_user_pin_sha, 0, SHA1_HASH_SIZE);
-
- /* pulled from new_host.c */
- object_mgr_purge_private_token_objects();
-
+ clear_internal_structures();
return CKR_OK;
}
@@ -2005,6 +2013,7 @@
return CKR_FUNCTION_FAILED;
}
+ clear_internal_structures();
return CKR_OK;
}
--- End Message ---
--- Begin Message ---
Source: opencryptoki
Source-Version: 2.3.1+dfsg-2
We believe that the bug you reported is fixed in the latest version of
opencryptoki, which is due to be installed in the Debian FTP archive:
libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb
to main/o/opencryptoki/libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb
libopencryptoki0_2.3.1+dfsg-2_amd64.deb
to main/o/opencryptoki/libopencryptoki0_2.3.1+dfsg-2_amd64.deb
opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
to main/o/opencryptoki/opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
opencryptoki_2.3.1+dfsg-2.debian.tar.gz
to main/o/opencryptoki/opencryptoki_2.3.1+dfsg-2.debian.tar.gz
opencryptoki_2.3.1+dfsg-2.dsc
to main/o/opencryptoki/opencryptoki_2.3.1+dfsg-2.dsc
opencryptoki_2.3.1+dfsg-2_amd64.deb
to main/o/opencryptoki/opencryptoki_2.3.1+dfsg-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 603104@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alessio Treglia <alessio@debian.org> (supplier of updated opencryptoki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 26 Jul 2011 12:18:45 +0200
Source: opencryptoki
Binary: opencryptoki opencryptoki-dbg libopencryptoki0 libopencryptoki-dev
Architecture: source amd64
Version: 2.3.1+dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
Description:
libopencryptoki-dev - PKCS#11 implementation (development)
libopencryptoki0 - PKCS#11 implementation (library)
opencryptoki - PKCS#11 implementation (daemon)
opencryptoki-dbg - PKCS#11 implementation (debug)
Closes: 603104
Changes:
opencryptoki (2.3.1+dfsg-2) unstable; urgency=low
.
* QA upload.
* Add patch to reset TPM datastructures on init, and not just logout,
fixes TPM token reinitialization failure on reload.
Thanks to David Smith for the patch (Closes: #603104, LP: #645576)
Checksums-Sha1:
0568c12bf37e46313584fc127794bb7a5b8a75fa 1220 opencryptoki_2.3.1+dfsg-2.dsc
22309740c250c2b3eed095636ebf2ed2e5a4481c 16137 opencryptoki_2.3.1+dfsg-2.debian.tar.gz
4ee20bfe70eaecdc2c72d3bf3a505255ae0ad216 57298 opencryptoki_2.3.1+dfsg-2_amd64.deb
73d6b97b6e132fdb5310b474fc584f3f6df29b5c 495274 opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
d520fc5e862b90fc5513d1fc41dacb7a3d416d71 257406 libopencryptoki0_2.3.1+dfsg-2_amd64.deb
c4979b9407fd254b655a359352bcc175a1200053 29936 libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb
Checksums-Sha256:
8749e847bb1574f455675623edeec47a470832539ca5e780989adbc880b1b6be 1220 opencryptoki_2.3.1+dfsg-2.dsc
2216ee5cc3c5251d84523322d5ebb6f203d5133de7609e1c540b5f6bdba50da8 16137 opencryptoki_2.3.1+dfsg-2.debian.tar.gz
94c18b0c109078d0e09897aa3c424f1aa57b2f9b13f7d4e86e7e6908033482d7 57298 opencryptoki_2.3.1+dfsg-2_amd64.deb
791358a510ba28071d637b01283ad90c838d3da02097521c1c350e9fc5056162 495274 opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
58e10e35933051e0465c0c6e94c811388514e3f34aed47aac1a5060c0f2fa864 257406 libopencryptoki0_2.3.1+dfsg-2_amd64.deb
af9b98eb660736340638c132190ac1294d2743c95f93ccf517bb45183a8013c5 29936 libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb
Files:
61bc07613c8084fe061d7f6bd982f4dc 1220 admin optional opencryptoki_2.3.1+dfsg-2.dsc
efe89fb9852347a526c4bee9b8b85f57 16137 admin optional opencryptoki_2.3.1+dfsg-2.debian.tar.gz
1ec42d0a7b5cda5380a61aaf77cd8129 57298 admin optional opencryptoki_2.3.1+dfsg-2_amd64.deb
a815cd1a497ccae74c19068de9174c31 495274 debug extra opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
96904d8f04977d80fd34daaa07a81035 257406 libs optional libopencryptoki0_2.3.1+dfsg-2_amd64.deb
b1d4aeb37264e828915dcbeaa5d22b26 29936 libdevel optional libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4ule8ACgkQRdSMfNz8P9DXagCfRGEgC9Nai27/WbodFLPRxqz+
GrIAnjQb+aiwuRBdnPmfVvMEwlvhmILg
=Vgpr
-----END PGP SIGNATURE-----
--- End Message ---