[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#603104: marked as done (TPM token fails to reinitialize properly on reload)

Your message dated Tue, 26 Jul 2011 10:34:33 +0000
with message-id <E1Qley9-0005kZ-T7@franck.debian.org>
and subject line Bug#603104: fixed in opencryptoki 2.3.1+dfsg-2
has caused the Debian Bug report #603104,
regarding TPM token fails to reinitialize properly on reload
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

603104: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603104
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: opencryptoki
Version: 2.2.8+dfsg-4

The TPM token code uses some global variables to track the storage
root key, root public & private keys, and leaf public & private keys
from the TPM. These variables are not properly reinitialized during
unload and reload of the module. In the case of wpasupplicant, this
results in PKCS#11 becoming unusable and one must kill the process to
start a fresh reconfiguration.

How to reproduce, given a wpasupplicant configuration that uses
opencryptoki to use the TPM for private key:
  - Connect to the network once, ensure a normal connection is possible.
  - Kill the opencryptoki pkcsslotd process (send SIGKILL; it ignores
SIGTERM while in use).
  - Start a new opencryptoki pkcsslotd process.
  - Attempt to reconnect to the same network.

Expected behavior:
  - wpasupplicant should unload the PKCS#11 openssl engine library and
reload it for the reconnection attempt.
  - The connection should succeed.

Observed behavior:
  - wpasupplicant unloads the PKCS#11 openssl engine library and
reloads it for the reconnection attempt.
  - After wpasupplicant loads the PKCS#11 openssl engine library, it
fails to load the private key.

The failure to load the private key was debugged back to failure in
the opencryptoki TPM library to load the private root key. The private
key fails to load because the session object opencryptoki uses to load
the key into the TPM is stale, left over from the first session.

A patch for this is attached and the patch has been sent upstream. See
and https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/645576.
Author: David Smith <dds@google.com>
Description: Reset TPM datastructures on init, not just logout.
Index: opencryptoki-2.2.8+dfsg/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
--- opencryptoki-2.2.8+dfsg.orig/usr/lib/pkcs11/tpm_stdll/tpm_specific.c	2010-10-28 12:56:36.000000000 -0700
+++ opencryptoki-2.2.8+dfsg/usr/lib/pkcs11/tpm_stdll/tpm_specific.c	2010-10-28 15:19:41.000000000 -0700
@@ -111,6 +111,22 @@
 CK_BYTE current_so_pin_sha[SHA1_HASH_SIZE];
+static void
+	hPrivateLeafKey = NULL_HKEY;
+	hPublicLeafKey = NULL_HKEY;
+	hPrivateRootKey = NULL_HKEY;
+	hPublicRootKey = NULL_HKEY;
+	memset(master_key_private, 0, MK_SIZE);
+	memset(current_so_pin_sha, 0, SHA1_HASH_SIZE);
+	memset(current_user_pin_sha, 0, SHA1_HASH_SIZE);
+	object_mgr_purge_private_token_objects();
 token_specific_session(CK_SLOT_ID  slotid)
@@ -263,7 +279,7 @@
 	TSS_RESULT result;
 	TSS_HPOLICY hPolicy;
-	static TSS_BOOL get_srk_pub_key = TRUE;
+	TSS_BOOL get_srk_pub_key = TRUE;
 	UINT32 key_size;
 	key_size = util_get_keysize_flag(size_n * 8);
@@ -1669,19 +1685,11 @@
 	if (hPrivateLeafKey != NULL_HKEY) {
-		hPrivateLeafKey = NULL_HKEY;
 	} else if (hPublicLeafKey != NULL_HKEY) {
-		hPublicLeafKey = NULL_HKEY;
-	memset(master_key_private, 0, MK_SIZE);
-	memset(current_so_pin_sha, 0, SHA1_HASH_SIZE);
-	memset(current_user_pin_sha, 0, SHA1_HASH_SIZE);
-	/* pulled from new_host.c */
-	object_mgr_purge_private_token_objects();
+	clear_internal_structures();
 	return CKR_OK;
@@ -2005,6 +2013,7 @@
                 return CKR_FUNCTION_FAILED;
+	clear_internal_structures();
 	return CKR_OK;

--- End Message ---
--- Begin Message ---
Source: opencryptoki
Source-Version: 2.3.1+dfsg-2

We believe that the bug you reported is fixed in the latest version of
opencryptoki, which is due to be installed in the Debian FTP archive:

  to main/o/opencryptoki/libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb
  to main/o/opencryptoki/libopencryptoki0_2.3.1+dfsg-2_amd64.deb
  to main/o/opencryptoki/opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
  to main/o/opencryptoki/opencryptoki_2.3.1+dfsg-2.debian.tar.gz
  to main/o/opencryptoki/opencryptoki_2.3.1+dfsg-2.dsc
  to main/o/opencryptoki/opencryptoki_2.3.1+dfsg-2_amd64.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 603104@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Alessio Treglia <alessio@debian.org> (supplier of updated opencryptoki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.8
Date: Tue, 26 Jul 2011 12:18:45 +0200
Source: opencryptoki
Binary: opencryptoki opencryptoki-dbg libopencryptoki0 libopencryptoki-dev
Architecture: source amd64
Version: 2.3.1+dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
 libopencryptoki-dev - PKCS#11 implementation (development)
 libopencryptoki0 - PKCS#11 implementation (library)
 opencryptoki - PKCS#11 implementation (daemon)
 opencryptoki-dbg - PKCS#11 implementation (debug)
Closes: 603104
 opencryptoki (2.3.1+dfsg-2) unstable; urgency=low
   * QA upload.
   * Add patch to reset TPM datastructures on init, and not just logout,
     fixes TPM token reinitialization failure on reload.
     Thanks to David Smith for the patch (Closes: #603104, LP: #645576)
 0568c12bf37e46313584fc127794bb7a5b8a75fa 1220 opencryptoki_2.3.1+dfsg-2.dsc
 22309740c250c2b3eed095636ebf2ed2e5a4481c 16137 opencryptoki_2.3.1+dfsg-2.debian.tar.gz
 4ee20bfe70eaecdc2c72d3bf3a505255ae0ad216 57298 opencryptoki_2.3.1+dfsg-2_amd64.deb
 73d6b97b6e132fdb5310b474fc584f3f6df29b5c 495274 opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
 d520fc5e862b90fc5513d1fc41dacb7a3d416d71 257406 libopencryptoki0_2.3.1+dfsg-2_amd64.deb
 c4979b9407fd254b655a359352bcc175a1200053 29936 libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb
 8749e847bb1574f455675623edeec47a470832539ca5e780989adbc880b1b6be 1220 opencryptoki_2.3.1+dfsg-2.dsc
 2216ee5cc3c5251d84523322d5ebb6f203d5133de7609e1c540b5f6bdba50da8 16137 opencryptoki_2.3.1+dfsg-2.debian.tar.gz
 94c18b0c109078d0e09897aa3c424f1aa57b2f9b13f7d4e86e7e6908033482d7 57298 opencryptoki_2.3.1+dfsg-2_amd64.deb
 791358a510ba28071d637b01283ad90c838d3da02097521c1c350e9fc5056162 495274 opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
 58e10e35933051e0465c0c6e94c811388514e3f34aed47aac1a5060c0f2fa864 257406 libopencryptoki0_2.3.1+dfsg-2_amd64.deb
 af9b98eb660736340638c132190ac1294d2743c95f93ccf517bb45183a8013c5 29936 libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb
 61bc07613c8084fe061d7f6bd982f4dc 1220 admin optional opencryptoki_2.3.1+dfsg-2.dsc
 efe89fb9852347a526c4bee9b8b85f57 16137 admin optional opencryptoki_2.3.1+dfsg-2.debian.tar.gz
 1ec42d0a7b5cda5380a61aaf77cd8129 57298 admin optional opencryptoki_2.3.1+dfsg-2_amd64.deb
 a815cd1a497ccae74c19068de9174c31 495274 debug extra opencryptoki-dbg_2.3.1+dfsg-2_amd64.deb
 96904d8f04977d80fd34daaa07a81035 257406 libs optional libopencryptoki0_2.3.1+dfsg-2_amd64.deb
 b1d4aeb37264e828915dcbeaa5d22b26 29936 libdevel optional libopencryptoki-dev_2.3.1+dfsg-2_amd64.deb

Version: GnuPG v1.4.11 (GNU/Linux)


--- End Message ---

Reply to: