Bug 1473335
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | infinite loop when reading card with cac driver | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Scott Poore <spoore> |
| Component | opensc | Assignee | Jakub Jelen <jjelen> |
| Status | CLOSED ERRATA | QA Contact | Asha Akkiangady <aakkiang> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.4 | CC | jjelen, jstodola, nmavrogi, rpattath, sbose |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | opensc-0.16.0-8.20170227git777e2a3.el7 | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2018-04-10 18:28:08 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |

Doc Text:
Cause: The driver code was not handling errors correctly.
Consequence: Reading some of the restricted objects on CAC cards led to an infinite loop and therefore a software hang.
Fix: The error codes are handled properly.
Result: The tools can read all supported objects on the card without problems.
Description
Scott Poore
2017-07-20 14:00:59 UTC
Created attachment 1301761 [details]
opensc debug log with loop
Explanation of the error from earlier email discussion: What is going on there is that the driver tries to read the files on the card, but the card returns status words (SW) 69:82, which means "Security status not satisfied". This means that we can not read this data (even after login). But the endless loop is certainly a bug and should be fixed. From what I see in the log, it is the p11tool trying to get attribute CKA_VALUE of the "PKI Credential" data object and it never returns. The loop is there because cac_apdu_io() does not check the SW (unless SW1=61), the error is not visible from cac_read_file() and we cycle until we load all the data we expect. The proper fix would be to check the SW in every case and return an appropriate error.

Created attachment 1301817 [details]
opensc debug log from sssd failure
This is the debug log from an attempted failure as hit by SSSD.
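To make the loop described in the explanation above concrete, here is an added example that is not OpenSC's code and not from anyone on this bug: a small C model of a cac_read_file()-style chunked read. It pairs the loop as the description has it (status word ignored unless SW1 is 61, an empty response simply retried) with one that maps every status word to an error first and stops on an empty successful response, which is the condition the errata patch later checks. mock_card_t, mock_apdu_read(), sw_to_error(), read_file_buggy(), read_file_fixed(), the three card scenarios and the numeric error values are assumptions of the model; the status words 69 82 and 61 xx and the "success but no data" behaviour are taken from the thread.

```c
/*
 * Added example, not OpenSC code: a stand-alone model of the chunked object
 * read discussed in this bug. Shows why a read loop that ignores status
 * words (other than 61 xx) and accepts empty responses never terminates,
 * and the two checks that make it fail cleanly instead. All names and the
 * numeric error values below are assumptions made for this model.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative negative error codes in the style OpenSC uses (assumed values). */
#define SC_SUCCESS                                  0
#define SC_ERROR_FILE_NOT_FOUND                 (-1201)
#define SC_ERROR_CARD_CMD_FAILED                (-1205)
#define SC_ERROR_SECURITY_STATUS_NOT_SATISFIED  (-1211)
#define DEMO_HUNG                               (-9999)  /* demo guard tripped */

#define CHUNK 64   /* bytes requested per read APDU */

/* A fake card: an object's bytes, or data == NULL to refuse access with denied_sw. */
typedef struct {
    const uint8_t *data;
    size_t         len;
    uint16_t       denied_sw;   /* e.g. 0x6982, "security status not satisfied" */
} mock_card_t;

/* One read APDU: copies up to max_len bytes from offset into out, reports the
 * count in *out_len and returns SW1SW2. A card with no more bytes answers
 * 90 00 with an empty body, which is what the non-CAC card in the logs did. */
static uint16_t mock_apdu_read(const mock_card_t *card, size_t offset,
                               size_t max_len, uint8_t *out, size_t *out_len)
{
    if (card->data == NULL) {
        *out_len = 0;
        return card->denied_sw;
    }
    size_t avail = offset < card->len ? card->len - offset : 0;
    size_t n = avail < max_len ? avail : max_len;
    memcpy(out, card->data + offset, n);
    *out_len = n;
    return 0x9000;
}

/* Map a status word to an error on every APDU path. 61 xx means "more data
 * available" and is a success for the caller (it re-issues GET RESPONSE);
 * anything else that is not 90 00 is an error. */
static int sw_to_error(uint16_t sw)
{
    if (sw == 0x9000 || (sw & 0xFF00) == 0x6100)
        return SC_SUCCESS;
    switch (sw) {
    case 0x6982: return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
    case 0x6A82: return SC_ERROR_FILE_NOT_FOUND;
    default:     return SC_ERROR_CARD_CMD_FAILED;
    }
}

/* The loop as the bug describes it: read until `size` bytes have arrived,
 * never looking at SW and never noticing an empty response. On a denied or
 * empty object `got` never advances, so it spins; max_iters is a guard that
 * exists only so this demo returns instead of hanging like the real driver. */
static int read_file_buggy(const mock_card_t *card, size_t size,
                           uint8_t *out, size_t out_cap, unsigned max_iters)
{
    size_t got = 0;
    unsigned iters = 0;
    if (size > out_cap) return SC_ERROR_CARD_CMD_FAILED;
    while (got < size) {
        size_t n;
        uint16_t sw = mock_apdu_read(card, got, CHUNK, out + got, &n);
        (void)sw;            /* status word dropped: the original defect */
        got += n;            /* n == 0 leaves got unchanged */
        if (++iters > max_iters) return DEMO_HUNG;
    }
    return (int)got;
}

/* The loop with both checks: a non-success SW becomes an error before any
 * bytes are counted, and an empty successful response ends the read (the
 * check the errata patch adds) instead of being retried forever. */
static int read_file_fixed(const mock_card_t *card, size_t size,
                           uint8_t *out, size_t out_cap)
{
    size_t got = 0;
    if (size > out_cap) return SC_ERROR_CARD_CMD_FAILED;
    while (got < size) {
        size_t n;
        uint16_t sw = mock_apdu_read(card, got, CHUNK, out + got, &n);
        int r = sw_to_error(sw);
        if (r < 0) return r;
        if (n == 0) return SC_ERROR_FILE_NOT_FOUND;
        got += n;
    }
    return (int)got;
}

/* Constructed scenarios: a restricted object answering 69 82, a card that
 * answers 90 00 with no data, and an ordinary 100-byte object. */
static const uint8_t normal_bytes[100] = { 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t empty_bytes[1] = { 0 };
const mock_card_t CARD_DENIED   = { NULL, 0, 0x6982 };
const mock_card_t CARD_EMPTY_OK = { empty_bytes, 0, 0 };
const mock_card_t CARD_NORMAL   = { normal_bytes, sizeof normal_bytes, 0 };
uint8_t scratch[256];

int main(void)
{
    printf("denied   buggy=%d fixed=%d\n",
           read_file_buggy(&CARD_DENIED, 100, scratch, sizeof scratch, 1000),
           read_file_fixed(&CARD_DENIED, 100, scratch, sizeof scratch));
    printf("empty-ok buggy=%d fixed=%d\n",
           read_file_buggy(&CARD_EMPTY_OK, 100, scratch, sizeof scratch, 1000),
           read_file_fixed(&CARD_EMPTY_OK, 100, scratch, sizeof scratch));
    printf("normal   buggy=%d fixed=%d\n",
           read_file_buggy(&CARD_NORMAL, 100, scratch, sizeof scratch, 1000),
           read_file_fixed(&CARD_NORMAL, 100, scratch, sizeof scratch));
    return 0;
}
```

Compile with cc -Wall and run it. The buggy loop only ever returns because of the max_iters guard, which stands in for the hang seen in the attached debug logs; the fixed loop returns the security error for the restricted object and a file-not-found error for the card that answers with success and no data, while an ordinary object reads through in two 64-byte chunks.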
This is the same error. But triggered by the search for the objects with given CKA_VALUE over PKCS#11. I don't see how we could work around this problem for SSSD without rebuilding the package and fixing this problem. I wonder if coolkey still handles this case correctly? Scott, can you try to remove OpenSC and add coolkey to /etc/pki/nssdb and check if authentication with SSSD works with the expected certificates? Coolkey should work as before (if not, then it is a regression). There were no dramatic changes in the code related to CAC. Then I think we should add this ticket at least to the Known Issues of 7.4 and recommend using coolkey if customers have issues using the OpenSC cac card driver. Nevertheless I think it would be good to have a fix which can be released in one of the 7.4 batch updates.

For the record, this was fixed as part of the following upstream PR: https://github.com/OpenSC/OpenSC/pull/1120

(In reply to Scott Poore from comment #0)
> Description of problem:
>
> While trying to test a GSC-IS Smart Card, I configured opensc to use the cac driver. I hit a problem where commands were running/hanging indefinitely. When looking at the debug logging output, it looks like we've hit an infinite loop.
>
> Version-Release number of selected component (if applicable):
> opensc-0.16.0-5.20170227git777e2a3.el7.x86_64
>
> How reproducible:
> It is happening consistently now in my test environment and Dev was able to reproduce it.
>
> Steps to Reproduce:
> 1. Setup client to be able to read smart card
>
> yum install opensc gnutls-utils
>
> 2. Configure opensc to use cac driver
>
> vi /etc/opensc-x86_64.conf
> # Set the following:
> card_drivers = cac, PIV-II;

So with the above config, is opensc expected to detect only certs on PIV/CAC cards? PIV/CAC cards worked as expected, there was no hang and the certificates were correctly detected.
But when I used a SC650 SCP03 smartcard which is non CAC/PIV, p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all hung. I am attaching the opensc debug log at this point.

> 3. Try to read the card
>
> p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all
>
> Actual results:
>
> hangs indefinitely
>
> Expected results:
>
> returns data from card
>
> Additional info:
>
> To determine loop, set debugging in config
>
> vi /etc/opensc-x86_64.conf
>
> app default {
> ...
> debug = 9;
> debug_file = /tmp/opensc-debug.log
> ...

Created attachment 1367576 [details]
opensc debug log for non CAC/PIV cards
What you attached does not look like a debug log, but like some database. I can not reproduce it with the current version in Fedora and with CardOS cards.

Created attachment 1368107 [details]
opensc debug log for non CAC/PIV cards
Reduced the debug level to 5 to get this log file.
Thank you for the log. It looks like a card that responds to the CAC instructions with a success, but it cycles infinitely because there are no data returned, where the driver expects some. For these cards, we should probably add some check to this cycle and exit in case there are no data returned. Can you verify that the following scratch build resolves your problem? https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=14806973 If so, I will update the package in errata.

```
[root@dhcp129-107 ~]# rpm -q opensc
opensc-0.16.0-8.20170227git777e2a3.el7.x86_64
[root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
       slots: 2 slots attached
      status: loaded

        slot: NSS Internal Cryptographic Services
       token: NSS Generic Crypto Services
         uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

        slot: NSS User Private Key and Certificate Services
       token: NSS Certificate DB
         uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. OpenSC PKCS #11 Module
    library name: opensc-pkcs11.so
         uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.16
       slots: 1 slot attached
      status: loaded

        slot: OMNIKEY AG CardMan 3021 00 00
       token: CAC II (CAC II)
         uri: pkcs11:token=CAC%20II%20(CAC%20II);manufacturer=Common%20Access%20Card;serial=00000000;model=PKCS%2315%20emulated
-----------------------------------------------------------
[root@dhcp129-107 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all
warning: no token URL was provided for this operation; the available tokens are:

[root@dhcp129-107 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all
No matching objects found
[root@dhcp129-107 ~]#
```

I tried p11tool using a PIV card and a SC650 SCP03 non-CAC card. modutil lists the token info as CAC for the non-CAC cards. I do not see a hang when trying to run p11tool but it does not list the certs either. This is with the following config:

vi /etc/opensc-x86_64.conf
# Set the following:
card_drivers = cac, PIV-II;

Attaching the new logs. The log will contain info about a successful attempt using the PIV card.

Created attachment 1369599 [details]
opensc debug log for non CAC/PIV cards with scratch build
(In reply to Roshni from comment #17)
> I tried p11tool using PIV card and a SC650 SCP03 non-CAC card. modutil lists the token info as CAC for the non-CAC cards. I do not see a hang when trying to run p11tool but it does not list the certs either. This is with the following config
>
> vi /etc/opensc-x86_64.conf
> # Set the following:
> card_drivers = cac, PIV-II;
>
> Attaching the new logs. The log will contain info about a successful attempt using PIV card.

Thank you for testing. The patch was not properly setting the return code, so the detection went through successfully for pretty much anything.

The next build should handle this case correctly: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=14815166

The patch now looks this way:

```
diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old 2017-12-19 10:39:08.662925868 +0100
+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c 2017-12-19 10:39:58.665293224 +0100
@@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card if (r < 0) { goto fail; } + if (len == 0) { + r = SC_ERROR_FILE_NOT_FOUND; + goto fail; + } } *out_len = size; *out_buf = out;
```

Let me know if it works as expected for you.

I do not see a hang now when using non-CAC/PIV cards, but here is the difference when using coolkey and opensc. The card I am using here is not a CAC card.

```
[root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
       slots: 2 slots attached
      status: loaded

        slot: NSS Internal Cryptographic Services
       token: NSS Generic Crypto Services
         uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

        slot: NSS User Private Key and Certificate Services
       token: NSS Certificate DB
         uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. OpenSC PKCS #11 Module
    library name: opensc-pkcs11.so
         uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.16
       slots: 1 slot attached
      status: loaded

        slot: OMNIKEY AG CardMan 3021 00 00
       token: CAC II (CAC II)
         uri: pkcs11:token=CAC%20II%20(CAC%20II);manufacturer=Common%20Access%20Card;serial=73ca040aa43bd95b;model=PKCS%2315%20emulated
-----------------------------------------------------------
[root@dhcp129-107 ~]# pkcs11
pkcs11_eventmgr   pkcs11_listcerts  pkcs11-switch     pkcs11_inspect    pkcs11_setup      pkcs11-tool
[root@dhcp129-107 ~]# pkcs11-switch coolkey

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation.
```
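Review bot: the new `if (len == 0)` check in the cac_read_file() hunk above runs on every pass of the enclosing block (the `}` that follows it before `*out_len = size;` shows it sits inside the read loop), so a card that returns some bytes and then an empty response before the expected size is reached is reported as SC_ERROR_FILE_NOT_FOUND even though part of the object was read; a short read after a non-empty chunk is a different condition from an object that is not there, and a distinct error code, or a log line recording how many bytes arrived, would give callers and the debug log a truthful picture. The check also covers only the "success with no data" case from the SC650 log; the 69 82 "security status not satisfied" case from the description still depends on cac_apdu_io() mapping that status word into `r` so that the `if (r < 0) { goto fail; }` just above catches it, and nothing in this hunk shows that mapping, so it is worth confirming the earlier build carries it. A one-line comment above the new check saying why an empty successful response must terminate the loop would help the next reader, since at that point `r` is non-negative and the loop looks healthy.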
```
Type 'q <enter>' to abort, or <enter> to continue:

Module "CoolKey PKCS #11 Module" added to database.
Module "OpenSC PKCS #11 Module" deleted from database.
[root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
       slots: 2 slots attached
      status: loaded

        slot: NSS Internal Cryptographic Services
       token: NSS Generic Crypto Services
         uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

        slot: NSS User Private Key and Certificate Services
       token: NSS Certificate DB
         uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. CoolKey PKCS #11 Module
    library name: libcoolkeypk11.so
         uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20;library-version=1.0
       slots: 1 slot attached
      status: loaded

        slot: OMNIKEY AG CardMan 3021 00 00
       token: kdcuser2
         uri: pkcs11:token=kdcuser2;manufacturer=4090%20Axalto;serial=240e0327;model=614575c1240e0327
-----------------------------------------------------------
```

This will probably take some more time to investigate. I see that for the card recognition, it is enough when the card answers positively to the select command. Changing this will require more significant changes. Since we have a workaround (changing the order of the card drivers used for identification in the configuration file -- does it work with the default configuration?), I would consider the original issue resolved by the last patch (I will update the package as we agree) and for the new problem, let's open a new bug, saying something like "Card XXX is identified as CAC with configuration preferring CAC cards".
There is an upstream issue [1] discussing similar cases which require a fallback to a different driver late in the initialization phase, so I believe there is a way to resolve it, but we will need some more time to do so. Also please make sure the configuration you are using knows the card you want it to detect. With the configuration "card_drivers = cac, PIV-II;" you limit the functionality to only these two types and others will not get detected!

[1] https://github.com/OpenSC/OpenSC/issues/946

(In reply to Jakub Jelen from comment #19)
> (In reply to Roshni from comment #17)
> > I tried p11tool using PIV card and a SC650 SCP03 non-CAC card. modutil lists the token info as CAC for the non-CAC cards. I do not see a hang when trying to run p11tool but it does not list the certs either. This is with the following config
> >
> > vi /etc/opensc-x86_64.conf
> > # Set the following:
> > card_drivers = cac, PIV-II;
> >
> > Attaching the new logs. The log will contain info about a successful attempt using PIV card.
>
> Thank you for testing. The patch was not properly setting the return code, so the detection went through successfully for pretty much anything.
>
> The next build should handle this case correctly:
>
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=14815166

Is the above build available on the nightly compose yet? I do not see it under brew either. Please mark this bug back to ON_QA if the build is available for testing. I shall mark this bug verified and open a new bug for the driver issue.

> The patch now looks this way:
>
> diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
> --- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old 2017-12-19 10:39:08.662925868 +0100
> +++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c 2017-12-19 10:39:58.665293224 +0100
> @@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card > if (r < 0) { > goto fail; > } > + if (len == 0) { > + r = SC_ERROR_FILE_NOT_FOUND; > + goto fail; > + } > } > *out_len = size; > *out_buf = out;
>
> Let me know if it works as expected for you.

No, it was just a scratch build that is gone by now. There is a new one: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=14854543

At this late stage, I can not commit new things into dist-git unless the bug has blocker or exception flags. Please set the appropriate flag to ? and we will ask PM for approval.

sigh ... I probably had a bad look at the commit policy or it was changed. Anyway, a new build is on the way, so moving to ON_QA and adding the new build to the errata.

```
[root@dhcp129-107 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 8.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Mon 08 Jan 2018 12:11:28 PM EST
Group       : System Environment/Libraries
Size        : 3260567
License     : LGPLv2+
Signature   : RSA/SHA256, Wed 03 Jan 2018 08:15:09 AM EST, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-8.20170227git777e2a3.el7.src.rpm
Build Date  : Wed 03 Jan 2018 07:51:51 AM EST
Build Host  : x86-034.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications
```

I do not see a hang for CAC and non-CAC cards when card_drivers = cac, PIV-II; is set.

Opened a bug for the issue in comment 20: https://bugzilla.redhat.com/show_bug.cgi?id=1532349

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0987