Bug 2068091

Summary: pkcsconf -t failed with Segmentation fault (core dumped) in FIPS mode
Product: Red Hat Enterprise Linux 9
Component: opencryptoki
Version: 9.0
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Filip Dvorak <fdvorak>
Assignee: Than Ngo <than>
QA Contact: Karel Srot <ksrot>
CC: ksrot
Target Milestone: rc
Keywords: Regression, Triaged
Flags: pm-rhel: mirror+
Fixed In Version: opencryptoki-3.18.0-1.el9
Doc Type: No Doc Update
Last Closed: 2022-11-15 11:16:10 UTC
Type: Bug

Description Filip Dvorak 2022-03-24 12:57:40 UTC
Description of problem:
pkcsconf -t failed with Segmentation fault (core dumped) in FIPS mode

Version-Release number of selected component (if applicable):
opencryptoki-3.17.0-5.el9_0.x86_64
RHEL-9.0.0-20220322.0

How reproducible:


Steps to Reproduce:
1. usermod -aG pkcs11 root
2. systemctl start pkcsslotd
3. pkcsconf -t

Actual results:
...
C_GetSlotList returned 0 slots. Check that your tokens are installed correctly.
Segmentation fault (core dumped)
...

Expected results:
I am not sure if pkcsconf should work in FIPS, but it should not fail with a core dump (Segmentation fault).

Additional info:

(gdb) run -t
Starting program: /usr/sbin/pkcsconf -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Invalid cast.
warning: Probes-based dynamic linker interface failed.
Reverting to original interface.
[New Thread 0x7ffff6e5e640 (LWP 7378)]
C_GetSlotList returned 0 slots. Check that your tokens are installed correctly.

Thread 2 "pkcsconf" received signal SIG32, Real-time event 32.
[Switching to Thread 0x7ffff6e5e640 (LWP 7378)]
start_thread (arg=<optimized out>) at pthread_create.c:429
429	      LIBC_PROBE (pthread_start, 3, (pthread_t) pd, pd->start_routine, pd->arg);

Comment 1 Filip Dvorak 2022-03-24 13:08:47 UTC
it works on:

- RHEL-9.0.0-20211108.6-Beta (FIPS)
opensc-0.22.0-1.el9.x86_64
opencryptoki-3.16.0-12.el9.x86_64
openssl-3.0.0-0.beta2.7.el9.x86_64

# usermod -aG pkcs11 root
# systemctl start pkcsslotd
# pkcsconf -t
Token #3 Info:
	Label: softtok                         
	Manufacturer: IBM                             
...

- RHEL8.5 (FIPS)
opensc-0.20.0-4.el8.x86_64
opencryptoki-3.16.0-5.el8.x86_64
openssl-1.1.1k-4.el8.x86_64

Comment 2 Than Ngo 2022-03-24 13:47:35 UTC
(In reply to Filip Dvorak from comment #1)
> it works on:
> 
> - RHEL-9.0.0-20211108.6-Beta (FIPS)
> opensc-0.22.0-1.el9.x86_64
> opencryptoki-3.16.0-12.el9.x86_64
> openssl-3.0.0-0.beta2.7.el9.x86_64
> 
> # usermod -aG pkcs11 root
> # systemctl start pkcsslotd
> # pkcsconf -t
> Token #3 Info:
> 	Label: softtok                         
> 	Manufacturer: IBM                             
> ...
> 
> - RHEL8.5 (FIPS)
> opensc-0.20.0-4.el8.x86_64
> opencryptoki-3.16.0-5.el8.x86_64
> openssl-1.1.1k-4.el8.x86_64

Hi Filip,

Could you please test opencryptoki-3.17.0-3.el8 on rhel-8.6 in FIPS mode to see if it works?
Thank you!

Comment 3 Karel Srot 2022-03-25 09:06:53 UTC
FTR, on RHEL-8.6 pkcsconf -t works but token initialization fails with an error:

 :: [ 10:34:59 ] :: [  BEGIN   ] :: Running 'su user25428 -c 'source  /home/ksrot/devel/src.fedoraproject.org/opencryptoki/Library/token-manipulation/lib.sh && pkcsInitToken 3''
 SLOT: 3
 LABEL: softtok
 pkcsInitToken: Initialize token
 spawn /usr/sbin/pkcsconf -c 3 -I
 Enter the SO PIN: 
 Enter a unique token label: softtok                         
 pkcsInitToken: Changing SO PIN
 spawn /usr/sbin/pkcsconf -c 3 -P
 Enter the SO PIN: 
 Enter the new SO PIN: 
 Re-enter the new SO PIN: 
 Error logging in: 0x6 (CKR_FUNCTION_FAILED)
 Error: pkcsInitToken: Failed to change SO PIN

https://beaker.engineering.redhat.com/jobs/6431903

Comment 12 errata-xmlrpc 2022-11-15 11:16:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (opencryptoki bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8307