Bug 1473335 - infinite loop when reading card with cac driver
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Jelen
QA Contact: Asha Akkiangady
Reported: 2017-07-20 10:00 EDT by Scott Poore
Modified: 2018-04-10 14:28 EDT

See Also:
Fixed In Version: opensc-0.16.0-8.20170227git777e2a3.el7
Doc Type: Bug Fix
Doc Text:
Cause: The driver code was not handling errors correctly.
Consequence: Reading some of the restricted objects on CAC cards led to an infinite loop and therefore a software hang.
Fix: The error codes are handled properly.
Result: The tools can read all supported objects on the card without problems.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 14:28:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
opensc debug log with loop (477.77 KB, text/plain), 2017-07-20 10:01 EDT, Scott Poore
opensc debug log from sssd failure (1.63 MB, text/plain), 2017-07-20 11:20 EDT, Scott Poore
opensc debug log for non CAC/PIV cards (1.39 MB, application/x-tar), 2017-12-13 16:08 EST, Roshni
opensc debug log for non CAC/PIV cards (1009.11 KB, text/plain), 2017-12-14 11:46 EST, Roshni
opensc debug log for non CAC/PIV cards with scratch build (712.29 KB, text/plain), 2017-12-18 12:01 EST, Roshni


External Trackers
Red Hat Product Errata RHBA-2018:0987 (last updated 2018-04-10 14:28 EDT)

Description Scott Poore 2017-07-20 10:00:59 EDT
Description of problem:

While trying to test a GSC-IS Smart Card, I configured opensc to use the cac driver. I hit a problem where commands were running/hanging indefinitely.  When looking at the debug logging output, it looks like we've hit an infinite loop.

Version-Release number of selected component (if applicable):
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64

How reproducible:
It is happening consistently now in my test environment and Dev was able to reproduce it.

Steps to Reproduce:
1.  Setup client to be able to read smart card

yum install opensc gnutls-utils

2.  Configure opensc to use cac driver

vi /etc/opensc-x86_64.conf
# Set the following:
card_drivers = cac, PIV-II;

3.  Try to read the card

p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all

Actual results:

hangs indefinitely

Expected results:

returns data from card

Additional info:

To find the loop, set debugging in the config

vi /etc/opensc-x86_64.conf

app default {
...
        debug = 9;
        debug_file = /tmp/opensc-debug.log
...
Comment 2 Scott Poore 2017-07-20 10:01 EDT
Created attachment 1301761 [details]
opensc debug log with loop
Comment 3 Jakub Jelen 2017-07-20 10:20:17 EDT
Explanation of the error from earlier email discussion:

What is going on there is that the driver tries to read the files on
the card, but the card returns status word SW 69:82, which means
"Security status not satisfied". This means that we can not read this
data (even after login). But the endless loop is certainly a bug and
should be fixed.

From what I see in the log, it is p11tool trying to get the attribute
CKA_VALUE of the "PKI Credential" data object and it never returns.

The loop is there because cac_apdu_io() does not check the SW
(unless SW1=61), so the error is not visible from cac_read_file() and we
cycle until we load all the data we expect. The proper fix would be to check
the SW in every case and return an appropriate error.
Comment 4 Scott Poore 2017-07-20 11:20 EDT
Created attachment 1301817 [details]
opensc debug log from sssd failure

This is the debug log from an attempted failure as hit by SSSD.
Comment 5 Jakub Jelen 2017-07-20 11:27:11 EDT
This is the same error, but triggered by the search for objects with a given CKA_VALUE over PKCS#11. I don't see how we could work around this problem for SSSD without rebuilding the package and fixing this problem.
Comment 6 Sumit Bose 2017-07-20 11:51:19 EDT
I wonder if coolkey still handles this case correctly? Scott, can you try to remove OpenSC and add coolkey to /etc/pki/nssdb and check if authentication with SSSD works with the expected certificates?
Comment 7 Jakub Jelen 2017-07-20 12:00:16 EDT
Coolkey should work as before (if not, then it is a regression). There were no dramatic changes in the code related to CAC.
Comment 8 Sumit Bose 2017-07-20 12:34:21 EDT
Then I think we should add this ticket at least to the Known Issues of 7.4 and recommend using coolkey if customers have issues using the OpenSC cac card driver.

Nevertheless I think it would be good to have a fix which can be released in one of the 7.4 batch updates.
Comment 10 Jakub Jelen 2017-08-21 10:38:50 EDT
For the record, this was fixed as part of the following upstream PR:
https://github.com/OpenSC/OpenSC/pull/1120
Comment 12 Roshni 2017-12-13 16:08:25 EST
(In reply to Scott Poore from comment #0)
> Description of problem:
> 
> While trying to test a GSC-IS Smart Card, I configured opensc to use the cac
> driver. I hit a problem where commands were running/hanging indefinitely. 
> When looking at the debug logging output, it looks like we've hit an
> infinite loop.
> 
> Version-Release number of selected component (if applicable):
> opensc-0.16.0-5.20170227git777e2a3.el7.x86_64
> 
> How reproducible:
> It is happening consistently now in my test environment and Dev was able to
> reproduce it.
> 
> Steps to Reproduce:
> 1.  Setup client to be able to read smart card
> 
> yum install opensc gnutls-utils
> 
> 2.  Configure opensc to use cac driver
> 
> vi /etc/opensc-x86_64.conf
> # Set the following:
> card_drivers = cac, PIV-II;

So with the above config, is opensc expected to detect only certs on PIV/CAC cards? PIV/CAC cards worked as expected: there was no hang and the certificates were correctly detected. But when I used a SC650 SCP03 smartcard, which is non-CAC/PIV, p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all hung. I am attaching the opensc debug log at this point.
> 
> 3.  Try to read the card
> 
> p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all
> 
> Actual results:
> 
> hangs indefinitely
> 
> Expected results:
> 
> returns data from card
> 
> Additional info:
> 
> To determine loop, set debugging in config
> 
> vi /etc/opensc-x86_64.conf
> 
> app default {
> ...
>         debug = 9;
>         debug_file = /tmp/opensc-debug.log
> ...
Comment 13 Roshni 2017-12-13 16:08 EST
Created attachment 1367576 [details]
opensc debug log for non CAC/PIV cards
Comment 14 Jakub Jelen 2017-12-14 03:22:07 EST
What you attached does not look like a debug log, but like some database.

I can not reproduce it with the current version in Fedora and with CardOS cards.
Comment 15 Roshni 2017-12-14 11:46 EST
Created attachment 1368107 [details]
opensc debug log for non CAC/PIV cards

Reduced the debug level to 5 to get this log file
Comment 16 Jakub Jelen 2017-12-18 06:34:57 EST
Thank you for the log. It looks like a card that responds to the CAC instructions with success, but it cycles infinitely because no data is returned where the driver expects some. For these cards, we should probably add some check to this cycle and exit in case no data is returned.

Can you verify that the following scratch build resolves your problem?

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=14806973

If so, I will update the package in errata.
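The two failure modes described in this thread, a card answering SW 69 82 that cac_apdu_io() never checked (comment 3) and a card answering success with no data at all (comment 16), both come down to a chunked read loop that can stop making progress without noticing. The following C program is an added example, not OpenSC code: it models a card behind a hypothetical sim_apdu_read() transport, runs a buggy loop modelled on comment 3's description beside a hardened one that checks the status word on every response and treats a zero-byte answer as an error (the check the scratch-build patch adds), and counts the APDUs each loop issues. The SC_ERROR_* names echo OpenSC's but the numeric values here are placeholders, the 40-byte object is constructed, and the APDU cap of 1000 exists only so the buggy loop can be shown terminating instead of hanging.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes named after OpenSC's; the values are placeholders for this example. */
#define SC_SUCCESS                                 0
#define SC_ERROR_FILE_NOT_FOUND                -1201
#define SC_ERROR_CARD_CMD_FAILED               -1205
#define SC_ERROR_SECURITY_STATUS_NOT_SATISFIED -1211
#define LOOP_RUNAWAY   -2    /* example-only: the buggy loop hit the APDU cap */

#define CHUNK      16        /* bytes requested per READ APDU (constructed value) */
#define APDU_LIMIT 1000      /* cap so the buggy loop can be demonstrated without hanging */

/* Hypothetical card behaviours, one per failure mode discussed in the thread. */
enum card_behaviour {
    CARD_NORMAL,          /* returns the object in chunks with SW 90 00 */
    CARD_ACCESS_DENIED,   /* always answers SW 69 82 and no data (comment 3) */
    CARD_EMPTY_SUCCESS    /* answers SW 90 00 but never returns a byte (comment 16) */
};

struct sim_card {
    enum card_behaviour behaviour;
    const uint8_t *object;   /* content of the data object on the card */
    size_t object_len;
    size_t apdu_count;       /* READ APDUs issued so far */
};

/* Simulated transport standing in for cac_apdu_io(): the return value only says
 * whether the exchange happened; the card's verdict is carried in sw1/sw2. */
static int sim_apdu_read(struct sim_card *card, size_t offset, uint8_t *buf,
                         size_t max_len, size_t *resp_len, uint8_t *sw1, uint8_t *sw2)
{
    card->apdu_count++;
    *resp_len = 0;
    if (card->behaviour == CARD_ACCESS_DENIED) {
        *sw1 = 0x69; *sw2 = 0x82;           /* "security status not satisfied" */
        return SC_SUCCESS;
    }
    *sw1 = 0x90; *sw2 = 0x00;
    if (card->behaviour == CARD_EMPTY_SUCCESS)
        return SC_SUCCESS;                   /* success, but zero bytes */
    size_t avail = offset < card->object_len ? card->object_len - offset : 0;
    size_t n = avail < max_len ? avail : max_len;
    memcpy(buf, card->object + offset, n);
    *resp_len = n;
    return SC_SUCCESS;
}

/* Buggy loop, as comment 3 describes: only the transport result is checked, the
 * SW is ignored, and a zero-length answer is not treated as a failure, so the
 * loop spins until `size` bytes arrive, which for these cards is never. */
static int read_object_buggy(struct sim_card *card, size_t size, uint8_t *out)
{
    size_t got = 0, len; uint8_t sw1, sw2;
    while (got < size) {
        int r = sim_apdu_read(card, got, out + got, CHUNK, &len, &sw1, &sw2);
        if (r < 0)
            return r;
        got += len;
        if (card->apdu_count > APDU_LIMIT)
            return LOOP_RUNAWAY;             /* would be an infinite loop in the real driver */
    }
    return (int)got;
}

/* Hardened loop: every response's SW is checked and a zero-byte answer aborts
 * the read, so each iteration either makes progress or exits with an error. */
static int read_object_fixed(struct sim_card *card, size_t size, uint8_t *out)
{
    size_t got = 0, len; uint8_t sw1, sw2;
    while (got < size) {
        int r = sim_apdu_read(card, got, out + got, CHUNK, &len, &sw1, &sw2);
        if (r < 0)
            return r;
        if (sw1 == 0x69 && sw2 == 0x82)
            return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED;
        if (!(sw1 == 0x90 && sw2 == 0x00))
            return SC_ERROR_CARD_CMD_FAILED;
        if (len == 0)
            return SC_ERROR_FILE_NOT_FOUND;  /* the check the scratch-build patch adds */
        got += len;
    }
    return (int)got;
}

/* Runs one scenario over a constructed 40-byte object and returns the loop's result;
 * *apdus (if given) receives the number of READ APDUs issued. */
static int run_scenario(enum card_behaviour b, int use_fixed, size_t expect_size, size_t *apdus)
{
    uint8_t object[40], out[64] = {0};
    if (expect_size > sizeof out)
        return SC_ERROR_CARD_CMD_FAILED;     /* keep the example's buffer safe */
    for (size_t i = 0; i < sizeof object; i++)
        object[i] = (uint8_t)(0xA0 + i);     /* constructed sample content */
    struct sim_card card = { b, object, sizeof object, 0 };
    int r = use_fixed ? read_object_fixed(&card, expect_size, out)
                      : read_object_buggy(&card, expect_size, out);
    if (apdus)
        *apdus = card.apdu_count;
    return r;
}

/* Number of APDUs a scenario issues before its loop exits. */
static size_t apdus_used(enum card_behaviour b, int use_fixed, size_t expect_size)
{
    size_t n = 0;
    run_scenario(b, use_fixed, expect_size, &n);
    return n;
}

int main(void)
{
    static const char *names[] = { "normal card", "card answering 69 82", "card answering 90 00, no data" };
    for (int b = CARD_NORMAL; b <= CARD_EMPTY_SUCCESS; b++) {
        size_t n_bug, n_fix;
        int r_bug = run_scenario((enum card_behaviour)b, 0, 40, &n_bug);
        int r_fix = run_scenario((enum card_behaviour)b, 1, 40, &n_fix);
        printf("%-30s buggy: r=%5d after %4zu APDUs | fixed: r=%5d after %zu APDUs\n",
               names[b], r_bug, n_bug, r_fix, n_fix);
    }
    return 0;
}
```

Running it shows the buggy loop returning only because of the artificial cap after 1001 APDUs for both bad cards, while the hardened loop exits after a single APDU with a distinct error for each case; asking the hardened loop for more bytes than the object holds also ends cleanly with SC_ERROR_FILE_NOT_FOUND instead of spinning.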
Comment 17 Roshni 2017-12-18 12:01:13 EST
[root@dhcp129-107 ~]# rpm -q opensc
opensc-0.16.0-8.20170227git777e2a3.el7.x86_64
[root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. OpenSC PKCS #11 Module
	library name: opensc-pkcs11.so
	   uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.16
	 slots: 1 slot attached
	status: loaded

	 slot: OMNIKEY AG CardMan 3021 00 00
	token: CAC II (CAC II)
	  uri: pkcs11:token=CAC%20II%20(CAC%20II);manufacturer=Common%20Access%20Card;serial=00000000;model=PKCS%2315%20emulated
-----------------------------------------------------------


[root@dhcp129-107 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all
warning: no token URL was provided for this operation; the available tokens are:
[root@dhcp129-107 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all
No matching objects found
[root@dhcp129-107 ~]#


I tried p11tool using PIV card and a SC650 SCP03 non-CAC card. modutil lists the token info as CAC for the non-CAC cards. I do not see a hang when trying to run p11tool but it does not list the certs either. This is with the following config

vi /etc/opensc-x86_64.conf
# Set the following:
card_drivers = cac, PIV-II;

Attaching the new logs. The log will contain info about a successful attempt using PIV card.
Comment 18 Roshni 2017-12-18 12:01 EST
Created attachment 1369599 [details]
opensc debug log for non CAC/PIV cards with scratch build
Comment 19 Jakub Jelen 2017-12-19 04:46:04 EST
(In reply to Roshni from comment #17)
> I tried p11tool using PIV card and a SC650 SCP03 non-CAC card. modutil lists
> the token info as CAC for the non-CAC cards. I do not see a hang when trying
> to run p11tool but it does not list the certs either. This is with the
> following config
> 
> vi /etc/opensc-x86_64.conf
> # Set the following:
> card_drivers = cac, PIV-II;
> 
> Attaching the new logs. The log will contain info about a successful attempt
> using PIV card.

Thank you for testing. The patch was not properly setting the return code, so the detection went through successfully for pretty much anything.

The next build should handle this case correctly:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=14815166

The patch now looks this way:

diff -up OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
--- OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old	2017-12-19 10:39:08.662925868 +0100
+++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c	2017-12-19 10:39:58.665293224 +0100
@@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card
 		if (r < 0) {
 			goto fail;
 		}
+		if (len == 0) {
+			r = SC_ERROR_FILE_NOT_FOUND;
+			goto fail;
+		}
 	}
 	*out_len = size;
 	*out_buf = out;
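Review bot: the new `if (len == 0)` check sits at the bottom of the chunk-reading loop (the `}` on the following line closes it), so a zero-byte answer now aborts the whole read instead of spinning, which covers the "success with no data" card from comment 16; two points on the hunk. First, SC_ERROR_FILE_NOT_FOUND reads oddly when earlier iterations already accumulated part of the object, so if `len` is the byte count of the last response (it is not defined in the visible lines), either pick a code that says the card stopped returning data or add a one-line comment explaining why zero bytes is reported as "not found". Second, the hunk does not touch the status-word handling from comment 3 (cac_apdu_io() only checking SW1=61, which comment 10 says was fixed upstream in PR 1120), so the commit message should state that this hunk only adds the empty-response guard on top of that fix rather than addressing the 69 82 case itself.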


Let me know if it works as expected for you.
Comment 20 Roshni 2017-12-21 12:03:08 EST
I do not see a hang now when using non-CAC/PIV cards, but here is the difference when using coolkey and opensc. The card I am using here is not a CAC card.

[root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. OpenSC PKCS #11 Module
	library name: opensc-pkcs11.so
	   uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.16
	 slots: 1 slot attached
	status: loaded

	 slot: OMNIKEY AG CardMan 3021 00 00
	token: CAC II (CAC II)
	  uri: pkcs11:token=CAC%20II%20(CAC%20II);manufacturer=Common%20Access%20Card;serial=73ca040aa43bd95b;model=PKCS%2315%20emulated
-----------------------------------------------------------
[root@dhcp129-107 ~]# pkcs11
pkcs11_eventmgr   pkcs11_listcerts  pkcs11-switch     
pkcs11_inspect    pkcs11_setup      pkcs11-tool       
[root@dhcp129-107 ~]# pkcs11-switch coolkey

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "CoolKey PKCS #11 Module" added to database.
Module "OpenSC PKCS #11 Module" deleted from database.
[root@dhcp129-107 ~]# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.34
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services
	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	   uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20;library-version=1.0
	 slots: 1 slot attached
	status: loaded

	 slot: OMNIKEY AG CardMan 3021 00 00
	token: kdcuser2
	  uri: pkcs11:token=kdcuser2;manufacturer=4090%20Axalto;serial=240e0327;model=614575c1240e0327
-----------------------------------------------------------
Comment 21 Jakub Jelen 2017-12-23 16:48:58 EST
This will probably take some more time to investigate. I see that for the card recognition, it is enough when the card answers positively to the select command. Changing this will require more significant changes.

Since we have a workaround (changing the order of the card drivers used for identification in the configuration file -- does it work with the default configuration?), I would consider the original issue resolved by the last patch (I will update the package as we agree) and for the new problem, let's open a new bug, saying something like "Card XXX is identified as CAC with configuration preferring CAC cards". There is an upstream issue [1] discussing similar cases which require a fallback to a different driver late in the initialization phase, so I believe there is a way to resolve it, but we will need some more time to do so.

Also please, make sure the configuration you are using knows the card you want it to detect. With configuration "card_drivers = cac, PIV-II;" you limit the functionality to only these two types and others will not get detected!

[1] https://github.com/OpenSC/OpenSC/issues/946
Comment 22 Roshni 2018-01-02 14:00:18 EST
(In reply to Jakub Jelen from comment #19)
> (In reply to Roshni from comment #17)
> > I tried p11tool using PIV card and a SC650 SCP03 non-CAC card. modutil lists
> > the token info as CAC for the non-CAC cards. I do not see a hang when trying
> > to run p11tool but it does not list the certs either. This is with the
> > following config
> > 
> > vi /etc/opensc-x86_64.conf
> > # Set the following:
> > card_drivers = cac, PIV-II;
> > 
> > Attaching the new logs. The log will contain info about a successful attempt
> > using PIV card.
> 
> Thank you for testing. The patch was not properly setting the return code so
> the detection when through successfully for quite much anything.
> 
> The next build should handle this case correctly:
> 
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=14815166

Is the above build available on nightly compose yet? I do not see it under brew either. Please mark this bug back to ON_QA if the build is available for testing. I shall mark this bug verified and open a new bug for the driver issue.
> 
> The patch now looks this way:
> 
> diff -up
> OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old
> OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
> ---
> OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c.old
> 2017-12-19 10:39:08.662925868 +0100
> +++ OpenSC-777e2a3751e3f6d53f056c98e9e20e42af674fb1/src/libopensc/card-cac.c
> 2017-12-19 10:39:58.665293224 +0100
> @@ -450,6 +450,10 @@ static int cac_read_file(sc_card_t *card
>  		if (r < 0) {
>  			goto fail;
>  		}
> +		if (len == 0) {
> +			r = SC_ERROR_FILE_NOT_FOUND;
> +			goto fail;
> +		}
>  	}
>  	*out_len = size;
>  	*out_buf = out;
> 
> 
> Let me know if it works as expected for you.
Comment 23 Jakub Jelen 2018-01-03 03:28:13 EST
No, it was just a scratch build that is gone by now. There is a new one:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=14854543

This late, I can not commit new things into dist git unless the bug has blocker or exception flags. Please set the appropriate flag to ? and we will ask PM for approval.
Comment 24 Jakub Jelen 2018-01-03 07:53:35 EST
sigh ... I probably had a bad look into the commit policy or it was changed. Anyway, the new build is on the way, so moving to ON_QA and adding the new build to the errata.
Comment 25 Roshni 2018-01-08 12:36:49 EST
[root@dhcp129-107 ~]# rpm -qi opensc
Name        : opensc
Version     : 0.16.0
Release     : 8.20170227git777e2a3.el7
Architecture: x86_64
Install Date: Mon 08 Jan 2018 12:11:28 PM EST
Group       : System Environment/Libraries
Size        : 3260567
License     : LGPLv2+
Signature   : RSA/SHA256, Wed 03 Jan 2018 08:15:09 AM EST, Key ID 199e2f91fd431d51
Source RPM  : opensc-0.16.0-8.20170227git777e2a3.el7.src.rpm
Build Date  : Wed 03 Jan 2018 07:51:51 AM EST
Build Host  : x86-034.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/OpenSC/OpenSC/wiki
Summary     : Smart card library and applications

I do not see a hang for CAC and non-CAC when card_drivers = cac, PIV-II; is set.
Opened a bug for the issue in comment 20 https://bugzilla.redhat.com/show_bug.cgi?id=1532349
Comment 28 errata-xmlrpc 2018-04-10 14:28:08 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0987
