Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-62713

libssh fails to use pkcs11-provider when it is already activated in openssl config

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • rhel-10.0.beta
    • libssh
    • None
    • No
    • Low
    • rhel-sst-security-crypto
    • ssg_security
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None

      What were you trying to do that didn't work?

      When pkcs11-provider is already configured in openssl config, libssh fails to read keys from the token. Notice that pkcs11-provider-0.5 adds drop-in configuration to openssl that activates the provider and hence once this version is installed libssh cannot get the objects from the token through pkcs11-provider.

       

      Libssh is loading the provider explicitly (ie. without need to have it enabled beforehand by openssl). If the provider is not yet configured in openssl, libssh works fine but once you add it, it stops working. It seems as if libssh loads the provider multiple times without checking that it is already loaded.

      What is the impact of this issue to you?

      Unable to use sw/hw tokens for authentication in libssh with drop-in pkcs11-provider openssl config.

      Please provide the package NVR for which the bug is seen:

      pkcs11-provider-0.5-5.el10.x86_64
      libssh-0.10.6-8.el10.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Install pkcs11-provider >= 0.5 (make sure it is activated in /etc/pki/tls/openssl.d/pkcs11-provider.conf).
      2. Execute e.g. torture_pki_rsa_uri from the libssh self-test.

      Expected results

      Test pass, pkcs11-provider log shows a single initialization (attached p11prov-debug.good.log).

      Actual results

      Test fails, pkcs11-provider log shows multiple initializations (attached p11prov-debug.bad.log).

        1. p11prov-debug.bad.log.txt
          27 kB
          Ondrej Moris
        2. p11prov-debug.good.log.txt
          52 kB
          Ondrej Moris

              shebburn@redhat.com Sahana Prasad Hebbur Narasimha Prasad
              omoris Ondrej Moris
              Sahana Prasad Hebbur Narasimha Prasad Sahana Prasad Hebbur Narasimha Prasad
              George Pantelakis George Pantelakis
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: