Bug 699408

Summary: Data Corruption: opencryptoki erroneously returns error when reading its token data from disk
Product: Red Hat Enterprise Linux 6 Reporter: IBM Bug Proxy <bugproxy>
Component: opencryptokiAssignee: Dan HorĂ¡k <dhorak>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.1CC: balkov, borgan, cward, jjarvis, jkachuck, ksrot, mvadkert, rvokal, sglass, syeghiay
Target Milestone: rcKeywords: OtherQA, Regression
Target Release: 6.1   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: opencryptoki-2.3.3-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 13:53:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 632765, 684385    
Attachments:
Description Flags
Patch to add to opencryptoki 2.3.3 srpm, which fixes the token data loading issue
none
Patch to RHEL 6 beta1 snap 4 to add the previous patch to the srpm specfile none

Description IBM Bug Proxy 2011-04-25 14:50:58 UTC 
---Problem Description---
opencryptoki erroneously returns error when reading its token data from disk.
  
---Steps to Reproduce---
 Using a testcase from opencryptoki's testsuite, tok_obj:

$ PKCS11_USER_PIN=1234 ./tok_obj -slot 0
1.  Create a token object
2.  Count token objects
3.  Verify contents of the first token object
4.  Destroy all token objects
5.  Initialize Token
6.  Set USER PIN
7.  Get Token Info
9.  Exit
Selection:   

At the prompt, enter 1, then 4.  4 will fail with CKR_FUNCTION_FAILED

Userspace rpm: opencryptoki-libs 

Hi Redhat,

  This bug was discovered during feature verification for opencryptoki.  Please
apply the attached patches, which will fix the issue.  The RH feature is
bugzilla 632765.

Thanks,
Kent
      
1. Server architecture(s) (please list all effected) (x86/POWER6/Z/etc.): All
2. Server type (9117-MMA/HS20/s390/etc.): N/A
3. Other components involved (ixgbe/java/emulex/etc.): opencryptoki
4. Does the server have the latest GA firmware? N/A
5. Has the problem been shown to occur on more than one system? Yes
6. Collect "sosreport" from machine problem was found on, and attach to bug. N/A
7. What is the latest official distro build on which this bug has been seen? RHEL 6.1 snap 4
Comment 1 IBM Bug Proxy 2011-04-25 14:51:02 UTC 
Created attachment 494682 [details]
Patch to add to opencryptoki 2.3.3 srpm, which fixes the token data loading issue
Comment 2 IBM Bug Proxy 2011-04-25 14:51:06 UTC 
Created attachment 494683 [details]
Patch to RHEL 6 beta1 snap 4 to add the previous patch to the srpm specfile
Comment 5 IBM Bug Proxy 2011-04-25 16:51:23 UTC 
------- Comment From yoder1.com 2011-04-25 12:47 EDT-------
The upshot of this bug is that it is a data corruption issue -- data stored by opencryptoki cannot be re-loaded correctly after an application shuts down.

Changing the severity to ship issue.
Comment 6 IBM Bug Proxy 2011-04-25 17:51:50 UTC 
------- Comment From tpnoonan.com 2011-04-25 13:43 EDT-------
this is a data corruptor
Comment 7 IBM Bug Proxy 2011-04-25 18:11:10 UTC 
------- Comment From sglass.com 2011-04-25 14:05 EDT-------
This has been tested by IBM
Comment 10 John Jarvis 2011-04-26 18:11:14 UTC 
This fix is approved and planned for inclusion in the RHEL 6.1 Release Candidate.
Comment 12 Miroslav Vadkerti 2011-04-27 20:48:03 UTC 
Doing sanity testing only:
* current version of opencryptoki in RHEL6.1: opencryptoki-2.3.3-2.el6.x86_64
* patch opencryptoki-2.3.3-strip_pkcs_padding.patch applied:
--- opencryptoki-2.3.3.rhel6snap4/usr/lib/pkcs11/common/utility.c	2011-01-13 18:26:36.000000000 +0100
+++ opencryptoki-2.3.3/usr/lib/pkcs11/common/utility.c	2011-04-21 18:32:21.000000000 +0200
@@ -1104,9 +1104,10 @@ strip_pkcs_padding( CK_BYTE   * ptr,
    CK_BYTE  pad_value;
 
    pad_value = ptr[total_len - 1];
-   if (pad_value > total_len)
+   if (pad_value > total_len) {
        st_err_log(10, __FILE__, __LINE__);
        return CKR_ENCRYPTED_DATA_INVALID;
+   }
 
    // thus, we have 'pad_value' bytes of 'pad_value' appended to the end
    //
* all available RHTS tests PASS:
/CoreOS/openCryptoki/Regression/bz415971-pkcsconf-validation-of-PIN-is-wrong
/CoreOS/openCryptoki/Regression/bz612274-Opencryptoki-session-object-performance-degradation
/CoreOS/openCryptoki/Sanity/init-scripts-LSB
/CoreOS/openCryptoki/Sanity/testsuite - some of the tests fail - reported
upstream
Comment 13 IBM Bug Proxy 2011-05-05 15:30:55 UTC 
------- Comment From yoder1.com 2011-05-05 11:25 EDT-------
Verified in RHEL6.1-20110427.0-Server-s390x-DVD1.iso, closing defect.

Kent
Comment 14 errata-xmlrpc 2011-05-19 13:53:51 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0661.html