Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 699408

Summary: Data Corruption: opencryptoki erroneously returns error when reading its token data from disk
Product: Red Hat Enterprise Linux 6 Reporter: IBM Bug Proxy <bugproxy>
Component: opencryptokiAssignee: Dan HorĂ¡k <dhorak>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.1CC: balkov, borgan, cward, jjarvis, jkachuck, ksrot, mvadkert, rvokal, sglass, syeghiay
Target Milestone: rcKeywords: OtherQA, Regression
Target Release: 6.1   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: opencryptoki-2.3.3-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 13:53:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 632765, 684385    
Attachments:
Description Flags
Patch to add to opencryptoki 2.3.3 srpm, which fixes the token data loading issue
none
Patch to RHEL 6 beta1 snap 4 to add the previous patch to the srpm specfile none

Description IBM Bug Proxy 2011-04-25 14:50:58 UTC 
---Problem Description---
opencryptoki erroneously returns error when reading its token data from disk.
  
---Steps to Reproduce---
 Using a testcase from opencryptoki's testsuite, tok_obj:

$ PKCS11_USER_PIN=1234 ./tok_obj -slot 0
1.  Create a token object
2.  Count token objects
3.  Verify contents of the first token object
4.  Destroy all token objects
5.  Initialize Token
6.  Set USER PIN
7.  Get Token Info
9.  Exit
Selection:   

At the prompt, enter 1, then 4.  4 will fail with CKR_FUNCTION_FAILED

Userspace rpm: opencryptoki-libs 

Hi Redhat,

  This bug was discovered during feature verification for opencryptoki.  Please
apply the attached patches, which will fix the issue.  The RH feature is
bugzilla 632765.

Thanks,
Kent
      
1. Server architecture(s) (please list all effected) (x86/POWER6/Z/etc.): All
2. Server type (9117-MMA/HS20/s390/etc.): N/A
3. Other components involved (ixgbe/java/emulex/etc.): opencryptoki
4. Does the server have the latest GA firmware? N/A
5. Has the problem been shown to occur on more than one system? Yes
6. Collect "sosreport" from machine problem was found on, and attach to bug. N/A
7. What is the latest official distro build on which this bug has been seen? RHEL 6.1 snap 4
Comment 1 IBM Bug Proxy 2011-04-25 14:51:02 UTC 
Created attachment 494682 [details]
Patch to add to opencryptoki 2.3.3 srpm, which fixes the token data loading issue
Comment 2 IBM Bug Proxy 2011-04-25 14:51:06 UTC 
Created attachment 494683 [details]
Patch to RHEL 6 beta1 snap 4 to add the previous patch to the srpm specfile
Comment 5 IBM Bug Proxy 2011-04-25 16:51:23 UTC 
------- Comment From yoder1.com 2011-04-25 12:47 EDT-------
The upshot of this bug is that it is a data corruption issue -- data stored by opencryptoki cannot be re-loaded correctly after an application shuts down.

Changing the severity to ship issue.
Comment 6 IBM Bug Proxy 2011-04-25 17:51:50 UTC 
------- Comment From tpnoonan.com 2011-04-25 13:43 EDT-------
this is a data corruptor
Comment 7 IBM Bug Proxy 2011-04-25 18:11:10 UTC 
------- Comment From sglass.com 2011-04-25 14:05 EDT-------
This has been tested by IBM
Comment 10 John Jarvis 2011-04-26 18:11:14 UTC 
This fix is approved and planned for inclusion in the RHEL 6.1 Release Candidate.
Comment 12 Miroslav Vadkerti 2011-04-27 20:48:03 UTC 
Doing sanity testing only:
* current version of opencryptoki in RHEL6.1: opencryptoki-2.3.3-2.el6.x86_64
* patch opencryptoki-2.3.3-strip_pkcs_padding.patch applied:
--- opencryptoki-2.3.3.rhel6snap4/usr/lib/pkcs11/common/utility.c	2011-01-13 18:26:36.000000000 +0100
+++ opencryptoki-2.3.3/usr/lib/pkcs11/common/utility.c	2011-04-21 18:32:21.000000000 +0200
@@ -1104,9 +1104,10 @@ strip_pkcs_padding( CK_BYTE   * ptr,
    CK_BYTE  pad_value;
 
    pad_value = ptr[total_len - 1];
-   if (pad_value > total_len)
+   if (pad_value > total_len) {
        st_err_log(10, __FILE__, __LINE__);
        return CKR_ENCRYPTED_DATA_INVALID;
+   }
 
    // thus, we have 'pad_value' bytes of 'pad_value' appended to the end
    //
* all available RHTS tests PASS:
/CoreOS/openCryptoki/Regression/bz415971-pkcsconf-validation-of-PIN-is-wrong
/CoreOS/openCryptoki/Regression/bz612274-Opencryptoki-session-object-performance-degradation
/CoreOS/openCryptoki/Sanity/init-scripts-LSB
/CoreOS/openCryptoki/Sanity/testsuite - some of the tests fail - reported
upstream
Comment 13 IBM Bug Proxy 2011-05-05 15:30:55 UTC 
------- Comment From yoder1.com 2011-05-05 11:25 EDT-------
Verified in RHEL6.1-20110427.0-Server-s390x-DVD1.iso, closing defect.

Kent
Comment 14 errata-xmlrpc 2011-05-19 13:53:51 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0661.html