Bug 699408 - Data Corruption: opencryptoki erroneously returns error when reading its token data from disk
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: opencryptoki
Version: 6.1
Hardware: All
OS: All
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 6.1
Assignee: Dan Horák
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 632765 684385
 
Reported: 2011-04-25 14:50 UTC by IBM Bug Proxy
Modified: 2013-11-04 13:21 UTC

Fixed In Version: opencryptoki-2.3.3-2.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:53:51 UTC
Target Upstream Version:


Attachments
Patch to add to opencryptoki 2.3.3 srpm, which fixes the token data loading issue (555 bytes, text/plain)
2011-04-25 14:51 UTC, IBM Bug Proxy
Patch to RHEL 6 beta1 snap 4 to add the previous patch to the srpm specfile (694 bytes, text/plain)
2011-04-25 14:51 UTC, IBM Bug Proxy


Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 71697 0 None None None Never
Red Hat Product Errata RHBA-2011:0661 0 normal SHIPPED_LIVE opencryptoki bug fix and enhancement update 2011-05-18 17:55:22 UTC

Description IBM Bug Proxy 2011-04-25 14:50:58 UTC
---Problem Description---
opencryptoki erroneously returns error when reading its token data from disk.
  
---Steps to Reproduce---
 Using a testcase from opencryptoki's testsuite, tok_obj:

$ PKCS11_USER_PIN=1234 ./tok_obj -slot 0
1.  Create a token object
2.  Count token objects
3.  Verify contents of the first token object
4.  Destroy all token objects
5.  Initialize Token
6.  Set USER PIN
7.  Get Token Info
9.  Exit
Selection:   

At the prompt, enter 1, then 4.  4 will fail with CKR_FUNCTION_FAILED

Userspace rpm: opencryptoki-libs 

Hi Redhat,

  This bug was discovered during feature verification for opencryptoki.  Please
apply the attached patches, which will fix the issue.  The RH feature is
bugzilla 632765.

Thanks,
Kent
      
1. Server architecture(s) (please list all affected) (x86/POWER6/Z/etc.): All
2. Server type (9117-MMA/HS20/s390/etc.): N/A
3. Other components involved (ixgbe/java/emulex/etc.): opencryptoki
4. Does the server have the latest GA firmware? N/A
5. Has the problem been shown to occur on more than one system? Yes
6. Collect "sosreport" from machine problem was found on, and attach to bug. N/A
7. What is the latest official distro build on which this bug has been seen? RHEL 6.1 snap 4

Comment 1 IBM Bug Proxy 2011-04-25 14:51:02 UTC
Created attachment 494682
Patch to add to opencryptoki 2.3.3 srpm, which fixes the token data loading issue

Comment 2 IBM Bug Proxy 2011-04-25 14:51:06 UTC
Created attachment 494683
Patch to RHEL 6 beta1 snap 4 to add the previous patch to the srpm specfile

Comment 5 IBM Bug Proxy 2011-04-25 16:51:23 UTC
------- Comment From yoder1.com 2011-04-25 12:47 EDT-------
The upshot of this bug is that it is a data corruption issue -- data stored by opencryptoki cannot be re-loaded correctly after an application shuts down.

Changing the severity to ship issue.

Comment 6 IBM Bug Proxy 2011-04-25 17:51:50 UTC
------- Comment From tpnoonan.com 2011-04-25 13:43 EDT-------
this is a data corruptor

Comment 7 IBM Bug Proxy 2011-04-25 18:11:10 UTC
------- Comment From sglass.com 2011-04-25 14:05 EDT-------
This has been tested by IBM

Comment 10 John Jarvis 2011-04-26 18:11:14 UTC
This fix is approved and planned for inclusion in the RHEL 6.1 Release Candidate.

Comment 12 Miroslav Vadkerti 2011-04-27 20:48:03 UTC
Doing sanity testing only:
* current version of opencryptoki in RHEL6.1: opencryptoki-2.3.3-2.el6.x86_64
* patch opencryptoki-2.3.3-strip_pkcs_padding.patch applied:
--- opencryptoki-2.3.3.rhel6snap4/usr/lib/pkcs11/common/utility.c	2011-01-13 18:26:36.000000000 +0100
+++ opencryptoki-2.3.3/usr/lib/pkcs11/common/utility.c	2011-04-21 18:32:21.000000000 +0200
@@ -1104,9 +1104,10 @@ strip_pkcs_padding( CK_BYTE   * ptr,
    CK_BYTE  pad_value;
 
    pad_value = ptr[total_len - 1];
-   if (pad_value > total_len)
+   if (pad_value > total_len) {
        st_err_log(10, __FILE__, __LINE__);
        return CKR_ENCRYPTED_DATA_INVALID;
+   }
 
    // thus, we have 'pad_value' bytes of 'pad_value' appended to the end
    //
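Review bot: the bound check at 'if (pad_value > total_len)' still accepts a pad_value of 0, which is not a valid PKCS padding byte; consider 'if (pad_value == 0 || pad_value > total_len)' so that a zero trailing byte is also rejected with CKR_ENCRYPTED_DATA_INVALID. Two smaller points on the same lines: 'ptr[total_len - 1]' is read with no visible check that total_len is non-zero, and the comment after the check states that 'pad_value' bytes of 'pad_value' are appended, although nothing in the visible lines verifies those bytes. Because the missing braces let the log-and-return run on every call, a regression test that strips padding from a known-good buffer and expects success would catch a repeat of this.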
* all available RHTS tests PASS:
/CoreOS/openCryptoki/Regression/bz415971-pkcsconf-validation-of-PIN-is-wrong
/CoreOS/openCryptoki/Regression/bz612274-Opencryptoki-session-object-performance-degradation
/CoreOS/openCryptoki/Sanity/init-scripts-LSB
/CoreOS/openCryptoki/Sanity/testsuite - some of the tests fail - reported
upstream

Comment 13 IBM Bug Proxy 2011-05-05 15:30:55 UTC
------- Comment From yoder1.com 2011-05-05 11:25 EDT-------
Verified in RHEL6.1-20110427.0-Server-s390x-DVD1.iso, closing defect.

Kent

Comment 14 errata-xmlrpc 2011-05-19 13:53:51 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0661.html

