- Issued:
- 2009-12-18
- Updated:
- 2009-12-18
RHBA-2009:1685 - openCryptoki bug fix update
Synopsis
openCryptoki bug fix update
Type/Severity
Bug Fix Advisory
Topic
Updated openCryptoki packages that resolve several issues are now available.
Description
The openCryptoki package contains version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards. This package includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z).
These updated openCryptoki packages provide fixes for the following bugs:
-
after initializing a hardware cryptographic token, attempting to unwrap an AES key failed and caused openCryptoki to return a "CKR_TEMPLATE_INCOMPLETE" error code. With this update, AES key unwrapping now succeeds as expected. (BZ#540471)
-
the openCryptoki API enables programs to offload the computation of the message authentication code (MAC) to the Central Processor Assist for Cryptographic Function (CPACF) of cryptographic hardware. When using PKCS#11 for the acceleration of cryptographic instructions, openCryptoki returned an error code of "411", indicating that the MAC was unable to be verified. With this update, the MAC is now computed successfully after being offloaded to the CPACF. (BZ#540474)
-
openCryptoki was not properly recognizing that secure-key crypto support was installed, and so the "CCA" token was not being enabled for use. (BZ#545379)
All users of openCryptoki are advised to upgrade to these updated packages, which resolve these issues.
Solution
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 5.4 | x86_64 |
| Red Hat Enterprise Linux for x86_64 - Extended Update Support | 5.4 | i386 |
| Red Hat Enterprise Linux for Power, big endian | 5 | ppc |
| Red Hat Enterprise Linux for Power, big endian - Extended Update Support | 5.4 | ppc |
| Red Hat Enterprise Linux for IBM z Systems | 5 | s390x |
| Red Hat Enterprise Linux for IBM z Systems - Extended Update Support | 5.4 | s390x |
| Red Hat Enterprise Linux Workstation | 5 | x86_64 |
| Red Hat Enterprise Linux Workstation | 5 | i386 |
| Red Hat Enterprise Linux Server | 5 | x86_64 |
| Red Hat Enterprise Linux Server | 5 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 5 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 5 | i386 |
| Red Hat Enterprise Linux Desktop | 5 | x86_64 |
| Red Hat Enterprise Linux Desktop | 5 | i386 |
Updated Packages
- openCryptoki-devel-2.2.4-22.el5_4.2.s390x.rpm
- openCryptoki-2.2.4-22.el5_4.2.i386.rpm
- openCryptoki-2.2.4-22.el5_4.2.s390x.rpm
- openCryptoki-2.2.4-22.el5_4.2.ppc64.rpm
- openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm
- openCryptoki-devel-2.2.4-22.el5_4.2.x86_64.rpm
- openCryptoki-2.2.4-22.el5_4.2.x86_64.rpm
- openCryptoki-devel-2.2.4-22.el5_4.2.ppc64.rpm
- openCryptoki-2.2.4-22.el5_4.2.src.rpm
- openCryptoki-2.2.4-22.el5_4.2.s390.rpm
Fixes
- This content is not included.BZ - 540471
- This content is not included.BZ - 540474
- This content is not included.BZ - 545379
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.