Issued: 2012-02-20
Updated: 2012-02-20

RHBA-2012:0239 - openCryptoki bug fix update


Synopsis

openCryptoki bug fix update

Type/Severity

Bug Fix Advisory (none)

Topic

An updated openCryptoki package that fixes four bugs is now available for Red Hat Enterprise Linux 5.

Description

The openCryptoki package contains version 2.11 of the public-key cryptography standards (PKCS)#11 API, implemented for IBM Cryptocards. This package includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z).

This update fixes the following bugs:

  • Prior to this update, the process to unwrap an Advanced Encryption Standard (AES) key could, under certain circumstances, fail after a hardware cryptographic token was initialized. As a result, openCryptoki returned the error "CKR_TEMPLATE_INCOMPLETE". This update modifies the AES key unwrapping process so that it no longer fails. (BZ#538879)

  • Prior to this update, the message authentication code (MAC) could, under certain circumstances, fail to be verified when using the PKCS#11 API for the acceleration of cryptographic instructions, and the error "411 = MAC did not verify." was returned. This update modifies the underlying code so that the MAC is now computed successfully after being offloaded to the CPACF. (BZ#539168)

  • Prior to this update, openCryptoki did not correctly recognize whether secure-key crypto support was installed when the pkcs11_startup and pkcs_slot scripts were running. As a consequence, the Common Cryptographic Architecture (CCA) token did not work correctly. This update modifies the pkcs11_startup and pkcs_slot scripts to improve the secure-key crypto support check. Now, the CCA token works as expected. (BZ#541028)

  • Prior to this update, openCryptoki used linked lists to track objects and sessions in memory, performing an exhaustive search in practically every PKCS#11 call. As a consequence, the overall performance of cryptographic operations degraded exponentially with the number of objects per token or open sessions per process. This update modifies the underlying source code so that the overall performance remains constant. (BZ#612274)

All users of openCryptoki are advised to upgrade to these updated packages, which fix these bugs.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Affected Products

Product                                           Version  Arch
Red Hat Enterprise Linux for Power, big endian    5        ppc
Red Hat Enterprise Linux for IBM z Systems        5        s390x
Red Hat Enterprise Linux Workstation              5        x86_64
Red Hat Enterprise Linux Workstation              5        i386
Red Hat Enterprise Linux Server                   5        x86_64
Red Hat Enterprise Linux Server                   5        i386
Red Hat Enterprise Linux Server from RHUI         5        x86_64
Red Hat Enterprise Linux Server from RHUI         5        i386
Red Hat Enterprise Linux Desktop                  5        x86_64
Red Hat Enterprise Linux Desktop                  5        i386

Updated Packages

  • openCryptoki-devel-2.2.4-25.el5.ppc64.rpm
  • openCryptoki-2.2.4-25.el5.i386.rpm
  • openCryptoki-2.2.4-25.el5.s390x.rpm
  • openCryptoki-2.2.4-25.el5.s390.rpm
  • openCryptoki-devel-2.2.4-25.el5.i386.rpm
  • openCryptoki-devel-2.2.4-25.el5.x86_64.rpm
  • openCryptoki-devel-2.2.4-25.el5.s390x.rpm
  • openCryptoki-2.2.4-25.el5.ppc64.rpm
  • openCryptoki-2.2.4-25.el5.src.rpm
  • openCryptoki-2.2.4-25.el5.x86_64.rpm
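
To confirm that hosts carry the fixed build listed above, the following added example (not part of the advisory or of Red Hat tooling) audits `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'` output against 2.2.4-25.el5. It assumes the packages carry no epoch and uses a simplified rpm version comparison without tilde or caret handling; the inventory lines and the older release strings in them are constructed.

```python
import re

FIXED = ("2.2.4", "25.el5")  # version and release from the advisory's package list
PACKAGES = {"openCryptoki", "openCryptoki-devel"}

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, rpm style.
    Simplified: no epoch, tilde or caret handling. Returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(version, release):
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED[0])
    if c == 0:
        c = rpmvercmp(release, FIXED[1])
    return c >= 0

def audit(lines):
    """Return (name, version-release, arch) for openCryptoki packages below the fix."""
    stale = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] not in PACKAGES:
            continue  # skip unrelated packages and malformed lines
        name, ver, rel, arch = parts
        if not is_fixed(ver, rel):
            stale.append((name, f"{ver}-{rel}", arch))
    return stale

# Constructed inventory lines for illustration only.
SAMPLE = """\
openCryptoki 2.2.4 22.el5 s390x
openCryptoki 2.2.4 25.el5 x86_64
openCryptoki-devel 2.2.4 22.el5_5.1 i386
openssl 0.9.8e 22.el5 x86_64
openCryptoki 2.2.4 25.el5 ppc64
""".splitlines()

if __name__ == "__main__":
    for name, vr, arch in audit(SAMPLE):
        print(f"needs update: {name}-{vr}.{arch}")
```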

Fixes

(none)

CVEs

(none)

References

(none)

