- Issued:
- 2009-12-18
- Updated:
- 2009-12-18
RHBA-2009:1685 - Bug Fix Advisory
Synopsis
openCryptoki bug fix update
Type/Severity
Bug Fix Advisory
Red Hat Lightspeed patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated openCryptoki packages that resolve several issues are now available.
Description
The openCryptoki package contains version 2.11 of the PKCS#11 API,
implemented for IBM Cryptocards. This package includes support for the IBM
4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM
eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the
IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), the IBM CP Assist
for Cryptographic Function (FC 3863 on IBM System z).
These updated openCryptoki packages provide fixes for the following bugs:
- after initializing a hardware cryptographic token, attempting to unwrap
an AES key failed and caused openCryptoki to return a
"CKR_TEMPLATE_INCOMPLETE" error code. With this update, AES key unwrapping
now succeeds as expected. (BZ#540471)
- the openCryptoki API enables programs to offload the computation of the
message authentication code (MAC) to the Central Processor Assist for
Cryptographic Function (CPACF) of cryptographic hardware. When using
PKCS#11 for the acceleration of cryptographic instructions, openCryptoki
returned an error code of "411", indicating that the MAC was unable to be
verified. With this update, the MAC is now computed successfully after
being offloaded to the CPACF. (BZ#540474)
- openCryptoki was not properly recognizing that secure-key crypto support
was installed, and so the "CCA" token was not being enabled for use. (BZ#545379)
All users of openCryptoki are advised to upgrade to these updated packages,
which resolve these issues.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 540471 - CKR_TEMPLATE_INCOMPLETE exception from openCryptoki on an unwrap of an AES key
- BZ - 540474 - openCryptoki error computing MAC during offload of MAC-hashing to CPACF using PKCS11
- BZ - 545379 - CCA token not being recognized properly
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
| SRPM | |
|---|---|
| openCryptoki-2.2.4-22.el5_4.2.src.rpm | SHA-256: 6e01a0e57c4a7c486cb39d5c69774a7793301d18b83ace31822a25204e70271e |
| x86_64 | |
| openCryptoki-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 23e1f9a33273dba2b9e847c8237d07a009a9c4d8c8f639bb2727865eebd34e84 |
| openCryptoki-2.2.4-22.el5_4.2.x86_64.rpm | SHA-256: cb5bb6a558b2155afa978bd8154a4ae86e335578f17e448658a411c747fce83c |
| openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 34ca365b44f99f5b1d4b774215984d21d8b57efb76bacd73dbb09b188fa4dc5d |
| openCryptoki-devel-2.2.4-22.el5_4.2.x86_64.rpm | SHA-256: 46cf037b48c98b4c0c39f3b725b1819c12fa161ef493e98b96f96dc6b0eeafa5 |
| i386 | |
| openCryptoki-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 23e1f9a33273dba2b9e847c8237d07a009a9c4d8c8f639bb2727865eebd34e84 |
| openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 34ca365b44f99f5b1d4b774215984d21d8b57efb76bacd73dbb09b188fa4dc5d |
Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4
| SRPM | |
|---|---|
| x86_64 | |
| i386 |
Red Hat Enterprise Linux Workstation 5
| SRPM | |
|---|---|
| openCryptoki-2.2.4-22.el5_4.2.src.rpm | SHA-256: 6e01a0e57c4a7c486cb39d5c69774a7793301d18b83ace31822a25204e70271e |
| x86_64 | |
| openCryptoki-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 23e1f9a33273dba2b9e847c8237d07a009a9c4d8c8f639bb2727865eebd34e84 |
| openCryptoki-2.2.4-22.el5_4.2.x86_64.rpm | SHA-256: cb5bb6a558b2155afa978bd8154a4ae86e335578f17e448658a411c747fce83c |
| openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 34ca365b44f99f5b1d4b774215984d21d8b57efb76bacd73dbb09b188fa4dc5d |
| openCryptoki-devel-2.2.4-22.el5_4.2.x86_64.rpm | SHA-256: 46cf037b48c98b4c0c39f3b725b1819c12fa161ef493e98b96f96dc6b0eeafa5 |
| i386 | |
| openCryptoki-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 23e1f9a33273dba2b9e847c8237d07a009a9c4d8c8f639bb2727865eebd34e84 |
| openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 34ca365b44f99f5b1d4b774215984d21d8b57efb76bacd73dbb09b188fa4dc5d |
Red Hat Enterprise Linux Desktop 5
| SRPM | |
|---|---|
| openCryptoki-2.2.4-22.el5_4.2.src.rpm | SHA-256: 6e01a0e57c4a7c486cb39d5c69774a7793301d18b83ace31822a25204e70271e |
| x86_64 | |
| openCryptoki-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 23e1f9a33273dba2b9e847c8237d07a009a9c4d8c8f639bb2727865eebd34e84 |
| openCryptoki-2.2.4-22.el5_4.2.x86_64.rpm | SHA-256: cb5bb6a558b2155afa978bd8154a4ae86e335578f17e448658a411c747fce83c |
| i386 | |
| openCryptoki-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 23e1f9a33273dba2b9e847c8237d07a009a9c4d8c8f639bb2727865eebd34e84 |
Red Hat Enterprise Linux for IBM z Systems 5
| SRPM | |
|---|---|
| openCryptoki-2.2.4-22.el5_4.2.src.rpm | SHA-256: 6e01a0e57c4a7c486cb39d5c69774a7793301d18b83ace31822a25204e70271e |
| s390x | |
| openCryptoki-2.2.4-22.el5_4.2.s390.rpm | SHA-256: 98ba919acae201726f843d874b4af73055143bf17a3ceda072aebd19a142b9dc |
| openCryptoki-2.2.4-22.el5_4.2.s390x.rpm | SHA-256: 7e769fbd220e38c7c88cafe814f20ac3520877638512c0c27145b180419d95ab |
| openCryptoki-devel-2.2.4-22.el5_4.2.s390x.rpm | SHA-256: 8b11113043a435efce0d65753a1c24d9e66df65de9d2c07e14c7245cd45443c7 |
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4
| SRPM | |
|---|---|
| s390x |
Red Hat Enterprise Linux for Power, big endian 5
| SRPM | |
|---|---|
| openCryptoki-2.2.4-22.el5_4.2.src.rpm | SHA-256: 6e01a0e57c4a7c486cb39d5c69774a7793301d18b83ace31822a25204e70271e |
| ppc | |
| openCryptoki-2.2.4-22.el5_4.2.ppc64.rpm | SHA-256: d1e98dd6419b12e0d86f222e0feec6164e7117990c85236b7e61bfc21609f5a3 |
| openCryptoki-devel-2.2.4-22.el5_4.2.ppc64.rpm | SHA-256: 38fa9135c04ab7c81b4774397fa9a0005a043ae8c22d1fc21004356ca014c786 |
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4
| SRPM | |
|---|---|
| ppc |
Red Hat Enterprise Linux Server from RHUI 5
| SRPM | |
|---|---|
| openCryptoki-2.2.4-22.el5_4.2.src.rpm | SHA-256: 6e01a0e57c4a7c486cb39d5c69774a7793301d18b83ace31822a25204e70271e |
| x86_64 | |
| openCryptoki-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 23e1f9a33273dba2b9e847c8237d07a009a9c4d8c8f639bb2727865eebd34e84 |
| openCryptoki-2.2.4-22.el5_4.2.x86_64.rpm | SHA-256: cb5bb6a558b2155afa978bd8154a4ae86e335578f17e448658a411c747fce83c |
| openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 34ca365b44f99f5b1d4b774215984d21d8b57efb76bacd73dbb09b188fa4dc5d |
| openCryptoki-devel-2.2.4-22.el5_4.2.x86_64.rpm | SHA-256: 46cf037b48c98b4c0c39f3b725b1819c12fa161ef493e98b96f96dc6b0eeafa5 |
| i386 | |
| openCryptoki-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 23e1f9a33273dba2b9e847c8237d07a009a9c4d8c8f639bb2727865eebd34e84 |
| openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm | SHA-256: 34ca365b44f99f5b1d4b774215984d21d8b57efb76bacd73dbb09b188fa4dc5d |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
