RHBA-2010:0699 - Bug Fix Advisory

Topic

Updated openCryptoki packages that resolve an issue are now available.

Description

The openCryptoki package contains version 2.11 of the PKCS#11 API, implemented
for IBM Cryptocards. This package includes support for the IBM 4758
Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer
Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto
Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for
Cryptographic Function (FC 3863 on IBM System z).

These updated openCryptoki packages provide fix for the following bug:

• previously, the overall performance of cryptographic operations degraded

exponentially with the number of objects per token or open sessions per process.
This was caused by the fact that OpenCryptoki used linked-lists to track objects
and sessions in memory, thus, performing an exhaustive search in practically
every PKCS#11 call. With this update, the overall performance remains constant.
(BZ#627560)

All users of openCryptoki are advised to upgrade to these updated packages,
which resolve this issue.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 627560 - Opencryptoki session/object performance degradation

CVEs

(none)

References

(none)