Bug Fix Advisory: opencryptoki bug fix and enhancement update

Advisory: RHBA-2011:1572-2
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2011-12-06
Last updated on: 2011-12-06
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)

Details

Updated opencryptoki packages that fix several bugs and add various enhancements
are now available for Red Hat Enterprise Linux 6.

The openCryptoki package contains version 2.11 of the PKCS#11 API, implemented
for IBM Cryptocards. This package includes support for the IBM 4758
Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer
Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto
Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for
Cryptographic Function (FC 3863 on IBM System z).

These updated opencryptoki packages provide fixes for the following bugs:

* When setting the length of an RSA key for the IBM Cryptographic Accelerator
(ICA) token, initialization of the CKA_MODULUS_BITS internal attribute of
PKCS#11 was not properly tested and the RSA key length could have been set
incorrectly. As a consequence, RSA key verification in the ICA token failed. To
ensure that the RSA key length is set correctly, two conditions have been added
to the respective function in the ICA-specific library. RSA key operations now
work properly on the ICA token. (BZ#734489)

* Prior to this update, the documentation provided with the opencryptoki
packages stated that users of opencryptoki needed to be members of the "pkcs11"
group, but did not mention the real privileges granted by adding a user to that
group. Consequently, it was not clear that members of the "pkcs11" group are
assumed to be fully trusted. With this update, the opencryptoki(7) man page now
contains a security note. (BZ#730903)

* Prior to this update, the attach_shared_memory() function performed an
unnecessary check that required explicit group membership regardless of the
current effective privileges. Consequently, upon installation of the
opencryptoki packages and creation of the "pkcs11" group, the root user was
added to the group. However, the root user should not need to be in the group to
be able to access shared memory. With this update, the shared memory checks have
been corrected and the root user no longer requires membership of the "pkcs11"
group. (BZ#732756)
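
Because members of the "pkcs11" group are assumed to be fully trusted and root no longer needs to be one, membership is worth reviewing after the update. The following is an added example, not part of the advisory or of opencryptoki: it reads group(5) and passwd(5) format files given by path, and the sample entries (GID 495, accounts alice and hsmsvc) are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or opencryptoki): list every account
# that holds the fully trusted "pkcs11" group and flag a leftover root entry.
# Inputs are group(5)- and passwd(5)-format files passed by path.

# Print members of group $1: supplementary members from group file $2 plus
# accounts whose primary GID in passwd file $3 is that group's GID.
pkcs11_members() {
    grp=$1; groupfile=$2; passwdfile=$3
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$groupfile")
    [ -n "$gid" ] || return 1    # group is not defined in this file
    {
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$groupfile"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$passwdfile"
    } | sort -u
}

# Succeed (exit 0) when root is still a member of group $1.
root_in_group() {
    pkcs11_members "$1" "$2" "$3" | grep -qx root
}

# Demo on constructed sample data (GID 495 and the account names are made up).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'pkcs11:x:495:root,alice' > "$dir/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:500:100::/home/alice:/bin/bash' \
        'hsmsvc:x:496:495::/home/hsmsvc:/sbin/nologin' > "$dir/passwd"
    echo "Accounts trusted via pkcs11:"
    pkcs11_members pkcs11 "$dir/group" "$dir/passwd" | sed 's/^/  /'
    if root_in_group pkcs11 "$dir/group" "$dir/passwd"; then
        echo "NOTE: root is listed; with the corrected check it does not need to be"
    fi
    rm -rf "$dir"
}
demo
```

On a live system the same functions can be pointed at /etc/group and /etc/passwd; accounts that come from a directory service rather than the local files are not seen by this check.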

In addition, these updated packages provide the following enhancement:

* The openCryptoki package has been upgraded to upstream version 2.4, which
provides a number of bug fixes and enhancements over the previous version.
(BZ#693779)

Users are advised to upgrade to these updated packages, which fix these bugs and
add these enhancements.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
opencryptoki-2.4-2.el6.src.rpm
File outdated by:  RHBA-2014:0257
 
IA-32:
opencryptoki-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
 
x86_64:
opencryptoki-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
opencryptoki-2.4-2.el6.src.rpm
File outdated by:  RHBA-2014:0257
 
IA-32:
opencryptoki-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
 
PPC:
opencryptoki-2.4-2.el6.ppc64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.ppc.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.ppc64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.ppc.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.ppc64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.ppc.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.ppc64.rpm
File outdated by:  RHBA-2014:0257
 
s390x:
opencryptoki-2.4-2.el6.s390x.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.s390.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.s390x.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.s390.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.s390x.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.s390.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.s390x.rpm
File outdated by:  RHBA-2014:0257
 
x86_64:
opencryptoki-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
opencryptoki-2.4-2.el6.src.rpm
File outdated by:  RHBA-2014:0257
 
IA-32:
opencryptoki-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
 
x86_64:
opencryptoki-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-debuginfo-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-devel-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.i686.rpm
File outdated by:  RHBA-2014:0257
opencryptoki-libs-2.4-2.el6.x86_64.rpm
File outdated by:  RHBA-2014:0257
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

730903 - opencryptoki: document implications of the pkcs11 group membership
732756 - opencryptoki: don't add root to pkcs11 group



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/