Skip to navigation

Bug Fix Advisory openCryptoki bug fix update

Advisory: RHBA-2009:1685-1
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2009-12-18
Last updated on: 2009-12-18
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.4.z server)

Details

Updated openCryptoki packages that resolve several issues are now available.

The openCryptoki package contains version 2.11 of the PKCS#11 API,
implemented for IBM Cryptocards. This package includes support for the IBM
4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM
eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the
IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), the IBM CP Assist
for Cryptographic Function (FC 3863 on IBM System z).

These updated openCryptoki packages provide fixes for the following bugs:

* after initializing a hardware cryptographic token, attempting to unwrap
an AES key failed and caused openCryptoki to return a
"CKR_TEMPLATE_INCOMPLETE" error code. With this update, AES key unwrapping
now succeeds as expected. (BZ#540471)

* the openCryptoki API enables programs to offload the computation of the
message authentication code (MAC) to the Central Processor Assist for
Cryptographic Function (CPACF) of cryptographic hardware. When using
PKCS#11 for the acceleration of cryptographic instructions, openCryptoki
returned an error code of "411", indicating that the MAC was unable to be
verified. With this update, the MAC is now computed successfully after
being offloaded to the CPACF. (BZ#540474)

* openCryptoki was not properly recognizing that secure-key crypto support
was installed, and so the "CCA" token was not being enabled for use. (BZ#545379)

All users of openCryptoki are advised to upgrade to these updated packages,
which resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
openCryptoki-2.2.4-22.el5_4.2.src.rpm
File outdated by:  RHBA-2012:0239
    MD5: 1647b70bf4d10a557792332ad689a544
 
IA-32:
openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0239
    MD5: 5d268a5763316ae8571a77f71eed02b4
 
x86_64:
openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0239
    MD5: 5d268a5763316ae8571a77f71eed02b4
openCryptoki-devel-2.2.4-22.el5_4.2.x86_64.rpm
File outdated by:  RHBA-2012:0239
    MD5: d1d39befe0ca63b00c28bfb4afeb455e
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
openCryptoki-2.2.4-22.el5_4.2.src.rpm
File outdated by:  RHBA-2012:0239
    MD5: 1647b70bf4d10a557792332ad689a544
 
IA-32:
openCryptoki-2.2.4-22.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0239
    MD5: c39f9fc94c798f334fb397ad35aa01ca
openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0239
    MD5: 5d268a5763316ae8571a77f71eed02b4
 
PPC:
openCryptoki-2.2.4-22.el5_4.2.ppc64.rpm
File outdated by:  RHBA-2012:0239
    MD5: 3f7379d949727035e0bdba159885ad7e
openCryptoki-devel-2.2.4-22.el5_4.2.ppc64.rpm
File outdated by:  RHBA-2012:0239
    MD5: d0a01de0c5ed5fb1506a203ef18ada3e
 
s390x:
openCryptoki-2.2.4-22.el5_4.2.s390.rpm
File outdated by:  RHBA-2012:0239
    MD5: e8cafd37becc9045b2c5ddfa6f470f32
openCryptoki-2.2.4-22.el5_4.2.s390x.rpm
File outdated by:  RHBA-2012:0239
    MD5: 1384e4c8dbac96005a353c33ab74bfa2
openCryptoki-devel-2.2.4-22.el5_4.2.s390x.rpm
File outdated by:  RHBA-2012:0239
    MD5: 394f8a8ccba33e02e8ecca5b15799855
 
x86_64:
openCryptoki-2.2.4-22.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0239
    MD5: c39f9fc94c798f334fb397ad35aa01ca
openCryptoki-2.2.4-22.el5_4.2.x86_64.rpm
File outdated by:  RHBA-2012:0239
    MD5: 9dd00670094c9a0981353eaed6161517
openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0239
    MD5: 5d268a5763316ae8571a77f71eed02b4
openCryptoki-devel-2.2.4-22.el5_4.2.x86_64.rpm
File outdated by:  RHBA-2012:0239
    MD5: d1d39befe0ca63b00c28bfb4afeb455e
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
openCryptoki-2.2.4-22.el5_4.2.src.rpm
File outdated by:  RHBA-2012:0239
    MD5: 1647b70bf4d10a557792332ad689a544
 
IA-32:
openCryptoki-2.2.4-22.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0239
    MD5: c39f9fc94c798f334fb397ad35aa01ca
 
x86_64:
openCryptoki-2.2.4-22.el5_4.2.i386.rpm
File outdated by:  RHBA-2012:0239
    MD5: c39f9fc94c798f334fb397ad35aa01ca
openCryptoki-2.2.4-22.el5_4.2.x86_64.rpm
File outdated by:  RHBA-2012:0239
    MD5: 9dd00670094c9a0981353eaed6161517
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
openCryptoki-2.2.4-22.el5_4.2.src.rpm
File outdated by:  RHBA-2012:0239
    MD5: 1647b70bf4d10a557792332ad689a544
 
IA-32:
openCryptoki-2.2.4-22.el5_4.2.i386.rpm     MD5: c39f9fc94c798f334fb397ad35aa01ca
openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm     MD5: 5d268a5763316ae8571a77f71eed02b4
 
PPC:
openCryptoki-2.2.4-22.el5_4.2.ppc64.rpm     MD5: 3f7379d949727035e0bdba159885ad7e
openCryptoki-devel-2.2.4-22.el5_4.2.ppc64.rpm     MD5: d0a01de0c5ed5fb1506a203ef18ada3e
 
s390x:
openCryptoki-2.2.4-22.el5_4.2.s390.rpm     MD5: e8cafd37becc9045b2c5ddfa6f470f32
openCryptoki-2.2.4-22.el5_4.2.s390x.rpm     MD5: 1384e4c8dbac96005a353c33ab74bfa2
openCryptoki-devel-2.2.4-22.el5_4.2.s390x.rpm     MD5: 394f8a8ccba33e02e8ecca5b15799855
 
x86_64:
openCryptoki-2.2.4-22.el5_4.2.i386.rpm     MD5: c39f9fc94c798f334fb397ad35aa01ca
openCryptoki-2.2.4-22.el5_4.2.x86_64.rpm     MD5: 9dd00670094c9a0981353eaed6161517
openCryptoki-devel-2.2.4-22.el5_4.2.i386.rpm     MD5: 5d268a5763316ae8571a77f71eed02b4
openCryptoki-devel-2.2.4-22.el5_4.2.x86_64.rpm     MD5: d1d39befe0ca63b00c28bfb4afeb455e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

540471 - CKR_TEMPLATE_INCOMPLETE exception from openCryptoki on an unwrap of an AES key
540474 - openCryptoki error computing MAC during offload of MAC-hashing to CPACF using PKCS11
545379 - CCA token not being recognized properly



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/