Patch-ID# 118918-24
Download this patch from My Oracle Support
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
|
For further information on patching best practices and resources, please
see the following links:
|
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
|
Keywords: security libpkcs11 metaslot libpkcs11 mars crypto opl aes
Synopsis: SunOS 5.10: Solaris Crypto Framework patch
Date: Feb/05/2007
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless
otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10
SunOS Release: 5.10
Unbundled Product:
Unbundled Release:
Xref: This patch available for x86 as patch 118919
Topic: SunOS 5.10: Solaris Crypto Framework patch
*********************************************************************
NOTE: This patch may contain one or more OEM-specific platform ports.
See the appropriate OEM_NOTES file within the patch for
information specific to these platforms.
DO NOT INSTALL this patch on an OEM system if a corresponding
OEM_NOTES file is not present (or is present, but instructs not
to install the patch), unless the OEM vendor directs otherwise.
*********************************************************************
Relevant Architectures: sparc sparc.sun4u sparc.sun4v
Bugs fixed with this patch:
Changes incorporated in this version: 6474874 6484163
Patches accumulated and obsoleted by this patch: 116781-02 119012-03 121282-02 121284-02 121292-01 121473-01 121476-01 121478-01 121786-01 123444-01
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:
Files included with this patch:
/etc/crypto/kcf.conf
/etc/crypto/pkcs11.conf
/etc/inet/ipsecalgs
/kernel/crypto/sparcv9/aes
/kernel/crypto/sparcv9/blowfish
/kernel/crypto/sparcv9/des
/kernel/crypto/sparcv9/md5
/kernel/crypto/sparcv9/rsa
/kernel/crypto/sparcv9/sha1
/kernel/crypto/sparcv9/sha2
/kernel/drv/sparcv9/crypto
/kernel/kmdb/sparcv9/crypto
/kernel/misc/sparcv9/des
/kernel/misc/sparcv9/kcf
/kernel/misc/sparcv9/md5
/kernel/misc/sparcv9/sha1
/kernel/misc/sparcv9/sha2
/lib/libmd5.so.1
/lib/sparcv9/libmd5.so.1
/platform/SUNW,SPARC-Enterprise/kernel/crypto/sparcv9/aes
/platform/SUNW,Sun-Fire-V215/kernel/crypto/sparcv9/aes
/platform/sun4u-us3/kernel/crypto/sparcv9/aes
/platform/sun4u/kernel/crypto/sparcv9/arcfour
/platform/sun4u/kernel/crypto/sparcv9/des
/platform/sun4u/kernel/crypto/sparcv9/md5
/platform/sun4u/kernel/crypto/sparcv9/rsa
/platform/sun4u/kernel/crypto/sparcv9/sha1
/platform/sun4u/kernel/misc/sparcv9/des
/platform/sun4u/kernel/misc/sparcv9/md5
/platform/sun4u/kernel/misc/sparcv9/sha1
/platform/sun4u/lib/libmd5_psr.so.1
/platform/sun4u/lib/sparcv9/libmd5_psr.so.1
/platform/sun4v/kernel/crypto/sparcv9/arcfour
/platform/sun4v/kernel/crypto/sparcv9/md5
/platform/sun4v/kernel/misc/sparcv9/md5
/usr/bin/digest
/usr/bin/mac
/usr/bin/pktool
/usr/include/security/pkcs11t.h
/usr/lib/libcryptoutil.so.1
/usr/lib/libpkcs11.so.1
/usr/lib/mdb/kvm/sparcv9/crypto.so
/usr/lib/security/pkcs11_kernel.so.1
/usr/lib/security/pkcs11_softtoken.so.1
/usr/lib/security/sparcv9/pkcs11_kernel.so.1
/usr/lib/security/sparcv9/pkcs11_softtoken.so.1
/usr/lib/sparcv9/libcryptoutil.so.1
/usr/lib/sparcv9/libpkcs11.so.1
/usr/sbin/cryptoadm
Problem Description:
6474874 cryptoadm(1M) silently re-enables random number operations
6484163 memory leak in get_dsa_public_key
(from 118918-23)
6480958 "Keystore version failure" warning message should be moved to LOG_DEBUG
(from 118918-22)
6271754 pkcs11_softtoken too aggressive in looking for token data files
(from 118918-21)
6192431 C_GetAttribute value with CKA_KEY_TYPE attribute returns 8 bytes in 32-bit mode
6439285 kernel des3 fails to return corrected key when all 3 parts of the key are identical
(from 118918-20)
This revision accumulates S10U3 feature point patch 123444-01.
(from 118918-19)
6394953 sun4u sha1 kernel module does not preserve floating point state completely
(from 118918-18)
6399680 logical provider selects busy member
(from 118918-17)
6408419 i.ipsecalgsbase CAS missing in 118918-14 & 118919-12
6405871 (rework) patch 118918-15 delivers 'f' objects previously delivered in 119012-03
6342468 patchrm 118918-03 complains about failed to parse /etc/crypto/pkcs11.conf
(from 118918-16)
6405871 patch 118918-15 delivers 'f' objects previously delivered in 119012-03
(from 118918-15)
6296920 IPsec 3DES can't be used in two-key mode
(from 118918-14)
This revision accumulates S10U2 feature point patches 121282-02,
121284-02, 121292-01, 121786-01 and also delivers the following fixes:
6287428 add sha2 to the i.kcfconfbase upgrade script
6336517 kernel blowfish no longer works
6372133 Seattle (Sun Fire V215/V245) & Boston (Sun Fire V445) platforms NUMA/MPO support non-functional
6373525 Boston (Sun Fire V445) platmod does not return correct cpu unum in plat_get_cpu_unum
6358078 Seattle (Sun Fire V215/V245) & Boston (Sun Fire V445) property usage incorrect for power/pmugpio/mi2cv
(from 118918-13)
This revision removes kernel/drv/sparcv9/kssl which exists in 118822-30.
(from 118918-12)
6276483 libpkcs11 pthread_atfork() code can cause child process to hang
6345493 fork(2) handling fixes from 6276483 needs further work in pkcs11_softtoken
6360218 uprev for patches that do not manually preserve the 'e' prototype file attribute
6359179 i.script (pkgproto cmd) - is not "e" file friendly (synopsis modified)
(from 118918-11)
6376993 x86 patch T118844-29 is missing an object causing functional failure
(from 118918-10)
5039273 failure in crypto_verify() when using a bignum with value 0 for CKM_RSA_X_509
5062050 kernel bignum (thus rsa) should use the sparc optimized version
6264344 remove gratuitous bzero() calls from SHA1Final() and MD5Final()
6278572 %asi registers based MD5 implementation for Niagara (UltraSPARC T1) in Solaris
6278578 reduce store stalls by in-register coalescing for a faster RC4 on Niagara (UltraSPARC T1)
6286372 kernel SHA1Update uses global variable making it non-reentrant
4925453 further optimization can be done for RC4 on SPARC
6357426 increase rndmag_threshold and rndbuf_len default values
(from 118918-09)
6249979 sha1 slow on Niagara (UltraSPARC T1)
(from 118918-08)
6274680 Metaslot on Niagara (UltraSPARC T1) suddenly becomes very slow at high load
(from 118918-07)
6264379 Metaslot caused 20% performance degradation in crypto operations
6250963 Metaslot doesn't perform well when there are many slots
6276609 memory leak in meta_GetMechanismInfo
6280574 pk11keymgmt_test dumps core
6262344 Metaslot crashes in call to C_UnwrapKey during generation
6252894 BER routines in LDAP library don't work for 64 bit
(from 118918-06)
6222467 system calls from C_Initialize() get interrupted
(from 118918-05)
4926742 CKM_DH_PKCS_DERIVE fails if derived secret is shorter than prime
6215816 C_FindObjectsInit fails when token isn't present
6220814 C_DigestKey failure causes C_DestroyObject being hung
6217866 S1WS sometimes drops SSL connections
6223866 C_SignInit() sometimes doesn't work using a generated key
6223869 Metaslot trying to create key with bogus data
6223863 Metaslot needs to return CK_EFFECTIVELY_INFINITE in token info
6231978 Apache/mod_ssl fails SSL connections when Metaslot is present with SCA 1000
(from 118918-04)
6228384 (rework) cryptoadm gettext for usage too simplistic
6231739 (rework) cryptoadm bugfix lost "metaslot" usage keywords
(from 118918-03)
6228384 cryptoadm gettext for usage too simplistic
6231739 cryptoadm bugfix lost "metaslot" usage keywords
(from 118918-02)
This revision accumulates S10U1 feature point patch 116781-02.
(from 118918-01)
This revision accumulates S10U1 feature point patch 116781-01.
(from 116781-02)
6197284 implement C_UnwrapKey(<secret keys>) with decrypt/create_object when needed in pkcs11_kernel
6197268 pkcs11_kernel shouldn't reject C_GetAttributeValue() for a secret key's CKA_VALUE_LEN attr
6204887 SEGV in process_found_objects()
6195934 pkcs11_kernel C_DecryptInit() can return with the object_mutex still held
(from 116781-01)
4691624 libpkcs11: uCF meta slot management
6199119 pk11object test program core dumps with metaslot+pkcs11_kernel+Deimos configured
6215509 fix for 4691624 introduced a lock violation
(from 121473-01)
5062050 kernel bignum (thus rsa) should use the sparc optimized version
(from 121476-01)
6264344 remove gratuitous bzero() calls from SHA1Final() and MD5Final()
(from 121478-01)
6364043 kssl shouldn't submit non multiple of the cipher's block size for decryption
(from 121282-02)
4721729 support AES Counter mode for encryption
6253484 support mechanisms with complex mech_param structures across the EF stack
6314217 hide underlying providers of logical providers
6355571 fix for 6352877 broke the export source build
6355597 fix for 6352877 broke punchin
6352877 ckpi_004 - CKM_AES_ECB mechanism test failing with lots of Crypto error 29 messages
(from 121282-01)
4920408 PKCS#11 v2.20 support for the Crypto Framework
6181926 support SHA256, SHA384, SHA512 in kernel
(from 121284-02)
6372587 pkcs11_softtoken should use getpwuid_r(3C) to avoid overwriting thread-specific data
6372169 blowfish can read past mblk and panic in cbc mode
6368332 libpkcs11 should report that it is v2.20 not v2.11
(from 121284-01)
4920408 PKCS#11 v2.20 support for the Crypto Framework
6181926 support SHA256, SHA384, SHA512 in kernel
6336131 CKM_TLS_PRF support
6287425 residual bzero's in hmac part of sha2
6198116 dprov in amd64 mode fails when interfacing with 32bit pk11objectkernel test
5067502 dprov no longer generating correct key sizes for some mechanisms
(from 121292-01)
4931202 provide import utility from PKCS12 file to softtoken's keystore
5059459 provide utility to export-to-PKCS#12-file from softtoken
5059461 pktool(1) needs subcommands to list and delete objects in softtoken
6216772 update pktool(1) list/delete subcommands
6278459 add "tokens" subcommand to pktool(1)
6288840 pktool(1) alternate token support
6332420 change pktool CLI to use attr=value format
(from 121786-01)
4721729 support AES Counter mode for encryption
6355571 fix for 6352877 broke the export source build
6355597 fix for 6352877 broke punchin
6352877 ckpi_004 - CKM_AES_ECB mechanism test failing with lots of Crypto error 29 messages
(from 119012-03)
5072858 cryptoadm disable does not work as expected when logical provider slot is involved
6250168 assertion failure when second provider has function group flags in different class
5100567 add logical provider assertion from crypto_provider_notification()
(from 119012-02)
6222467 system calls from C_Initialize() get interrupted
6195428 "Slot Info is NULL for vca0" error when running SUNvts vcatest on E15K
6211857 driver panics when kcf_free_context() is called
(from 119012-01)
6200215 ulMaxRwSessionCount says CK_UNAVAILABLE_INFORMATION
(from 123444-01)
6379529 Solaris for OPL Project
6427002 connect(cfgadm) fails after hotplug into empty slots 2,3 and 4
6427559 Oberon hotplug requires updates from Oberon Spec v1.01
Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions. The following example
installs a patch to a standalone machine:
example# patchadd /var/spool/patch/104945-02
The following example removes a patch from a standalone system:
example# patchrm 104945-02
For additional examples please see the appropriate man pages.
Special Install Instructions:
-----------------------------
NOTE 1: Reboot system after patch installation is complete.
NOTE 2: If you have the SUNWcry package installed, you MUST also install the
following patch:
118562-01 (or greater) Solaris Data Encryption Kit Patch
NOTE 3: To get the complete fix for bug 4926742 (CKM_DH_PKCS_DERIVE fails
if derived secret is shorter than prime), please also install the
following patch:
118562-03 (or greater) Solaris Data Encryption Kit Patch
NOTE 4: To get the complete fix for bug 6222467 (system calls from
C_Initialize() get interrupted), please also install the
following patch:
118562-04 (or greater) Solaris Data Encryption Kit Patch
NOTE 5: To get the complete support for algorithm optimization for crypto
and kernel modules for restricted and non-restricted key lengths
versions, please also install the following patch:
118562-08 (or greater) Solaris Data Encryption Kit Patch
NOTE 6: To get the complete MARS (Crypto Accelerator 6000) RFE, please also
install the following patch:
118833-04 (or greater) kernel patch
NOTE 7: To get the complete support for SPARC(R) Enterprise Mx000 servers,
please also install the following patches:
118833-25 (or greater) kernel patch
123839-01 (or greater) FMA patch
123914-01 (or greater) header files patch
README -- Last modified date: Saturday, November 10, 2012