Patch-ID# 118918-13 NOTE: *********************************************************************** READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE. *********************************************************************** Keywords: libpkcs11 metaslot sun4u kernel md5 crypto sun4u sha1 crypto Synopsis: SunOS 5.10: Solaris Crypto Framework patch Date: Mar/07/2006 Install Requirements: Reboot immediately after patch is installed Install in Single User Mode Solaris Release: 10 SunOS Release: 5.10 Unbundled Product: Unbundled Release: Xref: This patch available for x86 as patch 118919 Topic: SunOS 5.10: Solaris Crypto Framework patch ********************************************************************* NOTE: This patch may contain one or more OEM-specific platform ports. See the appropriate OEM_NOTES file within the patch for information specific to these platforms. DO NOT INSTALL this patch on an OEM system if a corresponding OEM_NOTES file is not present (or is present, but instructs not to install the patch), unless the OEM vendor directs otherwise. ********************************************************************* Relevant Architectures: sparc sparc.sun4u sparc.sun4v BugId's fixed with this patch: 4691624 4925453 4926742 5039273 5062050 6195934 6197268 6197284 6199119 6204887 6215509 6215816 6217866 6220814 6222467 6223863 6223866 6223869 6228384 6231739 6231978 6249979 6250963 6252894 6262344 6264344 6264379 6274680 6276483 6276609 6278572 6278578 6280574 6286372 6345493 6357426 6359179 6360218 6364043 6376993 Changes incorporated in this version: Patches accumulated and obsoleted by this patch: 116781-02 121473-01 121476-01 121478-01 Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /etc/crypto/pkcs11.conf /kernel/crypto/sparcv9/md5 /kernel/crypto/sparcv9/rsa /kernel/crypto/sparcv9/sha1 /kernel/misc/sparcv9/kcf /kernel/misc/sparcv9/md5 /kernel/misc/sparcv9/sha1 /lib/libmd5.so.1 /lib/sparcv9/libmd5.so.1 /platform/sun4u/kernel/crypto/sparcv9/arcfour /platform/sun4u/kernel/crypto/sparcv9/md5 /platform/sun4u/kernel/crypto/sparcv9/rsa /platform/sun4u/kernel/crypto/sparcv9/sha1 /platform/sun4u/kernel/misc/sparcv9/md5 /platform/sun4u/kernel/misc/sparcv9/sha1 /platform/sun4u/lib/libmd5_psr.so.1 /platform/sun4u/lib/sparcv9/libmd5_psr.so.1 /platform/sun4v/kernel/crypto/sparcv9/arcfour /platform/sun4v/kernel/crypto/sparcv9/md5 /platform/sun4v/kernel/misc/sparcv9/md5 /usr/bin/pktool /usr/lib/libcryptoutil.so.1 /usr/lib/libpkcs11.so.1 /usr/lib/security/pkcs11_kernel.so.1 /usr/lib/security/pkcs11_softtoken.so.1 /usr/lib/security/sparcv9/pkcs11_kernel.so.1 /usr/lib/security/sparcv9/pkcs11_softtoken.so.1 /usr/lib/sparcv9/libcryptoutil.so.1 /usr/lib/sparcv9/libpkcs11.so.1 /usr/sbin/cryptoadm Problem Description: Respun to remove kernel/drv/sparcv9/kssl which exists in 118822-30. (from 118918-12) 6276483 libpkcs11 pthread_atfork() code can cause child process to hang 6345493 fork(2) handling fixes from 6276483 needs further work in pkcs11_softtoken 6360218 uprev needed for patches that do not manually preserve the 'e' prototype file attribute 6359179 i.script (pkgproto cmd) - is not "e" file friendly (synopsis modified) (from 118918-11) 6376993 X86 patch T118844-29 is missing an object causing functional failure (from 118918-10) This patch was subsequently badpatched since some objects were not updated by result of the bug fixes. 5039273 Failure in crypto_verify() when using a bignum with value 0 for CKM_RSA_X_509 5062050 kernel bignum (thus rsa) should use the sparc optimized version 6264344 Remove gratuitous bzero() calls from SHA1Final() and MD5Final() 6278572 %asi registers based MD5 implementation for Niagara in solaris 6278578 reduce store stalls by in-register coalescing for a faster RC4 on Niagara 6286372 kernel SHA1Update uses global variable making it non-reentrant 4925453 Further optimization can be done for RC4 on SPARC 6357426 increase rndmag_threshold and rndbuf_len default values (from 118918-09) 6249979 sha1 slow on Niagara (from 118918-08) 6274680 Metaslot on Niagara suddenly becomes very slow at high load (from 118918-07) 6264379 Metaslot caused 20% performance degradation in crypto operations 6250963 Metaslot doesn't perform well when there are many slots 6276609 memory leak in meta_GetMechanismInfo 6280574 pk11keymgmt_test dumps core 6262344 Metaslot crashes in call to C_UnwrapKey during generation 6252894 BER routines in LDAP library don't work for 64 bit (from 118918-06) 6222467 system calls from C_Initialize() get interrupted (from 118918-05) 4926742 CKM_DH_PKCS_DERIVE fails if derived secret is shorter than prime 6215816 C_FindObjectsInit fails when token isn't present 6220814 C_DigestKey failure causes C_DestroyObject being hung 6217866 S1WS sometimes drops SSL connections 6223866 C_SignInit() sometimes doesn't work using a generated key 6223869 Metaslot trying to create key with bogus data 6223863 metaslot needs to return CK_EFFECTIVELY_INFINITE in token info 6231978 Apache/mod_ssl fails SSL connections when Metaslot is present with SCA 1000 (from 118918-04) 6228384 (rework) cryptoadm gettext for usage too simplistic 6231739 (rework) cryptoadm bugfix lost "metaslot" usage keywords (from 118918-03) 6228384 cryptoadm gettext for usage too simplistic 6231739 cryptoadm bugfix lost "metaslot" usage keywords (from 118918-02) This patch revision accumulates/obsoletes Solaris Update S10U1 feature point patch 116781-02. (from 118918-01) This patch revision accumulates/obsoletes Solaris Update S10U1 feature point patch 116781-01. (from 116781-02) 6197284 implement C_UnwrapKey() with decrypt/create_object when needed in pkcs11_kernel 6197268 pkcs11_kernel shouldn't reject C_GetAttributeValue() for a secret key's CKA_VALUE_LEN attr 6204887 SEGV in process_found_objects() 6195934 pkcs11_kernel C_DecryptInit() can return with the object_mutex still held (from 116781-01) 4691624 libpkcs11: uCF meta slot management 6199119 pk11object test program core dumps with metaslot+pkcs11_kernel+Demos configured 6215509 fix for 4691624 introduced a lock violation (from 121473-01) 5062050 kernel bignum (thus rsa) should use the sparc optimized version (from 121476-01) 6264344 Remove gratuitous bzero() calls from SHA1Final() and MD5Final() (from 121478-01) 6364043 kssl shouldn't submit non multiple of the cipher's block size for decryption Patch Installation Instructions: -------------------------------- For Solaris 2.0-2.6 releases, refer to the Install.info file and/or the README within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. For Solaris 7-10 releases, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine: example# patchadd /var/spool/patch/104945-02 The following example removes a patch from a standalone system: example# patchrm 104945-02 For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- NOTE 1: Reboot system after patch installation is complete. NOTE 2: If you're planning to set up Zones on this system, please make sure to install the following patch which fixes bugid 6216195 (zone installation confused UPDATE=yes in pkginfo(4) file.) 119254-06 (or greater) Install and Patch Utilities Patch NOTE 3: If you have the SUNWcry package installed, you MUST also install the following patch: 118562-01 (or greater) Solaris Data Encryption Kit Patch NOTE 4: To get the complete fix for bug 4926742 (CKM_DH_PKCS_DERIVE fails if derived secret is shorter than prime), please install the following patch: 118562-03 (or greater) Solaris Data Encryption Kit Patch NOTE 5: To get the complete fix for bug 6222467 (system calls from C_Initialize() get interrupted), please install the following patch: 118562-04 (or greater) Solaris Data Encryption Kit Patch NOTE 6: To obtain the complete support for algorithm optimization for crypto and kernel modules for restricted and non-restricted key lengths version please install the following patch: 118562-08 (or greater) Solaris Data Encryption Kit Patch README -- Last modified date: Tuesday, March 7, 2006