Accepting request 220960 from home:oertel:branches:security

- Updated to openCryptoki v3.1: See ChangeLog for complete details
  (FATE#315426)
  - opencryptoki-3.1
    - New ep11 token to support IBM Crypto Express adpaters
      (starting with Crypto Express 4S adapters) configured with
      Enterprise PKCS#11(EP11) firmware. (FATE#315330)
  - opencryptoki-3.0
    - New opencryptoki.conf file to replace pk_config_data and
      pkcs11_starup.  The opencryptoki.conf contains slot entry
      information for tokens.
    - Removed pkcs_slot and pkcs11_startup shell scripts.
    - ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
      mechanisms using 3DES keys. (FATE#315323)
    - ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
      mechanisms. (FATE#315323)
    - ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
      CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
      mechanisms. (FATE#315323)
  - opencryptoki-2.4.1 (21 Feb 2012)
    - SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
  - ocki-2.2.6-PIN-backspace.patch
- added patches:
  - ocki-3.1-fix-implicit-decl.patch
  - ocki-3.1-remove-make-install-chgrp-chmod.patch
  - ocki-3.1-fix-init_d-path.patch

- add aarch64 to 64bit archs

OBS-URL: https://build.opensuse.org/request/show/220960
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=13

ocki-2.2.6-PIN-backspace.patch

@@ -1,228 +0,0 @@
---- usr/sbin/pkcsconf/pkcsconf.c
-+++ usr/sbin/pkcsconf/pkcsconf.c
-@@ -333,7 +333,7 @@
- CK_RV init(void);
- void  usage(char *);
- int   echo(int);
--void  get_pin(CK_CHAR **);
-+int   get_pin(CK_CHAR **);
- CK_RV cleanup(void);
- CK_RV display_pkcs11_info(void);
- CK_RV get_slot_list(int, CK_CHAR_PTR);
-@@ -499,9 +499,13 @@
-     * the SO pin, if not ask for the PIN */
-    if (flags & CFG_INITIALIZE){
-       if (~flags & CFG_SO_PIN){
--         printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
--         fflush(stdout);
--         get_pin(&(sopin));
-+	      int rc;
-+
-+	      do {
-+		      printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&(sopin));
-+	      } while (rc == -EINVAL);
-       }
-       rc = init_token(sopin);
-    }
-@@ -511,18 +515,29 @@
-     * the New User PIN on the command line if not ask for the PIN and verify it */
-    if (flags & CFG_INIT_USER){
-       if (~flags & CFG_SO_PIN) {
--         printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
--         fflush(stdout);
--         get_pin(&sopin);
-+	      int rc;
-+
-+	      do {
-+		      printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&sopin);
-+	      } while (rc == -EINVAL);
-       }
-       if (~flags & CFG_NEW_PIN) {
--         printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: "));
--         fflush(stdout);
--         get_pin(&newpin);
--	 newpinlen = strlen(newpin);
--         printf(PKCSINIT_MSG(VNEWUSER, "Re-enter the new user PIN: "));
--         fflush(stdout);
--         get_pin(&newpin2);
-+	      int rc;
-+
-+	      do {
-+		      printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&newpin);
-+	      } while (rc == -EINVAL);
-+	      newpinlen = strlen(newpin);
-+	      do {
-+		      printf(PKCSINIT_MSG(VNEWUSER,
-+					  "Re-enter the new user PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&newpin2);
-+	      } while (rc == -EINVAL);
- 	 newpin2len = strlen(newpin2);
-          if (newpinlen != newpin2len || memcmp(newpin, newpin2, strlen((char *)newpin)) != 0) {
-             printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n"));
-@@ -537,18 +552,28 @@
-     * current SO PIN and the New PIN in.  If not prompt and validate them. */
-    if (flags & CFG_SET_SO){
-       if (~flags & CFG_SO_PIN) {
--         printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
--         fflush(stdout);
--         get_pin(&sopin);
-+	      int rc;
-+
-+	      do {
-+		      printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&sopin);
-+	      } while (rc == -EINVAL);
-       }
-       if (~flags & CFG_NEW_PIN) {
--         printf(PKCSINIT_MSG(NEWSO, "Enter the new SO PIN: "));
--         fflush(stdout);
--         get_pin(&newpin);
-+	      int rc;
-+
-+	      do {
-+		      printf(PKCSINIT_MSG(NEWSO, "Enter the new SO PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&newpin);
-+	      } while (rc == -EINVAL);
- 	 newpinlen = strlen(newpin);
--         printf(PKCSINIT_MSG(VNEWSO, "Re-enter the new SO PIN: "));
--         fflush(stdout);
--         get_pin(&newpin2);
-+	      do {
-+		      printf(PKCSINIT_MSG(VNEWSO, "Re-enter the new SO PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&newpin2);
-+	      } while (rc == -EINVAL);
- 	 newpin2len = strlen(newpin2);
-          if (newpinlen != newpin2len || memcmp(newpin, newpin2, strlen((char *)newpin)) != 0) {
-             printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n"));
-@@ -563,18 +588,26 @@
-     * current User PIN and the New PIN in.  If not prompt and validate them. */
-    if (flags & CFG_SET_USER){
-       if (~flags & CFG_USER_PIN) {
--         printf(PKCSINIT_MSG(USERPIN, "Enter user PIN: "));
--         fflush(stdout);
--         get_pin(&pin);
-+	      int rc;
-+
-+	      do {
-+		      printf(PKCSINIT_MSG(USERPIN, "Enter user PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&pin);
-+	      } while (rc == -EINVAL);
-       }
-       if (~flags & CFG_NEW_PIN) {
--         printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: "));
--         fflush(stdout);
--         get_pin(&newpin);
--	 newpinlen = strlen(newpin);
--         printf(PKCSINIT_MSG(VNEWUSER, "Re-enter the new user PIN: "));
--         fflush(stdout);
--         get_pin(&newpin2);
-+	      do {
-+		      printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&newpin);
-+	      } while (rc == -EINVAL);
-+	      newpinlen = strlen(newpin);
-+	      do {
-+		      printf(PKCSINIT_MSG(VNEWUSER, "Re-enter the new user PIN: "));
-+		      fflush(stdout);
-+		      rc = get_pin(&newpin2);
-+	      } while (rc == -EINVAL);
- 	 newpin2len = strlen(newpin2);
-          if (newpinlen != newpin2len || memcmp(newpin, newpin2, strlen((char *)newpin)) != 0) {
-             printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n"));
-@@ -619,41 +652,49 @@
- 
- }
- 
--void
--get_pin(CK_CHAR ** pin){
--   int  count = 0;
--   char buff[PIN_SIZE] = { 0 }, c = 0;
--
--   /* Turn off echoing to the terminal when getting the password */
--   echo(FALSE);
--
--   /* Get each character and print out a '*' for each input */
--   for (count = 0; (c != LINE_FEED) && (count < PIN_SIZE); count++){
--      buff[count] = getc(stdin);
--      c = buff[count];
--      if ((c != LINE_FEED) && (c != BACK_SPACE))
--         printf("*");
--      if (c == BACK_SPACE) {
--         printf("%c%c%c", BACK_SPACE, ' ', BACK_SPACE);
--         count-=2;
--      }
--      fflush(stdout);
--   }
--
--   echo(TRUE);
--
--   /* After we get the password go to the next line */
--   printf("\n");
--   fflush(stdout);
--
--   /* Allocate 80 bytes for the user PIN.  This is large enough for the tokens
--    * supported in AIX 5.0 and 5.1 */
--   *pin = (unsigned char *)malloc(PIN_SIZE);
--
--   /* Strip the carage return from the user input (it is not part of the PIN)
--    * and put the PIN in the return buffer */
--   buff[count-1] =  '\0'; //NULL; 
--   strncpy((char *)*pin, buff, strlen((char *)buff)+1); // keep the trailing null for the strlen
-+int get_pin(CK_CHAR **pin)
-+{
-+	int  count;
-+	char buff[PIN_SIZE] = { 0 }, c = 0;
-+	int rc = 0;
-+
-+	*pin = NULL;
-+	/* Turn off echoing to the terminal when getting the password */
-+	echo(FALSE);
-+	/* Get each character and print out a '*' for each input */
-+	for (count = 0; (c != LINE_FEED) && (count < PIN_SIZE); count++) {
-+		buff[count] = getc(stdin);
-+		c = buff[count];
-+		if (c == BACK_SPACE || c == DELETE) {
-+			printf("\nBackspace and delete character not allowed. "
-+			       "Please retry entering your PIN.\n");
-+			rc = -EINVAL;
-+			echo(TRUE);
-+			fflush(stdout);
-+			goto out;
-+		}
-+		if ((c != LINE_FEED))
-+			printf("*");
-+		fflush(stdout);
-+	}
-+	echo(TRUE);
-+	/* After we get the password go to the next line */
-+	printf("\n");
-+	fflush(stdout);
-+	/* Allocate 80 bytes for the user PIN. This is large enough
-+	 * for the tokens supported in AIX 5.0 and 5.1 */
-+	*pin = (unsigned char *)malloc(PIN_SIZE);
-+	if (!(*pin)) {
-+		rc = -ENOMEM;
-+		goto out;
-+	}
-+	/* Strip the carage return from the user input (it is not part
-+	 * of the PIN) and put the PIN in the return buffer */
-+	buff[count - 1] =  '\0';
-+	/* keep the trailing null for the strlen */
-+	strncpy((char *)*pin, buff, (strlen((char *)buff) + 1));
-+out:
-+	return rc;
- }
- 
- int

ocki-3.1-fix-implicit-decl.patch

@@ -0,0 +1,66 @@
+--- opencryptoki.orig/usr/lib/pkcs11/common/loadsave.c	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/common/loadsave.c	2014-01-31 10:56:26.377812000 -0700
+@@ -287,6 +287,9 @@
+ //
+ //
+ 
++/* _GNU_SOURCE necessary for asprintf */
++#define _GNU_SOURCE
++
+ #include <pthread.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+--- opencryptoki.orig/usr/lib/pkcs11/common/mech_rng.c	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/common/mech_rng.c	2014-01-31 11:00:30.004283000 -0700
+@@ -301,6 +301,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
++#include <unistd.h>
+ 
+ 
+ #include "pkcs11types.h"
+--- opencryptoki.orig/usr/sbin/pkcsslotd/garbage_linux.c	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/sbin/pkcsslotd/garbage_linux.c	2014-01-31 11:03:14.422314000 -0700
+@@ -294,6 +294,7 @@
+ #include <string.h>
+ #include <sys/types.h>
+ #include <fcntl.h>
++#include <unistd.h>
+ 
+ #include "log.h"
+ #include "slotmgr.h"
+--- opencryptoki.orig/usr/sbin/pkcsslotd/mutex.c	2014-01-31 11:08:15.000000000 -0700
++++ opencryptoki/usr/sbin/pkcsslotd/mutex.c	2014-01-31 11:08:25.929081000 -0700
+@@ -293,6 +293,9 @@
+ #include <sys/types.h>
+ #include <sys/file.h>
+ #include <grp.h>
++#include <sys/stat.h>
++#include <string.h>
++#include <unistd.h>
+ 
+ #include "log.h"
+ #include "slotmgr.h"
+--- opencryptoki.orig/usr/sbin/pkcsslotd/slotmgr.c	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/sbin/pkcsslotd/slotmgr.c	2014-01-31 11:12:08.708122000 -0700
+@@ -292,6 +292,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <errno.h>
++#include <unistd.h>
+ 
+ #include "log.h"
+ #include "slotmgr.h"
+--- opencryptoki.orig/usr/lib/pkcs11/tpm_stdll/tpm_specific.c	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/tpm_stdll/tpm_specific.c	2014-01-31 11:16:45.158228000 -0700
+@@ -31,6 +31,9 @@
+  *
+  */
+ 
++#define _GNU_SOURCE
++#include <stdio.h>
++
+ #include <pthread.h>
+ #include <string.h>
+ #include <stdlib.h>

ocki-3.1-fix-init_d-path.patch

@@ -0,0 +1,11 @@
+--- opencryptoki.orig/misc/Makefile.am	2014-01-27 15:01:57.000000000 -0700
++++ opencryptoki/misc/Makefile.am	2014-01-31 09:15:15.816980000 -0700
+@@ -11,7 +11,7 @@ pkcsslotd.service: pkcsslotd.service.in
+ 	@SED@ -e s!\@sbindir\@!"@sbindir@"!g < $< > $@-t
+ 	mv $@-t $@
+ else
+-initddir = $(sysconfdir)/rc.d/init.d
++initddir = $(sysconfdir)/init.d
+ initd_SCRIPTS = pkcsslotd
+ 
+ CLEANFILES = pkcsslotd

ocki-3.1-remove-make-install-chgrp-chmod.patch

@@ -0,0 +1,54 @@
+--- opencryptoki.orig/usr/lib/pkcs11/soft_stdll/Makefile.am	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am	2014-01-31 08:15:21.781145000 -0700
+@@ -54,13 +54,7 @@ install-data-hook:
+ 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ 		ln -sf libpkcs11_sw.so PKCS11_SW.so
+ 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
+-	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+-	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
+ 	$(MKDIR_P) $(DESTDIR)$(lockdir)/swtok
+-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/swtok
+-	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
+ 
+ uninstall-hook:
+ 	if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
+--- opencryptoki.orig/usr/lib/pkcs11/tpm_stdll/Makefile.am	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am	2014-01-31 08:20:37.999866000 -0700
+@@ -69,11 +69,7 @@ install-data-hook:
+ 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ 		ln -sf libpkcs11_tpm.so PKCS11_TPM.so
+ 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+-	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+ 	$(MKDIR_P) $(DESTDIR)$(lockdir)/tpm
+-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm 
+-	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
+ 
+ uninstall-hook:
+ 	if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
+--- opencryptoki.orig/usr/lib/pkcs11/cca_stdll/Makefile.am	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am	2014-01-31 08:30:51.030956000 -0700
+@@ -66,13 +66,7 @@ install-data-hook:
+ 	cd $(DESTDIR)/$(libdir)/opencryptoki/stdll && \
+ 		ln -sf libpkcs11_cca.so PKCS11_CCA.so
+ 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+-	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
+-	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+-	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
+ 	$(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
+-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok
+-	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
+ 
+ uninstall-hook:
+ 	if test -d $(DESTDIR)/$(libdir)/opencryptoki/stdll; then \
+--- opencryptoki.orig/usr/Makefile.am	2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/Makefile.am	2014-01-31 08:33:02.949361000 -0700
+@@ -6,5 +6,3 @@ SUBDIRS = lib $(DAEMONDIRS)
+ 
+ install-data-hook:
+ 	$(MKDIR_P) $(DESTDIR)$(lockdir)
+-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)
+-	$(CHMOD) 0770 $(DESTDIR)$(lockdir)

openCryptoki.changes

@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Mon Feb  4 17:16:25 UTC 2014 - jjolly@suse.com
+
+- Updated to openCryptoki v3.1: See ChangeLog for complete details
+  (FATE#315426)
+  - opencryptoki-3.1
+    - New ep11 token to support IBM Crypto Express adpaters
+      (starting with Crypto Express 4S adapters) configured with
+      Enterprise PKCS#11(EP11) firmware. (FATE#315330)
+  - opencryptoki-3.0
+    - New opencryptoki.conf file to replace pk_config_data and
+      pkcs11_starup.  The opencryptoki.conf contains slot entry
+      information for tokens.
+    - Removed pkcs_slot and pkcs11_startup shell scripts.
+    - ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
+      mechanisms using 3DES keys. (FATE#315323)
+    - ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
+      mechanisms. (FATE#315323)
+    - ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
+      CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
+      mechanisms. (FATE#315323)
+  - opencryptoki-2.4.1 (21 Feb 2012)
+    - SHA256 support added for CCA token (FATE#315289)
+- Using insserv macros in %post, %preun and %postun sections
+- Cleaned up spec file
+- removed patches:
+  - ocki-2.2.6-PIN-backspace.patch
+- added patches:
+  - ocki-3.1-fix-implicit-decl.patch
+  - ocki-3.1-remove-make-install-chgrp-chmod.patch
+  - ocki-3.1-fix-init_d-path.patch
+
+-------------------------------------------------------------------
+Tue Feb  4 13:22:49 CET 2014 - ro@suse.de
+
+- add aarch64 to 64bit archs 
+
 -------------------------------------------------------------------
 Tue Dec 10 19:25:44 UTC 2013 - dvaleev@suse.com
 

openCryptoki.pkcsslotd

@@ -18,6 +18,7 @@
 # Default-Start: 3 5
 # Default-Stop: 0 1 2 6
 # Description: Start the pkcsslotd daemon
+# Short-Description: Start the pkcsslotd daemon
 ### END INIT INFO
 
 . /etc/rc.status

openCryptoki.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openCryptoki
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,32 +19,37 @@
 %define openCryptoki_32bit_arch %ix86 s390 ppc %arm
 # support in the workings for: ppc64
 # no support in sight for: ia64
-%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64
+%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
 # autobuild:/work/cd/lib/misc/group
 #   openCryptoki    pkcs11:x:64:
 %define pkcs11_group_id 64
-%define oc_cvs_tag opencryptoki-%{version}
+%define oc_cvs_tag opencryptoki
 
 Name:           openCryptoki
+BuildRequires:  bison
+BuildRequires:  flex
 BuildRequires:  gcc-c++
 BuildRequires:  libica
 BuildRequires:  libtool
 BuildRequires:  openssl-devel
 BuildRequires:  pwdutils
+BuildRequires:  trousers-devel
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        IPL-1.0
 Group:          Productivity/Security
-Version:        2.2.6
+Version:        3.1
 Release:        0
 # :pserver:anonymous@cvs.sourceforge.net:/cvsroot/opencryptoki
 # cvs co -r openCryptoki-2-1-5 -d openCryptoki-2-1-5 .
-Source:         %{oc_cvs_tag}.tar.bz2
+Source:         %{oc_cvs_tag}-v%{version}.tar.bz2
 Source1:        openCryptoki.pkcsslotd
 Source2:        openCryptoki-TFAQ.html
-Patch1:         ocki-2.2.6-PIN-backspace.patch
+Patch1:         ocki-3.1-remove-make-install-chgrp-chmod.patch
+Patch2:         ocki-3.1-fix-init_d-path.patch
+Patch3:         ocki-3.1-fix-implicit-decl.patch
 Url:            http://oss.software.ibm.com/developerworks/opensource/opencryptoki
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-PreReq:         /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed
+PreReq:         /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq
 # IBM maintains openCryptoki on these architectures:
 ExclusiveArch:  %openCryptoki_32bit_arch %openCryptoki_64bit_arch
 #
@@ -119,12 +124,14 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 
 %prep
 %setup -q -n %{oc_cvs_tag}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 cp %{SOURCE2} .
-%patch1
 
 %build
 autoreconf --force --install
-CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure --prefix=/usr --libdir=%{_libdir} --enable-tpmtok
+CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure --prefix=/usr --libdir=%{_libdir} --enable-tpmtok --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir}
 make
 
 %install
@@ -154,6 +161,9 @@ y/ /,/
 s/^,//
 '),pkcs11  root
 
+%preun
+%{stop_on_removal pkcsslotd}
+
 %post
 # Symlink from /var/lib/opencryptoki to /etc/pkcs11
 if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
@@ -164,11 +174,15 @@ if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
 	fi
 fi
 /sbin/ldconfig
+%{fillup_and_insserv -f pkcsslotd}
 
 %postun
 if [ -L %{_sysconfdir}/pkcs11 ] ; then
 	rm %{_sysconfdir}/pkcs11
 fi
+%{restart_on_update pkcsslotd}
+%{insserv_cleanup}
+
 %ifarch %openCryptoki_32bit_arch
 
 %postun 32bit
@@ -180,8 +194,6 @@ fi
 cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so
 ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods
 rm -rf %{_libdir}/pkcs11/stdll
-if [ -d %{_libdir}/pkcs11 ] ; then
-    cd %{_libdir}/pkcs11
     ln -sf ../opencryptoki/stdll stdll
     cd stdll
     [ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true
@@ -202,16 +214,26 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
 %defattr(-,root,root)
 %doc openCryptoki-TFAQ.html
   # configuration directory
-%dir %attr(755,root,pkcs11) /var/lib/opencryptoki
+%dir /etc/opencryptoki
+%config /etc/opencryptoki/opencryptoki.conf
 /etc/init.d/pkcsslotd
 /usr/sbin/rcpkcsslotd
   # utilities
 /usr/sbin/pkcsslotd
-/usr/sbin/pkcs11_startup
 /usr/sbin/pkcsconf
-/usr/sbin/pkcs_slot
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
+  # State and lock directories
+%dir %attr(755,root,pkcs11) %{_localstatedir}/lib/opencryptoki
+%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok
+%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
+%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok
+%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
+%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm
+%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki
+%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok
+%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok
+%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm
 %{_mandir}/man*/*
 
 %files devel
@@ -242,8 +264,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
 %ghost %{_libdir}/pkcs11/stdll
 %ghost %{_libdir}/pkcs11/methods
 %{_libdir}/pkcs11/*.so
-# %{_libdir}/libopencryptoki.so
-# %{_libdir}/libopencryptoki.so.0
 %{_sysconfdir}/ld.so.conf.d/*
 %endif
 %ifarch %openCryptoki_64bit_arch
@@ -257,8 +277,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
 %{_libdir}/opencryptoki/stdll/*.so
 %{_libdir}/opencryptoki/stdll/*.0
 %{_libdir}/pkcs11
-# %{_libdir}/libopencryptoki.so
-# %{_libdir}/libopencryptoki.so.0
 %{_sysconfdir}/ld.so.conf.d/*
 %endif
 

opencryptoki-2.2.6.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c4e59e4a67207986c4cb77bc6a922806d6fa53282a722a17eb08095b0778c8fb
-size 983838

opencryptoki-v3.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:05df5d5657e1de41ca7c81e0cc8c8c42d7b842fb062ad76f4961efffb0984aca
+size 680250