Accepting request 649626 from home:markkp:branches:security

- Upgraded to version 3.11.0 (Fate#325685) * opencryptoki 3.11.0 EP11 enhancements A lot of bug fixes - Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply properly to 3.11, and renamed it to ocki-3.11-remove-make-install-chgrp.patch - Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch - Upgraded to version 3.10.0 (Fate#325685) * opencryptoki 3.10.0 Add support to ECC on ICA token and to common code. Add SHA224 support to SOFT token. Improve pkcsslotd logging. Fix sha512_hmac_sign and rsa_x509_verify for ICA token. Fix tracing of session id. Fix and improve testcases. Fix spec file permission for log directory. Fix build warnings. * opencryptoki 3.9.0 Fix token reinitialization Fix conditional man pages EP11 enhancements EP11 EC Key import Increase RSA max key length Fix broken links on documentation Define CK_FALSE and CK_TRUE macros Improve build flags - Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch - Made multiple changes to the spec file based on spec-cleaner output. - Added an rpmlintrc file to squelch warnings about adding ghost entries for files under /var/log/opencryptoki/ OBS-URL: https://build.opensuse.org/request/show/649626 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=78
2018-11-16 16:33:50 +00:00 · 2018-11-16 16:33:50 +00:00 · e7f80fc66d
commit e7f80fc66d
parent 4866a500c9
8 changed files with 141 additions and 1154 deletions
--- a/ocki-3.11-remove-make-install-chgrp.patch
+++ b/ocki-3.11-remove-make-install-chgrp.patch
@ -1,16 +1,8 @@
--- opencryptoki/usr/Makefile.am
+--- opencryptoki-3.11.0/Makefile.am	2018-11-16 09:53:03.000000000 -0500
-+++ opencryptoki/usr/Makefile.am
+++ opencryptoki-3.11.0/Makefile.am	2018-11-16 10:28:35.114837306 -0500
-@@ -6,5 +6,4 @@
+@@ -51,24 +51,18 @@
- 
+ 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- install-data-hook:
+ 		ln -fs libpkcs11_cca.so PKCS11_CCA.so
 	$(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 -	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 --- opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am
 +++ opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am
@@ -66,12 +66,9 @@
 	cd $(DESTDIR)/$(libdir)/opencryptoki/stdll && \
 		ln -sf libpkcs11_cca.so PKCS11_CCA.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
@ -19,13 +11,10 @@
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
 -	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
- 
+ endif
- uninstall-hook:
+ if ENABLE_EP11TOK
 --- opencryptoki/usr/lib/pkcs11/ep11_stdll/Makefile.am
 +++ opencryptoki/usr/lib/pkcs11/ep11_stdll/Makefile.am
@@ -49,12 +49,9 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -sf libpkcs11_ep11.so PKCS11_EP11.so
+ 		ln -fs libpkcs11_ep11.so PKCS11_EP11.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
@ -34,13 +23,11 @@
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok
 -	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ep11tok
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok
- 
+ 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- uninstall-hook:
+ 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true
--- opencryptoki/usr/lib/pkcs11/ica_s390_stdll/Makefile.am
+@@ -78,24 +72,18 @@
 +++ opencryptoki/usr/lib/pkcs11/ica_s390_stdll/Makefile.am
@@ -64,12 +64,9 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -sf libpkcs11_ica.so PKCS11_ICA.so
+ 		ln -fs libpkcs11_ica.so PKCS11_ICA.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
@ -49,26 +36,10 @@
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/lite
 -	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/lite
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite
- 
+ endif
- uninstall-hook:
+ if ENABLE_SWTOK
 --- opencryptoki/usr/lib/pkcs11/icsf_stdll/Makefile.am
 +++ opencryptoki/usr/lib/pkcs11/icsf_stdll/Makefile.am
@@ -79,10 +79,8 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -sf libpkcs11_icsf.so PKCS11_ICSF.so
+ 		ln -fs libpkcs11_sw.so PKCS11_SW.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/icsf
 -	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf 
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
 uninstall-hook:
 --- opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am
 +++ opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am
@@ -56,12 +56,9 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
 		ln -sf libpkcs11_sw.so PKCS11_SW.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
@ -77,18 +48,35 @@
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/swtok
 -	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/swtok
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
- 
+ endif
- uninstall-hook:
+ if ENABLE_TPMTOK
--- opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am
+@@ -103,10 +91,8 @@
 +++ opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am
@@ -71,10 +71,8 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -sf libpkcs11_tpm.so PKCS11_TPM.so
+ 		ln -fs libpkcs11_tpm.so PKCS11_TPM.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/tpm
-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm 
+-	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
 endif
 if ENABLE_ICSFTOK
@@ -114,10 +100,8 @@
 	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
 		ln -fs libpkcs11_icsf.so PKCS11_ICSF.so
 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 -	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 	$(MKDIR_P) $(DESTDIR)$(lockdir)/icsf
 -	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
 endif
 if ENABLE_DAEMON
@@ -139,7 +123,6 @@
 	@echo "Remember you must run ldconfig before using the above settings"
 	@echo "--------------------------------------------------------------"
 	$(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 -	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 	$(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 uninstall-hook:
--- a/ocki-3.5-icsf-coverity-memoryleakfix.patch
+++ b/ocki-3.5-icsf-coverity-memoryleakfix.patch
@ -1,34 +0,0 @@
 commit 54013d80a2f5eaa9ac58712a57de0cd87a55cdae
 Author: Jakub Jelen <jjelen@redhat.com>
 Date:   Thu May 19 17:05:46 2016 -0400
    icsftok memory leak fix identified in coverity scan
    Signed-off-by: Vineetha Pai <vpishar@us.ibm.com>
 diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
 index 5b7fb45..1c25cd2 100644
 --- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
 +++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
@@ -4664,6 +4664,7 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech,
                                         "(expected %lu)\n",
                                         (unsigned long) mech->ulParameterLen,
                                         (unsigned long) expected_block_size);
 +                        free(key_mapping);
                         return CKR_MECHANISM_PARAM_INVALID;
                 }
                 break;
@@ -4671,12 +4672,14 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech,
 		if (mech->ulParameterLen != 0){
                         TRACE_ERROR("%s\n",
 				ock_err(ERR_MECHANISM_PARAM_INVALID));
 +                        free(key_mapping);
                         return CKR_MECHANISM_PARAM_INVALID;
                 }
                 break;
 	default:
 		TRACE_ERROR("icsf invalid %lu mechanism for key wrapping\n",
 			mech->mechanism);
 +		free(key_mapping);
 		return CKR_MECHANISM_INVALID;
 	}
--- a/ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
+++ b/ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
@ -1,965 +0,0 @@
 From f55886b7fae14a7a13c2a532224584de51d6ad84 Mon Sep 17 00:00:00 2001
 From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
 Date: Thu, 8 Mar 2018 15:12:20 -0300
 Subject: [PATCH 1/3] Fix Hardware Feature Object validation and tests
 Monotonic Counters have read-only attributes. If during CreateObject the
 supplied template specifies a value for any of the read-only attributes,
 then the attempt should fail with the error code CKR_ATTRIBUTE_READ_ONLY.
 Fixed tests that created Monotonic counters objects.
 Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
 ---
 testcases/misc_tests/obj_mgmt.c | 451 ++++++++++++++++++++--------------------
 testcases/pkcs11/hw_fn.c        | 413 ++++++++++++++++++------------------
 usr/lib/pkcs11/common/hwf_obj.c |   4 +-
 3 files changed, 444 insertions(+), 424 deletions(-)
 diff --git a/testcases/misc_tests/obj_mgmt.c b/testcases/misc_tests/obj_mgmt.c
 index 3ab0d03a..bc875c7c 100644
 --- a/testcases/misc_tests/obj_mgmt.c
 +++ b/testcases/misc_tests/obj_mgmt.c
@@ -1162,251 +1162,260 @@ CK_RV do_CreateTokenObjects(void)
 }
 /*
 - * do_HW_Feature_Search Test:
 + * do_HWFeatureSearch Test:
  *
 - * 1. Create 5 objects, 3 of which are HW_FEATURE objects.
 + * 1. Create 4 objects, 2 of which are HW_FEATURE objects (1 of them is a
 + *    monotonic counter).
  * 2. Search for objects using a template that does not have its
  *    HW_FEATURE attribute set.
  * 3. Result should be that the other 2 objects are returned, and
  *    not the HW_FEATURE objects.
  * 4. Search for objects using a template that does have its
  *    HW_FEATURE attribute set.
 - * 5. Result should be that the 3 hardware feature objects are returned.
 + * 5. Result should be that the only hardware feature objects that is not a
 + *    monotonic counter should be returned.
  *
  */
 -
 CK_RV do_HWFeatureSearch(void)
 {
 -	unsigned int            i;
 -	CK_RV 			rc, loc_rc;
 -	CK_ULONG		find_count;
 -	CK_SLOT_ID		slot_id;
 -	CK_BBOOL		false = FALSE;
 -	CK_BBOOL                true = TRUE;
 -
 -	CK_SESSION_HANDLE 	h_session;
 -	CK_BYTE           	user_pin[PKCS11_MAX_PIN_LEN];
 -	CK_ULONG          	user_pin_len;
 -
 -	/* A counter object */
 -	CK_OBJECT_CLASS         counter1_class = CKO_HW_FEATURE;
 -	CK_HW_FEATURE_TYPE      feature1_type = CKH_MONOTONIC_COUNTER;
 -	CK_UTF8CHAR             counter1_label[] = "Monotonic counter";
 -	CK_CHAR			counter1_value[16];
 -	CK_ATTRIBUTE            counter1_template[] = {
 -		{CKA_CLASS,		&counter1_class, sizeof(counter1_class)},
 -		{CKA_HW_FEATURE_TYPE,	&feature1_type,  sizeof(feature1_type)},
 -		{CKA_LABEL,		counter1_label,  sizeof(counter1_label)-1},
 -		{CKA_VALUE,		counter1_value,	sizeof(counter1_value)},
 -		{CKA_RESET_ON_INIT,	&true,		sizeof(true)},
 -		{CKA_HAS_RESET,		&false,		sizeof(false)}
 -	};
 -	/* A clock object */
 -	CK_OBJECT_CLASS         clock_class = CKO_HW_FEATURE;
 -	CK_HW_FEATURE_TYPE      clock_type = CKH_CLOCK;
 -	CK_UTF8CHAR             clock_label[] = "Clock";
 -	CK_CHAR			clock_value[16];
 -	CK_ATTRIBUTE            clock_template[] = {
 -		{CKA_CLASS,		&clock_class, sizeof(clock_class)},
 -		{CKA_HW_FEATURE_TYPE,	&clock_type,  sizeof(clock_type)},
 -		{CKA_LABEL,		clock_label,  sizeof(clock_label)-1},
 -		{CKA_VALUE,		clock_value,	sizeof(clock_value)}
 -	};
 -	/* A data object */
 -	CK_OBJECT_CLASS		obj1_class = CKO_DATA;
 -	CK_UTF8CHAR             obj1_label[] = "Object 1";
 -	CK_BYTE			obj1_data[] = "Object 1's data";
 -	CK_ATTRIBUTE            obj1_template[] = {
 -		{CKA_CLASS,		&obj1_class,    sizeof(obj1_class)},
 -		{CKA_TOKEN,		&true,          sizeof(true)},
 -		{CKA_LABEL,		obj1_label,     sizeof(obj1_label)-1},
 -		{CKA_VALUE,		obj1_data,	sizeof(obj1_data)}
 -	};
 -	/* A secret key object */
 -	CK_OBJECT_CLASS		obj2_class = CKO_SECRET_KEY;
 -	CK_KEY_TYPE		obj2_type = CKK_AES;
 -	CK_UTF8CHAR             obj2_label[] = "Object 2";
 -	CK_BYTE			obj2_data[AES_KEY_SIZE_128];
 -	CK_ATTRIBUTE            obj2_template[] = {
 -		{CKA_CLASS,		&obj2_class,    sizeof(obj2_class)},
 -		{CKA_TOKEN,		&true,          sizeof(true)},
 -		{CKA_KEY_TYPE,		&obj2_type,	sizeof(obj2_type)},
 -		{CKA_LABEL,		obj2_label,     sizeof(obj2_label)-1},
 -		{CKA_VALUE,		obj2_data,	sizeof(obj2_data)}
 -	};
 -
 -	CK_OBJECT_HANDLE        h_counter1,
 -				h_clock,
 -				h_obj1,
 -				h_obj2,
 -				obj_list[10];
 -	CK_ATTRIBUTE		find_tmpl[] = {
 -		{CKA_CLASS,	&counter1_class, sizeof(counter1_class)}
 +    unsigned int    i;
 +    CK_RV           rc, loc_rc;
 +    CK_ULONG        find_count;
 +    CK_SLOT_ID      slot_id;
 +    CK_BBOOL        false = FALSE;
 +    CK_BBOOL        true = TRUE;
 +
 +    CK_SESSION_HANDLE   h_session;
 +    CK_BYTE             user_pin[PKCS11_MAX_PIN_LEN];
 +    CK_ULONG            user_pin_len;
 +
 +    /* A counter object */
 +    CK_OBJECT_CLASS     counter1_class = CKO_HW_FEATURE;
 +    CK_HW_FEATURE_TYPE  feature1_type = CKH_MONOTONIC_COUNTER;
 +    CK_UTF8CHAR         counter1_label[] = "Monotonic counter";
 +    CK_CHAR             counter1_value[16];
 +    CK_ATTRIBUTE        counter1_template[] = {
 +        {CKA_CLASS,             &counter1_class,    sizeof(counter1_class)},
 +        {CKA_HW_FEATURE_TYPE,   &feature1_type,     sizeof(feature1_type)},
 +        {CKA_LABEL,             counter1_label,     sizeof(counter1_label)-1},
 +        {CKA_VALUE,             counter1_value,     sizeof(counter1_value)},
 +        {CKA_RESET_ON_INIT,     &true,              sizeof(true)},
 +        {CKA_HAS_RESET,         &false,             sizeof(false)}
 +    };
 +
 +    /* A clock object */
 +    CK_OBJECT_CLASS     clock_class = CKO_HW_FEATURE;
 +    CK_HW_FEATURE_TYPE  clock_type = CKH_CLOCK;
 +    CK_UTF8CHAR         clock_label[] = "Clock";
 +    CK_CHAR             clock_value[16];
 +    CK_ATTRIBUTE        clock_template[] = {
 +        {CKA_CLASS,             &clock_class,   sizeof(clock_class)},
 +        {CKA_HW_FEATURE_TYPE,   &clock_type,    sizeof(clock_type)},
 +        {CKA_LABEL,             clock_label,    sizeof(clock_label)-1},
 +        {CKA_VALUE,             clock_value,    sizeof(clock_value)}
 +    };
 +
 +    /* A data object */
 +    CK_OBJECT_CLASS obj1_class = CKO_DATA;
 +    CK_UTF8CHAR     obj1_label[] = "Object 1";
 +    CK_BYTE         obj1_data[] = "Object 1's data";
 +    CK_ATTRIBUTE    obj1_template[] = {
 +        {CKA_CLASS, &obj1_class,    sizeof(obj1_class)},
 +        {CKA_TOKEN, &true,          sizeof(true)},
 +        {CKA_LABEL, obj1_label,     sizeof(obj1_label)-1},
 +        {CKA_VALUE, obj1_data,      sizeof(obj1_data)}
 +    };
 +
 +    /* A secret key object */
 +    CK_OBJECT_CLASS obj2_class = CKO_SECRET_KEY;
 +    CK_KEY_TYPE     obj2_type = CKK_AES;
 +    CK_UTF8CHAR     obj2_label[] = "Object 2";
 +    CK_BYTE         obj2_data[AES_KEY_SIZE_128];
 +    CK_ATTRIBUTE    obj2_template[] = {
 +		{CKA_CLASS,     &obj2_class,    sizeof(obj2_class)},
 +		{CKA_TOKEN,     &true,          sizeof(true)},
 +		{CKA_KEY_TYPE,  &obj2_type,     sizeof(obj2_type)},
 +		{CKA_LABEL,     obj2_label,     sizeof(obj2_label)-1},
 +		{CKA_VALUE,     obj2_data,      sizeof(obj2_data)}
 	};
 -        if (skip_token_obj == TRUE) {
 -                testcase_notice("Skipping tests that creates token objects");
 -                return CKR_OK;
 +    CK_OBJECT_HANDLE h_counter1,
 +                     h_clock,
 +                     h_obj1,
 +                     h_obj2,
 +                     obj_list[10];
 +
 +    CK_ATTRIBUTE find_tmpl[] = {
 +        {CKA_CLASS,	&counter1_class, sizeof(counter1_class)}
 +    };
 +
 +    if (skip_token_obj == TRUE) {
 +        testcase_notice("Skipping tests that creates token objects");
 +        return CKR_OK;
 +    }
 +
 +    slot_id = SLOT_ID;
 +
 +    testcase_begin("starting...");
 +
 +    if (get_user_pin(user_pin))
 +        return CKR_FUNCTION_FAILED;
 +
 +    user_pin_len = (CK_ULONG)strlen((char *)user_pin);
 +
 +    /* Open a session with the token */
 +    rc = funcs->C_OpenSession(slot_id,
 +                              (CKF_SERIAL_SESSION|CKF_RW_SESSION),
 +                              NULL_PTR,
 +                              NULL_PTR,
 +                              &h_session);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
 +        goto done;
 +    }
 +
 +    // Login correctly
 +    rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
 +        goto session_close;
 +    }
 +
 +    /* Create the 4 test objects */
 +    rc = funcs->C_CreateObject(h_session, obj1_template, 4, &h_obj1);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
 +		return rc;
 +	}
 +
 +    rc = funcs->C_CreateObject(h_session, obj2_template, 5, &h_obj2);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
 +        goto destroy_1;
 +    }
 +
 +    /* try and create a monotonic object. This should fail
 +     * since it is a read only feature.
 +     */
 +    rc = funcs->C_CreateObject(h_session, counter1_template, 6, &h_counter1);
 +    if (rc != CKR_ATTRIBUTE_READ_ONLY) {
 +        testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
 +        goto destroy_2;
 +    }
 +
 +    rc = funcs->C_CreateObject(h_session, clock_template, 4, &h_clock);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
 +        goto destroy_2;
 +    }
 +
 +
 +    /* Search for the 2 objects w/o HW_FEATURE set */
 +    /* A NULL template here should return all objects in v2.01, but
 +     * in v2.11, it should return all objects *except* HW_FEATURE
 +     * objects.
 +     */
 +    rc = funcs->C_FindObjectsInit(h_session, NULL, 0);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
 +        goto destroy;
 +    }
 +
 +    rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
 +        goto destroy;
 +    }
 +
 +    /* So, we created 4 objects before here, and then searched with a NULL
 +     * template, so that should return all objects except our hardware
 +     * feature object
 +     */
 +    if (find_count != 2) {
 +        testcase_fail("found %ld objects when expected 2", find_count);
 +        rc = -1;
 +        goto destroy;
 +    }
 +
 +    if (obj_list[0] != h_obj1 && obj_list[0] != h_obj2) {
 +        testcase_fail("found the wrong object handle");
 +        rc = -1;
 +        goto destroy;
 +    }
 +
 +    if (obj_list[1] != h_obj1 && obj_list[1] != h_obj2) {
 +        testcase_fail("found the wrong object handle");
 +        rc = -1;
 +        goto destroy;
 +    }
 +
 +    rc = funcs->C_FindObjectsFinal(h_session);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
 +        goto destroy;
 +    }
 +
 +    // Now find the hardware feature objects
 +    rc = funcs->C_FindObjectsInit(h_session, find_tmpl, 1);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
 +        goto destroy;
 +    }
 +
 +    rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
 +        goto destroy;
 +    }
 +
 +    if (find_count != 1) {
 +        testcase_fail("found %ld objects when expected 1", find_count);
 +        funcs->C_FindObjectsFinal(h_session);
 +        rc = -1;
 +        goto destroy;
 +    }
 +
 +    /* Make sure we got the right ones */
 +	for (i=0; i < find_count; i++) {
 +        if (obj_list[i] != h_counter1 && obj_list[i] != h_clock) {
 +            testcase_fail("found the wrong object handles");
 +            rc = -1;
         }
 +    }
 -	slot_id = SLOT_ID;
 -
 -        testcase_begin("starting...");
 -
 -	if (get_user_pin(user_pin))
 -		return CKR_FUNCTION_FAILED;
 -	user_pin_len = (CK_ULONG)strlen((char *)user_pin);
 -
 -	/* Open a session with the token */
 -	if( (rc = funcs->C_OpenSession(slot_id,
 -					(CKF_SERIAL_SESSION|CKF_RW_SESSION),
 -					NULL_PTR,
 -					NULL_PTR,
 -					&h_session)) != CKR_OK ) {
 -                testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc));
 -		goto done;
 -	}
 -
 -	// Login correctly
 -	rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len);
 -	if( rc != CKR_OK ) {
 -                testcase_fail("C_Login() rc = %s", p11_get_ckr(rc));
 -		goto session_close;
 -	}
 -
 -	/* Create the 3 test objects */
 -	if( (rc = funcs->C_CreateObject(h_session, obj1_template, 4, &h_obj1)) != CKR_OK) {
 -                testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
 -		return rc;
 -	}
 -
 -	if( (rc = funcs->C_CreateObject(h_session, obj2_template, 5, &h_obj2)) != CKR_OK) {
 -                testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
 -		goto destroy_1;
 -	}
 -
 -	/* try and create a monotonic object. This should fail
 -	 * since it is a read only feature.
 -	 */
 -	if( (rc = funcs->C_CreateObject(h_session, counter1_template, 6, &h_counter1)) != CKR_ATTRIBUTE_READ_ONLY) {
 -                testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
 -		goto destroy_2;
 -	}
 -
 -	if( (rc = funcs->C_CreateObject(h_session, clock_template, 4, &h_clock)) != CKR_OK) {
 -                testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc));
 -		goto destroy_2;
 -	}
 -
 -
 -	/* Search for the 2 objects w/o HW_FEATURE set */
 -
 -	/* A NULL template here should return all objects in v2.01, but
 -	 * in v2.11, it should return all objects *except* HW_FEATURE
 -	 * objects. - KEY
 -	 */
 -	rc = funcs->C_FindObjectsInit(h_session, NULL, 0 );
 -	if (rc != CKR_OK) {
 -                testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
 -		goto destroy;
 -	}
 -
 -	rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count );
 -	if (rc != CKR_OK) {
 -                testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
 -		goto destroy;
 -	}
 -
 -	/* So, we created 3 objects before here, and then searched with a NULL
 -	 * template, so that should return all objects except our hardware
 -	 * feature object. -KEY */
 -	if (find_count != 2) {
 -                testcase_fail("found %ld objects when expected 2", find_count);
 -		rc = -1;
 -		goto destroy;
 -	}
 -
 -	if (obj_list[0] != h_obj1 && obj_list[0] != h_obj2) {
 -                testcase_fail("found the wrong object handle");
 -		rc = -1;
 -		goto destroy;
 -	}
 -
 -	if (obj_list[1] != h_obj1 && obj_list[1] != h_obj2) {
 -                testcase_fail("found the wrong object handle");
 -		rc = -1;
 -		goto destroy;
 -	}
 -
 -	rc = funcs->C_FindObjectsFinal(h_session);
 -	if (rc != CKR_OK) {
 -                testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
 -		goto destroy;
 -	}
 -
 -
 -	// Now find the hardware feature objects
 -	rc = funcs->C_FindObjectsInit(h_session, find_tmpl, 1 );
 -	if (rc != CKR_OK) {
 -                testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc));
 -		goto destroy;
 -	}
 +    rc = funcs->C_FindObjectsFinal(h_session);
 +    if (rc != CKR_OK) {
 +        testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
 +    }
 -	rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count );
 -	if (rc != CKR_OK) {
 -                testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc));
 -		goto destroy;
 -	}
 -
 -	if (find_count != 1) {
 -                testcase_fail("found %ld objects when expected 1", find_count);
 -		funcs->C_FindObjectsFinal(h_session);   // TODO: check if we really need this here
 -		rc = -1;
 -		goto destroy;
 -	}
 -
 -	/* Make sure we got the right ones */
 -	for( i=0; i < find_count; i++) {
 -		if(obj_list[i] != h_counter1 &&
 -		   obj_list[i] != h_clock)
 -		{
 -
 -                        testcase_fail("found the wrong object handles");
 -			rc = -1;
 -		}
 -	}
 -
 -	rc = funcs->C_FindObjectsFinal(h_session );
 -	if (rc != CKR_OK) {
 -                testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc));
 -	}
 -
 -        testcase_pass("Looks okay...");
 +    testcase_pass("Looks okay...");
 destroy:
 -	/* Destroy the created objects, don't clobber the rc */
 -	loc_rc = funcs->C_DestroyObject(h_session, h_clock);
 -	if( loc_rc != CKR_OK )
 -                testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
 +    /* Destroy the created objects, don't clobber the rc */
 +    loc_rc = funcs->C_DestroyObject(h_session, h_clock);
 +    if (loc_rc != CKR_OK)
 +        testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
 destroy_2:
 -	loc_rc = funcs->C_DestroyObject(h_session, h_obj2);
 -	if( loc_rc != CKR_OK )
 -                testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
 +    loc_rc = funcs->C_DestroyObject(h_session, h_obj2);
 +    if (loc_rc != CKR_OK)
 +        testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
 destroy_1:
 -	loc_rc = funcs->C_DestroyObject(h_session, h_obj1);
 -	if( loc_rc != CKR_OK )
 -                testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
 +    loc_rc = funcs->C_DestroyObject(h_session, h_obj1);
 +    if (loc_rc != CKR_OK)
 +        testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc));
 -	loc_rc = funcs->C_Logout(h_session);
 -	if( loc_rc != CKR_OK )
 -                testcase_fail("C_Logout() rc = %s", p11_get_ckr(loc_rc));
 +    loc_rc = funcs->C_Logout(h_session);
 +    if (loc_rc != CKR_OK)
 +        testcase_fail("C_Logout() rc = %s", p11_get_ckr(loc_rc));
 session_close:
 -	/* Close the session */
 -	if( (loc_rc = funcs->C_CloseSession(h_session)) != CKR_OK )
 -                testcase_fail("C_CloseSession() rc = %s", p11_get_ckr(loc_rc));
 +    /* Close the session */
 +    loc_rc = funcs->C_CloseSession(h_session);
 +    if (loc_rc != CKR_OK)
 +        testcase_fail("C_CloseSession() rc = %s", p11_get_ckr(loc_rc));
 +
 done:
 -	return rc;
 +    return rc;
 }
 CK_RV obj_mgmt_functions()
 diff --git a/testcases/pkcs11/hw_fn.c b/testcases/pkcs11/hw_fn.c
 index 701a6770..62632291 100644
 --- a/testcases/pkcs11/hw_fn.c
 +++ b/testcases/pkcs11/hw_fn.c
@@ -40,227 +40,238 @@ CK_SESSION_HANDLE	sess;
 /*
  * do_HW_Feature_Seatch Test:
  *
 - * 1. Create 5 objects, 3 of which are HW_FEATURE objects.
 + * 1. Create 5 objects, 3 of which are HW_FEATURE objects (2 of them are
 + *    monotonic counters).
  * 2. Search for objects using a template that does not have its
  *    HW_FEATURE attribute set.
  * 3. Result should be that the other 2 objects are returned, and
  *    not the HW_FEATURE objects.
  * 4. Search for objects using a template that does have its
  *    HW_FEATURE attribute set.
 - * 5. Result should be that the 3 hardware feature objects are returned.
 + * 5. Result should be that the only hardware feature objects that are not
 + *    monotonic counters should be returned.
  *
  */
 -
 int do_HW_Feature_Search(void)
 {
 -	unsigned int            i;
 -	CK_RV 			rc;
 -	CK_ULONG		find_count;
 -
 -	CK_BBOOL		false = FALSE;
 -        CK_BBOOL                true = TRUE;
 -
 -	// A counter object
 -        CK_OBJECT_CLASS         counter1_class = CKO_HW_FEATURE;
 -        CK_HW_FEATURE_TYPE      feature1_type = CKH_MONOTONIC_COUNTER;
 -        CK_UTF8CHAR             counter1_label[] = "Monotonic counter";
 -	CK_CHAR			counter1_value[16];
 -        CK_ATTRIBUTE            counter1_template[] = {
 -                {CKA_CLASS,		&counter1_class, sizeof(counter1_class)},
 -                {CKA_HW_FEATURE_TYPE,	&feature1_type,  sizeof(feature1_type)},
 -                {CKA_LABEL,		counter1_label,  sizeof(counter1_label)-1},
 -		{CKA_VALUE,		counter1_value,	sizeof(counter1_value)},
 -		{CKA_RESET_ON_INIT,	&true,		sizeof(true)},
 -		{CKA_HAS_RESET,		&false,		sizeof(false)}
 -        };
 -	// Another counter object
 -        CK_OBJECT_CLASS         counter2_class = CKO_HW_FEATURE;
 -        CK_HW_FEATURE_TYPE      feature2_type = CKH_MONOTONIC_COUNTER;
 -        CK_UTF8CHAR             counter2_label[] = "Monotonic counter";
 -	CK_CHAR			counter2_value[16];
 -        CK_ATTRIBUTE            counter2_template[] = {
 -                {CKA_CLASS,		&counter2_class, sizeof(counter2_class)},
 -                {CKA_HW_FEATURE_TYPE,	&feature2_type,  sizeof(feature2_type)},
 -                {CKA_LABEL,		counter2_label,  sizeof(counter2_label)-1},
 -		{CKA_VALUE,		counter2_value,	sizeof(counter2_value)},
 -		{CKA_RESET_ON_INIT,	&true,		sizeof(true)},
 -		{CKA_HAS_RESET,		&false,		sizeof(false)}
 -        };
 -	// A clock object
 -        CK_OBJECT_CLASS         clock_class = CKO_HW_FEATURE;
 -        CK_HW_FEATURE_TYPE      clock_type = CKH_CLOCK;
 -        CK_UTF8CHAR             clock_label[] = "Clock";
 -	CK_CHAR			clock_value[16];
 -        CK_ATTRIBUTE            clock_template[] = {
 -                {CKA_CLASS,		&clock_class, sizeof(clock_class)},
 -                {CKA_HW_FEATURE_TYPE,	&clock_type,  sizeof(clock_type)},
 -                {CKA_LABEL,		clock_label,  sizeof(clock_label)-1},
 -		{CKA_VALUE,		clock_value,	sizeof(clock_value)}
 -        };
 -	// A data object
 -	CK_OBJECT_CLASS		obj1_class = CKO_DATA;
 -        CK_UTF8CHAR             obj1_label[] = "Object 1";
 -	CK_BYTE			obj1_data[] = "Object 1's data";
 -        CK_ATTRIBUTE            obj1_template[] = {
 -                {CKA_CLASS,		&obj1_class,    sizeof(obj1_class)},
 -                {CKA_TOKEN,		&true,          sizeof(true)},
 -                {CKA_LABEL,		obj1_label,     sizeof(obj1_label)-1},
 -		{CKA_VALUE,		obj1_data,	sizeof(obj1_data)}
 -        };
 -	// A secret key object
 -	CK_OBJECT_CLASS		obj2_class = CKO_SECRET_KEY;
 -	CK_KEY_TYPE		obj2_type = CKK_AES;
 -        CK_UTF8CHAR             obj2_label[] = "Object 2";
 -	CK_BYTE			obj2_data[AES_KEY_SIZE_128];
 -        CK_ATTRIBUTE            obj2_template[] = {
 -                {CKA_CLASS,		&obj2_class,    sizeof(obj2_class)},
 -                {CKA_TOKEN,		&true,          sizeof(true)},
 -		{CKA_KEY_TYPE,		&obj2_type,	sizeof(obj2_type)},
 -                {CKA_LABEL,		obj2_label,     sizeof(obj2_label)-1},
 -		{CKA_VALUE,		obj2_data,	sizeof(obj2_data)}
 -        };
 -
 -        CK_OBJECT_HANDLE        h_counter1,
 -				h_counter2,
 -				h_clock,
 -				h_obj1,
 -				h_obj2,
 -				obj_list[10];
 -	CK_ATTRIBUTE		find_tmpl[] = {
 -		{CKA_CLASS,	&counter1_class, sizeof(counter1_class)}
 -	};
 -
 -
 -	/* Create the 3 test objects */
 -	if( (rc = funcs->C_CreateObject(sess, obj1_template, 4, &h_obj1)) != CKR_OK) {
 -		show_error("C_CreateObject #1", rc);
 -		return rc;
 -	}
 -
 -	if( (rc = funcs->C_CreateObject(sess, obj2_template, 5, &h_obj2)) != CKR_OK) {
 -		show_error("C_CreateObject #2", rc);
 -		goto destroy_1;
 -	}
 -
 -	if( (rc = funcs->C_CreateObject(sess, counter1_template, 6, &h_counter1)) != CKR_OK) {
 -		show_error("C_CreateObject #3", rc);
 -		goto destroy_2;
 -	}
 -
 -	if( (rc = funcs->C_CreateObject(sess, counter2_template, 6, &h_counter2)) != CKR_OK) {
 -		show_error("C_CreateObject #4", rc);
 -		goto destroy_3;
 -	}
 -
 -	if( (rc = funcs->C_CreateObject(sess, clock_template, 4, &h_clock)) != CKR_OK) {
 -		show_error("C_CreateObject #5", rc);
 -		goto destroy_4;
 -	}
 -
 -
 -	// Search for the 2 objects w/o HW_FEATURE set
 -	//
 -
 -	// A NULL template here should return all objects in v2.01, but
 -	// in v2.11, it should return all objects *except* HW_FEATURE
 -	// objects. - KEY
 -	rc = funcs->C_FindObjectsInit( sess, NULL, 0 );
 -	if (rc != CKR_OK) {
 -		show_error("   C_FindObjectsInit #1", rc );
 -		goto done;
 -	}
 -
 -	rc = funcs->C_FindObjects( sess, obj_list, 10, &find_count );
 -	if (rc != CKR_OK) {
 -		show_error("   C_FindObjects #1", rc );
 -		goto done;
 -	}
 -
 -	/* So, we created 3 objects before here, and then searched with a NULL
 -	 * template, so that should return all objects except our hardware
 -	 * feature object. -KEY */
 -	if (find_count != 2) {
 -		printf("%s:%d ERROR:  C_FindObjects #1 should have found 2 objects!\n"
 -				"           It found %ld objects\n", __FILE__, __LINE__,
 -				find_count);
 -		rc = -1;
 -		goto done;
 -	}
 -
 -	if (obj_list[0] != h_obj1 && obj_list[0] != h_obj2) {
 -		printf("%s:%d ERROR:  C_FindObjects #1 found the wrong objects!\n",
 -				__FILE__, __LINE__);
 -		rc = -1;
 -		goto done;
 -	}
 -
 -	if (obj_list[1] != h_obj1 && obj_list[1] != h_obj2) {
 -		printf("%s:%d ERROR:  C_FindObjects #1 found the wrong objects!\n",
 -				__FILE__, __LINE__);
 -		rc = -1;
 -		goto done;
 -	}
 -
 -	rc = funcs->C_FindObjectsFinal( sess );
 -	if (rc != CKR_OK) {
 -		show_error("   C_FindObjectsFinal #1", rc );
 -		goto done;
 -	}
 -
 +    unsigned int    i;
 +    CK_RV 			rc;
 +    CK_ULONG		find_count;
 +
 +    CK_BBOOL        false = FALSE;
 +    CK_BBOOL        true = TRUE;
 +
 +    // A counter object
 +    CK_OBJECT_CLASS         counter1_class = CKO_HW_FEATURE;
 +    CK_HW_FEATURE_TYPE      feature1_type = CKH_MONOTONIC_COUNTER;
 +    CK_UTF8CHAR             counter1_label[] = "Monotonic counter";
 +    CK_CHAR                 counter1_value[16];
 +    CK_ATTRIBUTE            counter1_template[] = {
 +        {CKA_CLASS,             &counter1_class,    sizeof(counter1_class)},
 +        {CKA_HW_FEATURE_TYPE,   &feature1_type,     sizeof(feature1_type)},
 +        {CKA_LABEL,             counter1_label,     sizeof(counter1_label)-1},
 +        {CKA_VALUE,             counter1_value,     sizeof(counter1_value)},
 +        {CKA_RESET_ON_INIT,     &true,              sizeof(true)},
 +        {CKA_HAS_RESET,         &false,             sizeof(false)}
 +    };
 +
 +    // Another counter object
 +    CK_OBJECT_CLASS         counter2_class = CKO_HW_FEATURE;
 +    CK_HW_FEATURE_TYPE      feature2_type = CKH_MONOTONIC_COUNTER;
 +    CK_UTF8CHAR             counter2_label[] = "Monotonic counter";
 +    CK_CHAR                 counter2_value[16];
 +    CK_ATTRIBUTE            counter2_template[] = {
 +        {CKA_CLASS,             &counter2_class,    sizeof(counter2_class)},
 +        {CKA_HW_FEATURE_TYPE,   &feature2_type,     sizeof(feature2_type)},
 +        {CKA_LABEL,             counter2_label,     sizeof(counter2_label)-1},
 +        {CKA_VALUE,             counter2_value,     sizeof(counter2_value)},
 +        {CKA_RESET_ON_INIT,     &true,              sizeof(true)},
 +        {CKA_HAS_RESET,         &false,             sizeof(false)}
 +    };
 +
 +    // A clock object
 +    CK_OBJECT_CLASS         clock_class = CKO_HW_FEATURE;
 +    CK_HW_FEATURE_TYPE      clock_type = CKH_CLOCK;
 +    CK_UTF8CHAR             clock_label[] = "Clock";
 +    CK_CHAR                 clock_value[16];
 +    CK_ATTRIBUTE            clock_template[] = {
 +        {CKA_CLASS,             &clock_class,   sizeof(clock_class)},
 +        {CKA_HW_FEATURE_TYPE,   &clock_type,    sizeof(clock_type)},
 +        {CKA_LABEL,             clock_label,    sizeof(clock_label)-1},
 +        {CKA_VALUE,             clock_value,    sizeof(clock_value)}
 +    };
 +
 +    // A data object
 +    CK_OBJECT_CLASS     obj1_class = CKO_DATA;
 +    CK_UTF8CHAR         obj1_label[] = "Object 1";
 +    CK_BYTE             obj1_data[] = "Object 1's data";
 +    CK_ATTRIBUTE        obj1_template[] = {
 +        {CKA_CLASS,     &obj1_class,    sizeof(obj1_class)},
 +        {CKA_TOKEN,     &true,          sizeof(true)},
 +        {CKA_LABEL,     obj1_label,     sizeof(obj1_label)-1},
 +        {CKA_VALUE,     obj1_data,      sizeof(obj1_data)}
 +    };
 -	// Now find the hardware feature objects
 -        rc = funcs->C_FindObjectsInit( sess, find_tmpl, 1 );
 -        if (rc != CKR_OK) {
 -                show_error("   C_FindObjectsInit #2", rc );
 -                goto done;
 -        }
 -
 -        rc = funcs->C_FindObjects( sess, obj_list, 10, &find_count );
 -        if (rc != CKR_OK) {
 -                show_error("   C_FindObjects #2", rc );
 -                goto done;
 -        }
 -
 -        if (find_count != 3) {
 -                printf("%s:%d ERROR:  C_FindObjects #2 should have found 3 objects!\n"
 -                       "           It found %ld objects\n", __FILE__, __LINE__,
 -		       find_count);
 -                funcs->C_FindObjectsFinal( sess );
 -		rc = -1;
 -                goto done;
 -        }
 -
 -	/* Make sure we got the right ones */
 -	for( i=0; i < find_count; i++) {
 -		if(	obj_list[i] != h_counter1 &&
 -			obj_list[i] != h_counter2 &&
 -			obj_list[i] != h_clock)
 -		{
 -
 -			printf("%s:%d ERROR:  C_FindObjects #2 found the wrong\n"
 -					" objects!", __FILE__, __LINE__);
 -			rc = -1;
 -		}
 +	// A secret key object
 +    CK_OBJECT_CLASS     obj2_class = CKO_SECRET_KEY;
 +    CK_KEY_TYPE         obj2_type = CKK_AES;
 +    CK_UTF8CHAR         obj2_label[] = "Object 2";
 +    CK_BYTE             obj2_data[AES_KEY_SIZE_128];
 +    CK_ATTRIBUTE        obj2_template[] = {
 +        {CKA_CLASS,     &obj2_class,    sizeof(obj2_class)},
 +        {CKA_TOKEN,     &true,          sizeof(true)},
 +        {CKA_KEY_TYPE,  &obj2_type,     sizeof(obj2_type)},
 +        {CKA_LABEL,     obj2_label,     sizeof(obj2_label)-1},
 +        {CKA_VALUE,     obj2_data,      sizeof(obj2_data)}
 +    };
 +
 +    CK_OBJECT_HANDLE h_counter1,
 +                     h_counter2,
 +                     h_clock,
 +                     h_obj1,
 +                     h_obj2,
 +                     obj_list[10];
 +
 +    CK_ATTRIBUTE find_tmpl[] = {
 +        {CKA_CLASS,	&counter1_class, sizeof(counter1_class)}
 +    };
 +
 +    /* Create the 5 test objects */
 +    rc = funcs->C_CreateObject(sess, obj1_template, 4, &h_obj1);
 +    if (rc != CKR_OK) {
 +        show_error("C_CreateObject #1", rc);
 +        return rc;
 +    }
 +
 +    rc = funcs->C_CreateObject(sess, obj2_template, 5, &h_obj2);
 +    if (rc != CKR_OK) {
 +        show_error("C_CreateObject #2", rc);
 +        goto destroy_1;
 +    }
 +
 +    rc = funcs->C_CreateObject(sess, counter1_template, 6, &h_counter1);
 +    if (rc != CKR_ATTRIBUTE_READ_ONLY) {
 +        show_error("C_CreateObject #3", rc);
 +        goto destroy_2;
 +    }
 +
 +    rc = funcs->C_CreateObject(sess, counter2_template, 6, &h_counter2);
 +    if (rc != CKR_ATTRIBUTE_READ_ONLY) {
 +        show_error("C_CreateObject #4", rc);
 +        goto destroy_3;
 +    }
 +
 +    rc = funcs->C_CreateObject(sess, clock_template, 4, &h_clock);
 +    if (rc != CKR_OK) {
 +        show_error("C_CreateObject #5", rc);
 +        goto destroy_4;
 +    }
 +
 +
 +    /* Search for the 2 objects w/o HW_FEATURE set
 +     * A NULL template here should return all objects in v2.01, but
 +     * in v2.11, it should return all objects *except* HW_FEATURE
 +     * objects.
 +     */
 +    rc = funcs->C_FindObjectsInit(sess, NULL, 0);
 +    if (rc != CKR_OK) {
 +        show_error("   C_FindObjectsInit #1", rc);
 +        goto done;
 +    }
 +
 +    rc = funcs->C_FindObjects(sess, obj_list, 10, &find_count);
 +    if (rc != CKR_OK) {
 +        show_error("   C_FindObjects #1", rc);
 +        goto done;
 +    }
 +
 +    /* So, we created 5 objects before here, and then searched with a NULL
 +     * template, so that should return all objects except our hardware
 +     * feature object.
 +     */
 +    if (find_count != 2) {
 +        printf("%s:%d ERROR:  C_FindObjects #1 should have found 2 objects!\n"
 +               "           It found %ld objects\n", __FILE__, __LINE__,
 +               find_count);
 +        rc = -1;
 +        goto done;
 +    }
 +
 +    if (obj_list[0] != h_obj1 && obj_list[0] != h_obj2) {
 +        printf("%s:%d ERROR:  C_FindObjects #1 found the wrong objects!\n",
 +                __FILE__, __LINE__);
 +        rc = -1;
 +        goto done;
 +    }
 +
 +    if (obj_list[1] != h_obj1 && obj_list[1] != h_obj2) {
 +        printf("%s:%d ERROR:  C_FindObjects #1 found the wrong objects!\n",
 +                __FILE__, __LINE__);
 +        rc = -1;
 +        goto done;
 +    }
 +
 +    rc = funcs->C_FindObjectsFinal(sess);
 +    if (rc != CKR_OK) {
 +        show_error("   C_FindObjectsFinal #1", rc);
 +        goto done;
 +    }
 +
 +
 +    /* Now find the hardware feature objects (should find only 1 since monotonic
 +     * counters are read-only
 +     */
 +    rc = funcs->C_FindObjectsInit(sess, find_tmpl, 1);
 +    if (rc != CKR_OK) {
 +        show_error("   C_FindObjectsInit #2", rc);
 +        goto done;
 +    }
 +
 +    rc = funcs->C_FindObjects(sess, obj_list, 10, &find_count);
 +    if (rc != CKR_OK) {
 +        show_error("   C_FindObjects #2", rc);
 +        goto done;
 +    }
 +
 +    if (find_count != 1) {
 +        printf("%s:%d ERROR:  C_FindObjects #2 should have found 1 object!\n"
 +               "           It found %ld objects\n", __FILE__, __LINE__,
 +               find_count);
 +        funcs->C_FindObjectsFinal(sess);
 +        rc = -1;
 +        goto done;
 +    }
 +
 +    /* Make sure we got the right ones */
 +    for( i=0; i < find_count; i++) {
 +        if (obj_list[i] != h_counter1 &&
 +            obj_list[i] != h_counter2 &&
 +			obj_list[i] != h_clock) {
 +
 +            printf("%s:%d ERROR:  C_FindObjects #2 found the wrong\n"
 +                   " objects!", __FILE__, __LINE__);
 +            rc = -1;
         }
 +    }
 -        rc = funcs->C_FindObjectsFinal( sess );
 -        if (rc != CKR_OK) {
 -                show_error("   C_FindObjectsFinal #2", rc );
 -        }
 +    rc = funcs->C_FindObjectsFinal(sess);
 +    if (rc != CKR_OK) {
 +        show_error("   C_FindObjectsFinal #2", rc);
 +    }
 done:
 -	/* Destroy the created objects, don't clobber the rc */
 -	funcs->C_DestroyObject(sess, h_clock);
 +    /* Destroy the created objects, don't clobber the rc */
 +    funcs->C_DestroyObject(sess, h_clock);
 destroy_4:
 -	funcs->C_DestroyObject(sess, h_counter2);
 +    funcs->C_DestroyObject(sess, h_counter2);
 destroy_3:
 -	funcs->C_DestroyObject(sess, h_counter1);
 +    funcs->C_DestroyObject(sess, h_counter1);
 destroy_2:
 -	funcs->C_DestroyObject(sess, h_obj2);
 +    funcs->C_DestroyObject(sess, h_obj2);
 destroy_1:
 -	funcs->C_DestroyObject(sess, h_obj1);
 +    funcs->C_DestroyObject(sess, h_obj1);
 -	return rc;
 +    return rc;
 }
 diff --git a/usr/lib/pkcs11/common/hwf_obj.c b/usr/lib/pkcs11/common/hwf_obj.c
 index 0decc22b..2a6ac45a 100644
 --- a/usr/lib/pkcs11/common/hwf_obj.c
 +++ b/usr/lib/pkcs11/common/hwf_obj.c
@@ -169,8 +169,8 @@ counter_validate_attribute( TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode)
       case CKA_HAS_RESET:
 	 /* Fall Through */
       case CKA_RESET_ON_INIT:
 -            return CKR_OK;
 -
 +          TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY));
 +          return CKR_ATTRIBUTE_READ_ONLY;
       default:
 	 return hwf_validate_attribute( tmpl, attr, mode );
    }
 -- 
 2.13.6
--- a/1
+++ b/1
@ -0,0 +1 @@
 addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki/")
--- a/openCryptoki.changes
+++ b/openCryptoki.changes
@ -1,3 +1,42 @@
 -------------------------------------------------------------------
 Fri Nov 16 15:00:52 UTC 2018 - mpost@suse.com
 - Upgraded to version 3.11.0 (Fate#325685)
  * opencryptoki 3.11.0
    EP11 enhancements
    A lot of bug fixes
 - Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
  properly to 3.11, and renamed it to
  ocki-3.11-remove-make-install-chgrp.patch
 - Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
 -------------------------------------------------------------------
 Thu Nov 15 22:01:51 UTC 2018 - mpost@suse.com
 - Upgraded to version 3.10.0 (Fate#325685)
  * opencryptoki 3.10.0
    Add support to ECC on ICA token and to common code.
    Add SHA224 support to SOFT token.
    Improve pkcsslotd logging.
    Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
    Fix tracing of session id.
    Fix and improve testcases.
    Fix spec file permission for log directory.
    Fix build warnings.
 * opencryptoki 3.9.0
    Fix token reinitialization
    Fix conditional man pages
    EP11 enhancements
    EP11 EC Key import
    Increase RSA max key length
    Fix broken links on documentation
    Define CK_FALSE and CK_TRUE macros
    Improve build flags
 - Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
 - Made multiple changes to the spec file based on spec-cleaner output.
 - Added an rpmlintrc file to squelch warnings about adding ghost
  entries for files under /var/log/opencryptoki/
 -------------------------------------------------------------------
 Tue Apr 17 22:56:43 UTC 2018 - mpost@suse.com
--- a/openCryptoki.spec
+++ b/openCryptoki.spec
@ -16,7 +16,7 @@
 #
-%define openCryptoki_32bit_arch %arm %ix86 s390 ppc
+%define openCryptoki_32bit_arch %{arm} %{ix86} s390 ppc
 # support in the workings for: ppc64
 # no support in sight for: ia64
 %define openCryptoki_64bit_arch aarch64 s390x ppc64 ppc64le x86_64
@ -32,47 +32,42 @@
 %endif
 Name:           openCryptoki
-BuildRequires:  bison
+Version:        3.11.0
-BuildRequires:  flex
+Release:        0
 BuildRequires:  gcc-c++
 %ifarch s390 s390x
 BuildRequires:  libica-devel
 BuildRequires:  libica-tools
 %endif
 BuildRequires:  libtool
 BuildRequires:  openldap2-devel
 BuildRequires:  openssl-devel >= 1.0
 BuildRequires:  pwdutils
 BuildRequires:  trousers-devel
 %if %{uses_systemd}
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %else
 BuildRequires:  %insserv_prereq
 %endif
 BuildRequires:  dos2unix
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        CPL-1.0
 Group:          Productivity/Security
-Version:        3.8.2
+Url:            https://sourceforge.net/projects/opencryptoki/
 Release:        0
 Source:         %{oc_cvs_tag}-%{version}.tar.gz
 Source1:        openCryptoki.pkcsslotd
 Source2:        openCryptoki-TFAQ.html
 Source3:        openCryptoki-tmp.conf
 Source4:        openCryptoki-rpmlintrc
 # Patch 1 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
-Patch1:         ocki-3.1-remove-make-install-chgrp.patch
+Patch1:         ocki-3.11-remove-make-install-chgrp.patch
-Patch2:         ocki-3.5-icsf-coverity-memoryleakfix.patch
+BuildRequires:  bison
-Patch3:         ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
+BuildRequires:  dos2unix
-
+BuildRequires:  flex
-Url:            https://sourceforge.net/projects/opencryptoki/
+BuildRequires:  gcc-c++
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildRequires:  libtool
-PreReq:         /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed
+BuildRequires:  openldap2-devel
 BuildRequires:  openssl-devel >= 1.0
 BuildRequires:  pkgconfig
 BuildRequires:  pwdutils
 BuildRequires:  trousers-devel
 BuildRequires:  pkgconfig(systemd)
 PreReq:         %{_bindir}/id
 PreReq:         %{_sbindir}/groupadd
 PreReq:         %{_sbindir}/usermod
 PreReq:         /bin/sed
 # IBM maintains openCryptoki on these architectures:
-ExclusiveArch:  %openCryptoki_32bit_arch %openCryptoki_64bit_arch
+ExclusiveArch:  %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch}
-#
+%{?systemd_requires}
 %ifarch s390 s390x
 BuildRequires:  libica-devel
 BuildRequires:  libica-tools
 %endif
 %description
 The PKCS#11 version 2.11 API implemented for the IBM cryptographic
@ -80,17 +75,16 @@ cards. This package includes support for the IBM 4758 cryptographic
 coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
 Cryptographic Accelerator (FC 4960 on pSeries).
 %package devel
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.01 for IBM Cryptographic Hardware
 Group:          Development/Languages/C and C++
 Requires:       glibc-devel
 %ifarch s390 s390x
 Requires:       libica-devel
 %endif
 Requires:       libopenssl-devel
 Requires:       openldap2-devel
 Requires:       trousers-devel
 %ifarch s390 s390x
 Requires:       libica-devel
 %endif
 %description devel
 The PKCS#11 version 2.01 API implemented for the IBM cryptographic
@ -98,8 +92,7 @@ cards. This package includes support for the IBM 4758 cryptographic
 co-processor (with the PKCS#11 firmware loaded) and the IBM eServer
 Cryptographic Accelerator (FC 4960 on pSeries).
-
+%ifarch %{openCryptoki_32bit_arch}
 %ifarch %openCryptoki_32bit_arch
 %package 32bit
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
@ -107,7 +100,7 @@ Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptograp
 # installation:
 Group:          Productivity/Security
 PreReq:         openCryptoki
-ExclusiveArch:  %openCryptoki_32bit_arch
+ExclusiveArch:  %{openCryptoki_32bit_arch}
 %description 32bit
 This is a re-packaged binary rpm. For the package source, please look
@ -118,9 +111,9 @@ cards. This package includes support for the IBM 4758 cryptographic
 coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
 Cryptographic Accelerator (FC 4960 on pSeries).
 %endif
-%ifarch %openCryptoki_64bit_arch
+
 %ifarch %{openCryptoki_64bit_arch}
 %package 64bit
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
@ -128,7 +121,7 @@ Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptograp
 # installation:
 Group:          Productivity/Security
 PreReq:         openCryptoki
-ExclusiveArch:  %openCryptoki_64bit_arch
+ExclusiveArch:  %{openCryptoki_64bit_arch}
 %description 64bit
 This is a re-packaged binary rpm. For the package source, please look
@ -139,14 +132,11 @@ cards. This package includes support for the IBM 4758 cryptographic
 coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
 Cryptographic Accelerator (FC 4960 on pSeries).
 %endif
 %prep
 %setup -q -n %{oc_cvs_tag}-%{version}
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 cp %{SOURCE2} .
@ -154,46 +144,33 @@ cp %{SOURCE2} .
 autoreconf --force --install
 %configure \
 	--enable-tpmtok \
 %if %{uses_systemd}
 	--with-systemd=%{_unitdir}
 %endif
 make %{?_smp_mflags}
 dos2unix doc/README.ep11_stdll
 %install
 %make_install
-install -d $RPM_BUILD_ROOT/usr/include
+install -d %{buildroot}%{_includedir}
-install -d $RPM_BUILD_ROOT/var/lib/opencryptoki
+install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
-install -d $RPM_BUILD_ROOT/etc/init.d
+install -d %{buildroot}%{_initddir}
-install -d $RPM_BUILD_ROOT/usr/sbin
+install -d %{buildroot}%{_sbindir}
-%if %{uses_systemd}
+install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
-install -d $RPM_BUILD_ROOT/usr/lib/tmpfiles.d
+install -m 644 %{SOURCE3} %{buildroot}%{_prefix}/lib/tmpfiles.d/opencryptoki.conf
-install -m 644 %{S:3} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/opencryptoki.conf
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd
-ln -s /usr/sbin/service $RPM_BUILD_ROOT/usr/sbin/rcpkcsslotd
+rm -rf %{buildroot}/tmp
 %else
 install -m 544 %{S:1} $RPM_BUILD_ROOT/etc/init.d/pkcsslotd
 ln -sfv ../../etc/init.d/pkcsslotd $RPM_BUILD_ROOT/usr/sbin/rcpkcsslotd
 %endif
 rm -rf $RPM_BUILD_ROOT/tmp
 # Remove all development files
-find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" -delete
+find %{buildroot} -type f -name "*.la" -delete -print
-rm -f $RPM_BUILD_ROOT%{_libdir}/opencryptoki/methods
+rm -f %{buildroot}%{_libdir}/opencryptoki/methods
 %pre
 %if %{uses_systemd}
 %{service_add_pre pkcsslotd.service}
 %endif
 # autobuild:/work/cd/lib/misc/group
 # openCryptoki    pkcs11:x:64:
-/usr/sbin/groupadd -g %pkcs11_group_id -r pkcs11 2>/dev/null || true
+%{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11 2>/dev/null || true
-/usr/sbin/usermod -a -G pkcs11 root
+%{_sbindir}/usermod -a -G pkcs11 root
 %preun
 %if %{uses_systemd}
 %{service_del_preun pkcsslotd.service}
 %else
 %{stop_on_removal pkcsslotd}
 %endif
 %post
 # Symlink from /var/lib/opencryptoki to /etc/pkcs11
@ -205,44 +182,30 @@ if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
 	fi
 fi
 /sbin/ldconfig
 %if %{uses_systemd}
 %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf}
 %{service_add_post pkcsslotd.service}
 %else
 %{fillup_and_insserv -f pkcsslotd}
 %endif
 %postun
 if [ -L %{_sysconfdir}/pkcs11 ] ; then
 	rm %{_sysconfdir}/pkcs11
 fi
 %if %{uses_systemd}
 %{service_del_postun pkcsslotd.service}
 %else
 %{restart_on_update pkcsslotd}
 %{insserv_cleanup}
 %endif
-%ifarch %openCryptoki_32bit_arch
+%ifarch %{openCryptoki_32bit_arch}
 %postun 32bit
 if [ -L %{_sysconfdir}/pkcs11 ] ; then
 	rm %{_sysconfdir}/pkcs11
 fi
 %if %{uses_systemd}
 %{service_del_postun pkcsslotd.service}
 %else
 %{restart_on_update pkcsslotd}
 %{insserv_cleanup}
 %endif
 %post 32bit
 # Old library name links
 cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so
 ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods
 rm -rf %{_libdir}/pkcs11/stdll
-test -d /usr/lib/pkcs11 || mkdir -p /usr/lib/pkcs11
+test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
-cd /usr/lib/pkcs11
+cd %{_prefix}/lib/pkcs11
 ln -sf ../opencryptoki/stdll stdll
 cd stdll
 [ -f libpkcs11_cca.so ] && ln -sf ./libpkcs11_cca.so PKCS11_CCA.so || true
@ -251,12 +214,13 @@ cd stdll
 [ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true
 /sbin/ldconfig
 %endif
-%ifarch %openCryptoki_64bit_arch
+
 %ifarch %{openCryptoki_64bit_arch}
 %post 64bit
 # Old library name for 64bit libs were under /usr/lib/pkcs11. For migration purposes only.
-test -d /usr/lib/pkcs11 || mkdir -p /usr/lib/pkcs11
+test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
-ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so64
+ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_API.so64
 /sbin/ldconfig
 %endif
@ -268,19 +232,13 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
 %dir %{_sysconfdir}/opencryptoki
 %config %{_sysconfdir}/opencryptoki/opencryptoki.conf
 %ifarch s390 s390x
 %{_sbindir}/pkcsep11_session
 %config %{_sysconfdir}/opencryptoki/ep11tok.conf
 %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
 %{_sbindir}/pkcsep11_migrate
 %endif
 %if %{uses_systemd}
 %{_unitdir}/pkcsslotd.service
 %{_tmpfilesdir}/opencryptoki.conf
 %else
 %{_sysconfdir}/init.d/pkcsslotd
 %ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki
 %ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok
 %ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok
 %ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm
 %endif
 %{_sbindir}/rcpkcsslotd
  # utilities
 %{_sbindir}/pkcsslotd
@ -312,7 +270,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
 %dir %{_libdir}/opencryptoki/stdll
 %{_includedir}/opencryptoki
-%ifarch %openCryptoki_32bit_arch
+%ifarch %{openCryptoki_32bit_arch}
 %files 32bit
 %defattr(-,root,root)
  # these don't conflict because they only exist as 64bit binaries if
@ -342,7 +300,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
 %{_sysconfdir}/ld.so.conf.d/*
 %endif
-%ifarch %openCryptoki_64bit_arch
+%ifarch %{openCryptoki_64bit_arch}
 %files 64bit
 %defattr(-,root,root)
 %dir %{_libdir}/opencryptoki
--- a/opencryptoki-3.11.0.tar.gz
+++ b/opencryptoki-3.11.0.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:4d901373b08ed0b0d56a4df5e3f35a7d17142bdc5c5bf9b37c8a10200a08d6fd
 size 935891
--- a/opencryptoki-3.8.2.tar.gz
+++ b/opencryptoki-3.8.2.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:d235d32a6c892139696f3372e203a90d718a5c9896eb536d1a077ea6185abe0e
 size 835210
		`@ -0,0 +1 @@`
							`addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki/")`