From 437f73eba9da95139667936f720243f577cfcf50b9d41dc8d4e37ecdae266ffb Mon Sep 17 00:00:00 2001 
From: Mark Post Date: Thu, 21 Oct 2021 20:48:47 +0000 Subject: [PATCH 1/2] Accepting request 926834 from home:markkp:branches:security - Upgraded to version 3.17.0 (jsc#SLE-18326) * Removed the following obsolete patches: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch ocki-3.15.1-Fix-compiling-with-c.patch ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch - Added the following patches for bsc#1188879: * ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch When modifying opencryptoki.conf during token migration, put quotes around strings that contain spaces, e.g. for the slot description and manufacturer. * ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch When migrating a slot the opencryptoki.conf file is modified. If it contains slots that already contain the 'tokversion = x.y' keyword, this is accidentally removed when migrating another slot. * ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch Change the code to use the pid file that pkcsslotd creates, and check if the process with the pid contained in the pid file still exists and runs pkcsslotd. * ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch Always quote the value of 'description' and 'manufacturer'. 
Quote the value of 'stdll', 'confname', and 'tokname' if it contains spaces, and never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. OBS-URL: https://build.opensuse.org/request/show/926834 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=120 --- ...thing-to-do-with-the-number-of-slots.patch | 45 --- ...er-to-avoid-double-free-for-the-list.patch | 40 --- ...age-handling-for-p11sak-remove-key-c.patch | 132 -------- ocki-3.15.1-Fix-compiling-with-c.patch | 25 -- ...d-p11sak-and-corresponding-test-case.patch | 28 -- ...C-Key-on-C_CreateObject-and-C_Derive.patch | 52 ---- ...-with-C_Get-SetOperationState-and-di.patch | 291 ------------------ ...3.15.1-p11sak-Fix-CKA_LABEL-handling.patch | 43 --- openCryptoki-3.15.1.tar.gz | 3 - openCryptoki-3.17.0.tar.gz | 3 + openCryptoki.changes | 39 +++ openCryptoki.spec | 20 +- 12 files changed, 45 insertions(+), 676 deletions(-) delete mode 100644 ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch delete mode 100644 ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch delete mode 100644 ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch delete mode 100644 ocki-3.15.1-Fix-compiling-with-c.patch delete mode 100644 ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch delete mode 100644 ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch delete mode 100644 ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch delete mode 100644 ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch delete mode 100644 openCryptoki-3.15.1.tar.gz create mode 100644 openCryptoki-3.17.0.tar.gz diff --git a/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch b/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch deleted file mode 100644 index f7b6942..0000000 --- a/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From caa4bbba51cf470986944820ea773163084da0b7 Mon Sep 17 00:00:00 2001 -From: Patrick Steuer -Date: Tue, 19 Jan 2021 14:29:57 +0100 -Subject: [PATCH] A slot ID has nothing to do with the number of slots - -Signed-off-by: Patrick Steuer ---- - usr/sbin/pkcscca/pkcscca.c | 14 -------------- - 1 file changed, 14 deletions(-) - -diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c -index c09f16b3..aa74eeb8 100644 ---- a/usr/sbin/pkcscca/pkcscca.c -+++ b/usr/sbin/pkcscca/pkcscca.c -@@ -1973,7 +1973,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey) - { - CK_FUNCTION_LIST *funcs; - CK_KEY_TYPE key_type = 0; -- CK_ULONG slot_count; - CK_SESSION_HANDLE sess; - CK_RV rv; - struct key_count count = { 0, 0, 0, 0, 0, 0, 0 }; -@@ -1985,19 +1984,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey) - return 2; - } - -- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count); -- if (rv != CKR_OK) { -- p11_error("C_GetSlotList", rv); -- exit_code = 3; -- goto finalize; -- } -- -- if (slot_id >= slot_count) { -- print_error("%lu is not a valid slot ID.", slot_id); -- exit_code = 4; -- goto finalize; -- } -- - rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION | - CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess); - if (rv != CKR_OK) { --- -2.26.2 - diff --git a/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch b/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch deleted file mode 100644 index 7311e55..0000000 --- a/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 900a480c3c4e1cfb1496d80fb20e8eab4a8108db Mon Sep 17 00:00:00 2001 -From: Matthias Reumann -Date: Wed, 17 Mar 2021 11:22:31 +0100 -Subject: [PATCH] Added NULL pointer to avoid double free() for the list-key - and remove-key commands. - -Signed-off by Matthias Reumann ---- - usr/sbin/p11sak/p11sak.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c -index d99db970..3ba57022 100644 ---- a/usr/sbin/p11sak/p11sak.c -+++ b/usr/sbin/p11sak/p11sak.c -@@ -2149,7 +2149,9 @@ static CK_RV list_ckey(CK_SESSION_HANDLE session, p11sak_kt kt, int long_print) - printf("%s\n", label); - } - free(label); -+ label = NULL; - free(keytype); -+ keytype = NULL; - } - - rc = funcs->C_FindObjectsFinal(session); -@@ -2313,9 +2315,10 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - } - } - } -- - free(label); -+ label = NULL; - free(keytype); -+ keytype = NULL; - } - - rc = funcs->C_FindObjectsFinal(session); --- -2.26.2 - diff --git a/ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch b/ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch deleted file mode 100644 index 9b6dcdf..0000000 --- a/ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From 821bc7ab4635e189d31bc3c808c626b9fcda5d02 Mon Sep 17 00:00:00 2001 -From: Matthias Reumann -Date: Tue, 24 Nov 2020 15:52:16 +0100 -Subject: [PATCH] Added error message handling for p11sak remove-key command. - -Signed-off-by: Matthias Reumann ---- - usr/sbin/p11sak/p11sak.c | 43 +++++++++++++++++++++++++++++----------- - 1 file changed, 31 insertions(+), 12 deletions(-) - -diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c -index c783b29f..e87b6f97 100644 ---- a/usr/sbin/p11sak/p11sak.c -+++ b/usr/sbin/p11sak/p11sak.c -@@ -2192,10 +2192,8 @@ static CK_RV confirm_destroy(char **user_input, char* label) - while (1){ - nread = getline(user_input, &buflen, stdin); - if (nread == -1) { -- printf("User input failed (error code 0x%lX: %s)\n", -- rc, p11_get_ckr(rc)); -- rc = -1; -- return rc; -+ printf("User input: EOF\n"); -+ return CKR_CANCEL; - } - - if (user_input_ok(*user_input)) { -@@ -2210,17 +2208,16 @@ static CK_RV confirm_destroy(char **user_input, char* label) - return rc; - } - -- - static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session, -- CK_OBJECT_HANDLE *hkey) -+ CK_OBJECT_HANDLE *hkey, CK_BBOOL *boolDestroyFlag) - { - char *user_input = NULL; - CK_RV rc = CKR_OK; - - rc = confirm_destroy(&user_input, label); - if (rc != CKR_OK) { -- printf("User input failed (error code 0x%lX: %s)\n", -- rc, p11_get_ckr(rc)); -+ printf("Skip deleting Key. 
User input %s\n", p11_get_ckr(rc)); -+ rc = CKR_CANCEL; - goto done; - } - -@@ -2232,9 +2229,11 @@ static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session, - label, rc, p11_get_ckr(rc)); - goto done; - } -+ *boolDestroyFlag = CK_TRUE; - printf("DONE - Destroy Object with Label: %s\n", label); - } else if (strncmp(user_input, "n", 1) == 0) { - printf("Skip deleting Key\n"); -+ *boolDestroyFlag = CK_FALSE; - } else { - printf("Please just enter (y) for yes or (n) for no.\n"); - } -@@ -2254,6 +2253,8 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - CK_OBJECT_HANDLE hkey; - char *keytype = NULL; - char *label = NULL; -+ CK_BBOOL boolDestroyFlag = CK_FALSE; -+ CK_BBOOL boolSkipFlag = CK_FALSE; - CK_RV rc = CKR_OK; - - rc = tok_key_list_init(session, kt, label); -@@ -2290,6 +2291,7 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - if (*forceAll) { - if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) { - printf("Destroy Object with Label: %s\n", label); -+ - rc = funcs->C_DestroyObject(session, hkey); - if (rc != CKR_OK) { - printf( -@@ -2297,14 +2299,18 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - label, rc, p11_get_ckr(rc)); - goto done; - } -- printf("DONE - Destroy Object with Label: %s\n", label); -+ boolDestroyFlag = CK_TRUE; - } - } else { - if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) { -- rc = finalize_destroy_object(label, &session, &hkey); -+ rc = finalize_destroy_object(label, &session, &hkey, &boolDestroyFlag); - if (rc != CKR_OK) { - goto done; - } -+ -+ if (!boolDestroyFlag) { -+ boolSkipFlag = CK_TRUE; -+ } - } - } - -@@ -2321,6 +2327,16 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - - done: - -+ if (strlen(rm_label) > 0) { -+ if (boolDestroyFlag) { -+ printf("Object with Label: %s found and destroyed \n", rm_label); -+ } else if (boolSkipFlag) { 
-+ printf("Object with Label: %s not deleted\n", rm_label); -+ } else if (rc == CKR_OK) { -+ printf("Object with Label: %s not found\n", rm_label); -+ } -+ } -+ - if (rc != CKR_OK) { - free(label); - free(keytype); -@@ -2494,8 +2510,11 @@ int main(int argc, char *argv[]) - /* Execute command */ - rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve, - label, attr_string, long_print, &forceAll); -- if (rc != CKR_OK) { -- printf("Failed to execute p11sak command (error code 0x%lX: %s)\n", rc, -+ if (rc == CKR_CANCEL) { -+ printf("Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc, -+ p11_get_ckr(rc)); -+ } else if (rc != CKR_OK) { -+ printf("Failed to execute p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc, - p11_get_ckr(rc)); - goto done; - } --- -2.26.2 - diff --git a/ocki-3.15.1-Fix-compiling-with-c.patch b/ocki-3.15.1-Fix-compiling-with-c.patch deleted file mode 100644 index 3692b2a..0000000 --- a/ocki-3.15.1-Fix-compiling-with-c.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 2d16f003911ceee50967546f4b3c7cac2db9ba86 Mon Sep 17 00:00:00 2001 -From: Bjar Ne <43565432+gleichdick@users.noreply.github.com> -Date: Wed, 25 Nov 2020 09:13:57 +0000 -Subject: [PATCH] Fix compiling with c++ - ---- - usr/include/pkcs11types.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/usr/include/pkcs11types.h b/usr/include/pkcs11types.h -index 18a82715..c9a475dd 100644 ---- a/usr/include/pkcs11types.h -+++ b/usr/include/pkcs11types.h -@@ -1483,7 +1483,7 @@ typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR CK_FUNCTION_LIST_3_0_PTR_PTR; - - typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_IBM_FUNCTION_LIST_1_0; - typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR; --typedef struct CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR; -+typedef CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR; - - typedef CK_RV (CK_PTR CK_C_Initialize) (CK_VOID_PTR pReserved); - typedef CK_RV (CK_PTR CK_C_Finalize) (CK_VOID_PTR pReserved); --- -2.26.2 - diff --git a/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch b/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch deleted file mode 100644 index bbe2104..0000000 --- a/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From e4786baf61c107c65a3b9ed0eb1415400866eab0 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Thu, 25 Feb 2021 14:02:33 +0100 -Subject: [PATCH] Fixed p11sak and corresponding test case - -Fixed off-by-one write to heap, testcase and test case executor. - -Signed-off-by: Juergen Christ ---- - usr/sbin/p11sak/p11sak.c | 2 +- - 3 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c -index 38c1f88b..d99db970 100644 ---- a/usr/sbin/p11sak/p11sak.c -+++ b/usr/sbin/p11sak/p11sak.c -@@ -1353,7 +1353,7 @@ static CK_RV tok_key_get_label_attr(CK_SESSION_HANDLE session, - return rc; - } - -- label = malloc(template[0].ulValueLen); -+ label = malloc(template[0].ulValueLen + 1); - if (!label) { - printf("Error: cannot malloc storage for label.\n"); - return CKR_HOST_MEMORY; --- -2.26.2 - diff --git a/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch b/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch deleted file mode 100644 index ea32a37..0000000 --- a/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From f6588fac5c767500df7fba97244a41db60e9d737 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 3 May 2021 10:05:07 +0200 -Subject: [PATCH] SOFT: Check the EC Key on C_CreateObject and C_DeriveKey - -When constructing an OpenSSL EC public or private key from PKCS#11 -attributes or ECDH public data, check that the key is valid, i.e. that -the point is on the curve. - -This prevents one from creating an EC key object via C_CreateObject with -invalid key data. It also prevents C_DeriveKey to derive a secret using -ECDH with an EC public key (public data) that uses a different curve -or is invalid by other means. - -Signed-off-by: Ingo Franzki ---- - usr/lib/soft_stdll/soft_specific.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c -index 25a97e29..9f6c2d47 100644 ---- a/usr/lib/soft_stdll/soft_specific.c -+++ b/usr/lib/soft_stdll/soft_specific.c -@@ -4207,6 +4207,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data, - goto out; - } - -+ if (!EC_KEY_check_key(ec_key)) { -+ TRACE_ERROR("EC_KEY_check_key failed\n"); -+ rc = CKR_FUNCTION_FAILED; -+ goto out; -+ } -+ - out: - if (temp != NULL) - free(temp); -@@ -4246,6 +4252,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data, - goto out; - } - -+ if (!EC_KEY_check_key(ec_key)) { -+ TRACE_ERROR("EC_KEY_check_key failed\n"); -+ rc = CKR_FUNCTION_FAILED; -+ goto out; -+ } -+ - out: - if (point != NULL) - EC_POINT_free(point); --- -2.16.2.windows.1 - diff --git a/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch b/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch deleted file mode 100644 index c3d9883..0000000 --- a/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch +++ /dev/null 
@@ -1,291 +0,0 @@ -From 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Tue, 9 Feb 2021 16:22:51 +0100 -Subject: [PATCH] SOFT: Fix problem with C_Get/SetOperationState and digest - contexts - -In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed -to use OpenSSL's EVP interface for implementing SHA digest. With this change, -the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's -context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len -was set to 1. - -This hinders C_Get/SetOperationState to correctly save and restore the digest -state, since the EVP_MD_CTX is not saved by C_GetOperationState, and -C_SetOperationState also can't restore the digest state, leaving a subsequent -C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely -produces a segfault. - -Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation, -and restoring md_data on every operation with a fresh initialized EVP_MD_CTX. 
- -Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8 - -Signed-off-by: Ingo Franzki ---- - usr/lib/soft_stdll/soft_specific.c | 160 +++++++++++++++++++++++------ - 1 file changed, 127 insertions(+), 33 deletions(-) - -diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c -index 0b28daa8..a836efa9 100644 ---- a/usr/lib/soft_stdll/soft_specific.c -+++ b/usr/lib/soft_stdll/soft_specific.c -@@ -2926,24 +2926,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata, - return ock_generic_get_mechanism_info(tokdata, type, pInfo); - } - --CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, -- CK_MECHANISM *mech) -+#ifdef OLDER_OPENSSL -+#define EVP_MD_meth_get_app_datasize(md) md->ctx_size -+#define EVP_MD_CTX_md_data(ctx) ctx->md_data -+#endif -+ -+static const EVP_MD *md_from_mech(CK_MECHANISM *mech) - { - const EVP_MD *md = NULL; - -- UNUSED(tokdata); -- -- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */ --#if OPENSSL_VERSION_NUMBER < 0x10101000L -- ctx->context = (CK_BYTE *)EVP_MD_CTX_create(); --#else -- ctx->context = (CK_BYTE *)EVP_MD_CTX_new(); --#endif -- if (ctx->context == NULL) { -- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -- return CKR_HOST_MEMORY; -- } -- - switch (mech->mechanism) { - case CKM_SHA_1: - md = EVP_sha1(); -@@ -2994,19 +2985,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - break; - } - -+ return md; -+} -+ -+static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx) -+{ -+ const EVP_MD *md; -+ EVP_MD_CTX *md_ctx; -+ -+#if OPENSSL_VERSION_NUMBER < 0x10101000L -+ md_ctx = EVP_MD_CTX_create(); -+#else -+ md_ctx = EVP_MD_CTX_new(); -+#endif -+ if (md_ctx == NULL) -+ return NULL; -+ -+ md = md_from_mech(&ctx->mech); - if (md == NULL || -- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) { -+ !EVP_DigestInit_ex(md_ctx, md, NULL)) { -+ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n"); - #if 
OPENSSL_VERSION_NUMBER < 0x10101000L -- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_destroy(md_ctx); - #else -- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_free(md_ctx); - #endif -- ctx->context = NULL; -- ctx->context_len = 0; -+ return NULL; -+ } - -- return CKR_FUNCTION_FAILED; -+ if (ctx->context_len == 0) { -+ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx)); -+ ctx->context = malloc(ctx->context_len); -+ if (ctx->context == NULL) { -+ TRACE_ERROR("malloc failed\n"); -+ #if OPENSSL_VERSION_NUMBER < 0x10101000L -+ EVP_MD_CTX_destroy(md_ctx); -+ #else -+ EVP_MD_CTX_free(md_ctx); -+ #endif -+ ctx->context_len = 0; -+ return NULL; -+ } -+ -+ /* Save context data for later use */ -+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len); -+ } else { -+ if (ctx->context_len != -+ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) { -+ TRACE_ERROR("context size mismatcht\n"); -+ return NULL; -+ } -+ /* restore the MD context data */ -+ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len); - } - -+ return md_ctx; -+} -+ -+CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, -+ CK_MECHANISM *mech) -+{ -+ EVP_MD_CTX *md_ctx; -+ -+ UNUSED(tokdata); -+ -+ ctx->mech.ulParameterLen = mech->ulParameterLen; -+ ctx->mech.mechanism = mech->mechanism; -+ -+ md_ctx = md_ctx_from_context(ctx); -+ if (md_ctx == NULL) { -+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -+ return CKR_HOST_MEMORY; -+ } -+ -+#if OPENSSL_VERSION_NUMBER < 0x10101000L -+ EVP_MD_CTX_destroy(md_ctx); -+#else -+ EVP_MD_CTX_free(md_ctx); -+#endif -+ - return CKR_OK; - } - -@@ -3016,6 +3073,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - { - unsigned int len; - CK_RV rc = CKR_OK; -+ EVP_MD_CTX *md_ctx; - - UNUSED(tokdata); - -@@ -3025,11 +3083,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - if (!in_data || !out_data) - return 
CKR_ARGUMENTS_BAD; - -- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context)) -+ /* Recreate the OpenSSL MD context from the saved context */ -+ md_ctx = md_ctx_from_context(ctx); -+ if (md_ctx == NULL) { -+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -+ return CKR_HOST_MEMORY; -+ } -+ -+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx)) - return CKR_BUFFER_TOO_SMALL; - -- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) || -- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) { -+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) || -+ !EVP_DigestFinal(md_ctx, out_data, &len)) { - rc = CKR_FUNCTION_FAILED; - goto out; - } -@@ -3038,10 +3103,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - - out: - #if OPENSSL_VERSION_NUMBER < 0x10101000L -- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_destroy(md_ctx); - #else -- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_free(md_ctx); - #endif -+ free(ctx->context); - ctx->context = NULL; - ctx->context_len = 0; - -@@ -3051,6 +3117,8 @@ out: - CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - CK_BYTE *in_data, CK_ULONG in_data_len) - { -+ EVP_MD_CTX *md_ctx; -+ - UNUSED(tokdata); - - if (!ctx || !ctx->context) -@@ -3059,17 +3127,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - if (!in_data) - return CKR_ARGUMENTS_BAD; - -- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) { -+ /* Recreate the OpenSSL MD context from the saved context */ -+ md_ctx = md_ctx_from_context(ctx); -+ if (md_ctx == NULL) { -+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -+ return CKR_HOST_MEMORY; -+ } -+ -+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) { - #if OPENSSL_VERSION_NUMBER < 0x10101000L -- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_destroy(md_ctx); - #else -- EVP_MD_CTX_free((EVP_MD_CTX 
*)ctx->context); -+ EVP_MD_CTX_free(md_ctx); - #endif -+ free(ctx->context); - ctx->context = NULL; - ctx->context_len = 0; - return CKR_FUNCTION_FAILED; - } - -+ /* Save context data for later use */ -+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len); -+ -+#if OPENSSL_VERSION_NUMBER < 0x10101000L -+ EVP_MD_CTX_destroy(md_ctx); -+#else -+ EVP_MD_CTX_free(md_ctx); -+#endif -+ - return CKR_OK; - } - -@@ -3078,6 +3163,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - { - unsigned int len; - CK_RV rc = CKR_OK; -+ EVP_MD_CTX *md_ctx; - - UNUSED(tokdata); - -@@ -3087,10 +3173,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - if (!out_data) - return CKR_ARGUMENTS_BAD; - -- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context)) -+ /* Recreate the OpenSSL MD context from the saved context */ -+ md_ctx = md_ctx_from_context(ctx); -+ if (md_ctx == NULL) { -+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -+ return CKR_HOST_MEMORY; -+ } -+ -+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx)) - return CKR_BUFFER_TOO_SMALL; - -- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) { -+ if (!EVP_DigestFinal(md_ctx, out_data, &len)) { - rc = CKR_FUNCTION_FAILED; - goto out; - } -@@ -3098,10 +3191,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - - out: - #if OPENSSL_VERSION_NUMBER < 0x10101000L -- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_destroy(md_ctx); - #else -- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_free(md_ctx); - #endif -+ free(ctx->context); - ctx->context = NULL; - ctx->context_len = 0; - --- -2.26.2 - diff --git a/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch b/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch deleted file mode 100644 index 091f4c2..0000000 --- a/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 93c01ffd75cd9f855596377fcf0fbf3912459549 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Fri, 16 Apr 2021 11:18:36 +0200 -Subject: [PATCH] p11sak: Fix CKA_LABEL handling - -The value of CKA_LABEL does not contain the terminating zero of a C-string. - -Signed-off-by: Ingo Franzki ---- - usr/sbin/p11sak/p11sak.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c -index 05ab9e27..6c2f61bc 100644 ---- a/usr/sbin/p11sak/p11sak.c -+++ b/usr/sbin/p11sak/p11sak.c -@@ -689,12 +689,12 @@ static CK_RV set_labelpair_attr(const char *label, CK_ATTRIBUTE *pubattr, - - pubattr[*pubcount].type = CKA_LABEL; - pubattr[*pubcount].pValue = publabel; -- pubattr[*pubcount].ulValueLen = strlen(publabel) + 1; -+ pubattr[*pubcount].ulValueLen = strlen(publabel); - (*pubcount)++; - - prvattr[*prvcount].type = CKA_LABEL; - prvattr[*prvcount].pValue = prvlabel; -- prvattr[*prvcount].ulValueLen = strlen(prvlabel) + 1; -+ prvattr[*prvcount].ulValueLen = strlen(prvlabel); - (*prvcount)++; - - return CKR_OK; -@@ -1021,7 +1021,7 @@ static CK_RV tok_key_list_init(CK_SESSION_HANDLE session, p11sak_kt kt, - if (label != NULL_PTR) { - tmplt[3].type = CKA_LABEL; - tmplt[3].pValue = label; -- tmplt[3].ulValueLen = strlen(label) + 1; -+ tmplt[3].ulValueLen = strlen(label); - count = 4; - } else - count = 3; --- -2.26.2 - diff --git a/openCryptoki-3.15.1.tar.gz b/openCryptoki-3.15.1.tar.gz deleted file mode 100644 index c66013b..0000000 --- a/openCryptoki-3.15.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1732ce8e39a535c3199cb1a447d48c67651eed52e4b9c18d122ef244fb0ddaf4 -size 1145869 diff --git a/openCryptoki-3.17.0.tar.gz b/openCryptoki-3.17.0.tar.gz new file mode 100644 index 0000000..40fcc94 --- /dev/null +++ b/openCryptoki-3.17.0.tar.gz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:785596925738855b33b29bdff2399f613b892e7c6000d9ffbf79fe32c2aeaeee
+size 1290050
diff --git a/openCryptoki.changes b/openCryptoki.changes
index 0d53a4c..2697e0e 100644
--- a/openCryptoki.changes
+++ b/openCryptoki.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Thu Oct 21 19:31:51 UTC 2021 - Mark Post
+
+- Upgraded to version 3.17.0 (jsc#SLE-18326)
+ * Removed the following obsolete patches:
+ ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
+ ocki-3.15.1-Fix-compiling-with-c.patch
+ ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
+ ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
+ ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
+ ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
+ ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
+ ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
+ ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
+ ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
+ ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
+ ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
+
+-------------------------------------------------------------------
+Thu Aug 5 20:33:40 UTC 2021 - Mark Post
+
+- Added the following patches for bsc#1188879:
+ * ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
+ When modifying opencryptoki.conf during token migration, put quotes
+ around strings that contain spaces, e.g. for the slot description and
+ manufacturer.
+ * ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
+ When migrating a slot the opencryptoki.conf file is modified. If it
+ contains slots that already contain the 'tokversion = x.y' keyword,
+ this is accidentally removed when migrating another slot.
+ * ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
+ Change the code to use the pid file that pkcsslotd creates, and check
+ if the process with the pid contained in the pid file still exists and
+ runs pkcsslotd.
+ * ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch + Always quote the value of 'description' and 'manufacturer'. Quote the + value of 'stdll', 'confname', and 'tokname' if it contains spaces, and + never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. + ------------------------------------------------------------------- Tue Jun 22 14:47:36 UTC 2021 - Mark Post diff --git a/openCryptoki.spec b/openCryptoki.spec index 3e567c3..c23d599 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -26,7 +26,7 @@ %define oc_cvs_tag opencryptoki Name: openCryptoki -Version: 3.15.1 +Version: 3.17.0 Release: 0 Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: CPL-1.0 @@ -39,20 +39,13 @@ Source3: openCryptoki-rpmlintrc # Patch 1 is needed because group pkcs11 doesn't exist in the build environment # and because we don't want(?) various file and directory permissions to be 0700. Patch1: ocki-3.11-remove-make-install-chgrp.patch -Patch2: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch -Patch3: ocki-3.15.1-Fix-compiling-with-c.patch -Patch4: ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch -Patch5: ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch -Patch6: ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch -Patch7: ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch -Patch8: ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch -Patch9: ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch BuildRequires: bison BuildRequires: dos2unix BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: libitm1 BuildRequires: libtool +BuildRequires: libudev-devel BuildRequires: openldap2-devel BuildRequires: openssl-devel >= 1.0 BuildRequires: pkgconfig 
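Review bot: The `@@ -39,20 +39,13 @@` hunk of openCryptoki.spec drops Patch2 through Patch9 without recording that each fix is contained in the 3.17.0 source, and three of them are memory-safety or key-validation fixes: the `EC_KEY_check_key` point-on-curve check in soft_specific.c, the off-by-one label allocation in p11sak.c, and the double free in p11sak.c. The new tarball is only a git-lfs pointer on this page, so presumably the fixes are upstream but that cannot be confirmed from the diff. Once checked against the unpacked source, I would add a comment above `Patch1:` such as `# Patch2-Patch9 (ocki-3.15.1-*) dropped: fixes verified present in upstream 3.17.0`. The changelog also lists four pkcstok_migrate patches for bsc#1188879 as removed, yet the diffstat deletes no such files and this hunk removes no `Patch` lines for them, so the presence of those fixes in 3.17.0 should be confirmed the same way.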
@@ -135,14 +128,6 @@ Cryptographic Accelerator (FC 4960 on pSeries). %prep %setup -q -n %{oc_cvs_tag}-%{version} %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 cp %{SOURCE2} . @@ -150,6 +135,7 @@ cp %{SOURCE2} . ./bootstrap.sh %configure --with-systemd=%{_unitdir} \ + --with-libudev=yes \ --enable-tpmtok \ %ifarch aarch64 # Apparently, gcc for aarch64 doesn't support transactional memory --enable-locks \ From 0fae8d9d81554717293532245082361d4c3720cd04c3394f7da58dc69aa600f0 Mon Sep 17 00:00:00 2001 
From: Mark Post Date: Fri, 22 Oct 2021 14:14:12 +0000 Subject: [PATCH 2/2] Accepting request 926994 from home:markkp:branches:security - Upgraded to version 3.17.0 (jsc#SLE-18326) + openCryptoki 3.17 - tools: added function to list keys to p11sak - common: added support for OpenSSL 3.0 - common: added support for event notifications - ICA: added SW fallbacks * openCryptoki 3.16 - EP11: protected-key option - EP11: support attribute-bound keys - CCA: import and export of secure key objects - Bug fixes - Removed the following obsolete patches: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch ocki-3.15.1-Fix-compiling-with-c.patch ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch - Added the following patches for bsc#1188879: * ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch When modifying opencryptoki.conf during token migration, put quotes around strings that contain spaces, e.g. for the slot description and manufacturer. * ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch When migrating a slot the opencryptoki.conf file is modified. If it contains slots that already contain the 'tokversion = x.y' keyword, this is accidentally removed when migrating another slot. 
* ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch Change the code to use the pid file that pkcsslotd creates, and check if the process with the pid contained in the pid file still exists and runs pkcsslotd. * ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch Always quote the value of 'description' and 'manufacturer'. Quote the value of 'stdll', 'confname', and 'tokname' if it contains spaces, and never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. - Added the following patches for bsc#1182726 " p11sak list-key segfault" * ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch Added NULL pointer to avoid double free() for the list-key and remove-key commands. * ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch Note that two hunks that were unrelated to fixing the running code were removed from this patch. * ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch - Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch When constructing an OpenSSL EC public or private key from PKCS#11 attributes or ECDH public data, check that the key is valid, i.e. that the point is on the curve. (bsc#1185976) - Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch (bsc#1182120) Fix pkcscca migration fails with usr/sb2 is not a valid slot ID - Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch (bsc#1182190) Fix a segmentation fault of the sess_opstate test on the Soft Token - Added the following patches for bsc#1179319 * Fix compiling with C++: ocki-3.15.1-Fix-compiling-with-c.patch * Added error message handling for p11sak remove-key command. 
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch - Don't require pwdutils for build, dropped long ago and not needed - Upgraded to version 3.15.1 (jsc#SLE-13749, jsc#SLE-13666, jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714, jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786) * openCryptoki 3.15.1 - Bug fixes * openCryptoki 3.15.0 - common: conform to PKCS 11 3.0 Baseline Provider profile - Introduce new vendor defined interface named "Vendor IBM" - Support C_IBM_ReencryptSingle via "Vendor IBM" interface - CCA: support key wrapping - SOFT: support ECC - p11sak tool: add remove-key command - Bug fixes * openCryptoki 3.14.0 - EP11: Dilitium support stage 2 - Common: Rework on process and thread locking - Common: Rework on btree and object locking - ICSF: minor fixes - TPM, ICA, ICSF: support multiple token instances - new tool p11sak * openCryptoki 3.13.0 - EP11: Dilithium support - EP11: EdDSA support - EP11: support RSA-OAEP with non-SHA1 hash and MGF - Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch - Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114) The EP11 token may fail to import an ECC public key. Function C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case. 
- Upgraded to version 3.12.1 (bsc#1157863) * Fix pkcsep11_migrate tool - Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918) * Update token pin and data store encryption for soft,ica,cca and ep11 * EP11: Allow importing of compressed EC public keys * EP11: Add support for the CMAC mechanisms * EP11: Add support for the IBM-SHA3 mechanisms * SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token * ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token * EP11: Add config option USE_PRANDOM * CCA: Use Random Number Generate Long for token_specific_rng() * Common rng function: Prefer /dev/prandom over /dev/urandom * ICA: add SHA*_RSA_PKCS_PSS mechanisms * Bug fixes - Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch - Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch (bsc#1152015) Add support for new IBM crypto card. - Upgraded to version 3.11.1 (Fate#327837) Bug fixes. - Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch - Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch (bsc#1123988) - Do not ignore errors from groupadd. If groupadd fails, installation ought not to proceed because files would have the wrong ownership. - Don't hide error messages from the groupadd command. To eliminate a potentially common one, check to see if the pkcs11 group is already defined before trying to add it. - Update the summary for the -devel package. - Changed several PreReq entries to Requires(pre) as a result of the output from spec-cleaner. Removed a couple of obsolete lines. - Removed obsolete check for whether systemd is in use or not. 
- Upgraded to version 3.11.0 (Fate#325685) * opencryptoki 3.11.0 EP11 enhancements A lot of bug fixes - Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply properly to 3.11, and renamed it to ocki-3.11-remove-make-install-chgrp.patch - Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch - Upgraded to version 3.10.0 (Fate#325685) * opencryptoki 3.10.0 Add support to ECC on ICA token and to common code. Add SHA224 support to SOFT token. Improve pkcsslotd logging. Fix sha512_hmac_sign and rsa_x509_verify for ICA token. Fix tracing of session id. Fix and improve testcases. Fix spec file permission for log directory. Fix build warnings. * opencryptoki 3.9.0 Fix token reinitialization Fix conditional man pages EP11 enhancements EP11 EC Key import Increase RSA max key length Fix broken links on documentation Define CK_FALSE and CK_TRUE macros Improve build flags - Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch - Made multiple changes to the spec file based on spec-cleaner output. - Added an rpmlintrc file to squelch warnings about adding ghost entries for files under /var/lock/opencryptoki/ - Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch (bsc#1086678) - Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617) - Upgraded to version 3.8.2 (fate#323295, bsc#1066412) * v3.8.2 Update man pages. Improve ock_tests for parallel execution. Fix FindObjectsInit for hidden HW-feature. Fix to allow vendor defined hardware features. Fix unresolved symbols. Fix tracing. Code/project cleanup. * v3.8.1 Fix TPM data-structure reset function. Fix error message when dlsym fails. Update configure.ac Update travis. * v3.8.0 Multi token instance feature. Added possibility to run opencryptoki with transactional memory or locks (--enable-locks on configure step). Updated documentation. Fix segfault on ec_test. Bunch of small fixes. 
- Removed ARM architectures from the build list until gcc6 becomes available for SLES. (bsc#1039510). - Updated to version 3.7.0 (Fate#321451) (bsc#1036640) - Update example spec file - Performance improvement. Moving from mutexes to transactional memory. - Add ECDSA SHA2 support for EP11 and CCA. - Fix declaration of inline functions. - Fix wrong testcase and ber en/decoding for integers. - Check for 'flex' and 'YACC' on configure. - EP11 config file rework. - Add enable-debug on travis build. - Add testcase for C_GetOperationState/C_SetOperationState. - Upgrade License to CPL-1.0 - Ica token: fix openssh/ibmpkcs11 engine/libica crash. - Fix segfault and logic in hardware feature test. - Fix spelling of documentation and manuals. - Fix the retrieval of p from a generated rsa key. - Coverity scan fixes - incompatible pointer type and unused variables. - Added libica-tools to the BuildRequires due to repackaging of libica. - Modified the spec file - Changed libca3-devel BuildRequires to just libica-devel - Check for systemd in the 32bit postun scriptlet. - Upgraded to version 3.6.2 (fate#321451) - Support OpenSSL-1.1. - Add Travis CI support. - Update autotools scripts and documentation. - Fix SegFault when a invalid session handle is passed in SC_EncryptUpdate and SC_DecryptUpdate. - Updated spec file to use libica3-devel instead of libica2-devel. - Upgraded to version 3.6.1 (fate#321451) - opencryptoki 3.6.1 - Fix SOFT token implementation of digest functions. - Replace deprecated OpenSSL interfaces. - opencryptoki 3.6 - Replace deprecated libica interfaces. - Performance improvement for ICA. - Improvement in documentation on system resources. - Improvement in testcases. - Added support for rc=8, reasoncode=2028 in icsf token. - Fix for session handle not set in session issue. - Multiple fixes for lock and log directories. - Downgraded a syslog error to warning. - Multiple fixes based on coverity scan results. 
- Added pkcs11 mapping for icsf reason code 72 for return code 8. - opencryptoki 3.5.1 - Fix Illegal Intruction on pkcscca tool. - Removed the following obsolete patches: - ocki-3.5-sanity-checking.patch - ocki-3.5-icsf-reasoncode72-support.patch - ocki-3.5-downgrade-syslogerror.patch - ocki-3.5-icsf-sessionhandle-missing-fix.patch - ocki-3.5-icsf-reasoncode-2028-added.patch - ocki-3.5-added-NULLreturn-check.patch - ocki-3.5-create-missing-tpm-token-lock-directory.patch - ocki-3.5-fix-pkcscca-calls.patch - Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081) - Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867). - Added %doc FAQ to the spec file (bsc#991168). - Added ocki-3.5-create-missing-tpm-token-lock-directory.patch (bsc#989602). - Added the following patches (bsc#986854) - ocki-3.5-icsf-reasoncode72-support.patch - ocki-3.5-icsf-coverity-memoryleakfix.patch - ocki-3.5-downgrade-syslogerror.patch - ocki-3.5-icsf-sessionhandle-missing-fix.patch - ocki-3.5-icsf-reasoncode-2028-added.patch - ocki-3.5-added-NULLreturn-check.patch - Added ocki-3.5-sanity-checking.patch (bsc#983496). - Added %dir entry for %{_localstatedir}/log/opencryptoki/ (bsc#983990) - Upgraded to openCryptoki 3.5 (bsc#978005). - Full Coverity scan fixes. - Fixes for compiler warnings. - Added support for C_GetObjectSize in icsf token. - Various bug fixes and memory leak fixes. - Removed global read permissions from token files - Added missing PKCS#11v2.2 constants. - Fix for symbol resolution issue seen in Fedora 22 and 23 for ep11 and cca tokens. - Improvements in socket read operation when a token comes up. - Replaced 32 bit CCA API declarations with latest header from version 5.0 libsculcca rpm. - Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938). - Changed BuildRequires for libica_2_3_0-devel to libica2-devel. - Changed BuildRequires for openssl-devel to specify >= 1.0 Contrary to what the README says, version 0.9.7 isn't sufficient. 
- Removed the redundant DESTDIR= parameter from the %make_install - Removed the following obsolete patches opencryptoki-run-lock.patch (/var/lock and run/lock are actually the same place) Also reverted the changed to openCryptoki-tmp.conf to match. ocki-3.1_10_0001-ica-sha-update-empty-msg.patch ocki-3.1-fix-implicit-decl.patch ocki-3.1-fix-init_d-path.patch ocki-3.1-fix-libica-link.patch ocki-3.2_01_fix-return-type-error.patch ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch ocki-3.2_05_icsf_ldap_handles.patch ocki-3.2_06_icsf_sign_verify.patch - renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to ocki-3.1-remove-make-install-chgrp.patch - Get a new ldap handle for each session opened in the icsf token, once the user has authenticated. (bsc#953347,LTC#130078) - ocki-3.2_05_icsf_ldap_handles.patch - ocki-3.2_06_icsf_sign_verify.patch - Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070) - Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch - Fixed two public key object inclusion in EP11 token (bsc#946808) - Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch - Fixed GPF when calling C_SignUpdate using ICFS toekn (bsc#946172) - Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch - Fixed failure to import ECDSA because of lack of attribute (bsc#948114) - Fixed BuildRequires: libica2-devel - Added ocki-3.2_01_fix-return-type-error.patch - Changing doc/README.ep11_stdll to unix-style EOL - Added BuildRequires: dos2unix - Removed globbing in %files and specified libraries to include (bsc#942162) - Updated to openCryptoki v3.2 (FATE#318240) - Removed unnecessary patches: - ocki-3.1_01_ep11_makefile.patch - ocki-3.1_02_ep11_m_init.patch - ocki-3.1_03_ock_obj_mgr.patch - 
ocki-3.1_04_ep11_opaque2blob_error_handl.patch - ocki-3.1_05_ep11_readme_update.patch - ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch - ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch - ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch - ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch - ocki-3.1_06_0005-Small-reworks.patch - ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch - ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch - ocki-3.1_07_0001-Man-page-corrections.patch - ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch - ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch - ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch - Also create parent directory /run/lock/opencryptoki in tmpfiles snippet if it does not exists. - spec: do not use -D__USE_BSD, a glibc-internal macro which no longer has any meaning. - spec: use %{_unitdir} %{_tmpfilesdir) - spec: call tmpfiles_create macro, if defined in %post - opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use /run/lock instead of /var/lock. - Update to version 3.2 +New pkcscca tool. Currently it assists in migrating cca private token objects from opencryptoki version 2 to the clear key encryption method used in opencryptoki version 3. Includes a manpage for pkcscca tool. Changes to README.cca_stdll to assist in using the CCA token and migrating the private token objects. + Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms. + Various bugfixes. + New testcases for various crypto algorithms. 
- Only depend on insserv if builded with sysvinit support - Remove obsolete patches; merged on upstream release + ocki-3.1_01_ep11_makefile.patch + ocki-3.1_02_ep11_m_init.patch + ocki-3.1_03_ock_obj_mgr.patch + ocki-3.1_04_ep11_opaque2blob_error_handl.patch + ocki-3.1_05_ep11_readme_update.patch + ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch + ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch + ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch + ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch + ocki-3.1_06_0005-Small-reworks.patch + ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch + ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch + ocki-3.1_07_0001-Man-page-corrections.patch + ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch + ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch + ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch + ocki-3.1_10_0001-ica-sha-update-empty-msg.patch - Project is now hosted on sourceforge; fix the Url - Remove cvs related stuff; tarball is produced by upstream - Use %configure macro instead of manually defined options - Build with parallel support; use %{?_smp_mflags} macro - Fixed ica token's SHA update function when passing zero message size (bnc#892644) - Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch - Fixed README.ep11_stdll to have Unix-style EOL characters. - Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch - Added all files from %src/doc as rpm %doc (bnc#894780) - Added pkcscca utility and documentation to convert private token objects from v2 to v3. 
(bnc#893757) - Added patches: - ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch - ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch - Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183) - Added patch ocki-3.1_07_0001-Man-page-corrections.patch - Specfile Cleanup, Added directory macros in appropriate places - Several package changes as per bnc#880217 - Added openCryptoki-tmp.conf for lock directory management - Added 'lite' token support - Changed from init.d daemon to systemd service - Updated macros in %pre %post %preun and %postun sections - Added missing icsf and ep11tok directories to %files section ocki-3.1_01_ep11_makefile.patch ocki-3.1_02_ep11_m_init.patch - Patches added: ocki-3.1-fix-libica-link.patch ocki-3.1_03_ock_obj_mgr.patch ocki-3.1_04_ep11_opaque2blob_error_handl.patch ocki-3.1_05_ep11_readme_update.patch ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch ocki-3.1_06_0005-Small-reworks.patch ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch - Moved libpkcs11_icsf 32-bit out of s390-specific files - Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x - Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x - EP11 token available in the opencryptoki V3.1 package (bnc#879303) - Specfile changed to include ep11tok.conf - Specfile changed to include pkcsep11_migrate and pkcsicsf tools - Specfile changed to BuildRequires openldap2-devel - ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch - print_mechanism() ignored bad returncodes from the called function token_specific_get_mechanism_list() - 
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch - Fix failure when confname is not given, use default ep11tok.conf instead - ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch - Removed check for ep11 lib at configure - ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch - Move stdint.h before zcrypt.h to resolve dependencies - ocki-3.1_06_0005-Small-reworks.patch - testcase fixes and file permission changes - ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch - Fix for s390 31-bit build error - ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch - zcrypt library included in build by default - Patches applied (bnc#865549) - Fixed Makefile to complement common code dependencies - switched to official m_init() function based on library change - checking the global token object count - catch the return code from object_mgr_find_in_map1 - some README updates about usage and restrictions - fix build on x86 (add CCA and TPM to filelist) - fix libica detection on s390/s390x to get ICA module built - Updated to openCryptoki v3.1: See ChangeLog for complete details (FATE#315426) - opencryptoki-3.1 - New ep11 token to support IBM Crypto Express adpaters (starting with Crypto Express 4S adapters) configured with Enterprise PKCS#11(EP11) firmware. (FATE#315330) - opencryptoki-3.0 - New opencryptoki.conf file to replace pk_config_data and pkcs11_starup. The opencryptoki.conf contains slot entry information for tokens. - Removed pkcs_slot and pkcs11_startup shell scripts. - ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6 mechanisms using 3DES keys. (FATE#315323) - ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL mechanisms. (FATE#315323) - ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64, CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL mechanisms. 
(FATE#315323) - opencryptoki-2.4.1 (21 Feb 2012) - SHA256 support added for CCA token (FATE#315289) - Using insserv macros in %post, %preun and %postun sections - Cleaned up spec file - removed patches: - ocki-2.2.6-PIN-backspace.patch - added patches: - ocki-3.1-fix-implicit-decl.patch - ocki-3.1-remove-make-install-chgrp-chmod.patch - ocki-3.1-fix-init_d-path.patch - add aarch64 to 64bit archs - enable ppc64le - remove -o from groupadd - fixed sed script to not a grouplist with leading , - don't package man pages twice - add libtool as buildrequire to avoid implicit dependency - enable TPM support (bnc#641919) - pkcsslotd: Updated to use new pidfile location (bnc#475800) - Added fix to allow backspacing during PIN entry (bnc#448089) - run ldconfig in postinstall [bnc#417925] - Enable build on x86_64 [bnc#417925] - Overhaul of the specfile. All platforms build the base package and each architecture builds the appropriate 32 or 64 bit package - Updated to openCryptoki v2.2.6 - fix init script - added pwdutils to buildreq - fix missing return values from non-void funcs - pkcsslotd: create PID file in the right place, delete it on exit (bug #164664) - added 64-bit patches from IBM (bug #145666) - added small change missing from patch for bug #156651 - fixed location of pkcs11_startup in init script (bug #162372) - fixed proc_t structure mixup (bug #156651) - initialize head pointer (bug #156229) - %ghost symlinks that are generated in %post (bug #154961) - stuffed memleak (patch by IBM, bug #147036) - changed RPM layout to meet IBM's demands (based on patch by IBM, bug #145666) - removed mmap, per-user data store support (patch by IBM, bug #145666) - converted neededforbuild to BuildRequires - Update to 2.2.2-rc2 - Update to 2.2.1-rc2 - Fixed build errors - Cleaned up spec file. - copy TFAQ to build directory (fix build) - Update to 2.1.6-rc5. - Port fixes from SLES9 SP3. 
- enabled for ARM - fix #50050: - ./configure.in: wrong test against $host makes ppc(64) miss -DPKCS64 in CFLAGS - corrected: S390 flag was set for ppc in this conditional - run full autoreconf / simplify specfile a little - Print correct error message (#37427 again). - Check for the correct module on startup (#37427) - update to openCryptoki-2.1.5, ppc64 version (#39026) - adapt filelist on ppc - Fix owner/group of files/directories - no need to specify "root" as supplementary group for root, it's already primary - Update to openCryptoki-2.1.3 - Fixed configure errors. - added directories to filelist - remove CVS subdirs - remove unpackaged files from buildroot - removed duplicates from configure.in - exclude ppc64 from the architectures, the package is built for. 64bit mode is not supported by IBM yet; dlopen wrappers are also missing 64bit filename handling. (#20380) - actually compress the openCryptoki-1.4*.tar.bz2 - make it even build ... - make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group creation before package installation (#20079) - correct version number (the patch actiually lifts openCryptoki to 1.5) - fix groupadd call to no longer silently ignore errors in all cases using (hopefully) posix exit codes. alternative would be to use undocumented '-f' option of groupadd. - add user root to group pkcs11 to enable root to administrate the crypto hardware support (#19566) - misc security fixes (#18377) - replaced openCryptoki-tools with openCryptoki-32bit and openCryptoki-64bit - moved dlopen objects that are available for non-x86 out of the ifarch ix86 - moved postun to tools subpackge (which contains the daemon) - removed include files. no development support for now. 
- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch and %%openCryptoki_no_tools_arch - replaced all i386 occurrences with %ix86 - changed filelist to what's really built - split package to openCryptoki and openCryptoki-tools to allow parallel installation of 32bit tools with 64bit dlopen objects for foreign middleware. - removed automatical insserv on install, because the package needs manual configuration (#18031) - added missing %post before insserv (Bug #17600) - Fix path in PreReq. - add groupadd pkcs11 in %pre install - updated to current version - removed old START_ variable - always use macros when calling insserv - add lib64 support - Added openssl to #neededforbuild, which is needed in addition to openssl-devel - initial version OBS-URL: https://build.opensuse.org/request/show/926994 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=121 --- openCryptoki.changes | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/openCryptoki.changes b/openCryptoki.changes index 2697e0e..ddab622 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes 
@@ -2,19 +2,29 @@ Thu Oct 21 19:31:51 UTC 2021 - Mark Post - Upgraded to version 3.17.0 (jsc#SLE-18326) - * Removed the following obsolete patches: - ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch - ocki-3.15.1-Fix-compiling-with-c.patch - ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch - ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch - ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch - ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch - ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch - ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch - ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch - ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch - ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch - ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch + + openCryptoki 3.17 + - tools: added function to list keys to p11sak + - common: added support for OpenSSL 3.0 + - common: added support for event notifications + - ICA: added SW fallbacks + * openCryptoki 3.16 + - EP11: protected-key option + - EP11: support attribute-bound keys + - CCA: import and export of secure key objects + - Bug fixes +- Removed the following obsolete patches: + ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch + ocki-3.15.1-Fix-compiling-with-c.patch + ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch + ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch + ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch + ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch + ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch + ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch + ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch + 
ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch + ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch + ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch ------------------------------------------------------------------- Thu Aug 5 20:33:40 UTC 2021 - Mark Post