forked from pool/openCryptoki
162 Commits
Commit 979c716e03

Accepting request 1188413 from security
Removed 'Requires(pre): %{_sbindir}/getent' and '%{_sbindir}/getent' from the commands in the .spec file
OBS-URL: https://build.opensuse.org/request/show/1188413
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=76

Commit 9a9c04005d

Accepting request 1187558 from security
OBS-URL: https://build.opensuse.org/request/show/1187558
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=75

Commit ca14227cab

- Updated the .spec file (bsc#1225876, bsc#1227280)
* Amended for group %{pkcs_group} and user pkcsslotd
* Copying example script files from /usr/share/doc/opencryptoki to
/usr/share/opencryptoki (policy-example.conf and strength-example.conf)
in case that there is 'rpm.install.excludedocs=yes' set in the
zypper.conf(zypp.conf)
- Upgrade openCryptoki to version 3.23 (jsc#PED-3360, jsc#PED-3361)
* EP11: Add support for FIPS-session mode
* Updates to harden against RSA timing attacks (bsc#1219217,CVE-2024-0914)
* Bug fixes
- Renamed ocki-3.22-remove-make-install-chgrp.patch to
ocki-3.23-remove-make-install-chgrp.patch
- provide user(pkcs11) and group(pkcs11)
- Amended the .spec file for pkcsslotd (jsc#1217703)
* Renamed the patch ocki-3.21-remove-make-install-chgrp.patch to
ocki-3.22-remove-make-install-chgrp.patch
- Upgrade to version 3.22 (jsc#PED-3361)
* openCryptoki 3.22
- CCA: Add support for the AES-XTS key type using CPACF protected keys
- p11sak: Add support for managing certificate objects
- p11sak: Add support for public sessions (no-login option)
- p11sak: Add support for logging in as SO (security Officer)
- p11sak: Add support for importing/exporting Edwards and Montgomery keys
- p11sak: Add support for importing of RSA-PSS keys and certificates
- CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different
* Bug fixes
- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
* openCryptoki 3.21
- EP11 and CCA: Support concurrent HSM master key changes
- CCA: protected-key option
- pkcsslotd: no longer run as root user and further hardening
- p11sak: Add support for additional key types (DH, DSA, generic secret)
- p11sak: Allow wildcards in label filter
- p11sak: Allow to specify hex value for CKA_ID attribute
- p11sak: Support sorting when listing keys
- p11sak: New commands: set-key-attr, copy-key to modify and copy keys
- p11sak: New commands: import-key, export-key to import and export keys
- Remove support for --disable-locks (transactional memory)
- Updates to harden against RSA timing attacks
- Bug fixes
- Amended a new patch to fit the version 3.21
* ocki-3.21-remove-make-install-chgrp.patch
- Removed the old patch for the version 3.20
* ocki-3.20-remove-make-install-chgrp.patch
- Updated package to openCryptoki 3.20 (bsc#1207760,
jsc#PED-3376, jsc#PED-2870, jsc#PED-2869 )
- Removed the following obsolete patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Reworked ocki-3.19-remove-make-install-chgrp.patch to fit the current version of
the package and renamed it to ocki-3.20-remove-make-install-chgrp.patch.
- Added patch for compile errors
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
following patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
- Updated spec file to set permissions on /etc/opencryptoki/strength.conf
to be owned by root:pkcs11 with permissions of 640. (bsc#1205566)
- Upgrade to version 3.19.0 (jsc#PED-616)
+ openCryptoki 3.19
- CCA: check for expected master key verification patterns at token init
- CCA: check master key verification pattern of created keys to be as expected
- EP11: check for expected wrapping key verification pattern at token init
- EP11: check wrapping key verification pattern of created keys to be as expected
- p11sak/pkcsconf: display PKCS#11 URIs
- p11sak: add support for IBM specific Dilithium keys
- p11sak: allow to list keys filtered by label
- common: add support for dual-function cryptographic functions
- Add support for C_SessionCancel function (PKCS#11 v3.0)
- EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER)
- EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE)
- Bug fixes
+ openCryptoki 3.18
- Default to FIPS compliant token data format (tokversion = 3.12)
- Add support for restricting usage of mechanisms and keys via a global policy
- Add support for statistics counting of mechanism usage
- ICA/EP11: Support libica version 4
- p11sak tool: Allow to set different attributes for public and private keys
- Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated
version named ocki-3.19-remove-make-install-chgrp.patch to fit
the current state of the source.
- Removed the following obsolete patches:
openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
- Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
for bsc#1202106. One test of the gen_purpose test cases fails with
"C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token.
- Made the following changes for bsc#1199862 "Please install
p11sak_defined_attrs.conf."
* Replaced ocki-3.11-remove-make-install-chgrp.patch with
ocki-3.17-remove-make-install-chgrp.patch to remove the
"-g pkcs11" parameter from the install command in the Makefile
* Updated the spec file to include
/etc/opencryptoki/p11sak_defined_attrs.conf as a %config file
with the necessary permissions and group ownership.
- Added the following two patches for bac#1197395. The CKM_IBM_DILITHIUM
mechanism does not show up as supported by the EP11 token when an
upgraded EP11 host library is used.
* openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
* openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
- Upgraded to version 3.17.0 (jsc#SLE-18326)
+ openCryptoki 3.17
- tools: added function to list keys to p11sak
- common: added support for OpenSSL 3.0
- common: added support for event notifications
- ICA: added SW fallbacks
* openCryptoki 3.16
- EP11: protected-key option
- EP11: support attribute-bound keys
- CCA: import and export of secure key objects
- Bug fixes
- Removed the following obsolete patches:
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
ocki-3.15.1-Fix-compiling-with-c.patch
ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
- Added the following patches for bsc#1188879:
* ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
* ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
* ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
* ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
- Added the following patches for bsc#1182726 " p11sak list-key segfault"
* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Added NULL pointer to avoid double free() for the list-key and
remove-key commands.
* ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Note that two hunks that were unrelated to fixing the running
code were removed from this patch.
* ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
(bsc#1185976)
- Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
(bsc#1182120)
Fix pkcscca migration fails with usr/sb2 is not a valid slot ID
- Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
(bsc#1182190)
Fix a segmentation fault of the sess_opstate test on the Soft Token
- Added the following patches for bsc#1179319
* Fix compiling with C++:
ocki-3.15.1-Fix-compiling-with-c.patch
* Added error message handling for p11sak remove-key command.
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
- Don't require pwdutils for build, dropped long ago and not needed
- Upgraded to version 3.15.1 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714,
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.1
- Bug fixes
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
The EP11 token may fail to import an ECC public key. Function
C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
- Upgraded to version 3.12.1 (bsc#1157863)
* Fix pkcsep11_migrate tool
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
(bsc#1152015)
Add support for new IBM crypto card.
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
(bsc#1123988)
- Do not ignore errors from groupadd. If groupadd fails,
installation ought not to proceed because files would have the
wrong ownership.
- Don't hide error messages from the groupadd command. To eliminate
a potentially common one, check to see if the pkcs11 group is
already defined before trying to add it.
- Update the summary for the -devel package.
- Changed several PreReq entries to Requires(pre) as a result of
the output from spec-cleaner. Removed a couple of obsolete lines.
- Removed obsolete check for whether systemd is in use or not.
- Upgraded to version 3.11.0 (Fate#325685)
* opencryptoki 3.11.0
EP11 enhancements
A lot of bug fixes
- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
properly to 3.11, and renamed it to
ocki-3.11-remove-make-install-chgrp.patch
- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
- Upgraded to version 3.10.0 (Fate#325685)
* opencryptoki 3.10.0
Add support to ECC on ICA token and to common code.
Add SHA224 support to SOFT token.
Improve pkcsslotd logging.
Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
Fix tracing of session id.
Fix and improve testcases.
Fix spec file permission for log directory.
Fix build warnings.
* opencryptoki 3.9.0
Fix token reinitialization
Fix conditional man pages
EP11 enhancements
EP11 EC Key import
Increase RSA max key length
Fix broken links on documentation
Define CK_FALSE and CK_TRUE macros
Improve build flags
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/lock/opencryptoki/
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
(bsc#1086678)
- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617)
- Upgraded to version 3.8.2 (fate#323295, bsc#1066412)
* v3.8.2
Update man pages.
Improve ock_tests for parallel execution.
Fix FindObjectsInit for hidden HW-feature.
Fix to allow vendor defined hardware features.
Fix unresolved symbols.
Fix tracing.
Code/project cleanup.
* v3.8.1
Fix TPM data-structure reset function.
Fix error message when dlsym fails.
Update configure.ac
Update travis.
* v3.8.0
Multi token instance feature.
Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
Updated documentation.
Fix segfault on ec_test.
Bunch of small fixes.
- Removed ARM architectures from the build list until gcc6 becomes
available for SLES. (bsc#1039510).
- Updated to version 3.7.0 (Fate#321451) (bsc#1036640)
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
- Added libica-tools to the BuildRequires due to repackaging of libica.
- Modified the spec file
- Changed libca3-devel BuildRequires to just libica-devel
- Check for systemd in the 32bit postun scriptlet.
- Upgraded to version 3.6.2 (fate#321451)
- Support OpenSSL-1.1.
- Add Travis CI support.
- Update autotools scripts and documentation.
- Fix SegFault when an invalid session handle is passed in
SC_EncryptUpdate and SC_DecryptUpdate.
- Updated spec file to use libica3-devel instead of libica2-devel.
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Instruction on pkcscca tool.
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
- ocki-3.5-fix-pkcscca-calls.patch
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
- Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867).
- Added %doc FAQ to the spec file (bsc#991168).
- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch
(bsc#989602).
- Added the following patches (bsc#986854)
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-icsf-coverity-memoryleakfix.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- Added ocki-3.5-sanity-checking.patch (bsc#983496).
- Added %dir entry for %{_localstatedir}/log/opencryptoki/
(bsc#983990)
- Upgraded to openCryptoki 3.5 (bsc#978005).
- Full Coverity scan fixes.
- Fixes for compiler warnings.
- Added support for C_GetObjectSize in icsf token.
- Various bug fixes and memory leak fixes.
- Removed global read permissions from token files
- Added missing PKCS#11v2.2 constants.
- Fix for symbol resolution issue seen in Fedora 22 and 23 for
ep11 and cca tokens.
- Improvements in socket read operation when a token comes up.
- Replaced 32 bit CCA API declarations with latest header from
version 5.0 libsculcca rpm.
- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938).
- Changed BuildRequires for libica_2_3_0-devel to libica2-devel.
- Changed BuildRequires for openssl-devel to specify >= 1.0
Contrary to what the README says, version 0.9.7 isn't
sufficient.
- Removed the redundant DESTDIR= parameter from the %make_install
- Removed the following obsolete patches
opencryptoki-run-lock.patch (/var/lock and run/lock are actually the
same place) Also reverted the change to openCryptoki-tmp.conf to match.
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
ocki-3.1-fix-implicit-decl.patch
ocki-3.1-fix-init_d-path.patch
ocki-3.1-fix-libica-link.patch
ocki-3.2_01_fix-return-type-error.patch
ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
ocki-3.2_05_icsf_ldap_handles.patch
ocki-3.2_06_icsf_sign_verify.patch
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch
- Get a new ldap handle for each session opened in the icsf token,
once the user has authenticated. (bsc#953347,LTC#130078)
- ocki-3.2_05_icsf_ldap_handles.patch
- ocki-3.2_06_icsf_sign_verify.patch
- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070)
- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
- Fixed two public key object inclusion in EP11 token (bsc#946808)
- Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
- Fixed GPF when calling C_SignUpdate using ICSF token (bsc#946172)
- Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
- Fixed failure to import ECDSA because of lack of attribute (bsc#948114)
- Fixed BuildRequires: libica2-devel
- Added ocki-3.2_01_fix-return-type-error.patch
- Changing doc/README.ep11_stdll to unix-style EOL
- Added BuildRequires: dos2unix
- Removed globbing in %files and specified libraries to include (bsc#942162)
- Updated to openCryptoki v3.2 (FATE#318240)
- Removed unnecessary patches:
- ocki-3.1_01_ep11_makefile.patch
- ocki-3.1_02_ep11_m_init.patch
- ocki-3.1_03_ock_obj_mgr.patch
- ocki-3.1_04_ep11_opaque2blob_error_handl.patch
- ocki-3.1_05_ep11_readme_update.patch
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- ocki-3.1_06_0005-Small-reworks.patch
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- ocki-3.1_07_0001-Man-page-corrections.patch
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Also create parent directory /run/lock/opencryptoki in
tmpfiles snippet if it does not exist.
- spec: do not use -D__USE_BSD, a glibc-internal macro
which no longer has any meaning.
- spec: use %{_unitdir} %{_tmpfilesdir}
- spec: call tmpfiles_create macro, if defined in %post
- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use
/run/lock instead of /var/lock.
- Update to version 3.2
+New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if built with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
- Use %configure macro instead of manually defined options
- Build with parallel support; use %{?_smp_mflags} macro
- Fixed ica token's SHA update function when passing zero message
size (bnc#892644)
- Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Fixed README.ep11_stdll to have Unix-style EOL characters.
- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Added all files from %src/doc as rpm %doc (bnc#894780)
- Added pkcscca utility and documentation to convert private
token objects from v2 to v3. (bnc#893757)
- Added patches:
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183)
- Added patch ocki-3.1_07_0001-Man-page-corrections.patch
- Specfile Cleanup, Added directory macros in appropriate places
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- Moved libpkcs11_icsf 32-bit out of s390-specific files
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
- Specfile changed to include pkcsep11_migrate and pkcsicsf tools
- Specfile changed to BuildRequires openldap2-devel
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- print_mechanism() ignored bad returncodes from the called
function token_specific_get_mechanism_list()
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- Fix failure when confname is not given, use default
ep11tok.conf instead
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- Removed check for ep11 lib at configure
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- Move stdint.h before zcrypt.h to resolve dependencies
- ocki-3.1_06_0005-Small-reworks.patch
- testcase fixes and file permission changes
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- Fix for s390 31-bit build error
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- zcrypt library included in build by default
- Patches applied (bnc#865549)
- Fixed Makefile to complement common code dependencies
- switched to official m_init() function based on library change
- checking the global token object count
- catch the return code from object_mgr_find_in_map1
- some README updates about usage and restrictions
- fix build on x86 (add CCA and TPM to filelist)
- fix libica detection on s390/s390x to get ICA module built
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_startup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
- enable ppc64le
- remove -o from groupadd
- fixed sed script to not a grouplist with leading ,
- don't package man pages twice
- add libtool as buildrequire to avoid implicit dependency
- enable TPM support (bnc#641919)
- pkcsslotd: Updated to use new pidfile location (bnc#475800)
- Added fix to allow backspacing during PIN entry (bnc#448089)
- run ldconfig in postinstall [bnc#417925]
- Enable build on x86_64 [bnc#417925]
- Overhaul of the specfile. All platforms build the base package
and each architecture builds the appropriate 32 or 64 bit package
- Updated to openCryptoki v2.2.6
- fix init script
- added pwdutils to buildreq
- fix missing return values from non-void funcs
- pkcsslotd: create PID file in the right place, delete it on
exit (bug #164664)
- added 64-bit patches from IBM (bug #145666)
- added small change missing from patch for bug #156651
- fixed location of pkcs11_startup in init script (bug #162372)
- fixed proc_t structure mixup (bug #156651)
- initialize head pointer (bug #156229)
- %ghost symlinks that are generated in %post (bug #154961)
- stuffed memleak (patch by IBM, bug #147036)
- changed RPM layout to meet IBM's demands (based on patch by IBM,
bug #145666)
- removed mmap, per-user data store support (patch by IBM, bug
#145666)
- converted neededforbuild to BuildRequires
- Update to 2.2.2-rc2
- Update to 2.2.1-rc2
- Fixed build errors
- Cleaned up spec file.
- copy TFAQ to build directory (fix build)
- Update to 2.1.6-rc5.
- Port fixes from SLES9 SP3.
- enabled for ARM
- fix #50050:
- ./configure.in: wrong test against $host makes ppc(64) miss
-DPKCS64 in CFLAGS
- corrected: S390 flag was set for ppc in this conditional
- run full autoreconf / simplify specfile a little
- Print correct error message (#37427 again).
- Check for the correct module on startup (#37427)
- update to openCryptoki-2.1.5, ppc64 version (#39026)
- adapt filelist on ppc
- Fix owner/group of files/directories
- no need to specify "root" as supplementary group for root,
it's already primary
- Update to openCryptoki-2.1.3
- Fixed configure errors.
- added directories to filelist
- remove CVS subdirs
- remove unpackaged files from buildroot
- removed duplicates from configure.in
- exclude ppc64 from the architectures, the package is built for.
64bit mode is not supported by IBM yet; dlopen wrappers are also
missing 64bit filename handling. (#20380)
- actually compress the openCryptoki-1.4*.tar.bz2
- make it even build ...
- make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group
creation before package installation (#20079)
- correct version number (the patch actually lifts openCryptoki to 1.5)
- fix groupadd call to no longer silently ignore errors in all cases
using (hopefully) posix exit codes. alternative would be to use
undocumented '-f' option of groupadd.
- add user root to group pkcs11 to enable root to administrate the
crypto hardware support (#19566)
- misc security fixes (#18377)
- replaced openCryptoki-tools with openCryptoki-32bit and
openCryptoki-64bit
- moved dlopen objects that are available for non-x86 out of the
ifarch ix86
- moved postun to tools subpackage (which contains the daemon)
- removed include files. no development support for now.
- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch
and %%openCryptoki_no_tools_arch
- replaced all i386 occurrences with %ix86
- changed filelist to what's really built
- split package to openCryptoki and openCryptoki-tools to allow
parallel installation of 32bit tools with 64bit dlopen objects for
foreign middleware.
- removed automatic insserv on install, because the package needs
manual configuration (#18031)
- added missing %post before insserv (Bug #17600)
- Fix path in PreReq.
- add groupadd pkcs11 in %pre install
- updated to current version
- removed old START_ variable
- always use macros when calling insserv
- add lib64 support
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
- initial version
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=149
|
|||
| dfcb5e44da |
Accepting request 1187028 from security
OBS-URL: https://build.opensuse.org/request/show/1187028 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=74 |
|||
| 6adf9fe8e7 |
- Updated the .spec file (bsc#1225876, bsc#1227280)
* Amended for group %{pkcs_group} and user pkcsslotd
* Copying example script files from /usr/share/doc/opencryptoki to
/usr/share/opencryptoki (policy-example.conf and strength-example.conf)
in case that there is 'rpm.install.excludedocs=yes' set in the
zypper.conf(zypp.conf)
- Upgrade openCryptoki to version 3.23 (jsc#PED-3360, jsc#PED-3361)
* EP11: Add support for FIPS-session mode
* Updates to harden against RSA timing attacks (bsc#1219217)
* Bug fixes
- Renamed ocki-3.22-remove-make-install-chgrp.patch to
ocki-3.23-remove-make-install-chgrp.patch
- provide user(pkcs11) and group(pkcs11)
- Amended the .spec file for pkcsslotd (jsc#1217703)
* Renamed the patch ocki-3.21-remove-make-install-chgrp.patch to
ocki-3.22-remove-make-install-chgrp.patch
- Upgrade to version 3.22 (jsc#PED-3361)
* openCryptoki 3.22
- CCA: Add support for the AES-XTS key type using CPACF protected keys
- p11sak: Add support for managing certificate objects
- p11sak: Add support for public sessions (no-login option)
- p11sak: Add support for logging in as SO (security Officer)
- p11sak: Add support for importing/exporting Edwards and Montgomery keys
- p11sak: Add support for importing of RSA-PSS keys and certificates
- CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different
* Bug fixes
- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
* openCryptoki 3.21
- EP11 and CCA: Support concurrent HSM master key changes
- CCA: protected-key option
- pkcsslotd: no longer run as root user and further hardening
- p11sak: Add support for additional key types (DH, DSA, generic secret)
- p11sak: Allow wildcards in label filter
- p11sak: Allow to specify hex value for CKA_ID attribute
- p11sak: Support sorting when listing keys
- p11sak: New commands: set-key-attr, copy-key to modify and copy keys
- p11sak: New commands: import-key, export-key to import and export keys
- Remove support for --disable-locks (transactional memory)
- Updates to harden against RSA timing attacks
- Bug fixes
- Amended a new patch to fit the version 3.21
* ocki-3.21-remove-make-install-chgrp.patch
- Removed the old patch for the version 3.20
* ocki-3.20-remove-make-install-chgrp.patch
- Updated package to openCryptoki 3.20 (bsc#1207760,
jsc#PED-3376, jsc#PED-2870, jsc#PED-2869 )
- Removed the following obsolete patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Reworked ocki-3.19-remove-make-install-chgrp.patch to fit the current version of
the package and renamed it to ocki-3.20-remove-make-install-chgrp.patch.
- Added patch for compile errors
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
following patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
- Updated spec file to set permissions on /etc/opencryptoki/strength.conf
to be owned by root:pkcs11 with permissions of 640. (bsc#1205566)
- Upgrade to version 3.19.0 (jsc#PED-616)
+ openCryptoki 3.19
- CCA: check for expected master key verification patterns at token init
- CCA: check master key verification pattern of created keys to be as expected
- EP11: check for expected wrapping key verification pattern at token init
- EP11: check wrapping key verification pattern of created keys to be as expected
- p11sak/pkcsconf: display PKCS#11 URIs
- p11sak: add support for IBM specific Dilithium keys
- p11sak: allow to list keys filtered by label
- common: add support for dual-function cryptographic functions
- Add support for C_SessionCancel function (PKCS#11 v3.0)
- EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER)
- EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE)
- Bug fixes
+ openCryptoki 3.18
- Default to FIPS compliant token data format (tokversion = 3.12)
- Add support for restricting usage of mechanisms and keys via a global policy
- Add support for statistics counting of mechanism usage
- ICA/EP11: Support libica version 4
- p11sak tool: Allow to set different attributes for public and private keys
- Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated
version named ocki-3.19-remove-make-install-chgrp.patch to fit
the current state of the source.
- Removed the following obsolete patches:
openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
- Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
for bsc#1202106. One test of the gen_purpose test cases fails with
"C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token.
- Made the following changes for bsc#1199862 "Please install
p11sak_defined_attrs.conf."
* Replaced ocki-3.11-remove-make-install-chgrp.patch with
ocki-3.17-remove-make-install-chgrp.patch to remove the
"-g pkcs11" parameter from the install command in the Makefile
* Updated the spec file to include
/etc/opencryptoki/p11sak_defined_attrs.conf as a %config file
with the necessary permissions and group ownership.
- Added the following two patches for bsc#1197395. The CKM_IBM_DILITHIUM
mechanism does not show up as supported by the EP11 token when an
upgraded EP11 host library is used.
* openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
* openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
- Upgraded to version 3.17.0 (jsc#SLE-18326)
+ openCryptoki 3.17
- tools: added function to list keys to p11sak
- common: added support for OpenSSL 3.0
- common: added support for event notifications
- ICA: added SW fallbacks
* openCryptoki 3.16
- EP11: protected-key option
- EP11: support attribute-bound keys
- CCA: import and export of secure key objects
- Bug fixes
- Removed the following obsolete patches:
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
ocki-3.15.1-Fix-compiling-with-c.patch
ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
- Added the following patches for bsc#1188879:
* ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
* ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
* ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
* ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
- Added the following patches for bsc#1182726 " p11sak list-key segfault"
* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Added NULL pointer to avoid double free() for the list-key and
remove-key commands.
* ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Note that two hunks that were unrelated to fixing the running
code were removed from this patch.
* ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
(bsc#1185976)
- Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
(bsc#1182120)
Fix pkcscca migration fails with usr/sb2 is not a valid slot ID
- Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
(bsc#1182190)
Fix a segmentation fault of the sess_opstate test on the Soft Token
- Added the following patches for bsc#1179319
* Fix compiling with C++:
ocki-3.15.1-Fix-compiling-with-c.patch
* Added error message handling for p11sak remove-key command.
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
- Don't require pwdutils for build, dropped long ago and not needed
- Upgraded to version 3.15.1 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714,
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.1
- Bug fixes
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
The EP11 token may fail to import an ECC public key. Function
C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
- Upgraded to version 3.12.1 (bsc#1157863)
* Fix pkcsep11_migrate tool
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
(bsc#1152015)
Add support for new IBM crypto card.
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
(bsc#1123988)
- Do not ignore errors from groupadd. If groupadd fails,
installation ought not to proceed because files would have the
wrong ownership.
- Don't hide error messages from the groupadd command. To eliminate
a potentially common one, check to see if the pkcs11 group is
already defined before trying to add it.
- Update the summary for the -devel package.
- Changed several PreReq entries to Requires(pre) as a result of
the output from spec-cleaner. Removed a couple of obsolete lines.
- Removed obsolete check for whether systemd is in use or not.
- Upgraded to version 3.11.0 (Fate#325685)
* opencryptoki 3.11.0
EP11 enhancements
A lot of bug fixes
- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
properly to 3.11, and renamed it to
ocki-3.11-remove-make-install-chgrp.patch
- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
- Upgraded to version 3.10.0 (Fate#325685)
* opencryptoki 3.10.0
Add support to ECC on ICA token and to common code.
Add SHA224 support to SOFT token.
Improve pkcsslotd logging.
Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
Fix tracing of session id.
Fix and improve testcases.
Fix spec file permission for log directory.
Fix build warnings.
* opencryptoki 3.9.0
Fix token reinitialization
Fix conditional man pages
EP11 enhancements
EP11 EC Key import
Increase RSA max key length
Fix broken links on documentation
Define CK_FALSE and CK_TRUE macros
Improve build flags
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/lock/opencryptoki/
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
(bsc#1086678)
- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617)
- Upgraded to version 3.8.2 (fate#323295, bsc#1066412)
* v3.8.2
Update man pages.
Improve ock_tests for parallel execution.
Fix FindObjectsInit for hidden HW-feature.
Fix to allow vendor defined hardware features.
Fix unresolved symbols.
Fix tracing.
Code/project cleanup.
* v3.8.1
Fix TPM data-structure reset function.
Fix error message when dlsym fails.
Update configure.ac
Update travis.
* v3.8.0
Multi token instance feature.
Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
Updated documentation.
Fix segfault on ec_test.
Bunch of small fixes.
- Removed ARM architectures from the build list until gcc6 becomes
available for SLES. (bsc#1039510).
- Updated to version 3.7.0 (Fate#321451) (bsc#1036640)
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
- Added libica-tools to the BuildRequires due to repackaging of libica.
- Modified the spec file
- Changed libca3-devel BuildRequires to just libica-devel
- Check for systemd in the 32bit postun scriptlet.
- Upgraded to version 3.6.2 (fate#321451)
- Support OpenSSL-1.1.
- Add Travis CI support.
- Update autotools scripts and documentation.
- Fix SegFault when an invalid session handle is passed in
SC_EncryptUpdate and SC_DecryptUpdate.
- Updated spec file to use libica3-devel instead of libica2-devel.
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Instruction on pkcscca tool.
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
- ocki-3.5-fix-pkcscca-calls.patch
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
- Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867).
- Added %doc FAQ to the spec file (bsc#991168).
- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch
(bsc#989602).
- Added the following patches (bsc#986854)
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-icsf-coverity-memoryleakfix.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- Added ocki-3.5-sanity-checking.patch (bsc#983496).
- Added %dir entry for %{_localstatedir}/log/opencryptoki/
(bsc#983990)
- Upgraded to openCryptoki 3.5 (bsc#978005).
- Full Coverity scan fixes.
- Fixes for compiler warnings.
- Added support for C_GetObjectSize in icsf token.
- Various bug fixes and memory leak fixes.
- Removed global read permissions from token files
- Added missing PKCS#11v2.2 constants.
- Fix for symbol resolution issue seen in Fedora 22 and 23 for
ep11 and cca tokens.
- Improvements in socket read operation when a token comes up.
- Replaced 32 bit CCA API declarations with latest header from
version 5.0 libsculcca rpm.
- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938).
- Changed BuildRequires for libica_2_3_0-devel to libica2-devel.
- Changed BuildRequires for openssl-devel to specify >= 1.0
Contrary to what the README says, version 0.9.7 isn't
sufficient.
- Removed the redundant DESTDIR= parameter from the %make_install
- Removed the following obsolete patches
opencryptoki-run-lock.patch (/var/lock and run/lock are actually the
same place) Also reverted the change to openCryptoki-tmp.conf to match.
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
ocki-3.1-fix-implicit-decl.patch
ocki-3.1-fix-init_d-path.patch
ocki-3.1-fix-libica-link.patch
ocki-3.2_01_fix-return-type-error.patch
ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
ocki-3.2_05_icsf_ldap_handles.patch
ocki-3.2_06_icsf_sign_verify.patch
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch
- Get a new ldap handle for each session opened in the icsf token,
once the user has authenticated. (bsc#953347,LTC#130078)
- ocki-3.2_05_icsf_ldap_handles.patch
- ocki-3.2_06_icsf_sign_verify.patch
- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070)
- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
- Fixed two public key object inclusion in EP11 token (bsc#946808)
- Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
- Fixed GPF when calling C_SignUpdate using ICSF token (bsc#946172)
- Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
- Fixed failure to import ECDSA because of lack of attribute (bsc#948114)
- Fixed BuildRequires: libica2-devel
- Added ocki-3.2_01_fix-return-type-error.patch
- Changing doc/README.ep11_stdll to unix-style EOL
- Added BuildRequires: dos2unix
- Removed globbing in %files and specified libraries to include (bsc#942162)
- Updated to openCryptoki v3.2 (FATE#318240)
- Removed unnecessary patches:
- ocki-3.1_01_ep11_makefile.patch
- ocki-3.1_02_ep11_m_init.patch
- ocki-3.1_03_ock_obj_mgr.patch
- ocki-3.1_04_ep11_opaque2blob_error_handl.patch
- ocki-3.1_05_ep11_readme_update.patch
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- ocki-3.1_06_0005-Small-reworks.patch
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- ocki-3.1_07_0001-Man-page-corrections.patch
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Also create parent directory /run/lock/opencryptoki in
tmpfiles snippet if it does not exist.
- spec: do not use -D__USE_BSD, a glibc-internal macro
which no longer has any meaning.
- spec: use %{_unitdir} %{_tmpfilesdir}
- spec: call tmpfiles_create macro, if defined in %post
- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use
/run/lock instead of /var/lock.
- Update to version 3.2
+ New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if built with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
- Use %configure macro instead of manually defined options
- Build with parallel support; use %{?_smp_mflags} macro
- Fixed ica token's SHA update function when passing zero message
size (bnc#892644)
- Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Fixed README.ep11_stdll to have Unix-style EOL characters.
- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Added all files from %src/doc as rpm %doc (bnc#894780)
- Added pkcscca utility and documentation to convert private
token objects from v2 to v3. (bnc#893757)
- Added patches:
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183)
- Added patch ocki-3.1_07_0001-Man-page-corrections.patch
- Specfile Cleanup, Added directory macros in appropriate places
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- Moved libpkcs11_icsf 32-bit out of s390-specific files
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
- Specfile changed to include pkcsep11_migrate and pkcsicsf tools
- Specfile changed to BuildRequires openldap2-devel
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- print_mechanism() ignored bad returncodes from the called
function token_specific_get_mechanism_list()
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- Fix failure when confname is not given, use default
ep11tok.conf instead
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- Removed check for ep11 lib at configure
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- Move stdint.h before zcrypt.h to resolve dependencies
- ocki-3.1_06_0005-Small-reworks.patch
- testcase fixes and file permission changes
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- Fix for s390 31-bit build error
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- zcrypt library included in build by default
- Patches applied (bnc#865549)
- Fixed Makefile to complement common code dependencies
- switched to official m_init() function based on library change
- checking the global token object count
- catch the return code from object_mgr_find_in_map1
- some README updates about usage and restrictions
- fix build on x86 (add CCA and TPM to filelist)
- fix libica detection on s390/s390x to get ICA module built
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_startup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
- enable ppc64le
- remove -o from groupadd
- fixed sed script to not a grouplist with leading ,
- don't package man pages twice
- add libtool as buildrequire to avoid implicit dependency
- enable TPM support (bnc#641919)
- pkcsslotd: Updated to use new pidfile location (bnc#475800)
- Added fix to allow backspacing during PIN entry (bnc#448089)
- run ldconfig in postinstall [bnc#417925]
- Enable build on x86_64 [bnc#417925]
- Overhaul of the specfile. All platforms build the base package
and each architecture builds the appropriate 32 or 64 bit package
- Updated to openCryptoki v2.2.6
- fix init script
- added pwdutils to buildreq
- fix missing return values from non-void funcs
- pkcsslotd: create PID file in the right place, delete it on
exit (bug #164664)
- added 64-bit patches from IBM (bug #145666)
- added small change missing from patch for bug #156651
- fixed location of pkcs11_startup in init script (bug #162372)
- fixed proc_t structure mixup (bug #156651)
- initialize head pointer (bug #156229)
- %ghost symlinks that are generated in %post (bug #154961)
- stuffed memleak (patch by IBM, bug #147036)
- changed RPM layout to meet IBM's demands (based on patch by IBM,
bug #145666)
- removed mmap, per-user data store support (patch by IBM, bug
#145666)
- converted neededforbuild to BuildRequires
- Update to 2.2.2-rc2
- Update to 2.2.1-rc2
- Fixed build errors
- Cleaned up spec file.
- copy TFAQ to build directory (fix build)
- Update to 2.1.6-rc5.
- Port fixes from SLES9 SP3.
- enabled for ARM
- fix #50050:
- ./configure.in: wrong test against $host makes ppc(64) miss
-DPKCS64 in CFLAGS
- corrected: S390 flag was set for ppc in this conditional
- run full autoreconf / simplify specfile a little
- Print correct error message (#37427 again).
- Check for the correct module on startup (#37427)
- update to openCryptoki-2.1.5, ppc64 version (#39026)
- adapt filelist on ppc
- Fix owner/group of files/directories
- no need to specify "root" as supplementary group for root,
it's already primary
- Update to openCryptoki-2.1.3
- Fixed configure errors.
- added directories to filelist
- remove CVS subdirs
- remove unpackaged files from buildroot
- removed duplicates from configure.in
- exclude ppc64 from the architectures, the package is built for.
64bit mode is not supported by IBM yet; dlopen wrappers are also
missing 64bit filename handling. (#20380)
- actually compress the openCryptoki-1.4*.tar.bz2
- make it even build ...
- make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group
creation before package installation (#20079)
- correct version number (the patch actually lifts openCryptoki to 1.5)
- fix groupadd call to no longer silently ignore errors in all cases
using (hopefully) posix exit codes. alternative would be to use
undocumented '-f' option of groupadd.
- add user root to group pkcs11 to enable root to administrate the
crypto hardware support (#19566)
- misc security fixes (#18377)
- replaced openCryptoki-tools with openCryptoki-32bit and
openCryptoki-64bit
- moved dlopen objects that are available for non-x86 out of the
ifarch ix86
- moved postun to tools subpackage (which contains the daemon)
- removed include files. no development support for now.
- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch
and %%openCryptoki_no_tools_arch
- replaced all i386 occurrences with %ix86
- changed filelist to what's really built
- split package to openCryptoki and openCryptoki-tools to allow
parallel installation of 32bit tools with 64bit dlopen objects for
foreign middleware.
- removed automatic insserv on install, because the package needs
manual configuration (#18031)
- added missing %post before insserv (Bug #17600)
- Fix path in PreReq.
- add groupadd pkcs11 in %pre install
- updated to current version
- removed old START_ variable
- always use macros when calling insserv
- add lib64 support
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
- initial version
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=147
|
|||
| c45457d1b7 |
Accepting request 1186784 from security
OBS-URL: https://build.opensuse.org/request/show/1186784
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=73 |
|||
| 5a473c2505 |
- Updated the .spec file (bsc#1225876, bsc#1227280)
* Amended for group %{pkcs_group} and user pkcsslotd
* Copying example script files from /usr/share/doc/opencryptoki to
/usr/share/opencryptoki (policy-example.conf and strength-example.conf)
in case that there is 'rpm.install.excludedocs=yes' set in the
zypper.conf(zypp.conf)
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=145
|
|||
| b58c7a82ee |
Accepting request 1144813 from security
OBS-URL: https://build.opensuse.org/request/show/1144813
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=72 |
|||
| 2724046aa7 |
Accepting request 1144812 from home:ngueorguiev:branches:security
- Upgrade openCryptoki to version 3.23 (jsc#PED-3360, jsc#PED-3361)
* EP11: Add support for FIPS-session mode
* Updates to harden against RSA timing attacks
* Bug fixes
- Renamed ocki-3.22-remove-make-install-chgrp.patch to
ocki-3.23-remove-make-install-chgrp.patch
OBS-URL: https://build.opensuse.org/request/show/1144812
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=143
|
|||
| e643acdba0 |
Accepting request 1144144 from security
OBS-URL: https://build.opensuse.org/request/show/1144144
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=71 |
|||
| dc5f0e29cf |
Accepting request 1144142 from home:msmeissn:branches:security
- provide user(pkcs11) and group(pkcs11)
OBS-URL: https://build.opensuse.org/request/show/1144142
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=141 |
|||
| 6e0c8bdcc5 |
Accepting request 1130787 from security
Amended the .spec file for pkcsslotd (jsc#1217703)
OBS-URL: https://build.opensuse.org/request/show/1130787
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=70 |
|||
| 1ec37d5138 |
Accepting request 1130784 from home:ngueorguiev:branches:security
- Amended the .spec file for pkcsslotd (jsc#1217703)
* Renamed the patch ocki-3.21-remove-make-install-chgrp.patch to
ocki-3.22-remove-make-install-chgrp.patch
- Upgrade to version 3.22 (jsc#PED-3361)
* openCryptoki 3.22
- CCA: Add support for the AES-XTS key type using CPACF protected keys
- p11sak: Add support for managing certificate objects
- p11sak: Add support for public sessions (no-login option)
- p11sak: Add support for logging in as SO (security Officer)
- p11sak: Add support for importing/exporting Edwards and Montgomery keys
- p11sak: Add support for importing of RSA-PSS keys and certificates
- CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different
* Bug fixes
- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
* openCryptoki 3.21
- EP11 and CCA: Support concurrent HSM master key changes
- CCA: protected-key option
- pkcsslotd: no longer run as root user and further hardening
- p11sak: Add support for additional key types (DH, DSA, generic secret)
- p11sak: Allow wildcards in label filter
- p11sak: Allow to specify hex value for CKA_ID attribute
- p11sak: Support sorting when listing keys
- p11sak: New commands: set-key-attr, copy-key to modify and copy keys
- p11sak: New commands: import-key, export-key to import and export keys
- Remove support for --disable-locks (transactional memory)
- Updates to harden against RSA timing attacks
- Bug fixes
- Amended a new patch to fit the version 3.21
* ocki-3.21-remove-make-install-chgrp.patch
- Removed the old patch for the version 3.20
* ocki-3.20-remove-make-install-chgrp.patch
- Updated package to openCryptoki 3.20 (jsc#PED-2870)
- Removed the following obsolete patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Reworked ocki-3.19-remove-make-install-chgrp.patch to fit the current version of
the package and renamed it to ocki-3.20-remove-make-install-chgrp.patch.
- Added patch for compile errors
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
following patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
- Updated spec file to set permissions on /etc/opencryptoki/strength.conf
to be owned by root:pkcs11 with permissions of 640. (bsc#1205566)
- Upgrade to version 3.19.0 (jsc#PED-616)
+ openCryptoki 3.19
- CCA: check for expected master key verification patterns at token init
- CCA: check master key verification pattern of created keys to be as expected
- EP11: check for expected wrapping key verification pattern at token init
- EP11: check wrapping key verification pattern of created keys to be as expected
- p11sak/pkcsconf: display PKCS#11 URIs
- p11sak: add support for IBM specific Dilithium keys
- p11sak: allow to list keys filtered by label
- common: add support for dual-function cryptographic functions
- Add support for C_SessionCancel function (PKCS#11 v3.0)
- EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER)
- EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE)
- Bug fixes
+ openCryptoki 3.18
- Default to FIPS compliant token data format (tokversion = 3.12)
- Add support for restricting usage of mechanisms and keys via a global policy
- Add support for statistics counting of mechanism usage
- ICA/EP11: Support libica version 4
- p11sak tool: Allow to set different attributes for public and private keys
- Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated
version named ocki-3.19-remove-make-install-chgrp.patch to fit
the current state of the source.
- Removed the following obsolete patches:
openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
- Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
for bsc#1202106. One test of the gen_purpose test cases fails with
"C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token.
- Made the following changes for bsc#1199862 "Please install
p11sak_defined_attrs.conf."
* Replaced ocki-3.11-remove-make-install-chgrp.patch with
ocki-3.17-remove-make-install-chgrp.patch to remove the
"-g pkcs11" parameter from the install command in the Makefile
* Updated the spec file to include
/etc/opencryptoki/p11sak_defined_attrs.conf as a %config file
with the necessary permissions and group ownership.
- Added the following two patches for bsc#1197395. The CKM_IBM_DILITHIUM
mechanism does not show up as supported by the EP11 token when an
upgraded EP11 host library is used.
* openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
* openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
- Upgraded to version 3.17.0 (jsc#SLE-18326)
+ openCryptoki 3.17
- tools: added function to list keys to p11sak
- common: added support for OpenSSL 3.0
- common: added support for event notifications
- ICA: added SW fallbacks
* openCryptoki 3.16
- EP11: protected-key option
- EP11: support attribute-bound keys
- CCA: import and export of secure key objects
- Bug fixes
- Removed the following obsolete patches:
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
ocki-3.15.1-Fix-compiling-with-c.patch
ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
- Added the following patches for bsc#1188879:
* ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
* ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
* ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
* ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
- Added the following patches for bsc#1182726 "p11sak list-key segfault"
* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Added NULL pointer to avoid double free() for the list-key and
remove-key commands.
* ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Note that two hunks that were unrelated to fixing the running
code were removed from this patch.
* ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
(bsc#1185976)
- Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
(bsc#1182120)
Fix pkcscca migration fails with usr/sb2 is not a valid slot ID
- Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
(bsc#1182190)
Fix a segmentation fault of the sess_opstate test on the Soft Token
- Added the following patches for bsc#1179319
* Fix compiling with C++:
ocki-3.15.1-Fix-compiling-with-c.patch
* Added error message handling for p11sak remove-key command.
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
- Don't require pwdutils for build, dropped long ago and not needed
- Upgraded to version 3.15.1 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714,
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.1
- Bug fixes
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
The EP11 token may fail to import an ECC public key. Function
C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
- Upgraded to version 3.12.1 (bsc#1157863)
* Fix pkcsep11_migrate tool
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
(bsc#1152015)
Add support for new IBM crypto card.
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
(bsc#1123988)
- Do not ignore errors from groupadd. If groupadd fails,
installation ought not to proceed because files would have the
wrong ownership.
- Don't hide error messages from the groupadd command. To eliminate
a potentially common one, check to see if the pkcs11 group is
already defined before trying to add it.
- Update the summary for the -devel package.
- Changed several PreReq entries to Requires(pre) as a result of
the output from spec-cleaner. Removed a couple of obsolete lines.
- Removed obsolete check for whether systemd is in use or not.
- Upgraded to version 3.11.0 (Fate#325685)
* opencryptoki 3.11.0
EP11 enhancements
A lot of bug fixes
- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
properly to 3.11, and renamed it to
ocki-3.11-remove-make-install-chgrp.patch
- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
- Upgraded to version 3.10.0 (Fate#325685)
* opencryptoki 3.10.0
Add support to ECC on ICA token and to common code.
Add SHA224 support to SOFT token.
Improve pkcsslotd logging.
Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
Fix tracing of session id.
Fix and improve testcases.
Fix spec file permission for log directory.
Fix build warnings.
* opencryptoki 3.9.0
Fix token reinitialization
Fix conditional man pages
EP11 enhancements
EP11 EC Key import
Increase RSA max key length
Fix broken links on documentation
Define CK_FALSE and CK_TRUE macros
Improve build flags
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/lock/opencryptoki/
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
(bsc#1086678)
- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617)
- Upgraded to version 3.8.2 (fate#323295, bsc#1066412)
* v3.8.2
Update man pages.
Improve ock_tests for parallel execution.
Fix FindObjectsInit for hidden HW-feature.
Fix to allow vendor defined hardware features.
Fix unresolved symbols.
Fix tracing.
Code/project cleanup.
* v3.8.1
Fix TPM data-structure reset function.
Fix error message when dlsym fails.
Update configure.ac
Update travis.
* v3.8.0
Multi token instance feature.
Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
Updated documentation.
Fix segfault on ec_test.
Bunch of small fixes.
- Removed ARM architectures from the build list until gcc6 becomes
available for SLES. (bsc#1039510).
- Updated to version 3.7.0 (Fate#321451) (bsc#1036640)
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
- Added libica-tools to the BuildRequires due to repackaging of libica.
- Modified the spec file
- Changed libca3-devel BuildRequires to just libica-devel
- Check for systemd in the 32bit postun scriptlet.
- Upgraded to version 3.6.2 (fate#321451)
- Support OpenSSL-1.1.
- Add Travis CI support.
- Update autotools scripts and documentation.
- Fix SegFault when an invalid session handle is passed in
SC_EncryptUpdate and SC_DecryptUpdate.
- Updated spec file to use libica3-devel instead of libica2-devel.
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Instruction on pkcscca tool.
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
- ocki-3.5-fix-pkcscca-calls.patch
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
- Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867).
- Added %doc FAQ to the spec file (bsc#991168).
- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch
(bsc#989602).
- Added the following patches (bsc#986854)
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-icsf-coverity-memoryleakfix.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- Added ocki-3.5-sanity-checking.patch (bsc#983496).
- Added %dir entry for %{_localstatedir}/log/opencryptoki/
(bsc#983990)
- Upgraded to openCryptoki 3.5 (bsc#978005).
- Full Coverity scan fixes.
- Fixes for compiler warnings.
- Added support for C_GetObjectSize in icsf token.
- Various bug fixes and memory leak fixes.
- Removed global read permissions from token files
- Added missing PKCS#11v2.2 constants.
- Fix for symbol resolution issue seen in Fedora 22 and 23 for
ep11 and cca tokens.
- Improvements in socket read operation when a token comes up.
- Replaced 32 bit CCA API declarations with latest header from
version 5.0 libsculcca rpm.
- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938).
- Changed BuildRequires for libica_2_3_0-devel to libica2-devel.
- Changed BuildRequires for openssl-devel to specify >= 1.0
Contrary to what the README says, version 0.9.7 isn't
sufficient.
- Removed the redundant DESTDIR= parameter from the %make_install
- Removed the following obsolete patches
opencryptoki-run-lock.patch (/var/lock and run/lock are actually the
same place) Also reverted the change to openCryptoki-tmp.conf to match.
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
ocki-3.1-fix-implicit-decl.patch
ocki-3.1-fix-init_d-path.patch
ocki-3.1-fix-libica-link.patch
ocki-3.2_01_fix-return-type-error.patch
ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
ocki-3.2_05_icsf_ldap_handles.patch
ocki-3.2_06_icsf_sign_verify.patch
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch
- Get a new ldap handle for each session opened in the icsf token,
once the user has authenticated. (bsc#953347,LTC#130078)
- ocki-3.2_05_icsf_ldap_handles.patch
- ocki-3.2_06_icsf_sign_verify.patch
- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070)
- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
- Fixed two public key object inclusion in EP11 token (bsc#946808)
- Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
- Fixed GPF when calling C_SignUpdate using ICSF token (bsc#946172)
- Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
- Fixed failure to import ECDSA because of lack of attribute (bsc#948114)
- Fixed BuildRequires: libica2-devel
- Added ocki-3.2_01_fix-return-type-error.patch
- Changing doc/README.ep11_stdll to unix-style EOL
- Added BuildRequires: dos2unix
- Removed globbing in %files and specified libraries to include (bsc#942162)
- Updated to openCryptoki v3.2 (FATE#318240)
- Removed unnecessary patches:
- ocki-3.1_01_ep11_makefile.patch
- ocki-3.1_02_ep11_m_init.patch
- ocki-3.1_03_ock_obj_mgr.patch
- ocki-3.1_04_ep11_opaque2blob_error_handl.patch
- ocki-3.1_05_ep11_readme_update.patch
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- ocki-3.1_06_0005-Small-reworks.patch
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- ocki-3.1_07_0001-Man-page-corrections.patch
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Also create parent directory /run/lock/opencryptoki in
tmpfiles snippet if it does not exist.
- spec: do not use -D__USE_BSD, a glibc-internal macro
which no longer has any meaning.
- spec: use %{_unitdir} %{_tmpfilesdir}
- spec: call tmpfiles_create macro, if defined in %post
- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use
/run/lock instead of /var/lock.
- Update to version 3.2
+New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if built with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
- Use %configure macro instead of manually defined options
- Build with parallel support; use %{?_smp_mflags} macro
- Fixed ica token's SHA update function when passing zero message
size (bnc#892644)
- Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Fixed README.ep11_stdll to have Unix-style EOL characters.
- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Added all files from %src/doc as rpm %doc (bnc#894780)
- Added pkcscca utility and documentation to convert private
token objects from v2 to v3. (bnc#893757)
- Added patches:
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183)
- Added patch ocki-3.1_07_0001-Man-page-corrections.patch
- Specfile Cleanup, Added directory macros in appropriate places
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- Moved libpkcs11_icsf 32-bit out of s390-specific files
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
- Specfile changed to include pkcsep11_migrate and pkcsicsf tools
- Specfile changed to BuildRequires openldap2-devel
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- print_mechanism() ignored bad returncodes from the called
function token_specific_get_mechanism_list()
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- Fix failure when confname is not given, use default
ep11tok.conf instead
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- Removed check for ep11 lib at configure
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- Move stdint.h before zcrypt.h to resolve dependencies
- ocki-3.1_06_0005-Small-reworks.patch
- testcase fixes and file permission changes
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- Fix for s390 31-bit build error
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- zcrypt library included in build by default
- Patches applied (bnc#865549)
- Fixed Makefile to complement common code dependencies
- switched to official m_init() function based on library change
- checking the global token object count
- catch the return code from object_mgr_find_in_map1
- some README updates about usage and restrictions
- fix build on x86 (add CCA and TPM to filelist)
- fix libica detection on s390/s390x to get ICA module built
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_startup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
- enable ppc64le
- remove -o from groupadd
- fixed sed script to not a grouplist with leading ,
- don't package man pages twice
- add libtool as buildrequire to avoid implicit dependency
- enable TPM support (bnc#641919)
- pkcsslotd: Updated to use new pidfile location (bnc#475800)
- Added fix to allow backspacing during PIN entry (bnc#448089)
- run ldconfig in postinstall [bnc#417925]
- Enable build on x86_64 [bnc#417925]
- Overhaul of the specfile. All platforms build the base package
and each architecture builds the appropriate 32 or 64 bit package
- Updated to openCryptoki v2.2.6
- fix init script
- added pwdutils to buildreq
- fix missing return values from non-void funcs
- pkcsslotd: create PID file in the right place, delete it on
exit (bug #164664)
- added 64-bit patches from IBM (bug #145666)
- added small change missing from patch for bug #156651
- fixed location of pkcs11_startup in init script (bug #162372)
- fixed proc_t structure mixup (bug #156651)
- initialize head pointer (bug #156229)
- %ghost symlinks that are generated in %post (bug #154961)
- stuffed memleak (patch by IBM, bug #147036)
- changed RPM layout to meet IBM's demands (based on patch by IBM,
bug #145666)
- removed mmap, per-user data store support (patch by IBM, bug
#145666)
- converted neededforbuild to BuildRequires
- Update to 2.2.2-rc2
- Update to 2.2.1-rc2
- Fixed build errors
- Cleaned up spec file.
- copy TFAQ to build directory (fix build)
- Update to 2.1.6-rc5.
- Port fixes from SLES9 SP3.
- enabled for ARM
- fix #50050:
- ./configure.in: wrong test against $host makes ppc(64) miss
-DPKCS64 in CFLAGS
- corrected: S390 flag was set for ppc in this conditional
- run full autoreconf / simplify specfile a little
- Print correct error message (#37427 again).
- Check for the correct module on startup (#37427)
- update to openCryptoki-2.1.5, ppc64 version (#39026)
- adapt filelist on ppc
- Fix owner/group of files/directories
- no need to specify "root" as supplementary group for root,
it's already primary
- Update to openCryptoki-2.1.3
- Fixed configure errors.
- added directories to filelist
- remove CVS subdirs
- remove unpackaged files from buildroot
- removed duplicates from configure.in
- exclude ppc64 from the architectures, the package is built for.
64bit mode is not supported by IBM yet; dlopen wrappers are also
missing 64bit filename handling. (#20380)
- actually compress the openCryptoki-1.4*.tar.bz2
- make it even build ...
- make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group
creation before package installation (#20079)
- correct version number (the patch actually lifts openCryptoki to 1.5)
- fix groupadd call to no longer silently ignore errors in all cases
using (hopefully) posix exit codes. alternative would be to use
undocumented '-f' option of groupadd.
- add user root to group pkcs11 to enable root to administrate the
crypto hardware support (#19566)
- misc security fixes (#18377)
- replaced openCryptoki-tools with openCryptoki-32bit and
openCryptoki-64bit
- moved dlopen objects that are available for non-x86 out of the
ifarch ix86
- moved postun to tools subpackge (which contains the daemon)
- removed include files. no development support for now.
- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch
and %%openCryptoki_no_tools_arch
- replaced all i386 occurrences with %ix86
- changed filelist to what's really built
- split package to openCryptoki and openCryptoki-tools to allow
parallel installation of 32bit tools with 64bit dlopen objects for
foreign middleware.
- removed automatic insserv on install, because the package needs
manual configuration (#18031)
- added missing %post before insserv (Bug #17600)
- Fix path in PreReq.
- add groupadd pkcs11 in %pre install
- updated to current version
- removed old START_ variable
- always use macros when calling insserv
- add lib64 support
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
- initial version
OBS-URL: https://build.opensuse.org/request/show/1130784
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=139
|
|||
| 8547c44c9d |
Accepting request 1130765 from home:ngueorguiev:branches:security
Amended the .spec file (bsc#1217703) OBS-URL: https://build.opensuse.org/request/show/1130765 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=138 |
|||
| d8a4f57221 |
Accepting request 1112796 from security
OBS-URL: https://build.opensuse.org/request/show/1112796 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=69 |
|||
| a44a3cdeeb |
Accepting request 1112795 from home:ngueorguiev:branches:security
- Upgrade to version 3.22 (jsc#PED-3361)
* openCryptoki 3.22
- CCA: Add support for the AES-XTS key type using CPACF protected keys
- p11sak: Add support for managing certificate objects
- p11sak: Add support for public sessions (no-login option)
- p11sak: Add support for logging in as SO (Security Officer)
- p11sak: Add support for importing/exporting Edwards and Montgomery keys
- p11sak: Add support for importing of RSA-PSS keys and certificates
- CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different
* Bug fixes
OBS-URL: https://build.opensuse.org/request/show/1112795
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=136
|
|||
| 36a196394b |
Accepting request 1089152 from security
OBS-URL: https://build.opensuse.org/request/show/1089152 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=68 |
|||
| 7aa2bb9da2 |
Accepting request 1089151 from home:ngueorguiev:branches:security
- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
* openCryptoki 3.21
- EP11 and CCA: Support concurrent HSM master key changes
- CCA: protected-key option
- pkcsslotd: no longer run as root user and further hardening
- p11sak: Add support for additional key types (DH, DSA, generic secret)
- p11sak: Allow wildcards in label filter
- p11sak: Allow to specify hex value for CKA_ID attribute
- p11sak: Support sorting when listing keys
- p11sak: New commands: set-key-attr, copy-key to modify and copy keys
- p11sak: New commands: import-key, export-key to import and export keys
- Remove support for --disable-locks (transactional memory)
- Updates to harden against RSA timing attacks
- Bug fixes
- Amended a new patch to fit the version 3.21
* ocki-3.21-remove-make-install-chgrp.patch
- Removed the old patch for the version 3.20
* ocki-3.20-remove-make-install-chgrp.patch
- Updated package to openCryptoki 3.20 (jsc#PED-2870)
- Removed the following obsolete patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Reworked ocki-3.19-remove-make-install-chgrp.patch to fit the current version of
the package and renamed it to ocki-3.20-remove-make-install-chgrp.patch.
- Added patch for compile errors
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
following patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
- Updated spec file to set permissions on /etc/opencryptoki/strength.conf
to be owned by root:pkcs11 with permissions of 640. (bsc#1205566)
- Upgrade to version 3.19.0 (jsc#PED-616)
+ openCryptoki 3.19
- CCA: check for expected master key verification patterns at token init
- CCA: check master key verification pattern of created keys to be as expected
- EP11: check for expected wrapping key verification pattern at token init
- EP11: check wrapping key verification pattern of created keys to be as expected
- p11sak/pkcsconf: display PKCS#11 URIs
- p11sak: add support for IBM specific Dilithium keys
- p11sak: allow to list keys filtered by label
- common: add support for dual-function cryptographic functions
- Add support for C_SessionCancel function (PKCS#11 v3.0)
- EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER)
- EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE)
- Bug fixes
+ openCryptoki 3.18
- Default to FIPS compliant token data format (tokversion = 3.12)
- Add support for restricting usage of mechanisms and keys via a global policy
- Add support for statistics counting of mechanism usage
- ICA/EP11: Support libica version 4
- p11sak tool: Allow to set different attributes for public and private keys
- Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated
version named ocki-3.19-remove-make-install-chgrp.patch to fit
the current state of the source.
- Removed the following obsolete patches:
openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
- Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
for bsc#1202106. One test of the gen_purpose test cases fails with
"C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token.
- Made the following changes for bsc#1199862 "Please install
p11sak_defined_attrs.conf."
* Replaced ocki-3.11-remove-make-install-chgrp.patch with
ocki-3.17-remove-make-install-chgrp.patch to remove the
"-g pkcs11" parameter from the install command in the Makefile
* Updated the spec file to include
/etc/opencryptoki/p11sak_defined_attrs.conf as a %config file
with the necessary permissions and group ownership.
- Added the following two patches for bsc#1197395. The CKM_IBM_DILITHIUM
mechanism does not show up as supported by the EP11 token when an
upgraded EP11 host library is used.
* openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
* openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
- Upgraded to version 3.17.0 (jsc#SLE-18326)
+ openCryptoki 3.17
- tools: added function to list keys to p11sak
- common: added support for OpenSSL 3.0
- common: added support for event notifications
- ICA: added SW fallbacks
* openCryptoki 3.16
- EP11: protected-key option
- EP11: support attribute-bound keys
- CCA: import and export of secure key objects
- Bug fixes
- Removed the following obsolete patches:
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
ocki-3.15.1-Fix-compiling-with-c.patch
ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
- Added the following patches for bsc#1188879:
* ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
* ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
* ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
* ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
- Added the following patches for bsc#1182726 " p11sak list-key segfault"
* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Added NULL pointer to avoid double free() for the list-key and
remove-key commands.
* ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Note that two hunks that were unrelated to fixing the running
code were removed from this patch.
* ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
(bsc#1185976)
- Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
(bsc#1182120)
Fix pkcscca migration fails with usr/sb2 is not a valid slot ID
- Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
(bsc#1182190)
Fix a segmentation fault of the sess_opstate test on the Soft Token
- Added the following patches for bsc#1179319
* Fix compiling with C++:
ocki-3.15.1-Fix-compiling-with-c.patch
* Added error message handling for p11sak remove-key command.
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
- Don't require pwdutils for build, dropped long ago and not needed
- Upgraded to version 3.15.1 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714,
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.1
- Bug fixes
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
The EP11 token may fail to import an ECC public key. Function
C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
- Upgraded to version 3.12.1 (bsc#1157863)
* Fix pkcsep11_migrate tool
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
(bsc#1152015)
Add support for new IBM crypto card.
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
(bsc#1123988)
- Do not ignore errors from groupadd. If groupadd fails,
installation ought not to proceed because files would have the
wrong ownership.
- Don't hide error messages from the groupadd command. To eliminate
a potentially common one, check to see if the pkcs11 group is
already defined before trying to add it.
- Update the summary for the -devel package.
- Changed several PreReq entries to Requires(pre) as a result of
the output from spec-cleaner. Removed a couple of obsolete lines.
- Removed obsolete check for whether systemd is in use or not.
- Upgraded to version 3.11.0 (Fate#325685)
* opencryptoki 3.11.0
EP11 enhancements
A lot of bug fixes
- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
properly to 3.11, and renamed it to
ocki-3.11-remove-make-install-chgrp.patch
- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
- Upgraded to version 3.10.0 (Fate#325685)
* opencryptoki 3.10.0
Add support to ECC on ICA token and to common code.
Add SHA224 support to SOFT token.
Improve pkcsslotd logging.
Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
Fix tracing of session id.
Fix and improve testcases.
Fix spec file permission for log directory.
Fix build warnings.
* opencryptoki 3.9.0
Fix token reinitialization
Fix conditional man pages
EP11 enhancements
EP11 EC Key import
Increase RSA max key length
Fix broken links on documentation
Define CK_FALSE and CK_TRUE macros
Improve build flags
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/lock/opencryptoki/
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
(bsc#1086678)
- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617)
- Upgraded to version 3.8.2 (fate#323295, bsc#1066412)
* v3.8.2
Update man pages.
Improve ock_tests for parallel execution.
Fix FindObjectsInit for hidden HW-feature.
Fix to allow vendor defined hardware features.
Fix unresolved symbols.
Fix tracing.
Code/project cleanup.
* v3.8.1
Fix TPM data-structure reset function.
Fix error message when dlsym fails.
Update configure.ac
Update travis.
* v3.8.0
Multi token instance feature.
Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
Updated documentation.
Fix segfault on ec_test.
Bunch of small fixes.
- Removed ARM architectures from the build list until gcc6 becomes
available for SLES. (bsc#1039510).
- Updated to version 3.7.0 (Fate#321451) (bsc#1036640)
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
- Added libica-tools to the BuildRequires due to repackaging of libica.
- Modified the spec file
- Changed libca3-devel BuildRequires to just libica-devel
- Check for systemd in the 32bit postun scriptlet.
- Upgraded to version 3.6.2 (fate#321451)
- Support OpenSSL-1.1.
- Add Travis CI support.
- Update autotools scripts and documentation.
- Fix SegFault when an invalid session handle is passed in
SC_EncryptUpdate and SC_DecryptUpdate.
- Updated spec file to use libica3-devel instead of libica2-devel.
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Instruction on pkcscca tool.
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
- ocki-3.5-fix-pkcscca-calls.patch
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
- Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867).
- Added %doc FAQ to the spec file (bsc#991168).
- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch
(bsc#989602).
- Added the following patches (bsc#986854)
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-icsf-coverity-memoryleakfix.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- Added ocki-3.5-sanity-checking.patch (bsc#983496).
- Added %dir entry for %{_localstatedir}/log/opencryptoki/
(bsc#983990)
- Upgraded to openCryptoki 3.5 (bsc#978005).
- Full Coverity scan fixes.
- Fixes for compiler warnings.
- Added support for C_GetObjectSize in icsf token.
- Various bug fixes and memory leak fixes.
- Removed global read permissions from token files
- Added missing PKCS#11v2.2 constants.
- Fix for symbol resolution issue seen in Fedora 22 and 23 for
ep11 and cca tokens.
- Improvements in socket read operation when a token comes up.
- Replaced 32 bit CCA API declarations with latest header from
version 5.0 libsculcca rpm.
- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938).
- Changed BuildRequires for libica_2_3_0-devel to libica2-devel.
- Changed BuildRequires for openssl-devel to specify >= 1.0
Contrary to what the README says, version 0.9.7 isn't
sufficient.
- Removed the redundant DESTDIR= parameter from the %make_install
- Removed the following obsolete patches
opencryptoki-run-lock.patch (/var/lock and run/lock are actually the
same place) Also reverted the change to openCryptoki-tmp.conf to match.
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
ocki-3.1-fix-implicit-decl.patch
ocki-3.1-fix-init_d-path.patch
ocki-3.1-fix-libica-link.patch
ocki-3.2_01_fix-return-type-error.patch
ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
ocki-3.2_05_icsf_ldap_handles.patch
ocki-3.2_06_icsf_sign_verify.patch
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch
- Get a new ldap handle for each session opened in the icsf token,
once the user has authenticated. (bsc#953347,LTC#130078)
- ocki-3.2_05_icsf_ldap_handles.patch
- ocki-3.2_06_icsf_sign_verify.patch
- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070)
- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
- Fixed two public key object inclusion in EP11 token (bsc#946808)
- Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
- Fixed GPF when calling C_SignUpdate using ICSF token (bsc#946172)
- Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
- Fixed failure to import ECDSA because of lack of attribute (bsc#948114)
- Fixed BuildRequires: libica2-devel
- Added ocki-3.2_01_fix-return-type-error.patch
- Changing doc/README.ep11_stdll to unix-style EOL
- Added BuildRequires: dos2unix
- Removed globbing in %files and specified libraries to include (bsc#942162)
- Updated to openCryptoki v3.2 (FATE#318240)
- Removed unnecessary patches:
- ocki-3.1_01_ep11_makefile.patch
- ocki-3.1_02_ep11_m_init.patch
- ocki-3.1_03_ock_obj_mgr.patch
- ocki-3.1_04_ep11_opaque2blob_error_handl.patch
- ocki-3.1_05_ep11_readme_update.patch
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- ocki-3.1_06_0005-Small-reworks.patch
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- ocki-3.1_07_0001-Man-page-corrections.patch
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Also create parent directory /run/lock/opencryptoki in
tmpfiles snippet if it does not exist.
- spec: do not use -D__USE_BSD, a glibc-internal macro
which no longer has any meaning.
- spec: use %{_unitdir} %{_tmpfilesdir}
- spec: call tmpfiles_create macro, if defined in %post
- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use
/run/lock instead of /var/lock.
- Update to version 3.2
+New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if built with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
- Use %configure macro instead of manually defined options
- Build with parallel support; use %{?_smp_mflags} macro
- Fixed ica token's SHA update function when passing zero message
size (bnc#892644)
- Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Fixed README.ep11_stdll to have Unix-style EOL characters.
- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Added all files from %src/doc as rpm %doc (bnc#894780)
- Added pkcscca utility and documentation to convert private
token objects from v2 to v3. (bnc#893757)
- Added patches:
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183)
- Added patch ocki-3.1_07_0001-Man-page-corrections.patch
- Specfile Cleanup, Added directory macros in appropriate places
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- Moved libpkcs11_icsf 32-bit out of s390-specific files
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
- Specfile changed to include pkcsep11_migrate and pkcsicsf tools
- Specfile changed to BuildRequires openldap2-devel
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- print_mechanism() ignored bad returncodes from the called
function token_specific_get_mechanism_list()
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- Fix failure when confname is not given, use default
ep11tok.conf instead
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- Removed check for ep11 lib at configure
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- Move stdint.h before zcrypt.h to resolve dependencies
- ocki-3.1_06_0005-Small-reworks.patch
- testcase fixes and file permission changes
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- Fix for s390 31-bit build error
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- zcrypt library included in build by default
- Patches applied (bnc#865549)
- Fixed Makefile to complement common code dependencies
- switched to official m_init() function based on library change
- checking the global token object count
- catch the return code from object_mgr_find_in_map1
- some README updates about usage and restrictions
- fix build on x86 (add CCA and TPM to filelist)
- fix libica detection on s390/s390x to get ICA module built
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_startup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
- enable ppc64le
- remove -o from groupadd
- fixed sed script to not a grouplist with leading ,
- don't package man pages twice
- add libtool as buildrequire to avoid implicit dependency
- enable TPM support (bnc#641919)
- pkcsslotd: Updated to use new pidfile location (bnc#475800)
- Added fix to allow backspacing during PIN entry (bnc#448089)
- run ldconfig in postinstall [bnc#417925]
- Enable build on x86_64 [bnc#417925]
- Overhaul of the specfile. All platforms build the base package
and each architecture builds the appropriate 32 or 64 bit package
- Updated to openCryptoki v2.2.6
- fix init script
- added pwdutils to buildreq
- fix missing return values from non-void funcs
- pkcsslotd: create PID file in the right place, delete it on
exit (bug #164664)
- added 64-bit patches from IBM (bug #145666)
- added small change missing from patch for bug #156651
- fixed location of pkcs11_startup in init script (bug #162372)
- fixed proc_t structure mixup (bug #156651)
- initialize head pointer (bug #156229)
- %ghost symlinks that are generated in %post (bug #154961)
- stuffed memleak (patch by IBM, bug #147036)
- changed RPM layout to meet IBM's demands (based on patch by IBM,
bug #145666)
- removed mmap, per-user data store support (patch by IBM, bug
#145666)
- converted neededforbuild to BuildRequires
- Update to 2.2.2-rc2
- Update to 2.2.1-rc2
- Fixed build errors
- Cleaned up spec file.
- copy TFAQ to build directory (fix build)
- Update to 2.1.6-rc5.
- Port fixes from SLES9 SP3.
- enabled for ARM
- fix #50050:
- ./configure.in: wrong test against $host makes ppc(64) miss
-DPKCS64 in CFLAGS
- corrected: S390 flag was set for ppc in this conditional
- run full autoreconf / simplify specfile a little
- Print correct error message (#37427 again).
- Check for the correct module on startup (#37427)
- update to openCryptoki-2.1.5, ppc64 version (#39026)
- adapt filelist on ppc
- Fix owner/group of files/directories
- no need to specify "root" as supplementary group for root,
it's already primary
- Update to openCryptoki-2.1.3
- Fixed configure errors.
- added directories to filelist
- remove CVS subdirs
- remove unpackaged files from buildroot
- removed duplicates from configure.in
- exclude ppc64 from the architectures, the package is built for.
64bit mode is not supported by IBM yet; dlopen wrappers are also
missing 64bit filename handling. (#20380)
- actually compress the openCryptoki-1.4*.tar.bz2
- make it even build ...
- make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group
creation before package installation (#20079)
- correct version number (the patch actually lifts openCryptoki to 1.5)
- fix groupadd call to no longer silently ignore errors in all cases
using (hopefully) posix exit codes. alternative would be to use
undocumented '-f' option of groupadd.
- add user root to group pkcs11 to enable root to administrate the
crypto hardware support (#19566)
- misc security fixes (#18377)
- replaced openCryptoki-tools with openCryptoki-32bit and
openCryptoki-64bit
- moved dlopen objects that are available for non-x86 out of the
ifarch ix86
- moved postun to tools subpackge (which contains the daemon)
- removed include files. no development support for now.
- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch
and %%openCryptoki_no_tools_arch
- replaced all i386 occurrences with %ix86
- changed filelist to what's really built
- split package to openCryptoki and openCryptoki-tools to allow
parallel installation of 32bit tools with 64bit dlopen objects for
foreign middleware.
- removed automatic insserv on install, because the package needs
manual configuration (#18031)
- added missing %post before insserv (Bug #17600)
- Fix path in PreReq.
- add groupadd pkcs11 in %pre install
- updated to current version
- removed old START_ variable
- always use macros when calling insserv
- add lib64 support
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
- initial version
OBS-URL: https://build.opensuse.org/request/show/1089151
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=134
|
|||
| 788aa4046a |
Accepting request 1089144 from home:ngueorguiev:branches:security
- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
* openCryptoki 3.21
- EP11 and CCA: Support concurrent HSM master key changes
- CCA: protected-key option
- pkcsslotd: no longer run as root user and further hardening
- p11sak: Add support for additional key types (DH, DSA, generic secret)
- p11sak: Allow wildcards in label filter
- p11sak: Allow to specify hex value for CKA_ID attribute
- p11sak: Support sorting when listing keys
- p11sak: New commands: set-key-attr, copy-key to modify and copy keys
- p11sak: New commands: import-key, export-key to import and export keys
- Remove support for --disable-locks (transactional memory)
- Updates to harden against RSA timing attacks
- Bug fixes
- Amended a patch to fit the version 3.21
* ocki-3.21-remove-make-install-chgrp.patch
OBS-URL: https://build.opensuse.org/request/show/1089144
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=133
|
|||
| 1c939703a3 |
Accepting request 1066182 from security
OBS-URL: https://build.opensuse.org/request/show/1066182
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=67
|
|||
| 8c6d50ec24 |
Accepting request 1066181 from home:ngueorguiev:branches:security
Updated package for (jsc#PED-2870)
OBS-URL: https://build.opensuse.org/request/show/1066181
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=131
|
|||
| d227b6f7d5 |
Accepting request 1063654 from security
- Added patch for compile errors
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the following patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
OBS-URL: https://build.opensuse.org/request/show/1063654
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=66
|
|||
|
|
b617a4aaa3 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=129 | ||
|
|
f41ca9bf97 |
Accepting request 1063652 from home:ngueorguiev:branches:security
- Added patch for compile errors
* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the following patches:
* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch
OBS-URL: https://build.opensuse.org/request/show/1063652
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
|
||
| 9f24a418bb |
Accepting request 1038744 from security
OBS-URL: https://build.opensuse.org/request/show/1038744
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=65
|
|||
|
|
2048190bdd |
Accepting request 1038743 from home:markkp:branches:security
- Updated spec file to set permissions on /etc/opencryptoki/strength.conf
to be owned by root:pkcs11 with permissions of 640. (bsc#1205566)
OBS-URL: https://build.opensuse.org/request/show/1038743
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=126
|
||
| b0fff8ca7a |
Accepting request 1008259 from security
OBS-URL: https://build.opensuse.org/request/show/1008259
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=64
|
|||
|
|
4ab3207014 |
Accepting request 1008258 from home:markkp:branches:security
- Upgrade to version 3.19.0 (jsc#PED-616)
+ openCryptoki 3.19
- CCA: check for expected master key verification patterns at token init
- CCA: check master key verification pattern of created keys to be as expected
- EP11: check for expected wrapping key verification pattern at token init
- EP11: check wrapping key verification pattern of created keys to be as expected
- p11sak/pkcsconf: display PKCS#11 URIs
- p11sak: add support for IBM specific Dilithium keys
- p11sak: allow to list keys filtered by label
- common: add support for dual-function cryptographic functions
- Add support for C_SessionCancel function (PKCS#11 v3.0)
- EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER)
- EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE)
- Bug fixes
+ openCryptoki 3.18
- Default to FIPS compliant token data format (tokversion = 3.12)
- Add support for restricting usage of mechanisms and keys via a global policy
- Add support for statistics counting of mechanism usage
- ICA/EP11: Support libica version 4
- p11sak tool: Allow to set different attributes for public and private keys
- Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated
version named ocki-3.19-remove-make-install-chgrp.patch to fit
the current state of the source.
- Removed the following obsolete patches:
openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
- Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
for bsc#1202106. One test of the gen_purpose test cases fails with
"C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token.
- Made the following changes for bsc#1199862 "Please install
p11sak_defined_attrs.conf."
* Replaced ocki-3.11-remove-make-install-chgrp.patch with
ocki-3.17-remove-make-install-chgrp.patch to remove the
"-g pkcs11" parameter from the install command in the Makefile
* Updated the spec file to include
/etc/opencryptoki/p11sak_defined_attrs.conf as a %config file
with the necessary permissions and group ownership.
OBS-URL: https://build.opensuse.org/request/show/1008258
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=124
|
||
| 364ea8530c |
Accepting request 964349 from security
OBS-URL: https://build.opensuse.org/request/show/964349
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=63
|
|||
|
|
30e85a8c82 |
Accepting request 964348 from home:markkp:branches:security
- Added the following two patches for bac#1197395. The CKM_IBM_DILITHIUM
mechanism does not show up as supported by the EP11 token when an
upgraded EP11 host library is used.
* openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
* openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch
OBS-URL: https://build.opensuse.org/request/show/964348
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=122
|
||
| 66e9144b70 |
Accepting request 926995 from security
OBS-URL: https://build.opensuse.org/request/show/926995
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=62
|
|||
|
|
0fae8d9d81 |
Accepting request 926994 from home:markkp:branches:security
- Upgraded to version 3.17.0 (jsc#SLE-18326)
+ openCryptoki 3.17
- tools: added function to list keys to p11sak
- common: added support for OpenSSL 3.0
- common: added support for event notifications
- ICA: added SW fallbacks
* openCryptoki 3.16
- EP11: protected-key option
- EP11: support attribute-bound keys
- CCA: import and export of secure key objects
- Bug fixes
- Removed the following obsolete patches:
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
ocki-3.15.1-Fix-compiling-with-c.patch
ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
- Added the following patches for bsc#1188879:
* ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
* ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
* ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
* ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
- Added the following patches for bsc#1182726 " p11sak list-key segfault"
* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Added NULL pointer to avoid double free() for the list-key and
remove-key commands.
* ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Note that two hunks that were unrelated to fixing the running
code were removed from this patch.
* ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
(bsc#1185976)
- Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
(bsc#1182120)
Fix pkcscca migration fails with usr/sb2 is not a valid slot ID
- Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
(bsc#1182190)
Fix a segmentation fault of the sess_opstate test on the Soft Token
- Added the following patches for bsc#1179319
* Fix compiling with C++:
ocki-3.15.1-Fix-compiling-with-c.patch
* Added error message handling for p11sak remove-key command.
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
- Don't require pwdutils for build, dropped long ago and not needed
- Upgraded to version 3.15.1 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714,
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.1
- Bug fixes
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
The EP11 token may fail to import an ECC public key. Function
C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
- Upgraded to version 3.12.1 (bsc#1157863)
* Fix pkcsep11_migrate tool
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
(bsc#1152015)
Add support for new IBM crypto card.
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
(bsc#1123988)
- Do not ignore errors from groupadd. If groupadd fails,
installation ought not to proceed because files would have the
wrong ownership.
- Don't hide error messages from the groupadd command. To eliminate
a potentially common one, check to see if the pkcs11 group is
already defined before trying to add it.
- Update the summary for the -devel package.
- Changed several PreReq entries to Requires(pre) as a result of
the output from spec-cleaner. Removed a couple of obsolete lines.
- Removed obsolete check for whether systemd is in use or not.
- Upgraded to version 3.11.0 (Fate#325685)
* opencryptoki 3.11.0
EP11 enhancements
A lot of bug fixes
- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
properly to 3.11, and renamed it to
ocki-3.11-remove-make-install-chgrp.patch
- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
- Upgraded to version 3.10.0 (Fate#325685)
* opencryptoki 3.10.0
Add support to ECC on ICA token and to common code.
Add SHA224 support to SOFT token.
Improve pkcsslotd logging.
Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
Fix tracing of session id.
Fix and improve testcases.
Fix spec file permission for log directory.
Fix build warnings.
* opencryptoki 3.9.0
Fix token reinitialization
Fix conditional man pages
EP11 enhancements
EP11 EC Key import
Increase RSA max key length
Fix broken links on documentation
Define CK_FALSE and CK_TRUE macros
Improve build flags
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/lock/opencryptoki/
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
(bsc#1086678)
- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617)
- Upgraded to version 3.8.2 (fate#323295, bsc#1066412)
* v3.8.2
Update man pages.
Improve ock_tests for parallel execution.
Fix FindObjectsInit for hidden HW-feature.
Fix to allow vendor defined hardware features.
Fix unresolved symbols.
Fix tracing.
Code/project cleanup.
* v3.8.1
Fix TPM data-structure reset function.
Fix error message when dlsym fails.
Update configure.ac
Update travis.
* v3.8.0
Multi token instance feature.
Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
Updated documentation.
Fix segfault on ec_test.
Bunch of small fixes.
- Removed ARM architectures from the build list until gcc6 becomes
available for SLES. (bsc#1039510).
- Updated to version 3.7.0 (Fate#321451) (bsc#1036640)
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
- Added libica-tools to the BuildRequires due to repackaging of libica.
- Modified the spec file
- Changed libca3-devel BuildRequires to just libica-devel
- Check for systemd in the 32bit postun scriptlet.
- Upgraded to version 3.6.2 (fate#321451)
- Support OpenSSL-1.1.
- Add Travis CI support.
- Update autotools scripts and documentation.
- Fix SegFault when an invalid session handle is passed in
SC_EncryptUpdate and SC_DecryptUpdate.
- Updated spec file to use libica3-devel instead of libica2-devel.
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Instruction on pkcscca tool.
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
- ocki-3.5-fix-pkcscca-calls.patch
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
- Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867).
- Added %doc FAQ to the spec file (bsc#991168).
- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch
(bsc#989602).
- Added the following patches (bsc#986854)
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-icsf-coverity-memoryleakfix.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- Added ocki-3.5-sanity-checking.patch (bsc#983496).
- Added %dir entry for %{_localstatedir}/log/opencryptoki/
(bsc#983990)
- Upgraded to openCryptoki 3.5 (bsc#978005).
- Full Coverity scan fixes.
- Fixes for compiler warnings.
- Added support for C_GetObjectSize in icsf token.
- Various bug fixes and memory leak fixes.
- Removed global read permissions from token files
- Added missing PKCS#11v2.2 constants.
- Fix for symbol resolution issue seen in Fedora 22 and 23 for
ep11 and cca tokens.
- Improvements in socket read operation when a token comes up.
- Replaced 32 bit CCA API declarations with latest header from
version 5.0 libsculcca rpm.
- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938).
- Changed BuildRequires for libica_2_3_0-devel to libica2-devel.
- Changed BuildRequires for openssl-devel to specify >= 1.0
Contrary to what the README says, version 0.9.7 isn't
sufficient.
- Removed the redundant DESTDIR= parameter from the %make_install
- Removed the following obsolete patches
opencryptoki-run-lock.patch (/var/lock and run/lock are actually the
same place) Also reverted the change to openCryptoki-tmp.conf to match.
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
ocki-3.1-fix-implicit-decl.patch
ocki-3.1-fix-init_d-path.patch
ocki-3.1-fix-libica-link.patch
ocki-3.2_01_fix-return-type-error.patch
ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
ocki-3.2_05_icsf_ldap_handles.patch
ocki-3.2_06_icsf_sign_verify.patch
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch
- Get a new ldap handle for each session opened in the icsf token,
once the user has authenticated. (bsc#953347,LTC#130078)
- ocki-3.2_05_icsf_ldap_handles.patch
- ocki-3.2_06_icsf_sign_verify.patch
- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070)
- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
- Fixed two public key object inclusion in EP11 token (bsc#946808)
- Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
- Fixed GPF when calling C_SignUpdate using ICSF token (bsc#946172)
- Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
- Fixed failure to import ECDSA because of lack of attribute (bsc#948114)
- Fixed BuildRequires: libica2-devel
- Added ocki-3.2_01_fix-return-type-error.patch
- Changing doc/README.ep11_stdll to unix-style EOL
- Added BuildRequires: dos2unix
- Removed globbing in %files and specified libraries to include (bsc#942162)
- Updated to openCryptoki v3.2 (FATE#318240)
- Removed unnecessary patches:
- ocki-3.1_01_ep11_makefile.patch
- ocki-3.1_02_ep11_m_init.patch
- ocki-3.1_03_ock_obj_mgr.patch
- ocki-3.1_04_ep11_opaque2blob_error_handl.patch
- ocki-3.1_05_ep11_readme_update.patch
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- ocki-3.1_06_0005-Small-reworks.patch
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- ocki-3.1_07_0001-Man-page-corrections.patch
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Also create parent directory /run/lock/opencryptoki in
tmpfiles snippet if it does not exist.
- spec: do not use -D__USE_BSD, a glibc-internal macro
which no longer has any meaning.
- spec: use %{_unitdir} %{_tmpfilesdir}
- spec: call tmpfiles_create macro, if defined in %post
- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use
/run/lock instead of /var/lock.
- Update to version 3.2
+New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if built with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
- Use %configure macro instead of manually defined options
- Build with parallel support; use %{?_smp_mflags} macro
- Fixed ica token's SHA update function when passing zero message
size (bnc#892644)
- Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Fixed README.ep11_stdll to have Unix-style EOL characters.
- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Added all files from %src/doc as rpm %doc (bnc#894780)
- Added pkcscca utility and documentation to convert private
token objects from v2 to v3. (bnc#893757)
- Added patches:
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183)
- Added patch ocki-3.1_07_0001-Man-page-corrections.patch
- Specfile Cleanup, Added directory macros in appropriate places
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- Moved libpkcs11_icsf 32-bit out of s390-specific files
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
- Specfile changed to include pkcsep11_migrate and pkcsicsf tools
- Specfile changed to BuildRequires openldap2-devel
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- print_mechanism() ignored bad returncodes from the called
function token_specific_get_mechanism_list()
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- Fix failure when confname is not given, use default
ep11tok.conf instead
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- Removed check for ep11 lib at configure
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- Move stdint.h before zcrypt.h to resolve dependencies
- ocki-3.1_06_0005-Small-reworks.patch
- testcase fixes and file permission changes
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- Fix for s390 31-bit build error
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- zcrypt library included in build by default
- Patches applied (bnc#865549)
- Fixed Makefile to complement common code dependencies
- switched to official m_init() function based on library change
- checking the global token object count
- catch the return code from object_mgr_find_in_map1
- some README updates about usage and restrictions
- fix build on x86 (add CCA and TPM to filelist)
- fix libica detection on s390/s390x to get ICA module built
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_startup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
- enable ppc64le
- remove -o from groupadd
- fixed sed script to not a grouplist with leading ,
- don't package man pages twice
- add libtool as buildrequire to avoid implicit dependency
- enable TPM support (bnc#641919)
- pkcsslotd: Updated to use new pidfile location (bnc#475800)
- Added fix to allow backspacing during PIN entry (bnc#448089)
- run ldconfig in postinstall [bnc#417925]
- Enable build on x86_64 [bnc#417925]
- Overhaul of the specfile. All platforms build the base package
and each architecture builds the appropriate 32 or 64 bit package
- Updated to openCryptoki v2.2.6
- fix init script
- added pwdutils to buildreq
- fix missing return values from non-void funcs
- pkcsslotd: create PID file in the right place, delete it on
exit (bug #164664)
- added 64-bit patches from IBM (bug #145666)
- added small change missing from patch for bug #156651
- fixed location of pkcs11_startup in init script (bug #162372)
- fixed proc_t structure mixup (bug #156651)
- initialize head pointer (bug #156229)
- %ghost symlinks that are generated in %post (bug #154961)
- stuffed memleak (patch by IBM, bug #147036)
- changed RPM layout to meet IBM's demands (based on patch by IBM,
bug #145666)
- removed mmap, per-user data store support (patch by IBM, bug
#145666)
- converted neededforbuild to BuildRequires
- Update to 2.2.2-rc2
- Update to 2.2.1-rc2
- Fixed build errors
- Cleaned up spec file.
- copy TFAQ to build directory (fix build)
- Update to 2.1.6-rc5.
- Port fixes from SLES9 SP3.
- enabled for ARM
- fix #50050:
- ./configure.in: wrong test against $host makes ppc(64) miss
-DPKCS64 in CFLAGS
- corrected: S390 flag was set for ppc in this conditional
- run full autoreconf / simplify specfile a little
- Print correct error message (#37427 again).
- Check for the correct module on startup (#37427)
- update to openCryptoki-2.1.5, ppc64 version (#39026)
- adapt filelist on ppc
- Fix owner/group of files/directories
- no need to specify "root" as supplementary group for root,
it's already primary
- Update to openCryptoki-2.1.3
- Fixed configure errors.
- added directories to filelist
- remove CVS subdirs
- remove unpackaged files from buildroot
- removed duplicates from configure.in
- exclude ppc64 from the architectures, the package is built for.
64bit mode is not supported by IBM yet; dlopen wrappers are also
missing 64bit filename handling. (#20380)
- actually compress the openCryptoki-1.4*.tar.bz2
- make it even build ...
- make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group
creation before package installation (#20079)
- correct version number (the patch actually lifts openCryptoki to 1.5)
- fix groupadd call to no longer silently ignore errors in all cases
using (hopefully) posix exit codes. alternative would be to use
undocumented '-f' option of groupadd.
- add user root to group pkcs11 to enable root to administrate the
crypto hardware support (#19566)
- misc security fixes (#18377)
- replaced openCryptoki-tools with openCryptoki-32bit and
openCryptoki-64bit
- moved dlopen objects that are available for non-x86 out of the
ifarch ix86
- moved postun to tools subpackage (which contains the daemon)
- removed include files. no development support for now.
- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch
and %%openCryptoki_no_tools_arch
- replaced all i386 occurrences with %ix86
- changed filelist to what's really built
- split package to openCryptoki and openCryptoki-tools to allow
parallel installation of 32bit tools with 64bit dlopen objects for
foreign middleware.
- removed automatic insserv on install, because the package needs
manual configuration (#18031)
- added missing %post before insserv (Bug #17600)
- Fix path in PreReq.
- add groupadd pkcs11 in %pre install
- updated to current version
- removed old START_ variable
- always use macros when calling insserv
- add lib64 support
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
- initial version
OBS-URL: https://build.opensuse.org/request/show/926994
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=121
|
||
|
|
437f73eba9 |
Accepting request 926834 from home:markkp:branches:security
- Upgraded to version 3.17.0 (jsc#SLE-18326)
* Removed the following obsolete patches:
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
ocki-3.15.1-Fix-compiling-with-c.patch
ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
- Added the following patches for bsc#1188879:
* ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
* ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
* ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
* ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
OBS-URL: https://build.opensuse.org/request/show/926834
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=120
|
||
| a86d9d3f8e |
Accepting request 919254 from security
Bug fixes for bsc#1190527:
- Added the following patches for bsc#1182726 " p11sak list-key segfault"
* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Added NULL pointer to avoid double free() for the list-key and
remove-key commands.
* ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Note that two hunks that were unrelated to fixing the running
code were removed from this patch.
* ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
(bsc#1185976)
OBS-URL: https://build.opensuse.org/request/show/919254
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=61
|
|||
|
|
a778db96d8 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=119 | ||
|
|
407ecfdaa4 |
- Added the following patches for bsc#1182726 " p11sak list-key segfault"
* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Added NULL pointer to avoid double free() for the list-key and
remove-key commands.
* ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Note that two hunks that were unrelated to fixing the running
code were removed from this patch.
* ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
(bsc#1185976)
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=118
|
||
| 45d43aadc0 |
Accepting request 872977 from security
OBS-URL: https://build.opensuse.org/request/show/872977 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=60 |
|||
|
|
6e14030074 |
Accepting request 872976 from home:markkp:branches:security
- Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
(bsc#1182120)
Fix pkcscca migration fails with usr/sb2 is not a valid slot ID
- Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
(bsc#1182190)
Fix a segmentation fault of the sess_opstate test on the Soft Token
OBS-URL: https://build.opensuse.org/request/show/872976
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=116
|
||
| aa124905ea |
Accepting request 866674 from security
OBS-URL: https://build.opensuse.org/request/show/866674 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=59 |
|||
|
|
a15ba93dba |
Accepting request 866673 from home:markkp:branches:security
- Added the following patches for bsc#1179319
* Fix compiling with C++:
ocki-3.15.1-Fix-compiling-with-c.patch
* Added error message handling for p11sak remove-key command.
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
OBS-URL: https://build.opensuse.org/request/show/866673
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=114
|
||
| c901ea9431 |
Accepting request 865508 from security
- Don't require pwdutils for build, dropped long ago and not needed
OBS-URL: https://build.opensuse.org/request/show/865508
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=58
|
|||
|
|
247e91e02d | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=112 | ||
|
|
b05ff947e8 |
Accepting request 865419 from home:kukuk:branches:security
- Don't require pwdutils for build, dropped long ago and not needed
OBS-URL: https://build.opensuse.org/request/show/865419
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=111
|
||
| 939afd4257 |
Accepting request 844928 from security
OBS-URL: https://build.opensuse.org/request/show/844928 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=57 |
|||
|
|
5d9c7f380f |
Accepting request 844927 from home:markkp:branches:security
- Upgraded to version 3.15.1 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714,
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.1
- Bug fixes
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
The EP11 token may fail to import an ECC public key. Function
C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
- Upgraded to version 3.12.1 (bsc#1157863)
* Fix pkcsep11_migrate tool
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
(bsc#1152015)
Add support for new IBM crypto card.
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
(bsc#1123988)
- Do not ignore errors from groupadd. If groupadd fails,
installation ought not to proceed because files would have the
wrong ownership.
- Don't hide error messages from the groupadd command. To eliminate
a potentially common one, check to see if the pkcs11 group is
already defined before trying to add it.
- Update the summary for the -devel package.
- Changed several PreReq entries to Requires(pre) as a result of
the output from spec-cleaner. Removed a couple of obsolete lines.
- Removed obsolete check for whether systemd is in use or not.
- Upgraded to version 3.11.0 (Fate#325685)
* opencryptoki 3.11.0
EP11 enhancements
A lot of bug fixes
- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
properly to 3.11, and renamed it to
ocki-3.11-remove-make-install-chgrp.patch
- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
- Upgraded to version 3.10.0 (Fate#325685)
* opencryptoki 3.10.0
Add support to ECC on ICA token and to common code.
Add SHA224 support to SOFT token.
Improve pkcsslotd logging.
Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
Fix tracing of session id.
Fix and improve testcases.
Fix spec file permission for log directory.
Fix build warnings.
* opencryptoki 3.9.0
Fix token reinitialization
Fix conditional man pages
EP11 enhancements
EP11 EC Key import
Increase RSA max key length
Fix broken links on documentation
Define CK_FALSE and CK_TRUE macros
Improve build flags
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/lock/opencryptoki/
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
(bsc#1086678)
- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617)
- Upgraded to version 3.8.2 (fate#323295, bsc#1066412)
* v3.8.2
Update man pages.
Improve ock_tests for parallel execution.
Fix FindObjectsInit for hidden HW-feature.
Fix to allow vendor defined hardware features.
Fix unresolved symbols.
Fix tracing.
Code/project cleanup.
* v3.8.1
Fix TPM data-structure reset function.
Fix error message when dlsym fails.
Update configure.ac
Update travis.
* v3.8.0
Multi token instance feature.
Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
Updated documentation.
Fix segfault on ec_test.
Bunch of small fixes.
- Removed ARM architectures from the build list until gcc6 becomes
available for SLES. (bsc#1039510).
- Updated to version 3.7.0 (Fate#321451) (bsc#1036640)
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
- Added libica-tools to the BuildRequires due to repackaging of libica.
- Modified the spec file
- Changed libca3-devel BuildRequires to just libica-devel
- Check for systemd in the 32bit postun scriptlet.
- Upgraded to version 3.6.2 (fate#321451)
- Support OpenSSL-1.1.
- Add Travis CI support.
- Update autotools scripts and documentation.
- Fix SegFault when an invalid session handle is passed in
SC_EncryptUpdate and SC_DecryptUpdate.
- Updated spec file to use libica3-devel instead of libica2-devel.
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Instruction on pkcscca tool.
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
- ocki-3.5-fix-pkcscca-calls.patch
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
- Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867).
- Added %doc FAQ to the spec file (bsc#991168).
- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch
(bsc#989602).
- Added the following patches (bsc#986854)
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-icsf-coverity-memoryleakfix.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- Added ocki-3.5-sanity-checking.patch (bsc#983496).
- Added %dir entry for %{_localstatedir}/log/opencryptoki/
(bsc#983990)
- Upgraded to openCryptoki 3.5 (bsc#978005).
- Full Coverity scan fixes.
- Fixes for compiler warnings.
- Added support for C_GetObjectSize in icsf token.
- Various bug fixes and memory leak fixes.
- Removed global read permissions from token files
- Added missing PKCS#11v2.2 constants.
- Fix for symbol resolution issue seen in Fedora 22 and 23 for
ep11 and cca tokens.
- Improvements in socket read operation when a token comes up.
- Replaced 32 bit CCA API declarations with latest header from
version 5.0 libsculcca rpm.
- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938).
- Changed BuildRequires for libica_2_3_0-devel to libica2-devel.
- Changed BuildRequires for openssl-devel to specify >= 1.0
Contrary to what the README says, version 0.9.7 isn't
sufficient.
- Removed the redundant DESTDIR= parameter from the %make_install
- Removed the following obsolete patches
opencryptoki-run-lock.patch (/var/lock and run/lock are actually the
same place) Also reverted the change to openCryptoki-tmp.conf to match.
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
ocki-3.1-fix-implicit-decl.patch
ocki-3.1-fix-init_d-path.patch
ocki-3.1-fix-libica-link.patch
ocki-3.2_01_fix-return-type-error.patch
ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
ocki-3.2_05_icsf_ldap_handles.patch
ocki-3.2_06_icsf_sign_verify.patch
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch
- Get a new ldap handle for each session opened in the icsf token,
once the user has authenticated. (bsc#953347,LTC#130078)
- ocki-3.2_05_icsf_ldap_handles.patch
- ocki-3.2_06_icsf_sign_verify.patch
- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070)
- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
- Fixed two public key object inclusion in EP11 token (bsc#946808)
- Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
- Fixed GPF when calling C_SignUpdate using ICSF token (bsc#946172)
- Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
- Fixed failure to import ECDSA because of lack of attribute (bsc#948114)
- Fixed BuildRequires: libica2-devel
- Added ocki-3.2_01_fix-return-type-error.patch
- Changing doc/README.ep11_stdll to unix-style EOL
- Added BuildRequires: dos2unix
- Removed globbing in %files and specified libraries to include (bsc#942162)
- Updated to openCryptoki v3.2 (FATE#318240)
- Removed unnecessary patches:
- ocki-3.1_01_ep11_makefile.patch
- ocki-3.1_02_ep11_m_init.patch
- ocki-3.1_03_ock_obj_mgr.patch
- ocki-3.1_04_ep11_opaque2blob_error_handl.patch
- ocki-3.1_05_ep11_readme_update.patch
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- ocki-3.1_06_0005-Small-reworks.patch
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- ocki-3.1_07_0001-Man-page-corrections.patch
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Also create parent directory /run/lock/opencryptoki in
tmpfiles snippet if it does not exists.
- spec: do not use -D__USE_BSD, a glibc-internal macro
which no longer has any meaning.
- spec: use %{_unitdir} %{_tmpfilesdir}
- spec: call tmpfiles_create macro, if defined in %post
- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use
/run/lock instead of /var/lock.
- Update to version 3.2
+New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if built with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
- Use %configure macro instead of manually defined options
- Build with parallel support; use %{?_smp_mflags} macro
- Fixed ica token's SHA update function when passing zero message
size (bnc#892644)
- Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Fixed README.ep11_stdll to have Unix-style EOL characters.
- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Added all files from %src/doc as rpm %doc (bnc#894780)
- Added pkcscca utility and documentation to convert private
token objects from v2 to v3. (bnc#893757)
- Added patches:
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183)
- Added patch ocki-3.1_07_0001-Man-page-corrections.patch
- Specfile Cleanup, Added directory macros in appropriate places
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- Moved libpkcs11_icsf 32-bit out of s390-specific files
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
- Specfile changed to include pkcsep11_migrate and pkcsicsf tools
- Specfile changed to BuildRequires openldap2-devel
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- print_mechanism() ignored bad returncodes from the called
function token_specific_get_mechanism_list()
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- Fix failure when confname is not given, use default
ep11tok.conf instead
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- Removed check for ep11 lib at configure
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- Move stdint.h before zcrypt.h to resolve dependencies
- ocki-3.1_06_0005-Small-reworks.patch
- testcase fixes and file permission changes
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- Fix for s390 31-bit build error
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- zcrypt library included in build by default
- Patches applied (bnc#865549)
- Fixed Makefile to complement common code dependencies
- switched to official m_init() function based on library change
- checking the global token object count
- catch the return code from object_mgr_find_in_map1
- some README updates about usage and restrictions
- fix build on x86 (add CCA and TPM to filelist)
- fix libica detection on s390/s390x to get ICA module built
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_startup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
- enable ppc64le
- remove -o from groupadd
- fixed sed script to not a grouplist with leading ,
- don't package man pages twice
- add libtool as buildrequire to avoid implicit dependency
- enable TPM support (bnc#641919)
- pkcsslotd: Updated to use new pidfile location (bnc#475800)
- Added fix to allow backspacing during PIN entry (bnc#448089)
- run ldconfig in postinstall [bnc#417925]
- Enable build on x86_64 [bnc#417925]
- Overhaul of the specfile. All platforms build the base package
and each architecture builds the appropriate 32 or 64 bit package
- Updated to openCryptoki v2.2.6
- fix init script
- added pwdutils to buildreq
- fix missing return values from non-void funcs
- pkcsslotd: create PID file in the right place, delete it on
exit (bug #164664)
- added 64-bit patches from IBM (bug #145666)
- added small change missing from patch for bug #156651
- fixed location of pkcs11_startup in init script (bug #162372)
- fixed proc_t structure mixup (bug #156651)
- initialize head pointer (bug #156229)
- %ghost symlinks that are generated in %post (bug #154961)
- stuffed memleak (patch by IBM, bug #147036)
- changed RPM layout to meet IBM's demands (based on patch by IBM,
bug #145666)
- removed mmap, per-user data store support (patch by IBM, bug
#145666)
- converted neededforbuild to BuildRequires
- Update to 2.2.2-rc2
- Update to 2.2.1-rc2
- Fixed build errors
- Cleaned up spec file.
- copy TFAQ to build directory (fix build)
- Update to 2.1.6-rc5.
- Port fixes from SLES9 SP3.
- enabled for ARM
- fix #50050:
- ./configure.in: wrong test against $host makes ppc(64) miss
-DPKCS64 in CFLAGS
- corrected: S390 flag was set for ppc in this conditional
- run full autoreconf / simplify specfile a little
- Print correct error message (#37427 again).
- Check for the correct module on startup (#37427)
- update to openCryptoki-2.1.5, ppc64 version (#39026)
- adapt filelist on ppc
- Fix owner/group of files/directories
- no need to specify "root" as supplementary group for root,
it's already primary
- Update to openCryptoki-2.1.3
- Fixed configure errors.
- added directories to filelist
- remove CVS subdirs
- remove unpackaged files from buildroot
- removed duplicates from configure.in
- exclude ppc64 from the architectures, the package is built for.
64bit mode is not supported by IBM yet; dlopen wrappers are also
missing 64bit filename handling. (#20380)
- actually compress the openCryptoki-1.4*.tar.bz2
- make it even build ...
- make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group
creation before package installation (#20079)
- correct version number (the patch actually lifts openCryptoki to 1.5)
- fix groupadd call to no longer silently ignore errors in all cases
using (hopefully) posix exit codes. alternative would be to use
undocumented '-f' option of groupadd.
- add user root to group pkcs11 to enable root to administrate the
crypto hardware support (#19566)
- misc security fixes (#18377)
- replaced openCryptoki-tools with openCryptoki-32bit and
openCryptoki-64bit
- moved dlopen objects that are available for non-x86 out of the
ifarch ix86
- moved postun to tools subpackge (which contains the daemon)
- removed include files. no development support for now.
- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch
and %%openCryptoki_no_tools_arch
- replaced all i386 occurrences with %ix86
- changed filelist to what's really built
- split package to openCryptoki and openCryptoki-tools to allow
parallel installation of 32bit tools with 64bit dlopen objects for
foreign middleware.
- removed automatical insserv on install, because the package needs
manual configuration (#18031)
- added missing %post before insserv (Bug #17600)
- Fix path in PreReq.
- add groupadd pkcs11 in %pre install
- updated to current version
- removed old START_ variable
- always use macros when calling insserv
- add lib64 support
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
- initial version
OBS-URL: https://build.opensuse.org/request/show/844927
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=109
|
||
| 726ec042cb |
Accepting request 843292 from security
- Upgraded to version 3.15.0 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714,
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
OBS-URL: https://build.opensuse.org/request/show/843292
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=56
|
|||
|
|
18f1af0cf7 |
Accepting request 843291 from home:markkp:branches:security
- Upgraded to version 3.15.0 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714,
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
The EP11 token may fail to import an ECC public key. Function
C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
- Upgraded to version 3.12.1 (bsc#1157863)
* Fix pkcsep11_migrate tool
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
(bsc#1152015)
Add support for new IBM crypto card.
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
(bsc#1123988)
- Do not ignore errors from groupadd. If groupadd fails,
installation ought not to proceed because files would have the
wrong ownership.
- Don't hide error messages from the groupadd command. To eliminate
a potentially common one, check to see if the pkcs11 group is
already defined before trying to add it.
- Update the summary for the -devel package.
- Changed several PreReq entries to Requires(pre) as a result of
the output from spec-cleaner. Removed a couple of obsolete lines.
- Removed obsolete check for whether systemd is in use or not.
- Upgraded to version 3.11.0 (Fate#325685)
* opencryptoki 3.11.0
EP11 enhancements
A lot of bug fixes
- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
properly to 3.11, and renamed it to
ocki-3.11-remove-make-install-chgrp.patch
- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
- Upgraded to version 3.10.0 (Fate#325685)
* opencryptoki 3.10.0
Add support to ECC on ICA token and to common code.
Add SHA224 support to SOFT token.
Improve pkcsslotd logging.
Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
Fix tracing of session id.
Fix and improve testcases.
Fix spec file permission for log directory.
Fix build warnings.
* opencryptoki 3.9.0
Fix token reinitialization
Fix conditional man pages
EP11 enhancements
EP11 EC Key import
Increase RSA max key length
Fix broken links on documentation
Define CK_FALSE and CK_TRUE macros
Improve build flags
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/lock/opencryptoki/
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
(bsc#1086678)
- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617)
- Upgraded to version 3.8.2 (fate#323295, bsc#1066412)
* v3.8.2
Update man pages.
Improve ock_tests for parallel execution.
Fix FindObjectsInit for hidden HW-feature.
Fix to allow vendor defined hardware features.
Fix unresolved symbols.
Fix tracing.
Code/project cleanup.
* v3.8.1
Fix TPM data-structure reset function.
Fix error message when dlsym fails.
Update configure.ac
Update travis.
* v3.8.0
Multi token instance feature.
Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
Updated documentation.
Fix segfault on ec_test.
Bunch of small fixes.
- Removed ARM architectures from the build list until gcc6 becomes
available for SLES. (bsc#1039510).
- Updated to version 3.7.0 (Fate#321451) (bsc#1036640)
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
- Added libica-tools to the BuildRequires due to repackaging of libica.
- Modified the spec file
- Changed libca3-devel BuildRequires to just libica-devel
- Check for systemd in the 32bit postun scriptlet.
- Upgraded to version 3.6.2 (fate#321451)
- Support OpenSSL-1.1.
- Add Travis CI support.
- Update autotools scripts and documentation.
- Fix SegFault when an invalid session handle is passed in
SC_EncryptUpdate and SC_DecryptUpdate.
- Updated spec file to use libica3-devel instead of libica2-devel.
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Instruction on pkcscca tool.
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
- ocki-3.5-fix-pkcscca-calls.patch
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
- Added ocki-3.5-fix-pkcscca-calls.patch (bsc#996867).
- Added %doc FAQ to the spec file (bsc#991168).
- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch
(bsc#989602).
- Added the following patches (bsc#986854)
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-icsf-coverity-memoryleakfix.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- Added ocki-3.5-sanity-checking.patch (bsc#983496).
- Added %dir entry for %{_localstatedir}/log/opencryptoki/
(bsc#983990)
- Upgraded to openCryptoki 3.5 (bsc#978005).
- Full Coverity scan fixes.
- Fixes for compiler warnings.
- Added support for C_GetObjectSize in icsf token.
- Various bug fixes and memory leak fixes.
- Removed global read permissions from token files
- Added missing PKCS#11v2.2 constants.
- Fix for symbol resolution issue seen in Fedora 22 and 23 for
ep11 and cca tokens.
- Improvements in socket read operation when a token comes up.
- Replaced 32 bit CCA API declarations with latest header from
version 5.0 libsculcca rpm.
- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938).
- Changed BuildRequires for libica_2_3_0-devel to libica2-devel.
- Changed BuildRequires for openssl-devel to specify >= 1.0
Contrary to what the README says, version 0.9.7 isn't
sufficient.
- Removed the redundant DESTDIR= parameter from the %make_install
- Removed the following obsolete patches
opencryptoki-run-lock.patch (/var/lock and run/lock are actually the
same place) Also reverted the change to openCryptoki-tmp.conf to match.
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
ocki-3.1-fix-implicit-decl.patch
ocki-3.1-fix-init_d-path.patch
ocki-3.1-fix-libica-link.patch
ocki-3.2_01_fix-return-type-error.patch
ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
ocki-3.2_05_icsf_ldap_handles.patch
ocki-3.2_06_icsf_sign_verify.patch
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch
- Get a new ldap handle for each session opened in the icsf token,
once the user has authenticated. (bsc#953347,LTC#130078)
- ocki-3.2_05_icsf_ldap_handles.patch
- ocki-3.2_06_icsf_sign_verify.patch
- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070)
- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
- Fixed two public key object inclusion in EP11 token (bsc#946808)
- Added ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
- Fixed GPF when calling C_SignUpdate using ICSF token (bsc#946172)
- Added ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
- Fixed failure to import ECDSA because of lack of attribute (bsc#948114)
- Fixed BuildRequires: libica2-devel
- Added ocki-3.2_01_fix-return-type-error.patch
- Changing doc/README.ep11_stdll to unix-style EOL
- Added BuildRequires: dos2unix
- Removed globbing in %files and specified libraries to include (bsc#942162)
- Updated to openCryptoki v3.2 (FATE#318240)
- Removed unnecessary patches:
- ocki-3.1_01_ep11_makefile.patch
- ocki-3.1_02_ep11_m_init.patch
- ocki-3.1_03_ock_obj_mgr.patch
- ocki-3.1_04_ep11_opaque2blob_error_handl.patch
- ocki-3.1_05_ep11_readme_update.patch
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- ocki-3.1_06_0005-Small-reworks.patch
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- ocki-3.1_07_0001-Man-page-corrections.patch
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Also create parent directory /run/lock/opencryptoki in
tmpfiles snippet if it does not exist.
- spec: do not use -D__USE_BSD, a glibc-internal macro
which no longer has any meaning.
- spec: use %{_unitdir} %{_tmpfilesdir}
- spec: call tmpfiles_create macro, if defined in %post
- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use
/run/lock instead of /var/lock.
- Update to version 3.2
+New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if built with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
- Use %configure macro instead of manually defined options
- Build with parallel support; use %{?_smp_mflags} macro
- Fixed ica token's SHA update function when passing zero message
size (bnc#892644)
- Added patch ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Fixed README.ep11_stdll to have Unix-style EOL characters.
- Added patch ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
- Added all files from %src/doc as rpm %doc (bnc#894780)
- Added pkcscca utility and documentation to convert private
token objects from v2 to v3. (bnc#893757)
- Added patches:
- ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
- ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
- Fixed pkcsslotd and opencryptoki.conf man pages (bnc#889183)
- Added patch ocki-3.1_07_0001-Man-page-corrections.patch
- Specfile Cleanup, Added directory macros in appropriate places
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- Moved libpkcs11_icsf 32-bit out of s390-specific files
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
- Specfile changed to include pkcsep11_migrate and pkcsicsf tools
- Specfile changed to BuildRequires openldap2-devel
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- print_mechanism() ignored bad returncodes from the called
function token_specific_get_mechanism_list()
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- Fix failure when confname is not given, use default
ep11tok.conf instead
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- Removed check for ep11 lib at configure
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- Move stdint.h before zcrypt.h to resolve dependencies
- ocki-3.1_06_0005-Small-reworks.patch
- testcase fixes and file permission changes
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- Fix for s390 31-bit build error
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- zcrypt library included in build by default
- Patches applied (bnc#865549)
- Fixed Makefile to complement common code dependencies
- switched to official m_init() function based on library change
- checking the global token object count
- catch the return code from object_mgr_find_in_map1
- some README updates about usage and restrictions
- fix build on x86 (add CCA and TPM to filelist)
- fix libica detection on s390/s390x to get ICA module built
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_startup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
- enable ppc64le
- remove -o from groupadd
- fixed sed script to not a grouplist with leading ,
- don't package man pages twice
- add libtool as buildrequire to avoid implicit dependency
- enable TPM support (bnc#641919)
- pkcsslotd: Updated to use new pidfile location (bnc#475800)
- Added fix to allow backspacing during PIN entry (bnc#448089)
- run ldconfig in postinstall [bnc#417925]
- Enable build on x86_64 [bnc#417925]
- Overhaul of the specfile. All platforms build the base package
and each architecture builds the appropriate 32 or 64 bit package
- Updated to openCryptoki v2.2.6
- fix init script
- added pwdutils to buildreq
- fix missing return values from non-void funcs
- pkcsslotd: create PID file in the right place, delete it on
exit (bug #164664)
- added 64-bit patches from IBM (bug #145666)
- added small change missing from patch for bug #156651
- fixed location of pkcs11_startup in init script (bug #162372)
- fixed proc_t structure mixup (bug #156651)
- initialize head pointer (bug #156229)
- %ghost symlinks that are generated in %post (bug #154961)
- stuffed memleak (patch by IBM, bug #147036)
- changed RPM layout to meet IBM's demands (based on patch by IBM,
bug #145666)
- removed mmap, per-user data store support (patch by IBM, bug
#145666)
- converted neededforbuild to BuildRequires
- Update to 2.2.2-rc2
- Update to 2.2.1-rc2
- Fixed build errors
- Cleaned up spec file.
- copy TFAQ to build directory (fix build)
- Update to 2.1.6-rc5.
- Port fixes from SLES9 SP3.
- enabled for ARM
- fix #50050:
- ./configure.in: wrong test against $host makes ppc(64) miss
-DPKCS64 in CFLAGS
- corrected: S390 flag was set for ppc in this conditional
- run full autoreconf / simplify specfile a little
- Print correct error message (#37427 again).
- Check for the correct module on startup (#37427)
- update to openCryptoki-2.1.5, ppc64 version (#39026)
- adapt filelist on ppc
- Fix owner/group of files/directories
- no need to specify "root" as supplementary group for root,
it's already primary
- Update to openCryptoki-2.1.3
- Fixed configure errors.
- added directories to filelist
- remove CVS subdirs
- remove unpackaged files from buildroot
- removed duplicates from configure.in
- exclude ppc64 from the architectures, the package is built for.
64bit mode is not supported by IBM yet; dlopen wrappers are also
missing 64bit filename handling. (#20380)
- actually compress the openCryptoki-1.4*.tar.bz2
- make it even build ...
- make openCryptoki-XXbit PreReq: openCryptoki to enforce pkcs11 group
creation before package installation (#20079)
- correct version number (the patch actually lifts openCryptoki to 1.5)
- fix groupadd call to no longer silently ignore errors in all cases
using (hopefully) posix exit codes. alternative would be to use
undocumented '-f' option of groupadd.
- add user root to group pkcs11 to enable root to administrate the
crypto hardware support (#19566)
- misc security fixes (#18377)
- replaced openCryptoki-tools with openCryptoki-32bit and
openCryptoki-64bit
- moved dlopen objects that are available for non-x86 out of the
ifarch ix86
- moved postun to tools subpackge (which contains the daemon)
- removed include files. no development support for now.
- replaced %%ix86, etc by appropriate generic %%openCryptoki_tools_arch
and %%openCryptoki_no_tools_arch
- replaced all i386 occurrences with %ix86
- changed filelist to what's really built
- split package to openCryptoki and openCryptoki-tools to allow
parallel installation of 32bit tools with 64bit dlopen objects for
foreign middleware.
- removed automatic insserv on install, because the package needs
manual configuration (#18031)
- added missing %post before insserv (Bug #17600)
- Fix path in PreReq.
- add groupadd pkcs11 in %pre install
- updated to current version
- removed old START_ variable
- always use macros when calling insserv
- add lib64 support
- Added openssl to #neededforbuild, which is needed in addition to
openssl-devel
- initial version
OBS-URL: https://build.opensuse.org/request/show/843291
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=107
|
||
|
|
dbe3a3a7ff |
Accepting request 843288 from home:markkp:branches:security
- Upgraded to version 3.15.0 (jsc#SLE-13749, jsc#SLE-13666,
jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714
jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
* openCryptoki 3.15.0
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
* openCryptoki 3.14.0
- EP11: Dilithium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
* openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
OBS-URL: https://build.opensuse.org/request/show/843288
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=106
|
||
| 3535ace4c8 |
Accepting request 761262 from security
OBS-URL: https://build.opensuse.org/request/show/761262 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=55 |
|||
|
|
22f37498e5 |
Accepting request 761261 from home:markkp:branches:security
- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
The EP11 token may fail to import an ECC public key. Function
C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
OBS-URL: https://build.opensuse.org/request/show/761261
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=104 |
||
| 5a672f85f2 |
Accepting request 753057 from security
- Upgraded to version 3.12.1 (bsc#1157863)
* Fix pkcsep11_migrate tool
OBS-URL: https://build.opensuse.org/request/show/753057
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=54 |
|||
|
|
1470911ed6 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=102 | ||
|
|
c0154ab939 |
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch (bsc#1152015)
Add support for new IBM crypto card.
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=101 |
||
| cbd45d26e5 |
Accepting request 747496 from security
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch (bsc#1152015)
Add support for new IBM crypto card.
OBS-URL: https://build.opensuse.org/request/show/747496
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=53 |
|||
|
|
e32a01b2c9 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=99 | ||
|
|
c1dc5b2de9 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=98 | ||
|
|
013583e4c0 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=97 | ||
|
|
b8166a529f | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=96 | ||
|
|
fa64604504 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=95 | ||
|
|
be04f8e20e |
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch (bsc#1152015)
Add support for new IBM crypto card.
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch (bsc#1123988)
- Do not ignore errors from groupadd. If groupadd fails, installation
ought not to proceed because files would have the wrong ownership.
- Don't hide error messages from the groupadd command. To eliminate
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=94 |
||
|
|
f819296223 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=93 | ||
|
|
125bf08e32 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=92 | ||
|
|
d6fbf12ace |
Accepting request 747465 from home:markkp:branches:security
- Upgraded to version 3.12.0 (jsc#SLE-7647, jsc#SLE-7894, jsc#SLE-7915, jsc#SLE-7918)
* Update token pin and data store encryption for soft,ica,cca and ep11
* EP11: Allow importing of compressed EC public keys
* EP11: Add support for the CMAC mechanisms
* EP11: Add support for the IBM-SHA3 mechanisms
* SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
* ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
* EP11: Add config option USE_PRANDOM
* CCA: Use Random Number Generate Long for token_specific_rng()
* Common rng function: Prefer /dev/prandom over /dev/urandom
* ICA: add SHA*_RSA_PKCS_PSS mechanisms
* Bug fixes
- Removed obsolete ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch
- Added ocki-3.11.1-EP11-Support-tolerated-new-crypto-cards.patch (bsc#1152015)
Add support for new IBM crypto card.
OBS-URL: https://build.opensuse.org/request/show/747465
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=91 |
||
| 9a0779e2dd |
Accepting request 728363 from security
OBS-URL: https://build.opensuse.org/request/show/728363 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=52 |
|||
|
|
b9b0c3bdde |
Accepting request 728362 from home:markkp:branches:security
Upgrade to 3.11.1 OBS-URL: https://build.opensuse.org/request/show/728362 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=89 |
||
| 83aa39444a |
Accepting request 676277 from security
OBS-URL: https://build.opensuse.org/request/show/676277 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=51 |
|||
|
|
61fa2dac51 |
Accepting request 676276 from home:markkp:branches:security
- Added ocki-3.11-Fix-target_list-passing-for-EP11-session.patch (bsc#1123988) OBS-URL: https://build.opensuse.org/request/show/676276 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=87 |
||
| 273033a82d |
Accepting request 655691 from security
OBS-URL: https://build.opensuse.org/request/show/655691 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=50 |
|||
| 4008088d68 |
Accepting request 652754 from home:jengelh:branches:security
- Do not ignore errors from groupadd. If groupadd fails, installation
ought not to proceed because files would have the wrong ownership.
OBS-URL: https://build.opensuse.org/request/show/652754
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=85 |
|||
|
|
521acbf5c9 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=84 | ||
| 3087c3c1ce |
Accepting request 652748 from security
OBS-URL: https://build.opensuse.org/request/show/652748 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=49 |
|||
|
|
78bf8e7c8a |
Accepting request 652747 from home:markkp:branches:security
Misc changes OBS-URL: https://build.opensuse.org/request/show/652747 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=82 |
||
|
|
482abee6f9 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=81 | ||
|
|
f072b8698a |
- Don't hide error messages from the groupadd command. To eliminate
a potentially common one, check to see if the pkcs11 group is already defined before trying to add it.
- Update the summary for the -devel package.
- Changed several PreReq entries to Requires(pre) as a result of the output from spec-cleaner. Removed a couple of obsolete lines.
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=80 |
||
| bc9b0c7ad7 |
Accepting request 649627 from security
OBS-URL: https://build.opensuse.org/request/show/649627 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=48 |
|||
|
|
e7f80fc66d |
Accepting request 649626 from home:markkp:branches:security
- Upgraded to version 3.11.0 (Fate#325685)
* opencryptoki 3.11.0
EP11 enhancements
A lot of bug fixes
- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply
properly to 3.11, and renamed it to
ocki-3.11-remove-make-install-chgrp.patch
- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch
- Upgraded to version 3.10.0 (Fate#325685)
* opencryptoki 3.10.0
Add support to ECC on ICA token and to common code.
Add SHA224 support to SOFT token.
Improve pkcsslotd logging.
Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
Fix tracing of session id.
Fix and improve testcases.
Fix spec file permission for log directory.
Fix build warnings.
* opencryptoki 3.9.0
Fix token reinitialization
Fix conditional man pages
EP11 enhancements
EP11 EC Key import
Increase RSA max key length
Fix broken links on documentation
Define CK_FALSE and CK_TRUE macros
Improve build flags
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/log/opencryptoki/
OBS-URL: https://build.opensuse.org/request/show/649626
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=78
|
||
| aa50de6dc7 |
Accepting request 597603 from security
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch (bsc#1086678) OBS-URL: https://build.opensuse.org/request/show/597603 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=47 |
|||
|
|
4866a500c9 |
Accepting request 597601 from home:markkp:branches:security
- Added ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch (bsc#1086678) OBS-URL: https://build.opensuse.org/request/show/597601 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=76 |
||
| 9a4d74717d |
Accepting request 585158 from security
OBS-URL: https://build.opensuse.org/request/show/585158 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=46 |
|||
|
|
4539918c49 |
Accepting request 585157 from home:markkp:branches:security
- Re-enabled ARM architectures now that gcc6 is in SLE15. (bsc#1084617) OBS-URL: https://build.opensuse.org/request/show/585157 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=74 |
||
| cd7943207e |
Accepting request 546864 from security
OBS-URL: https://build.opensuse.org/request/show/546864 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=45 |
|||
|
|
cfbd8bf303 |
Accepting request 546863 from home:markkp:branches:security
- Upgraded to version 3.8.2 (fate#323295, bsc#1066412)
* v3.8.2
Update man pages.
Improve ock_tests for parallel execution.
Fix FindObjectsInit for hidden HW-feature.
Fix to allow vendor defined hardware features.
Fix unresolved symbols.
Fix tracing.
Code/project cleanup.
* v3.8.1
Fix TPM data-structure reset function.
Fix error message when dlsym fails.
Update configure.ac
Update travis.
* v3.8.0
Multi token instance feature.
Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
Updated documentation.
Fix segfault on ec_test.
Bunch of small fixes.
OBS-URL: https://build.opensuse.org/request/show/546863
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=72
|
||
| 6165f39b1f |
Accepting request 500232 from security
Fix for bsc#1039510 OBS-URL: https://build.opensuse.org/request/show/500232 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=44 |
|||
|
|
3d264fa667 |
Accepting request 500228 from home:markkp:branches:security
Fix for bsc#1039510 OBS-URL: https://build.opensuse.org/request/show/500228 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=70 |
||
| 0c6c511ab1 |
Accepting request 494813 from security
Updated to version 3.7.0 (Fate#321451) (bsc#1036640) OBS-URL: https://build.opensuse.org/request/show/494813 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=43 |
|||
|
|
cd6812de23 |
- Updated to version 3.7.0 (Fate#321451) (bsc#1036640)
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=67 |
||
| bfbc78d27e |
Accepting request 491366 from security
1 OBS-URL: https://build.opensuse.org/request/show/491366 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=42 |
|||
|
|
5f9d2f2ce9 |
Accepting request 491365 from home:markkp:branches:security
Added libica-tools to the BuildRequires due to repackaging of libica. OBS-URL: https://build.opensuse.org/request/show/491365 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=65 |
||
| 399e119092 |
Accepting request 481629 from security
1 OBS-URL: https://build.opensuse.org/request/show/481629 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=41 |
|||
|
|
f168c8daed |
Accepting request 481628 from home:markkp:branches:security
Missed a second BuildRequires for libica3-devel. OBS-URL: https://build.opensuse.org/request/show/481628 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=63 |
||
|
|
18e79c3575 |
Accepting request 481620 from home:markkp:branches:security
Missed a second BuildRequires for libica3-devel. OBS-URL: https://build.opensuse.org/request/show/481620 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=62 |
||
| 294be4d5ed |
Accepting request 480952 from security
1 OBS-URL: https://build.opensuse.org/request/show/480952 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=40 |
|||
|
|
4d86d0db29 |
Accepting request 480951 from home:markkp:branches:security
Fix problem with building on 32bit systems and make libica-devel requirement more generic. OBS-URL: https://build.opensuse.org/request/show/480951 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=60 |
||
|
|
9b51cd5951 |
Accepting request 480948 from home:markkp:branches:security
Fix problem with building on 32bit systems and make libica-devel requirement more generic. OBS-URL: https://build.opensuse.org/request/show/480948 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=59 |
||
| 3ff97425b0 |
Accepting request 460935 from security
1 OBS-URL: https://build.opensuse.org/request/show/460935 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=39 |
|||
|
|
1e158a83bf |
Accepting request 460930 from home:markkp:branches:security
Upgraded to version 3.6.2 (fate#321451) OBS-URL: https://build.opensuse.org/request/show/460930 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=57 |
||
| d71451abde |
Accepting request 451674 from security
Upgraded to latest version per IBM request (fate#321451) OBS-URL: https://build.opensuse.org/request/show/451674 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=38 |
|||
|
|
e9742235f7 |
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=55 |
||
|
|
d78499d297 |
- ocki-3.5-fix-pkcscca-calls.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=54 |
||
|
|
1ceb830200 |
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=53 |
||
|
|
1bad7c6c08 |
- ocki-3.5-added-NULLreturn-check.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=52 |
||
|
|
ad23c5b038 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=51 | ||
|
|
86f5b3be6b |
- ocki-3.5-icsf-reasoncode-2028-added.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=50 |
||
|
|
6633cafee3 |
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=49 |
||
|
|
150ba1b024 |
- ocki-3.5-downgrade-syslogerror.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=48 |
||
|
|
89a8628923 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=47 | ||
|
|
77def9041e |
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=46
|
||
|
|
62e0f2c13e |
- Removed obsolete ocki-3.5-sanity-checking.patch.
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=45 |
||
|
|
5bf8c27619 |
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Instruction on pkcscca tool.21451
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=44
|
||
| c69a1cd5d6 |
Accepting request 425354 from security
Corrected bug number in changes file. OBS-URL: https://build.opensuse.org/request/show/425354 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=37 |
|||
|
|
99ab635d6c | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=43 | ||
| 9a3dd47c2b |
Accepting request 424303 from home:markkp:branches:openSUSE:Factory
Latest fix from IBM developers. OBS-URL: https://build.opensuse.org/request/show/424303 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=42 |
|||
| 1427467aaa |
Accepting request 416905 from security
1 OBS-URL: https://build.opensuse.org/request/show/416905 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=36 |
|||
| ff7be92b95 |
Accepting request 415916 from home:markkp:branches:security
Trivial change to add FAQ file to %doc. bsc#991168 OBS-URL: https://build.opensuse.org/request/show/415916 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=40 |
|||
| 4a376b4d8c |
Accepting request 415809 from security
1 OBS-URL: https://build.opensuse.org/request/show/415809 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=35 |
|||
| ad9b7480fa |
Accepting request 412843 from home:markkp:branches:security
Latest patch from IBM. OBS-URL: https://build.opensuse.org/request/show/412843 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=38 |
|||
| 0dceb4baf5 |
Accepting request 407345 from security
IBM fixes for bsc#986854. OBS-URL: https://build.opensuse.org/request/show/407345 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=34 |
|||
|
|
d795e80599 |
- Added the following patches (bsc#986854)
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-icsf-coverity-memoryleakfix.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=37 |
||
| e37eab988e |
Accepting request 403770 from security
Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/403770 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=33 |
|||
|
|
dfc5337165 |
- Added ocki-3.5-sanity-checking.patch (bsc#983496).
- Added %dir entry for %{_localstatedir}/log/opencryptoki/
(bsc#983990)
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=35
|
||
| 87bc50dce4 |
Accepting request 400390 from security
1 OBS-URL: https://build.opensuse.org/request/show/400390 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=32 |
|||
| 80f427e8ac |
Accepting request 399027 from home:markkp:branches:security
Added more bullet items to the changes file per dimstar's request. OBS-URL: https://build.opensuse.org/request/show/399027 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=33 |
|||
|
|
3303e660f7 |
Accepting request 398345 from home:oertel:branches:security
- Upgraded to openCryptoki 3.5 (bsc#978005). OBS-URL: https://build.opensuse.org/request/show/398345 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=32 |
||
| b1973cba38 |
Accepting request 390331 from security
- Upgraded to openCryptoki v3.4.1 (Fate#319576, 319585, 319592, 319938).
- Changed BuildRequires for libica_2_3_0-devel to libica2-devel.
- Changed BuildRequires for openssl-devel to specify >= 1.0
Contrary to what the README says, version 0.9.7 isn't
sufficient.
- Removed the redundant DESTDIR= parameter from the %make_install
- Removed the following obsolete patches
opencryptoki-run-lock.patch (/var/lock and run/lock are actually the
same place). Also reverted the change to openCryptoki-tmp.conf to match.
ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
ocki-3.1-fix-implicit-decl.patch
ocki-3.1-fix-init_d-path.patch
ocki-3.1-fix-libica-link.patch
ocki-3.2_01_fix-return-type-error.patch
ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
ocki-3.2_03_ICSF-Token-C_SignUpdate-was-sometimes-segfaulting-an.patch
ocki-3.2_04_CKA_EC_POINT-is-not-required-in-the-ECDSA-private-ke.patch
ocki-3.2_05_icsf_ldap_handles.patch
ocki-3.2_06_icsf_sign_verify.patch
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch
- Get a new ldap handle for each session opened in the icsf token,
once the user has authenticated. (bsc#953347,LTC#130078)
- ocki-3.2_05_icsf_ldap_handles.patch
- ocki-3.2_06_icsf_sign_verify.patch
- Added /var/lib/opencryptoki/lite/TOK_OBJ token directory (bsc#943070)
- Added ocki-3.2_02_ep11-token-incorrectly-copied-the-public-key-object-.patch
- Fixed two public key object inclusion in EP11 token (bsc#946808)
OBS-URL: https://build.opensuse.org/request/show/390331
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=31
|
|||
| 1e173dfe5e |
- renamed: ocki-3.1-remove-make-install-chgrp-chmod.patch to
ocki-3.1-remove-make-install-chgrp.patch OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=30 |
|||
| 695604103a |
Accepting request 390252 from home:markkp:branches:security
Reconciled all the differences between the OBS and IBS versions of the package. Merged the changelog files so that everything is in there. OBS-URL: https://build.opensuse.org/request/show/390252 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=29 |
|||
| 6156f42135 |
Accepting request 298532 from security
1 OBS-URL: https://build.opensuse.org/request/show/298532 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=30 |
|||
| 7d406e241d |
Accepting request 294859 from home:elvigia:branches:security
- Also create parent directory /run/lock/opencryptoki in
tmpfiles snippet if it does not exist.
- spec: do not use -D__USE_BSD, a glibc-internal macro
which no longer has any meaning.
- spec: use %{_unitdir} %{_tmpfilesdir}
- spec: call tmpfiles_create macro, if defined in %post
- opencryptoki-run-lock.patch, openCryptoki-tmp.conf: use
/run/lock instead of /var/lock.
OBS-URL: https://build.opensuse.org/request/show/294859
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=27
|
|||
|
|
6564ad7bd1 |
Accepting request 265803 from security
- Update to version 3.2
+ New pkcscca tool. Currently it assists in migrating cca private token objects from opencryptoki version 2 to the clear key encryption method used in opencryptoki version 3. Includes a manpage for pkcscca tool. Changes to README.cca_stdll to assist in using the CCA token and migrating the private token objects.
+ Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
+ Various bugfixes.
+ New testcases for various crypto algorithms.
- Only depend on insserv if built with sysvinit support
- Remove obsolete patches; merged on upstream release
+ ocki-3.1_01_ep11_makefile.patch
+ ocki-3.1_02_ep11_m_init.patch
+ ocki-3.1_03_ock_obj_mgr.patch
+ ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+ ocki-3.1_05_ep11_readme_update.patch
+ ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+ ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+ ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
+ ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+ ocki-3.1_06_0005-Small-reworks.patch
+ ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
+ ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+ ocki-3.1_07_0001-Man-page-corrections.patch
+ ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
+ ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
+ ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
+ ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
- Project is now hosted on sourceforge; fix the Url
- Remove cvs related stuff; tarball is produced by upstream
OBS-URL: https://build.opensuse.org/request/show/265803
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=29 |
||
| adb9bc9138 | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=25 | |||
| a15255e127 |
Accepting request 265545 from home:posophe:branches:security
Update + changes OBS-URL: https://build.opensuse.org/request/show/265545 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=24 |
|||
|
|
2dccdb2e72 |
Accepting request 247774 from security
1 OBS-URL: https://build.opensuse.org/request/show/247774 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=28 |
||
|
|
e535e749ba |
Accepting request 247737 from home:jjolly:branches:security
Fixed zero length bug in ica token OBS-URL: https://build.opensuse.org/request/show/247737 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=22 |
||
| bbdcb346df |
Accepting request 247627 from home:jjolly:branches:security
Fixed several bugs and cleaned up changes and specfile OBS-URL: https://build.opensuse.org/request/show/247627 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=21 |
|||
|
|
6e19df1fb8 |
Accepting request 247238 from security
- Specfile Cleanup, Added directory macros in appropriate places
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- Moved libpkcs11_icsf 32-bit out of s390-specific files
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
OBS-URL: https://build.opensuse.org/request/show/247238
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=27
|
||
| eb0091de2e |
ocki-3.1_01_ep11_makefile.patch
ocki-3.1_02_ep11_m_init.patch
- Patches added:
ocki-3.1-fix-libica-link.patch
ocki-3.1_03_ock_obj_mgr.patch
ocki-3.1_04_ep11_opaque2blob_error_handl.patch
ocki-3.1_05_ep11_readme_update.patch
ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
ocki-3.1_06_0005-Small-reworks.patch
ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=19 |
|||
| f04f03e4fb |
Accepting request 244776 from home:sfalken:branches:security
- Specfile Cleanup, Added directory macros in appropriate places OBS-URL: https://build.opensuse.org/request/show/244776 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=18 |
|||
|
|
d6c48bed19 |
Accepting request 238818 from home:jjolly:branches:security
Fixes for bnc#880217 - systemd enabled OBS-URL: https://build.opensuse.org/request/show/238818 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=17 |
||
|
|
2ff7602f87 |
Accepting request 221145 from security
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_starup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
OBS-URL: https://build.opensuse.org/request/show/221145
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=25
|
||
| 8883ecb0ec | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=15 | |||
| 7de3ec42fa | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=14 | |||
| 58a54abac4 |
Accepting request 220960 from home:oertel:branches:security
- Updated to openCryptoki v3.1: See ChangeLog for complete details
(FATE#315426)
- opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with
Enterprise PKCS#11(EP11) firmware. (FATE#315330)
- opencryptoki-3.0
- New opencryptoki.conf file to replace pk_config_data and
pkcs11_starup. The opencryptoki.conf contains slot entry
information for tokens.
- Removed pkcs_slot and pkcs11_startup shell scripts.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6
mechanisms using 3DES keys. (FATE#315323)
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL
mechanisms. (FATE#315323)
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64,
CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL
mechanisms. (FATE#315323)
- opencryptoki-2.4.1 (21 Feb 2012)
- SHA256 support added for CCA token (FATE#315289)
- Using insserv macros in %post, %preun and %postun sections
- Cleaned up spec file
- removed patches:
- ocki-2.2.6-PIN-backspace.patch
- added patches:
- ocki-3.1-fix-implicit-decl.patch
- ocki-3.1-remove-make-install-chgrp-chmod.patch
- ocki-3.1-fix-init_d-path.patch
- add aarch64 to 64bit archs
OBS-URL: https://build.opensuse.org/request/show/220960
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=13
|
|||
|
|
faa609e4a8 |
Accepting request 210666 from security
- enable ppc64le (forwarded request 210434 from k0da) OBS-URL: https://build.opensuse.org/request/show/210666 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=24 |
||
| 69ccf932a4 |
Accepting request 210434 from openSUSE:Factory:PowerLE
- enable ppc64le OBS-URL: https://build.opensuse.org/request/show/210434 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=11 |
|||
|
|
3192086b77 |
Accepting request 144723 from security
- remove -o from groupadd
- fixed sed script to not a grouplist with leading ,
OBS-URL: https://build.opensuse.org/request/show/144723
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=21 |
||
| 111fc52ebc | OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=9 | |||
| bddeada3ae |
- remove -o from groupadd
- fixed sed script to not a grouplist with leading , OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=8 |
|||
| 4ce1688b56 |
tst
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=7 |
|||
|
|
9df010dfe3 |
replace license with spdx.org variant
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=19 |
||
|
|
13cc05d070 |
Accepting request 93939 from security
- don't package man pages twice
- add libtool as buildrequire to avoid implicit dependency (forwarded request 93825 from coolo)
OBS-URL: https://build.opensuse.org/request/show/93939
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=18 |
||
|
|
79cff14eaa |
Accepting request 49193 from security
Copy from security/openCryptoki based on submit request 49193 from user msmeissn OBS-URL: https://build.opensuse.org/request/show/49193 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=15 |
||
|
|
c18d901469 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=12 | ||
|
|
a5878ecb54 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=10 | ||
|
|
7af27b0998 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=9 | ||
|
|
0e42b677b0 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=8 | ||
|
|
84ae498888 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=7 | ||
|
|
021e988f55 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=6 | ||
|
|
96cc5a8614 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=5 | ||
|
|
ee5cc2e86f | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=4 | ||
|
|
bc1979e539 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=3 | ||
|
|
b9b5fe6119 | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=2 | ||
|
|
f6f067176e | OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=1 |