Accepting request 1328731 from security

OBS-URL: https://build.opensuse.org/request/show/1328731
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=91

ocki-3.26-remove-make-install-chgrp.patch

@@ -1,21 +1,26 @@
---- Makefile.am	2023-05-15 14:42:55.000000000 +0200
-+++ Makefile-3.21.am	2023-05-25 17:13:36.266936832 +0200
-@@ -39,14 +39,9 @@
+--- a/Makefile.am	2025-11-11 08:58:19.000000000 +0100
++++ b/Makefile.am	2025-11-12 10:21:00.563936369 +0100
+@@ -51,19 +51,9 @@
  include doc/doc.mk
  
  install-data-hook:
+-if AIX
+-	lsgroup $(pkcs_group) > /dev/null || $(GROUPADD) -a pkcs11
+-	lsuser $(pkcsslotd_user) > /dev/null || $(USERADD) -g $(pkcs_group) -d $(DESTDIR)$(RUN_PATH)/opencryptoki -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+-else
 -	getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
--	getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
- 	$(MKDIR_P) $(DESTDIR)/run/opencryptoki/
--	$(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/
--	$(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/
- 	$(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/
+-	getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d $(RUN_PATH)/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+-endif
+ 	$(MKDIR_P) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+-	$(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+ 	$(CHMOD) 0710 $(DESTDIR)$(RUN_PATH)/opencryptoki/
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
  if ENABLE_LIBRARY
  	$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
-@@ -66,19 +61,15 @@
+@@ -83,19 +73,15 @@
  endif
  if ENABLE_PKCSHSM_MK_CHANGE
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
@@ -24,7 +29,7 @@
  endif
  if ENABLE_CCATOK
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_cca.so PKCS11_CCA.so
+ 		ln -fs libpkcs11_cca.$(SHLIBEXT) PKCS11_CCA.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
@@ -35,9 +40,9 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/cca_stdll/ccatok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || true
-@@ -87,12 +78,9 @@
+@@ -104,12 +90,9 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_ep11.so PKCS11_EP11.so
+ 		ln -fs libpkcs11_ep11.$(SHLIBEXT) PKCS11_EP11.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
@@ -48,16 +53,21 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true
-@@ -100,30 +88,24 @@
+@@ -117,34 +100,28 @@
  endif
  if ENABLE_P11SAK
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
 -	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
-+	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL)  -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
++	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+ endif
+ if ENABLE_P11KMIP
+ 	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+-	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
++	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
  endif
  if ENABLE_ICATOK
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_ica.so PKCS11_ICA.so
+ 		ln -fs libpkcs11_ica.$(SHLIBEXT) PKCS11_ICA.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
@@ -69,7 +79,7 @@
  endif
  if ENABLE_SWTOK
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_sw.so PKCS11_SW.so
+ 		ln -fs libpkcs11_sw.$(SHLIBEXT) PKCS11_SW.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
@@ -80,9 +90,9 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
  endif
  if ENABLE_TPMTOK
-@@ -131,10 +113,8 @@
+@@ -152,10 +129,8 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_tpm.so PKCS11_TPM.so
+ 		ln -fs libpkcs11_tpm.$(SHLIBEXT) PKCS11_TPM.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
@@ -91,9 +101,9 @@
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
  endif
  if ENABLE_ICSFTOK
-@@ -142,16 +122,14 @@
+@@ -163,16 +138,14 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
- 		ln -fs libpkcs11_icsf.so PKCS11_ICSF.so
+ 		ln -fs libpkcs11_icsf.$(SHLIBEXT) PKCS11_ICSF.$(SHLIBEXT)
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
@@ -107,11 +117,11 @@
 -	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
 +	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
  endif
+ if !AIX
  	$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
- 	echo "$(libdir)/opencryptoki" >\
-@@ -162,7 +140,6 @@
- 	@echo "Remember you must run ldconfig before using the above settings"
+@@ -185,7 +158,6 @@
  	@echo "--------------------------------------------------------------"
+ endif
  	$(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
 -	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)

openCryptoki-CVE-2026-22791-commit-e37e912.patch

@@ -0,0 +1,113 @@
+From e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 8 Jan 2026 10:48:29 +0100
+Subject: [PATCH] COMMON: Fix CKM_ECDH_AES_KEY_WRAP buffer size calculation
+ with compressed keys
+
+When a C_WrapKey with CKM_ECDH_AES_KEY_WRAP is performed, and the EC public
+key used with it uses a compressed EC point, then the size of the wrapped
+key material is calculated wrongly. This may lead to an out-of-bounds write
+when the caller provides a buffer of that calculated size.
+
+The temporary EC key generated internally by this mechanism is always
+uses an uncompressed EC point, but the buffer size is erroneously calculated
+using the EC point of the supplied EC public key. Thus, in case a compressed
+EC point is supplied, the buffer size calculation results in a too short
+buffer.
+
+Fix this by calculating the buffer size using the EC point of the internally
+generated EC key, because this is what is later on written to the buffer.
+
+Fixes: 785d7577e1477d12fbe235554e7e7b24f2de34b7
+Reported-by: Pavel Kohout of Aisle Research, www.aisle.com
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/common/mech_ec.c | 54 ++++++++++++++++++++--------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
+index 2399c1cfb..ce031ec0c 100644
+--- a/usr/lib/common/mech_ec.c
++++ b/usr/lib/common/mech_ec.c
+@@ -1758,6 +1758,31 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+         goto done;
+     }
+ 
++    /* Get the (raw) size of the generated EC point */
++    rc = object_mgr_find_in_map1(tokdata, ec_publ_key_handle,
++                                 &pub_key_obj, READ_LOCK);
++    if (rc != CKR_OK) {
++        TRACE_ERROR("Failed to acquire key from EC public key handle.\n");
++        if (rc == CKR_OBJECT_HANDLE_INVALID)
++            rc = CKR_KEY_HANDLE_INVALID;
++        goto done;
++    }
++
++    rc = template_attribute_get_non_empty(pub_key_obj->template, CKA_EC_POINT,
++                                          &ec_point);
++    if (rc != CKR_OK) {
++        TRACE_DEVEL("Failed to get CKA_EC_POINT.\n");
++        goto done;
++    }
++
++    rc = ber_decode_OCTET_STRING((CK_BYTE *)ec_point->pValue,
++                                  &pub_ec_point, &pub_ec_point_len, &field_len);
++    if (rc != CKR_OK || field_len != ec_point->ulValueLen) {
++        rc = CKR_FUNCTION_FAILED;
++        TRACE_DEVEL("Failed to decode CKA_EC_POINT.\n");
++        goto done;
++    }
++
+     /* Perform ECDH to derive a shared AES key */
+     ecdh_params.kdf = params->kdf;
+     ecdh_params.pSharedData = params->pSharedData;
+@@ -1813,7 +1838,7 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+     }
+ 
+     /* Calculate the final length of the wrapped key data */
+-    total_len = ecdh_params.ulPublicDataLen + wrapped_key_len;
++    total_len = pub_ec_point_len + wrapped_key_len;
+ 
+     if (length_only) {
+         *out_data_len = total_len;
+@@ -1831,31 +1856,6 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+      * Copy the (raw) EC point of the public transport EC key as first part of
+      * the wrapped key data.
+      */
+-    rc = object_mgr_find_in_map1(tokdata, ec_publ_key_handle,
+-                                 &pub_key_obj, READ_LOCK);
+-    if (rc != CKR_OK) {
+-        TRACE_ERROR("Failed to acquire key from EC public key handle.\n");
+-        if (rc == CKR_OBJECT_HANDLE_INVALID)
+-            return CKR_KEY_HANDLE_INVALID;
+-        else
+-            return rc;
+-    }
+-
+-    rc = template_attribute_get_non_empty(pub_key_obj->template, CKA_EC_POINT,
+-                                          &ec_point);
+-    if (rc != CKR_OK) {
+-        TRACE_DEVEL("Failed to get CKA_EC_POINT.\n");
+-        goto done;
+-    }
+-
+-    rc = ber_decode_OCTET_STRING((CK_BYTE *)ec_point->pValue,
+-                                  &pub_ec_point, &pub_ec_point_len, &field_len);
+-    if (rc != CKR_OK || field_len != ec_point->ulValueLen) {
+-        rc = CKR_FUNCTION_FAILED;
+-        TRACE_DEVEL("Failed to decode CKA_EC_POINT.\n");
+-        goto done;
+-    }
+-
+     memcpy(out_data, pub_ec_point, pub_ec_point_len);
+ 
+     /*
+@@ -1864,7 +1864,7 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+      */
+     rc = encr_mgr_encrypt(tokdata, sess, FALSE, &aeskw_ctx,
+                           in_data, in_data_len,
+-                          out_data + ecdh_params.ulPublicDataLen,
++                          out_data + pub_ec_point_len,
+                           &wrapped_key_len);
+     if (rc != CKR_OK) {
+         TRACE_ERROR("Failed to encrypt the to-be-wrapped key: %s (0x%lx)\n",

openCryptoki-CVE-2026-23893-commit-5e6e4b4.patch

@@ -0,0 +1,460 @@
+From 5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45 Mon Sep 17 00:00:00 2001
+From: Pavel Kohout <pavel@aisle.com>
+Date: Tue, 13 Jan 2026 00:00:00 +0000
+Subject: [PATCH] Fix symlink-following vulnerabilities (CWE-59)
+
+Multiple symlink-following vulnerabilities exist in OpenCryptoki that run
+in privileged contexts. These allow a token-group user to redirect file
+operations to arbitrary filesystem targets by planting symlinks in
+group-writable token directories, resulting in privilege escalation or
+data exposure.
+
+Affected components:
+1. pkcstok_admin: set_file_permissions() uses stat() which follows symlinks,
+   then applies chmod/chown to the symlink target.
+2. pkcstok_migrate: fopen() follows symlinks, then set_perm() modifies the
+   target permissions.
+3. loadsave.c: Multiple wrapper functions use fopen() followed by set_perm().
+4. hsm_mk_change.c: hsm_mk_change_op_open() uses fopen() followed by
+   hsm_mk_change_op_set_perm().
+5. pbkdf.c: fopen() followed by set_perms() in two locations.
+
+This fix:
+- Introduces fopen_nofollow() helper in platform.h
+- Checks for O_NOFOLLOW at compile time (not hardcoded per-platform)
+- On platforms with O_NOFOLLOW: uses open(O_NOFOLLOW) + fdopen() for atomic
+  symlink rejection (race-condition free)
+- On platforms without O_NOFOLLOW: falls back to lstat() + fopen() and emits
+  a compiler warning so the unsafe fallback doesn't go unnoticed
+- Updates all affected wrapper functions to use fopen_nofollow()
+- pkcstok_admin: Uses lstat() instead of stat() and skips symlinks
+
+Reported-by: Pavel Kohout, Aisle Research, www.aisle.com
+Signed-off-by: Pavel Kohout <pavel@aisle.com>
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/common/loadsave.c                  | 81 +++++++++++++++++----
+ usr/lib/common/platform.h                  | 82 +++++++++++++++++++++-
+ usr/lib/hsm_mk_change/hsm_mk_change.c      |  8 ++-
+ usr/lib/icsf_stdll/pbkdf.c                 | 17 +++--
+ usr/sbin/pkcstok_admin/pkcstok_admin.c     |  9 ++-
+ usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 23 ++++--
+ 6 files changed, 194 insertions(+), 26 deletions(-)
+
+diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
+index 18b8aa044..f9c0cc7f0 100644
+--- a/usr/lib/common/loadsave.c
++++ b/usr/lib/common/loadsave.c
+@@ -68,9 +68,17 @@ static FILE *open_token_object_path(char *buf, size_t buflen,
+                                     STDLL_TokData_t *tokdata, const char *path,
+                                     const char *mode)
+ {
++    FILE *fp;
++
+     if (get_token_object_path(buf, buflen, tokdata, path, NULL) < 0)
+         return NULL;
+-    return fopen(buf, mode);
++
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(buf, mode);
++    if (fp == NULL && errno == ELOOP)
++        TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
++
++    return fp;
+ }
+ 
+ static FILE *open_token_object_path_new(char *newbuf, size_t newbuflen,
+@@ -78,11 +86,19 @@ static FILE *open_token_object_path_new(char *newbuf, size_t newbuflen,
+                                         STDLL_TokData_t *tokdata,
+                                         const char *path, const char *mode)
+ {
++    FILE *fp;
++
+     if (get_token_object_path(newbuf, newbuflen, tokdata, path, ".TMP") < 0)
+         return NULL;
+     if (get_token_object_path(basebuf, basebuflen, tokdata, path, NULL) < 0)
+         return NULL;
+-    return fopen(newbuf, mode);
++
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(newbuf, mode);
++    if (fp == NULL && errno == ELOOP)
++        TRACE_ERROR("Refusing to follow symlink: %s\n", newbuf);
++
++    return fp;
+ }
+ 
+ static int get_token_data_store_path(char *buf, size_t buflen,
+@@ -101,9 +117,17 @@ static FILE *open_token_data_store_path(char *buf, size_t buflen,
+                                         STDLL_TokData_t *tokdata,
+                                         const char *path, const char *mode)
+ {
++    FILE *fp;
++
+     if (get_token_data_store_path(buf, buflen, tokdata, path, NULL) < 0)
+         return NULL;
+-    return fopen(buf, mode);
++
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(buf, mode);
++    if (fp == NULL && errno == ELOOP)
++        TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
++
++    return fp;
+ }
+ 
+ static FILE *open_token_data_store_path_new(char *newbuf, size_t newbuflen,
+@@ -111,11 +135,19 @@ static FILE *open_token_data_store_path_new(char *newbuf, size_t newbuflen,
+                                             STDLL_TokData_t *tokdata,
+                                             const char *path, const char *mode)
+ {
++    FILE *fp;
++
+     if (get_token_data_store_path(newbuf, newbuflen, tokdata, path, ".TMP") < 0)
+         return NULL;
+     if (get_token_data_store_path(basebuf, basebuflen, tokdata, path, NULL) < 0)
+         return NULL;
+-    return fopen(newbuf, mode);
++
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(newbuf, mode);
++    if (fp == NULL && errno == ELOOP)
++        TRACE_ERROR("Refusing to follow symlink: %s\n", newbuf);
++
++    return fp;
+ }
+ 
+ static FILE *open_token_object_index(char *buf, size_t buflen,
+@@ -127,17 +159,27 @@ static FILE *open_token_object_index(char *buf, size_t buflen,
+ static FILE *open_token_nvdat(char *buf, size_t buflen,
+                               STDLL_TokData_t *tokdata, const char *mode)
+ {
++    FILE *fp;
++
+     if (ock_snprintf(buf, buflen, "%s/" PK_LITE_NV, tokdata->data_store)) {
+         TRACE_ERROR("NVDAT.TOK file name buffer overflow\n");
+         return NULL;
+     }
+-    return fopen(buf, mode);
++
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(buf, mode);
++    if (fp == NULL && errno == ELOOP)
++        TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
++
++    return fp;
+ }
+ 
+ static FILE *open_token_nvdat_new(char *newbuf, size_t newbuflen,
+                                   char *basebuf, size_t basebuflen,
+                                   STDLL_TokData_t *tokdata, const char *mode)
+ {
++    FILE *fp;
++
+     if (ock_snprintf(newbuf, newbuflen, "%s/" PK_LITE_NV ".TMP",
+                      tokdata->data_store)) {
+         TRACE_ERROR("NVDAT.TOK file name buffer overflow\n");
+@@ -148,7 +190,13 @@ static FILE *open_token_nvdat_new(char *newbuf, size_t newbuflen,
+         TRACE_ERROR("NVDAT.TOK file name buffer overflow\n");
+         return NULL;
+     }
+-    return fopen(newbuf, mode);
++
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(newbuf, mode);
++    if (fp == NULL && errno == ELOOP)
++        TRACE_ERROR("Refusing to follow symlink: %s\n", newbuf);
++
++    return fp;
+ }
+ 
+ static CK_RV close_token_file_new(FILE * fp, CK_RV rc,
+@@ -289,9 +337,12 @@ CK_RV save_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
+     // we didn't find it...either the index file doesn't exist or this
+     // is a new object...
+     //
+-    fp = fopen(fname, "a");
++    fp = fopen_nofollow(fname, "a");
+     if (!fp) {
+-        TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
++        if (errno == ELOOP)
++            TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
++        else
++            TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
+         return CKR_FUNCTION_FAILED;
+     }
+ 
+@@ -663,11 +714,14 @@ CK_RV load_token_data_old(STDLL_TokData_t *tokdata, CK_SLOT_ID slot_id)
+         if (errno == ENOENT) {
+             init_token_data(tokdata, slot_id);
+ 
+-            fp = fopen(fname, "r");
++            fp = fopen_nofollow(fname, "r");
+             if (!fp) {
+                 // were really hosed here since the created
+                 // did not occur
+-                TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
++                if (errno == ELOOP)
++                    TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
++                else
++                    TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
+                 rc = CKR_FUNCTION_FAILED;
+                 goto out_unlock;
+             }
+@@ -2345,11 +2399,14 @@ CK_RV load_token_data(STDLL_TokData_t *tokdata, CK_SLOT_ID slot_id)
+         if (errno == ENOENT) {
+             init_token_data(tokdata, slot_id);
+ 
+-            fp = fopen(fname, "r");
++            fp = fopen_nofollow(fname, "r");
+             if (!fp) {
+                 // were really hosed here since the created
+                 // did not occur
+-                TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
++                if (errno == ELOOP)
++                    TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
++                else
++                    TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
+                 rc = CKR_FUNCTION_FAILED;
+                 goto out_unlock;
+             }
+diff --git a/usr/lib/common/platform.h b/usr/lib/common/platform.h
+index 799821b57..51cc1c737 100644
+--- a/usr/lib/common/platform.h
++++ b/usr/lib/common/platform.h
+@@ -7,7 +7,16 @@
+  * found in the file LICENSE file or at
+  * https://opensource.org/licenses/cpl1.0.php
+  */
++#ifndef PLATFORM_H
++#define PLATFORM_H
++
+ #include <dlfcn.h>
++#include <stdio.h>
++#include <fcntl.h>
++#include <unistd.h>
++#include <string.h>
++#include <errno.h>
++#include <sys/stat.h>
+ 
+ #if defined(_AIX)
+ #include "aix/getopt.h"
+@@ -30,10 +39,81 @@
+ /* for htobexx, htolexx, bexxtoh and lexxtoh macros */
+ #include <endian.h>
+ /* macros from bsdlog and friends */
+-#include <stdio.h>
+ #include <err.h>
+ 
+ #define OCK_API_LIBNAME "libopencryptoki.so"
+ #define DYNLIB_LDFLAGS (RTLD_NOW)
+ 
+ #endif /* _AIX */
++
++/*
++ * Check for O_NOFOLLOW support at compile time.
++ * If not available, fall back to lstat() + fopen() (has TOCTOU race).
++ */
++#ifndef O_NOFOLLOW
++#define OCK_NO_O_NOFOLLOW 1
++#warning "O_NOFOLLOW not supported, symlink protection uses racy lstat() fallback!"
++#endif
++
++/*
++ * CWE-59 fix: Open file without following symlinks.
++ *
++ * On platforms with O_NOFOLLOW support:
++ *   Uses open(O_NOFOLLOW) + fdopen() for atomic symlink rejection.
++ *
++ * On platforms without O_NOFOLLOW (e.g., older AIX):
++ *   Falls back to lstat() + fopen(). This has a TOCTOU race condition,
++ *   but still catches pre-planted symlinks which is the common attack
++ *   scenario. Better than no protection at all.
++ *
++ * Returns NULL with errno=ELOOP if path is a symlink.
++ */
++static inline FILE *fopen_nofollow(const char *path, const char *mode)
++{
++#ifdef OCK_NO_O_NOFOLLOW
++    /*
++     * Fallback for platforms without O_NOFOLLOW: use lstat() check.
++     * This has a TOCTOU race but catches pre-planted symlinks.
++     */
++    struct stat sb;
++
++    if (lstat(path, &sb) == 0) {
++        if (S_ISLNK(sb.st_mode)) {
++            errno = ELOOP;
++            return NULL;
++        }
++    }
++    /* Note: if lstat fails (e.g., file doesn't exist for "w" mode),
++     * we proceed with fopen() which will handle the error appropriately */
++    return fopen(path, mode);
++#else
++    /* Preferred: atomic symlink rejection via O_NOFOLLOW */
++    int flags = O_NOFOLLOW;
++    int fd;
++    FILE *fp;
++
++    /* Determine flags based on mode */
++    if (mode[0] == 'r') {
++        flags |= (mode[1] == '+') ? O_RDWR : O_RDONLY;
++    } else if (mode[0] == 'w') {
++        flags |= O_CREAT | O_TRUNC | ((mode[1] == '+') ? O_RDWR : O_WRONLY);
++    } else if (mode[0] == 'a') {
++        flags |= O_CREAT | O_APPEND | ((mode[1] == '+') ? O_RDWR : O_WRONLY);
++    } else {
++        return NULL;
++    }
++
++    fd = open(path, flags, 0600);
++    if (fd < 0)
++        return NULL;
++
++    fp = fdopen(fd, mode);
++    if (fp == NULL) {
++        close(fd);
++        return NULL;
++    }
++    return fp;
++#endif
++}
++
++#endif /* PLATFORM_H */
+diff --git a/usr/lib/hsm_mk_change/hsm_mk_change.c b/usr/lib/hsm_mk_change/hsm_mk_change.c
+index f40dfb43e..8c66546f6 100644
+--- a/usr/lib/hsm_mk_change/hsm_mk_change.c
++++ b/usr/lib/hsm_mk_change/hsm_mk_change.c
+@@ -623,9 +623,13 @@ static FILE* hsm_mk_change_op_open(const char *id, CK_SLOT_ID slot_id,
+ 
+     TRACE_DEVEL("file to open: %s mode: %s\n", hsm_mk_change_file, mode);
+ 
+-    fp = fopen(hsm_mk_change_file, mode);
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(hsm_mk_change_file, mode);
+     if (fp == NULL) {
+-        TRACE_ERROR("%s fopen(%s, %s): %s\n", __func__,
++        if (errno == ELOOP)
++            TRACE_ERROR("Refusing to follow symlink: %s\n", hsm_mk_change_file);
++        else
++            TRACE_ERROR("%s fopen(%s, %s): %s\n", __func__,
+                         hsm_mk_change_file, mode, strerror(errno));
+     }
+ 
+diff --git a/usr/lib/icsf_stdll/pbkdf.c b/usr/lib/icsf_stdll/pbkdf.c
+index 47d1b97c3..91230804f 100644
+--- a/usr/lib/icsf_stdll/pbkdf.c
++++ b/usr/lib/icsf_stdll/pbkdf.c
+@@ -26,6 +26,7 @@
+ #include "h_extern.h"
+ #include "pbkdf.h"
+ #include "trace.h"
++#include "platform.h"
+ 
+ 
+ CK_RV get_randombytes(unsigned char *output, int bytes)
+@@ -546,9 +547,13 @@ CK_RV secure_racf(STDLL_TokData_t *tokdata,
+     totallen = outputlen + AES_INIT_VECTOR_SIZE;
+ 
+     snprintf(fname, sizeof(fname), "%s/%s/%s", CONFIG_PATH, tokname, RACFFILE);
+-    fp = fopen(fname, "w");
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(fname, "w");
+     if (!fp) {
+-        TRACE_ERROR("fopen failed: %s\n", strerror(errno));
++        if (errno == ELOOP)
++            TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
++        else
++            TRACE_ERROR("fopen failed: %s\n", strerror(errno));
+         return CKR_FUNCTION_FAILED;
+     }
+ 
+@@ -619,9 +624,13 @@ CK_RV secure_masterkey(STDLL_TokData_t *tokdata,
+     /* get the total length */
+     totallen = outputlen + SALTSIZE;
+ 
+-    fp = fopen(fname, "w");
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    fp = fopen_nofollow(fname, "w");
+     if (!fp) {
+-        TRACE_ERROR("fopen failed: %s\n", strerror(errno));
++        if (errno == ELOOP)
++            TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
++        else
++            TRACE_ERROR("fopen failed: %s\n", strerror(errno));
+         return CKR_FUNCTION_FAILED;
+     }
+ 
+diff --git a/usr/sbin/pkcstok_admin/pkcstok_admin.c b/usr/sbin/pkcstok_admin/pkcstok_admin.c
+index 9912804ee..d144cc04c 100644
+--- a/usr/sbin/pkcstok_admin/pkcstok_admin.c
++++ b/usr/sbin/pkcstok_admin/pkcstok_admin.c
+@@ -336,11 +336,18 @@ static int set_file_permissions(const char *fname, const struct group *group,
+     pr_verbose("Setting permissions for '%s' with group '%s'", fname,
+                group->gr_name);
+ 
+-    if (stat(fname, &sb) != 0) {
++    /* CWE-59 fix: Use lstat to detect symlinks */
++    if (lstat(fname, &sb) != 0) {
+         warnx("'%s' does not exist.", fname);
+         return -1;
+     }
+ 
++    /* Only process regular files and directories (CWE-59 fix) */
++    if (!S_ISREG(sb.st_mode) && !S_ISDIR(sb.st_mode)) {
++        warnx("Skipping '%s': not a regular file or directory.", fname);
++        return 0;
++    }
++
+     if (sb.st_uid != 0) {
+         /* owner is not root */
+         pwd = getpwuid(sb.st_uid);
+diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+index 12b605b5b..9579e2364 100644
+--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+@@ -48,6 +48,7 @@
+ #include "local_types.h"
+ #include "h_extern.h"
+ #include "slotmgr.h" // for ock_snprintf
++#include "platform.h"
+ 
+ #define OCK_TOOL
+ #include "pkcs_utils.h"
+@@ -77,9 +78,14 @@ static FILE *open_datastore_file(char *buf, size_t buflen,
+         TRACE_ERROR("Path overflow for datastore file %s\n", file);
+         return NULL;
+     }
+-    res = fopen(buf, mode);
+-    if (!res)
+-        TRACE_ERROR("fopen(%s) failed, errno=%s\n", buf, strerror(errno));
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    res = fopen_nofollow(buf, mode);
++    if (!res) {
++        if (errno == ELOOP)
++            TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
++        else
++            TRACE_ERROR("fopen(%s) failed, errno=%s\n", buf, strerror(errno));
++    }
+     return res;
+ }
+ 
+@@ -94,9 +100,14 @@ static FILE *open_tokenobject(char *buf, size_t buflen,
+                     file, tokenobj);
+         return NULL;
+     }
+-    res = fopen(buf, mode);
+-    if (!res)
+-        TRACE_ERROR("fopen(%s) failed, errno=%s\n", buf, strerror(errno));
++    /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
++    res = fopen_nofollow(buf, mode);
++    if (!res) {
++        if (errno == ELOOP)
++            TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
++        else
++            TRACE_ERROR("fopen(%s) failed, errno=%s\n", buf, strerror(errno));
++    }
+     return res;
+ }
+ 

openCryptoki.changes

@@ -1,3 +1,154 @@
+-------------------------------------------------------------------
+Thu Jan 22 16:34:43 UTC 2026 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch (bsc#1257116,  CVE-2026-23893) 
+ * openCryptoki-CVE-2026-23893-commit-5e6e4b4.patch
+
+-------------------------------------------------------------------
+Wed Jan 14 13:06:33 UTC 2026 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch (bsc#1256673, CVE-2026-22791)
+  * openCryptoki-CVE-2026-22791-commit-e37e912.patch
+
+-------------------------------------------------------------------
+Thu Jan  8 10:14:17 UTC 2026 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Modified the .spec file for Immutable Mode (jsc#PED-14798)
+
+-------------------------------------------------------------------
+Wed Nov 12 09:04:02 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgrade openCryptoki to 3.26
+  * Soft: Add support for RSA keys up to 16K bits.
+  * CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
+  * p11sak: Add support for generating RSA keys up to 16K bits.
+  * Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism (CKM_SHA512_224_KEY_DERIVATION and CKM_SHA512_256_KEY_DERIVATION).
+  * Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
+  * p11sak: Add support for SHA-HMAC key types and key generation.
+  * p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping 
+    with various key wrapping mechanism.
+  * p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
+  * p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.
+  * Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
+  * EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
+  * p11sak: Add support for generating BLS12-381 EC keys.
+  * EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and 
+    a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
+  * CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires CCA v8.4 or later).
+  * Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
+  * p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
+  * Bug fixes. 
+- Removed obsolete patches
+  * ocki-3.25-remove-make-install-chgrp.patch 
+  * ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
+- Applied a new patch for version 3.26
+  * ocki-3.26-remove-make-install-chgrp.patch 
+
+-------------------------------------------------------------------
+Thu Aug 14 04:56:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch (bsc#1248002) 
+  * ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
+
+-------------------------------------------------------------------
+Tue Jul 29 07:27:20 UTC 2025 - Andreas Schwab <schwab@suse.de>
+
+- Add riscv64 to openCryptoki_64bit_arch
+
+-------------------------------------------------------------------
+Mon Jun 16 09:43:23 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgrade openCryptoki to version 3.25 (jsc#PED-3361)
+  * Updates/add supports
+    - ICA/Soft: Add support for PKCS#11 v3.0 SHAKE key derivation
+    - EP11: Add support for PKCS#11 v3.0 SHA3 and SHA3-HMAC mechanisms
+    - EP11: Add support for PKCS#11 v3.0 SHA3 mechanisms and MGFs for RSA-OAEP
+    - EP11: Add support for PKCS#11 v3.0 SHA3 variants of RSA-PKCS and ECDSA mechanisms
+    - CCA: Add support for CCA AES CIPHER secure key types
+    - CCA: Add support for the CKM_ECDH1_DERIVE mechanism
+    - Soft/ICA: Add support for the CKM_AES_KEY_WRAP[_*] mechanisms
+    - CCA/Soft/ICA: Add support for the CKM_RSA_AES_KEY_WRAP mechanism
+    - Soft/ICA: Add support for the CKM_ECDH_AES_KEY_WRAP mechanism
+    - ICA: Report mechanisms dependent on if libica is in FIPS mode
+    - P11KMIP: Add a tool for import and exporting PKCS#11 keys to a KMIP server
+    - EP11: Add support for opaque secure key blob import via C_CreateObject
+    - Soft/ICA: Add support for key wrapping with AES-GCM
+    - CCA: Add support for newer CCA versions on s390x and non-s390x platforms
+    - CCA: Add support for CKM_AES_GCM (single-part operations only)
+  * Amended the .spec file
+  * Removed obsolete patches:
+    - ocki-3.24-remove-group-from-tests.patch
+    - ocki-3.24-remove-make-install-chgrp.patch
+  * Applied a new patch for version 3.25
+    - ocki-3.25-remove-make-install-chgrp.patch 
+  * Bug fixes 
+
+-------------------------------------------------------------------
+Wed Dec 11 07:25:11 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki 
+        (jsc#PED-10291, jsc#PED-10290) 
+
+-------------------------------------------------------------------
+Tue Dec 10 07:08:59 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
+  * Changed attributes - %attr(0640,root,%{pkcs_group}) - of files below:
+    - %{_sysconfdir}/opencryptoki/strength.conf
+    - %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
+
+-------------------------------------------------------------------
+Thu Nov 21 10:42:00 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
+- Improved handling of user/group. use existing user/group if they
+  exist. create user/group if not (bsc#1225876)
+- Applied additional patch
+  * ocki-3.24-remove-group-from-tests.patch
+
+-------------------------------------------------------------------
+Fri Oct  4 08:11:35 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file (jsc#PED-10241) 
+- Updated the %configure flags for i586
+- Implemented a logic to exclude i586 arch
+
+-------------------------------------------------------------------
+Fri Sep 20 08:33:19 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgrade openCryptoki to version 3.24
+   (jsc#PED-10291, jsc#PED-10290, jsc#PED-10241)
+  * Add support for building Opencryptoki on the IBM AIX platform
+  * Add support for the CCA token on non-IBM Z platforms (x86_64, ppc64)
+  * Add support for protecting tokens with a token specific user group
+  * EP11: Add support for combined CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE
+  * CCA: Add support for Koblitz curve secp256k1. Requires CCA v7.2 or later
+  * CCA: Add support for IBM Dilithium (CKM_IBM_DILITHIUM). 
+    - On Linux on IBM Z: Requires CCA v7.1 or later for Round2-65, and 
+    CCA v8.0 for the Round 3 variants. 
+    - On other platforms: 
+    Requires CCA v7.2.43 or later for Round2-65, the Round 3 variants are currently not supported
+  * CCA: Add support for RSA-OAEP with SHA224, SHA384, and SHA512 on en-/decrypt. 
+    - Requires CCA v8.1 or later on Linux on IBM Z, not supported on other platforms
+  * CCA: Add support for PKCS#11 v3.0 SHA3 mechanisms. 
+    - Requires CCA v8.1 on Linux on IBM Z, not supported on other platforms
+  * ICA: Support new libica AES-GCM api using the KMA instruction on z14 and later
+  * ICA/Soft/ICSF: Add support for PKCS#11 v3.0 SHA3 mechanisms
+  * ICA/Soft: Add support for SHA based key derivation mechanisms
+  * ICA/Soft: Add support for CKD_*_SP800 KDFs for ECDH
+  * EP11/CCA/ICA/Soft: Add support for CKA_ALWAYS_AUTHENTICATE
+  * EP11/CCA: Support live guest relocation for protected key (PKEY) operations
+  * Soft: Experimental support for IBM Dilithium via OpenSSL OQS provider
+  * ICSF: Add support for SHA-2 mechanisms
+  * ICSF: Performance improvements for attribute retrieval
+  * p11sak: Add support for exporting a key or certificate as URI-PEM file
+  * p11sak: Import/export of IBM Dilithium keys in 'oqsprovider' format PEM files
+  * p11sak: Add option to show the master key verification patterns of secure keys
+  * Bug fixes
+- Amended the .spec file
+- Removed obsolete patch ocki-3.23-remove-make-install-chgrp.patchi
+- Added a new patch ocki-3.24-remove-make-install-chgrp.patch
+
 -------------------------------------------------------------------
 Thu Jul 18 06:07:40 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
@@ -1239,5 +1390,3 @@ Tue Feb  5 11:01:16 CET 2002 - froh@suse.de
 Wed Jan 30 16:20:48 CET 2002 - froh@suse.de
 
 - initial version
-
--------------------------------------------------------------------

openCryptoki.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openCryptoki
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,15 +19,25 @@
 %define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm}
 # support in the workings for: ppc64
 # no support in sight for: ia64
-%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
+%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64 riscv64
 # autobuild:/work/cd/lib/misc/group
 #   openCryptoki    pkcs11:x:64:
 %define pkcs11_group_id 64
 %define pkcs_group pkcs11
 %define oc_cvs_tag opencryptoki
 
+%ifarch s390 s390x
+    %define ocki_conf_flags --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
+%else
+    %ifnarch i586
+        %define ocki_conf_flags --disable-icatok --enable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --enable-pkcscca_migrate
+    %else
+        %define ocki_conf_flags --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --disable-pkcscca_migrate
+    %endif
+%endif
+
 Name:           openCryptoki
-Version:        3.23.0
+Version:        3.26.0
 Release:        0
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        CPL-1.0
@@ -39,8 +49,10 @@ Source2:        openCryptoki-TFAQ.html
 Source3:        openCryptoki-rpmlintrc
 # Patch 0 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
-Patch000:       ocki-3.23-remove-make-install-chgrp.patch
+Patch000:       ocki-3.26-remove-make-install-chgrp.patch
 #
+Patch010:       openCryptoki-CVE-2026-22791-commit-e37e912.patch
+Patch011:       openCryptoki-CVE-2026-23893-commit-5e6e4b4.patch
 #
 BuildRequires:  bison
 BuildRequires:  dos2unix
@@ -51,7 +63,7 @@ BuildRequires:  libitm1
 BuildRequires:  libtool
 BuildRequires:  libudev-devel
 BuildRequires:  openldap2-devel
-BuildRequires:  openssl-devel >= 1.0
+BuildRequires:  openssl-devel >= 1.1.1
 BuildRequires:  pkgconfig
 BuildRequires:  trousers-devel
 BuildRequires:  pkgconfig(systemd)
@@ -67,25 +79,27 @@ Provides:       group(pkcs11)
 ExclusiveArch:  %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch}
 %{?systemd_requires}
 %ifarch s390 s390x
-BuildRequires:  libica-devel
+BuildRequires:  libica-devel >= 3.3
 BuildRequires:  libica-tools
 %endif
 
 %description
-The PKCS#11 version 2.11 API implemented for the IBM cryptographic
-cards. This package includes support for the IBM 4758 cryptographic
-coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
-Cryptographic Accelerator (FC 4960 on pSeries).
+Opencryptoki implements the PKCS#11 specification v2.20 for a set of
+cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
+Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
+token implementation that can be used without any cryptographic
+hardware.
+This package contains the Slot Daemon (pkcsslotd) and general utilities.
 
 %package devel
 Summary:        Development files for openCryptoki, a PKCS#11 implementation for IBM hardware
 Group:          Development/Languages/C and C++
 Requires:       glibc-devel
-Requires:       libopenssl-devel
+Requires:       libopenssl-devel >= 1.1.1
 Requires:       openldap2-devel
 Requires:       trousers-devel
 %ifarch s390 s390x
-Requires:       libica-devel
+Requires:       libica-devel >= 3.3
 %endif
 
 %description devel
@@ -93,6 +107,9 @@ The PKCS#11 version 2.01 API implemented for the IBM cryptographic
 cards. This package includes support for the IBM 4758 cryptographic
 co-processor (with the PKCS#11 firmware loaded) and the IBM eServer
 Cryptographic Accelerator (FC 4960 on pSeries).
+This package contains the development header files for building
+opencryptoki and PKCS#11 based applications
+
 
 %ifarch %{openCryptoki_32bit_arch}
 %package 32bit
@@ -136,7 +153,7 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 
 %prep
 # setup -q -n %{oc_cvs_tag}-%{version}
-%autosetup -p 0 -n %{oc_cvs_tag}-%{version}
+%autosetup -p 1 -n %{oc_cvs_tag}-%{version}
 
 cp %{SOURCE2} .
 
@@ -149,11 +166,7 @@ cp %{SOURCE2} .
 %ifarch aarch64  # Apparently, gcc for aarch64 doesn't support transactional memory
     --enable-locks \
 %endif
-%ifarch s390 s390x
-    --enable-pkcsep11_migrate
-%else
-    --disable-ccatok
-%endif
+    %{ocki_conf_flags}
 
 make %{?_smp_mflags}
 dos2unix doc/README.ep11_stdll
@@ -161,10 +174,25 @@ dos2unix doc/README.ep11_stdll
 %install
 %make_install
 install -d %{buildroot}%{_includedir}
-install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
+# Move data templates from /var to /usr/share/opencryptoki for tmpfiles to use
+install -d %{buildroot}%{_datadir}/opencryptoki/templates
 install -d %{buildroot}%{_initddir}
 install -d %{buildroot}%{_sbindir}
 install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
+# Define the tmpfiles.d configuration
+cat > %{buildroot}%{_prefix}/lib/tmpfiles.d/opencryptoki.conf <<EOF
+# Type Path        Mode UID  GID  Age Argument
+d /var/lib/opencryptoki 0755 root pkcs11 - -
+d /var/lib/opencryptoki/swtok 0770 root pkcs11 - -
+d /var/lib/opencryptoki/swtok/TOK_OBJ 0770 root pkcs11 - -
+d /var/lib/opencryptoki/tpm 0770 root pkcs11 - -
+d /var/lib/opencryptoki/icsf 0770 root pkcs11 - -
+d /var/log/opencryptoki 0770 root pkcs11 - -
+L+ /etc/pkcs11 - - - - /var/lib/opencryptoki
+EOF
+# Remove manual directory creation in %install that belongs in /var
+rm -rf %{buildroot}%{_localstatedir}/lib/opencryptoki
+rm -rf %{buildroot}%{_localstatedir}/log/opencryptoki
 #
 mkdir -p %{buildroot}%{_datadir}/opencryptoki
 cp %{buildroot}%{_datadir}/doc/opencryptoki/*.conf %{buildroot}%{_datadir}/opencryptoki
@@ -182,29 +210,20 @@ rm -f %{buildroot}%{_libdir}/opencryptoki/methods
 # openCryptoki    pkcs11:x:64:
 # openCryptoki    pkcsslotd:x:64:
 getent group %{pkcs_group} 2>/dev/null || %{_sbindir}/groupadd -g %{pkcs11_group_id} -r %{pkcs_group} 2>/dev/null || true
-getent passwd pkcsslotd 2>/dev/null || %{_sbindir}/useradd -g %{pkcs11_group_id} -r pkcsslotd -s /sbin/nologin -d /run/opencryptoki 2>/dev/null || true
+getent passwd pkcsslotd 2>/dev/null || %{_sbindir}/useradd -g %{pkcs_group} -r pkcsslotd -s /sbin/nologin -d /run/opencryptoki 2>/dev/null || true
 %{_sbindir}/usermod -a -G %{pkcs_group} root
 
 %preun
 %{service_del_preun pkcsslotd.service}
 
 %post
-# Symlink from /var/lib/opencryptoki to /etc/pkcs11
-if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
-	if [ -e %{_sysconfdir}/pkcs11/pk_config_data ] ; then
-		mv %{_sysconfdir}/pkcs11/* %{_localstatedir}/lib/opencryptoki
-		cd %{_sysconfdir} && rm -rf pkcs11 && \
-			ln -sf %{_localstatedir}/lib/opencryptoki pkcs11
-	fi
-fi
+# Use the systemd-tmpfiles macro to ensure directories are created on next boot/transaction
+%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf
 /sbin/ldconfig
-%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf}
 %{service_add_post pkcsslotd.service}
 
 %postun
-if [ -L %{_sysconfdir}/pkcs11 ] ; then
-	rm %{_sysconfdir}/pkcs11
-fi
+/sbin/ldconfig
 %{service_del_postun pkcsslotd.service}
 
 %ifarch %{openCryptoki_32bit_arch}
@@ -213,6 +232,7 @@ if [ -L %{_sysconfdir}/pkcs11 ] ; then
 	rm %{_sysconfdir}/pkcs11
 fi
 %{service_del_postun pkcsslotd.service}
+/sbin/ldconfig
 
 %post 32bit
 # Old library name links
@@ -244,19 +264,20 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %dir %{_datadir}/doc/opencryptoki
 %doc %{_datadir}/doc/opencryptoki/policy-example.conf
 %doc %{_datadir}/doc/opencryptoki/strength-example.conf
+%doc %{_datadir}/doc/opencryptoki/README.token_data
+%doc %{_datadir}/doc/opencryptoki/opencryptoki-howto.md
 %dir %{_datadir}/opencryptoki
 %{_datadir}/opencryptoki/policy-example.conf
 %{_datadir}/opencryptoki/strength-example.conf
   # configuration directory
 %dir %{_sysconfdir}/opencryptoki
 %config %{_sysconfdir}/opencryptoki/opencryptoki.conf
-%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/strength.conf
-%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
+%config %{_sysconfdir}/opencryptoki/p11kmip.conf
+%attr(0640,root,%{pkcs_group}) %config %{_sysconfdir}/opencryptoki/strength.conf
+%attr(0640,root,%{pkcs_group}) %config %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
 %ifarch s390 s390x
-%config %{_sysconfdir}/opencryptoki/ccatok.conf
 %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
 %config %{_sysconfdir}/opencryptoki/ep11tok.conf
-%{_sbindir}/pkcsep11_migrate
 %endif
 %{_sbindir}/p11sak
 %{_unitdir}/pkcsslotd.service
@@ -264,42 +285,35 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %{_sbindir}/rcpkcsslotd
   # utilities
 %ifarch s390 s390x
+%{_sbindir}/pkcsep11_migrate
 %{_sbindir}/pkcsep11_session
+%endif
+%ifnarch i586
+%config %{_sysconfdir}/opencryptoki/ccatok.conf
 %{_sbindir}/pkcscca
 %endif
+%{_sbindir}/p11kmip
 %{_sbindir}/pkcsslotd
 %{_sbindir}/pkcsconf
 %{_sbindir}/pkcsicsf
 %{_sbindir}/pkcsstats
 %{_sbindir}/pkcstok_migrate
+%{_sbindir}/pkcstok_admin
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
   # State and lock directories
-%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
-%ifarch s390 s390x
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
-%endif
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
-%ifarch s390 s390x
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
-%endif
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
 %{_mandir}/man*/*
+%{_sbindir}/pkcshsm_mk_change
+#
+%{_prefix}/lib/tmpfiles.d/opencryptoki.conf
+# Ensure we don't package files in /var directly
+%ghost %dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
 
 %files devel
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
 %{_includedir}/opencryptoki
 %{_libdir}/pkgconfig/opencryptoki.pc
-###
-%{_sbindir}/pkcshsm_mk_change
 
 %ifarch %{openCryptoki_32bit_arch}
 %files 32bit
@@ -312,6 +326,10 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
 %ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %endif
+%ifnarch i586
+%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
+%endif
+%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
 %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
 %ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
 %{_libdir}/opencryptoki/stdll/libpkcs11_sw.so