Tree - rpms/opencryptoki - CentOS Git server

rpms / opencryptoki

Blame SOURCES/0012-EP11-Update-EP11-host-library-header-files.patch

Blob History Raw

		253609	`From 1197829d87732e1cae18ee64eefe44f0a6cb391f Mon Sep 17 00:00:00 2001`
		253609	`From: Ingo Franzki <ifranzki@linux.ibm.com>`
		253609	`Date: Wed, 16 Feb 2022 10:09:10 +0100`
		253609	`Subject: [PATCH 12/34] EP11: Update EP11 host library header files`
		253609
		253609	`Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>`
		253609	`---`
		253609	`usr/lib/ep11_stdll/ep11.h \| 1345 +++++++++++++++++++++++++-----------------`
		253609	`usr/lib/ep11_stdll/ep11adm.h \| 305 +++-------`
		253609	`2 files changed, 911 insertions(+), 739 deletions(-)`
		253609
		253609	`diff --git a/usr/lib/ep11_stdll/ep11.h b/usr/lib/ep11_stdll/ep11.h`
		253609	`index cd4f11e5..c68dd045 100644`
		253609	`--- a/usr/lib/ep11_stdll/ep11.h`
		253609	`+++ b/usr/lib/ep11_stdll/ep11.h`
		253609	`@@ -16,7 +16,6 @@`
		253609
		253609	`#if !defined(XCP_H__)`
		253609	`#define XCP_H__`
		253609	`-`
		253609	`#if !defined(CKR_OK)`
		253609	`#include "pkcs11.h"`
		253609	`#endif`
		253609	`@@ -25,195 +24,10 @@`
		253609	`#error "We need 64-bit <stdint.h> types, please include before this file."`
		253609	`#endif`
		253609
		253609	`-// SHA224 etc. are additions to PKCS#11 2.20`
		253609	`-// remove these if host migrates beyond 2.20 as base minimum [unlikely]`
		253609	`-//`
		253609	`-#if !defined(CKM_SHA224)`
		253609	`-#define CKM_SHA224 0x00000255`
		253609	`-#define CKM_SHA224_HMAC 0x00000256`
		253609	`-#define CKM_SHA224_HMAC_GENERAL 0x00000257`
		253609	`-#define CKM_SHA224_RSA_PKCS 0x00000046`
		253609	`-#define CKM_SHA224_RSA_PKCS_PSS 0x00000047`
		253609	`-#define CKM_SHA224_KEY_DERIVATION 0x00000396`
		253609	`-#define CKM_AES_CTR 0x00001086`
		253609	`-#define CKG_MGF1_SHA224 0x00000005`
		253609	`-#endif`
		253609	`-`
		253609	`-#if !defined(CKM_AES_CMAC)`
		253609	`-#define CKM_AES_CMAC 0x0000108a`
		253609	`-#endif`
		253609	`-`
		253609	`-#if !defined(CKM_DES3_CMAC)`
		253609	`-#define CKM_DES3_CMAC 0x00000138`
		253609	`-#endif`
		253609	`-`
		253609	`-`
		253609	`-`
		253609	`-// max value for target groups`
		253609	`-#define XCP_MAX_GRPIDX 1024u`
		253609	`-//`
		253609	`-// current version of XCP_Module structure; host code SHOULD interact with`
		253609	`-// future/past versions, MUST be set by caller before using m_add_module()`
		253609	`-// valid versions are all >0`
		253609	`-#define XCP_MOD_VERSION 2`
		253609	`//`
		253609	`// used for internal and external paths/addresses`
		253609	`#define MAX_FNAME_CHARS 256`
		253609
		253609	`-// macros for setting/checking and removing domains from (tgt.mgmt) domain mask`
		253609	`-#define XCPTGTMASK_SET_DOM(mask, domain) \`
		253609	`- mask[((domain)/8)] \|= (1 << (7-(domain)%8))`
		253609	`-#define XCPTGTMASK_DOM_IS_SET(mask, domain) \`
		253609	`- (mask[((domain)/8)] & (1 << (7-(domain)%8)))`
		253609	`-#define XCPTGTMASK_CLR_DOM(mask, domain) \`
		253609	`- mask[((domain)/8)] &= ~(1 << (7-(domain)%8))`
		253609	`-//`
		253609	`-`
		253609	`-`
		253609	`-/* flags that can be set for the target tokens`
		253609	`- *`
		253609	`- * This flags are domain specific and are therefore called domain flags`
		253609	`- *`
		253609	`- * start of flags is >16 Bit. Max value for domains is 0xFF. Should be enough`
		253609	`- * room for extensions`
		253609	`- */`
		253609	`-#define XCP_TGTFL_WCAP 0x10000000 /* Capture wire request in output buffer`
		253609	`- * without sending it to the module`
		253609	`- */`
		253609	`-#define XCP_TGTFL_WCAP_SQ 0x20000000 /* Size query: Return size of request in`
		253609	`- * output buffer length field`
		253609	`- */`
		253609	`-#define XCP_TGTFL_SET_SCMD 0x40000000 /* Protected key special command: Set the`
		253609	`- * special command flag in the CPRB`
		253609	`- * header`
		253609	`- */`
		253609	`-#define XCP_TGTFL_API_CHKD 0x80000000 /* supported API version of modules in`
		253609	`- * target (group) has been checked`
		253609	`- */`
		253609	`-`
		253609	`-#define XCP_TGTFL_NO_LOCK 0x01000000 /* target token ignores sequential locks`
		253609	`- * for target probing`
		253609	`- */`
		253609	`-#define XCP_TGTFL_SET_ACMD 0x04000000 /* add CPRB admin flag to CPRB header */`
		253609	`-`
		253609	`-//--------------------------------------`
		253609	`-// socket use only`
		253609	`-#define XCP_MAXCONNECTIONS 64 /* max value for active connections */`
		253609	`-#define XCP_MAX_PORT 0xffff`
		253609	`-`
		253609	`-// hostname and port value fore one module`
		253609	`-typedef struct XCP_ModuleSocket {`
		253609	`- char host[ MAX_FNAME_CHARS +1 ];`
		253609	`- uint32_t port;`
		253609	`-} *XCP_ModuleSocket_t ;`
		253609	`-`
		253609	`-`
		253609	`-//--------------------------------------`
		253609	`-// diagnostics use only`
		253609	`-typedef struct XCP_DomainPerf {`
		253609	`- /* perf value of last request per domain`
		253609	`- *`
		253609	`- * At the moment unused`
		253609	`- * */`
		253609	`- unsigned int lastperf[ 256 ];`
		253609	`-} *XCP_DomainPerf_t;`
		253609	`-`
		253609	`-`
		253609	`-//--------------------------------------`
		253609	`-// subsequent communications with a module MAY skip infrastructure-specific`
		253609	`-// fields, such as a query not reporting device handles etc., even if they`
		253609	`-// have been supplied originally when the module has been registered.`
		253609	`-//`
		253609	`-typedef struct XCP_Module {`
		253609	`- uint32_t version; /* >0 for supported API versions */`
		253609	`-`
		253609	`- uint64_t flags; /* see XCP_Module_Flags */`
		253609	`-`
		253609	`- uint32_t domains; /* max# addressable under this module;`
		253609	`- * cached from OS`
		253609	`- *`
		253609	`- * when callers set domains to 0, the library`
		253609	`- * returns the module-claimed domain count.`
		253609	`- */`
		253609	`-`
		253609	`- unsigned char domainmask[ 256 /8 ];`
		253609	`- /* higher domain# through future flags (none`
		253609	`- * currently defined) which would add things`
		253609	`- * like 'FLAG_256_1023' etc. at the same time,`
		253609	`- * we would add domainmask2[] etc.`
		253609	`- * corresponding new fields.`
		253609	`- *`
		253609	`- * new fields would then store mask for`
		253609	`- * domains 256+ etc.`
		253609	`- *`
		253609	`- * domain #0 is bit x80 of 1st byte,`
		253609	`- * #255 is bit 0x01 of last byte.`
		253609	`- */`
		253609	`-`
		253609	`- // when a domainmask is supplied, with bits set beyond`
		253609	`- // what the module supports, the bitmask is trimmed to`
		253609	`- // the supported range, but this is NOT reported as an`
		253609	`- // error, unless XCP_MFL_STRICT is also supplied.`
		253609	`- //`
		253609	`- // without XCP_MFL_STRICT, callers are expected to check`
		253609	`- // at least the returned domain count.`
		253609	`-`
		253609	`- /* used only when flags includes XCP_MFL_SOCKET */`
		253609	`- struct XCP_ModuleSocket socket;`
		253609	`-`
		253609	`- /* used when system exposes modules through an`
		253609	`- * array of transparent pipes, or similar abstraction`
		253609	`- * (such as mainframe AP Queues, or other Linux`
		253609	`- * 'device-minor' numbers etc.). Interpretation`
		253609	`- * is platform-dependent.`
		253609	`- *`
		253609	`- * used only when flags includes XCP_MFL_MODULE`
		253609	`- */`
		253609	`- uint32_t module_nr;`
		253609	`-`
		253609	`- /* used by systems which associate devices with`
		253609	`- * device handles/structs/etc. persistent state.`
		253609	`- * opaque pointer, usually a const pointer to`
		253609	`- * such aux structs, MAY be stored here.`
		253609	`- *`
		253609	`- * interpretation is platform-dependent.`
		253609	`- * used only when flags includes XCP_MFL_MHANDLE`
		253609	`- */`
		253609	`- void *mhandle;`
		253609	`- /* diagnostics use only, when XCP_MFL_PERF is set */`
		253609	`- struct XCP_DomainPerf perf;`
		253609	`- //----- end of v1 fields -------------------------------------------`
		253609	`-`
		253609	`- uint32_t api; /* module api version*/`
		253609	`- //----- end of v2 fields -------------------------------------------`
		253609	`-} *XCP_Module_t ;`
		253609	`-`
		253609	`-typedef enum {`
		253609	`- XCP_MFL_SOCKET = 1, /* backend is socket-attached */`
		253609	`- XCP_MFL_MODULE = 2, /* backends identified in`
		253609	`- array-of-modules */`
		253609	`- XCP_MFL_MHANDLE = 4, /* backends uses 'module handle' field */`
		253609	`- XCP_MFL_PERF = 8, /* performance statistics collected`
		253609	`- * for this module, see .perf`
		253609	`- */`
		253609	`- XCP_MFL_VIRTUAL = 0x10, /* queried 'target' is a load-balancer,`
		253609	`- * other other group.`
		253609	`- */`
		253609	`- XCP_MFL_STRICT = 0x20, /* enable aggressive error checking,`
		253609	`- * see field descriptions for effect`
		253609	`- */`
		253609	`- XCP_MFL_PROBE = 0x40, /* send api query to module, to check if`
		253609	`- * target(s) can be used`
		253609	`- */`
		253609	`- XCP_MFL_ALW_TGT_ADD = 0x80, /* Allows it to use a target in any`
		253609	`- * functional and admin call without`
		253609	`- * adding it beforehand with`
		253609	`- * m_add_module()`
		253609	`- */`
		253609	`- XCP_MFL_MAX = 0xff`
		253609	`-} XCP_Module_Flags;`
		253609	`-`
		253609	`-`
		253609	`// Error Values for functions that do not return CK_RV`
		253609	`// general errors`
		253609	`#define XCP_OK 0 /* function successful`
		253609	`@@ -282,17 +96,15 @@ typedef enum {`
		253609	`* flag is not active`
		253609	`*/`
		253609
		253609	`-`
		253609	`/--------------------------------------------------------------------------/`
		253609	`#define XCP_COMMON_PUBLIC_H__`
		253609
		253609
		253609	`-#define XCP_API_VERSION 0x071d /* major[8] minor[8] */`
		253609	`+#define XCP_API_VERSION 0x0810 /* major[8] minor[8] */`
		253609	`#define XCP_API_ORDINAL 0x0004`
		253609	`/* increment this with every major/minor change */`
		253609
		253609	`-#define XCP_HOST_API_VER 0x030100 /* major[8] minor[8] fixpack[8] */`
		253609	`-#define XCP_RPM_VERSION XCP_HOST_API_VER /* deprecated */`
		253609	`+#define XCP_HOST_API_VER 0x040000 /* major[8] minor[8] fixpack[8] */`
		253609
		253609	`/* HSM connection information; not for PKCS11 user consumption */`
		253609	`#define XCP_HSM_AGENT_ID 0x5843 /* ASCII "XC" */`
		253609	`@@ -375,6 +187,8 @@ typedef enum {`
		253609	`#define CKR_IBM_TARGET_INVALID (CKR_VENDOR_DEFINED +0x10030)`
		253609
		253609
		253609	`+#define CKR_IBM_PQC_PARAMS_NOT_SUPPORTED (CKR_VENDOR_DEFINED +0x10031)`
		253609	`+`
		253609
		253609	`// Error returned if internal verification of crypto engines fail`
		253609	`#define CKR_IBM_ERROR_STATE (CKR_VENDOR_DEFINED +0x10101)`
		253609	`@@ -445,12 +259,18 @@ typedef enum {`
		253609	`#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED +0x1001f)`
		253609
		253609
		253609	`+// round counts are passed as mechanism parameters`
		253609	`+#define CKM_IBM_SIPHASH (CKM_VENDOR_DEFINED +0x10021)`
		253609	`+`
		253609	`+`
		253609	`// these need a strength definition`
		253609	`// XCP_U32_VALUE_BITS/CKA_VALUE_BITS would be sufficient; strength->K/L mapping`
		253609	`//`
		253609	`// umbrella mech for PQC/Crystals variants`
		253609	`#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED +0x10023)`
		253609	`// ^^^ sign/verify plus keygen only`
		253609	`+#define CKM_IBM_KYBER (CKM_VENDOR_DEFINED +0x10024)`
		253609	`+ // ^^^ en/decrypt, keygen, key transport, and (hybrid) key derivation`
		253609
		253609	`// SHA-3 HMAC variants`
		253609	`#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED +0x10025)`
		253609	`@@ -481,6 +301,10 @@ typedef enum {`
		253609	`ECSG_IBM_MAX = ECSG_IBM_ECSDSA_COMPR_MULTI,`
		253609	`} ECSG_Var_t;`
		253609
		253609	`+#define CK_IBM_ECSG_IBM_ECSDSA_S256 ECSG_IBM_ECSDSA_S256`
		253609	`+#define CK_IBM_ECSG_IBM_ECDSA_COMPR_MULTI_S256 ECSG_IBM_ECDSA_COMPR_MULTI_S256`
		253609	`+#define CK_IBM_ECSG_IBM_MAX ECSG_IBM_MAX`
		253609	`+`
		253609
		253609	`//--- transport additions --------------------------------------------------`
		253609	`#define CKM_IBM_CLEARKEY_TRANSPORT (CKM_VENDOR_DEFINED +0x20001)`
		253609	`@@ -565,6 +389,12 @@ typedef enum {`
		253609
		253609	`#define CKA_IBM_PQC_PARAMS (CKA_VENDOR_DEFINED +0x1000e)`
		253609
		253609	`+// query or modify login session an object is bound to`
		253609	`+#define CKA_IBM_LOGIN_SESSION (CKA_VENDOR_DEFINED +0x1000f)`
		253609	`+`
		253609	`+// query MAC'd spki from a private key`
		253609	`+#define CKA_IBM_MACED_PUBLIC_KEY_INFO (CKA_VENDOR_DEFINED +0x20002)`
		253609	`+`
		253609	`// direct access to attributes' wire form`
		253609	`// parameters of this attribute, if it's the only one present,`
		253609	`// inserted verbatim into request package`
		253609	`@@ -574,6 +404,9 @@ typedef enum {`
		253609	`// matches the key type constant for clear key Dilithium with ICSF`
		253609	`#define CKK_IBM_PQC_DILITHIUM (CKK_VENDOR_DEFINED +0x10023)`
		253609
		253609	`+#define CKK_IBM_PQC_KYBER (CKK_VENDOR_DEFINED +0x10024)`
		253609	`+`
		253609	`+`
		253609
		253609
		253609
		253609	`@@ -583,6 +416,7 @@ typedef enum {`
		253609	`#define XCP_MOD_ERROR_STATE_SYSTEST_CMD 0x00000003`
		253609	`#define XCP_MOD_ERROR_STATE_TRNG_HEALTH 0x00000004`
		253609
		253609	`+`
		253609	`/*----------------------------------------------------------------------------`
		253609	`* sizes related to blobs and host-visible entities`
		253609	`*`
		253609	`@@ -599,10 +433,10 @@ typedef enum {`
		253609	`#define XCP_BLOBCLRATTR_BYTES 8 /* clear blob attr's bytecount */`
		253609	`/* keep in sync with objattr_t */`
		253609	`#define XCP_BLOBCLRMODE_BYTES 8 /* clear blob modefield bytecount */`
		253609	`-#define MOD_WRAP_BLOCKSIZE ((size_t) (128 /8)) /* blob crypt block bytecount */`
		253609	`+#define XCP_WRAP_BLOCKSIZE ((size_t) (128 /8)) /* blob crypt block bytecount */`
		253609	`#define XCP_MACKEY_BYTES (256 /8) /* derived from controlling WK */`
		253609	`//`
		253609	`-#define XCP_PIN_SALT_BYTES MOD_WRAP_BLOCKSIZE`
		253609	`+#define XCP_PIN_SALT_BYTES XCP_WRAP_BLOCKSIZE`
		253609	`#define XCP_PINBLOB_BYTES \`
		253609	`(XCP_WK_BYTES +XCP_PIN_SALT_BYTES +XCP_HMAC_BYTES)`
		253609
		253609	`@@ -664,6 +498,18 @@ typedef enum {`
		253609
		253609	`#define XCP_BTC_VERSION 1`
		253609
		253609	`+#define XCP_KYBER_KEM_VERSION 0`
		253609	`+`
		253609	`+#define XCP_KYBER_KEM_MIN_WIRE_BYTES (4 + 4 + 4 + 4 + 4 + 4) /* version[32] \|\|`
		253609	`+ kdf[32] \|\|`
		253609	`+ mode[32] \|\|`
		253609	`+ cphr[32] \|\|`
		253609	`+ shrd[32] \|\|`
		253609	`+ blob [32] */`
		253609	`+`
		253609	`+#define XCP_KYBER_RAW_BYTES 32`
		253609	`+`
		253609	`+`
		253609	`#define XCP_ECDH1_DERIVE_MAX_PUBLIC_BYTES 1024 /* limit public data length to`
		253609	`reasonable number of bytes */`
		253609	`//`
		253609	`@@ -698,6 +544,8 @@ typedef enum {`
		253609	`// related to the protected-key capability`
		253609	`// see also CKA_IBM_PROTKEY_* description`
		253609
		253609	`+ CKF_IBM_HW_DUAL_OA = 0x1000, // module supports dual OA certs/signatures`
		253609	`+ // see CK_IBM_XCPXQ_OA_CAP for more details`
		253609	`} XCP_CK_EXTFLAGS_t;`
		253609
		253609	`// these numbers apply to current version, subject to change`
		253609	`@@ -720,7 +568,7 @@ typedef enum {`
		253609
		253609	`// ~arbitrary limit on acceptable admin. certificates`
		253609	`// additional limits, such as transport-bytecount, may restrict further`
		253609	`-#define XCP_CERT_MAX_BYTES ((size_t) 4096)`
		253609	`+#define XCP_CERT_MAX_BYTES ((size_t) 12288) /* fits dil certs (8k + meta) */`
		253609	`#define XCP_CERTHASH_BYTES (256/8)`
		253609	`/* hash or SKI of public key, or other hash-identified things; SHA-256 */`
		253609
		253609	`@@ -734,6 +582,9 @@ typedef enum {`
		253609	`/* ^^^ increase this when policy moves beyond shorter curves */`
		253609	`#define XCP_MAX_EC_CURVE_BITS 521`
		253609
		253609	`+#define XCP_MAX_DIL_SIGNATURE_BYTES 4668 /* max. length of dil. 8-7 sigs */`
		253609	`+#define XCP_MAX_SINFO_META_BYTES 100 /* signer info framework bytes */`
		253609	`+`
		253609	`/* bytecount of raw (generic) keys, not key schedules */`
		253609	`#define MOD_MAX_SYMMKEY_BYTES 256`
		253609
		253609	`@@ -754,8 +605,20 @@ typedef enum {`
		253609	`/* trailing big-endian bitcount field after UnwrapKey() checksum */`
		253609
		253609	`/* card(OA) signature bytecount: SKI-identified SignerInfo,`
		253609	`- 4096-bit RSA signature, with SHA-256 hash */`
		253609	`-#define XCP_RSPSIG_MAX_BYTES (75 +4096/8)`
		253609	`+ * Non quantum safe: Must contain space for either:`
		253609	`+ * - 4096-bit RSA signature, hash OID, encr. OID and SKI`
		253609	`+ * - EC-P521 signature, hash OID, encr. OID and SKI`
		253609	`+ */`
		253609	`+#define XCP_RSPSIG_RSA (4096 / 8)`
		253609	`+#define XCP_RSPSIG_MAX_BYTES (XCP_MAX_SINFO_META_BYTES + \`
		253609	`+ XCP_RSPSIG_RSA)`
		253609	`+`
		253609	`+/* card(OA) signature bytecount: SKI-identified SignerInfo,`
		253609	`+ * Quantum safe: Must contain space for:`
		253609	`+ * - DIL signature, hash OID, encr. OID and SKI`
		253609	`+ */`
		253609	`+#define XCP_RSPSIG_QS_MAX_BYTES (XCP_MAX_SINFO_META_BYTES + \`
		253609	`+ XCP_MAX_DIL_SIGNATURE_BYTES)`
		253609
		253609	`/* minimal padding for raw RSA enc/dec/sign/ver/wr/unwr`
		253609	`* Used for example in CKM_RSA_PKCS. See RFC 2313 chapter 8 for a complete`
		253609	`@@ -772,84 +635,85 @@ typedef enum {`
		253609	`/* indicates particular events, not generic event types/categories, */`
		253609	`/* if bits in this region are non-zero */`
		253609
		253609	`-typedef enum { /* functionality categories: keep within uint16_t range */`
		253609	`- XCP_LOGEV_QUERY = 0,`
		253609	`- XCP_LOGEV_FUNCTION = 1,`
		253609	`- XCP_LOGEV_ADMFUNCTION = 2,`
		253609	`- XCP_LOGEV_STARTUP = 3,`
		253609	`- XCP_LOGEV_SHUTDOWN = 4,`
		253609	`- XCP_LOGEV_SELFTEST = 5,`
		253609	`- XCP_LOGEV_DOM_IMPORT = 6, /* import sec-relevant data to domain */`
		253609	`- XCP_LOGEV_DOM_EXPORT = 7, /* export sec-relevant data from domain */`
		253609	`- XCP_LOGEV_FAILURE = 8,`
		253609	`- XCP_LOGEV_GENERATE = 9,`
		253609	`- XCP_LOGEV_REMOVE = 10,`
		253609	`- XCP_LOGEV_SPECIFIC = 11, /* obtain meaning elsewhere */`
		253609	`- XCP_LOGEV_STATE_IMPORT = 12, /* import to card/multiple domains */`
		253609	`- XCP_LOGEV_STATE_EXPORT = 13, /* export from card/multiple domains */`
		253609	`- /* [after successful export] */`
		253609	`- XCP_LOGEV_IMPORT = 14, /* key/state import (UnwrapKey) */`
		253609	`- /* fields provide more context */`
		253609	`- XCP_LOGEV_EXPORT = 15, /* key/state import (WrapKey) */`
		253609	`- /* fields provide more context */`
		253609	`-`
		253609	`- /--- specific events (any including XCP_LOGEV_SPEC) ---------/`
		253609	`-`
		253609	`- XCP_LOGSPEV_TRANSACT_ZEROIZE = XCP_LOGEV_SPEC +1,`
		253609	`- /* zeroize card by transaction */`
		253609	`-`
		253609	`- XCP_LOGSPEV_KAT_FAILED = XCP_LOGEV_SPEC +2,`
		253609	`- /* algorithm selftest failed */`
		253609	`-`
		253609	`- XCP_LOGSPEV_KAT_COMPLETED = XCP_LOGEV_SPEC +3,`
		253609	`- /* algorithm selftests completed */`
		253609	`- /* redundant; logged only to */`
		253609	`- /* provide specific event */`
		253609	`-`
		253609	`- XCP_LOGSPEV_EARLY_Q_START = XCP_LOGEV_SPEC +4,`
		253609	`- /* subsequent events were found */`
		253609	`- /* in the early-event queue. */`
		253609	`- /* their timestamps are only */`
		253609	`- /* approximate; order is correct */`
		253609	`-`
		253609	`- XCP_LOGSPEV_EARLY_Q_END = XCP_LOGEV_SPEC +5,`
		253609	`- /* early-even queue processing ends. */`
		253609	`- /* subsequent events are through */`
		253609	`- /* regular auditing, with valid */`
		253609	`- /* timestamps and ordering. */`
		253609	`-`
		253609	`- XCP_LOGSPEV_AUDIT_NEWCHAIN = XCP_LOGEV_SPEC +6,`
		253609	`- /* audit state is corrupted; removed. */`
		253609	`- /* generating new instance and start */`
		253609	`- /* new chain as a replacement */`
		253609	`-`
		253609	`- XCP_LOGSPEV_TIMECHG_BEFORE = XCP_LOGEV_SPEC +7,`
		253609	`- /* time change: original time */`
		253609	`-`
		253609	`- XCP_LOGSPEV_TIMECHG_AFTER = XCP_LOGEV_SPEC +8,`
		253609	`- /* time change: updated time */`
		253609	`-`
		253609	`- XCP_LOGSPEV_MODSTIMPORT_START = XCP_LOGEV_SPEC +9,`
		253609	`- /* accepted full-state import */`
		253609	`- /* data structure */`
		253609	`- /* starting update procedure */`
		253609	`-`
		253609	`- XCP_LOGSPEV_MODSTIMPORT_FAIL = XCP_LOGEV_SPEC +10,`
		253609	`- /* rejected import structure */`
		253609	`- /* issued after initial verify; */`
		253609	`- /* indicates some inconsistency */`
		253609	`- /* of import data structures */`
		253609	`-`
		253609	`- XCP_LOGSPEV_MODSTIMPORT_END = XCP_LOGEV_SPEC +11,`
		253609	`- /* completed full-state import */`
		253609	`-`
		253609	`- XCP_LOGSPEV_MODSTEXPORT_START = XCP_LOGEV_SPEC +12,`
		253609	`- /* started full-state export */`
		253609	`- /* see also: XCP_LOGEV_STATE_EXPORT */`
		253609	`-`
		253609	`- XCP_LOGSPEV_MODSTEXPORT_FAIL = XCP_LOGEV_SPEC +13`
		253609	`- /* full-state export did not complete */`
		253609	`-} XCP_LogEvent_t;`
		253609	`+ /* functionality categories: keep within uint16_t range */`
		253609	`+#define XCP_LOGEV_QUERY 0`
		253609	`+#define XCP_LOGEV_FUNCTION 1`
		253609	`+#define XCP_LOGEV_ADMFUNCTION 2`
		253609	`+#define XCP_LOGEV_STARTUP 3`
		253609	`+#define XCP_LOGEV_SHUTDOWN 4`
		253609	`+#define XCP_LOGEV_SELFTEST 5`
		253609	`+#define XCP_LOGEV_DOM_IMPORT 6 /* import sec-relevant data to */`
		253609	`+ /* domain */`
		253609	`+#define XCP_LOGEV_DOM_EXPORT 7 /* export sec-relevant data from */`
		253609	`+ /* domain */`
		253609	`+#define XCP_LOGEV_FAILURE 8`
		253609	`+#define XCP_LOGEV_GENERATE 9`
		253609	`+#define XCP_LOGEV_REMOVE 10`
		253609	`+#define XCP_LOGEV_SPECIFIC 11 /* obtain meaning elsewhere */`
		253609	`+#define XCP_LOGEV_STATE_IMPORT 12 /* import to card/multiple domains */`
		253609	`+#define XCP_LOGEV_STATE_EXPORT 13 /* export from card/multiple */`
		253609	`+ /* domains */`
		253609	`+ /* [after successful export] */`
		253609	`+#define XCP_LOGEV_IMPORT 14 /* key/state import (UnwrapKey) */`
		253609	`+ /* fields provide more context */`
		253609	`+#define XCP_LOGEV_EXPORT 15 /* key/state import (WrapKey) */`
		253609	`+ /* fields provide more context */`
		253609	`+`
		253609	`+ /--- specific events (any including XCP_LOGEV_SPEC) ---------/`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_TRANSACT_ZEROIZE (XCP_LOGEV_SPEC +1)`
		253609	`+ /* zeroize card by transaction */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_KAT_FAILED (XCP_LOGEV_SPEC +2)`
		253609	`+ /* algorithm selftest failed */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_KAT_COMPLETED (XCP_LOGEV_SPEC +3)`
		253609	`+ /* algorithm selftests completed */`
		253609	`+ /* redundant; logged only to */`
		253609	`+ /* provide specific event */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_EARLY_Q_START (XCP_LOGEV_SPEC +4)`
		253609	`+ /* subsequent events were found */`
		253609	`+ /* in the early-event queue. */`
		253609	`+ /* their timestamps are only */`
		253609	`+ /* approximate; order is correct */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_EARLY_Q_END (XCP_LOGEV_SPEC +5)`
		253609	`+ /* early-even queue processing ends. */`
		253609	`+ /* subsequent events are through */`
		253609	`+ /* regular auditing, with valid */`
		253609	`+ /* timestamps and ordering. */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_AUDIT_NEWCHAIN (XCP_LOGEV_SPEC +6)`
		253609	`+ /* audit state is corrupted; removed. */`
		253609	`+ /* generating new instance and start */`
		253609	`+ /* new chain as a replacement */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_TIMECHG_BEFORE (XCP_LOGEV_SPEC +7)`
		253609	`+ /* time change: original time */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_TIMECHG_AFTER (XCP_LOGEV_SPEC +8)`
		253609	`+ /* time change: updated time */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_MODSTIMPORT_START (XCP_LOGEV_SPEC +9)`
		253609	`+ /* accepted full-state import */`
		253609	`+ /* data structure */`
		253609	`+ /* starting update procedure */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_MODSTIMPORT_FAIL (XCP_LOGEV_SPEC +10)`
		253609	`+ /* rejected import structure */`
		253609	`+ /* issued after initial verify; */`
		253609	`+ /* indicates some inconsistency */`
		253609	`+ /* of import data structures */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_MODSTIMPORT_END (XCP_LOGEV_SPEC +11)`
		253609	`+ /* completed full-state import */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_MODSTEXPORT_START (XCP_LOGEV_SPEC +12)`
		253609	`+ /* started full-state export */`
		253609	`+ /* see also: XCP_LOGEV_STATE_EXPORT */`
		253609	`+`
		253609	`+#define XCP_LOGSPEV_MODSTEXPORT_FAIL (XCP_LOGEV_SPEC +13)`
		253609
		253609
		253609	`typedef enum {`
		253609	`@@ -863,21 +727,19 @@ typedef enum {`
		253609	`} XCP_LogSystem_t;`
		253609
		253609	`/* bitmask of audit-event flags (mainly optional fields) */`
		253609	`-typedef enum {`
		253609	`- XCP_LOGFL_WK_PRESENT = 0x80000000,`
		253609	`- XCP_LOGFL_COMPLIANCE_PRESENT = 0x40000000, /* ...of hosting domain */`
		253609	`- XCP_LOGFL_FINALWK_PRESENT = 0x20000000,`
		253609	`- XCP_LOGFL_KEYREC0_PRESENT = 0x10000000,`
		253609	`- XCP_LOGFL_KEYREC0_COMPL = 0x08000000, /* key0 compliance */`
		253609	`- XCP_LOGFL_KEYREC1_PRESENT = 0x04000000,`
		253609	`- XCP_LOGFL_KEYREC2_PRESENT = 0x02000000,`
		253609	`- XCP_LOGFL_FINTIME_PRESENT = 0x01000000,`
		253609	`- XCP_LOGFL_SALT0_PRESENT = 0x00800000,`
		253609	`- XCP_LOGFL_SALT1_PRESENT = 0x00400000,`
		253609	`- XCP_LOGFL_SALT2_PRESENT = 0x00200000,`
		253609	`- XCP_LOGFL_REASON_PRESENT = 0x00100000,`
		253609	`- XCP_LOGFL_SEQPRF_PRESENT = 0x00080000`
		253609	`-} XCP_LogFlags_t;`
		253609	`+#define XCP_LOGFL_WK_PRESENT 0x80000000`
		253609	`+#define XCP_LOGFL_COMPLIANCE_PRESENT 0x40000000 /* ...of hosting domain */`
		253609	`+#define XCP_LOGFL_FINALWK_PRESENT 0x20000000`
		253609	`+#define XCP_LOGFL_KEYREC0_PRESENT 0x10000000`
		253609	`+#define XCP_LOGFL_KEYREC0_COMPL 0x08000000 /* key0 compliance */`
		253609	`+#define XCP_LOGFL_KEYREC1_PRESENT 0x04000000`
		253609	`+#define XCP_LOGFL_KEYREC2_PRESENT 0x02000000`
		253609	`+#define XCP_LOGFL_FINTIME_PRESENT 0x01000000`
		253609	`+#define XCP_LOGFL_SALT0_PRESENT 0x00800000`
		253609	`+#define XCP_LOGFL_SALT1_PRESENT 0x00400000`
		253609	`+#define XCP_LOGFL_SALT2_PRESENT 0x00200000`
		253609	`+#define XCP_LOGFL_REASON_PRESENT 0x00100000`
		253609	`+#define XCP_LOGFL_SEQPRF_PRESENT 0x00080000`
		253609
		253609
		253609
		253609	`@@ -885,16 +747,26 @@ typedef enum {`
		253609	`typedef enum {`
		253609	`XCP_IMPRKEY_RSA_2048 = 0,`
		253609	`XCP_IMPRKEY_RSA_4096 = 1,`
		253609	`- XCP_IMPRKEY_EC_P256 = 2, /* EC, NIST P-256 */`
		253609	`- XCP_IMPRKEY_EC_P521 = 3, /* EC, NIST P-521 */`
		253609	`- XCP_IMPRKEY_EC_BP256r = 4, /* EC, Brainpool BP-256r */`
		253609	`- XCP_IMPRKEY_EC_BP320r = 5, /* EC, Brainpool BP-320r */`
		253609	`- XCP_IMPRKEY_EC_BP512r = 6, /* EC, Brainpool BP-512r */`
		253609	`+ XCP_IMPRKEY_EC_P256 = 2, /* EC, NIST P-256 */`
		253609	`+ XCP_IMPRKEY_EC_P521 = 3, /* EC, NIST P-521 */`
		253609	`+ XCP_IMPRKEY_EC_BP256r = 4, /* EC, Brainpool BP-256r */`
		253609	`+ XCP_IMPRKEY_EC_BP320r = 5, /* EC, Brainpool BP-320r */`
		253609	`+ XCP_IMPRKEY_EC_BP512r = 6, /* EC, Brainpool BP-512r */`
		253609	`XCP_IMPRKEY_RSA_3072 = 7,`
		253609	`- XCP_IMPRKEY_MAX = XCP_IMPRKEY_RSA_3072`
		253609	`+ XCP_IMPRKEY_EC_P521_TKE = 8, /* EC, NIST P-521 (TKE propr. sign.) */`
		253609	`+ XCP_IMPRKEY_MAX = XCP_IMPRKEY_EC_P521_TKE`
		253609	`} XCP_IMPRKEY_t;`
		253609
		253609
		253609	`+//--- OA key types ----------------------------------------------------`
		253609	`+typedef enum {`
		253609	`+ XCP_OAKEY_RSA_4096 = 1, /* RSA 4096 bit */`
		253609	`+ XCP_OAKEY_ECC_P521 = 2, /* ECC NIST P-521 */`
		253609	`+ XCP_OAKEY_DIL_87R2 = 3, /* DIL 8-7 R2 */`
		253609	`+ XCP_OAKEY_MAX = XCP_OAKEY_DIL_87R2`
		253609	`+} XCP_OAKEY_t;`
		253609	`+`
		253609	`+`
		253609
		253609	`//--- retained key structures ---------------------------`
		253609	`// initial loading:`
		253609	`@@ -914,6 +786,7 @@ typedef struct CK_RETAINEDKEY_PARAMS {`
		253609
		253609
		253609
		253609	`+`
		253609	`//--- operation categories (perf. measurement) -----------------------------`
		253609	`typedef enum {`
		253609	`XCP_OPCAT_ASYMM_SLOW = 1,`
		253609	`@@ -951,7 +824,12 @@ typedef enum {`
		253609	`/* never be enabled due to */`
		253609	`/* policy-minimum restrictions. */`
		253609
		253609	`- CK_IBM_XCPQ_MAX = CK_IBM_XCPQ_CP_BLACKLIST`
		253609	`+ CK_IBM_XCPQ_PQC_STRENGTHS`
		253609	`+ = 14, /* supported quantum safe levels*/`
		253609	`+ /* of strength */`
		253609	`+ /* see: XCP_PQCStrength_t */`
		253609	`+`
		253609	`+ CK_IBM_XCPQ_MAX = CK_IBM_XCPQ_PQC_STRENGTHS`
		253609	`} CK_IBM_XCPQUERY_t;`
		253609
		253609	`//--- module sub-query sub-types --------------------------------------------`
		253609	`@@ -966,6 +844,9 @@ typedef enum {`
		253609	`/* attributes bitmask */`
		253609	`CK_IBM_XCPMSQ_ATTRS = 6, /* number of supported */`
		253609	`/* administrative attributes */`
		253609	`+ CK_IBM_XCPMSQ_MOD_V2 = 7, /* add version two fields to */`
		253609	`+ /* module query */`
		253609	`+ CK_IBM_XCPMSQ_MAX = CK_IBM_XCPMSQ_MOD_V2`
		253609	`} CK_IBM_XCPMSUBQUERY_t;`
		253609
		253609	`// byte sizes of queries which are not represented as structures`
		253609	`@@ -976,48 +857,34 @@ typedef enum {`
		253609
		253609	`#define CK_IBM_XCP_HOSTQ_IDX 0xff000000 /* host-only queries index, min. */`
		253609
		253609	`-typedef enum {`
		253609	`- CK_IBM_XCPHQ_COUNT = 0xff000000, /* number of host-query indexes */`
		253609	`- /* including this type itself */`
		253609	`- CK_IBM_XCPHQ_VERSION = 0xff000001, /* host-specific package version */`
		253609	`- /* such as packaging library ID */`
		253609	`- CK_IBM_XCPHQ_VERSION_HASH = 0xff000002,`
		253609	`- /* assumed-unique identifier of */`
		253609	`- /* host code, such as version- */`
		253609	`- /* identifying cryptographic hash */`
		253609	`- /* (library signature field...) */`
		253609	`- CK_IBM_XCPHQ_DIAGS = 0xff000003, /* host code diagnostic level */`
		253609	`- /* 0 if non-diagnostics host code */`
		253609	`- CK_IBM_XCPHQ_HVERSION = 0xff000004, /* human-readable host version */`
		253609	`- /* identification (recommended: */`
		253609	`- /* UTF-8 string) */`
		253609	`- CK_IBM_XCPHQ_TGT_MODE = 0xff000005, /* host targeting modes */`
		253609	`- /* returns supported target modes */`
		253609	`- /* as bitmask */`
		253609	`- /* if not available only compat */`
		253609	`- /* target mode is in use */`
		253609	`- /* See CK_IBM_XCPHQ_TGT_MODES_t */`
		253609	`- CK_IBM_XCPHQ_ECDH_DERPRM = 0xff000006,`
		253609	`- /* ECDH DeriveKey parameter usage */`
		253609	`- /* is being enforced with hostlib */`
		253609	`- /* version */`
		253609	`- /**/`
		253609	`- CK_IBM_XCPHQ_TOL_MODES = 0xff000007,/* check if toleration mode for */`
		253609	`- /* key attribute checking is */`
		253609	`- /* enabled */`
		253609	`- /* If it is, some attribute values*/`
		253609	`- /* are always set to correct */`
		253609	`- /* values automatically - */`
		253609	`- CK__IBM_XCPHQ_MAX = CK_IBM_XCPHQ_TGT_MODE`
		253609	`-} CK_IBM_XCPHQUERY_t;`
		253609	`-`
		253609	`-#define CK_IBM_XCPHQ_ATTR_TOL_ENABLED 0x00000001`
		253609	`- /* flag to indicate that toleration */`
		253609	`- /* mode for key attribute checking */`
		253609	`- /* is enabled i.e. all attributes */`
		253609	`- /* that may no longer be set CK_TRUE */`
		253609	`- /* using a CEX8S HSM will be reset */`
		253609	`- /* to CK_FALSE automatically */`
		253609	`+#define CK_IBM_XCPHQ_COUNT 0xff000000 /* number of host-query indexes */`
		253609	`+ /* including this type itself */`
		253609	`+#define CK_IBM_XCPHQ_VERSION 0xff000001 /* host-specific package version */`
		253609	`+ /* such as packaging library ID */`
		253609	`+#define CK_IBM_XCPHQ_VERSION_HASH 0xff000002`
		253609	`+ /* assumed-unique identifier of */`
		253609	`+ /* host code, such as version- */`
		253609	`+ /* identifying cryptographic hash*/`
		253609	`+ /* (library signature field...) */`
		253609	`+#define CK_IBM_XCPHQ_DIAGS 0xff000003 /* host code diagnostic level */`
		253609	`+ /* 0 if non-diagnostics host code*/`
		253609	`+#define CK_IBM_XCPHQ_HVERSION 0xff000004 /* human-readable host version */`
		253609	`+ /* identification (recommended: */`
		253609	`+ /* UTF-8 string) */`
		253609	`+#define CK_IBM_XCPHQ_TGT_MODE 0xff000005 /* host targeting modes */`
		253609	`+ /* returns supported target modes*/`
		253609	`+ /* as bitmask */`
		253609	`+ /* if not available only compat */`
		253609	`+ /* target mode is in use */`
		253609	`+ /* See CK_IBM_XCPHQ_TGT_MODES_t */`
		253609	`+#define CK_IBM_XCPHQ_ECDH_DERPRM 0xff000006`
		253609	`+ /* ECDH DeriveKey parameter usage*/`
		253609	`+ /* is being enforced with hostlib*/`
		253609	`+ /* version */`
		253609	`+ /**/`
		253609	`+`
		253609	`+#define CK__IBM_XCPHQ_MAX CK_IBM_XCPHQ_TGT_MODE`
		253609	`+`
		253609
		253609	`typedef enum {`
		253609	`CK_IBM_XCPHQ_TGT_MODES_TGTGRP = 1, /* target groups are supported */`
		253609	`@@ -1040,7 +907,6 @@ typedef enum {`
		253609	`CK_IBM_XCPXQ_IMPEXP_CAPS = 7, /* capability for WK and state */`
		253609	`/* export / import. See 8.7.1.1.1 */`
		253609	`/* for more info */`
		253609	`- CK_IBM_XCPXQ_DOMIMPORT_VER = 7, /* DEPRECATED */`
		253609	`CK_IBM_XCPXQ_CERT_MAXBYTES = 8, /* bytecount of largest accepted */`
		253609	`/* administrative certificate, if */`
		253609	`/* there is an upper limit. 0 if */`
		253609	`@@ -1058,20 +924,20 @@ typedef enum {`
		253609
		253609	`CK_IBM_XCPXQ_ECDSA_OTHER = 15, /* bitmask of supported, other EC`
		253609	`signing mechanisms */`
		253609	`+ CK_IBM_XCPXQ_OA_CAP = 16, /* bitmask of supported outbound`
		253609	`+ authority signing mechanisms */`
		253609
		253609	`- CK_IBM_XCPXQ_MAXIDX = CK_IBM_XCPXQ_ECDSA_OTHER,`
		253609	`+ CK_IBM_XCPXQ_MAXIDX = CK_IBM_XCPXQ_OA_CAP,`
		253609	`} CK_IBM_XCPEXTCAP_t;`
		253609
		253609
		253609	`-typedef enum {`
		253609	`- CK_IBM_DOM_ADMIND = 1, /* administrators present */`
		253609	`- CK_IBM_DOM_CURR_WK = 2, /* domain has current WK */`
		253609	`- CK_IBM_DOM_NEXT_WK = 4, /* domain has pending/next WK */`
		253609	`- CK_IBM_DOM_COMMITTED_NWK = 8, /* next WK is active(committed) */`
		253609	`- CK_IBM_DOM_IMPRINTED = 0x10, /* has left imprint mode */`
		253609	`- CK_IBM_DOM_IMPRINTS = 0x80000000, /* enforces imprint mode */`
		253609	`- CK_IBM_DOM_PROTKEY_ALLOW = 0x20 /* policies allow protected key */`
		253609	`-} CK_IBM_DOMAINQ_t;`
		253609	`+#define CK_IBM_DOM_ADMIND 1 /* administrators present */`
		253609	`+#define CK_IBM_DOM_CURR_WK 2 /* domain has current WK */`
		253609	`+#define CK_IBM_DOM_NEXT_WK 4 /* domain has pending/next WK */`
		253609	`+#define CK_IBM_DOM_COMMITTED_NWK 8 /* next WK is active(committed) */`
		253609	`+#define CK_IBM_DOM_IMPRINTED 0x10 /* has left imprint mode */`
		253609	`+#define CK_IBM_DOM_IMPRINTS 0x80000000 /* enforces imprint mode */`
		253609	`+#define CK_IBM_DOM_PROTKEY_ALLOW 0x20 /* policies allow protected key */`
		253609	`//`
		253609	`// note: CK_IBM_DOM_IMPRINTS will go away`
		253609
		253609	`@@ -1142,34 +1008,54 @@ typedef CK_IBM_XCPAPI_INFO CK_PTR CK_IBM_XCPAPI_INFO_PTR;`
		253609	`CK_BYTE infra_count; \`
		253609	`CK_BYTE comp_count;`
		253609
		253609	`+#define CK_IBM_XCP_ADMATTRLIST_MEMBER_V2 \`
		253609	`+ CK_BYTE perm_ext01_modes[ 8 ];`
		253609	`+`
		253609	`+#define CK_IBM_XCP_ADMATTRCOUNT_MEMBER_V2 \`
		253609	`+ CK_BYTE perm_ext01_count;`
		253609	`+`
		253609	`// see chapter 5.1.1. in the wire spec`
		253609	`typedef struct CK_IBM_XCP_INFO {`
		253609	`- CK_IBM_XCP_INFO_MEMBERS_V0;`
		253609	`+ CK_IBM_XCP_INFO_MEMBERS_V0`
		253609	`} CK_IBM_XCP_INFO;`
		253609	`//`
		253609	`// see chapter 5.1.1. in the wire spec`
		253609	`typedef struct CK_IBM_XCP_INFO_V1 {`
		253609	`- CK_IBM_XCP_INFO_MEMBERS_V0;`
		253609	`- CK_IBM_XCP_DESCINFO_MEMBER;`
		253609	`+ CK_IBM_XCP_INFO_MEMBERS_V0`
		253609	`+ CK_IBM_XCP_DESCINFO_MEMBER`
		253609	`CK_BYTE fnid_mask[ 16 ];`
		253609	`CK_BYTE fnid_count;`
		253609	`- CK_IBM_XCP_ADMATTRLIST_MEMBER;`
		253609	`- CK_IBM_XCP_ADMATTRCOUNT_MEMBER;`
		253609	`+ CK_IBM_XCP_ADMATTRLIST_MEMBER`
		253609	`+ CK_IBM_XCP_ADMATTRCOUNT_MEMBER`
		253609	`} CK_IBM_XCP_INFO_V1;`
		253609	`//`
		253609	`+// see chapter 5.1.1. in the wire spec`
		253609	`+typedef struct CK_IBM_XCP_INFO_V2 {`
		253609	`+ CK_IBM_XCP_INFO_MEMBERS_V0`
		253609	`+ CK_IBM_XCP_DESCINFO_MEMBER`
		253609	`+ CK_BYTE fnid_mask[ 16 ];`
		253609	`+ CK_BYTE fnid_count;`
		253609	`+ CK_IBM_XCP_ADMATTRLIST_MEMBER`
		253609	`+ CK_IBM_XCP_ADMATTRCOUNT_MEMBER`
		253609	`+ CK_IBM_XCP_ADMATTRLIST_MEMBER_V2`
		253609	`+ CK_IBM_XCP_ADMATTRCOUNT_MEMBER_V2`
		253609	`+} CK_IBM_XCP_INFO_V2;`
		253609	`+//`
		253609	`// see chapter 5.1.1.1. in the wire spec`
		253609	`typedef struct CK_IBM_XCP_DESCINFO {`
		253609	`- CK_IBM_XCP_DESCINFO_MEMBER;`
		253609	`+ CK_IBM_XCP_DESCINFO_MEMBER`
		253609	`} CK_IBM_XCP_DESCINFO;`
		253609	`//`
		253609	`// see chapter 5.1.1.3. in the wire spec`
		253609	`typedef struct CK_IBM_XCP_ATTRLIST {`
		253609	`CK_IBM_XCP_ADMATTRLIST_MEMBER`
		253609	`+ CK_IBM_XCP_ADMATTRLIST_MEMBER_V2`
		253609	`} CK_IBM_XCP_ATTRLIST;`
		253609	`//`
		253609	`// see chapter 5.1.1.3. in the wire spec`
		253609	`typedef struct CK_IBM_XCP_ATTRCOUNT {`
		253609	`CK_IBM_XCP_ADMATTRCOUNT_MEMBER`
		253609	`+ CK_IBM_XCP_ADMATTRCOUNT_MEMBER_V2`
		253609	`} CK_IBM_XCP_ATTRCOUNT;`
		253609
		253609	`/**/`
		253609	`@@ -1177,14 +1063,18 @@ typedef struct CK_IBM_XCP_ATTRCOUNT {`
		253609	`{ 0,0, {0,0,},{0,0,}, {0,},{0,},{0,}, {0,},{0,}, \`
		253609	`0,0, 0,0, 0,0,0,0,0,0,0, 0,0,0, }`
		253609
		253609	`-typedef CK_IBM_XCP_INFO CK_PTR CK_IBM_XCP_INFO_PTR;`
		253609	`-typedef CK_IBM_XCP_INFO_V1 CK_PTR CK_IBM_XCP_INFO_V1_PTR;`
		253609	`-typedef CK_IBM_XCP_DESCINFO CK_PTR CK_IBM_XCP_DESCINFO_PTR;`
		253609	`-typedef CK_IBM_XCP_ATTRLIST CK_PTR CK_IBM_XCP_ATTRLIST_PTR;`
		253609	`-typedef CK_IBM_XCP_ATTRCOUNT CK_PTR CK_IBM_XCP_ATTRCOUNT_PTR;`
		253609	`+#define CK_IBM_XCP_INFO_V2_INIT0 \`
		253609	`+ { 0,0, {0,0,},{0,0,}, {0,},{0,},{0,}, {0,},{0,}, \`
		253609	`+ 0,0, 0,0, 0,0,0,0,0,0,0, 0,0,0, \`
		253609	`+ {0}, {0}, {0}, 0, {0}, {0}, {0}, 0, 0, 0, \`
		253609	`+ {0}, 0}`
		253609
		253609	`-// DEPRECATED - use CK_IBM_XCP_INFO`
		253609	`-typedef CK_IBM_XCP_INFO CK_IBM_EP11_INFO;`
		253609	`+typedef CK_IBM_XCP_INFO CK_PTR CK_IBM_XCP_INFO_PTR;`
		253609	`+typedef CK_IBM_XCP_INFO_V1 CK_PTR CK_IBM_XCP_INFO_V1_PTR;`
		253609	`+typedef CK_IBM_XCP_INFO_V2 CK_PTR CK_IBM_XCP_INFO_V2_PTR;`
		253609	`+typedef CK_IBM_XCP_DESCINFO CK_PTR CK_IBM_XCP_DESCINFO_PTR;`
		253609	`+typedef CK_IBM_XCP_ATTRLIST CK_PTR CK_IBM_XCP_ATTRLIST_PTR;`
		253609	`+typedef CK_IBM_XCP_ATTRCOUNT CK_PTR CK_IBM_XCP_ATTRCOUNT_PTR;`
		253609
		253609	`typedef struct CK_IBM_DOMAIN_INFO {`
		253609	`CK_ULONG domain;`
		253609	`@@ -1227,9 +1117,31 @@ typedef enum {`
		253609	`} CK_IBM_BTC_t;`
		253609
		253609
		253609	`+typedef enum {`
		253609	`+ XCP_KEM_ENCAPSULATE = 1,`
		253609	`+ XCP_KEM_DECAPSULATE = 2,`
		253609	`+} XCP_KEM_t;`
		253609	`+`
		253609	`+typedef CK_ULONG CK_IBM_KEM_MODE;`
		253609	`+`
		253609	`+#define CK_IBM_KEM_ENCAPSULATE XCP_KEM_ENCAPSULATE`
		253609	`+#define CK_IBM_KEM_DECAPSULATE XCP_KEM_DECAPSULATE`
		253609	`+`
		253609	`+typedef struct XCP_KYBER_KEM_PARAMS {`
		253609	`+ CK_ULONG version;`
		253609	`+ CK_IBM_KEM_MODE mode;`
		253609	`+ CK_ULONG kdf;`
		253609	`+ CK_BBOOL prepend;`
		253609	`+ CK_BYTE *pCipher;`
		253609	`+ CK_ULONG ulCipherLen;`
		253609	`+ CK_BYTE *pSharedData;`
		253609	`+ CK_ULONG ulSharedDataLen;`
		253609	`+ CK_BYTE *pBlob;`
		253609	`+ CK_ULONG ulBlobLen;`
		253609	`+} XCP_KYBER_KEM_PARAMS_t;`
		253609	`+`
		253609	`+`
		253609	`//--- attribute constants --------------------------------------------------`
		253609	`-// keep in sync with unprivileged object (XCP_BLOB_NO_RIGHTS)`
		253609	`-// table is parsed by automated tools; please do not change layout`
		253609	`//`
		253609	`typedef enum {`
		253609	`XCP_BLOB_EXTRACTABLE = 1,`
		253609	`@@ -1309,8 +1221,8 @@ typedef enum {`
		253609	`/* CP sets get padded to multiple */`
		253609
		253609	`typedef enum {`
		253609	`- XCP_CPB_ADD_CPBS = 0, // allow addition (activation) of CP bits`
		253609	`- XCP_CPB_DELETE_CPBS = 1, // disable activating further control points`
		253609	`+ XCP_CPB_ADD_CPBS = 0, // allow activation of CP bits`
		253609	`+ XCP_CPB_DELETE_CPBS = 1, // allow deactivation of CP bits`
		253609	`// (remove both ADD_CPBs and DELETE_CPBs`
		253609	`// to make unit read-only)`
		253609
		253609	`@@ -1424,8 +1336,12 @@ typedef enum {`
		253609
		253609	`XCP_CPB_COMPAT_LEGACY_SHA3 = 70, // allow fall-back to non-standard`
		253609	`// SHA3 defaults`
		253609	`-`
		253609	`- XCP_CPBITS_MAX = XCP_CPB_COMPAT_LEGACY_SHA3 // marks last used CPB`
		253609	`+ XCP_CPB_DSA_PARAMETER_GEN = 71, // allow DSA/PQG parameter generation`
		253609	`+ XCP_CPB_DERIVE_NON_AB_KEYS = 72, // allow the derivation of a non-AB or raw`
		253609	`+ // from an AB key. Only relevant if`
		253609	`+ // XCP_CPB_NON_ATTRBOUND`
		253609	`+ XCP_CPBITS_MAX = XCP_CPB_DERIVE_NON_AB_KEYS`
		253609	`+ // marks last used CPB`
		253609	`} XCP_CPbit_t;`
		253609
		253609
		253609	`@@ -1623,7 +1539,7 @@ typedef enum {`
		253609	`// blob/SPKI`
		253609	`XCP_ADM_DOMAINS_ZEROIZE = 36, // multi-domain zeroize`
		253609	`// XCP_ADM_EXPORT_NEXT_WK = 38, // placeholder, find real entry above`
		253609	`- XCP_ADM_SESSIONS_DROP = 39, // drop all open sessions`
		253609	`+ XCP_ADM_SESSION_REMOVE = 39, // remove all or selected sessions`
		253609
		253609	`XCP_ADMQ_ADMIN = 1 \| XCP_ADM_QUERY, // admin SKI/cert`
		253609	`XCP_ADMQ_DOMADMIN = 2 \| XCP_ADM_QUERY, // domain adm. SKI/cert`
		253609	`@@ -1648,10 +1564,11 @@ typedef enum {`
		253609	`// current migration importer`
		253609	`XCP_ADMQ_AUDIT_STATE = 16 \| XCP_ADM_QUERY,`
		253609	`// audit state entry or event count`
		253609	`- XCP_ADMQ_LASTCMD_DOM_MASK = 17 \| XCP_ADM_QUERY`
		253609	`+ XCP_ADMQ_LASTCMD_DOM_MASK = 17 \| XCP_ADM_QUERY,`
		253609	`// domain-bitmask affected by last`
		253609	`// state-related administrative`
		253609	`// command (export, import)`
		253609	`+ XCP_ADMQ_SVCADMIN = 18 \| XCP_ADM_QUERY, // svc admin SKI/cert`
		253609	`} XCP_Admcmd_t;`
		253609
		253609	`typedef enum {`
		253609	`@@ -1660,7 +1577,8 @@ typedef enum {`
		253609	`XCP_ADMINT_PERMS = 3, // permissions`
		253609	`XCP_ADMINT_MODE = 4, // operating mode`
		253609	`XCP_ADMINT_STD = 5, // standards' compliance`
		253609	`- XCP_ADMINT_IDX_MAX = XCP_ADMINT_STD`
		253609	`+ XCP_ADMINT_PERMS_EXT01 = 6, // permissions (extension #1)`
		253609	`+ XCP_ADMINT_IDX_MAX = XCP_ADMINT_PERMS_EXT01`
		253609	`} XCP_AdmAttr_t;`
		253609
		253609	`#define XCP_ADMIN_ATTRIBUTE_COUNT XCP_ADMINT_IDX_MAX`
		253609	`@@ -1719,6 +1637,29 @@ typedef enum {`
		253609	`#define XCP_ADMP_CHG_DO_NOT_DISTURB \`
		253609	`0x80000000 // allow changing the corresponding`
		253609	`// Do Not Disturb bit`
		253609	`+`
		253609	`+//`
		253609	`+// permissions (extension 01)`
		253609	`+//`
		253609	`+#define XCP_ADMP_NQS_OA_SIGNATURES 1 // enable non-quantum-safe OA signat.`
		253609	`+#define XCP_ADMP_QS_OA_SIGNATURES 2 // enable quantum-safe OA signatures`
		253609	`+#define XCP_ADMP_NQS_ADM_SIGNATURES 4 // enable non-quantum-safe adm signat.`
		253609	`+#define XCP_ADMP_QS_ADM_SIGNATURES 8 // enable quantum-safe adm signatures`
		253609	`+`
		253609	`+#define XCP_ADMP_CHG_NQS_OA_SIGNATURES \`
		253609	`+ 0x10000 // allow changing the corresponding`
		253609	`+ // non-quantum-safe OA signature bit`
		253609	`+#define XCP_ADMP_CHG_QS_OA_SIGNATURES \`
		253609	`+ 0x20000 // allow changing the corresponding`
		253609	`+ // quantum-safe OA signature bit`
		253609	`+#define XCP_ADMP_CHG_NQS_ADM_SIGNATURES \`
		253609	`+ 0x40000 // allow changing the corresponding`
		253609	`+ // non-quantum-safe adm signature bit`
		253609	`+#define XCP_ADMP_CHG_QS_ADM_SIGNATURES \`
		253609	`+ 0x80000 // allow changing the corresponding`
		253609	`+ // quantum-safe adm signature bit`
		253609	`+`
		253609	`+`
		253609	`//`
		253609	`// if adding other change-control bits, also update:`
		253609	`// prevented_perm_changes()`
		253609	`@@ -1754,15 +1695,49 @@ typedef enum {`
		253609	`XCP_ADMP_STATE_1PART \| \`
		253609	`XCP_ADMP_DO_NOT_DISTURB)`
		253609	`//`
		253609	`+// CHGBITS / PERMS (extension 01)`
		253609	`+#define XCP_ADMP__CHGBITS_EXT01 \`
		253609	`+ (XCP_ADMP_CHG_NQS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_CHG_QS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_CHG_NQS_ADM_SIGNATURES \| \`
		253609	`+ XCP_ADMP_CHG_QS_ADM_SIGNATURES)`
		253609	`+//`
		253609	`+#define XCP_ADMP__PERMS_EXT01 \`
		253609	`+ (XCP_ADMP_NQS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_QS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_NQS_ADM_SIGNATURES \| \`
		253609	`+ XCP_ADMP_QS_ADM_SIGNATURES)`
		253609	`+//`
		253609	`+#define XCP__ADMP_SUP_EXT01 (XCP_ADMP__PERMS_EXT01 \| \`
		253609	`+ XCP_ADMP__CHGBITS_EXT01)`
		253609	`+//`
		253609	`+//`
		253609	`#define XCP_ADMP__DEFAULT \`
		253609	`(XCP_ADMP_WK_IMPORT \| \`
		253609	`XCP_ADMP_1SIGN \| \`
		253609	`XCP_ADMP__CHGBITS)`
		253609	`//`
		253609	`+#define XCP_ADMP__DEFAULT_EXT01 \`
		253609	`+ (XCP_ADMP__CHGBITS_EXT01 \| \`
		253609	`+ XCP_ADMP_NQS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_QS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_NQS_ADM_SIGNATURES \| \`
		253609	`+ XCP_ADMP_QS_ADM_SIGNATURES)`
		253609	`+//`
		253609	`#define XCPM_ADMP__MODULE_DEFAULTS_MASK \`
		253609	`(XCP_ADMP_DO_NOT_DISTURB \| \`
		253609	`XCP_ADMP_CHG_DO_NOT_DISTURB)`
		253609	`//`
		253609	`+#define XCPM_ADMP__MODULE_DEFAULTS_MASK_EXT01 \`
		253609	`+ (XCP_ADMP_NQS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_CHG_NQS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_QS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_CHG_QS_OA_SIGNATURES \| \`
		253609	`+ XCP_ADMP_NQS_ADM_SIGNATURES \| \`
		253609	`+ XCP_ADMP_CHG_NQS_ADM_SIGNATURES \| \`
		253609	`+ XCP_ADMP_QS_ADM_SIGNATURES \| \`
		253609	`+ XCP_ADMP_CHG_QS_ADM_SIGNATURES)`
		253609	`+//`
		253609	`#define XCP_ADMP__CARD_MASK \`
		253609	`~(XCP_ADMP_WK_IMPORT \| \`
		253609	`XCP_ADMP_WK_EXPORT \| \`
		253609	`@@ -1775,6 +1750,9 @@ typedef enum {`
		253609	`XCP_ADMP_CHG_WK_RANDOM \| \`
		253609	`XCP_ADMP_CHG_CP_1SIGN)`
		253609	`//`
		253609	`+#define XCP_ADMP__CARD_MASK_EXT01 \`
		253609	`+ ~(0U)`
		253609	`+//`
		253609	`#define XCP_ADMP__DOM_MASK \`
		253609	`~(XCP_ADMP_NO_DOMAIN_IMPRINT \| \`
		253609	`XCP_ADMP_STATE_IMPORT \| \`
		253609	`@@ -1784,6 +1762,12 @@ typedef enum {`
		253609	`XCP_ADMP_CHG_ST_EXPORT \| \`
		253609	`XCP_ADMP_CHG_ST_1PART)`
		253609	`//`
		253609	`+#define XCP_ADMP__DOM_MASK_EXT01 \`
		253609	`+ ~(0U)`
		253609	`+//`
		253609	`+`
		253609	`+#define XCP__ADMP_SUP ((XCP_ADMP__PERMS \| XCP_ADMP__CHGBITS) &\`
		253609	`+ ~XCP_ADMP_NOT_SUP)`
		253609
		253609	`// card modes`
		253609	`#define XCP_ADMM_AUTHENTICATED 1U // no longer in imprint mode`
		253609	`@@ -1838,6 +1822,8 @@ typedef enum {`
		253609	`XCP_ADMM_STR_192BIT \| \`
		253609	`XCP_ADMM_STR_256BIT)`
		253609
		253609	`+#define XCP__ADMM_SUP XCP_ADMM__MASK`
		253609	`+`
		253609	`// specific standards' compliance suites`
		253609	`#define XCP_ADMS_FIPS2009 1 // NIST, 80+ bits, -2011.01.01.`
		253609	`#define XCP_ADMS_BSI2009 2 // BSI , 80+ bits, -2011.01.01.`
		253609	`@@ -1850,18 +1836,74 @@ typedef enum {`
		253609	`//`
		253609	`#define XCP_ADMS_BSICC2017 0x40 // BSI, EP11 Common Criteria EAL4 2017`
		253609	`//`
		253609	`+#define XCP_ADMS_FIPS2021 0x80 // NIST SP800-131A REV.2, 2021.01.01`
		253609	`+#define XCP_ADMS_FIPS2024 0x100 // NIST SP800-131A REV.2, 2024.01.01`
		253609	`+#define XCP_ADMS_ADM_FIPS2021 0x200 // NIST SP800-131A REV.2, 2021.01.01`
		253609
		253609	`#define XCP_ADMS__ALL \`
		253609	`(XCP_ADMS_FIPS2009 \| \`
		253609	`XCP_ADMS_BSI2009 \| \`
		253609	`XCP_ADMS_FIPS2011 \| \`
		253609	`XCP_ADMS_BSI2011 \| \`
		253609	`+ XCP_ADMS_BSICC2017 \| \`
		253609	`+ XCP_ADMS_FIPS2021 \| \`
		253609	`+ XCP_ADMS_FIPS2024 \| \`
		253609	`+ XCP_ADMS_ADM_FIPS2021)`
		253609	`+`
		253609	`+#define XCP_ADMS__SUPP (XCP_ADMS__ALL & \`
		253609	`+ ~(XCP_ADMS_FIPS2021 \| \`
		253609	`+ XCP_ADMS_ADM_FIPS2021 \| \`
		253609	`+ XCP_ADMS_FIPS2024))`
		253609	`+`
		253609	`+// The following 'legacy' defines are used as default 'supported bit masks'`
		253609	`+// for older devices that do not have native bit masks for that purpose.`
		253609	`+// Note: If supported bits are not present, the import of these bits are`
		253609	`+// skipped and the default values will be kept.`
		253609	`+#define XCP__ADMP_SUP_LEGACY \`
		253609	`+ (XCP_ADMP_WK_IMPORT \| \`
		253609	`+ XCP_ADMP_WK_EXPORT \| \`
		253609	`+ XCP_ADMP_WK_1PART \| \`
		253609	`+ XCP_ADMP_WK_RANDOM \| \`
		253609	`+ XCP_ADMP_1SIGN \| \`
		253609	`+ XCP_ADMP_CP_1SIGN \| \`
		253609	`+ XCP_ADMP_ZERO_1SIGN \| \`
		253609	`+ XCP_ADMP_NO_DOMAIN_IMPRINT \| \`
		253609	`+ XCP_ADMP_STATE_IMPORT \| \`
		253609	`+ XCP_ADMP_STATE_EXPORT \| \`
		253609	`+ XCP_ADMP_STATE_1PART \| \`
		253609	`+ XCP_ADMP_CHG_WK_IMPORT \| \`
		253609	`+ XCP_ADMP_CHG_WK_EXPORT \| \`
		253609	`+ XCP_ADMP_CHG_WK_1PART \| \`
		253609	`+ XCP_ADMP_CHG_WK_RANDOM \| \`
		253609	`+ XCP_ADMP_CHG_SIGN_THR \| \`
		253609	`+ XCP_ADMP_CHG_REVOKE_THR \| \`
		253609	`+ XCP_ADMP_CHG_1SIGN \| \`
		253609	`+ XCP_ADMP_CHG_CP_1SIGN \| \`
		253609	`+ XCP_ADMP_CHG_ZERO_1SIGN \| \`
		253609	`+ XCP_ADMP_CHG_ST_IMPORT \| \`
		253609	`+ XCP_ADMP_CHG_ST_EXPORT \| \`
		253609	`+ XCP_ADMP_CHG_ST_1PART)`
		253609	`+`
		253609	`+#define XCP__ADMM_SUP_LEGACY \`
		253609	`+ (XCP_ADMM_AUTHENTICATED \| \`
		253609	`+ XCP_ADMM_EXTWNG \| \`
		253609	`+ XCP_ADMM_WKCLEAN_EXTWNG \| \`
		253609	`+ XCP_ADMM_BATT_LOW \| \`
		253609	`+ XCP_ADMM_API_ACTIVE)`
		253609	`+`
		253609	`+#define XCP_ADMS__ALL_LEGACY \`
		253609	`+ (XCP_ADMS_FIPS2009 \| \`
		253609	`+ XCP_ADMS_BSI2009 \| \`
		253609	`+ XCP_ADMS_FIPS2011 \| \`
		253609	`+ XCP_ADMS_BSI2011 \| \`
		253609	`XCP_ADMS_BSICC2017)`
		253609
		253609	`+#define XCP__ADMP_SUP_EXT01_LEGACY (0)`
		253609	`+`
		253609	`// has compliance any BSI mode`
		253609	`-#define XCP_ADMS_IS_BSI(mode) (!!(mode & (XCP_ADMS_BSI2009 \| \`
		253609	`- XCP_ADMS_BSI2011 \| \`
		253609	`- XCP_ADMS_BSICC2017 )) )`
		253609	`+#define XCP_ADMS_IS_BSI(mode) (!!((mode) & (XCP_ADMS_BSI2009 \| \`
		253609	`+ XCP_ADMS_BSI2011 \| \`
		253609	`+ XCP_ADMS_BSICC2017 )) )`
		253609	`// mask of supported import keys`
		253609	`// 3k and 4k RSA are not supported`
		253609	`#define XCP_ADM_IMPEXP_KEYS__MASK \`
		253609	`@@ -1870,7 +1912,8 @@ typedef enum {`
		253609	`(1 << XCP_IMPRKEY_EC_P521) \| \`
		253609	`(1 << XCP_IMPRKEY_EC_BP256r) \| \`
		253609	`(1 << XCP_IMPRKEY_EC_BP320r) \| \`
		253609	`- (1 << XCP_IMPRKEY_EC_BP512r))`
		253609	`+ (1 << XCP_IMPRKEY_EC_BP512r) \| \`
		253609	`+ (1 << XCP_IMPRKEY_EC_P521_TKE))`
		253609
		253609
		253609	`/--- audit chains -------------------------------------------------------/`
		253609	`@@ -1922,50 +1965,55 @@ typedef enum {`
		253609
		253609	`/--- state serialization ------------------------------------------------/`
		253609	`typedef enum {`
		253609	`- XCP_STSTYPE_SECTIONCOUNT = 1, // section count +file hash`
		253609	`- XCP_STSTYPE_DOMAINIDX_MAX = 2, // largest index +total nr of domains`
		253609	`- XCP_STSTYPE_DOMAINS_MASK = 3, // bitmask of included domains`
		253609	`- XCP_STSTYPE_SERIALNR = 4,`
		253609	`- XCP_STSTYPE_CREATE_TIME = 5, // file date/time (UTC)`
		253609	`- XCP_STSTYPE_FCV = 6, // public parts of originating FCV`
		253609	`- XCP_STSTYPE_CARD_QUERY = 7, // card state structure (xcp_info)`
		253609	`- XCP_STSTYPE_CARD_ADM_SKIS = 8, // card admin SKIs, packed`
		253609	`- XCP_STSTYPE_CARD_ADM_CERTS = 9, // card admin certificates, packed`
		253609	`- XCP_STSTYPE_DOM_ADM_SKIS = 10, // domain admin SKIs, packed`
		253609	`- XCP_STSTYPE_DOM_ADM_CERTS = 11, // domain admin certificates, packed`
		253609	`- XCP_STSTYPE_DOM_QUERY = 12, // domain state structure (xcp_info)`
		253609	`- XCP_STSTYPE_KPH_SKIS = 13, // count and SKIs of targeted KPHs`
		253609	`- XCP_STSTYPE_CARD_ATTRS = 14, // card attributes`
		253609	`- XCP_STSTYPE_DOM_ATTRS = 15, // domain attributes`
		253609	`- XCP_STSTYPE_CARD_TRANSCTR = 16, // card transaction counter`
		253609	`- XCP_STSTYPE_DOM_TRANSCTR = 17, // domain transaction counter`
		253609	`- XCP_STSTYPE_WK_ENCR_ALG = 18,`
		253609	`- XCP_STSTYPE_WK_ENCR_DATA = 19,`
		253609	`- XCP_STSTYPE_SIG_CERT_COUNT = 20,`
		253609	`- XCP_STSTYPE_SIG_CERTS = 21,`
		253609	`- XCP_STSTYPE_FILE_SIG = 22,`
		253609	`- XCP_STSTYPE_DOM_CPS = 23, // full set of control points`
		253609	`- XCP_STSTYPE_STATE_SALT = 24,`
		253609	`- XCP_STSTYPE_KEYPART = 25, // encrypted keypart (RecipientInfo)`
		253609	`- XCP_STSTYPE_KEYPART_SIG = 26, // signature on encrypted keypart`
		253609	`- XCP_STSTYPE_KEYPART_COUNT = 27, // total number of keyparts`
		253609	`- XCP_STSTYPE_KEYPART_LIMIT = 28, // number of keyparts needed to`
		253609	`- // restore`
		253609	`- XCP_STSTYPE_KEYPART_CERT = 29, // certificate of keypart holder`
		253609	`- XCP_STSTYPE_CERT_AUTH = 30, // certificate authority issuing`
		253609	`- // some of the certificates. This`
		253609	`- // field contains host-supplied data`
		253609	`- // and it is ignored by EP11 itself.`
		253609	`- XCP_STSTYPE_STATE_SCOPE = 31, // restriction on contents of full`
		253609	`- // state structure`
		253609	`- XCP_STSTYPE_MULTIIMPORT_MASK`
		253609	`- = 32, // import only: designate import`
		253609	`- // request to be replicated into`
		253609	`- // multiple recipient domains`
		253609	`- XCP_STSTYPE_CPS_MASK = 33, // bitmask of all CPs supported`
		253609	`- // by the exporting module`
		253609	`-`
		253609	`- XCP_STSTYPE_MAX = XCP_STSTYPE_CPS_MASK`
		253609	`+ XCP_STSTYPE_SECTIONCOUNT = 1, // section count +file hash`
		253609	`+ XCP_STSTYPE_DOMAINIDX_MAX = 2, // largest index +total nr of doms`
		253609	`+ XCP_STSTYPE_DOMAINS_MASK = 3, // bitmask of included domains`
		253609	`+ XCP_STSTYPE_SERIALNR = 4,`
		253609	`+ XCP_STSTYPE_CREATE_TIME = 5, // file date/time (UTC)`
		253609	`+ XCP_STSTYPE_FCV = 6, // public parts of originating FCV`
		253609	`+ XCP_STSTYPE_CARD_QUERY = 7, // V0 card state struct (xcp_info)`
		253609	`+ XCP_STSTYPE_CARD_ADM_SKIS = 8, // card admin SKIs, packed`
		253609	`+ XCP_STSTYPE_CARD_ADM_CERTS = 9, // card admin certificates, packed`
		253609	`+ XCP_STSTYPE_DOM_ADM_SKIS = 10, // domain admin SKIs, packed`
		253609	`+ XCP_STSTYPE_DOM_ADM_CERTS = 11, // domain admin certs, packed`
		253609	`+ XCP_STSTYPE_DOM_QUERY = 12, // domain state struct (xcp_info)`
		253609	`+ XCP_STSTYPE_KPH_SKIS = 13, // count and SKIs of targeted KPHs`
		253609	`+ XCP_STSTYPE_CARD_ATTRS = 14, // card attributes`
		253609	`+ XCP_STSTYPE_DOM_ATTRS = 15, // domain attributes`
		253609	`+ XCP_STSTYPE_CARD_TRANSCTR = 16, // card transaction counter`
		253609	`+ XCP_STSTYPE_DOM_TRANSCTR = 17, // domain transaction counter`
		253609	`+ XCP_STSTYPE_WK_ENCR_ALG = 18,`
		253609	`+ XCP_STSTYPE_WK_ENCR_DATA = 19,`
		253609	`+ XCP_STSTYPE_SIG_CERT_COUNT = 20,`
		253609	`+ XCP_STSTYPE_SIG_CERTS = 21,`
		253609	`+ XCP_STSTYPE_FILE_SIG = 22,`
		253609	`+ XCP_STSTYPE_DOM_CPS = 23, // full set of control points`
		253609	`+ XCP_STSTYPE_STATE_SALT = 24,`
		253609	`+ XCP_STSTYPE_KEYPART = 25, // encrypted keypart (RecipientInfo)`
		253609	`+ XCP_STSTYPE_KEYPART_SIG = 26, // signature on encrypted keypart`
		253609	`+ XCP_STSTYPE_KEYPART_COUNT = 27, // total number of keyparts`
		253609	`+ XCP_STSTYPE_KEYPART_LIMIT = 28, // number of keyparts needed to`
		253609	`+ // restore`
		253609	`+ XCP_STSTYPE_KEYPART_CERT = 29, // certificate of keypart holder`
		253609	`+ XCP_STSTYPE_CERT_AUTH = 30, // certificate authority issuing`
		253609	`+ // some of the certificates. This`
		253609	`+ // field contains host-supplied data`
		253609	`+ // and it is ignored by EP11 itself.`
		253609	`+ XCP_STSTYPE_STATE_SCOPE = 31, // restriction on contents of full`
		253609	`+ // state structure`
		253609	`+ XCP_STSTYPE_MULTIIMPORT_MASK = 32, // import only: designate import`
		253609	`+ // request to be replicated into`
		253609	`+ // multiple recipient domains`
		253609	`+ XCP_STSTYPE_CPS_MASK = 33, // bitmask of all CPs supported`
		253609	`+ // by the exporting module`
		253609	`+ XCP_STSTYPE_CARD_QUERY_V1 = 34, // V1 card state struct (xcp_info)`
		253609	`+ XCP_STSTYPE_CARD_QUERY_V2 = 35, // V2 card state struct (xcp_info)`
		253609	`+ XCP_STSTYPE_CARD_EXTADM_SKIS = 36, // ext. card admin SKIs, packed`
		253609	`+ XCP_STSTYPE_CARD_EXTADM_CERTS = 37, // ext. card admin certs, packed`
		253609	`+ XCP_STSTYPE_DOM_EXTADM_SKIS = 38, // ext. dom admin SKIs, packed`
		253609	`+ XCP_STSTYPE_DOM_EXTADM_CERTS = 39, // ext. dom admin certs, packed`
		253609	`+`
		253609	`+ XCP_STSTYPE_MAX = XCP_STSTYPE_DOM_EXTADM_CERTS`
		253609	`} XCP_StateSection_t;`
		253609
		253609	`typedef enum {`
		253609	`@@ -1991,7 +2039,11 @@ typedef enum {`
		253609	`// not return KPH certificates`
		253609	`XCP_STWK_KP_NO_OA_CHAIN = 8, // keypart section restricted to`
		253609	`// not return OA certificate chain`
		253609	`- XCP_STDATA_MAX = ((XCP_STWK_KP_NO_OA_CHAIN *2) -1)`
		253609	`+ XCP_STDATA_NQS = 0x20,// allow use of non-quantum-safe`
		253609	`+ // algorithms in KP export/signature`
		253609	`+ XCP_STDATA_QS = 0x40,// allow use of quantum-safe`
		253609	`+ // algorithms in KP export/signature`
		253609	`+ XCP_STDATA_MAX = ((XCP_STDATA_QS *2) -1)`
		253609	`} XCP_StateType_t;`
		253609
		253609	`// type \|\| identifier prefixes`
		253609	`@@ -2124,10 +2176,6 @@ typedef enum {`
		253609	`#define XCP_EC_MAX_ID_BYTES 11 /* fits all EC names/OIDs */`
		253609
		253609
		253609	`-// Dilithium related OIDs`
		253609	`-#define XCP_PQC_DILITHIUM_65_NAME "\x6\xB\x2B\x6\x1\x4\x1\x2\x82\xB\x1\x6\x5"`
		253609	`-#define XCP_PQC_DILITHIUM_65_NAME_BYTES 13`
		253609	`-`
		253609	`/------------------------------------/`
		253609	`typedef enum {`
		253609	`XCP_EC_C_NIST_P192 = 1, /* NIST, FP curves */`
		253609	`@@ -2158,6 +2206,7 @@ typedef enum {`
		253609	`XCP_EC_C_ED25519 = 26, /* ed25519, EDDSA */`
		253609
		253609
		253609	`+ XCP_EC_C_MAX = 27 /* last possible value */`
		253609
		253609	`} XCP_ECcurve_t;`
		253609
		253609	`@@ -2175,6 +2224,56 @@ typedef enum {`
		253609	`} XCP_ECCurveGrp_t;`
		253609
		253609
		253609	`+/--- PQC algorithms ------------------------------------------------------/`
		253609	`+`
		253609	`+// Dilithium related OIDs`
		253609	`+// Round 2 Dilithium-3 (5-4)`
		253609	`+#define XCP_PQC_DILITHIUM_R2_54 "\x6\xb\x2b\x6\x1\x4\x1\x2\x82\xb\x1\x5\x4"`
		253609	`+#define XCP_PQC_DILITHIUM_R2_54_BYTES 13`
		253609	`+// Round 2 Dilithium-4 (6-5)`
		253609	`+#define XCP_PQC_DILITHIUM_R2_65 "\x6\xb\x2b\x6\x1\x4\x1\x2\x82\xb\x1\x6\x5"`
		253609	`+#define XCP_PQC_DILITHIUM_R2_65_BYTES 13`
		253609	`+// Round 2 Dilithium-5 (8-7)`
		253609	`+#define XCP_PQC_DILITHIUM_R2_87 "\x6\xb\x2b\x6\x1\x4\x1\x2\x82\xb\x1\x8\x7"`
		253609	`+#define XCP_PQC_DILITHIUM_R2_87_BYTES 13`
		253609	`+// Round 3 Dilithium-2 (4-4)`
		253609	`+#define XCP_PQC_DILITHIUM_R3_44 "\x6\xb\x2b\x6\x1\x4\x1\x2\x82\xb\x7\x4\x4"`
		253609	`+#define XCP_PQC_DILITHIUM_R3_44_BYTES 13`
		253609	`+// Round 3 Dilithium-3 (6-5)`
		253609	`+#define XCP_PQC_DILITHIUM_R3_65 "\x6\xb\x2b\x6\x1\x4\x1\x2\x82\xb\x7\x6\x5"`
		253609	`+#define XCP_PQC_DILITHIUM_R3_65_BYTES 13`
		253609	`+// Round 3 Dilithium-5 (8-7)`
		253609	`+#define XCP_PQC_DILITHIUM_R3_87 "\x6\xb\x2b\x6\x1\x4\x1\x2\x82\xb\x7\x8\x7"`
		253609	`+#define XCP_PQC_DILITHIUM_R3_87_BYTES 13`
		253609	`+`
		253609	`+// Round 2 Kyber 512`
		253609	`+#define XCP_PQC_KYBER_R2_512 "\x6\x9\x2B\x6\x1\x4\x1\x2\x82\xB\x5"`
		253609	`+#define XCP_PQC_KYBER_R2_512_BYTES 11`
		253609	`+`
		253609	`+// Round 2 Kyber 768`
		253609	`+#define XCP_PQC_KYBER_R2_768 "\x6\xB\x2B\x6\x1\x4\x1\x2\x82\xB\x5\x3\x3"`
		253609	`+#define XCP_PQC_KYBER_R2_768_BYTES 13`
		253609	`+`
		253609	`+// Round 2 Kyber 1024`
		253609	`+#define XCP_PQC_KYBER_R2_1024 "\x6\xB\x2B\x6\x1\x4\x1\x2\x82\xB\x5\x4\x4"`
		253609	`+#define XCP_PQC_KYBER_R2_1024_BYTES 13`
		253609	`+`
		253609	`+/------------------------------------/`
		253609	`+typedef enum {`
		253609	`+ XCP_PQC_S_DILITHIUM_R2_54 = 1, /* Round-2 Dilithium */`
		253609	`+ XCP_PQC_S_DILITHIUM_R2_65 = 2,`
		253609	`+ XCP_PQC_S_DILITHIUM_R2_87 = 3,`
		253609	`+ XCP_PQC_S_DILITHIUM_R3_44 = 4, /* Round-3 Dilithium */`
		253609	`+ XCP_PQC_S_DILITHIUM_R3_65 = 5,`
		253609	`+ XCP_PQC_S_DILITHIUM_R3_87 = 6,`
		253609	`+ XCP_PQC_S_KYBER_R2_512 = 7, /* Round-2 Kyber */`
		253609	`+ XCP_PQC_S_KYBER_R2_768 = 8,`
		253609	`+ XCP_PQC_S_KYBER_R2_1024 = 9,`
		253609	`+`
		253609	`+ XCP_PQC_MAX = XCP_PQC_S_KYBER_R2_1024,`
		253609	`+} XCP_PQCStrength_t;`
		253609	`+`
		253609	`+`
		253609	`// binary encoding of function/version query`
		253609	`// SEQUENCE { OCTET STRING (0) }`
		253609	`// module responds with API version and build ID`
		253609	`@@ -2343,12 +2442,15 @@ typedef enum {`
		253609	`XCP_DEV_FLIP_ERRORSTATE = 68, // explicitly flip the setting of the`
		253609	`// error state of the module`
		253609	`XCP_DEV_AESKW = 69,`
		253609	`- XCP_DEV_MAX_INDEX = XCP_DEV_AESKW`
		253609	`+ XCP_DEV_UNIT_TEST = 72, // run unit tests on module`
		253609	`+`
		253609	`+`
		253609	`+ XCP_DEV_MAX_INDEX = XCP_DEV_UNIT_TEST`
		253609	`} XCP_DEVcmd_t;`
		253609	`//`
		253609	`// upper limit on additional data bytes, for SYS-TEST commands with aux. data`
		253609	`// (arbitrary limit, commands may restict further)`
		253609	`-#define XCP_DEV_MAX_DATABYTES ((size_t) 4096)`
		253609	`+#define XCP_DEV_MAX_DATABYTES ((size_t) 64000)`
		253609	`//`
		253609	`// iteration-count limit applies to any iterative call`
		253609	`// driver[timeout] may interfere; dev-only feature is not otherwise restricted`
		253609	`@@ -2412,23 +2514,207 @@ typedef enum {`
		253609	`#define CKG_IBM_MGF1_SHA3_384 (CKG_VENDOR_DEFINED +3)`
		253609	`#define CKG_IBM_MGF1_SHA3_512 (CKG_VENDOR_DEFINED +4)`
		253609
		253609	`+#if !defined(CKD_VENDOR_DEFINED)`
		253609	`+#define CKD_VENDOR_DEFINED 0x80000000UL`
		253609	`+#endif`
		253609
		253609	`+#define CKD_IBM_HYBRID_NULL (CKD_VENDOR_DEFINED + 0x00000001UL)`
		253609	`+#define CKD_IBM_HYBRID_SHA1_KDF (CKD_VENDOR_DEFINED + 0x00000002UL)`
		253609	`+#define CKD_IBM_HYBRID_SHA224_KDF (CKD_VENDOR_DEFINED + 0x00000003UL)`
		253609	`+#define CKD_IBM_HYBRID_SHA256_KDF (CKD_VENDOR_DEFINED + 0x00000004UL)`
		253609	`+#define CKD_IBM_HYBRID_SHA384_KDF (CKD_VENDOR_DEFINED + 0x00000005UL)`
		253609	`+#define CKD_IBM_HYBRID_SHA512_KDF (CKD_VENDOR_DEFINED + 0x00000006UL)`
		253609
		253609	`-typedef uint64_t target_t;`
		253609	`-`
		253609	`-#define XCP_TGT_INIT ~0UL`
		253609	`+#define XCP_MODEL_CEX4P 4`
		253609	`+#define XCP_MODEL_CEX5P 5`
		253609	`+#define XCP_MODEL_CEX6P 6`
		253609	`+#define XCP_MODEL_CEX7P 7`
		253609	`+#define XCP_MODEL_CEX8P 8`
		253609
		253609	`-#define XCP_TGT_FMT "x%016" PRIx64`
		253609	`+/--------------------------------------------------------------------------/`
		253609	`+// max value for target groups`
		253609	`+#define XCP_MAX_GRPIDX 1024u`
		253609
		253609	`-// initializes the library`
		253609	`-int m_init(void);`
		253609	`-// shutting down the library`
		253609	`-int m_shutdown(void);`
		253609	`+//`
		253609	`+// macros for setting/checking and removing domains from (tgt.mgmt) domain mask`
		253609	`+#define XCPTGTMASK_SET_DOM(mask, domain) \`
		253609	`+ ((mask)[((domain)/8)] \|= (1 << (7-(domain)%8)))`
		253609	`+#define XCPTGTMASK_DOM_IS_SET(mask, domain) \`
		253609	`+ ((mask)[((domain)/8)] & (1 << (7-(domain)%8)))`
		253609	`+#define XCPTGTMASK_CLR_DOM(mask, domain) \`
		253609	`+ ((mask)[((domain)/8)] &= ~(1 << (7-(domain)%8)))`
		253609	`+`
		253609	`+`
		253609	`+/* flags that can be set for the target tokens`
		253609	`+ *`
		253609	`+ * This flags are domain specific and are therefore called domain flags`
		253609	`+ *`
		253609	`+ * start of flags is >16 Bit. Max value for domains is 0xFF. Should be enough`
		253609	`+ * room for extensions`
		253609	`+ */`
		253609	`+#define XCP_TGTFL_WCAP 0x10000000 /* Capture wire request in output buffer`
		253609	`+ * without sending it to the module`
		253609	`+ */`
		253609	`+#define XCP_TGTFL_WCAP_SQ 0x20000000 /* Size query: Return size of request in`
		253609	`+ * output buffer length field`
		253609	`+ */`
		253609	`+#define XCP_TGTFL_SET_SCMD 0x40000000 /* Protected key special command: Set the`
		253609	`+ * special command flag in the CPRB`
		253609	`+ * header`
		253609	`+ */`
		253609	`+#define XCP_TGTFL_API_CHKD 0x80000000 /* supported API version of modules in`
		253609	`+ * target (group) has been checked`
		253609	`+ */`
		253609	`+`
		253609	`+#define XCP_TGTFL_NO_LOCK 0x01000000 /* target token ignores sequential locks`
		253609	`+ * for target probing`
		253609	`+ */`
		253609	`+#define XCP_TGTFL_CHK_ATTR 0x02000000 /* reject unknown attribute in attribute`
		253609	`+ * templates with`
		253609	`+ * CKR_TEMPLATE_INCONSISTENT. Default is`
		253609	`+ * to ignore unknown attributes.`
		253609	`+ */`
		253609	`+#define XCP_TGTFL_SET_ACMD 0x04000000 /* add CPRB admin flag to CPRB header */`
		253609	`+`
		253609	`+#define XCP_TGTFL_NO_SPLIT 0x08000000 /* enforce single-shot requests */`
		253609	`+`
		253609	`+//--------------------------------------`
		253609	`+// socket use only`
		253609	`+#define XCP_MAXCONNECTIONS 64 /* max value for active connections */`
		253609	`+#define XCP_MAX_PORT 0xffff`
		253609	`+`
		253609	`+// hostname and port value fore one module`
		253609	`+typedef struct XCP_ModuleSocket {`
		253609	`+ char host[ MAX_FNAME_CHARS +1 ];`
		253609	`+ uint32_t port;`
		253609	`+} *XCP_ModuleSocket_t ;`
		253609	`+`
		253609	`+`
		253609	`+//--------------------------------------`
		253609	`+// diagnostics use only`
		253609	`+typedef struct XCP_DomainPerf {`
		253609	`+ /* perf value of last request per domain`
		253609	`+ *`
		253609	`+ * At the moment unused`
		253609	`+ * */`
		253609	`+ unsigned int lastperf[ 256 ];`
		253609	`+} *XCP_DomainPerf_t;`
		253609	`+`
		253609	`+`
		253609	`+// current version of XCP_Module structure; host code SHOULD interact with`
		253609	`+// future/past versions, MUST be set by caller before using m_add_module()`
		253609	`+// valid versions are all >0`
		253609	`+#define XCP_MOD_VERSION 2`
		253609	`+//--------------------------------------`
		253609	`+// subsequent communications with a module MAY skip infrastructure-specific`
		253609	`+// fields, such as a query not reporting device handles etc., even if they`
		253609	`+// have been supplied originally when the module has been registered.`
		253609	`+//`
		253609	`+typedef struct XCP_Module {`
		253609	`+ uint32_t version; /* >0 for supported API versions */`
		253609	`+`
		253609	`+ uint64_t flags; /* see XCP_Module_Flags */`
		253609	`+`
		253609	`+ uint32_t domains; /* max# addressable under this module;`
		253609	`+ * cached from OS`
		253609	`+ *`
		253609	`+ * when callers set domains to 0, the library`
		253609	`+ * returns the module-claimed domain count.`
		253609	`+ */`
		253609	`+`
		253609	`+ unsigned char domainmask[ 256 /8 ];`
		253609	`+ /* higher domain# through future flags (none`
		253609	`+ * currently defined) which would add things`
		253609	`+ * like 'FLAG_256_1023' etc. at the same time,`
		253609	`+ * we would add domainmask2[] etc.`
		253609	`+ * corresponding new fields.`
		253609	`+ *`
		253609	`+ * new fields would then store mask for`
		253609	`+ * domains 256+ etc.`
		253609	`+ *`
		253609	`+ * domain #0 is bit x80 of 1st byte,`
		253609	`+ * #255 is bit 0x01 of last byte.`
		253609	`+ */`
		253609	`+`
		253609	`+ // when a domainmask is supplied, with bits set beyond`
		253609	`+ // what the module supports, the bitmask is trimmed to`
		253609	`+ // the supported range, but this is NOT reported as an`
		253609	`+ // error, unless XCP_MFL_STRICT is also supplied.`
		253609	`+ //`
		253609	`+ // without XCP_MFL_STRICT, callers are expected to check`
		253609	`+ // at least the returned domain count.`
		253609	`+`
		253609	`+ /* used only when flags includes XCP_MFL_SOCKET */`
		253609	`+ struct XCP_ModuleSocket socket;`
		253609	`+`
		253609	`+ /* used when system exposes modules through an`
		253609	`+ * array of transparent pipes, or similar abstraction`
		253609	`+ * (such as mainframe AP Queues, or other Linux`
		253609	`+ * 'device-minor' numbers etc.). Interpretation`
		253609	`+ * is platform-dependent.`
		253609	`+ *`
		253609	`+ * used only when flags includes XCP_MFL_MODULE`
		253609	`+ */`
		253609	`+ uint32_t module_nr;`
		253609	`+`
		253609	`+ /* used by systems which associate devices with`
		253609	`+ * device handles/structs/etc. persistent state.`
		253609	`+ * opaque pointer, usually a const pointer to`
		253609	`+ * such aux structs, MAY be stored here.`
		253609	`+ *`
		253609	`+ * interpretation is platform-dependent.`
		253609	`+ * used only when flags includes XCP_MFL_MHANDLE`
		253609	`+ */`
		253609	`+ void *mhandle;`
		253609	`+ /* diagnostics use only, when XCP_MFL_PERF is set */`
		253609	`+ struct XCP_DomainPerf perf;`
		253609	`+ //----- end of v1 fields -------------------------------------------`
		253609	`+`
		253609	`+ uint32_t api; /* module api version*/`
		253609	`+ //----- end of v2 fields -------------------------------------------`
		253609	`+} *XCP_Module_t ;`
		253609	`+`
		253609	`+typedef enum {`
		253609	`+ XCP_MFL_SOCKET = 1, /* backend is socket-attached */`
		253609	`+ XCP_MFL_MODULE = 2, /* backends identified in`
		253609	`+ array-of-modules */`
		253609	`+ XCP_MFL_MHANDLE = 4, /* backends uses 'module handle' field */`
		253609	`+ XCP_MFL_PERF = 8, /* performance statistics collected`
		253609	`+ * for this module, see .perf`
		253609	`+ */`
		253609	`+ XCP_MFL_VIRTUAL = 0x10, /* queried 'target' is a load-balancer,`
		253609	`+ * other other group.`
		253609	`+ */`
		253609	`+ XCP_MFL_STRICT = 0x20, /* enable aggressive error checking,`
		253609	`+ * see field descriptions for effect`
		253609	`+ */`
		253609	`+ XCP_MFL_PROBE = 0x40, /* send api query to module, to check if`
		253609	`+ * target(s) can be used`
		253609	`+ */`
		253609	`+ XCP_MFL_ALW_TGT_ADD = 0x80, /* Allows it to use a target in any`
		253609	`+ * functional and admin call without`
		253609	`+ * adding it beforehand with`
		253609	`+ * m_add_module()`
		253609	`+ */`
		253609	`+ XCP_MFL_MAX = 0xff`
		253609	`+} XCP_Module_Flags;`
		253609	`+`
		253609	`+typedef uint64_t target_t;`
		253609	`+`
		253609	`+#define XCP_TGT_INIT ~0UL`
		253609	`+`
		253609	`+#define XCP_TGT_FMT "x%016" PRIx64`
		253609
		253609	`int m_add_module(XCP_Module_t module, target_t *target) ;`
		253609
		253609	`int m_rm_module(XCP_Module_t module, target_t target) ;`
		253609
		253609	`+CK_RV m_admin (unsigned char response1, size_t r1len,`
		253609	`+ unsigned char response2, size_t r2len,`
		253609	`+ const unsigned char *cmd, size_t clen,`
		253609	`+ const unsigned char *sigs, size_t slen,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`/*----------------------------------------------------------------------`
		253609	`* CK_... type arguments correspond to the original PKCS#11 call's`
		253609	`* arguments. Standard types mean PKCS#11 objects (session, token etc.)`
		253609	`@@ -2442,11 +2728,31 @@ int m_rm_module(XCP_Module_t module, target_t target) ;`
		253609	`* For certain operations, such as _GenerateKey, there are no real`
		253609	`* PKCS#11 type parameters at this level.`
		253609	`*/`
		253609	`+`
		253609	`+`
		253609	`+CK_RV m_Login ( CK_UTF8CHAR_PTR pin, CK_ULONG pinlen,`
		253609	`+ const unsigned char *nonce, size_t nlen,`
		253609	`+ unsigned char pinblob, size_t pinbloblen,`
		253609	`+ target_t target) ;`
		253609	`+CK_RV m_Logout ( const unsigned char *pin, size_t len, target_t target) ;`
		253609	`+`
		253609	`+CK_RV m_LoginExtended( CK_UTF8CHAR_PTR pin, CK_ULONG pinlen,`
		253609	`+ const unsigned char *nonce, size_t nlen,`
		253609	`+ const unsigned char *xstruct, size_t xslen,`
		253609	`+ unsigned char pinblob, size_t pinbloblen,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`+CK_RV m_LogoutExtended( CK_UTF8CHAR_PTR pin, CK_ULONG pinlen,`
		253609	`+ const unsigned char *nonce, size_t nlen,`
		253609	`+ const unsigned char *xstruct, size_t xslen,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`CK_RV m_GenerateRandom (CK_BYTE_PTR rnd, CK_ULONG len, target_t target) ;`
		253609	`/**/`
		253609	`/* note: external seeding not supported */`
		253609	`CK_RV m_SeedRandom (CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen,`
		253609	`target_t target) ;`
		253609	`+`
		253609	`CK_RV m_DigestInit (unsigned char state, size_t len,`
		253609	`const CK_MECHANISM_PTR pmech,`
		253609	`target_t target) ;`
		253609	`@@ -2469,6 +2775,73 @@ CK_RV m_DigestSingle (CK_MECHANISM_PTR pmech,`
		253609	`CK_BYTE_PTR digest, CK_ULONG_PTR dlen,`
		253609	`target_t target) ;`
		253609
		253609	`+CK_RV m_GenerateKey (CK_MECHANISM_PTR pmech,`
		253609	`+ CK_ATTRIBUTE_PTR ptempl, CK_ULONG templcount,`
		253609	`+ const unsigned char *pin, size_t pinlen,`
		253609	`+ unsigned char key, size_t klen,`
		253609	`+ unsigned char csum, size_t clen,`
		253609	`+ target_t target) ;`
		253609	`+/**/`
		253609	`+CK_RV m_GenerateKeyPair (CK_MECHANISM_PTR pmech,`
		253609	`+ CK_ATTRIBUTE_PTR ppublic, CK_ULONG pubattrs,`
		253609	`+ CK_ATTRIBUTE_PTR pprivate, CK_ULONG prvattrs,`
		253609	`+ const unsigned char *pin, size_t pinlen,`
		253609	`+ unsigned char key, size_t klen,`
		253609	`+ unsigned char pubkey, size_t pklen,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`+/* mackey is NULL for PKCS#11 formats, not for authenticated ones */`
		253609	`+CK_RV m_WrapKey (const unsigned char *key, size_t keylen,`
		253609	`+ const unsigned char *kek, size_t keklen,`
		253609	`+ const unsigned char *mackey, size_t mklen,`
		253609	`+ const CK_MECHANISM_PTR pmech,`
		253609	`+ CK_BYTE_PTR wrapped, CK_ULONG_PTR wlen,`
		253609	`+ target_t target) ;`
		253609	`+/**/`
		253609	`+/* mackey is NULL for PKCS#11 formats, not for authenticated ones */`
		253609	`+CK_RV m_UnwrapKey (const CK_BYTE_PTR wrapped, CK_ULONG wlen,`
		253609	`+ const unsigned char *kek, size_t keklen,`
		253609	`+ const unsigned char *mackey, size_t mklen,`
		253609	`+ const unsigned char *pin, size_t pinlen,`
		253609	`+ const CK_MECHANISM_PTR uwmech,`
		253609	`+ const CK_ATTRIBUTE_PTR ptempl, CK_ULONG pcount,`
		253609	`+ unsigned char unwrapped, size_t uwlen,`
		253609	`+ CK_BYTE_PTR csum, CK_ULONG *cslen,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`+CK_RV m_DeriveKey ( CK_MECHANISM_PTR pderivemech,`
		253609	`+ CK_ATTRIBUTE_PTR ptempl, CK_ULONG templcount,`
		253609	`+ const unsigned char *basekey, size_t bklen,`
		253609	`+ const unsigned char *data, size_t dlen,`
		253609	`+ const unsigned char *pin, size_t pinlen,`
		253609	`+ unsigned char newkey, size_t nklen,`
		253609	`+ unsigned char csum, size_t cslen,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`+CK_RV m_GetAttributeValue (const unsigned char *obj, size_t olen,`
		253609	`+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,`
		253609	`+ target_t target) ;`
		253609	`+CK_RV m_SetAttributeValue (unsigned char *obj, size_t olen,`
		253609	`+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`+/**/`
		253609	`+CK_RV m_GetMechanismList (CK_SLOT_ID slot,`
		253609	`+ CK_MECHANISM_TYPE_PTR mechs,`
		253609	`+ CK_ULONG_PTR count,`
		253609	`+ target_t target) ;`
		253609	`+CK_RV m_GetMechanismInfo (CK_SLOT_ID slot,`
		253609	`+ CK_MECHANISM_TYPE mech,`
		253609	`+ CK_MECHANISM_INFO_PTR pmechinfo,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`+CK_RV m_get_xcp_info (CK_VOID_PTR pinfo, CK_ULONG_PTR infbytes,`
		253609	`+ unsigned int query,`
		253609	`+ unsigned int subquery,`
		253609	`+ target_t target) ;`
		253609	`+`
		253609	`+// see also: CK_IBM_XCPQUERY_t`
		253609	`+`
		253609	`CK_RV m_EncryptInit (unsigned char state, size_t slen,`
		253609	`CK_MECHANISM_PTR pmech,`
		253609	`const unsigned char *key, size_t klen,`
		253609	`@@ -2516,21 +2889,6 @@ CK_RV m_DecryptSingle (const unsigned char *key, size_t klen,`
		253609	`CK_BYTE_PTR plain, CK_ULONG_PTR plen,`
		253609	`target_t target) ;`
		253609
		253609	`-CK_RV m_GenerateKey (CK_MECHANISM_PTR pmech,`
		253609	`- CK_ATTRIBUTE_PTR ptempl, CK_ULONG templcount,`
		253609	`- const unsigned char *pin, size_t pinlen,`
		253609	`- unsigned char key, size_t klen,`
		253609	`- unsigned char csum, size_t clen,`
		253609	`- target_t target) ;`
		253609	`-/**/`
		253609	`-CK_RV m_GenerateKeyPair (CK_MECHANISM_PTR pmech,`
		253609	`- CK_ATTRIBUTE_PTR ppublic, CK_ULONG pubattrs,`
		253609	`- CK_ATTRIBUTE_PTR pprivate, CK_ULONG prvattrs,`
		253609	`- const unsigned char *pin, size_t pinlen,`
		253609	`- unsigned char key, size_t klen,`
		253609	`- unsigned char pubkey, size_t pklen,`
		253609	`- target_t target) ;`
		253609	`-`
		253609	`CK_RV m_SignInit (unsigned char state, size_t slen,`
		253609	`CK_MECHANISM_PTR alg,`
		253609	`const unsigned char *key, size_t klen,`
		253609	`@@ -2574,72 +2932,6 @@ CK_RV m_VerifySingle (const unsigned char *key, size_t klen,`
		253609	`CK_BYTE_PTR sig, CK_ULONG slen,`
		253609	`target_t target) ;`
		253609
		253609	`-/* mackey is NULL for PKCS#11 formats, not for authenticated ones */`
		253609	`-CK_RV m_WrapKey (const unsigned char *key, size_t keylen,`
		253609	`- const unsigned char *kek, size_t keklen,`
		253609	`- const unsigned char *mackey, size_t mklen,`
		253609	`- const CK_MECHANISM_PTR pmech,`
		253609	`- CK_BYTE_PTR wrapped, CK_ULONG_PTR wlen,`
		253609	`- target_t target) ;`
		253609	`-/**/`
		253609	`-/* mackey is NULL for PKCS#11 formats, not for authenticated ones */`
		253609	`-CK_RV m_UnwrapKey (const CK_BYTE_PTR wrapped, CK_ULONG wlen,`
		253609	`- const unsigned char *kek, size_t keklen,`
		253609	`- const unsigned char *mackey, size_t mklen,`
		253609	`- const unsigned char *pin, size_t pinlen,`
		253609	`- const CK_MECHANISM_PTR uwmech,`
		253609	`- const CK_ATTRIBUTE_PTR ptempl, CK_ULONG pcount,`
		253609	`- unsigned char unwrapped, size_t uwlen,`
		253609	`- CK_BYTE_PTR csum, CK_ULONG *cslen,`
		253609	`- target_t target) ;`
		253609	`-`
		253609	`-CK_RV m_DeriveKey ( CK_MECHANISM_PTR pderivemech,`
		253609	`- CK_ATTRIBUTE_PTR ptempl, CK_ULONG templcount,`
		253609	`- const unsigned char *basekey, size_t bklen,`
		253609	`- const unsigned char *data, size_t dlen,`
		253609	`- const unsigned char *pin, size_t pinlen,`
		253609	`- unsigned char newkey, size_t nklen,`
		253609	`- unsigned char csum, size_t cslen,`
		253609	`- target_t target) ;`
		253609	`-`
		253609	`-/**/`
		253609	`-CK_RV m_GetMechanismList (CK_SLOT_ID slot,`
		253609	`- CK_MECHANISM_TYPE_PTR mechs,`
		253609	`- CK_ULONG_PTR count,`
		253609	`- target_t target) ;`
		253609	`-CK_RV m_GetMechanismInfo (CK_SLOT_ID slot,`
		253609	`- CK_MECHANISM_TYPE mech,`
		253609	`- CK_MECHANISM_INFO_PTR pmechinfo,`
		253609	`- target_t target) ;`
		253609	`-`
		253609	`-CK_RV m_GetAttributeValue (const unsigned char *obj, size_t olen,`
		253609	`- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,`
		253609	`- target_t target) ;`
		253609	`-CK_RV m_SetAttributeValue (unsigned char *obj, size_t olen,`
		253609	`- CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,`
		253609	`- target_t target) ;`
		253609	`-`
		253609	`-`
		253609	`-CK_RV m_Login ( CK_UTF8CHAR_PTR pin, CK_ULONG pinlen,`
		253609	`- const unsigned char *nonce, size_t nlen,`
		253609	`- unsigned char pinblob, size_t pinbloblen,`
		253609	`- target_t target) ;`
		253609	`-CK_RV m_Logout ( const unsigned char *pin, size_t len, target_t target) ;`
		253609	`-`
		253609	`-CK_RV m_admin (unsigned char response1, size_t r1len,`
		253609	`- unsigned char response2, size_t r2len,`
		253609	`- const unsigned char *cmd, size_t clen,`
		253609	`- const unsigned char *sigs, size_t slen,`
		253609	`- target_t target) ;`
		253609	`-`
		253609	`-CK_RV m_get_xcp_info (CK_VOID_PTR pinfo, CK_ULONG_PTR infbytes,`
		253609	`- unsigned int query,`
		253609	`- unsigned int subquery,`
		253609	`- target_t target) ;`
		253609	`-`
		253609	`-// see also: CK_IBM_XCPQUERY_t`
		253609	`-`
		253609	`-`
		253609	`// m_wire() by default removes transport headers of responses (CPRB header etc.)`
		253609	`// setting to prevent stripping:`
		253609	`//`
		253609	`@@ -2661,17 +2953,20 @@ CK_RV m_wire (unsigned char rsp, size_t rsplen, CK_RV *irv,`
		253609	`#define XCP_W_NO_SEND_CPRB 1 /* data already includes request header */`
		253609	`#define XCP_W_NO_RECV_CPRB 2 /* leave transport header in response */`
		253609
		253609	`+// initializes the library`
		253609	`+int m_init(void);`
		253609	`+// shutting down the library`
		253609	`+int m_shutdown(void);`
		253609
		253609	`-/-- build identification ------------------------------------------------/`
		253609
		253609	`-#define XCP_BUILD_ID 0x9c14a5e6`
		253609	`-#define XCP_BUILD_DATE 0x20220610 /* UTC */`
		253609	`-#define XCP_BUILD_TIME 0x123354 /* UTC */`
		253609
		253609	`-/--------------------------------------------------------------------------/`
		253609	`-/--------------------------------------------------------------------------/`
		253609	`+/-- build identification ------------------------------------------------/`
		253609
		253609	`+#define XCP_BUILD_ID 0xf1d34cc2`
		253609	`+#define XCP_BUILD_DATE 0x20221214 /* UTC */`
		253609	`+#define XCP_BUILD_TIME 0x094523 /* UTC */`
		253609
		253609	`+/--------------------------------------------------------------------------/`
		253609	`#define __XCP_REASONCODES_H__ 1`
		253609
		253609
		253609	`@@ -2823,14 +3118,10 @@ typedef enum {`
		253609	`} XCP_ReasonCode_t ;`
		253609
		253609
		253609	`-`
		253609	`-`
		253609	`-#if ! defined(__transport_fns_h__)`
		253609	`-#define __transport_fns_h__`
		253609	`-`
		253609	`/* function identifiers must be consecutive, between: */`
		253609	`#define __MIN_MOD_FNID 1`
		253609	`-#define __MAX_MOD_FNID 43`
		253609	`+#define __MAX_MOD_FNID 42`
		253609	`+/* selectively disabled functions within that range reported separately */`
		253609
		253609	`#define __FNID_Login 1`
		253609	`#define __FNID_Logout 2`
		253609	`@@ -2938,8 +3229,6 @@ typedef enum {`
		253609	`#define __HOST2MOD_DATAPRM 9`
		253609	`#define __MOD2HOST_DATAPRM 2`
		253609
		253609	`-#endif /* n defined(__transport_fns_h__) */`
		253609	`-`
		253609
		253609	`#endif /* n defined(XCP_H__) */`
		253609
		253609	`diff --git a/usr/lib/ep11_stdll/ep11adm.h b/usr/lib/ep11_stdll/ep11adm.h`
		253609	`index ecb524d5..0cd50a65 100644`
		253609	`--- a/usr/lib/ep11_stdll/ep11adm.h`
		253609	`+++ b/usr/lib/ep11_stdll/ep11adm.h`
		253609	`@@ -25,34 +25,6 @@`
		253609	`#error "We need <ep11.h> types, please include before this file."`
		253609	`#endif`
		253609
		253609	`-// these numbers apply to current version, subject to change`
		253609	`-// Please note that this defines are DEPRECATED. Please use their XCP_*`
		253609	`-// counterpart in ep11.h`
		253609	`-//`
		253609	`-#if !defined(EP11_SERIALNR_CHARS)`
		253609	`-#define EP11_SERIALNR_CHARS XCP_SERIALNR_CHARS`
		253609	`-#endif`
		253609	`-`
		253609	`-#if !defined(EP11_KEYCSUM_BYTES)`
		253609	`-/* full size of verific. pattern */`
		253609	`-#define EP11_KEYCSUM_BYTES XCP_KEYCSUM_BYTES`
		253609	`-#endif`
		253609	`-`
		253609	`-#if !defined(EP11_ADMCTR_BYTES)`
		253609	`-/* admin transaction ctrs */`
		253609	`-#define EP11_ADMCTR_BYTES XCP_ADMCTR_BYTES`
		253609	`-#endif`
		253609	`-`
		253609	`-#if !defined(EP11_ADM_REENCRYPT)`
		253609	`-/* transform blobs to next WK */`
		253609	`-#define EP11_ADM_REENCRYPT XCP_ADM_REENCRYPT`
		253609	`-#endif`
		253609	`-`
		253609	`-#if !defined(CK_IBM_EP11Q_DOMAIN)`
		253609	`-/* list domain's WK hashes */`
		253609	`-#define CK_IBM_EP11Q_DOMAIN CK_IBM_XCPQ_DOMAIN`
		253609	`-#endif`
		253609	`-// end of DEPRECATED defines`
		253609
		253609	`//-------------------------------------`
		253609	`// flags common to all functions that have a flag parameter`
		253609	`@@ -100,13 +72,22 @@`
		253609
		253609	`#define DOMAIN_MASK_LENGTH XCP_DOMAINS/8 // space for 256 domains`
		253609
		253609	`-`
		253609	`+//-------------------------------------`
		253609	`+// Key-Part-Holder template`
		253609	`+// contain credentials of a key-part holder. Those credentials`
		253609	`+// can be file based and/or smart card based references.`
		253609	`struct KPH {`
		253609	`- const unsigned char *cert;`
		253609	`- size_t clen;`
		253609	`- const char *id;`
		253609	`- const char *pw;`
		253609	`- const char *kpfname;`
		253609	`+ const unsigned char *cert; // certificate`
		253609	`+ size_t clen; // certificate length`
		253609	`+ const char *id; // private key`
		253609	`+ const char *pw; // private key passphrase`
		253609	`+ const char *kpfname; // filename of the key-part`
		253609	`+ char scard; // indicates a smart card user`
		253609	`+ char ski_id; // subject key identifier ID`
		253609	`+ int rdr_id; // smart card reader number`
		253609	`+ char kp_id; // key-part ID`
		253609	`+ uint64_t sigmech; // signature mechenism`
		253609	`+ const char *padmode; // padding mode`
		253609	`} ;`
		253609
		253609
		253609	`@@ -159,30 +140,6 @@ typedef struct XCPadmresp {`
		253609	`#define XCP_ADMRESP_INIT0 { 0,0,0, {0},{0},{0}, {0}, CKR_OK, 0, NULL,0, }`
		253609
		253609
		253609	`-// ep11_admresp_t is DEPRECATED. Please use XCPadmresp_t directly`
		253609	`-typedef struct ep11_admresp {`
		253609	`- uint32_t fn;`
		253609	`- uint32_t domain;`
		253609	`- uint32_t domainInst;`
		253609	`-`
		253609	`- /* module ID \|\| module instance */`
		253609	`- unsigned char module[ EP11_SERIALNR_CHARS + EP11_SERIALNR_CHARS ];`
		253609	`- unsigned char modNr[ EP11_SERIALNR_CHARS ];`
		253609	`- unsigned char modInst[ EP11_SERIALNR_CHARS ];`
		253609	`-`
		253609	`- unsigned char tctr[ EP11_ADMCTR_BYTES ]; /* transaction counter */`
		253609	`-`
		253609	`- CK_RV rv;`
		253609	`- uint32_t reason;`
		253609	`-`
		253609	`- // points to original response; NULL if no payload`
		253609	`- // make sure it's copied if used after releasing response block`
		253609	`- //`
		253609	`- const unsigned char *payload;`
		253609	`- size_t pllen;`
		253609	`-} *ep11_admresp_t;`
		253609	`-`
		253609	`-`
		253609	`//-------------------------------------`
		253609	`// listing of CP modes with their respective sets of control points that are`
		253609	`// either required or prohibited`
		253609	`@@ -249,9 +206,39 @@ static const struct {`
		253609	`XCP_CPB_ALG_NBSI2011, XCP_CPB_ALG_DH,`
		253609	`XCP_CPB_DERIVE },`
		253609	`},`
		253609	`+ { XCP_ADMS_FIPS2021, "fips2021",`
		253609	`+ 15,`
		253609	`+ { XCP_CPB_ALG_NFIPS2011, XCP_CPB_KEYSZ_80BIT,`
		253609	`+ XCP_CPB_KEYSZ_RSA65536,`
		253609	`+ XCP_CPB_ALG_NFIPS2021, XCP_CPB_ALG_EC_25519,`
		253609	`+ XCP_CPB_ALG_PQC, XCP_CPB_BTC,`
		253609	`+ XCP_CPB_ECDSA_OTHER, XCP_CPB_ALLOW_NONSESSION,`
		253609	`+ XCP_CPB_ALG_EC_SECGCRV, XCP_CPB_ALG_EC_BPOOLCRV,`
		253609	`+ XCP_CPB_COMPAT_LEGACY_SHA3, XCP_CPB_DSA_PARAMETER_GEN,`
		253609	`+ XCP_CPB_WRAP_ASYMM, XCP_CPB_UNWRAP_ASYMM`
		253609	`+ },`
		253609	`+ 0,`
		253609	`+ { },`
		253609	`+ },`
		253609	`+ { XCP_ADMS_FIPS2024, "fips2024",`
		253609	`+ 16,`
		253609	`+ { XCP_CPB_ALG_NFIPS2011, XCP_CPB_KEYSZ_80BIT,`
		253609	`+ XCP_CPB_KEYSZ_RSA65536,`
		253609	`+ XCP_CPB_ALG_NFIPS2021, XCP_CPB_ALG_EC_25519,`
		253609	`+ XCP_CPB_ALG_PQC, XCP_CPB_BTC,`
		253609	`+ XCP_CPB_ECDSA_OTHER, XCP_CPB_ALLOW_NONSESSION,`
		253609	`+ XCP_CPB_ALG_EC_SECGCRV, XCP_CPB_ALG_EC_BPOOLCRV,`
		253609	`+ XCP_CPB_ALG_NFIPS2024, XCP_CPB_COMPAT_LEGACY_SHA3,`
		253609	`+ XCP_CPB_DSA_PARAMETER_GEN, XCP_CPB_WRAP_ASYMM,`
		253609	`+ XCP_CPB_UNWRAP_ASYMM`
		253609	`+ },`
		253609	`+ 0,`
		253609	`+ { },`
		253609	`+ // XCP_ADMS_ADM_FIPS2021 is not reported here as it is not set with`
		253609	`+ // control points`
		253609	`+ }`
		253609	`} ;`
		253609
		253609	`-`
		253609	`//-------------------------------------`
		253609	`// Structure to collect all relevant data for state export/import`
		253609	`//`
		253609	`@@ -351,21 +338,12 @@ long xcpa_certreplace(unsigned char *blk, size_t blen,`
		253609
		253609
		253609	`//-------------------------------------`
		253609	`-// xcpa_query_wk queries the hash of the current/next WK for the given target`
		253609	`-// xcpa_query_wk without the feature define EP11ADM_V2 can only query the hash`
		253609	`-// of the current WK. Latter version is deprecated and will be removed with the`
		253609	`-// next major release`
		253609	`+// Queries the current/next WK for the given target`
		253609	`//`
		253609	`-// Parameter description:`
		253609	`-// wk pointer to the output buffer, contains current/next WK hash after`
		253609	`-// call`
		253609	`-// wlen needs to be set to the size of the output buffer`
		253609	`-// type CK_IBM_DOM_CURR_WK or CK_IBM_DOM_NEXT_WK (only available with`
		253609	`-// EP11ADM_V2 defined)`
		253609	`-// target a single target set up with m_add_module`
		253609	`+// WK Hash is returned in (*wk, wlen) on success if wk is not NULL`
		253609	`//`
		253609	`// returns >0 (bytecount) if present`
		253609	`-// 0 if valid but no current/next WK`
		253609	`+// 0 if valid but no current WK`
		253609	`// <0 if anything failed`
		253609	`//`
		253609	`// Possible error return codes:`
		253609	`@@ -375,14 +353,7 @@ long xcpa_certreplace(unsigned char *blk, size_t blen,`
		253609	`//`
		253609	`// Uses xcpa_queryblock() - See function header for possible return codes`
		253609	`//`
		253609	`-#if defined(EP11ADM_V2)`
		253609	`-__asm__(".symver xcpa_query_wk, xcpa_query_wk@EP11ADM_V2");`
		253609	`-long xcpa_query_wk(unsigned char *wk, size_t wlen, int type,`
		253609	`- target_t target) ;`
		253609	`-#else`
		253609	`-long xcpa_query_wk(unsigned char *wk, size_t wlen, target_t target)`
		253609	`- __attribute__ ((deprecated));`
		253609	`-#endif`
		253609	`+long xcpa_query_wk(unsigned char *wk, size_t wlen, int type, target_t target) ;`
		253609
		253609
		253609	`//-------------------------------------`
		253609	`@@ -681,12 +652,13 @@ long xcpa_set_cps(target_t target,`
		253609	`//-------------------------------------`
		253609	`// get compliance mode from CP set (see ep11_cpt_modes[] for possible compliance`
		253609	`// modes)`
		253609	`+// can not check for administrative compliance modes`
		253609	`//`
		253609	`// cps CP set of XCP_CP_BYTES length, see xcpa_query_cps`
		253609	`//`
		253609	`// returns >0 compliance mode (see XCP_ADMS_...)`
		253609	`//`
		253609	`-// does not verify CP set!`
		253609	`+// does not verify CP set`
		253609	`//`
		253609	`uint32_t xcpa_cps2compliance(const unsigned char cps / XCP_CP_BYTES */) ;`
		253609
		253609	`@@ -823,7 +795,10 @@ typedef struct Encrdkey {`
		253609	`// EC only: RSA recipients must keep these lengths 0`
		253609	`//`
		253609	`// largest supported curve: P-521`
		253609	`-`
		253609	`+ unsigned char srcprivate[ 66 ]; /* private key (PKCS#8) */`
		253609	`+ size_t sprivlen; /* priv. key byte count */`
		253609	`+ unsigned char oid; / EC curve OID */`
		253609	`+ size_t olen; /* EC curve OID length */`
		253609	`unsigned char srcpublic[ 1+66+66 ]; /* originator public point */`
		253609	`size_t splen; /* pub. point bytecount */`
		253609
		253609	`@@ -840,18 +815,10 @@ typedef struct Encrdkey {`
		253609	`int ktype; /* one of the wire-specified types */`
		253609
		253609	`CK_MECHANISM alg; / currently, ignored */`
		253609	`+ unsigned char wrap_alg[25]; /* AES Key Wrap algorithm OID */`
		253609	`// largest supported importer type: 4096-bit RSA`
		253609	`unsigned char raw[ 4096/8 ]; /* actual encrypted bytes */`
		253609	`size_t rlen;`
		253609	`-`
		253609	`-#if defined(EP11ADM_V2)`
		253609	`- unsigned char srcprivate[ 66 ]; /* private key (PKCS#8) */`
		253609	`- size_t sprivlen; /* priv. key byte count */`
		253609	`- unsigned char oid; / EC curve OID */`
		253609	`- size_t olen; /* EC curve OID length */`
		253609	`-`
		253609	`- unsigned char wrap_alg[25]; /* AES Key Wrap algorithm OID */`
		253609	`-#endif`
		253609	`} *Encrdkey_t;`
		253609
		253609
		253609	`@@ -893,9 +860,6 @@ long xcp_rcptinfo_sharedinfo(unsigned char *sinfo, size_t slen,`
		253609	`// creates RecipientInfo ASN.1 sequence (asn) from encr structure following RFC`
		253609	`// 3852 for RSA and RFC 5753 for EC`
		253609	`//`
		253609	`-// uses encr->wrap_alg if EP11ADM_V2 defined. Otherwise assumes aes256-wrap is`
		253609	`-// used for EC`
		253609	`-//`
		253609	`// verifies if a known importer key is used and if the SPKI does match`
		253609	`// the importer key type`
		253609	`//`
		253609	`@@ -907,9 +871,10 @@ long xcp_rcptinfo_sharedinfo(unsigned char *sinfo, size_t slen,`
		253609	`// XCP_ADMERR_RI_IMPR_INVALID: if the importer type or the key import structure`
		253609	`// encr is not supported / invalid`
		253609	`//`
		253609	`-long xcp_rcptinfo(unsigned char *asn, size_t alen,`
		253609	`- const struct Encrdkey *encr,`
		253609	`- const CK_MECHANISM *encrmech) ;`
		253609	`+long xcp_rcptinfo (unsigned char *asn, size_t alen,`
		253609	`+ const struct Encrdkey *encr,`
		253609	`+ const CK_MECHANISM *encrmech) ;`
		253609	`+`
		253609
		253609	`//-------------------------------------`
		253609	`// reads ASN.1 formatted RecipientInfo (asn) and turns it into rinfo structure`
		253609	`@@ -990,12 +955,8 @@ long xcpa_import_keypart (unsigned char *out, size_t olen,`
		253609	`// XCP_ADMERR_RI_IMPR_INVALID: importer key type invalid / unsupported or does`
		253609	`// not match SPKI`
		253609	`//`
		253609	`-// uses xcp_rcptinfo and xcpa_cmdblock() - see function header for more return`
		253609	`-// codes and EP11AMD_V2 specific changes`
		253609	`+// uses xcpa_cmdblock() - see function header for more return codes`
		253609	`//`
		253609	`-#if defined(EP11ADM_V2)`
		253609	`-__asm__(".symver xcpa_import_cmdblock, xcpa_import_cmdblock@EP11ADM_V2");`
		253609	`-#endif`
		253609	`long xcpa_import_cmdblock (unsigned char *out, size_t olen,`
		253609	`const struct Encrdkey *key,`
		253609	`const struct XCPadmresp *minf,`
		253609	`@@ -1164,19 +1125,10 @@ long xcpa_fill_export_req(unsigned char *asn, size_t alen,`
		253609	`// Constructs key part file with ASN.1 envelope`
		253609	`// writes output to (*reqprep, reqpreplen)`
		253609	`//`
		253609	`-// default version:`
		253609	`-// statesave contains the target domain mask`
		253609	`-// kphs keypart holder certificates`
		253609	`-// ekps contains re-encrypted keyparts`
		253609	`-// kcnt number of kphs`
		253609	`-// reqprep output buffer`
		253609	`-// reqpreplen output length`
		253609	`-//`
		253609	`-// with EP11ADM_V2 feature define active:`
		253609	`// domainmask target domain mask`
		253609	`// kphs keypart holder certificates`
		253609	`-// ekps contains re-encrypted keyparts`
		253609	`// kcnt number of kphs`
		253609	`+// ekps contains re-encrypted keyparts`
		253609	`// reqprep output buffer`
		253609	`// reqpreplen output length`
		253609	`// headerinfo set to 0 if no header info requested`
		253609	`@@ -1184,9 +1136,6 @@ long xcpa_fill_export_req(unsigned char *asn, size_t alen,`
		253609	`//`
		253609	`// returns 0 if successful`
		253609	`// <0 if something fails`
		253609	`-#if defined(EP11ADM_V2)`
		253609	`-__asm__(".symver xcpa_construct_keypart_file, "`
		253609	`- "xcpa_construct_keypart_file@EP11ADM_V2");`
		253609	`long xcpa_construct_keypart_file(unsigned char *domainmask,`
		253609	`const struct KPH *kphs,`
		253609	`const struct Encrdkey *ekps,`
		253609	`@@ -1194,15 +1143,7 @@ long xcpa_construct_keypart_file(unsigned char *domainmask,`
		253609	`unsigned char *reqprep,`
		253609	`size_t *reqpreplen,`
		253609	`unsigned int headerinfo);`
		253609	`-#else`
		253609	`-long xcpa_construct_keypart_file(struct STATESAVE *statesave,`
		253609	`- const struct KPH *kphs,`
		253609	`- const struct Encrdkey *ekps,`
		253609	`- unsigned int kcnt,`
		253609	`- unsigned char *reqprep,`
		253609	`- size_t *reqpreplen)`
		253609	`- __attribute__((deprecated));`
		253609	`-#endif`
		253609	`+`
		253609
		253609	`//-------------------------------------`
		253609	`// Enable export WK permission`
		253609	`@@ -1254,17 +1195,6 @@ long xcpa_enable_import_state(target_t target,`
		253609	`// Export the domain WK of the given target`
		253609	`// writes output to (*resp, resplen)`
		253609	`//`
		253609	`-// default version:`
		253609	`-// target addresses target module/domain`
		253609	`-// keyparts pointer to the encrypted keyparts`
		253609	`-// keypartlen length of encrypted keyparts`
		253609	`-// request pointer to the export request data`
		253609	`-// requestlen length of request data`
		253609	`-// sign_cb provide the callback for generating signatures`
		253609	`-// may be NULL if no signatures required`
		253609	`-// signopts number of signatures requested`
		253609	`-//`
		253609	`-// with EP11ADM_V2 feature define active:`
		253609	`// target addresses target module/domain`
		253609	`// wktype indicates either current or next WK`
		253609	`// keyparts pointer to the encrypted keyparts`
		253609	`@@ -1274,20 +1204,11 @@ long xcpa_enable_import_state(target_t target,`
		253609	`// sign_cb provide the callback for generating signatures`
		253609	`// may be NULL if no signatures required`
		253609	`// signopts number of signatures requested`
		253609	`-//`
		253609	`-#if defined(EP11ADM_V2)`
		253609	`-__asm__(".symver xcpa_export_wk, xcpa_export_wk@EP11ADM_V2");`
		253609	`long xcpa_export_wk(target_t target, int wktype,`
		253609	`unsigned char keyparts, size_t keypartlen,`
		253609	`const unsigned char *request, size_t requestlen,`
		253609	`xcpa_admin_signs_cb_t sign_cb, const void *signopts);`
		253609	`-#else`
		253609	`-long xcpa_export_wk(target_t target,`
		253609	`- unsigned char keyparts, size_t keypartlen,`
		253609	`- const unsigned char *request, size_t requestlen,`
		253609	`- xcpa_admin_signs_cb_t sign_cb, const void *signopts)`
		253609	`- __attribute__((deprecated));`
		253609	`-#endif`
		253609	`+`
		253609
		253609	`//-------------------------------------`
		253609	`// Export the state of the given target`
		253609	`@@ -1337,11 +1258,6 @@ long xcpa_import_wk_rcptinfo(target_t target,`
		253609	`// sign_cb provide the callback for generating signatures`
		253609	`// may be NULL if no signatures required`
		253609	`// signopts number of signatures requested`
		253609	`-//`
		253609	`-// uses xcp_rcptinfo and is therefore dependent on EP11ADM_V2`
		253609	`-#if defined(EP11ADM_V2)`
		253609	`-__asm__(".symver xcpa_import_wk, xcpa_import_wk@EP11ADM_V2");`
		253609	`-#endif`
		253609	`long xcpa_import_wk(target_t target, const struct Encrdkey *ekps,`
		253609	`unsigned int kcnt, const unsigned char *wkvp,`
		253609	`xcpa_admin_signs_cb_t sign_cb, const void *signopts);`
		253609	`@@ -1436,11 +1352,11 @@ long xcpa_gen_random_wk(target_t target, unsigned char *wkvp,`
		253609	`// XCP_ADMERR_SI_OID_MECH_MISMATCH: mismatch between signature and hash`
		253609	`// mechanism`
		253609	`//`
		253609	`-long xcp_signerinfo(unsigned char *asn, size_t alen,`
		253609	`- const unsigned char ski, size_t skilen, / signer */`
		253609	`- const unsigned char *sig, size_t siglen,`
		253609	`- const CK_MECHANISM *sigmech,`
		253609	`- const CK_MECHANISM *hashmech) ;`
		253609	`+long xcp_signerinfo (unsigned char *asn, size_t alen,`
		253609	`+ const unsigned char ski, size_t skilen, / signer */`
		253609	`+ const unsigned char *sig, size_t siglen,`
		253609	`+ const CK_MECHANISM *sigmech,`
		253609	`+ const CK_MECHANISM *hashmech) ;`
		253609
		253609
		253609	`//-------------------------------------`
		253609	`@@ -1461,13 +1377,13 @@ long xcp_signerinfo(unsigned char *asn, size_t alen,`
		253609	`//`
		253609	`// no length checks on signature or SKI, other than checking both for non-empty`
		253609	`//`
		253609	`-long xcp_signerinfo_read(const unsigned char *sinfo, size_t silen,`
		253609	`- const unsigned char *ski, size_t skilen,`
		253609	`- const unsigned char *sig, size_t siglen,`
		253609	`- const unsigned char *hoid, size_t hoidlen,`
		253609	`- const unsigned char *soid, size_t soidlen,`
		253609	`- CK_MECHANISM *signmech,`
		253609	`- CK_MECHANISM *hashmech) ;`
		253609	`+long xcp_signerinfo_read (const unsigned char *sinfo, size_t silen,`
		253609	`+ const unsigned char *ski, size_t skilen,`
		253609	`+ const unsigned char *sig, size_t siglen,`
		253609	`+ const unsigned char *hoid, size_t hoidlen,`
		253609	`+ const unsigned char *soid, size_t soidlen,`
		253609	`+ CK_MECHANISM *signmech,`
		253609	`+ CK_MECHANISM *hashmech) ;`
		253609
		253609
		253609	`//-------------------------------------`
		253609	`@@ -1488,57 +1404,10 @@ long xcp_signerinfo_read(const unsigned char *sinfo, size_t silen,`
		253609	`//`
		253609	`// note: we do not verify other details of SPKI; caller must do so`
		253609	`//`
		253609	`-long xcp_spki2pubkey(const unsigned char **bitstr,`
		253609	`- const unsigned char *spki, size_t slen) ;`
		253609	`-`
		253609	`-`
		253609	`-`
		253609	`-//----------------------------------------------------------------------`
		253609	`-// The following functions are DEPRECTATED!`
		253609	`-// for return values see their xcpa_* counterpart`
		253609	`+long xcp_spki2pubkey (const unsigned char **bitstr,`
		253609	`+ const unsigned char *spki, size_t slen) ;`
		253609
		253609
		253609	`-/*----------------------------------------------------------------------`
		253609	`- * build a command block to (blk,blen), querying 'fn'`
		253609	`- * (payload,plen) copied to query block if non-NULL`
		253609	`- *`
		253609	`- * returns written bytecount; size query if blk is NULL`
		253609	`- * *minf used for module ID and transaction counter`
		253609	`- * ignored for commands where those fields are ignored`
		253609	`- */`
		253609	`-long ep11a_cmdblock(unsigned char *blk, size_t blen,`
		253609	`- unsigned int fn,`
		253609	`- const struct ep11_admresp *minf,`
		253609	`- const unsigned char tctr, / EP11_ADMCTR_BYTES */`
		253609	`- const unsigned char *payload, size_t plen)`
		253609	`- __attribute__ ((deprecated)) ;`
		253609	`-`
		253609	`-`
		253609	`-/*----------------------------------------------------------------------`
		253609	`- * returns <0 if response is malformed, or contents invalid`
		253609	`- *`
		253609	`- * parse embedded return value from response, writes to *rv if non-NULL`
		253609	`- * (outside envelope always reports CKR_OK, unless infrastructure`
		253609	`- * failed)`
		253609	`- */`
		253609	`-long ep11a_internal_rv(const unsigned char *rsp, size_t rlen,`
		253609	`- struct ep11_admresp rspblk, CK_RV rv)`
		253609	`- __attribute__ ((deprecated)) ;`
		253609	`-`
		253609	`-`
		253609	`-/*----------------------------------------------------------------------`
		253609	`- * in: [0] query type`
		253609	`- * out: [0] packed info structure`
		253609	`- *`
		253609	`- * outputs are fixed size, except CK_IBM_XCPQ_DOMAINS, which returns a`
		253609	`- * list therefore, infbytes is ignored by other types (we still check`
		253609	`- * if present)`
		253609	`- */`
		253609	`-CK_RV m_get_ep11_info(CK_VOID_PTR pinfo, CK_ULONG_PTR infbytes,`
		253609	`- unsigned int query,`
		253609	`- unsigned int subquery,`
		253609	`- target_t target)`
		253609	`- __attribute__ ((deprecated)) ;`
		253609
		253609
		253609	`/*`
		253609	`@@ -1548,7 +1417,7 @@ CK_RV m_get_ep11_info(CK_VOID_PTR pinfo, CK_ULONG_PTR infbytes,`
		253609	`* mask pointer to an 32 byte array that represents our domain mask`
		253609	`* masksize bit-length of the mask`
		253609	`*/`
		253609	`-int xcp_args2mask(char args, unsigned char mask, int masksize) ;`
		253609	`+int xcp_args2mask(char args, unsigned char mask, int masksize);`
		253609
		253609
		253609	`/*`
		253609	`@@ -1602,6 +1471,10 @@ long xcpa_write_full_file(target_t target,`
		253609	`unsigned int fileid, unsigned int block);`
		253609
		253609
		253609	`+long xcpa_remove_file(target_t target, unsigned int fileid,`
		253609	`+ xcpa_admin_signs_cb_t sign_cb, const void *signopts);`
		253609	`+`
		253609	`+`
		253609	`/* brute-force section parser: enumerate all encrypted-KP sections`
		253609	`*`
		253609	`* returns >0 offset of full OCTET STRING T+L+V section`
		253609	`@@ -1627,5 +1500,15 @@ long xcpa_kps_retrieve_rcptinfo(struct Recipient_info *rcpti,`
		253609	`const unsigned char *kpexport,`
		253609	`size_t kplen);`
		253609
		253609	`+`
		253609	`+/*`
		253609	`+ * report domain compliance`
		253609	`+ *`
		253609	`+ * returns compliance bitmask if successful and 0 if anything failed`
		253609	`+ * (as zero is invalid as we always have a default compliance active)`
		253609	`+ *`
		253609	`+ */`
		253609	`+uint64_t get_dom_compl(target_t target);`
		253609	`+`
		253609	`#endif /* !defined(__xcpadm_h__) */`
		253609
		253609	`--`
		253609	`2.16.2.windows.1`
		253609

rpms / opencryptoki

Source Code

Blame SOURCES/0012-EP11-Update-EP11-host-library-header-files.patch