From 8a74ed6dc2928307ed5f44a9fd3cc31afe344cfe Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 02 2019 17:02:17 +0000 Subject: import opencryptoki-3.11.0-5.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d7ed41a --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/opencryptoki-3.11.0.tar.gz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata new file mode 100644 index 0000000..7bea2cc --- /dev/null +++ b/.opencryptoki.metadata @@ -0,0 +1 @@ +86808ac3d57f22e9ba7d27b0d3bd50a686e72fad SOURCES/opencryptoki-3.11.0.tar.gz diff --git a/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch b/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch new file mode 100644 index 0000000..d5b516a --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch @@ -0,0 +1,55 @@ +commit 1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b +Author: Ingo Franzki +Date: Mon Nov 19 13:30:09 2018 +0100 + + EP11: Fix target_list passing for EP11-session logon/logoff + + The target list is passed incorrectly to the handle_all_ep11_cards() + function. Dependent on memory content, this can cause it to + fail processing all EP11 cards. This will most likely cause a + CKR_DEVICE_ERROR to be returned by C_Login when the STRICT_SESSION + and/or VHSM_MODE is enabled in the ep11tok.conf config file. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 2129762f..05332429 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -7600,7 +7600,7 @@ CK_RV ep11tok_login_session(STDLL_TokData_t * tokdata, SESSION * session) + } + } + +- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_login_handler, ep11_session); + if (rc != CKR_OK) { + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); +@@ -7646,8 +7646,7 @@ done: + if (ep11_session->flags & + (EP11_SESS_PINBLOB_VALID | EP11_VHSM_PINBLOB_VALID)) { + rc2 = +- handle_all_ep11_cards((ep11_target_t *) & +- ep11_data->target_list, ++ handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_logout_handler, ep11_session); + if (rc2 != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", +@@ -7700,7 +7699,7 @@ static CK_RV ep11tok_relogin_session(STDLL_TokData_t * tokdata, + return CKR_USER_NOT_LOGGED_IN; + } + +- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_login_handler, ep11_session); + if (rc != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); +@@ -7747,7 +7746,7 @@ CK_RV ep11tok_logout_session(STDLL_TokData_t * tokdata, SESSION * session) + return CKR_USER_NOT_LOGGED_IN; + } + +- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_logout_handler, ep11_session); + if (rc != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); diff --git a/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch b/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch new file mode 100644 index 0000000..6a841c6 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch @@ -0,0 +1,215 @@ +commit bedf46da28da6231607a12e35414cd59b4432f9f +Author: Ingo Franzki +Date: Fri Mar 1 11:03:47 2019 +0100 + + EP11: Created MACed-SPKIs when importing public keys + + The EP11 host library does not allow to use plain SPKIs as + public key blobs for encrypt operations, this requires + MACed-SPKIs. Create MACed-SPKIs whenever public keys are + imported, and store it in CKA_IBM_OPAQUE instead of the + plain SPKI. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 41d500a4..5416a413 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -2043,6 +2043,120 @@ CK_RV ep11tok_final(STDLL_TokData_t * tokdata) + return CKR_OK; + } + ++/* ++ * Makes a public key blob which is a MACed SPKI of the public key. ++ */ ++static CK_RV make_maced_spki(STDLL_TokData_t *tokdata, SESSION * sess, ++ OBJECT *pub_key_obj, ++ CK_BYTE *spki, CK_ULONG spki_len, ++ CK_BYTE *maced_spki, CK_ULONG *maced_spki_len) ++{ ++ ep11_private_data_t *ep11_data = tokdata->private_data; ++ unsigned char *ep11_pin_blob = NULL; ++ CK_ULONG ep11_pin_blob_len = 0; ++ ep11_session_t *ep11_session = (ep11_session_t *) sess->private_data; ++ CK_MECHANISM mech = { CKM_IBM_TRANSPORTKEY, 0, 0 }; ++ CK_ATTRIBUTE_PTR p_attrs = NULL; ++ CK_ULONG attrs_len = 0; ++ CK_ATTRIBUTE_PTR attr; ++ CK_BBOOL bool_value; ++ DL_NODE *node; ++ CK_BYTE csum[MAX_BLOBSIZE]; ++ CK_ULONG cslen = sizeof(csum); ++ CK_KEY_TYPE keytype; ++ CK_RV rc; ++ ++ rc = template_attribute_find(pub_key_obj->template, CKA_KEY_TYPE, &attr); ++ if (rc == FALSE) { ++ TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n"); ++ return CKR_TEMPLATE_INCOMPLETE; ++ } ++ keytype = *(CK_KEY_TYPE *)attr->pValue; ++ ++ /* ++ * m_UnwrapKey with CKM_IBM_TRANSPORTKEY allows boolean attributes only to ++ * be added to MACed-SPKIs ++ */ ++ node = pub_key_obj->template->attribute_list; ++ while (node != NULL) { ++ attr = node->data; ++ ++ switch (attr->type) { ++ case CKA_ENCRYPT: ++ case CKA_VERIFY: ++ case CKA_VERIFY_RECOVER: ++ /* ++ * EP11 does not allow to restrict public RSA/DSA/EC keys with ++ * CKA_VERIFY=FALSE and/or CKA_ENCRYPT=FALSE since it can not ++ * technically enforce the restrictions. Therefore override these ++ * attributes for the EP11 library, but keep the original attribute ++ * values in the object. ++ */ ++ if (keytype == CKK_EC || keytype == CKK_RSA || keytype == CKK_DSA) ++ bool_value = CK_TRUE; ++ else ++ bool_value = *(CK_BBOOL *)attr->pValue; ++ rc = add_to_attribute_array(&p_attrs, &attrs_len, attr->type, ++ &bool_value, sizeof(bool_value)); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s adding attribute failed type=0x%lx rc=0x%lx\n", ++ __func__, attr->type, rc); ++ goto make_maced_spki_end; ++ } ++ break; ++ ++ case CKA_EXTRACTABLE: ++ //case CKA_NEVER_EXTRACTABLE: ++ //case CKA_MODIFIABLE: ++ case CKA_DERIVE: ++ case CKA_WRAP: ++ //case CKA_LOCAL: ++ case CKA_TRUSTED: ++ case CKA_IBM_RESTRICTABLE: ++ case CKA_IBM_NEVER_MODIFIABLE: ++ case CKA_IBM_ATTRBOUND: ++ case CKA_IBM_USE_AS_DATA: ++ rc = add_to_attribute_array(&p_attrs, &attrs_len, attr->type, ++ attr->pValue, attr->ulValueLen); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s adding attribute failed type=0x%lx rc=0x%lx\n", ++ __func__, attr->type, rc); ++ goto make_maced_spki_end; ++ } ++ break; ++ ++ default: ++ break; ++ } ++ node = node->next; ++ } ++ ++ ep11_get_pin_blob(ep11_session, object_is_session_object(pub_key_obj), ++ &ep11_pin_blob, &ep11_pin_blob_len); ++ ++ RETRY_START ++ rc = dll_m_UnwrapKey(spki, spki_len, NULL, 0, NULL, 0, ++ ep11_pin_blob, ep11_pin_blob_len, &mech, ++ p_attrs, attrs_len, maced_spki, maced_spki_len, ++ csum, &cslen, ++ (uint64_t) ep11_data->target_list); ++ RETRY_END(rc, tokdata, sess) ++ ++ if (rc != CKR_OK) { ++ rc = ep11_error_to_pkcs11_error(rc, sess); ++ TRACE_ERROR("%s unwrapping SPKI rc=0x%lx spki_len=0x%zx maced_spki_len=0x%zx\n", ++ __func__, rc, spki_len, *maced_spki_len); ++ } else { ++ TRACE_INFO("%s unwrapping SPKI rc=0x%lx spki_len=0x%zx maced_spki_len=0x%zx\n", ++ __func__, rc, spki_len, *maced_spki_len); ++ } ++ ++make_maced_spki_end: ++ if (p_attrs != NULL) ++ cleanse_and_free_attribute_array(p_attrs, attrs_len); ++ ++ return rc; ++} + + /* + * makes blobs for private imported RSA keys and +@@ -2140,10 +2254,15 @@ static CK_RV import_RSA_key(STDLL_TokData_t * tokdata, SESSION * sess, + } + + /* save the SPKI as blob although it is not a blob. +- * The card expects SPKIs as public keys. ++ * The card expects MACed-SPKIs as public keys. + */ +- memcpy(blob, data, data_len); +- *blob_size = data_len; ++ rc = make_maced_spki(tokdata, sess, rsa_key_obj, data, data_len, ++ blob, blob_size); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", ++ __func__, rc); ++ goto import_RSA_key_end; ++ } + + } else { + +@@ -2331,10 +2450,15 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess, + } + + /* save the SPKI as blob although it is not a blob. +- * The card expects SPKIs as public keys. ++ * The card expects MACed-SPKIs as public keys. + */ +- memcpy(blob, data, data_len); +- *blob_size = data_len; ++ rc = make_maced_spki(tokdata, sess, ec_key_obj, data, data_len, ++ blob, blob_size); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", ++ __func__, rc); ++ goto import_EC_key_end; ++ } + + } else { + +@@ -2531,10 +2655,15 @@ static CK_RV import_DSA_key(STDLL_TokData_t * tokdata, SESSION * sess, + } + + /* save the SPKI as blob although it is not a blob. +- * The card expects SPKIs as public keys. ++ * The card expects MACed-SPKIs as public keys. + */ +- memcpy(blob, data, data_len); +- *blob_size = data_len; ++ rc = make_maced_spki(tokdata, sess, dsa_key_obj, data, data_len, ++ blob, blob_size); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", ++ __func__, rc); ++ goto import_DSA_key_end; ++ } + + } else { + +@@ -2723,10 +2852,15 @@ static CK_RV import_DH_key(STDLL_TokData_t * tokdata, SESSION * sess, + } + + /* save the SPKI as blob although it is not a blob. +- * The card expects SPKIs as public keys. ++ * The card expects MACed-SPKIs as public keys. + */ +- memcpy(blob, data, data_len); +- *blob_size = data_len; ++ rc = make_maced_spki(tokdata, sess, dh_key_obj, data, data_len, ++ blob, blob_size); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", ++ __func__, rc); ++ goto import_DH_key_end; ++ } + + } else { + diff --git a/SOURCES/opencryptoki-3.11.0-covscan.patch b/SOURCES/opencryptoki-3.11.0-covscan.patch new file mode 100644 index 0000000..b1538f4 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-covscan.patch @@ -0,0 +1,53 @@ +diff -up opencryptoki-3.11.0/usr/lib/api/apiutil.c.coverity opencryptoki-3.11.0/usr/lib/api/apiutil.c +--- opencryptoki-3.11.0/usr/lib/api/apiutil.c.coverity 2018-11-16 15:53:03.000000000 +0100 ++++ opencryptoki-3.11.0/usr/lib/api/apiutil.c 2019-02-21 11:56:00.131624101 +0100 +@@ -51,16 +51,12 @@ extern API_Proc_Struct_t *Anchor; + + CK_RV CreateProcLock(void) + { +- struct stat statbuf; +- + if (xplfd == -1) { + + /* The slot mgr daemon should have already created lock, + * so just open it so we can get a lock... + */ +- if (stat(OCK_API_LOCK_FILE, &statbuf) == 0) +- xplfd = open(OCK_API_LOCK_FILE, O_RDONLY); +- ++ xplfd = open(OCK_API_LOCK_FILE, O_RDONLY); + if (xplfd == -1) { + OCK_SYSLOG(LOG_ERR, "Could not open %s\n", OCK_API_LOCK_FILE); + return CKR_FUNCTION_FAILED; +diff -up opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c.coverity opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c +--- opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c.coverity 2018-11-16 15:53:03.000000000 +0100 ++++ opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c 2019-02-21 11:47:52.097612395 +0100 +@@ -26,15 +26,10 @@ int CreateXProcLock(void) + { + struct group *grp; + mode_t mode = (S_IRUSR | S_IRGRP); +- struct stat statbuf; + + if (xplfd == -1) { +- if (stat(OCK_API_LOCK_FILE, &statbuf) == 0) { +- xplfd = open(OCK_API_LOCK_FILE, O_RDONLY, mode); +- } else { +- xplfd = open(OCK_API_LOCK_FILE, O_CREAT | O_RDONLY, mode); +- +- if (xplfd != -1) { ++ xplfd = open(OCK_API_LOCK_FILE, O_CREAT | O_RDONLY, mode); ++ if (xplfd != -1) { + if (fchmod(xplfd, mode) == -1) { + DbgLog(DL0, "%s:fchmod(%s):%s\n", + __func__, OCK_API_LOCK_FILE, strerror(errno)); +@@ -54,9 +49,7 @@ int CreateXProcLock(void) + __func__, strerror(errno)); + goto error; + } +- } +- } +- if (xplfd == -1) { ++ } else { + DbgLog(DL0, "open(%s): %s\n", OCK_API_LOCK_FILE, strerror(errno)); + return FALSE; + } diff --git a/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch b/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch new file mode 100644 index 0000000..dca81c1 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch @@ -0,0 +1,59 @@ +commit d6ba9ff61743ce869a5a677f6f77339642efef4b +Author: Ingo Franzki +Date: Tue Sep 24 14:35:59 2019 +0200 + + EP11: Support tolerated new crypto cards + + With just toleration support of new crypt cards, new crypto + cards are reported as the last known crypto card version. + E.g. a CEX7 card is reported as CEX6, when CEX6 is the last + known crypto card version. + + The EP11 token checks the card versions and needs to distinguish + tolerated cards from supported cards. New (tolerated) crypto cards + may have different API and firmware versions, and thus need to be + handled differently. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index e22dad5d..a65accea 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -8253,6 +8253,7 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type) + char fname[PATH_MAX]; + char buf[250]; + CK_RV rc; ++ CK_ULONG hwtype, rawtype; + + sprintf(fname, "%scard%02x/type", SYSFS_DEVICES_AP, adapter); + rc = file_fgets(fname, buf, sizeof(buf)); +@@ -8260,6 +8261,28 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type) + return rc; + if (sscanf(buf, "CEX%luP", type) != 1) + return CKR_FUNCTION_FAILED; ++ ++ sprintf(fname, "%scard%02x/hwtype", SYSFS_DEVICES_AP, adapter); ++ rc = file_fgets(fname, buf, sizeof(buf)); ++ if (rc != CKR_OK) ++ return rc; ++ if (sscanf(buf, "%lu", &hwtype) != 1) ++ return CKR_FUNCTION_FAILED; ++ ++ sprintf(fname, "%scard%02x/raw_hwtype", SYSFS_DEVICES_AP, adapter); ++ rc = file_fgets(fname, buf, sizeof(buf)); ++ if (rc != CKR_OK) ++ return rc; ++ if (sscanf(buf, "%lu", &rawtype) != 1) ++ return CKR_FUNCTION_FAILED; ++ ++ if (rawtype > hwtype) { ++ TRACE_DEVEL("%s adapter: %u hwtype: %lu raw_hwtype: %lu\n", ++ __func__, adapter, hwtype, rawtype); ++ /* Tolerated new card level: report calculated type */ ++ *type += (rawtype - hwtype); ++ } ++ + return CKR_OK; + } + diff --git a/SOURCES/opencryptoki-3.11.0-group.patch b/SOURCES/opencryptoki-3.11.0-group.patch new file mode 100644 index 0000000..e88b391 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-group.patch @@ -0,0 +1,31 @@ +diff -up opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in +--- opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me 2019-01-31 10:42:23.325797012 +0100 ++++ opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in 2019-01-31 10:52:17.585191667 +0100 +@@ -55,9 +55,11 @@ void *attach_shared_memory() + int shmid; + char *shmp; + struct stat statbuf; ++#if 0 + struct group *grp; + struct passwd *pw, *epw; + uid_t uid, euid; ++#endif + + #if !(MMAP) + // Really should fstat the tok_path, since it will be the actual +@@ -69,6 +71,7 @@ void *attach_shared_memory() + return NULL; + } + ++#if 0 + uid = getuid(); + euid = geteuid(); + // only check group membership if not root user +@@ -102,6 +105,7 @@ void *attach_shared_memory() + return NULL; + } + } ++#endif + + Anchor->shm_tok = ftok(TOK_PATH, 'b'); + diff --git a/SOURCES/opencryptoki-3.11.0-lockdir.patch b/SOURCES/opencryptoki-3.11.0-lockdir.patch new file mode 100644 index 0000000..936a654 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-lockdir.patch @@ -0,0 +1,12 @@ +diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac +--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100 ++++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100 +@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS]) + + dnl Define custom variables + +-lockdir=$localstatedir/lock/opencryptoki ++lockdir=/run/lock/opencryptoki + AC_SUBST(lockdir) + + logdir=$localstatedir/log/opencryptoki diff --git a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch new file mode 100644 index 0000000..756f55d --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch @@ -0,0 +1,13 @@ +diff -up opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c +--- opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me 2019-01-31 13:27:05.720647942 +0100 ++++ opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c 2019-01-31 13:36:05.763624633 +0100 +@@ -1072,6 +1072,9 @@ CK_RV init(void) + if (rc != CKR_OK) { + printf("Error initializing the PKCS11 library: 0x%lX (%s)\n", rc, + p11_get_ckr(rc)); ++ printf("Note: all non-root users that require access to PKCS#11 tokens " ++ "using opencryptoki must be assigned to the pkcs11 group to be " ++ "able to communicate with the pkcsslotd daemon.\n"); + fflush(stdout); + cleanup(); + } diff --git a/SOURCES/opencryptoki-3.11.1-use-soname.patch b/SOURCES/opencryptoki-3.11.1-use-soname.patch new file mode 100644 index 0000000..07793ee --- /dev/null +++ b/SOURCES/opencryptoki-3.11.1-use-soname.patch @@ -0,0 +1,61 @@ +From 73f05eb53f12197f081fd7ec75619c6ea3a39b2c Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 12 Aug 2019 10:54:27 +0200 +Subject: [opencryptoki PATCH 1/2] ICA: Refer libica by its so name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Ingo Franzki +Signed-off-by: Dan Horák +--- + usr/lib/ica_s390_stdll/ica_specific.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c +index d5a6d554..a72ce774 100644 +--- a/usr/lib/ica_s390_stdll/ica_specific.c ++++ b/usr/lib/ica_s390_stdll/ica_specific.c +@@ -61,7 +61,7 @@ const char label[] = "IBM ICA PKCS #11"; + + static pthread_mutex_t rngmtx = PTHREAD_MUTEX_INITIALIZER; + +-#define LIBICA_SHARED_LIB "libica.so" ++#define LIBICA_SHARED_LIB "libica.so.3" + #define BIND(dso, sym) (*(void **)(&p_##sym) = dlsym(dso, #sym)) + + #ifndef NO_EC +-- +2.21.0 + + +From 7f4113ba8653b8b18a6f1af6ab1d8eb90987626d Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 12 Aug 2019 10:54:44 +0200 +Subject: [opencryptoki PATCH 2/2] EP11: Refer libica by its so name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Ingo Franzki +Signed-off-by: Dan Horák +--- + usr/lib/ep11_stdll/ep11_specific.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 231dd200..a3f14351 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -58,7 +58,7 @@ + #include "ep11_specific.h" + + #define EP11SHAREDLIB "libep11.so" +-#define ICASHAREDLIB "libica.so" ++#define ICASHAREDLIB "libica.so.3" + + CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata, + CK_MECHANISM_TYPE_PTR mlist, +-- +2.21.0 + diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec new file mode 100644 index 0000000..d7760f5 --- /dev/null +++ b/SPECS/opencryptoki.spec @@ -0,0 +1,592 @@ +%global _hardened_build 1 + +Name: opencryptoki +Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 +Version: 3.11.0 +Release: 5%{?dist} +License: CPL +Group: System Environment/Base +URL: https://github.com/opencryptoki/opencryptoki +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz + +# https://bugzilla.redhat.com/show_bug.cgi?id=732756 +Patch0: opencryptoki-3.11.0-group.patch +# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* +Patch1: opencryptoki-3.11.0-lockdir.patch +# bz#1063763, inform the user that he is not in pkcs11 group +Patch2: opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch +# EP11 token fails when using Strict-Session mode or VHSM-Mode +Patch3: opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch +# coverity issues +Patch4: opencryptoki-3.11.0-covscan.patch +# bz#1688891, C_EncryptInit fails with CKR_KEY_TYPE_INCONSISTENT. on ep11 token when using imported RSA public key +Patch5: opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch +# bz#1755463, EP11: Support tolerated new crypto cards +Patch6: opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch +# bz#1756956 - ICA HW token missing after the package update +Patch7: opencryptoki-3.11.1-use-soname.patch + +Requires(pre): shadow-utils coreutils sed +BuildRequires: openssl-devel +BuildRequires: trousers-devel +BuildRequires: openldap-devel +BuildRequires: autoconf automake libtool +BuildRequires: bison flex +BuildRequires: systemd +BuildRequires: libitm-devel +%ifarch s390 s390x +BuildRequires: libica-devel >= 2.5 +%endif +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}(token) +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +conflicts: selinux-policy < 3.13.1-84 + + +%description +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package contains the Slot Daemon (pkcsslotd) and general utilities. + + +%package libs +Group: System Environment/Libraries +Summary: The run-time libraries for opencryptoki package +Requires(pre): shadow-utils + +%description libs +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package contains the PKCS#11 library implementation, and requires +at least one token implementation (packaged separately) to be fully +functional. + + +%package devel +Group: Development/Libraries +Summary: Development files for openCryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description devel +This package contains the development header files for building +opencryptoki and PKCS#11 based applications + + +%package swtok +Group: System Environment/Libraries +Summary: The software token implementation for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description swtok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the software token implementation to use opencryptoki +without any specific cryptographic hardware. + + +%package tpmtok +Group: System Environment/Libraries +Summary: Trusted Platform Module (TPM) device support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description tpmtok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support +Trusted Platform Module (TPM) devices in the opencryptoki stack. + + +%package icsftok +Group: System Environment/Libraries +Summary: ICSF token support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description icsftok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support +ICSF token in the opencryptoki stack. + + +%ifarch s390 s390x +%package icatok +Group: System Environment/Libraries +Summary: ICA cryptographic devices (clear-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description icatok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support ICA +devices in the opencryptoki stack. ICA is an interface to IBM +cryptographic hardware such as IBM 4764 or 4765 that uses the +"accelerator" or "clear-key" path. + +%package ccatok +Group: System Environment/Libraries +Summary: CCA cryptographic devices (secure-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description ccatok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support CCA +devices in the opencryptoki stack. CCA is an interface to IBM +cryptographic hardware such as IBM 4764 or 4765 that uses the +"co-processor" or "secure-key" path. + +%package ep11tok +Group: System Environment/Libraries +Summary: CCA cryptographic devices (secure-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description ep11tok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support EP11 +tokens in the opencryptoki stack. The EP11 token is a token that uses +the IBM Crypto Express adapters (starting with Crypto Express 4S adapters) +configured with Enterprise PKCS#11 (EP11) firmware. +%endif + + +%prep +%setup -q -n %{name}-%{version} +%patch0 -p1 -b .group +%patch1 -p1 -b .lockdir +%patch2 -p1 -b .warn-user-not-in-pkcs11-group +%patch3 -p1 -b .EP11_token_fails_when_using_Strict-Session_mode_or_VHSM-Mode +%patch4 -p1 -b .coverity +%patch5 -p1 -b .created-MACed-SPKIs-when-importing-public-keys +%patch6 -p1 -b .support-tolerated-new-crypto-cards +%patch7 -p1 -b .soname + +# Upstream tarball has unnecessary executable perms set on the sources +find . -name '*.[ch]' -print0 | xargs -0 chmod -x + +%build +./bootstrap.sh + +%configure --with-systemd=%{_unitdir} \ +%ifarch s390 s390x + --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate +%else + --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --disable-pkcscca_migrate +%endif + +make %{?_smp_mflags} CHGRP=/bin/true + + +%install +make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true + +# Remove unwanted cruft +rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la +rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la + + + +%post libs -p /sbin/ldconfig +%post swtok -p /sbin/ldconfig +%post tpmtok -p /sbin/ldconfig +%post icsftok -p /sbin/ldconfig +%ifarch s390 s390x +%post icatok -p /sbin/ldconfig +%post ccatok -p /sbin/ldconfig +%post ep11tok -p /sbin/ldconfig +%endif + +%postun libs -p /sbin/ldconfig +%postun swtok -p /sbin/ldconfig +%postun tpmtok -p /sbin/ldconfig +%postun icsftok -p /sbin/ldconfig +%ifarch s390 s390x +%postun icatok -p /sbin/ldconfig +%postun ccatok -p /sbin/ldconfig +%postun ep11tok -p /sbin/ldconfig +%endif + +%pre libs +getent group pkcs11 >/dev/null || groupadd -r pkcs11 +exit 0 + +%post +%systemd_post pkcsslotd.service +if test $1 -eq 1; then + %tmpfiles_create +fi + +%preun +%systemd_preun pkcsslotd.service + +%postun +%systemd_postun_with_restart pkcsslotd.service + + +%files +%doc ChangeLog FAQ README.md +%doc doc/opencryptoki-howto.md +%doc doc/README.token_data +%dir %{_sysconfdir}/%{name} +%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf +%{_tmpfilesdir}/%{name}.conf +%{_unitdir}/pkcsslotd.service +%{_sbindir}/pkcsconf +%{_sbindir}/pkcsslotd +%{_mandir}/man1/pkcsconf.1* +%{_mandir}/man5/%{name}.conf.5* +%{_mandir}/man7/%{name}.7* +%{_mandir}/man8/pkcsslotd.8* +%{_libdir}/opencryptoki/methods +%{_libdir}/pkcs11/methods +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name} +%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name} +%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/* +%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki + +%files libs +%doc LICENSE +%{_sysconfdir}/ld.so.conf.d/* +# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki +# needs them in the main package, because: +# documentation suggests that programs should dlopen "PKCS11_API.so". +%dir %{_libdir}/opencryptoki +%{_libdir}/opencryptoki/libopencryptoki.* +%{_libdir}/opencryptoki/PKCS11_API.so +%dir %{_libdir}/opencryptoki/stdll +%dir %{_libdir}/pkcs11 +%{_libdir}/pkcs11/libopencryptoki.so +%{_libdir}/pkcs11/PKCS11_API.so +%{_libdir}/pkcs11/stdll + +%files devel +%{_includedir}/%{name}/ + +%files swtok +%{_libdir}/opencryptoki/stdll/libpkcs11_sw.* +%{_libdir}/opencryptoki/stdll/PKCS11_SW.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ + +%files tpmtok +%doc doc/README.tpm_stdll +%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* +%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ + +%files icsftok +%doc doc/README.icsf_stdll +%{_sbindir}/pkcsicsf +%{_mandir}/man1/pkcsicsf.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.* +%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/ + +%ifarch s390 s390x +%files icatok +%{_libdir}/opencryptoki/stdll/libpkcs11_ica.* +%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ + +%files ccatok +%doc doc/README.cca_stdll +%{_sbindir}/pkcscca +%{_mandir}/man1/pkcscca.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_cca.* +%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/ + +%files ep11tok +%doc doc/README.ep11_stdll +%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf +%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf +%{_sbindir}/pkcsep11_migrate +%{_sbindir}/pkcsep11_session +%{_mandir}/man1/pkcsep11_migrate.1.* +%{_mandir}/man1/pkcsep11_session.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.* +%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/ +%endif + + +%changelog +* Mon Sep 30 2019 Than Ngo - 3.11.0-5 +- Resolves: #1756956, ICA HW token missing after the package update + +* Thu Sep 26 2019 Than Ngo - 3.11.0-4 +- Resolves: #1755463, EP11: Support tolerated new crypto cards + +* Thu Mar 14 2019 Than Ngo - 3.11.0-3 +- Resolves: #1688891 - C_EncryptInit fails with CKR_KEY_TYPE_INCONSISTENT. on ep11 token when using imported RSA public key + +* Thu Feb 21 2019 Than Ngo - 3.11.0-2 +- Resolves: #1678788 - EP11 token fails when using Strict-Session mode or VHSM-Mode + +* Tue Feb 19 2019 Than Ngo - 3.11.0-1 +- Resolves: #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group +- Resolves: #1641027 - enhanced IBM z14 functions +- Resolves: #1641026 - support m_*Single functions from ep11 lib +- Resolves: #1641025 - rebase to 3.11.0 +- Resolves: #1519386 - use CPACF hashes in ep11 token +- Resolves: #1373833 - lock file directory is %%ghost now + +* Thu Aug 23 2018 Sinny Kumari - 3.10.0-2 +- Resolves: #1613743 - ICA Token specific des3 cbc encrypt failed - token not available + +* Fri Jun 22 2018 Sinny Kumari - 3.10.0-1 +- Rebase to 3.10.0 +- Resolves: #1519383 - openCryptoki token for EP11 - crucial enhancements for s390x +- Remove opencryptoki-3.4-fix-root-checks.patch, fixed in 3.9.0 +- Remove opencryptoki-3.2-conditional-manpages.patch, fixed in 3.9.0 + +* Tue Oct 03 2017 Sinny Kumari - 3.7.0-1 +- RHBZ#1456520 - Rebase opencryptoki to 3.7.0 +- Include libitm-devel as BuildRequires + +* Mon Feb 20 2017 Sinny Kumari - 3.6.2-1 +- Rebase opencryptoki to 3.6.2 +- Remove patches from spec file applied during 3.5 release +- Resolves: #1391559, #1380784, #1417905 + +* Mon Sep 19 2016 Sinny Kumari - 3.5-7 +- Related: RHBZ#1343671 - Make selinux-policy as Conflicts instead of Requires + +* Fri Sep 02 2016 Sinny Kumari - 3.5-6 +- RHBZ#1371095: coverity scan fixes - memory leak and variable initialization +- RHBZ#1372188: fix illegal instruction on pkcscca tool + +* Wed Jul 20 2016 Jakub Jelen - 3.5-5 +- Create missing tpm lock directory from tpm stdll (#1343671) + +* Thu Jul 14 2016 Jakub Jelen - 3.5-4 +- Require selinux-policy with changes related to #1343671 + +* Tue Jun 28 2016 Jakub Jelen - 3.5-3 +- Downgraded a syslog dlopen error to warning (#1059821) +- Coverity: NULL_RETURNS fixes + +* Tue Jun 28 2016 Jakub Jelen - 3.5-2 +- icsf token does not validate data length for verify operation for ECDSA (#1344383) +- Create lock and log directories from opencryptoki (#1343671) +- Create log directory with appropriate permissions (#1185421) +- Added support for rc=8, reasoncode=2028 in icsf token (#1348803) +- Fix for session handle not set in session issue (#1348804) +- Fix memory leak in icsf specific code + +* Fri May 13 2016 Jakub Jelen - 3.5-1 +- New upstream relase (#1185421) +- Implicit dependence on libica >= 2.5 + +* Fri Apr 29 2016 Jakub Jelen - 3.4.1-4 +- Added support for icsf reason code 11028 (#1325827) + +* Thu Mar 31 2016 Jakub Jelen 3.4.1-3 +- Few more issues reported by Coverity +- Fix Segfault when trace in enabled in api_interface.c +- Fix the misleading indentation +- Fix memory leak by closing the lock file descriptor in C_Final + +* Thu Mar 24 2016 Jakub Jelen 3.4.1-2 +- Fix problems reported by Coverity scan + +* Fri Feb 12 2016 Jakub Jelen 3.4.1-1 +- New upstream release (#1185421) +- Fix translating ICSF return code (#1306654) +- Fix getObjectsize call for opencryptoki ICSF token (#1303839) +- Fix for openCryptoki ICSF token failure (#1300194) + +* Thu Jan 28 2016 Jakub Jelen 3.2-5 +- Fix obj class for ep11 token (#1263179) + +* Wed Dec 03 2014 Petr Lautrbach 3.2-4.1 +- don't check if root is in pkcs11 group + +* Mon Nov 10 2014 Petr Lautrbach 3.2-3 +- Correctly declare OAEP parameter in RSA Wrap tests to prevent a possible + scope issue (#1088512) +- several fixes for pkcsep11_migrate + +* Mon Oct 20 2014 Petr Lautrbach 3.2-2 +- opencryptoki-libs needs shadow-utils to be installed (#1154647) + +* Wed Sep 10 2014 Petr Lautrbach 3.2-1 +- new upstream release 3.2 (#1088512) +- add new sub-package opencryptoki-ep11tok on s390x + +* Thu Feb 06 2014 Petr Lautrbach 3.0-11 +- create the right lock directory for cca tokens (#1054442) + +* Mon Feb 03 2014 Petr Lautrbach 3.0-10 +- use Requires(pre): opencryptoki-libs for subpackages (#1058814) + +* Fri Jan 24 2014 Daniel Mach - 3.0-9 +- Mass rebuild 2014-01-24 + +* Mon Jan 20 2014 Dan Horák - 3.0-8 +- include token specific directories (#1013017, #1045775, #1054442) +- fix pkcsconf crash for non-root users (#1054661) +- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed +- fix build with -Werror=format-security (#1037228) +- Resolves: #1054442, #1054661 + +* Fri Dec 27 2013 Daniel Mach - 3.0-7 +- Mass rebuild 2013-12-27 + +* Fri Nov 22 2013 Dan Horák - 3.0-6 +- apply post-3.0 fixes (#1033284) +- Resolves: #1033284 + +* Tue Nov 19 2013 Dan Horák - 3.0-5 +- update opencryptoki man page (#1001729) +- Resolves: #1001729 + +* Fri Aug 23 2013 Dan Horák - 3.0-4 +- update unit file (#995002) + +* Tue Jul 23 2013 Dan Horák - 3.0-2 +- update pkcsconf man page (#948460) + +* Mon Jul 22 2013 Dan Horák - 3.0-1 +- new upstream release 3.0 + +* Tue Jun 25 2013 Dan Horák - 2.4.3.1-1 +- new upstream release 2.4.3.1 + +* Fri May 03 2013 Dan Horák - 2.4.3-1 +- new upstream release 2.4.3 + +* Thu Apr 04 2013 Dan Horák - 2.4.2-4 +- enable hardened build +- switch to systemd macros in scriptlets (#850240) + +* Mon Jan 28 2013 Dan Horák - 2.4.2-3 +- add virtual opencryptoki(token) Provides to token modules and as Requires + to main package (#904986) + +* Fri Jul 20 2012 Fedora Release Engineering - 2.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 21 2012 Dan Horák - 2.4.2-1 +- new upstream release 2.4.2 +- add pkcs_slot man page +- don't add root to the pkcs11 group + +* Mon Jun 11 2012 Dan Horák - 2.4.1-2 +- fix unresolved symbols in TPM module (#830129) + +* Sat Feb 25 2012 Dan Horák - 2.4.1-1 +- new upstream release 2.4.1 +- convert from initscript to systemd unit +- import fixes from RHEL-6 about root's group membership (#732756, #730903) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Jul 07 2011 Dan Horák - 2.4-1 +- new upstream release 2.4 + +* Tue Feb 08 2011 Fedora Release Engineering - 2.3.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Dan Horák 2.3.3-1 +- new upstream release 2.3.3 + +* Tue Nov 09 2010 Michal Schmidt 2.3.2-2 +- Apply Obsoletes to package names, not provides. + +* Tue Sep 14 2010 Dan Horák 2.3.2-1 +- new upstream release 2.3.2 +- put STDLLs in separate packages to match upstream package design + +* Thu Jul 08 2010 Michal Schmidt 2.3.1-7 +- Move the LICENSE file to the -libs subpackage. + +* Tue Jun 29 2010 Dan Horák 2.3.1-6 +- rebuilt with CCA enabled (#604287) +- fixed issues from #546274 + +* Fri Apr 30 2010 Dan Horák 2.3.1-5 +- fixed one more issue in the initscript (#547324) + +* Mon Apr 26 2010 Dan Horák 2.3.1-4 +- fixed pidfile creating and usage (#547324) + +* Mon Feb 08 2010 Michal Schmidt 2.3.1-3 +- Also list 'reload' and 'force-reload' in "Usage: ...". + +* Mon Feb 08 2010 Michal Schmidt 2.3.1-2 +- Support 'force-reload' in the initscript. + +* Wed Jan 27 2010 Michal Schmidt 2.3.1-1 +- New upstream release 2.3.1. +- opencryptoki-2.3.0-fix-nss-breakage.patch was merged. + +* Fri Jan 22 2010 Dan Horák 2.3.0-5 +- made pkcsslotd initscript LSB compliant (#522149) + +* Mon Sep 07 2009 Michal Schmidt 2.3.0-4 +- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request. + +* Fri Aug 21 2009 Tomas Mraz - 2.3.0-3 +- rebuilt with new openssl + +* Sun Aug 16 2009 Michal Schmidt 2.3.0-2 +- Require libica-2.0. + +* Fri Aug 07 2009 Michal Schmidt 2.3.0-1 +- New upstream release 2.3.0: + - adds support for RSA 4096 bit keys in the ICA token. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-5 +- Require arch-specific dependency on -libs. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-4 +- Return support for crypto hw on s390. +- Renamed to opencryptoki. +- Simplified multilib by putting libs in subpackage as suggested by Dan Horák. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-2 +- Fedora package based on RHEL-5 package.