diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c3c8ab0 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/opencryptoki-3.10.0.tar.gz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata new file mode 100644 index 0000000..b92278a --- /dev/null +++ b/.opencryptoki.metadata @@ -0,0 +1 @@ +93908d16d61ec2c60aa0809378308d2d9e634d5f SOURCES/opencryptoki-3.10.0.tar.gz diff --git a/SOURCES/opencryptoki-2.4-group.patch b/SOURCES/opencryptoki-2.4-group.patch new file mode 100644 index 0000000..dcabb60 --- /dev/null +++ b/SOURCES/opencryptoki-2.4-group.patch @@ -0,0 +1,51 @@ +diff -upr opencryptoki-3.7.0.orig/usr/lib/pkcs11/api/shrd_mem.c.in opencryptoki-3.7.0/usr/lib/pkcs11/api/shrd_mem.c.in +--- opencryptoki-3.7.0.orig/usr/lib/pkcs11/api/shrd_mem.c.in 2017-05-17 15:13:54.711536688 +0530 ++++ opencryptoki-3.7.0/usr/lib/pkcs11/api/shrd_mem.c.in 2017-05-17 15:22:27.758655055 +0530 +@@ -56,9 +56,6 @@ attach_shared_memory() { + int shmid; + char *shmp; + struct stat statbuf; +- struct group *grp; +- struct passwd *pw, *epw; +- uid_t uid, euid; + + #if !(MMAP) + // Really should fstat the tok_path, since it will be the actual +@@ -70,37 +67,6 @@ attach_shared_memory() { + return NULL; + } + +- uid = getuid(); +- euid = geteuid(); +- // only check group membership if not root user +- if (uid != 0 && euid != 0) { +- int i, member=0; +- grp = getgrnam("pkcs11"); +- if (!grp) { +- // group pkcs11 not known to the system +- return NULL; +- } +- pw = getpwuid(uid); +- epw = getpwuid(euid); +- for (i=0; grp->gr_mem[i]; i++) { +- if (pw) { +- if (!strncmp(pw->pw_name, grp->gr_mem[i],strlen(pw->pw_name))) { +- member = 1; +- break; +- } +- } +- if (epw) { +- if (!strncmp(epw->pw_name, grp->gr_mem[i],strlen(epw->pw_name))) { +- member = 1; +- break; +- } +- } +- } +- if (!member) { +- return NULL; +- } +- } +- + Anchor->shm_tok = ftok(TOK_PATH,'b'); + + // Get the shared memory id. diff --git a/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch b/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch new file mode 100644 index 0000000..ec5de55 --- /dev/null +++ b/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch @@ -0,0 +1,61 @@ +commit 227ffdba6b919e18b03fed59b07e2c0212b40303 +Author: Ingo Franzki +Date: Thu Aug 2 14:48:47 2018 +0200 + + Fix bug with master key encryption with FIPS enabled libica + + When running with a FIPS enabled libica, the ICA token fails to + initialize, because the 3DES key derived from the user or SO pin is + considered invalid because the first and the third part of the + 3DES key is the same. + + For clear key tokens, the token specific 3DES-CBC function is + used for the master key encryption. In case of the ICA token, + the ICA token specific 3DES-CBC function fails, because libica + rejects the key when compiled with FIPS support. This leads to + an error during token initialization. + + Instead of using the token specific 3DES-CBC function, the code + now always falls back to the (OpenSSL) based software encryption + function, as it is also done for secure key tokens. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/pkcs11/common/loadsave.c b/usr/lib/pkcs11/common/loadsave.c +index a593b932..a5532c9d 100644 +--- a/usr/lib/pkcs11/common/loadsave.c ++++ b/usr/lib/pkcs11/common/loadsave.c +@@ -206,12 +206,14 @@ static CK_RV encrypt_data_with_clear_key(STDLL_TokData_t * tokdata, + /* If token doesn't have a specific key size that means that it uses a + * clear key. + */ +- if (token_specific.token_keysize == 0) { ++ if (token_specific.token_keysize == 0 && ++ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) { + return encrypt_data(tokdata, key, keylen, iv, clear, clear_len, + cipher, p_cipher_len); + } + +- /* Fall back to a software alternative if key is secure. */ ++ /* Fall back to a software alternative if key is secure, or ++ * if token's data store encryption algorithm is 3DES_CBC */ + initial_vector = duplicate_initial_vector(iv); + if (initial_vector == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); +@@ -322,12 +324,14 @@ static CK_RV decrypt_data_with_clear_key(STDLL_TokData_t *tokdata, + /* If token doesn't have a specific key size that means that it uses a + * clear key. + */ +- if (token_specific.token_keysize == 0) { ++ if (token_specific.token_keysize == 0 && ++ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) { + return decrypt_data(tokdata, key, keylen, iv, cipher, + cipher_len, clear, p_clear_len); + } + +- /* Fall back to a software alternative if key is secure. */ ++ /* Fall back to a software alternative if key is secure, or ++ * if token's data store encryption algorithm is 3DES_CBC */ + initial_vector = duplicate_initial_vector(iv); + if (initial_vector == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); diff --git a/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch b/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch new file mode 100644 index 0000000..5373fe3 --- /dev/null +++ b/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch @@ -0,0 +1,39 @@ +diff -up opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c.me opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +--- opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c.me 2018-12-14 18:48:48.945096527 +0100 ++++ opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c 2018-12-14 18:55:18.198260044 +0100 +@@ -6268,7 +6268,7 @@ CK_RV ep11tok_login_session(STDLL_TokDat + } + } + +- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_login_handler, ep11_session); + if (rc != CKR_OK) { + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc); +@@ -6310,7 +6310,7 @@ CK_RV ep11tok_login_session(STDLL_TokDat + done: + if (rc != CKR_OK) { + if (ep11_session->flags & (EP11_SESS_PINBLOB_VALID | EP11_VHSM_PINBLOB_VALID)) { +- rc2 = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list, ++ rc2 = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_logout_handler, ep11_session); + if (rc2 != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc2); +@@ -6356,7 +6356,7 @@ CK_RV ep11tok_relogin_session(STDLL_TokD + return CKR_USER_NOT_LOGGED_IN; + } + +- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_login_handler, ep11_session); + if (rc != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc); +@@ -6401,7 +6401,7 @@ CK_RV ep11tok_logout_session(STDLL_TokDa + return CKR_USER_NOT_LOGGED_IN; + } + +- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_logout_handler, ep11_session); + if (rc != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc); diff --git a/SOURCES/opencryptoki-3.10.0-coverity.patch b/SOURCES/opencryptoki-3.10.0-coverity.patch new file mode 100644 index 0000000..b994278 --- /dev/null +++ b/SOURCES/opencryptoki-3.10.0-coverity.patch @@ -0,0 +1,23 @@ +diff -up opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c.me opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c +--- opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c.me 2018-06-06 21:55:55.000000000 +0200 ++++ opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c 2018-10-26 13:52:11.461448596 +0200 +@@ -797,6 +797,7 @@ ckm_kdf_X9_63(STDLL_TokData_t *tokdata, + counter++; + } + ++ free(ctx); + return CKR_OK; + } + +diff -up opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c.me opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c +--- opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c.me 2018-06-06 21:55:55.000000000 +0200 ++++ opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c 2018-10-26 13:51:12.538255825 +0200 +@@ -1195,7 +1195,7 @@ error: + if (value_len_attr) free( value_len_attr ); + if (always_sens_attr) free( always_sens_attr ); + if (extract_attr) free( extract_attr ); +- ++ if (derived_key_obj) object_free(derived_key_obj); + return rc; + } + diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec new file mode 100644 index 0000000..e18e1ac --- /dev/null +++ b/SPECS/opencryptoki.spec @@ -0,0 +1,545 @@ +Name: opencryptoki +Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 +Version: 3.10.0 +Release: 3%{?dist} +License: CPL +Group: System Environment/Base +URL: http://sourceforge.net/projects/opencryptoki +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +# https://bugzilla.redhat.com/show_bug.cgi?id=732756 +Patch0: %{name}-2.4-group.patch +Patch1: %{name}-3.10.0-coverity.patch +# 1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode +Patch2: %{name}-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch +# 1657683, can't establish libica token in FIPS mode +Patch3: %{name}-227ffdba6b919e18b03fed59b07e2c0212b40303.patch + +# Use --no-undefined to debug missing symbols +#Patch100: %{name}-3.2-no-undefined.patch + +Requires(pre): coreutils +BuildRequires: gcc +BuildRequires: openssl-devel +BuildRequires: trousers-devel +BuildRequires: openldap-devel +BuildRequires: autoconf automake libtool +BuildRequires: bison flex +BuildRequires: systemd +BuildRequires: libitm-devel +%ifarch s390 s390x +BuildRequires: libica-devel >= 2.3 +%endif +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}(token) +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + + +%description +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package contains the Slot Daemon (pkcsslotd) and general utilities. + + +%package libs +Group: System Environment/Libraries +Summary: The run-time libraries for opencryptoki package +Requires(pre): shadow-utils + +%description libs +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package contains the PKCS#11 library implementation, and requires +at least one token implementation (packaged separately) to be fully +functional. + + +%package devel +Group: Development/Libraries +Summary: Development files for openCryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description devel +This package contains the development header files for building +opencryptoki and PKCS#11 based applications + + +%package swtok +Group: System Environment/Libraries +Summary: The software token implementation for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description swtok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the software token implementation to use opencryptoki +without any specific cryptographic hardware. + + +%package tpmtok +Group: System Environment/Libraries +Summary: Trusted Platform Module (TPM) device support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description tpmtok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support +Trusted Platform Module (TPM) devices in the opencryptoki stack. + + +%package icsftok +Group: System Environment/Libraries +Summary: ICSF token support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description icsftok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support +ICSF token in the opencryptoki stack. + + +%ifarch s390 s390x +%package icatok +Group: System Environment/Libraries +Summary: ICA cryptographic devices (clear-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description icatok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support ICA +devices in the opencryptoki stack. ICA is an interface to IBM +cryptographic hardware such as IBM 4764 or 4765 that uses the +"accelerator" or "clear-key" path. + +%package ccatok +Group: System Environment/Libraries +Summary: CCA cryptographic devices (secure-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description ccatok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support CCA +devices in the opencryptoki stack. CCA is an interface to IBM +cryptographic hardware such as IBM 4764 or 4765 that uses the +"co-processor" or "secure-key" path. + +%package ep11tok +Group: System Environment/Libraries +Summary: CCA cryptographic devices (secure-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description ep11tok +Opencryptoki implements the PKCS#11 specification v2.11 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support EP11 +tokens in the opencryptoki stack. The EP11 token is a token that uses +the IBM Crypto Express adapters (starting with Crypto Express 4S adapters) +configured with Enterprise PKCS#11 (EP11) firmware. +%endif + + +%prep +%autosetup -p1 + + +%build +./bootstrap.sh + +%configure --with-systemd=%{_unitdir} \ +%ifarch s390 s390x + --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate +%else + --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --disable-pkcscca_migrate +%endif + +make %{?_smp_mflags} CHGRP=/bin/true + + +%install +make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true + +# Remove unwanted cruft +rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la +rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la + + +%post libs -p /sbin/ldconfig +%post swtok -p /sbin/ldconfig +%post tpmtok -p /sbin/ldconfig +%post icsftok -p /sbin/ldconfig +%ifarch s390 s390x +%post icatok -p /sbin/ldconfig +%post ccatok -p /sbin/ldconfig +%post ep11tok -p /sbin/ldconfig +%endif + +%postun libs -p /sbin/ldconfig +%postun swtok -p /sbin/ldconfig +%postun tpmtok -p /sbin/ldconfig +%postun icsftok -p /sbin/ldconfig +%ifarch s390 s390x +%postun icatok -p /sbin/ldconfig +%postun ccatok -p /sbin/ldconfig +%postun ep11tok -p /sbin/ldconfig +%endif + +%pre libs +getent group pkcs11 >/dev/null || groupadd -r pkcs11 +exit 0 + +%post +%systemd_post pkcsslotd.service + +%preun +%systemd_preun pkcsslotd.service + +%postun +%systemd_postun_with_restart pkcsslotd.service + + +%files +%doc ChangeLog FAQ README.md +%doc doc/opencryptoki-howto.md +%doc doc/README.token_data +%dir %{_sysconfdir}/%{name} +%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf +%{_prefix}/lib/tmpfiles.d/%{name}.conf +%{_unitdir}/pkcsslotd.service +%{_sbindir}/pkcsconf +%{_sbindir}/pkcsslotd +%{_mandir}/man1/pkcsconf.1* +%{_mandir}/man5/%{name}.conf.5* +%{_mandir}/man7/%{name}.7* +%{_mandir}/man8/pkcsslotd.8* +%{_libdir}/opencryptoki/methods +%{_libdir}/pkcs11/methods +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name} +%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name} +%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/* + +%files libs +%license LICENSE +%{_sysconfdir}/ld.so.conf.d/* +# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki +# needs them in the main package, because: +# documentation suggests that programs should dlopen "PKCS11_API.so". +%dir %{_libdir}/opencryptoki +%{_libdir}/opencryptoki/libopencryptoki.* +%{_libdir}/opencryptoki/PKCS11_API.so +%dir %{_libdir}/opencryptoki/stdll +%dir %{_libdir}/pkcs11 +%{_libdir}/pkcs11/libopencryptoki.so +%{_libdir}/pkcs11/PKCS11_API.so +%{_libdir}/pkcs11/stdll +%{_localstatedir}/log/opencryptoki + +%files devel +%{_includedir}/%{name}/ + +%files swtok +%{_libdir}/opencryptoki/stdll/libpkcs11_sw.* +%{_libdir}/opencryptoki/stdll/PKCS11_SW.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ + +%files tpmtok +%doc doc/README.tpm_stdll +%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* +%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ + +%files icsftok +%doc doc/README.icsf_stdll +%{_sbindir}/pkcsicsf +%{_mandir}/man1/pkcsicsf.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.* +%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/ + +%ifarch s390 s390x +%files icatok +%{_libdir}/opencryptoki/stdll/libpkcs11_ica.* +%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ + +%files ccatok +%doc doc/README.cca_stdll +%{_sbindir}/pkcscca +%{_mandir}/man1/pkcscca.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_cca.* +%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/ + +%files ep11tok +%doc doc/README.ep11_stdll +%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf +%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf +%{_sbindir}/pkcsep11_migrate +%{_sbindir}/pkcsep11_session +%{_mandir}/man1/pkcsep11_migrate.1* +%{_mandir}/man1/pkcsep11_session.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.* +%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/ +%endif + + +%changelog +* Fri Dec 14 2018 Than Ngo - 3.10.0-3 +- Resolves: #1657683, can't establish libica token in FIPS mode +- Resolves: #1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode + +* Thu Oct 25 2018 Than Ngo - 3.10.0-2 +- Resolves: #1602641, covscan + +* Tue Jun 12 2018 Dan Horák - 3.10.0-1 +- Rebase to 3.10.0 + +* Fri Feb 23 2018 Dan Horák - 3.9.0-1 +- Rebase to 3.9.0 + +* Thu Feb 08 2018 Fedora Release Engineering - 3.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Nov 24 2017 Dan Horák - 3.8.2-2 +- use upstream tmpfiles config + +* Thu Nov 23 2017 Dan Horák - 3.8.2-1 +- Rebase to 3.8.2 (#1512678) + +* Thu Aug 03 2017 Fedora Release Engineering - 3.7.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 3.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed May 17 2017 Sinny Kumari - 3.7.0-1 +- Rebase to 3.7.0 +- Added libitm-devel as BuildRequires + +* Mon Apr 03 2017 Sinny Kumari - 3.6.2-1 +- Rebase to 3.6.2 +- RHBZ#1424017 - opencryptoki: FTBFS in rawhide + +* Sat Feb 11 2017 Fedora Release Engineering - 3.5.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Sep 01 2016 Jakub Jelen - 3.5.1-1 +- New upstream release + +* Tue May 03 2016 Jakub Jelen - 3.5-1 +- New upstream release + +* Thu Feb 04 2016 Fedora Release Engineering - 3.4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Dec 07 2015 Jakub Jelen 3.4.1-1 +- New bugfix upstream release + +* Wed Nov 18 2015 Jakub Jelen 3.4-1 +- New upstream release +- Adding post-release patch fixing compile warnings + +* Thu Aug 27 2015 Jakub Jelen 3.3-1.1 +- New upstream release +- Correct dependencies for group creation + +* Wed Jun 17 2015 Fedora Release Engineering - 3.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu May 07 2015 Jakub Jelen 3.2-3 +- Few more undefined symbols fixed for s390(x) specific targets +- Do not require --no-undefined, because s390(x) requires some + +* Mon May 04 2015 Jakub Jelen 3.2-2 +- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560) +- Make inline function compatible for GCC5 + +* Wed Sep 10 2014 Petr Lautrbach 3.2-1 +- new upstream release 3.2 +- add new sub-package opencryptoki-ep11tok on s390x + +* Sun Aug 17 2014 Fedora Release Engineering - 3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Jul 24 2014 Petr Lautrbach 3.1-1 +- new upstream release 3.1 + +* Sat Jun 07 2014 Fedora Release Engineering - 3.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon Feb 17 2014 Petr Lautrbach 3.0-10 +- create the right lock directory for cca tokens (#1054442) + +* Wed Jan 29 2014 Petr Lautrbach 3.0-9 +- use Requires(pre): opencryptoki-libs for subpackages + +* Mon Jan 20 2014 Dan Horák - 3.0-8 +- include token specific directories (#1013017, #1045775, #1054442) +- fix pkcsconf crash for non-root users (#10054661) +- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed + +* Tue Dec 03 2013 Dan Horák - 3.0-7 +- fix build with -Werror=format-security (#1037228) + +* Fri Nov 22 2013 Dan Horák - 3.0-6 +- apply post-3.0 fixes (#1033284) + +* Tue Nov 19 2013 Dan Horák - 3.0-5 +- update opencryptoki man page (#1001729) + +* Fri Aug 23 2013 Dan Horák - 3.0-4 +- update unit file (#995002) + +* Sat Aug 03 2013 Fedora Release Engineering - 3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 23 2013 Dan Horák - 3.0-2 +- update pkcsconf man page (#948460) + +* Mon Jul 22 2013 Dan Horák - 3.0-1 +- new upstream release 3.0 + +* Tue Jun 25 2013 Dan Horák - 2.4.3.1-1 +- new upstream release 2.4.3.1 + +* Fri May 03 2013 Dan Horák - 2.4.3-1 +- new upstream release 2.4.3 + +* Thu Apr 04 2013 Dan Horák - 2.4.2-4 +- enable hardened build +- switch to systemd macros in scriptlets (#850240) + +* Mon Jan 28 2013 Dan Horák - 2.4.2-3 +- add virtual opencryptoki(token) Provides to token modules and as Requires + to main package (#904986) + +* Fri Jul 20 2012 Fedora Release Engineering - 2.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 21 2012 Dan Horák - 2.4.2-1 +- new upstream release 2.4.2 +- add pkcs_slot man page +- don't add root to the pkcs11 group + +* Mon Jun 11 2012 Dan Horák - 2.4.1-2 +- fix unresolved symbols in TPM module (#830129) + +* Sat Feb 25 2012 Dan Horák - 2.4.1-1 +- new upstream release 2.4.1 +- convert from initscript to systemd unit +- import fixes from RHEL-6 about root's group membership (#732756, #730903) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Jul 07 2011 Dan Horák - 2.4-1 +- new upstream release 2.4 + +* Tue Feb 08 2011 Fedora Release Engineering - 2.3.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Dan Horák 2.3.3-1 +- new upstream release 2.3.3 + +* Tue Nov 09 2010 Michal Schmidt 2.3.2-2 +- Apply Obsoletes to package names, not provides. + +* Tue Sep 14 2010 Dan Horák 2.3.2-1 +- new upstream release 2.3.2 +- put STDLLs in separate packages to match upstream package design + +* Thu Jul 08 2010 Michal Schmidt 2.3.1-7 +- Move the LICENSE file to the -libs subpackage. + +* Tue Jun 29 2010 Dan Horák 2.3.1-6 +- rebuilt with CCA enabled (#604287) +- fixed issues from #546274 + +* Fri Apr 30 2010 Dan Horák 2.3.1-5 +- fixed one more issue in the initscript (#547324) + +* Mon Apr 26 2010 Dan Horák 2.3.1-4 +- fixed pidfile creating and usage (#547324) + +* Mon Feb 08 2010 Michal Schmidt 2.3.1-3 +- Also list 'reload' and 'force-reload' in "Usage: ...". + +* Mon Feb 08 2010 Michal Schmidt 2.3.1-2 +- Support 'force-reload' in the initscript. + +* Wed Jan 27 2010 Michal Schmidt 2.3.1-1 +- New upstream release 2.3.1. +- opencryptoki-2.3.0-fix-nss-breakage.patch was merged. + +* Fri Jan 22 2010 Dan Horák 2.3.0-5 +- made pkcsslotd initscript LSB compliant (#522149) + +* Mon Sep 07 2009 Michal Schmidt 2.3.0-4 +- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request. + +* Fri Aug 21 2009 Tomas Mraz - 2.3.0-3 +- rebuilt with new openssl + +* Sun Aug 16 2009 Michal Schmidt 2.3.0-2 +- Require libica-2.0. + +* Fri Aug 07 2009 Michal Schmidt 2.3.0-1 +- New upstream release 2.3.0: + - adds support for RSA 4096 bit keys in the ICA token. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-5 +- Require arch-specific dependency on -libs. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-4 +- Return support for crypto hw on s390. +- Renamed to opencryptoki. +- Simplified multilib by putting libs in subpackage as suggested by Dan Horák. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-2 +- Fedora package based on RHEL-5 package.