diff --git a/.gitignore b/.gitignore
index c3c8ab0..bbcd392 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/opencryptoki-3.10.0.tar.gz
+SOURCES/opencryptoki-3.11.1.tar.gz
diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata
index b92278a..64653b0 100644
--- a/.opencryptoki.metadata
+++ b/.opencryptoki.metadata
@@ -1 +1 @@
-93908d16d61ec2c60aa0809378308d2d9e634d5f SOURCES/opencryptoki-3.10.0.tar.gz
+26348de186bbc9d52eaca043445053c6cdaad489 SOURCES/opencryptoki-3.11.1.tar.gz
diff --git a/SOURCES/opencryptoki-2.4-group.patch b/SOURCES/opencryptoki-2.4-group.patch
deleted file mode 100644
index dcabb60..0000000
--- a/SOURCES/opencryptoki-2.4-group.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff -upr opencryptoki-3.7.0.orig/usr/lib/pkcs11/api/shrd_mem.c.in opencryptoki-3.7.0/usr/lib/pkcs11/api/shrd_mem.c.in
---- opencryptoki-3.7.0.orig/usr/lib/pkcs11/api/shrd_mem.c.in 2017-05-17 15:13:54.711536688 +0530
-+++ opencryptoki-3.7.0/usr/lib/pkcs11/api/shrd_mem.c.in 2017-05-17 15:22:27.758655055 +0530
-@@ -56,9 +56,6 @@ attach_shared_memory() {
- int shmid;
- char *shmp;
- struct stat statbuf;
-- struct group *grp;
-- struct passwd *pw, *epw;
-- uid_t uid, euid;
-
- #if !(MMAP)
- // Really should fstat the tok_path, since it will be the actual
-@@ -70,37 +67,6 @@ attach_shared_memory() {
- return NULL;
- }
-
-- uid = getuid();
-- euid = geteuid();
-- // only check group membership if not root user
-- if (uid != 0 && euid != 0) {
-- int i, member=0;
-- grp = getgrnam("pkcs11");
-- if (!grp) {
-- // group pkcs11 not known to the system
-- return NULL;
-- }
-- pw = getpwuid(uid);
-- epw = getpwuid(euid);
-- for (i=0; grp->gr_mem[i]; i++) {
-- if (pw) {
-- if (!strncmp(pw->pw_name, grp->gr_mem[i],strlen(pw->pw_name))) {
-- member = 1;
-- break;
-- }
-- }
-- if (epw) {
-- if (!strncmp(epw->pw_name, grp->gr_mem[i],strlen(epw->pw_name))) {
-- member = 1;
-- break;
-- }
-- }
-- }
-- if (!member) {
-- return NULL;
-- }
-- }
--
- Anchor->shm_tok = ftok(TOK_PATH,'b');
-
- // Get the shared memory id.
diff --git a/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch b/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch
deleted file mode 100644
index ec5de55..0000000
--- a/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-commit 227ffdba6b919e18b03fed59b07e2c0212b40303
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Thu Aug 2 14:48:47 2018 +0200
-
- Fix bug with master key encryption with FIPS enabled libica
-
- When running with a FIPS enabled libica, the ICA token fails to
- initialize, because the 3DES key derived from the user or SO pin is
- considered invalid because the first and the third part of the
- 3DES key is the same.
-
- For clear key tokens, the token specific 3DES-CBC function is
- used for the master key encryption. In case of the ICA token,
- the ICA token specific 3DES-CBC function fails, because libica
- rejects the key when compiled with FIPS support. This leads to
- an error during token initialization.
-
- Instead of using the token specific 3DES-CBC function, the code
- now always falls back to the (OpenSSL) based software encryption
- function, as it is also done for secure key tokens.
-
- Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/lib/pkcs11/common/loadsave.c b/usr/lib/pkcs11/common/loadsave.c
-index a593b932..a5532c9d 100644
---- a/usr/lib/pkcs11/common/loadsave.c
-+++ b/usr/lib/pkcs11/common/loadsave.c
-@@ -206,12 +206,14 @@ static CK_RV encrypt_data_with_clear_key(STDLL_TokData_t * tokdata,
- /* If token doesn't have a specific key size that means that it uses a
- * clear key.
- */
-- if (token_specific.token_keysize == 0) {
-+ if (token_specific.token_keysize == 0 &&
-+ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) {
- return encrypt_data(tokdata, key, keylen, iv, clear, clear_len,
- cipher, p_cipher_len);
- }
-
-- /* Fall back to a software alternative if key is secure. */
-+ /* Fall back to a software alternative if key is secure, or
-+ * if token's data store encryption algorithm is 3DES_CBC */
- initial_vector = duplicate_initial_vector(iv);
- if (initial_vector == NULL) {
- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
-@@ -322,12 +324,14 @@ static CK_RV decrypt_data_with_clear_key(STDLL_TokData_t *tokdata,
- /* If token doesn't have a specific key size that means that it uses a
- * clear key.
- */
-- if (token_specific.token_keysize == 0) {
-+ if (token_specific.token_keysize == 0 &&
-+ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) {
- return decrypt_data(tokdata, key, keylen, iv, cipher,
- cipher_len, clear, p_clear_len);
- }
-
-- /* Fall back to a software alternative if key is secure. */
-+ /* Fall back to a software alternative if key is secure, or
-+ * if token's data store encryption algorithm is 3DES_CBC */
- initial_vector = duplicate_initial_vector(iv);
- if (initial_vector == NULL) {
- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
diff --git a/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch b/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch
deleted file mode 100644
index 5373fe3..0000000
--- a/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c.me opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
---- opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c.me 2018-12-14 18:48:48.945096527 +0100
-+++ opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c 2018-12-14 18:55:18.198260044 +0100
-@@ -6268,7 +6268,7 @@ CK_RV ep11tok_login_session(STDLL_TokDat
- }
- }
-
-- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list,
-+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list,
- ep11_login_handler, ep11_session);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc);
-@@ -6310,7 +6310,7 @@ CK_RV ep11tok_login_session(STDLL_TokDat
- done:
- if (rc != CKR_OK) {
- if (ep11_session->flags & (EP11_SESS_PINBLOB_VALID | EP11_VHSM_PINBLOB_VALID)) {
-- rc2 = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list,
-+ rc2 = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list,
- ep11_logout_handler, ep11_session);
- if (rc2 != CKR_OK)
- TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc2);
-@@ -6356,7 +6356,7 @@ CK_RV ep11tok_relogin_session(STDLL_TokD
- return CKR_USER_NOT_LOGGED_IN;
- }
-
-- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list,
-+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list,
- ep11_login_handler, ep11_session);
- if (rc != CKR_OK)
- TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc);
-@@ -6401,7 +6401,7 @@ CK_RV ep11tok_logout_session(STDLL_TokDa
- return CKR_USER_NOT_LOGGED_IN;
- }
-
-- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list,
-+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list,
- ep11_logout_handler, ep11_session);
- if (rc != CKR_OK)
- TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc);
diff --git a/SOURCES/opencryptoki-3.10.0-coverity.patch b/SOURCES/opencryptoki-3.10.0-coverity.patch
deleted file mode 100644
index b994278..0000000
--- a/SOURCES/opencryptoki-3.10.0-coverity.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c.me opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c
---- opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c.me 2018-06-06 21:55:55.000000000 +0200
-+++ opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c 2018-10-26 13:52:11.461448596 +0200
-@@ -797,6 +797,7 @@ ckm_kdf_X9_63(STDLL_TokData_t *tokdata,
- counter++;
- }
-
-+ free(ctx);
- return CKR_OK;
- }
-
-diff -up opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c.me opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c
---- opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c.me 2018-06-06 21:55:55.000000000 +0200
-+++ opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c 2018-10-26 13:51:12.538255825 +0200
-@@ -1195,7 +1195,7 @@ error:
- if (value_len_attr) free( value_len_attr );
- if (always_sens_attr) free( always_sens_attr );
- if (extract_attr) free( extract_attr );
--
-+ if (derived_key_obj) object_free(derived_key_obj);
- return rc;
- }
-
diff --git a/SOURCES/opencryptoki-3.11.0-group.patch b/SOURCES/opencryptoki-3.11.0-group.patch
new file mode 100644
index 0000000..e88b391
--- /dev/null
+++ b/SOURCES/opencryptoki-3.11.0-group.patch
@@ -0,0 +1,31 @@
+diff -up opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in
+--- opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me 2019-01-31 10:42:23.325797012 +0100
++++ opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in 2019-01-31 10:52:17.585191667 +0100
+@@ -55,9 +55,11 @@ void *attach_shared_memory()
+ int shmid;
+ char *shmp;
+ struct stat statbuf;
++#if 0
+ struct group *grp;
+ struct passwd *pw, *epw;
+ uid_t uid, euid;
++#endif
+
+ #if !(MMAP)
+ // Really should fstat the tok_path, since it will be the actual
+@@ -69,6 +71,7 @@ void *attach_shared_memory()
+ return NULL;
+ }
+
++#if 0
+ uid = getuid();
+ euid = geteuid();
+ // only check group membership if not root user
+@@ -102,6 +105,7 @@ void *attach_shared_memory()
+ return NULL;
+ }
+ }
++#endif
+
+ Anchor->shm_tok = ftok(TOK_PATH, 'b');
+
diff --git a/SOURCES/opencryptoki-3.11.0-lockdir.patch b/SOURCES/opencryptoki-3.11.0-lockdir.patch
new file mode 100644
index 0000000..936a654
--- /dev/null
+++ b/SOURCES/opencryptoki-3.11.0-lockdir.patch
@@ -0,0 +1,12 @@
+diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac
+--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100
++++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100
+@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS])
+
+ dnl Define custom variables
+
+-lockdir=$localstatedir/lock/opencryptoki
++lockdir=/run/lock/opencryptoki
+ AC_SUBST(lockdir)
+
+ logdir=$localstatedir/log/opencryptoki
diff --git a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
new file mode 100644
index 0000000..756f55d
--- /dev/null
+++ b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
@@ -0,0 +1,13 @@
+diff -up opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c
+--- opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me 2019-01-31 13:27:05.720647942 +0100
++++ opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c 2019-01-31 13:36:05.763624633 +0100
+@@ -1072,6 +1072,9 @@ CK_RV init(void)
+ if (rc != CKR_OK) {
+ printf("Error initializing the PKCS11 library: 0x%lX (%s)\n", rc,
+ p11_get_ckr(rc));
++ printf("Note: all non-root users that require access to PKCS#11 tokens "
++ "using opencryptoki must be assigned to the pkcs11 group to be "
++ "able to communicate with the pkcsslotd daemon.\n");
+ fflush(stdout);
+ cleanup();
+ }
diff --git a/SOURCES/opencryptoki-3.11.1-use-soname.patch b/SOURCES/opencryptoki-3.11.1-use-soname.patch
new file mode 100644
index 0000000..07793ee
--- /dev/null
+++ b/SOURCES/opencryptoki-3.11.1-use-soname.patch
@@ -0,0 +1,61 @@
+From 73f05eb53f12197f081fd7ec75619c6ea3a39b2c Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 12 Aug 2019 10:54:27 +0200
+Subject: [opencryptoki PATCH 1/2] ICA: Refer libica by its so name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+ usr/lib/ica_s390_stdll/ica_specific.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
+index d5a6d554..a72ce774 100644
+--- a/usr/lib/ica_s390_stdll/ica_specific.c
++++ b/usr/lib/ica_s390_stdll/ica_specific.c
+@@ -61,7 +61,7 @@ const char label[] = "IBM ICA PKCS #11";
+
+ static pthread_mutex_t rngmtx = PTHREAD_MUTEX_INITIALIZER;
+
+-#define LIBICA_SHARED_LIB "libica.so"
++#define LIBICA_SHARED_LIB "libica.so.3"
+ #define BIND(dso, sym) (*(void **)(&p_##sym) = dlsym(dso, #sym))
+
+ #ifndef NO_EC
+--
+2.21.0
+
+
+From 7f4113ba8653b8b18a6f1af6ab1d8eb90987626d Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 12 Aug 2019 10:54:44 +0200
+Subject: [opencryptoki PATCH 2/2] EP11: Refer libica by its so name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+ usr/lib/ep11_stdll/ep11_specific.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 231dd200..a3f14351 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -58,7 +58,7 @@
+ #include "ep11_specific.h"
+
+ #define EP11SHAREDLIB "libep11.so"
+-#define ICASHAREDLIB "libica.so"
++#define ICASHAREDLIB "libica.so.3"
+
+ CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
+ CK_MECHANISM_TYPE_PTR mlist,
+--
+2.21.0
+
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index e18e1ac..51ded01 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@@ -1,22 +1,19 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
-Version: 3.10.0
-Release: 3%{?dist}
+Version: 3.11.1
+Release: 2%{?dist}
License: CPL
Group: System Environment/Base
-URL: http://sourceforge.net/projects/opencryptoki
+URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
-Patch0: %{name}-2.4-group.patch
-Patch1: %{name}-3.10.0-coverity.patch
-# 1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode
-Patch2: %{name}-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch
-# 1657683, can't establish libica token in FIPS mode
-Patch3: %{name}-227ffdba6b919e18b03fed59b07e2c0212b40303.patch
-
-# Use --no-undefined to debug missing symbols
-#Patch100: %{name}-3.2-no-undefined.patch
-
+Patch0: opencryptoki-3.11.0-group.patch
+# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
+Patch1: opencryptoki-3.11.0-lockdir.patch
+# bz#1063763, inform the user that he is not in pkcs11 group
+Patch2: opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1739433
+Patch3: opencryptoki-3.11.1-use-soname.patch
Requires(pre): coreutils
BuildRequires: gcc
BuildRequires: openssl-devel
@@ -231,6 +228,9 @@ exit 0
%post
%systemd_post pkcsslotd.service
+if test $1 -eq 1; then
+ %tmpfiles_create
+fi
%preun
%systemd_preun pkcsslotd.service
@@ -245,7 +245,7 @@ exit 0
%doc doc/README.token_data
%dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
-%{_prefix}/lib/tmpfiles.d/%{name}.conf
+%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
@@ -256,8 +256,9 @@ exit 0
%{_libdir}/opencryptoki/methods
%{_libdir}/pkcs11/methods
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/*
+%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
+%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
+%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
%files libs
%license LICENSE
@@ -273,7 +274,6 @@ exit 0
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
-%{_localstatedir}/log/opencryptoki
%files devel
%{_includedir}/%{name}/
@@ -330,6 +330,20 @@ exit 0
%changelog
+* Mon Aug 26 2019 Dan Horák <dhorak@redhat.com> - 3.11.1-2
+- Resolves: #1739433, ICA HW token missing after the package update
+
+* Mon May 06 2019 Than Ngo <than@redhat.com> - 3.11.1-1
+- Resolves: #1706140, rebase to 3.11.1
+
+* Tue Mar 26 2019 Than Ngo <than@redhat.com> - 3.11.0-3
+- Resolves: #1667941, 3des tests failures due to FIPS incompatible test scenarios
+- Resolves: #1651731, ep11 token: enhanced IBM z14 functions
+- Resolves: #1651732, ep11 token: support m_*Single functions from ep11 lib
+- Resolves: #1525407, use CPACF hashes in ep11 token
+- Resolves: #1651238, rebase to 3.11.0
+- Resolves: #1682530, gating
+
* Fri Dec 14 2018 Than Ngo <than@redhat.com> - 3.10.0-3
- Resolves: #1657683, can't establish libica token in FIPS mode
- Resolves: #1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode