import OL opencryptoki-3.22.0-3.el8_10.1

.gitignore

@@ -1 +1 @@
-SOURCES/opencryptoki-3.21.0.tar.gz
+SOURCES/opencryptoki-3.22.0.tar.gz

.opencryptoki.metadata

@@ -1 +1 @@
-4a0f2ed8f965a948057ab833f1fafabf58929d3f SOURCES/opencryptoki-3.21.0.tar.gz
+4618b82afde56a8177e888c26d336c6f521bed8a SOURCES/opencryptoki-3.22.0.tar.gz

SOURCES/3.22-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch

@@ -0,0 +1,55 @@
+From 742463a3c5a25313ab7ceb578d81b9998db65f67 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 2 Apr 2025 16:36:45 +0200
+Subject: [PATCH] CCA: Adjust CCA host library version detection for newer CCA
+ versions
+
+Newer CCA versions might report the version string with CSUACFV or CSUACFQ
+with keyword STATCCA using a different indicator character after the version
+information. Ignore the indication character and the remaining data entirely.
+Only the version information as such is of interest.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/cca_stdll/cca_specific.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/usr/lib/cca_stdll/cca_specific.c b/usr/lib/cca_stdll/cca_specific.c
+index 80369248..08e794d0 100644
+--- a/usr/lib/cca_stdll/cca_specific.c
++++ b/usr/lib/cca_stdll/cca_specific.c
+@@ -751,7 +751,6 @@ static CK_RV cca_get_version(STDLL_TokData_t *tokdata)
+     long return_code, reason_code;
+     long version_data_length;
+     long exit_data_len = 0;
+-    char date[20];
+ 
+     /* Get CCA host library version */
+     version_data_length = sizeof(version_data);
+@@ -767,10 +766,10 @@ static CK_RV cca_get_version(STDLL_TokData_t *tokdata)
+     version_data[sizeof(version_data) - 1] = '\0';
+     TRACE_DEVEL("CCA Version string: %s\n", version_data);
+ 
+-    if (sscanf((char *)version_data, "%u.%u.%uz%s",
++    if (sscanf((char *)version_data, "%u.%u.%u",
+                &cca_private->cca_lib_version.ver,
+                &cca_private->cca_lib_version.rel,
+-               &cca_private->cca_lib_version.mod, date) != 4) {
++               &cca_private->cca_lib_version.mod) != 3) {
+         TRACE_ERROR("CCA library version is invalid: %s\n", version_data);
+         return CKR_FUNCTION_FAILED;
+     }
+@@ -3431,8 +3430,8 @@ static CK_RV cca_get_adapter_version(cca_min_card_version_t *data)
+     memcpy(ccaversion, &rule_array[CCA_STATCCA_CCA_VERSION_OFFSET],
+            CCA_STATCCA_CCA_VERSION_LENGTH);
+ 
+-    if (sscanf(ccaversion, "%d.%d.%02d*", (int *)&adapter_version.ver,
+-               (int *)&adapter_version.rel, (int *)&adapter_version.mod) != 3) {
++    if (sscanf(ccaversion, "%u.%u.%u", &adapter_version.ver,
++               &adapter_version.rel, &adapter_version.mod) != 3) {
+         TRACE_ERROR("sscanf of string %s failed, cannot determine CCA card version\n",
+                     ccaversion);
+         return CKR_FUNCTION_FAILED;
+-- 
+2.16.2.windows.1
+

SOURCES/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch

@@ -1,34 +0,0 @@
-commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Mon Jul 10 13:22:48 2023 +0200
-
-    p11sak: Fix parsing of slot number 0
-    
-    Running command 'p11sak list-key aes --slot 0' may result in
-    'p11sak: Invalid argument '0' for option '-s/--slot''
-    
-    This is because of the error checking after strtoul() within function
-    process_number_argument(). In case errno is not zero, it treats a
-    parsed value of zero as an error.
-    
-    Under certain circumstances, errno is non-zero already before calling
-    strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
-    an incorrect error checking, and it is treated as error.
-    
-    Initialize errno to zero before calling strtoul() to avoid such false error
-    detection.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
-index 6e11cb41..38665bbd 100644
---- a/usr/sbin/p11sak/p11sak.c
-+++ b/usr/sbin/p11sak/p11sak.c
-@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
- {
-     char *endptr;
- 
-+    errno = 0;
-     *arg->value.number = strtoul(val, &endptr, 0);
- 
-     if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||

SOURCES/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch

@@ -1,52 +0,0 @@
-commit 4ff774568e334a719fc8de16fe2309e2070f0da8
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Mon May 22 11:40:01 2023 +0200
-
-    p11sak: Fix user confirmation prompt behavior when stdin is closed
-    
-    Treat any error during user confirmation prompt as 'cancel' and skip all
-    operations.
-    
-    One can for example close stdin during a user prompt via CTRL+D. This was
-    erroneously treated as positive confirmation and therefore caused the
-    operation to be performed on the current key object and all further objects
-    matching the filter as well, instead of canceling the operation entirely.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
-index d75d8343..5b54b538 100644
---- a/usr/sbin/p11sak/p11sak.c
-+++ b/usr/sbin/p11sak/p11sak.c
-@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
-             data->num_skipped++;
-             return CKR_OK;
-         case 'c':
-+        case '\0':
-             data->skip_all = true;
-             data->num_skipped++;
-             return CKR_OK;
-@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
-             data->num_skipped++;
-             return CKR_OK;
-         case 'c':
-+        case '\0':
-             data->skip_all = true;
-             data->num_skipped++;
-             return CKR_OK;
-@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
-             data->num_skipped++;
-             return CKR_OK;
-         case 'c':
-+        case '\0':
-             data->skip_all = true;
-             data->num_skipped++;
-             return CKR_OK;
-@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
-             data->num_skipped++;
-             return CKR_OK;
-         case 'c':
-+        case '\0':
-             data->skip_all = true;
-             data->num_skipped++;
-             return CKR_OK;

SOURCES/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch

@@ -1,96 +0,0 @@
-commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Mon Jul 10 10:19:13 2023 +0200
-
-    p11sak: Fix listing of key objects when other object types are present
-    
-    A command like 'p11sak list-key all --slot N ...' fails with
-    
-      p11sak: Attribute CKA_KEY_TYPE is not available in key object
-      p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
-      p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
-    
-    when the object repository contains other, non-key objects, e.g. certificates.
-    
-    When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
-    with C_FindObjects(), and thus other non-key objects also match the filter.
-    When a specific key type is specified, then only such objects match that
-    have the desired CKA_KEY_TYPE attribute value.
-    
-    Fix this by checking the object class in get_key_infos() and skip the object,
-    if it is not a key object.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
-index a6213720..6e11cb41 100644
---- a/usr/sbin/p11sak/p11sak.c
-+++ b/usr/sbin/p11sak/p11sak.c
-@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
-         }
-     }
- 
-+    switch (class_val) {
-+    case CKO_PUBLIC_KEY:
-+    case CKO_PRIVATE_KEY:
-+    case CKO_SECRET_KEY:
-+        break;
-+    default:
-+        free(attrs[0].pValue);
-+        return CKR_KEY_NEEDED;
-+    }
-+
-     for (i = 0; i < num_attrs; i++) {
-         if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
-             warnx("Attribute %s is not available in key object",
-@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
-             if (manual_filtering) {
-                 rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
-                                    NULL, NULL);
-+                if (rc == CKR_KEY_NEEDED) {
-+                    rc = CKR_OK;
-+                    goto next;
-+                }
-                 if (rc != CKR_OK)
-                     break;
- 
-@@ -3672,6 +3686,10 @@ done_find:
-     for (i = 0; i < num_matched_keys; i++) {
-         rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
-                            &label, &typestr, &type);
-+        if (rc == CKR_KEY_NEEDED) {
-+            rc = CKR_OK;
-+            goto next2;
-+        }
-         if (rc != CKR_OK)
-             break;
- 
-@@ -3680,6 +3698,7 @@ done_find:
-         if (rc != CKR_OK)
-             break;
- 
-+next2:
-         if (label != NULL)
-             free(label);
-         label = NULL;
-@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
-     *result = 0;
- 
-     rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
-+    if (rc == CKR_KEY_NEEDED) {
-+        rc = CKR_OK;
-+        *result = 1; /* non-key objects are always greater than key objects */
-+        goto done;
-+    }
-     if (rc != CKR_OK)
-         goto done;
- 
-     rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
-+    if (rc == CKR_KEY_NEEDED) {
-+        rc = CKR_OK;
-+        *result = -1; /* key objects are always smaller than non-key objects */
-+        goto done;
-+    }
-     if (rc != CKR_OK)
-         goto done;
- 

SOURCES/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch

@@ -1,84 +0,0 @@
-commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Mon May 22 13:31:21 2023 +0200
-
-    pkcsstats: Fix handling of user name
-    
-    The struct passwd returned by getpwuid() is a pointer to a static area, that
-    may get overwritten by subsequent calls to getpwuid() or similar.
-    Actually, C_Initialize() itself is using getpwuid() internally, and thus will
-    interfere with the getpwuid() usage in pkcsstats.
-    
-    Make a copy of the returned user name before calling C_Initialize() in
-    init_ock() to ensure to work with the desired user name, and not with anything
-    left over from previous calls.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
-index c2444cf5..a842a295 100644
---- a/usr/sbin/pkcsstats/pkcsstats.c
-+++ b/usr/sbin/pkcsstats/pkcsstats.c
-@@ -783,6 +783,7 @@ int main(int argc, char **argv)
-     int opt = 0;
-     struct passwd *pswd = NULL;
-     int user_id = -1;
-+    char *user_name = NULL;
-     bool summary = false, all_users = false, all_mechs = false;
-     bool reset = false, reset_all = false;
-     bool delete = false, delete_all = false;
-@@ -903,19 +904,27 @@ int main(int argc, char **argv)
-         }
-     }
- 
-+    user_name = strdup(pswd->pw_name);
-+    if (user_name == NULL) {
-+        warnx("Failed to get current user name");
-+        exit(EXIT_FAILURE);
-+    }
-+
-     if (delete) {
-         if (slot_id_specified) {
-             warnx("Options -s/--slot and -d/--delete can not be specified together");
-+            free(user_name);
-             exit(EXIT_FAILURE);
-         }
- 
--        rc = delete_shm(user_id, pswd->pw_name);
-+        rc = delete_shm(user_id, user_name);
-         goto done;
-     }
- 
-     if (delete_all) {
-         if (slot_id_specified) {
-             warnx("Options -s/--slot and -D/--delete-all can not be specified together");
-+            free(user_name);
-             exit(EXIT_FAILURE);
-         }
- 
-@@ -932,7 +941,7 @@ int main(int argc, char **argv)
-         goto done;
- 
-     if (reset) {
--        rc = reset_shm(user_id, pswd->pw_name, num_slots, slots,
-+        rc = reset_shm(user_id, user_name, num_slots, slots,
-                        slot_id_specified, slot_id);
-         goto done;
-     }
-@@ -968,7 +977,7 @@ int main(int argc, char **argv)
-         rc = display_summary(&dd);
-         goto done;
-     } else {
--        rc = display_stats(user_id, pswd->pw_name, &dd);
-+        rc = display_stats(user_id, user_name, &dd);
-         goto done;
-     }
- 
-@@ -984,5 +993,7 @@ done:
-         dlclose(dll);
-     }
- 
-+    free(user_name);
-+
-     return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
- }

SOURCES/opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch

@@ -1,37 +0,0 @@
-commit f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Tue May 23 15:07:02 2023 +0200
-
-    p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
-    
-    On OpenSSL version before 1.1.1r function PEM_write_bio() segfaults when the
-    'header' argument is NULL. This was fixed in OpenSSL 1.1.1r with commit
-    https://github.com/openssl/openssl/commit/3b9082c844913d3a0efada9fac0bd2924ce1a8f2
-    
-    As a workaround, specify an empty string instead of NULL, which results in the
-    same output.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
-index 5b54b538..3baae560 100644
---- a/usr/sbin/p11sak/p11sak.c
-+++ b/usr/sbin/p11sak/p11sak.c
-@@ -6794,7 +6794,7 @@ static CK_RV p11sak_export_spki(const struct p11sak_keytype *keytype,
-         return rc;
-     }
- 
--    ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, NULL,
-+    ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, "",
-                         attr.pValue, attr.ulValueLen);
-     if (ret <= 0) {
-         warnx("Failed to write SPKI of %s key object \"%s\" to PEM file '%s'.",
-@@ -6888,7 +6888,7 @@ static CK_RV p11sak_export_asym_key(const struct p11sak_keytype *keytype,
-         ret = PEM_write_bio(bio, private ?
-                                     keytype->pem_name_private :
-                                     keytype->pem_name_public,
--                            NULL, data, data_len);
-+                            "", data, data_len);
-         if (ret <= 0) {
-             warnx("Failed to write %s key object \"%s\" to PEM file '%s'.",
-                   typestr, label, opt_file);

SPECS/opencryptoki.spec

@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
-Version: 3.21.0
-Release: 10%{?dist}.alma.1
+Version: 3.22.0
+Release: 3%{?dist}.1
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -15,23 +15,14 @@ Patch2: opencryptoki-3.21.0-p11sak.patch
 Patch3: opencryptoki-3.21-sandboxing.patch
 
 # upstream patches
-# pkcsstats: Fix handling of user name
-Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
-# p11sak: Fix user confirmation prompt behavior when stdin is closed
-Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
-# p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
-Patch102: opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch
-# p11sak fails as soon as there reside non-key objects
-Patch103: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
-# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
-Patch104: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
-
 # CVE-2024-0914 opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts
 Patch20: opencryptoki-CVE-2024-0914-part1.patch
 Patch21: opencryptoki-CVE-2024-0914-part2.patch
 Patch22: opencryptoki-CVE-2024-0914-part3.patch
 Patch23: opencryptoki-CVE-2024-0914-part4.patch
 Patch24: opencryptoki-CVE-2024-0914-part5.patch
+# supporting CCA 8.4
+Patch25: 3.22-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch
 
 Requires(pre): coreutils diffutils
 Requires: (selinux-policy >= 3.14.3-121 if selinux-policy-targeted)
@@ -392,8 +383,19 @@ fi
 
 
 %changelog
-* Wed Apr 03 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 3.21.0-10.alma.1
-- timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)
+* Mon Aug 11 2025 Than Ngo <than@redhat.com> - 3.22.0-3.1
+- Resolves: RHEL-105918, fix for supporting CCA 8.4
+
+* Fri Feb 16 2024 Than Ngo <than@redhat.com> - 3.22.0-3
+- Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
+Related: RHEL-22791
+
+* Thu Feb 08 2024 Than Ngo <than@redhat.com> - 3.22.0-2
+- timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin)
+Resolves: RHEL-22791
+
+* Thu Nov 23 2023 Than Ngo <than@redhat.com> - 3.22.0-1
+- Resolves: RHEL-11413, update to 3.22.0
 
 * Tue Jul 18 2023 Than Ngo <than@redhat.com> - 3.21.0-9
 - Resolves: #2223588, FTBFS