.gitignore

@@ -1 +1 @@
-SOURCES/opencryptoki-3.22.0.tar.gz
+SOURCES/opencryptoki-3.21.0.tar.gz

.opencryptoki.metadata

@@ -0,0 +1 @@
+4a0f2ed8f965a948057ab833f1fafabf58929d3f SOURCES/opencryptoki-3.21.0.tar.gz

SOURCES/opencryptoki-3.21-sandboxing.patch

@@ -1,27 +0,0 @@
-diff -up opencryptoki-3.21.0/misc/pkcsslotd.service.in.me opencryptoki-3.21.0/misc/pkcsslotd.service.in
---- opencryptoki-3.21.0/misc/pkcsslotd.service.in.me	2023-05-16 20:50:08.128841932 +0200
-+++ opencryptoki-3.21.0/misc/pkcsslotd.service.in	2023-05-16 21:19:35.208570589 +0200
-@@ -22,17 +22,17 @@ PrivateUsers=no
- PrivateNetwork=no
- RestrictAddressFamilies=AF_UNIX AF_NETLINK
- IPAddressDeny=any
--ProtectClock=yes
-+#ProtectClock=yes
- ProtectKernelTunables=yes
- ProtectKernelModules=yes
--ProtectKernelLogs=yes
-+#ProtectKernelLogs=yes
- ProtectControlGroups=yes
- ProtectHome=yes
--ProtectHostname=yes
--ProtectProc=default
-+#ProtectHostname=yes
-+#ProtectProc=default
- ProtectSystem=strict
--ReadWritePaths=@localstatedir@
--ProcSubset=all
-+ReadWritePaths=@localstatedir@ /run
-+#ProcSubset=all
- MemoryDenyWriteExecute=yes
- RestrictRealtime=yes
- RestrictNamespaces=yes

SOURCES/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch

@@ -0,0 +1,34 @@
+commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon Jul 10 13:22:48 2023 +0200
+
+    p11sak: Fix parsing of slot number 0
+    
+    Running command 'p11sak list-key aes --slot 0' may result in
+    'p11sak: Invalid argument '0' for option '-s/--slot''
+    
+    This is because of the error checking after strtoul() within function
+    process_number_argument(). In case errno is not zero, it treats a
+    parsed value of zero as an error.
+    
+    Under certain circumstances, errno is non-zero already before calling
+    strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
+    an incorrect error checking, and it is treated as error.
+    
+    Initialize errno to zero before calling strtoul() to avoid such false error
+    detection.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 6e11cb41..38665bbd 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
+ {
+     char *endptr;
+ 
++    errno = 0;
+     *arg->value.number = strtoul(val, &endptr, 0);
+ 
+     if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||

SOURCES/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch

@@ -0,0 +1,52 @@
+commit 4ff774568e334a719fc8de16fe2309e2070f0da8
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon May 22 11:40:01 2023 +0200
+
+    p11sak: Fix user confirmation prompt behavior when stdin is closed
+    
+    Treat any error during user confirmation prompt as 'cancel' and skip all
+    operations.
+    
+    One can for example close stdin during a user prompt via CTRL+D. This was
+    erroneously treated as positive confirmation and therefore caused the
+    operation to be performed on the current key object and all further objects
+    matching the filter as well, instead of canceling the operation entirely.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index d75d8343..5b54b538 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
+             data->num_skipped++;
+             return CKR_OK;
+         case 'c':
++        case '\0':
+             data->skip_all = true;
+             data->num_skipped++;
+             return CKR_OK;
+@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
+             data->num_skipped++;
+             return CKR_OK;
+         case 'c':
++        case '\0':
+             data->skip_all = true;
+             data->num_skipped++;
+             return CKR_OK;
+@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
+             data->num_skipped++;
+             return CKR_OK;
+         case 'c':
++        case '\0':
+             data->skip_all = true;
+             data->num_skipped++;
+             return CKR_OK;
+@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
+             data->num_skipped++;
+             return CKR_OK;
+         case 'c':
++        case '\0':
+             data->skip_all = true;
+             data->num_skipped++;
+             return CKR_OK;

SOURCES/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch

@@ -0,0 +1,96 @@
+commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon Jul 10 10:19:13 2023 +0200
+
+    p11sak: Fix listing of key objects when other object types are present
+    
+    A command like 'p11sak list-key all --slot N ...' fails with
+    
+      p11sak: Attribute CKA_KEY_TYPE is not available in key object
+      p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
+      p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
+    
+    when the object repository contains other, non-key objects, e.g. certificates.
+    
+    When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
+    with C_FindObjects(), and thus other non-key objects also match the filter.
+    When a specific key type is specified, then only such objects match that
+    have the desired CKA_KEY_TYPE attribute value.
+    
+    Fix this by checking the object class in get_key_infos() and skip the object,
+    if it is not a key object.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index a6213720..6e11cb41 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
+         }
+     }
+ 
++    switch (class_val) {
++    case CKO_PUBLIC_KEY:
++    case CKO_PRIVATE_KEY:
++    case CKO_SECRET_KEY:
++        break;
++    default:
++        free(attrs[0].pValue);
++        return CKR_KEY_NEEDED;
++    }
++
+     for (i = 0; i < num_attrs; i++) {
+         if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
+             warnx("Attribute %s is not available in key object",
+@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
+             if (manual_filtering) {
+                 rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
+                                    NULL, NULL);
++                if (rc == CKR_KEY_NEEDED) {
++                    rc = CKR_OK;
++                    goto next;
++                }
+                 if (rc != CKR_OK)
+                     break;
+ 
+@@ -3672,6 +3686,10 @@ done_find:
+     for (i = 0; i < num_matched_keys; i++) {
+         rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
+                            &label, &typestr, &type);
++        if (rc == CKR_KEY_NEEDED) {
++            rc = CKR_OK;
++            goto next2;
++        }
+         if (rc != CKR_OK)
+             break;
+ 
+@@ -3680,6 +3698,7 @@ done_find:
+         if (rc != CKR_OK)
+             break;
+ 
++next2:
+         if (label != NULL)
+             free(label);
+         label = NULL;
+@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
+     *result = 0;
+ 
+     rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
++    if (rc == CKR_KEY_NEEDED) {
++        rc = CKR_OK;
++        *result = 1; /* non-key objects are always greater than key objects */
++        goto done;
++    }
+     if (rc != CKR_OK)
+         goto done;
+ 
+     rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
++    if (rc == CKR_KEY_NEEDED) {
++        rc = CKR_OK;
++        *result = -1; /* key objects are always smaller than non-key objects */
++        goto done;
++    }
+     if (rc != CKR_OK)
+         goto done;
+ 

SOURCES/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch

@@ -0,0 +1,84 @@
+commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon May 22 13:31:21 2023 +0200
+
+    pkcsstats: Fix handling of user name
+    
+    The struct passwd returned by getpwuid() is a pointer to a static area, that
+    may get overwritten by subsequent calls to getpwuid() or similar.
+    Actually, C_Initialize() itself is using getpwuid() internally, and thus will
+    interfere with the getpwuid() usage in pkcsstats.
+    
+    Make a copy of the returned user name before calling C_Initialize() in
+    init_ock() to ensure to work with the desired user name, and not with anything
+    left over from previous calls.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
+index c2444cf5..a842a295 100644
+--- a/usr/sbin/pkcsstats/pkcsstats.c
++++ b/usr/sbin/pkcsstats/pkcsstats.c
+@@ -783,6 +783,7 @@ int main(int argc, char **argv)
+     int opt = 0;
+     struct passwd *pswd = NULL;
+     int user_id = -1;
++    char *user_name = NULL;
+     bool summary = false, all_users = false, all_mechs = false;
+     bool reset = false, reset_all = false;
+     bool delete = false, delete_all = false;
+@@ -903,19 +904,27 @@ int main(int argc, char **argv)
+         }
+     }
+ 
++    user_name = strdup(pswd->pw_name);
++    if (user_name == NULL) {
++        warnx("Failed to get current user name");
++        exit(EXIT_FAILURE);
++    }
++
+     if (delete) {
+         if (slot_id_specified) {
+             warnx("Options -s/--slot and -d/--delete can not be specified together");
++            free(user_name);
+             exit(EXIT_FAILURE);
+         }
+ 
+-        rc = delete_shm(user_id, pswd->pw_name);
++        rc = delete_shm(user_id, user_name);
+         goto done;
+     }
+ 
+     if (delete_all) {
+         if (slot_id_specified) {
+             warnx("Options -s/--slot and -D/--delete-all can not be specified together");
++            free(user_name);
+             exit(EXIT_FAILURE);
+         }
+ 
+@@ -932,7 +941,7 @@ int main(int argc, char **argv)
+         goto done;
+ 
+     if (reset) {
+-        rc = reset_shm(user_id, pswd->pw_name, num_slots, slots,
++        rc = reset_shm(user_id, user_name, num_slots, slots,
+                        slot_id_specified, slot_id);
+         goto done;
+     }
+@@ -968,7 +977,7 @@ int main(int argc, char **argv)
+         rc = display_summary(&dd);
+         goto done;
+     } else {
+-        rc = display_stats(user_id, pswd->pw_name, &dd);
++        rc = display_stats(user_id, user_name, &dd);
+         goto done;
+     }
+ 
+@@ -984,5 +993,7 @@ done:
+         dlclose(dll);
+     }
+ 
++    free(user_name);
++
+     return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+ }

SPECS/opencryptoki.spec

@@ -1,49 +1,57 @@
-Name: opencryptoki
-Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
-Version: 3.22.0
-Release: 3%{?dist}
-License: CPL
-Group: System Environment/Base
-URL: https://github.com/opencryptoki/opencryptoki
-Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
+Name:			opencryptoki
+Summary:		Implementation of the PKCS#11 (Cryptoki) specification v3.0
+Version:		3.21.0
+Release:		9%{?dist}.alma.1
+License:		CPL
+URL:			https://github.com/opencryptoki/opencryptoki
+Source0:		https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
-Patch1: opencryptoki-3.11.0-lockdir.patch
-# add missing p11sak_defined_attrs.conf
-Patch2: opencryptoki-3.21.0-p11sak.patch
-# comment some unsupported sandbox options and add /run to ReadWritePaths to exclude
-# /run directory from being made read-only on rhel8
-Patch3: opencryptoki-3.21-sandboxing.patch
+Patch1:			opencryptoki-3.11.0-lockdir.patch
+# add missing p11sak_defined_attrs.conf, strength.conf
+Patch2:			opencryptoki-3.21.0-p11sak.patch
 
 # upstream patches
-# CVE-2024-0914 opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts
-Patch20: opencryptoki-CVE-2024-0914-part1.patch
-Patch21: opencryptoki-CVE-2024-0914-part2.patch
-Patch22: opencryptoki-CVE-2024-0914-part3.patch
-Patch23: opencryptoki-CVE-2024-0914-part4.patch
-Patch24: opencryptoki-CVE-2024-0914-part5.patch
+# pkcsstats: Fix handling of user name
+Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
+# p11sak: Fix user confirmation prompt behavior when stdin is closed
+Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
+# p11sak fails as soon as there reside non-key objects
+Patch102: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
+# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
+Patch103: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
 
-Requires(pre): coreutils diffutils
-Requires: (selinux-policy >= 3.14.3-121 if selinux-policy-targeted)
-BuildRequires: gcc
-BuildRequires: gcc-c++
-BuildRequires: openssl-devel >= 1.1.1
-BuildRequires: trousers-devel
-BuildRequires: openldap-devel
-BuildRequires: autoconf automake libtool
-BuildRequires: bison flex
-BuildRequires: systemd-devel
-BuildRequires: libcap-devel
-BuildRequires: expect
-BuildRequires: make
-%ifarch s390 s390x
-BuildRequires: libica-devel >= 3.3
+# Patches were taken from:
+# https://gitlab.com/redhat/centos-stream/rpms/opencryptoki/-/commit/d8e7a718822e260fa1d80b74bda90d28a7db92dd
+Patch50: opencryptoki-CVE-2024-0914-part1.patch
+Patch51: opencryptoki-CVE-2024-0914-part2.patch
+Patch52: opencryptoki-CVE-2024-0914-part3.patch
+Patch53: opencryptoki-CVE-2024-0914-part4.patch
+Patch54: opencryptoki-CVE-2024-0914-part5.patch
+
+Requires(pre):		coreutils diffutils
+Requires: 		(selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
+BuildRequires:		gcc
+BuildRequires:		gcc-c++
+BuildRequires:		openssl-devel >= 1.1.1
+%if 0%{?tmptok}
+BuildRequires:		trousers-devel
 %endif
-Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Requires: %{name}(token)
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
+BuildRequires:		openldap-devel
+BuildRequires:		autoconf automake libtool
+BuildRequires:		bison flex
+BuildRequires:		systemd-devel
+BuildRequires:		libcap-devel
+BuildRequires:		expect
+BuildRequires:		make
+%ifarch s390 s390x
+BuildRequires:		libica-devel >= 3.3
+%endif
+Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
+Requires:		%{name}(token)
+Requires(post):		systemd
+Requires(preun):	systemd
+Requires(postun):	systemd
 
 
 %description
@@ -56,7 +64,6 @@ This package contains the Slot Daemon (pkcsslotd) and general utilities.
 
 
 %package libs
-Group:			System Environment/Libraries
 Summary:		The run-time libraries for opencryptoki package
 Requires(pre):	shadow-utils
 
@@ -72,7 +79,6 @@ functional.
 
 
 %package devel
-Group:			Development/Libraries
 Summary:		Development files for openCryptoki
 Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
 
@@ -82,7 +88,6 @@ opencryptoki and PKCS#11 based applications
 
 
 %package swtok
-Group:			System Environment/Libraries
 Summary:		The software token implementation for opencryptoki
 Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
 Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
@@ -99,7 +104,6 @@ without any specific cryptographic hardware.
 
 
 %package tpmtok
-Group:			System Environment/Libraries
 Summary:		Trusted Platform Module (TPM) device support for opencryptoki
 Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
 Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
@@ -116,7 +120,6 @@ Trusted Platform Module (TPM) devices in the opencryptoki stack.
 
 
 %package icsftok
-Group:			System Environment/Libraries
 Summary:		ICSF token support for opencryptoki
 Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
 Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
@@ -134,7 +137,6 @@ ICSF token in the opencryptoki stack.
 
 %ifarch s390 s390x
 %package icatok
-Group:			System Environment/Libraries
 Summary:		ICA cryptographic devices (clear-key) support for opencryptoki
 Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
 Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
@@ -152,7 +154,6 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
 "accelerator" or "clear-key" path.
 
 %package ccatok
-Group:			System Environment/Libraries
 Summary:		CCA cryptographic devices (secure-key) support for opencryptoki
 Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
 Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
@@ -170,7 +171,6 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
 "co-processor" or "secure-key" path.
 
 %package ep11tok
-Group:			System Environment/Libraries
 Summary:		CCA cryptographic devices (secure-key) support for opencryptoki
 Requires(pre):		%{name}-libs%{?_isa} = %{version}-%{release}
 Requires:		%{name}-libs%{?_isa} = %{version}-%{release}
@@ -196,44 +196,24 @@ configured with Enterprise PKCS#11 (EP11) firmware.
 %build
 ./bootstrap.sh
 
-%configure --with-systemd=%{_unitdir}  \
+%configure --with-systemd=%{_unitdir} --enable-testcases	\
     --with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \
+%if 0%{?tpmtok}
+    --enable-tpmtok \
+%else
+    --disable-tpmtok \
+%endif
 %ifarch s390 s390x
     --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
 %else
-    --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --disable-pkcscca_migrate
+    --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
 %endif
 
-make %{?_smp_mflags} CHGRP=/bin/true
+%make_build CHGRP=/bin/true
 
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true
-
-# Remove unwanted cruft
-rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la
-rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la
-
-
-%post libs -p /sbin/ldconfig
-%post swtok -p /sbin/ldconfig
-%post tpmtok -p /sbin/ldconfig
-%post icsftok -p /sbin/ldconfig
-%ifarch s390 s390x
-%post icatok -p /sbin/ldconfig
-%post ccatok -p /sbin/ldconfig
-%post ep11tok -p /sbin/ldconfig
-%endif
-
-%postun libs -p /sbin/ldconfig
-%postun swtok -p /sbin/ldconfig
-%postun tpmtok -p /sbin/ldconfig
-%postun icsftok -p /sbin/ldconfig
-%ifarch s390 s390x
-%postun icatok -p /sbin/ldconfig
-%postun ccatok -p /sbin/ldconfig
-%postun ep11tok -p /sbin/ldconfig
-%endif
+%make_install CHGRP=/bin/true
 
 %pre
 # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
@@ -260,7 +240,7 @@ fi
 
 %systemd_post pkcsslotd.service
 if test $1 -eq 1; then
-    %tmpfiles_create
+	%tmpfiles_create %{name}.conf
 fi
 
 %preun
@@ -269,8 +249,6 @@ fi
 %postun
 %systemd_postun_with_restart pkcsslotd.service
 
-%triggerun -- opencryptoki < 3.21.0-1
-/usr/bin/systemctl daemon-reload
 
 %files
 %doc ChangeLog FAQ README.md
@@ -334,11 +312,13 @@ fi
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
 
+%if 0%{?tmptok}
 %files tpmtok
 %doc doc/README.tpm_stdll
 %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
 %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
+%endif
 
 %files icsftok
 %doc doc/README.icsf_stdll
@@ -381,196 +361,199 @@ fi
 
 
 %changelog
-* Fri Feb 16 2024 Than Ngo <than@redhat.com> - 3.22.0-3
-- Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
-Related: RHEL-22791
+* Mon Mar 11 2024 Eduard Abdullin <eabdullin@almalinux.org> - 3.21.0-9.alma.1
+- A timing side-channel vulnerability has been discovered in
+ the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts
 
-* Thu Feb 08 2024 Than Ngo <than@redhat.com> - 3.22.0-2
-- timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin)
-Resolves: RHEL-22791
-
-* Thu Nov 23 2023 Than Ngo <than@redhat.com> - 3.22.0-1
-- Resolves: RHEL-11413, update to 3.22.0
-
-* Tue Jul 18 2023 Than Ngo <than@redhat.com> - 3.21.0-9
-- Resolves: #2223588, FTBFS
-
-* Tue Jul 18 2023 Than Ngo <than@redhat.com> - 3.21.0-8
-- Related: #2222595, add triggerun to reload daemon
-
-* Fri Jul 14 2023 Than Ngo <than@redhat.com> - 3.21.0-7
-- Resolves: #2222595, p11sak tool: slot option does not accept argument 0 for slot index 0
-- Resolves: #2222594, p11sak fails as soon as there reside non-key objects
-
-* Tue Jul 04 2023 Than Ngo <than@redhat.com> - 3.21.0-6
-- add workaround for segfault in PEM_write_bio() on OpenSSL 1.1.1
-Related: #2159741
+* Fri Jul 14 2023 Than Ngo <than@redhat.com> - 3.21.0-8
+- Resolves: #2222592, p11sak tool: slot option does not accept argument 0 for slot index 0
+- Resolves: #2222596, p11sak fails as soon as there reside non-key objects
 
 * Tue Jun 13 2023 Than Ngo <than@redhat.com> - 3.21.0-5
-- add requirement on selinux-policy >= 3.14.3-121 for pkcsslotd policy sandboxing
-Related: #2159697
+- add requirement on selinux-policy >= 38.1.14-1 for pkcsslotd policy sandboxing
+Related: #2160061
 
-* Thu May 25 2023 Than Ngo <than@redhat.com> - 3.21.0-4
+* Fri May 26 2023 Than Ngo <than@redhat.com> - 3.21.0-4
 - add verify attributes for opencryptoki.conf to ignore the verification
-Related: #2159697
+
+Related: #2160061
 
 * Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3
-- pkcsstats: Fix handling of user name
-- p11sak: Fix user confirmation prompt behavior when stdin is closed
-Related: #2159697
-
-* Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
-- add missing /var/lib/opencryptoki/HSM_MK_CHANGE
-- disable unsupported sandbox options and add /run to ReadWritePaths to exclude
-  /run directory from being made read-only on rhel8
-Related: #2159697
-
-* Mon May 15 2023 Than Ngo <than@redhat.com> - 3.21.0-1
-- Resolves: #1984865, ep11 and cca: support concurrent HSM master key changes
-- Resolves: #2110500, ep11 token: PKCS #11 3.0 - support AES_XTS 
-- Resolves: #2111011, cca token: protected key support
-- Resolves: #2159697, update to 3.21.0
-- Resolves: #2159740, pkcsslotd hardening
-- Resolves: #2159741, p11sak support Dilithium and Kyber keys
-- Resolves: #2159742, ica and soft tokens: PKCS #11 3.0 - support AES_XTS
+- Resolves: #2110497, concurrent MK rotation for cca token
+- Resolves: #2110498, concurrent MK rotation for ep11 token
+- Resolves: #2110499, ep11 token: PKCS #11 3.0 - support AES_XTS
+- Resolves: #2111010, cca token: protected key support 
+- Resolves: #2160061, rebase to 3.21.0
+- Resolves: #2160105, pkcsslotd hardening
+- Resolves: #2160107, p11sak support Dilithium and Kyber keys
+- Resolves: #2160109, ica and soft tokens: PKCS #11 3.0 - support AES_XTS
 
 * Mon Jan 30 2023 Than Ngo <than@redhat.com> - 3.19.0-2
-- Resolves: #2043856, Support of ep11 token for new IBM Z Hardware (IBM z16)
+- Resolves: #2044182, Support of ep11 token for new IBM Z Hardware (IBM z16) 
 
-* Tue Nov 01 2022 Than Ngo <than@redhat.com> - 3.19.0-1
-- Resolves: #2126612, opencryptoki fails after generating > 500 RSA keys
-- Resolves: #2110315, rebase to 3.19.0
-- Resolves: #2110990, openCryptoki key generation with expected MKVP only on CCA and EP11 tokens
-- Resolves: #2110477, openCryptoki ep11 token: master key consistency
-- Resolves: #1984871, openCryptoki ep11 token: vendor specific key derivation
+* Tue Oct 11 2022 Than Ngo <than@redhat.com> - 3.19.0-1
+- Resolves: #2126294, opencryptoki fails after generating > 500 RSA keys
+- Resolves: #2110314, rebase to 3.19.0
+- Resolves: #2110989, openCryptoki key generation with expected MKVP only on CCA and EP11 tokens
+- Resolves: #2110476, openCryptoki ep11 token: master key consistency
+- Resolves: #2018458, openCryptoki ep11 token: vendor specific key derivation
 
-* Mon Aug 01 2022 Than Ngo <than@redhat.com> - 3.18.0-3
-- Related: #2043854, do not touch opencryptoki.conf if it is in place already and even if it is unchanged
-- Resolves: #2112785, EP11: Fix C_GetMechanismList returning CKR_BUFFER_TOO_SMALL
+* Fri Jul 29 2022 Than Ngo <than@redhat.com> - 3.18.0-4
+- Related: #2044179, do not touch opencryptoki.conf if it is in place already and even if it is unchanged
 
-* Tue Jun 07 2022 Than Ngo <than@redhat.com> - 3.18.0-2
-- Related: #2043854, fix json output
+* Tue Jun 07 2022 Than Ngo <than@redhat.com> - 3.18.0-3
+- Related: #2044179, fix json output
 
-* Tue May 24 2022 Than Ngo <than@redhat.com> - 3.18.0-1
-- Resolves: #2043845, rebase to 3.18.0
-- Resolves: #2043854, add crypto counters
-- Resolves: #2043855, support crypto profiles
+* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-2
+- Related: #2044179, add missing strength.conf
 
-* Fri Apr 15 2022 Than Ngo <than@redhat.com> - 3.17.0-4
-- Resolves: #2066762, Dilithium support not available 
+* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-1
+- Resolves: #2044179, rebase to 3.18.0
+- Resolves: #2068091, pkcsconf -t failed with Segmentation fault in FIPS mode
+- Resolves: #2066763, Dilithium support not available
+- Resolves: #2064697, OpenSSL 3.0 Compatibility for IBM Security Libraries and Tools
+- Resolves: #2044181, support crypto profiles
+- Resolves: #2044180, add crypto counters
 
-* Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-3
-- Resolves: #2040677, API: Unlock GlobMutex if user and group check fails
+* Tue May 03 2022 Than Ngo <than@redhat.com> - 3.17.0-6
+- Resolves: #2066763, Dilithium support not available
 
-* Tue Nov 09 2021 Than Ngo <than@redhat.com> - 3.17.0-2
-- Related: #1984993, add missing p11sak_defined_attrs.conf 
+* Mon Mar 14 2022 Than Ngo <than@redhat.com> - 3.17.0-5
+- Resolves: #2064697, ICA/EP11: Support libica version 4
 
-* Tue Oct 19 2021 Than Ngo <than@redhat.com> - 3.17.0-1
-- Resolves: #1984993, rebase to 3.17.0
-- Resolves: #1984870, openCryptoki key management tool
+* Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-4
+- Resolves: #2040678, API: Unlock GlobMutex if user and group check fails
 
-* Mon Sep 13 2021 Than Ngo <than@redhat.com> - 3.16.0-6
-- Fix: Could not open /run/lock/opencryptoki/LCK..APIlock
+* Sat Dec 04 2021 Than Ngo <than@redhat.com> - 3.17.0-3
+- Related: #2015888, added missing patch pkcsslotd-pidfile
 
-* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-5
-- Resolves: #1987256, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
+* Wed Nov 24 2021 Than Ngo <than@redhat.com> - 3.17.0-2
+- Related: #2015888, add missing p11sak_defined_attrs.conf
 
-* Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-4
-- Resolves: #1964304, Fix detection if pkcsslotd is still running
+* Wed Nov 03 2021 Than Ngo <than@redhat.com> - 3.17.0-1
+- Resolves: #2015888, rebase to 3.17.0
+- Resolves: #2017720, openCryptoki key management tool 
 
-* Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-3
-- Related: #1919223, add conditional requirement
+* Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12
+- Related: #1989138, Support for OpenSSL 3.0
 
-* Fri Jun 11 2021 Than Ngo <than@redhat.com> - 3.16.0-2
-- Related: #1919223, add requirement on selinux-policy >= 3.14.3-70 for using ipsec
+* Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11
+- Resolves: #1989138, Support for OpenSSL 3.0
 
-* Tue Jun 01 2021 Than Ngo <than@redhat.com> - 3.16.0-1
-- Resolves: #1919223, rebase to 3.16.0
-- Resolves: #1922195, Event Notification Support
-- Resolves: #1959936, Soft token does not check if an EC key is valid
-- Resolves: #1851104, import and export of secure key objects
-- Resolves: #1851106, openCryptoki ep11 token: protected key support
-- Resolves: #1851107, openCryptoki ep11 token: support attribute bound keys
+* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-10
+- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-9
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 3.16.0-8
+- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
+
+* Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-7
+- Resolves: #1974365, Fix detection if pkcsslotd is still running
+
+* Fri Jun 25 2021 Than Ngo <than@redhat.com> - 3.16.0-6
+- Resolves: #1974693, pkcsslotd PIDfile below legacy directory /var/run/
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-5
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-4
+- Related: #1924120, add conditional requirement on new selinux-policy
+
+* Mon May 17 2021 Than Ngo <than@redhat.com> - 3.16.0-3
+- Resolves: #1959894, Soft token does not check if an EC key is valid
+- Resolves: #1924120, Event Notification Support
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1
+- Rebase to 3.16.0
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
 
 * Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
-- Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts
+- Added upstream patch, a slot ID has nothing to do with the number of slots
 
-* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-4
-- Resolves: #1927745, pkcscca migration fails with usr/sb2 is not a valid slot ID
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3
-- Resolves: #1902022
-   Fix compiling with c++
-   Added error message handling for p11sak remove-key command
+* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3
+- Drop tpm1.2 support by default
 
-* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-2
-- Related: #1847433, Added error message handling for p11sak remove-key command
+* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2
+- Fix compiling with c++
+- Added error message handling for p11sak remove-key command
+- Add BR on make
 
 * Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
-- Related: #1847433
-  upstream fixes:
-    - Free generated key in all error cases
-    - CCA: Zeroize key buffer to avoid CCA 8/32 error
-    - Do not delete the map-btree entry if destroying an object is not allowed
-    - Remove now unused header timeb.h
-    - TESTCASES: Use FIPS conforming keys for 3DES CBC-MAC test vectors
-    - Fix buffer overrun in C_CopyObject
-    - TPM: Fix double free in openssl_gen_key
+- Rebase to 3.15.1
 
-* Mon Oct 19 2020 Than Ngo <than@redhat.com> - 3.15.0-1
-- Resolves: #1847433, rebase to 3.15.0 
-- Resolves: #1851105, PKCS #11 3.0 - baseline provider support
-- Resolves: #1851108, openCryptoki ep11 token: enhanced functionality
-- Resolves: #1851109, openCryptoki key management tool: key deletion function
+* Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1
+- Rebase to 3.15.0
 
-* Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5
-- Related: #1853420, more fixes
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Fri Jul 03 2020 Than Ngo <than@redhat.com> - 3.14.0-4
-- Resolves: #1853420, endian issue 
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 
-* Mon Jun 15 2020 Than Ngo <than@redhat.com> - 3.14.0-3
-- Resolves: #1780294, PIN conversion tool
+* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
+- added PIN conversion tool
 
-* Tue May 26 2020 Than Ngo <than@redhat.com> - 3.14.0-2
-- Related: #1780293, fix regression, segfault in C_SetPin
+* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
+- upstream fix - handle early error cases in C_Initialize
 
-* Tue May 19 2020 Than Ngo <than@redhat.com> - 3.14.0-1
-- Resolves: #1723863 - ep11 token: Enhanced Support
-- Resolves: #1780285 - ep11 token: Support for new IBM Z hardware z15
-- Resolves: #1780293 - rebase to 3.14.0
-- Resolves: #1800549 - key management tool: list keys function
- -Resolves: #1800555 - key management tool: random key generation function
+* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
+- fix regression, segfault in C_SetPin
 
-* Fri Dec 13 2019 Than Ngo <than@redhat.com> - 3.12.1-2
-- Resolves: #1782445, EP11: Fix EC-uncompress buffer length
+* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
+- Rebase to 3.14.0
 
-* Thu Nov 28 2019 Than Ngo <than@redhat.com> - 3.12.1-1
-- Resolves: #1777313, rebase to 3.12.1
+* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
+- Rebase to 3.13.0
 
-* Tue Nov 12 2019 Than Ngo <than@redhat.com> - 3.12.0-1
-- Resolves: #1726243, rebase to 3.12.0
+* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
+- fix build with gcc 10
 
-* Mon Aug 26 2019 Dan Horák <dhorak@redhat.com> - 3.11.1-2
-- Resolves: #1739433, ICA HW token missing after the package update
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
-* Mon May 06 2019 Than Ngo <than@redhat.com> - 3.11.1-1
-- Resolves: #1706140, rebase to 3.11.1
+* Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1
+- Rebase to 3.12.1
 
-* Tue Mar 26 2019 Than Ngo <than@redhat.com> - 3.11.0-3
-- Resolves: #1667941, 3des tests failures due to FIPS incompatible test scenarios
-- Resolves: #1651731, ep11 token: enhanced IBM z14 functions
-- Resolves: #1651732, ep11 token: support m_*Single functions from ep11 lib
-- Resolves: #1525407, use CPACF hashes in ep11 token
-- Resolves: #1651238, rebase to 3.11.0
-- Resolves: #1682530, gating
+* Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1
+- Rebase to 3.12.0
 
-* Fri Dec 14 2018 Than Ngo <than@redhat.com> - 3.10.0-3
-- Resolves: #1657683, can't establish libica token in FIPS mode
-- Resolves: #1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode
+* Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1
+- Rebase to 3.11.1
 
-* Thu Oct 25 2018 Than Ngo <than@redhat.com> - 3.10.0-2
-- Resolves: #1602641, covscan
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4
+- enable testcase by default
+- fix URL
+
+* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
+- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1
+- Updated to 3.11.0
+- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
+- Ported root's group membership's patch for 3.11.0
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
 - Rebase to 3.10.0