Add missing .alma dist

.gitignore

@@ -1 +1 @@
-SOURCES/opencryptoki-3.22.0.tar.gz
+SOURCES/opencryptoki-3.21.0.tar.gz

.opencryptoki.metadata

@@ -0,0 +1 @@
+4a0f2ed8f965a948057ab833f1fafabf58929d3f SOURCES/opencryptoki-3.21.0.tar.gz

SOURCES/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch

@@ -0,0 +1,34 @@
+commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon Jul 10 13:22:48 2023 +0200
+
+    p11sak: Fix parsing of slot number 0
+    
+    Running command 'p11sak list-key aes --slot 0' may result in
+    'p11sak: Invalid argument '0' for option '-s/--slot''
+    
+    This is because of the error checking after strtoul() within function
+    process_number_argument(). In case errno is not zero, it treats a
+    parsed value of zero as an error.
+    
+    Under certain circumstances, errno is non-zero already before calling
+    strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
+    an incorrect error checking, and it is treated as error.
+    
+    Initialize errno to zero before calling strtoul() to avoid such false error
+    detection.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 6e11cb41..38665bbd 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
+ {
+     char *endptr;
+ 
++    errno = 0;
+     *arg->value.number = strtoul(val, &endptr, 0);
+ 
+     if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||

SOURCES/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch

@@ -0,0 +1,52 @@
+commit 4ff774568e334a719fc8de16fe2309e2070f0da8
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon May 22 11:40:01 2023 +0200
+
+    p11sak: Fix user confirmation prompt behavior when stdin is closed
+    
+    Treat any error during user confirmation prompt as 'cancel' and skip all
+    operations.
+    
+    One can for example close stdin during a user prompt via CTRL+D. This was
+    erroneously treated as positive confirmation and therefore caused the
+    operation to be performed on the current key object and all further objects
+    matching the filter as well, instead of canceling the operation entirely.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index d75d8343..5b54b538 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
+             data->num_skipped++;
+             return CKR_OK;
+         case 'c':
++        case '\0':
+             data->skip_all = true;
+             data->num_skipped++;
+             return CKR_OK;
+@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
+             data->num_skipped++;
+             return CKR_OK;
+         case 'c':
++        case '\0':
+             data->skip_all = true;
+             data->num_skipped++;
+             return CKR_OK;
+@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
+             data->num_skipped++;
+             return CKR_OK;
+         case 'c':
++        case '\0':
+             data->skip_all = true;
+             data->num_skipped++;
+             return CKR_OK;
+@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
+             data->num_skipped++;
+             return CKR_OK;
+         case 'c':
++        case '\0':
+             data->skip_all = true;
+             data->num_skipped++;
+             return CKR_OK;

SOURCES/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch

@@ -0,0 +1,96 @@
+commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon Jul 10 10:19:13 2023 +0200
+
+    p11sak: Fix listing of key objects when other object types are present
+    
+    A command like 'p11sak list-key all --slot N ...' fails with
+    
+      p11sak: Attribute CKA_KEY_TYPE is not available in key object
+      p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
+      p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
+    
+    when the object repository contains other, non-key objects, e.g. certificates.
+    
+    When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
+    with C_FindObjects(), and thus other non-key objects also match the filter.
+    When a specific key type is specified, then only such objects match that
+    have the desired CKA_KEY_TYPE attribute value.
+    
+    Fix this by checking the object class in get_key_infos() and skip the object,
+    if it is not a key object.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index a6213720..6e11cb41 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
+         }
+     }
+ 
++    switch (class_val) {
++    case CKO_PUBLIC_KEY:
++    case CKO_PRIVATE_KEY:
++    case CKO_SECRET_KEY:
++        break;
++    default:
++        free(attrs[0].pValue);
++        return CKR_KEY_NEEDED;
++    }
++
+     for (i = 0; i < num_attrs; i++) {
+         if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
+             warnx("Attribute %s is not available in key object",
+@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
+             if (manual_filtering) {
+                 rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
+                                    NULL, NULL);
++                if (rc == CKR_KEY_NEEDED) {
++                    rc = CKR_OK;
++                    goto next;
++                }
+                 if (rc != CKR_OK)
+                     break;
+ 
+@@ -3672,6 +3686,10 @@ done_find:
+     for (i = 0; i < num_matched_keys; i++) {
+         rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
+                            &label, &typestr, &type);
++        if (rc == CKR_KEY_NEEDED) {
++            rc = CKR_OK;
++            goto next2;
++        }
+         if (rc != CKR_OK)
+             break;
+ 
+@@ -3680,6 +3698,7 @@ done_find:
+         if (rc != CKR_OK)
+             break;
+ 
++next2:
+         if (label != NULL)
+             free(label);
+         label = NULL;
+@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
+     *result = 0;
+ 
+     rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
++    if (rc == CKR_KEY_NEEDED) {
++        rc = CKR_OK;
++        *result = 1; /* non-key objects are always greater than key objects */
++        goto done;
++    }
+     if (rc != CKR_OK)
+         goto done;
+ 
+     rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
++    if (rc == CKR_KEY_NEEDED) {
++        rc = CKR_OK;
++        *result = -1; /* key objects are always smaller than non-key objects */
++        goto done;
++    }
+     if (rc != CKR_OK)
+         goto done;
+ 

SOURCES/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch

@@ -0,0 +1,84 @@
+commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon May 22 13:31:21 2023 +0200
+
+    pkcsstats: Fix handling of user name
+    
+    The struct passwd returned by getpwuid() is a pointer to a static area, that
+    may get overwritten by subsequent calls to getpwuid() or similar.
+    Actually, C_Initialize() itself is using getpwuid() internally, and thus will
+    interfere with the getpwuid() usage in pkcsstats.
+    
+    Make a copy of the returned user name before calling C_Initialize() in
+    init_ock() to ensure to work with the desired user name, and not with anything
+    left over from previous calls.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
+index c2444cf5..a842a295 100644
+--- a/usr/sbin/pkcsstats/pkcsstats.c
++++ b/usr/sbin/pkcsstats/pkcsstats.c
+@@ -783,6 +783,7 @@ int main(int argc, char **argv)
+     int opt = 0;
+     struct passwd *pswd = NULL;
+     int user_id = -1;
++    char *user_name = NULL;
+     bool summary = false, all_users = false, all_mechs = false;
+     bool reset = false, reset_all = false;
+     bool delete = false, delete_all = false;
+@@ -903,19 +904,27 @@ int main(int argc, char **argv)
+         }
+     }
+ 
++    user_name = strdup(pswd->pw_name);
++    if (user_name == NULL) {
++        warnx("Failed to get current user name");
++        exit(EXIT_FAILURE);
++    }
++
+     if (delete) {
+         if (slot_id_specified) {
+             warnx("Options -s/--slot and -d/--delete can not be specified together");
++            free(user_name);
+             exit(EXIT_FAILURE);
+         }
+ 
+-        rc = delete_shm(user_id, pswd->pw_name);
++        rc = delete_shm(user_id, user_name);
+         goto done;
+     }
+ 
+     if (delete_all) {
+         if (slot_id_specified) {
+             warnx("Options -s/--slot and -D/--delete-all can not be specified together");
++            free(user_name);
+             exit(EXIT_FAILURE);
+         }
+ 
+@@ -932,7 +941,7 @@ int main(int argc, char **argv)
+         goto done;
+ 
+     if (reset) {
+-        rc = reset_shm(user_id, pswd->pw_name, num_slots, slots,
++        rc = reset_shm(user_id, user_name, num_slots, slots,
+                        slot_id_specified, slot_id);
+         goto done;
+     }
+@@ -968,7 +977,7 @@ int main(int argc, char **argv)
+         rc = display_summary(&dd);
+         goto done;
+     } else {
+-        rc = display_stats(user_id, pswd->pw_name, &dd);
++        rc = display_stats(user_id, user_name, &dd);
+         goto done;
+     }
+ 
+@@ -984,5 +993,7 @@ done:
+         dlclose(dll);
+     }
+ 
++    free(user_name);
++
+     return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+ }

SOURCES/opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch

@@ -0,0 +1,37 @@
+commit f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Tue May 23 15:07:02 2023 +0200
+
+    p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
+    
+    On OpenSSL version before 1.1.1r function PEM_write_bio() segfaults when the
+    'header' argument is NULL. This was fixed in OpenSSL 1.1.1r with commit
+    https://github.com/openssl/openssl/commit/3b9082c844913d3a0efada9fac0bd2924ce1a8f2
+    
+    As a workaround, specify an empty string instead of NULL, which results in the
+    same output.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 5b54b538..3baae560 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -6794,7 +6794,7 @@ static CK_RV p11sak_export_spki(const struct p11sak_keytype *keytype,
+         return rc;
+     }
+ 
+-    ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, NULL,
++    ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, "",
+                         attr.pValue, attr.ulValueLen);
+     if (ret <= 0) {
+         warnx("Failed to write SPKI of %s key object \"%s\" to PEM file '%s'.",
+@@ -6888,7 +6888,7 @@ static CK_RV p11sak_export_asym_key(const struct p11sak_keytype *keytype,
+         ret = PEM_write_bio(bio, private ?
+                                     keytype->pem_name_private :
+                                     keytype->pem_name_public,
+-                            NULL, data, data_len);
++                            "", data, data_len);
+         if (ret <= 0) {
+             warnx("Failed to write %s key object \"%s\" to PEM file '%s'.",
+                   typestr, label, opt_file);

SPECS/opencryptoki.spec

@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
-Version: 3.22.0
-Release: 3%{?dist}
+Version: 3.21.0
+Release: 10%{?dist}.alma.1
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -15,6 +15,17 @@ Patch2: opencryptoki-3.21.0-p11sak.patch
 Patch3: opencryptoki-3.21-sandboxing.patch
 
 # upstream patches
+# pkcsstats: Fix handling of user name
+Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
+# p11sak: Fix user confirmation prompt behavior when stdin is closed
+Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
+# p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
+Patch102: opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch
+# p11sak fails as soon as there reside non-key objects
+Patch103: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
+# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
+Patch104: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
+
 # CVE-2024-0914 opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts
 Patch20: opencryptoki-CVE-2024-0914-part1.patch
 Patch21: opencryptoki-CVE-2024-0914-part2.patch
@@ -381,16 +392,8 @@ fi
 
 
 %changelog
-* Fri Feb 16 2024 Than Ngo <than@redhat.com> - 3.22.0-3
-- Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
-Related: RHEL-22791
-
-* Thu Feb 08 2024 Than Ngo <than@redhat.com> - 3.22.0-2
-- timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin)
-Resolves: RHEL-22791
-
-* Thu Nov 23 2023 Than Ngo <than@redhat.com> - 3.22.0-1
-- Resolves: RHEL-11413, update to 3.22.0
+* Wed Apr 03 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 3.21.0-10.alma.1
+- timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)
 
 * Tue Jul 18 2023 Than Ngo <than@redhat.com> - 3.21.0-9
 - Resolves: #2223588, FTBFS