.gitignore

@@ -1,2 +1,3 @@
 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
 SOURCES/p11-kit-0.23.22.tar.xz
+SOURCES/p11-kit-0.23.22.tar.xz.sig

.p11-kit.metadata

@@ -1,2 +1,3 @@
 526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
 339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz
+1ab50d9f01bb186c60c32b56467c6f9f56e365da SOURCES/p11-kit-0.23.22.tar.xz.sig

SOURCES/002-doc-dep.patch

@@ -0,0 +1,42 @@
+From 9f01a8a45ba913a9b65894cef9369b6010005096 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz@archlinux.org>
+Date: Tue, 11 Jan 2022 23:25:05 -0500
+Subject: [PATCH] gtkdoc: remove dependencies on custom target files
+
+Sadly, the `dependencies` kwarg does not actually do what it seems to be
+trying to be used for, here. It is for listing dependency or library
+objects whose compiler flags should be added to gtkdoc-scangobj.
+
+It will not actually add ninja target dependencies. The similar kwarg in
+other meson functions (e.g. genmarshal and compile_schemas) that *do*
+allow adding target dependencies, is `depend_files`.
+
+Older versions of meson simply did nothing in an if/elif/elif block
+where these custom_targets never matched anything, and were thus
+silently ignored.
+
+Meson 0.61 type-validates the arguments and rejects CustomTarget as
+invalid:
+
+```
+doc/manual/meson.build:72:8: ERROR: gnome.gtkdoc keyword argument 'dependencies' was of type array[CustomTarget | PkgConfigDependency] but should have been array[Dependency | SharedLibrary | StaticLibrary]
+```
+
+Fixes #406
+---
+ doc/manual/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/manual/meson.build b/doc/manual/meson.build
+index cf8758dbf..560df8dbc 100644
+--- a/doc/manual/meson.build
++++ b/doc/manual/meson.build
+@@ -73,7 +73,7 @@ if get_option('gtk_doc')
+               main_xml: 'p11-kit-docs.xml',
+               namespace: 'p11_kit',
+               src_dir: 'p11-kit',
+-              dependencies: libffi_deps + dlopen_deps + xml_deps,
++              dependencies: libffi_deps + dlopen_deps,
+               scan_args: [
+                 '--ignore-headers=' + ' '.join(ignore_headers),
+                 '--rebuild-types',

SOURCES/003-IBM-mechs-and-attrs.patch

@@ -0,0 +1,953 @@
+diff --color -ruNp a/common/attrs.c b/common/attrs.c
+--- a/common/attrs.c	2020-12-11 15:48:46.000000000 +0100
++++ b/common/attrs.c	2023-11-29 14:29:45.130552239 +0100
+@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBU
+ 	X (CKA_TRUST_STEP_UP_APPROVED)
+ 	X (CKA_CERT_SHA1_HASH)
+ 	X (CKA_CERT_MD5_HASH)
++	X (CKA_IBM_OPAQUE)
++	X (CKA_IBM_RESTRICTABLE)
++	X (CKA_IBM_NEVER_MODIFIABLE)
++	X (CKA_IBM_RETAINKEY)
++	X (CKA_IBM_ATTRBOUND)
++	X (CKA_IBM_KEYTYPE)
++	X (CKA_IBM_CV)
++	X (CKA_IBM_MACKEY)
++	X (CKA_IBM_USE_AS_DATA)
++	X (CKA_IBM_STRUCT_PARAMS)
++	X (CKA_IBM_STD_COMPLIANCE1)
++	X (CKA_IBM_PROTKEY_EXTRACTABLE)
++	X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE)
++	X (CKA_IBM_OPAQUE_PKEY)
++	X (CKA_IBM_DILITHIUM_KEYFORM)
++	X (CKA_IBM_DILITHIUM_RHO)
++	X (CKA_IBM_DILITHIUM_T1)
+ 	case CKA_VALUE:
+ 		return (klass != CKO_CERTIFICATE &&
+ 			klass != CKO_X_CERTIFICATE_EXTENSION);
+diff --color -ruNp a/common/constants.c b/common/constants.c
+--- a/common/constants.c	2020-12-11 15:48:46.000000000 +0100
++++ b/common/constants.c	2023-11-29 14:29:45.130552239 +0100
+@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[]
+ 	CT (CKA_WRAP_TEMPLATE, "wrap-template")
+ 	CT (CKA_UNWRAP_TEMPLATE, "unwrap-template")
+ 	CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms")
++	CT (CKA_IBM_OPAQUE, "ibm-opaque")
++	CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable")
++	CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable")
++	CT (CKA_IBM_RETAINKEY, "ibm-retainkey")
++	CT (CKA_IBM_ATTRBOUND, "ibm-attrbound")
++	CT (CKA_IBM_KEYTYPE, "ibm-keytype")
++	CT (CKA_IBM_CV, "ibm-cv")
++	CT (CKA_IBM_MACKEY, "ibm-mackey")
++	CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data")
++	CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params")
++	CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1")
++	CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable")
++	CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable")
++	CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform")
++	CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho")
++	CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed")
++	CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr")
++	CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1")
++	CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2")
++	CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0")
++	CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1")
++	CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey")
+ 	CT (CKA_NSS_URL, "nss-url")
+ 	CT (CKA_NSS_EMAIL, "nss-email")
+ 	CT (CKA_NSS_SMIME_INFO, "nss-smime-constant")
+@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] =
+ 	CT (CKK_AES, "aes")
+ 	CT (CKK_BLOWFISH, "blowfish")
+ 	CT (CKK_TWOFISH, "twofish")
++	CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium")
+ 	CT (CKK_NSS_PKCS8, "nss-pkcs8")
+ 	{ CKA_INVALID },
+ };
+@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanis
+ 	CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen")
+ 	CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen")
+ 	CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen")
++	CT (CKM_IBM_SHA3_224, "ibm-sha3-224")
++	CT (CKM_IBM_SHA3_256, "ibm-sha3-256")
++	CT (CKM_IBM_SHA3_384, "ibm-sha3-384")
++	CT (CKM_IBM_SHA3_512, "ibm-sha3-512")
++	CT (CKM_IBM_CMAC, "ibm-cmac")
++	CT (CKM_IBM_EC_X25519, "ibm-ec-x25519")
++	CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512")
++	CT (CKM_IBM_EC_X448, "ibm-ec-x448")
++	CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3")
++	CT (CKM_IBM_DILITHIUM, "ibm-dilithium")
++	CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac")
++	CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac")
++	CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac")
++	CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac")
++	CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap")
+ 	{ CKA_INVALID },
+ };
+ 
+diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h
+--- a/common/pkcs11x.h	2020-12-11 16:24:01.000000000 +0100
++++ b/common/pkcs11x.h	2023-11-29 14:29:45.252554771 +0100
+@@ -181,6 +181,71 @@ typedef CK_ULONG
+ 
+ #endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */
+ 
++/* Define this if you want the IBM specific symbols */
++#define CRYPTOKI_IBM_VENDOR_DEFINED 1
++#ifdef CRYPTOKI_IBM_VENDOR_DEFINED
++
++#define CKK_IBM_PQC_DILITHIUM    CKK_VENDOR_DEFINED + 0x10023
++
++#define CKA_IBM_OPAQUE                         (CKA_VENDOR_DEFINED + 1)
++#define CKA_IBM_RESTRICTABLE                   (CKA_VENDOR_DEFINED + 0x10001)
++#define CKA_IBM_NEVER_MODIFIABLE               (CKA_VENDOR_DEFINED + 0x10002)
++#define CKA_IBM_RETAINKEY                      (CKA_VENDOR_DEFINED + 0x10003)
++#define CKA_IBM_ATTRBOUND                      (CKA_VENDOR_DEFINED + 0x10004)
++#define CKA_IBM_KEYTYPE                        (CKA_VENDOR_DEFINED + 0x10005)
++#define CKA_IBM_CV                             (CKA_VENDOR_DEFINED + 0x10006)
++#define CKA_IBM_MACKEY                         (CKA_VENDOR_DEFINED + 0x10007)
++#define CKA_IBM_USE_AS_DATA                    (CKA_VENDOR_DEFINED + 0x10008)
++#define CKA_IBM_STRUCT_PARAMS                  (CKA_VENDOR_DEFINED + 0x10009)
++#define CKA_IBM_STD_COMPLIANCE1                (CKA_VENDOR_DEFINED + 0x1000a)
++#define CKA_IBM_PROTKEY_EXTRACTABLE            (CKA_VENDOR_DEFINED + 0x1000c)
++#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE      (CKA_VENDOR_DEFINED + 0x1000d)
++#define CKA_IBM_DILITHIUM_KEYFORM              (CKA_VENDOR_DEFINED + 0xd0001)
++#define CKA_IBM_DILITHIUM_RHO                  (CKA_VENDOR_DEFINED + 0xd0002)
++#define CKA_IBM_DILITHIUM_SEED                 (CKA_VENDOR_DEFINED + 0xd0003)
++#define CKA_IBM_DILITHIUM_TR                   (CKA_VENDOR_DEFINED + 0xd0004)
++#define CKA_IBM_DILITHIUM_S1                   (CKA_VENDOR_DEFINED + 0xd0005)
++#define CKA_IBM_DILITHIUM_S2                   (CKA_VENDOR_DEFINED + 0xd0006)
++#define CKA_IBM_DILITHIUM_T0                   (CKA_VENDOR_DEFINED + 0xd0007)
++#define CKA_IBM_DILITHIUM_T1                   (CKA_VENDOR_DEFINED + 0xd0008)
++#define CKA_IBM_OPAQUE_PKEY                    (CKA_VENDOR_DEFINED + 0xd0100)
++
++#define CKM_IBM_SHA3_224                       (CKM_VENDOR_DEFINED + 0x10001)
++#define CKM_IBM_SHA3_256                       (CKM_VENDOR_DEFINED + 0x10002)
++#define CKM_IBM_SHA3_384                       (CKM_VENDOR_DEFINED + 0x10003)
++#define CKM_IBM_SHA3_512                       (CKM_VENDOR_DEFINED + 0x10004)
++#define CKM_IBM_CMAC                           (CKM_VENDOR_DEFINED + 0x10007)
++#define CKM_IBM_EC_X25519                      (CKM_VENDOR_DEFINED + 0x1001b)
++#define CKM_IBM_ED25519_SHA512                 (CKM_VENDOR_DEFINED + 0x1001c)
++#define CKM_IBM_EC_X448                        (CKM_VENDOR_DEFINED + 0x1001e)
++#define CKM_IBM_ED448_SHA3                     (CKM_VENDOR_DEFINED + 0x1001f)
++#define CKM_IBM_DILITHIUM                      (CKM_VENDOR_DEFINED + 0x10023)
++#define CKM_IBM_SHA3_224_HMAC                  (CKM_VENDOR_DEFINED + 0x10025)
++#define CKM_IBM_SHA3_256_HMAC                  (CKM_VENDOR_DEFINED + 0x10026)
++#define CKM_IBM_SHA3_384_HMAC                  (CKM_VENDOR_DEFINED + 0x10027)
++#define CKM_IBM_SHA3_512_HMAC                  (CKM_VENDOR_DEFINED + 0x10028)
++#define CKM_IBM_ATTRIBUTEBOUND_WRAP            (CKM_VENDOR_DEFINED + 0x20004)
++
++/*
++ * If the caller is using the PKCS#11 GNU calling convention, then we cater
++ * to that here.
++ */
++#ifdef CRYPTOKI_GNU
++#define hSignVerifyKey h_sign_verify_key
++#endif
++
++struct ck_ibm_attributebound_wrap {
++	CK_OBJECT_HANDLE hSignVerifyKey;
++};
++
++typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
++
++#ifdef CRYPTOKI_GNU
++#undef hSignVerifyKey
++#endif
++
++#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
++
+ #if defined(__cplusplus)
+ }
+ #endif
+diff --color -ruNp a/p11-kit/meson.build b/p11-kit/meson.build
+--- a/p11-kit/meson.build	2023-11-29 14:27:53.265231072 +0100
++++ b/p11-kit/meson.build	2023-11-29 14:29:45.264555020 +0100
+@@ -211,6 +211,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_hea
+ static_library('p11-kit-pkcs11-gnu',
+                gnu_h,
+                'pkcs11-gnu.c',
++               c_args: [
++                 '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1',
++               ],
+                include_directories: [configinc, commoninc])
+ 
+ # Tests ----------------------------------------------------------------
+diff --color -ruNp a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h
+--- a/p11-kit/p11-kit.h	2020-12-11 15:48:46.000000000 +0100
++++ b/p11-kit/p11-kit.h	2023-11-29 14:29:45.265555041 +0100
+@@ -43,12 +43,17 @@
+  */
+ #ifdef CRYPTOKI_GNU
+ typedef ck_rv_t CK_RV;
++typedef ck_object_handle_t CK_OBJECT_HANDLE;
++typedef unsigned long int CK_ULONG;
+ typedef struct ck_function_list* CK_FUNCTION_LIST_PTR;
+ typedef struct ck_function_list CK_FUNCTION_LIST;
+ #endif
+ 
+ #include "p11-kit/deprecated.h"
+ 
++/* For size_t.  */
++#include <stddef.h>
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+diff --color -ruNp a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c
+--- a/p11-kit/pkcs11-gnu.c	2020-12-11 15:48:46.000000000 +0100
++++ b/p11-kit/pkcs11-gnu.c	2023-11-29 14:29:45.265555041 +0100
+@@ -1,3 +1,8 @@
++#include "config.h"
++
++#include "p11-kit.h"
++#include "pkcs11x.h"
++
+ #include "pkcs11-gnu-iter.h"
+ #include "pkcs11-gnu-pin.h"
+ #include "pkcs11-gnu-uri.h"
+diff --color -ruNp a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
+--- a/p11-kit/rpc-client.c	2020-12-11 15:48:46.000000000 +0100
++++ b/p11-kit/rpc-client.c	2023-11-29 14:29:45.220554107 +0100
+@@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_messag
+ #define IN_BYTE_BUFFER(arr, len) \
+ 	if (len == NULL) \
+ 		{ _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \
+-	if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \
++	if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \
+ 		{ _ret = CKR_HOST_MEMORY; goto _cleanup; }
+ 
+ #define IN_BYTE_ARRAY(arr, len) \
+@@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *se
+                   CK_BYTE_PTR part,
+                   CK_ULONG part_len)
+ {
+-	return_val_if_fail (part_len, CKR_ARGUMENTS_BAD);
+-
+ 	BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID);
+ 		IN_ULONG (session);
+ 		IN_BYTE_ARRAY (part, part_len);
+diff --color -ruNp a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
+--- a/p11-kit/rpc-message.c	2020-12-11 16:25:36.000000000 +0100
++++ b/p11-kit/rpc-message.c	2023-11-29 14:29:45.243554584 +0100
+@@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rp
+ 	assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay"));
+ 
+ 	/* No array, no data, just length */
+-	if (!arr) {
++	if (!arr && num != 0) {
+ 		p11_rpc_buffer_add_byte (msg->output, 0);
+ 		p11_rpc_buffer_add_uint32 (msg->output, num);
+ 	} else {
+@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUT
+ 	case CKA_RESET_ON_INIT:
+ 	case CKA_HAS_RESET:
+ 	case CKA_COLOR:
++	case CKA_IBM_RESTRICTABLE:
++	case CKA_IBM_NEVER_MODIFIABLE:
++	case CKA_IBM_RETAINKEY:
++	case CKA_IBM_ATTRBOUND:
++	case CKA_IBM_USE_AS_DATA:
++	case CKA_IBM_PROTKEY_EXTRACTABLE:
++	case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE:
+ 		return P11_RPC_VALUE_BYTE;
+ 	case CKA_CLASS:
+ 	case CKA_CERTIFICATE_TYPE:
+@@ -821,9 +828,13 @@ map_attribute_to_value_type (CK_ATTRIBUT
+ 	case CKA_CHAR_COLUMNS:
+ 	case CKA_BITS_PER_PIXEL:
+ 	case CKA_MECHANISM_TYPE:
++	case CKA_IBM_DILITHIUM_KEYFORM:
++	case CKA_IBM_STD_COMPLIANCE1:
++	case CKA_IBM_KEYTYPE:
+ 		return P11_RPC_VALUE_ULONG;
+ 	case CKA_WRAP_TEMPLATE:
+ 	case CKA_UNWRAP_TEMPLATE:
++	case CKA_DERIVE_TEMPLATE:
+ 		return P11_RPC_VALUE_ATTRIBUTE_ARRAY;
+ 	case CKA_ALLOWED_MECHANISMS:
+ 		return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY;
+@@ -869,6 +880,18 @@ map_attribute_to_value_type (CK_ATTRIBUT
+ 	case CKA_REQUIRED_CMS_ATTRIBUTES:
+ 	case CKA_DEFAULT_CMS_ATTRIBUTES:
+ 	case CKA_SUPPORTED_CMS_ATTRIBUTES:
++	case CKA_IBM_OPAQUE:
++	case CKA_IBM_CV:
++	case CKA_IBM_MACKEY:
++	case CKA_IBM_STRUCT_PARAMS:
++	case CKA_IBM_OPAQUE_PKEY:
++	case CKA_IBM_DILITHIUM_RHO:
++	case CKA_IBM_DILITHIUM_SEED:
++	case CKA_IBM_DILITHIUM_TR:
++	case CKA_IBM_DILITHIUM_S1:
++	case CKA_IBM_DILITHIUM_S2:
++	case CKA_IBM_DILITHIUM_T0:
++	case CKA_IBM_DILITHIUM_T1:
+ 		return P11_RPC_VALUE_BYTE_ARRAY;
+ 	}
+ }
+@@ -1406,9 +1429,466 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechani
+ 	return true;
+ }
+ 
++void
++p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer,
++						 const void *value,
++						 CK_ULONG value_length)
++{
++	CK_ECDH1_DERIVE_PARAMS params;
++
++	/* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */
++	if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&params, value, value_length);
++
++	/* Check if params.kdf can be converted to uint64_t. */
++	if (params.kdf > UINT64_MAX) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_uint64 (buffer, params.kdf);
++
++	/* parmas.shared_data can only be an array of CK_BYTE or
++	 * NULL */
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.shared_data,
++				       params.shared_data_len);
++
++	/* parmas.public_data can only be an array of CK_BYTE or
++	 * NULL */
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.public_data,
++				       params.public_data_len);
++}
++
++bool
++p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer,
++						 size_t *offset,
++						 void *value,
++						 CK_ULONG *value_length)
++{
++	uint64_t val;
++	const unsigned char *data1, *data2;
++	size_t len1, len2;
++
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
++		return false;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
++		return false;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
++		return false;
++
++
++	if (value) {
++		CK_ECDH1_DERIVE_PARAMS params;
++
++		params.kdf = val;
++		params.shared_data = (void *) data1;
++		params.shared_data_len = len1;
++		params.public_data = (void *) data2;
++		params.public_data_len = len2;
++
++		memcpy (value, &params, sizeof (CK_ECDH1_DERIVE_PARAMS));
++	}
++
++	if (value_length)
++		*value_length = sizeof (CK_ECDH1_DERIVE_PARAMS);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
++						       const void *value,
++						       CK_ULONG value_length)
++{
++	CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
++
++	/* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */
++	if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&params, value, value_length);
++
++	/* Check if params.hSignVerifyKey can be converted to uint64_t. */
++	if (params.hSignVerifyKey > UINT64_MAX) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey);
++}
++
++bool
++p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
++						       size_t *offset,
++						       void *value,
++						       CK_ULONG *value_length)
++{
++	uint64_t val;
++
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
++		return false;
++
++	if (value) {
++		CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
++
++		params.hSignVerifyKey = val;
++
++		memcpy (value, &params, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS));
++	}
++
++	if (value_length)
++		*value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
++					   const void *value,
++					   CK_ULONG value_length)
++{
++	/* Check if value can be converted to an AES IV. */
++	if (value_length != 16) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)value,
++				       value_length);
++}
++
++bool
++p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
++					   size_t *offset,
++					   void *value,
++					   CK_ULONG *value_length)
++{
++	const unsigned char *data;
++	size_t len;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
++		return false;
++
++	if (len != 16)
++		return false;
++
++	if (value)
++		memcpy (value, data, len);
++
++	if (value_length)
++		*value_length = len;
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
++					    const void *value,
++					    CK_ULONG value_length)
++{
++	CK_AES_CTR_PARAMS params;
++
++	/* Check if value can be converted to CK_AES_CTR_PARAMS. */
++	if (value_length != sizeof (CK_AES_CTR_PARAMS)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&params, value, value_length);
++
++	/* Check if params.counter_bits can be converted to uint64_t. */
++	if (params.counter_bits > UINT64_MAX) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_uint64 (buffer, params.counter_bits);
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.cb,
++				       sizeof(params.cb));
++}
++
++bool
++p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
++					    size_t *offset,
++					    void *value,
++					    CK_ULONG *value_length)
++{
++	uint64_t val;
++	const unsigned char *data;
++	size_t len;
++
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
++		return false;
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
++		return false;
++
++	if (value) {
++		CK_AES_CTR_PARAMS params;
++
++		params.ulCounterBits = val;
++
++		if (len != sizeof (params.cb))
++			return false;
++
++		memcpy (params.cb, data, sizeof (params.cb));
++		memcpy (value, &params, sizeof (CK_AES_CTR_PARAMS));
++	}
++
++	if (value_length)
++		*value_length = sizeof (CK_AES_CTR_PARAMS);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
++					    const void *value,
++					    CK_ULONG value_length)
++{
++	CK_GCM_PARAMS params;
++
++	/* Check if value can be converted to CK_GCM_PARAMS. */
++	if (value_length != sizeof (CK_GCM_PARAMS)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&params, value, value_length);
++
++	/* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */
++	if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.pIv,
++				       params.ulIvLen);
++	p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits);
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.pAAD,
++				       params.ulAADLen);
++	p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits);
++}
++
++bool
++p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
++					    size_t *offset,
++					    void *value,
++					    CK_ULONG *value_length)
++{
++	uint64_t val1, val2;
++	const unsigned char *data1, *data2;
++	size_t len1, len2;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
++		return false;
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1))
++		return false;
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
++		return false;
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2))
++		return false;
++
++	if (value) {
++		CK_GCM_PARAMS params;
++
++		params.pIv = (void *) data1;
++		params.ulIvLen = len1;
++		params.ulIvBits = val1;
++		params.pAAD = (void *) data2;
++		params.ulAADLen = len2;
++		params.ulTagBits = val2;
++
++		memcpy (value, &params, sizeof (CK_GCM_PARAMS));
++	}
++
++	if (value_length)
++		*value_length = sizeof (CK_GCM_PARAMS);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
++					   const void *value,
++					   CK_ULONG value_length)
++{
++	/* Check if value can be converted to an DES IV. */
++	if (value_length != 8) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)value,
++				       value_length);
++}
++
++bool
++p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
++					   size_t *offset,
++					   void *value,
++					   CK_ULONG *value_length)
++{
++	const unsigned char *data;
++	size_t len;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
++		return false;
++
++	if (len != 8)
++		return false;
++
++	if (value)
++		memcpy (value, data, len);
++
++	if (value_length)
++		*value_length = len;
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer,
++						const void *value,
++						CK_ULONG value_length)
++{
++	CK_ULONG val;
++	uint64_t params;
++
++	/*
++	 * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which
++	 * is a CK_ULONG.
++	 */
++	if (value_length != sizeof (CK_ULONG)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&val, value, value_length);
++	params = val;
++
++	p11_rpc_buffer_add_uint64 (buffer, params);
++}
++
++bool
++p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer,
++						size_t *offset,
++						void *value,
++						CK_ULONG *value_length)
++{
++	uint64_t val;
++	CK_ULONG params;
++
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
++		return false;
++
++	params = val;
++
++	if (value)
++		memcpy (value, &params, sizeof (params));
++
++	if (value_length)
++		*value_length = sizeof (params);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
++						   const void *value,
++						   CK_ULONG value_length)
++{
++	/* Mechanism parameter is public value of the other party */
++	if (value_length == 0) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)value,
++				       value_length);
++}
++
++bool
++p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
++						   size_t *offset,
++						   void *value,
++						   CK_ULONG *value_length)
++{
++	const unsigned char *data;
++	size_t len;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
++		return false;
++
++	if (len == 0)
++		return false;
++
++	if (value)
++		memcpy (value, data, len);
++
++	if (value_length)
++		*value_length = len;
++
++	return true;
++}
++
+ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
+ 	{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+-	{ CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }
++	{ CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
++	{ CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
++	{ CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value },
++	{ CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
++	{ CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
++	{ CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value },
++	{ CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value },
++	{ CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value },
+ };
+ 
+ static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
+@@ -1453,6 +1933,7 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_MD2_RSA_PKCS:
+ 	case CKM_MD5_RSA_PKCS:
+ 	case CKM_SHA1_RSA_PKCS:
++	case CKM_SHA224_RSA_PKCS:
+ 	case CKM_SHA256_RSA_PKCS:
+ 	case CKM_SHA384_RSA_PKCS:
+ 	case CKM_SHA512_RSA_PKCS:
+@@ -1467,6 +1948,10 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_EC_KEY_PAIR_GEN:
+ 	case CKM_ECDSA:
+ 	case CKM_ECDSA_SHA1:
++	case CKM_ECDSA_SHA224:
++	case CKM_ECDSA_SHA256:
++	case CKM_ECDSA_SHA384:
++	case CKM_ECDSA_SHA512:
+ 	case CKM_DH_PKCS_KEY_PAIR_GEN:
+ 	case CKM_DH_PKCS_PARAMETER_GEN:
+ 	case CKM_X9_42_DH_KEY_PAIR_GEN:
+@@ -1480,6 +1965,7 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_AES_KEY_GEN:
+ 	case CKM_AES_ECB:
+ 	case CKM_AES_MAC:
++	case CKM_AES_CMAC:
+ 	case CKM_DES_KEY_GEN:
+ 	case CKM_DES2_KEY_GEN:
+ 	case CKM_DES3_KEY_GEN:
+@@ -1505,6 +1991,7 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_RC2_MAC:
+ 	case CKM_DES_MAC:
+ 	case CKM_DES3_MAC:
++	case CKM_DES3_CMAC:
+ 	case CKM_CDMF_MAC:
+ 	case CKM_CAST_MAC:
+ 	case CKM_CAST3_MAC:
+@@ -1521,18 +2008,46 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_MD5_HMAC:
+ 	case CKM_SHA_1:
+ 	case CKM_SHA_1_HMAC:
++	case CKM_SHA1_KEY_DERIVATION:
++	case CKM_SHA224:
++	case CKM_SHA224_HMAC:
++	case CKM_SHA224_KEY_DERIVATION:
+ 	case CKM_SHA256:
+ 	case CKM_SHA256_HMAC:
++	case CKM_SHA256_KEY_DERIVATION:
+ 	case CKM_SHA384:
+ 	case CKM_SHA384_HMAC:
++	case CKM_SHA384_KEY_DERIVATION:
+ 	case CKM_SHA512:
+ 	case CKM_SHA512_HMAC:
++	case CKM_SHA512_KEY_DERIVATION:
++	case CKM_SHA512_T:
++	case CKM_SHA512_T_HMAC:
++	case CKM_SHA512_T_KEY_DERIVATION:
++	case CKM_SHA512_224:
++	case CKM_SHA512_224_HMAC:
++	case CKM_SHA512_224_KEY_DERIVATION:
++	case CKM_SHA512_256:
++	case CKM_SHA512_256_HMAC:
++	case CKM_SHA512_256_KEY_DERIVATION:
+ 	case CKM_FASTHASH:
+ 	case CKM_RIPEMD128:
+ 	case CKM_RIPEMD128_HMAC:
+ 	case CKM_RIPEMD160:
+ 	case CKM_RIPEMD160_HMAC:
+ 	case CKM_KEY_WRAP_LYNKS:
++	case CKM_IBM_SHA3_224:
++	case CKM_IBM_SHA3_256:
++	case CKM_IBM_SHA3_384:
++	case CKM_IBM_SHA3_512:
++	case CKM_IBM_CMAC:
++	case CKM_IBM_DILITHIUM:
++	case CKM_IBM_SHA3_224_HMAC:
++	case CKM_IBM_SHA3_256_HMAC:
++	case CKM_IBM_SHA3_384_HMAC:
++	case CKM_IBM_SHA3_512_HMAC:
++	case CKM_IBM_ED25519_SHA512:
++	case CKM_IBM_ED448_SHA3:
+ 		return true;
+ 	default:
+ 		return false;
+diff --color -ruNp a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
+--- a/p11-kit/rpc-message.h	2020-12-11 16:25:36.000000000 +0100
++++ b/p11-kit/rpc-message.h	2023-11-29 14:29:45.243554584 +0100
+@@ -42,6 +42,7 @@
+ 
+ #include "buffer.h"
+ #include "pkcs11.h"
++#include "pkcs11x.h"
+ 
+ /* The calls, must be in sync with array below */
+ enum {
+@@ -478,5 +479,85 @@ bool             p11_rpc_buffer_get_rsa_
+ 							   size_t *offset,
+ 							   void *value,
+ 							   CK_ULONG *value_length);
++
++void            p11_rpc_buffer_add_ecdh1_derive_mechanism_value
++							  (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool            p11_rpc_buffer_get_ecdh1_derive_mechanism_value
++							  (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void            p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
++							  (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool            p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
++							  (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
++							    const void *value,
++							    CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
++							    size_t *offset,
++							    void *value,
++							    CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
++							    const void *value,
++							    CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
++							    size_t *offset,
++							    void *value,
++							    CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_mac_general_mechanism_value
++							  (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_mac_general_mechanism_value
++							  (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value
++							  (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value
++							  (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
+ 
+ #endif /* _RPC_MESSAGE_H */
+diff --color -ruNp a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
+--- a/p11-kit/rpc-server.c	2020-12-11 16:25:36.000000000 +0100
++++ b/p11-kit/rpc-server.c	2023-11-29 14:29:45.221554128 +0100
+@@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message
+ 	*n_buffer = length;
+ 	*buffer = NULL;
+ 
++	/* length = -1 indicates length = 0, but buffer not NULL */
++	if (length == (uint32_t)-1) {
++		*n_buffer = 0;
++		length = 1; /*allocate 1 dummy byte */
++	}
++
+ 	/* If set to zero, then they just want the length */
+ 	if (length == 0)
+ 		return CKR_OK;

SPECS/p11-kit.spec

@@ -1,10 +1,10 @@
 # This spec file has been automatically updated
-Version:	0.23.22
-Release: 1%{?dist}
+Version:        0.23.22
+Release:        2%{?dist}
 Name:           p11-kit
 Summary:        Library for loading and sharing PKCS#11 modules
 
-License:        BSD
+License:        BSD-3-Clause
 URL:            http://p11-glue.freedesktop.org/p11-kit.html
 Source0:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz
 Source1:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig
@@ -12,7 +12,11 @@ Source2:        gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
 Source3:        trust-extract-compat
 Source4:        p11-kit-client.service
 
-Patch1:         p11-kit-dt-needed.patch
+Patch0:         001-dt-needed.patch
+Patch1:         002-doc-dep.patch
+# commits: 4059f17, d07a8ff, 218e971, c4ade85, 242e5db, ac0da82, 7235af6,
+#          b72aa47, 506b941, 3c0be1d, 7ea5901, 7675f86, d1782b6
+Patch2:         003-IBM-mechs-and-attrs.patch
 
 BuildRequires:  gcc
 BuildRequires:  libtasn1-devel >= 2.3
@@ -26,6 +30,7 @@ BuildRequires:  bash-completion
 # Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
 # Remove this once it is fixed
 BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(systemd)
 BuildRequires:  gnupg2
 BuildRequires:  /usr/bin/xsltproc
 
@@ -47,13 +52,13 @@ developing applications that use %{name}.
 %package trust
 Summary:            System trust module from %{name}
 Requires:           %{name}%{?_isa} = %{version}-%{release}
-Requires(post):     %{_sbindir}/update-alternatives
-Requires(postun):   %{_sbindir}/update-alternatives
+Requires(post):     %{_sbindir}/alternatives
+Requires(postun):   %{_sbindir}/alternatives
 Conflicts:          nss < 3.14.3-9
 
 %description trust
 The %{name}-trust package contains a system trust PKCS#11 module which
-contains certificate anchors and black lists.
+contains certificate anchors and blocklists.
 
 
 %package server
@@ -102,13 +107,12 @@ install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir}
 
 
 %post trust
-%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
-        %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
+%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
 
 %postun trust
 if [ $1 -eq 0 ] ; then
         # package removal
-        %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
+        %{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
 fi
 
 
@@ -155,6 +159,10 @@ fi
 
 
 %changelog
+* Fri Dec 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.23.22-2
+- Add IBM specific mechanisms and attributes
+  Resolves: RHEL-10571
+
 * Mon Jan 11 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-1
 - Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363)
 - Preserve DT_NEEDED information from the previous version, flagged by rpmdiff