.gitignore

@@ -1 +1 @@
-/volume_key-0.3.11.tar.xz
+SOURCES/volume_key-0.3.12.tar.xz

.volume_key.metadata

@@ -0,0 +1 @@
+c983123b3b7f36819d26c7421a290657a02534b7 SOURCES/volume_key-0.3.12.tar.xz

SOURCES/volume_key-0.3.12-fix_resource_leaks.patch

@@ -0,0 +1,59 @@
+diff --git a/lib/kmip.c b/lib/kmip.c
+index dda819a..333603c 100644
+--- a/lib/kmip.c
++++ b/lib/kmip.c
+@@ -1152,6 +1152,7 @@ kmip_decode_key_value (struct kmip_decoding_state *kmip,
+       break;
+ 
+     default:
++      kmip_key_value_free (res);
+       g_return_val_if_reached (-1);
+     }
+   res->attributes = g_ptr_array_new ();
+@@ -1348,6 +1349,7 @@ kmip_decode_object_symmetric_key (struct kmip_decoding_state *kmip,
+       g_snprintf (num, sizeof (num), "%" G_GUINT32_FORMAT, res->block->type);
+       g_set_error (error, LIBVK_ERROR, LIBVK_ERROR_KMIP_UNSUPPORTED_VALUE,
+ 		   _("Unsupported symmetric key format %s"), num);
++      kmip_object_symmetric_key_free (res);
+       return -1;
+     }
+   *obj = res;
+@@ -1384,6 +1386,7 @@ kmip_decode_object_secret_data (struct kmip_decoding_state *kmip,
+       g_snprintf (num, sizeof (num), "%" G_GUINT32_FORMAT, res->block->type);
+       g_set_error (error, LIBVK_ERROR, LIBVK_ERROR_KMIP_UNSUPPORTED_VALUE,
+ 		   _("Unsupported symmetric key format %s"), num);
++      kmip_object_secret_data_free (res);
+       return -1;
+     }
+   *obj = res;
+diff --git a/lib/volume_luks.c b/lib/volume_luks.c
+index d1c5d47..4d32d9b 100644
+--- a/lib/volume_luks.c
++++ b/lib/volume_luks.c
+@@ -547,8 +547,8 @@ luks_apply_secret (struct libvk_volume *vol, const struct libvk_volume *packet,
+     }
+   g_free (last_log_entry);
+ 
+-  g_return_val_if_fail (vol->v.luks->key_bytes == packet->v.luks->key_bytes,
+-			-1);
++  if (vol->v.luks->key_bytes != packet->v.luks->key_bytes)
++    goto err_passphrase;
+   luks_replace_key (vol, packet->v.luks->key);
+   luks_replace_passphrase (vol, passphrase);
+   vol->v.luks->passphrase_slot = res;
+diff --git a/src/volume_key.c b/src/volume_key.c
+index 074b187..24b70d6 100644
+--- a/src/volume_key.c
++++ b/src/volume_key.c
+@@ -735,6 +735,11 @@ write_packet (struct packet_output_state *pos, const char *filename,
+       || g_file_set_contents (filename, packet, size, error) == FALSE)
+     {
+       g_prefix_error (error, _("Error creating `%s': "), filename);
++      if (packet != NULL) {
++        if (output_format_cleartext != 0)
++          memset (packet, 0, size);
++        g_free (packet);
++      }
+       return -1;
+     }
+   if (output_format_cleartext != 0)

SOURCES/volume_key-0.3.12-support_LUKS2_and_more.patch

@@ -1,12 +1,3 @@
-From d0aa966c014d8301371e693966dcac3d9e9c0ccd Mon Sep 17 00:00:00 2001
-From: Vojtech Trefny <vtrefny@redhat.com>
-Date: Mon, 10 Sep 2018 13:07:41 +0200
-Subject: [PATCH] Add suppport for opening LUKS2 devices
-
----
- lib/volume_luks.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
 diff --git a/lib/volume_luks.c b/lib/volume_luks.c
 index f4bf2c8..d1c5d47 100644
 --- a/lib/volume_luks.c
@@ -31,6 +22,3 @@ index f4bf2c8..d1c5d47 100644
    if (r < 0)
      goto err_cd;
    return cd;
--- 
-2.17.1
-

SPECS/volume_key.spec

@@ -1,104 +1,139 @@
+# Define `python3_sitearch' if there is no one:
+%{!?python3_sitearch:%global python3_sitearch %(%{__python3} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
+
+# Enable Python 3 in Fedora and RHEL > 7 as default:
+%if 0%{?fedora} || 0%{?rhel} > 7
+# Add `--without python3' option (enable python3 by default):
+%bcond_without python3
+%else
+# Add `--with python3' option (disable python3 by default):
+%bcond_with python3
+%endif
+
+# Drop Python 2 in Fedora >= 30 and RHEL > 7 as default:
+%if 0%{?fedora} >= 30 || 0%{?rhel} > 7
+%global drop_python2 1
+%global configure_with_python2 no
+%else
+# Define `python2_sitearch' if there is no one:
+%{!?python2_sitearch:%global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%global configure_with_python2 yes
+%endif
+
+%if %{with python3}
+%global configure_with_python3 yes
+%else
+%global configure_with_python3 no
+%endif
+
+# Additional configure options:
+%global with_pythons --with-python=%{configure_with_python2} --with-python3=%{?configure_with_python3}
+
 Summary: An utility for manipulating storage encryption keys and passphrases
 Name: volume_key
-Version: 0.3.11
-Release: 7%{?dist}
-# lib/{SECerrs,SSLerrs}.h are both licensed under MPLv1.1, GPLv2 and LGPLv2
-License: GPLv2 and (MPLv1.1 or GPLv2 or LGPLv2)
-Group: Applications/System
-URL: https://pagure.io/volume_key/
-Requires: volume_key-libs%{?_isa} = %{version}-%{release}
+Version: 0.3.12
+Release: 16%{?dist}
+License: GPLv2
+URL: https://pagure.io/%{name}/
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
-Source0: https://releases.pagure.org/volume_key/volume_key-%{version}.tar.xz
-# Add support for opening all types of LUKS devices (not just LUKS1)
-# Resolves: rhbz#1626974
-Patch0: volume_key-0.3.11-support_LUKS_all.patch
-# Make volume_key working in FIPS mode
-# Resolves: rhbz#2143223
-Patch1: volume_key-0.3.11-FIPS.patch
-# Diagnose patch to get more insight on whats wrong
-Patch2: volume_key-0.3.11-show_get_password_error.patch
-# fix getting backup password from secret the FIPS way, RHEL-113242
-Patch3: volume_key-0.3.12-fips2.patch
-BuildRequires: cryptsetup-luks-devel, gettext-devel, glib2-devel, /usr/bin/gpg2
+Source0: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.xz
+# Support all LUKS devices
+# - backport of 26c09768662d8958debe8c9410dae9fda02292c3
+Patch0: volume_key-0.3.12-support_LUKS2_and_more.patch
+# Fix resource leaks
+# - backport of bf6618ec0b09b4e51fc97fa021e687fbd87599ba
+Patch1: volume_key-0.3.12-fix_resource_leaks.patch
+Patch2:  volume_key-0.3.12-FIPS.patch
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: cryptsetup-devel, gettext-devel, glib2-devel, /usr/bin/gpg2
 BuildRequires: gpgme-devel, libblkid-devel, nss-devel, python3-devel
+%if 0%{?drop_python2} < 1
+BuildRequires: python2-devel
+%endif
 # Needed by %%check:
 BuildRequires: nss-tools
 
-%description
-This package provides a command-line tool for manipulating storage volume
-encryption keys and storing them separately from volumes.
-
-The main goal of the software is to allow restoring access to an encrypted
-hard drive if the primary user forgets the passphrase.  The encryption key
-back up can also be useful for extracting data after a hardware or software
-failure that corrupts the header of the encrypted volume, or to access the
+%global desc_common The main goal of the software is to allow restoring access to an encrypted\
+hard drive if the primary user forgets the passphrase.  The encryption key\
+back up can also be useful for extracting data after a hardware or software\
+failure that corrupts the header of the encrypted volume, or to access the\
 company data after an employee leaves abruptly.
 
+%global desc_app This package provides a command-line tool for manipulating storage volume\
+encryption keys and storing them separately from volumes.\
+\
+%{desc_common}
+
+%global desc_lib This package provides lib%{name}, a library for manipulating storage volume\
+encryption keys and storing them separately from volumes.\
+\
+%{desc_common}
+
+%global desc_python(V:) This package provides %%{-V:Python %%{-V*}}%%{!-V:Python} bindings for lib%{name}, a library for\
+manipulating storage volume encryption keys and storing them separately from\
+volumes.\
+\
+%{desc_common}\
+\
+%{name} currently supports only the LUKS volume encryption format.  Support\
+for other formats is possible, some formats are planned for future releases.
+
+%description
+%{desc_app}
+
 %package devel
 Summary: A library for manipulating storage encryption keys and passphrases
-Group: Development/Libraries
-Requires: volume_key-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 %description devel
-This package provides libvolume_key, a library for manipulating storage volume
-encryption keys and storing them separately from volumes.
-
-The main goal of the software is to allow restoring access to an encrypted
-hard drive if the primary user forgets the passphrase.  The encryption key
-back up can also be useful for extracting data after a hardware or software
-failure that corrupts the header of the encrypted volume, or to access the
-company data after an employee leaves abruptly.
+%{desc_lib}
 
 %package libs
 Summary: A library for manipulating storage encryption keys and passphrases
-Group: System Environment/Libraries
 Requires: /usr/bin/gpg2
 
 %description libs
-This package provides libvolume_key, a library for manipulating storage volume
-encryption keys and storing them separately from volumes.
+%{desc_lib}
 
-The main goal of the software is to allow restoring access to an encrypted
-hard drive if the primary user forgets the passphrase.  The encryption key
-back up can also be useful for extracting data after a hardware or software
-failure that corrupts the header of the encrypted volume, or to access the
-company data after an employee leaves abruptly.
+%if 0%{?drop_python2} < 1
+%package -n python2-%{name}
+%{?python_provide:%python_provide python2-%{name}}
+Summary: Python bindings for lib%{name}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
-%package -n python3-volume_key
-%{?python_provide:%python_provide python3-volume_key}
-Summary: Python bindings for libvolume_key
-Group: System Environment/Libraries
-Requires: volume_key-libs%{?_isa} = %{version}-%{release}
+%description -n python2-%{name}
+%desc_python
+%endif
 
-%description -n python3-volume_key
-This package provides Python bindings for libvolume_key, a library for
-manipulating storage volume encryption keys and storing them separately from
-volumes.
+%if %{with python3}
+%package -n python3-%{name}
+%{?python_provide:%python_provide python3-%{name}}
+Summary: Python 3 bindings for lib%{name}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
-The main goal of the software is to allow restoring access to an encrypted
-hard drive if the primary user forgets the passphrase.  The encryption key
-back up can also be useful for extracting data after a hardware or software
-failure that corrupts the header of the encrypted volume, or to access the
-company data after an employee leaves abruptly.
-
-volume_key currently supports only the LUKS volume encryption format.  Support
-for other formats is possible, some formats are planned for future releases.
+%description -n python3-%{name}
+%desc_python -V 3
+%endif
 
 %prep
 %setup -q
 %patch -P 0 -p1
 %patch -P 1 -p1
-%patch -P 2 -p1
-%patch -P 3 -p1 -b .fips2
+%patch -P 2 -p1 -b .FIPS
 
 %build
-%configure
+%configure %{?with_pythons}
 make %{?_smp_mflags}
 
 %install
 make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p'
 
-%find_lang volume_key
+# Remove libtool archive
+find %{buildroot} -type f -name "*.la" -delete
+
+%find_lang %{name}
 
 %check
 make check || { \
@@ -108,67 +143,99 @@ echo "=================================================================="; \
 exit 1; \
 }
 
-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %ldconfig_scriptlets libs
 
 %files
-%defattr(-,root,root,-)
 %doc README contrib
-%{_bindir}/volume_key
-%{_mandir}/man8/volume_key.8*
+%{_bindir}/%{name}
+%{_mandir}/man8/%{name}.8*
 
 %files devel
-%defattr(-,root,root,-)
-%{_includedir}/volume_key
-%exclude %{_libdir}/libvolume_key.la
-%{_libdir}/libvolume_key.so
+%{_includedir}/%{name}
+%{_libdir}/lib%{name}.so
 
-%files libs -f volume_key.lang
-%defattr(-,root,root,-)
+%files libs -f %{name}.lang
 %doc AUTHORS COPYING ChangeLog NEWS
-%{_libdir}/libvolume_key.so.*
+%{_libdir}/lib%{name}.so.*
 
-%files -n python3-volume_key
-%defattr(-,root,root,-)
-%exclude %{python3_sitearch}/_volume_key.la
-%{python3_sitearch}/_volume_key.so
-%{python3_sitearch}/volume_key.py*
-%{python3_sitearch}/__pycache__/volume_key.*
+%if 0%{?drop_python2} < 1
+%files -n python2-%{name}
+%{python2_sitearch}/_%{name}.so
+%{python2_sitearch}/%{name}.py*
+%endif
+
+%if %{with python3}
+%files -n python3-%{name}
+%{python3_sitearch}/_%{name}.so
+%{python3_sitearch}/%{name}.py*
+%{python3_sitearch}/__pycache__/%{name}.*
+%endif
 
 %changelog
-* Thu Feb 12 2026 Michal Hlavinka <mhlavink@redhat.com> - 0.3.11-7
-- make getting password from backed up secret FIPS compatible (RHEL-113242)
+* Thu Feb 06 2025 Michal Hlavinka <mhlavink@redhat.com> - 0.3.12-16
+- make volume_key FIPS compliant (RHEL-78044)
 
-* Fri Jul 21 2023 Jiri Kucera <jkucera@redhat.com> - 0.3.11-6
-- Make volume_key working in FIPS mode
-  Resolves: #2143223
+* Thu Aug 26 2021 Jiri Kucera <jkucera@redhat.com> - 0.3.12-15
+- Fix FTBFS
+  Related: #1986584
 
-* Wed Aug 14 2019 Jiri Kucera <jkucera@redhat.com> - 0.3.11-5
-- Place %%find_lang to proper place
-  Resolves: #1665135
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.3.12-14
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Jan 08 2019 Jiri Kucera <jkucera@redhat.com> - 0.3.11-4
-- fixed License
-- Requires: /usr/bin/gpg2 in libs subpackage
-- Added support for opening all types of LUKS devices
-  Resolves: #1626974
+* Fri Aug 06 2021 Jiri Kucera <jkucera@redhat.com> - 0.3.12-13
+- Adjust License tag to the effective license
+  Resolves: #1986584
 
-* Thu Aug 09 2018 Jiri Kucera <jkucera@redhat.com> - 0.3.11-3
-- Added %%check
-  Resolves: #1614420
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.3.12-12
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Tue Jul 24 2018 Jiri Kucera <jkucera@redhat.com> - 0.3.11-2
-- added missing licenses
-- update to gpg2
+* Wed Mar 31 2021 Jiri Kucera <jkucera@redhat.com> - 0.3.12-11
+- Fix resource leaks
+  Resolves: #1938896
 
-* Thu Jul 19 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.3.11-1
-- Update to 3.11
-- Change to Python 3
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.12-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Fri Jul 13 2018 Petr Viktorin <pviktori@redhat.com> - 0.3.9-20
-- Allow Python 2 for build
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.12-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.3.12-8
+- Rebuilt for Python 3.9
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.12-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.3.12-6
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.3.12-5
+- Rebuilt for Python 3.8
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.12-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan 23 2019 Jiri Kucera <jkucera@redhat.com> - 0.3.12-2
+- Add support for LUKS2 and more
+- Fix License tag
+
+* Mon Oct 08 2018 Jiri Kucera <jkucera@redhat.com> - 0.3.12-1
+- Update to volume_key-0.3.12
+  Resolves: #1634850
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed May 16 2018 Jiri Kucera <jkucera@redhat.com> - 0.3.10-1
+- Update to volume_key-0.3.10
+  Resolves: #1479349, #1517016
+
+* Wed Feb 14 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.3.9-20
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.9-19
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

sources

@@ -1 +0,0 @@
-SHA512 (volume_key-0.3.11.tar.xz) = b9da00578b31c96231ebde55fd91c9aafbd663e541c560460fb6c3305e1a0e1fb3115a95682dc4713027d084e14ffa39d638653384a18d69f5dc892fc4855a97

volume_key-0.3.11-show_get_password_error.patch

@@ -1,49 +0,0 @@
-diff --git a/src/volume_key.c b/src/volume_key.c
-index 24b70d6..9642072 100644
---- a/src/volume_key.c
-+++ b/src/volume_key.c
-@@ -17,6 +17,7 @@ Author: Miloslav Trmač <mitr@redhat.com> */
- #include <config.h>
- 
- #include <assert.h>
-+#include <errno.h>
- #include <langinfo.h>
- #include <locale.h>
- #include <regex.h>
-@@ -403,6 +404,7 @@ get_password (const char *prompt)
-   char buf[LINE_MAX], *p;
-   struct termios otermios;
-   gboolean echo_disabled;
-+  int saved_errno = 0;
- 
-   tty = fopen ("/dev/tty", "r+");
-   if (tty != NULL)
-@@ -430,7 +432,8 @@ get_password (const char *prompt)
-       echo_disabled = tcsetattr (fileno (in_file), TCSAFLUSH, &ntermios) == 0;
-     }
- 
--  p = fgets(buf, sizeof(buf), in_file);
-+  p = fgets (buf, sizeof (buf), in_file);
-+  saved_errno = errno;
- 
-   if (echo_disabled)
-     {
-@@ -441,13 +444,15 @@ get_password (const char *prompt)
-   if (tty != NULL)
-     fclose (tty);
- 
--  if (p == NULL)
-+  if (p == NULL) {
-+    fprintf (stderr, "fgets: %s\n", strerror (saved_errno));
-     return NULL;
-+  }
- 
--  p = strchr(buf, '\r');
-+  p = strchr (buf, '\r');
-   if (p != NULL)
-     *p = '\0';
--  p = strchr(buf, '\n');
-+  p = strchr (buf, '\n');
-   if (p != NULL)
-     *p = '\0';
- 

volume_key-0.3.12-fips2.patch

@@ -1,207 +0,0 @@
-diff --git a/lib/crypto.c b/lib/crypto.c
-index 7554f19..7b8dc39 100644
---- a/lib/crypto.c
-+++ b/lib/crypto.c
-@@ -179,6 +179,150 @@ import_sym_key (PK11SlotInfo *slot, CK_MECHANISM_TYPE type, PK11Origin origin,
- }
- 
-  /* LIBVK_PACKET_FORMAT_ASYMMETRIC */
-+/*
-+ * FIPS compliant implementation of PK11_ExtractKeyValue() + PK11_GetKeyData().
-+ * Instead of directly extracting the key value (which is not allowed in FIPS mode),
-+ * we wrap the symmetric key with a temporary wrapping key, then decrypt the
-+ * wrapped data to get the raw key bytes.
-+ * Returns a newly allocated SECItem with the key data on success, NULL on failure.
-+ * The caller must free the result with SECITEM_FreeItem(result, PR_TRUE).
-+ */
-+static SECItem *
-+extract_sym_key (PK11SymKey *sym_key)
-+{
-+  CK_MECHANISM_TYPE wrap_mechanism = 0UL;
-+  PK11SlotInfo *slot = NULL;
-+  PK11SymKey *wrapping_key = NULL;
-+  SECItem tmp_sec_item, wrapped_key_item;
-+  PK11Context *wrap_key_crypt_context = NULL;
-+  int block_size = 0;
-+  size_t wrapped_key_size = 0;
-+  unsigned char *wrapped_key = NULL;
-+  SECItem *clear_key = NULL;
-+  int out_len = 0;
-+  unsigned int final_len = 0;
-+  SECStatus ret = 0;
-+  int key_len = 0;
-+
-+  /* Fall back to PK11_ExtractKeyValue() + PK11_GetKeyData() if FIPS mode is disabled. */
-+  if (PK11_IsFIPS () == PR_FALSE)
-+    {
-+      SECItem *key_data;
-+
-+      if (PK11_ExtractKeyValue (sym_key) != SECSuccess)
-+        return NULL;
-+      key_data = PK11_GetKeyData (sym_key);
-+      if (key_data == NULL)
-+        return NULL;
-+      return SECITEM_DupItem (key_data);
-+    }
-+
-+  slot = PK11_GetSlotFromKey (sym_key);
-+  if (slot == NULL)
-+    return NULL;
-+
-+  /* Get the best mechanism for the wrapping operation. */
-+  wrap_mechanism = PK11_GetBestWrapMechanism (slot);
-+
-+  /* Generate a symmetric wrapping key. */
-+  wrapping_key = PK11_KeyGen (slot, wrap_mechanism, NULL,
-+                              PK11_GetBestKeyLength (slot, wrap_mechanism),
-+                              NULL);
-+  PK11_FreeSlot (slot);
-+  if (wrapping_key == NULL)
-+    return NULL;
-+
-+  /* Get block size and key length. */
-+  block_size = PK11_GetBlockSize (wrap_mechanism, NULL);
-+  if (block_size == 0)
-+    block_size = 1;
-+  key_len = PK11_GetKeyLength (sym_key);
-+  if (key_len <= 0)
-+    {
-+      PK11_FreeSymKey (wrapping_key);
-+      return NULL;
-+    }
-+
-+  /* Allocate space for the wrapped key.
-+   * Add extra space for padding (up to one block size).
-+   */
-+  wrapped_key_size = key_len + block_size;
-+  wrapped_key = g_try_malloc0 (wrapped_key_size);
-+  if (wrapped_key == NULL)
-+    {
-+      PK11_FreeSymKey (wrapping_key);
-+      return NULL;
-+    }
-+
-+  memset (&tmp_sec_item, 0, sizeof (tmp_sec_item));
-+  memset (&wrapped_key_item, 0, sizeof (wrapped_key_item));
-+  wrapped_key_item.data = wrapped_key;
-+  wrapped_key_item.len = wrapped_key_size;
-+
-+  /* Wrap the symmetric key using the wrapping key. */
-+  ret = PK11_WrapSymKey (wrap_mechanism, &tmp_sec_item, wrapping_key, sym_key,
-+                         &wrapped_key_item);
-+  if (ret != SECSuccess)
-+    {
-+      g_free (wrapped_key);
-+      PK11_FreeSymKey (wrapping_key);
-+      return NULL;
-+    }
-+
-+  /* Now decrypt the wrapped key to get the raw bytes.
-+   * Create a decryption context with the wrapping key.
-+   */
-+  wrap_key_crypt_context = PK11_CreateContextBySymKey (wrap_mechanism,
-+                                                       CKA_DECRYPT,
-+                                                       wrapping_key,
-+                                                       &tmp_sec_item);
-+  if (wrap_key_crypt_context == NULL)
-+    {
-+      g_free (wrapped_key);
-+      PK11_FreeSymKey (wrapping_key);
-+      return NULL;
-+    }
-+
-+  /* Allocate space for the decrypted (clear) key. */
-+  clear_key = SECITEM_AllocItem (NULL, NULL, wrapped_key_item.len);
-+  if (clear_key == NULL)
-+    {
-+      g_free (wrapped_key);
-+      PK11_DestroyContext (wrap_key_crypt_context, PR_TRUE);
-+      PK11_FreeSymKey (wrapping_key);
-+      return NULL;
-+    }
-+
-+  /* Decrypt to get the raw key bytes. */
-+  ret = PK11_CipherOp (wrap_key_crypt_context, clear_key->data, &out_len,
-+                       clear_key->len, wrapped_key_item.data,
-+                       wrapped_key_item.len);
-+  if (ret != SECSuccess)
-+    {
-+      SECITEM_FreeItem (clear_key, PR_TRUE);
-+      g_free (wrapped_key);
-+      PK11_DestroyContext (wrap_key_crypt_context, PR_TRUE);
-+      PK11_FreeSymKey (wrapping_key);
-+      return NULL;
-+    }
-+
-+  ret = PK11_DigestFinal (wrap_key_crypt_context, clear_key->data + out_len,
-+                          &final_len, clear_key->len - out_len);
-+  g_free (wrapped_key);
-+  PK11_DestroyContext (wrap_key_crypt_context, PR_TRUE);
-+  PK11_FreeSymKey (wrapping_key);
-+  if (ret != SECSuccess)
-+    {
-+      SECITEM_FreeItem (clear_key, PR_TRUE);
-+      return NULL;
-+    }
-+
-+  /* Adjust the length to the actual key length (remove padding). */
-+  clear_key->len = key_len;
-+
-+  return clear_key;
-+}
-+
- 
- /* Encrypt DATA of SIZE for CERT.
-    Return encrypted data (for g_free()), setting RES_SIZE to the size of the
-@@ -532,20 +676,19 @@ unwrap_asymmetric (size_t *clear_secret_size, const void *wrapped_secret_data,
-       error_from_pr (error);
-       goto err;
-     }
--  if (PK11_ExtractKeyValue (secret_key) != SECSuccess)
-+  clear_secret_item = extract_sym_key (secret_key);
-+  PK11_FreeSymKey (secret_key);
-+  if (clear_secret_item == NULL)
-     {
-       error_from_pr (error);
--      goto err_secret_key;
-+      goto err;
-     }
--  clear_secret_item = PK11_GetKeyData (secret_key);
-   ret = g_memdup (clear_secret_item->data, clear_secret_item->len);
-   *clear_secret_size = clear_secret_item->len;
--  PK11_FreeSymKey (secret_key);
-+  SECITEM_FreeItem (clear_secret_item, PR_TRUE);
- 
-   return ret;
- 
-- err_secret_key:
--  PK11_FreeSymKey (secret_key);
-  err:
-   return NULL;
- }
-@@ -665,20 +808,19 @@ unwrap_symmetric (size_t *clear_secret_size, PK11SymKey *wrapping_key,
-       error_from_pr (error);
-       goto err;
-     }
--  if (PK11_ExtractKeyValue (secret_key) != SECSuccess)
-+  clear_secret_item = extract_sym_key (secret_key);
-+  PK11_FreeSymKey (secret_key);
-+  if (clear_secret_item == NULL)
-     {
-       error_from_pr (error);
--      goto err_secret_key;
-+      goto err;
-     }
--  clear_secret_item = PK11_GetKeyData (secret_key);
-   ret = g_memdup (clear_secret_item->data, clear_secret_item->len);
-   *clear_secret_size = clear_secret_item->len;
--  PK11_FreeSymKey (secret_key);
-+  SECITEM_FreeItem (clear_secret_item, PR_TRUE);
- 
-   return ret;
- 
-- err_secret_key:
--  PK11_FreeSymKey (secret_key);
-  err:
-   return NULL;
- }