Compare commits

...

No commits in common. 'c9' and 'i8c' have entirely different histories.
c9 ... i8c

@ -0,0 +1,27 @@
diff -up opencryptoki-3.21.0/misc/pkcsslotd.service.in.me opencryptoki-3.21.0/misc/pkcsslotd.service.in
--- opencryptoki-3.21.0/misc/pkcsslotd.service.in.me 2023-05-16 20:50:08.128841932 +0200
+++ opencryptoki-3.21.0/misc/pkcsslotd.service.in 2023-05-16 21:19:35.208570589 +0200
@@ -22,17 +22,17 @@ PrivateUsers=no
PrivateNetwork=no
RestrictAddressFamilies=AF_UNIX AF_NETLINK
IPAddressDeny=any
-ProtectClock=yes
+#ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
-ProtectKernelLogs=yes
+#ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHome=yes
-ProtectHostname=yes
-ProtectProc=default
+#ProtectHostname=yes
+#ProtectProc=default
ProtectSystem=strict
-ReadWritePaths=@localstatedir@
-ProcSubset=all
+ReadWritePaths=@localstatedir@ /run
+#ProcSubset=all
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes

@ -0,0 +1,37 @@
commit f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue May 23 15:07:02 2023 +0200
p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
On OpenSSL version before 1.1.1r function PEM_write_bio() segfaults when the
'header' argument is NULL. This was fixed in OpenSSL 1.1.1r with commit
https://github.com/openssl/openssl/commit/3b9082c844913d3a0efada9fac0bd2924ce1a8f2
As a workaround, specify an empty string instead of NULL, which results in the
same output.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 5b54b538..3baae560 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -6794,7 +6794,7 @@ static CK_RV p11sak_export_spki(const struct p11sak_keytype *keytype,
return rc;
}
- ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, NULL,
+ ret = PEM_write_bio(bio, PEM_STRING_PUBLIC, "",
attr.pValue, attr.ulValueLen);
if (ret <= 0) {
warnx("Failed to write SPKI of %s key object \"%s\" to PEM file '%s'.",
@@ -6888,7 +6888,7 @@ static CK_RV p11sak_export_asym_key(const struct p11sak_keytype *keytype,
ret = PEM_write_bio(bio, private ?
keytype->pem_name_private :
keytype->pem_name_public,
- NULL, data, data_len);
+ "", data, data_len);
if (ret <= 0) {
warnx("Failed to write %s key object \"%s\" to PEM file '%s'.",
typestr, label, opt_file);

@ -1,14 +1,18 @@
Name: opencryptoki Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.21.0 Version: 3.21.0
Release: 9%{?dist} Release: 10%{?dist}
License: CPL License: CPL
Group: System Environment/Base
URL: https://github.com/opencryptoki/opencryptoki URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1: opencryptoki-3.11.0-lockdir.patch Patch1: opencryptoki-3.11.0-lockdir.patch
# add missing p11sak_defined_attrs.conf, strength.conf # add missing p11sak_defined_attrs.conf
Patch2: opencryptoki-3.21.0-p11sak.patch Patch2: opencryptoki-3.21.0-p11sak.patch
# comment some unsupported sandbox options and add /run to ReadWritePaths to exclude
# /run directory from being made read-only on rhel8
Patch3: opencryptoki-3.21-sandboxing.patch
# upstream patches # upstream patches
# CVE-2024-0914 opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts # CVE-2024-0914 opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts
@ -22,19 +26,19 @@ Patch24: opencryptoki-v3.21.0-CVE-2024-0914-part05.patch
Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
# p11sak: Fix user confirmation prompt behavior when stdin is closed # p11sak: Fix user confirmation prompt behavior when stdin is closed
Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
# p11sak: Fix segfault in PEM_write_bio() on OpenSSL 1.1.1
Patch102: opencryptoki-3.21.0-f8ddcd5ba7e5b0bab00dedc89021147ec55b41b3.patch
# p11sak fails as soon as there reside non-key objects # p11sak fails as soon as there reside non-key objects
Patch102: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch Patch103: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0 # opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
Patch103: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch Patch104: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
Requires(pre): coreutils diffutils Requires(pre): coreutils diffutils
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted) Requires: (selinux-policy >= 3.14.3-121 if selinux-policy-targeted)
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: openssl-devel >= 1.1.1 BuildRequires: openssl-devel >= 1.1.1
%if 0%{?tmptok}
BuildRequires: trousers-devel BuildRequires: trousers-devel
%endif
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
BuildRequires: bison flex BuildRequires: bison flex
@ -63,6 +67,7 @@ This package contains the Slot Daemon (pkcsslotd) and general utilities.
%package libs %package libs
Group: System Environment/Libraries
Summary: The run-time libraries for opencryptoki package Summary: The run-time libraries for opencryptoki package
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -78,6 +83,7 @@ functional.
%package devel %package devel
Group: Development/Libraries
Summary: Development files for openCryptoki Summary: Development files for openCryptoki
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -87,6 +93,7 @@ opencryptoki and PKCS#11 based applications
%package swtok %package swtok
Group: System Environment/Libraries
Summary: The software token implementation for opencryptoki Summary: The software token implementation for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -103,6 +110,7 @@ without any specific cryptographic hardware.
%package tpmtok %package tpmtok
Group: System Environment/Libraries
Summary: Trusted Platform Module (TPM) device support for opencryptoki Summary: Trusted Platform Module (TPM) device support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -119,6 +127,7 @@ Trusted Platform Module (TPM) devices in the opencryptoki stack.
%package icsftok %package icsftok
Group: System Environment/Libraries
Summary: ICSF token support for opencryptoki Summary: ICSF token support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -136,6 +145,7 @@ ICSF token in the opencryptoki stack.
%ifarch s390 s390x %ifarch s390 s390x
%package icatok %package icatok
Group: System Environment/Libraries
Summary: ICA cryptographic devices (clear-key) support for opencryptoki Summary: ICA cryptographic devices (clear-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -153,6 +163,7 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
"accelerator" or "clear-key" path. "accelerator" or "clear-key" path.
%package ccatok %package ccatok
Group: System Environment/Libraries
Summary: CCA cryptographic devices (secure-key) support for opencryptoki Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -170,6 +181,7 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
"co-processor" or "secure-key" path. "co-processor" or "secure-key" path.
%package ep11tok %package ep11tok
Group: System Environment/Libraries
Summary: CCA cryptographic devices (secure-key) support for opencryptoki Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -195,24 +207,44 @@ configured with Enterprise PKCS#11 (EP11) firmware.
%build %build
./bootstrap.sh ./bootstrap.sh
%configure --with-systemd=%{_unitdir} --enable-testcases \ %configure --with-systemd=%{_unitdir} \
--with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \ --with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \
%if 0%{?tpmtok}
--enable-tpmtok \
%else
--disable-tpmtok \
%endif
%ifarch s390 s390x %ifarch s390 s390x
--enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
%else %else
--disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --disable-pkcscca_migrate
%endif %endif
%make_build CHGRP=/bin/true make %{?_smp_mflags} CHGRP=/bin/true
%install %install
%make_install CHGRP=/bin/true make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true
# Remove unwanted cruft
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la
%post libs -p /sbin/ldconfig
%post swtok -p /sbin/ldconfig
%post tpmtok -p /sbin/ldconfig
%post icsftok -p /sbin/ldconfig
%ifarch s390 s390x
%post icatok -p /sbin/ldconfig
%post ccatok -p /sbin/ldconfig
%post ep11tok -p /sbin/ldconfig
%endif
%postun libs -p /sbin/ldconfig
%postun swtok -p /sbin/ldconfig
%postun tpmtok -p /sbin/ldconfig
%postun icsftok -p /sbin/ldconfig
%ifarch s390 s390x
%postun icatok -p /sbin/ldconfig
%postun ccatok -p /sbin/ldconfig
%postun ep11tok -p /sbin/ldconfig
%endif
%pre %pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
@ -239,7 +271,7 @@ fi
%systemd_post pkcsslotd.service %systemd_post pkcsslotd.service
if test $1 -eq 1; then if test $1 -eq 1; then
%tmpfiles_create %{name}.conf %tmpfiles_create
fi fi
%preun %preun
@ -248,6 +280,8 @@ fi
%postun %postun
%systemd_postun_with_restart pkcsslotd.service %systemd_postun_with_restart pkcsslotd.service
%triggerun -- opencryptoki < 3.21.0-1
/usr/bin/systemctl daemon-reload
%files %files
%doc ChangeLog FAQ README.md %doc ChangeLog FAQ README.md
@ -311,13 +345,11 @@ fi
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%if 0%{?tmptok}
%files tpmtok %files tpmtok
%doc doc/README.tpm_stdll %doc doc/README.tpm_stdll
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%endif
%files icsftok %files icsftok
%doc doc/README.icsf_stdll %doc doc/README.icsf_stdll
@ -360,199 +392,192 @@ fi
%changelog %changelog
* Wed Feb 07 2024 Than Ngo <than@redhat.com> - 3.21.0-9 * Thu Feb 08 2024 Than Ngo <than@redhat.com> - 3.21.0-10
- timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) - timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin)
Resolves: RHEL-23490 Resolves: RHEL-23488
* Fri Jul 14 2023 Than Ngo <than@redhat.com> - 3.21.0-8
- Resolves: #2222592, p11sak tool: slot option does not accept argument 0 for slot index 0
- Resolves: #2222596, p11sak fails as soon as there reside non-key objects
* Tue Jun 13 2023 Than Ngo <than@redhat.com> - 3.21.0-5
- add requirement on selinux-policy >= 38.1.14-1 for pkcsslotd policy sandboxing
Related: #2160061
* Fri May 26 2023 Than Ngo <than@redhat.com> - 3.21.0-4
- add verify attributes for opencryptoki.conf to ignore the verification
Related: #2160061
* Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3
- Resolves: #2110497, concurrent MK rotation for cca token
- Resolves: #2110498, concurrent MK rotation for ep11 token
- Resolves: #2110499, ep11 token: PKCS #11 3.0 - support AES_XTS
- Resolves: #2111010, cca token: protected key support
- Resolves: #2160061, rebase to 3.21.0
- Resolves: #2160105, pkcsslotd hardening
- Resolves: #2160107, p11sak support Dilithium and Kyber keys
- Resolves: #2160109, ica and soft tokens: PKCS #11 3.0 - support AES_XTS
* Mon Jan 30 2023 Than Ngo <than@redhat.com> - 3.19.0-2
- Resolves: #2044182, Support of ep11 token for new IBM Z Hardware (IBM z16)
* Tue Oct 11 2022 Than Ngo <than@redhat.com> - 3.19.0-1
- Resolves: #2126294, opencryptoki fails after generating > 500 RSA keys
- Resolves: #2110314, rebase to 3.19.0
- Resolves: #2110989, openCryptoki key generation with expected MKVP only on CCA and EP11 tokens
- Resolves: #2110476, openCryptoki ep11 token: master key consistency
- Resolves: #2018458, openCryptoki ep11 token: vendor specific key derivation
* Fri Jul 29 2022 Than Ngo <than@redhat.com> - 3.18.0-4 * Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 3.21.0-9
- Related: #2044179, do not touch opencryptoki.conf if it is in place already and even if it is unchanged - Rebuilt for MSVSphere 8.8
* Tue Jun 07 2022 Than Ngo <than@redhat.com> - 3.18.0-3 * Tue Jul 18 2023 Than Ngo <than@redhat.com> - 3.21.0-9
- Related: #2044179, fix json output - Resolves: #2223588, FTBFS
* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-2 * Tue Jul 18 2023 Than Ngo <than@redhat.com> - 3.21.0-8
- Related: #2044179, add missing strength.conf - Related: #2222595, add triggerun to reload daemon
* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-1 * Fri Jul 14 2023 Than Ngo <than@redhat.com> - 3.21.0-7
- Resolves: #2044179, rebase to 3.18.0 - Resolves: #2222595, p11sak tool: slot option does not accept argument 0 for slot index 0
- Resolves: #2068091, pkcsconf -t failed with Segmentation fault in FIPS mode - Resolves: #2222594, p11sak fails as soon as there reside non-key objects
- Resolves: #2066763, Dilithium support not available
- Resolves: #2064697, OpenSSL 3.0 Compatibility for IBM Security Libraries and Tools
- Resolves: #2044181, support crypto profiles
- Resolves: #2044180, add crypto counters
* Tue May 03 2022 Than Ngo <than@redhat.com> - 3.17.0-6 * Tue Jul 04 2023 Than Ngo <than@redhat.com> - 3.21.0-6
- Resolves: #2066763, Dilithium support not available - add workaround for segfault in PEM_write_bio() on OpenSSL 1.1.1
Related: #2159741
* Mon Mar 14 2022 Than Ngo <than@redhat.com> - 3.17.0-5 * Tue Jun 13 2023 Than Ngo <than@redhat.com> - 3.21.0-5
- Resolves: #2064697, ICA/EP11: Support libica version 4 - add requirement on selinux-policy >= 3.14.3-121 for pkcsslotd policy sandboxing
Related: #2159697
* Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-4 * Thu May 25 2023 Than Ngo <than@redhat.com> - 3.21.0-4
- Resolves: #2040678, API: Unlock GlobMutex if user and group check fails - add verify attributes for opencryptoki.conf to ignore the verification
Related: #2159697
* Sat Dec 04 2021 Than Ngo <than@redhat.com> - 3.17.0-3 * Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3
- Related: #2015888, added missing patch pkcsslotd-pidfile - pkcsstats: Fix handling of user name
- p11sak: Fix user confirmation prompt behavior when stdin is closed
Related: #2159697
* Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
- add missing /var/lib/opencryptoki/HSM_MK_CHANGE
- disable unsupported sandbox options and add /run to ReadWritePaths to exclude
/run directory from being made read-only on rhel8
Related: #2159697
* Mon May 15 2023 Than Ngo <than@redhat.com> - 3.21.0-1
- Resolves: #1984865, ep11 and cca: support concurrent HSM master key changes
- Resolves: #2110500, ep11 token: PKCS #11 3.0 - support AES_XTS
- Resolves: #2111011, cca token: protected key support
- Resolves: #2159697, update to 3.21.0
- Resolves: #2159740, pkcsslotd hardening
- Resolves: #2159741, p11sak support Dilithium and Kyber keys
- Resolves: #2159742, ica and soft tokens: PKCS #11 3.0 - support AES_XTS
* Wed Nov 24 2021 Than Ngo <than@redhat.com> - 3.17.0-2 * Mon Jan 30 2023 Than Ngo <than@redhat.com> - 3.19.0-2
- Related: #2015888, add missing p11sak_defined_attrs.conf - Resolves: #2043856, Support of ep11 token for new IBM Z Hardware (IBM z16)
* Wed Nov 03 2021 Than Ngo <than@redhat.com> - 3.17.0-1 * Tue Nov 01 2022 Than Ngo <than@redhat.com> - 3.19.0-1
- Resolves: #2015888, rebase to 3.17.0 - Resolves: #2126612, opencryptoki fails after generating > 500 RSA keys
- Resolves: #2017720, openCryptoki key management tool - Resolves: #2110315, rebase to 3.19.0
- Resolves: #2110990, openCryptoki key generation with expected MKVP only on CCA and EP11 tokens
- Resolves: #2110477, openCryptoki ep11 token: master key consistency
- Resolves: #1984871, openCryptoki ep11 token: vendor specific key derivation
* Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12 * Mon Aug 01 2022 Than Ngo <than@redhat.com> - 3.18.0-3
- Related: #1989138, Support for OpenSSL 3.0 - Related: #2043854, do not touch opencryptoki.conf if it is in place already and even if it is unchanged
- Resolves: #2112785, EP11: Fix C_GetMechanismList returning CKR_BUFFER_TOO_SMALL
* Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11 * Tue Jun 07 2022 Than Ngo <than@redhat.com> - 3.18.0-2
- Resolves: #1989138, Support for OpenSSL 3.0 - Related: #2043854, fix json output
* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-10 * Tue May 24 2022 Than Ngo <than@redhat.com> - 3.18.0-1
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes - Resolves: #2043845, rebase to 3.18.0
- Resolves: #2043854, add crypto counters
- Resolves: #2043855, support crypto profiles
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-9 * Fri Apr 15 2022 Than Ngo <than@redhat.com> - 3.17.0-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Resolves: #2066762, Dilithium support not available
Related: rhbz#1991688
* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 3.16.0-8 * Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-3
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097) - Resolves: #2040677, API: Unlock GlobMutex if user and group check fails
* Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-7 * Tue Nov 09 2021 Than Ngo <than@redhat.com> - 3.17.0-2
- Resolves: #1974365, Fix detection if pkcsslotd is still running - Related: #1984993, add missing p11sak_defined_attrs.conf
* Fri Jun 25 2021 Than Ngo <than@redhat.com> - 3.16.0-6 * Tue Oct 19 2021 Than Ngo <than@redhat.com> - 3.17.0-1
- Resolves: #1974693, pkcsslotd PIDfile below legacy directory /var/run/ - Resolves: #1984993, rebase to 3.17.0
- Resolves: #1984870, openCryptoki key management tool
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-5 * Mon Sep 13 2021 Than Ngo <than@redhat.com> - 3.16.0-6
- Rebuilt for RHEL 9 BETA for openssl 3.0 - Fix: Could not open /run/lock/opencryptoki/LCK..APIlock
Related: rhbz#1971065
* Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-4 * Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-5
- Related: #1924120, add conditional requirement on new selinux-policy - Resolves: #1987256, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
* Mon May 17 2021 Than Ngo <than@redhat.com> - 3.16.0-3 * Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-4
- Resolves: #1959894, Soft token does not check if an EC key is valid - Resolves: #1964304, Fix detection if pkcsslotd is still running
- Resolves: #1924120, Event Notification Support
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-2 * Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Related: #1919223, add conditional requirement
* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1 * Fri Jun 11 2021 Than Ngo <than@redhat.com> - 3.16.0-2
- Rebase to 3.16.0 - Related: #1919223, add requirement on selinux-policy >= 3.14.3-70 for using ipsec
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6 * Tue Jun 01 2021 Than Ngo <than@redhat.com> - 3.16.0-1
- Rebuilt for updated systemd-rpm-macros - Resolves: #1919223, rebase to 3.16.0
See https://pagure.io/fesco/issue/2583. - Resolves: #1922195, Event Notification Support
- Resolves: #1959936, Soft token does not check if an EC key is valid
- Resolves: #1851104, import and export of secure key objects
- Resolves: #1851106, openCryptoki ep11 token: protected key support
- Resolves: #1851107, openCryptoki ep11 token: support attribute bound keys
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5 * Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
- Added upstream patch, a slot ID has nothing to do with the number of slots - Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4 * Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Resolves: #1927745, pkcscca migration fails with usr/sb2 is not a valid slot ID
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3 * Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3
- Drop tpm1.2 support by default - Resolves: #1902022
Fix compiling with c++
Added error message handling for p11sak remove-key command
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2 * Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-2
- Fix compiling with c++ - Related: #1847433, Added error message handling for p11sak remove-key command
- Added error message handling for p11sak remove-key command
- Add BR on make
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1 * Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
- Rebase to 3.15.1 - Related: #1847433
upstream fixes:
* Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1 - Free generated key in all error cases
- Rebase to 3.15.0 - CCA: Zeroize key buffer to avoid CCA 8/32 error
- Do not delete the map-btree entry if destroying an object is not allowed
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6 - Remove now unused header timeb.h
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - TESTCASES: Use FIPS conforming keys for 3DES CBC-MAC test vectors
- Fix buffer overrun in C_CopyObject
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5 - TPM: Fix double free in openssl_gen_key
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro * Mon Oct 19 2020 Than Ngo <than@redhat.com> - 3.15.0-1
- Resolves: #1847433, rebase to 3.15.0
* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4 - Resolves: #1851105, PKCS #11 3.0 - baseline provider support
- added PIN conversion tool - Resolves: #1851108, openCryptoki ep11 token: enhanced functionality
- Resolves: #1851109, openCryptoki key management tool: key deletion function
* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- upstream fix - handle early error cases in C_Initialize * Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5
- Related: #1853420, more fixes
* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
- fix regression, segfault in C_SetPin * Fri Jul 03 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- Resolves: #1853420, endian issue
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
- Rebase to 3.14.0 * Mon Jun 15 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- Resolves: #1780294, PIN conversion tool
* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
- Rebase to 3.13.0 * Tue May 26 2020 Than Ngo <than@redhat.com> - 3.14.0-2
- Related: #1780293, fix regression, segfault in C_SetPin
* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
- fix build with gcc 10 * Tue May 19 2020 Than Ngo <than@redhat.com> - 3.14.0-1
- Resolves: #1723863 - ep11 token: Enhanced Support
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2 - Resolves: #1780285 - ep11 token: Support for new IBM Z hardware z15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - Resolves: #1780293 - rebase to 3.14.0
- Resolves: #1800549 - key management tool: list keys function
* Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1 -Resolves: #1800555 - key management tool: random key generation function
- Rebase to 3.12.1
* Fri Dec 13 2019 Than Ngo <than@redhat.com> - 3.12.1-2
* Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1 - Resolves: #1782445, EP11: Fix EC-uncompress buffer length
- Rebase to 3.12.0
* Thu Nov 28 2019 Than Ngo <than@redhat.com> - 3.12.1-1
* Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1 - Resolves: #1777313, rebase to 3.12.1
- Rebase to 3.11.1
* Tue Nov 12 2019 Than Ngo <than@redhat.com> - 3.12.0-1
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5 - Resolves: #1726243, rebase to 3.12.0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Aug 26 2019 Dan Horák <dhorak@redhat.com> - 3.11.1-2
* Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4 - Resolves: #1739433, ICA HW token missing after the package update
- enable testcase by default
- fix URL * Mon May 06 2019 Than Ngo <than@redhat.com> - 3.11.1-1
- Resolves: #1706140, rebase to 3.11.1
* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group * Tue Mar 26 2019 Than Ngo <than@redhat.com> - 3.11.0-3
- Resolves: #1667941, 3des tests failures due to FIPS incompatible test scenarios
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2 - Resolves: #1651731, ep11 token: enhanced IBM z14 functions
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - Resolves: #1651732, ep11 token: support m_*Single functions from ep11 lib
- Resolves: #1525407, use CPACF hashes in ep11 token
* Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1 - Resolves: #1651238, rebase to 3.11.0
- Updated to 3.11.0 - Resolves: #1682530, gating
- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
- Ported root's group membership's patch for 3.11.0 * Fri Dec 14 2018 Than Ngo <than@redhat.com> - 3.10.0-3
- Resolves: #1657683, can't establish libica token in FIPS mode
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2 - Resolves: #1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Oct 25 2018 Than Ngo <than@redhat.com> - 3.10.0-2
- Resolves: #1602641, covscan
* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1 * Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
- Rebase to 3.10.0 - Rebase to 3.10.0

Loading…
Cancel
Save