import p11-kit-0.23.22-2.el8

.gitignore

@@ -0,0 +1,3 @@
+SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+SOURCES/p11-kit-0.23.22.tar.xz
+SOURCES/p11-kit-0.23.22.tar.xz.sig

.p11-kit.metadata

@@ -0,0 +1,3 @@
+526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz
+1ab50d9f01bb186c60c32b56467c6f9f56e365da SOURCES/p11-kit-0.23.22.tar.xz.sig

SOURCES/001-dt-needed.patch

@@ -0,0 +1,42 @@
+From a91266ef087532e2332c75c4fd9244df66f30b64 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 18 Dec 2020 13:37:10 +0100
+Subject: [PATCH] meson: Link trust/client modules explicitly to -ldl
+
+This adds the -ldl link flag missing in the meson build, but present
+in the autotools build.  Although the use-case is unlikely, this
+allows those modules to be linked as a normal shared library to a
+program.
+---
+ p11-kit/meson.build | 1 +
+ trust/meson.build   | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/p11-kit/meson.build b/p11-kit/meson.build
+index 7d57cd7..02147a9 100644
+--- a/p11-kit/meson.build
++++ b/p11-kit/meson.build
+@@ -92,6 +92,7 @@ if host_system != 'windows'
+                 'client.c', 'client-init.c',
+                 name_prefix: '',
+                 include_directories: [configinc, commoninc],
++                dependencies: dlopen_deps,
+                 link_args: p11_module_ldflags,
+                 link_depends: [p11_module_symbol_map,
+                                p11_module_symbol_def],
+diff --git a/trust/meson.build b/trust/meson.build
+index 482a3c1..d4a8e15 100644
+--- a/trust/meson.build
++++ b/trust/meson.build
+@@ -56,7 +56,7 @@ shared_module('p11-kit-trust',
+               'module-init.c',
+               name_prefix: '',
+               c_args: p11_kit_trust_c_args,
+-              dependencies: [asn_h_dep, libp11_library_dep] + libtasn1_deps,
++              dependencies: [asn_h_dep, libp11_library_dep] + dlopen_deps + libtasn1_deps,
+               link_args: p11_module_ldflags,
+               link_depends: [p11_module_symbol_map,
+                              p11_module_symbol_def],
+-- 
+2.29.2
+

SOURCES/002-doc-dep.patch

@@ -0,0 +1,42 @@
+From 9f01a8a45ba913a9b65894cef9369b6010005096 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz <eschwartz@archlinux.org>
+Date: Tue, 11 Jan 2022 23:25:05 -0500
+Subject: [PATCH] gtkdoc: remove dependencies on custom target files
+
+Sadly, the `dependencies` kwarg does not actually do what it seems to be
+trying to be used for, here. It is for listing dependency or library
+objects whose compiler flags should be added to gtkdoc-scangobj.
+
+It will not actually add ninja target dependencies. The similar kwarg in
+other meson functions (e.g. genmarshal and compile_schemas) that *do*
+allow adding target dependencies, is `depend_files`.
+
+Older versions of meson simply did nothing in an if/elif/elif block
+where these custom_targets never matched anything, and were thus
+silently ignored.
+
+Meson 0.61 type-validates the arguments and rejects CustomTarget as
+invalid:
+
+```
+doc/manual/meson.build:72:8: ERROR: gnome.gtkdoc keyword argument 'dependencies' was of type array[CustomTarget | PkgConfigDependency] but should have been array[Dependency | SharedLibrary | StaticLibrary]
+```
+
+Fixes #406
+---
+ doc/manual/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/manual/meson.build b/doc/manual/meson.build
+index cf8758dbf..560df8dbc 100644
+--- a/doc/manual/meson.build
++++ b/doc/manual/meson.build
+@@ -73,7 +73,7 @@ if get_option('gtk_doc')
+               main_xml: 'p11-kit-docs.xml',
+               namespace: 'p11_kit',
+               src_dir: 'p11-kit',
+-              dependencies: libffi_deps + dlopen_deps + xml_deps,
++              dependencies: libffi_deps + dlopen_deps,
+               scan_args: [
+                 '--ignore-headers=' + ' '.join(ignore_headers),
+                 '--rebuild-types',

SOURCES/003-IBM-mechs-and-attrs.patch

@@ -0,0 +1,953 @@
+diff --color -ruNp a/common/attrs.c b/common/attrs.c
+--- a/common/attrs.c	2020-12-11 15:48:46.000000000 +0100
++++ b/common/attrs.c	2023-11-29 14:29:45.130552239 +0100
+@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBU
+ 	X (CKA_TRUST_STEP_UP_APPROVED)
+ 	X (CKA_CERT_SHA1_HASH)
+ 	X (CKA_CERT_MD5_HASH)
++	X (CKA_IBM_OPAQUE)
++	X (CKA_IBM_RESTRICTABLE)
++	X (CKA_IBM_NEVER_MODIFIABLE)
++	X (CKA_IBM_RETAINKEY)
++	X (CKA_IBM_ATTRBOUND)
++	X (CKA_IBM_KEYTYPE)
++	X (CKA_IBM_CV)
++	X (CKA_IBM_MACKEY)
++	X (CKA_IBM_USE_AS_DATA)
++	X (CKA_IBM_STRUCT_PARAMS)
++	X (CKA_IBM_STD_COMPLIANCE1)
++	X (CKA_IBM_PROTKEY_EXTRACTABLE)
++	X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE)
++	X (CKA_IBM_OPAQUE_PKEY)
++	X (CKA_IBM_DILITHIUM_KEYFORM)
++	X (CKA_IBM_DILITHIUM_RHO)
++	X (CKA_IBM_DILITHIUM_T1)
+ 	case CKA_VALUE:
+ 		return (klass != CKO_CERTIFICATE &&
+ 			klass != CKO_X_CERTIFICATE_EXTENSION);
+diff --color -ruNp a/common/constants.c b/common/constants.c
+--- a/common/constants.c	2020-12-11 15:48:46.000000000 +0100
++++ b/common/constants.c	2023-11-29 14:29:45.130552239 +0100
+@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[]
+ 	CT (CKA_WRAP_TEMPLATE, "wrap-template")
+ 	CT (CKA_UNWRAP_TEMPLATE, "unwrap-template")
+ 	CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms")
++	CT (CKA_IBM_OPAQUE, "ibm-opaque")
++	CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable")
++	CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable")
++	CT (CKA_IBM_RETAINKEY, "ibm-retainkey")
++	CT (CKA_IBM_ATTRBOUND, "ibm-attrbound")
++	CT (CKA_IBM_KEYTYPE, "ibm-keytype")
++	CT (CKA_IBM_CV, "ibm-cv")
++	CT (CKA_IBM_MACKEY, "ibm-mackey")
++	CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data")
++	CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params")
++	CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1")
++	CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable")
++	CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable")
++	CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform")
++	CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho")
++	CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed")
++	CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr")
++	CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1")
++	CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2")
++	CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0")
++	CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1")
++	CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey")
+ 	CT (CKA_NSS_URL, "nss-url")
+ 	CT (CKA_NSS_EMAIL, "nss-email")
+ 	CT (CKA_NSS_SMIME_INFO, "nss-smime-constant")
+@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] =
+ 	CT (CKK_AES, "aes")
+ 	CT (CKK_BLOWFISH, "blowfish")
+ 	CT (CKK_TWOFISH, "twofish")
++	CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium")
+ 	CT (CKK_NSS_PKCS8, "nss-pkcs8")
+ 	{ CKA_INVALID },
+ };
+@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanis
+ 	CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen")
+ 	CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen")
+ 	CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen")
++	CT (CKM_IBM_SHA3_224, "ibm-sha3-224")
++	CT (CKM_IBM_SHA3_256, "ibm-sha3-256")
++	CT (CKM_IBM_SHA3_384, "ibm-sha3-384")
++	CT (CKM_IBM_SHA3_512, "ibm-sha3-512")
++	CT (CKM_IBM_CMAC, "ibm-cmac")
++	CT (CKM_IBM_EC_X25519, "ibm-ec-x25519")
++	CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512")
++	CT (CKM_IBM_EC_X448, "ibm-ec-x448")
++	CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3")
++	CT (CKM_IBM_DILITHIUM, "ibm-dilithium")
++	CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac")
++	CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac")
++	CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac")
++	CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac")
++	CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap")
+ 	{ CKA_INVALID },
+ };
+ 
+diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h
+--- a/common/pkcs11x.h	2020-12-11 16:24:01.000000000 +0100
++++ b/common/pkcs11x.h	2023-11-29 14:29:45.252554771 +0100
+@@ -181,6 +181,71 @@ typedef CK_ULONG
+ 
+ #endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */
+ 
++/* Define this if you want the IBM specific symbols */
++#define CRYPTOKI_IBM_VENDOR_DEFINED 1
++#ifdef CRYPTOKI_IBM_VENDOR_DEFINED
++
++#define CKK_IBM_PQC_DILITHIUM    CKK_VENDOR_DEFINED + 0x10023
++
++#define CKA_IBM_OPAQUE                         (CKA_VENDOR_DEFINED + 1)
++#define CKA_IBM_RESTRICTABLE                   (CKA_VENDOR_DEFINED + 0x10001)
++#define CKA_IBM_NEVER_MODIFIABLE               (CKA_VENDOR_DEFINED + 0x10002)
++#define CKA_IBM_RETAINKEY                      (CKA_VENDOR_DEFINED + 0x10003)
++#define CKA_IBM_ATTRBOUND                      (CKA_VENDOR_DEFINED + 0x10004)
++#define CKA_IBM_KEYTYPE                        (CKA_VENDOR_DEFINED + 0x10005)
++#define CKA_IBM_CV                             (CKA_VENDOR_DEFINED + 0x10006)
++#define CKA_IBM_MACKEY                         (CKA_VENDOR_DEFINED + 0x10007)
++#define CKA_IBM_USE_AS_DATA                    (CKA_VENDOR_DEFINED + 0x10008)
++#define CKA_IBM_STRUCT_PARAMS                  (CKA_VENDOR_DEFINED + 0x10009)
++#define CKA_IBM_STD_COMPLIANCE1                (CKA_VENDOR_DEFINED + 0x1000a)
++#define CKA_IBM_PROTKEY_EXTRACTABLE            (CKA_VENDOR_DEFINED + 0x1000c)
++#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE      (CKA_VENDOR_DEFINED + 0x1000d)
++#define CKA_IBM_DILITHIUM_KEYFORM              (CKA_VENDOR_DEFINED + 0xd0001)
++#define CKA_IBM_DILITHIUM_RHO                  (CKA_VENDOR_DEFINED + 0xd0002)
++#define CKA_IBM_DILITHIUM_SEED                 (CKA_VENDOR_DEFINED + 0xd0003)
++#define CKA_IBM_DILITHIUM_TR                   (CKA_VENDOR_DEFINED + 0xd0004)
++#define CKA_IBM_DILITHIUM_S1                   (CKA_VENDOR_DEFINED + 0xd0005)
++#define CKA_IBM_DILITHIUM_S2                   (CKA_VENDOR_DEFINED + 0xd0006)
++#define CKA_IBM_DILITHIUM_T0                   (CKA_VENDOR_DEFINED + 0xd0007)
++#define CKA_IBM_DILITHIUM_T1                   (CKA_VENDOR_DEFINED + 0xd0008)
++#define CKA_IBM_OPAQUE_PKEY                    (CKA_VENDOR_DEFINED + 0xd0100)
++
++#define CKM_IBM_SHA3_224                       (CKM_VENDOR_DEFINED + 0x10001)
++#define CKM_IBM_SHA3_256                       (CKM_VENDOR_DEFINED + 0x10002)
++#define CKM_IBM_SHA3_384                       (CKM_VENDOR_DEFINED + 0x10003)
++#define CKM_IBM_SHA3_512                       (CKM_VENDOR_DEFINED + 0x10004)
++#define CKM_IBM_CMAC                           (CKM_VENDOR_DEFINED + 0x10007)
++#define CKM_IBM_EC_X25519                      (CKM_VENDOR_DEFINED + 0x1001b)
++#define CKM_IBM_ED25519_SHA512                 (CKM_VENDOR_DEFINED + 0x1001c)
++#define CKM_IBM_EC_X448                        (CKM_VENDOR_DEFINED + 0x1001e)
++#define CKM_IBM_ED448_SHA3                     (CKM_VENDOR_DEFINED + 0x1001f)
++#define CKM_IBM_DILITHIUM                      (CKM_VENDOR_DEFINED + 0x10023)
++#define CKM_IBM_SHA3_224_HMAC                  (CKM_VENDOR_DEFINED + 0x10025)
++#define CKM_IBM_SHA3_256_HMAC                  (CKM_VENDOR_DEFINED + 0x10026)
++#define CKM_IBM_SHA3_384_HMAC                  (CKM_VENDOR_DEFINED + 0x10027)
++#define CKM_IBM_SHA3_512_HMAC                  (CKM_VENDOR_DEFINED + 0x10028)
++#define CKM_IBM_ATTRIBUTEBOUND_WRAP            (CKM_VENDOR_DEFINED + 0x20004)
++
++/*
++ * If the caller is using the PKCS#11 GNU calling convention, then we cater
++ * to that here.
++ */
++#ifdef CRYPTOKI_GNU
++#define hSignVerifyKey h_sign_verify_key
++#endif
++
++struct ck_ibm_attributebound_wrap {
++	CK_OBJECT_HANDLE hSignVerifyKey;
++};
++
++typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
++
++#ifdef CRYPTOKI_GNU
++#undef hSignVerifyKey
++#endif
++
++#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
++
+ #if defined(__cplusplus)
+ }
+ #endif
+diff --color -ruNp a/p11-kit/meson.build b/p11-kit/meson.build
+--- a/p11-kit/meson.build	2023-11-29 14:27:53.265231072 +0100
++++ b/p11-kit/meson.build	2023-11-29 14:29:45.264555020 +0100
+@@ -211,6 +211,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_hea
+ static_library('p11-kit-pkcs11-gnu',
+                gnu_h,
+                'pkcs11-gnu.c',
++               c_args: [
++                 '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1',
++               ],
+                include_directories: [configinc, commoninc])
+ 
+ # Tests ----------------------------------------------------------------
+diff --color -ruNp a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h
+--- a/p11-kit/p11-kit.h	2020-12-11 15:48:46.000000000 +0100
++++ b/p11-kit/p11-kit.h	2023-11-29 14:29:45.265555041 +0100
+@@ -43,12 +43,17 @@
+  */
+ #ifdef CRYPTOKI_GNU
+ typedef ck_rv_t CK_RV;
++typedef ck_object_handle_t CK_OBJECT_HANDLE;
++typedef unsigned long int CK_ULONG;
+ typedef struct ck_function_list* CK_FUNCTION_LIST_PTR;
+ typedef struct ck_function_list CK_FUNCTION_LIST;
+ #endif
+ 
+ #include "p11-kit/deprecated.h"
+ 
++/* For size_t.  */
++#include <stddef.h>
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+diff --color -ruNp a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c
+--- a/p11-kit/pkcs11-gnu.c	2020-12-11 15:48:46.000000000 +0100
++++ b/p11-kit/pkcs11-gnu.c	2023-11-29 14:29:45.265555041 +0100
+@@ -1,3 +1,8 @@
++#include "config.h"
++
++#include "p11-kit.h"
++#include "pkcs11x.h"
++
+ #include "pkcs11-gnu-iter.h"
+ #include "pkcs11-gnu-pin.h"
+ #include "pkcs11-gnu-uri.h"
+diff --color -ruNp a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
+--- a/p11-kit/rpc-client.c	2020-12-11 15:48:46.000000000 +0100
++++ b/p11-kit/rpc-client.c	2023-11-29 14:29:45.220554107 +0100
+@@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_messag
+ #define IN_BYTE_BUFFER(arr, len) \
+ 	if (len == NULL) \
+ 		{ _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \
+-	if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \
++	if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \
+ 		{ _ret = CKR_HOST_MEMORY; goto _cleanup; }
+ 
+ #define IN_BYTE_ARRAY(arr, len) \
+@@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *se
+                   CK_BYTE_PTR part,
+                   CK_ULONG part_len)
+ {
+-	return_val_if_fail (part_len, CKR_ARGUMENTS_BAD);
+-
+ 	BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID);
+ 		IN_ULONG (session);
+ 		IN_BYTE_ARRAY (part, part_len);
+diff --color -ruNp a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
+--- a/p11-kit/rpc-message.c	2020-12-11 16:25:36.000000000 +0100
++++ b/p11-kit/rpc-message.c	2023-11-29 14:29:45.243554584 +0100
+@@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rp
+ 	assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay"));
+ 
+ 	/* No array, no data, just length */
+-	if (!arr) {
++	if (!arr && num != 0) {
+ 		p11_rpc_buffer_add_byte (msg->output, 0);
+ 		p11_rpc_buffer_add_uint32 (msg->output, num);
+ 	} else {
+@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUT
+ 	case CKA_RESET_ON_INIT:
+ 	case CKA_HAS_RESET:
+ 	case CKA_COLOR:
++	case CKA_IBM_RESTRICTABLE:
++	case CKA_IBM_NEVER_MODIFIABLE:
++	case CKA_IBM_RETAINKEY:
++	case CKA_IBM_ATTRBOUND:
++	case CKA_IBM_USE_AS_DATA:
++	case CKA_IBM_PROTKEY_EXTRACTABLE:
++	case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE:
+ 		return P11_RPC_VALUE_BYTE;
+ 	case CKA_CLASS:
+ 	case CKA_CERTIFICATE_TYPE:
+@@ -821,9 +828,13 @@ map_attribute_to_value_type (CK_ATTRIBUT
+ 	case CKA_CHAR_COLUMNS:
+ 	case CKA_BITS_PER_PIXEL:
+ 	case CKA_MECHANISM_TYPE:
++	case CKA_IBM_DILITHIUM_KEYFORM:
++	case CKA_IBM_STD_COMPLIANCE1:
++	case CKA_IBM_KEYTYPE:
+ 		return P11_RPC_VALUE_ULONG;
+ 	case CKA_WRAP_TEMPLATE:
+ 	case CKA_UNWRAP_TEMPLATE:
++	case CKA_DERIVE_TEMPLATE:
+ 		return P11_RPC_VALUE_ATTRIBUTE_ARRAY;
+ 	case CKA_ALLOWED_MECHANISMS:
+ 		return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY;
+@@ -869,6 +880,18 @@ map_attribute_to_value_type (CK_ATTRIBUT
+ 	case CKA_REQUIRED_CMS_ATTRIBUTES:
+ 	case CKA_DEFAULT_CMS_ATTRIBUTES:
+ 	case CKA_SUPPORTED_CMS_ATTRIBUTES:
++	case CKA_IBM_OPAQUE:
++	case CKA_IBM_CV:
++	case CKA_IBM_MACKEY:
++	case CKA_IBM_STRUCT_PARAMS:
++	case CKA_IBM_OPAQUE_PKEY:
++	case CKA_IBM_DILITHIUM_RHO:
++	case CKA_IBM_DILITHIUM_SEED:
++	case CKA_IBM_DILITHIUM_TR:
++	case CKA_IBM_DILITHIUM_S1:
++	case CKA_IBM_DILITHIUM_S2:
++	case CKA_IBM_DILITHIUM_T0:
++	case CKA_IBM_DILITHIUM_T1:
+ 		return P11_RPC_VALUE_BYTE_ARRAY;
+ 	}
+ }
+@@ -1406,9 +1429,466 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechani
+ 	return true;
+ }
+ 
++void
++p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer,
++						 const void *value,
++						 CK_ULONG value_length)
++{
++	CK_ECDH1_DERIVE_PARAMS params;
++
++	/* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */
++	if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&params, value, value_length);
++
++	/* Check if params.kdf can be converted to uint64_t. */
++	if (params.kdf > UINT64_MAX) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_uint64 (buffer, params.kdf);
++
++	/* parmas.shared_data can only be an array of CK_BYTE or
++	 * NULL */
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.shared_data,
++				       params.shared_data_len);
++
++	/* parmas.public_data can only be an array of CK_BYTE or
++	 * NULL */
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.public_data,
++				       params.public_data_len);
++}
++
++bool
++p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer,
++						 size_t *offset,
++						 void *value,
++						 CK_ULONG *value_length)
++{
++	uint64_t val;
++	const unsigned char *data1, *data2;
++	size_t len1, len2;
++
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
++		return false;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
++		return false;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
++		return false;
++
++
++	if (value) {
++		CK_ECDH1_DERIVE_PARAMS params;
++
++		params.kdf = val;
++		params.shared_data = (void *) data1;
++		params.shared_data_len = len1;
++		params.public_data = (void *) data2;
++		params.public_data_len = len2;
++
++		memcpy (value, &params, sizeof (CK_ECDH1_DERIVE_PARAMS));
++	}
++
++	if (value_length)
++		*value_length = sizeof (CK_ECDH1_DERIVE_PARAMS);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
++						       const void *value,
++						       CK_ULONG value_length)
++{
++	CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
++
++	/* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */
++	if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&params, value, value_length);
++
++	/* Check if params.hSignVerifyKey can be converted to uint64_t. */
++	if (params.hSignVerifyKey > UINT64_MAX) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey);
++}
++
++bool
++p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
++						       size_t *offset,
++						       void *value,
++						       CK_ULONG *value_length)
++{
++	uint64_t val;
++
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
++		return false;
++
++	if (value) {
++		CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
++
++		params.hSignVerifyKey = val;
++
++		memcpy (value, &params, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS));
++	}
++
++	if (value_length)
++		*value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
++					   const void *value,
++					   CK_ULONG value_length)
++{
++	/* Check if value can be converted to an AES IV. */
++	if (value_length != 16) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)value,
++				       value_length);
++}
++
++bool
++p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
++					   size_t *offset,
++					   void *value,
++					   CK_ULONG *value_length)
++{
++	const unsigned char *data;
++	size_t len;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
++		return false;
++
++	if (len != 16)
++		return false;
++
++	if (value)
++		memcpy (value, data, len);
++
++	if (value_length)
++		*value_length = len;
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
++					    const void *value,
++					    CK_ULONG value_length)
++{
++	CK_AES_CTR_PARAMS params;
++
++	/* Check if value can be converted to CK_AES_CTR_PARAMS. */
++	if (value_length != sizeof (CK_AES_CTR_PARAMS)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&params, value, value_length);
++
++	/* Check if params.counter_bits can be converted to uint64_t. */
++	if (params.counter_bits > UINT64_MAX) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_uint64 (buffer, params.counter_bits);
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.cb,
++				       sizeof(params.cb));
++}
++
++bool
++p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
++					    size_t *offset,
++					    void *value,
++					    CK_ULONG *value_length)
++{
++	uint64_t val;
++	const unsigned char *data;
++	size_t len;
++
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
++		return false;
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
++		return false;
++
++	if (value) {
++		CK_AES_CTR_PARAMS params;
++
++		params.ulCounterBits = val;
++
++		if (len != sizeof (params.cb))
++			return false;
++
++		memcpy (params.cb, data, sizeof (params.cb));
++		memcpy (value, &params, sizeof (CK_AES_CTR_PARAMS));
++	}
++
++	if (value_length)
++		*value_length = sizeof (CK_AES_CTR_PARAMS);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
++					    const void *value,
++					    CK_ULONG value_length)
++{
++	CK_GCM_PARAMS params;
++
++	/* Check if value can be converted to CK_GCM_PARAMS. */
++	if (value_length != sizeof (CK_GCM_PARAMS)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&params, value, value_length);
++
++	/* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */
++	if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.pIv,
++				       params.ulIvLen);
++	p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits);
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)params.pAAD,
++				       params.ulAADLen);
++	p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits);
++}
++
++bool
++p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
++					    size_t *offset,
++					    void *value,
++					    CK_ULONG *value_length)
++{
++	uint64_t val1, val2;
++	const unsigned char *data1, *data2;
++	size_t len1, len2;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
++		return false;
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1))
++		return false;
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
++		return false;
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2))
++		return false;
++
++	if (value) {
++		CK_GCM_PARAMS params;
++
++		params.pIv = (void *) data1;
++		params.ulIvLen = len1;
++		params.ulIvBits = val1;
++		params.pAAD = (void *) data2;
++		params.ulAADLen = len2;
++		params.ulTagBits = val2;
++
++		memcpy (value, &params, sizeof (CK_GCM_PARAMS));
++	}
++
++	if (value_length)
++		*value_length = sizeof (CK_GCM_PARAMS);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
++					   const void *value,
++					   CK_ULONG value_length)
++{
++	/* Check if value can be converted to an DES IV. */
++	if (value_length != 8) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)value,
++				       value_length);
++}
++
++bool
++p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
++					   size_t *offset,
++					   void *value,
++					   CK_ULONG *value_length)
++{
++	const unsigned char *data;
++	size_t len;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
++		return false;
++
++	if (len != 8)
++		return false;
++
++	if (value)
++		memcpy (value, data, len);
++
++	if (value_length)
++		*value_length = len;
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer,
++						const void *value,
++						CK_ULONG value_length)
++{
++	CK_ULONG val;
++	uint64_t params;
++
++	/*
++	 * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which
++	 * is a CK_ULONG.
++	 */
++	if (value_length != sizeof (CK_ULONG)) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	memcpy (&val, value, value_length);
++	params = val;
++
++	p11_rpc_buffer_add_uint64 (buffer, params);
++}
++
++bool
++p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer,
++						size_t *offset,
++						void *value,
++						CK_ULONG *value_length)
++{
++	uint64_t val;
++	CK_ULONG params;
++
++	if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
++		return false;
++
++	params = val;
++
++	if (value)
++		memcpy (value, &params, sizeof (params));
++
++	if (value_length)
++		*value_length = sizeof (params);
++
++	return true;
++}
++
++void
++p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
++						   const void *value,
++						   CK_ULONG value_length)
++{
++	/* Mechanism parameter is public value of the other party */
++	if (value_length == 0) {
++		p11_buffer_fail (buffer);
++		return;
++	}
++
++	p11_rpc_buffer_add_byte_array (buffer,
++				       (unsigned char *)value,
++				       value_length);
++}
++
++bool
++p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
++						   size_t *offset,
++						   void *value,
++						   CK_ULONG *value_length)
++{
++	const unsigned char *data;
++	size_t len;
++
++	if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
++		return false;
++
++	if (len == 0)
++		return false;
++
++	if (value)
++		memcpy (value, data, len);
++
++	if (value_length)
++		*value_length = len;
++
++	return true;
++}
++
+ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
+ 	{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+-	{ CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }
++	{ CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
++	{ CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
++	{ CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
++	{ CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value },
++	{ CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
++	{ CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
++	{ CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
++	{ CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value },
++	{ CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value },
++	{ CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
++	{ CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
++	{ CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value },
+ };
+ 
+ static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
+@@ -1453,6 +1933,7 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_MD2_RSA_PKCS:
+ 	case CKM_MD5_RSA_PKCS:
+ 	case CKM_SHA1_RSA_PKCS:
++	case CKM_SHA224_RSA_PKCS:
+ 	case CKM_SHA256_RSA_PKCS:
+ 	case CKM_SHA384_RSA_PKCS:
+ 	case CKM_SHA512_RSA_PKCS:
+@@ -1467,6 +1948,10 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_EC_KEY_PAIR_GEN:
+ 	case CKM_ECDSA:
+ 	case CKM_ECDSA_SHA1:
++	case CKM_ECDSA_SHA224:
++	case CKM_ECDSA_SHA256:
++	case CKM_ECDSA_SHA384:
++	case CKM_ECDSA_SHA512:
+ 	case CKM_DH_PKCS_KEY_PAIR_GEN:
+ 	case CKM_DH_PKCS_PARAMETER_GEN:
+ 	case CKM_X9_42_DH_KEY_PAIR_GEN:
+@@ -1480,6 +1965,7 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_AES_KEY_GEN:
+ 	case CKM_AES_ECB:
+ 	case CKM_AES_MAC:
++	case CKM_AES_CMAC:
+ 	case CKM_DES_KEY_GEN:
+ 	case CKM_DES2_KEY_GEN:
+ 	case CKM_DES3_KEY_GEN:
+@@ -1505,6 +1991,7 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_RC2_MAC:
+ 	case CKM_DES_MAC:
+ 	case CKM_DES3_MAC:
++	case CKM_DES3_CMAC:
+ 	case CKM_CDMF_MAC:
+ 	case CKM_CAST_MAC:
+ 	case CKM_CAST3_MAC:
+@@ -1521,18 +2008,46 @@ mechanism_has_no_parameters (CK_MECHANIS
+ 	case CKM_MD5_HMAC:
+ 	case CKM_SHA_1:
+ 	case CKM_SHA_1_HMAC:
++	case CKM_SHA1_KEY_DERIVATION:
++	case CKM_SHA224:
++	case CKM_SHA224_HMAC:
++	case CKM_SHA224_KEY_DERIVATION:
+ 	case CKM_SHA256:
+ 	case CKM_SHA256_HMAC:
++	case CKM_SHA256_KEY_DERIVATION:
+ 	case CKM_SHA384:
+ 	case CKM_SHA384_HMAC:
++	case CKM_SHA384_KEY_DERIVATION:
+ 	case CKM_SHA512:
+ 	case CKM_SHA512_HMAC:
++	case CKM_SHA512_KEY_DERIVATION:
++	case CKM_SHA512_T:
++	case CKM_SHA512_T_HMAC:
++	case CKM_SHA512_T_KEY_DERIVATION:
++	case CKM_SHA512_224:
++	case CKM_SHA512_224_HMAC:
++	case CKM_SHA512_224_KEY_DERIVATION:
++	case CKM_SHA512_256:
++	case CKM_SHA512_256_HMAC:
++	case CKM_SHA512_256_KEY_DERIVATION:
+ 	case CKM_FASTHASH:
+ 	case CKM_RIPEMD128:
+ 	case CKM_RIPEMD128_HMAC:
+ 	case CKM_RIPEMD160:
+ 	case CKM_RIPEMD160_HMAC:
+ 	case CKM_KEY_WRAP_LYNKS:
++	case CKM_IBM_SHA3_224:
++	case CKM_IBM_SHA3_256:
++	case CKM_IBM_SHA3_384:
++	case CKM_IBM_SHA3_512:
++	case CKM_IBM_CMAC:
++	case CKM_IBM_DILITHIUM:
++	case CKM_IBM_SHA3_224_HMAC:
++	case CKM_IBM_SHA3_256_HMAC:
++	case CKM_IBM_SHA3_384_HMAC:
++	case CKM_IBM_SHA3_512_HMAC:
++	case CKM_IBM_ED25519_SHA512:
++	case CKM_IBM_ED448_SHA3:
+ 		return true;
+ 	default:
+ 		return false;
+diff --color -ruNp a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
+--- a/p11-kit/rpc-message.h	2020-12-11 16:25:36.000000000 +0100
++++ b/p11-kit/rpc-message.h	2023-11-29 14:29:45.243554584 +0100
+@@ -42,6 +42,7 @@
+ 
+ #include "buffer.h"
+ #include "pkcs11.h"
++#include "pkcs11x.h"
+ 
+ /* The calls, must be in sync with array below */
+ enum {
+@@ -478,5 +479,85 @@ bool             p11_rpc_buffer_get_rsa_
+ 							   size_t *offset,
+ 							   void *value,
+ 							   CK_ULONG *value_length);
++
++void            p11_rpc_buffer_add_ecdh1_derive_mechanism_value
++							  (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool            p11_rpc_buffer_get_ecdh1_derive_mechanism_value
++							  (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void            p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
++							  (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool            p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
++							  (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
++							    const void *value,
++							    CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
++							    size_t *offset,
++							    void *value,
++							    CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
++							    const void *value,
++							    CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
++							    size_t *offset,
++							    void *value,
++							    CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_mac_general_mechanism_value
++							  (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_mac_general_mechanism_value
++							  (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
++
++void		p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value
++							  (p11_buffer *buffer,
++							   const void *value,
++							   CK_ULONG value_length);
++
++bool		p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value
++							  (p11_buffer *buffer,
++							   size_t *offset,
++							   void *value,
++							   CK_ULONG *value_length);
+ 
+ #endif /* _RPC_MESSAGE_H */
+diff --color -ruNp a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
+--- a/p11-kit/rpc-server.c	2020-12-11 16:25:36.000000000 +0100
++++ b/p11-kit/rpc-server.c	2023-11-29 14:29:45.221554128 +0100
+@@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message
+ 	*n_buffer = length;
+ 	*buffer = NULL;
+ 
++	/* length = -1 indicates length = 0, but buffer not NULL */
++	if (length == (uint32_t)-1) {
++		*n_buffer = 0;
++		length = 1; /*allocate 1 dummy byte */
++	}
++
+ 	/* If set to zero, then they just want the length */
+ 	if (length == 0)
+ 		return CKR_OK;

SOURCES/p11-kit-client.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=p11-kit client
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+RuntimeDirectory=p11-kit
+ExecStart=/usr/bin/true
+
+[Install]
+WantedBy=default.target

SOURCES/trust-extract-compat

@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+
+set -e
+
+if test "$UID" != "0"; then
+	echo "p11-kit: the 'extract-trust' command must be run as root" >&2
+	exit 2
+fi
+
+if test $# -gt 1; then
+	echo "p11-kit: no additional arguments are supported for this command" >&2
+	exit 2
+fi
+
+exec /usr/bin/update-ca-trust

SPECS/p11-kit.spec

@@ -0,0 +1,430 @@
+# This spec file has been automatically updated
+Version:        0.23.22
+Release:        2%{?dist}
+Name:           p11-kit
+Summary:        Library for loading and sharing PKCS#11 modules
+
+License:        BSD-3-Clause
+URL:            http://p11-glue.freedesktop.org/p11-kit.html
+Source0:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz
+Source1:        https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig
+Source2:        gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
+Source3:        trust-extract-compat
+Source4:        p11-kit-client.service
+
+Patch0:         001-dt-needed.patch
+Patch1:         002-doc-dep.patch
+# commits: 4059f17, d07a8ff, 218e971, c4ade85, 242e5db, ac0da82, 7235af6,
+#          b72aa47, 506b941, 3c0be1d, 7ea5901, 7675f86, d1782b6
+Patch2:         003-IBM-mechs-and-attrs.patch
+
+BuildRequires:  gcc
+BuildRequires:  libtasn1-devel >= 2.3
+BuildRequires:  libtasn1-tools
+BuildRequires:  libffi-devel
+BuildRequires:  gettext
+BuildRequires:  gtk-doc
+BuildRequires:  meson
+BuildRequires:  systemd-devel
+BuildRequires:  bash-completion
+# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
+# Remove this once it is fixed
+BuildRequires:  pkgconfig(glib-2.0)
+BuildRequires:  pkgconfig(systemd)
+BuildRequires:  gnupg2
+BuildRequires:  /usr/bin/xsltproc
+
+%description
+p11-kit provides a way to load and enumerate PKCS#11 modules, as well
+as a standard configuration setup for installing PKCS#11 modules in
+such a way that they're discoverable.
+
+
+%package devel
+Summary:        Development files for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+
+%package trust
+Summary:            System trust module from %{name}
+Requires:           %{name}%{?_isa} = %{version}-%{release}
+Requires(post):     %{_sbindir}/alternatives
+Requires(postun):   %{_sbindir}/alternatives
+Conflicts:          nss < 3.14.3-9
+
+%description trust
+The %{name}-trust package contains a system trust PKCS#11 module which
+contains certificate anchors and blocklists.
+
+
+%package server
+Summary:        Server and client commands for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description server
+The %{name}-server package contains command line tools that enable to
+export PKCS#11 modules through a Unix domain socket.  Note that this
+feature is still experimental.
+
+
+# solution taken from icedtea-web.spec
+%define multilib_arches ppc64 sparc64 x86_64 ppc64le
+%ifarch %{multilib_arches}
+%define alt_ckbi  libnssckbi.so.%{_arch}
+%else
+%define alt_ckbi  libnssckbi.so
+%endif
+
+
+%prep
+gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
+
+%autosetup -p1
+
+%build
+# These paths are the source paths that  come from the plan here:
+# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
+%meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source
+%meson_build
+
+%install
+%meson_install
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules
+install -p -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
+# Install the example conf with %%doc instead
+mkdir -p $RPM_BUILD_ROOT%{_docdir}/%{name}
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example $RPM_BUILD_ROOT%{_docdir}/%{name}/pkcs11.conf.example
+mkdir -p $RPM_BUILD_ROOT%{_userunitdir}
+install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir}
+%find_lang %{name}
+
+%check
+%meson_test
+
+
+%post trust
+%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
+
+%postun trust
+if [ $1 -eq 0 ] ; then
+        # package removal
+        %{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
+fi
+
+
+%files -f %{name}.lang
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc AUTHORS NEWS README
+%{_docdir}/%{name}/pkcs11.conf.example
+%dir %{_sysconfdir}/pkcs11
+%dir %{_sysconfdir}/pkcs11/modules
+%dir %{_datadir}/p11-kit
+%dir %{_datadir}/p11-kit/modules
+%dir %{_libexecdir}/p11-kit
+%{_bindir}/p11-kit
+%{_libdir}/libp11-kit.so.*
+%{_libdir}/p11-kit-proxy.so
+%{_libexecdir}/p11-kit/p11-kit-remote
+%{_mandir}/man1/trust.1.gz
+%{_mandir}/man8/p11-kit.8.gz
+%{_mandir}/man5/pkcs11.conf.5.gz
+%{_datadir}/bash-completion/completions/p11-kit
+
+%files devel
+%{_includedir}/p11-kit-1/
+%{_libdir}/libp11-kit.so
+%{_libdir}/pkgconfig/p11-kit-1.pc
+%doc %{_datadir}/gtk-doc/
+
+%files trust
+%{_bindir}/trust
+%dir %{_libdir}/pkcs11
+%ghost %{_libdir}/libnssckbi.so
+%{_libdir}/pkcs11/p11-kit-trust.so
+%{_datadir}/p11-kit/modules/p11-kit-trust.module
+%{_libexecdir}/p11-kit/trust-extract-compat
+%{_datadir}/bash-completion/completions/trust
+
+%files server
+%{_libdir}/pkcs11/p11-kit-client.so
+%{_userunitdir}/p11-kit-client.service
+%{_libexecdir}/p11-kit/p11-kit-server
+%{_userunitdir}/p11-kit-server.service
+%{_userunitdir}/p11-kit-server.socket
+
+
+%changelog
+* Fri Dec 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.23.22-2
+- Add IBM specific mechanisms and attributes
+  Resolves: RHEL-10571
+
+* Mon Jan 11 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-1
+- Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363)
+- Preserve DT_NEEDED information from the previous version, flagged by rpmdiff
+- Add xsltproc to BR
+
+* Tue Nov 10 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-4
+- Fix realloc usage on proxy cleanup (#1894979)
+- Make 'trust anchor --store' preserve all attributes from .p11-kit files
+
+* Tue Nov  3 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-3
+- Restore clobbered changelog entry
+
+* Mon Nov  2 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-2
+- Update p11-kit-invalid-config.patch to be more thorough (thanks to
+  Alexander Sosedkin)
+
+* Tue Oct 20 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-1
+- Update to upstream 0.23.21 release
+
+* Fri Mar 29 2019 Daiki Ueno <dueno@redhat.com> - 0.23.14-5
+- Fix crash on unloading the library, when it is both linked and dlopen'ed
+
+* Mon Oct 29 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-4
+- Prefer fixed closures to libffi closures
+
+* Wed Oct 17 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-3
+- Update p11-kit-coverity.patch
+
+* Tue Oct 16 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-2
+- Fix issues spotted by coverity
+
+* Wed Oct 10 2018 Daiki Ueno <dueno@redhat.com> - 0.23.14-1
+- Update to upstream 0.23.14 release
+
+* Wed May 30 2018 Daiki Ueno <dueno@redhat.com> - 0.23.12-1
+- Update to upstream 0.23.11 release
+
+* Wed Feb 28 2018 Daiki Ueno <dueno@redhat.com> - 0.23.10-1
+- Update to upstream 0.23.10 release
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Oct 05 2017 Daiki Ueno <dueno@redhat.com> - 0.23.9-2
+- server: Make it possible to eval envvar settings
+
+* Wed Oct 04 2017 Daiki Ueno <dueno@redhat.com> - 0.23.9-1
+- Update to upstream 0.23.9
+
+* Fri Aug 25 2017 Kai Engert <kaie@redhat.com> - 0.23.8-2
+- Fix a regression caused by a recent nss.rpm change, add a %%ghost file
+  for %%{_libdir}/libnssckbi.so that p11-kit-trust scripts install.
+
+* Tue Aug 15 2017 Daiki Ueno <dueno@redhat.com> - 0.23.8-1
+- Update to 0.23.8 release
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jun  2 2017 Daiki Ueno <dueno@redhat.com> - 0.23.7-1
+- Update to 0.23.7 release
+
+* Thu May 18 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-3
+- Update p11-kit-modifiable.patch to simplify the logic
+
+* Thu May 18 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-2
+- Make "trust anchor --remove" work again
+
+* Thu Mar  2 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-1
+- Update to 0.23.5 release
+- Rename -tools subpackage to -server and remove systemd unit files
+
+* Fri Feb 24 2017 Daiki Ueno <dueno@redhat.com> - 0.23.4-3
+- Move p11-kit command back to main package
+
+* Fri Feb 24 2017 Daiki Ueno <dueno@redhat.com> - 0.23.4-2
+- Split out command line tools to -tools subpackage, to avoid a
+  multilib issue with the main package.  Suggested by Yanko Kaneti.
+
+* Wed Feb 22 2017 Daiki Ueno <dueno@redhat.com> - 0.23.4-1
+- Update to 0.23.4 release
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Jan  6 2017 Daiki Ueno <dueno@redhat.com> - 0.23.3-2
+- Use internal hash implementation instead of NSS (#1390598)
+
+* Tue Dec 20 2016 Daiki Ueno <dueno@redhat.com> - 0.23.3-1
+- Update to 0.23.3 release
+- Adjust executables location from %%libdir to %%libexecdir
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.23.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Jan 12 2016 Martin Preisler <mpreisle@redhat.com> - 0.23.2-1
+- Update to stable 0.23.2 release
+
+* Tue Jun 30 2015 Martin Preisler <mpreisle@redhat.com> - 0.23.1-4
+- In proxy module don't call C_Finalize on a forked process [#1217915]
+- Do not deinitialize libffi's wrapper functions [#1217915]
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.23.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 0.23.1-2
+- Rebuilt for Fedora 23 Change
+  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Fri Feb 20 2015 Stef Walter <stefw@redhat.com> - 0.23.1-1
+- Update to 0.23.1 release
+
+* Thu Oct 09 2014 Stef Walter <stefw@redhat.com> - 0.22.1-1
+- Update to 0.22.1 release
+- Use SubjectKeyIdentifier as a CKA_ID if possible rhbz#1148895
+
+* Sat Oct 04 2014 Stef Walter <stefw@redhat.com> 0.22.0-1
+- Update to 0.22.0 release
+
+* Wed Sep 17 2014 Stef Walter <stefw@redhat.com> 0.21.3-1
+- Update to 0.21.3 release
+- Includes definitions for trust extensions rhbz#1136817
+
+* Fri Sep 05 2014 Stef Walter <stefw@redhat.com> 0.21.2-1
+- Update to 0.21.2 release
+- Fix problems with erroneous messages printed rhbz#1133857
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.21.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Aug 07 2014 Stef Walter <stefw@redhat.com> - 0.21.1-1
+- Update to 0.21.1 release
+
+* Wed Jul 30 2014 Tom Callaway <spot@fedoraproject.org> - 0.20.3-3
+- fix license handling
+
+* Fri Jul 04 2014 Stef Walter <stefw@redhat.com> - 0.20.3-2
+- Update to stable 0.20.3 release
+
+* Fri Jun 06 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.20.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 0.20.2-2
+- Own the %%{_libdir}/pkcs11 dir in -trust.
+
+* Tue Jan 14 2014 Stef Walter <stefw@redhat.com> - 0.20.2-1
+- Update to upstream stable 0.20.2 release
+- Fix regression involving blacklisted anchors [#1041328]
+- Support ppc64le in build [#1052707]
+
+* Mon Sep 09 2013 Stef Walter <stefw@redhat.com> - 0.20.1-1
+- Update to upstream stable 0.20.1 release
+- Extract compat trust data after we've changes
+- Skip compat extraction if running as non-root
+- Better failure messages when removing anchors
+
+* Thu Aug 29 2013 Stef Walter <stefw@redhat.com> - 0.19.4-1
+- Update to new upstream 0.19.4 release
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.19.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 24 2013 Stef Walter <stefw@redhat.com> - 0.19.3-1
+- Update to new upstream 0.19.3 release (#967822)
+
+* Wed Jun 05 2013 Stef Walter <stefw@redhat.com> - 0.18.3-1
+- Update to new upstream stable release
+- Fix intermittent firefox cert validation issues (#960230)
+- Include the manual pages in the package
+
+* Tue May 14 2013 Stef Walter <stefw@redhat.com> - 0.18.2-1
+- Update to new upstream stable release
+- Reduce the libtasn1 dependency minimum version
+
+* Thu May 02 2013 Stef Walter <stefw@redhat.com> - 0.18.1-1
+- Update to new upstream stable release
+- 'p11-kit extract-trust' lives in libdir
+
+* Thu Apr 04 2013 Stef Walter <stefw@redhat.com> - 0.18.0-1
+- Update to new upstream stable release
+- Various logging tweaks (#928914, #928750)
+- Make the 'p11-kit extract-trust' explicitly reject
+  additional arguments
+
+* Thu Mar 28 2013 Stef Walter <stefw@redhat.com> - 0.17.5-1
+- Make 'p11-kit extract-trust' call update-ca-trust
+- Work around 32-bit oveflow of certificate dates
+- Build fixes
+
+* Tue Mar 26 2013 Stef Walter <stefw@redhat.com> - 0.17.4-2
+- Pull in patch from upstream to fix build on ppc (#927394)
+
+* Wed Mar 20 2013 Stef Walter <stefw@redhat.com> - 0.17.4-1
+- Update to upstream version 0.17.4
+
+* Mon Mar 18 2013 Stef Walter <stefw@redhat.com> - 0.17.3-1
+- Update to upstream version 0.17.3
+- Put the trust input paths in the right order
+
+* Tue Mar 12 2013 Stef Walter <stefw@redhat.com> - 0.16.4-1
+- Update to upstream version 0.16.4
+
+* Fri Mar 08 2013 Stef Walter <stefw@redhat.com> - 0.16.3-1
+- Update to upstream version 0.16.3
+- Split out system trust module into its own package.
+- p11-kit-trust provides an alternative to an nss module
+
+* Tue Mar 05 2013 Stef Walter <stefw@redhat.com> - 0.16.1-1
+- Update to upstream version 0.16.1
+- Setup source directories as appropriate for Shared System Certificates feature
+
+* Tue Mar 05 2013 Stef Walter <stefw@redhat.com> - 0.16.0-1
+- Update to upstream version 0.16.0
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Sep 17 2012 Kalev Lember <kalevlember@gmail.com> - 0.14-1
+- Update to 0.14
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jul 16 2012 Kalev Lember <kalevlember@gmail.com> - 0.13-1
+- Update to 0.13
+
+* Tue Mar 27 2012 Kalev Lember <kalevlember@gmail.com> - 0.12-1
+- Update to 0.12
+- Run self tests in %%check
+
+* Sat Feb 11 2012 Kalev Lember <kalevlember@gmail.com> - 0.11-1
+- Update to 0.11
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Dec 20 2011 Matthias Clasen <mclasen@redhat.com> - 0.9-1
+- Update to 0.9
+
+* Wed Oct 26 2011 Kalev Lember <kalevlember@gmail.com> - 0.8-1
+- Update to 0.8
+
+* Mon Sep 19 2011 Matthias Clasen <mclasen@redhat.com> - 0.6-1
+- Update to 0.6
+
+* Sun Sep 04 2011 Kalev Lember <kalevlember@gmail.com> - 0.5-1
+- Update to 0.5
+
+* Sun Aug 21 2011 Kalev Lember <kalevlember@gmail.com> - 0.4-1
+- Update to 0.4
+- Install the example config file to documentation directory
+
+* Wed Aug 17 2011 Kalev Lember <kalevlember@gmail.com> - 0.3-2
+- Tighten -devel subpackage deps (#725905)
+
+* Fri Jul 29 2011 Kalev Lember <kalevlember@gmail.com> - 0.3-1
+- Update to 0.3
+- Upstream rewrote the ASL 2.0 bits, which makes the whole package
+  BSD-licensed
+
+* Tue Jul 12 2011 Kalev Lember <kalevlember@gmail.com> - 0.2-1
+- Initial RPM release