public inbox for git-commits@fedoraproject.org
From: Than Ngo <than@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/opencryptoki] rawhide: - Update to 3.27.0
Date: Wed, 10 Jun 2026 09:34:04 GMT
Message-ID: <178108404461.1.4299779273821712031.rpms-opencryptoki-e7c357a52b70@fedoraproject.org>
A new commit has been pushed.
Repo : rpms/opencryptoki
Branch : rawhide
Commit : e7c357a52b7072d97f4bdbef07b1aedd685bd252
Author : Than Ngo <than@redhat.com>
Date : 2026-06-10T11:33:32+02:00
Stats : +94/-515 in 6 file(s)
URL : https://src.fedoraproject.org/rpms/opencryptoki/c/e7c357a52b7072d97f4bdbef07b1aedd685bd252?branch=rawhide
Log:
- Update to 3.27.0
* Add base support for PKCS#11 v3.2
* Add support for PKCS#11 v3.2 C_VerifySignature[Init|Update|Final]
* Add support for PKCS#11 v3.2 C_EncapsulateKey/C_DecapsulateKey
* Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with RSA-PKCS and RSA-OAEP mechanisms
* Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with the ECDH mechanism
* Soft/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with the DH-PKCS mechanism
* Soft: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types
and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured)
* CCA: Add support for PKCS#11 v3.2 ML-DSA key type and mechanisms (requires CCA v8.4 or later)
* EP11: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types and mechanisms
(requires an EP11 host library v4.2 or later, and a CEX8P crypto card with firmware v9.6 or
later on IBM z17, and v8.39 or later on IBM z16)
* p11sak: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types
* Soft/ICA: Add support for PKCS#11 v3.2 mechanisms CKM_ECDH_X_AES_KEY_WRAP and CKM_ECDH_COF_AES_KEY_WRAP
* p11sak: Add support for key wrapping with PKCS#11 v3.2 mechanisms
CKM_ECDH_X_AES_KEY_WRAP and CKM_ECDH_COF_AES_KEY_WRAP
* Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 mechanism CKM_PUB_KEY_FROM_PRIV_KEY
* Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.0 Edwards and Montgomery key types and mechanisms
* Soft/ICA: Support CKM_ECDH_AES_KEY_WRAP also for Montgomery keys
* p11sak: Add support for PKCS#11 v3.0 Edwards and Montgomery key types
* Soft: Add support for CKM_ECDH1_COFACTOR_DERIVE
* CCA: Add support for additional RSA public exponent values 5, 17, or 257
* p11sak: Add option to list-key command to show EP11 session IDs
* Make the maximum number of token objects supported configurable
* Fixes for CVE-2026-40253, CVE-2026-23893, and CVE-2026-22791
* Bug fixes
- Drop %%{ix86} build
---
diff --git a/.gitignore b/.gitignore
index 025cfc4..6237dad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@ opencryptoki-2.3.1.tar.gz
/opencryptoki-3.24.0.tar.gz
/opencryptoki-3.25.0.tar.gz
/opencryptoki-3.26.0.tar.gz
+/opencryptoki-3.27.0.tar.gz
diff --git a/opencryptoki-3.25.0-buildroot-install.patch b/opencryptoki-3.25.0-buildroot-install.patch
new file mode 100644
index 0000000..b079eac
--- /dev/null
+++ b/opencryptoki-3.25.0-buildroot-install.patch
@@ -0,0 +1,47 @@
+diff -up opencryptoki-3.25.0/Makefile.am.me opencryptoki-3.25.0/Makefile.am
+--- opencryptoki-3.25.0/Makefile.am.me 2025-06-10 08:52:39.000000000 +0200
++++ opencryptoki-3.25.0/Makefile.am 2025-06-10 15:32:06.974976310 +0200
+@@ -51,20 +51,8 @@ include tools/tools.mk
+ include doc/doc.mk
+
+ install-data-hook:
+-if AIX
+- lsgroup $(pkcs_group) > /dev/null || $(GROUPADD) -a pkcs11
+- lsuser $(pkcsslotd_user) > /dev/null || $(USERADD) -g $(pkcs_group) -d $(DESTDIR)$(RUN_PATH)/opencryptoki -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+-else
+- getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
+- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d $(RUN_PATH)/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+-endif
+ $(MKDIR_P) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/
+- $(CHMOD) 0710 $(DESTDIR)$(RUN_PATH)/opencryptoki/
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
+- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
+- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
+ if ENABLE_LIBRARY
+ $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
+ $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
+@@ -117,11 +105,11 @@ if ENABLE_EP11TOK
+ endif
+ if ENABLE_P11SAK
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+ endif
+ if ENABLE_P11KMIP
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
+ endif
+ if ENABLE_ICATOK
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+@@ -172,7 +160,7 @@ endif
+ if ENABLE_DAEMON
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
+- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+ endif
+ if !AIX
+ $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
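Review bot: this patch removes the token store's access control from install-data-hook, not just the user/group creation: `$(CHOWN) $(pkcsslotd_user):$(pkcs_group)` and `$(CHMOD) 0710` on `$(RUN_PATH)/opencryptoki/`, `$(CHGRP)`/`$(CHMOD) 0770` on `$(localstatedir)/lib/opencryptoki`, and the `-g $(pkcs_group)` on the three 0640 config installs. Skipping these in a buildroot is correct (no pkcs11 group exists there and chown would fail), but the spec then has to restore every one of them at package level: the group via Source2 (opencryptoki.sysusers.conf), the runtime directory via the tmpfiles.d patches, and the /var/lib/opencryptoki directory plus the .conf files via `%dir`/`%attr` entries in `%files`. None of those sections is in this diff, so please confirm they still carry the exact modes dropped here (0710 and group pkcs11 for the run dir, 0770 group pkcs11 for the state dir, 0640 root:pkcs11 for the config files). One more thing to check in the last hunk: `-o root` is kept on the strength.conf install while `-g $(pkcs_group)` is removed; in a non-root build `install -o root` fails just as `-g` would, and the trailing `|| true` hides that, so make sure strength.conf actually lands in the buildroot.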
diff --git a/opencryptoki-3.25.0-p11sak.patch b/opencryptoki-3.25.0-p11sak.patch
deleted file mode 100644
index b079eac..0000000
--- a/opencryptoki-3.25.0-p11sak.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-diff -up opencryptoki-3.25.0/Makefile.am.me opencryptoki-3.25.0/Makefile.am
---- opencryptoki-3.25.0/Makefile.am.me 2025-06-10 08:52:39.000000000 +0200
-+++ opencryptoki-3.25.0/Makefile.am 2025-06-10 15:32:06.974976310 +0200
-@@ -51,20 +51,8 @@ include tools/tools.mk
- include doc/doc.mk
-
- install-data-hook:
--if AIX
-- lsgroup $(pkcs_group) > /dev/null || $(GROUPADD) -a pkcs11
-- lsuser $(pkcsslotd_user) > /dev/null || $(USERADD) -g $(pkcs_group) -d $(DESTDIR)$(RUN_PATH)/opencryptoki -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
--else
-- getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
-- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d $(RUN_PATH)/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
--endif
- $(MKDIR_P) $(DESTDIR)$(RUN_PATH)/opencryptoki/
-- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/
-- $(CHGRP) $(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/
-- $(CHMOD) 0710 $(DESTDIR)$(RUN_PATH)/opencryptoki/
- $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
-- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
-- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
- if ENABLE_LIBRARY
- $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
- $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
-@@ -117,11 +105,11 @@ if ENABLE_EP11TOK
- endif
- if ENABLE_P11SAK
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
-- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
-+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
- endif
- if ENABLE_P11KMIP
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
-- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
-+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
- endif
- if ENABLE_ICATOK
- cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
-@@ -172,7 +160,7 @@ endif
- if ENABLE_DAEMON
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
-- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
-+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
- endif
- if !AIX
- $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
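Review bot: this blob is byte-identical to the file added above as opencryptoki-3.25.0-buildroot-install.patch (both headers show index b079eac), so the change is a pure rename that git could record as such; using `git mv` (or `-M` when formatting) keeps the history of the patch linkable and drops 47 lines of duplicated diff from the commit.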
diff --git a/opencryptoki-3.26.0-CVE-3-2026-23893.patch b/opencryptoki-3.26.0-CVE-3-2026-23893.patch
deleted file mode 100644
index 85bb2fd..0000000
--- a/opencryptoki-3.26.0-CVE-3-2026-23893.patch
+++ /dev/null
@@ -1,453 +0,0 @@
-commit a1aaf9f9080202f48570d3a207d0595db159f99c
-Author: Pavel Kohout <pavel@aisle.com>
-Date: Tue Jan 13 00:00:00 2026 +0000
-
- Fix symlink-following vulnerabilities (CWE-59)
-
- Multiple symlink-following vulnerabilities exist in OpenCryptoki that run
- in privileged contexts. These allow a token-group user to redirect file
- operations to arbitrary filesystem targets by planting symlinks in
- group-writable token directories, resulting in privilege escalation or
- data exposure.
-
- Affected components:
- 1. pkcstok_admin: set_file_permissions() uses stat() which follows symlinks,
- then applies chmod/chown to the symlink target.
- 2. pkcstok_migrate: fopen() follows symlinks, then set_perm() modifies the
- target permissions.
- 3. loadsave.c: Multiple wrapper functions use fopen() followed by set_perm().
- 4. hsm_mk_change.c: hsm_mk_change_op_open() uses fopen() followed by
- hsm_mk_change_op_set_perm().
- 5. pbkdf.c: fopen() followed by set_perms() in two locations.
-
- This fix:
- - Introduces fopen_nofollow() helper in platform.h
- - Checks for O_NOFOLLOW at compile time (not hardcoded per-platform)
- - On platforms with O_NOFOLLOW: uses open(O_NOFOLLOW) + fdopen() for atomic
- symlink rejection (race-condition free)
- - On platforms without O_NOFOLLOW: falls back to lstat() + fopen() and emits
- a compiler warning so the unsafe fallback doesn't go unnoticed
- - Updates all affected wrapper functions to use fopen_nofollow()
- - pkcstok_admin: Uses lstat() instead of stat() and skips symlinks
-
- Reported-by: Pavel Kohout, Aisle Research, www.aisle.com
- Signed-off-by: Pavel Kohout <pavel@aisle.com>
- Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
-index 18b8aa04..f9c0cc7f 100644
---- a/usr/lib/common/loadsave.c
-+++ b/usr/lib/common/loadsave.c
-@@ -68,9 +68,17 @@ static FILE *open_token_object_path(char *buf, size_t buflen,
- STDLL_TokData_t *tokdata, const char *path,
- const char *mode)
- {
-+ FILE *fp;
-+
- if (get_token_object_path(buf, buflen, tokdata, path, NULL) < 0)
- return NULL;
-- return fopen(buf, mode);
-+
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(buf, mode);
-+ if (fp == NULL && errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
-+
-+ return fp;
- }
-
- static FILE *open_token_object_path_new(char *newbuf, size_t newbuflen,
-@@ -78,11 +86,19 @@ static FILE *open_token_object_path_new(char *newbuf, size_t newbuflen,
- STDLL_TokData_t *tokdata,
- const char *path, const char *mode)
- {
-+ FILE *fp;
-+
- if (get_token_object_path(newbuf, newbuflen, tokdata, path, ".TMP") < 0)
- return NULL;
- if (get_token_object_path(basebuf, basebuflen, tokdata, path, NULL) < 0)
- return NULL;
-- return fopen(newbuf, mode);
-+
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(newbuf, mode);
-+ if (fp == NULL && errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", newbuf);
-+
-+ return fp;
- }
-
- static int get_token_data_store_path(char *buf, size_t buflen,
-@@ -101,9 +117,17 @@ static FILE *open_token_data_store_path(char *buf, size_t buflen,
- STDLL_TokData_t *tokdata,
- const char *path, const char *mode)
- {
-+ FILE *fp;
-+
- if (get_token_data_store_path(buf, buflen, tokdata, path, NULL) < 0)
- return NULL;
-- return fopen(buf, mode);
-+
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(buf, mode);
-+ if (fp == NULL && errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
-+
-+ return fp;
- }
-
- static FILE *open_token_data_store_path_new(char *newbuf, size_t newbuflen,
-@@ -111,11 +135,19 @@ static FILE *open_token_data_store_path_new(char *newbuf, size_t newbuflen,
- STDLL_TokData_t *tokdata,
- const char *path, const char *mode)
- {
-+ FILE *fp;
-+
- if (get_token_data_store_path(newbuf, newbuflen, tokdata, path, ".TMP") < 0)
- return NULL;
- if (get_token_data_store_path(basebuf, basebuflen, tokdata, path, NULL) < 0)
- return NULL;
-- return fopen(newbuf, mode);
-+
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(newbuf, mode);
-+ if (fp == NULL && errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", newbuf);
-+
-+ return fp;
- }
-
- static FILE *open_token_object_index(char *buf, size_t buflen,
-@@ -127,17 +159,27 @@ static FILE *open_token_object_index(char *buf, size_t buflen,
- static FILE *open_token_nvdat(char *buf, size_t buflen,
- STDLL_TokData_t *tokdata, const char *mode)
- {
-+ FILE *fp;
-+
- if (ock_snprintf(buf, buflen, "%s/" PK_LITE_NV, tokdata->data_store)) {
- TRACE_ERROR("NVDAT.TOK file name buffer overflow\n");
- return NULL;
- }
-- return fopen(buf, mode);
-+
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(buf, mode);
-+ if (fp == NULL && errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
-+
-+ return fp;
- }
-
- static FILE *open_token_nvdat_new(char *newbuf, size_t newbuflen,
- char *basebuf, size_t basebuflen,
- STDLL_TokData_t *tokdata, const char *mode)
- {
-+ FILE *fp;
-+
- if (ock_snprintf(newbuf, newbuflen, "%s/" PK_LITE_NV ".TMP",
- tokdata->data_store)) {
- TRACE_ERROR("NVDAT.TOK file name buffer overflow\n");
-@@ -148,7 +190,13 @@ static FILE *open_token_nvdat_new(char *newbuf, size_t newbuflen,
- TRACE_ERROR("NVDAT.TOK file name buffer overflow\n");
- return NULL;
- }
-- return fopen(newbuf, mode);
-+
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(newbuf, mode);
-+ if (fp == NULL && errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", newbuf);
-+
-+ return fp;
- }
-
- static CK_RV close_token_file_new(FILE * fp, CK_RV rc,
-@@ -289,9 +337,12 @@ CK_RV save_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
- // we didn't find it...either the index file doesn't exist or this
- // is a new object...
- //
-- fp = fopen(fname, "a");
-+ fp = fopen_nofollow(fname, "a");
- if (!fp) {
-- TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
-+ if (errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
-+ else
-+ TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
- return CKR_FUNCTION_FAILED;
- }
-
-@@ -663,11 +714,14 @@ CK_RV load_token_data_old(STDLL_TokData_t *tokdata, CK_SLOT_ID slot_id)
- if (errno == ENOENT) {
- init_token_data(tokdata, slot_id);
-
-- fp = fopen(fname, "r");
-+ fp = fopen_nofollow(fname, "r");
- if (!fp) {
- // were really hosed here since the created
- // did not occur
-- TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
-+ if (errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
-+ else
-+ TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
- rc = CKR_FUNCTION_FAILED;
- goto out_unlock;
- }
-@@ -2345,11 +2399,14 @@ CK_RV load_token_data(STDLL_TokData_t *tokdata, CK_SLOT_ID slot_id)
- if (errno == ENOENT) {
- init_token_data(tokdata, slot_id);
-
-- fp = fopen(fname, "r");
-+ fp = fopen_nofollow(fname, "r");
- if (!fp) {
- // were really hosed here since the created
- // did not occur
-- TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
-+ if (errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
-+ else
-+ TRACE_ERROR("fopen(%s): %s\n", fname, strerror(errno));
- rc = CKR_FUNCTION_FAILED;
- goto out_unlock;
- }
-diff --git a/usr/lib/common/platform.h b/usr/lib/common/platform.h
-index 799821b5..51cc1c73 100644
---- a/usr/lib/common/platform.h
-+++ b/usr/lib/common/platform.h
-@@ -7,7 +7,16 @@
- * found in the file LICENSE file or at
- * https://opensource.org/licenses/cpl1.0.php
- */
-+#ifndef PLATFORM_H
-+#define PLATFORM_H
-+
- #include <dlfcn.h>
-+#include <stdio.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+#include <string.h>
-+#include <errno.h>
-+#include <sys/stat.h>
-
- #if defined(_AIX)
- #include "aix/getopt.h"
-@@ -30,10 +39,81 @@
- /* for htobexx, htolexx, bexxtoh and lexxtoh macros */
- #include <endian.h>
- /* macros from bsdlog and friends */
--#include <stdio.h>
- #include <err.h>
-
- #define OCK_API_LIBNAME "libopencryptoki.so"
- #define DYNLIB_LDFLAGS (RTLD_NOW)
-
- #endif /* _AIX */
-+
-+/*
-+ * Check for O_NOFOLLOW support at compile time.
-+ * If not available, fall back to lstat() + fopen() (has TOCTOU race).
-+ */
-+#ifndef O_NOFOLLOW
-+#define OCK_NO_O_NOFOLLOW 1
-+#warning "O_NOFOLLOW not supported, symlink protection uses racy lstat() fallback!"
-+#endif
-+
-+/*
-+ * CWE-59 fix: Open file without following symlinks.
-+ *
-+ * On platforms with O_NOFOLLOW support:
-+ * Uses open(O_NOFOLLOW) + fdopen() for atomic symlink rejection.
-+ *
-+ * On platforms without O_NOFOLLOW (e.g., older AIX):
-+ * Falls back to lstat() + fopen(). This has a TOCTOU race condition,
-+ * but still catches pre-planted symlinks which is the common attack
-+ * scenario. Better than no protection at all.
-+ *
-+ * Returns NULL with errno=ELOOP if path is a symlink.
-+ */
-+static inline FILE *fopen_nofollow(const char *path, const char *mode)
-+{
-+#ifdef OCK_NO_O_NOFOLLOW
-+ /*
-+ * Fallback for platforms without O_NOFOLLOW: use lstat() check.
-+ * This has a TOCTOU race but catches pre-planted symlinks.
-+ */
-+ struct stat sb;
-+
-+ if (lstat(path, &sb) == 0) {
-+ if (S_ISLNK(sb.st_mode)) {
-+ errno = ELOOP;
-+ return NULL;
-+ }
-+ }
-+ /* Note: if lstat fails (e.g., file doesn't exist for "w" mode),
-+ * we proceed with fopen() which will handle the error appropriately */
-+ return fopen(path, mode);
-+#else
-+ /* Preferred: atomic symlink rejection via O_NOFOLLOW */
-+ int flags = O_NOFOLLOW;
-+ int fd;
-+ FILE *fp;
-+
-+ /* Determine flags based on mode */
-+ if (mode[0] == 'r') {
-+ flags |= (mode[1] == '+') ? O_RDWR : O_RDONLY;
-+ } else if (mode[0] == 'w') {
-+ flags |= O_CREAT | O_TRUNC | ((mode[1] == '+') ? O_RDWR : O_WRONLY);
-+ } else if (mode[0] == 'a') {
-+ flags |= O_CREAT | O_APPEND | ((mode[1] == '+') ? O_RDWR : O_WRONLY);
-+ } else {
-+ return NULL;
-+ }
-+
-+ fd = open(path, flags, 0600);
-+ if (fd < 0)
-+ return NULL;
-+
-+ fp = fdopen(fd, mode);
-+ if (fp == NULL) {
-+ close(fd);
-+ return NULL;
-+ }
-+ return fp;
-+#endif
-+}
-+
-+#endif /* PLATFORM_H */
-diff --git a/usr/lib/hsm_mk_change/hsm_mk_change.c b/usr/lib/hsm_mk_change/hsm_mk_change.c
-index f40dfb43..8c66546f 100644
---- a/usr/lib/hsm_mk_change/hsm_mk_change.c
-+++ b/usr/lib/hsm_mk_change/hsm_mk_change.c
-@@ -623,9 +623,13 @@ static FILE* hsm_mk_change_op_open(const char *id, CK_SLOT_ID slot_id,
-
- TRACE_DEVEL("file to open: %s mode: %s\n", hsm_mk_change_file, mode);
-
-- fp = fopen(hsm_mk_change_file, mode);
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(hsm_mk_change_file, mode);
- if (fp == NULL) {
-- TRACE_ERROR("%s fopen(%s, %s): %s\n", __func__,
-+ if (errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", hsm_mk_change_file);
-+ else
-+ TRACE_ERROR("%s fopen(%s, %s): %s\n", __func__,
- hsm_mk_change_file, mode, strerror(errno));
- }
-
-diff --git a/usr/lib/icsf_stdll/pbkdf.c b/usr/lib/icsf_stdll/pbkdf.c
-index 47d1b97c..91230804 100644
---- a/usr/lib/icsf_stdll/pbkdf.c
-+++ b/usr/lib/icsf_stdll/pbkdf.c
-@@ -26,6 +26,7 @@
- #include "h_extern.h"
- #include "pbkdf.h"
- #include "trace.h"
-+#include "platform.h"
-
-
- CK_RV get_randombytes(unsigned char *output, int bytes)
-@@ -546,9 +547,13 @@ CK_RV secure_racf(STDLL_TokData_t *tokdata,
- totallen = outputlen + AES_INIT_VECTOR_SIZE;
-
- snprintf(fname, sizeof(fname), "%s/%s/%s", CONFIG_PATH, tokname, RACFFILE);
-- fp = fopen(fname, "w");
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(fname, "w");
- if (!fp) {
-- TRACE_ERROR("fopen failed: %s\n", strerror(errno));
-+ if (errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
-+ else
-+ TRACE_ERROR("fopen failed: %s\n", strerror(errno));
- return CKR_FUNCTION_FAILED;
- }
-
-@@ -619,9 +624,13 @@ CK_RV secure_masterkey(STDLL_TokData_t *tokdata,
- /* get the total length */
- totallen = outputlen + SALTSIZE;
-
-- fp = fopen(fname, "w");
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ fp = fopen_nofollow(fname, "w");
- if (!fp) {
-- TRACE_ERROR("fopen failed: %s\n", strerror(errno));
-+ if (errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", fname);
-+ else
-+ TRACE_ERROR("fopen failed: %s\n", strerror(errno));
- return CKR_FUNCTION_FAILED;
- }
-
-diff --git a/usr/sbin/pkcstok_admin/pkcstok_admin.c b/usr/sbin/pkcstok_admin/pkcstok_admin.c
-index 9912804e..d144cc04 100644
---- a/usr/sbin/pkcstok_admin/pkcstok_admin.c
-+++ b/usr/sbin/pkcstok_admin/pkcstok_admin.c
-@@ -336,11 +336,18 @@ static int set_file_permissions(const char *fname, const struct group *group,
- pr_verbose("Setting permissions for '%s' with group '%s'", fname,
- group->gr_name);
-
-- if (stat(fname, &sb) != 0) {
-+ /* CWE-59 fix: Use lstat to detect symlinks */
-+ if (lstat(fname, &sb) != 0) {
- warnx("'%s' does not exist.", fname);
- return -1;
- }
-
-+ /* Only process regular files and directories (CWE-59 fix) */
-+ if (!S_ISREG(sb.st_mode) && !S_ISDIR(sb.st_mode)) {
-+ warnx("Skipping '%s': not a regular file or directory.", fname);
-+ return 0;
-+ }
-+
- if (sb.st_uid != 0) {
- /* owner is not root */
- pwd = getpwuid(sb.st_uid);
-diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
-index 12b605b5..9579e236 100644
---- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
-+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
-@@ -48,6 +48,7 @@
- #include "local_types.h"
- #include "h_extern.h"
- #include "slotmgr.h" // for ock_snprintf
-+#include "platform.h"
-
- #define OCK_TOOL
- #include "pkcs_utils.h"
-@@ -77,9 +78,14 @@ static FILE *open_datastore_file(char *buf, size_t buflen,
- TRACE_ERROR("Path overflow for datastore file %s\n", file);
- return NULL;
- }
-- res = fopen(buf, mode);
-- if (!res)
-- TRACE_ERROR("fopen(%s) failed, errno=%s\n", buf, strerror(errno));
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ res = fopen_nofollow(buf, mode);
-+ if (!res) {
-+ if (errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
-+ else
-+ TRACE_ERROR("fopen(%s) failed, errno=%s\n", buf, strerror(errno));
-+ }
- return res;
- }
-
-@@ -94,9 +100,14 @@ static FILE *open_tokenobject(char *buf, size_t buflen,
- file, tokenobj);
- return NULL;
- }
-- res = fopen(buf, mode);
-- if (!res)
-- TRACE_ERROR("fopen(%s) failed, errno=%s\n", buf, strerror(errno));
-+ /* CWE-59 fix: Use fopen_nofollow to prevent symlink attacks */
-+ res = fopen_nofollow(buf, mode);
-+ if (!res) {
-+ if (errno == ELOOP)
-+ TRACE_ERROR("Refusing to follow symlink: %s\n", buf);
-+ else
-+ TRACE_ERROR("fopen(%s) failed, errno=%s\n", buf, strerror(errno));
-+ }
- return res;
- }
-
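Review bot: removing this patch is only safe if upstream commit a1aaf9f9080202f48570d3a207d0595db159f99c (fopen_nofollow() in platform.h, lstat() plus the S_ISREG/S_ISDIR check in pkcstok_admin) is actually contained in the 3.27.0 tarball; the release notes list CVE-2026-23893 among the fixes, but 3.26.0-3 shipped this fix explicitly, and silently reintroducing symlink following in the privileged token tools would be hard to spot later, so please verify against the release rather than the changelog. Also note that both this file name and the spec comment spelled the id as CVE-3-2026-23893 while the correct identifier is CVE-2026-23893; any remaining references (bug titles, update notes) should use the correct form.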
diff --git a/opencryptoki.spec b/opencryptoki.spec
index ced7ee7..ef3f945 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,7 +1,7 @@
Name: opencryptoki
-Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1
-Version: 3.26.0
-Release: 3%{?dist}
+Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1, v3.2
+Version: 3.27.0
+Release: 1%{?dist}
License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
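Review bot: "v3.0 and partially v3.1, v3.2" reads as if v3.2 were fully supported, while the commit log describes it as "base support for PKCS#11 v3.2"; "v3.0 and partially v3.1 and v3.2" would say what is meant. Version bump and the Release reset to 1 are fine.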
@@ -11,7 +11,7 @@ Source1: opencryptoki.module
Source2: opencryptoki.sysusers.conf
# fix install problem in buildroot
-Patch1: opencryptoki-3.25.0-p11sak.patch
+Patch1: opencryptoki-3.25.0-buildroot-install.patch
# tmpfiles.d config files for image mode
Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
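Review bot: the renamed Patch1 keeps the 3.25.0 prefix and its hunk offsets come from the 3.25.0 Makefile.am, yet it is now applied to 3.27.0; either re-diff it against the new tree and name it opencryptoki-3.27.0-buildroot-install.patch, or say in the comment that it is version-independent, so the next update does not have to guess whether it still applies without fuzz.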
@@ -21,8 +21,9 @@ Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
Patch3: opencryptoki-lockdir-image-mode.patch
# upstream patches
-# CVE-3-2026-23893
-Patch100: opencryptoki-3.26.0-CVE-3-2026-23893.patch
+
+# https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval
+ExcludeArch: %{ix86}
Requires(pre): coreutils
Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
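Review bot: the `# upstream patches` comment is left with nothing under it and the added blank line runs it straight into the i686 block; either drop the comment or keep it as a placeholder with a blank line before it, so `ExcludeArch: %{ix86}` stays grouped with its Fedora Changes link as done here. The ExcludeArch itself matches the "Drop %%{ix86} build" changelog entry.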
@@ -59,7 +60,7 @@ Requires(postun): systemd
%description
-Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
+Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1, v3.2
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
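Review bot: this identical two-line edit is repeated in the eight %description sections that follow; defining the description text once with `%global` and reusing it would make a version-support bump a single-line change and keep the subpackage descriptions from drifting apart.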
@@ -72,7 +73,7 @@ Summary: The run-time libraries for opencryptoki package
Requires(pre): shadow-utils
%description libs
-Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
+Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1, v3.2
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
@@ -98,7 +99,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description swtok
-Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
+Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1, v3.2
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
@@ -114,7 +115,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description tpmtok
-Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
+Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1, v3.2
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
@@ -130,7 +131,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icsftok
-Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
+Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1, v3.2
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
@@ -146,7 +147,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icatok
-Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
+Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1, v3.2
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
@@ -163,7 +164,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ccatok
-Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
+Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1, v3.2
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
@@ -180,7 +181,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ep11tok
-Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
+Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1, v3.2
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
@@ -410,6 +411,36 @@ fi
%changelog
+* Tue Jun 09 2026 Than Ngo <than@redhat.com> - 3.27.0-1
+- Update to 3.27.0
+ * Add base support for PKCS#11 v3.2
+ * Add support for PKCS#11 v3.2 C_VerifySignature[Init|Update|Final]
+ * Add support for PKCS#11 v3.2 C_EncapsulateKey/C_DecapsulateKey
+ * Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with RSA-PKCS and RSA-OAEP mechanisms
+ * Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with the ECDH mechanism
+ * Soft/EP11: Add support for PKCS#11 v3.2 en-/decapsulate with the DH-PKCS mechanism
+ * Soft: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types
+ and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured)
+ * CCA: Add support for PKCS#11 v3.2 ML-DSA key type and mechanisms (requires CCA v8.4 or later)
+ * EP11: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types and mechanisms
+ (requires an EP11 host library v4.2 or later, and a CEX8P crypto card with firmware v9.6 or
+ later on IBM z17, and v8.39 or later on IBM z16)
+ * p11sak: Add support for PKCS#11 v3.2 ML-DSA and ML-KEM key types
+ * Soft/ICA: Add support for PKCS#11 v3.2 mechanisms CKM_ECDH_X_AES_KEY_WRAP and CKM_ECDH_COF_AES_KEY_WRAP
+ * p11sak: Add support for key wrapping with PKCS#11 v3.2 mechanisms
+ CKM_ECDH_X_AES_KEY_WRAP and CKM_ECDH_COF_AES_KEY_WRAP
+ * Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.2 mechanism CKM_PUB_KEY_FROM_PRIV_KEY
+ * Soft/ICA/CCA/EP11: Add support for PKCS#11 v3.0 Edwards and Montgomery key types and mechanisms
+ * Soft/ICA: Support CKM_ECDH_AES_KEY_WRAP also for Montgomery keys
+ * p11sak: Add support for PKCS#11 v3.0 Edwards and Montgomery key types
+ * Soft: Add support for CKM_ECDH1_COFACTOR_DERIVE
+ * CCA: Add support for additional RSA public exponent values 5, 17, or 257
+ * p11sak: Add option to list-key command to show EP11 session IDs
+ * Make the maximum number of token objects supported configurable
+ * Fixes for CVE-2026-40253, CVE-2026-23893, and CVE-2026-22791
+ * Bug fixes
+- Drop %%{ix86} build
+
* Tue May 05 2026 Than Ngo <than@redhat.com> - 3.26.0-3
- Fix rhbz#2432016: CVE-2026-23893, Privilege Escalation or Data Exposure via Symlink Following
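Review bot: the 3.27.0-1 entry lists three CVE fixes without the Bugzilla references the previous entry uses (rhbz#2432016 for CVE-2026-23893); adding the rhbz numbers for CVE-2026-40253, CVE-2026-23893 and CVE-2026-22791 lets the Bodhi update close the tracking bugs automatically. Copying the full upstream release notes into %changelog is fine, but the CVE line is the one that matters for the security update and should carry the bug ids.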
diff --git a/sources b/sources
index 687cb88..d85e3bb 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (opencryptoki-3.26.0.tar.gz) = b135139494bfb619de7bb05f0d45f5fa09314405ff21eeacfc55b7fb73b352d7c36328ca85f4efac40e0c346ac9472683348635e6b88262952fdaf9f29664ad2
+SHA512 (opencryptoki-3.27.0.tar.gz) = 4574539522efbcca0e836a71b3e0dbbfe56e5959fb94b1d6f7523c27b63ce6fbaae2814422a1aab27c11b283fe035d559747a93f71c8c2531cf396e5803f6447
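Review bot: the new SHA512 cannot be checked from the diff; confirm it matches the tarball fetched from the Source0 URL (the github.com/opencryptoki/opencryptoki archive/v3.27.0 path) and, because that is a GitHub-generated archive rather than a release asset published by upstream, compare it with the checksum of the upstream release tarball as well, so the lookaside copy is known to be the upstream content for a build that drops a CVE patch on the strength of the release notes.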