From: Jakub Bogusz
Date: Sun, 6 Mar 2016 07:12:42 +0000 (+0100)
Subject: - updated to 3.4.1
X-Git-Tag: auto/th/opencryptoki-3.4.1-1
X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=aabc4c144d61825e812b552750f1dc6dd78f0c74;p=packages%2Fopencryptoki.git
- updated to 3.4.1
- updated sh,noroot patches
- removed outdated ica,bcom,aep,format patches
- aeptok,crtok,bcomtok support is gone; new ep11tok available on s390*
---
diff --git a/opencryptoki-aep.patch b/opencryptoki-aep.patch
deleted file mode 100644
index 6fecbef..0000000
--- a/opencryptoki-aep.patch
+++ /dev/null
@@ -1,478 +0,0 @@ ---- opencryptoki-2.4/usr/lib/pkcs11/aep_stdll/aeptok_api.c.orig 2011-05-18 00:27:00.000000000 +0200 -+++ opencryptoki-2.4/usr/lib/pkcs11/aep_stdll/aeptok_api.c 2011-06-19 20:39:06.422327697 +0200 -@@ -34,6 +34,12 @@ - #include - #include - #include -+#include -+ -+#include "pkcs11types.h" -+#include "defs.h" -+#include "host_defs.h" -+#include "h_extern.h" - - #include "aeptok_api.h" - ---- opencryptoki/usr/lib/pkcs11/aep_stdll/aeptok_specific.c.orig 2013-07-15 19:25:40.000000000 +0200 -+++ opencryptoki/usr/lib/pkcs11/aep_stdll/aeptok_specific.c 2013-12-30 22:59:58.222059030 +0100 -@@ -14,7 +14,6 @@ - #include "defs.h" - #include "host_defs.h" - #include "h_extern.h" --#include "args.h" - #include "errno.h" - #include "tok_specific.h" - -@@ -49,13 +48,13 @@ int cryptoki_aep_avail = TRUE; - static int max_key_len = 2176; - - CK_RV --token_specific_session(CK_SLOT_ID slotid) -+token_specific_open_session(SESSION *session) - { - return CKR_OK; - } - - CK_RV --token_rng(CK_BYTE *output, CK_ULONG bytes) -+token_specific_rng(CK_BYTE *output, CK_ULONG bytes) - { - #if 0 - int bytes2 = 384; -@@ -97,19 +96,19 @@ tok_slot2local(CK_SLOT_ID snum) - - - CK_RV --token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber) -+token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber,char * conf_name) - { - return CKR_OK; - } - - CK_RV --token_specific_final() -+token_specific_final(void) - { - return CKR_OK; - } - - CK_RV --token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG len) -+token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG len,CK_ULONG keysize) - { - - // Nothing different to do for DES or TDES here as this is just -@@ -127,10 +126,11 @@ token_specific_des_ecb(CK_BYTE * in_data - CK_ULONG in_data_len, - CK_BYTE *out_data, - CK_ULONG *out_data_len, -- CK_BYTE *key_value, -+ OBJECT *key, - CK_BYTE encrypt) - { - CK_ULONG rc; -+ CK_ATTRIBUTE *attr = NULL; - - des_key_schedule des_key2; - const_des_cblock key_val_SSL, in_key_data; -@@ -138,8 +138,14 @@ 
token_specific_des_ecb(CK_BYTE * in_data - int i,j; - int ret; - -+ // get the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ - // Create the key schedule -- memcpy(&key_val_SSL, key_value, 8); -+ memcpy(&key_val_SSL, attr->pValue, 8); - des_set_key_unchecked(&key_val_SSL, des_key2); - - // the des decrypt will only fail if the data length is not -@@ -181,11 +187,12 @@ token_specific_des_cbc(CK_BYTE * in_data - CK_ULONG in_data_len, - CK_BYTE *out_data, - CK_ULONG *out_data_len, -- CK_BYTE *key_value, -+ OBJECT *key, - CK_BYTE *init_v, - CK_BYTE encrypt) - { - CK_ULONG rc; -+ CK_ATTRIBUTE *attr = NULL; - - des_cblock ivec; - int ret; -@@ -194,8 +201,14 @@ token_specific_des_cbc(CK_BYTE * in_data - const_des_cblock key_val_SSL, in_key_data; - des_cblock out_key_data; - -+ // get the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ - // Create the key schedule -- memcpy(&key_val_SSL, key_value, 8); -+ memcpy(&key_val_SSL, attr->pValue, 8); - des_set_key_unchecked(&key_val_SSL, des_key2); - - memcpy(&ivec, init_v, 8); -@@ -225,10 +238,13 @@ token_specific_tdes_ecb(CK_BYTE * in_dat - CK_ULONG in_data_len, - CK_BYTE *out_data, - CK_ULONG *out_data_len, -- CK_BYTE *key_value, -+ OBJECT *key, - CK_BYTE encrypt) - { - CK_RV rc; -+ CK_ATTRIBUTE *attr = NULL; -+ CK_KEY_TYPE keytype; -+ CK_BYTE key_value[3*DES_KEY_SIZE]; - - int k,j, ret; - des_cblock out_temp; -@@ -239,6 +255,25 @@ token_specific_tdes_ecb(CK_BYTE * in_dat - const_des_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data; - des_cblock out_key_data; - -+ // get the key type -+ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr); -+ if (rc == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ keytype = *(CK_KEY_TYPE *)attr->pValue; -+ -+ // get 
the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ if (keytype == CKK_DES2) { -+ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE); -+ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE); -+ } else -+ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE); -+ - // The key as passed is a 24 byte long string containing three des keys - // pick them apart and create the 3 corresponding key schedules - memcpy(&key_SSL1, key_value, 8); -@@ -291,12 +326,16 @@ token_specific_tdes_cbc(CK_BYTE * in_dat - CK_ULONG in_data_len, - CK_BYTE *out_data, - CK_ULONG *out_data_len, -- CK_BYTE *key_value, -+ OBJECT *key, - CK_BYTE *init_v, - CK_BYTE encrypt) - { - - CK_RV rc = CKR_OK; -+ CK_ATTRIBUTE *attr = NULL; -+ CK_KEY_TYPE keytype; -+ CK_BYTE key_value[3*DES_KEY_SIZE]; -+ - des_key_schedule des_key1; - des_key_schedule des_key2; - des_key_schedule des_key3; -@@ -304,6 +343,25 @@ token_specific_tdes_cbc(CK_BYTE * in_dat - const_des_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data; - des_cblock ivec; - -+ // get the key type -+ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr); -+ if (rc == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ keytype = *(CK_KEY_TYPE *)attr->pValue; -+ -+ // get the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ if (keytype == CKK_DES2) { -+ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE); -+ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE); -+ } else -+ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE); -+ - // The key as passed in is a 24 byte string containing 3 keys - // pick it apart and create the key schedules - memcpy(&key_SSL1, key_value, 8); -@@ -829,12 +887,18 @@ CK_RV - token_specific_rsa_encrypt( CK_BYTE * in_data, - CK_ULONG in_data_len, - 
CK_BYTE * out_data, -+ CK_ULONG * out_data_len, - OBJECT * key_obj ) - { - CK_RV rc; - RSA *rsa; - int mLen; - -+ if (in_data_len > *out_data_len) { -+ OCK_LOG_DEBUG("CKR_DATA_LEN_RANGE\n"); -+ return CKR_DATA_LEN_RANGE; -+ } -+ - // Convert the local representation to an RSA representation - rsa = (RSA *)rsa_convert_public_key(key_obj, &mLen); - if (rsa==NULL) { -@@ -862,6 +926,7 @@ token_specific_rsa_encrypt( CK_BYTE * - } - - if (rc != 0) { -+ *out_data_len = in_data_len; - rc = CKR_OK; - } else { - OCK_LOG_ERR(ERR_FUNCTION_FAILED); -@@ -879,12 +944,18 @@ CK_RV - token_specific_rsa_decrypt( CK_BYTE * in_data, - CK_ULONG in_data_len, - CK_BYTE * out_data, -+ CK_ULONG * out_data_len, - OBJECT * key_obj ) - { - CK_RV rc; - RSA *rsa; - int mLen; - -+ if (*out_data_len < in_data_len) { -+ OCK_LOG_ERR(ERR_BUFFER_TOO_SMALL); -+ return CKR_BUFFER_TOO_SMALL; -+ } -+ - // Convert the local key representation to an RSA key representaion - rsa = (RSA *)rsa_convert_private_key(key_obj, &mLen); - if (rsa == NULL) { -@@ -910,6 +981,7 @@ token_specific_rsa_decrypt( CK_BYTE * - rsa, RSA_NO_PADDING); - } - if (rc != 0) { -+ *out_data_len = in_data_len; - rc = CKR_OK; - } else { - OCK_LOG_ERR(ERR_FUNCTION_FAILED); -@@ -925,7 +997,7 @@ token_specific_rsa_decrypt( CK_BYTE * - #ifndef NOAES - - CK_RV --token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len ) -+token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len, CK_ULONG keysize ) - { - return rng_generate(key, len); - } -@@ -935,22 +1007,28 @@ token_specific_aes_ecb( CK_BYTE - CK_ULONG in_data_len, - CK_BYTE *out_data, - CK_ULONG *out_data_len, -- CK_BYTE *key_value, -- CK_ULONG key_len, -+ OBJECT *key, - CK_BYTE encrypt) - { -+ CK_ATTRIBUTE *attr = NULL; - AES_KEY ssl_aes_key; - int i; - /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0, - * so this is fine */ - CK_ULONG loops = (CK_ULONG)(in_data_len/AES_BLOCK_SIZE); - -+ // get the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == 
FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ - memset( &ssl_aes_key, 0, sizeof(AES_KEY)); - - // AES_ecb_encrypt encrypts only a single block, so we have to break up the - // input data here - if (encrypt) { -- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); -+ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); - for( i=0; ipValue, (attr->ulValueLen*8), &ssl_aes_key); - for( i=0; itemplate, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ - memset( &ssl_aes_key, 0, sizeof(AES_KEY)); - - // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike - // AES_ecb_encrypt, so no looping required. - if (encrypt) { -- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); -+ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); - AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data, - in_data_len, &ssl_aes_key, - init_v, AES_ENCRYPT); - } else { -- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); -+ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); - AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data, - in_data_len, &ssl_aes_key, - init_v, AES_DECRYPT); ---- opencryptoki/usr/lib/pkcs11/aep_stdll/tok_struct.h.orig 2013-07-15 19:25:40.000000000 +0200 -+++ opencryptoki/usr/lib/pkcs11/aep_stdll/tok_struct.h 2013-12-30 23:06:15.798709893 +0100 -@@ -310,26 +310,91 @@ - token_spec_t token_specific = { - AEP_CONFIG_PATH, - "aep", -- "AEP_STDLL_Debug", -+ 0, -+ { -+ FALSE, -+ FALSE, -+ CKM_DES3_CBC, -+ "12345678", -+ "10293847" -+ }, -+ NULL, /* creatlock */ -+ NULL, /* attach_shm */ - &token_specific_init, -+ NULL, /* init_token_data */ -+ NULL, /* load_token_data */ -+ NULL, /* save_token_data */ - &tok_slot2local, -- &token_rng, -- &token_specific_session, -+ 
&token_specific_rng, -+ &token_specific_open_session, -+ NULL, /* close_session */ - &token_specific_final, -+ NULL, /* init_token */ -+ NULL, /* login */ -+ NULL, /* logout */ -+ NULL, /* init_pin */ -+ NULL, /* set_pin */ -+ NULL, /* copy object */ -+ NULL, /* create_object */ -+ NULL, /* get_attribute_value */ -+ NULL, /* set_attribute_value */ -+ NULL, /* find_objects_init */ -+ NULL, /* destroy_object */ -+ NULL, /* generate_key */ -+ NULL, /* generate_key_pair */ -+ NULL, /* encrypt_init */ -+ NULL, /* encrypt */ -+ NULL, /* encrypt_update */ -+ NULL, /* encrypt_final */ -+ NULL, /* decrypt_init */ -+ NULL, /* decrypt */ -+ NULL, /* decrypt_update */ -+ NULL, /* decrypt_final */ -+ NULL, /* derive_key */ -+ NULL, /* wrap_key */ -+ NULL, /* unwrap_key */ -+ NULL, /* sign_init */ -+ NULL, /* sign */ -+ NULL, /* sign_update */ -+ NULL, /* sign_final */ -+ NULL, /* verify_init */ -+ NULL, /* verify */ -+ NULL, /* verify_update */ -+ NULL, /* verify_final */ -+ - &token_specific_des_key_gen, - &token_specific_des_ecb, - &token_specific_des_cbc, - - &token_specific_tdes_ecb, - &token_specific_tdes_cbc, -- -+ NULL, /* tdes_ofb */ -+ NULL, /* tdes_cfb */ -+ NULL, /* tdes_mac */ - - &token_specific_rsa_decrypt, - &token_specific_rsa_encrypt, -+ NULL, /* rsa_sign */ -+ NULL, /* rsa_verify */ -+ NULL, /* rsa_verify_recover */ -+ NULL, /* rsa_x509_decrypt */ -+ NULL, /* rsa_x509_encrypt */ -+ NULL, /* rsa_x509_sign */ -+ NULL, /* rsa_x509_verify */ -+ NULL, /* rsa_x509_verify_recover */ - &token_specific_rsa_generate_keypair, -+ -+ NULL, /* ec_sign */ -+ NULL, /* ec_verify */ -+ NULL, /* ec_generate_keypair */ - // DH -+#ifndef NODH - &token_specific_dh_pkcs_derive, - &token_specific_dh_pkcs_key_pair_gen, -+#else -+ NULL, -+ NULL, -+#endif - // SHA1 - NULL, - NULL, -@@ -346,15 +411,29 @@ token_spec_t token_specific = { - NULL, - NULL, - NULL, --#ifndef NOAES - // AES -+#ifndef NOAES - &token_specific_aes_key_gen, - &token_specific_aes_ecb, - &token_specific_aes_cbc, 
-+#else -+ NULL, -+ NULL, - NULL, - #endif -+ NULL, -+ -+ NULL, /* t_aes_ofb */ -+ NULL, /* t_aes_cfb */ -+ NULL, /* t_aes_mac */ -+ -+ NULL, /* dsa_generate_keypair */ -+ NULL, /* dsa_sign */ -+ NULL, /* dsa_verify */ -+ - &token_specific_get_mechanism_list, -- &token_specific_get_mechanism_info -+ &token_specific_get_mechanism_info, -+ NULL /* object_add */ - }; - - #endif diff --git a/opencryptoki-bcom.patch b/opencryptoki-bcom.patch deleted file mode 100644 index 98d4b86..0000000 --- a/opencryptoki-bcom.patch +++ /dev/null 
@@ -1,468 +0,0 @@ ---- opencryptoki-2.3.2/configure.in.orig 2010-10-09 21:43:05.827741882 +0200 -+++ opencryptoki-2.3.2/configure.in 2010-10-09 23:12:37.735734339 +0200 -@@ -597,7 +597,7 @@ - else - enable_bcomtok=no - fi --AM_CONDITIONAL([ENABLE_BCOMTOK], [test "x$enable_bcom" = "xyes"]) -+AM_CONDITIONAL([ENABLE_BCOMTOK], [test "x$enable_bcomtok" = "xyes"]) - - dnl --- enable_crtok - if test "x$enable_crtok" = "xyes"; then ---- opencryptoki/usr/lib/pkcs11/bcom_stdll/bcom_specific.c.orig 2013-07-15 19:25:40.000000000 +0200 -+++ opencryptoki/usr/lib/pkcs11/bcom_stdll/bcom_specific.c 2013-12-30 23:06:27.528709358 +0100 -@@ -6,7 +6,6 @@ - #include "defs.h" - #include "host_defs.h" - #include "h_extern.h" --#include "args.h" - #include "errno.h" - #include "tok_specific.h" - #include "tok_struct.h" -@@ -62,14 +61,14 @@ void swapper(char *s, char *d, int size) - - - CK_RV --token_specific_session(CK_SLOT_ID slotid) -+token_specific_open_session(SESSION *session) - { - return CKR_OK; - - } - - CK_RV --token_rng(CK_BYTE *output, CK_ULONG bytes) -+token_specific_rng(CK_BYTE *output, CK_ULONG bytes) - { - - #if 1 -@@ -115,14 +114,14 @@ tok_slot2local(CK_SLOT_ID snum) - - - CK_RV --token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber) -+token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber,char * conf_name) - { - bcomfd = ubsec_open(UBSEC_KEY_DEVICE); - return CKR_OK; - } - - CK_RV --token_specific_final() -+token_specific_final(void) - { - - ubsec_close(bcomfd); -@@ -132,7 +131,7 @@ token_specific_final() - - - CK_RV --token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG _len) -+token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG _len,CK_ULONG keysize) - { - - // Nothing different to do for DES or TDES here as this is just -@@ -150,18 +149,25 @@ token_specific_des_ecb(CK_BYTE * in_data - CK_ULONG in_data__len, - CK_BYTE *out_data, - CK_ULONG *out_data__len, -- CK_BYTE *key_value, -+ OBJECT *key, - CK_BYTE encrypt) - { - CK_ULONG rc; -+ CK_ATTRIBUTE *attr = 
NULL; - unsigned char in_block_data[8]; - unsigned char out_block_data[8]; - int i,j; - int ret; - ubsec_crypto_context_t ctx; - -+ // get the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ - // Initialize the crypto contexte -- ubsec_crypto_init(key_value, ZERO_KEY, ZERO_KEY, -+ ubsec_crypto_init(attr->pValue, ZERO_KEY, ZERO_KEY, - ZERO_KEY, UBSEC_DES, 0, &ctx); - - // the des decrypt will only fail if the data _length is not evenly divisible -@@ -213,16 +219,23 @@ token_specific_des_cbc(CK_BYTE * in_data - CK_ULONG in_data__len, - CK_BYTE *out_data, - CK_ULONG *out_data__len, -- CK_BYTE *key_value, -+ OBJECT *key, - CK_BYTE *init_v, - CK_BYTE encrypt) - { - CK_ULONG rc; -+ CK_ATTRIBUTE *attr = NULL; - int ret; - ubsec_crypto_context_t ctx; - -+ // get the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ - // Initialize the crypto contexte -- ubsec_crypto_init(key_value, ZERO_KEY, ZERO_KEY, -+ ubsec_crypto_init(attr->pValue, ZERO_KEY, ZERO_KEY, - ZERO_KEY, UBSEC_DES, 0, &ctx); - - // the des decrypt will only fail if the data _length is not evenly divisible -@@ -255,16 +268,38 @@ token_specific_tdes_ecb(CK_BYTE * in_dat - CK_ULONG in_data__len, - CK_BYTE *out_data, - CK_ULONG *out_data__len, -- CK_BYTE *key_value, -+ OBJECT *key, - CK_BYTE encrypt) - { - CK_ULONG rc; -+ CK_ATTRIBUTE *attr = NULL; -+ CK_KEY_TYPE keytype; -+ CK_BYTE key_value[3*DES_KEY_SIZE]; - unsigned char in_block_data[8]; - unsigned char out_block_data[8]; - int i,j; - int ret; - ubsec_crypto_context_t ctx; - -+ // get the key type -+ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr); -+ if (rc == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ keytype = *(CK_KEY_TYPE *)attr->pValue; -+ -+ // get the key value -+ if 
(template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ if (keytype == CKK_DES2) { -+ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE); -+ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE); -+ } else -+ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE); -+ - // Initialize the crypto contexte - // the triple DES key is in the 24-byte array key_value - ubsec_crypto_init(key_value, key_value+8, key_value+16, -@@ -318,14 +353,36 @@ token_specific_tdes_cbc(CK_BYTE * in_dat - CK_ULONG in_data__len, - CK_BYTE *out_data, - CK_ULONG *out_data__len, -- CK_BYTE *key_value, -+ OBJECT *key, - CK_BYTE *init_v, - CK_BYTE encrypt) - { - CK_ULONG rc; -+ CK_ATTRIBUTE *attr = NULL; -+ CK_KEY_TYPE keytype; -+ CK_BYTE key_value[3*DES_KEY_SIZE]; - int ret; - ubsec_crypto_context_t ctx; - -+ // get the key type -+ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr); -+ if (rc == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ keytype = *(CK_KEY_TYPE *)attr->pValue; -+ -+ // get the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ if (keytype == CKK_DES2) { -+ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE); -+ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE); -+ } else -+ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE); -+ - // Initialize the crypto contexte - // Triple DES key is in the 24-byte array key_value - ubsec_crypto_init(key_value, key_value+8, key_value+16, -@@ -947,6 +1004,7 @@ CK_RV - token_specific_rsa_encrypt( CK_BYTE *in_data, - CK_ULONG in_data_len, - CK_BYTE *out_data, -+ CK_ULONG * out_data_len, - OBJECT *key_obj ) - { - CK_RV rc; -@@ -954,6 +1012,11 @@ token_specific_rsa_encrypt( CK_BYTE *i - int out_len_bits; - CK_BYTE *tcipher, *tclear; - -+ if (in_data_len > *out_data_len) { -+ 
OCK_LOG_DEBUG("CKR_DATA_LEN_RANGE\n"); -+ return CKR_DATA_LEN_RANGE; -+ } -+ - rc = bcom_rsa_pub_from_object(key_obj, &pubKey); - if ( rc != 0) { - rc = CKR_FUNCTION_FAILED; -@@ -1017,6 +1080,7 @@ token_specific_rsa_encrypt( CK_BYTE *i - /* swapp to get back PKCS11 representation */ - swapper(tcipher, out_data, in_data_len); - -+ *out_data_len = in_data_len; - rc = CKR_OK; - done: - -@@ -1038,6 +1102,7 @@ CK_RV - token_specific_rsa_decrypt( CK_BYTE * in_data, - CK_ULONG in_data_len, - CK_BYTE * out_data, -+ CK_ULONG * out_data_len, - OBJECT * key_obj ) - { - CK_RV rc; -@@ -1046,6 +1111,11 @@ token_specific_rsa_decrypt( CK_BYTE * - BCOM_RSA_CRT_KEY_t *privKey; - int out_len; - -+ if (*out_data_len < in_data_len) { -+ OCK_LOG_ERR(ERR_BUFFER_TOO_SMALL); -+ return CKR_BUFFER_TOO_SMALL; -+ } -+ - rc = bcom_rsa_crt_key_from_object(key_obj, &privKey); - if (rc != 0) { - rc = CKR_FUNCTION_FAILED; -@@ -1114,6 +1184,7 @@ token_specific_rsa_decrypt( CK_BYTE * - swapper(tclear, out_data,in_data_len); - - -+ *out_data_len = in_data_len; - rc = CKR_OK; - - done: -@@ -1154,7 +1225,7 @@ PrintNumber(FILE *ofptr, void *num, unsi - - #ifndef NOAES - CK_RV --token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len ) -+token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len, CK_ULONG keysize ) - { - return rng_generate(key, len); - } -@@ -1164,22 +1235,28 @@ token_specific_aes_ecb( CK_BYTE - CK_ULONG in_data_len, - CK_BYTE *out_data, - CK_ULONG *out_data_len, -- CK_BYTE *key_value, -- CK_ULONG key_len, -+ OBJECT *key, - CK_BYTE encrypt) - { -+ CK_ATTRIBUTE *attr = NULL; - AES_KEY ssl_aes_key; - int i; - /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0, - * so this is fine */ - CK_ULONG loops = (CK_ULONG)(in_data_len/AES_BLOCK_SIZE); - -+ // get the key value -+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ - memset( &ssl_aes_key, 0, sizeof(AES_KEY)); - - // 
AES_ecb_encrypt encrypts only a single block, so we have to break up the - // input data here - if (encrypt) { -- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); -+ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); - for( i=0; ipValue, (attr->ulValueLen*8), &ssl_aes_key); - for( i=0; itemplate, CKA_VALUE, &attr) == FALSE) { -+ OCK_LOG_ERR(ERR_FUNCTION_FAILED); -+ return CKR_FUNCTION_FAILED; -+ } -+ - memset( &ssl_aes_key, 0, sizeof(AES_KEY)); - - // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike - // AES_ecb_encrypt, so no looping required. - if (encrypt) { -- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); -+ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); - AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data, - in_data_len, &ssl_aes_key, - init_v, AES_ENCRYPT); - } else { -- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); -+ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); - AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data, - in_data_len, &ssl_aes_key, - init_v, AES_DECRYPT); ---- opencryptoki/usr/lib/pkcs11/bcom_stdll/tok_struct.h.orig 2013-07-15 19:25:41.000000000 +0200 -+++ opencryptoki/usr/lib/pkcs11/bcom_stdll/tok_struct.h 2013-12-30 23:06:13.915376610 +0100 -@@ -310,27 +310,90 @@ - token_spec_t token_specific = { - BCOM_CONFIG_PATH, - "bcom", -- "BC_STDLL_Debug", -+ 0, -+ { -+ FALSE, -+ FALSE, -+ CKM_DES3_CBC, -+ "12345678", -+ NULL -+ }, -+ NULL, /* creatlock */ -+ NULL, /* attach_shm */ - &token_specific_init, -+ NULL, /* init_token_data */ -+ NULL, /* load_token_data */ -+ NULL, /* save_token_data */ - &tok_slot2local, -- &token_rng, -- &token_specific_session, -+ &token_specific_rng, -+ &token_specific_open_session, -+ NULL, /* close_session */ - &token_specific_final, -+ NULL, /* init_token */ -+ 
NULL, /* login */ -+ NULL, /* logout */ -+ NULL, /* init_pin */ -+ NULL, /* set_pin */ -+ NULL, /* copy object */ -+ NULL, /* create_object */ -+ NULL, /* get_attribute_value */ -+ NULL, /* set_attribute_value */ -+ NULL, /* find_objects_init */ -+ NULL, /* destroy_object */ -+ NULL, /* generate_key */ -+ NULL, /* generate_key_pair */ -+ NULL, /* encrypt_init */ -+ NULL, /* encrypt */ -+ NULL, /* encrypt_update */ -+ NULL, /* encrypt_final */ -+ NULL, /* decrypt_init */ -+ NULL, /* decrypt */ -+ NULL, /* decrypt_update */ -+ NULL, /* decrypt_final */ -+ NULL, /* derive_key */ -+ NULL, /* wrap_key */ -+ NULL, /* unwrap_key */ -+ NULL, /* sign_init */ -+ NULL, /* sign */ -+ NULL, /* sign_update */ -+ NULL, /* sign_final */ -+ NULL, /* verify_init */ -+ NULL, /* verify */ -+ NULL, /* verify_update */ -+ NULL, /* verify_final */ -+ - &token_specific_des_key_gen, - &token_specific_des_ecb, - &token_specific_des_cbc, - - &token_specific_tdes_ecb, - &token_specific_tdes_cbc, -- -+ NULL, /* tdes_ofb */ -+ NULL, /* tdes_cfb */ -+ NULL, /* tdes_mac */ - - &token_specific_rsa_decrypt, - &token_specific_rsa_encrypt, -+ NULL, /* rsa_sign */ -+ NULL, /* rsa_verify */ -+ NULL, /* rsa_verify_recover */ -+ NULL, /* rsa_x509_decrypt */ -+ NULL, /* rsa_x509_encrypt */ -+ NULL, /* rsa_x509_sign */ -+ NULL, /* rsa_x509_verify */ -+ NULL, /* rsa_x509_verify_recover */ - &token_specific_rsa_generate_keypair, --#ifndef NODH -+ -+ NULL, /* ec_sign */ -+ NULL, /* ec_verify */ -+ NULL, /* ec_generate_keypair */ - // DH -+#ifndef NODH - &token_specific_dh_pkcs_derive, - &token_specific_dh_pkcs_key_pair_gen, -+#else -+ NULL, -+ NULL, - #endif - // SHA1 - NULL, -@@ -348,15 +411,29 @@ token_spec_t token_specific = { - NULL, - NULL, - NULL, --#ifndef NOAES - // AES -+#ifndef NOAES - &token_specific_aes_key_gen, - &token_specific_aes_ecb, - &token_specific_aes_cbc, -+#else -+ NULL, -+ NULL, - NULL, - #endif -+ NULL, -+ -+ NULL, /* t_aes_ofb */ -+ NULL, /* t_aes_cfb */ -+ NULL, /* t_aes_mac */ -+ 
-+ NULL, /* dsa_generate_keypair */ -+ NULL, /* dsa_sign */ -+ NULL, /* dsa_verify */ -+ - &token_specific_get_mechanism_list, -- &token_specific_get_mechanism_info -+ &token_specific_get_mechanism_info, -+ NULL /* object_add */ - }; - - #endif diff --git a/opencryptoki-format.patch b/opencryptoki-format.patch deleted file mode 100644 index a96c1ef..0000000 --- a/opencryptoki-format.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- opencryptoki/usr/sbin/pkcsslotd/log.c.orig 2013-07-15 19:25:41.000000000 +0200 -+++ opencryptoki/usr/sbin/pkcsslotd/log.c 2013-12-30 23:09:12.875369087 +0100 -@@ -823,7 +823,7 @@ - - /* Always log to syslog, if we're using it */ - if ( pInfo->UseSyslog ) { -- syslog(pInfo->LogLevel, Buffer); -+ syslog(pInfo->LogLevel, "%s", Buffer); - } - - return TRUE; diff --git a/opencryptoki-ica.patch b/opencryptoki-ica.patch deleted file mode 100644 index 0a3eae2..0000000 --- a/opencryptoki-ica.patch +++ /dev/null 
@@ -1,53 +0,0 @@ ---- opencryptoki-2.2.5/usr/lib/pkcs11/ica_stdll/ica_specific.c.orig 2007-09-06 17:40:13.000000000 +0200 -+++ opencryptoki-2.2.5/usr/lib/pkcs11/ica_stdll/ica_specific.c 2008-01-13 19:31:06.979358339 +0100 -@@ -1101,27 +1101,27 @@ - CK_RV - token_specific_sha_init( DIGEST_CONTEXT * ctx ) - { -- oc_sha1_ctx *sc; -+ struct oc_sha_ctx *sc; - - /* For the C_DigestInit, C_Digest case, we may have already - * created ctx->context... - KEY - */ - if(ctx->context) { -- sc = (oc_sha1_ctx *)ctx->context; -+ sc = (struct oc_sha_ctx *)ctx->context; - if(sc->dev_ctx) - free(sc->dev_ctx); - free(ctx->context); - } - - /* The caller will check to see if ctx->context == NULL */ -- ctx->context_len = sizeof(oc_sha1_ctx); -- ctx->context = malloc(sizeof(oc_sha1_ctx)); -+ ctx->context_len = sizeof(struct oc_sha_ctx); -+ ctx->context = malloc(sizeof(struct oc_sha_ctx)); - - if(ctx->context == NULL) - return CKR_HOST_MEMORY; - - memset(ctx->context, 0, ctx->context_len); -- sc = (oc_sha1_ctx *)ctx->context; -+ sc = (struct oc_sha_ctx *)ctx->context; - sc->hash_len = SHA1_HASH_SIZE; - sc->message_part = SHA_MSG_PART_ONLY; - /* This is libica's LENGTH_SHA_CONTEXT */ -@@ -1142,7 +1142,7 @@ - CK_ULONG in_data_len ) - { - unsigned int rc, i, fill_size = 0; -- oc_sha1_ctx *oc_sha_ctx = (oc_sha1_ctx *)ctx->context; -+ struct oc_sha_ctx *oc_sha_ctx = (struct oc_sha_ctx *)ctx->context; - SHA_CONTEXT *ica_sha_ctx = (SHA_CONTEXT *)oc_sha_ctx->dev_ctx; - - if( !ctx ) -@@ -1316,7 +1316,7 @@ - CK_ULONG *out_data_len ) - { - CK_RV rv = CKR_OK; -- oc_sha1_ctx *oc_sha_ctx = (oc_sha1_ctx *)ctx->context; -+ struct oc_sha_ctx *oc_sha_ctx = (struct oc_sha_ctx *)ctx->context; - int copy_len = MIN(*out_data_len, LENGTH_SHA_HASH); - - if( !ctx ) diff --git a/opencryptoki-noroot.patch b/opencryptoki-noroot.patch index 2d1c95b..8c81611 100644 --- a/opencryptoki-noroot.patch +++ b/opencryptoki-noroot.patch 
@@ -39,11 +39,11 @@
 $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
 uninstall-hook:
---- opencryptoki/usr/Makefile.am.orig 2013-07-15 19:25:40.000000000 +0200
-+++ opencryptoki/usr/Makefile.am 2013-12-31 09:26:05.323815816 +0100
+--- opencryptoki/usr/Makefile.am.orig 2016-03-05 22:26:13.779273281 +0100
++++ opencryptoki/usr/Makefile.am 2016-03-05 23:06:04.015839640 +0100
 @@ -6,5 +6,4 @@
 install-data-hook:
- $(MKDIR_P) $(DESTDIR)$(lockdir)
-- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)
+ $(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
diff --git a/opencryptoki-sh.patch b/opencryptoki-sh.patch
index 1c78b11..d715d48 100644
--- a/opencryptoki-sh.patch
+++ b/opencryptoki-sh.patch
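Review bot: The refreshed install-data-hook keeps `$(CHMOD) 0770` on `$(DESTDIR)$(lockdir)` and now also applies it to the new `$(DESTDIR)$(logdir)`, but with the `$(CHGRP) pkcs11` line dropped nothing in the build assigns those directories to the group that is meant to use them. The spec hunks shown in this commit add no `%files` entry for the log directory, so unless one exists outside the visible hunks the directory is either left unpackaged or shipped without the pkcs11 group, and mode 0770 then locks that group out of it. I would confirm that `%files` lists both directories with explicit ownership and mode, e.g. `%attr(770,root,pkcs11) %dir <log directory path>` beside whatever entry already covers the lock directory.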
@@ -1,11 +1,11 @@
---- opencryptoki/configure.in.orig 2013-12-30 15:35:25.853178364 +0100
-+++ opencryptoki/configure.in 2013-12-30 15:36:03.333176738 +0100
-@@ -721,7 +721,7 @@
+--- opencryptoki/configure.in.orig 2016-03-05 21:11:02.889462586 +0100
++++ opencryptoki/configure.in 2016-03-05 21:12:55.766124521 +0100
+@@ -556,7 +556,7 @@
- CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500"
+ CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500 -Wall -Wno-pointer-sign"
--CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\"'
-+CFLAGS="$CFLAGS"' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\"'
+-CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
++CFLAGS="$CFLAGS"' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
 # At this point, CFLAGS is set to something sensible
 AC_PROG_CC
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 728c22f..89e2911 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,31 +1,18 @@
-#
-# Conditional build:
-%bcond_without aep # AEP Crypto Accelerator support
-%bcond_without bcom # Broadcom Crypto Accelerator support
-%bcond_with corrent # Corrent Crypto Accelerator support [BR: libsocketarmor/typhoon.h; probably no longer available]
-%bcond_with pkcscca # CCA token key migration tool [BR: xcryptolinz, s390x arch]
-#
 Summary: An Implementation of PKCS#11 (Cryptoki) v2.11
 Summary(pl.UTF-8): Implementacja PKCS#11 (Cryptoki) v2.11
 Name: opencryptoki
-Version: 3.0
+Version: 3.4.1
 Release: 1
 License: CPL v0.5
 Group: Applications/System
-Source0: http://downloads.sourceforge.net/opencryptoki/%{name}-v%{version}.tar.gz
-# Source0-md5: ec4e2a196c8a336d400d3b17288260af
-Patch0: %{name}-ica.patch
-Patch1: %{name}-sh.patch
-Patch2: %{name}-bcom.patch
-Patch3: %{name}-aep.patch
-Patch4: %{name}-format.patch
-Patch5: %{name}-noroot.patch
-Patch6: %{name}-notonlysystemd.patch
+Source0: http://downloads.sourceforge.net/opencryptoki/%{name}-v%{version}.tgz
+# Source0-md5: 100d587be68f299b1f196aba0e6e0b76
+Patch0: %{name}-sh.patch
+Patch1: %{name}-noroot.patch
+Patch2: %{name}-notonlysystemd.patch
 URL: http://opencryptoki.sourceforge.net/
-%{?with_aep:BuildRequires: aep1000-devel}
 BuildRequires: autoconf
 BuildRequires: automake >= 1.6
-%{?with_bcom:BuildRequires: bcm5820-devel}
 %ifarch s390 s390x
 BuildRequires: libica-devel >= 2.0
 %endif
@@ -34,11 +21,6 @@ BuildRequires: openldap-devel
 BuildRequires: openssl-devel
 BuildRequires: rpmbuild(macros) >= 1.647
 BuildRequires: trousers-devel >= 0.2.9
-%if %{with pkcscca}
-# from http://www-03.ibm.com/security/cryptocards/pcixcc/ordersoftware.shtml :
-# http://www-03.ibm.com/security/cryptocards/dwnlds/xcryptolinzGA-3.28-rc08.s390x.rpm
-BuildRequires: xcryptolinzGA
-%endif
 Requires(post,preun): /sbin/chkconfig
 Requires(post,preun,postun): systemd-units >= 38
 Requires(postun): /usr/sbin/groupdel
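Review bot: Dropping `Patch4: %{name}-format.patch` removes the fix that changed `syslog(pInfo->LogLevel, Buffer)` to `syslog(pInfo->LogLevel, "%s", Buffer)` in usr/sbin/pkcsslotd/log.c, and neither the commit message nor the spec records whether upstream 3.4.1 carries an equivalent change. "Outdated" can mean the patch merely stopped applying rather than that the non-literal format string is gone, so the 3.4.1 log.c should be checked before the patch is retired. A short spec comment next to the patch list, for example `# pkcsslotd/log.c syslog format fix: merged upstream, patch dropped`, would keep that decision reviewable, and building with `-Werror=format-security` would turn any regression into a build failure.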
@@ -48,6 +30,9 @@ Requires: %{name}-libs = %{version}-%{release} Requires: rc-scripts Requires: systemd-units >= 38 Provides: group(pkcs11) +Obsoletes: opencrytoki-module-aeptok +Obsoletes: opencrytoki-module-crtok +Obsoletes: opencrytoki-module-bcomtok BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) %define skip_post_check_so .*%{_libdir}/opencryptoki/stdll/libpkcs11_.*\.so.* @@ -87,34 +72,6 @@ Header files for openCryptoki library. %description devel -l pl.UTF-8 Pliki nagłówkowe biblioteki openCryptoki. -%package module-aeptok -Summary: AEP Crypto Accelerator support for openCryptoki -Summary(pl.UTF-8): Obsługa urządzeń AEP Crypto Accelerator dla openCryptoki -Group: Libraries -Requires: %{name} = %{version}-%{release} - -%description module-aeptok -This package brings the necessary libraries and files to support AEP -Crypto Accelerator devices in the openCryptoki stack. - -%description module-aeptok -l pl.UTF-8 -Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń -kryptograficznych AEP Crypto Accelerator w stosie openCryptoki. - -%package module-bcomtok -Summary: Broadcom Crypto Accelerator support for openCryptoki -Summary(pl.UTF-8): Obsługa urządzeń Broadcom Crypto Accelerator dla openCryptoki -Group: Libraries -Requires: %{name} = %{version}-%{release} - -%description module-bcomtok -This package brings the necessary libraries and files to support -Broadcom Crypto Accelerator devices in the openCryptoki stack. - -%description module-bcomtok -l pl.UTF-8 -Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń -kryptograficznych Broadcom Crypto Accelerator w stosie openCryptoki. - %package module-ccatok Summary: CCA cryptographics devices (secure-key) support for openCryptoki Summary(pl.UTF-8): Obsługa urządzeń kryptograficznych ICA (z bezpiecznym kluczem) dla openCryptoki 
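Review bot: The three added `Obsoletes:` lines spell the package prefix `opencrytoki`, missing the `p`, so they will not match the subpackages this spec used to build. Those were declared as `%package module-aeptok`, `module-bcomtok` and `module-crtok`, which expand through `%{name}` to `opencryptoki-module-*`. As written, an upgrade would presumably either leave the dropped, no longer maintained token modules installed or be blocked by their `Requires: %{name} = %{version}-%{release}`. Use `Obsoletes: %{name}-module-aeptok` and the same form for `crtok` and `bcomtok`, so the names cannot drift from `Name:` again.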
@@ -133,20 +90,6 @@ kryptograficznych CCA w stosie openCryptoki. CCA to interfejs do sprzętu kryptograficznego firmy IBM, takiego jak IBM 4764 lub 4765, wykorzystującego "koprocesor" lub ścieżkę "bezpiecznego klucza". -%package module-crtok -Summary: Corrent Crypto Accelerator support for openCryptoki -Summary(pl.UTF-8): Obsługa urządzeń Corrent Crypto Accelerator dla openCryptoki -Group: Libraries -Requires: %{name} = %{version}-%{release} - -%description module-crtok -This package brings the necessary libraries and files to support -Corrent Crypto Accelerator devices in the openCryptoki stack. - -%description module-crtok -l pl.UTF-8 -Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń -kryptograficznych Corrent Crypto Accelerator w stosie openCryptoki. - %package module-icatok Summary: ICA cryptographics devices (clear-key) support for openCryptoki Summary(pl.UTF-8): Obsługa urządzeń kryptograficznych ICA (z jawnym kluczem) dla openCryptoki @@ -215,10 +158,6 @@ urządzeń TPM (Trusted Platform Module) w stosie openCryptoki. %patch0 -p1 %patch1 -p1 %patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 %build %{__libtoolize} @@ -226,20 +165,17 @@ urządzeń TPM (Trusted Platform Module) w stosie openCryptoki. %{__autoconf} %{__automake} %configure \ - %{!?with_aep:--disable-aeptok} \ - %{!?with_bcom:--disable-bcomtok} \ - %{!?with_corrent:--disable-crtok} \ %ifarch s390 s390x --enable-ccatok \ + --enable-ep11tok \ --enable-icatok \ %else --disable-ccatok \ + --disable-ep11tok \ --disable-icatok \ %endif - %{!?with_pkcsccs:--disable-pkcscca-migrate} \ --enable-tpmtok \ --with-systemd=%{systemdunitdir} -# icctok (PCICC) not supported on Linux (only AIX, Windows, OS/2) %{__make} @@ -251,6 +187,9 @@ rm -rf $RPM_BUILD_ROOT initdir=/etc/rc.d/init.d %{__rm} $RPM_BUILD_ROOT%{_libdir}/opencryptoki/stdll/*.la +%ifnarch s390 s390x +%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/{pkcscca,pkcsep11_migrate}.1 +%endif %clean rm -rf $RPM_BUILD_ROOT 
@@ -318,37 +257,32 @@ fi %{_libdir}/opencryptoki/libopencryptoki.la %{_includedir}/opencryptoki -%if %{with aep} -%files module-aeptok -%defattr(644,root,root,755) -%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_aep.so* -%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_AEP.so -%endif - -%if %{with bcom} -%files module-bcomtok -%defattr(644,root,root,755) -%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_bc.so* -%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_BC.so -%endif - %ifarch s390 s390x %files module-ccatok %defattr(644,root,root,755) -%doc doc/{README-IBM_CCA_users,README.cca_stdll} %{?with_pkcscca:doc/README.pkcscca_migrate} -%if %{with pkcscca} +%doc doc/{README-IBM_CCA_users,README.cca_stdll,README.pkcscca_migrate} %attr(755,root,root) %{_sbindir}/pkcscca_migrate %attr(755,root,root) %{_sbindir}/pkcscca_migrate.sh -%endif %attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so* %attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so +%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/ccatok +%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/ccatok/TOK_OBJ +%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/ccatok +%{_mandir}/man1/pkcscca.1* %endif -%if %{with corrent} -%files module-crtok +%ifarch s390 s390x +%files module-ep11tok %defattr(644,root,root,755) -%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_cr.so* -%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_CR.so +%doc doc/README.ep11_stdll +%attr(755,root,root) %{_sbindir}/pkcsep11_migrate +%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_ep11.so* +%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so +%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/opencryptoki/ep11tok.conf +%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/ep11tok +%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/ep11tok/TOK_OBJ +%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/ep11tok 
+%{_mandir}/man1/pkcsep11_migrate.1* %endif %ifarch s390 s390x @@ -356,6 +290,9 @@ fi %defattr(644,root,root,755) %attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_ica.so* %attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so +%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/lite +%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/lite/TOK_OBJ +%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/lite %endif %files module-icsftok
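Review bot: The added `%dir /var/lock/opencryptoki/ccatok` and `%dir /var/lock/opencryptoki/ep11tok` entries package lock directories under /var/lock, as does `/var/lock/opencryptoki/lite` in the following hunk. On systemd hosts /var/lock is typically tmpfs-backed, so the directories would be gone after a reboot unless something recreates them with the same `770 root:pkcs11` ownership, and nothing visible in this hunk does. If the package does not already ship a tmpfiles.d entry covering them, add one instead of relying on `%files` alone. The token stores are also written as literal `/var/lib/opencryptoki/...` paths, while `CONFIG_PATH` in the refreshed sh patch is built from `$(localstatedir)`. Writing `%{_localstatedir}/lib/opencryptoki/ccatok` would keep the packaged directories and the compiled-in path from diverging. A short comment should also state that mode 770 gives every member of group `pkcs11` write access to the token object directories.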