+ Opencryptoki 3.14

- EP11: Dilitium support stage 2

- Common: Rework on process and thread locking

- Common: Rework on btree and object locking

- ICSF: minor fixes

- TPM, ICA, ICSF: support multiple token instances

- new tool p11sak

+ openCryptoki 3.13.0

- EP11: Dilithium support

- EP11: EdDSA support

- EP11: support RSA-OAEP with non-SHA1 hash and MGF

+ openCryptoki 3.12.1

- Fix pkcsep11_migrate tool

+ openCryptoki 3.12.0

- Update token pin and data store encryption for soft,ica,cca and ep11

- EP11: Allow importing of compressed EC public keys

- EP11: Add support for the CMAC mechanisms

- EP11: Add support for the IBM-SHA3 mechanisms

- SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token

- ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token

- EP11: Add config option USE_PRANDOM

- CCA: Use Random Number Generate Long for token_specific_rng()

- Common rng function: Prefer /dev/prandom over /dev/urandom

- ICA: add SHA*_RSA_PKCS_PSS mechanisms

- Bug fixes

+ openCryptoki 3.11.1

- Bug fixes

* opencryptoki 3.11.0

- EP11 enhancements

- A lot of bug fixes

* opencryptoki 3.10.0

- Add support to ECC on ICA token and to common code.

- Add SHA224 support to SOFT token.

- Improve pkcsslotd logging.

- Fix sha512_hmac_sign and rsa_x509_verify for ICA token.

- Fix tracing of session id.

- Fix and improve testcases.

- Fix spec file permission for log directory.

- Fix build warnings.

* opencryptoki 3.9.0

- Fix token reinitialization

- Fix conditional man pages

- EP11 enhancements

- EP11 EC Key import

- Increase RSA max key length

- Fix broken links on documentation

- Define CK_FALSE and CK_TRUE macros

- Improve build flags

* opencryptoki 3.8.2

- Update man pages.

- Improve ock_tests for parallel execution.

- Fix FindObjectsInit for hidden HW-feature.

- Fix to allow vendor defined hardware features.

- Fix unresolved symbols.

- Fix tracing.

- Code/project cleanup.

* opencryptoki 3.8.1

- Fix TPM data-structure reset function.

- Fix error message when dlsym fails.

- Update configure.ac

- Update travis.

* opencryptoki 3.8.0

- Multi token instance feature.

- Added possibility to run opencryptoki with transactional memory or locks

(--enable-locks on configure step).

- Updated documentation.

- Fix segfault on ec_test.

- Bunch of small fixes.

* opencryptoki 3.7.0

- Update example spec file

- Performance improvement. Moving from mutexes to transactional memory.

- Add ECDSA SHA2 support for EP11 and CCA.

- Fix declaration of inline functions.

- Fix wrong testcase and ber en/decoding for integers.

- Check for 'flex' and 'YACC' on configure.

- EP11 config file rework.

- Add enable-debug on travis build.

- Add testcase for C_GetOperationState/C_SetOperationState.

- Upgrade License to CPL-1.0

- Ica token: fix openssh/ibmpkcs11 engine/libica crash.

- Fix segfault and logic in hardware feature test.

- Fix spelling of documentation and manuals.

- Fix the retrieval of p from a generated rsa key.

- Coverity scan fixes - incompatible pointer type and unused variables.

* opencryptoki 3.6.2

- Support OpenSSL-1.1.

- Add Travis CI support.

- Update autotools scripts and documentation.

- Fix SegFault when a invalid session handle is passed in SC_EncryptUpdate and

SC_DecryptUpdate.

* opencryptoki 3.6.1

- Fix SOFT token implementation of digest functions.

- Replace deprecated OpenSSL interfaces.

* opencryptoki 3.6

- Replace deprecated libica interfaces.

- Performance improvement for ICA.

- Improvement in documentation on system resources.

- Improvement in testcases.

- Added support for rc=8, reasoncode=2028 in icsf token.

- Fix for session handle not set in session issue.

- Multiple fixes for lock and log directories.

- Downgraded a syslog error to warning.

- Multiple fixes based on coverity scan results.

- Added pkcs11 mapping for icsf reason code 72 for return code 8.

* opencryptoki 3.5.1

- Fix Illegal Intruction on pkcscca tool.

* opencryptoki 3.5

- Full Coverity scan fixes.

- Fixes for compiler warnings.

- Added support for C_GetObjectSize in icsf token.

- Various bug fixes and memory leak fixes.

- Removed global read permissions from token files.

- Added missing PKCS#11v2.2 constants.

- Fix for symbol resolution issue seen in Fedora 22 and 23 for

  ep11 and cca tokens.

- Improvements in socket read operation when a token comes up.

- Replaced 32 bit CCA API declarations with latest header from

  version 5.0 libsculcca rpm.

* opencryptoki 3.4.1

- fix 32-bit compiler error for ep11

- fix buffer overflow for cca token

- fix a testcase

* opencryptoki 3.4

- CCA master key migration added to the pkcscca tool. When the masterkey on

  the CCA adapter changes, this allows the token key objects containing

  keys wrapped with the card's former masterkey to be wrapped under the

  card's new masterkey. And thus "migrated".

- AES GCM support added to ica token.

- Ability to generate generic secret keys for CKM_GENERIC_SECRET_KEY_GEN

  added to opencryptoki.

- The soft, cca, ep11, and icsf tokens support HMAC single and multipart for

  SHA1, SHA256, SHA384, and SHA512.

- CCA token, a secure key token, can now import AES, DES3 and

  Generic Secret keys.

- Add -Wall and fix various compiler warnings.

- Coverity scan cleanup.

- Additional test vectors and various testcase improvements made.

- Various bugfixes

* opencryptoki 3.3

- Dynamic tracing introduced via the new environment variable,

  OPENCRYPTOKI_TRACE_LEVEL=<level>. The opencryptoki base as well as all

  tokens changed to use the new tracing.

- Allow root to run pkcs11 commands without being in pkcs11 group.

- EncryptUpdate, DecryptUpdate, DigestUpdate, SignUpdate, VerifyUpdate

  now allow zero length data.

- Refactored ICA token's SHA .

- Various testcase improvements.

- Various bugfixes.

* opencryptoki 3.2

- New pkcscca tool. Currently it assists in migrating cca private token

  objects from opencryptoki version 2 to the clear key encryption method

  used in opencryptoki version 3. Includes a manpage for pkcscca tool.

  Changes to README.cca_stdll to assist in using the CCA token and

  migrating the private token objects.

- Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.

- Various bugfixes.

- New testcases for various crypto algorithms.

* opencryptoki-3.1

- New ep11 token to support IBM Crypto Express adpaters (starting with

  Crypto Express 4S adapters) configured with Enterprise PKCS#11(EP11)

  firmware.

- New pkcsep11_migrate utility (and manpage) to migrate token objects

  when card's masterkey changes.

- Various bugfixes.

* opencryptoki-3.0

- Aggregated source files in common, tpm, and cca directories.

- Re-factored shared memory functions in the stdlls.

- New opencryptoki.conf file to replace pk_config_data and pkcs11_starup.

  The opencryptoki.conf contains slot entry information for tokens.

- New manpage for opencryptoki.conf

- Removed pkcs_slot and pkcs11_startup shell scripts.

- New ICSF token to do remote crypto.

- New pkcsicsf utility to setup the ICSF token.

- New manpage for pkcsicsf utility.

- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6 mechanisms

  using 3DES keys.

- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL mechanisms.

- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64, CKM_AES_CFB128,

  CKM_AES_MAC, and CKM_AES_MAC_GENERAL mechanisms.

- Some code cleanup in pkcsslotd.

- pkcsslotd daemon uses a socket rather than shared memory to pass

  slot information to the opencryptoki library.

- New testcases added for various crypto algorithms and pkcs#11 api calls.

- Add README to docs directory for how to setup ICSF token.

* opencryptoki-2.4.3.1 (May 17, 2013)

- Allow imported rsa private keys in cca to also decrypt.

* opencryptoki-2.4.3 (April 29, 2013)

- CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS support

  for ICA token.

- Allow import of RSA public and private keys into CCA token.

- Systemd support added.

- Various bugfixes and additional testcases.

* opencryptoki-2.4.2 (April 27, 2012)

- Re-factored spinlocks, such that each token has its own spinlock

  in its own directory relative to /var/locks/opencryptoki.

* opencryptoki-2.4.1 (February 21, 2012)

- SHA256 support added for CCA token

- Several crypto algorithm testcases refactored to include published

  test vectors.

- Testcase directory restructured for future improvements.

- Allow tpm stdll to get SRK passwd and mode from new env variables.

  See [1] for info on how to use this feature and please report any bugs.

- Renamed spinlocks for shared memory to /var/lock dir and did

  some cleanup of unused locking schemes.

- Various bugfixes and cleanup.

[1] http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=blob;f=doc/README.tpm_stdll;h=dda0d2263cfbb3df8c65ebc64b8006e3242f6321;hb=HEAD#l58

* opencryptoki-2.4

- Support for Elliptic Curve Support in CCA token.

- Support for AES CTR in ICA token.

- Session handling refactored from using a reference to memory to

  using a handle that references a binray tree node.

- Cleanup logging. Debug messages now go to a file referenced in

  OPENCRYPTOKI_DEBUG_FILE env variable.

- Various bugfixes and cleanup.

* opencryptoki-2.3.3 (Jan 13 2011)

- Moderate fixes and clean-ups to key unwrapping mechanisms

- several pkcsconf fixes, some minor changes

- Important fix to CCA library name in pkcs11_startup

- PKCS padding length fix for symmetric ciphers

- Better RSA public exponent validations in all supported tokens

- Huge testsuite refactor

- Several other minor fixes and cleanups

* opencryptoki-2.3.2 (Jul 29 2010)

- Significant clean-ups to the building and packaging systems and many

  small fixes by Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>

- Various minor fixes to slot daemon and init script by Dan Horák

  <dan@danny.cz>

- Some RSA PKCS#1 v1.5 padding clean-ups by Ramon de Carvalho Valle

  <rcvalle@linux.vnet.ibm.com>

- Human-readable flags output to pkcsconf, some minor soft-token

  fixes by Kent Yoder <key@linux.vnet.ibm.com>

- Improved overall session/object look-up performance. Note that this

  change might crash buggy callers with badly-written session/object

  handle tracking - Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>

* openCryptoki-2.3.1

- Moved ICA token to use libica-2.0, supporting newer hardware and 4K

  RSA modulus. Libica-2.x is now *required* to build the ICA token.

- Moved CCA token to use CCA-4.0, supporting AES, SHA-2 and 4K RSA

  keys in newer hardware. Although not required for building, CCA-4.0

  is *required* for running the CCA token.

* openCryptoki-2.2.5

- Fixed bug in comparison of PINs in pkcsconf.

- Added code to set the encryption and signature schemes of keys imported

into the TPM token.

- Added tpm token message to warn when only owner can read the pub SRK.

- Fixed return code of function failed when it should be buffer too small in

various mech_des.c mech_des3.c and mech_aes.c files.

- Moved doc/*.txt to manpage format and integrated them into the build/install

- Updated testcases to query env vars for PINs and call a set of common

routines for common operations

- Added SHA256 support for all tokens

- Fixed object cleanup when max number of token objects is hit

- Fixed fd exhaustion bug with spin lock fd

- Updated TPM stdll for TSS policy handling changes. Trousers 0.2.9+ now

required with openCryptoki 2.2.5

- Updated TPM stdll to use TSS_TSPATTRIB_KEYINFO_RSA_MODULUS when retrieving

the public modulus

- pkcs11_startup fix for use with s/w fallback support in libica on s390

- Added the CCA secure key token and migration utility

- Replaced bcopy/bzero with memcpy/memset throughout the code

- Removed unused variables throughout the code

* openCryptoki-2.2.4