From c242e8c3837f80afd2e5e4bb386658b7b1e898cd Mon Sep 17 00:00:00 2001
From: Per Nilsson
Date: Mon, 6 May 2024 18:42:46 +0200
Subject: [PATCH] Versioning on C_GetMechanismInfo RSA keysizes (#486)
* Versioning on C_GetMechanismInfo RSA keysizes
* Fix broken openssl dependency
---
 .github/workflows/macos_build.yml | 6 +++---
 .github/workflows/macos_release.yml | 4 ++--
 ykcs11/ykcs11.c | 11 +++++++++--
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/macos_build.yml b/.github/workflows/macos_build.yml
index 0dcbc255..3727507b 100644
--- a/.github/workflows/macos_build.yml
+++ b/.github/workflows/macos_build.yml
@@ -10,12 +10,12 @@ jobs:
 steps:
 # This action checks-out the repository under $GITHUB_WORKSPACE, so the workflow can access it.
 - name: checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Install prerequisites
 run: |
 set -x
- brew install pkg-config check gengetopt help2man opensc
- brew reinstall openssl
+ brew install check gengetopt help2man opensc zlib
+ brew reinstall openssl@3
 - name: Build and install
 run: |
 set -x
diff --git a/.github/workflows/macos_release.yml b/.github/workflows/macos_release.yml
index 043a6982..63f789aa 100644
--- a/.github/workflows/macos_release.yml
+++ b/.github/workflows/macos_release.yml
@@ -60,8 +60,8 @@ jobs:
 - name: Install prerequisites
 run: |
 set -x
- brew install pkg-config check gengetopt help2man openssl zlib
- brew reinstall openssl
+ brew install check gengetopt help2man opensc zlib
+ brew reinstall openssl@3
 - name: Build MacOS binaries
 env:
diff --git a/ykcs11/ykcs11.c b/ykcs11/ykcs11.c
index 5ec01cdd..43599c1f 100644
--- a/ykcs11/ykcs11.c
+++ b/ykcs11/ykcs11.c
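Review bot: `uses: actions/checkout@v3` in macos_build.yml still references a mutable tag; pinning it to a full commit SHA, `uses: actions/checkout@<full-commit-sha> # v3`, keeps the job from silently running a retagged action. The macos_release.yml hunk has a related gap: `brew install` and `brew reinstall openssl@3` take whatever Homebrew serves at build time, so the OpenSSL that the release binaries are presumably built against is not recorded anywhere. Adding `brew list --versions openssl@3 zlib` after the install step would make each release traceable to the library versions it used.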
@@ -695,13 +695,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetMechanismInfo)(
 goto mechinfo_out;
 }
- locking.pfnUnlockMutex(global_mutex);
-
 if ((rv = get_token_mechanism_info(type, pInfo)) != CKR_OK) {
 DBG("Unable to retrieve mechanism information");
+ locking.pfnUnlockMutex(global_mutex);
 goto mechinfo_out;
 }
+ if(!is_version_compatible(slots[slotID].piv_state, 5, 7, 0)) {
+ if(pInfo->ulMaxKeySize == 4096) {
+ pInfo->ulMaxKeySize = 2048;
+ }
+ }
+
+ locking.pfnUnlockMutex(global_mutex);
+
 rv = CKR_OK;
 mechinfo_out:
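Review bot: The firmware clamp compares `pInfo->ulMaxKeySize` against the literal 4096 and never looks at `type`, so it applies to whichever mechanism happens to report that value and silently stops applying if the table behind `get_token_mechanism_info` (not visible here) ever changes its maximum. Gating it on the RSA mechanism types and using a bound, e.g. `if (pInfo->ulMaxKeySize > 2048) pInfo->ulMaxKeySize = 2048;`, would make the intent explicit. A one-line comment such as `/* tokens older than 5.7.0: cap the advertised RSA maximum at 2048 bits */` would record why the cap exists. `slots[slotID]` is read here on the assumption that `slotID` was range-checked above the hunk, where the function body starts; that is worth confirming now that the mutex is held across this read.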