Index: opencryptoki-3.9.0+dfsg/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
===================================================================
--- opencryptoki-3.9.0+dfsg.orig/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
+++ opencryptoki-3.9.0+dfsg/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
@@ -56,20 +56,14 @@ typedef struct
 } __attribute__((packed)) ep11_target_t;
 
 
-#define blobsize 2048*4
-
-typedef struct
-{
-  size_t        blob_size;
-  size_t        blob_id;
-  unsigned char blob[blobsize];
-} ep11_opaque;
+#define BLOBSIZE         2048*4
 
 static int
-reencrypt(CK_SESSION_HANDLE session, CK_ULONG obj, CK_BYTE *old)
+reencrypt(CK_SESSION_HANDLE session, CK_ULONG obj, CK_BYTE *old,
+          CK_ULONG old_len)
 {
-  CK_BYTE req[blobsize];
-  CK_BYTE resp[blobsize];
+  CK_BYTE req[BLOBSIZE];
+  CK_BYTE resp[BLOBSIZE];
   CK_LONG req_len;
   size_t  resp_len;
   struct ep11_admresp rb;
@@ -78,12 +72,11 @@ reencrypt(CK_SESSION_HANDLE session, CK_
   CK_RV rc;
   CK_BYTE name[256];
 
-  ep11_opaque *op_old = (ep11_opaque *) old;
-  ep11_opaque  op_new;
-
+  unsigned char blob[BLOBSIZE];
+  CK_ULONG blob_len;
 
   CK_ATTRIBUTE opaque_template[] = {
-    {CKA_IBM_OPAQUE, &op_new, sizeof(op_new)}
+    { CKA_IBM_OPAQUE, blob, BLOBSIZE }
   };
 
   CK_ATTRIBUTE name_template[] = {
@@ -104,7 +97,6 @@ reencrypt(CK_SESSION_HANDLE session, CK_
 
   memset(&rb,0, sizeof(rb));
   memset(&lrb,0, sizeof(lrb));
-  memset(&target,0,sizeof(target));
   target.length   = 1;
 
   target.apqns[0] = adapter;
@@ -112,11 +104,12 @@ reencrypt(CK_SESSION_HANDLE session, CK_
   rb.domain  = domain;
   lrb.domain = domain;
 
-  fprintf(stderr,"going to reencrpyt key %lx with blob len %lx %s\n",obj,op_old->blob_size,name);
-  resp_len = blobsize;
+  fprintf(stderr, "going to reencrpyt key %lx with blob len %lx: '%s'\n", obj,
+          old_len, name);
+  resp_len = BLOBSIZE;
 
-  req_len  = _ep11a_cmdblock(req, blobsize, EP11_ADM_REENCRYPT, &rb,
-                            NULL, op_old->blob, op_old->blob_size);
+  req_len  = _ep11a_cmdblock(req, BLOBSIZE, EP11_ADM_REENCRYPT, &rb,
+                            NULL, old, old_len);
 
   if (req_len < 0)
     {
@@ -128,36 +121,40 @@ reencrypt(CK_SESSION_HANDLE session, CK_
 
   if(rc != CKR_OK || resp_len == 0 || resp == NULL)
     {
-      fprintf(stderr,"reencryption failed %lx %ld\n",rc,req_len);
+      fprintf(stderr, "reencryption failed: %lx %ld\n", rc, req_len);
       return -3;
     }
 
   if (_ep11a_internal_rv(resp, resp_len, &lrb, &rc) < 0)
     {
-      fprintf(stderr, "reencryption response malformed %lx\n",rc);
+      fprintf(stderr, "reencryption response malformed: %lx\n", rc);
       return -4;
      }
 
-  if(op_old->blob_size != lrb.pllen)
-    {
-      fprintf(stderr, "reencryption blob size changed %lx %lx %lx %lx\n",
-              op_old->blob_size,lrb.pllen,resp_len,req_len);
+  if (rc != 0) {
+      fprintf(stderr, "reencryption failed: %lx\n", rc);
+      rc = -7;
+  }
+
+  if (old_len != lrb.pllen) {
+      fprintf(stderr, "reencryption blob size changed: %lx %lx %lx %lx\n",
+              old_len, lrb.pllen, resp_len, req_len);
       return -5;
-    }
+  }
 
-  memset(&op_new,0,sizeof(op_new));
-  op_new.blob_id   = op_old->blob_id;
-  op_new.blob_size = op_old->blob_size;
-  memcpy(op_new.blob,lrb.payload,op_new.blob_size);
+  memset(blob, 0, sizeof(blob));
+  blob_len = old_len;
+  memcpy(blob, lrb.payload, blob_len);
+  opaque_template[0].ulValueLen = blob_len;
 
   rc = funcs->C_SetAttributeValue(session, key_store[obj], opaque_template, 1);
   if (rc != CKR_OK)
     {
-      fprintf(stderr, "reencryption C_SetAttributeValue failed obj %lx %s rc %lx\n",obj,name,rc);
+      fprintf(stderr, "reencryption C_SetAttributeValue failed obj: %lx %s rc: %lx\n",obj,name,rc);
       return -6;
     }
 
-  fprintf(stderr, "reencryption success obj %lx %s\n",obj,name);
+  fprintf(stderr, "reencryption success obj: %lx %s:\n",obj,name);
   return 0;
 }
 
@@ -529,7 +526,7 @@ int main  (int argc, char **argv){
               }
             else
               {
-                if (reencrypt(session,obj,(CK_BYTE *) opaque_template[0].pValue) != 0)
+                if (reencrypt(session,obj,(CK_BYTE *) opaque_template[0].pValue, opaque_template[0].ulValueLen) != 0)
                   {
                     /* reencrypt failed */
                     return -1;
