From 32aa47f0869dbd486f41a271ef27e167a5fb74cc Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Mon, 14 Jul 2025 14:15:02 +0200
Subject: [PATCH] - Related: RHEL-73344, Fix detection of EC curve not supported by OpenSSL-3.5.x - Related: RHEL-77147, Fix the image mode issue again as bootc expects to use /run/lock
---
opencryptoki-lockdir-image-mode.patch | 12 +++++++
opencryptoki-openssl-3.5.x.patch | 48 +++++++++++++++++++++++++++
opencryptoki.spec | 12 ++++++-
3 files changed, 71 insertions(+), 1 deletion(-)
create mode 100644 opencryptoki-lockdir-image-mode.patch
create mode 100644 opencryptoki-openssl-3.5.x.patch
diff --git a/opencryptoki-lockdir-image-mode.patch b/opencryptoki-lockdir-image-mode.patch
new file mode 100644
index 0000000..0393ccd
--- /dev/null
+++ b/opencryptoki-lockdir-image-mode.patch
@@ -0,0 +1,12 @@
+diff -up opencryptoki-3.25.0/configure.ac.me opencryptoki-3.25.0/configure.ac
+--- opencryptoki-3.25.0/configure.ac.me 2025-07-09 16:20:51.825293158 +0200
++++ opencryptoki-3.25.0/configure.ac 2025-07-09 16:23:42.416757050 +0200
+@@ -322,7 +322,7 @@ case "${host_os}" in
+ esac
+
+ dnl Define custom variables
+-lockdir=${localstatedir}/lock/opencryptoki
++lockdir=/run/lock/opencryptoki
+ logdir=${localstatedir}/log/opencryptoki
+
+ dnl runstatedir is only defined starting from autoconf 2.70
diff --git a/opencryptoki-openssl-3.5.x.patch b/opencryptoki-openssl-3.5.x.patch
new file mode 100644
index 0000000..e6dcb3a
--- /dev/null
+++ b/opencryptoki-openssl-3.5.x.patch
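Review bot: The new `lockdir=/run/lock/opencryptoki` is a fixed absolute path, so `--localstatedir` no longer influences where the token lock files go, and a build for a non-FHS prefix or a system without /run/lock silently inherits the bootc layout. The context line right below says runstatedir is handled after this point (what follows that comment is outside the hunk), so moving the assignment below that handling and writing `lockdir=${runstatedir}/lock/opencryptoki` would keep the bootc behaviour while still honouring configure's directory layout; if the hard-coded path is deliberate for RHEL only, a comment on the line saying so would spare the next reader the question. /run/lock is volatile, so /run/lock/opencryptoki has to be recreated on every boot with the ownership and mode the lock files are meant to have, and nothing in this patch does that; presumably it relies on the tmpfiles.d configuration and SELinux file context shipped elsewhere in the package, so confirm those now name /run/lock/opencryptoki rather than /var/lock/opencryptoki.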
@@ -0,0 +1,48 @@
+commit 8209874fc0ea78079aa21c386df0f385ee0e5dca
+Author: Ingo Franzki
+Date: Wed Jul 9 09:09:32 2025 +0200
+
+ COMMON: Fix detection of EC curve not supported by OpenSSL
+
+ OpenSSL 3.5 recently changed the behavior in regards of error reporting
+ with EVP_PKEY_keygen(). When the EC curve is not supported it used to
+ return error EC_R_INVALID_CURVE as top most entry in the error stack.
+
+ Since commit https://github.com/openssl/openssl/commit/72351b0d18078170af270418b2d5e9fc579cb1af
+ this is no longer the case, instead a generic EVP_R_PROVIDER_KEYMGMT_FAILURE
+ error is now the top most entry, and EC_R_INVALID_CURVE is the second one.
+
+ Make the detection independent of the error reporting and check for the
+ curve already in curve_nid_from_params().
+
+ Closes: https://github.com/opencryptoki/opencryptoki/issues/877
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
+index f29b4946..e1bb6b83 100644
+--- a/usr/lib/common/mech_openssl.c
++++ b/usr/lib/common/mech_openssl.c
+@@ -1854,6 +1854,7 @@ static int curve_nid_from_params(const CK_BYTE *params, CK_ULONG params_len)
+ {
+ const unsigned char *oid;
+ ASN1_OBJECT *obj = NULL;
++ EC_GROUP *grp;
+ int nid;
+
+ oid = params;
+@@ -1866,6 +1867,14 @@ static int curve_nid_from_params(const CK_BYTE *params, CK_ULONG params_len)
+ nid = OBJ_obj2nid(obj);
+ ASN1_OBJECT_free(obj);
+
++ grp = EC_GROUP_new_by_curve_name(nid);
++ if (grp == NULL) {
++ TRACE_ERROR("curve not supported by OpenSSL.\n");
++ return NID_undef;
++ }
++
++ EC_GROUP_free(grp);
++
+ return nid;
+ }
+
diff --git a/opencryptoki.spec b/opencryptoki.spec
index aa1ecaa..0e91c74 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
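Review bot: `EC_GROUP_new_by_curve_name(nid)` in the second hunk answers whether libcrypto's built-in curve table knows the NID, not whether the key-management of the provider the token actually uses accepts it, so a curve that a loaded provider rejects (FIPS-restricted curves are the usual case) still passes this pre-check and reaches EVP_PKEY_keygen(), where the generic EVP_R_PROVIDER_KEYMGMT_FAILURE described in the commit message comes back. If the library context and property query used for key generation are reachable here, `grp = EC_GROUP_new_by_curve_name_ex(libctx, propq, nid);` would make the pre-check agree with the code path it guards. The NULL branch also returns with the error the failed lookup pushed still on the thread's OpenSSL error queue, and since the commit message says the existing detection classifies failures from that queue, adding `ERR_clear_error();` before `return NID_undef;` avoids a later check reading a stale entry. Lines 1860-1866 of curve_nid_from_params() lie between the two hunks, so whether an OBJ_obj2nid() result of NID_undef is rejected before the lookup is not visible; if it is not, the new trace message reports an unknown OID as a curve OpenSSL does not support.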
@@ -1,7 +1,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.25.0
-Release: 1%{?dist}
+Release: 2%{?dist}
License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -14,7 +14,13 @@ Patch1: opencryptoki-3.25.0-p11sak.patch
# tmpfiles.d config files for image mode
Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
+# everything using /var/lock should be fixed in the end to use /run/lock
+# https://gitlab.com/fedora/bootc/base-images/-/issues/48
+Patch3: opencryptoki-lockdir-image-mode.patch
+
# upstream patches
+# Fix detection of EC curve not supported by OpenSSL-3.5.x
+Patch10: opencryptoki-openssl-3.5.x.patch
Requires(pre): coreutils
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
@@ -401,6 +407,10 @@ fi
%changelog
+* Mon Jul 14 2025 Than Ngo - 3.25.0-2
+- Related: RHEL-73344, Fix detection of EC curve not supported by OpenSSL-3.5.x
+- Related: RHEL-77147, Fix the image mode issue again as bootc expects to use /run/lock
+
* Fri Jul 04 2025 Than Ngo - 3.25.0-1
- Resolves: RHEL-73344, upgrade openCryptoki
- Resolves: RHEL-90590, basic support of AES-GCM
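Review bot: Patch3, registered in the second hunk, edits configure.ac, so it only takes effect if %build regenerates configure (autoreconf or the project's bootstrap) after %prep; %build is outside this diff, so confirm that happens, otherwise the lock directory stays at ${localstatedir}/lock while the changelog claims the move. The same hunk leaves Patch2's tmpfiles.d configuration untouched while Patch3 moves the runtime lock directory to /run/lock/opencryptoki; if that tmpfiles entry, or a %dir/%ghost entry in %files, still creates /var/lock/opencryptoki, the directory the library actually locks in is never created with the intended owner and mode on a fresh boot, which matters because token lock files are shared between processes. A one-line comment next to Patch3 naming the tmpfiles entry that creates /run/lock/opencryptoki would keep the two in step on the next update.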