From 089f7ad5c7406caa7c40f3a88fde8a55bf3b7b99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Wed, 12 Jul 2023 09:32:59 +0200 Subject: [PATCH] - engine: Only register those algos specified with default_algorithms (#2221894) - Resolves: #2221894 --- openssl-ibmca-2.4.0-engine-defaults.patch | 40 +++++++++++++++++++++++ openssl-ibmca.spec | 9 ++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 openssl-ibmca-2.4.0-engine-defaults.patch diff --git a/openssl-ibmca-2.4.0-engine-defaults.patch b/openssl-ibmca-2.4.0-engine-defaults.patch new file mode 100644 index 0000000..40785b6 --- /dev/null +++ b/openssl-ibmca-2.4.0-engine-defaults.patch 
@@ -0,0 +1,40 @@ +From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 19 Apr 2023 10:07:01 +0200 +Subject: [PATCH] engine: Only register those algos specified with + default_algorithms + +As part of OpenSSL initialization, the engine(s) configured in the OpenSSL +config file are loaded, and its algorithms (methods) are registered according +to the default_algorithms setting. + +However, later during initialization, ENGINE_register_all_complete() is called +which unconditionally registered all algorithms (methods) of the loaded engines +again, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set. + +Set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization +to avoid unconditional registration of all algorithms. We only want to register +algorithms specified in the default_algorithms configuration setting. + +Note that if the default_algorithms setting is omitted in the OpenSSL config +file, then no algorithms will be registered. + +Signed-off-by: Ingo Franzki +--- + src/engine/e_ibmca.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c +index fe21897..6cbf745 100644 +--- a/src/engine/e_ibmca.c ++++ b/src/engine/e_ibmca.c +@@ -642,6 +642,9 @@ static int set_supported_meths(ENGINE *e) + if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths)) + goto out; + ++ if (!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)) ++ goto out; ++ + rc = 1; + out: + free(pmech_list); diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 0ab0e7c..e635b32 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec @@ -9,7 +9,7 @@ Summary: OpenSSL engine and provider for IBMCA Name: openssl-ibmca Version: 2.4.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz 
@@ -17,6 +17,9 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v #Patch0: %%{name}-%%{version}-fixes.patch # warn the user about engine being deprecated Patch1: %{name}-2.3.1-engine-warning.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2221894 +# https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0 +Patch2: %{name}-2.4.0-engine-defaults.patch Requires: libica >= 4.0.0 BuildRequires: make BuildRequires: gcc @@ -79,6 +82,10 @@ make check %changelog +* Tue Jul 11 2023 Dan Horák - 2.4.0-2 +- engine: Only register those algos specified with default_algorithms (#2221894) +- Resolves: #2221894 + * Thu Apr 06 2023 Dan Horák - 2.4.0-1 - updated to 2.4.0 (#2160084) - Resolves: #2160084
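
Review bot: In the set_supported_meths() hunk of src/engine/e_ibmca.c, ENGINE_set_flags() replaces the engine's whole flag word rather than adding a bit, so any flag set on e earlier in engine setup would be dropped by `ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)`. Consider `ENGINE_set_flags(e, ENGINE_get_flags(e) | ENGINE_FLAGS_NO_REGISTER_ALL)`. A short comment above the call would also help, stating that it keeps ENGINE_register_all_complete() from registering methods outside default_algorithms, since that reason currently lives only in the commit message.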
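
Review bot: In the openssl-ibmca.spec hunk at @@ -17,6 +17,9, Patch2 is declared but the diff changes nothing in %prep, so whether the patch is actually applied depends on how %prep is written, which is not visible here. Please confirm that %prep uses %autosetup or %autopatch; if patches are applied one by one, a matching %patch line for Patch2 is needed, otherwise the package builds without the fix.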
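
Review bot: In the %changelog hunk of openssl-ibmca.spec (@@ -79,6 +82,10), the 2.4.0-2 entry leaves out the user-visible consequence stated in the upstream commit message: when default_algorithms is omitted from the OpenSSL config file, the engine now registers no algorithms. Add a line saying so, so that administrators upgrading from 2.4.0-1 know to check that their engine section sets default_algorithms.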