- engine: Only register those algos specified with default_algorithms (#2221894)

- Resolves: #2221894
2023-07-12 09:32:59 +02:00 · 2023-07-12 09:32:59 +02:00 · 089f7ad5c7
commit 089f7ad5c7
parent 09b4e7109f
2 changed files with 48 additions and 1 deletions
--- a/openssl-ibmca-2.4.0-engine-defaults.patch
+++ b/openssl-ibmca-2.4.0-engine-defaults.patch
@ -0,0 +1,40 @@
+From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 19 Apr 2023 10:07:01 +0200
+Subject: [PATCH] engine: Only register those algos specified with
+ default_algorithms
+
+As part of OpenSSL initialization, the engine(s) configured in the OpenSSL
+config file are loaded, and its algorithms (methods) are registered according
+to the default_algorithms setting.
+
+However, later during initialization, ENGINE_register_all_complete() is called
+which unconditionally registered all algorithms (methods) of the loaded engines
+again, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set.
+
+Set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization
+to avoid unconditional registration of all algorithms. We only want to register
+algorithms specified in the default_algorithms configuration setting.
+
+Note that if the default_algorithms setting is omitted in the OpenSSL config
+file, then no algorithms will be registered.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/engine/e_ibmca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c
+index fe21897..6cbf745 100644
+--- a/src/engine/e_ibmca.c
+++ b/src/engine/e_ibmca.c
+@@ -642,6 +642,9 @@ static int set_supported_meths(ENGINE *e)
+         if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths))
+             goto out;
+ 
+    if (!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL))
+        goto out;
+
+     rc = 1;
+ out:
+     free(pmech_list);
--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@ -9,7 +9,7 @@
 Summary: OpenSSL engine and provider for IBMCA
 Name: openssl-ibmca
 Version: 2.4.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
 URL: https://github.com/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -17,6 +17,9 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{v
 #Patch0: %%{name}-%%{version}-fixes.patch
 # warn the user about engine being deprecated
 Patch1: %{name}-2.3.1-engine-warning.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2221894
+# https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0
+Patch2: %{name}-2.4.0-engine-defaults.patch
 Requires: libica >= 4.0.0
 BuildRequires: make
 BuildRequires: gcc
@ -79,6 +82,10 @@ make check


 %changelog
+* Tue Jul 11 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-2
+- engine: Only register those algos specified with default_algorithms (#2221894)
+- Resolves: #2221894
+
 * Thu Apr 06 2023 Dan Horák <dhorak@redhat.com> - 2.4.0-1
 - updated to 2.4.0 (#2160084)
 - Resolves: #2160084