From 687eb1ae323ade36e867df8a9c5a5d59ef45d043 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Wed, 12 Jul 2023 10:15:54 +0200 Subject: [PATCH] - engine: Only register those algos specified with default_algorithms (#2221891) - Resolves: #2221891 --- openssl-ibmca-2.4.0-engine-defaults.patch | 40 +++++++++++++++++++++++ openssl-ibmca.spec | 9 ++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 openssl-ibmca-2.4.0-engine-defaults.patch diff --git a/openssl-ibmca-2.4.0-engine-defaults.patch b/openssl-ibmca-2.4.0-engine-defaults.patch new file mode 100644 index 0000000..40785b6 --- /dev/null +++ b/openssl-ibmca-2.4.0-engine-defaults.patch 
@@ -0,0 +1,40 @@ +From 3ea8f4ed58e075e097856437c0732e11771931d0 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 19 Apr 2023 10:07:01 +0200 +Subject: [PATCH] engine: Only register those algos specified with + default_algorithms + +As part of OpenSSL initialization, the engine(s) configured in the OpenSSL +config file are loaded, and its algorithms (methods) are registered according +to the default_algorithms setting. + +However, later during initialization, ENGINE_register_all_complete() is called +which unconditionally registered all algorithms (methods) of the loaded engines +again, unless the engine flag ENGINE_FLAGS_NO_REGISTER_ALL is set. + +Set the ENGINE_FLAGS_NO_REGISTER_ALL flag during IBMCA engine initialization +to avoid unconditional registration of all algorithms. We only want to register +algorithms specified in the default_algorithms configuration setting. + +Note that if the default_algorithms setting is omitted in the OpenSSL config +file, then no algorithms will be registered. + +Signed-off-by: Ingo Franzki +--- + src/engine/e_ibmca.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/engine/e_ibmca.c b/src/engine/e_ibmca.c +index fe21897..6cbf745 100644 +--- a/src/engine/e_ibmca.c ++++ b/src/engine/e_ibmca.c +@@ -642,6 +642,9 @@ static int set_supported_meths(ENGINE *e) + if (!ENGINE_set_pkey_meths(e, ibmca_engine_pkey_meths)) + goto out; + ++ if (!ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)) ++ goto out; ++ + rc = 1; + out: + free(pmech_list); diff --git a/openssl-ibmca.spec b/openssl-ibmca.spec index 4eaabd7..ab290d1 100644 --- a/openssl-ibmca.spec +++ b/openssl-ibmca.spec 
@@ -3,11 +3,14 @@ Summary: A dynamic OpenSSL engine for IBMCA Name: openssl-ibmca Version: 2.4.0 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Group: System Environment/Libraries URL: https://github.com/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +# https://bugzilla.redhat.com/show_bug.cgi?id=2221891 +# https://github.com/opencryptoki/openssl-ibmca/commit/3ea8f4ed58e075e097856437c0732e11771931d0 +Patch0: %{name}-2.4.0-engine-defaults.patch Requires: libica >= 3.8.0 BuildRequires: gcc BuildRequires: libica-devel >= 3.8.0 @@ -55,6 +58,10 @@ make check %changelog +* Wed Jul 12 2023 Dan Horák - 2.4.0-2 +- engine: Only register those algos specified with default_algorithms (#2221891) +- Resolves: #2221891 + * Mon May 29 2023 Dan Horák - 2.4.0-1 - updated to 2.4.0 (#2159722) - Resolves: #2159722
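Review bot: in the set_supported_meths() hunk of src/engine/e_ibmca.c, the call ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) replaces the engine's whole flag word instead of adding one bit, so any flag set earlier during engine setup would be dropped. Writing it as ENGINE_set_flags(e, ENGINE_get_flags(e) | ENGINE_FLAGS_NO_REGISTER_ALL) keeps the change additive. The commit message also says that omitting default_algorithms now results in no algorithms being registered. That changes behaviour for existing configurations, and the diffstat shows only e_ibmca.c being modified, so a matching note in the engine's documentation or sample configuration should accompany it.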
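Review bot: in the openssl-ibmca.spec hunk at -3,11 +3,14, Patch0 is declared but neither spec hunk touches %prep, so the patch is applied only if %prep already uses %autosetup or %autopatch. Please confirm that, and add an explicit %patch line if %prep uses plain %setup. The new %changelog entry could also state the user-visible effect given in the upstream commit message: after this update, an OpenSSL config file without default_algorithms leaves the engine with no registered algorithms, which users upgrading from 2.4.0-1 would otherwise discover only at runtime.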