From 072e32bb199ff772148f1cbe0b2faadf9ab33c12 Mon Sep 17 00:00:00 2001
From: Juergen Christ
Date: Thu, 27 Oct 2022 16:13:01 +0200
Subject: [PATCH 1/2] provider: Fix configuration script Small typo in the configuration script created an invalid configuration.
Signed-off-by: Juergen Christ
---
 src/provider/ibmca-provider-opensslconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
index 21ed6f6..d45428e 100755
--- a/src/provider/ibmca-provider-opensslconfig
+++ b/src/provider/ibmca-provider-opensslconfig
@@ -83,7 +83,7 @@ sub generate()
 }
 if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
 print $oh "ibmca_provider = ibmca_provider_section\n";
- print $oh # Make sure that you have configured and activated at least one other provider!\n";
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
 print "WARNING: The IBMCA provider was added to section [$providersect].\n";
 print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
 }
--
2.39.0
From e90203dbc9bf0d9a4488af470adf11852860991a Mon Sep 17 00:00:00 2001
From: Juergen Christ
Date: Wed, 2 Nov 2022 14:29:35 +0100
Subject: [PATCH 2/2] provider: Fix order of providers in configuration Since libica requires a provider that supports HMAC to be loaded and available, fix the order of providers loaded by our sample configuration generator. The "default" provider has to come first such that libica can do the file integrity test with a HMAC provided by this provider when being loaded via the ibmca provider.
Signed-off-by: Juergen Christ
---
 src/provider/ibmca-provider-opensslconfig | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/provider/ibmca-provider-opensslconfig b/src/provider/ibmca-provider-opensslconfig
index d45428e..d87fa8e 100755
--- a/src/provider/ibmca-provider-opensslconfig
+++ b/src/provider/ibmca-provider-opensslconfig
@@ -30,7 +30,7 @@ use warnings;
 sub generate()
 {
 my ($osslconfpath);
- my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect);
+ my ($ih, $line, $oh, $defaultcnfsect, $indefaultsect, $providersect, $inprovidersect);
 my ($inalgsect, $algsection);
 $osslconfpath = `openssl version -d` || die "Please install openssl binary";
@@ -43,6 +43,7 @@
 $defaultcnfsect = undef;
 $indefaultsect = 0;
 $providersect = undef;
+ $inprovidersect = 0;
 while ($line = <$ih>) {
 if ($line =~ /openssl_conf\s*=\s*(.*)/) {
 $defaultcnfsect = $1;
@@ -67,13 +68,22 @@ sub generate()
 } elsif ($inalgsect) {
 if ($line =~ /\[\s*\w+\s*\]/) {
 print $oh "default_properties = ?provider=ibmca\n";
+ $inalgsect = 0;
 } elsif ($line =~ /^\s*default_properties\s*=\s*(\w+)\s*/) {
 print $oh "default_properties = ?provider=ibmca\n";
 print $oh "# The following was commented out by ibmca-provider-opensslconfig script\n";
 print "WARNING: The default_properties in $algsection was modified by this script.\n";
 $line = "# $line";
 }
- }
+ } elsif ($inprovidersect) {
+ if ($line =~ /\[\s*\w+\s*\]/) {
+ $inprovidersect = 0;
+ print $oh "ibmca_provider = ibmca_provider_section\n";
+ print $oh "# Make sure that you have configured and activated at least one other provider!\n";
+ print "WARNING: The IBMCA provider was added to section [$providersect].\n";
+ print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
+ }
+ }
 print $oh "$line";
 if ($defaultcnfsect && $line =~ /\[\s*$defaultcnfsect\s*\]/) {
 $indefaultsect = 1;
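Review bot: The new `elsif ($inprovidersect)` branch writes `ibmca_provider = ibmca_provider_section` only when a later `[section]` header is read, so a provider section that is the last section of openssl.cnf reaches end of file with `$inprovidersect` still set and the generated file never loads the ibmca provider. No handling for that case is visible after the `while` loop, although the lines between the loop end and `if (!$providersect)` are not shown and should be checked; a post-loop `if ($inprovidersect) { print $oh "ibmca_provider = ibmca_provider_section\n"; }` would cover it. The header test `/\[\s*\w+\s*\]/` is also unanchored, so a comment or value inside the provider section that contains `[name]` ends the section early and places the line before the remaining providers; `/^\s*\[\s*\w+\s*\]/` is stricter. The `$inalgsect` branch above uses the same pattern.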
@@ -81,11 +91,8 @@ sub generate()
 if ($algsection && $line =~ /\[\s*$algsection\s*\]/) {
 $inalgsect = 1;
 }
- if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
- print $oh "ibmca_provider = ibmca_provider_section\n";
- print $oh "# Make sure that you have configured and activated at least one other provider!\n";
- print "WARNING: The IBMCA provider was added to section [$providersect].\n";
- print "Make sure that you have configured and activated at least one other provider, e.g. the default provider!\n";
+ if ($providersect && $line =~ /\[\s*$providersect\s*\]/) {
+ $inprovidersect = 1;
 }
 }
@@ -100,8 +107,8 @@ providers = provider_section
 if (!$providersect) {
 print $oh qq|
 [provider_section]
-ibmca_provider = ibmca_provider_section
 default = default_sect
+ibmca_provider = ibmca_provider_section
 [default_sect]
 activate = 1
--
2.39.0
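Review bot: `$providersect` is interpolated into `/\[\s*$providersect\s*\]/` as a pattern rather than as a literal, and the match is not anchored to the start of the line. The value is presumably captured from the `providers = ...` line of the input openssl.cnf (the assignment is outside the hunks), so a name containing regex metacharacters, or a commented-out header such as `# [provider_sect]`, could set `$inprovidersect` on the wrong line. Quoting and anchoring avoids that: `if ($providersect && $line =~ /^\s*\[\s*\Q$providersect\E\s*\]/) {`. The `$algsection` test just above has the same shape.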
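Review bot: The generated `[provider_section]` now depends on line order, but nothing in the emitted file records that. Per the commit message, libica needs an HMAC from the default provider for its file integrity test when it is loaded through ibmca, so an administrator who later reorders or removes `default = default_sect` would break that check without any hint in the configuration. A comment line in the template would document the constraint, for example `# default must stay before ibmca_provider: libica uses its HMAC for the integrity test`. The `qq|` block continues past the end of the hunk.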