Sync from SUSE:SLFO:Main openssl-ibmca revision 4dfeab0ad13fee19ce72db2dd0900db4

openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch

@@ -0,0 +1,52 @@
+From 6bc53d814762b24045bfd5bb6003949a163fa58b Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Tue, 18 Feb 2025 09:00:59 +0100
+Subject: [PATCH] engine: Do not report errors if libica does not support EC
+ key
+
+In case EC key creation using libica fails (for whatever reason), and
+the software fallback is used to perform the operation, do not report
+the errors that have been put to the error stack by the failing attempt
+to use libica.
+
+Fixes: a462093d2478b287cb9a7a25131788eba16b7640
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/engine/ibmca_ec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/engine/ibmca_ec.c b/src/engine/ibmca_ec.c
+index 5206ae3..c264f32 100644
+--- a/src/engine/ibmca_ec.c
++++ b/src/engine/ibmca_ec.c
+@@ -337,7 +337,9 @@ int ibmca_ecdh_compute_key(unsigned char **pout, size_t *poutlen,
+     }
+ 
+     /* Create ICA_EC_KEY object for private key */
++    ERR_set_mark();
+     ica_privkey = ibmca_ec_make_and_cache_ica_key((EC_KEY*)ecdh, &privlen);
++    ERR_pop_to_mark();
+     if (ica_privkey == NULL) {
+         /* This curve is not supported by libica. */
+     #ifdef OLDER_OPENSSL
+@@ -502,7 +504,9 @@ ECDSA_SIG *ibmca_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+     }
+ 
+     /* Create ICA_EC_KEY object */
++    ERR_set_mark();
+     icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
++    ERR_pop_to_mark();
+     if (icakey == NULL) {
+         /* This curve is not supported by libica. */
+  #ifdef OLDER_OPENSSL
+@@ -633,7 +637,9 @@ int ibmca_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+     }
+ 
+     /* Create ICA_EC_KEY object */
++    ERR_set_mark();
+     icakey = ibmca_ec_make_and_cache_ica_key(eckey, &privlen);
++    ERR_pop_to_mark();
+     if (icakey == NULL) {
+         /* This curve is not supported by libica. */
+  #ifdef OLDER_OPENSSL

openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch

@@ -0,0 +1,29 @@
+From 5cdcbf0d5b7169a60826c7c0893d7f59798fc409 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 19 Feb 2025 13:48:12 +0100
+Subject: [PATCH] Fix compiler error for undefined ERR_pop_to_mark
+
+    ibmca_ec.c:342:5: error: implicit declaration of function
+           'ERR_pop_to_mark' [-Wimplicit-function-declaration]
+      342 |     ERR_pop_to_mark();
+          |     ^~~~~~~~~~~~~~~
+
+Fixes: 6bc53d814762b24045bfd5bb6003949a163fa58b
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/engine/ibmca_ec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/engine/ibmca_ec.c b/src/engine/ibmca_ec.c
+index c264f32..1bbb37e 100644
+--- a/src/engine/ibmca_ec.c
++++ b/src/engine/ibmca_ec.c
+@@ -17,6 +17,7 @@
+ 
+ #include <stdlib.h>
+ #include <pthread.h>
++#include <openssl/err.h>
+ #include "ibmca.h"
+ #include "e_ibmca_err.h"
+ 

openssl-ibmca.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 19 13:38:24 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied additonal patches(bsc#1237344)
+  * openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
+  * openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
+
 -------------------------------------------------------------------
 Wed Feb  5 10:40:59 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 

openssl-ibmca.spec

@@ -66,6 +66,8 @@ Patch12:        openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-aft
 Patch13:        openssl-ibmca-04-engine-Fix-compile-error.patch
 Patch14:        openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
 Patch15:        openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
+Patch16:        openssl-ibmca-07-engine-Fix-Do-not-report-errors-if-libica-does-not-support-EC.patch
+Patch17:        openssl-ibmca-08-Fix-compiler-error-for-undefined-ERR_pop_to_mark.patch
 ###
 
 %description