openssl-3/openssl-load-legacy-provider.patch

287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001
From: rpm-build &lt;rpm-build&gt;
Date: Mon, 31 Jul 2023 09:41:28 +0200
Subject: [PATCH 14/35] 0024-load-legacy-prov.patch

Patch-name: 0024-load-legacy-prov.patch
Patch-id: 24
Patch-status: |
    # Instructions to load legacy provider in openssl.cnf
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
---
 apps/openssl.cnf    | 37 +++++++++++++++----------------------
 doc/man5/config.pod |  8 ++++++++
 2 files changed, 23 insertions(+), 22 deletions(-)

Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
 tsa_policy2 = 1.2.3.4.5.6
 tsa_policy3 = 1.2.3.4.5.7
 
-# For FIPS
-# Optionally include a file that is generated by the OpenSSL fipsinstall
-# application. This file contains configuration data required by the OpenSSL
-# fips provider. It contains a named section e.g. [fips_sect] which is
-# referenced from the [provider_sect] below.
-# Refer to the OpenSSL security policy for more information.
-# .include fipsmodule.cnf
-
 [openssl_init]
 providers = provider_sect
 # Load default TLS policy configuration
 ssl_conf = ssl_module
 
-# List of providers to load
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
+# Key Derivation Function (KDF): PBKDF1
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
+
 [provider_sect]
 default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
-
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
-# If you add a section explicitly activating any other provider(s), you most
-# probably need to explicitly activate the default provider, otherwise it
-# becomes unavailable in openssl.  As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
+##legacy = legacy_sect
+
 [default_sect]
-# activate = 1
+activate = 1
+
+##[legacy_sect]
+##activate = 1
 
 [ ssl_module ]
 
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -273,6 +273,14 @@ significant.
 All parameters in the section as well as sub-sections are made
 available to the provider.
 
+=head3 Loading the legacy provider
+
+Uncomment the sections that start with ## in openssl.cnf
+to enable the legacy provider.
+Note: In general it is not recommended to use the above mentioned algorithms for
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
 =head3 Default provider and its activation
 
 If no providers are activated explicitly, the default one is activated implicitly.
Sync from SUSE:SLFO:Main openssl-3 revision f1e5b5790b36d62448b0f56f23f02c6b 2024-05-03 17:32:23 +02:00			`287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001`
			`From: rpm-build <rpm-build>`
			`Date: Mon, 31 Jul 2023 09:41:28 +0200`
			`Subject: [PATCH 14/35] 0024-load-legacy-prov.patch`

			`Patch-name: 0024-load-legacy-prov.patch`
			`Patch-id: 24`
			`Patch-status: \|`
			`# Instructions to load legacy provider in openssl.cnf`
			`From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd`
			`---`
			`apps/openssl.cnf \| 37 +++++++++++++++----------------------`
			`doc/man5/config.pod \| 8 ++++++++`
			`2 files changed, 23 insertions(+), 22 deletions(-)`

			`Index: openssl-3.1.4/apps/openssl.cnf`
			`===================================================================`
			`--- openssl-3.1.4.orig/apps/openssl.cnf`
			`+++ openssl-3.1.4/apps/openssl.cnf`
			`@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1`
			`tsa_policy2 = 1.2.3.4.5.6`
			`tsa_policy3 = 1.2.3.4.5.7`

			`-# For FIPS`
			`-# Optionally include a file that is generated by the OpenSSL fipsinstall`
			`-# application. This file contains configuration data required by the OpenSSL`
			`-# fips provider. It contains a named section e.g. [fips_sect] which is`
			`-# referenced from the [provider_sect] below.`
			`-# Refer to the OpenSSL security policy for more information.`
			`-# .include fipsmodule.cnf`
			`-`
			`[openssl_init]`
			`providers = provider_sect`
			`# Load default TLS policy configuration`
			`ssl_conf = ssl_module`

			`-# List of providers to load`
			`+# Uncomment the sections that start with ## below to enable the legacy provider.`
			`+# Loading the legacy provider enables support for the following algorithms:`
			`+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160`
			`+# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED`
			`+# Key Derivation Function (KDF): PBKDF1`
			`+# In general it is not recommended to use the above mentioned algorithms for`
			`+# security critical operations, as they are cryptographically weak or vulnerable`
			`+# to side-channel attacks and as such have been deprecated.`
			`+`
			`[provider_sect]`
			`default = default_sect`
			`-# The fips section name should match the section name inside the`
			`-# included fipsmodule.cnf.`
			`-# fips = fips_sect`
			`-`
			`-# If no providers are activated explicitly, the default one is activated implicitly.`
			`-# See man 7 OSSL_PROVIDER-default for more details.`
			`-#`
			`-# If you add a section explicitly activating any other provider(s), you most`
			`-# probably need to explicitly activate the default provider, otherwise it`
			`-# becomes unavailable in openssl. As a consequence applications depending on`
			`-# OpenSSL may not work correctly which could lead to significant system`
			`-# problems including inability to remotely access the system.`
			`+##legacy = legacy_sect`
			`+`
			`[default_sect]`
			`-# activate = 1`
			`+activate = 1`
			`+`
			`+##[legacy_sect]`
			`+##activate = 1`

			`[ ssl_module ]`

			`Index: openssl-3.1.4/doc/man5/config.pod`
			`===================================================================`
			`--- openssl-3.1.4.orig/doc/man5/config.pod`
			`+++ openssl-3.1.4/doc/man5/config.pod`
			`@@ -273,6 +273,14 @@ significant.`
			`All parameters in the section as well as sub-sections are made`
			`available to the provider.`

			`+=head3 Loading the legacy provider`
			`+`
			`+Uncomment the sections that start with ## in openssl.cnf`
			`+to enable the legacy provider.`
			`+Note: In general it is not recommended to use the above mentioned algorithms for`
			`+security critical operations, as they are cryptographically weak or vulnerable`
			`+to side-channel attacks and as such have been deprecated.`
			`+`
			`=head3 Default provider and its activation`

			`If no providers are activated explicitly, the default one is activated implicitly.`