- Add patch to use proper SSL exponent bnc#922571

* cfengine-fips.patch

OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/cfengine?expand=0&rev=117

cfengine-fips.patch

@@ -0,0 +1,66 @@
+Index: core-3.6.5/cf-key/cf-key-functions.c
+===================================================================
+--- core-3.6.5.orig/cf-key/cf-key-functions.c
++++ core-3.6.5/cf-key/cf-key-functions.c
+@@ -243,11 +243,11 @@ void KeepKeyPromises(const char *public_
+     printf("Making a key pair for cfengine, please wait, this could take a minute...\n");
+ 
+ #ifdef OPENSSL_NO_DEPRECATED
+-    BN_set_word(rsa_bignum, 35);
++    BN_set_word(rsa_bignum, RSA_F4);
+ 
+     if (!RSA_generate_key_ex(pair, 2048, rsa_bignum, NULL))
+ #else
+-    pair = RSA_generate_key(2048, 35, NULL, NULL);
++    pair = RSA_generate_key(2048, 65537, NULL, NULL);
+ 
+     if (pair == NULL)
+ #endif
+Index: core-3.6.5/tests/unit/hash_test.c
+===================================================================
+--- core-3.6.5.orig/tests/unit/hash_test.c
++++ core-3.6.5/tests/unit/hash_test.c
+@@ -52,7 +52,7 @@ void tests_setup()
+             initialized = 0;
+             return;
+         }
+-        BN_set_word(bn, 3);
++        BN_set_word(bn, RSA_F4);
+         RSA_generate_key_ex(rsa, 1024, bn, NULL);
+         BN_free(bn);
+     }
+Index: core-3.6.5/tests/unit/key_test.c
+===================================================================
+--- core-3.6.5.orig/tests/unit/key_test.c
++++ core-3.6.5/tests/unit/key_test.c
+@@ -25,7 +25,7 @@ void test_setup()
+             initialized = 0;
+             return;
+         }
+-        BN_set_word(bn, 3);
++        BN_set_word(bn, RSA_F4);
+         RSA_generate_key_ex(rsa, 1024, bn, NULL);
+         BN_free(bn);
+     }
+Index: core-3.6.5/tests/unit/tls_generic_test.c
+===================================================================
+--- core-3.6.5.orig/tests/unit/tls_generic_test.c
++++ core-3.6.5/tests/unit/tls_generic_test.c
+@@ -54,7 +54,7 @@ static bool init_test_server()
+     int ret;
+     RSA *key = RSA_new();
+     BIGNUM *bignum = BN_new();
+-    BN_set_word(bignum, 17);
++    BN_set_word(bignum, RSA_F4);
+     ret = RSA_generate_key_ex(key, 1024, bignum, NULL);
+     if (!ret)
+     {
+@@ -450,7 +450,7 @@ static bool init_test_client()
+     int ret;
+     RSA *key = RSA_new();
+     BIGNUM *bignum = BN_new();
+-    BN_set_word(bignum, 17);
++    BN_set_word(bignum, RSA_F4);
+     ret = RSA_generate_key_ex(key, 1024, bignum, NULL);
+     if (!ret)
+     {

cfengine.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 17 13:51:18 UTC 2015 - tchvatal@suse.com
+
+- Add patch to use proper SSL exponent bnc#922571
+  * cfengine-fips.patch
+
 -------------------------------------------------------------------
 Tue Mar 17 13:41:26 UTC 2015 - tchvatal@suse.com
 

cfengine.spec

@@ -64,6 +64,8 @@ Patch5:         0001-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch
 # set cfengine's notion of bindir to /usr/sbin instead of /var/cfengine/bin
 # kkaempf@suse.de
 Patch6:         0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch
+# PATCH-FIX-UPSTREAM: Use ssl exponent of 65537 for FIPS bnc#922571
+Patch7:         cfengine-fips.patch
 BuildRequires:  bison
 BuildRequires:  db-devel
 BuildRequires:  flex
@@ -186,6 +188,7 @@ Lots of examples promises for CFEngine.
 %endif
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 ##### rpmlint
 #### wrong-file-end-of-line-encoding