Accepting request 936137 from home:markkp:branches:security:tls

- Added openssl-1_1-use-include-directive.patch so that the default /etc/ssl/openssl.cnf file will include any configuration files that other packages might place into /etc/ssl/engines.d/ and /etc/ssl/engdef.d/ This is a fix for bsc#1004463 where scripting was being used to modify the openssl.cnf file. The scripting would fail if either the default openssl.cnf file, or the sample openssl-ibmca configuration file would be changed by upstream. - Updated spec file to create the two new necessary directores for the above patch. OBS-URL: https://build.opensuse.org/request/show/936137 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=100
2021-12-14 12:43:58 +00:00 · 2021-12-14 12:43:58 +00:00 · c13b2fd4bf
commit c13b2fd4bf
parent 81ba30e4f7
3 changed files with 46 additions and 0 deletions
--- a/openssl-1_1-use-include-directive.patch
+++ b/openssl-1_1-use-include-directive.patch
@ -0,0 +1,26 @@
+--- a/apps/openssl.cnf	2021-08-24 09:38:47.000000000 -0400
+++ b/apps/openssl.cnf	2021-12-06 17:13:34.549291242 -0500
+@@ -11,9 +11,23 @@
+ # defined.
+ HOME			= .
+ 
+openssl_conf = openssl_init
+
+[openssl_init]
+
+ # Extra OBJECT IDENTIFIER info:
+ #oid_file		= $ENV::HOME/.oid
+ oid_section		= new_oids
+engines			= engine_section
+
+# This include will look through the directory that will contain the
+# engine declarations for any engines provided by other packages.
+[engine_section]
+.include /etc/ssl/engines.d/
+
+# This include will look through the directory that will contain the
+# definitions of the engines declared in the engine section.
+.include /etc/ssl/engdef.d/
+ 
+ # To use this configuration file with the "-extfile" option of the
+ # "openssl x509" utility, name here the section containing the
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Dec  6 22:21:15 UTC 2021 - Mark Post <mpost@suse.com>
+
+- Added openssl-1_1-use-include-directive.patch so that the default
+  /etc/ssl/openssl.cnf file will include any configuration files that
+  other packages might place into /etc/ssl/engines.d/ and
+  /etc/ssl/engdef.d/ This is a fix for bsc#1004463 where scripting was
+  being used to modify the openssl.cnf file. The scripting would fail
+  if either the default openssl.cnf file, or the sample openssl-ibmca
+  configuration file would be changed by upstream.
+- Updated spec file to create the two new necessary directores for
+  the above patch.
+
 -------------------------------------------------------------------
 Thu Nov 11 18:50:47 UTC 2021 - Giuliano Belinassi <giuliano.belinassi@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -111,6 +111,7 @@ Patch53:        openssl-1_1-seclevel.patch
 Patch54:        openssl-1_1-use-seclevel2-in-tests.patch
 Patch55:        openssl-1_1-disable-test_srp-sslapi.patch
 Patch56:        openssl-add_rfc3526_rfc7919.patch
+Patch57:        openssl-1_1-use-include-directive.patch
 BuildRequires:  pkgconfig
 %if 0%{?suse_version} && ! 0%{?sle_version}
 Requires:       crypto-policies
@ -285,6 +286,10 @@ rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
 ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
 mkdir %{buildroot}/%{_datadir}/ssl
 mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
+# Create the two directories into which packages will drop their configuration
+# files.
+mkdir %{buildroot}/%{ssletcdir}/engines.d/
+mkdir %{buildroot}/%{ssletcdir}/engdef.d/

 # avoid file conflicts with man pages from other packages
 #
@ -382,6 +387,8 @@ unset LD_LIBRARY_PATH
 %dir %{ssletcdir}
 %config (noreplace) %{ssletcdir}/openssl.cnf
 %attr(700,root,root) %{ssletcdir}/private
+%dir %{ssletcdir}/engines.d
+%dir %{ssletcdir}/engdef.d
 %{ssletcdir}/ct_log_list.cnf
 %{ssletcdir}/ct_log_list.cnf.dist