From c13b2fd4bf992144f538144a5cf3679a12dd0f11b2e8e0211b85bc8d0d2aebba Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez
Date: Tue, 14 Dec 2021 12:43:58 +0000
Subject: [PATCH] Accepting request 936137 from home:markkp:branches:security:tls
- Added openssl-1_1-use-include-directive.patch so that the default /etc/ssl/openssl.cnf file will include any configuration files that other packages might place into /etc/ssl/engines.d/ and /etc/ssl/engdef.d/ This is a fix for bsc#1004463 where scripting was being used to modify the openssl.cnf file. The scripting would fail if either the default openssl.cnf file, or the sample openssl-ibmca configuration file would be changed by upstream.
- Updated spec file to create the two new necessary directores for the above patch.
OBS-URL: https://build.opensuse.org/request/show/936137
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=100
---
 openssl-1_1-use-include-directive.patch | 26 +++++++++++++++++++++++++
 openssl-1_1.changes | 13 +++++++++++++
 openssl-1_1.spec | 7 +++++++
 3 files changed, 46 insertions(+)
 create mode 100644 openssl-1_1-use-include-directive.patch
diff --git a/openssl-1_1-use-include-directive.patch b/openssl-1_1-use-include-directive.patch
new file mode 100644
index 0000000..cc1e0c4
--- /dev/null
+++ b/openssl-1_1-use-include-directive.patch
@@ -0,0 +1,26 @@
+--- a/apps/openssl.cnf 2021-08-24 09:38:47.000000000 -0400
++++ b/apps/openssl.cnf 2021-12-06 17:13:34.549291242 -0500
+@@ -11,9 +11,23 @@
+ # defined.
+ HOME = .
+
++openssl_conf = openssl_init
++
++[openssl_init]
++
+ # Extra OBJECT IDENTIFIER info:
+ #oid_file = $ENV::HOME/.oid
+ oid_section = new_oids
++engines = engine_section
++
++# This include will look through the directory that will contain the
++# engine declarations for any engines provided by other packages.
++[engine_section]
++.include /etc/ssl/engines.d/
++
++# This include will look through the directory that will contain the
++# definitions of the engines declared in the engine section.
++.include /etc/ssl/engdef.d/
+
+ # To use this configuration file with the "-extfile" option of the
+ # "openssl x509" utility, name here the section containing the
diff --git a/openssl-1_1.changes b/openssl-1_1.changes
index be68827..62324b8 100644
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Dec 6 22:21:15 UTC 2021 - Mark Post
+
+- Added openssl-1_1-use-include-directive.patch so that the default
+ /etc/ssl/openssl.cnf file will include any configuration files that
+ other packages might place into /etc/ssl/engines.d/ and
+ /etc/ssl/engdef.d/ This is a fix for bsc#1004463 where scripting was
+ being used to modify the openssl.cnf file. The scripting would fail
+ if either the default openssl.cnf file, or the sample openssl-ibmca
+ configuration file would be changed by upstream.
+- Updated spec file to create the two new necessary directores for
+ the above patch.
+
 -------------------------------------------------------------------
 Thu Nov 11 18:50:47 UTC 2021 - Giuliano Belinassi
diff --git a/openssl-1_1.spec b/openssl-1_1.spec
index b47fd3a..280cbce 100644
--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
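Review bot: The second `.include` depends on parser state that the two added comments do not spell out: as far as I can tell the OpenSSL 1.1.1 config parser keeps the current section across an include, so files in /etc/ssl/engines.d/ are read as part of `[engine_section]`, and /etc/ssl/engdef.d/ is then read in whatever section the last engines.d file left open. A drop-in in engines.d that carries its own `[section]` header, or an engdef.d file that does not start with one, would put keys in the wrong section for every program that loads this default configuration. I would state the contract in the comments, e.g. `# Files here may contain only "engine_name = section_name" lines, no [section] headers.` and `# Each file here must begin with its own [section] header.`, and mention that a directory include only picks up files ending in `.cnf` or `.conf`. The patched openssl.cnf continues outside the hunk, so whatever follows the includes before the next section header should be checked against this as well.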
@@ -111,6 +111,7 @@ Patch53: openssl-1_1-seclevel.patch
 Patch54: openssl-1_1-use-seclevel2-in-tests.patch
 Patch55: openssl-1_1-disable-test_srp-sslapi.patch
 Patch56: openssl-add_rfc3526_rfc7919.patch
+Patch57: openssl-1_1-use-include-directive.patch
 BuildRequires: pkgconfig
 %if 0%{?suse_version} && ! 0%{?sle_version}
 Requires: crypto-policies
@@ -285,6 +286,10 @@ rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
 ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
 mkdir %{buildroot}/%{_datadir}/ssl
 mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
+# Create the two directories into which packages will drop their configuration
+# files.
+mkdir %{buildroot}/%{ssletcdir}/engines.d/
+mkdir %{buildroot}/%{ssletcdir}/engdef.d/
 # avoid file conflicts with man pages from other packages
 #
@@ -382,6 +387,8 @@ unset LD_LIBRARY_PATH
 %dir %{ssletcdir}
 %config (noreplace) %{ssletcdir}/openssl.cnf
 %attr(700,root,root) %{ssletcdir}/private
+%dir %{ssletcdir}/engines.d
+%dir %{ssletcdir}/engdef.d
 %{ssletcdir}/ct_log_list.cnf
 %{ssletcdir}/ct_log_list.cnf.dist
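Review bot: The two new directories are created with a bare `mkdir` in the %install hunk and listed with a bare `%dir` in the %files hunk, so their mode follows the build umask and their owner follows whatever default the %files section sets, neither of which is visible here; the neighbouring `private` entry pins both with `%attr`. Files dropped into these directories decide which engine modules are loaded by programs that read the default openssl.cnf, so I would make the intent explicit with `%dir %attr(755,root,root) %{ssletcdir}/engines.d` and `%dir %attr(755,root,root) %{ssletcdir}/engdef.d`. Separately, openssl.cnf stays `%config (noreplace)`, so a system with a locally edited file keeps it without the new include lines and drop-ins are silently ignored there until the `.rpmnew` is merged. A sentence about that in the changelog entry would help administrators.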