From 7957f2e845221ea16fd601ef6ccd032f3d7fa8590f91c7743c7928479934fa73 Mon Sep 17 00:00:00 2001 From: Otto Hollmann Date: Thu, 18 Jan 2024 15:17:04 +0000 Subject: [PATCH] Accepting request 1139750 from security:tls:unstable OBS-URL: https://build.opensuse.org/request/show/1139750 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=85 --- openssl-3.changes | 23 ++ openssl-3.spec | 40 ++- openssl-FIPS-SUSE-version.patch | 40 +++ openssl-FIPS-embed-hmac.patch | 250 ++++++++++++++++++ openssl-Force-FIPS.patch | 68 +++++ ...h => openssl-crypto-policies-support.patch | 9 +- 6 files changed, 416 insertions(+), 14 deletions(-) create mode 100644 openssl-FIPS-SUSE-version.patch create mode 100644 openssl-FIPS-embed-hmac.patch create mode 100644 openssl-Force-FIPS.patch rename openssl-Override-default-paths-for-the-CA-directory-tree.patch => openssl-crypto-policies-support.patch (71%) diff --git a/openssl-3.changes b/openssl-3.changes index 0781e16..e150048 100644 --- a/openssl-3.changes +++ b/openssl-3.changes 
@@ -5,6 +5,29 @@ Tue Jan 16 09:45:24 UTC 2024 - Otto Hollmann * Limit the execution time of RSA public key check * Add openssl-CVE-2023-6237.patch +------------------------------------------------------------------- +Sun Jan 14 13:36:33 UTC 2024 - Pedro Monreal + +- Rename openssl-Override-default-paths-for-the-CA-directory-tree.patch + to openssl-crypto-policies.patch + +------------------------------------------------------------------- +Sat Jan 13 23:59:27 UTC 2024 - Pedro Monreal + +- Embed the FIPS hmac. Add openssl-FIPS-embed-hmac.patch + +------------------------------------------------------------------- +Sat Jan 13 22:52:50 UTC 2024 - Pedro Monreal + +- Define SUSE_OPENSSL_FIPS_VERSION for the FIPS provider + * Add openssl-FIPS-SUSE-version.patch + +------------------------------------------------------------------- +Sat Jan 13 22:31:15 UTC 2024 - Pedro Monreal + +- Load FIPS the provider and set FIPS properties implicitly (bsc#1218091) + * Add openssl-Force-FIPS.patch + ------------------------------------------------------------------- Thu Jan 11 08:07:48 UTC 2024 - Otto Hollmann diff --git a/openssl-3.spec b/openssl-3.spec index 9115aa8..e4e5c81 100644 --- a/openssl-3.spec +++ b/openssl-3.spec @@ -44,7 +44,7 @@ Patch4: openssl-DEFAULT_SUSE_cipher.patch Patch5: openssl-ppc64-config.patch # Add crypto-policies support Patch6: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch -Patch7: openssl-Override-default-paths-for-the-CA-directory-tree.patch +Patch7: openssl-crypto-policies-support.patch # PATCH-FIX-OPENSUSE: Revert of 0e55c3ab8d702ffc897c9beb51d19b14b789618 # Makefile: Call mknum.pl on 'make ordinals' only if needed Patch8: openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch 
@@ -57,8 +57,14 @@ Patch11: openssl-Fix_test_symbol_presence.patch Patch12: openssl-Enable-BTI-feature-for-md5-on-aarch64.patch # PATCH-FIX-UPSTREAM: bsc#1218690 CVE-2023-6129 - POLY1305 MAC implementation corrupts vector registers on PowerPC Patch13: openssl-CVE-2023-6129.patch +# PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly +Patch14: openssl-Force-FIPS.patch +# PATCH-FIX-OPENSUSE Define SUSE_OPENSSL_FIPS_VERSION for the FIPS provider +#Patch15: openssl-FIPS-SUSE-version.patch +# PATCH-FIX-FEDORA Embed the FIPS hmac +Patch16: openssl-FIPS-embed-hmac.patch # PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys -Patch14: openssl-CVE-2023-6237.patch +Patch17: openssl-CVE-2023-6237.patch BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) Requires: libopenssl3 = %{version}-%{release} @@ -142,7 +148,7 @@ export MACHINE=armv5el export MACHINE=armv6l %endif -./config \ +./Configure \ no-mdc2 no-ec2m no-sm2 no-sm4 \ enable-rfc3779 enable-camellia enable-seed \ %ifarch x86_64 aarch64 ppc64le @@ -165,7 +171,8 @@ export MACHINE=armv6l $(getconf LFS_CFLAGS) \ -Wall \ --with-rand-seed=getrandom \ - --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config + --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ + -DSUSE_OPENSSL_FIPS_VERSION=%{release} # Show build configuration perl configdata.pm --dump 
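Review bot: `#Patch15: openssl-FIPS-SUSE-version.patch` is left commented out, so the patch file this commit adds is never applied, while the later `@@ -165,7 +171,8 @@` hunk still passes `-DSUSE_OPENSSL_FIPS_VERSION=%{release}` to Configure and the changelog entry lists the patch as added. As far as these hunks show, nothing else consumes that define, so the FIPS provider would keep reporting the upstream name and version text. Either enable the Patch15 line or drop the define, and record the reason on the tag, e.g. `# Patch15 disabled: <reason>`.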
@@ -181,12 +188,33 @@ perl configdata.pm --dump # Revert patch7 before running tests patch -p1 -R < %{PATCH7} export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file - export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -#export HARNESS_VERBOSE=yes +# export HARNESS_VERBOSE=yes +# Embed HMAC into fips provider for test run +OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac +objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac +mv providers/fips.so.mac providers/fips.so + +# Run the tests in non FIPS mode LD_LIBRARY_PATH="$PWD" make test -j16 +# Run the tests also in FIPS mode +OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make test -j16 || : + +# Add generation of HMAC checksum of the final stripped library +# We manually copy standard definition of __spec_install_post +# and add hmac calculation/embedding to fips.so +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. 
apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ + objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ + mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ + rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ +%{nil} + # show ciphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers diff --git a/openssl-FIPS-SUSE-version.patch b/openssl-FIPS-SUSE-version.patch new file mode 100644 index 0000000..c4a71ac --- /dev/null +++ b/openssl-FIPS-SUSE-version.patch 
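Review bot: The FIPS-mode run `OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make test -j16 || :` throws away its exit status, so a provider whose embedded HMAC does not verify would still produce a package. Nothing in this hunk checks the outcome of the `objcopy --update-section .rodata1=...` embedding either, in the test run or in the overridden `__spec_install_post`; a step that loads the rewritten `fips.so` and fails the build when its self-test fails would close that gap. The `hexkey:` literal is written twice and presumably has to match `fixed_key` in providers/fips/self_test.c, so define it once as a spec macro with a comment saying so. Because that key is public, the comment should also state that the HMAC detects corruption of the module, not deliberate modification.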
@@ -0,0 +1,40 @@ +Index: openssl-3.2.0/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.2.0.orig/providers/fips/fipsprov.c ++++ openssl-3.2.0/providers/fips/fipsprov.c +@@ -199,7 +199,7 @@ static int fips_get_params(void *provctx + OSSL_LIB_CTX_FIPS_PROV_INDEX); + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE OpenSSL FIPS Provider")) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); + if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) +Index: openssl-3.2.0/include/openssl/opensslv.h.in +=================================================================== +--- openssl-3.2.0.orig/include/openssl/opensslv.h.in ++++ openssl-3.2.0/include/openssl/opensslv.h.in +@@ -17,6 +17,9 @@ + extern "C" { + # endif + ++#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x ++#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x) ++ + /* + * SECTION 1: VERSION DATA. These will change for each release + */ +@@ -87,7 +90,11 @@ extern "C" { + * SECTION 4: BACKWARD COMPATIBILITY + */ + +-# define OPENSSL_VERSION_TEXT "OpenSSL {- "$config{full_version} $config{release_date}" -}" ++# ifndef FIPS_MODULE ++# define OPENSSL_VERSION_TEXT "OpenSSL {- "$config{full_version} $config{release_date}" -}" ++# else ++# define OPENSSL_VERSION_TEXT "OpenSSL {- $config{full_version} -}-fips {- $config{release_date} -} SUSE release SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_FIPS_VERSION)" ++# endif + + /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */ + # ifdef OPENSSL_VERSION_PRE_RELEASE diff --git a/openssl-FIPS-embed-hmac.patch b/openssl-FIPS-embed-hmac.patch new file mode 100644 index 0000000..288361b --- /dev/null +++ b/openssl-FIPS-embed-hmac.patch 
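Review bot: In the `FIPS_MODULE` branch of `OPENSSL_VERSION_TEXT`, `SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_FIPS_VERSION)` sits inside the string literal, where the preprocessor does not expand macros, so the version text would contain the macro name rather than the release. Close the literal before the macro so the stringified value is concatenated: `... {- $config{release_date} -} SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_FIPS_VERSION)`. The two helper macros deserve a one-line comment such as `/* two-level expansion so SUSE_OPENSSL_FIPS_VERSION is stringified by value */`. A `#ifndef SUSE_OPENSSL_FIPS_VERSION` fallback would keep builds without the `-D` flag from embedding the bare identifier.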
@@ -0,0 +1,250 @@ +From e364a858262c8f563954544cc81e66f1b3b8db8c Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 19 Oct 2023 13:12:40 +0200 +Subject: [PATCH 16/46] 0033-FIPS-embed-hmac.patch + +Patch-name: 0033-FIPS-embed-hmac.patch +Patch-id: 33 +Patch-status: | + # # Embed HMAC into the fips.so +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 +--- + providers/fips/self_test.c | 70 ++++++++++++++++++++++++--- + test/fipsmodule.cnf | 2 + + test/recipes/00-prep_fipsmodule_cnf.t | 2 +- + test/recipes/01-test_fipsmodule_cnf.t | 2 +- + test/recipes/03-test_fipsinstall.t | 2 +- + test/recipes/30-test_defltfips.t | 2 +- + test/recipes/80-test_ssl_new.t | 2 +- + test/recipes/90-test_sslapi.t | 2 +- + 8 files changed, 71 insertions(+), 13 deletions(-) + create mode 100644 test/fipsmodule.cnf + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index b8dc9817b2..e3a629018a 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -230,11 +230,27 @@ err: + return ok; + } + ++#define HMAC_LEN 32 ++/* ++ * The __attribute__ ensures we've created the .rodata1 section ++ * static ensures it's zero filled ++*/ ++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0}; ++ + /* + * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify + * the result matches the expected value. + * Return 1 if verified, or 0 if it fails. 
+ */ ++#ifndef __USE_GNU ++#define __USE_GNU ++#include ++#undef __USE_GNU ++#else ++#include ++#endif ++#include ++ + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, + unsigned char *expected, size_t expected_len, + OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, +@@ -247,12 +263,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + EVP_MAC *mac = NULL; + EVP_MAC_CTX *ctx = NULL; + OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; + + if (!integrity_self_test(ev, libctx)) + goto err; + + OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); + ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ + mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); + if (mac == NULL) + goto err; +@@ -266,13 +293,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) + goto err; + +- while (1) { +- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (off + INTEGRITY_BUF_SIZE > paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ memset(buf, 0, HMAC_LEN); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ while (bytes_read > 0) { ++ status = 
read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); + if (status != 1) + break; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; ++ off += bytes_read; + } ++ + if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) + goto err; + +@@ -282,6 +338,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +@@ -335,8 +392,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + return 0; + } + +- if (st == NULL +- || st->module_checksum_data == NULL) { ++ if (st == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); + goto end; + } +@@ -345,8 +401,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + if (ev == NULL) + goto end; + +- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, +- &checksum_len); ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ + if (module_checksum == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); + goto end; +@@ -420,7 +477,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + end: + EVP_RAND_free(testrand); + OSSL_SELF_TEST_free(ev); +- OPENSSL_free(module_checksum); + OPENSSL_free(indicator_checksum); + + if (st != NULL) { +diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf +new file mode 100644 +index 0000000000..f05d0dedbe +--- /dev/null ++++ b/test/fipsmodule.cnf +@@ -0,0 +1,2 @@ ++[fips_sect] ++activate = 1 +diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t +index 4e3a6d85e8..e8255ba974 100644 +--- a/test/recipes/00-prep_fipsmodule_cnf.t ++++ b/test/recipes/00-prep_fipsmodule_cnf.t +@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "FIPS module config file 
only supported in a fips build" + if $no_check; + +diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t +index ce594817d5..00cebacff8 100644 +--- a/test/recipes/01-test_fipsmodule_cnf.t ++++ b/test/recipes/01-test_fipsmodule_cnf.t +@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "Test only supported in a fips build" + if $no_check; + plan tests => 1; +diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t +index b8b136d110..8242f4ebc3 100644 +--- a/test/recipes/03-test_fipsinstall.t ++++ b/test/recipes/03-test_fipsinstall.t +@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-plan skip_all => "Test only supported in a fips build" if disabled("fips"); ++plan skip_all => "Test only supported in a fips build" if 1; + + # Compatible options for pedantic FIPS compliance + my @pedantic_okay = +diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t +index c8f145405b..56a2ec5dc4 100644 +--- a/test/recipes/30-test_defltfips.t ++++ b/test/recipes/30-test_defltfips.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "Configuration loading is turned off" + if disabled("autoload-config"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + plan tests => + ($no_fips ? 
1 : 5); +diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t +index 0c6d6402d9..e45f9cb560 100644 +--- a/test/recipes/80-test_ssl_new.t ++++ b/test/recipes/80-test_ssl_new.t +@@ -27,7 +27,7 @@ setup("test_ssl_new"); + use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); + +diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t +index 9e9e32b51e..1a1a7159b5 100644 +--- a/test/recipes/90-test_sslapi.t ++++ b/test/recipes/90-test_sslapi.t +@@ -17,7 +17,7 @@ setup("test_sslapi"); + use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + my $fipsmodcfg_filename = "fipsmodule.cnf"; + my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); + +-- +2.41.0 + diff --git a/openssl-Force-FIPS.patch b/openssl-Force-FIPS.patch new file mode 100644 index 0000000..8596ef9 --- /dev/null +++ b/openssl-Force-FIPS.patch 
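Review bot: In `verify_integrity`, the two reads that straddle the embedded HMAC accept short reads: after `read_ex_cb(bio, buf, delta, &bytes_read)` and `read_ex_cb(bio, buf, HMAC_LEN, &bytes_read)` only `status` is tested, so if fewer bytes come back the zeroed window no longer lines up with `fips_hmac_container` and the digest covers the wrong layout. That presumably fails closed, but as an unexplained integrity failure; test the length too, e.g. `if (status != 1 || bytes_read != HMAC_LEN) goto err;` placed before the `memset`. `paddr` is derived from `lm->l_addr`, a load-address offset, yet it is compared with the file position `off`; this holds only while `.rodata1` has the same file offset and virtual address, which deserves a comment next to the computation. The same patch forces `$no_check = 1` / `$no_fips = 1` (or `if 1`) in six test recipes, so the FIPS parts of those recipes are skipped unconditionally and do not cover this code.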
@@ -0,0 +1,68 @@ +From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 11:59:02 +0200 +Subject: [PATCH 16/48] 0032-Force-fips.patch + +Patch-name: 0032-Force-fips.patch +Patch-id: 32 +Patch-status: | + # We load FIPS provider and set FIPS properties implicitly +--- + crypto/provider_conf.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c +index 058fb58837..5274265a70 100644 +--- a/crypto/provider_conf.c ++++ b/crypto/provider_conf.c +@@ -10,6 +10,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, + if (path != NULL) + ossl_provider_set_module_path(prov, path); + +- ok = provider_conf_params(prov, NULL, NULL, value, cnf); ++ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; + + if (ok) { + if (!ossl_provider_activate(prov, 1, 0)) { +@@ -309,6 +311,30 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) + return 0; + } + ++ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */ ++ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf); ++# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf" ++ ++ if (access(FIPS_LOCAL_CONF, R_OK) == 0) { ++ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default()); ++ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) ++ return 0; ++ ++ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) { ++ NCONF_free(fips_conf); ++ return 0; ++ } ++ NCONF_free(fips_conf); ++ } else { ++ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ } ++ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ if (EVP_default_properties_enable_fips(libctx, 1) != 1) ++ return 0; ++ } ++ + return 1; + } + +-- +2.41.0 
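Review bot: In the block added to `provider_conf_init`, `fips_conf` leaks when `NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0` takes the `return 0` path, and the result of `NCONF_new_ex` is never checked for NULL. Both can be handled in one guard: `if (fips_conf == NULL || NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) { NCONF_free(fips_conf); return 0; }`. The `access(FIPS_LOCAL_CONF, R_OK)` probe followed by a separate load is a check-then-use pair, harmless only while `OPENSSLDIR` is writable by privileged users alone; a comment should state that assumption. It should also say that a present but unparsable `fips_local.cnf` makes initialisation fail rather than fall back to the implicit activation.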
diff --git a/openssl-Override-default-paths-for-the-CA-directory-tree.patch b/openssl-crypto-policies-support.patch similarity index 71% rename from openssl-Override-default-paths-for-the-CA-directory-tree.patch rename to openssl-crypto-policies-support.patch index 0fd31e4..c7f3f16 100644 --- a/openssl-Override-default-paths-for-the-CA-directory-tree.patch +++ b/openssl-crypto-policies-support.patch @@ -1,14 +1,7 @@ -From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 24 Sep 2020 09:17:26 +0200 -Subject: Override default paths for the CA directory tree - -Also add default section to load crypto-policies configuration -for TLS. +Add default section to load crypto-policies configuration for TLS. It needs to be reverted before running tests. -(was openssl-1.1.1-conf-paths.patch) --- apps/openssl.cnf | 20 ++++++++++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-)