pool/openssl-3
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 949760 from security:tls:unstable

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/949760
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=33
This commit is contained in:
Pedro Monreal Gonzalez 2022-01-28 19:30:29 +00:00 committed by Git OBS Bridge
parent 0a6677bc99
commit c3d5c867a1
6 changed files with 594 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
fix-config-in-tests.patch Normal file
View File

@ -0,0 +1,13 @@
Index: openssl-3.0.1/test/run_tests.pl
===================================================================
--- openssl-3.0.1.orig/test/run_tests.pl
+++ openssl-3.0.1/test/run_tests.pl
@@ -33,7 +33,7 @@ my $recipesdir = catdir($srctop, "test",
my $libdir = rel2abs(catdir($srctop, "util", "perl"));
my $jobs = $ENV{HARNESS_JOBS} // 1;
-$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));
+$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl3.cnf"));
$ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
$ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
$ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));

19
openssl-3.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Fri Jan 28 08:32:43 UTC 2022 - Simon Lees <simonf.lees@suse.com>
- Remove /etc/pki/CA from the [jsc#SLE-17856, jsc#SLE-19044]
openssl-Override-default-paths-for-the-CA-directory-tree.patch
- Remove unused patches
-------------------------------------------------------------------
Fri Jan 21 08:18:28 UTC 2022 - Simon Lees <simonf.lees@suse.com>
- Ship openssl-3 as binary names [jsc#SLE-17856, jsc#SLE-19044]
- Use openssl3.cnf
* openssl-use-versioned-config.patch
* fix-config-in-tests.patch
- Support crypto policies
* openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
* openssl-Override-default-paths-for-the-CA-directory-tree.patch
- Remove obsolets, not ready to force an upgrade yet
-------------------------------------------------------------------
Thu Jan 13 10:49:26 UTC 2022 - Pedro Monreal <pmonreal@suse.com>

58
openssl-3.spec
View File

@ -42,15 +42,14 @@ Patch3: openssl-pkgconfig.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch
Patch6: openssl-no-date.patch
# Patches for crypto-policies
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
# use openssl3.cnf
Patch9: openssl-use-versioned-config.patch
Patch10: fix-config-in-tests.patch
BuildRequires: pkgconfig
Conflicts: ssl
Provides: ssl
Provides: openssl(cli)
# Needed for clean upgrade path, boo#1070003
Obsoletes: openssl-1_0_0
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: openssl-1_1_0
Obsoletes: openssl-1_1
%description
OpenSSL is a software library to be used in applications that need to
@ -76,12 +75,6 @@ Recommends: %{name} = %{version}
Conflicts: libopenssl-devel < %{version}
Conflicts: libopenssl-devel > %{version}
Conflicts: ssl-devel
Provides: ssl-devel
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl-1_1_0-devel
Obsoletes: libopenssl-1_1-devel
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
Obsoletes: libopenssl-1_0_0-devel
%description -n libopenssl-3-devel
This subpackage contains header files for developing applications
@ -143,21 +136,30 @@ perl configdata.pm --dump
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
# export HARNESS_VERBOSE=yes
LD_LIBRARY_PATH="$PWD" make test -j1
LD_LIBRARY_PATH="$PWD" make TESTS='-test_req\
-test_verify_store\
-test_evp_fetch_prov\
-test_ca\
-test_ssl_old\
-test_tsa'\
test -j1
# show ciphers
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
%install
%make_install %{?_smp_mflags}
# Kill static libs
rm -f %{buildroot}%{_libdir}/lib*.a
# Remove the cnf.dist
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl3.cnf.dist
mkdir %{buildroot}/%{_datadir}/ssl-3
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl-3/
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
mkdir %{buildroot}/%{_datadir}/ssl
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
# Rename binary
mv %{buildroot}%{_bindir}/%{_rname} %{buildroot}%{_bindir}/%{name}
# Avoid file conflicts with man pages from other packages
pushd %{buildroot}/%{_mandir}
find . -type f -exec chmod 644 {} +
@ -172,21 +174,23 @@ for i in man?/*; do
if test -L $i ; then
LDEST=`readlink $i`
rm -f $i ${i}ssl
ln -sf ${LDEST}ssl ${i}ssl
ln -sf ${LDEST}ssl-3 ${i}ssl-3
else
mv $i ${i}ssl
mv $i ${i}ssl-3
fi
case "$i" in
*.1)
# These are the pages mentioned in openssl(1). They go into the main package.
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist;;
*)
# The rest goes into the openssl-doc package.
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist.doc;;
esac
done
popd
mv %{buildroot}%{_bindir}/c_rehash %{buildroot}%{_bindir}/c_rehash-3
# Do not install demo scripts executable under /usr/share/doc
find demos -type f -perm /111 -exec chmod 644 {} +
@ -221,14 +225,14 @@ cp %{SOURCE5} .
%files -f filelist
%doc CHANGE*
%dir %{ssletcdir}
%config (noreplace) %{ssletcdir}/openssl.cnf
%config (noreplace) %{ssletcdir}/openssl3.cnf
%attr(700,root,root) %{ssletcdir}/private
%{ssletcdir}/ct_log_list.cnf
%{ssletcdir}/ct_log_list.cnf.dist
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%{_bindir}/c_rehash
%{_bindir}/%{_rname}
%dir %{_datadir}/ssl-3
%{_datadir}/ssl-3/misc
%{_bindir}/c_rehash-3
%{_bindir}/%{name}
%changelog

329
openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Normal file
View File

@ -0,0 +1,329 @@
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 10:16:46 +0200
Subject: Add support for PROFILE=SYSTEM system default cipherlist
(was openssl-1.1.1-system-cipherlist.patch)
---
Configurations/unix-Makefile.tmpl | 5 ++
Configure | 10 +++-
doc/man1/openssl-ciphers.pod.in | 9 ++++
include/openssl/ssl.h.in | 5 ++
ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++----
ssl/ssl_lib.c | 4 +-
test/cipherlist_test.c | 2 +
util/libcrypto.num | 1 +
8 files changed, 110 insertions(+), 14 deletions(-)
Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
+
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
(map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
Index: openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
===================================================================
--- openssl-3.0.1.orig/doc/man1/openssl-ciphers.pod.in
+++ openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
+=item B<PROFILE=SYSTEM>
+
+The list of enabled cipher suites will be loaded from the system crypto policy
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
+See also L<update-crypto-policies(8)>.
+This is the default behavior unless an application explicitly sets a cipher
+list. If used in a cipher list configuration value this string must be at the
+beginning of the cipher list, otherwise it will not be recognized.
+
=item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths
Index: openssl-3.0.1/include/openssl/ssl.h.in
===================================================================
--- openssl-3.0.1.orig/include/openssl/ssl.h.in
+++ openssl-3.0.1/include/openssl/ssl.h.in
@@ -210,6 +210,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/
+# ifdef SYSTEM_CIPHERS_FILE
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
+# else
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
+# endif
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
Index: openssl-3.0.1/ssl/ssl_ciph.c
===================================================================
--- openssl-3.0.1.orig/ssl/ssl_ciph.c
+++ openssl-3.0.1/ssl/ssl_ciph.c
@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret;
}
+#ifdef SYSTEM_CIPHERS_FILE
+static char *load_system_str(const char *suffix)
+{
+ FILE *fp;
+ char buf[1024];
+ char *new_rules;
+ const char *ciphers_path;
+ unsigned len, slen;
+
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
+ ciphers_path = SYSTEM_CIPHERS_FILE;
+ fp = fopen(ciphers_path, "r");
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
+ /* cannot open or file is empty */
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
+ }
+
+ if (fp)
+ fclose(fp);
+
+ slen = strlen(suffix);
+ len = strlen(buf);
+
+ if (buf[len - 1] == '\n') {
+ len--;
+ buf[len] = 0;
+ }
+ if (buf[len - 1] == '\r') {
+ len--;
+ buf[len] = 0;
+ }
+
+ new_rules = OPENSSL_malloc(len + slen + 1);
+ if (new_rules == 0)
+ return NULL;
+
+ memcpy(new_rules, buf, len);
+ if (slen > 0) {
+ memcpy(&new_rules[len], suffix, slen);
+ len += slen;
+ }
+ new_rules[len] = 0;
+
+ return new_rules;
+}
+#endif
+
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
+#ifdef SYSTEM_CIPHERS_FILE
+ char *new_rules = NULL;
+
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
+ char *p = rule_str + 14;
+
+ new_rules = load_system_str(p);
+ rule_str = new_rules;
+ }
+#endif
/*
* Return with error if nothing to do.
*/
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
- return NULL;
+ goto err;
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
- return NULL;
+ goto err;
/*
* To reduce the work to do we only want to process the compiled
@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
- OPENSSL_free(co_list);
- return NULL;
+ goto err;
}
/*
@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
- OPENSSL_free(co_list);
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
- return NULL; /* Failure */
+ goto err;
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
- OPENSSL_free(co_list);
- return NULL;
+ goto err;
}
/*
@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
- OPENSSL_free(co_list);
- return NULL;
+ goto err;
}
+#ifdef SYSTEM_CIPHERS_FILE
+ OPENSSL_free(new_rules); /* Not needed anymore */
+#endif
+
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1656,6 +1713,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
+ OPENSSL_free(co_list);
return NULL;
}
}
@@ -1690,6 +1748,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack;
return cipherstack;
+
+err:
+ OPENSSL_free(co_list);
+#ifdef SYSTEM_CIPHERS_FILE
+ OPENSSL_free(new_rules);
+#endif
+ return NULL;
+
}
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
Index: openssl-3.0.1/ssl/ssl_lib.c
===================================================================
--- openssl-3.0.1.orig/ssl/ssl_lib.c
+++ openssl-3.0.1/ssl/ssl_lib.c
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
- OSSL_default_cipher_list(), ctx->cert);
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -3248,7 +3248,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
- OSSL_default_cipher_list(), ret->cert)
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
Index: openssl-3.0.1/test/cipherlist_test.c
===================================================================
--- openssl-3.0.1.orig/test/cipherlist_test.c
+++ openssl-3.0.1/test/cipherlist_test.c
@@ -246,7 +246,9 @@ end:
int setup_tests(void)
{
+#ifndef SYSTEM_CIPHERS_FILE
ADD_TEST(test_default_cipherlist_implicit);
+#endif
ADD_TEST(test_default_cipherlist_explicit);
ADD_TEST(test_default_cipherlist_clear);
return 1;
Index: openssl-3.0.1/util/libcrypto.num
===================================================================
--- openssl-3.0.1.orig/util/libcrypto.num
+++ openssl-3.0.1/util/libcrypto.num
@@ -5425,3 +5425,4 @@ ASN1_item_d2i_ex
ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
Index: openssl-3.0.1/Configure
===================================================================
--- openssl-3.0.1.orig/Configure
+++ openssl-3.0.1/Configure
@@ -27,7 +27,7 @@ use OpenSSL::config;
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
my $banner = <<"EOF";
@@ -61,6 +61,10 @@ EOF
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
# (Default: PREFIX/ssl)
+#
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
+# cipher is specified (default).
+#
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
@@ -387,6 +391,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
+$config{system_ciphers_file}="";
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
@@ -989,6 +994,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
+ elsif (/^--system-ciphers-file=(.*)$/)
+ {
+ $config{system_ciphers_file}=$1;
+ }
elsif (/^--banner=(.*)$/)
{
$banner = $1 . "\n";

60
openssl-Override-default-paths-for-the-CA-directory-tree.patch Normal file
View File

@ -0,0 +1,60 @@
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:17:26 +0200
Subject: Override default paths for the CA directory tree
Also add default section to load crypto-policies configuration
for TLS.
It needs to be reverted before running tests.
(was openssl-1.1.1-conf-paths.patch)
---
apps/openssl.cnf | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 3 deletions(-)
Index: openssl-3.0.1/apps/openssl.cnf
===================================================================
--- openssl-3.0.1.orig/apps/openssl.cnf
+++ openssl-3.0.1/apps/openssl.cnf
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
# List of providers to load
[provider_sect]
@@ -71,6 +73,13 @@ default = default_sect
[default_sect]
# activate = 1
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
####################################################################
[ ca ]
@@ -79,7 +88,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
@@ -309,7 +318,7 @@ default_tsa = tsa_config1 # the default
[ tsa_config1 ]
# These are used by the TSA reply generation only.
-dir = ./demoCA # TSA root directory
+dir = /etc/pki/CA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate

142
openssl-use-versioned-config.patch Normal file
View File

@ -0,0 +1,142 @@
From 300d2b56166aee85d9ce4c1275da1ad79c876e31 Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sahana@redhat.com>
Date: Tue, 5 Oct 2021 12:10:42 +0200
Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves:
rhbz#1947584, rhbz#2003123 Signed-off-by: Sahana Prasad <sahana@redhat.com>
Refactored for SUSE by Simon Lees sflees@suse.de
Index: openssl-3.0.1/include/internal/cryptlib.h
===================================================================
--- openssl-3.0.1.orig/include/internal/cryptlib.h
+++ openssl-3.0.1/include/internal/cryptlib.h
@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK)
typedef struct mem_st MEM;
DEFINE_LHASH_OF(MEM);
-# define OPENSSL_CONF "openssl.cnf"
+# define OPENSSL_CONF "openssl3.cnf"
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl
@@ -129,7 +129,7 @@ GENERATED_PODS={- # common0.tmpl provide
fill_lines(" ", $COLUMNS - 15,
map { my $x = $_;
(
- grep {
+ grep {
$unified_info{attributes}->{depends}
->{$x}->{$_}->{pod} // 0
}
@@ -675,14 +675,14 @@ install_ssldirs:
: {- output_on() if windowsdll(); "" -}; \
fi; \
done
- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
- @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
- @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
- @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist
- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
- cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
- chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
+ @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist"
+ @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
+ @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
+ @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist
+ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl3.cnf" ]; then \
+ $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf"; \
+ cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
+ chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
fi
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
@cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
@@ -1136,7 +1136,7 @@ lint:
generate_apps:
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
- < apps/openssl.cnf > apps/openssl-vms.cnf )
+ < apps/openssl3.cnf > apps/openssl-vms.cnf )
generate_crypto_bn:
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
@@ -1374,7 +1374,7 @@ tar:
# Helper targets #####################################################
-link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf
+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf
$(BLDDIR)/util/opensslwrap.sh: configdata.pm
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: configdat
ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \
fi
-$(BLDDIR)/apps/openssl.cnf: configdata.pm
+$(BLDDIR)/apps/openssl3.cnf: configdata.pm
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
mkdir -p "$(BLDDIR)/apps"; \
ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \
Index: openssl-3.0.1/Configure
===================================================================
--- openssl-3.0.1.orig/Configure
+++ openssl-3.0.1/Configure
@@ -56,7 +56,7 @@ EOF
# directories bin, lib, include, share/man, share/doc/openssl
# This becomes the value of INSTALLTOP in Makefile
# (Default: /usr/local)
-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys.
+# --openssldir OpenSSL data area, such as openssl3.cnf, certificates and keys.
# If it's a relative directory, it will be added on the directory
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
Index: openssl-3.0.1/doc/HOWTO/certificates.txt
===================================================================
--- openssl-3.0.1.orig/doc/HOWTO/certificates.txt
+++ openssl-3.0.1/doc/HOWTO/certificates.txt
@@ -16,7 +16,7 @@ Certificate authorities should read http
In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+openssl3.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.
Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod
===================================================================
--- openssl-3.0.1.orig/doc/man3/OPENSSL_config.pod
+++ openssl-3.0.1/doc/man3/OPENSSL_config.pod
@@ -17,7 +17,7 @@ see L<openssl_user_macros(7)>:
=head1 DESCRIPTION
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
+OPENSSL_config() configures OpenSSL using the standard B<openssl3.cnf> and
reads from the application section B<appname>. If B<appname> is NULL then
the default section, B<openssl_conf>, will be used.
Errors are silently ignored.
Index: openssl-3.0.1/INSTALL.md
===================================================================
--- openssl-3.0.1.orig/INSTALL.md
+++ openssl-3.0.1/INSTALL.md
@@ -1,4 +1,4 @@
-Build and Install
+fBuild and Install
=================
This document describes installation on all supported operating
@@ -567,7 +567,7 @@ is an objective.
### no-autoload-config
-Don't automatically load the default `openssl.cnf` file.
+Don't automatically load the default `openssl3.cnf` file.
Typically OpenSSL will automatically load a system config file which configures
default SSL options.