From 4c5f82af274dd0cf0846abc83b29f343874b65a8 Mon Sep 17 00:00:00 2001
From: Adam Samalik <asamalik@redhat.com>
Date: Thu, 29 Jun 2023 18:17:45 +0200
Subject: [PATCH] re-import sources as agreed with the maintainer

---
 .gitignore                          | 47 +++++++++++++++++-
 fixpatch                            | 15 ++++++
 hobble-openssl                      |  0
 make-dummy-cert                     |  0
 openssl-1.1.1-ignore-bound.patch    | 14 ++++++
 renew-dummy-cert                    |  0
 tests/simple-rsapss-test/Makefile   | 63 ++++++++++++++++++++++++
 tests/simple-rsapss-test/PURPOSE    |  3 ++
 tests/simple-rsapss-test/runtest.sh | 74 +++++++++++++++++++++++++++++
 tests/tests.yml                     | 15 ++++++
 10 files changed, 230 insertions(+), 1 deletion(-)
 create mode 100644 fixpatch
 mode change 100755 => 100644 hobble-openssl
 mode change 100755 => 100644 make-dummy-cert
 create mode 100644 openssl-1.1.1-ignore-bound.patch
 mode change 100755 => 100644 renew-dummy-cert
 create mode 100644 tests/simple-rsapss-test/Makefile
 create mode 100644 tests/simple-rsapss-test/PURPOSE
 create mode 100755 tests/simple-rsapss-test/runtest.sh
 create mode 100644 tests/tests.yml

diff --git a/.gitignore b/.gitignore
index 9b85738..9772b1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,47 @@
-SOURCES/openssl-1.1.1k-hobbled.tar.xz
+.build*.log
+clog
+000*.patch
+*.src.rpm
+openssl-1.0.0a-usa.tar.bz2
+/openssl-1.0.0b-usa.tar.bz2
+/openssl-1.0.0c-usa.tar.bz2
+/openssl-1.0.0d-usa.tar.bz2
+/openssl-1.0.0e-usa.tar.bz2
+/openssl-1.0.0f-usa.tar.bz2
+/openssl-1.0.0g-usa.tar.xz
+/openssl-1.0.1-beta2-usa.tar.xz
+/openssl-1.0.1-beta3-usa.tar.xz
+/openssl-1.0.1-usa.tar.xz
+/openssl-1.0.1a-usa.tar.xz
+/openssl-1.0.1b-usa.tar.xz
+/openssl-1.0.1c-usa.tar.xz
+/openssl-1.0.1e-usa.tar.xz
+/openssl-1.0.1e-hobbled.tar.xz
+/openssl-1.0.1g-hobbled.tar.xz
+/openssl-1.0.1h-hobbled.tar.xz
+/openssl-1.0.1i-hobbled.tar.xz
+/openssl-1.0.1j-hobbled.tar.xz
+/openssl-1.0.1k-hobbled.tar.xz
+/openssl-1.0.2a-hobbled.tar.xz
+/openssl-1.0.2c-hobbled.tar.xz
+/openssl-1.0.2d-hobbled.tar.xz
+/openssl-1.0.2e-hobbled.tar.xz
+/openssl-1.0.2f-hobbled.tar.xz
+/openssl-1.0.2g-hobbled.tar.xz
+/openssl-1.0.2h-hobbled.tar.xz
+/openssl-1.0.2i-hobbled.tar.xz
+/openssl-1.0.2j-hobbled.tar.xz
+/openssl-1.1.0b-hobbled.tar.xz
+/openssl-1.1.0c-hobbled.tar.xz
+/openssl-1.1.0d-hobbled.tar.xz
+/openssl-1.1.0e-hobbled.tar.xz
+/openssl-1.1.0f-hobbled.tar.xz
+/openssl-1.1.0g-hobbled.tar.xz
+/openssl-1.1.0h-hobbled.tar.xz
+/openssl-1.1.1-pre8-hobbled.tar.xz
+/openssl-1.1.1-pre9-hobbled.tar.xz
+/openssl-1.1.1-hobbled.tar.xz
+/openssl-1.1.1b-hobbled.tar.xz
+/openssl-1.1.1c-hobbled.tar.xz
+/openssl-1.1.1g-hobbled.tar.xz
 /openssl-1.1.1k-hobbled.tar.xz
diff --git a/fixpatch b/fixpatch
new file mode 100644
index 0000000..bf5eb67
--- /dev/null
+++ b/fixpatch
@@ -0,0 +1,15 @@
+#!/bin/sh
+# Fixes patch from upstream tracker view
+gawk '
+BEGIN {
+   dir=""
+}
+/^Index: openssl\// {
+   dir = $2
+}
+/^(---|\+\+\+)/ {
+   $2 = dir
+}
+{
+   print
+}'
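Review bot: The header rule `/^(---|\+\+\+)/` assigns `$2 = dir` even when no `Index: openssl/` line has been seen yet, so with `dir` still empty the file name on the `---`/`+++` line is blanked. It also fires on hunk-body lines whose content happens to start with `--` or `++`, which this pattern cannot tell apart from file headers. Guarding the rule as `/^(---|\+\+\+) / && dir != "" {` avoids the first case and narrows the second. Assigning to `$2` makes gawk rebuild the record with single spaces, so a tab before a timestamp would be lost. The script is created with mode 100644 despite its `#!/bin/sh` line, so it has to be invoked as `sh fixpatch`.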
diff --git a/hobble-openssl b/hobble-openssl
old mode 100755
new mode 100644
diff --git a/make-dummy-cert b/make-dummy-cert
old mode 100755
new mode 100644
diff --git a/openssl-1.1.1-ignore-bound.patch b/openssl-1.1.1-ignore-bound.patch
new file mode 100644
index 0000000..4838f3d
--- /dev/null
+++ b/openssl-1.1.1-ignore-bound.patch
@@ -0,0 +1,14 @@
+Do not return failure when setting version bound on fixed protocol
+version method.
+diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
+--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound	2018-06-20 16:48:13.000000000 +0200
++++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c	2018-08-13 11:07:52.826304045 +0200
+@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
+          * methods are not subject to controls that disable individual protocol
+          * versions.
+          */
+-        return 0;
++        return 1;
+ 
+     case TLS_ANY_VERSION:
+         if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
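Review bot: The two-line description of this patch does not say what a caller now observes. With `return 1` in this branch, `ssl_set_version_bound` reports success for a fixed-version method, and judging by the retained comment the requested bound is still not applied. An application that sets a minimum protocol version on such a method and checks the return value can then no longer detect that the restriction had no effect. I would extend the header with something like `Note: the call now succeeds but the bound is ignored for fixed-version methods; the return value does not confirm that a minimum TLS version is enforced.` The function starts and ends outside the hunk, so the path that stores the bound is not visible here.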
diff --git a/renew-dummy-cert b/renew-dummy-cert
old mode 100755
new mode 100644
diff --git a/tests/simple-rsapss-test/Makefile b/tests/simple-rsapss-test/Makefile
new file mode 100644
index 0000000..13a123d
--- /dev/null
+++ b/tests/simple-rsapss-test/Makefile
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/openssl/Sanity/simple-rsapss-test
+#   Description: Test if RSA-PSS signature scheme is supported
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/openssl/Sanity/simple-rsapss-test
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+-include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test if RSA-PSS signature scheme is supported" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        1m" >> $(METADATA)
+	@echo "RunFor:          openssl" >> $(METADATA)
+	@echo "Requires:        openssl man man-db" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)
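Review bot: `run` and `build` are command targets but are missing from `.PHONY: all install download clean`, so a file or directory named `run` or `build` in the test directory would stop `make run` from executing `runtest.sh`; I would write `.PHONY: all install download clean run build`. `all`, `install` and `download` are not defined in this file and presumably come from `rhts-make.include`. Because that file is pulled in with `-include`, it can be silently absent, in which case `$(METADATA)` is empty and the `> $(METADATA)` redirections in the last rule are malformed. A comment above the include line such as `# provides METADATA and TEST_DIR; the metadata rule below depends on it` would make that dependency explicit.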
diff --git a/tests/simple-rsapss-test/PURPOSE b/tests/simple-rsapss-test/PURPOSE
new file mode 100644
index 0000000..66848e7
--- /dev/null
+++ b/tests/simple-rsapss-test/PURPOSE
@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/openssl/Sanity/simple-rsapss-test
+Description: Test if RSA-PSS signature scheme is supported
+Author: Hubert Kario <hkario@redhat.com>
diff --git a/tests/simple-rsapss-test/runtest.sh b/tests/simple-rsapss-test/runtest.sh
new file mode 100755
index 0000000..8b60e2f
--- /dev/null
+++ b/tests/simple-rsapss-test/runtest.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/openssl/Sanity/simple-rsapss-test
+#   Description: Test if RSA-PSS signature scheme is supported
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="openssl"
+
+PUB_KEY="rsa_pubkey.pem"
+PRIV_KEY="rsa_key.pem"
+FILE="text.txt"
+SIG="text.sig"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm $PACKAGE
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "openssl genrsa -out $PRIV_KEY 2048" 0 "Generate RSA key"
+        rlRun "openssl rsa -in $PRIV_KEY -out $PUB_KEY -pubout" 0 "Split the public key from private key"
+        rlRun "echo 'sign me!' > $FILE" 0 "Create file for signing"
+        rlAssertExists $FILE
+        rlAssertExists $PRIV_KEY
+        rlAssertExists $PUB_KEY
+    rlPhaseEnd
+
+    rlPhaseStartTest "Test RSA-PSS padding mode"
+        set -o pipefail
+        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -out $SIG -sign $PRIV_KEY $FILE" 0 "Sign the file"
+        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file"
+        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file"
+        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file without specifying salt length"
+        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file without specifying salt length"
+        set +o pipefail
+        rlRun "sed -i 's/sign/Sign/' $FILE" 0 "Modify signed file"
+        rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verification Failure'" 0 "Verify that the signature is no longer valid"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Documentation check"
+        [ -e "$(rpm -ql openssl | grep dgst)"] && rlRun "man dgst | col -b | grep -- -sigopt" 0 "Check if -sigopt option is described in man page"
+        rlRun "openssl dgst -help 2>&1 | grep -- -sigopt" 0 "Check if -sigopt option is present in help message"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
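Review bot: In the "Documentation check" phase, `[ -e "$(rpm -ql openssl | grep dgst)"] && …` has no space before `]`, so `[` never sees its closing bracket and returns an error. The man-page check for `-sigopt` is therefore skipped on every run, and because the test is not wrapped in `rlRun`, the journal records no failure. It should read `[ -e "$(rpm -ql openssl | grep dgst | head -n 1)" ] && rlRun …`; the `head` is needed because `-e` fails on a multi-line string if the package ships more than one path containing `dgst`. Separately, `TmpDir` is never checked after `mktemp -d` and is used unquoted in `rm -r $TmpDir`; if creation failed, the key and signature files would be written to the current directory.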
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..4b71d56
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,15 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    - container
+    tests:
+    - simple-rsapss-test
+    required_packages:
+    - findutils         # beakerlib needs find command
+    - man               # needed by simple-rsapss-test
+    - man-db            # needed by simple-rsapss-test
+    - openssl           # needed by simple-rsapss-test