freeradius/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch

From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Fri, 22 Apr 2022 12:27:43 +0200
Subject: [PATCH] bootstrap: pass -noenc to certificate generation

Bootstrap script would fail to generate certificates if run on systems
with FIPS enabled. By passing the -noenc option, we can skip the usage
of unsupported algorithms on these systems.

Signed-off-by: Antonio Torres <antorres@redhat.com>

[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
In bootstrap diff, -f is changed to -e in conditionals.
---
 raddb/certs/Makefile  | 8 ++++----
 raddb/certs/bootstrap | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd467ce..df45884a55 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -71,7 +71,7 @@ ca.key ca.pem: ca.cnf
 	@[ -f serial ] || $(MAKE) serial
 	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
-		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
 	chmod g+r ca.key
 
 ca.der: ca.pem
@@ -88,7 +88,7 @@ ca.crl: ca.pem
 #
 ######################################################################
 server.csr server.key: server.cnf
-	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
+	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf -noenc
 	chmod g+r server.key
 
 server.crt: server.csr ca.key ca.pem
@@ -113,7 +113,7 @@ server.vrfy: ca.pem
 #
 ######################################################################
 client.csr client.key: client.cnf
-	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
+	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf -noenc
 	chmod g+r client.key
 
 client.crt: client.csr ca.pem ca.key
@@ -139,7 +139,7 @@ client.vrfy: ca.pem client.pem
 #
 ######################################################################
 inner-server.csr inner-server.key: inner-server.cnf
-	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf
+	$(OPENSSL) req -new  -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc
 	chmod g+r inner-server.key
 
 inner-server.crt: inner-server.csr ca.key ca.pem
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 57de8cf0d7..c258ec45e0 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -41,12 +41,12 @@ if [ ! -f dh ]; then
 fi
 
 if [ ! -e server.key ]; then
-  openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
+  openssl req -new  -out server.csr -keyout server.key -config ./server.cnf -noenc || exit 1
   chmod g+r server.key
 fi
 
 if [ ! -e ca.key ]; then
-  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf -noenc || exit 1
 fi
 
 if [ ! -e index.txt ]; then
@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then
 fi
 
 if [ ! -e client.key ]; then
-  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
+  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf -noenc
   chmod g+r client.key
 fi
bootstrap: pass -noenc to certificate generation Bootstrap script would fail to generate certificates if run on systems with FIPS enabled. By passing the -noenc option, we can skip the usage of unsupported algorithms on these systems. Related: rhbz#2069224 Signed-off-by: Antonio Torres <antorres@redhat.com> 2022-04-22 11:01:55 +00:00			`From e089777942552c4fe3e58aa328566e7bb745dbf8 Mon Sep 17 00:00:00 2001`
			`From: Antonio Torres <antorres@redhat.com>`
			`Date: Fri, 22 Apr 2022 12:27:43 +0200`
			`Subject: [PATCH] bootstrap: pass -noenc to certificate generation`

			`Bootstrap script would fail to generate certificates if run on systems`
			`with FIPS enabled. By passing the -noenc option, we can skip the usage`
			`of unsupported algorithms on these systems.`

			`Signed-off-by: Antonio Torres <antorres@redhat.com>`
bootstrap: pass -noenc to cert generation on script as well Commit cb13e6677690b6cf0ed0f6ee06d76839a568fb35 added this change to certificate Makefile, change it on base script as well for consistency. Resolves: #2069224 Signed-off-by: Antonio Torres <antorres@redhat.com> 2022-04-25 16:25:16 +00:00
			`[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.`
			`In bootstrap diff, -f is changed to -e in conditionals.`
bootstrap: pass -noenc to certificate generation Bootstrap script would fail to generate certificates if run on systems with FIPS enabled. By passing the -noenc option, we can skip the usage of unsupported algorithms on these systems. Related: rhbz#2069224 Signed-off-by: Antonio Torres <antorres@redhat.com> 2022-04-22 11:01:55 +00:00			`---`
bootstrap: pass -noenc to cert generation on script as well Commit cb13e6677690b6cf0ed0f6ee06d76839a568fb35 added this change to certificate Makefile, change it on base script as well for consistency. Resolves: #2069224 Signed-off-by: Antonio Torres <antorres@redhat.com> 2022-04-25 16:25:16 +00:00			`raddb/certs/Makefile \| 8 ++++----`
			`raddb/certs/bootstrap \| 6 +++---`
			`2 files changed, 7 insertions(+), 7 deletions(-)`
bootstrap: pass -noenc to certificate generation Bootstrap script would fail to generate certificates if run on systems with FIPS enabled. By passing the -noenc option, we can skip the usage of unsupported algorithms on these systems. Related: rhbz#2069224 Signed-off-by: Antonio Torres <antorres@redhat.com> 2022-04-22 11:01:55 +00:00
			`diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile`
			`index 5cbfd467ce..df45884a55 100644`
			`--- a/raddb/certs/Makefile`
			`+++ b/raddb/certs/Makefile`
			`@@ -71,7 +71,7 @@ ca.key ca.pem: ca.cnf`
			`@[ -f serial ] \|\| $(MAKE) serial`
			`$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \`
			`-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \`
			`- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)`
			`+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc`
			`chmod g+r ca.key`

			`ca.der: ca.pem`
			`@@ -88,7 +88,7 @@ ca.crl: ca.pem`
			`#`
			`######################################################################`
			`server.csr server.key: server.cnf`
			`- $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf`
			`+ $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf -noenc`
			`chmod g+r server.key`

			`server.crt: server.csr ca.key ca.pem`
			`@@ -113,7 +113,7 @@ server.vrfy: ca.pem`
			`#`
			`######################################################################`
			`client.csr client.key: client.cnf`
			`- $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf`
			`+ $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf -noenc`
			`chmod g+r client.key`

			`client.crt: client.csr ca.pem ca.key`
			`@@ -139,7 +139,7 @@ client.vrfy: ca.pem client.pem`
			`#`
			`######################################################################`
			`inner-server.csr inner-server.key: inner-server.cnf`
			`- $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf`
			`+ $(OPENSSL) req -new -out inner-server.csr -keyout inner-server.key -config ./inner-server.cnf -noenc`
			`chmod g+r inner-server.key`

			`inner-server.crt: inner-server.csr ca.key ca.pem`
bootstrap: pass -noenc to cert generation on script as well Commit cb13e6677690b6cf0ed0f6ee06d76839a568fb35 added this change to certificate Makefile, change it on base script as well for consistency. Resolves: #2069224 Signed-off-by: Antonio Torres <antorres@redhat.com> 2022-04-25 16:25:16 +00:00			`diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap`
			`index 57de8cf0d7..c258ec45e0 100755`
			`--- a/raddb/certs/bootstrap`
			`+++ b/raddb/certs/bootstrap`
			`@@ -41,12 +41,12 @@ if [ ! -f dh ]; then`
			`fi`

			`if [ ! -e server.key ]; then`
			`- openssl req -new -out server.csr -keyout server.key -config ./server.cnf \|\| exit 1`
			`+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -noenc \|\| exit 1`
			`chmod g+r server.key`
			`fi`

			`if [ ! -e ca.key ]; then`
			- openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf \| sed 's/.=//;s/^ //'` -config ./ca.cnf \|\| exit 1
			+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf \| sed 's/.=//;s/^ //'` -config ./ca.cnf -noenc \|\| exit 1
			`fi`

			`if [ ! -e index.txt ]; then`
			`@@ -77,7 +77,7 @@ if [ ! -f ca.der ]; then`
			`fi`

			`if [ ! -e client.key ]; then`
			`- openssl req -new -out client.csr -keyout client.key -config ./client.cnf`
			`+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc`
			`chmod g+r client.key`
			`fi`