From 34e41ff20039783e1a753f86b0a2e88c80a19a92 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Fri, 24 Jan 2025 16:45:56 +0100
Subject: [PATCH] Get rid of checking /etc/crypto-policies/back-ends/openssl.config

Resolves: RHEL-71132
---
 ...PROFILE-SYSTEM-system-default-cipher.patch | 38 +++++++++----------
 openssl.spec | 6 ++-
 2 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
index 5189459..c9c7a4f 100644
--- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@@ -96,7 +96,7 @@ index d4df30686f..cec4835268 100644
 +=item B
 +
 +The list of enabled cipher suites will be loaded from the system crypto policy
-+configuration file B.
++configuration file B.
 +See also L.
 +This is the default behavior unless an application explicitly sets a cipher
 +list. If used in a cipher list configuration value this string must be at the
@@ -125,14 +125,13 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
 index 8360991ce4..33c23efb0d 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
-@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
+@@ -1455,6 +1455,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
 return ret;
 }

 +#ifdef SYSTEM_CIPHERS_FILE
 +static char *load_system_str(const char *suffix)
 +{
-+ FILE *fp;
 + char buf[1024];
 + char *new_rules;
 + const char *ciphers_path;
@@ -140,29 +139,26 @@ index 8360991ce4..33c23efb0d 100644
 +
 + if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
 + ciphers_path = SYSTEM_CIPHERS_FILE;
-+ fp = fopen(ciphers_path, "r");
-+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
-+ /* cannot open or file is empty */
++
++ if (access(ciphers_path, R_OK) == 0) {
++ CONF *conf = NCONF_new_ex(NULL, NCONF_default());
++ char *value = NULL;
++
++ if (NCONF_load(conf, ciphers_path, NULL) > 0)
++ value = NCONF_get_string(conf, "global", "CipherString");
++
++ snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);
++
++ NCONF_free(conf);
++ } else {
 + snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
 + }
 +
-+ if (fp)
-+ fclose(fp);
-+
 + slen = strlen(suffix);
 + len = strlen(buf);
 +
-+ if (buf[len - 1] == '\n') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+ if (buf[len - 1] == '\r') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+
-+ new_rules = OPENSSL_malloc(len + slen + 1);
-+ if (new_rules == 0)
++ new_rules = OPENSSL_zalloc(len + slen + 1);
++ if (new_rules == NULL)
 + return NULL;
 +
 + memcpy(new_rules, buf, len);
@@ -187,7 +183,7 @@ index 8360991ce4..33c23efb0d 100644
 + char *new_rules = NULL;
 +
 + if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
-+ char *p = rule_str + 14;
++ const char *p = rule_str + 14;
 +
 + new_rules = load_system_str(p);
 + rule_str = new_rules;
diff --git a/openssl.spec b/openssl.spec
index 19c869b..413f179 100644
--- a/openssl.spec
+++ b/openssl.spec
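Review bot: The fixed `char buf[1024]` (declared in the preceding hunk) makes `snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST)` silently truncate a CipherString longer than 1023 bytes, and a cipher list cut mid-token no longer expresses the configured policy (every exclusion after the cut is lost) yet is used without any error. Capture the length and fail closed the same way the allocation failure below does: `int n = snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);` and, after `NCONF_free(conf);`, `if (n < 0 || (size_t)n >= sizeof(buf)) return NULL;`. Separately, when `access()` succeeds but `NCONF_load` or `NCONF_get_string` fails, I believe the CONF routines leave entries on the thread's error queue that the silent fallback to `SSL_DEFAULT_CIPHER_LIST` then hands to the application; `ERR_set_mark()` before the load and `ERR_pop_to_mark()` after it would keep that path clean. `load_system_str` begins in the previous hunk and continues past this one.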
@@ -325,7 +325,7 @@ export HASHBANGPERL=/usr/bin/perl
 # RPM_OPT_FLAGS, so we can skip specifiying them here.
 ./Configure \
 --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
- --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
 zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
 enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
 no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
@@ -550,6 +550,10 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 Resolves: RHEL-73170
 - Locally configured providers should not interfere with openssl build-time tests
 Resolves: RHEL-76182
+- Load system default cipher string from crypto-policies configuration file
+ include /etc/crypto-policies/back-ends/opensslcnf.config and remove
+ /etc/crypto-policies/back-ends/openssl.config.
+ Resolves: RHEL-71132

 * Tue Oct 29 2024 Troy Dawson - 1:3.2.2-14
 - Bump release for October 2024 mass rebuild: