Get rid of checking /etc/crypto-policies/back-ends/openssl.config

Resolves: RHEL-71132

0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

@@ -96,7 +96,7 @@ index d4df30686f..cec4835268 100644
 +=item B<PROFILE=SYSTEM>
 +
 +The list of enabled cipher suites will be loaded from the system crypto policy
-+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
++configuration file B</etc/crypto-policies/back-ends/opensslcnf.config>.
 +See also L<update-crypto-policies(8)>.
 +This is the default behavior unless an application explicitly sets a cipher
 +list. If used in a cipher list configuration value this string must be at the
@@ -125,14 +125,13 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
 index 8360991ce4..33c23efb0d 100644
 --- a/ssl/ssl_ciph.c
 +++ b/ssl/ssl_ciph.c
-@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
+@@ -1455,6 +1455,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
      return ret;
  }
  
 +#ifdef SYSTEM_CIPHERS_FILE
 +static char *load_system_str(const char *suffix)
 +{
-+    FILE *fp;
 +    char buf[1024];
 +    char *new_rules;
 +    const char *ciphers_path;
@@ -140,29 +139,26 @@ index 8360991ce4..33c23efb0d 100644
 +
 +    if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
 +        ciphers_path = SYSTEM_CIPHERS_FILE;
-+    fp = fopen(ciphers_path, "r");
++
-+    if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
++    if (access(ciphers_path, R_OK) == 0) {
-+        /* cannot open or file is empty */
++        CONF *conf = NCONF_new_ex(NULL, NCONF_default());
++        char *value = NULL;
++
++        if (NCONF_load(conf, ciphers_path, NULL) > 0)
++            value = NCONF_get_string(conf, "global", "CipherString");
++
++        snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);
++
++        NCONF_free(conf);
++    } else {
 +        snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
 +    }
 +
-+    if (fp)
-+        fclose(fp);
-+
 +    slen = strlen(suffix);
 +    len = strlen(buf);
 +
-+    if (buf[len - 1] == '\n') {
++    new_rules = OPENSSL_zalloc(len + slen + 1);
-+        len--;
++    if (new_rules == NULL)
-+        buf[len] = 0;
-+    }
-+    if (buf[len - 1] == '\r') {
-+        len--;
-+        buf[len] = 0;
-+    }
-+
-+    new_rules = OPENSSL_malloc(len + slen + 1);
-+    if (new_rules == 0)
 +        return NULL;
 +
 +    memcpy(new_rules, buf, len);
@@ -187,7 +183,7 @@ index 8360991ce4..33c23efb0d 100644
 +    char *new_rules = NULL;
 +
 +    if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
-+        char *p = rule_str + 14;
++        const char *p = rule_str + 14;
 +
 +        new_rules = load_system_str(p);
 +        rule_str = new_rules;

openssl.spec

@@ -325,7 +325,7 @@ export HASHBANGPERL=/usr/bin/perl
 # RPM_OPT_FLAGS, so we can skip specifiying them here.
 ./Configure \
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
-	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
 	enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
 	no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
@@ -550,6 +550,10 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
   Resolves: RHEL-73170
 - Locally configured providers should not interfere with openssl build-time tests
   Resolves: RHEL-76182
+- Load system default cipher string from crypto-policies configuration file
+  include /etc/crypto-policies/back-ends/opensslcnf.config and remove
+  /etc/crypto-policies/back-ends/openssl.config.
+  Resolves: RHEL-71132
 
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:3.2.2-14
 - Bump release for October 2024 mass rebuild: