diff --git a/openwsman-2.6.8-ssl-certs-gen-changes.patch b/openwsman-2.6.8-ssl-certs-gen-changes.patch
index 11de1d5..0f0b96a 100644
--- a/openwsman-2.6.8-ssl-certs-gen-changes.patch
+++ b/openwsman-2.6.8-ssl-certs-gen-changes.patch
@@ -51,10 +51,10 @@ diff -up openwsman-2.8.1/etc/owsmangencert.sh.cmake.orig openwsman-2.8.1/etc/ows
 +function selfsign_sscg()
 +{
 + sscg --quiet \
-+ --lifetime "${DAYS}" \
-+ --cert-key-file "${KEYFILE}" \
-+ --cert-file "${CERTFILE}" \
-+ --ca-file "${CAFILE}"
++ --lifetime "$DAYS" \
++ --cert-key-file "$KEYFILE" \
++ --cert-file "$CERTFILE" \
++ --ca-file "$CAFILE"
 +}
 +
 +function selfsign_openssl()
diff --git a/openwsman-2.8.1-post-quantum.patch b/openwsman-2.8.1-post-quantum.patch
new file mode 100644
index 0000000..3f0f53f
--- /dev/null
+++ b/openwsman-2.8.1-post-quantum.patch
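Review bot: The `"${DAYS}"` → `"$DAYS"` rewrite deserves a comment in the script, because in plain shell the two spellings are equivalent and a later cleanup could put the braces straight back; the file is `owsmangencert.sh.cmake` (see the inner diff header), i.e. a cmake `configure_file` template, where brace syntax is presumably expanded at configure time unless `@ONLY` is used, which would turn these four arguments into empty strings — matching the 'bogus sscg arguments' entry in the changelog. I would add above `function selfsign_sscg()` the line `# NOTE: write shell variables as $VAR here, never with braces: this file is a cmake configure_file template and brace syntax is rewritten at build time`. It is worth checking the rest of the template for the same form; the `selfsign_openssl` body is outside this hunk.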
@@ -0,0 +1,128 @@
+diff -up openwsman-2.8.1/etc/openwsman.conf.orig openwsman-2.8.1/etc/openwsman.conf
+--- openwsman-2.8.1/etc/openwsman.conf.orig 2025-01-23 10:23:52.000000000 +0100
++++ openwsman-2.8.1/etc/openwsman.conf 2026-01-27 14:55:28.358323530 +0100
+@@ -32,8 +32,12 @@ ipv6 = yes
+ 
+ # the openwsman server certificate file, in .pem format
+ ssl_cert_file = /etc/openwsman/servercert.pem
++# the openwsman server certificate fallback file, in .pem format
++#ssl_cert_fallback_file = /etc/openwsman/servercert-fallback.pem
+ # the openwsman server private key, in .pem format
+ ssl_key_file = /etc/openwsman/serverkey.pem
++# the openwsman server private key fallback, in .pem format
++#ssl_key_fallback_file = /etc/openwsman/serverkey-fallback.pem
+ 
+ # space-separated list of SSL protocols to *dis*able
+ # possible values: SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv1_2
+diff -up openwsman-2.8.1/src/server/shttpd/shttpd.c.orig openwsman-2.8.1/src/server/shttpd/shttpd.c
+--- openwsman-2.8.1/src/server/shttpd/shttpd.c.orig 2026-01-27 14:55:28.353983369 +0100
++++ openwsman-2.8.1/src/server/shttpd/shttpd.c 2026-01-27 15:02:00.178890046 +0100
+@@ -1508,7 +1508,6 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+ char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols();
+ char *ssl_cipher_list = wsmand_options_get_ssl_cipher_list();
+ int retval = FALSE;
+- EC_KEY* key;
+ 
+ /* Initialize SSL crap */
+ 
+@@ -1527,11 +1526,15 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+ else
+ retval = TRUE;
+ 
+- /* This enables ECDH Perfect Forward secrecy. 
Currently with just the most generic p256 prime curve */
+- key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+- if (key != NULL) {
+- SSL_CTX_set_tmp_ecdh(CTX, key);
+- EC_KEY_free(key);
++ /* Add fall back certificate/key pair */
++ if (wsmand_options_get_ssl_cert_fallback_file() &&
++ wsmand_options_get_ssl_key_fallback_file()) {
++ if (SSL_CTX_use_certificate_file(CTX, wsmand_options_get_ssl_cert_fallback_file(), SSL_FILETYPE_PEM) != 1)
++ _shttpd_elog(E_LOG, NULL, "cannot open certificate fallback file %s", pem);
++ else if (SSL_CTX_use_PrivateKey_file(CTX, wsmand_options_get_ssl_key_fallback_file(), SSL_FILETYPE_PEM) != 1)
++ _shttpd_elog(E_LOG, NULL, "cannot open fallback PrivateKey %s", pem);
++ else
++ retval = TRUE;
+ }
+ 
+ while (ssl_disabled_protocols) {
+@@ -1593,6 +1596,26 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+ }
+ ctx->ssl_ctx = CTX;
+ 
++ /* Configure TLS key exchange groups with PQC support */
++ if (SSL_CTX_set1_groups_list(CTX, "X25519MLKEM768:P-256:P-384:X25519") != 1) {
++ unsigned long err = ERR_peek_last_error();
++ _shttpd_elog(E_LOG, NULL, "SSL: Failed to set PQC groups: %s",
++ ERR_error_string(err, NULL));
++ /* Fallback to traditional groups */
++ if (SSL_CTX_set1_groups_list(CTX, "P-256:P-384:X25519") != 1)
++ _shttpd_elog(E_LOG, NULL, "SSL: Failed to set traditional groups");
++ }
++
++ /* Configure TLS signature algorithms with PQC support (ML-DSA) */
++ if (SSL_CTX_set1_sigalgs_list(CTX, "mldsa65:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384") != 1) {
++ unsigned long err = ERR_peek_last_error();
++ _shttpd_elog(E_LOG, NULL, "SSL: Failed to set PQC signature algorithms: %s",
++ ERR_error_string(err, NULL));
++ /* Fallback to traditional signature algorithms */
++ if (SSL_CTX_set1_sigalgs_list(CTX, "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384") != 1)
++ _shttpd_elog(E_LOG, NULL, "SSL: Failed to set 
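Review bot: Both `_shttpd_elog` calls in the new fallback branch print `pem`, which appears to be the primary certificate path passed to set_ssl(), so a missing or unreadable fallback file is reported under the wrong name; they should print the path actually used, i.e. `"cannot open certificate fallback file %s", wsmand_options_get_ssl_cert_fallback_file()` and `"cannot open fallback PrivateKey %s", wsmand_options_get_ssl_key_fallback_file()`. Two further things I would tighten: when the fallback certificate loads but its key does not, the certificate stays installed in CTX without a matching key and nothing calls `SSL_CTX_check_private_key(CTX)` after either pair is loaded; and `retval = TRUE` is reached on a successful fallback even if the primary pair failed just above, which may or may not be intended. Note also that OpenSSL keeps one server certificate per key type, so I believe a fallback whose key type matches the primary replaces it rather than sitting alongside it — worth a comment here or in openwsman.conf stating that the fallback is meant to be a different key type (e.g. a classical pair next to an ML-DSA one). The enclosing set_ssl() starts and ends outside this hunk.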
traditional signature algorithms"); ++ } ++ + return (retval); + } + #endif /* NO_SSL */ +diff -up openwsman-2.8.1/src/server/wsmand-daemon.c.orig openwsman-2.8.1/src/server/wsmand-daemon.c +--- openwsman-2.8.1/src/server/wsmand-daemon.c.orig 2025-01-23 10:23:52.000000000 +0100 ++++ openwsman-2.8.1/src/server/wsmand-daemon.c 2026-01-27 14:55:28.358709575 +0100 +@@ -76,8 +76,10 @@ static int use_ipv6 = 0; + #endif + static int use_digest = 0; + static char *ssl_key_file = NULL; ++static char *ssl_key_fallback_file = NULL; + static char *service_path = DEFAULT_SERVICE_PATH; + static char *ssl_cert_file = NULL; ++static char *ssl_cert_fallback_file = NULL; + static char *ssl_disabled_protocols = NULL; + static char *ssl_cipher_list = NULL; + static char *pid_file = DEFAULT_PID_PATH; +@@ -186,7 +188,9 @@ int wsmand_read_config(dictionary * ini) + service_path = + iniparser_getstring(ini, "server:service_path", "/wsman"); + ssl_key_file = iniparser_getstr(ini, "server:ssl_key_file"); ++ ssl_key_fallback_file = iniparser_getstr(ini, "server:ssl_key_fallback_file"); + ssl_cert_file = iniparser_getstr(ini, "server:ssl_cert_file"); ++ ssl_cert_fallback_file = iniparser_getstr(ini, "server:ssl_cert_fallback_file"); + ssl_disabled_protocols = iniparser_getstr(ini, "server:ssl_disabled_protocols"); + ssl_cipher_list = iniparser_getstr(ini, "server:ssl_cipher_list"); + use_ipv4 = iniparser_getboolean(ini, "server:ipv4", 1); +@@ -364,6 +368,16 @@ char *wsmand_options_get_ssl_cert_file(v + return ssl_cert_file; + } + ++char *wsmand_options_get_ssl_key_fallback_file(void) ++{ ++ return ssl_key_fallback_file; ++} ++ ++char *wsmand_options_get_ssl_cert_fallback_file(void) ++{ ++ return ssl_cert_fallback_file; ++} ++ + char *wsmand_options_get_ssl_disabled_protocols(void) + { + return ssl_disabled_protocols; +diff -up openwsman-2.8.1/src/server/wsmand-daemon.h.orig openwsman-2.8.1/src/server/wsmand-daemon.h +--- openwsman-2.8.1/src/server/wsmand-daemon.h.orig 2025-01-23 
10:23:52.000000000 +0100
++++ openwsman-2.8.1/src/server/wsmand-daemon.h 2026-01-27 14:55:28.358825793 +0100
+@@ -76,6 +76,8 @@ int wsmand_options_get_server_port(void)
+ int wsmand_options_get_server_ssl_port(void);
+ char *wsmand_options_get_ssl_key_file(void);
+ char *wsmand_options_get_ssl_cert_file(void);
++char *wsmand_options_get_ssl_key_fallback_file(void);
++char *wsmand_options_get_ssl_cert_fallback_file(void);
+ char *wsmand_options_get_ssl_disabled_protocols(void);
+ char *wsmand_options_get_ssl_cipher_list(void);
+ int wsmand_options_get_digest(void);
diff --git a/openwsman.spec b/openwsman.spec
index e0b9128..d2ba69a 100644
--- a/openwsman.spec
+++ b/openwsman.spec
@@ -4,7 +4,7 @@
 Name: openwsman
 Version: 2.8.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Open source Implementation of WS-Management
 License: BSD
@@ -28,6 +28,7 @@ Patch8: openwsman-2.6.8-update-ssleay-conf.patch
 Patch10: openwsman-2.6.8-ssl-certs-gen-changes.patch
 # Patch11 is just for compat
 Patch11: openwsman-2.8.1-facility-definition.patch
+Patch12: openwsman-2.8.1-post-quantum.patch
 BuildRequires: make
 BuildRequires: swig
 BuildRequires: libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel
@@ -141,6 +142,7 @@ cd %{name}-%{version}
 %patch -P8 -p1 -b .update-ssleay-conf
 %patch -P10 -p1 -b .ssl-certs-gen-changes
 %patch -P11 -p1 -b .facility-definition
+%patch -P12 -p1 -b .post-quantum
 # apply patches for compatibility source
 cd ../%{name}-%{compatver}
@@ -341,6 +343,12 @@ rm -f /var/log/wsmand.log
 %{_bindir}/winrs
 %changelog
+* Wed Feb 04 2026 Vitezslav Crhonek - 2.8.1-2
+- Support added for post-quantum cryptography
+ Resolves: RHEL-127516
+- Fix bogus 'sscg' arguments
+ Related: RHEL-118292
+
 * Thu Oct 23 2025 Vitezslav Crhonek - 2.8.1-1
 - Update to openwsman-2.8.1
 Resolves: RHEL-97643