diff --git a/.gitignore b/.gitignore
index 4798d97..6c1f038 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sscg-3.0.0.tar.xz
+sscg-3.0.5.tar.gz
diff --git a/.sscg.metadata b/.sscg.metadata
deleted file mode 100644
index ba54818..0000000
--- a/.sscg.metadata
+++ /dev/null
@@ -1 +0,0 @@
-81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz
diff --git a/0001-Extend-maximum-DNS-name-to-255.patch b/0001-Extend-maximum-DNS-name-to-255.patch
new file mode 100644
index 0000000..7ce5725
--- /dev/null
+++ b/0001-Extend-maximum-DNS-name-to-255.patch
@@ -0,0 +1,205 @@ +From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Wed, 15 Feb 2023 15:49:38 -0500 +Subject: [PATCH 1/2] Extend maximum DNS name to 255 + +The hostname part is still restricted to 63 characters + +See RFC 1035, section 2.3.4 + +Signed-off-by: Stephen Gallagher +--- + include/sscg.h | 3 +++ + src/arguments.c | 35 +++++++++++++++++++++++++++-------- + src/authority.c | 26 +++++++++++++++++++++++--- + src/cert.c | 5 +++++ + src/x509.c | 6 +++--- + 5 files changed, 61 insertions(+), 14 deletions(-) + +diff --git a/include/sscg.h b/include/sscg.h +index 0f35631018dc2745e986cd1e7e094e3e37be8e54..f0c6d93b871e4bd3f2c805be8dfa7485ec34746a 100644 +--- a/include/sscg.h ++++ b/include/sscg.h +@@ -313,6 +313,9 @@ enum sscg_cert_type + #define SSCG_MIN_KEY_PASS_LEN 4 + #define SSCG_MAX_KEY_PASS_LEN 1023 + ++/* RFC 1035, section 2.3.4 (Size Limits) */ ++#define MAX_HOST_LEN 63 ++#define MAX_FQDN_LEN 255 + + int + sscg_handle_arguments (TALLOC_CTX *mem_ctx, +diff --git a/src/arguments.c b/src/arguments.c +index 0b7a060d31bed97130c7cb9b7feacf0876e25c0d..2f412bee1bee9620f28b6e84aed4aef17aee3a6a 100644 +--- a/src/arguments.c ++++ b/src/arguments.c +@@ -786,10 +786,19 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx, + } + CHECK_MEM (options->hostname); + +- if (strnlen (options->hostname, MAXHOSTNAMELEN + 1) > MAXHOSTNAMELEN) ++ if (strnlen (options->hostname, MAX_FQDN_LEN + 1) > MAX_FQDN_LEN) + { +- fprintf ( +- stderr, "Hostnames may not exceed %d characters\n", MAXHOSTNAMELEN); ++ fprintf (stderr, "FQDNs may not exceed %d characters\n", MAX_FQDN_LEN); ++ ret = EINVAL; ++ goto done; ++ } ++ ++ if ((strchr (options->hostname, '.') - options->hostname) > MAX_HOST_LEN + 4) ++ { ++ fprintf (stderr, ++ "Hostnames may not exceed %d characters in Subject " ++ "Alternative Names\n", ++ MAX_HOST_LEN); + ret = EINVAL; + goto done; + } +@@ -798,25 +807,35 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx, + options struct. 
It's not the most efficient approach, but + it's only done one time, so there is no sense in optimizing + it. */ ++ size_t i = 0; + if (alternative_names) + { +- size_t i = 0; + while (alternative_names[i] != NULL) + { + options->subject_alt_names = talloc_realloc ( +- options, options->subject_alt_names, char *, i + 2); ++ options, options->subject_alt_names, char *, i + 1); + CHECK_MEM (options->subject_alt_names); + + options->subject_alt_names[i] = + talloc_strdup (options->subject_alt_names, alternative_names[i]); + CHECK_MEM (options->subject_alt_names[i]); +- +- /* Add a NULL terminator to the end */ +- options->subject_alt_names[i + 1] = NULL; + i++; + } + } + ++ /* ++ The hostname must always be listed in SubjectAlternativeNames as well. ++ Note that the realloc also adds an extra entry for the NULL terminator ++ */ ++ options->subject_alt_names = ++ talloc_realloc (options, options->subject_alt_names, char *, i + 2); ++ CHECK_MEM (options->subject_alt_names); ++ options->subject_alt_names[i] = ++ talloc_strdup (options->subject_alt_names, options->hostname); ++ CHECK_MEM (options->subject_alt_names[i]); ++ /* Add a NULL terminator to the end */ ++ options->subject_alt_names[i + 1] = NULL; ++ + if (options->key_strength < options->minimum_key_strength) + { + fprintf (stderr, +diff --git a/src/authority.c b/src/authority.c +index 4efaa9e730964b9762b59d0e6698c1623901ccfe..f509fd4316c3b7b230f99de6464491c319fc5d45 100644 +--- a/src/authority.c ++++ b/src/authority.c +@@ -56,6 +56,7 @@ create_private_CA (TALLOC_CTX *mem_ctx, + char *name_constraint; + char *san; + char *tmp; ++ char *dot; + + tmp_ctx = talloc_new (NULL); + CHECK_MEM (tmp_ctx); +@@ -89,6 +90,26 @@ create_private_CA (TALLOC_CTX *mem_ctx, + + ca_certinfo->cn = talloc_strdup (ca_certinfo, options->hostname); + CHECK_MEM (ca_certinfo->cn); ++ /* Truncate the CN at the first dot */ ++ if ((dot = strchr (ca_certinfo->cn, '.'))) ++ *dot = '\0'; ++ ++ if (options->subject_alt_names) ++ { ++ for (i = 0; 
options->subject_alt_names[i]; i++) ++ { ++ ca_certinfo->subject_alt_names = talloc_realloc ( ++ ca_certinfo, ca_certinfo->subject_alt_names, char *, i + 2); ++ CHECK_MEM (ca_certinfo->subject_alt_names); ++ ++ ca_certinfo->subject_alt_names[i] = talloc_strdup ( ++ ca_certinfo->subject_alt_names, options->subject_alt_names[i]); ++ CHECK_MEM (ca_certinfo->subject_alt_names[i]); ++ ++ /* Add a NULL terminator to the end */ ++ ca_certinfo->subject_alt_names[i + 1] = NULL; ++ } ++ } + + /* Make this a CA certificate */ + +@@ -106,10 +127,9 @@ create_private_CA (TALLOC_CTX *mem_ctx, + CHECK_MEM (ex); + sk_X509_EXTENSION_push (ca_certinfo->extensions, ex); + +- /* Restrict signing to the hostname and subjectAltNames of the +- service certificate */ ++ /* Restrict signing to the CN and subjectAltNames of the service certificate */ + name_constraint = +- talloc_asprintf (tmp_ctx, "permitted;DNS:%s", options->hostname); ++ talloc_asprintf (tmp_ctx, "permitted;DNS:%s", ca_certinfo->cn); + CHECK_MEM (name_constraint); + + if (options->subject_alt_names) +diff --git a/src/cert.c b/src/cert.c +index 99d9109f5981ef408aeb7d05a8327e1a38d5700a..e36de71e7ca9b34f87734542d5646b466cd61d4c 100644 +--- a/src/cert.c ++++ b/src/cert.c +@@ -31,6 +31,7 @@ + */ + + ++#include + #include "include/sscg.h" + #include "include/cert.h" + #include "include/x509.h" +@@ -52,6 +53,7 @@ create_cert (TALLOC_CTX *mem_ctx, + struct sscg_x509_req *csr; + struct sscg_evp_pkey *pkey; + struct sscg_x509_cert *cert; ++ char *dot; + X509_EXTENSION *ex = NULL; + EXTENDED_KEY_USAGE *extended; + TALLOC_CTX *tmp_ctx = NULL; +@@ -87,6 +89,9 @@ create_cert (TALLOC_CTX *mem_ctx, + + certinfo->cn = talloc_strdup (certinfo, options->hostname); + CHECK_MEM (certinfo->cn); ++ /* Truncate the CN at the first dot */ ++ if ((dot = strchr (certinfo->cn, '.'))) ++ *dot = '\0'; + + if (options->subject_alt_names) + { +diff --git a/src/x509.c b/src/x509.c +index 
4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d327027374eb21b15 100644 +--- a/src/x509.c ++++ b/src/x509.c +@@ -290,12 +290,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, + } + CHECK_MEM (san); + +- if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4) ++ if (strnlen (san, MAX_FQDN_LEN + 5) > MAX_FQDN_LEN + 4) + { + fprintf (stderr, +- "Hostnames may not exceed %d characters in Subject " ++ "FQDNs may not exceed %d characters in Subject " + "Alternative Names\n", +- MAXHOSTNAMELEN); ++ MAX_FQDN_LEN); + ret = EINVAL; + goto done; + } +-- +2.41.0 + diff --git a/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch b/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch deleted file mode 100644 index 5ad7b9d..0000000 --- a/SOURCES/0001-Drop-usage-of-ERR_GET_FUNC.patch +++ /dev/null @@ -1,34 +0,0 @@ -From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Sat, 7 Aug 2021 11:48:04 -0400 -Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC() - -This macro was dropped in OpenSSL 3.0 and has actually not been -providing a valid return code for some time. - -Related: rhbz#1964837 - -Signed-off-by: Stephen Gallagher ---- - include/sscg.h | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/include/sscg.h b/include/sscg.h -index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644 ---- a/include/sscg.h -+++ b/include/sscg.h -@@ -94,11 +94,10 @@ - if (_sslret != 1) \ - { \ - /* Get information about error from OpenSSL */ \ - unsigned long _ssl_error = ERR_get_error (); \ - if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \ -- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \ - ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \ - (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \ - { \ - fprintf ( \ - stderr, \ --- -2.33.0 - 
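Review bot: The new first-label check in src/arguments.c, `if ((strchr (options->hostname, '.') - options->hostname) > MAX_HOST_LEN + 4)`, does not handle a hostname without a dot: strchr() returns NULL there and subtracting `options->hostname` from NULL is undefined behaviour (in practice a negative value, so a single-label name of up to 255 characters sails past the label check it was meant to fail). The `+ 4` slack also looks copied from the SAN check in src/x509.c, where the compared string carries a `DNS:` prefix; `options->hostname` has no prefix, so labels of 64–67 characters are accepted here. Computing the label length explicitly fixes both: `const char *dot = strchr (options->hostname, '.');` / `size_t label_len = dot ? (size_t)(dot - options->hostname) : strlen (options->hostname);` / `if (label_len > MAX_HOST_LEN)`. Only the first label is bounded by this check, while RFC 1035's 63-octet limit applies to every label, so the remaining labels of the FQDN and of each alternative name are not validated here. sscg_handle_arguments continues outside the hunk.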
diff --git a/SOURCES/0002-Correct-certificate-lifetime-calculation.patch b/SOURCES/0002-Correct-certificate-lifetime-calculation.patch deleted file mode 100644 index 5a0b87b..0000000 --- a/SOURCES/0002-Correct-certificate-lifetime-calculation.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001 -From: Allison Karlitskaya -Date: Tue, 26 Oct 2021 12:32:13 +0200 -Subject: [PATCH 2/2] Correct certificate lifetime calculation - -sscg allows passing the certificate lifetime, as a number of days, as a -commandline argument. It converts this value to seconds using the -formula - - days * 24 * 3650 - -which is incorrect. The correct value is 3600. - -This effectively adds an extra 20 minutes to the lifetime of the -certificate for each day as given on the commandline, and was enough to -cause some new integration tests in cockpit to fail. - -Interestingly, 3650 is the old default value for the number of days of -certificate validity (~10 years) so this probably slipped in as a sort -of muscle-memory-assisted typo. - -Let's just write `24 * 60 * 60` to make things clear. ---- - src/x509.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/x509.c b/src/x509.c -index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644 ---- a/src/x509.c -+++ b/src/x509.c -@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx, - X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr)); - } - - /* set time */ - X509_gmtime_adj (X509_get_notBefore (cert), 0); -- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650); -+ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60); - - /* set subject */ - subject = X509_NAME_dup (X509_REQ_get_subject_name (csr)); - sslret = X509_set_subject_name (cert, subject); - CHECK_SSL (sslret, X509_set_subject_name); --- -2.33.0 - 
diff --git a/SOURCES/0003-Truncate-IP-address-in-SAN.patch b/SOURCES/0003-Truncate-IP-address-in-SAN.patch deleted file mode 100644 index c492f38..0000000 --- a/SOURCES/0003-Truncate-IP-address-in-SAN.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Tue, 8 Mar 2022 16:33:35 -0500 -Subject: [PATCH] Truncate IP address in SAN - -In OpenSSL 1.1, this was done automatically when addind a SAN extension, -but in OpenSSL 3.0 it is rejected as an invalid input. - -Signed-off-by: Stephen Gallagher ---- - src/x509.c | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/src/x509.c b/src/x509.c -index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644 ---- a/src/x509.c -+++ b/src/x509.c -@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, - size_t i; - X509_NAME *subject; - char *alt_name = NULL; - char *tmp = NULL; - char *san = NULL; -+ char *slash = NULL; - TALLOC_CTX *tmp_ctx; - X509_EXTENSION *ex = NULL; - struct sscg_x509_req *csr; - - /* Make sure we have a key available */ -@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, - tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]); - } - else - { - san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]); -+ /* SAN IP addresses cannot include the subnet mask */ -+ if ((slash = strchr (san, '/'))) -+ { -+ /* Truncate at the slash */ -+ *slash = '\0'; -+ } - } - CHECK_MEM (san); - - if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4) - { -@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx, - alt_name = tmp; - } - } - - ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name); -- CHECK_MEM (ex); -+ if (!ex) -+ { -+ ret = EINVAL; -+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name); -+ goto done; -+ } -+ - sk_X509_EXTENSION_push (certinfo->extensions, ex); - - /* Set the public key for the certificate */ - sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey); - CHECK_SSL (sslret, X509_REQ_set_pubkey (OU)); --- -2.35.1 - 
diff --git a/SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch b/SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch deleted file mode 100644 index 27deba5..0000000 --- a/SOURCES/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Wed, 16 Nov 2022 15:27:58 -0500 -Subject: [PATCH] dhparams: don't fail if default file can't be created - -Resolves: rhbz#2143206 - -Signed-off-by: Stephen Gallagher ---- - src/arguments.c | 1 - - src/io_utils.c | 12 +++++++++++ - src/sscg.c | 55 +++++++++++++++++++++++++++++++++---------------- - 3 files changed, 49 insertions(+), 19 deletions(-) - -diff --git a/src/arguments.c b/src/arguments.c -index 7b9da14a732875b0f33a12e22a97d51a78216839..770d834aacc05d6d92cc0c855852eadb88f8c9bc 100644 ---- a/src/arguments.c -+++ b/src/arguments.c -@@ -69,7 +69,6 @@ set_default_options (struct sscg_options *opts) - - opts->lifetime = 398; - -- opts->dhparams_file = talloc_strdup (opts, "dhparams.pem"); - opts->dhparams_group = talloc_strdup (opts, "ffdhe4096"); - opts->dhparams_generator = 2; - -diff --git a/src/io_utils.c b/src/io_utils.c -index 1b8bc41c3849acbe4657ae14dfe55e3010957129..5d34327bdbe450add5326ac20c337c9399b471dc 100644 ---- a/src/io_utils.c -+++ b/src/io_utils.c -@@ -544,6 +544,18 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite) - { - SSCG_LOG (SSCG_DEBUG, "Opening %s\n", stream->path); - stream->bio = BIO_new_file (stream->path, create_mode); -+ if (!stream->bio) -+ { -+ fprintf (stderr, -+ "Could not write to %s. 
Check directory permissions.\n", -+ stream->path); -+ -+ /* The dhparams file is special, it will be handled later */ -+ if (i != SSCG_FILE_TYPE_DHPARAMS) -+ { -+ continue; -+ } -+ } - CHECK_BIO (stream->bio, stream->path); - } - -diff --git a/src/sscg.c b/src/sscg.c -index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b175e9dc26 100644 ---- a/src/sscg.c -+++ b/src/sscg.c -@@ -93,6 +93,7 @@ main (int argc, const char **argv) - int ret, sret; - struct sscg_options *options; - bool build_client_cert = false; -+ char *dhparams_file = NULL; - - struct sscg_x509_cert *cacert; - struct sscg_evp_pkey *cakey; -@@ -182,9 +183,19 @@ main (int argc, const char **argv) - options->crl_mode); - CHECK_OK (ret); - -+ if (options->dhparams_file) -+ { -+ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file); -+ } -+ else -+ { -+ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem"); -+ } -+ CHECK_MEM (dhparams_file); -+ - ret = sscg_io_utils_add_output_file (options->streams, - SSCG_FILE_TYPE_DHPARAMS, -- options->dhparams_file, -+ dhparams_file, - options->dhparams_mode); - CHECK_OK (ret); - -@@ -281,28 +292,36 @@ main (int argc, const char **argv) - - - /* Create DH parameters file */ -- bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS); -- if (options->dhparams_prime_len > 0) -+ if ((bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS))) - { -- ret = create_dhparams (options->verbosity, -- options->dhparams_prime_len, -- options->dhparams_generator, -- &dhparams); -- CHECK_OK (ret); -+ if (options->dhparams_prime_len > 0) -+ { -+ ret = create_dhparams (options->verbosity, -+ options->dhparams_prime_len, -+ options->dhparams_generator, -+ &dhparams); -+ CHECK_OK (ret); -+ } -+ else -+ { -+ ret = get_params_by_named_group (options->dhparams_group, &dhparams); -+ CHECK_OK (ret); -+ } -+ -+ /* Export the DH parameters to the file */ -+ sret = PEM_write_bio_Parameters (bp, dhparams); -+ CHECK_SSL (sret, PEM_write_bio_Parameters ()); -+ ANNOUNCE_WRITE 
(SSCG_FILE_TYPE_DHPARAMS); -+ EVP_PKEY_free (dhparams); - } -- else -+ else if (options->dhparams_file) - { -- ret = get_params_by_named_group (options->dhparams_group, &dhparams); -- CHECK_OK (ret); -+ /* A filename was explicitly passed, but it couldn't be created */ -+ ret = EPERM; -+ fprintf (stderr, "Could not write to %s: ", options->dhparams_file); -+ goto done; - } - -- /* Export the DH parameters to the file */ -- sret = PEM_write_bio_Parameters (bp, dhparams); -- CHECK_SSL (sret, PEM_write_bio_Parameters ()); -- ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS); -- EVP_PKEY_free (dhparams); -- -- - /* Set the final file permissions */ - sscg_io_utils_finalize_output_files (options->streams); - --- -2.38.1 - diff --git a/sources b/sources new file mode 100644 index 0000000..e51b29d --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (sscg-3.0.5.tar.gz) = da4db537096608683726084ea342cf3e06ec25da16c4475a29e83a466486a4ace8b58253520034eb263d8cefde14e21f3fe69d23fa75686cab5e3a7f8e170442 diff --git a/SPECS/sscg.spec b/sscg.spec similarity index 51% rename from SPECS/sscg.spec rename to sscg.spec index 217fade..61bd2e1 100644 --- a/SPECS/sscg.spec +++ b/sscg.spec @@ -1,3 +1,13 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.6.5) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 9; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + %global provider github %global provider_tld com %global project sgallagher 
@@ -6,18 +16,22 @@ %global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo} %global import_path %{provider_prefix} +%{!?meson_test: %global meson_test %{__meson} test -C %{_vpath_builddir} --num-processes %{_smp_build_ncpus} --print-errorlogs} Name: sscg -Version: 3.0.0 -Release: 7%{?dist} +Version: 3.0.5 +Release: %autorelease Summary: Simple SSL certificate generator -License: GPLv3+ with exceptions +License: GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception URL: https://%{provider_prefix} -Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}.tar.xz - +Source0: sscg-3.0.5.tar.gz +# Extend maximum DNS name to 255 +# Author: Stephen Gallagher +Patch1: 0001-Extend-maximum-DNS-name-to-255.patch BuildRequires: gcc BuildRequires: libtalloc-devel +BuildRequires: openssl BuildRequires: openssl-devel BuildRequires: popt-devel BuildRequires: libpath_utils-devel @@ -26,12 +40,6 @@ BuildRequires: ninja-build BuildRequires: help2man -Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch -Patch0002: 0002-Correct-certificate-lifetime-calculation.patch -Patch0003: 0003-Truncate-IP-address-in-SAN.patch -Patch0004: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch - - %description A utility to aid in the creation of more secure "self-signed" certificates. The certificates created by this tool are generated in a @@ -41,7 +49,7 @@ up a full PKI environment and without exposing the machine to a risk of false signatures from the service certificate. %prep -%autosetup -p1 +%autosetup -p1 -n sscg-3.0.5 %build 
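Review bot: `Source0: sscg-3.0.5.tar.gz` and `%autosetup -p1 -n sscg-3.0.5` hard-code the version that `Version: 3.0.5` already declares, and the new Source0 drops the upstream release URL the old line carried, so the tarball's provenance is no longer recorded in the spec (only its SHA512 in `sources`). Using the macros keeps the three in step on the next bump, e.g. `Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}.tar.gz` if upstream publishes the .tar.gz at the same release path, and `%autosetup -p1 -n %{name}-%{version}` (the `-n` can be dropped entirely if the tarball's top directory is `%{name}-%{version}`, which I cannot confirm from the diff). The Patch1 comment says the DNS name limit is extended to 255, matching the patch subject, while the 3.0.5-2 changelog entry in the later hunk says 256; one of them should be corrected.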
@@ -61,69 +69,152 @@ false signatures from the service certificate. %{_mandir}/man8/%{name}.8* %changelog -* Thu Dec 08 2022 Stephen Gallagher - 3.0.0-7 -- Correctly apply the patch for default dhparams -- Resolves: rhbz#2143206 +## START: Generated by rpmautospec +* Tue Oct 29 2024 Troy Dawson - 3.0.5-9 +- Bump release for October 2024 mass rebuild: -* Mon Nov 28 2022 Stephen Gallagher - 3.0.0-6 -- Don't fail if default dhparams file can't be created -- Resolves: rhbz#2143206 +* Mon Jun 24 2024 Troy Dawson - 3.0.5-8 +- Bump release for June 2024 mass rebuild -* Thu Jul 14 2022 Stephen Gallagher - 3.0.0-5 -- Rebase to sscg 3.0.0 -- Resolves: rhbz#2107369 -- Resolves: rhbz#2091525 +* Fri Jun 21 2024 Branislav Náter - 3.0.5-7 +- Adding gating rules for RHEL -* Thu Jun 02 2022 Stephen Gallagher - 2.3.3-15 -- Fix certificate lifetime calculation -- Resolves: rhbz#2091525 +* Sat Jan 27 2024 Fedora Release Engineering - 3.0.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild -* Tue Jan 21 2020 Stephen Gallagher - 2.3.3-14 -- Properly handling reading long passphrase files. 
+* Thu Nov 16 2023 Joe Orton - 3.0.5-5 +- SPDX migration -* Tue Jan 21 2020 Stephen Gallagher - 2.3.3-13 -- Fix missing error check for --*-key-passfile +* Fri Sep 01 2023 Stephen Gallagher - 3.0.5-4 +- Update README.md with latest usage -* Thu Jan 09 2020 Stephen Gallagher - 2.3.3-12 -- Improve validation of command-line arguments -- Resolves: rhbz#1784441 -- Resolves: rhbz#1784443 +* Sat Jul 22 2023 Fedora Release Engineering - 3.0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -* Tue Jan 07 2020 Stephen Gallagher - 2.3.3-11 -- Further improve --client-key-file help message -- Resolves: rhbz#1720667 +* Wed Jul 19 2023 Stephen Gallagher - 3.0.5-2 +- Extend maximum DNS name to 256 -* Fri Dec 13 2019 Stephen Gallagher - 2.3.3-10 -- Fix incorrect help message -- Resolves: rhbz#1720667 +* Tue Jun 20 2023 Stephen Gallagher - 3.0.5-1 +- Release 3.0.5 -* Fri Dec 13 2019 Stephen Gallagher - 2.3.3-9 -- Fix null-dereference and memory leak issues with client certs -- Resolves: rhbz#1720667 +* Thu Jun 08 2023 Stephen Gallagher - 3.0.3-4 +- [packit] 3.0.4 upstream release -* Wed Dec 11 2019 Stephen Gallagher - 2.3.3-8 -- Add support for generating client authentication certificates -- Resolves: rhbz#1720667 +* Sat Jan 21 2023 Fedora Release Engineering - 3.0.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -* Fri Nov 01 2019 Stephen Gallagher - 2.3.3-7 -- Add support for password-protecting the private key files -- Resolves: rhbz#1717880 +* Mon Jan 16 2023 Stephen Gallagher - 3.0.3-2 +- Add missing BR: openssl -* Wed Nov 28 2018 Stephen Gallagher - 2.3.3-6 -- Fixes for issues detected by automated testing. 
-- Resolves: rhbz#1653323 +* Mon Jan 16 2023 Stephen Gallagher - 3.0.3-1 +- Release 3.0.3 -* Wed Nov 28 2018 Stephen Gallagher - 2.3.3-5 +* Sat Jul 23 2022 Fedora Release Engineering - 3.0.2-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed Apr 20 2022 Branislav Náter - 3.0.2-8 +- Adding fmf metadata + +* Wed Apr 20 2022 Branislav Náter - 3.0.2-7 +- Adding tmt test plans and gating configuration + +* Wed Mar 09 2022 Stephen Gallagher - 3.0.2-3 +- Truncate IP address in SAN + +* Wed Mar 09 2022 Stephen Gallagher - 3.0.2-2 +- Remove old packit data + +* Mon Feb 28 2022 Stephen Gallagher - 3.0.2-1 +- [packit] 3.0.2 upstream release + +* Sat Jan 22 2022 Fedora Release Engineering - 3.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Fri Oct 29 2021 Packit Service - 3.0.1-1 +- [packit] 3.0.1 upstream release + +* Tue Sep 14 2021 Sahana Prasad - 3.0.0-5 +- Rebuilt with OpenSSL 3.0.0 + +* Sat Aug 07 2021 Stephen Gallagher - 3.0.0-4 +- Drop usage of ERR_GET_FUNC() + +* Sat Aug 07 2021 Stephen Gallagher - 3.0.0-3 +- Enable autorelease and autochangelog + +* Wed Jul 21 2021 Stephen Gallagher - 3.0.0-1 +- Release 3.0.0 +- Support for OpenSSL 3.0 +- Support for outputting named Diffie-Hellman parameter groups +- Support for CentOS Stream 9 + +* Wed Mar 17 2021 Stephen Gallagher - 2.6.2-5 +- Fixing incorrect license declaration + +* Wed Mar 17 2021 Stephen Gallagher - 2.6.2-4 +- Updating to rebuild against the latest glibc + +* Wed Jan 27 2021 Fedora Release Engineering - 2.6.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 2.6.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 23 2020 Stephen Gallagher - 2.6.2-1 +- Update to 2.6.2 +- Handle very short and very long passphrases properly (fixes rhbz#1850183) +- Drop upstreamed patch + +* Thu Apr 30 2020 Stephen Gallagher - 2.6.1-4 +- Rebuild with corrected ELN 
macro definitions + +* Thu Apr 30 2020 Stephen Gallagher - 2.6.1-3 +- Don't bother running clang-format in the RPM build +- Lengthen the test timeout so ARM tests pass + +* Fri Jan 31 2020 Fedora Release Engineering - 2.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jan 09 2020 Stephen Gallagher - 2.6.1-1 +- Bugfixes from upstream + +* Fri Dec 13 2019 Stephen Gallagher - 2.6.0-2 +- Fix incorrect help description for --client-key-file + +* Fri Dec 13 2019 Stephen Gallagher - 2.6.0-1 +- Update to 2.6.0 +- Can now generate an empty CRL file. +- Can now create and store a Diffie-Hellman parameters (dhparams) file. +- Support for setting a password on private keys. +- Support for generating a client authentication certificate and key. +- Better support for OpenSSL 1.0 + +* Sat Jul 27 2019 Fedora Release Engineering - 2.5.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 2.5.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Nov 28 2018 Stephen Gallagher - 2.5.1-1 +- Update to 2.5.1 +- Fixes discovered by automated testing. + +* Wed Nov 28 2018 Stephen Gallagher - 2.5.0-1 +- Update to 2.5.0 +- Auto-detect the hash algorithm to use by default. + +* Tue Nov 27 2018 Stephen Gallagher - 2.4.0-1 +- Update to 2.4.0 - Autodetect the minimum key strength from the system security level. -- Autodetect the hash algorithm to use from the system security level. - Disallow setting a key strength below the system minimum. -- Resolves: rhbz#1653323 + +- Drop upstreamed patches * Mon Sep 17 2018 Stephen Gallagher - 2.3.3-4 -- Add a manpage for sscg. +- Add a manpage. -* Thu Jul 05 2018 Stephen Gallagher - 2.3.3-3 -- Strip out bundled popt since RHEL 8 has a new-enough version. 
+* Sat Jul 14 2018 Fedora Release Engineering - 2.3.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Fri Feb 09 2018 Fedora Release Engineering - 2.3.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild @@ -266,3 +357,5 @@ false signatures from the service certificate. * Mon Mar 16 2015 Stephen Gallagher 0.1-1 - First packaging + +## END: Generated by rpmautospec