rpms/sscg
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Restore creation of dhparams file by default

Browse Source 
This was removed upstream in 4.0, but for backwards-compatibility in
RHEL, it will continue to be created.

Related: 123675

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
This commit is contained in:
Stephen Gallagher 2025-10-27 15:04:09 -04:00
parent f5a0062ca0
commit 7ef4b1df20
No known key found for this signature in database
GPG Key ID: 45DB85A568286D11
2 changed files with 176 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

171
0001-Revert-Don-t-default-to-generating-DH-params-file.patch Normal file
View File

@ -0,0 +1,171 @@
From 70fddc4518f88624b141a056a07e5baf9ed2b31b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 27 Oct 2025 14:58:11 -0400
Subject: [PATCH] Revert "Don't default to generating DH params file"
This reverts commit 0e5e011acc2dc19f3c2fcb5699cf8fa662a2b135.
---
src/arguments.c | 4 ++--
src/sscg.c | 12 +++++++++---
test/test_dhparams_creation.sh | 30 +++++++++++++-----------------
3 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/src/arguments.c b/src/arguments.c
index c9345342a353cc0ef68bbb668f8cc2baab168120..29373a33c232d54056ff14eec0819019a9ca4f10 100644
--- a/src/arguments.c
+++ b/src/arguments.c
@@ -681,7 +681,7 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
&options->dhparams_file,
0,
_("A file to contain a set of Diffie-Hellman parameters. "
- "(Default: not created)"),
+ "(Default: \"./dhparams.pem\")"),
NULL
},
@@ -691,7 +691,7 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
&options->skip_dhparams,
0,
- _ ("Deprecated: Retained for backwards compatibility. To be removed in SSCG 5.0."),
+ _ ("Do not create the dhparams file"),
NULL
},
diff --git a/src/sscg.c b/src/sscg.c
index e4f9bfef624bfdb5df79a198a000c6cc5610c94d..cf0f80d47c37ebe26deaedd1c5bf4218b33e2dee 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -187,9 +187,16 @@ main (int argc, const char **argv)
options->crl_mode);
CHECK_OK (ret);
- if (options->dhparams_file)
+ if (!options->skip_dhparams)
{
- dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
+ if (options->dhparams_file)
+ {
+ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
+ }
+ else
+ {
+ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
+ }
CHECK_MEM (dhparams_file);
ret = sscg_io_utils_add_output_file (options->streams,
@@ -198,7 +205,6 @@ main (int argc, const char **argv)
options->dhparams_mode);
CHECK_OK (ret);
}
-
/* Validate and open the file paths */
ret = sscg_io_utils_open_output_files (options->streams, options->overwrite);
CHECK_OK (ret);
diff --git a/test/test_dhparams_creation.sh b/test/test_dhparams_creation.sh
index c7c289cce00e303621562fb8b160faa9a122cd00..5c957e3e226f915bfe77458f55d81b0f752a3370 100755
--- a/test/test_dhparams_creation.sh
+++ b/test/test_dhparams_creation.sh
@@ -42,10 +42,6 @@
# just warn and ignore it if it was not (returning 0). However, if it is
# explicitly requested on the command-line and cannot be written to that
# location, it should fail with an error code.
-#
-# Updated 2025-10-21: SSCG 4.0 no longer creates the dhparams file by default.
-# It should not attempt to create it unless explicitly requested using the
-# --dhparams-file option.
set -e
@@ -90,9 +86,9 @@ function run_test {
local expected_file="$6"
local should_create_file="$7"
local output_dir="$8"
-
+
echo "Test $test_num: $description"
-
+
pushd "$work_dir" >/dev/null
# Check if the expected file exists before running sscg
@@ -106,7 +102,7 @@ function run_test {
if [ -z "$output_dir" ]; then
output_dir="."
fi
-
+
# Run sscg with the specified arguments
local cmd_args=(
"${MESON_BUILD_ROOT}/sscg"
@@ -114,22 +110,22 @@ function run_test {
--cert-file "${output_dir}/service.pem"
--cert-key-file "${output_dir}/service-key.pem"
)
-
+
if [ -n "$dhparams_output_file" ]; then
cmd_args+=("--dhparams-file=$dhparams_output_file")
fi
-
+
local exit_code=0
"${cmd_args[@]}" >/dev/null 2>&1 || exit_code=$?
-
+
local test_passed=true
-
+
# Check exit code
if [ "$exit_code" -ne "$expected_exit_code" ]; then
echo " FAIL: Expected exit code $expected_exit_code, got $exit_code"
test_passed=false
fi
-
+
# Check file creation
if [ "$should_create_file" = "true" ]; then
if [ ! -f "$expected_file" ]; then
@@ -149,17 +145,17 @@ function run_test {
test_passed=false
fi
fi
-
+
if [ "$test_passed" = "true" ]; then
echo " PASS"
else
((failed_tests++))
fi
-
+
# Clean up any created files for next test
rm -f "${output_dir}/ca.crt" "${output_dir}/service.pem" "${output_dir}/service-key.pem"
rm -f "$expected_file" || true # Ignore errors
-
+
popd >/dev/null
echo
}
@@ -176,7 +172,7 @@ run_test \
"" \
0 \
"$WRITABLE_DIR/dhparams.pem" \
- "false" \
+ "true" \
"$WRITABLE_DIR"
# Test 2: No --dhparams-file, readonly directory, no existing file
@@ -252,7 +248,7 @@ run_test \
"false" \
"$WRITABLE_DIR"
-# Test 8: --dhparams-file to non-writable path, existing file
+# Test 8: --dhparams-file to non-writable path, existing file
# Arguments: test_num description work_dir dhparams_output_file expected_exit_code expected_file should_create_file output_dir
run_test \
8 \
--
2.51.0

5
sscg.spec
View File

@ -27,6 +27,11 @@ BuildRequires: ninja-build
BuildRequires: help2man
# For backwards-compatibility in RHEL, revert the 4.0 patch that disables
# dhparam file generation by default.
Patch: 0001-Revert-Don-t-default-to-generating-DH-params-file.patch
%description
A utility to aid in the creation of more secure "self-signed"
certificates. The certificates created by this tool are generated in a