From 7ef4b1df2086bbe98373eb12ccefec01fb7e08a5 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Mon, 27 Oct 2025 15:04:09 -0400
Subject: [PATCH] Restore creation of dhparams file by default

This was removed upstream in 4.0, but for backwards-compatibility in RHEL, it will continue to be created.
Related: 123675
Signed-off-by: Stephen Gallagher
---
 ...default-to-generating-DH-params-file.patch | 171 ++++++++++++++++++
 sscg.spec | 5 +
 2 files changed, 176 insertions(+)
 create mode 100644 0001-Revert-Don-t-default-to-generating-DH-params-file.patch

diff --git a/0001-Revert-Don-t-default-to-generating-DH-params-file.patch b/0001-Revert-Don-t-default-to-generating-DH-params-file.patch
new file mode 100644
index 0000000..95396e9
--- /dev/null
+++ b/0001-Revert-Don-t-default-to-generating-DH-params-file.patch
@@ -0,0 +1,171 @@
+From 70fddc4518f88624b141a056a07e5baf9ed2b31b Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Mon, 27 Oct 2025 14:58:11 -0400
+Subject: [PATCH] Revert "Don't default to generating DH params file"
+
+This reverts commit 0e5e011acc2dc19f3c2fcb5699cf8fa662a2b135.
+---
+ src/arguments.c | 4 ++--
+ src/sscg.c | 12 +++++++++---
+ test/test_dhparams_creation.sh | 30 +++++++++++++-----------------
+ 3 files changed, 24 insertions(+), 22 deletions(-)
+
+diff --git a/src/arguments.c b/src/arguments.c
+index c9345342a353cc0ef68bbb668f8cc2baab168120..29373a33c232d54056ff14eec0819019a9ca4f10 100644
+--- a/src/arguments.c
++++ b/src/arguments.c
+@@ -681,7 +681,7 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
+ &options->dhparams_file,
+ 0,
+ _("A file to contain a set of Diffie-Hellman parameters. "
+- "(Default: not created)"),
++ "(Default: \"./dhparams.pem\")"),
+ NULL
+ },
+
+@@ -691,7 +691,7 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
+ POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
+ &options->skip_dhparams,
+ 0,
+- _ ("Deprecated: Retained for backwards compatibility. 
To be removed in SSCG 5.0."),
++ _ ("Do not create the dhparams file"),
+ NULL
+ },
+
+diff --git a/src/sscg.c b/src/sscg.c
+index e4f9bfef624bfdb5df79a198a000c6cc5610c94d..cf0f80d47c37ebe26deaedd1c5bf4218b33e2dee 100644
+--- a/src/sscg.c
++++ b/src/sscg.c
+@@ -187,9 +187,16 @@ main (int argc, const char **argv)
+ options->crl_mode);
+ CHECK_OK (ret);
+
+- if (options->dhparams_file)
++ if (!options->skip_dhparams)
+ {
+- dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
++ if (options->dhparams_file)
++ {
++ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
++ }
++ else
++ {
++ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
++ }
+ CHECK_MEM (dhparams_file);
+
+ ret = sscg_io_utils_add_output_file (options->streams,
+@@ -198,7 +205,6 @@ main (int argc, const char **argv)
+ options->dhparams_mode);
+ CHECK_OK (ret);
+ }
+-
+ /* Validate and open the file paths */
+ ret = sscg_io_utils_open_output_files (options->streams, options->overwrite);
+ CHECK_OK (ret);
+diff --git a/test/test_dhparams_creation.sh b/test/test_dhparams_creation.sh
+index c7c289cce00e303621562fb8b160faa9a122cd00..5c957e3e226f915bfe77458f55d81b0f752a3370 100755
+--- a/test/test_dhparams_creation.sh
++++ b/test/test_dhparams_creation.sh
+@@ -42,10 +42,6 @@
+ # just warn and ignore it if it was not (returning 0). However, if it is
+ # explicitly requested on the command-line and cannot be written to that
+ # location, it should fail with an error code.
+-#
+-# Updated 2025-10-21: SSCG 4.0 no longer creates the dhparams file by default.
+-# It should not attempt to create it unless explicitly requested using the
+-# --dhparams-file option. 
+
+ set -e
+
+@@ -90,9 +86,9 @@ function run_test {
+ local expected_file="$6"
+ local should_create_file="$7"
+ local output_dir="$8"
+-
++
+ echo "Test $test_num: $description"
+-
++
+ pushd "$work_dir" >/dev/null
+
+ # Check if the expected file exists before running sscg
+@@ -106,7 +102,7 @@ function run_test {
+ if [ -z "$output_dir" ]; then
+ output_dir="."
+ fi
+-
++
+ # Run sscg with the specified arguments
+ local cmd_args=(
+ "${MESON_BUILD_ROOT}/sscg"
+@@ -114,22 +110,22 @@ function run_test {
+ --cert-file "${output_dir}/service.pem"
+ --cert-key-file "${output_dir}/service-key.pem"
+ )
+-
++
+ if [ -n "$dhparams_output_file" ]; then
+ cmd_args+=("--dhparams-file=$dhparams_output_file")
+ fi
+-
++
+ local exit_code=0
+ "${cmd_args[@]}" >/dev/null 2>&1 || exit_code=$?
+-
++
+ local test_passed=true
+-
++
+ # Check exit code
+ if [ "$exit_code" -ne "$expected_exit_code" ]; then
+ echo " FAIL: Expected exit code $expected_exit_code, got $exit_code"
+ test_passed=false
+ fi
+-
++
+ # Check file creation
+ if [ "$should_create_file" = "true" ]; then
+ if [ ! 
-f "$expected_file" ]; then
+@@ -149,17 +145,17 @@ function run_test {
+ test_passed=false
+ fi
+ fi
+-
++
+ if [ "$test_passed" = "true" ]; then
+ echo " PASS"
+ else
+ ((failed_tests++))
+ fi
+-
++
+ # Clean up any created files for next test
+ rm -f "${output_dir}/ca.crt" "${output_dir}/service.pem" "${output_dir}/service-key.pem"
+ rm -f "$expected_file" || true # Ignore errors
+-
++
+ popd >/dev/null
+ echo
+ }
+@@ -176,7 +172,7 @@ run_test \
+ "" \
+ 0 \
+ "$WRITABLE_DIR/dhparams.pem" \
+- "false" \
++ "true" \
+ "$WRITABLE_DIR"
+
+ # Test 2: No --dhparams-file, readonly directory, no existing file
+@@ -252,7 +248,7 @@ run_test \
+ "false" \
+ "$WRITABLE_DIR"
+
+-# Test 8: --dhparams-file to non-writable path, existing file
++# Test 8: --dhparams-file to non-writable path, existing file
+ # Arguments: test_num description work_dir dhparams_output_file expected_exit_code expected_file should_create_file output_dir
+ run_test \
+ 8 \
+--
+2.51.0
+
diff --git a/sscg.spec b/sscg.spec
index 6093d06..229a56a 100644
--- a/sscg.spec
+++ b/sscg.spec
@@ -27,6 +27,11 @@ BuildRequires: ninja-build
 BuildRequires: help2man
+# For backwards-compatibility in RHEL, revert the 4.0 patch that disables
+# dhparam file generation by default.
+Patch: 0001-Revert-Don-t-default-to-generating-DH-params-file.patch
+
+
 %description
 A utility to aid in the creation of more secure "self-signed" certificates.
 The certificates created by this tool are generated in a
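Review bot: In the nested `src/sscg.c` hunk the restored branch registers `./dhparams.pem` (relative to the current working directory) as an output file whenever `--skip-dhparams` is absent, yet the reverted `src/arguments.c` hunk leaves that option under `POPT_ARGFLAG_DOC_HIDDEN`, so `--help` now advertises the new default but not the opt-out; consider dropping the hidden flag in this downstream patch or naming `--skip-dhparams` in the `--dhparams-file` help string. Because this is a verbatim revert, nothing in the patched sources records that RHEL intentionally diverges from the upstream 4.0 default; a one-line comment above `if (!options->skip_dhparams)` such as `/* RHEL: keep the pre-4.0 default of writing ./dhparams.pem (see sscg.spec) */` would keep a future rebase from dropping it silently. The `main` function these hunks touch starts and ends outside the hunk.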