Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0

Don't fail if default dhparams file can't be created
Resolves: rhbz#2149064 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-19 09:57:22 +00:00 · 2022-11-28 13:15:39 -05:00 · 2022-03-09 09:35:58 -05:00 · 2021-10-29 13:20:12 -04:00 · 2021-08-10 00:58:02 +00:00 · 2021-08-07 15:19:02 -04:00
10 changed files with 379 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -22,3 +22,4 @@
 /sscg-2.6.0.tar.xz
 /sscg-2.6.1.tar.xz
 /sscg-2.6.2.tar.xz
+/sscg-3.0.0.tar.xz
--- a/.sscg.metadata
+++ b/.sscg.metadata
@ -0,0 +1 @@
+81e3b33e118edff96583314ceb4bfde9a1e6b45c sscg-3.0.0.tar.xz
--- a/0001-Drop-usage-of-ERR_GET_FUNC.patch
+++ b/0001-Drop-usage-of-ERR_GET_FUNC.patch
@ -0,0 +1,34 @@
+From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Sat, 7 Aug 2021 11:48:04 -0400
+Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
+
+This macro was dropped in OpenSSL 3.0 and has actually not been
+providing a valid return code for some time.
+
+Related: rhbz#1964837
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ include/sscg.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/sscg.h b/include/sscg.h
+index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
+--- a/include/sscg.h
+++ b/include/sscg.h
+@@ -94,11 +94,10 @@
+       if (_sslret != 1)                                                       \
+         {                                                                     \
+           /* Get information about error from OpenSSL */                      \
+           unsigned long _ssl_error = ERR_get_error ();                        \
+           if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) &&                     \
+-              (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) &&         \
+               ((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) ||      \
+                (ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL)))       \
+             {                                                                 \
+               fprintf (                                                       \
+                 stderr,                                                       \
+-- 
+2.33.0
+
--- a/0002-Correct-certificate-lifetime-calculation.patch
+++ b/0002-Correct-certificate-lifetime-calculation.patch
@ -0,0 +1,46 @@
+From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
+From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
+Date: Tue, 26 Oct 2021 12:32:13 +0200
+Subject: [PATCH 2/2] Correct certificate lifetime calculation
+
+sscg allows passing the certificate lifetime, as a number of days, as a
+commandline argument.  It converts this value to seconds using the
+formula
+
+  days * 24 * 3650
+
+which is incorrect.  The correct value is 3600.
+
+This effectively adds an extra 20 minutes to the lifetime of the
+certificate for each day as given on the commandline, and was enough to
+cause some new integration tests in cockpit to fail.
+
+Interestingly, 3650 is the old default value for the number of days of
+certificate validity (~10 years) so this probably slipped in as a sort
+of muscle-memory-assisted typo.
+
+Let's just write `24 * 60 * 60` to make things clear.
+---
+ src/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
+--- a/src/x509.c
+++ b/src/x509.c
+@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
+       X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
+     }
+ 
+   /* set time */
+   X509_gmtime_adj (X509_get_notBefore (cert), 0);
+-  X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
+  X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
+ 
+   /* set subject */
+   subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
+   sslret = X509_set_subject_name (cert, subject);
+   CHECK_SSL (sslret, X509_set_subject_name);
+-- 
+2.33.0
+
--- a/0003-Truncate-IP-address-in-SAN.patch
+++ b/0003-Truncate-IP-address-in-SAN.patch
@ -0,0 +1,68 @@
+From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 8 Mar 2022 16:33:35 -0500
+Subject: [PATCH] Truncate IP address in SAN
+
+In OpenSSL 1.1, this was done automatically when addind a SAN extension,
+but in OpenSSL 3.0 it is rejected as an invalid input.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/x509.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/x509.c b/src/x509.c
+index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
+--- a/src/x509.c
+++ b/src/x509.c
+@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+   size_t i;
+   X509_NAME *subject;
+   char *alt_name = NULL;
+   char *tmp = NULL;
+   char *san = NULL;
+  char *slash = NULL;
+   TALLOC_CTX *tmp_ctx;
+   X509_EXTENSION *ex = NULL;
+   struct sscg_x509_req *csr;
+ 
+   /* Make sure we have a key available */
+@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+                 tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
+             }
+           else
+             {
+               san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
+              /* SAN IP addresses cannot include the subnet mask */
+              if ((slash = strchr (san, '/')))
+                {
+                  /* Truncate at the slash */
+                  *slash = '\0';
+                }
+             }
+           CHECK_MEM (san);
+ 
+           if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
+             {
+@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
+           alt_name = tmp;
+         }
+     }
+ 
+   ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
+-  CHECK_MEM (ex);
+  if (!ex)
+    {
+      ret = EINVAL;
+      fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
+      goto done;
+    }
+
+   sk_X509_EXTENSION_push (certinfo->extensions, ex);
+ 
+   /* Set the public key for the certificate */
+   sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
+   CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
+-- 
+2.35.1
+
--- a/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
+++ b/0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
@ -0,0 +1,139 @@
+From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Wed, 16 Nov 2022 15:27:58 -0500
+Subject: [PATCH] dhparams: don't fail if default file can't be created
+
+Resolves: rhbz#2143206
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/arguments.c |  1 -
+ src/io_utils.c  | 12 +++++++++++
+ src/sscg.c      | 55 +++++++++++++++++++++++++++++++++----------------
+ 3 files changed, 49 insertions(+), 19 deletions(-)
+
+diff --git a/src/arguments.c b/src/arguments.c
+index 7b9da14a732875b0f33a12e22a97d51a78216839..770d834aacc05d6d92cc0c855852eadb88f8c9bc 100644
+--- a/src/arguments.c
+++ b/src/arguments.c
+@@ -69,7 +69,6 @@ set_default_options (struct sscg_options *opts)
+ 
+   opts->lifetime = 398;
+ 
+-  opts->dhparams_file = talloc_strdup (opts, "dhparams.pem");
+   opts->dhparams_group = talloc_strdup (opts, "ffdhe4096");
+   opts->dhparams_generator = 2;
+ 
+diff --git a/src/io_utils.c b/src/io_utils.c
+index 1b8bc41c3849acbe4657ae14dfe55e3010957129..5d34327bdbe450add5326ac20c337c9399b471dc 100644
+--- a/src/io_utils.c
+++ b/src/io_utils.c
+@@ -544,6 +544,18 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
+     {
+       SSCG_LOG (SSCG_DEBUG, "Opening %s\n", stream->path);
+       stream->bio = BIO_new_file (stream->path, create_mode);
+      if (!stream->bio)
+        {
+          fprintf (stderr,
+                   "Could not write to %s. Check directory permissions.\n",
+                   stream->path);
+
+          /* The dhparams file is special, it will be handled later */
+          if (i != SSCG_FILE_TYPE_DHPARAMS)
+            {
+              continue;
+            }
+        }
+       CHECK_BIO (stream->bio, stream->path);
+     }
+ 
+diff --git a/src/sscg.c b/src/sscg.c
+index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b175e9dc26 100644
+--- a/src/sscg.c
+++ b/src/sscg.c
+@@ -93,6 +93,7 @@ main (int argc, const char **argv)
+   int ret, sret;
+   struct sscg_options *options;
+   bool build_client_cert = false;
+  char *dhparams_file = NULL;
+ 
+   struct sscg_x509_cert *cacert;
+   struct sscg_evp_pkey *cakey;
+@@ -182,9 +183,19 @@ main (int argc, const char **argv)
+                                        options->crl_mode);
+   CHECK_OK (ret);
+ 
+  if (options->dhparams_file)
+    {
+      dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
+    }
+  else
+    {
+      dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
+    }
+  CHECK_MEM (dhparams_file);
+
+   ret = sscg_io_utils_add_output_file (options->streams,
+                                        SSCG_FILE_TYPE_DHPARAMS,
+-                                       options->dhparams_file,
+                                       dhparams_file,
+                                        options->dhparams_mode);
+   CHECK_OK (ret);
+ 
+@@ -281,28 +292,36 @@ main (int argc, const char **argv)
+ 
+ 
+   /* Create DH parameters file */
+-  bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS);
+-  if (options->dhparams_prime_len > 0)
+  if ((bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS)))
+     {
+-      ret = create_dhparams (options->verbosity,
+-                             options->dhparams_prime_len,
+-                             options->dhparams_generator,
+-                             &dhparams);
+-      CHECK_OK (ret);
+      if (options->dhparams_prime_len > 0)
+        {
+          ret = create_dhparams (options->verbosity,
+                                 options->dhparams_prime_len,
+                                 options->dhparams_generator,
+                                 &dhparams);
+          CHECK_OK (ret);
+        }
+      else
+        {
+          ret = get_params_by_named_group (options->dhparams_group, &dhparams);
+          CHECK_OK (ret);
+        }
+
+      /* Export the DH parameters to the file */
+      sret = PEM_write_bio_Parameters (bp, dhparams);
+      CHECK_SSL (sret, PEM_write_bio_Parameters ());
+      ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
+      EVP_PKEY_free (dhparams);
+     }
+-  else
+  else if (options->dhparams_file)
+     {
+-      ret = get_params_by_named_group (options->dhparams_group, &dhparams);
+-      CHECK_OK (ret);
+      /* A filename was explicitly passed, but it couldn't be created */
+      ret = EPERM;
+      fprintf (stderr, "Could not write to %s: ", options->dhparams_file);
+      goto done;
+     }
+ 
+-  /* Export the DH parameters to the file */
+-  sret = PEM_write_bio_Parameters (bp, dhparams);
+-  CHECK_SSL (sret, PEM_write_bio_Parameters ());
+-  ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
+-  EVP_PKEY_free (dhparams);
+-
+-
+   /* Set the final file permissions */
+   sscg_io_utils_finalize_output_files (options->streams);
+ 
+-- 
+2.38.1
+
--- a/0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
+++ b/0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
@ -0,0 +1,32 @@
+From e65a507c487a37dd5a8c90b7dbd1ff3274146239 Mon Sep 17 00:00:00 2001
+From: Simon Chopin <simon.chopin@canonical.com>
+Date: Mon, 13 Dec 2021 15:20:55 +0100
+Subject: [PATCH 5/5] dhparams: Fix the FIPS_mode() call for OpenSSL 3.0
+
+This function has been removed from OpenSSL 3.0, replaced by
+EVP_default_properties_is_fips_enabled().
+
+Closes #50
+---
+ src/dhparams.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/dhparams.c b/src/dhparams.c
+index 5c50128970d48790df910b9f9531e61e1d4c5758..61fd57aeedca47fba49f75d356cd5f42b9586696 100644
+--- a/src/dhparams.c
+++ b/src/dhparams.c
+@@ -231,7 +231,11 @@ is_valid_named_group (const char *group_name)
+     }
+ 
+   /* Check non-FIPS groups */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+   if (!FIPS_mode ())
+#else
+  if (!EVP_default_properties_is_fips_enabled(NULL))
+#endif
+     {
+       i = 0;
+       while (dh_nonfips_groups[i])
+-- 
+2.31.1
+
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (sscg-2.6.2.tar.xz) = 5e900b4bc52d867325db2bd3ad83c072b0dac14ffcb2bf5539ea7b3d1701384ab0428a342d99928ea29d1a6ddec81664eac4a1255cd2aee2ba37e3a8105f1467
+SHA512 (sscg-3.0.0.tar.xz) = d5bbd14c102bb11b387b6018dced09b23b053498c60befd916aa142ece8240f443e364d9a578b6b5aa15c68cb943725ed96ef44cce77eb01013e464a6d4dc0f1
--- a/sscg.spec
+++ b/sscg.spec
@ -8,8 +8,8 @@


 Name:           sscg
-Version:        2.6.2
-Release:        6%{?dist}
+Version:        3.0.0
+Release:        7%{?dist}
 Summary:        Simple SSL certificate generator

 License:        GPLv3+ with exceptions
@ -26,6 +26,12 @@ BuildRequires:  ninja-build
 BuildRequires:  help2man


+Patch: 0001-Drop-usage-of-ERR_GET_FUNC.patch
+Patch: 0002-Correct-certificate-lifetime-calculation.patch
+Patch: 0003-Truncate-IP-address-in-SAN.patch
+Patch: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
+Patch: 0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
+
 %description
 A utility to aid in the creation of more secure "self-signed"
 certificates. The certificates created by this tool are generated in a
@ -55,6 +61,45 @@ false signatures from the service certificate.
 %{_mandir}/man8/%{name}.8*

 %changelog
+* Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
+- Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0
+- Related: rhbz#2083879
+
+* Mon Nov 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
+- Don't fail if default dhparams file can't be created
+- Resolves: rhbz#2149064
+
+* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
+- Handle IP addresses in subjectAlternativeName correctly
+- Resolves: rhbz#2061923
+
+* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
+- Correct certificate lifetime calculation
+- Resolves: rhbz#2017667
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-2
+- Drop usage of removed macro ERR_GET_FUNC()
+- Related: rhbz#1964837
+
+* Wed Jul 21 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-1
+- Release 3.0.0
+- Support for OpenSSL 3.0
+- Support for outputting named Diffie-Hellman parameter groups
+- Support for CentOS Stream 9
+- Resolves: rhbz#1984468
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-8
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Wed May 26 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-7
+- OpenSSL 3.0 compatibility: fix RSA key-generation test
+- Resolves: rhbz#1964837
+
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-6
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

@ -267,3 +312,4 @@ false signatures from the service certificate.

 * Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
 - First packaging
+
Author	SHA1	Message	Date
Stephen Gallagher	2f92285054	Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0	2023-05-19 09:57:22 +00:00
Stephen Gallagher	34be907513	Don't fail if default dhparams file can't be created Resolves: rhbz#2149064 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>	2022-11-28 13:15:39 -05:00
Stephen Gallagher	7f6afd68f8	Handle IP addresses in subjectAlternativeName correctly Resolves: rhbz#2061923 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>	2022-03-09 09:35:58 -05:00
Stephen Gallagher	29dbec123b	Correct certificate lifetime calculation Resolves: rhbz#2017667 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>	2021-10-29 13:20:12 -04:00
Mohan Boddu	b40aa7ee5c	Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-08-10 00:58:02 +00:00
Stephen Gallagher	a3ce8bd969	Drop usage of removed macro ERR_GET_FUNC() Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>	2021-08-07 15:19:02 -04:00
Stephen Gallagher	0d91054d47	Release 3.0.0 Support for OpenSSL 3.0 Support for outputting named Diffie-Hellman parameter groups Support for CentOS Stream 9 Resolves: rhbz#1984468 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>	2021-07-21 14:32:18 -04:00
Mohan Boddu	2bd8fafbbc	Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065 Signed-off-by: Mohan Boddu <mboddu@redhat.com>	2021-06-16 03:39:03 +00:00
Stephen Gallagher	2db8955928	OpenSSL 3.0: fix RSA key-generation test Resolves: rhbz#1964837 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>	2021-05-26 15:54:32 +00:00
Branislav Náter	516bc844e5	Adding gating configuration	2021-05-26 17:30:19 +02:00
				`@ -0,0 +1 @@`
				`81e3b33e118edff96583314ceb4bfde9a1e6b45c sscg-3.0.0.tar.xz`