

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

10 changed files with 330 additions and 344 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/sscg-3.0.0.tar.xz
SOURCES/sscg-4.0.3.tar.gz


@ -1 +1 @@
81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz
829d6dd6d5ad493499317a2bf6f25167c9b3c623 SOURCES/sscg-4.0.3.tar.gz


@ -1,34 +0,0 @@
From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Sat, 7 Aug 2021 11:48:04 -0400
Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
This macro was dropped in OpenSSL 3.0 and has actually not been
providing a valid return code for some time.
Related: rhbz#1964837
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
include/sscg.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/sscg.h b/include/sscg.h
index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -94,11 +94,10 @@
if (_sslret != 1) \
{ \
/* Get information about error from OpenSSL */ \
unsigned long _ssl_error = ERR_get_error (); \
if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
(ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
{ \
fprintf ( \
stderr, \
--
2.33.0


@ -0,0 +1,119 @@
From 771a7663bccbd360f017c4c22358a46abcdfa93f Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 27 Oct 2025 14:58:11 -0400
Subject: [PATCH] Restore defaulting to dhparams.pem creation
This was disabled upstream, but for backwards-compatibility in the RHEL
9 and RHEL 10 lifecycle, we'll continue to do so there.
This reverts commit 0e5e011acc2dc19f3c2fcb5699cf8fa662a2b135.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/arguments.c | 4 ++--
src/sscg.c | 39 +++++++++++++++++++++++++---------
test/test_dhparams_creation.sh | 6 +-----
3 files changed, 32 insertions(+), 17 deletions(-)
diff --git a/src/arguments.c b/src/arguments.c
index 38c8740c1f159368d6fc92d51ba48d83700c3320..4ff75fdf86728592e7ca05db4cf4ac88bf79ca2e 100644
--- a/src/arguments.c
+++ b/src/arguments.c
@@ -682,7 +682,7 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
&options->dhparams_file,
0,
_("A file to contain a set of Diffie-Hellman parameters. "
- "(Default: not created)"),
+ "(Default: \"./dhparams.pem\")"),
NULL
},
@@ -692,7 +692,7 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
&options->skip_dhparams,
0,
- _ ("Deprecated: Retained for backwards compatibility. To be removed in SSCG 5.0."),
+ _ ("Do not create the dhparams file"),
NULL
},
diff --git a/src/sscg.c b/src/sscg.c
index b9b191f109300f6447262858f57a3a8321a14966..d2dce334cff1342d975e9867a2c82a222d76925e 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -166,19 +166,38 @@ main (int argc, const char **argv)
options->crl_mode);
CHECK_OK (ret);
- if (options->dhparams_file)
+ if (!options->skip_dhparams)
{
- dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
- CHECK_MEM (dhparams_file);
+ if (options->dhparams_file)
+ {
+ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
+ CHECK_MEM (dhparams_file);
- ret = sscg_io_utils_add_output_file (options->streams,
- SSCG_FILE_TYPE_DHPARAMS,
- dhparams_file,
- options->overwrite,
- options->dhparams_mode);
- CHECK_OK (ret);
+ ret = sscg_io_utils_add_output_file (options->streams,
+ SSCG_FILE_TYPE_DHPARAMS,
+ dhparams_file,
+ options->overwrite,
+ options->dhparams_mode);
+ CHECK_OK (ret);
+ }
+ else
+ {
+ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
+ CHECK_MEM (dhparams_file);
+
+ ret = sscg_io_utils_add_output_file (options->streams,
+ SSCG_FILE_TYPE_DHPARAMS,
+ dhparams_file,
+ options->overwrite,
+ options->dhparams_mode);
+ SSCG_LOG (SSCG_VERBOSE,
+ "Could not open dhparams file %s: %s\n",
+ dhparams_file,
+ strerror (ret));
+ /* This is non-fatal if the file path was not explicitly passed */
+ ret = EOK;
+ }
}
-
/* Validate and open the file paths */
ret = sscg_io_utils_open_BIOs (options->streams);
CHECK_OK (ret);
diff --git a/test/test_dhparams_creation.sh b/test/test_dhparams_creation.sh
index d0b4cbb71f3cd1656f1422524c4da7b30fbf3e0a..49f2b08d23246c90663eb7d2e5078817eb42139b 100755
--- a/test/test_dhparams_creation.sh
+++ b/test/test_dhparams_creation.sh
@@ -42,10 +42,6 @@
# just warn and ignore it if it was not (returning 0). However, if it is
# explicitly requested on the command-line and cannot be written to that
# location, it should fail with an error code.
-#
-# Updated 2025-10-21: SSCG 4.0 no longer creates the dhparams file by default.
-# It should not attempt to create it unless explicitly requested using the
-# --dhparams-file option.
set -e
@@ -181,7 +177,7 @@ run_test \
"" \
0 \
"$WRITABLE_DIR/dhparams.pem" \
- "false" \
+ "true" \
"$WRITABLE_DIR"
# Test 2: No --dhparams-file, readonly directory, no existing file
--
2.52.0
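Review bot: In the new `else` branch in `main` of src/sscg.c (the default `./dhparams.pem` path), the `SSCG_LOG (SSCG_VERBOSE, "Could not open dhparams file %s: %s\n", ...)` call runs unconditionally, so a verbose run would report a failure with `strerror (ret)` even when `sscg_io_utils_add_output_file` returned EOK. Guard the log and the reset together, `if (ret != EOK) { SSCG_LOG (...); ret = EOK; }`. It is also worth deciding whether every error code should be swallowed here or only the permission and path ones, since as written an allocation failure inside the helper would presumably be silenced too. The two branches repeat the same `talloc_strdup` / `sscg_io_utils_add_output_file` sequence and could share it, differing only in how the return value is handled. `main` starts and ends outside this hunk.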


@ -0,0 +1,38 @@
From f40d0070641543a140428d70211d53d36fd2c34b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 2 Dec 2025 12:12:26 -0500
Subject: [PATCH 2/3] Avoid segfault on receiving bad CLI arguments
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/sscg.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/sscg.c b/src/sscg.c
index d2dce334cff1342d975e9867a2c82a222d76925e..070d567bb189d42a20fd0a80f8fe2f7caae4d9eb 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -59,7 +59,7 @@ int
main (int argc, const char **argv)
{
int ret, sret;
- struct sscg_options *options;
+ struct sscg_options *options = NULL;
bool build_client_cert = false;
char *dhparams_file = NULL;
@@ -361,7 +361,10 @@ main (int argc, const char **argv)
done:
if (ret != EOK)
{
- sscg_io_utils_delete_output_files (options->streams);
+ if (options)
+ {
+ sscg_io_utils_delete_output_files (options->streams);
+ }
}
talloc_zfree (main_ctx);
if (getenv ("SSCG_TALLOC_REPORT"))
--
2.52.0
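Review bot: The new `if (options)` guard at `done:` protects only the `sscg_io_utils_delete_output_files (options->streams)` call; any other dereference of `options` on the failure path outside this hunk would still crash on a NULL `options`, so the rest of the cleanup code is worth checking. The nested test can be written as one condition, `if (ret != EOK && options)`, with a short comment such as `/* options stays NULL if argument handling fails before allocating it */` (presumably the case the subject line refers to). The patch carries no regression test for the bad-argument case. `main` continues outside both hunks.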


@ -1,46 +0,0 @@
From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Date: Tue, 26 Oct 2021 12:32:13 +0200
Subject: [PATCH 2/2] Correct certificate lifetime calculation
sscg allows passing the certificate lifetime, as a number of days, as a
commandline argument. It converts this value to seconds using the
formula
days * 24 * 3650
which is incorrect. The correct value is 3600.
This effectively adds an extra 20 minutes to the lifetime of the
certificate for each day as given on the commandline, and was enough to
cause some new integration tests in cockpit to fail.
Interestingly, 3650 is the old default value for the number of days of
certificate validity (~10 years) so this probably slipped in as a sort
of muscle-memory-assisted typo.
Let's just write `24 * 60 * 60` to make things clear.
---
src/x509.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/x509.c b/src/x509.c
index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
}
/* set time */
X509_gmtime_adj (X509_get_notBefore (cert), 0);
- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
+ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
/* set subject */
subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
sslret = X509_set_subject_name (cert, subject);
CHECK_SSL (sslret, X509_set_subject_name);
--
2.33.0


@ -0,0 +1,29 @@
From 08dacb632cc331027f39dcfa0b782aeb6f2f893a Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 2 Dec 2025 12:19:04 -0500
Subject: [PATCH 3/3] Restore error message
This was dropped in 4.0, but should be retained in RHEL 9 and 10 for
compatibility, particularly with existing tests that look for specific
messages.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/sscg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/sscg.c b/src/sscg.c
index 070d567bb189d42a20fd0a80f8fe2f7caae4d9eb..9f46cd622a4d55bd634a370ccc81ff063422b5af 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -361,6 +361,7 @@ main (int argc, const char **argv)
done:
if (ret != EOK)
{
+ SSCG_ERROR ("%s\n", strerror (ret));
if (options)
{
sscg_io_utils_delete_output_files (options->streams);
--
2.52.0
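Review bot: The restored `SSCG_ERROR ("%s\n", strerror (ret));` has no comment saying why it is there, which makes it an easy candidate for removal on the next rebase; the commit message states that existing tests look for specific messages. A comment above the line, e.g. `/* Downstream: tests match on this message; keep the text and format stable */`, would record that. The call also assumes `ret` always holds an errno value at `done:`, which cannot be confirmed from this hunk because `main` starts and ends outside it.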


@ -1,68 +0,0 @@
From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 8 Mar 2022 16:33:35 -0500
Subject: [PATCH] Truncate IP address in SAN
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
but in OpenSSL 3.0 it is rejected as an invalid input.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/x509.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/x509.c b/src/x509.c
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
size_t i;
X509_NAME *subject;
char *alt_name = NULL;
char *tmp = NULL;
char *san = NULL;
+ char *slash = NULL;
TALLOC_CTX *tmp_ctx;
X509_EXTENSION *ex = NULL;
struct sscg_x509_req *csr;
/* Make sure we have a key available */
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
}
else
{
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
+ /* SAN IP addresses cannot include the subnet mask */
+ if ((slash = strchr (san, '/')))
+ {
+ /* Truncate at the slash */
+ *slash = '\0';
+ }
}
CHECK_MEM (san);
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
{
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
alt_name = tmp;
}
}
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
- CHECK_MEM (ex);
+ if (!ex)
+ {
+ ret = EINVAL;
+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
+ goto done;
+ }
+
sk_X509_EXTENSION_push (certinfo->extensions, ex);
/* Set the public key for the certificate */
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
--
2.35.1


@ -1,139 +0,0 @@
From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 16 Nov 2022 15:27:58 -0500
Subject: [PATCH] dhparams: don't fail if default file can't be created
Resolves: rhbz#2143206
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
src/arguments.c | 1 -
src/io_utils.c | 12 +++++++++++
src/sscg.c | 55 +++++++++++++++++++++++++++++++++----------------
3 files changed, 49 insertions(+), 19 deletions(-)
diff --git a/src/arguments.c b/src/arguments.c
index 7b9da14a732875b0f33a12e22a97d51a78216839..770d834aacc05d6d92cc0c855852eadb88f8c9bc 100644
--- a/src/arguments.c
+++ b/src/arguments.c
@@ -69,7 +69,6 @@ set_default_options (struct sscg_options *opts)
opts->lifetime = 398;
- opts->dhparams_file = talloc_strdup (opts, "dhparams.pem");
opts->dhparams_group = talloc_strdup (opts, "ffdhe4096");
opts->dhparams_generator = 2;
diff --git a/src/io_utils.c b/src/io_utils.c
index 1b8bc41c3849acbe4657ae14dfe55e3010957129..5d34327bdbe450add5326ac20c337c9399b471dc 100644
--- a/src/io_utils.c
+++ b/src/io_utils.c
@@ -544,6 +544,18 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
{
SSCG_LOG (SSCG_DEBUG, "Opening %s\n", stream->path);
stream->bio = BIO_new_file (stream->path, create_mode);
+ if (!stream->bio)
+ {
+ fprintf (stderr,
+ "Could not write to %s. Check directory permissions.\n",
+ stream->path);
+
+ /* The dhparams file is special, it will be handled later */
+ if (i != SSCG_FILE_TYPE_DHPARAMS)
+ {
+ continue;
+ }
+ }
CHECK_BIO (stream->bio, stream->path);
}
diff --git a/src/sscg.c b/src/sscg.c
index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b175e9dc26 100644
--- a/src/sscg.c
+++ b/src/sscg.c
@@ -93,6 +93,7 @@ main (int argc, const char **argv)
int ret, sret;
struct sscg_options *options;
bool build_client_cert = false;
+ char *dhparams_file = NULL;
struct sscg_x509_cert *cacert;
struct sscg_evp_pkey *cakey;
@@ -182,9 +183,19 @@ main (int argc, const char **argv)
options->crl_mode);
CHECK_OK (ret);
+ if (options->dhparams_file)
+ {
+ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
+ }
+ else
+ {
+ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
+ }
+ CHECK_MEM (dhparams_file);
+
ret = sscg_io_utils_add_output_file (options->streams,
SSCG_FILE_TYPE_DHPARAMS,
- options->dhparams_file,
+ dhparams_file,
options->dhparams_mode);
CHECK_OK (ret);
@@ -281,28 +292,36 @@ main (int argc, const char **argv)
/* Create DH parameters file */
- bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS);
- if (options->dhparams_prime_len > 0)
+ if ((bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS)))
{
- ret = create_dhparams (options->verbosity,
- options->dhparams_prime_len,
- options->dhparams_generator,
- &dhparams);
- CHECK_OK (ret);
+ if (options->dhparams_prime_len > 0)
+ {
+ ret = create_dhparams (options->verbosity,
+ options->dhparams_prime_len,
+ options->dhparams_generator,
+ &dhparams);
+ CHECK_OK (ret);
+ }
+ else
+ {
+ ret = get_params_by_named_group (options->dhparams_group, &dhparams);
+ CHECK_OK (ret);
+ }
+
+ /* Export the DH parameters to the file */
+ sret = PEM_write_bio_Parameters (bp, dhparams);
+ CHECK_SSL (sret, PEM_write_bio_Parameters ());
+ ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
+ EVP_PKEY_free (dhparams);
}
- else
+ else if (options->dhparams_file)
{
- ret = get_params_by_named_group (options->dhparams_group, &dhparams);
- CHECK_OK (ret);
+ /* A filename was explicitly passed, but it couldn't be created */
+ ret = EPERM;
+ fprintf (stderr, "Could not write to %s: ", options->dhparams_file);
+ goto done;
}
- /* Export the DH parameters to the file */
- sret = PEM_write_bio_Parameters (bp, dhparams);
- CHECK_SSL (sret, PEM_write_bio_Parameters ());
- ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
- EVP_PKEY_free (dhparams);
-
-
/* Set the final file permissions */
sscg_io_utils_finalize_output_files (options->streams);
--
2.38.1


@ -1,3 +1,13 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 2;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
%global provider github
%global provider_tld com
%global project sgallagher
@ -8,29 +18,32 @@
Name: sscg
Version: 3.0.0
Release: 7%{?dist}
Summary: Simple SSL certificate generator
Version: 4.0.3
Release: %autorelease
Summary: Simple Signed Certificate Generator
License: GPLv3+ with exceptions
License: GPL-3.0-or-later WITH cryptsetup-OpenSSL-exception
URL: https://%{provider_prefix}
Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}.tar.xz
Source0: %{URL}/archive/refs/tags/sscg-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: libtalloc-devel
BuildRequires: openssl-devel
BuildRequires: popt-devel
BuildRequires: libpath_utils-devel
BuildRequires: meson
BuildRequires: ninja-build
BuildRequires: help2man
Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
Patch0003: 0003-Truncate-IP-address-in-SAN.patch
Patch0004: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
# For backwards-compatibility in RHEL, revert the 4.0 patch that disables
# dhparam file generation by default.
Patch: 0001-Restore-defaulting-to-dhparams.pem-creation.patch
# Upstream patch to avoid segfault when receiving bad CLI arguments
Patch: 0002-Avoid-segfault-on-receiving-bad-CLI-arguments.patch
# Downstream patch to restore error message at the end of execution that is
# checked by certain tests
Patch: 0003-Restore-error-message.patch
%description
A utility to aid in the creation of more secure "self-signed"
@ -41,7 +54,7 @@ up a full PKI environment and without exposing the machine to a risk of
false signatures from the service certificate.
%prep
%autosetup -p1
%autosetup -p1 -n sscg-sscg-%{version}
%build
@ -61,69 +74,140 @@ false signatures from the service certificate.
%{_mandir}/man8/%{name}.8*
%changelog
* Thu Dec 08 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
- Correctly apply the patch for default dhparams
- Resolves: rhbz#2143206
## START: Generated by rpmautospec
* Tue Dec 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 4.0.3-2
- Fix issues discovered by OSCI tests
* Tue Dec 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 4.0.3-1
- Update to SSCG 4.0.3
* Tue Dec 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 4.0.1-1
- Update to SSCG 4.0.1
* Mon Oct 27 2025 Stephen Gallagher <sgallagh@redhat.com> - 4.0.0-2
- Restore creation of dhparams file by default
* Mon Aug 11 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-10
- Fix IP address handling in CA certificate SAN constraints
- Resolves: RHEL-107289
* Tue Apr 22 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-9
- Ensure 'critical' basicConstraint for CA cert
- Resolves: RHEL-88119
* Wed Apr 02 2025 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-8
- x509: Use proper version for CSR
- Resolves: RHEL-85851
* Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
- Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0
- Related: rhbz#2083879
* Mon Nov 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
- Don't fail if default dhparams file can't be created
- Resolves: rhbz#2143206
- Resolves: rhbz#2149064
* Thu Jul 14 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
- Rebase to sscg 3.0.0
- Resolves: rhbz#2107369
- Resolves: rhbz#2091525
* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
- Handle IP addresses in subjectAlternativeName correctly
- Resolves: rhbz#2061923
* Thu Jun 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-15
- Fix certificate lifetime calculation
- Resolves: rhbz#2091525
* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
- Correct certificate lifetime calculation
- Resolves: rhbz#2017667
* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-14
- Properly handling reading long passphrase files.
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-13
- Fix missing error check for --*-key-passfile
* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-2
- Drop usage of removed macro ERR_GET_FUNC()
- Related: rhbz#1964837
* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-12
- Improve validation of command-line arguments
- Resolves: rhbz#1784441
- Resolves: rhbz#1784443
* Wed Jul 21 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-1
- Release 3.0.0
- Support for OpenSSL 3.0
- Support for outputting named Diffie-Hellman parameter groups
- Support for CentOS Stream 9
- Resolves: rhbz#1984468
* Tue Jan 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-11
- Further improve --client-key-file help message
- Resolves: rhbz#1720667
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-8
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-10
- Fix incorrect help message
- Resolves: rhbz#1720667
* Wed May 26 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-7
- OpenSSL 3.0 compatibility: fix RSA key-generation test
- Resolves: rhbz#1964837
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-9
- Fix null-dereference and memory leak issues with client certs
- Resolves: rhbz#1720667
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-6
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Dec 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-8
- Add support for generating client authentication certificates
- Resolves: rhbz#1720667
* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-5
- Fixing incorrect license declaration
* Fri Nov 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-7
- Add support for password-protecting the private key files
- Resolves: rhbz#1717880
* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-4
- Updating to rebuild against the latest glibc
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
- Fixes for issues detected by automated testing.
- Resolves: rhbz#1653323
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-5
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-1
- Update to 2.6.2
- Handle very short and very long passphrases properly (fixes rhbz#1850183)
- Drop upstreamed patch
* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-4
- Rebuild with corrected ELN macro definitions
* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-3
- Don't bother running clang-format in the RPM build
- Lengthen the test timeout so ARM tests pass
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-1
- Bugfixes from upstream
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-2
- Fix incorrect help description for --client-key-file
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-1
- Update to 2.6.0
- Can now generate an empty CRL file.
- Can now create and store a Diffie-Hellman parameters (dhparams) file.
- Support for setting a password on private keys.
- Support for generating a client authentication certificate and key.
- Better support for OpenSSL 1.0
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.1-1
- Update to 2.5.1
- Fixes discovered by automated testing.
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.0-1
- Update to 2.5.0
- Auto-detect the hash algorithm to use by default.
* Tue Nov 27 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.4.0-1
- Update to 2.4.0
- Autodetect the minimum key strength from the system security level.
- Autodetect the hash algorithm to use from the system security level.
- Disallow setting a key strength below the system minimum.
- Resolves: rhbz#1653323
- Drop upstreamed patches
* Mon Sep 17 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-4
- Add a manpage for sscg.
- Add a manpage.
* Thu Jul 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-3
- Strip out bundled popt since RHEL 8 has a new-enough version.
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@ -266,3 +350,6 @@ false signatures from the service certificate.
* Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
- First packaging
## END: Generated by rpmautospec
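Review bot: `Source0` now points at `%{URL}/archive/refs/tags/sscg-%{version}.tar.gz`, which looks like a forge-generated tag archive rather than the published release tarball that the old `releases/download/...tar.xz` line fetched. No signature check is visible in the shown hunks, so the only integrity pin on this page is the 40-hex-digit digest (SHA-1, judging by its length) recorded for `SOURCES/sscg-4.0.3.tar.gz`. A comment next to `Source0` should say so, e.g. `# Forge-generated tag archive; integrity is pinned by the lookaside source digest`, and a stronger digest is worth using if the dist-git tooling supports one. The spec's remaining sections lie outside the shown hunks.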