Compare commits

...

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

14 changed files with 231 additions and 50 deletions

26
.gitignore vendored
View File

@ -1 +1,25 @@
SOURCES/sscg-3.0.0.tar.xz
/sscg-0.4.1.tar.gz
/sscg-1.0.0-a3fe426.tar.gz
/sscg-1.0.1-6858b79.tar.gz
/sscg-1.0.2-897a89a.tar.gz
/sscg-1.0.3-ecdee74.tar.gz
/sscg-1.0.4-024d20e.tar.gz
/sscg-1.1.0-4f90b27.tar.gz
/sscg-2.0.0.tar.gz
/sscg-2.0.1.tar.gz
/sscg-2.0.2.tar.gz
/sscg-2.0.3.tar.gz
/sscg-2.0.4.tar.gz
/sscg-2.1.0.tar.gz
/sscg-2.2.0.tar.gz
/sscg-2.3.0.tar.xz
/sscg-2.3.1.tar.xz
/sscg-2.3.2.tar.xz
/sscg-2.3.3.tar.xz
/sscg-2.4.0.tar.xz
/sscg-2.5.0.tar.xz
/sscg-2.5.1.tar.xz
/sscg-2.6.0.tar.xz
/sscg-2.6.1.tar.xz
/sscg-2.6.2.tar.xz
/sscg-3.0.0.tar.xz

View File

@ -1 +0,0 @@
81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz

View File

@ -0,0 +1,32 @@
From e65a507c487a37dd5a8c90b7dbd1ff3274146239 Mon Sep 17 00:00:00 2001
From: Simon Chopin <simon.chopin@canonical.com>
Date: Mon, 13 Dec 2021 15:20:55 +0100
Subject: [PATCH 5/5] dhparams: Fix the FIPS_mode() call for OpenSSL 3.0
This function has been removed from OpenSSL 3.0, replaced by
EVP_default_properties_is_fips_enabled().
Closes #50
---
src/dhparams.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/dhparams.c b/src/dhparams.c
index 5c50128970d48790df910b9f9531e61e1d4c5758..61fd57aeedca47fba49f75d356cd5f42b9586696 100644
--- a/src/dhparams.c
+++ b/src/dhparams.c
@@ -231,7 +231,11 @@ is_valid_named_group (const char *group_name)
}
/* Check non-FIPS groups */
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (!FIPS_mode ())
+#else
+ if (!EVP_default_properties_is_fips_enabled(NULL))
+#endif
{
i = 0;
while (dh_nonfips_groups[i])
--
2.31.1

9
gating.yaml Normal file
View File

@ -0,0 +1,9 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (sscg-3.0.0.tar.xz) = d5bbd14c102bb11b387b6018dced09b23b053498c60befd916aa142ece8240f443e364d9a578b6b5aa15c68cb943725ed96ef44cce77eb01013e464a6d4dc0f1

View File

@ -26,11 +26,11 @@ BuildRequires: ninja-build
BuildRequires: help2man
Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
Patch0003: 0003-Truncate-IP-address-in-SAN.patch
Patch0004: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
Patch: 0001-Drop-usage-of-ERR_GET_FUNC.patch
Patch: 0002-Correct-certificate-lifetime-calculation.patch
Patch: 0003-Truncate-IP-address-in-SAN.patch
Patch: 0004-dhparams-don-t-fail-if-default-file-can-t-be-created.patch
Patch: 0005-dhparams-Fix-the-FIPS_mode-call-for-OpenSSL-3.0.patch
%description
A utility to aid in the creation of more secure "self-signed"
@ -61,69 +61,115 @@ false signatures from the service certificate.
%{_mandir}/man8/%{name}.8*
%changelog
* Thu Dec 08 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-7
- Correctly apply the patch for default dhparams
- Resolves: rhbz#2143206
* Fri Dec 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
- Use EVP_default_properties_is_fips_enabled() on OpenSSL 3.0
- Related: rhbz#2083879
* Mon Nov 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-6
- Don't fail if default dhparams file can't be created
- Resolves: rhbz#2143206
- Resolves: rhbz#2149064
* Thu Jul 14 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
- Rebase to sscg 3.0.0
- Resolves: rhbz#2107369
- Resolves: rhbz#2091525
* Wed Mar 09 2022 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-5
- Handle IP addresses in subjectAlternativeName correctly
- Resolves: rhbz#2061923
* Thu Jun 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-15
- Fix certificate lifetime calculation
- Resolves: rhbz#2091525
* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
- Correct certificate lifetime calculation
- Resolves: rhbz#2017667
* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-14
- Properly handling reading long passphrase files.
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jan 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-13
- Fix missing error check for --*-key-passfile
* Sat Aug 07 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-2
- Drop usage of removed macro ERR_GET_FUNC()
- Related: rhbz#1964837
* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-12
- Improve validation of command-line arguments
- Resolves: rhbz#1784441
- Resolves: rhbz#1784443
* Wed Jul 21 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-1
- Release 3.0.0
- Support for OpenSSL 3.0
- Support for outputting named Diffie-Hellman parameter groups
- Support for CentOS Stream 9
- Resolves: rhbz#1984468
* Tue Jan 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-11
- Further improve --client-key-file help message
- Resolves: rhbz#1720667
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-8
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-10
- Fix incorrect help message
- Resolves: rhbz#1720667
* Wed May 26 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-7
- OpenSSL 3.0 compatibility: fix RSA key-generation test
- Resolves: rhbz#1964837
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-9
- Fix null-dereference and memory leak issues with client certs
- Resolves: rhbz#1720667
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.2-6
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Dec 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-8
- Add support for generating client authentication certificates
- Resolves: rhbz#1720667
* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-5
- Fixing incorrect license declaration
* Fri Nov 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-7
- Add support for password-protecting the private key files
- Resolves: rhbz#1717880
* Wed Mar 17 2021 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-4
- Updating to rebuild against the latest glibc
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
- Fixes for issues detected by automated testing.
- Resolves: rhbz#1653323
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-5
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.2-1
- Update to 2.6.2
- Handle very short and very long passphrases properly (fixes rhbz#1850183)
- Drop upstreamed patch
* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-4
- Rebuild with corrected ELN macro definitions
* Thu Apr 30 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-3
- Don't bother running clang-format in the RPM build
- Lengthen the test timeout so ARM tests pass
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 2.6.1-1
- Bugfixes from upstream
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-2
- Fix incorrect help description for --client-key-file
* Fri Dec 13 2019 Stephen Gallagher <sgallagh@redhat.com> - 2.6.0-1
- Update to 2.6.0
- Can now generate an empty CRL file.
- Can now create and store a Diffie-Hellman parameters (dhparams) file.
- Support for setting a password on private keys.
- Support for generating a client authentication certificate and key.
- Better support for OpenSSL 1.0
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.1-1
- Update to 2.5.1
- Fixes discovered by automated testing.
* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.5.0-1
- Update to 2.5.0
- Auto-detect the hash algorithm to use by default.
* Tue Nov 27 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.4.0-1
- Update to 2.4.0
- Autodetect the minimum key strength from the system security level.
- Autodetect the hash algorithm to use from the system security level.
- Disallow setting a key strength below the system minimum.
- Resolves: rhbz#1653323
- Drop upstreamed patches
* Mon Sep 17 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-4
- Add a manpage for sscg.
- Add a manpage.
* Thu Jul 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-3
- Strip out bundled popt since RHEL 8 has a new-enough version.
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
@ -266,3 +312,4 @@ false signatures from the service certificate.
* Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
- First packaging

14
test/help-usage/Makefile Normal file
View File

@ -0,0 +1,14 @@
.PHONY: all install download clean
BUILT_FILES=
FILES=runtest.sh Makefile
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
chmod a+x ./runtest.sh
clean:
rm -f *~ $(BUILT_FILES)

View File

@ -0,0 +1,13 @@
help-usage
==========
This is an example task for `Taskotron <https://fedoraproject.org/wiki/Taskotron>`_
that tests the basic functionality of 'sscg --help' to confirm it generates a usage message.
Standalone you can run it like this::
$ make run
Through taskotron runner you can run it like this::
$ runtask -i sscg-2.0.4-1.fc27 -t koji_build -a x86_64 runtask.yml

View File

@ -0,0 +1,29 @@
---
name: help-usage
desc: "Tests the basic functionality of 'sscg --help' to confirm it generates a usage message."
maintainer: sgallagh
input:
args:
- koji_build
- arch
environment:
rpm:
- make
actions:
- name: download the build
koji:
action: download
koji_build: ${koji_build}
arch: $arch
target_dir: ${workdir}/rpms
- name: install the build
shell:
- dnf install -y ${workdir}/rpms/*.rpm
- name: run test
shell:
- make run

13
test/help-usage/runtest.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh
PACKAGE=sscg
# Assume the test will pass.
result=PASS
sscg --help | grep -q -i '^usage:'
if [ $? -ne 0 ]; then
result=FAIL
fi
echo $result