From 49de59749c67dd13e4a2fc02f9b0e380cf0cc75c Mon Sep 17 00:00:00 2001
From: Sahana Prasad
Date: Mon, 16 Aug 2021 12:49:09 +0200
Subject: [PATCH] Add instruction for loading legacy provider in openssl.cnf

Resolves: rhbz#1975836
Signed-off-by: Sahana Prasad
---
 0024-load-legacy-prov.patch | 67 +++++++++++++++++++++++++++++++++++++
 openssl.spec | 8 ++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 0024-load-legacy-prov.patch

diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch
new file mode 100644
index 0000000..be0b354
--- /dev/null
+++ b/0024-load-legacy-prov.patch
@@ -0,0 +1,67 @@
+diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/apps/openssl.cnf
+--- openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov 2021-08-16 14:02:48.029645419 +0200
++++ openssl-3.0.0-beta2/apps/openssl.cnf 2021-08-16 14:14:48.006409467 +0200
+@@ -43,28 +43,29 @@ tsa_policy1 = 1.2.3.4.1
+ tsa_policy2 = 1.2.3.4.5.6
+ tsa_policy3 = 1.2.3.4.5.7
+ 
+-# For FIPS
+-# Optionally include a file that is generated by the OpenSSL fipsinstall
+-# application. This file contains configuration data required by the OpenSSL
+-# fips provider. It contains a named section e.g. [fips_sect] which is
+-# referenced from the [provider_sect] below.
+-# Refer to the OpenSSL security policy for more information.
+-# .include fipsmodule.cnf
+-
+ [openssl_init]
+ providers = provider_sect
+ # Load default TLS policy configuration
+ ssl_conf = ssl_module
+ 
+-# List of providers to load
++# Uncomment the sections that start with ## below to enable the legacy provider.
++# Loading the legacy provider enables support for the following algorithms:
++# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
++# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
++# Key Derivation Function (KDF): PBKDF1
++# In general it is not recommended to use the above mentioned algorithms for
++# security critical operations, as they are cryptographically weak or vulnerable
++# to side-channel attacks and as such have been deprecated.
++
+ [provider_sect]
+-default = default_sect
+-# The fips section name should match the section name inside the
+-# included fipsmodule.cnf.
+-# fips = fips_sect
+-
+-[default_sect]
+-# activate = 1
++##default = default_sect
++##legacy = legacy_sect
++##
++##[default_sect]
++##activate = 1
++##
++##[legacy_sect]
++##activate = 1
+ 
+ [ ssl_module ]
+ 
+diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2/doc/man5/config.pod
+--- openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov 2021-08-16 14:12:35.021606001 +0200
++++ openssl-3.0.0-beta2/doc/man5/config.pod 2021-08-16 14:14:47.077396867 +0200
+@@ -269,6 +269,14 @@ significant.
+ All parameters in the section as well as sub-sections are made
+ available to the provider.
+ 
++=head3 Loading the legacy provider
++
++Uncomment the sections that start with ## in openssl.cnf
++to enable the legacy provider.
++Note: In general it is not recommended to use the above mentioned algorithms for
++security critical operations, as they are cryptographically weak or vulnerable
++to side-channel attacks and as such have been deprecated.
++
+ =head2 EVP Configuration
+ 
+ The name B in the initialization section names the section
diff --git a/openssl.spec b/openssl.spec
index 47051b5..6d1bc37 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 0.beta2.4%{?dist}
+Release: 0.beta2.5%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -62,6 +62,8 @@ Patch21: 0021-fix-core-dump-req.patch
 Patch22: 0022-fix-openssl-req-password.patch
 # cms: Do not try to check binary format on stdin and -rctform fix
 Patch23: 0023-cms-stdin.patch
+# Instructions to load legacy provider in openssl.cnf
+Patch24: 0024-load-legacy-prov.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
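Review bot: The new `[provider_sect]` comment in the patched openssl.cnf tells the reader to uncomment the `##` lines but does not say that `default = default_sect` must be activated together with `legacy = legacy_sect`; once any provider is activated through the config, OpenSSL 3 no longer loads the default provider as an implicit fallback, so a reader who uncomments only the legacy block would lose the default algorithms for every application reading this file. A line such as `# Activate default and legacy together: enabling only legacy disables the implicit default provider.` placed above `##default = default_sect` would make that explicit. The hunk also removes the previously active `default = default_sect` line and the whole `# .include fipsmodule.cnf` guidance block, neither of which the commit message mentions; if that is intentional the description should say so. In the config.pod hunk the added text refers to "the above mentioned algorithms", but nothing above it in that file names any algorithms (the list lives only in openssl.cnf), so it should either repeat the list or say `the algorithms supplied by the legacy provider`. Minor nit in the openssl.cnf comment: `RC4,RC5` is missing a space.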
@@ -384,6 +386,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Mon Aug 16 2021 Sahana Prasad - 3.0.0-0.beta2.5
+- Add instruction for loading legacy provider in openssl.cnf
+- Resolves: rhbz#1975836
+
 * Mon Aug 16 2021 Sahana Prasad - 3.0.0-0.beta2.4
 - Adds support for IDEA encryption.
 - Resolves: rhbz#1990602