From e7c35f0edebd46cd8e18f8ab596d08e559fec21c Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 24 Nov 2023 16:16:54 +0100 Subject: [PATCH] Add a directory for OpenSSL providers configuration Resolves: RHEL-17193 --- 0024-load-legacy-prov.patch | 5 ++++- openssl.spec | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch index 26ec5f5..edbe50b 100644 --- a/0024-load-legacy-prov.patch +++ b/0024-load-legacy-prov.patch @@ -16,7 +16,7 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c [openssl_init] providers = provider_sect # Load default TLS policy configuration -@@ -42,23 +42,24 @@ [ evp_properties ] +@@ -42,23 +42,27 @@ [ evp_properties ] #This section is intentionally added empty here #to be tuned on particular systems @@ -54,6 +54,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c + +##[legacy_sect] +##activate = 1 ++ ++#Place the third party provider configuration files into this folder ++.include /etc/pki/tls/include [ ssl_module ] diff --git a/openssl.spec b/openssl.spec index 8e936ab..e050ec3 100644 --- a/openssl.spec +++ b/openssl.spec @@ -415,6 +415,7 @@ done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/include install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert 
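Review bot: The comment added above `.include /etc/pki/tls/include` (hunk at -54,6 of 0024-load-legacy-prov.patch) does not say which files are read or how much trust the directory carries. When the include target is a directory, OpenSSL reads only files ending in `.cnf` or `.conf`, and whatever they declare, including provider `module` paths, takes effect in every process that loads this openssl.cnf. I would expand the comment to something like `# Drop-in provider configuration: only *.cnf / *.conf files here are read; keep this directory and its files root-owned and not group- or world-writable.` The include also appears to sit after a commented-out `[legacy_sect]`, so a drop-in should open its own `[section]` header rather than rely on whichever section is current; the rest of openssl.cnf is not visible here, so that placement is inferred.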
@@ -497,6 +498,7 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %dir %{_sysconfdir}/pki/tls/certs %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private +%dir %{_sysconfdir}/pki/tls/include %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf %config %{_sysconfdir}/pki/tls/fips_local.cnf @@ -534,6 +536,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Related: RHEL-1780 - In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails Resolves: RHEL-17104 +- Add a directory for OpenSSL providers configuration + Resolves: RHEL-17193 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted
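Review bot: The new `%dir %{_sysconfdir}/pki/tls/include` entry (hunk at -497,6) sets no explicit mode or owner, and the matching `mkdir -p` in the %install hunk at -415,6 creates the directory under whatever umask the build uses. Because openssl.cnf now includes this directory, anything writable there becomes configuration for every OpenSSL consumer on the system, so pinning the permissions is cheap insurance: `%dir %attr(0755,root,root) %{_sysconfdir}/pki/tls/include`. If a `%defattr` earlier in %files already fixes directory modes this is redundant, but that is not visible in these hunks.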