From ec6d7cf2723f8e57f5cc38296af8401d8b5478b6 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Tue, 17 Oct 2023 12:56:38 +0200
Subject: [PATCH] Provide empty evp_properties section in main OpenSSL
 configuration file

Resolves: RHEL-11439
---
 ...-Override-default-paths-for-the-CA-directory-tree.patch | 7 ++++++-
 0024-load-legacy-prov.patch                                | 6 ++++--
 openssl.spec                                               | 2 ++
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/0004-Override-default-paths-for-the-CA-directory-tree.patch b/0004-Override-default-paths-for-the-CA-directory-tree.patch
index 7c70c60..f16e22b 100644
--- a/0004-Override-default-paths-for-the-CA-directory-tree.patch
+++ b/0004-Override-default-paths-for-the-CA-directory-tree.patch
@@ -30,12 +30,17 @@ index c0afb96716..d6a5fabd16 100644
 diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
 --- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls	2021-07-06 13:41:39.204978272 +0200
 +++ openssl-3.0.0-alpha16/apps/openssl.cnf	2021-07-06 13:49:50.362857683 +0200
-@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7
+@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7
  
  [openssl_init]
  providers = provider_sect
 +# Load default TLS policy configuration
 +ssl_conf = ssl_module
++alg_section = evp_properties
++
++[ evp_properties ]
++#This section is intentionally added empty here
++#to be tuned on particular systems
  
  # List of providers to load
  [provider_sect]
diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch
index c7d2958..26ec5f5 100644
--- a/0024-load-legacy-prov.patch
+++ b/0024-load-legacy-prov.patch
@@ -1,7 +1,7 @@
 diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
 --- openssl-3.0.0/apps/openssl.cnf.legacy-prov	2021-09-09 12:06:40.895793297 +0200
 +++ openssl-3.0.0/apps/openssl.cnf	2021-09-09 12:12:33.947482500 +0200
-@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
+@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1
  tsa_policy2 = 1.2.3.4.5.6
  tsa_policy3 = 1.2.3.4.5.7
  
@@ -16,7 +16,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c
  [openssl_init]
  providers = provider_sect
  # Load default TLS policy configuration
- ssl_conf = ssl_module
+@@ -42,23 +42,24 @@ [ evp_properties ]
+ #This section is intentionally added empty here
+ #to be tuned on particular systems
  
 -# List of providers to load
 -[provider_sect]
diff --git a/openssl.spec b/openssl.spec
index f9230a0..0036747 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -527,6 +527,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
   Resolves: RHEL-5317
 - Don't limit using SHA1 in KDFs in non-FIPS mode.
   Resolves: RHEL-5295
+- Provide empty evp_properties section in main OpenSSL configuration file
+  Resolves: RHEL-11439
 
 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly