Compare commits
No commits in common. 'c10-beta' and 'c9' have entirely different histories.
@ -1 +1 @@
|
|||||||
SOURCES/sscg-3.0.5.tar.gz
|
SOURCES/sscg-3.0.0.tar.xz
|
||||||
|
|||||||
@ -1 +1 @@
|
|||||||
5e6bf0b81e1a607d5c72c4edec33584fa924ecfa SOURCES/sscg-3.0.5.tar.gz
|
81e3b33e118edff96583314ceb4bfde9a1e6b45c SOURCES/sscg-3.0.0.tar.xz
|
||||||
|
|||||||
@ -0,0 +1,34 @@
|
|||||||
|
From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Sat, 7 Aug 2021 11:48:04 -0400
|
||||||
|
Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
|
||||||
|
|
||||||
|
This macro was dropped in OpenSSL 3.0 and has actually not been
|
||||||
|
providing a valid return code for some time.
|
||||||
|
|
||||||
|
Related: rhbz#1964837
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
include/sscg.h | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/include/sscg.h b/include/sscg.h
|
||||||
|
index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
|
||||||
|
--- a/include/sscg.h
|
||||||
|
+++ b/include/sscg.h
|
||||||
|
@@ -94,11 +94,10 @@
|
||||||
|
if (_sslret != 1) \
|
||||||
|
{ \
|
||||||
|
/* Get information about error from OpenSSL */ \
|
||||||
|
unsigned long _ssl_error = ERR_get_error (); \
|
||||||
|
if ((ERR_GET_LIB (_ssl_error) == ERR_LIB_UI) && \
|
||||||
|
- (ERR_GET_FUNC (_ssl_error) == UI_F_UI_SET_RESULT_EX) && \
|
||||||
|
((ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_LARGE) || \
|
||||||
|
(ERR_GET_REASON (_ssl_error) == UI_R_RESULT_TOO_SMALL))) \
|
||||||
|
{ \
|
||||||
|
fprintf ( \
|
||||||
|
stderr, \
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
||||||
@ -1,205 +0,0 @@
|
|||||||
From 750dee2eded3b1c16e0434fa387d35a869545d9e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Wed, 15 Feb 2023 15:49:38 -0500
|
|
||||||
Subject: [PATCH 1/2] Extend maximum DNS name to 255
|
|
||||||
|
|
||||||
The hostname part is still restricted to 63 characters
|
|
||||||
|
|
||||||
See RFC 1035, section 2.3.4
|
|
||||||
|
|
||||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
---
|
|
||||||
include/sscg.h | 3 +++
|
|
||||||
src/arguments.c | 35 +++++++++++++++++++++++++++--------
|
|
||||||
src/authority.c | 26 +++++++++++++++++++++++---
|
|
||||||
src/cert.c | 5 +++++
|
|
||||||
src/x509.c | 6 +++---
|
|
||||||
5 files changed, 61 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/include/sscg.h b/include/sscg.h
|
|
||||||
index 0f35631018dc2745e986cd1e7e094e3e37be8e54..f0c6d93b871e4bd3f2c805be8dfa7485ec34746a 100644
|
|
||||||
--- a/include/sscg.h
|
|
||||||
+++ b/include/sscg.h
|
|
||||||
@@ -313,6 +313,9 @@ enum sscg_cert_type
|
|
||||||
#define SSCG_MIN_KEY_PASS_LEN 4
|
|
||||||
#define SSCG_MAX_KEY_PASS_LEN 1023
|
|
||||||
|
|
||||||
+/* RFC 1035, section 2.3.4 (Size Limits) */
|
|
||||||
+#define MAX_HOST_LEN 63
|
|
||||||
+#define MAX_FQDN_LEN 255
|
|
||||||
|
|
||||||
int
|
|
||||||
sscg_handle_arguments (TALLOC_CTX *mem_ctx,
|
|
||||||
diff --git a/src/arguments.c b/src/arguments.c
|
|
||||||
index 0b7a060d31bed97130c7cb9b7feacf0876e25c0d..2f412bee1bee9620f28b6e84aed4aef17aee3a6a 100644
|
|
||||||
--- a/src/arguments.c
|
|
||||||
+++ b/src/arguments.c
|
|
||||||
@@ -786,10 +786,19 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
CHECK_MEM (options->hostname);
|
|
||||||
|
|
||||||
- if (strnlen (options->hostname, MAXHOSTNAMELEN + 1) > MAXHOSTNAMELEN)
|
|
||||||
+ if (strnlen (options->hostname, MAX_FQDN_LEN + 1) > MAX_FQDN_LEN)
|
|
||||||
{
|
|
||||||
- fprintf (
|
|
||||||
- stderr, "Hostnames may not exceed %d characters\n", MAXHOSTNAMELEN);
|
|
||||||
+ fprintf (stderr, "FQDNs may not exceed %d characters\n", MAX_FQDN_LEN);
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((strchr (options->hostname, '.') - options->hostname) > MAX_HOST_LEN + 4)
|
|
||||||
+ {
|
|
||||||
+ fprintf (stderr,
|
|
||||||
+ "Hostnames may not exceed %d characters in Subject "
|
|
||||||
+ "Alternative Names\n",
|
|
||||||
+ MAX_HOST_LEN);
|
|
||||||
ret = EINVAL;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
@@ -798,25 +807,35 @@ sscg_handle_arguments (TALLOC_CTX *mem_ctx,
|
|
||||||
options struct. It's not the most efficient approach, but
|
|
||||||
it's only done one time, so there is no sense in optimizing
|
|
||||||
it. */
|
|
||||||
+ size_t i = 0;
|
|
||||||
if (alternative_names)
|
|
||||||
{
|
|
||||||
- size_t i = 0;
|
|
||||||
while (alternative_names[i] != NULL)
|
|
||||||
{
|
|
||||||
options->subject_alt_names = talloc_realloc (
|
|
||||||
- options, options->subject_alt_names, char *, i + 2);
|
|
||||||
+ options, options->subject_alt_names, char *, i + 1);
|
|
||||||
CHECK_MEM (options->subject_alt_names);
|
|
||||||
|
|
||||||
options->subject_alt_names[i] =
|
|
||||||
talloc_strdup (options->subject_alt_names, alternative_names[i]);
|
|
||||||
CHECK_MEM (options->subject_alt_names[i]);
|
|
||||||
-
|
|
||||||
- /* Add a NULL terminator to the end */
|
|
||||||
- options->subject_alt_names[i + 1] = NULL;
|
|
||||||
i++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ The hostname must always be listed in SubjectAlternativeNames as well.
|
|
||||||
+ Note that the realloc also adds an extra entry for the NULL terminator
|
|
||||||
+ */
|
|
||||||
+ options->subject_alt_names =
|
|
||||||
+ talloc_realloc (options, options->subject_alt_names, char *, i + 2);
|
|
||||||
+ CHECK_MEM (options->subject_alt_names);
|
|
||||||
+ options->subject_alt_names[i] =
|
|
||||||
+ talloc_strdup (options->subject_alt_names, options->hostname);
|
|
||||||
+ CHECK_MEM (options->subject_alt_names[i]);
|
|
||||||
+ /* Add a NULL terminator to the end */
|
|
||||||
+ options->subject_alt_names[i + 1] = NULL;
|
|
||||||
+
|
|
||||||
if (options->key_strength < options->minimum_key_strength)
|
|
||||||
{
|
|
||||||
fprintf (stderr,
|
|
||||||
diff --git a/src/authority.c b/src/authority.c
|
|
||||||
index 4efaa9e730964b9762b59d0e6698c1623901ccfe..f509fd4316c3b7b230f99de6464491c319fc5d45 100644
|
|
||||||
--- a/src/authority.c
|
|
||||||
+++ b/src/authority.c
|
|
||||||
@@ -56,6 +56,7 @@ create_private_CA (TALLOC_CTX *mem_ctx,
|
|
||||||
char *name_constraint;
|
|
||||||
char *san;
|
|
||||||
char *tmp;
|
|
||||||
+ char *dot;
|
|
||||||
|
|
||||||
tmp_ctx = talloc_new (NULL);
|
|
||||||
CHECK_MEM (tmp_ctx);
|
|
||||||
@@ -89,6 +90,26 @@ create_private_CA (TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
ca_certinfo->cn = talloc_strdup (ca_certinfo, options->hostname);
|
|
||||||
CHECK_MEM (ca_certinfo->cn);
|
|
||||||
+ /* Truncate the CN at the first dot */
|
|
||||||
+ if ((dot = strchr (ca_certinfo->cn, '.')))
|
|
||||||
+ *dot = '\0';
|
|
||||||
+
|
|
||||||
+ if (options->subject_alt_names)
|
|
||||||
+ {
|
|
||||||
+ for (i = 0; options->subject_alt_names[i]; i++)
|
|
||||||
+ {
|
|
||||||
+ ca_certinfo->subject_alt_names = talloc_realloc (
|
|
||||||
+ ca_certinfo, ca_certinfo->subject_alt_names, char *, i + 2);
|
|
||||||
+ CHECK_MEM (ca_certinfo->subject_alt_names);
|
|
||||||
+
|
|
||||||
+ ca_certinfo->subject_alt_names[i] = talloc_strdup (
|
|
||||||
+ ca_certinfo->subject_alt_names, options->subject_alt_names[i]);
|
|
||||||
+ CHECK_MEM (ca_certinfo->subject_alt_names[i]);
|
|
||||||
+
|
|
||||||
+ /* Add a NULL terminator to the end */
|
|
||||||
+ ca_certinfo->subject_alt_names[i + 1] = NULL;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Make this a CA certificate */
|
|
||||||
|
|
||||||
@@ -106,10 +127,9 @@ create_private_CA (TALLOC_CTX *mem_ctx,
|
|
||||||
CHECK_MEM (ex);
|
|
||||||
sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
|
|
||||||
|
|
||||||
- /* Restrict signing to the hostname and subjectAltNames of the
|
|
||||||
- service certificate */
|
|
||||||
+ /* Restrict signing to the CN and subjectAltNames of the service certificate */
|
|
||||||
name_constraint =
|
|
||||||
- talloc_asprintf (tmp_ctx, "permitted;DNS:%s", options->hostname);
|
|
||||||
+ talloc_asprintf (tmp_ctx, "permitted;DNS:%s", ca_certinfo->cn);
|
|
||||||
CHECK_MEM (name_constraint);
|
|
||||||
|
|
||||||
if (options->subject_alt_names)
|
|
||||||
diff --git a/src/cert.c b/src/cert.c
|
|
||||||
index 99d9109f5981ef408aeb7d05a8327e1a38d5700a..e36de71e7ca9b34f87734542d5646b466cd61d4c 100644
|
|
||||||
--- a/src/cert.c
|
|
||||||
+++ b/src/cert.c
|
|
||||||
@@ -31,6 +31,7 @@
|
|
||||||
*/
|
|
||||||
|
|
||||||
|
|
||||||
+#include <string.h>
|
|
||||||
#include "include/sscg.h"
|
|
||||||
#include "include/cert.h"
|
|
||||||
#include "include/x509.h"
|
|
||||||
@@ -52,6 +53,7 @@ create_cert (TALLOC_CTX *mem_ctx,
|
|
||||||
struct sscg_x509_req *csr;
|
|
||||||
struct sscg_evp_pkey *pkey;
|
|
||||||
struct sscg_x509_cert *cert;
|
|
||||||
+ char *dot;
|
|
||||||
X509_EXTENSION *ex = NULL;
|
|
||||||
EXTENDED_KEY_USAGE *extended;
|
|
||||||
TALLOC_CTX *tmp_ctx = NULL;
|
|
||||||
@@ -87,6 +89,9 @@ create_cert (TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
certinfo->cn = talloc_strdup (certinfo, options->hostname);
|
|
||||||
CHECK_MEM (certinfo->cn);
|
|
||||||
+ /* Truncate the CN at the first dot */
|
|
||||||
+ if ((dot = strchr (certinfo->cn, '.')))
|
|
||||||
+ *dot = '\0';
|
|
||||||
|
|
||||||
if (options->subject_alt_names)
|
|
||||||
{
|
|
||||||
diff --git a/src/x509.c b/src/x509.c
|
|
||||||
index 4f3f11cd3411f00cf6de3a72ba897adc97944e35..9f6f21b49c2dd70629fed67d327027374eb21b15 100644
|
|
||||||
--- a/src/x509.c
|
|
||||||
+++ b/src/x509.c
|
|
||||||
@@ -290,12 +290,12 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
CHECK_MEM (san);
|
|
||||||
|
|
||||||
- if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
|
|
||||||
+ if (strnlen (san, MAX_FQDN_LEN + 5) > MAX_FQDN_LEN + 4)
|
|
||||||
{
|
|
||||||
fprintf (stderr,
|
|
||||||
- "Hostnames may not exceed %d characters in Subject "
|
|
||||||
+ "FQDNs may not exceed %d characters in Subject "
|
|
||||||
"Alternative Names\n",
|
|
||||||
- MAXHOSTNAMELEN);
|
|
||||||
+ MAX_FQDN_LEN);
|
|
||||||
ret = EINVAL;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
@ -0,0 +1,46 @@
|
|||||||
|
From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
|
||||||
|
Date: Tue, 26 Oct 2021 12:32:13 +0200
|
||||||
|
Subject: [PATCH 2/2] Correct certificate lifetime calculation
|
||||||
|
|
||||||
|
sscg allows passing the certificate lifetime, as a number of days, as a
|
||||||
|
commandline argument. It converts this value to seconds using the
|
||||||
|
formula
|
||||||
|
|
||||||
|
days * 24 * 3650
|
||||||
|
|
||||||
|
which is incorrect. The correct value is 3600.
|
||||||
|
|
||||||
|
This effectively adds an extra 20 minutes to the lifetime of the
|
||||||
|
certificate for each day as given on the commandline, and was enough to
|
||||||
|
cause some new integration tests in cockpit to fail.
|
||||||
|
|
||||||
|
Interestingly, 3650 is the old default value for the number of days of
|
||||||
|
certificate validity (~10 years) so this probably slipped in as a sort
|
||||||
|
of muscle-memory-assisted typo.
|
||||||
|
|
||||||
|
Let's just write `24 * 60 * 60` to make things clear.
|
||||||
|
---
|
||||||
|
src/x509.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/x509.c b/src/x509.c
|
||||||
|
index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
|
||||||
|
--- a/src/x509.c
|
||||||
|
+++ b/src/x509.c
|
||||||
|
@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
|
||||||
|
X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
|
||||||
|
}
|
||||||
|
|
||||||
|
/* set time */
|
||||||
|
X509_gmtime_adj (X509_get_notBefore (cert), 0);
|
||||||
|
- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
|
||||||
|
+ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
|
||||||
|
|
||||||
|
/* set subject */
|
||||||
|
subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
|
||||||
|
sslret = X509_set_subject_name (cert, subject);
|
||||||
|
CHECK_SSL (sslret, X509_set_subject_name);
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
||||||
@ -0,0 +1,68 @@
|
|||||||
|
From 0875cd6169e876c4296a307631d49b801fc686dc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Tue, 8 Mar 2022 16:33:35 -0500
|
||||||
|
Subject: [PATCH] Truncate IP address in SAN
|
||||||
|
|
||||||
|
In OpenSSL 1.1, this was done automatically when addind a SAN extension,
|
||||||
|
but in OpenSSL 3.0 it is rejected as an invalid input.
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/x509.c | 15 ++++++++++++++-
|
||||||
|
1 file changed, 14 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/x509.c b/src/x509.c
|
||||||
|
index 7c7e4dfe56d5756862f3e0f851941e846ce96f31..e828ec725b23d7ea79393151e7bb436e2f61bdb8 100644
|
||||||
|
--- a/src/x509.c
|
||||||
|
+++ b/src/x509.c
|
||||||
|
@@ -131,10 +131,11 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||||
|
size_t i;
|
||||||
|
X509_NAME *subject;
|
||||||
|
char *alt_name = NULL;
|
||||||
|
char *tmp = NULL;
|
||||||
|
char *san = NULL;
|
||||||
|
+ char *slash = NULL;
|
||||||
|
TALLOC_CTX *tmp_ctx;
|
||||||
|
X509_EXTENSION *ex = NULL;
|
||||||
|
struct sscg_x509_req *csr;
|
||||||
|
|
||||||
|
/* Make sure we have a key available */
|
||||||
|
@@ -265,10 +266,16 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||||
|
tmp_ctx, "DNS:%s", certinfo->subject_alt_names[i]);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
san = talloc_strdup (tmp_ctx, certinfo->subject_alt_names[i]);
|
||||||
|
+ /* SAN IP addresses cannot include the subnet mask */
|
||||||
|
+ if ((slash = strchr (san, '/')))
|
||||||
|
+ {
|
||||||
|
+ /* Truncate at the slash */
|
||||||
|
+ *slash = '\0';
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
CHECK_MEM (san);
|
||||||
|
|
||||||
|
if (strnlen (san, MAXHOSTNAMELEN + 5) > MAXHOSTNAMELEN + 4)
|
||||||
|
{
|
||||||
|
@@ -287,11 +294,17 @@ sscg_x509v3_csr_new (TALLOC_CTX *mem_ctx,
|
||||||
|
alt_name = tmp;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ex = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, alt_name);
|
||||||
|
- CHECK_MEM (ex);
|
||||||
|
+ if (!ex)
|
||||||
|
+ {
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ fprintf (stderr, "Invalid subjectAlternativeName: %s\n", alt_name);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
sk_X509_EXTENSION_push (certinfo->extensions, ex);
|
||||||
|
|
||||||
|
/* Set the public key for the certificate */
|
||||||
|
sslret = X509_REQ_set_pubkey (csr->x509_req, spkey->evp_pkey);
|
||||||
|
CHECK_SSL (sslret, X509_REQ_set_pubkey (OU));
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
@ -0,0 +1,139 @@
|
|||||||
|
From 282f819bc39c9557ee34f73c6f6623182f680792 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
Date: Wed, 16 Nov 2022 15:27:58 -0500
|
||||||
|
Subject: [PATCH] dhparams: don't fail if default file can't be created
|
||||||
|
|
||||||
|
Resolves: rhbz#2143206
|
||||||
|
|
||||||
|
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
||||||
|
---
|
||||||
|
src/arguments.c | 1 -
|
||||||
|
src/io_utils.c | 12 +++++++++++
|
||||||
|
src/sscg.c | 55 +++++++++++++++++++++++++++++++++----------------
|
||||||
|
3 files changed, 49 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/arguments.c b/src/arguments.c
|
||||||
|
index 7b9da14a732875b0f33a12e22a97d51a78216839..770d834aacc05d6d92cc0c855852eadb88f8c9bc 100644
|
||||||
|
--- a/src/arguments.c
|
||||||
|
+++ b/src/arguments.c
|
||||||
|
@@ -69,7 +69,6 @@ set_default_options (struct sscg_options *opts)
|
||||||
|
|
||||||
|
opts->lifetime = 398;
|
||||||
|
|
||||||
|
- opts->dhparams_file = talloc_strdup (opts, "dhparams.pem");
|
||||||
|
opts->dhparams_group = talloc_strdup (opts, "ffdhe4096");
|
||||||
|
opts->dhparams_generator = 2;
|
||||||
|
|
||||||
|
diff --git a/src/io_utils.c b/src/io_utils.c
|
||||||
|
index 1b8bc41c3849acbe4657ae14dfe55e3010957129..5d34327bdbe450add5326ac20c337c9399b471dc 100644
|
||||||
|
--- a/src/io_utils.c
|
||||||
|
+++ b/src/io_utils.c
|
||||||
|
@@ -544,6 +544,18 @@ sscg_io_utils_open_output_files (struct sscg_stream **streams, bool overwrite)
|
||||||
|
{
|
||||||
|
SSCG_LOG (SSCG_DEBUG, "Opening %s\n", stream->path);
|
||||||
|
stream->bio = BIO_new_file (stream->path, create_mode);
|
||||||
|
+ if (!stream->bio)
|
||||||
|
+ {
|
||||||
|
+ fprintf (stderr,
|
||||||
|
+ "Could not write to %s. Check directory permissions.\n",
|
||||||
|
+ stream->path);
|
||||||
|
+
|
||||||
|
+ /* The dhparams file is special, it will be handled later */
|
||||||
|
+ if (i != SSCG_FILE_TYPE_DHPARAMS)
|
||||||
|
+ {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
CHECK_BIO (stream->bio, stream->path);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/sscg.c b/src/sscg.c
|
||||||
|
index 1bf8019c2dda136abe56acd101dfe8ad0b3d725d..dcff4cd2b8dfd2e11c8612d36ecc94b175e9dc26 100644
|
||||||
|
--- a/src/sscg.c
|
||||||
|
+++ b/src/sscg.c
|
||||||
|
@@ -93,6 +93,7 @@ main (int argc, const char **argv)
|
||||||
|
int ret, sret;
|
||||||
|
struct sscg_options *options;
|
||||||
|
bool build_client_cert = false;
|
||||||
|
+ char *dhparams_file = NULL;
|
||||||
|
|
||||||
|
struct sscg_x509_cert *cacert;
|
||||||
|
struct sscg_evp_pkey *cakey;
|
||||||
|
@@ -182,9 +183,19 @@ main (int argc, const char **argv)
|
||||||
|
options->crl_mode);
|
||||||
|
CHECK_OK (ret);
|
||||||
|
|
||||||
|
+ if (options->dhparams_file)
|
||||||
|
+ {
|
||||||
|
+ dhparams_file = talloc_strdup (main_ctx, options->dhparams_file);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ dhparams_file = talloc_strdup (main_ctx, "./dhparams.pem");
|
||||||
|
+ }
|
||||||
|
+ CHECK_MEM (dhparams_file);
|
||||||
|
+
|
||||||
|
ret = sscg_io_utils_add_output_file (options->streams,
|
||||||
|
SSCG_FILE_TYPE_DHPARAMS,
|
||||||
|
- options->dhparams_file,
|
||||||
|
+ dhparams_file,
|
||||||
|
options->dhparams_mode);
|
||||||
|
CHECK_OK (ret);
|
||||||
|
|
||||||
|
@@ -281,28 +292,36 @@ main (int argc, const char **argv)
|
||||||
|
|
||||||
|
|
||||||
|
/* Create DH parameters file */
|
||||||
|
- bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS);
|
||||||
|
- if (options->dhparams_prime_len > 0)
|
||||||
|
+ if ((bp = GET_BIO (SSCG_FILE_TYPE_DHPARAMS)))
|
||||||
|
{
|
||||||
|
- ret = create_dhparams (options->verbosity,
|
||||||
|
- options->dhparams_prime_len,
|
||||||
|
- options->dhparams_generator,
|
||||||
|
- &dhparams);
|
||||||
|
- CHECK_OK (ret);
|
||||||
|
+ if (options->dhparams_prime_len > 0)
|
||||||
|
+ {
|
||||||
|
+ ret = create_dhparams (options->verbosity,
|
||||||
|
+ options->dhparams_prime_len,
|
||||||
|
+ options->dhparams_generator,
|
||||||
|
+ &dhparams);
|
||||||
|
+ CHECK_OK (ret);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ ret = get_params_by_named_group (options->dhparams_group, &dhparams);
|
||||||
|
+ CHECK_OK (ret);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Export the DH parameters to the file */
|
||||||
|
+ sret = PEM_write_bio_Parameters (bp, dhparams);
|
||||||
|
+ CHECK_SSL (sret, PEM_write_bio_Parameters ());
|
||||||
|
+ ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
|
||||||
|
+ EVP_PKEY_free (dhparams);
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
+ else if (options->dhparams_file)
|
||||||
|
{
|
||||||
|
- ret = get_params_by_named_group (options->dhparams_group, &dhparams);
|
||||||
|
- CHECK_OK (ret);
|
||||||
|
+ /* A filename was explicitly passed, but it couldn't be created */
|
||||||
|
+ ret = EPERM;
|
||||||
|
+ fprintf (stderr, "Could not write to %s: ", options->dhparams_file);
|
||||||
|
+ goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Export the DH parameters to the file */
|
||||||
|
- sret = PEM_write_bio_Parameters (bp, dhparams);
|
||||||
|
- CHECK_SSL (sret, PEM_write_bio_Parameters ());
|
||||||
|
- ANNOUNCE_WRITE (SSCG_FILE_TYPE_DHPARAMS);
|
||||||
|
- EVP_PKEY_free (dhparams);
|
||||||
|
-
|
||||||
|
-
|
||||||
|
/* Set the final file permissions */
|
||||||
|
sscg_io_utils_finalize_output_files (options->streams);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
||||||
@ -0,0 +1,32 @@
|
|||||||
|
From e65a507c487a37dd5a8c90b7dbd1ff3274146239 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Simon Chopin <simon.chopin@canonical.com>
|
||||||
|
Date: Mon, 13 Dec 2021 15:20:55 +0100
|
||||||
|
Subject: [PATCH 5/5] dhparams: Fix the FIPS_mode() call for OpenSSL 3.0
|
||||||
|
|
||||||
|
This function has been removed from OpenSSL 3.0, replaced by
|
||||||
|
EVP_default_properties_is_fips_enabled().
|
||||||
|
|
||||||
|
Closes #50
|
||||||
|
---
|
||||||
|
src/dhparams.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/dhparams.c b/src/dhparams.c
|
||||||
|
index 5c50128970d48790df910b9f9531e61e1d4c5758..61fd57aeedca47fba49f75d356cd5f42b9586696 100644
|
||||||
|
--- a/src/dhparams.c
|
||||||
|
+++ b/src/dhparams.c
|
||||||
|
@@ -231,7 +231,11 @@ is_valid_named_group (const char *group_name)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check non-FIPS groups */
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
if (!FIPS_mode ())
|
||||||
|
+#else
|
||||||
|
+ if (!EVP_default_properties_is_fips_enabled(NULL))
|
||||||
|
+#endif
|
||||||
|
{
|
||||||
|
i = 0;
|
||||||
|
while (dh_nonfips_groups[i])
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
||||||
Loading…
Reference in new issue