[rpms/openssl] rebase_40beta: load crypto policy config file from the default config

[Tomas Mraz <tmraz@fedoraproject.org>]

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 60357072e0011a7802718f126050e81a793e1911
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2018-07-31T16:24:45+02:00
Stats  : +64/-29 in 3 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/60357072e0011a7802718f126050e81a793e1911?branch=rebase_40beta

Log:
load crypto policy config file from the default config

---
diff --git a/openssl-1.1.0-ca-dir.patch b/openssl-1.1.0-ca-dir.patch
deleted file mode 100644
index 421559d..0000000
--- a/openssl-1.1.0-ca-dir.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir openssl-1.1.0-pre5/apps/CA.pl.in
---- openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir	2016-07-18 15:19:40.118110405 +0200
-+++ openssl-1.1.0-pre5/apps/CA.pl.in	2016-07-18 15:21:06.531061337 +0200
-@@ -26,7 +26,7 @@ my $X509 = "$openssl x509";
- my $PKCS12 = "$openssl pkcs12";
- 
- # default openssl.cnf file has setup as per the following
--my $CATOP = "./demoCA";
-+my $CATOP = "/etc/pki/CA";
- my $CAKEY = "cakey.pem";
- my $CAREQ = "careq.pem";
- my $CACERT = "cacert.pem";
-diff -up openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir openssl-1.1.0-pre5/apps/openssl.cnf
---- openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir	2016-07-18 15:19:40.114110315 +0200
-+++ openssl-1.1.0-pre5/apps/openssl.cnf	2016-07-18 15:19:48.492299467 +0200
-@@ -39,7 +39,7 @@ default_ca	= CA_default		# The default c
- ####################################################################
- [ CA_default ]
- 
--dir		= ./demoCA		# Where everything is kept
-+dir		= /etc/pki/CA		# Where everything is kept
- certs		= $dir/certs		# Where the issued certs are kept
- crl_dir		= $dir/crl		# Where the issued crl are kept
- database	= $dir/index.txt	# database index file.

diff --git a/openssl-1.1.1-conf-paths.patch b/openssl-1.1.1-conf-paths.patch
new file mode 100644
index 0000000..1b02c2f
--- /dev/null
+++ b/openssl-1.1.1-conf-paths.patch
@@ -0,0 +1,56 @@
+diff -up openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths openssl-1.1.1-pre8/apps/CA.pl.in
+--- openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths	2018-06-20 16:48:09.000000000 +0200
++++ openssl-1.1.1-pre8/apps/CA.pl.in	2018-07-25 17:26:58.388624296 +0200
+@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
+ my $PKCS12 = "$openssl pkcs12";
+ 
+ # default openssl.cnf file has setup as per the following
+-my $CATOP = "./demoCA";
++my $CATOP = "/etc/pki/CA";
+ my $CAKEY = "cakey.pem";
+ my $CAREQ = "careq.pem";
+ my $CACERT = "cacert.pem";
+diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/openssl.cnf
+--- openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths	2018-07-25 17:26:58.378624057 +0200
++++ openssl-1.1.1-pre8/apps/openssl.cnf	2018-07-27 13:20:08.198513471 +0200
+@@ -23,6 +23,22 @@ oid_section		= new_oids
+ # (Alternatively, use a configuration file that has only
+ # X.509v3 extensions in its main [= default] section.)
+ 
++# Load default TLS policy configuration
++
++openssl_conf = default_modules
++
++[ default_modules ]
++
++ssl_conf = ssl_module
++
++[ ssl_module ]
++
++system_default = crypto_policy
++
++[ crypto_policy ]
++
++.include /etc/crypto-policies/back-ends/opensslcnf.config
++
+ [ new_oids ]
+ 
+ # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+@@ -43,7 +59,7 @@ default_ca	= CA_default		# The default c
+ ####################################################################
+ [ CA_default ]
+ 
+-dir		= ./demoCA		# Where everything is kept
++dir		= /etc/pki/CA		# Where everything is kept
+ certs		= $dir/certs		# Where the issued certs are kept
+ crl_dir		= $dir/crl		# Where the issued crl are kept
+ database	= $dir/index.txt	# database index file.
+@@ -329,7 +345,7 @@ default_tsa = tsa_config1	# the default
+ [ tsa_config1 ]
+ 
+ # These are used by the TSA reply generation only.
+-dir		= ./demoCA		# TSA root directory
++dir		= /etc/pki/CA		# TSA root directory
+ serial		= $dir/tsaserial	# The current serial number (mandatory)
+ crypto_device	= builtin		# OpenSSL engine to use for signing
+ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate

diff --git a/openssl.spec b/openssl.spec
index ff9e2f4..b0c3116 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -24,7 +24,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1
-Release: 0.%{prerelease}%{?dist}
+Release: 0.%{prerelease}.2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -47,7 +47,7 @@ Patch4: openssl-1.1.1-man-rename.patch
 # Bug fixes
 Patch21: openssl-1.1.0-issuer-hash.patch
 # Functionality changes
-Patch31: openssl-1.1.0-ca-dir.patch
+Patch31: openssl-1.1.1-conf-paths.patch
 Patch32: openssl-1.1.1-version-add-engines.patch
 Patch33: openssl-1.1.0-apps-dgst.patch
 Patch36: openssl-1.1.1-secure-getenv.patch
@@ -85,7 +85,7 @@ protocols.
 Summary: A general purpose cryptography library with TLS implementation
 Group: System Environment/Libraries
 Requires: ca-certificates >= 2008-5
-Requires: crypto-policies
+Requires: crypto-policies >= 20180730
 Recommends: openssl-pkcs11%{?_isa}
 # Needed obsoletes due to the base/lib subpackage split
 Obsoletes: openssl < 1:1.0.1-0.3.beta3
@@ -148,7 +148,7 @@ cp %{SOURCE13} test/
 
 %patch21 -p1 -b .issuer-hash
 
-%patch31 -p1 -b .ca-dir
+%patch31 -p1 -b .conf-paths
 %patch32 -p1 -b .version-add-engines
 %patch33 -p1 -b .dgst
 %patch36 -p1 -b .secure-getenv
@@ -440,7 +440,10 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
-* Wed Jul 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.1
+* Fri Jul 27 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.2
+- load crypto policy config file from the default config
+
+* Wed Jul 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8
 - update to the latest 1.1.1 beta version
 
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0h-6