public inbox for git-commits@fedoraproject.org
* [rpms/openssl] rebase_40beta: Load system default cipher string from crypto-policies configuration file
@ 2026-06-09 12:45 Dmitry Belyavskiy
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : e7e252da3e8b46f800c0d1cb5acb72bc7dac6be9
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date : 2025-01-27T14:42:52+01:00
Stats : +20/-21 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/e7e252da3e8b46f800c0d1cb5acb72bc7dac6be9?branch=rebase_40beta
Log:
Load system default cipher string from crypto-policies configuration file
include /etc/crypto-policies/back-ends/opensslcnf.config and remove
/etc/crypto-policies/back-ends/openssl.config.
---
diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
index 5189459..c9c7a4f 100644
--- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@@ -96,7 +96,7 @@ index d4df30686f..cec4835268 100644
+=item B<PROFILE=SYSTEM>
+
+The list of enabled cipher suites will be loaded from the system crypto policy
-+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
++configuration file B</etc/crypto-policies/back-ends/opensslcnf.config>.
+See also L<update-crypto-policies(8)>.
+This is the default behavior unless an application explicitly sets a cipher
+list. If used in a cipher list configuration value this string must be at the
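Review bot: the manual text only swaps the file name; since the loader now parses that file as an OpenSSL configuration and reads the CipherString key from the global section (see the ssl_ciph.c hunk below), this paragraph should say so, otherwise anyone pointing OPENSSL_SYSTEM_CIPHERS_OVERRIDE at their own file will still expect a bare cipher string.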
@@ -125,14 +125,13 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 8360991ce4..33c23efb0d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
-@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
+@@ -1455,6 +1455,49 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
return ret;
}
+#ifdef SYSTEM_CIPHERS_FILE
+static char *load_system_str(const char *suffix)
+{
-+ FILE *fp;
+ char buf[1024];
+ char *new_rules;
+ const char *ciphers_path;
@@ -140,29 +139,26 @@ index 8360991ce4..33c23efb0d 100644
+
+ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
+ ciphers_path = SYSTEM_CIPHERS_FILE;
-+ fp = fopen(ciphers_path, "r");
-+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
-+ /* cannot open or file is empty */
++
++ if (access(ciphers_path, R_OK) == 0) {
++ CONF *conf = NCONF_new_ex(NULL, NCONF_default());
++ char *value = NULL;
++
++ if (NCONF_load(conf, ciphers_path, NULL) > 0)
++ value = NCONF_get_string(conf, "global", "CipherString");
++
++ snprintf(buf, sizeof(buf), "%s", value ? value : SSL_DEFAULT_CIPHER_LIST);
++
++ NCONF_free(conf);
++ } else {
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
+ }
+
-+ if (fp)
-+ fclose(fp);
-+
+ slen = strlen(suffix);
+ len = strlen(buf);
+
-+ if (buf[len - 1] == '\n') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+ if (buf[len - 1] == '\r') {
-+ len--;
-+ buf[len] = 0;
-+ }
-+
-+ new_rules = OPENSSL_malloc(len + slen + 1);
-+ if (new_rules == 0)
++ new_rules = OPENSSL_zalloc(len + slen + 1);
++ if (new_rules == NULL)
+ return NULL;
+
+ memcpy(new_rules, buf, len);
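Review bot: the access(ciphers_path, R_OK) pre-check is redundant and adds a check-then-open window: if the file is unreadable NCONF_load() already fails, value stays NULL and the code falls back to SSL_DEFAULT_CIPHER_LIST, so the else branch can be folded into the value == NULL case and the extra syscall dropped (access() also needs <unistd.h>, which this hunk does not show being included). Two smaller points: NCONF_new_ex() can return NULL and the code relies on NCONF_load() rejecting a NULL conf rather than checking it explicitly; and snprintf() into the 1024-byte buf silently truncates a long CipherString. Copying value with OPENSSL_strdup() before NCONF_free() would remove both the fixed buffer and the truncation while keeping the required copy-before-free.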
@@ -187,7 +183,7 @@ index 8360991ce4..33c23efb0d 100644
+ char *new_rules = NULL;
+
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
-+ char *p = rule_str + 14;
++ const char *p = rule_str + 14;
+
+ new_rules = load_system_str(p);
+ rule_str = new_rules;
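Review bot: making p a const char * is the right fix since rule_str is const; while touching this line, the magic length 14 in strncmp() could become sizeof("PROFILE=SYSTEM") - 1 so the prefix and its length cannot drift apart.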
diff --git a/openssl.spec b/openssl.spec
index 640a2b4..13cd9cb 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -559,6 +559,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%changelog
* Mon Jan 27 2025 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-13
- Locally configured providers should not interfere with openssl build-time tests
+- Load system default cipher string from crypto-policies configuration file
+ include /etc/crypto-policies/back-ends/opensslcnf.config and remove
+ /etc/crypto-policies/back-ends/openssl.config.
* Fri Jan 17 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.2.2-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
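Review bot: the new changelog lines are appended to the existing 1:3.2.2-13 entry rather than a new one; if -13 was already built with only the providers fix, this change needs a Release bump and its own dated entry so the resulting packages can be told apart.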