Skip to content

Commit 8dd0bef

Browse files
authored
allow RHEL/Fedora OpenSSL specific configuration (#1013)
Patch OpenSSL to allow reading configurations which contain the RHEL/Fedora specific 'rh-allow-sha1-signatures' configuration value. This is does change the behavior of OpenSSL based on the value of this setting. closes #999
1 parent fb382b4 commit 8dd0bef

1 file changed

Lines changed: 27 additions & 0 deletions

File tree

cpython-unix/build-openssl-3.5.sh

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,33 @@ tar -xf "openssl-${OPENSSL_3_5_VERSION}.tar.gz"
1313

1414
pushd "openssl-${OPENSSL_3_5_VERSION}"
1515

16+
# Fedora and RHEL patch OpenSSL to selectively disallow SHA1 signatures via the
17+
# 'rh-allow-sha1-signatures' configuration entry.
18+
# Patch OpenSSL so that this key is allowed in configuration files but has no effect.
19+
# For details see: https://github.com/astral-sh/python-build-standalone/issues/999
20+
if [[ "$TARGET_TRIPLE" =~ "linux" ]]; then
21+
patch -p1 << 'EOF'
22+
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
23+
index 184bab9..7dc8037 100644
24+
--- a/crypto/evp/evp_cnf.c
25+
+++ b/crypto/evp/evp_cnf.c
26+
@@ -51,6 +51,13 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
27+
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
28+
return 0;
29+
}
30+
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
31+
+ int m;
32+
+
33+
+ /* Detailed error already reported. */
34+
+ if (!X509V3_get_value_bool(oval, &m))
35+
+ return 0;
36+
+
37+
} else if (strcmp(oval->name, "default_properties") == 0) {
38+
if (!evp_set_default_properties_int(NCONF_get0_libctx((CONF *)cnf),
39+
oval->value, 0, 0)) {
40+
EOF
41+
fi
42+
1643
# Otherwise it gets set to /tools/deps/ssl by default.
1744
case "${TARGET_TRIPLE}" in
1845
*apple*)

0 commit comments

Comments
 (0)