fixup! OpenSslEnginesCheck: New actor for OpenSSL engines (9->10)
pirat89 committed Feb 6, 2025
1 parent c887ab6 commit c6e9940
Showing 3 changed files with 99 additions and 92 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@ def process(self):
if list(openssl_messages):
api.current_logger().warning('Unexpectedly received more than one OpenSslConfig message.')
if not config:
# NOTE: unexpected situation - putting the check just as a seatbelt
# - not covered by unit-tests.
raise StopActorExecutionError(
'Could not check openssl configuration', details={'details': 'No OpenSslConfig facts found.'}
)
Original file line number Diff line number Diff line change
@@ -1,14 +1,24 @@
from leapp import reporting
from leapp.libraries.stdlib import api

FMT_LIST_SEPARATOR = '\n - '
RESOURCES = [
reporting.RelatedResource('package', 'openssl'),
reporting.RelatedResource('file', '/etc/pki/tls/openssl.cnf')
]


def _formatted_list_output(input_list, sep=FMT_LIST_SEPARATOR):
return ['{}{}'.format(sep, item) for item in input_list]


# FIXME: This is taken from the el8toel9 library in
# repos/system_upgrade/el8toel9/actors/opensslconfigcheck/libraries/opensslconfigcheck.py
def _normalize_key(key):
"""
Strip the part of the key before the first dot
"""
s = key.split(".", 1)
s = key.split('.', 1)
if len(s) == 2:
return s[1]
return key
Expand Down Expand Up @@ -55,12 +65,6 @@ def _openssl_find_block(config, name):
return None


resources = [
reporting.RelatedResource('package', 'openssl'),
reporting.RelatedResource('file', '/etc/pki/tls/openssl.cnf')
]


def check_openssl_engines(config):
"""
Check there are no engines configured in openssl.cnf
Expand All @@ -71,29 +75,13 @@ def check_openssl_engines(config):
and suggest removal.
"""
init_block = _openssl_find_block(config, config.openssl_conf)
if config.openssl_conf != "openssl_init" or not init_block:
reporting.create_report([
reporting.Title('Non-standard configuration of openssl.cnf'),
reporting.Summary(
'The OpenSSL configuration file `/etc/pki/tls/openssl.cnf` does not contain '
'expected initialization (openssl_conf = openssl_init key-value pair).'
),
reporting.Remediation(
'The openssl.cnf file needs to contain the following initialization: '
'`openssl_conf = openssl_init` The `openssl_conf` now contains {} or '
'the `[ openssl_init ]` block is missing. '.format(config.openssl_conf)
),
reporting.Groups([reporting.Groups.INHIBITOR]),
reporting.Severity(reporting.Severity.HIGH),
reporting.Groups([
reporting.Groups.SECURITY,
reporting.Groups.NETWORK,
reporting.Groups.SERVICES
]),
] + resources)
if config.openssl_conf != 'openssl_init' or not init_block:
api.current_logger().warning(
'Non standard configuration in /etc/pki/tls/openssl.cnf: missing "openssl_init" section.'
)
return

engines_pair = _find_pair(init_block, "engines")
engines_pair = _find_pair(init_block, 'engines')
if not engines_pair:
# No engines no problem
return
Expand All @@ -111,44 +99,63 @@ def check_openssl_engines(config):

# the engine is defined by name, but does not have a corresponding block
if not engine_block:
api.current_logger().debug("The engine {} does not have corresponding configuration block."
.format(name))
api.current_logger().debug(
'The engine {} does not have corresponding configuration block.'
.format(name)
)
continue

enabled_engines.append(name)

if "pkcs11" in enabled_engines:
if 'pkcs11' in enabled_engines:
reporting.create_report([
reporting.Title('There is pkcs11 engine configured in openssl.cnf'),
reporting.Title('Detected pkcs11 engine configured in openssl.cnf'),
# FIXME: does it really affect the system in the way I could not
# connect to the system or the system could be totally malfunction?
reporting.Summary(
'The OpenSSL configuration file `/etc/pki/tls/openssl.cnf` contains the '
'initialization of pkcs11 engine. The pkcs11 engine was removed from RHEL 10 '
'and replaced with pkcs11-provider. Before continuing the update, please remove '
'the pkcs11 engine configuration.'
'The /etc/pki/tls/openssl.cnf OpenSSL configuration file contains the'
' initialization of pkcs11 engine. The pkcs11 engine was removed from RHEL 10'
' and it is replaced with pkcs11-provider. Any applications depending on this'
' engine will not work on the upgraded system which could potentially'
' negatively affect accessibility to the system.'
),
reporting.Remediation(hint=(
'Before continuing the upgrade, remove the pkcs11 engine configuration'
' and .....TODO.'
' Then configure your system and applications to use the pkcs11-provider'
' instead.'
))
reporting.Groups([reporting.Groups.INHIBITOR]),
reporting.Severity(reporting.Severity.HIGH),
reporting.Groups([
reporting.Groups.SECURITY,
reporting.Groups.NETWORK,
reporting.Groups.SERVICES
]),
] + resources)
] + RESOURCES)
# do not report it again below if it is the only one
enabled_engines.remove("pkcs11")
enabled_engines.remove('pkcs11')

if enabled_engines:
reporting.create_report([
reporting.Title('There are enabled engines in openssl.cnf'),
reporting.Title('Detected enabled deprecated engines in openssl.cnf'),
reporting.Summary(
'The OpenSSL configuration file `/etc/pki/tls/openssl.cnf` contains the '
'following enabled engines: {}. They are deprecated in OpenSSL 3.0, will '
'not work in the following versions. '.format(', '.join(enabled_engines))
'OpenSSL engines are deprecated since OpenSSL version 3.0'
' and they are no longer supported nor available on the target'
' RHEL 10 system. Any applications depending on OpenSSL engines'
' will not work correctly on the target system and must be configured'
' to use OpenSSL providers instead.'
' The following OpenSSL engines are configured inside the /etc/pki/tls/openssl.cnf file:'
.format(''.join(_formatted_list_output(enabled_engines)))
),
reporting.Severity(reporting.Severity.LOW),
reporting.Remediation(hint=(
'After the upgrade configure your system and applications'
' to use OpenSSL providers instead of OpenSSL engines.'
))
reporting.Severity(reporting.Severity.MEDIUM),
reporting.Groups([
reporting.Groups.SECURITY,
reporting.Groups.NETWORK,
reporting.Groups.SERVICES
]),
] + resources)
] + RESOURCES)
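Review bot: At the `))` that closes the `reporting.Remediation(hint=(...))` entry of the pkcs11 report, and again at the same spot in the second report, the rendered page shows no trailing comma before the following `reporting.Groups(...)` / `reporting.Severity(...)` element; if the file really reads that way the list literal is a SyntaxError and the library will not import, so both should be `)),`. The pkcs11 remediation hint also still carries the placeholder `' and .....TODO.'`, which would be shown verbatim to the administrator in an inhibitor report, so it should be finished or dropped before this lands. In the earlier hunk `init_block` is already looked up by `config.openssl_conf`, so the extra `config.openssl_conf != 'openssl_init'` condition only makes the engine scan skip configurations whose init section exists under another name, where a pkcs11 or other engine then goes unreported; unless that strictness is intended, testing `if not init_block:` alone and including `config.openssl_conf` in the warning text would be safer. check_openssl_engines starts outside this hunk.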
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,7 @@ def test_actor_execution_empty_modified(current_actor_context):
)
)
current_actor_context.run()
r = current_actor_context.consume(Report)
assert r
assert 'Non-standard configuration of openssl.cnf' in r[0].report['title']
assert not current_actor_context.consume(Report)


def test_actor_execution_default_modified(current_actor_context):
Expand All @@ -31,59 +29,59 @@ def test_actor_execution_default_modified(current_actor_context):
openssl_conf='openssl_init',
blocks=[
OpenSslConfigBlock(
name="openssl_init",
name='openssl_init',
pairs=[
OpenSslConfigPair(
key="providers",
value="provider_sect"
key='providers',
value='provider_sect'
),
OpenSslConfigPair(
key="ssl_conf",
value="ssl_module"
key='ssl_conf',
value='ssl_module'
),
OpenSslConfigPair(
key="alg_section",
value="evp_properties"
key='alg_section',
value='evp_properties'
)
]
),
OpenSslConfigBlock(
name="evp_properties",
name='evp_properties',
pairs=[]
),
OpenSslConfigBlock(
name="provider_sect",
name='provider_sect',
pairs=[
OpenSslConfigPair(
key="default",
value="default_sect"
key='default',
value='default_sect'
)
]
),
OpenSslConfigBlock(
name="default_sect",
name='default_sect',
pairs=[
OpenSslConfigPair(
key="activate",
value="1"
key='activate',
value='1'
)
]
),
OpenSslConfigBlock(
name="ssl_module",
name='ssl_module',
pairs=[
OpenSslConfigPair(
key="system_default",
value="crypto_policy"
key='system_default',
value='crypto_policy'
)
]
),
OpenSslConfigBlock(
name="crypto_policy",
name='crypto_policy',
pairs=[
OpenSslConfigPair(
key=".include",
value="/etc/crypto-policies/back-ends/opensslcnf.config"
key='.include',
value='/etc/crypto-policies/back-ends/opensslcnf.config'
)
]
),
Expand All @@ -102,29 +100,29 @@ def test_actor_execution_pkcs11_engine_modified(current_actor_context):
openssl_conf='openssl_init',
blocks=[
OpenSslConfigBlock(
name="openssl_init",
name='openssl_init',
pairs=[
OpenSslConfigPair(
key="engines",
value="engines_sect"
key='engines',
value='engines_sect'
)
]
),
OpenSslConfigBlock(
name="engines_sect",
name='engines_sect',
pairs=[
OpenSslConfigPair(
key="pkcs11",
value="pkcs11_sect"
key='pkcs11',
value='pkcs11_sect'
)
]
),
OpenSslConfigBlock(
name="pkcs11_sect",
name='pkcs11_sect',
pairs=[
OpenSslConfigPair(
key="dynamic_path",
value="/usr/lib64/engines-3/pkcs11.so"
key='dynamic_path',
value='/usr/lib64/engines-3/pkcs11.so'
)
]
)
Expand All @@ -133,9 +131,9 @@ def test_actor_execution_pkcs11_engine_modified(current_actor_context):
)
)
current_actor_context.run()
r = current_actor_context.consume(Report)
assert r
assert 'There is pkcs11 engine configured in openssl.cnf' in r[0].report['title']
report = current_actor_context.consume(Report)
assert report
assert 'Detected pkcs11 engine configured in openssl.cnf' in report[0].report['title']


def test_actor_execution_other_engine_modified(current_actor_context):
Expand All @@ -145,29 +143,29 @@ def test_actor_execution_other_engine_modified(current_actor_context):
openssl_conf='openssl_init',
blocks=[
OpenSslConfigBlock(
name="openssl_init",
name='openssl_init',
pairs=[
OpenSslConfigPair(
key="engines",
value="engines_sect"
key='engines',
value='engines_sect'
)
]
),
OpenSslConfigBlock(
name="engines_sect",
name='engines_sect',
pairs=[
OpenSslConfigPair(
key="acme",
value="acme_sect"
key='acme',
value='acme_sect'
)
]
),
OpenSslConfigBlock(
name="acme_sect",
name='acme_sect',
pairs=[
OpenSslConfigPair(
key="init",
value="0"
key='init',
value='0'
)
]
)
Expand All @@ -176,7 +174,7 @@ def test_actor_execution_other_engine_modified(current_actor_context):
)
)
current_actor_context.run()
r = current_actor_context.consume(Report)
assert r
assert 'There are enabled engines in openssl.cnf' in r[0].report['title']
assert 'acme' in r[0].report['summary']
report = current_actor_context.consume(Report)
assert report
assert 'Detected enabled deprecated engines in openssl.cnf' in report[0].report['title']
assert 'acme' in report[0].report['summary']
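Review bot: In the first hunk, `assert not current_actor_context.consume(Report)` only checks that the non-standard configuration produces no report, so the test passes equally if the actor silently skips the check for any other reason; since the library now degrades to a logged warning in that case, the test should also assert that the warning was emitted, using whatever logger mock the suite already provides, so a regression that drops the warning is caught. The rest of the section is a quote-style normalisation and title updates that mirror the library change. test_actor_execution_empty_modified starts outside the hunk.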
