commit 3dee4f7cff34f9b0d2951364e1313ec389a93557 Author: Adrian Schröter Date: Mon Dec 18 17:01:59 2023 +0100 Sync from SUSE:ALP:Source:Standard:1.0 crypto-policies revision 9cefc04f311fdcca5a7b3a6516a7e9bc diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..6a73c6c --- /dev/null +++ b/README.SUSE @@ -0,0 +1,6 @@ +Currently, the supported back-end policies are: + * OpenSSL library + * GnuTLS library + * OpenJDK + +The rest of the modules ignore the policy settings for the time being. diff --git a/_service b/_service new file mode 100644 index 0000000..e039e31 --- /dev/null +++ b/_service @@ -0,0 +1,14 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + git + %cd.%h + enable + 570ea89092555c6c289f226bb48c2d8c1f332b0f + + + *.tar + gz + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..726a584 --- /dev/null 
+++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://gitlab.com/redhat-crypto/fedora-crypto-policies.git + 570ea89092555c6c289f226bb48c2d8c1f332b0f \ No newline at end of file diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch new file mode 100644 index 0000000..ed98b45 --- /dev/null +++ b/crypto-policies-FIPS.patch 
@@ -0,0 +1,181 @@ +Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup ++++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup +@@ -81,6 +81,19 @@ if [ "$(id -u)" != 0 ]; then + exit 1 + fi + ++# This check must be done as root, otherwise it will fail. ++is_transactional_system=0 ++if test ! -w /usr ; then ++ is_transactional_system=1 ++fi ++ ++# We don't handle the setup on transactional systems as the process is ++# quite different and involves several reboots. ++if test "$is_transactional_system" = 1 && test "$check" = 0 ; then ++ cond_echo -n "Cannot handle transactional systems. " ++ cond_echo "Please, refer to the fips-mode-setup man pages for more information." ++ exit 1 ++fi + + # Detect 1: kernel FIPS flag + fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) +@@ -204,9 +217,22 @@ else + fi + fi + +-if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +- echo "The grubby command is missing, please configure the bootloader manually." +- boot_config=0 ++if test "$boot_config" = 1 ; then ++ # Install required packages: patterns-base-fips and perl-Bootloader ++ if test ! -f /etc/dracut.conf.d/40-fips.conf && \ ++ test ! -x "$(command -v pbl)" && \ ++ test "$enable_fips" = 1; then ++ zypper -n install patterns-base-fips perl-Bootloader ++ elif test ! -f /etc/dracut.conf.d/40-fips.conf && \ ++ test "$enable_fips" = 1 ; then ++ zypper -n install patterns-base-fips ++ elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++ fi ++ if test $? != 0 ; then ++ echo "The pbl command or the fips pattern are missing, please configure the bootloader manually." ++ boot_config=0 ++ fi + fi + + echo "FIPS mode will be $(enable2txt $enable_fips)." 
+@@ -217,15 +243,19 @@ if test $boot_config = 0 ; then + echo "Now you need to configure the bootloader to add kernel options \"$fipsopts\"" + echo "and reboot the system for the setting to take effect." + else +- grubby --update-kernel=ALL --args="$fipsopts" +- if test x"$(uname -m)" = xs390x; then +- if command -v zipl >/dev/null; then +- zipl +- else +- echo -n '`zipl` execution has been skipped: ' +- echo '`zipl` not found.' +- fi +- fi ++ pbl --add-option "$fipsopts" ++ grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all ++ ++ # grubby --update-kernel=ALL --args="$fipsopts" ++ # if test x"$(uname -m)" = xs390x; then ++ # if command -v zipl >/dev/null; then ++ # zipl ++ # else ++ # echo -n '`zipl` execution has been skipped: ' ++ # echo '`zipl` not found.' ++ # fi ++ # fi ++ + echo "Please reboot the system for the setting to take effect." + fi + +Index: fedora-crypto-policies-20230920.570ea89/fips-finish-install +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/fips-finish-install ++++ fedora-crypto-policies-20230920.570ea89/fips-finish-install +@@ -24,6 +24,15 @@ fi + + umask 022 + ++# Install required packages: patterns-base-fips and perl-Bootloader ++if test ! -f $dracut_cfg && test ! -x "$(command -v pbl)" ; then ++ zypper -n install patterns-base-fips perl-Bootloader ++elif test ! -f $dracut_cfg ; then ++ zypper -n install patterns-base-fips ++elif test ! -x "$(command -v pbl)" ; then ++ zypper -n install perl-Bootloader ++fi ++ + if test ! -d $dracut_cfg_d -o ! -d /boot -o "$is_ostree_system" = 1 ; then + # No dracut configuration or boot directory present, do not try to modify it. + # Also, on OSTree systems, we currently rely on the initrd already including +@@ -31,28 +40,28 @@ if test ! -d $dracut_cfg_d -o ! 
-d /boot + exit 0 + fi + +-if test x"$1" == x--complete; then +- trap "rm -f $dracut_cfg" ERR +- cat >$dracut_cfg </dev/null; then +- zipl +- else +- echo '`zipl` execution has been skipped: `zipl` not found.' +- fi +-fi ++# if test x"$1" == x--complete; then ++# trap "rm -f $dracut_cfg" ERR ++# cat >$dracut_cfg </dev/null; then ++# zipl ++# else ++# echo '`zipl` execution has been skipped: `zipl` not found.' ++# fi ++# fi +Index: fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/fips-mode-setup.8.txt ++++ fedora-crypto-policies-20230920.570ea89/fips-mode-setup.8.txt +@@ -45,6 +45,23 @@ Then the command modifies the boot loade + When disabling the system FIPS mode the system crypto policy is switched + to DEFAULT and the kernel command line option 'fips=0' is set. + ++On transactional systems, enabling the system in FIPS mode with the ++fips-mode-setup tool is not implemented. To enable the FIPS mode in these ++systems requires the following steps: ++ ++ 1.- Install the FIPS pattern on a running system: ++ # transactional-update pkg install -t pattern microos-fips ++ ++ 2.- Reboot your system. ++ ++ 3.- Add the kernel command line parameter fips=1 to the boot loader ++ configuration. To do so, edit the file /etc/default/grub and add ++ fips=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable. ++ ++ 4.- After logging in to the system, run: ++ # transactional-update grub.cfg ++ ++ 5.- Reboot your system. + + [[options]] + OPTIONS diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch new file mode 100644 index 0000000..3f7e2b1 --- /dev/null +++ b/crypto-policies-no-build-manpages.patch 
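Review bot: In the fips-mode-setup hunk the replacement bootloader sequence `pbl --add-option "$fipsopts"` followed by `grub2-mkconfig -o /boot/grub2/grub.cfg && dracut -f --regenerate-all` never checks an exit status, so a failed pbl, grub2-mkconfig or dracut run still falls through to "Please reboot the system for the setting to take effect" and the operator is told FIPS is configured when the kernel flag may not be set and the initrd may lack the fips module. The grubby call it replaces was equally unchecked, but here a pbl failure still triggers a grub regenerate and a dracut failure is completely silent; I would gate each step, e.g. `pbl --add-option "$fipsopts" || { echo "pbl failed, please configure the bootloader manually." >&2; exit 1; }` and the same for the grub2-mkconfig/dracut pair, or at least reset boot_config=0 and print the manual instructions. Separately, the whole `--complete` body of fips-finish-install appears to be commented out (the hunk is garbled, so I cannot see whether an `--uninstall` branch survives), which means a `fips-mode-setup --disable` that still calls `fips-finish-install --uninstall` as upstream does would no longer remove the dracut FIPS configuration; a comment stating that patterns-base-fips now owns /etc/dracut.conf.d/40-fips.conf and what disable is expected to do would make that intent explicit. The transactional-system steps added to the man page only add `fips=1`; upstream's grubby path also computed a `boot=` option when /boot is a separate filesystem so the initrd can locate the kernel HMAC file, and if that still applies on SUSE the manual steps should mention it.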
@@ -0,0 +1,28 @@ +Index: fedora-crypto-policies-20230420.3d08ae7/Makefile +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile ++++ fedora-crypto-policies-20230420.3d08ae7/Makefile +@@ -28,9 +28,9 @@ install: $(MANPAGES) + mkdir -p $(DESTDIR)$(MANDIR)/man7 + mkdir -p $(DESTDIR)$(MANDIR)/man8 + mkdir -p $(DESTDIR)$(BINDIR) +- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 +- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 +- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) ++ # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 ++ # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 ++ # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) + mkdir -p $(DESTDIR)$(DIR)/ + install -p -m 644 default-config $(DESTDIR)$(DIR) + install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR) +@@ -114,8 +114,8 @@ clean: + rm -rf output + + %: %.txt +- $(ASCIIDOC) -v -d manpage -b docbook $< +- xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml ++ #$(ASCIIDOC) -v -d manpage -b docbook $< ++ #xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml + + dist: + rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies diff --git a/crypto-policies-nss.patch b/crypto-policies-nss.patch new file mode 100644 index 0000000..a0a66ca --- /dev/null +++ b/crypto-policies-nss.patch 
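Review bot: The install-target hunk comments out `install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)` together with the two man-page lines, which goes beyond what the patch name (no-build-manpages) promises: after this `make install` no longer installs update-crypto-policies or fips-mode-setup at all. That is fine if the spec file installs the scripts itself, but the spec is not in this view, and a future upstream sync that adds a script to $(SCRIPTS) would then be silently dropped. I would keep the scripts line and only disable the man-page install and the `%: %.txt` recipe, or at minimum replace the bare `#` with a comment such as `# scripts are installed explicitly by the spec file; only the asciidoc man-page build is disabled here` so the next maintainer does not restore the line by mistake.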
@@ -0,0 +1,42 @@ +Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/nss.py ++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/nss.py +@@ -198,12 +198,20 @@ class NSSGenerator(ConfigGenerator): + try: + with os.fdopen(fd, 'w') as f: + f.write(config) +- try: +- ret = call(f'/usr/bin/nss-policy-check {options} {path}' +- '>/dev/null', +- shell=True) +- except CalledProcessError: +- cls.eprint("/usr/bin/nss-policy-check: Execution failed") ++ if os.path.exists('/usr/bin/nss-policy-check'): ++ # Perform a policy check only if the mozilla-nss-tools ++ # package is installed. This avoids adding more ++ # dependencies to Ring0. ++ try: ++ ret = call(f'/usr/bin/nss-policy-check {options} {path}' ++ '>/dev/null', shell=True) ++ except CalledProcessError: ++ cls.eprint("/usr/bin/nss-policy-check: Execution failed") ++ else: ++ # The mozilla-nss-tools package is not installed and we can ++ # temporarily skip the policy check for mozilla-nss. ++ ret = 3 ++ + finally: + os.unlink(path) + +@@ -211,6 +219,10 @@ class NSSGenerator(ConfigGenerator): + cls.eprint("There is a warning in NSS generated policy") + cls.eprint(f'Policy:\n{config}') + return False ++ elif ret == 3: ++ cls.eprint('Skipping NSS policy check: ' ++ '/usr/bin/nss-policy-check not found') ++ return True + elif ret: + cls.eprint("There is an error in NSS generated policy") + cls.eprint(f'Policy:\n{config}') diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch new file mode 100644 index 0000000..d8bb342 --- /dev/null +++ b/crypto-policies-policygenerators.patch 
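Review bot: The new fallback reuses `ret` with the literal 3 as a "checker not installed" sentinel, and the later `elif ret == 3` branch returns True, so if /usr/bin/nss-policy-check can itself exit with status 3 a genuinely bad policy would be reported as "Skipping NSS policy check" and accepted; I cannot confirm nss-policy-check's exit codes from here, but the overlap is avoidable. I would initialise `ret = None` before the `os.path.exists` check and test `elif ret is None:` (or carry a separate `checked` boolean) so the sentinel cannot collide with a real exit status. The probe is also only a presence test, so a file that exists but is not executable still goes into `call(..., shell=True)`, and the pre-existing `except CalledProcessError` does not cover a non-zero return from `call` in any case; `shutil.which('nss-policy-check')` would be the cleaner check. Because the skip path writes the NSS config unvalidated, the comment next to the sentinel should say which package provides the checker and that the back-end file is written unchecked when it is absent. The enclosing method begins and ends outside this hunk.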
@@ -0,0 +1,43 @@ +Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/__init__.py ++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/__init__.py +@@ -8,7 +8,7 @@ from .gnutls import GnuTLSGenerator + from .java import JavaGenerator + from .java import JavaSystemGenerator + from .krb5 import KRB5Generator +-from .libreswan import LibreswanGenerator ++# from .libreswan import LibreswanGenerator + from .libssh import LibsshGenerator + from .nss import NSSGenerator + from .openssh import OpenSSHClientGenerator +@@ -16,8 +16,8 @@ from .openssh import OpenSSHServerGenera + from .openssl import OpenSSLConfigGenerator + from .openssl import OpenSSLGenerator + from .openssl import OpenSSLFIPSGenerator +-from .sequoia import SequoiaGenerator +-from .sequoia import RPMSequoiaGenerator ++# from .sequoia import SequoiaGenerator ++# from .sequoia import RPMSequoiaGenerator + + __all__ = [ + 'BindGenerator', +@@ -25,7 +25,6 @@ __all__ = [ + 'JavaGenerator', + 'JavaSystemGenerator', + 'KRB5Generator', +- 'LibreswanGenerator', + 'LibsshGenerator', + 'NSSGenerator', + 'OpenSSHClientGenerator', +@@ -33,6 +32,8 @@ __all__ = [ + 'OpenSSLConfigGenerator', + 'OpenSSLGenerator', + 'OpenSSLFIPSGenerator', +- 'SequoiaGenerator', +- 'RPMSequoiaGenerator', + ] ++ ++# 'LibreswanGenerator', ++# 'SequoiaGenerator', ++# 'RPMSequoiaGenerator', diff --git a/crypto-policies-pylint.patch b/crypto-policies-pylint.patch new file mode 100644 index 0000000..265f061 --- /dev/null +++ b/crypto-policies-pylint.patch 
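Review bot: Removing LibreswanGenerator and the two Sequoia generators from `__all__` means update-crypto-policies will no longer write libreswan.config or the sequoia/rpm-sequoia back-end files, but nothing in this hunk removes files generated by an earlier version from /etc/crypto-policies/back-ends; if those consumers still read them on SUSE (not visible here), a stale file would keep being honoured and stop following policy changes such as a switch to FIPS or FUTURE. A comment above the commented-out imports, e.g. `# libreswan and sequoia back-ends are not shipped on SUSE; their generators are disabled so no back-end file is written`, would record the intent better than bare `#` lines and the dangling commented names appended after the `__all__` list. If stale-file cleanup is handled in the spec or elsewhere in update-crypto-policies, a pointer to it here would help.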
@@ -0,0 +1,15 @@ +Index: fedora-crypto-policies-20230614.5f3458e/Makefile +=================================================================== +--- fedora-crypto-policies-20230614.5f3458e.orig/Makefile ++++ fedora-crypto-policies-20230614.5f3458e/Makefile +@@ -44,8 +44,8 @@ runflake8: + @find -name '*.py' | grep -v krb5check | xargs flake8 --config .flake8 + + runpylint: +- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc python +- PYTHONPATH=. pylint$(PYVERSION) --rcfile=pylintrc tests ++ PYTHONPATH=. pylint --rcfile=pylintrc python ++ PYTHONPATH=. pylint --rcfile=pylintrc tests + @echo "[ OK ]" + + runcodespell: diff --git a/crypto-policies-revert-rh-allow-sha1-signatures.patch b/crypto-policies-revert-rh-allow-sha1-signatures.patch new file mode 100644 index 0000000..3da74a5 --- /dev/null +++ b/crypto-policies-revert-rh-allow-sha1-signatures.patch 
@@ -0,0 +1,327 @@ +From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Fri, 8 Apr 2022 13:47:29 +0200 +Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 + + +Index: fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/policies/FUTURE.pol ++++ fedora-crypto-policies-20230920.570ea89/policies/FUTURE.pol +@@ -66,7 +66,3 @@ sha1_in_certs = 0 + arbitrary_dh_groups = 1 + ssh_certs = 1 + ssh_etm = 1 +- +-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 +-# SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 +Index: fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/policies/modules/NO-SHA1.pmod ++++ fedora-crypto-policies-20230920.570ea89/policies/modules/NO-SHA1.pmod +@@ -3,7 +3,3 @@ + hash = -SHA1 + sign = -*-SHA1 + sha1_in_certs = 0 +- +-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 +-# SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 +Index: fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/python/cryptopolicies/cryptopolicies.py ++++ fedora-crypto-policies-20230920.570ea89/python/cryptopolicies/cryptopolicies.py +@@ -24,7 +24,6 @@ from . 
import validation # moved out of + INT_DEFAULTS = {k: 0 for k in ( + 'arbitrary_dh_groups', + 'min_dh_size', 'min_dsa_size', 'min_rsa_size', +- '__openssl_block_sha1_signatures', # FUTURE/TEST-FEDORA39/NO-SHA1 + 'sha1_in_certs', + 'ssh_certs', 'ssh_etm', + )} +Index: fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/python/policygenerators/openssl.py ++++ fedora-crypto-policies-20230920.570ea89/python/policygenerators/openssl.py +@@ -7,13 +7,6 @@ from subprocess import check_output, Cal + + from .configgenerator import ConfigGenerator + +-RH_SHA1_SECTION = ''' +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = {} +-''' + + FIPS_MODULE_CONFIG = ''' + [fips_sect] +@@ -263,12 +256,6 @@ class OpenSSLConfigGenerator(OpenSSLGene + if policy.enums['__ems'] == 'RELAX': + s += 'Options = RHNoEnforceEMSinFIPS\n' + +- # In the future it'll be just +- # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no') +- # but for now we slow down the roll-out and we have +- sha1_sig = not policy.integers['__openssl_block_sha1_signatures'] +- s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no') +- + return s + + @classmethod +Index: fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/alternative-policies/FUTURE.pol ++++ fedora-crypto-policies-20230920.570ea89/tests/alternative-policies/FUTURE.pol +@@ -73,7 +73,3 @@ sha1_in_dnssec = 0 + arbitrary_dh_groups = 1 + ssh_certs = 1 + ssh_etm = 1 +- +-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 +-# SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 +Index: 
fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt +=================================================================== +--- 
fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/DEFAULT:GOST-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/EMPTY-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/EMPTY-opensslcnf.txt +@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS + Ciphersuites = + SignatureAlgorithms = + Groups = +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = 
evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = secp256r1:secp521r1:secp384r1 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FUTURE-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FUTURE-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = no +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/GOST-ONLY-opensslcnf.txt ++++ 
fedora-crypto-policies-20230920.570ea89/tests/outputs/GOST-ONLY-opensslcnf.txt +@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1 + TLS.MaxProtocol = TLSv1.3 + SignatureAlgorithms = + Groups = +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 + Groups = 
X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/unit/test_cryptopolicy.py ++++ fedora-crypto-policies-20230920.570ea89/tests/unit/test_cryptopolicy.py +@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm + min_dh_size = 0 + min_dsa_size = 0 + min_rsa_size = 0 +- __openssl_block_sha1_signatures = 0 + sha1_in_certs = 0 + ssh_certs = 0 + ssh_etm = 0 +@@ -292,7 +291,6 @@ def test_cryptopolicy_to_string_twisted( + min_dh_size = 0 + min_dsa_size = 0 + min_rsa_size = 0 +- __openssl_block_sha1_signatures = 0 + sha1_in_certs = 0 + ssh_certs = 0 + ssh_etm = 0 +Index: fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/policies/TEST-FEDORA39.pol ++++ fedora-crypto-policies-20230920.570ea89/policies/TEST-FEDORA39.pol +@@ -68,7 +68,3 @@ sha1_in_certs = 0 + arbitrary_dh_groups = 1 + ssh_certs = 1 + ssh_etm = 1 +- +-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 +-# SHA-1 signatures will blocked in OpenSSL +-__openssl_block_sha1_signatures = 1 +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FEDORA38-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FEDORA38-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/TEST-FEDORA39-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/TEST-FEDORA39-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = no +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:OSPP-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = secp521r1:secp384r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- 
+-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:brainpoolP512r1:brainpoolP384r1:brainpoolP256r1 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt ++++ fedora-crypto-policies-20230920.570ea89/tests/outputs/FIPS:NO-ENFORCE-EMS-opensslcnf.txt +@@ -7,9 +7,3 @@ DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = secp256r1:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 + Options = RHNoEnforceEMSinFIPS +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes diff --git a/crypto-policies-rpmlintrc b/crypto-policies-rpmlintrc new file mode 100644 index 0000000..bd2ffb0 --- /dev/null +++ b/crypto-policies-rpmlintrc 
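Review bot: The patch header keeps the original upstream metadata (`From: Alexander Sosedkin`, `Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1`) while the body does the opposite — it deletes the `__openssl_block_sha1_signatures` integer, the RH_SHA1_SECTION template and the `[evp_properties] rh-allow-sha1-signatures` section from every generated opensslcnf — so anyone reading the patch later will misread what it does. The subject should state that it is a revert and why, e.g. `Subject: Revert "openssl: disable SHA-1 signatures in FUTURE/NO-SHA1" - rh-allow-sha1-signatures is not understood by SUSE's OpenSSL`, assuming that is the reason (the `rh-` prefix suggests a Red Hat-specific provider property, which I cannot confirm from here). Functionally FUTURE and NO-SHA1 still drop SHA1 from `sign`/`hash` and from the TLS SignatureAlgorithms list, but they lose the OpenSSL-wide block on SHA-1 signatures in non-TLS paths (presumably X.509 chain and CMS verification), so if the shipped crypto-policies(7) text still describes FUTURE or NO-SHA1 as blocking SHA-1 signatures in OpenSSL it should be adjusted to match. If SUSE's OpenSSL exposes an equivalent switch, wiring the removed integer to it would be preferable to deleting the knob outright.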
@@ -0,0 +1,3 @@
+addFilter(".*files-duplicate.*")
+addFilter(".*zero-length.*")
+addFilter(".non-conffile-in-etc.*")
diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch
new file mode 100644
index 0000000..62a1c11
--- /dev/null
+++ b/crypto-policies-supported.patch
@@ -0,0 +1,37 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
++++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+@@ -54,23 +54,23 @@ are configured to follow the default pol
+ The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
+ Currently the supported back-ends (and directive scopes they respect) are:
+
+-* GnuTLS library (GnuTLS, SSL, TLS)
++* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
+
+-* OpenSSL library (OpenSSL, SSL, TLS)
++* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
+
+-* NSS library (NSS, SSL, TLS)
++* NSS library (NSS, SSL, TLS) (Not supported)
+
+-* OpenJDK (java-tls, SSL, TLS)
++* OpenJDK (java-tls, SSL, TLS) (Supported)
+
+-* Libkrb5 (krb5, kerberos)
++* Libkrb5 (krb5, kerberos) (Not supported)
+
+-* BIND (BIND, DNSSec)
++* BIND (BIND, DNSSec) (Not supported)
+
+-* OpenSSH (OpenSSH, SSH)
++* OpenSSH (OpenSSH, SSH) (Not supported)
+
+-* Libreswan (libreswan, IKE, IPSec)
++* Libreswan (libreswan, IKE, IPSec) (Not supported)
+
+-* libssh (libssh, SSH)
++* libssh (libssh, SSH) (Not supported)
+
+ Applications and languages which rely on any of these back-ends will follow
+ the system policies as well. Examples are apache httpd, nginx, php, and
diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz
new file mode 100644
index 0000000..9fa738c
--- /dev/null
+++ b/crypto-policies.7.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e827416a5fcfaad62e92def75aba69413f66c0e8b15d87db492629152838f097
+size 7322
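Review bot: The third filter in crypto-policies-rpmlintrc, `addFilter(".non-conffile-in-etc.*")`, begins with a lone `.` where the two filters above it use `.*`; it appears to still match because rpmlint searches the pattern rather than anchoring it, but the intent reads as `addFilter(".*non-conffile-in-etc.*")` and the inconsistency invites a wrong "fix" later. The filter also hides the warning for README.SUSE, which the spec installs as `%doc` under `%{_sysconfdir}/crypto-policies`; a one-line comment in the rpmlintrc naming which files each filter is meant to cover would make that suppression reviewable.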
diff --git a/crypto-policies.changes b/crypto-policies.changes
new file mode 100644
index 0000000..a783624
--- /dev/null
+++ b/crypto-policies.changes
@@ -0,0 +1,330 @@
+-------------------------------------------------------------------
+Thu Oct 5 12:35:57 UTC 2023 - Daniel Garcia
+
+- Remove dependency on /usr/bin/python3, making scripts to depends on
+ the real python3 binary, not the link. bsc#1212476
+
+-------------------------------------------------------------------
+Wed Sep 27 10:54:17 UTC 2023 - Pedro Monreal
+
+- nss: Skip the NSS policy check if the mozilla-nss-tools package
+ is not installed. This avoids adding more dependencies in ring0.
+ * Add crypto-policies-nss.patch [bsc#1211301]
+
+-------------------------------------------------------------------
+Fri Sep 22 10:27:53 UTC 2023 - Pedro Monreal
+
+- Update to version 20230920.570ea89:
+ * fips-mode-setup: more thorough --disable, still unsupported
+ * FIPS:OSPP: tighten beyond reason for OSPP 4.3
+ * krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
+ * openssl: implement relaxing EMS in FIPS (NO-ENFORCE-EMS)
+ * gnutls: prepare for tls-session-hash option coming
+ * nss: prepare for TLS-REQUIRE-EMS option coming
+ * NO-ENFORCE-EMS: add subpolicy
+ * FIPS: set __ems = ENFORCE
+ * cryptopolicies: add enums and __ems tri-state
+ * docs: replace `FIPS 140-2` with just `FIPS 140`
+ * .gitlab-ci: remove forcing OPENSSH_MIN_RSA_SIZE
+ * cryptopolicies: add comments on dunder options
+ * nss: retire NSS_OLD and replace with NSS_LAX 3.80 check
+ * BSI: start a BSI TR 02102 policy [jsc#PED-4933]
+ * Rebase patches:
+ - crypto-policies-policygenerators.patch
+ - crypto-policies-revert-rh-allow-sha1-signatures.patch
+ - crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 15 11:23:06 UTC 2023 - Pedro Monreal
+
+- Conditionally recommend the crypto-policies-scripts package
+ when python is not installed in the system [bsc#1215201]
+
+-------------------------------------------------------------------
+Thu Aug 31 12:17:44 UTC 2023 - Pedro Monreal
+
+- Tests: Fix pylint versioning for TW and fix the parsing of the
+ policygenerators to account for the commented lines correctly.
+ * Add crypto-policies-pylint.patch
+ * Rebase crypto-policies-policygenerators.patch
+
+-------------------------------------------------------------------
+Tue Aug 1 12:23:33 UTC 2023 - Pedro Monreal
+
+- FIPS: Adapt the fips-mode-setup script to use the pbl command
+ from the perl-Bootloader package to replace grubby. Add a note
+ for transactional systems [jsc#PED-5041].
+ * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Jul 14 14:59:06 UTC 2023 - Marcus Meissner
+
+- BSI.pol: Added a new BSI policy for BSI TR 02102* (jsc#PED-4933)
+ derived from NEXT.pol
+
+-------------------------------------------------------------------
+Thu Jul 13 06:36:20 UTC 2023 - Pedro Monreal
+
+- Update to version 20230614.5f3458e:
+ * policies: impose old OpenSSL groups order for all back-ends
+ * Rebase patches:
+ - crypto-policies-revert-rh-allow-sha1-signatures.patch
+ - crypto-policies-supported.patch
+
+-------------------------------------------------------------------
+Thu May 25 11:28:12 UTC 2023 - Pedro Monreal
+
+- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
+ and fips-finish-install commands, add also the man pages. The
+ required FIPS modules are left to be installed by the user.
+ * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Wed May 24 20:04:20 UTC 2023 - Pedro Monreal
+
+- Revert a breaking change that introduces the config option
+ rh-allow-sha1-signatures that is unkown to OpenSSL and fails
+ on startup. We will consider adding this option to openssl.
+ * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494
+ * Add crypto-policies-revert-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Mon May 8 09:45:45 UTC 2023 - Pedro Monreal
+
+- Update the update-crypto-policies(8) man pages and README.SUSE
+ to mention the supported back-end policies. [bsc#1209998]
+ * Add crypto-policies-supported.patch
+
+-------------------------------------------------------------------
+Mon May 08 06:32:49 UTC 2023 - Pedro Monreal
+
+- Update to version 20230420.3d08ae7:
+ * openssl, alg_lists: add brainpool support
+ * openssl: set Groups explicitly
+ * codespell: ignore aNULL
+ * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
+ * sequoia: add separate rpm-sequoia backend
+ * crypto-policies.7: state upfront that FUTURE is not so interoperable
+ * Makefile: update for asciidoc 10
+ * Skip not needed LibreswanGenerator and SequoiaGenerator:
+ - Add crypto-policies-policygenerators.patch
+ * Remove crypto-policies-test_supported_modules_only.patch
+ * Rebase crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
+Fri Jan 20 09:25:22 UTC 2023 - Pedro Monreal
+
+- Update to version 20221214.a4c31a3:
+ * bind: expand the list of disableable algorithms
+ * libssh: Add support for openssh fido keys
+ * .gitlab-ci.yml: install krb5-devel for krb5-config
+ * sequoia: check using sequoia-policy-config-check
+ * sequoia: introduce new back-end
+ * Makefile: support overriding asciidoc executable name
+ * openssh: make none and auto explicit and different
+ * openssh: autodetect and allow forcing RequiredRSASize presence/name
+ * openssh: remove _pre_8_5_ssh
+ * pylintrc: update
+ * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
+ * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
+ * Makefile: exclude built manpages from codespell
+ * add openssh HostbasedAcceptedAlgorithms
+ * openssh: add RSAMinSize option following min_rsa_size
+ * Revert ".gitlab-ci.yml: skip pylint (bz2069837)"
+ * docs: add customization recommendation
+ * tests/java: fix java.security.disableSystemPropertiesFile=true
+ * policies: add FEDORA38 and TEST-FEDORA39
+ * bind: control ED25519/ED448
+ * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
+ * .gitlab-ci.yml: skip pylint (bz2069837)
+ * openssh: add support for sntrup761x25519-sha512@openssh.com
+ * fips-mode-setup: fix one unrelated check to intended state
+ * fips-mode-setup, fips-finish-install: abandon /etc/system-fips
+ * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT
+ * fips-mode-setup: catch more inconsistencies, clarify --check
+ * fips-mode-setup: improve handling FIPS plus subpolicies
+ * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3
+ * gnutls: enable SHAKE, needed for Ed448
+ * gnutls: use allowlisting
+ * openssl: add newlines at the end of the output
+ * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
+ * fips-mode-setup, fips-finish-install: call zipl more often
+ * Add crypto-policies-rpmlintrc file to avoid files-duplicate,
+ zero-length and non-conffile-in-etc warnings.
+ * Rebase patches:
+ - crypto-policies-FIPS.patch
+ - crypto-policies-no-build-manpages.patch
+ * Update README.SUSE
+
+-------------------------------------------------------------------
+Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal
+
+- Remove the scripts and documentation regarding
+ fips-finish-install and test-fips-setup
+ * Add crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal
+
+- Update to version 20210917.c9d86d1:
+ * openssl: fix disabling ChaCha20
+ * pacify pylint 2.11: use format strings
+ * pacify pylint 2.11: specify explicit encoding
+ * fix minor things found by new pylint
+ * update-crypto-policies: --check against regenerated
+ * update-crypto-policies: fix --check's walking order
+ * policygenerators/gnutls: revert disabling DTLS0.9...
+ * policygenerators/java: add javasystem backend
+ * LEGACY: bump 1023 key size to 1024
+ * cryptopolicies: fix 'and' in deprecation warnings
+ * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
+ * nss: hopefully the last fix for nss sigalgs check
+ * cryptopolicies: Python 3.10 compatibility
+ * nss: postponing check + testing at least something
+ * Rename 'policy modules' to 'subpolicies'
+ * validation.rules: fix a missing word in error
+ * cryptopolicies: raise errors right after warnings
+ * update-crypto-policies: capitalize warnings
+ * cryptopolicies: syntax-precheck scope errors
+ * .gitlab-ci.yml, Makefile: enable codespell
+ * all: fix several typos
+ * docs: don't leave zero TLS/DTLS protocols on
+ * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
+ * alg_lists: order protocols new-to-old for consistency
+ * alg_lists: max_{d,}tls_version
+ * update-crypto-policies: fix pregenerated + local.d
+ * openssh: allow validation with pre-8.5
+ * .gitlab-ci.yml: run commit-range against upstream
+ * openssh: Use the new name for PubkeyAcceptedKeyTypes
+ * sha1_in_dnssec: deprecate
+ * .gitlab-ci.yml: test commit ranges
+ * FIPS:OSPP: sign = -*-SHA2-224
+ * scoped policies: documentation update
+ * scoped policies: use new features to the fullest...
+ * scoped policies: rewrite + minimal policy changes
+ * scoped policies: rewrite preparations
+ * nss: postponing the version check again, to 3.64
+- Remove patches fixed upstream: crypto-policies-typos.patch
+- Rebase: crypto-policies-test_supported_modules_only.patch
+- Merge crypto-policies-asciidoc.patch into
+ crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
+Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal
+
+- Update to version 20210225.05203d2:
+ * Disable DTLS0.9 protocol in the DEFAULT policy.
+ * policies/FIPS: insignificant reformatting
+ * policygenerators/libssh: respect ssh_certs
+ * policies/modules/OSPP: tighten to follow RHEL 8
+ * crypto-policies(7): drop not-reenableable comment
+ * follow up on disabling RC4
+
+-------------------------------------------------------------------
+Thu Feb 25 11:59:44 UTC 2021 - Pedro Monreal
+
+- Remove not needed scripts: fips-finish-install fips-mode-setup
+
+-------------------------------------------------------------------
+Wed Feb 24 16:22:08 UTC 2021 - Pedro Monreal
+
+- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938]
+ * The minimum DTLS protocol version in the DEFAULT and FUTURE
+ policies is DTLS1.2.
+ * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e
+
+-------------------------------------------------------------------
+Wed Feb 17 12:36:05 UTC 2021 - Pedro Monreal
+
+- Update to version 20210213.5c710c0: [bsc#1180938]
+ * setup_directories(): perform safer creation of directories
+ * save_config(): avoid re-opening output file for each iteration
+ * save_config(): break after first match to avoid unnecessary stat() calls
+ * CryptoPolicy.parse(): actually stop parsing line on syntax error
+ * ProfileConfig.parse_string(): correctly extended subpolicies
+ * Exclude RC4 from LEGACY
+ * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT
+ * code style: fix 'not in' membership testing
+ * pylintrc: tighten up a bit
+ * formatting: avoid long lines
+ * formatting: use f-strings instead of format()
+ * formatting: reformat all python code with autopep8
+ * nss: postponing the version check again, to 3.61
+ * Revert "Unfortunately we have to keep ignoring the openssh check for sk-"
+
+-------------------------------------------------------------------
+Tue Feb 9 10:50:47 UTC 2021 - Dominique Leuenberger
+
+- Use tar_scm service, not obs_scm: With crypto-policies entering
+ Ring0 (distro bootstrap) we want to be sure to keep the buildtime
+ deps as low as possible.
+- Add python3-base BuildRequires: previously, OBS' tar service
+ pulled this in for us.
+ +------------------------------------------------------------------- +Mon Feb 8 11:45:38 UTC 2021 - Pedro Monreal + +- Add a BuildIgnore for crypto-policies + +------------------------------------------------------------------- +Mon Feb 8 11:22:31 UTC 2021 - Pedro Monreal + +- Use gzip instead of xz in obscpio and sources + +------------------------------------------------------------------- +Fri Feb 5 10:57:46 UTC 2021 - Pedro Monreal + +- Do not build the manpages to avoid build cycles +- Add crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Tue Feb 2 17:38:27 UTC 2021 - Dominique Leuenberger + +- Convert to use a proper git source _service: + + To update, one just needs to update the commit/revision in the + _service file and run `osc service dr`. + + The version of the package is defined by the commit date of the + revision, followed by the abbreviated git hash (The same + revision used before results thus in a downgrade to 20210118, + but as this is a alltime new package, this is acceptable. 
+
+-------------------------------------------------------------------
+Tue Feb 2 12:33:19 UTC 2021 - Pedro Monreal
+
+- Update to git version 20210127
+ * Bump Python requirement to 3.6
+ * Output sigalgs required by nss >=3.59
+ * Do not require bind during build
+ * Break build cycles with openssl and gnutls
+
+-------------------------------------------------------------------
+Thu Jan 21 14:44:07 UTC 2021 - Pedro Monreal
+
+- Update to git version 20210118
+ * Output sigalgs required by nss >=3.59
+ * Bump Python requirement to 3.6
+ * Kerberos 5: Fix policy generator to account for macs
+ * Add AES-192 support (non-TLS scenarios)
+ * Add documentation of the --check option
+
+-------------------------------------------------------------------
+Thu Jan 21 14:42:13 UTC 2021 - Pedro Monreal
+
+- Fix the man pages generation
+- Add crypto-policies-asciidoc.patch
+
+-------------------------------------------------------------------
+Thu Jan 21 09:56:42 UTC 2021 - Pedro Monreal
+
+- Test only supported modules
+- Add crypto-policies-test_supported_modules_only.patch
+
+-------------------------------------------------------------------
+Tue Dec 22 10:50:36 UTC 2020 - Pedro Monreal
+
+- Add crypto-policies-typos.patch to fix some typos
+
+-------------------------------------------------------------------
+Thu Nov 12 08:20:19 UTC 2020 - Vítězslav Čížek
+
+- Initial packaging, git version 20200918 (jsc#SLE-15832)
diff --git a/crypto-policies.spec b/crypto-policies.spec
new file mode 100644
index 0000000..8039b7f
--- /dev/null
+++ b/crypto-policies.spec
@@ -0,0 +1,288 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
+%global _python_bytecompile_extra 0
+Name: crypto-policies
+Version: 20230920.570ea89
+Release: 0
+Summary: System-wide crypto policies
+License: LGPL-2.1-or-later
+Group: Productivity/Networking/Security
+URL: https://gitlab.com/redhat-crypto/fedora-%{name}
+Source0: fedora-%{name}-%{version}.tar.gz
+Source1: README.SUSE
+Source2: crypto-policies.7.gz
+Source3: update-crypto-policies.8.gz
+Source4: fips-mode-setup.8.gz
+Source5: fips-finish-install.8.gz
+Source6: crypto-policies-rpmlintrc
+%if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
+Patch1: crypto-policies-no-build-manpages.patch
+%endif
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2: crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3: crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
+Patch4: crypto-policies-revert-rh-allow-sha1-signatures.patch
+#PATCH-FIX-OPENSUSE Remove version for pylint from Makefile
+Patch5: crypto-policies-pylint.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for SUSE/openSUSE [jsc#PED-4578]
+Patch6: crypto-policies-FIPS.patch
+#PATCH-FIX-OPENSUSE Skip NSS policy check if not installed mozilla-nss-tools [bsc#1211301]
+Patch7: crypto-policies-nss.patch
+BuildRequires: python3-base >= 3.6
+# The sequoia stuff needs python3-toml, removed until needed
+# BuildRequires: python3-toml
+%if %{with manbuild}
+BuildRequires: asciidoc
+%endif
+%if %{with testsuite}
+# The following packages are needed for the testsuite
+BuildRequires: bind
+BuildRequires: codespell
+BuildRequires: gnutls >= 3.6.0
+BuildRequires: java-devel
+BuildRequires: krb5-devel
+BuildRequires: libxslt
+BuildRequires: mozilla-nss-tools
+BuildRequires: openssl
+BuildRequires: perl
+BuildRequires: python-rpm-macros
+BuildRequires: python3-coverage
+BuildRequires: python3-devel >= 3.6
+BuildRequires: python3-flake8
+BuildRequires: python3-pylint
+BuildRequires: python3-pytest
+BuildRequires: perl(File::Copy)
+BuildRequires: perl(File::Temp)
+BuildRequires: perl(File::Which)
+BuildRequires: perl(File::pushd)
+%endif
+%if 0%{?primary_python:1}
+Recommends: crypto-policies-scripts
+%endif
+Conflicts: gnutls < 3.7.3
+#Conflicts: libreswan < 3.28
+Conflicts: nss < 3.90.0
+#Conflicts: openssh < 8.2p1
+#!BuildIgnore: crypto-policies
+BuildArch: noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary: Tool to switch between crypto policies
+Requires: %{name} = %{version}-%{release}
+Recommends: perl-Bootloader
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
+%prep
+%autosetup -p1 -n fedora-%{name}-%{version}
+
+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+# Remove not needed policy generators
+find -name libreswan.py -delete
+find -name sequoia.py -delete
+
+%build
+export OPENSSL_CONF=''
+sed -i "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
+ python/policygenerators/openssh.py
+grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+%if %{without manbuild}
+# Install the manpages from defined sources
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
+%endif
+
+# Install the executable scripts
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
+install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
+
+# Drop pre-generated GOST-ONLY policy, we do not need to ship them
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+
+# Drop FEDORA policies
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS BSI ; do
+ mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+ for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+ ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+ done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+ ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+# Fix shebang in scripts
+for f in %{buildroot}%{_datadir}/crypto-policies/python/*
+do
+ [ -f $f ] && sed -i "1s@#!.*python.*@#!$(realpath %__python3)@" $f
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+
+%check
+%if %{with testsuite}
+export OPENSSL_CONF=''
+%make_build test
+%make_build test-install test-fips-setup || :
+%endif
+
+%post -p
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+ local policy = "DEFAULT"
+ local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+ if cf then
+ if cf:read() == "1" then
+ policy = "FIPS"
+ end
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ local policypath = "%{_datarootdir}/crypto-policies/"..policy
+ for fn in posix.files(policypath) do
+ if fn ~= "." and fn ~= ".." then
+ local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+ local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+ posix.unlink(cfgfn)
+ posix.symlink(policypath.."/"..fn, cfgfn)
+ end
+ end
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+%license COPYING.LESSER
+%doc README.md NEWS CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/BSI
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%changelog
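Review bot: `%posttrans scripts` runs `%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :`, which discards the tool's stderr together with its exit status, so a failed regeneration of the `%ghost` back-end configs under `%{_sysconfdir}/crypto-policies/back-ends` leaves no trace in the transaction output. Not failing the transaction is reasonable for a scriptlet, but the diagnostics should survive, e.g. `%{_bindir}/update-crypto-policies --no-check >/dev/null || echo "warning: update-crypto-policies failed, back-end configs were not regenerated" >&2`. The same silencing appears in `%check` with `%make_build test-install test-fips-setup || :`, where a one-line comment stating why those two targets are allowed to fail would help the next maintainer. Separately, the `%post -p` line carries no interpreter token on this page although its body is Lua; this looks like the `<lua>` argument was lost in rendering, but it is worth confirming against the spec in the repository.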
diff --git a/fedora-crypto-policies-20230920.570ea89.tar.gz b/fedora-crypto-policies-20230920.570ea89.tar.gz
new file mode 100644
index 0000000..7d739b2
--- /dev/null
+++ b/fedora-crypto-policies-20230920.570ea89.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5af6d1bf4e8f75e27dbcfb27f83814dd486926b302325e4974a96f0a806892c5
+size 90127
diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz
new file mode 100644
index 0000000..04cdc5b
--- /dev/null
+++ b/fips-finish-install.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af99d2b749bd8276adcf4579a71411b7c028031e0c68d13702b7ef19bced7e89
+size 950
diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz
new file mode 100644
index 0000000..b900daf
--- /dev/null
+++ b/fips-mode-setup.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:67c8f9d38bcfdf2ecc265245d88138c46444bee5883a14fb2c7d520af6c0078e
+size 1783
diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz
new file mode 100644
index 0000000..ba102ec
--- /dev/null
+++ b/update-crypto-policies.8.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aeca399e889653394e5016ad57333c55a9a2cb0ed4ae2e7538700ffea5b7089b
+size 4154