Accepting request 1089055 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1089055 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/crypto-policies?expand=0&rev=3
2023-05-28 17:21:39 +00:00 · 2023-05-28 17:21:39 +00:00 · d79ae5c3ad
commit d79ae5c3ad
parent 2b2d22c74e 743dc266bd
18 changed files with 768 additions and 152 deletions
--- a/README.SUSE
+++ b/README.SUSE
@ -1,2 +1,6 @@
-Currently only OpenSSL and GnuTLS policies are supported.
+Currently, the supported back-end policies are:
+  * OpenSSL library
+  * GnuTLS library
+  * OpenJDK (only for java-1_8_0-openjdk and java-11-openjdk)
+
 The rest of the modules ignore the policy settings for the time being.
--- a/2
+++ b/2
@ -4,7 +4,7 @@
    <param name="scm">git</param>
    <param name="versionformat">%cd.%h</param>
    <param name="changesgenerate">enable</param>
-    <param name="revision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param>
+    <param name="revision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param>
  </service>
  <service name="recompress" mode="disabled">
    <param name="file">*.tar</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
-              <param name="changesrevision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param></service></servicedata>
+              <param name="changesrevision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param></service></servicedata>
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@ -1,72 +1,206 @@
-Index: fedora-crypto-policies/Makefile
+Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
 ===================================================================
--- fedora-crypto-policies.orig/Makefile
-+++ fedora-crypto-policies/Makefile
-@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
- CONFDIR?=/etc/crypto-policies
- DESTDIR?=
- MAN7PAGES=crypto-policies.7
-MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
-SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
-+MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
-+SCRIPTS=update-crypto-policies fips-finish-install
- NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
- PYVERSION = -3
- DIFFTOOL?=meld
-Index: fedora-crypto-policies/crypto-policies.7.txt
-===================================================================
--- fedora-crypto-policies.orig/crypto-policies.7.txt
-+++ fedora-crypto-policies/crypto-policies.7.txt
-@@ -144,9 +144,6 @@ PROVIDED POLICIES
+--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup
+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
+@@ -7,6 +7,7 @@ enable_fips=
+ check=0
+ boot_config=1
+ err_if_disabled=0
+fips_install_complete=0
+ output_text=1
 
- *FIPS*::
-   A policy to aid conformance to the *FIPS 140-2* requirements.
-  This policy is used internally by the *fips-mode-setup(8)* tool
-  which can switch the system into the *FIPS 140-2* mode.
-  This policy provides at least 112-bit security.
+ is_ostree_system=0
+@@ -75,109 +76,74 @@ if test "$is_ostree_system" = 1 && test
+     exit 1
+ fi
 
-   * MACs: all *HMAC* with *SHA1* or better
-   * Curves: all prime >= 256 bits
-@@ -255,12 +252,6 @@ COMMANDS
-   back ends and allows the system administrator to change the active
-   cryptographic policy.
- 
-*fips-mode-setup(8)*::
-  This command allows the system administrator to enable, or disable the
-  system FIPS mode and also apply the *FIPS* cryptographic policy
-  which limits the allowed algorithms and protocols to these allowed by
-  the FIPS 140-2 requirements.
 -
+-if [ "$(id -u)" != 0 ]; then
+-	echo "You must be root to run $(basename $0)"
+-	exit 1
+-fi
+-
+-
+-# Detect 1: kernel FIPS flag
+-fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
+-
+-# Detect 2: initramfs fips module presence; not always can be done
+-initramfs_fips_module=0
+-initramfs_inspectable=0
+-if test -d /boot -a -x /usr/bin/lsinitrd; then
+-	initramfs_inspectable=1
+-	if lsinitrd -m 2>/dev/null | grep -Fxq fips; then
+-		initramfs_fips_module=1
+if test "$enable_fips" = 1 ; then
+	# Check the required FIPS modules are installed
+	if test ! -x "$(command -v grubby)" -o ! -f /usr/share/doc/packages/patterns/fips.txt -o ! -f /etc/dracut.conf.d/40-fips.conf; then
+		cond_echo "Installation of FIPS modules is not complete."
+		cond_echo "Please, install grubby and the fips pattern."
+		exit 1
+ 	fi
+ fi
 
- NOTES
- -----
-@@ -427,7 +418,7 @@ FILES
+-# Detect 3: crypto-policy base policy
+-current_policy="$(cat /etc/crypto-policies/state/current)"
+-base_policy="$(echo $current_policy| cut -f 1 -d :)"
+-if test "$base_policy" == "FIPS" ; then
+-	base_policy_is_fips=1
+-else
+-	base_policy_is_fips=0
+if test "$enable_fips" = 1 ; then
+	if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then
+	fips_install_complete=1
+	fi
+ fi
 
- SEE ALSO
- --------
-update-crypto-policies(8), fips-mode-setup(8)
-+update-crypto-policies(8)
+-
+ if test $check = 1 ; then
+-	# Look for signs for both enabling and disabling FIPS mode
+-	fips_positive=0
+-	fips_negative=0
+-
+-	# Display 1: kernel FIPS flag
+-	cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)."
+-
+-	# Display 2: initramfs fips module
+-	if test "$initramfs_inspectable" = 1 ; then
+-		cond_echo -n "Initramfs fips module is "
+-		cond_echo "$(enable2txt $initramfs_fips_module)."
+-	fi
+-
+-	# Display 3: active crypto-policy
+-	cond_echo -n "The current crypto policy ($current_policy) "
+-	if test "$base_policy_is_fips" == 1 ; then
+-		cond_echo 'is based on the FIPS policy.'
+-	else
+-		cond_echo -n 'neither is the FIPS policy '
+-		cond_echo 'nor is based on the FIPS policy.'
+-	fi
+-
+-	# Decide 1: kernel FIPS flag
+-	if test "$fips_kernel_enabled" = 1 ; then
+-		fips_positive=1
+-	else
+-		fips_negative=1
+-	fi
+-
+-	# Decide 2: initramfs module presence
+-	if test "$initramfs_inspectable" = 1 ; then
+-		if test "$initramfs_fips_module" = 1 ; then
+-			fips_positive=1
+-		else
+-			fips_negative=1
+	test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not complete."
+	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
+	cond_echo "FIPS mode is $(enable2txt $fips_enabled)."
+	if test "$fips_enabled" = 1 ; then
+		if test $fips_install_complete = 0 ; then
+			cond_echo "Inconsistent state detected."
+			exit 1
+		fi
+		current="$(cat /etc/crypto-policies/state/current)"
+		if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then
+			cond_echo -n "The current crypto policy ($current) "
+			cond_echo -n 'neither is the FIPS policy '
+			cond_echo 'nor is based on the FIPS policy.'
+			cond_echo 'Inconsistent state detected.'
+			exit 1
+ 		fi
+-	fi
+-
+-	# Decide 3: active crypto-policy
+-	if test "$base_policy_is_fips" = 1 ; then
+-		fips_positive=1
+ 	else
+-		fips_negative=1
+-	fi
+-
+-	# Make the FIPS mode consistency decision
+-	if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then
+-		cond_echo 'Inconsistent state detected.'
+-		exit 1
+		if test $fips_install_complete = 1 ; then
+			cond_echo "Inconsistent state detected."
+			exit 1
+		fi
+		current="$(cat /etc/crypto-policies/state/current)"
+		if test "$(echo $current | cut -f 1 -d :)" == "FIPS" ; then
+			cond_echo -n "The current crypto policy ($current) "
+			cond_echo -n 'is based on the FIPS policy, '
+			cond_echo 'but FIPS mode is not enabled.'
+			cond_echo 'Inconsistent state detected.'
+			exit 1
+		fi
+ 	fi
+-
+-	# Error out if `--is-enabled` was passed and FIPS mode is not enabled
+-	if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then
+-		cond_echo 'FIPS mode is not enabled.'
+	if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1; then
+ 		exit 2
+ 	fi
+-
+ 	exit 0
+ fi
 
+if [ "$(id -u)" != 0 ]; then
+	echo "You must be root to run $(basename $0)"
+	exit 1
+fi
 
- AUTHOR
-Index: fedora-crypto-policies/python/update-crypto-policies.py
+ if test $enable_fips = 1 ; then
+-	if test "$initramfs_fips_module" = 0 ; then
+	if test $fips_install_complete = 1 ; then
+ 		fips-finish-install --complete
+ 		if test $? != 0 ; then
+-			echo "Installation of FIPS modules could not be completed."
+	 		echo "Installation of FIPS modules could not be completed."
+ 			exit 1
+ 		fi
+ 	fi
+-	if test "$base_policy_is_fips" == 1 ; then
+-		cond_echo -n 'Preserving current FIPS-based policy '
+-		cond_echo "${current_policy}."
+	target="$(cat /etc/crypto-policies/state/current)"
+	if test "$(echo $target | cut -f 1 -d :)" == "FIPS" ; then
+	    cond_echo "Preserving current FIPS-based policy ${target}."
+ 		cond_echo -n 'Please review the subpolicies to ensure they '
+ 		cond_echo 'only restrict, not relax the FIPS policy.'
+ 	else
+@@ -196,11 +162,11 @@ if test x"$boot_device" = x ; then
+ 	boot_device_opt=" boot=UUID=<your-boot-device-uuid>"
+ 	boot_config=0
+ else
+-        if test "$boot_device" = / ; then
+-            boot_device_opt=""
+-        else
+-            boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
+-        fi
+	if test "$boot_device" = / ; then
+		boot_device_opt=""
+	else
+		boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)"
+	fi
+ fi
+ 
+ if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
 ===================================================================
--- fedora-crypto-policies.orig/python/update-crypto-policies.py
-+++ fedora-crypto-policies/python/update-crypto-policies.py
-@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
-                 eprint("Warning: Using 'update-crypto-policies --set FIPS' "
-                        "is not sufficient for")
-                 eprint("         FIPS compliance.")
-                eprint("         Use 'fips-mode-setup --enable' "
-                       "command instead.")
-             elif fips_mode():
-                 eprint("Warning: Using 'update-crypto-policies --set' "
-                        "in FIPS mode will make the system")
-                 eprint("         non-compliant with FIPS.")
-                 eprint("         It can also break "
-                        "the ssh access to the system.")
-                eprint("         Use 'fips-mode-setup --disable' "
-                       "to disable the system FIPS mode.")
+--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup.8.txt
+++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
+@@ -39,8 +39,15 @@ system crypto policy to FIPS
+ (unless the policy has already been set to FIPS plus subpolicies on top,
+ in which case the currently active subpolicies is retained).
 
-     if base_dir == DEFAULT_BASE_DIR:
-         if not os.geteuid() == 0:
+Some required FIPS modules (grubby, fips pattern) might not be
+installed by default. These can be installed in SUSE/openSUSE with
+the following command:
+
+    zypper in -y grubby && zypper in -y -t pattern fips
+
+ Then the command modifies the boot loader configuration to add
+ 'fips=1' and 'boot=<boot-device>' options to the kernel command line.
+Note that, grubby could show a harmless warning about leaked file descriptors.
+ 
+ When disabling the system FIPS mode the system crypto policy is switched
+ to DEFAULT and the kernel command line option 'fips=0' is set.
--- a/crypto-policies-no-build-manpages.patch
+++ b/crypto-policies-no-build-manpages.patch
@ -1,28 +1,28 @@
-Index: fedora-crypto-policies/Makefile
+Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
 ===================================================================
--- fedora-crypto-policies.orig/Makefile
-+++ fedora-crypto-policies/Makefile
-@@ -22,9 +22,9 @@ install: $(MANPAGES)
+--- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
+++ fedora-crypto-policies-20230420.3d08ae7/Makefile
+@@ -28,9 +28,9 @@ install: $(MANPAGES)
 	mkdir -p $(DESTDIR)$(MANDIR)/man7
 	mkdir -p $(DESTDIR)$(MANDIR)/man8
 	mkdir -p $(DESTDIR)$(BINDIR)
 -	install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
 -	install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
 -	install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
-+# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
-+# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
-+# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+	# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+	# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+	# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
 	mkdir -p $(DESTDIR)$(DIR)/
 	install -p -m 644 default-config $(DESTDIR)$(DIR)
 	install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
-@@ -106,8 +106,8 @@ clean:
+@@ -114,8 +114,8 @@ clean:
 	rm -rf output
 
 %: %.txt
-	asciidoc.py -v -d manpage -b docbook $<
-	xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
-+	# asciidoc -v -d manpage -b docbook $<
-+	# xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
+-	$(ASCIIDOC) -v -d manpage -b docbook $<
+-	xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
+	#$(ASCIIDOC) -v -d manpage -b docbook $<
+	#xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
 
 dist:
 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
--- a/crypto-policies-policygenerators.patch
+++ b/crypto-policies-policygenerators.patch
@ -0,0 +1,40 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/__init__.py
+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
+@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator
+ from .java import JavaGenerator
+ from .java import JavaSystemGenerator
+ from .krb5 import KRB5Generator
+-from .libreswan import LibreswanGenerator
+#from .libreswan import LibreswanGenerator
+ from .libssh import LibsshGenerator
+ from .nss import NSSGenerator
+ from .openssh import OpenSSHClientGenerator
+ from .openssh import OpenSSHServerGenerator
+ from .openssl import OpenSSLConfigGenerator
+ from .openssl import OpenSSLGenerator
+-from .sequoia import SequoiaGenerator
+-from .sequoia import RPMSequoiaGenerator
+#from .sequoia import SequoiaGenerator
+#from .sequoia import RPMSequoiaGenerator
+ 
+ __all__ = [
+     'BindGenerator',
+@@ -24,13 +24,13 @@ __all__ = [
+     'JavaGenerator',
+     'JavaSystemGenerator',
+     'KRB5Generator',
+-    'LibreswanGenerator',
+#    'LibreswanGenerator',
+     'LibsshGenerator',
+     'NSSGenerator',
+     'OpenSSHClientGenerator',
+     'OpenSSHServerGenerator',
+     'OpenSSLConfigGenerator',
+     'OpenSSLGenerator',
+-    'SequoiaGenerator',
+-    'RPMSequoiaGenerator',
+#    'SequoiaGenerator',
+#    'RPMSequoiaGenerator',
+ ]
--- a/crypto-policies-revert-rh-allow-sha1-signatures.patch
+++ b/crypto-policies-revert-rh-allow-sha1-signatures.patch
@ -0,0 +1,272 @@
+From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 8 Apr 2022 13:47:29 +0200
+Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
+
+
+Index: fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/FUTURE.pol
+++ fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
+@@ -65,7 +65,3 @@ sha1_in_certs = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/modules/NO-SHA1.pmod
+++ fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
+@@ -3,7 +3,3 @@
+ hash = -SHA1
+ sign = -*-SHA1
+ sha1_in_certs = 0
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/python/cryptopolicies/cryptopolicies.py
+++ fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py
+@@ -19,7 +19,6 @@ from . import validation  # moved out of
+ INT_DEFAULTS = {k: 0 for k in (
+     'arbitrary_dh_groups',
+     'min_dh_size', 'min_dsa_size', 'min_rsa_size',
+-    '__openssl_block_sha1_signatures',
+     'sha1_in_certs',
+     'ssh_certs', 'ssh_etm',
+ )}
+Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/openssl.py
+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py
+@@ -7,14 +7,6 @@ from subprocess import check_output, Cal
+ 
+ from .configgenerator import ConfigGenerator
+ 
+-RH_SHA1_SECTION = '''
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = {}
+-'''
+-
+ 
+ class OpenSSLGenerator(ConfigGenerator):
+     CONFIG_NAME = 'openssl'
+@@ -254,12 +246,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
+         groups = [cls.group_map[i] for i in p['group'] if i in cls.group_map]
+         s += 'Groups = ' + ':'.join(groups) + '\n'
+ 
+-        # In the future it'll be just
+-        # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no')
+-        # but for now we slow down the roll-out and we have
+-        sha1_sig = not policy.integers['__openssl_block_sha1_signatures']
+-        s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no')
+-
+         return s
+ 
+     @classmethod
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/alternative-policies/FUTURE.pol
+++ fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
+@@ -71,7 +71,3 @@ sha1_in_dnssec = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
+-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
+-__openssl_block_sha1_signatures = 1
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
+ Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/EMPTY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt
+@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
+ Ciphersuites = 
+ SignatureAlgorithms = 
+ Groups = 
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
+ Groups = secp256r1:secp384r1:secp521r1
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FUTURE-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
+ Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = no
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt
+@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
+ TLS.MaxProtocol = TLSv1.3
+ SignatureAlgorithms = 
+ Groups = 
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
+ Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
+ DTLS.MaxProtocol = DTLSv1.2
+ SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
+ Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
+-
+-[openssl_init]
+-alg_section = evp_properties
+-
+-[evp_properties]
+-rh-allow-sha1-signatures = yes
+Index: fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/unit/test_cryptopolicy.py
+++ fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
+@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
+         min_dh_size = 0
+         min_dsa_size = 0
+         min_rsa_size = 0
+-        __openssl_block_sha1_signatures = 0
+         sha1_in_certs = 0
+         ssh_certs = 0
+         ssh_etm = 0
+@@ -291,7 +290,6 @@ def test_cryptopolicy_to_string_twisted(
+         min_dh_size = 0
+         min_dsa_size = 0
+         min_rsa_size = 0
+-        __openssl_block_sha1_signatures = 0
+         sha1_in_certs = 0
+         ssh_certs = 0
+         ssh_etm = 0
+Index: fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/TEST-FEDORA39.pol
+++ fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
+@@ -67,7 +67,3 @@ sha1_in_certs = 0
+ arbitrary_dh_groups = 1
+ ssh_certs = 1
+ ssh_etm = 1
+-
+-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
+-# SHA-1 signatures will blocked in OpenSSL
+-__openssl_block_sha1_signatures = 1
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+addFilter(".*files-duplicate.*")
+addFilter(".*zero-length.*")
+addFilter(".non-conffile-in-etc.*")
--- a/crypto-policies-supported.patch
+++ b/crypto-policies-supported.patch
@ -0,0 +1,37 @@
+Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+===================================================================
+--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
+++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
+@@ -54,23 +54,23 @@ are configured to follow the default pol
+ The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
+ Currently the supported back-ends (and directive scopes they respect) are:
+ 
+-* GnuTLS library (GnuTLS, SSL, TLS)
+* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
+ 
+-* OpenSSL library (OpenSSL, SSL, TLS)
+* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
+ 
+-* NSS library (NSS, SSL, TLS)
+* NSS library (NSS, SSL, TLS) (Not supported)
+ 
+-* OpenJDK (java-tls, SSL, TLS)
+* OpenJDK (java-tls, SSL, TLS) (Supported only for java-1_8_0-openjdk and java-11-openjdk)
+ 
+-* Libkrb5 (krb5, kerberos)
+* Libkrb5 (krb5, kerberos) (Not supported)
+ 
+-* BIND (BIND, DNSSec)
+* BIND (BIND, DNSSec) (Not supported)
+ 
+-* OpenSSH (OpenSSH, SSH)
+* OpenSSH (OpenSSH, SSH) (Not supported)
+ 
+-* Libreswan (libreswan, IKE, IPSec)
+* Libreswan (libreswan, IKE, IPSec) (Not supported)
+ 
+-* libssh (libssh, SSH)
+* libssh (libssh, SSH) (Not supported)
+ 
+ Applications and languages which rely on any of these back-ends will follow
+ the system policies as well. Examples are apache httpd, nginx, php, and
--- a/crypto-policies-test_supported_modules_only.patch
+++ b/crypto-policies-test_supported_modules_only.patch
@ -1,13 +0,0 @@
-Index: fedora-crypto-policies/Makefile
-===================================================================
--- fedora-crypto-policies.orig/Makefile
-+++ fedora-crypto-policies/Makefile
-@@ -56,8 +56,6 @@ check:
- 	tests/openssl.pl
- 	tests/gnutls.pl
- 	tests/nss.py
-	tests/java.pl
-	tests/krb5.py
- 	top_srcdir=. tests/update-crypto-policies.sh
- 
- # Alternative, equivalent ways to write the same policies
--- a/crypto-policies.7.gz
+++ b/crypto-policies.7.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:cbc5e573f2bd5dad2e405f9de35cc94c469d434b466b40890d87400f7f4cb8c1
-size 6127
+oid sha256:08e4778d0c659ec3d5f408ba889634255f462b5fe6ee0d22194347103da69a7e
+size 6896
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@ -1,3 +1,88 @@
+-------------------------------------------------------------------
+Thu May 25 11:28:12 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
+  and fips-finish-install commands, add also the man pages. The
+  required FIPS modules are left to be installed by the user.
+  * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Wed May 24 20:04:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Revert a breaking change that introduces the config option
+  rh-allow-sha1-signatures that is unkown to OpenSSL and fails
+  on startup. We will consider adding this option to openssl.
+  * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494
+  * Add crypto-policies-revert-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Mon May  8 09:45:45 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update the update-crypto-policies(8) man pages and README.SUSE
+  to mention the supported back-end policies. [bsc#1209998]
+  * Add crypto-policies-supported.patch
+
+-------------------------------------------------------------------
+Mon May 08 06:32:49 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20230420.3d08ae7:
+  * openssl, alg_lists: add brainpool support
+  * openssl: set Groups explicitly
+  * codespell: ignore aNULL
+  * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
+  * sequoia: add separate rpm-sequoia backend
+  * crypto-policies.7: state upfront that FUTURE is not so interoperable
+  * Makefile: update for asciidoc 10
+  * Skip not needed LibreswanGenerator and SequoiaGenerator:
+    - Add crypto-policies-policygenerators.patch
+  * Remove crypto-policies-test_supported_modules_only.patch
+  * Rebase crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
+Fri Jan 20 09:25:22 UTC 2023  - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 20221214.a4c31a3:
+  * bind: expand the list of disableable algorithms
+  * libssh: Add support for openssh fido keys
+  * .gitlab-ci.yml: install krb5-devel for krb5-config
+  * sequoia: check using sequoia-policy-config-check
+  * sequoia: introduce new back-end
+  * Makefile: support overriding asciidoc executable name
+  * openssh: make none and auto explicit and different
+  * openssh: autodetect and allow forcing RequiredRSASize presence/name
+  * openssh: remove _pre_8_5_ssh
+  * pylintrc: update
+  * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
+  * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
+  * Makefile: exclude built manpages from codespell
+  * add openssh HostbasedAcceptedAlgorithms
+  * openssh: add RSAMinSize option following min_rsa_size
+  * Revert ".gitlab-ci.yml: skip pylint (bz2069837)"
+  * docs: add customization recommendation
+  * tests/java: fix java.security.disableSystemPropertiesFile=true
+  * policies: add FEDORA38 and TEST-FEDORA39
+  * bind: control ED25519/ED448
+  * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
+  * .gitlab-ci.yml: skip pylint (bz2069837)
+  * openssh: add support for sntrup761x25519-sha512@openssh.com
+  * fips-mode-setup: fix one unrelated check to intended state
+  * fips-mode-setup, fips-finish-install: abandon /etc/system-fips
+  * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT
+  * fips-mode-setup: catch more inconsistencies, clarify --check
+  * fips-mode-setup: improve handling FIPS plus subpolicies
+  * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3
+  * gnutls: enable SHAKE, needed for Ed448
+  * gnutls: use allowlisting
+  * openssl: add newlines at the end of the output
+  * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
+  * fips-mode-setup, fips-finish-install: call zipl more often
+  * Add crypto-policies-rpmlintrc file to avoid files-duplicate,
+    zero-length and non-conffile-in-etc warnings.
+  * Rebase patches:
+    - crypto-policies-FIPS.patch
+    - crypto-policies-no-build-manpages.patch
+  * Update README.SUSE
+
 -------------------------------------------------------------------
 Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -1,7 +1,7 @@
 #
 # spec file for package crypto-policies
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,9 +16,13 @@
 #


+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
 %global _python_bytecompile_extra 0
 Name:           crypto-policies
-Version:        20210917.c9d86d1
+Version:        20230420.3d08ae7
 Release:        0
 Summary:        System-wide crypto policies
 License:        LGPL-2.1-or-later
@ -28,27 +32,50 @@ Source0:        fedora-%{name}-%{version}.tar.gz
 Source1:        README.SUSE
 Source2:        crypto-policies.7.gz
 Source3:        update-crypto-policies.8.gz
-Patch0:         crypto-policies-test_supported_modules_only.patch
+Source4:        fips-mode-setup.8.gz
+Source5:        fips-finish-install.8.gz
+Source6:        crypto-policies-rpmlintrc
+%if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
 Patch1:         crypto-policies-no-build-manpages.patch
-Patch2:         crypto-policies-FIPS.patch
-BuildRequires:  python3-base
-# For testing, the following buildrequires need to be uncommented.
-# BuildRequires:  asciidoc
-# BuildRequires:  bind
-# BuildRequires:  gnutls >= 3.6.0
-# BuildRequires:  java-devel
-# BuildRequires:  libxslt
-# BuildRequires:  openssl
-# BuildRequires:  perl
-# BuildRequires:  python3-coverage
-# BuildRequires:  python3-devel >= 3.6
-# BuildRequires:  python3-flake8
-# BuildRequires:  python3-pylint
-# BuildRequires:  python3-pytest
-# BuildRequires:  perl(File::Copy)
-# BuildRequires:  perl(File::Temp)
-# BuildRequires:  perl(File::Which)
-# BuildRequires:  perl(File::pushd)
+%endif
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2:         crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3:         crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
+Patch4:         crypto-policies-revert-rh-allow-sha1-signatures.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for TW
+Patch5:         crypto-policies-FIPS.patch
+BuildRequires:  python3-base >= 3.6
+# The sequoia stuff needs python3-toml, removed until needed
+# BuildRequires:  python3-toml
+%if %{with manbuild}
+BuildRequires:  asciidoc
+%endif
+%if %{with testsuite}
+# The following buildrequires are needed for the testsuite
+BuildRequires:  bind
+BuildRequires:  gnutls >= 3.6.0
+BuildRequires:  java-devel
+BuildRequires:  krb5-devel
+BuildRequires:  libxslt
+BuildRequires:  openssl
+BuildRequires:  perl
+BuildRequires:  python3-coverage
+BuildRequires:  python3-devel >= 3.6
+BuildRequires:  python3-flake8
+BuildRequires:  python3-pylint
+BuildRequires:  python3-pytest
+BuildRequires:  perl(File::Copy)
+BuildRequires:  perl(File::Temp)
+BuildRequires:  perl(File::Which)
+BuildRequires:  perl(File::pushd)
+%endif
 Recommends:     crypto-policies-scripts
 Conflicts:      gnutls < 3.7.0
 #Conflicts:      libreswan < 3.28
@ -75,7 +102,15 @@ defined in simple policy definition files.
 %prep
 %autosetup -p1 -n fedora-%{name}-%{version}

+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+# Remove not needed policy generators
+find -name libreswan.py -delete
+find -name sequoia.py -delete
+
 %build
+export OPENSSL_CONF=''
 %make_build

 %install
@ -89,28 +124,29 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}

 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
-
-# Install the manpages
-mkdir -p -m 755 %{buildroot}%{_mandir}/
-mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
-mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
-cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
-cp %{SOURCE3} %{buildroot}%{_mandir}/man8/
-
-# Install the executable files
-install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
-
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol

-# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
+%if %{without manbuild}
+# Install the manpages from defined sources
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
+%endif
+
+# Install the executable scripts
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
+install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
+
+# Drop pre-generated GOST-ONLY policy, we do not need to ship them
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY

-# Remove fips-finish-install and test-fips-setup scripts and man
-find -type f -name fips-finish-install -delete
-find -type f -name fips-finish-install.8.txt -delete
-find -type f -name test-fips-setup.sh -delete
+# Drop FEDORA policies
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*

 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS ; do
@ -126,10 +162,14 @@ done

 %py3_compile %{buildroot}%{_datadir}/crypto-policies/python

-cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies

 %check
+%if %{with testsuite}
+export OPENSSL_CONF=''
 %make_build test || :
+%endif

 %post -p <lua>
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@ -153,7 +193,7 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then
    end
    local policypath = "%{_datarootdir}/crypto-policies/"..policy
    for fn in posix.files(policypath) do
-	    if fn ~= "." and fn ~= ".." then
+        if fn ~= "." and fn ~= ".." then
            local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
            local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
            posix.unlink(cfgfn)
@ -166,6 +206,10 @@ end
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :

 %files
+%license COPYING.LESSER
+%doc README.md NEWS CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
 %dir %{_sysconfdir}/crypto-policies/
 %dir %{_sysconfdir}/crypto-policies/back-ends/
 %dir %{_sysconfdir}/crypto-policies/state/
@ -174,21 +218,23 @@ end
 %dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/

-%{_sysconfdir}/crypto-policies/README.SUSE
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config

-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
-%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.

 %ghost %{_sysconfdir}/crypto-policies/state/current
 %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
@ -204,11 +250,13 @@ end
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies

-%license COPYING.LESSER
-
 %files scripts
 %{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
 %{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
 %{_datarootdir}/crypto-policies/python

 %changelog
--- a/fedora-crypto-policies-20210917.c9d86d1.tar.gz
+++ b/fedora-crypto-policies-20210917.c9d86d1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d5e57503a00c247d549aab27de2a3d96c7d8756910939aec5acd38df6e73c252
-size 75022
--- a/fedora-crypto-policies-20230420.3d08ae7.tar.gz
+++ b/fedora-crypto-policies-20230420.3d08ae7.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0554a9e3965970a2233dee8770fe414527e073b80106db89a1170fa845c3903b
+size 85811
--- a/fips-finish-install.8.gz
+++ b/fips-finish-install.8.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c127272faa0580e5969d1a1b33ea4a8811a60da45d23fe50a782eaaf8c0c9075
+size 824
--- a/fips-mode-setup.8.gz
+++ b/fips-mode-setup.8.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7a427092b98f11bf8bb0606afd71dbe1d153362f9c3a15ed53e479436f45e43b
+size 1541
--- a/update-crypto-policies.8.gz
+++ b/update-crypto-policies.8.gz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0151e1a8a5e4bb626284b6a2f93824f849b8d070ed017b6995a20a90f9180b2b
-size 4018
+oid sha256:3530ed7a871a3b9c72ea761ff45f9a80ab2720f76bb223e58debad848b8aa7a1
+size 4178