
Accepting request 1086482 from home:pmonrealgonzalez:branches:security:tls

- Update the update-crypto-policies(8) man pages and README.SUSE
  to mention the supported back-end policies. [bsc#1209998]
  * Add crypto-policies-supported.patch

- Update to version 20230420.3d08ae7:
  * openssl, alg_lists: add brainpool support
  * openssl: set Groups explicitly
  * codespell: ignore aNULL
  * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
  * sequoia: add separate rpm-sequoia backend
  * crypto-policies.7: state upfront that FUTURE is not so interoperable
  * Makefile: update for asciidoc 10
  * Skip the LibreswanGenerator and SequoiaGenerator:
    - Add crypto-policies-policygenerators.patch
  * Remove crypto-policies-test_supported_modules_only.patch
  * Rebase crypto-policies-no-build-manpages.patch

- Update to version 20221214.a4c31a3:
  * bind: expand the list of disableable algorithms
  * libssh: Add support for openssh fido keys
  * .gitlab-ci.yml: install krb5-devel for krb5-config
  * sequoia: check using sequoia-policy-config-check
  * sequoia: introduce new back-end
  * Makefile: support overriding asciidoc executable name
  * openssh: make none and auto explicit and different
  * openssh: autodetect and allow forcing RequiredRSASize presence/name
  * openssh: remove _pre_8_5_ssh
  * pylintrc: update
  * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
  * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...

OBS-URL: https://build.opensuse.org/request/show/1086482
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=15
Martin Pluskal 2023-05-14 10:09:24 +00:00 committed by Git OBS Bridge
parent 64434f6b7a
commit 4ac1e9ad7b
15 changed files with 271 additions and 95 deletions

View File

@ -1,2 +1,6 @@
Currently only OpenSSL and GnuTLS policies are supported. Currently, the supported back-end policies are:
* OpenSSL library
* GnuTLS library
* OpenJDK (only for java-1_8_0-openjdk and java-11-openjdk)
The rest of the modules ignore the policy settings for the time being. The rest of the modules ignore the policy settings for the time being.
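Review bot: the new README.SUSE list hard-codes the same OpenJDK qualifier, `* OpenJDK (only for java-1_8_0-openjdk and java-11-openjdk)`, that crypto-policies-supported.patch adds to update-crypto-policies.8.txt, so the two lists will drift the next time a back-end's status changes; consider keeping the per-back-end status in one place (the man page) and having the README refer to it, keeping only the closing sentence about the remaining modules ignoring the policy here.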

View File

@ -4,7 +4,7 @@
<param name="scm">git</param> <param name="scm">git</param>
<param name="versionformat">%cd.%h</param> <param name="versionformat">%cd.%h</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>
<param name="revision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param> <param name="revision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param>
</service> </service>
<service name="recompress" mode="disabled"> <service name="recompress" mode="disabled">
<param name="file">*.tar</param> <param name="file">*.tar</param>

View File

@ -1,4 +1,4 @@
<servicedata> <servicedata>
<service name="tar_scm"> <service name="tar_scm">
<param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param> <param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
<param name="changesrevision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param></service></servicedata> <param name="changesrevision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param></service></servicedata>

View File

@ -1,7 +1,7 @@
Index: fedora-crypto-policies/Makefile Index: fedora-crypto-policies-20221214.a4c31a3/Makefile
=================================================================== ===================================================================
--- fedora-crypto-policies.orig/Makefile --- fedora-crypto-policies-20221214.a4c31a3.orig/Makefile
+++ fedora-crypto-policies/Makefile +++ fedora-crypto-policies-20221214.a4c31a3/Makefile
@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man @@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
CONFDIR?=/etc/crypto-policies CONFDIR?=/etc/crypto-policies
DESTDIR?= DESTDIR?=
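Review bot: the rebased `Index:`, `---` and `+++` paths use the prefix `fedora-crypto-policies-20221214.a4c31a3`, while the spec's Version is `20230420.3d08ae7` and crypto-policies-policygenerators.patch uses the `20230420.3d08ae7` prefix; with `%autosetup -p1` the first path component is stripped, so the patch still applies, but regenerating it against the 20230420 tarball would keep the prefixes consistent and confirm that the shifted offsets (for example `@@ -144,9 +144,6 @@` becoming `@@ -153,9 +153,6 @@`) apply without fuzz.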
@ -13,11 +13,11 @@ Index: fedora-crypto-policies/Makefile
NUM_PROCS = $$(getconf _NPROCESSORS_ONLN) NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
PYVERSION = -3 PYVERSION = -3
DIFFTOOL?=meld DIFFTOOL?=meld
Index: fedora-crypto-policies/crypto-policies.7.txt Index: fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt
=================================================================== ===================================================================
--- fedora-crypto-policies.orig/crypto-policies.7.txt --- fedora-crypto-policies-20221214.a4c31a3.orig/crypto-policies.7.txt
+++ fedora-crypto-policies/crypto-policies.7.txt +++ fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt
@@ -144,9 +144,6 @@ PROVIDED POLICIES @@ -153,9 +153,6 @@ PROVIDED POLICIES
*FIPS*:: *FIPS*::
A policy to aid conformance to the *FIPS 140-2* requirements. A policy to aid conformance to the *FIPS 140-2* requirements.
@ -27,7 +27,7 @@ Index: fedora-crypto-policies/crypto-policies.7.txt
* MACs: all *HMAC* with *SHA1* or better * MACs: all *HMAC* with *SHA1* or better
* Curves: all prime >= 256 bits * Curves: all prime >= 256 bits
@@ -255,12 +252,6 @@ COMMANDS @@ -264,12 +261,6 @@ COMMANDS
back ends and allows the system administrator to change the active back ends and allows the system administrator to change the active
cryptographic policy. cryptographic policy.
@ -40,7 +40,7 @@ Index: fedora-crypto-policies/crypto-policies.7.txt
NOTES NOTES
----- -----
@@ -427,7 +418,7 @@ FILES @@ -447,7 +438,7 @@ FILES
SEE ALSO SEE ALSO
-------- --------
@ -49,10 +49,10 @@ Index: fedora-crypto-policies/crypto-policies.7.txt
AUTHOR AUTHOR
Index: fedora-crypto-policies/python/update-crypto-policies.py Index: fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py
=================================================================== ===================================================================
--- fedora-crypto-policies.orig/python/update-crypto-policies.py --- fedora-crypto-policies-20221214.a4c31a3.orig/python/update-crypto-policies.py
+++ fedora-crypto-policies/python/update-crypto-policies.py +++ fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py
@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None, @@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
eprint("Warning: Using 'update-crypto-policies --set FIPS' " eprint("Warning: Using 'update-crypto-policies --set FIPS' "
"is not sufficient for") "is not sufficient for")

View File

@ -1,28 +1,28 @@
Index: fedora-crypto-policies/Makefile Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
=================================================================== ===================================================================
--- fedora-crypto-policies.orig/Makefile --- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
+++ fedora-crypto-policies/Makefile +++ fedora-crypto-policies-20230420.3d08ae7/Makefile
@@ -22,9 +22,9 @@ install: $(MANPAGES) @@ -28,9 +28,9 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(MANDIR)/man7 mkdir -p $(DESTDIR)$(MANDIR)/man7
mkdir -p $(DESTDIR)$(MANDIR)/man8 mkdir -p $(DESTDIR)$(MANDIR)/man8
mkdir -p $(DESTDIR)$(BINDIR) mkdir -p $(DESTDIR)$(BINDIR)
- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 - install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 - install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) - install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 + # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 + # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) + # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
mkdir -p $(DESTDIR)$(DIR)/ mkdir -p $(DESTDIR)$(DIR)/
install -p -m 644 default-config $(DESTDIR)$(DIR) install -p -m 644 default-config $(DESTDIR)$(DIR)
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR) install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
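Review bot: commenting out `install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)` is unrelated to skipping the man-page build, and it means `make install` no longer installs any script; the spec compensates with a hand-written `install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/`, so any script upstream adds later is silently left out of the package. Suggest keeping the `$(SCRIPTS)` line active in this patch and commenting out only the two man-page install lines.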
@@ -106,8 +106,8 @@ clean: @@ -114,8 +114,8 @@ clean:
rm -rf output rm -rf output
%: %.txt %: %.txt
- asciidoc.py -v -d manpage -b docbook $< - $(ASCIIDOC) -v -d manpage -b docbook $<
- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml - xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
+ # asciidoc -v -d manpage -b docbook $< + #$(ASCIIDOC) -v -d manpage -b docbook $<
+ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml + #xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml
dist: dist:
rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies

View File

@ -0,0 +1,40 @@
Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/__init__.py
+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator
from .java import JavaGenerator
from .java import JavaSystemGenerator
from .krb5 import KRB5Generator
-from .libreswan import LibreswanGenerator
+#from .libreswan import LibreswanGenerator
from .libssh import LibsshGenerator
from .nss import NSSGenerator
from .openssh import OpenSSHClientGenerator
from .openssh import OpenSSHServerGenerator
from .openssl import OpenSSLConfigGenerator
from .openssl import OpenSSLGenerator
-from .sequoia import SequoiaGenerator
-from .sequoia import RPMSequoiaGenerator
+#from .sequoia import SequoiaGenerator
+#from .sequoia import RPMSequoiaGenerator
__all__ = [
'BindGenerator',
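Review bot: commenting out the LibreswanGenerator, SequoiaGenerator and RPMSequoiaGenerator imports here duplicates the `find -name libreswan.py -delete` and `find -name sequoia.py -delete` calls in the spec's %prep; one mechanism is enough, and keeping both obscures which one actually disables the generator. If the motivation is the missing python3-toml dependency of the sequoia back-end (the spec comment says so), state it in the patch header so the patch can be dropped once that dependency is available.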
@@ -24,13 +24,13 @@ __all__ = [
'JavaGenerator',
'JavaSystemGenerator',
'KRB5Generator',
- 'LibreswanGenerator',
+# 'LibreswanGenerator',
'LibsshGenerator',
'NSSGenerator',
'OpenSSHClientGenerator',
'OpenSSHServerGenerator',
'OpenSSLConfigGenerator',
'OpenSSLGenerator',
- 'SequoiaGenerator',
- 'RPMSequoiaGenerator',
+# 'SequoiaGenerator',
+# 'RPMSequoiaGenerator',
]

View File

@ -0,0 +1,3 @@
addFilter(".*files-duplicate.*")
addFilter(".*zero-length.*")
addFilter(".non-conffile-in-etc.*")
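Review bot: the third pattern, `addFilter(".non-conffile-in-etc.*")`, is missing the `*` after the leading `.` that the other two filters have; it still matches because one character precedes the message name, but it should read `.*non-conffile-in-etc.*` for consistency. More importantly, non-conffile-in-etc is a real finding (a file under /etc that is not marked %config is overwritten on package update), and the only file that triggers it here is README.SUSE, so a filter that names that file, for example `addFilter(".*non-conffile-in-etc.*README.SUSE.*")`, keeps the check alive for anything else that lands under /etc/crypto-policies in the future.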

View File

@ -0,0 +1,37 @@
Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
+++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
@@ -54,23 +54,23 @@ are configured to follow the default pol
The generated back-end policies will be placed in /etc/crypto-policies/back-ends.
Currently the supported back-ends (and directive scopes they respect) are:
-* GnuTLS library (GnuTLS, SSL, TLS)
+* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
-* OpenSSL library (OpenSSL, SSL, TLS)
+* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
-* NSS library (NSS, SSL, TLS)
+* NSS library (NSS, SSL, TLS) (Not supported)
-* OpenJDK (java-tls, SSL, TLS)
+* OpenJDK (java-tls, SSL, TLS) (Supported only for java-1_8_0-openjdk and java-11-openjdk)
-* Libkrb5 (krb5, kerberos)
+* Libkrb5 (krb5, kerberos) (Not supported)
-* BIND (BIND, DNSSec)
+* BIND (BIND, DNSSec) (Not supported)
-* OpenSSH (OpenSSH, SSH)
+* OpenSSH (OpenSSH, SSH) (Not supported)
-* Libreswan (libreswan, IKE, IPSec)
+* Libreswan (libreswan, IKE, IPSec) (Not supported)
-* libssh (libssh, SSH)
+* libssh (libssh, SSH) (Not supported)
Applications and languages which rely on any of these back-ends will follow
the system policies as well. Examples are apache httpd, nginx, php, and
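Review bot: `(Not supported)` is ambiguous for an administrator reading this man page: the NSS, krb5, BIND, OpenSSH and libssh generators still run in this package (only the Libreswan and Sequoia generators are disabled in this request), so /etc/crypto-policies/back-ends/ will contain files such as nss.config and openssh.config that nothing on the system reads. Spell that out, along the lines of the README.SUSE sentence "The rest of the modules ignore the policy settings for the time being", so nobody concludes that an OpenSSH or NSS restriction is enforced just because the generated file exists.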

View File

@ -1,13 +0,0 @@
Index: fedora-crypto-policies/Makefile
===================================================================
--- fedora-crypto-policies.orig/Makefile
+++ fedora-crypto-policies/Makefile
@@ -56,8 +56,6 @@ check:
tests/openssl.pl
tests/gnutls.pl
tests/nss.py
- tests/java.pl
- tests/krb5.py
top_srcdir=. tests/update-crypto-policies.sh
# Alternative, equivalent ways to write the same policies

View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:cbc5e573f2bd5dad2e405f9de35cc94c469d434b466b40890d87400f7f4cb8c1 oid sha256:e0f927cbf526fbd0bec4eaf6b2456a6d148d42abdfb25978c71ede20b3a5e2ce
size 6127 size 6770

View File

@ -1,3 +1,71 @@
-------------------------------------------------------------------
Mon May 8 09:45:45 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update the update-crypto-policies(8) man pages and README.SUSE
to mention the supported back-end policies. [bsc#1209998]
* Add crypto-policies-supported.patch
-------------------------------------------------------------------
Mon May 08 06:32:49 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to version 20230420.3d08ae7:
* openssl, alg_lists: add brainpool support
* openssl: set Groups explicitly
* codespell: ignore aNULL
* rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
* sequoia: add separate rpm-sequoia backend
* crypto-policies.7: state upfront that FUTURE is not so interoperable
* Makefile: update for asciidoc 10
* Skip the LibreswanGenerator and SequoiaGenerator:
- Add crypto-policies-policygenerators.patch
* Remove crypto-policies-test_supported_modules_only.patch
* Rebase crypto-policies-no-build-manpages.patch
-------------------------------------------------------------------
Fri Jan 20 09:25:22 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to version 20221214.a4c31a3:
* bind: expand the list of disableable algorithms
* libssh: Add support for openssh fido keys
* .gitlab-ci.yml: install krb5-devel for krb5-config
* sequoia: check using sequoia-policy-config-check
* sequoia: introduce new back-end
* Makefile: support overriding asciidoc executable name
* openssh: make none and auto explicit and different
* openssh: autodetect and allow forcing RequiredRSASize presence/name
* openssh: remove _pre_8_5_ssh
* pylintrc: update
* Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
* disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
* Makefile: exclude built manpages from codespell
* add openssh HostbasedAcceptedAlgorithms
* openssh: add RSAMinSize option following min_rsa_size
* Revert ".gitlab-ci.yml: skip pylint (bz2069837)"
* docs: add customization recommendation
* tests/java: fix java.security.disableSystemPropertiesFile=true
* policies: add FEDORA38 and TEST-FEDORA39
* bind: control ED25519/ED448
* openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
* .gitlab-ci.yml: skip pylint (bz2069837)
* openssh: add support for sntrup761x25519-sha512@openssh.com
* fips-mode-setup: fix one unrelated check to intended state
* fips-mode-setup, fips-finish-install: abandon /etc/system-fips
* Makefile: fix alt-policy test of LEGACY:AD-SUPPORT
* fips-mode-setup: catch more inconsistencies, clarify --check
* fips-mode-setup: improve handling FIPS plus subpolicies
* .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3
* gnutls: enable SHAKE, needed for Ed448
* gnutls: use allowlisting
* openssl: add newlines at the end of the output
* FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
* fips-mode-setup, fips-finish-install: call zipl more often
* Add crypto-policies-rpmlintrc file to avoid files-duplicate,
zero-length and non-conffile-in-etc warnings.
* Rebase patches:
- crypto-policies-FIPS.patch
- crypto-policies-no-build-manpages.patch
* Update README.SUSE
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal <pmonreal@suse.com> Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

View File

@ -1,7 +1,7 @@
# #
# spec file for package crypto-policies # spec file for package crypto-policies
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2023 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -16,9 +16,13 @@
# #
# testsuite is disabled by default
%bcond_with testsuite
# manbuild is disabled by default
%bcond_with manbuild
%global _python_bytecompile_extra 0 %global _python_bytecompile_extra 0
Name: crypto-policies Name: crypto-policies
Version: 20210917.c9d86d1 Version: 20230420.3d08ae7
Release: 0 Release: 0
Summary: System-wide crypto policies Summary: System-wide crypto policies
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
@ -28,27 +32,41 @@ Source0: fedora-%{name}-%{version}.tar.gz
Source1: README.SUSE Source1: README.SUSE
Source2: crypto-policies.7.gz Source2: crypto-policies.7.gz
Source3: update-crypto-policies.8.gz Source3: update-crypto-policies.8.gz
Patch0: crypto-policies-test_supported_modules_only.patch Source4: crypto-policies-rpmlintrc
%if %{without manbuild}
# To reduce the build dependencies in Ring0, we have to compile the
# man pages locally (use --with testsuite) and add crypto-policies.7.gz
# and update-crypto-policies.8.gz as sources.
Patch1: crypto-policies-no-build-manpages.patch Patch1: crypto-policies-no-build-manpages.patch
%endif
Patch2: crypto-policies-FIPS.patch Patch2: crypto-policies-FIPS.patch
BuildRequires: python3-base Patch3: crypto-policies-policygenerators.patch
# For testing, the following buildrequires need to be uncommented. Patch4: crypto-policies-supported.patch
# BuildRequires: asciidoc BuildRequires: python3-base >= 3.6
# BuildRequires: bind # The sequoia stuff needs python3-toml, removed until needed
# BuildRequires: gnutls >= 3.6.0 # BuildRequires: python3-toml
# BuildRequires: java-devel %if %{with manbuild}
# BuildRequires: libxslt BuildRequires: asciidoc
# BuildRequires: openssl %endif
# BuildRequires: perl %if %{with testsuite}
# BuildRequires: python3-coverage # The following buildrequires are needed for the testsuite
# BuildRequires: python3-devel >= 3.6 BuildRequires: bind
# BuildRequires: python3-flake8 BuildRequires: gnutls >= 3.6.0
# BuildRequires: python3-pylint BuildRequires: java-devel
# BuildRequires: python3-pytest BuildRequires: krb5-devel
# BuildRequires: perl(File::Copy) BuildRequires: libxslt
# BuildRequires: perl(File::Temp) BuildRequires: openssl
# BuildRequires: perl(File::Which) BuildRequires: perl
# BuildRequires: perl(File::pushd) BuildRequires: python3-coverage
BuildRequires: python3-devel >= 3.6
BuildRequires: python3-flake8
BuildRequires: python3-pylint
BuildRequires: python3-pytest
BuildRequires: perl(File::Copy)
BuildRequires: perl(File::Temp)
BuildRequires: perl(File::Which)
BuildRequires: perl(File::pushd)
%endif
Recommends: crypto-policies-scripts Recommends: crypto-policies-scripts
Conflicts: gnutls < 3.7.0 Conflicts: gnutls < 3.7.0
#Conflicts: libreswan < 3.28 #Conflicts: libreswan < 3.28
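Review bot: the comment above `Patch1:` says `(use --with testsuite)` to compile the man pages locally, but the bcond that controls this is `manbuild` (`%bcond_with manbuild`), so it should read `--with manbuild`. Also, the `%if %{with manbuild}` branch pulls in only asciidoc, while the Makefile's `%: %.txt` rule also runs `xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml`; whatever package provides xsltproc (the testsuite branch lists `libxslt`) is needed in the manbuild branch as well, otherwise `--with manbuild` fails at the xsltproc step.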
@ -75,7 +93,15 @@ defined in simple policy definition files.
%prep %prep
%autosetup -p1 -n fedora-%{name}-%{version} %autosetup -p1 -n fedora-%{name}-%{version}
# Make README.SUSE available for %%doc
cp -p %{SOURCE1} .
# Remove not needed policy generators
find -name libreswan.py -delete
find -name sequoia.py -delete
%build %build
export OPENSSL_CONF=''
%make_build %make_build
%install %install
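Review bot: `export OPENSSL_CONF=''` in %build (and again in %check) carries no comment; add one stating why the build host's openssl.cnf must not be picked up by the generators, since someone hardening the package later may otherwise remove it as a leftover. The two `find -name ... -delete` calls have no starting directory, which GNU find accepts but which walks the whole unpacked tree; `find python -name ...` scopes them. And with crypto-policies-policygenerators.patch already commenting out these generators' imports, the deletes are a second mechanism for the same outcome; keep one.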
@ -89,28 +115,31 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
mkdir -p -m 755 %{buildroot}%{_bindir} mkdir -p -m 755 %{buildroot}%{_bindir}
make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
# Install the manpages %if %{without manbuild}
# Install the manpages from defined sources
mkdir -p -m 755 %{buildroot}%{_mandir}/ mkdir -p -m 755 %{buildroot}%{_mandir}/
mkdir -p -m 755 %{buildroot}%{_mandir}/man7/ mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
mkdir -p -m 755 %{buildroot}%{_mandir}/man8/ mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
cp %{SOURCE2} %{buildroot}%{_mandir}/man7/ cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
cp %{SOURCE3} %{buildroot}%{_mandir}/man8/ cp %{SOURCE3} %{buildroot}%{_mandir}/man8/
%endif
# Install the executable files # Install the executable scripts
install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/ install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config # Remove the fips-related scripts and man pages
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current find -type f -name "*fips*" -delete
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol find %{buildroot} -type f -name "*fips*" -delete
# Drop pre-generated GOST-ONLY policy, we do not need to ship the files # Drop pre-generated GOST-ONLY policy, we do not need to ship them
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
# Remove fips-finish-install and test-fips-setup scripts and man # Drop FEDORA policies
find -type f -name fips-finish-install -delete rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
find -type f -name fips-finish-install.8.txt -delete
find -type f -name test-fips-setup.sh -delete
# Create back-end configs for mounting with read-only /etc/ # Create back-end configs for mounting with read-only /etc/
for d in LEGACY DEFAULT FUTURE FIPS ; do for d in LEGACY DEFAULT FUTURE FIPS ; do
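Review bot: `find -type f -name "*fips*" -delete` is run twice, once without a path (which walks the build directory after `make install` and has no effect on the package contents) and once on `%{buildroot}`; the glob is much broader than the old explicit list (fips-finish-install, fips-finish-install.8.txt, test-fips-setup.sh) and removes anything under the buildroot whose name contains `fips`. The match is case-sensitive, so the FIPS policy directory is untouched, but a future upstream file with `fips` in its name would vanish from the package without anyone noticing. Suggest keeping an explicit list, or at least restricting the search to `%{buildroot}%{_bindir}` and `%{buildroot}%{_mandir}` with a comment listing what is expected to match.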
@ -126,10 +155,14 @@ done
%py3_compile %{buildroot}%{_datadir}/crypto-policies/python %py3_compile %{buildroot}%{_datadir}/crypto-policies/python
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies # Install README.SUSE to %%doc
install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
%check %check
%if %{with testsuite}
export OPENSSL_CONF=''
%make_build test || : %make_build test || :
%endif
%post -p <lua> %post -p <lua>
if not posix.access("%{_sysconfdir}/crypto-policies/config") then if not posix.access("%{_sysconfdir}/crypto-policies/config") then
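Review bot: `%make_build test || :` discards the result of the testsuite, so `--with testsuite` can never fail a build even though this request adds all of its BuildRequires (bind, gnutls, java-devel, krb5-devel and the rest) and drops crypto-policies-test_supported_modules_only.patch to reinstate tests/java.pl and tests/krb5.py. If specific tests are known to fail on SUSE, name them in a comment; otherwise drop the `|| :` so regressions in the generated back-end configs are caught at build time.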
@ -153,7 +186,7 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then
end end
local policypath = "%{_datarootdir}/crypto-policies/"..policy local policypath = "%{_datarootdir}/crypto-policies/"..policy
for fn in posix.files(policypath) do for fn in posix.files(policypath) do
if fn ~= "." and fn ~= ".." then if fn ~= "." and fn ~= ".." then
local backend = fn:gsub(".*/", ""):gsub("%%..*", "") local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config" local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
posix.unlink(cfgfn) posix.unlink(cfgfn)
@ -166,6 +199,10 @@ end
%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || : %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
%files %files
%license COPYING.LESSER
%doc README.md NEWS CONTRIBUTING.md
%doc %{_sysconfdir}/crypto-policies/README.SUSE
%dir %{_sysconfdir}/crypto-policies/ %dir %{_sysconfdir}/crypto-policies/
%dir %{_sysconfdir}/crypto-policies/back-ends/ %dir %{_sysconfdir}/crypto-policies/back-ends/
%dir %{_sysconfdir}/crypto-policies/state/ %dir %{_sysconfdir}/crypto-policies/state/
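Review bot: README.SUSE is installed under /etc (`install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies`) and then listed as `%doc %{_sysconfdir}/crypto-policies/README.SUSE`, which is exactly what triggers the non-conffile-in-etc warning the new rpmlintrc suppresses. %prep already does `cp -p %{SOURCE1} .` with the comment "Make README.SUSE available for %%doc", so a plain `%doc README.SUSE` next to README.md would place it in %{_docdir}, and the /etc copy together with the rpmlint filter could both go.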
@ -174,21 +211,23 @@ end
%dir %{_sysconfdir}/crypto-policies/policies/modules/ %dir %{_sysconfdir}/crypto-policies/policies/modules/
%dir %{_datarootdir}/crypto-policies/ %dir %{_datarootdir}/crypto-policies/
%{_sysconfdir}/crypto-policies/README.SUSE
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will.
%ghost %{_sysconfdir}/crypto-policies/state/current %ghost %{_sysconfdir}/crypto-policies/state/current
%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
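Review bot: `%ghost ... back-ends/sequoia.config`, `back-ends/rpm-sequoia.config` and `back-ends/libreswan.config` are declared although crypto-policies-policygenerators.patch disables those generators and %prep deletes libreswan.py and sequoia.py, so update-crypto-policies will never create them; %ghost tolerates the absence, but the list then misrepresents which files the package manages. Either drop the three entries or keep them with a comment that they are placeholders for when the sequoia back-end (and its python3-toml dependency) is enabled. The `%%verify(not mode)` comment explaining the symlink-to-file flipping is useful; keep it.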
@ -204,8 +243,6 @@ end
%{_datarootdir}/crypto-policies/reload-cmds.sh %{_datarootdir}/crypto-policies/reload-cmds.sh
%{_datarootdir}/crypto-policies/policies %{_datarootdir}/crypto-policies/policies
%license COPYING.LESSER
%files scripts %files scripts
%{_bindir}/update-crypto-policies %{_bindir}/update-crypto-policies
%{_mandir}/man8/update-crypto-policies.8%{?ext_man} %{_mandir}/man8/update-crypto-policies.8%{?ext_man}

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d5e57503a00c247d549aab27de2a3d96c7d8756910939aec5acd38df6e73c252
size 75022

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0554a9e3965970a2233dee8770fe414527e073b80106db89a1170fa845c3903b
size 85811

View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:0151e1a8a5e4bb626284b6a2f93824f849b8d070ed017b6995a20a90f9180b2b oid sha256:ce03018475d3b1e4cb06951fa1c13017f13fa6600b3b10e04912af5e3e426692
size 4018 size 4179