diff --git a/README.SUSE b/README.SUSE
index fee7848..e34c3c5 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -1,2 +1,2 @@
-Currently only OpenSSL, GnuTLS, and NSS policies are supported.
+Currently only OpenSSL and GnuTLS policies are supported.
The rest of the modules ignore the policy settings for the time being.
diff --git a/_service b/_service
index 00587be..d9ed9a5 100644
--- a/_service
+++ b/_service
@@ -4,7 +4,7 @@
git
%cd.%h
enable
- 05203d21f6d0ea9bbdb351e4600f1e273720bb8e
+ c9d86d1154c4b286c9be3d5e9e32451df6f64e19
*.tar
diff --git a/_servicedata b/_servicedata
index 5c64a5c..e9d2fc7 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
https://gitlab.com/redhat-crypto/fedora-crypto-policies.git
- 05203d21f6d0ea9bbdb351e4600f1e273720bb8e
\ No newline at end of file
+ c9d86d1154c4b286c9be3d5e9e32451df6f64e19
\ No newline at end of file
diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch
new file mode 100644
index 0000000..acbcea7
--- /dev/null
+++ b/crypto-policies-FIPS.patch
@@ -0,0 +1,72 @@
+Index: fedora-crypto-policies/Makefile
+===================================================================
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
+ CONFDIR?=/etc/crypto-policies
+ DESTDIR?=
+ MAN7PAGES=crypto-policies.7
+-MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
+-SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
++MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
++SCRIPTS=update-crypto-policies fips-finish-install
+ NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
+ PYVERSION = -3
+ DIFFTOOL?=meld
+Index: fedora-crypto-policies/crypto-policies.7.txt
+===================================================================
+--- fedora-crypto-policies.orig/crypto-policies.7.txt
++++ fedora-crypto-policies/crypto-policies.7.txt
+@@ -144,9 +144,6 @@ PROVIDED POLICIES
+
+ *FIPS*::
+ A policy to aid conformance to the *FIPS 140-2* requirements.
+- This policy is used internally by the *fips-mode-setup(8)* tool
+- which can switch the system into the *FIPS 140-2* mode.
+- This policy provides at least 112-bit security.
+
+ * MACs: all *HMAC* with *SHA1* or better
+ * Curves: all prime >= 256 bits
+@@ -255,12 +252,6 @@ COMMANDS
+ back ends and allows the system administrator to change the active
+ cryptographic policy.
+
+-*fips-mode-setup(8)*::
+- This command allows the system administrator to enable, or disable the
+- system FIPS mode and also apply the *FIPS* cryptographic policy
+- which limits the allowed algorithms and protocols to these allowed by
+- the FIPS 140-2 requirements.
+-
+
+ NOTES
+ -----
+@@ -427,7 +418,7 @@ FILES
+
+ SEE ALSO
+ --------
+-update-crypto-policies(8), fips-mode-setup(8)
++update-crypto-policies(8)
+
+
+ AUTHOR
+Index: fedora-crypto-policies/python/update-crypto-policies.py
+===================================================================
+--- fedora-crypto-policies.orig/python/update-crypto-policies.py
++++ fedora-crypto-policies/python/update-crypto-policies.py
+@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
+ eprint("Warning: Using 'update-crypto-policies --set FIPS' "
+ "is not sufficient for")
+ eprint(" FIPS compliance.")
+- eprint(" Use 'fips-mode-setup --enable' "
+- "command instead.")
+ elif fips_mode():
+ eprint("Warning: Using 'update-crypto-policies --set' "
+ "in FIPS mode will make the system")
+ eprint(" non-compliant with FIPS.")
+ eprint(" It can also break "
+ "the ssh access to the system.")
+- eprint(" Use 'fips-mode-setup --disable' "
+- "to disable the system FIPS mode.")
+
+ if base_dir == DEFAULT_BASE_DIR:
+ if not os.geteuid() == 0:
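Review bot: The warnings kept at lines 92-94 and 98-102 still tell the administrator that `update-crypto-policies --set FIPS` is not sufficient for FIPS compliance and that changing policy in FIPS mode makes the system non-compliant, but with the `fips-mode-setup` hints removed they no longer say what to do instead; the deleted `eprint` lines should be replaced by a one-line pointer to the distribution's documented FIPS enablement procedure rather than leaving the warning dangling. The crypto-policies.7.txt hunk also drops `This policy provides at least 112-bit security.`, a statement about the FIPS policy itself that does not depend on fips-mode-setup and should be kept. The Makefile hunk removes `fips-mode-setup` but keeps `fips-finish-install` in `SCRIPTS` and `MAN8PAGES`, while the changelog entry in this same commit says fips-finish-install is what is being removed; dropping it here would make the spec's later `find -delete` unnecessary. `apply_policy` continues outside the hunk.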
diff --git a/crypto-policies-asciidoc.patch b/crypto-policies-asciidoc.patch
deleted file mode 100644
index a294fe0..0000000
--- a/crypto-policies-asciidoc.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-crypto-policies-master/Makefile
-===================================================================
---- fedora-crypto-policies-master.orig/Makefile 2020-09-23 08:49:28.000000000 +0200
-+++ fedora-crypto-policies-master/Makefile 2020-11-12 10:00:52.418204054 +0100
-@@ -60,8 +60,8 @@ clean:
- rm -rf output
-
- %: %.txt
-- asciidoc.py -v -d manpage -b docbook $<
-- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
-+ asciidoc -v -d manpage -b docbook $<
-+ xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
-
- dist:
- rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch
index 3278da4..61f504b 100644
--- a/crypto-policies-no-build-manpages.patch
+++ b/crypto-policies-no-build-manpages.patch
@@ -1,23 +1,8 @@
-Index: fedora-crypto-policies-master/Makefile
+Index: fedora-crypto-policies/Makefile
===================================================================
---- fedora-crypto-policies-master.orig/Makefile 2020-09-23 08:49:28.000000000 +0200
-+++ fedora-crypto-policies-master/Makefile 2020-11-12 10:00:52.418204054 +0100
-@@ -60,8 +60,8 @@ clean:
- rm -rf output
-
- %: %.txt
-- asciidoc -v -d manpage -b docbook $<
-- xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
-+ # asciidoc -v -d manpage -b docbook $<
-+ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
-
- dist:
- rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
-Index: fedora-crypto-policies-master
-===================================================================
---- fedora-crypto-policies-master.orig/Makefile
-+++ fedora-crypto-policies-master/Makefile
-@@ -21,9 +21,9 @@ install: $(MANPAGES)
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -22,9 +22,9 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(MANDIR)/man7
mkdir -p $(DESTDIR)$(MANDIR)/man8
mkdir -p $(DESTDIR)$(BINDIR)
@@ -30,3 +15,14 @@ Index: fedora-crypto-policies-master
mkdir -p $(DESTDIR)$(DIR)/
install -p -m 644 default-config $(DESTDIR)$(DIR)
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
+@@ -106,8 +106,8 @@ clean:
+ rm -rf output
+
+ %: %.txt
+- asciidoc.py -v -d manpage -b docbook $<
+- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
++ # asciidoc -v -d manpage -b docbook $<
++ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
+
+ dist:
+ rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
diff --git a/crypto-policies-test_supported_modules_only.patch b/crypto-policies-test_supported_modules_only.patch
index 9e25a9f..c2f1a90 100644
--- a/crypto-policies-test_supported_modules_only.patch
+++ b/crypto-policies-test_supported_modules_only.patch
@@ -1,8 +1,8 @@
-Index: fedora-crypto-policies-master/Makefile
+Index: fedora-crypto-policies/Makefile
===================================================================
---- fedora-crypto-policies-master.orig/Makefile
-+++ fedora-crypto-policies-master/Makefile
-@@ -45,8 +45,6 @@ check:
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -56,8 +56,6 @@ check:
tests/openssl.pl
tests/gnutls.pl
tests/nss.py
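Review bot: This rebase keeps `tests/nss.py` in the `check` target while README.SUSE in the same commit now states that only OpenSSL and GnuTLS policies are supported; if the NSS back end is no longer validated on this distribution the test should be dropped here as well, and if it is still validated the README change looks wrong. Either way the two should agree, since README.SUSE is installed under /etc/crypto-policies and is what an administrator will read.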
@@ -10,4 +10,4 @@ Index: fedora-crypto-policies-master/Makefile
- tests/krb5.py
top_srcdir=. tests/update-crypto-policies.sh
- test: check runpylint
+ # Alternative, equivalent ways to write the same policies
diff --git a/crypto-policies-typos.patch b/crypto-policies-typos.patch
deleted file mode 100644
index 1cf79ea..0000000
--- a/crypto-policies-typos.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Hideki Yamane
-Date: Sun, 25 Aug 2019 04:08:35 +0900
-Subject: fix typos
-
----
- crypto-policies.7.txt | 2 +-
- fips-finish-install | 2 +-
- fips-finish-install.8.txt | 2 +-
-
-Index: fedora-crypto-policies-master/crypto-policies.7.txt
-===================================================================
---- fedora-crypto-policies-master.orig/crypto-policies.7.txt
-+++ fedora-crypto-policies-master/crypto-policies.7.txt
-@@ -236,7 +236,7 @@ To completely override a list value in a
- sign. Combining 'list-items' with and without signs in a single list value assignment is
- not allowed however an existing list value can be modified in multiple further assignments.
-
--Non-list key values in the policy module files are simply overriden.
-+Non-list key values in the policy module files are simply overridden.
-
- The keys marked as *Optional* can be omitted in the policy definition
- files. In that case, the values will be derived from the base
-Index: fedora-crypto-policies-master/fips-finish-install
-===================================================================
---- fedora-crypto-policies-master.orig/fips-finish-install
-+++ fedora-crypto-policies-master/fips-finish-install
-@@ -12,7 +12,7 @@ if test -f /run/ostree-booted; then
- fi
-
- if test x"$1" != x--complete ; then
-- echo "Complete the instalation of FIPS modules."
-+ echo "Complete the installation of FIPS modules."
- echo "usage: $0 --complete"
- exit 2
- fi
-Index: fedora-crypto-policies-master/fips-finish-install.8.txt
-===================================================================
---- fedora-crypto-policies-master.orig/fips-finish-install.8.txt
-+++ fedora-crypto-policies-master/fips-finish-install.8.txt
-@@ -21,7 +21,7 @@ fips-finish-install(8)
-
- NAME
- ----
--fips-finish-install - complete the instalation of FIPS modules.
-+fips-finish-install - complete the installation of FIPS modules.
-
-
- SYNOPSIS
diff --git a/crypto-policies.changes b/crypto-policies.changes
index d65560f..efdf80e 100644
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@@ -1,3 +1,56 @@
+-------------------------------------------------------------------
+Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal
+
+- Remove the scripts and documentation regarding
+ fips-finish-install and test-fips-setup
+ * Add crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal
+
+- Update to version 20210917.c9d86d1:
+ * openssl: fix disabling ChaCha20
+ * pacify pylint 2.11: use format strings
+ * pacify pylint 2.11: specify explicit encoding
+ * fix minor things found by new pylint
+ * update-crypto-policies: --check against regenerated
+ * update-crypto-policies: fix --check's walking order
+ * policygenerators/gnutls: revert disabling DTLS0.9...
+ * policygenerators/java: add javasystem backend
+ * LEGACY: bump 1023 key size to 1024
+ * cryptopolicies: fix 'and' in deprecation warnings
+ * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
+ * nss: hopefully the last fix for nss sigalgs check
+ * cryptopolicies: Python 3.10 compatibility
+ * nss: postponing check + testing at least something
+ * Rename 'policy modules' to 'subpolicies'
+ * validation.rules: fix a missing word in error
+ * cryptopolicies: raise errors right after warnings
+ * update-crypto-policies: capitalize warnings
+ * cryptopolicies: syntax-precheck scope errors
+ * .gitlab-ci.yml, Makefile: enable codespell
+ * all: fix several typos
+ * docs: don't leave zero TLS/DTLS protocols on
+ * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
+ * alg_lists: order protocols new-to-old for consistency
+ * alg_lists: max_{d,}tls_version
+ * update-crypto-policies: fix pregenerated + local.d
+ * openssh: allow validation with pre-8.5
+ * .gitlab-ci.yml: run commit-range against upstream
+ * openssh: Use the new name for PubkeyAcceptedKeyTypes
+ * sha1_in_dnssec: deprecate
+ * .gitlab-ci.yml: test commit ranges
+ * FIPS:OSPP: sign = -*-SHA2-224
+ * scoped policies: documentation update
+ * scoped policies: use new features to the fullest...
+ * scoped policies: rewrite + minimal policy changes
+ * scoped policies: rewrite preparations
+ * nss: postponing the version check again, to 3.64
+- Remove patches fixed upstream: crypto-policies-typos.patch
+- Rebase: crypto-policies-test_supported_modules_only.patch
+- Merge crypto-policies-asciidoc.patch into
+ crypto-policies-no-build-manpages.patch
+
-------------------------------------------------------------------
Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal
diff --git a/crypto-policies.spec b/crypto-policies.spec
index 05c25b0..b137da1 100644
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@@ -1,7 +1,7 @@
#
# spec file for package crypto-policies
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%global _python_bytecompile_extra 0
Name: crypto-policies
-Version: 20210225.05203d2
+Version: 20210917.c9d86d1
Release: 0
Summary: System-wide crypto policies
License: LGPL-2.1-or-later
@@ -28,18 +28,23 @@ Source0: fedora-%{name}-%{version}.tar.gz
Source1: README.SUSE
Source2: crypto-policies.7.gz
Source3: update-crypto-policies.8.gz
-Patch0: crypto-policies-asciidoc.patch
-Patch1: crypto-policies-typos.patch
-Patch2: crypto-policies-test_supported_modules_only.patch
-Patch3: crypto-policies-no-build-manpages.patch
+Patch0: crypto-policies-test_supported_modules_only.patch
+Patch1: crypto-policies-no-build-manpages.patch
+Patch2: crypto-policies-FIPS.patch
BuildRequires: python3-base
+# For testing, the following buildrequires need to be uncommented.
# BuildRequires: asciidoc
+# BuildRequires: bind
# BuildRequires: gnutls >= 3.6.0
# BuildRequires: java-devel
# BuildRequires: libxslt
# BuildRequires: openssl
# BuildRequires: perl
+# BuildRequires: python3-coverage
# BuildRequires: python3-devel >= 3.6
+# BuildRequires: python3-flake8
+# BuildRequires: python3-pylint
+# BuildRequires: python3-pytest
# BuildRequires: perl(File::Copy)
# BuildRequires: perl(File::Temp)
# BuildRequires: perl(File::Which)
@@ -102,6 +107,11 @@ touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+# Remove fips-finish-install and test-fips-setup scripts and man
+find -type f -name fips-finish-install -delete
+find -type f -name fips-finish-install.8.txt -delete
+find -type f -name test-fips-setup.sh -delete
+
# Create back-end configs for mounting with read-only /etc/
for d in LEGACY DEFAULT FUTURE FIPS ; do
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
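Review bot: The three `find ... -delete` lines at 365-367 give no starting directory, so they prune whatever the current working directory is during %install; placed after the `%{buildroot}` manipulations at 361-363 they appear to run after `make install`, in which case they remove the sources in the build tree and leave the already-installed copy of `fips-finish-install` under `%{buildroot}` untouched. Target the installed file explicitly, e.g. `rm -f %{buildroot}%{_bindir}/fips-finish-install`, or better, drop `fips-finish-install` from `SCRIPTS`/`MAN8PAGES` in crypto-policies-FIPS.patch so it is never installed; `fips-finish-install.8.txt` and `test-fips-setup.sh` are unbuilt sources and need no deletion at all. The rest of %install is outside the hunk, so the ordering is inferred from the surrounding lines.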
@@ -119,7 +129,7 @@ done
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
%check
-%make_build check || :
+%make_build test || :
%post -p
if not posix.access("%{_sysconfdir}/crypto-policies/config") then
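Review bot: `%make_build test || :` can never fail the build, so the policy tests cannot catch a regression in the generated back-end configs; with every test BuildRequires still commented out (lines 345-360) and `test` now also running `runpylint` (the rebased test patch shows `test: check runpylint`), the target is expected to fail on the missing tools and the `|| :` simply hides that. Either uncomment the BuildRequires the tests need and run `%make_build check` without `|| :`, or remove the %check section so it does not suggest coverage that is not there.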
@@ -175,6 +185,7 @@ end
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
diff --git a/fedora-crypto-policies-20210225.05203d2.tar.gz b/fedora-crypto-policies-20210225.05203d2.tar.gz
deleted file mode 100644
index 9f65652..0000000
--- a/fedora-crypto-policies-20210225.05203d2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:773522be2bf98a7e88bc684d33c846b337d170cf33001dc2b20eee35c82c8030
-size 58094
diff --git a/fedora-crypto-policies-20210917.c9d86d1.tar.gz b/fedora-crypto-policies-20210917.c9d86d1.tar.gz
new file mode 100644
index 0000000..2203014
--- /dev/null
+++ b/fedora-crypto-policies-20210917.c9d86d1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5e57503a00c247d549aab27de2a3d96c7d8756910939aec5acd38df6e73c252
+size 75022