1
0

Accepting request 921336 from home:pmonrealgonzalez:branches:security:tls

- Remove the scripts and documentation regarding
  fips-finish-install and test-fips-setup
  * Add crypto-policies-FIPS.patch

- Update to version 20210917.c9d86d1:
  * openssl: fix disabling ChaCha20
  * pacify pylint 2.11: use format strings
  * pacify pylint 2.11: specify explicit encoding
  * fix minor things found by new pylint
  * update-crypto-policies: --check against regenerated
  * update-crypto-policies: fix --check's walking order
  * policygenerators/gnutls: revert disabling DTLS0.9...
  * policygenerators/java: add javasystem backend
  * LEGACY: bump 1023 key size to 1024
  * cryptopolicies: fix 'and' in deprecation warnings
  * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
  * nss: hopefully the last fix for nss sigalgs check
  * cryptopolicies: Python 3.10 compatibility
  * nss: postponing check + testing at least something
  * Rename 'policy modules' to 'subpolicies'
  * validation.rules: fix a missing word in error
  * cryptopolicies: raise errors right after warnings
  * update-crypto-policies: capitalize warnings
  * cryptopolicies: syntax-precheck scope errors
  * .gitlab-ci.yml, Makefile: enable codespell
  * all: fix several typos
  * docs: don't leave zero TLS/DTLS protocols on
  * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
  * alg_lists: order protocols new-to-old for consistency
  * alg_lists: max_{d,}tls_version

OBS-URL: https://build.opensuse.org/request/show/921336
OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=14
This commit is contained in:
Pedro Monreal Gonzalez 2021-09-27 08:09:29 +00:00 committed by Git OBS Bridge
parent 220a4c63a6
commit 64434f6b7a
12 changed files with 169 additions and 100 deletions

View File

@ -1,2 +1,2 @@
Currently only OpenSSL, GnuTLS, and NSS policies are supported.
Currently only OpenSSL and GnuTLS policies are supported.
The rest of the modules ignore the policy settings for the time being.

View File

@ -4,7 +4,7 @@
<param name="scm">git</param>
<param name="versionformat">%cd.%h</param>
<param name="changesgenerate">enable</param>
<param name="revision">05203d21f6d0ea9bbdb351e4600f1e273720bb8e</param>
<param name="revision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">*.tar</param>

View File

@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
<param name="changesrevision">05203d21f6d0ea9bbdb351e4600f1e273720bb8e</param></service></servicedata>
<param name="changesrevision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param></service></servicedata>

View File

@ -0,0 +1,72 @@
Index: fedora-crypto-policies/Makefile
===================================================================
--- fedora-crypto-policies.orig/Makefile
+++ fedora-crypto-policies/Makefile
@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
CONFDIR?=/etc/crypto-policies
DESTDIR?=
MAN7PAGES=crypto-policies.7
-MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
-SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
+MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
+SCRIPTS=update-crypto-policies fips-finish-install
NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
PYVERSION = -3
DIFFTOOL?=meld
Index: fedora-crypto-policies/crypto-policies.7.txt
===================================================================
--- fedora-crypto-policies.orig/crypto-policies.7.txt
+++ fedora-crypto-policies/crypto-policies.7.txt
@@ -144,9 +144,6 @@ PROVIDED POLICIES
*FIPS*::
A policy to aid conformance to the *FIPS 140-2* requirements.
- This policy is used internally by the *fips-mode-setup(8)* tool
- which can switch the system into the *FIPS 140-2* mode.
- This policy provides at least 112-bit security.
* MACs: all *HMAC* with *SHA1* or better
* Curves: all prime >= 256 bits
@@ -255,12 +252,6 @@ COMMANDS
back ends and allows the system administrator to change the active
cryptographic policy.
-*fips-mode-setup(8)*::
- This command allows the system administrator to enable, or disable the
- system FIPS mode and also apply the *FIPS* cryptographic policy
- which limits the allowed algorithms and protocols to these allowed by
- the FIPS 140-2 requirements.
-
NOTES
-----
@@ -427,7 +418,7 @@ FILES
SEE ALSO
--------
-update-crypto-policies(8), fips-mode-setup(8)
+update-crypto-policies(8)
AUTHOR
Index: fedora-crypto-policies/python/update-crypto-policies.py
===================================================================
--- fedora-crypto-policies.orig/python/update-crypto-policies.py
+++ fedora-crypto-policies/python/update-crypto-policies.py
@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
eprint("Warning: Using 'update-crypto-policies --set FIPS' "
"is not sufficient for")
eprint(" FIPS compliance.")
- eprint(" Use 'fips-mode-setup --enable' "
- "command instead.")
elif fips_mode():
eprint("Warning: Using 'update-crypto-policies --set' "
"in FIPS mode will make the system")
eprint(" non-compliant with FIPS.")
eprint(" It can also break "
"the ssh access to the system.")
- eprint(" Use 'fips-mode-setup --disable' "
- "to disable the system FIPS mode.")
if base_dir == DEFAULT_BASE_DIR:
if not os.geteuid() == 0:

View File

@ -1,15 +0,0 @@
Index: fedora-crypto-policies-master/Makefile
===================================================================
--- fedora-crypto-policies-master.orig/Makefile 2020-09-23 08:49:28.000000000 +0200
+++ fedora-crypto-policies-master/Makefile 2020-11-12 10:00:52.418204054 +0100
@@ -60,8 +60,8 @@ clean:
rm -rf output
%: %.txt
- asciidoc.py -v -d manpage -b docbook $<
- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
+ asciidoc -v -d manpage -b docbook $<
+ xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
dist:
rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies

View File

@ -1,23 +1,8 @@
Index: fedora-crypto-policies-master/Makefile
Index: fedora-crypto-policies/Makefile
===================================================================
--- fedora-crypto-policies-master.orig/Makefile 2020-09-23 08:49:28.000000000 +0200
+++ fedora-crypto-policies-master/Makefile 2020-11-12 10:00:52.418204054 +0100
@@ -60,8 +60,8 @@ clean:
rm -rf output
%: %.txt
- asciidoc -v -d manpage -b docbook $<
- xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
+ # asciidoc -v -d manpage -b docbook $<
+ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
dist:
rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
Index: fedora-crypto-policies-master
===================================================================
--- fedora-crypto-policies-master.orig/Makefile
+++ fedora-crypto-policies-master/Makefile
@@ -21,9 +21,9 @@ install: $(MANPAGES)
--- fedora-crypto-policies.orig/Makefile
+++ fedora-crypto-policies/Makefile
@@ -22,9 +22,9 @@ install: $(MANPAGES)
mkdir -p $(DESTDIR)$(MANDIR)/man7
mkdir -p $(DESTDIR)$(MANDIR)/man8
mkdir -p $(DESTDIR)$(BINDIR)
@ -30,3 +15,14 @@ Index: fedora-crypto-policies-master
mkdir -p $(DESTDIR)$(DIR)/
install -p -m 644 default-config $(DESTDIR)$(DIR)
install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
@@ -106,8 +106,8 @@ clean:
rm -rf output
%: %.txt
- asciidoc.py -v -d manpage -b docbook $<
- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
+ # asciidoc -v -d manpage -b docbook $<
+ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
dist:
rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies

View File

@ -1,8 +1,8 @@
Index: fedora-crypto-policies-master/Makefile
Index: fedora-crypto-policies/Makefile
===================================================================
--- fedora-crypto-policies-master.orig/Makefile
+++ fedora-crypto-policies-master/Makefile
@@ -45,8 +45,6 @@ check:
--- fedora-crypto-policies.orig/Makefile
+++ fedora-crypto-policies/Makefile
@@ -56,8 +56,6 @@ check:
tests/openssl.pl
tests/gnutls.pl
tests/nss.py
@ -10,4 +10,4 @@ Index: fedora-crypto-policies-master/Makefile
- tests/krb5.py
top_srcdir=. tests/update-crypto-policies.sh
test: check runpylint
# Alternative, equivalent ways to write the same policies

View File

@ -1,48 +0,0 @@
From: Hideki Yamane <h-yamane@sios.com>
Date: Sun, 25 Aug 2019 04:08:35 +0900
Subject: fix typos
---
crypto-policies.7.txt | 2 +-
fips-finish-install | 2 +-
fips-finish-install.8.txt | 2 +-
Index: fedora-crypto-policies-master/crypto-policies.7.txt
===================================================================
--- fedora-crypto-policies-master.orig/crypto-policies.7.txt
+++ fedora-crypto-policies-master/crypto-policies.7.txt
@@ -236,7 +236,7 @@ To completely override a list value in a
sign. Combining 'list-items' with and without signs in a single list value assignment is
not allowed however an existing list value can be modified in multiple further assignments.
-Non-list key values in the policy module files are simply overriden.
+Non-list key values in the policy module files are simply overridden.
The keys marked as *Optional* can be omitted in the policy definition
files. In that case, the values will be derived from the base
Index: fedora-crypto-policies-master/fips-finish-install
===================================================================
--- fedora-crypto-policies-master.orig/fips-finish-install
+++ fedora-crypto-policies-master/fips-finish-install
@@ -12,7 +12,7 @@ if test -f /run/ostree-booted; then
fi
if test x"$1" != x--complete ; then
- echo "Complete the instalation of FIPS modules."
+ echo "Complete the installation of FIPS modules."
echo "usage: $0 --complete"
exit 2
fi
Index: fedora-crypto-policies-master/fips-finish-install.8.txt
===================================================================
--- fedora-crypto-policies-master.orig/fips-finish-install.8.txt
+++ fedora-crypto-policies-master/fips-finish-install.8.txt
@@ -21,7 +21,7 @@ fips-finish-install(8)
NAME
----
-fips-finish-install - complete the instalation of FIPS modules.
+fips-finish-install - complete the installation of FIPS modules.
SYNOPSIS

View File

@ -1,3 +1,56 @@
-------------------------------------------------------------------
Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Remove the scripts and documentation regarding
fips-finish-install and test-fips-setup
* Add crypto-policies-FIPS.patch
-------------------------------------------------------------------
Fri Sep 24 09:34:03 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Update to version 20210917.c9d86d1:
* openssl: fix disabling ChaCha20
* pacify pylint 2.11: use format strings
* pacify pylint 2.11: specify explicit encoding
* fix minor things found by new pylint
* update-crypto-policies: --check against regenerated
* update-crypto-policies: fix --check's walking order
* policygenerators/gnutls: revert disabling DTLS0.9...
* policygenerators/java: add javasystem backend
* LEGACY: bump 1023 key size to 1024
* cryptopolicies: fix 'and' in deprecation warnings
* *ssh: condition ecdh-sha2-nistp384 on SECP384R1
* nss: hopefully the last fix for nss sigalgs check
* cryptopolicies: Python 3.10 compatibility
* nss: postponing check + testing at least something
* Rename 'policy modules' to 'subpolicies'
* validation.rules: fix a missing word in error
* cryptopolicies: raise errors right after warnings
* update-crypto-policies: capitalize warnings
* cryptopolicies: syntax-precheck scope errors
* .gitlab-ci.yml, Makefile: enable codespell
* all: fix several typos
* docs: don't leave zero TLS/DTLS protocols on
* openssl: separate TLS/DTLS MinProtocol/MaxProtocol
* alg_lists: order protocols new-to-old for consistency
* alg_lists: max_{d,}tls_version
* update-crypto-policies: fix pregenerated + local.d
* openssh: allow validation with pre-8.5
* .gitlab-ci.yml: run commit-range against upstream
* openssh: Use the new name for PubkeyAcceptedKeyTypes
* sha1_in_dnssec: deprecate
* .gitlab-ci.yml: test commit ranges
* FIPS:OSPP: sign = -*-SHA2-224
* scoped policies: documentation update
* scoped policies: use new features to the fullest...
* scoped policies: rewrite + minimal policy changes
* scoped policies: rewrite preparations
* nss: postponing the version check again, to 3.64
- Remove patches fixed upstream: crypto-policies-typos.patch
- Rebase: crypto-policies-test_supported_modules_only.patch
- Merge crypto-policies-asciidoc.patch into
crypto-policies-no-build-manpages.patch
-------------------------------------------------------------------
Thu Feb 25 12:05:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

View File

@ -1,7 +1,7 @@
#
# spec file for package crypto-policies
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -18,7 +18,7 @@
%global _python_bytecompile_extra 0
Name: crypto-policies
Version: 20210225.05203d2
Version: 20210917.c9d86d1
Release: 0
Summary: System-wide crypto policies
License: LGPL-2.1-or-later
@ -28,18 +28,23 @@ Source0: fedora-%{name}-%{version}.tar.gz
Source1: README.SUSE
Source2: crypto-policies.7.gz
Source3: update-crypto-policies.8.gz
Patch0: crypto-policies-asciidoc.patch
Patch1: crypto-policies-typos.patch
Patch2: crypto-policies-test_supported_modules_only.patch
Patch3: crypto-policies-no-build-manpages.patch
Patch0: crypto-policies-test_supported_modules_only.patch
Patch1: crypto-policies-no-build-manpages.patch
Patch2: crypto-policies-FIPS.patch
BuildRequires: python3-base
# For testing, the following buildrequires need to be uncommented.
# BuildRequires: asciidoc
# BuildRequires: bind
# BuildRequires: gnutls >= 3.6.0
# BuildRequires: java-devel
# BuildRequires: libxslt
# BuildRequires: openssl
# BuildRequires: perl
# BuildRequires: python3-coverage
# BuildRequires: python3-devel >= 3.6
# BuildRequires: python3-flake8
# BuildRequires: python3-pylint
# BuildRequires: python3-pytest
# BuildRequires: perl(File::Copy)
# BuildRequires: perl(File::Temp)
# BuildRequires: perl(File::Which)
@ -102,6 +107,11 @@ touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
# Remove fips-finish-install and test-fips-setup scripts and man
find -type f -name fips-finish-install -delete
find -type f -name fips-finish-install.8.txt -delete
find -type f -name test-fips-setup.sh -delete
# Create back-end configs for mounting with read-only /etc/
for d in LEGACY DEFAULT FUTURE FIPS ; do
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
@ -119,7 +129,7 @@ done
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
%check
%make_build check || :
%make_build test || :
%post -p <lua>
if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@ -175,6 +185,7 @@ end
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:773522be2bf98a7e88bc684d33c846b337d170cf33001dc2b20eee35c82c8030
size 58094

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d5e57503a00c247d549aab27de2a3d96c7d8756910939aec5acd38df6e73c252
size 75022