Accepting request 850540 from home:vitezslav_cizek

System crypto policies from Fedora. https://jira.suse.com/browse/SLE-15832 https://fedoraproject.org/wiki/Changes/CryptoPolicy OBS-URL: https://build.opensuse.org/request/show/850540 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=1
2020-11-25 11:15:23 +00:00 · 2020-11-25 11:15:23 +00:00 · af8d3f38d5
commit af8d3f38d5
6 changed files with 241 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/crypto-policies-asciidoc.patch
+++ b/crypto-policies-asciidoc.patch
@ -0,0 +1,15 @@
+Index: fedora-crypto-policies-master/Makefile
+===================================================================
+--- fedora-crypto-policies-master.orig/Makefile	2020-09-23 08:49:28.000000000 +0200
+++ fedora-crypto-policies-master/Makefile	2020-11-12 10:00:52.418204054 +0100
+@@ -60,8 +60,8 @@ clean:
+ 	rm -rf output
+ 
+ %: %.txt
+-	asciidoc.py -v -d manpage -b docbook $<
+-	xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
+	asciidoc -v -d manpage -b docbook $<
+	xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
+ 
+ dist:
+ 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Thu Nov 12 08:20:19 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Initial packaging, git version 20200918 (jsc#SLE-15832)
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -0,0 +1,195 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2020 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global git_date 20201115
+#%global git_commit 85dccc5a5b7127e54e0c82b2b5ab5f5fb6fb5490
+#%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
+%global _python_bytecompile_extra 0
+Name:           crypto-policies
+Version:        %{git_date}
+Release:        1.git%{git_commit_hash}%{?dist}
+Summary:        System-wide crypto policies
+License:        LGPL-2.1-or-later
+URL:            https://gitlab.com/redhat-crypto/fedora-crypto-policies
+#Source0:        https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
+Source0:        fedora-crypto-policies-master.tar.gz
+Patch0:         crypto-policies-asciidoc.patch
+BuildRequires:  asciidoc
+BuildRequires:  bind
+BuildRequires:  gnutls >= 3.6.0
+BuildRequires:  java-devel
+BuildRequires:  libxslt
+BuildRequires:  openssl
+BuildRequires:  perl
+BuildRequires:  python3-devel
+BuildRequires:  perl(File::Copy)
+BuildRequires:  perl(File::Temp)
+BuildRequires:  perl(File::Which)
+BuildRequires:  perl(File::pushd)
+Recommends:     crypto-policies-scripts
+Conflicts:      gnutls < 3.6.11
+Conflicts:      libreswan < 3.28
+Conflicts:      nss < 3.44.0
+Conflicts:      openssh < 8.2p1
+BuildArch:      noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary:        Tool to switch between crypto policies
+Requires:       %{name} = %{version}-%{release}
+Recommends:     grubby
+Provides:       fips-mode-setup = %{version}-%{release}
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+The package also provides a tool fips-mode-setup, which can be used
+to enable or disable the system FIPS mode.
+
+%prep
+#%setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit}
+%autosetup -p1 -n fedora-crypto-policies-master
+
+%build
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS ; do
+    mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+    for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+        ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+    done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+    ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+%check
+%make_build check
+
+%post -p <lua>
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+    local policy = "DEFAULT"
+    local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+    if cf then
+        if cf:read() == "1" then
+            policy = "FIPS"
+        end
+        cf:close()
+    end
+    cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+    if cf then
+        cf:write(policy.."\n")
+        cf:close()
+    end
+    cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+    if cf then
+        cf:write(policy.."\n")
+        cf:close()
+    end
+    local policypath = "%{_datarootdir}/crypto-policies/"..policy
+    for fn in posix.files(policypath) do
+        local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+        local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+        posix.unlink(cfgfn)
+        posix.symlink(policypath.."/"..fn, cfgfn)
+    end
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%license COPYING.LESSER
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
+
+%changelog
--- a/fedora-crypto-policies-master.tar.gz
+++ b/fedora-crypto-policies-master.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c9b25736802f9f0af94f213eae8f146cd7ba5cc5288fe33ab6e09c60e50ccb9
+size 54714