From 4ac1e9ad7b36fd1ece2a7a5c84e76c584b6f980b4a857328745c1ba7b33d623b Mon Sep 17 00:00:00 2001 
From: Martin Pluskal Date: Sun, 14 May 2023 10:09:24 +0000 Subject: [PATCH 1/2] Accepting request 1086482 from home:pmonrealgonzalez:branches:security:tls - Update the update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. [bsc#1209998] * Add crypto-policies-supported.patch - Update to version 20230420.3d08ae7: * openssl, alg_lists: add brainpool support * openssl: set Groups explicitly * codespell: ignore aNULL * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 * sequoia: add separate rpm-sequoia backend * crypto-policies.7: state upfront that FUTURE is not so interoperable * Makefile: update for asciidoc 10 * Skip the LibreswanGenerator and SequoiaGenerator: - Add crypto-policies-policygenerators.patch * Remove crypto-policies-test_supported_modules_only.patch * Rebase crypto-policies-no-build-manpages.patch - Update to version 20221214.a4c31a3: * bind: expand the list of disableable algorithms * libssh: Add support for openssh fido keys * .gitlab-ci.yml: install krb5-devel for krb5-config * sequoia: check using sequoia-policy-config-check * sequoia: introduce new back-end * Makefile: support overriding asciidoc executable name * openssh: make none and auto explicit and different * openssh: autodetect and allow forcing RequiredRSASize presence/name * openssh: remove _pre_8_5_ssh * pylintrc: update * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"... 
OBS-URL: https://build.opensuse.org/request/show/1086482 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=15 --- README.SUSE | 6 +- _service | 2 +- _servicedata | 2 +- crypto-policies-FIPS.patch | 24 ++-- crypto-policies-no-build-manpages.patch | 24 ++-- crypto-policies-policygenerators.patch | 40 ++++++ crypto-policies-rpmlintrc | 3 + crypto-policies-supported.patch | 37 +++++ ...policies-test_supported_modules_only.patch | 13 -- crypto-policies.7.gz | 4 +- crypto-policies.changes | 68 +++++++++ crypto-policies.spec | 133 +++++++++++------- ...ra-crypto-policies-20210917.c9d86d1.tar.gz | 3 - ...ra-crypto-policies-20230420.3d08ae7.tar.gz | 3 + update-crypto-policies.8.gz | 4 +- 15 files changed, 271 insertions(+), 95 deletions(-) create mode 100644 crypto-policies-policygenerators.patch create mode 100644 crypto-policies-rpmlintrc create mode 100644 crypto-policies-supported.patch delete mode 100644 crypto-policies-test_supported_modules_only.patch delete mode 100644 fedora-crypto-policies-20210917.c9d86d1.tar.gz create mode 100644 fedora-crypto-policies-20230420.3d08ae7.tar.gz diff --git a/README.SUSE b/README.SUSE index e34c3c5..46ae71a 100644 --- a/README.SUSE +++ b/README.SUSE @@ -1,2 +1,6 @@ -Currently only OpenSSL and GnuTLS policies are supported. +Currently, the supported back-end policies are: + * OpenSSL library + * GnuTLS library + * OpenJDK (only for java-1_8_0-openjdk and java-11-openjdk) + The rest of the modules ignore the policy settings for the time being. diff --git a/_service b/_service index d9ed9a5..9b955e3 100644 --- a/_service +++ b/_service @@ -4,7 +4,7 @@ git %cd.%h enable - c9d86d1154c4b286c9be3d5e9e32451df6f64e19 + 3d08ae70557e5a86686e5b24e443731bfdf232bb *.tar diff --git a/_servicedata b/_servicedata index e9d2fc7..424997b 100644 --- a/_servicedata +++ b/_servicedata 
@@ -1,4 +1,4 @@ https://gitlab.com/redhat-crypto/fedora-crypto-policies.git - c9d86d1154c4b286c9be3d5e9e32451df6f64e19 \ No newline at end of file + 3d08ae70557e5a86686e5b24e443731bfdf232bb \ No newline at end of file diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch index acbcea7..5a98b37 100644 --- a/crypto-policies-FIPS.patch +++ b/crypto-policies-FIPS.patch @@ -1,7 +1,7 @@ -Index: fedora-crypto-policies/Makefile +Index: fedora-crypto-policies-20221214.a4c31a3/Makefile =================================================================== ---- fedora-crypto-policies.orig/Makefile -+++ fedora-crypto-policies/Makefile +--- fedora-crypto-policies-20221214.a4c31a3.orig/Makefile ++++ fedora-crypto-policies-20221214.a4c31a3/Makefile @@ -5,8 +5,8 @@ MANDIR?=/usr/share/man CONFDIR?=/etc/crypto-policies DESTDIR?= @@ -13,11 +13,11 @@ Index: fedora-crypto-policies/Makefile NUM_PROCS = $$(getconf _NPROCESSORS_ONLN) PYVERSION = -3 DIFFTOOL?=meld -Index: fedora-crypto-policies/crypto-policies.7.txt +Index: fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt =================================================================== ---- fedora-crypto-policies.orig/crypto-policies.7.txt -+++ fedora-crypto-policies/crypto-policies.7.txt -@@ -144,9 +144,6 @@ PROVIDED POLICIES +--- fedora-crypto-policies-20221214.a4c31a3.orig/crypto-policies.7.txt ++++ fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt +@@ -153,9 +153,6 @@ PROVIDED POLICIES *FIPS*:: A policy to aid conformance to the *FIPS 140-2* requirements. @@ -27,7 +27,7 @@ Index: fedora-crypto-policies/crypto-policies.7.txt * MACs: all *HMAC* with *SHA1* or better * Curves: all prime >= 256 bits -@@ -255,12 +252,6 @@ COMMANDS +@@ -264,12 +261,6 @@ COMMANDS back ends and allows the system administrator to change the active cryptographic policy. @@ -40,7 +40,7 @@ Index: fedora-crypto-policies/crypto-policies.7.txt NOTES ----- -@@ -427,7 +418,7 @@ FILES +@@ -447,7 +438,7 @@ FILES SEE ALSO -------- 
@@ -49,10 +49,10 @@ Index: fedora-crypto-policies/crypto-policies.7.txt AUTHOR -Index: fedora-crypto-policies/python/update-crypto-policies.py +Index: fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py =================================================================== ---- fedora-crypto-policies.orig/python/update-crypto-policies.py -+++ fedora-crypto-policies/python/update-crypto-policies.py +--- fedora-crypto-policies-20221214.a4c31a3.orig/python/update-crypto-policies.py ++++ fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py @@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None, eprint("Warning: Using 'update-crypto-policies --set FIPS' " "is not sufficient for") diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch index 61f504b..7e09857 100644 --- a/crypto-policies-no-build-manpages.patch +++ b/crypto-policies-no-build-manpages.patch 
@@ -1,28 +1,28 @@ -Index: fedora-crypto-policies/Makefile +Index: fedora-crypto-policies-20230420.3d08ae7/Makefile =================================================================== ---- fedora-crypto-policies.orig/Makefile -+++ fedora-crypto-policies/Makefile -@@ -22,9 +22,9 @@ install: $(MANPAGES) +--- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile ++++ fedora-crypto-policies-20230420.3d08ae7/Makefile +@@ -28,9 +28,9 @@ install: $(MANPAGES) mkdir -p $(DESTDIR)$(MANDIR)/man7 mkdir -p $(DESTDIR)$(MANDIR)/man8 mkdir -p $(DESTDIR)$(BINDIR) - install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 - install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 - install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) -+# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 -+# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 -+# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) ++ # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7 ++ # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8 ++ # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR) mkdir -p $(DESTDIR)$(DIR)/ install -p -m 644 default-config $(DESTDIR)$(DIR) install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR) -@@ -106,8 +106,8 @@ clean: +@@ -114,8 +114,8 @@ clean: rm -rf output %: %.txt -- asciidoc.py -v -d manpage -b docbook $< -- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml -+ # asciidoc -v -d manpage -b docbook $< -+ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml +- $(ASCIIDOC) -v -d manpage -b docbook $< +- xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml ++ #$(ASCIIDOC) -v -d manpage -b docbook $< ++ #xsltproc --nonet -o $@ ${MANPAGEXSL} $@.xml dist: rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies 
diff --git a/crypto-policies-policygenerators.patch b/crypto-policies-policygenerators.patch new file mode 100644 index 0000000..d5e2eb0 --- /dev/null +++ b/crypto-policies-policygenerators.patch @@ -0,0 +1,40 @@ +Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/__init__.py ++++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py +@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator + from .java import JavaGenerator + from .java import JavaSystemGenerator + from .krb5 import KRB5Generator +-from .libreswan import LibreswanGenerator ++#from .libreswan import LibreswanGenerator + from .libssh import LibsshGenerator + from .nss import NSSGenerator + from .openssh import OpenSSHClientGenerator + from .openssh import OpenSSHServerGenerator + from .openssl import OpenSSLConfigGenerator + from .openssl import OpenSSLGenerator +-from .sequoia import SequoiaGenerator +-from .sequoia import RPMSequoiaGenerator ++#from .sequoia import SequoiaGenerator ++#from .sequoia import RPMSequoiaGenerator + + __all__ = [ + 'BindGenerator', +@@ -24,13 +24,13 @@ __all__ = [ + 'JavaGenerator', + 'JavaSystemGenerator', + 'KRB5Generator', +- 'LibreswanGenerator', ++# 'LibreswanGenerator', + 'LibsshGenerator', + 'NSSGenerator', + 'OpenSSHClientGenerator', + 'OpenSSHServerGenerator', + 'OpenSSLConfigGenerator', + 'OpenSSLGenerator', +- 'SequoiaGenerator', +- 'RPMSequoiaGenerator', ++# 'SequoiaGenerator', ++# 'RPMSequoiaGenerator', + ] diff --git a/crypto-policies-rpmlintrc b/crypto-policies-rpmlintrc new file mode 100644 index 0000000..6fdbe70 --- /dev/null +++ b/crypto-policies-rpmlintrc @@ -0,0 +1,3 @@ +addFilter(".*files-duplicate.*") +addFilter(".*zero-length.*") +addFilter(".non-conffile-in-etc.*") 
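Review bot: crypto-policies-policygenerators.patch carries no description above its first `Index:` line, so the reason LibreswanGenerator, SequoiaGenerator and RPMSequoiaGenerator are disabled is only recoverable from crypto-policies.changes and the `# The sequoia stuff needs python3-toml` remark in the spec. A one-line header before `Index:` such as `# Skip the Libreswan and Sequoia generators: not needed on openSUSE, and sequoia would pull in python3-toml` documents it where the next rebaser will see it. Commenting the entries out inside `__all__` with `+# 'LibreswanGenerator',` rather than deleting them is also a style point: commented-out list items tend to survive rebases, and removing the six lines outright keeps `__all__` an accurate export list.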
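Review bot: The third filter in crypto-policies-rpmlintrc, `addFilter(".non-conffile-in-etc.*")`, lacks the leading `*` that the other two patterns have; it likely still matches because rpmlint filters are unanchored regexes, but it reads as a typo and should be `addFilter(".*non-conffile-in-etc.*")`. The filter also silences every non-conffile-in-etc report for the package, while the only file this commit places under /etc without %config appears to be README.SUSE (marked %doc in %files). Narrowing it to that file, e.g. `addFilter(".*non-conffile-in-etc.*README.SUSE.*")`, keeps rpmlint able to flag a future back-end file dropped into /etc/crypto-policies without %config, which rpm would otherwise overwrite on package update.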
diff --git a/crypto-policies-supported.patch b/crypto-policies-supported.patch new file mode 100644 index 0000000..1867856 --- /dev/null +++ b/crypto-policies-supported.patch @@ -0,0 +1,37 @@ +Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt ++++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt +@@ -54,23 +54,23 @@ are configured to follow the default pol + The generated back-end policies will be placed in /etc/crypto-policies/back-ends. + Currently the supported back-ends (and directive scopes they respect) are: + +-* GnuTLS library (GnuTLS, SSL, TLS) ++* GnuTLS library (GnuTLS, SSL, TLS) (Supported) + +-* OpenSSL library (OpenSSL, SSL, TLS) ++* OpenSSL library (OpenSSL, SSL, TLS) (Supported) + +-* NSS library (NSS, SSL, TLS) ++* NSS library (NSS, SSL, TLS) (Not supported) + +-* OpenJDK (java-tls, SSL, TLS) ++* OpenJDK (java-tls, SSL, TLS) (Supported only for java-1_8_0-openjdk and java-11-openjdk) + +-* Libkrb5 (krb5, kerberos) ++* Libkrb5 (krb5, kerberos) (Not supported) + +-* BIND (BIND, DNSSec) ++* BIND (BIND, DNSSec) (Not supported) + +-* OpenSSH (OpenSSH, SSH) ++* OpenSSH (OpenSSH, SSH) (Not supported) + +-* Libreswan (libreswan, IKE, IPSec) ++* Libreswan (libreswan, IKE, IPSec) (Not supported) + +-* libssh (libssh, SSH) ++* libssh (libssh, SSH) (Not supported) + + Applications and languages which rely on any of these back-ends will follow + the system policies as well. Examples are apache httpd, nginx, php, and diff --git a/crypto-policies-test_supported_modules_only.patch b/crypto-policies-test_supported_modules_only.patch deleted file mode 100644 index c2f1a90..0000000 --- a/crypto-policies-test_supported_modules_only.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -Index: fedora-crypto-policies/Makefile -=================================================================== ---- fedora-crypto-policies.orig/Makefile -+++ fedora-crypto-policies/Makefile -@@ -56,8 +56,6 @@ check: - tests/openssl.pl - tests/gnutls.pl - tests/nss.py -- tests/java.pl -- tests/krb5.py - top_srcdir=. tests/update-crypto-policies.sh - - # Alternative, equivalent ways to write the same policies diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz index d8cc82c..40ad731 100644 --- a/crypto-policies.7.gz +++ b/crypto-policies.7.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:cbc5e573f2bd5dad2e405f9de35cc94c469d434b466b40890d87400f7f4cb8c1 -size 6127 +oid sha256:e0f927cbf526fbd0bec4eaf6b2456a6d148d42abdfb25978c71ede20b3a5e2ce +size 6770 diff --git a/crypto-policies.changes b/crypto-policies.changes index efdf80e..4eef770 100644 --- a/crypto-policies.changes +++ b/crypto-policies.changes 
@@ -1,3 +1,71 @@ +------------------------------------------------------------------- +Mon May 8 09:45:45 UTC 2023 - Pedro Monreal + +- Update the update-crypto-policies(8) man pages and README.SUSE + to mention the supported back-end policies. [bsc#1209998] + * Add crypto-policies-supported.patch + +------------------------------------------------------------------- +Mon May 08 06:32:49 UTC 2023 - Pedro Monreal + +- Update to version 20230420.3d08ae7: + * openssl, alg_lists: add brainpool support + * openssl: set Groups explicitly + * codespell: ignore aNULL + * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960 + * sequoia: add separate rpm-sequoia backend + * crypto-policies.7: state upfront that FUTURE is not so interoperable + * Makefile: update for asciidoc 10 + * Skip the LibreswanGenerator and SequoiaGenerator: + - Add crypto-policies-policygenerators.patch + * Remove crypto-policies-test_supported_modules_only.patch + * Rebase crypto-policies-no-build-manpages.patch + +------------------------------------------------------------------- +Fri Jan 20 09:25:22 UTC 2023 - Pedro Monreal + +- Update to version 20221214.a4c31a3: + * bind: expand the list of disableable algorithms + * libssh: Add support for openssh fido keys + * .gitlab-ci.yml: install krb5-devel for krb5-config + * sequoia: check using sequoia-policy-config-check + * sequoia: introduce new back-end + * Makefile: support overriding asciidoc executable name + * openssh: make none and auto explicit and different + * openssh: autodetect and allow forcing RequiredRSASize presence/name + * openssh: remove _pre_8_5_ssh + * pylintrc: update + * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..." + * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"... 
+ * Makefile: exclude built manpages from codespell + * add openssh HostbasedAcceptedAlgorithms + * openssh: add RSAMinSize option following min_rsa_size + * Revert ".gitlab-ci.yml: skip pylint (bz2069837)" + * docs: add customization recommendation + * tests/java: fix java.security.disableSystemPropertiesFile=true + * policies: add FEDORA38 and TEST-FEDORA39 + * bind: control ED25519/ED448 + * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 + * .gitlab-ci.yml: skip pylint (bz2069837) + * openssh: add support for sntrup761x25519-sha512@openssh.com + * fips-mode-setup: fix one unrelated check to intended state + * fips-mode-setup, fips-finish-install: abandon /etc/system-fips + * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT + * fips-mode-setup: catch more inconsistencies, clarify --check + * fips-mode-setup: improve handling FIPS plus subpolicies + * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3 + * gnutls: enable SHAKE, needed for Ed448 + * gnutls: use allowlisting + * openssl: add newlines at the end of the output + * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-* + * fips-mode-setup, fips-finish-install: call zipl more often + * Add crypto-policies-rpmlintrc file to avoid files-duplicate, + zero-length and non-conffile-in-etc warnings. + * Rebase patches: + - crypto-policies-FIPS.patch + - crypto-policies-no-build-manpages.patch + * Update README.SUSE + ------------------------------------------------------------------- Fri Sep 24 11:30:21 UTC 2021 - Pedro Monreal diff --git a/crypto-policies.spec b/crypto-policies.spec index b137da1..ff3a1f8 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec @@ -1,7 +1,7 @@ # # spec file for package crypto-policies # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,9 +16,13 @@ # +# testsuite is disabled by default +%bcond_with testsuite +# manbuild is disabled by default +%bcond_with manbuild %global _python_bytecompile_extra 0 Name: crypto-policies -Version: 20210917.c9d86d1 +Version: 20230420.3d08ae7 Release: 0 Summary: System-wide crypto policies License: LGPL-2.1-or-later 
@@ -28,27 +32,41 @@ Source0: fedora-%{name}-%{version}.tar.gz Source1: README.SUSE Source2: crypto-policies.7.gz Source3: update-crypto-policies.8.gz -Patch0: crypto-policies-test_supported_modules_only.patch +Source4: crypto-policies-rpmlintrc +%if %{without manbuild} +# To reduce the build dependencies in Ring0, we have to compile the +# man pages locally (use --with testsuite) and add crypto-policies.7.gz +# and update-crypto-policies.8.gz as sources. Patch1: crypto-policies-no-build-manpages.patch +%endif Patch2: crypto-policies-FIPS.patch -BuildRequires: python3-base -# For testing, the following buildrequires need to be uncommented. -# BuildRequires: asciidoc -# BuildRequires: bind -# BuildRequires: gnutls >= 3.6.0 -# BuildRequires: java-devel -# BuildRequires: libxslt -# BuildRequires: openssl -# BuildRequires: perl -# BuildRequires: python3-coverage -# BuildRequires: python3-devel >= 3.6 -# BuildRequires: python3-flake8 -# BuildRequires: python3-pylint -# BuildRequires: python3-pytest -# BuildRequires: perl(File::Copy) -# BuildRequires: perl(File::Temp) -# BuildRequires: perl(File::Which) -# BuildRequires: perl(File::pushd) +Patch3: crypto-policies-policygenerators.patch +Patch4: crypto-policies-supported.patch +BuildRequires: python3-base >= 3.6 +# The sequoia stuff needs python3-toml, removed until needed +# BuildRequires: python3-toml +%if %{with manbuild} +BuildRequires: asciidoc +%endif +%if %{with testsuite} +# The following buildrequires are needed for the testsuite +BuildRequires: bind +BuildRequires: gnutls >= 3.6.0 +BuildRequires: java-devel +BuildRequires: krb5-devel +BuildRequires: libxslt +BuildRequires: openssl +BuildRequires: perl +BuildRequires: python3-coverage +BuildRequires: python3-devel >= 3.6 +BuildRequires: python3-flake8 +BuildRequires: python3-pylint +BuildRequires: python3-pytest +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Temp) +BuildRequires: perl(File::Which) +BuildRequires: perl(File::pushd) +%endif Recommends: 
crypto-policies-scripts Conflicts: gnutls < 3.7.0 #Conflicts: libreswan < 3.28 @@ -75,7 +93,15 @@ defined in simple policy definition files. %prep %autosetup -p1 -n fedora-%{name}-%{version} +# Make README.SUSE available for %%doc +cp -p %{SOURCE1} . + +# Remove not needed policy generators +find -name libreswan.py -delete +find -name sequoia.py -delete + %build +export OPENSSL_CONF='' %make_build %install 
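Review bot: The comment above Patch1 says the man pages are compiled locally with `--with testsuite`, but the bcond that gates Patch1 and the asciidoc BuildRequires is `manbuild`; the line should read `# man pages locally (use --with manbuild) and add crypto-policies.7.gz`. A reader following the comment as written would enable the testsuite and still get crypto-policies-no-build-manpages.patch applied. The `# The sequoia stuff needs python3-toml, removed until needed` remark is one of three places that have to change together when sequoia returns, the others being Patch3 and the `find -name sequoia.py -delete` in %prep; naming them in the comment ties the pieces together.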
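Review bot: The two `find -name ... -delete` lines added to %prep remove any file with those names anywhere in the unpacked tree, not only the generator modules that Patch3 stops importing; explicit paths, `rm -f python/policygenerators/libreswan.py python/policygenerators/sequoia.py`, state exactly what is dropped and fail loudly if the layout moves. `export OPENSSL_CONF=''` in %build has no comment saying why the build must ignore the host OpenSSL configuration; a short why-comment (presumably to keep a host crypto-policies setup from influencing the generated output — confirm) would help the next rebaser, and the same line is repeated in %check. The %build section continues past the end of the hunk.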
@@ -89,28 +115,31 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/ mkdir -p -m 755 %{buildroot}%{_bindir} make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install +install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config +touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current +touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol -# Install the manpages +%if %{without manbuild} +# Install the manpages from defined sources mkdir -p -m 755 %{buildroot}%{_mandir}/ mkdir -p -m 755 %{buildroot}%{_mandir}/man7/ mkdir -p -m 755 %{buildroot}%{_mandir}/man8/ cp %{SOURCE2} %{buildroot}%{_mandir}/man7/ cp %{SOURCE3} %{buildroot}%{_mandir}/man8/ +%endif -# Install the executable files +# Install the executable scripts install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/ -install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config -touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current -touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol +# Remove the fips-related scripts and man pages +find -type f -name "*fips*" -delete +find %{buildroot} -type f -name "*fips*" -delete -# Drop pre-generated GOST-ONLY policy, we do not need to ship the files +# Drop pre-generated GOST-ONLY policy, we do not need to ship them rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY -# Remove fips-finish-install and test-fips-setup scripts and man -find -type f -name fips-finish-install -delete -find -type f -name fips-finish-install.8.txt -delete -find -type f -name test-fips-setup.sh -delete +# Drop FEDORA policies +rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA* # Create back-end configs for mounting with read-only /etc/ for d in LEGACY DEFAULT FUTURE FIPS ; do 
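Review bot: Replacing the three explicit `find -type f -name fips-finish-install ...` deletions with `find -type f -name "*fips*" -delete`, run on both the source tree and %{buildroot}, widens the match to every lower-case file name containing "fips"; the FIPS policy files survive only because `-name` is case-sensitive and they are spelled in upper case, which a future rename in upstream could silently break. Keeping the explicit list of script and man page names, as the removed lines did, keeps the policy directory out of reach. The source-tree pass runs after `make ... install` and so cannot change what was installed; if it is meant to keep the fips scripts out of %doc, a comment saying so would spare the reader the question. The `for d in LEGACY DEFAULT FUTURE FIPS ; do` loop at the end of the hunk continues outside it.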
@@ -126,10 +155,14 @@ done %py3_compile %{buildroot}%{_datadir}/crypto-policies/python -cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies +# Install README.SUSE to %%doc +install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies %check +%if %{with testsuite} +export OPENSSL_CONF='' %make_build test || : +%endif %post -p if not posix.access("%{_sysconfdir}/crypto-policies/config") then @@ -153,7 +186,7 @@ if not posix.access("%{_sysconfdir}/crypto-policies/config") then end local policypath = "%{_datarootdir}/crypto-policies/"..policy for fn in posix.files(policypath) do - if fn ~= "." and fn ~= ".." then + if fn ~= "." and fn ~= ".." then local backend = fn:gsub(".*/", ""):gsub("%%..*", "") local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config" posix.unlink(cfgfn) @@ -166,6 +199,10 @@ end %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || : %files +%license COPYING.LESSER +%doc README.md NEWS CONTRIBUTING.md +%doc %{_sysconfdir}/crypto-policies/README.SUSE + %dir %{_sysconfdir}/crypto-policies/ %dir %{_sysconfdir}/crypto-policies/back-ends/ %dir %{_sysconfdir}/crypto-policies/state/ 
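Review bot: With the testsuite now opt-in behind `%bcond_with testsuite` and its own BuildRequires, `%make_build test || :` still discards the exit status, so a `--with testsuite` build reports success even when the tests fail; `%make_build test` without `|| :` would make the option meaningful. The new comment `# Install README.SUSE to %%doc` sits above an install into %{_sysconfdir}/crypto-policies, and the %doc marking actually happens in %files; `# Install README.SUSE under /etc (marked %%doc in %%files)` describes what the line does.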
@@ -174,21 +211,23 @@ end %dir %{_sysconfdir}/crypto-policies/policies/modules/ %dir %{_datarootdir}/crypto-policies/ -%{_sysconfdir}/crypto-policies/README.SUSE %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config -%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config +%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/nss.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config +%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config +# %%verify(not mode) comes from the fact that these turn into symlinks and back to regular files at will. %ghost %{_sysconfdir}/crypto-policies/state/current %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol @@ -204,8 +243,6 @@ end %{_datarootdir}/crypto-policies/reload-cmds.sh %{_datarootdir}/crypto-policies/policies -%license COPYING.LESSER - %files scripts %{_bindir}/update-crypto-policies %{_mandir}/man8/update-crypto-policies.8%{?ext_man} diff --git a/fedora-crypto-policies-20210917.c9d86d1.tar.gz b/fedora-crypto-policies-20210917.c9d86d1.tar.gz deleted file mode 100644 index 2203014..0000000 --- a/fedora-crypto-policies-20210917.c9d86d1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d5e57503a00c247d549aab27de2a3d96c7d8756910939aec5acd38df6e73c252 -size 75022 diff --git a/fedora-crypto-policies-20230420.3d08ae7.tar.gz b/fedora-crypto-policies-20230420.3d08ae7.tar.gz new file mode 100644 index 0000000..e3a354d --- /dev/null +++ b/fedora-crypto-policies-20230420.3d08ae7.tar.gz 
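Review bot: The new `%ghost` entries for `sequoia.config` and `rpm-sequoia.config`, together with the retained `libreswan.config`, describe back-ends this package disables: Patch3 comments the generators out and %prep deletes `sequoia.py` and `libreswan.py`, so update-crypto-policies should no longer be able to produce these files. `missingok` keeps rpm quiet, but the %files list then no longer reflects what the package can generate; either drop the three lines or put a comment beside them saying they are kept for when the generators return. The trailing `# %%verify(not mode) comes from the fact that ...` explains the attribute only after all fourteen lines that use it; moving it above the first `%verify(not mode)` entry reads better.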
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0554a9e3965970a2233dee8770fe414527e073b80106db89a1170fa845c3903b +size 85811 diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz index 98fec27..8261690 100644 --- a/update-crypto-policies.8.gz +++ b/update-crypto-policies.8.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:0151e1a8a5e4bb626284b6a2f93824f849b8d070ed017b6995a20a90f9180b2b -size 4018 +oid sha256:ce03018475d3b1e4cb06951fa1c13017f13fa6600b3b10e04912af5e3e426692 +size 4179 From 743dc266bd73a1039650b6e74f95ba01641386716f942adc4941b5885e39a2e5 Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Thu, 25 May 2023 16:40:03 +0000 Subject: [PATCH 2/2] Accepting request 1089054 from home:pmonrealgonzalez:branches:security:tls - FIPS: Enable to set the kernel FIPS mode with fips-mode-setup and fips-finish-install commands, add also the man pages. The required FIPS modules are left to be installed by the user. * Rebase crypto-policies-FIPS.patch - Revert a breaking change that introduces the config option rh-allow-sha1-signatures that is unkown to OpenSSL and fails on startup. We will consider adding this option to openssl. * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494 * Add crypto-policies-revert-rh-allow-sha1-signatures.patch * Skip not needed LibreswanGenerator and SequoiaGenerator: OBS-URL: https://build.opensuse.org/request/show/1089054 OBS-URL: https://build.opensuse.org/package/show/security:tls/crypto-policies?expand=0&rev=16 --- crypto-policies-FIPS.patch | 258 +++++++++++++---- ...cies-revert-rh-allow-sha1-signatures.patch | 272 ++++++++++++++++++ crypto-policies.7.gz | 4 +- crypto-policies.changes | 19 +- crypto-policies.spec | 33 ++- fips-finish-install.8.gz | 3 + fips-mode-setup.8.gz | 3 + update-crypto-policies.8.gz | 4 +- 8 files changed, 518 insertions(+), 78 deletions(-) create mode 100644 crypto-policies-revert-rh-allow-sha1-signatures.patch create mode 100644 fips-finish-install.8.gz create mode 100644 fips-mode-setup.8.gz diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch index 5a98b37..6dedf84 100644 --- a/crypto-policies-FIPS.patch +++ b/crypto-policies-FIPS.patch 
@@ -1,72 +1,206 @@ -Index: fedora-crypto-policies-20221214.a4c31a3/Makefile +Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup =================================================================== ---- fedora-crypto-policies-20221214.a4c31a3.orig/Makefile -+++ fedora-crypto-policies-20221214.a4c31a3/Makefile -@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man - CONFDIR?=/etc/crypto-policies - DESTDIR?= - MAN7PAGES=crypto-policies.7 --MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8 --SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup -+MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 -+SCRIPTS=update-crypto-policies fips-finish-install - NUM_PROCS = $$(getconf _NPROCESSORS_ONLN) - PYVERSION = -3 - DIFFTOOL?=meld -Index: fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt -=================================================================== ---- fedora-crypto-policies-20221214.a4c31a3.orig/crypto-policies.7.txt -+++ fedora-crypto-policies-20221214.a4c31a3/crypto-policies.7.txt -@@ -153,9 +153,6 @@ PROVIDED POLICIES +--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup ++++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup +@@ -7,6 +7,7 @@ enable_fips= + check=0 + boot_config=1 + err_if_disabled=0 ++fips_install_complete=0 + output_text=1 - *FIPS*:: - A policy to aid conformance to the *FIPS 140-2* requirements. -- This policy is used internally by the *fips-mode-setup(8)* tool -- which can switch the system into the *FIPS 140-2* mode. -- This policy provides at least 112-bit security. + is_ostree_system=0 +@@ -75,109 +76,74 @@ if test "$is_ostree_system" = 1 && test + exit 1 + fi - * MACs: all *HMAC* with *SHA1* or better - * Curves: all prime >= 256 bits -@@ -264,12 +261,6 @@ COMMANDS - back ends and allows the system administrator to change the active - cryptographic policy. 
- --*fips-mode-setup(8)*:: -- This command allows the system administrator to enable, or disable the -- system FIPS mode and also apply the *FIPS* cryptographic policy -- which limits the allowed algorithms and protocols to these allowed by -- the FIPS 140-2 requirements. - +-if [ "$(id -u)" != 0 ]; then +- echo "You must be root to run $(basename $0)" +- exit 1 +-fi +- +- +-# Detect 1: kernel FIPS flag +-fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled) +- +-# Detect 2: initramfs fips module presence; not always can be done +-initramfs_fips_module=0 +-initramfs_inspectable=0 +-if test -d /boot -a -x /usr/bin/lsinitrd; then +- initramfs_inspectable=1 +- if lsinitrd -m 2>/dev/null | grep -Fxq fips; then +- initramfs_fips_module=1 ++if test "$enable_fips" = 1 ; then ++ # Check the required FIPS modules are installed ++ if test ! -x "$(command -v grubby)" -o ! -f /usr/share/doc/packages/patterns/fips.txt -o ! -f /etc/dracut.conf.d/40-fips.conf; then ++ cond_echo "Installation of FIPS modules is not complete." ++ cond_echo "Please, install grubby and the fips pattern." ++ exit 1 + fi + fi - NOTES - ----- -@@ -447,7 +438,7 @@ FILES +-# Detect 3: crypto-policy base policy +-current_policy="$(cat /etc/crypto-policies/state/current)" +-base_policy="$(echo $current_policy| cut -f 1 -d :)" +-if test "$base_policy" == "FIPS" ; then +- base_policy_is_fips=1 +-else +- base_policy_is_fips=0 ++if test "$enable_fips" = 1 ; then ++ if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd -f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then ++ fips_install_complete=1 ++ fi + fi - SEE ALSO - -------- --update-crypto-policies(8), fips-mode-setup(8) -+update-crypto-policies(8) +- + if test $check = 1 ; then +- # Look for signs for both enabling and disabling FIPS mode +- fips_positive=0 +- fips_negative=0 +- +- # Display 1: kernel FIPS flag +- cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)." 
+- +- # Display 2: initramfs fips module +- if test "$initramfs_inspectable" = 1 ; then +- cond_echo -n "Initramfs fips module is " +- cond_echo "$(enable2txt $initramfs_fips_module)." +- fi +- +- # Display 3: active crypto-policy +- cond_echo -n "The current crypto policy ($current_policy) " +- if test "$base_policy_is_fips" == 1 ; then +- cond_echo 'is based on the FIPS policy.' +- else +- cond_echo -n 'neither is the FIPS policy ' +- cond_echo 'nor is based on the FIPS policy.' +- fi +- +- # Decide 1: kernel FIPS flag +- if test "$fips_kernel_enabled" = 1 ; then +- fips_positive=1 +- else +- fips_negative=1 +- fi +- +- # Decide 2: initramfs module presence +- if test "$initramfs_inspectable" = 1 ; then +- if test "$initramfs_fips_module" = 1 ; then +- fips_positive=1 +- else +- fips_negative=1 ++ test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not complete." ++ fips_enabled=$(cat /proc/sys/crypto/fips_enabled) ++ cond_echo "FIPS mode is $(enable2txt $fips_enabled)." ++ if test "$fips_enabled" = 1 ; then ++ if test $fips_install_complete = 0 ; then ++ cond_echo "Inconsistent state detected." ++ exit 1 ++ fi ++ current="$(cat /etc/crypto-policies/state/current)" ++ if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then ++ cond_echo -n "The current crypto policy ($current) " ++ cond_echo -n 'neither is the FIPS policy ' ++ cond_echo 'nor is based on the FIPS policy.' ++ cond_echo 'Inconsistent state detected.' ++ exit 1 + fi +- fi +- +- # Decide 3: active crypto-policy +- if test "$base_policy_is_fips" = 1 ; then +- fips_positive=1 + else +- fips_negative=1 +- fi +- +- # Make the FIPS mode consistency decision +- if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then +- cond_echo 'Inconsistent state detected.' +- exit 1 ++ if test $fips_install_complete = 1 ; then ++ cond_echo "Inconsistent state detected." 
++ exit 1 ++ fi ++ current="$(cat /etc/crypto-policies/state/current)" ++ if test "$(echo $current | cut -f 1 -d :)" == "FIPS" ; then ++ cond_echo -n "The current crypto policy ($current) " ++ cond_echo -n 'is based on the FIPS policy, ' ++ cond_echo 'but FIPS mode is not enabled.' ++ cond_echo 'Inconsistent state detected.' ++ exit 1 ++ fi + fi +- +- # Error out if `--is-enabled` was passed and FIPS mode is not enabled +- if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then +- cond_echo 'FIPS mode is not enabled.' ++ if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1; then + exit 2 + fi +- + exit 0 + fi ++if [ "$(id -u)" != 0 ]; then ++ echo "You must be root to run $(basename $0)" ++ exit 1 ++fi - AUTHOR -Index: fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py + if test $enable_fips = 1 ; then +- if test "$initramfs_fips_module" = 0 ; then ++ if test $fips_install_complete = 1 ; then + fips-finish-install --complete + if test $? != 0 ; then +- echo "Installation of FIPS modules could not be completed." ++ echo "Installation of FIPS modules could not be completed." + exit 1 + fi + fi +- if test "$base_policy_is_fips" == 1 ; then +- cond_echo -n 'Preserving current FIPS-based policy ' +- cond_echo "${current_policy}." ++ target="$(cat /etc/crypto-policies/state/current)" ++ if test "$(echo $target | cut -f 1 -d :)" == "FIPS" ; then ++ cond_echo "Preserving current FIPS-based policy ${target}." + cond_echo -n 'Please review the subpolicies to ensure they ' + cond_echo 'only restrict, not relax the FIPS policy.' 
+ else +@@ -196,11 +162,11 @@ if test x"$boot_device" = x ; then + boot_device_opt=" boot=UUID=" + boot_config=0 + else +- if test "$boot_device" = / ; then +- boot_device_opt="" +- else +- boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)" +- fi ++ if test "$boot_device" = / ; then ++ boot_device_opt="" ++ else ++ boot_device_opt=" boot=UUID=$(blkid -s UUID -o value $boot_device)" ++ fi + fi + + if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then +Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt =================================================================== ---- fedora-crypto-policies-20221214.a4c31a3.orig/python/update-crypto-policies.py -+++ fedora-crypto-policies-20221214.a4c31a3/python/update-crypto-policies.py -@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None, - eprint("Warning: Using 'update-crypto-policies --set FIPS' " - "is not sufficient for") - eprint(" FIPS compliance.") -- eprint(" Use 'fips-mode-setup --enable' " -- "command instead.") - elif fips_mode(): - eprint("Warning: Using 'update-crypto-policies --set' " - "in FIPS mode will make the system") - eprint(" non-compliant with FIPS.") - eprint(" It can also break " - "the ssh access to the system.") -- eprint(" Use 'fips-mode-setup --disable' " -- "to disable the system FIPS mode.") +--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup.8.txt ++++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt +@@ -39,8 +39,15 @@ system crypto policy to FIPS + (unless the policy has already been set to FIPS plus subpolicies on top, + in which case the currently active subpolicies is retained). - if base_dir == DEFAULT_BASE_DIR: - if not os.geteuid() == 0: ++Some required FIPS modules (grubby, fips pattern) might not be ++installed by default. 
These can be installed in SUSE/openSUSE with ++the following command: ++ ++ zypper in -y grubby && zypper in -y -t pattern fips ++ + Then the command modifies the boot loader configuration to add + 'fips=1' and 'boot=' options to the kernel command line. ++Note that, grubby could show a harmless warning about leaked file descriptors. + + When disabling the system FIPS mode the system crypto policy is switched + to DEFAULT and the kernel command line option 'fips=0' is set. diff --git a/crypto-policies-revert-rh-allow-sha1-signatures.patch b/crypto-policies-revert-rh-allow-sha1-signatures.patch new file mode 100644 index 0000000..8c59d9b --- /dev/null +++ b/crypto-policies-revert-rh-allow-sha1-signatures.patch 
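Review bot: In the new fips-mode-setup logic, `fips_install_complete` is only computed inside the second `if test "$enable_fips" = 1 ; then` block (the lsinitrd probe), yet the `--check` path (`if test $check = 1 ; then`) reads it first; unless the option parsing outside this hunk also sets enable_fips for --check, a check run always prints "Installation of FIPS modules is not complete." and, whenever /proc/sys/crypto/fips_enabled is 1, exits 1 with "Inconsistent state detected.". Dropping that second `if test "$enable_fips" = 1 ; then` / `fi` wrapper so the probe runs unconditionally would fix it. The probe `... || test $? = 2 && echo y` also parses as `(A || B) && C`, so a missing /boot or lsinitrd, a found etc/system-fips, and an lsinitrd exit status of 2 all set the flag to 1 — worth a comment stating which of these means "installed". Note too that the enable path now runs `fips-finish-install --complete` when the flag is 1, the opposite of the old `initramfs_fips_module = 0` gate; if the flag really means "already installed" this looks inverted, and if it does not, the name is misleading. The script's option parsing and the rest of the enable path lie outside this hunk.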
@@ -0,0 +1,272 @@ +From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Fri, 8 Apr 2022 13:47:29 +0200 +Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1 + + +Index: fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/FUTURE.pol ++++ fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol +@@ -65,7 +65,3 @@ sha1_in_certs = 0 + arbitrary_dh_groups = 1 + ssh_certs = 1 + ssh_etm = 1 +- +-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 +-# SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 +Index: fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/modules/NO-SHA1.pmod ++++ fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod +@@ -3,7 +3,3 @@ + hash = -SHA1 + sign = -*-SHA1 + sha1_in_certs = 0 +- +-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 +-# SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 +Index: fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/python/cryptopolicies/cryptopolicies.py ++++ fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py +@@ -19,7 +19,6 @@ from . 
import validation # moved out of + INT_DEFAULTS = {k: 0 for k in ( + 'arbitrary_dh_groups', + 'min_dh_size', 'min_dsa_size', 'min_rsa_size', +- '__openssl_block_sha1_signatures', + 'sha1_in_certs', + 'ssh_certs', 'ssh_etm', + )} +Index: fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/openssl.py ++++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py +@@ -7,14 +7,6 @@ from subprocess import check_output, Cal + + from .configgenerator import ConfigGenerator + +-RH_SHA1_SECTION = ''' +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = {} +-''' +- + + class OpenSSLGenerator(ConfigGenerator): + CONFIG_NAME = 'openssl' +@@ -254,12 +246,6 @@ class OpenSSLConfigGenerator(OpenSSLGene + groups = [cls.group_map[i] for i in p['group'] if i in cls.group_map] + s += 'Groups = ' + ':'.join(groups) + '\n' + +- # In the future it'll be just +- # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no') +- # but for now we slow down the roll-out and we have +- sha1_sig = not policy.integers['__openssl_block_sha1_signatures'] +- s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no') +- + return s + + @classmethod +Index: fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/alternative-policies/FUTURE.pol ++++ fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol +@@ -71,7 +71,3 @@ sha1_in_dnssec = 0 + arbitrary_dh_groups = 1 + ssh_certs = 1 + ssh_etm = 1 +- +-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1 +-# SHA-1 signatures are blocked in OpenSSL in FUTURE only +-__openssl_block_sha1_signatures = 1 +Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1 + Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt +=================================================================== +--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/EMPTY-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt +@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS + Ciphersuites = + SignatureAlgorithms = + Groups = +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = 
evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224 + Groups = secp256r1:secp384r1:secp521r1 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FUTURE-opensslcnf.txt ++++ 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512 + Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = no +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/GOST-ONLY-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt +@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1 + TLS.MaxProtocol = TLSv1.3 + SignatureAlgorithms = + Groups = +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 + Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- 
+-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt ++++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt +@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1 + DTLS.MaxProtocol = DTLSv1.2 + SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 + Groups = X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192 +- +-[openssl_init] +-alg_section = evp_properties +- +-[evp_properties] +-rh-allow-sha1-signatures = yes +Index: fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/unit/test_cryptopolicy.py ++++ fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py +@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm + min_dh_size = 0 + min_dsa_size = 0 + min_rsa_size = 0 +- __openssl_block_sha1_signatures = 0 + sha1_in_certs = 0 + ssh_certs = 0 + ssh_etm = 0 +@@ -291,7 +290,6 @@ def test_cryptopolicy_to_string_twisted( + min_dh_size = 0 + min_dsa_size = 0 + min_rsa_size = 0 +- __openssl_block_sha1_signatures = 0 + sha1_in_certs = 0 + ssh_certs = 0 + ssh_etm = 0 +Index: fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol +=================================================================== +--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/TEST-FEDORA39.pol ++++ 
fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol +@@ -67,7 +67,3 @@ sha1_in_certs = 0 + arbitrary_dh_groups = 1 + ssh_certs = 1 + ssh_etm = 1 +- +-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1 +-# SHA-1 signatures will blocked in OpenSSL +-__openssl_block_sha1_signatures = 1 diff --git a/crypto-policies.7.gz b/crypto-policies.7.gz index 40ad731..e0e574c 100644 --- a/crypto-policies.7.gz +++ b/crypto-policies.7.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:e0f927cbf526fbd0bec4eaf6b2456a6d148d42abdfb25978c71ede20b3a5e2ce -size 6770 +oid sha256:08e4778d0c659ec3d5f408ba889634255f462b5fe6ee0d22194347103da69a7e +size 6896 diff --git a/crypto-policies.changes b/crypto-policies.changes index 4eef770..8dfa498 100644 --- a/crypto-policies.changes +++ b/crypto-policies.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Thu May 25 11:28:12 UTC 2023 - Pedro Monreal + +- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup + and fips-finish-install commands, add also the man pages. The + required FIPS modules are left to be installed by the user. + * Rebase crypto-policies-FIPS.patch + +------------------------------------------------------------------- +Wed May 24 20:04:20 UTC 2023 - Pedro Monreal + +- Revert a breaking change that introduces the config option + rh-allow-sha1-signatures that is unkown to OpenSSL and fails + on startup. We will consider adding this option to openssl. + * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494 + * Add crypto-policies-revert-rh-allow-sha1-signatures.patch + ------------------------------------------------------------------- Mon May 8 09:45:45 UTC 2023 - Pedro Monreal 
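Review bot: The header of the new patch keeps the upstream subject `Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1` while its hunks do the reverse (they drop `__openssl_block_sha1_signatures` from FUTURE.pol, NO-SHA1.pmod and INT_DEFAULTS and remove the `RH_SHA1_SECTION` output from openssl.py), so the header should read `Subject: Revert "openssl: disable SHA-1 signatures in FUTURE/NO-SHA1"`. A one-line description under the subject would help a future rebase: with this revert the FUTURE policy and the NO-SHA1 module no longer instruct OpenSSL to block SHA-1 signatures on SUSE until the openssl package supports the option, and the SignatureAlgorithms line that still omits SHA1 in the FUTURE expected output presumably restricts TLS only. The hunks removing the `[evp_properties]` section from the tests/outputs files and the unit-test fixtures are the same point.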
@@ -16,7 +33,7 @@ Mon May 08 06:32:49 UTC 2023 - Pedro Monreal * sequoia: add separate rpm-sequoia backend * crypto-policies.7: state upfront that FUTURE is not so interoperable * Makefile: update for asciidoc 10 - * Skip the LibreswanGenerator and SequoiaGenerator: + * Skip not needed LibreswanGenerator and SequoiaGenerator: - Add crypto-policies-policygenerators.patch * Remove crypto-policies-test_supported_modules_only.patch * Rebase crypto-policies-no-build-manpages.patch diff --git a/crypto-policies.spec b/crypto-policies.spec index ff3a1f8..488514a 100644 --- a/crypto-policies.spec +++ b/crypto-policies.spec 
@@ -32,16 +32,25 @@ Source0: fedora-%{name}-%{version}.tar.gz
 Source1: README.SUSE
 Source2: crypto-policies.7.gz
 Source3: update-crypto-policies.8.gz
-Source4: crypto-policies-rpmlintrc
+Source4: fips-mode-setup.8.gz
+Source5: fips-finish-install.8.gz
+Source6: crypto-policies-rpmlintrc
 %if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
 # To reduce the build dependencies in Ring0, we have to compile the
-# man pages locally (use --with testsuite) and add crypto-policies.7.gz
-# and update-crypto-policies.8.gz as sources.
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
 Patch1: crypto-policies-no-build-manpages.patch
 %endif
-Patch2: crypto-policies-FIPS.patch
-Patch3: crypto-policies-policygenerators.patch
-Patch4: crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2: crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3: crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Revert a breaking change that introduces rh-allow-sha1-signatures
+Patch4: crypto-policies-revert-rh-allow-sha1-signatures.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for TW
+Patch5: crypto-policies-FIPS.patch
 BuildRequires: python3-base >= 3.6
 # The sequoia stuff needs python3-toml, removed until needed
 # BuildRequires: python3-toml
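Review bot: Typo in the new Patch5 comment: `#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for TW` should read `Adapt`. Since that patch makes fips-mode-setup refuse to enable FIPS unless grubby and the fips pattern are installed (per the commit description, deliberately left to the user), the comment would be more useful if it said so, e.g. `#PATCH-FIX-OPENSUSE Adapt fips-mode-setup for TW: require grubby and the fips pattern to be installed by the user`.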
@@ -125,15 +134,13 @@ mkdir -p -m 755 %{buildroot}%{_mandir}/ mkdir -p -m 755 %{buildroot}%{_mandir}/man7/ mkdir -p -m 755 %{buildroot}%{_mandir}/man8/ cp %{SOURCE2} %{buildroot}%{_mandir}/man7/ -cp %{SOURCE3} %{buildroot}%{_mandir}/man8/ +cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/ %endif # Install the executable scripts install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/ - -# Remove the fips-related scripts and man pages -find -type f -name "*fips*" -delete -find %{buildroot} -type f -name "*fips*" -delete +install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/ +install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/ # Drop pre-generated GOST-ONLY policy, we do not need to ship them rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY @@ -245,7 +252,11 @@ end %files scripts %{_bindir}/update-crypto-policies +%{_bindir}/fips-mode-setup +%{_bindir}/fips-finish-install %{_mandir}/man8/update-crypto-policies.8%{?ext_man} +%{_mandir}/man8/fips-mode-setup.8%{?ext_man} +%{_mandir}/man8/fips-finish-install.8%{?ext_man} %{_datarootdir}/crypto-policies/python %changelog diff --git a/fips-finish-install.8.gz b/fips-finish-install.8.gz new file mode 100644 index 0000000..c08c63d --- /dev/null +++ b/fips-finish-install.8.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c127272faa0580e5969d1a1b33ea4a8811a60da45d23fe50a782eaaf8c0c9075 +size 824 diff --git a/fips-mode-setup.8.gz b/fips-mode-setup.8.gz new file mode 100644 index 0000000..1847553 --- /dev/null +++ b/fips-mode-setup.8.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7a427092b98f11bf8bb0606afd71dbe1d153362f9c3a15ed53e479436f45e43b +size 1541 diff --git a/update-crypto-policies.8.gz b/update-crypto-policies.8.gz index 8261690..7a759dc 100644 --- a/update-crypto-policies.8.gz +++ b/update-crypto-policies.8.gz 
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:ce03018475d3b1e4cb06951fa1c13017f13fa6600b3b10e04912af5e3e426692 -size 4179 +oid sha256:3530ed7a871a3b9c72ea761ff45f9a80ab2720f76bb223e58debad848b8aa7a1 +size 4178