1
0
crypto-policies/crypto-policies.spec

203 lines
7.8 KiB
RPMSpec

#
# spec file for package crypto-policies
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%global git_date 20210127
%global git_commit b21c8114995e07965c2ccde5f5767d0618d854bf
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:8})}
# source_validator doesn't allow command execution
%global git_commit_shash b21c8114
%global _python_bytecompile_extra 0
Name: crypto-policies
Version: %{git_date}
Release: 0
Summary: System-wide crypto policies
License: LGPL-2.1-or-later
Group: Productivity/Networking/Security
URL: https://gitlab.com/redhat-crypto/fedora-%{name}
Source0: https://gitlab.com/redhat-crypto/fedora-%{name}/-/archive/%{git_commit_shash}/%{name}-git%{git_commit_shash}.tar.bz2
Source1: README.SUSE
Patch0: crypto-policies-asciidoc.patch
Patch1: crypto-policies-typos.patch
Patch2: crypto-policies-test_supported_modules_only.patch
BuildRequires: asciidoc
# BuildRequires: gnutls >= 3.6.0
BuildRequires: java-devel
BuildRequires: libxslt
# BuildRequires: openssl
BuildRequires: perl
BuildRequires: python3-devel >= 3.6
BuildRequires: perl(File::Copy)
BuildRequires: perl(File::Temp)
BuildRequires: perl(File::Which)
#BuildRequires: perl(File::pushd)
Recommends: crypto-policies-scripts
Conflicts: gnutls < 3.7.0
#Conflicts: libreswan < 3.28
Conflicts: nss < 3.44.0
#Conflicts: openssh < 8.2p1
BuildArch: noarch
%description
This package provides pre-built configuration files with
cryptographic policies for various cryptographic back-ends,
such as SSL/TLS libraries.
%package scripts
Summary: Tool to switch between crypto policies
Requires: %{name} = %{version}-%{release}
Recommends: grubby
Provides: fips-mode-setup = %{version}-%{release}
%description scripts
This package provides a tool update-crypto-policies, which applies
the policies provided by the crypto-policies package. These can be
either the pre-built policies from the base package or custom policies
defined in simple policy definition files.
The package also provides a tool fips-mode-setup, which can be used
to enable or disable the system FIPS mode.
%prep
%autosetup -p1 -n fedora-crypto-policies-%{git_commit_shash}-%{git_commit}
%build
%make_build
%install
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
mkdir -p -m 755 %{buildroot}%{_bindir}
make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
# Create back-end configs for mounting with read-only /etc/
for d in LEGACY DEFAULT FUTURE FIPS ; do
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
done
done
for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
done
%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
%check
%make_build check || :
%post -p <lua>
if not posix.access("%{_sysconfdir}/crypto-policies/config") then
local policy = "DEFAULT"
local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
if cf then
if cf:read() == "1" then
policy = "FIPS"
end
cf:close()
end
cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
if cf then
cf:write(policy.."\n")
cf:close()
end
cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
if cf then
cf:write(policy.."\n")
cf:close()
end
local policypath = "%{_datarootdir}/crypto-policies/"..policy
for fn in posix.files(policypath) do
if fn ~= "." and fn ~= ".." then
local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
posix.unlink(cfgfn)
posix.symlink(policypath.."/"..fn, cfgfn)
end
end
end
%posttrans scripts
%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
%files
%dir %{_sysconfdir}/crypto-policies/
%dir %{_sysconfdir}/crypto-policies/back-ends/
%dir %{_sysconfdir}/crypto-policies/state/
%dir %{_sysconfdir}/crypto-policies/local.d/
%dir %{_sysconfdir}/crypto-policies/policies/
%dir %{_sysconfdir}/crypto-policies/policies/modules/
%dir %{_datarootdir}/crypto-policies/
%{_sysconfdir}/crypto-policies/README.SUSE
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
%ghost %{_sysconfdir}/crypto-policies/state/current
%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
%{_mandir}/man7/crypto-policies.7%{?ext_man}
%{_datarootdir}/crypto-policies/LEGACY
%{_datarootdir}/crypto-policies/DEFAULT
%{_datarootdir}/crypto-policies/FUTURE
%{_datarootdir}/crypto-policies/FIPS
%{_datarootdir}/crypto-policies/EMPTY
%{_datarootdir}/crypto-policies/back-ends
%{_datarootdir}/crypto-policies/default-config
%{_datarootdir}/crypto-policies/reload-cmds.sh
%{_datarootdir}/crypto-policies/policies
%license COPYING.LESSER
%files scripts
%{_bindir}/update-crypto-policies
%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
%{_datarootdir}/crypto-policies/python
%{_bindir}/fips-mode-setup
%{_bindir}/fips-finish-install
%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
%{_mandir}/man8/fips-finish-install.8%{?ext_man}
%changelog