Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package crypto-policies for openSUSE:Factory 
checked in at 2023-05-28 19:21:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/crypto-policies (Old)
 and      /work/SRC/openSUSE:Factory/.crypto-policies.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "crypto-policies"

Sun May 28 19:21:39 2023 rev:3 rq:1089055 version:20230420.3d08ae7

Changes:
--------
--- /work/SRC/openSUSE:Factory/crypto-policies/crypto-policies.changes  
2021-10-01 22:29:00.233368559 +0200
+++ 
/work/SRC/openSUSE:Factory/.crypto-policies.new.1533/crypto-policies.changes    
    2023-05-28 19:21:47.560587205 +0200
@@ -1,0 +2,85 @@
+Thu May 25 11:28:12 UTC 2023 - Pedro Monreal <[email protected]>
+
+- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
+  and fips-finish-install commands, add also the man pages. The
+  required FIPS modules are left to be installed by the user.
+  * Rebase crypto-policies-FIPS.patch
+
+-------------------------------------------------------------------
+Wed May 24 20:04:20 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Revert a breaking change that introduces the config option
+  rh-allow-sha1-signatures that is unkown to OpenSSL and fails
+  on startup. We will consider adding this option to openssl.
+  * https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/97fe4494
+  * Add crypto-policies-revert-rh-allow-sha1-signatures.patch
+
+-------------------------------------------------------------------
+Mon May  8 09:45:45 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Update the update-crypto-policies(8) man pages and README.SUSE
+  to mention the supported back-end policies. [bsc#1209998]
+  * Add crypto-policies-supported.patch
+
+-------------------------------------------------------------------
+Mon May 08 06:32:49 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Update to version 20230420.3d08ae7:
+  * openssl, alg_lists: add brainpool support
+  * openssl: set Groups explicitly
+  * codespell: ignore aNULL
+  * rpm-sequoia: allow 1024 bit DSA and SHA-1 per FeSCO decision 2960
+  * sequoia: add separate rpm-sequoia backend
+  * crypto-policies.7: state upfront that FUTURE is not so interoperable
+  * Makefile: update for asciidoc 10
+  * Skip not needed LibreswanGenerator and SequoiaGenerator:
+    - Add crypto-policies-policygenerators.patch
+  * Remove crypto-policies-test_supported_modules_only.patch
+  * Rebase crypto-policies-no-build-manpages.patch
+
+-------------------------------------------------------------------
+Fri Jan 20 09:25:22 UTC 2023  - Pedro Monreal <[email protected]>
+
+- Update to version 20221214.a4c31a3:
+  * bind: expand the list of disableable algorithms
+  * libssh: Add support for openssh fido keys
+  * .gitlab-ci.yml: install krb5-devel for krb5-config
+  * sequoia: check using sequoia-policy-config-check
+  * sequoia: introduce new back-end
+  * Makefile: support overriding asciidoc executable name
+  * openssh: make none and auto explicit and different
+  * openssh: autodetect and allow forcing RequiredRSASize presence/name
+  * openssh: remove _pre_8_5_ssh
+  * pylintrc: update
+  * Revert "disable SHA-1 further for a Fedora 38 Rawhide "jump scare"..."
+  * disable SHA-1 further for a Fedora 38 Rawhide "jump scare"...
+  * Makefile: exclude built manpages from codespell
+  * add openssh HostbasedAcceptedAlgorithms
+  * openssh: add RSAMinSize option following min_rsa_size
+  * Revert ".gitlab-ci.yml: skip pylint (bz2069837)"
+  * docs: add customization recommendation
+  * tests/java: fix java.security.disableSystemPropertiesFile=true
+  * policies: add FEDORA38 and TEST-FEDORA39
+  * bind: control ED25519/ED448
+  * openssl: disable SHA-1 signatures in FUTURE/NO-SHA1
+  * .gitlab-ci.yml: skip pylint (bz2069837)
+  * openssh: add support for [email protected]
+  * fips-mode-setup: fix one unrelated check to intended state
+  * fips-mode-setup, fips-finish-install: abandon /etc/system-fips
+  * Makefile: fix alt-policy test of LEGACY:AD-SUPPORT
+  * fips-mode-setup: catch more inconsistencies, clarify --check
+  * fips-mode-setup: improve handling FIPS plus subpolicies
+  * .gitlab-ci.yml: use rawhide so that we get gnutls 3.7.3
+  * gnutls: enable SHAKE, needed for Ed448
+  * gnutls: use allowlisting
+  * openssl: add newlines at the end of the output
+  * FIPS:OSPP: relax -ECDSA-SHA2-512, -FFDHE-*
+  * fips-mode-setup, fips-finish-install: call zipl more often
+  * Add crypto-policies-rpmlintrc file to avoid files-duplicate,
+    zero-length and non-conffile-in-etc warnings.
+  * Rebase patches:
+    - crypto-policies-FIPS.patch
+    - crypto-policies-no-build-manpages.patch
+  * Update README.SUSE
+
+-------------------------------------------------------------------
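Review bot: "unkown" in the Wed May 24 entry should read "unknown". The Thu May 25 entry says the required FIPS modules are left for the user to install; the fips-mode-setup.8 addition later in this request names them (grubby and the fips pattern, installed with `zypper in -y grubby && zypper in -y -t pattern fips`), so naming them here as well would save readers a trip to the man page.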

Old:
----
  crypto-policies-test_supported_modules_only.patch
  fedora-crypto-policies-20210917.c9d86d1.tar.gz

New:
----
  crypto-policies-policygenerators.patch
  crypto-policies-revert-rh-allow-sha1-signatures.patch
  crypto-policies-rpmlintrc
  crypto-policies-supported.patch
  fedora-crypto-policies-20230420.3d08ae7.tar.gz
  fips-finish-install.8.gz
  fips-mode-setup.8.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ crypto-policies.spec ++++++
--- /var/tmp/diff_new_pack.jPuehl/_old  2023-05-28 19:21:48.304591633 +0200
+++ /var/tmp/diff_new_pack.jPuehl/_new  2023-05-28 19:21:48.308591657 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package crypto-policies
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,13 @@
 #
 
 
+# testsuite is disabled by default
+%bcond_with testsuite
+# manbuild is disabled by default
+%bcond_with manbuild
 %global _python_bytecompile_extra 0
 Name:           crypto-policies
-Version:        20210917.c9d86d1
+Version:        20230420.3d08ae7
 Release:        0
 Summary:        System-wide crypto policies
 License:        LGPL-2.1-or-later
@@ -28,27 +32,50 @@
 Source1:        README.SUSE
 Source2:        crypto-policies.7.gz
 Source3:        update-crypto-policies.8.gz
-Patch0:         crypto-policies-test_supported_modules_only.patch
+Source4:        fips-mode-setup.8.gz
+Source5:        fips-finish-install.8.gz
+Source6:        crypto-policies-rpmlintrc
+%if %{without manbuild}
+#PATCH-FIX-OPENSUSE Manpages build cycles and dependencies
+# To reduce the build dependencies in Ring0, we have to compile the
+# man pages locally (use --with testsuite) and add the built files
+# crypto-policies.7.gz, update-crypto-policies.8.gz, fips-mode-setup.8.gz
+# and fips-finish-install.8.gz as sources.
 Patch1:         crypto-policies-no-build-manpages.patch
-Patch2:         crypto-policies-FIPS.patch
-BuildRequires:  python3-base
-# For testing, the following buildrequires need to be uncommented.
-# BuildRequires:  asciidoc
-# BuildRequires:  bind
-# BuildRequires:  gnutls >= 3.6.0
-# BuildRequires:  java-devel
-# BuildRequires:  libxslt
-# BuildRequires:  openssl
-# BuildRequires:  perl
-# BuildRequires:  python3-coverage
-# BuildRequires:  python3-devel >= 3.6
-# BuildRequires:  python3-flake8
-# BuildRequires:  python3-pylint
-# BuildRequires:  python3-pytest
-# BuildRequires:  perl(File::Copy)
-# BuildRequires:  perl(File::Temp)
-# BuildRequires:  perl(File::Which)
-# BuildRequires:  perl(File::pushd)
+%endif
+#PATCH-FIX-OPENSUSE Skip not needed LibreswanGenerator and SequoiaGenerator
+Patch2:         crypto-policies-policygenerators.patch
+#PATCH-FIX-OPENSUSE bsc#1209998 Mention the supported back-end policies
+Patch3:         crypto-policies-supported.patch
+#PATCH-FIX-OPENSUSE Revert a breaking change that introduces 
rh-allow-sha1-signatures
+Patch4:         crypto-policies-revert-rh-allow-sha1-signatures.patch
+#PATCH-FIX-OPENSUSE Adpat the fips-mode-setup script for TW
+Patch5:         crypto-policies-FIPS.patch
+BuildRequires:  python3-base >= 3.6
+# The sequoia stuff needs python3-toml, removed until needed
+# BuildRequires:  python3-toml
+%if %{with manbuild}
+BuildRequires:  asciidoc
+%endif
+%if %{with testsuite}
+# The following buildrequires are needed for the testsuite
+BuildRequires:  bind
+BuildRequires:  gnutls >= 3.6.0
+BuildRequires:  java-devel
+BuildRequires:  krb5-devel
+BuildRequires:  libxslt
+BuildRequires:  openssl
+BuildRequires:  perl
+BuildRequires:  python3-coverage
+BuildRequires:  python3-devel >= 3.6
+BuildRequires:  python3-flake8
+BuildRequires:  python3-pylint
+BuildRequires:  python3-pytest
+BuildRequires:  perl(File::Copy)
+BuildRequires:  perl(File::Temp)
+BuildRequires:  perl(File::Which)
+BuildRequires:  perl(File::pushd)
+%endif
 Recommends:     crypto-policies-scripts
 Conflicts:      gnutls < 3.7.0
 #Conflicts:      libreswan < 3.28
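Review bot: the comment above Patch1 tells packagers to rebuild the man pages with `--with testsuite`, but man page building is controlled by the `manbuild` bcond (it is `%if %{with manbuild}` that pulls in asciidoc), so it should read `--with manbuild`. "Adpat" in the Patch5 comment should be "Adapt". Since Patch1 is only declared under `%if %{without manbuild}`, `%autosetup -p1` skips it on a manbuild build, which is correct, but a one-line comment saying so would keep the conditional patch from looking accidental.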
@@ -75,7 +102,15 @@
 %prep
 %autosetup -p1 -n fedora-%{name}-%{version}
 
+# Make README.SUSE available for %%doc
+cp -p %{SOURCE1} .
+
+# Remove not needed policy generators
+find -name libreswan.py -delete
+find -name sequoia.py -delete
+
 %build
+export OPENSSL_CONF=''
 %make_build
 
 %install
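Review bot: `export OPENSSL_CONF=''` carries no comment on why it is needed; presumably it stops the build host's OpenSSL configuration (and whatever system crypto policy it loads) from influencing the generated back-end files, and the same line reappears in %check, so one shared comment would help. The `find -name libreswan.py -delete` and `find -name sequoia.py -delete` lines overlap with crypto-policies-policygenerators.patch commenting out the same generators; say so in the comment, otherwise a future rebase may keep one and drop the other.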
@@ -89,28 +124,29 @@
 mkdir -p -m 755 %{buildroot}%{_bindir}
 
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies 
MANDIR=%{_mandir} %{?_smp_mflags} install
+install -p -m 644 default-config 
%{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
 
-# Install the manpages
+%if %{without manbuild}
+# Install the manpages from defined sources
 mkdir -p -m 755 %{buildroot}%{_mandir}/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
 cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
-cp %{SOURCE3} %{buildroot}%{_mandir}/man8/
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} %{buildroot}%{_mandir}/man8/
+%endif
 
-# Install the executable files
+# Install the executable scripts
 install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+install -p -m 755 fips-mode-setup %{buildroot}%{_bindir}/
+install -p -m 755 fips-finish-install %{buildroot}%{_bindir}/
 
-install -p -m 644 default-config 
%{buildroot}%{_sysconfdir}/crypto-policies/config
-touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
-touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
-
-# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
+# Drop pre-generated GOST-ONLY policy, we do not need to ship them
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
 
-# Remove fips-finish-install and test-fips-setup scripts and man
-find -type f -name fips-finish-install -delete
-find -type f -name fips-finish-install.8.txt -delete
-find -type f -name test-fips-setup.sh -delete
+# Drop FEDORA policies
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*
 
 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS ; do
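Review bot: `rm -rf %{buildroot}%{_datarootdir}/crypto-policies/*FEDORA*` only removes the pre-generated policy directories at the top level of %{_datarootdir}/crypto-policies; the policy definitions that the upstream changelog adds ("policies: add FEDORA38 and TEST-FEDORA39") live under the policies/ subdirectory, which %files ships whole, so check whether FEDORA38.pol and TEST-FEDORA39.pol are still packaged and selectable with `update-crypto-policies --set`. If the intent is to drop them entirely, remove them from policies/ as well.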
@@ -126,10 +162,14 @@
 
 %py3_compile %{buildroot}%{_datadir}/crypto-policies/python
 
-cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+# Install README.SUSE to %%doc
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
 
 %check
+%if %{with testsuite}
+export OPENSSL_CONF=''
 %make_build test || :
+%endif
 
 %post -p <lua>
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
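Review bot: `%make_build test || :` swallows the test suite's exit status, so a build with `--with testsuite` succeeds even when tests fail; if the `|| :` is there because specific tests are known to fail on openSUSE, name them in a comment, otherwise drop it so the bcond actually gates on the result.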
@@ -166,6 +206,10 @@
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
 
 %files
+%license COPYING.LESSER
+%doc README.md NEWS CONTRIBUTING.md
+%doc %{_sysconfdir}/crypto-policies/README.SUSE
+
 %dir %{_sysconfdir}/crypto-policies/
 %dir %{_sysconfdir}/crypto-policies/back-ends/
 %dir %{_sysconfdir}/crypto-policies/state/
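Review bot: README.SUSE is now both copied into the build directory in %prep ("Make README.SUSE available for %%doc") and installed under %{_sysconfdir}/crypto-policies, then listed as `%doc %{_sysconfdir}/crypto-policies/README.SUSE`; the /etc copy is what the new rpmlintrc has to silence as non-conffile-in-etc. A plain `%doc README.SUSE` against the copy in the build directory would let the %{_sysconfdir} install line go, unless admins are expected to find the file under /etc.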
@@ -174,21 +218,23 @@
 %dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
 
-%{_sysconfdir}/crypto-policies/README.SUSE
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
 
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/gnutls.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/openssl.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/openssh.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/nss.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/bind.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/java.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/javasystem.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/krb5.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/libreswan.config
-%ghost %config(missingok,noreplace) 
%{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/libssh.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/sequoia.config
+%ghost %config(missingok,noreplace) %verify(not mode) 
%{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
+# %%verify(not mode) comes from the fact that these turn into symlinks and 
back to regular files at will.
 
 %ghost %{_sysconfdir}/crypto-policies/state/current
 %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
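Review bot: the new `%ghost` entries for back-ends/sequoia.config and back-ends/rpm-sequoia.config refer to files nothing in this package will create, since SequoiaGenerator and RPMSequoiaGenerator are commented out by crypto-policies-policygenerators.patch and sequoia.py is deleted in %prep. %ghost keeps this harmless, but either drop the two entries or add a comment that they are kept for when the sequoia back-end is enabled.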
@@ -204,11 +250,13 @@
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies
 
-%license COPYING.LESSER
-
 %files scripts
 %{_bindir}/update-crypto-policies
+%{_bindir}/fips-mode-setup
+%{_bindir}/fips-finish-install
 %{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_mandir}/man8/fips-mode-setup.8%{?ext_man}
+%{_mandir}/man8/fips-finish-install.8%{?ext_man}
 %{_datarootdir}/crypto-policies/python
 
 %changelog

++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.jPuehl/_old  2023-05-28 19:21:48.340591848 +0200
+++ /var/tmp/diff_new_pack.jPuehl/_new  2023-05-28 19:21:48.344591871 +0200
@@ -1,3 +1,7 @@
-Currently only OpenSSL and GnuTLS policies are supported.
+Currently, the supported back-end policies are:
+  * OpenSSL library
+  * GnuTLS library
+  * OpenJDK (only for java-1_8_0-openjdk and java-11-openjdk)
+
 The rest of the modules ignore the policy settings for the time being.
 

++++++ _service ++++++
--- /var/tmp/diff_new_pack.jPuehl/_old  2023-05-28 19:21:48.360591967 +0200
+++ /var/tmp/diff_new_pack.jPuehl/_new  2023-05-28 19:21:48.368592014 +0200
@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="versionformat">%cd.%h</param>
     <param name="changesgenerate">enable</param>
-    <param name="revision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param>
+    <param name="revision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param>
   </service>
   <service name="recompress" mode="disabled">
     <param name="file">*.tar</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.jPuehl/_old  2023-05-28 19:21:48.384592109 +0200
+++ /var/tmp/diff_new_pack.jPuehl/_new  2023-05-28 19:21:48.388592133 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://gitlab.com/redhat-crypto/fedora-crypto-policies.git</param>
-              <param 
name="changesrevision">c9d86d1154c4b286c9be3d5e9e32451df6f64e19</param></service></servicedata>
+              <param 
name="changesrevision">3d08ae70557e5a86686e5b24e443731bfdf232bb</param></service></servicedata>
 (No newline at EOF)
 

++++++ crypto-policies-FIPS.patch ++++++
--- /var/tmp/diff_new_pack.jPuehl/_old  2023-05-28 19:21:48.396592181 +0200
+++ /var/tmp/diff_new_pack.jPuehl/_new  2023-05-28 19:21:48.400592205 +0200
@@ -1,73 +1,207 @@
-Index: fedora-crypto-policies/Makefile
+Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
 ===================================================================
---- fedora-crypto-policies.orig/Makefile
-+++ fedora-crypto-policies/Makefile
-@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
- CONFDIR?=/etc/crypto-policies
- DESTDIR?=
- MAN7PAGES=crypto-policies.7
--MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
--SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
-+MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
-+SCRIPTS=update-crypto-policies fips-finish-install
- NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
- PYVERSION = -3
- DIFFTOOL?=meld
-Index: fedora-crypto-policies/crypto-policies.7.txt
-===================================================================
---- fedora-crypto-policies.orig/crypto-policies.7.txt
-+++ fedora-crypto-policies/crypto-policies.7.txt
-@@ -144,9 +144,6 @@ PROVIDED POLICIES
- 
- *FIPS*::
-   A policy to aid conformance to the *FIPS 140-2* requirements.
--  This policy is used internally by the *fips-mode-setup(8)* tool
--  which can switch the system into the *FIPS 140-2* mode.
--  This policy provides at least 112-bit security.
- 
-   * MACs: all *HMAC* with *SHA1* or better
-   * Curves: all prime >= 256 bits
-@@ -255,12 +252,6 @@ COMMANDS
-   back ends and allows the system administrator to change the active
-   cryptographic policy.
- 
--*fips-mode-setup(8)*::
--  This command allows the system administrator to enable, or disable the
--  system FIPS mode and also apply the *FIPS* cryptographic policy
--  which limits the allowed algorithms and protocols to these allowed by
--  the FIPS 140-2 requirements.
--
- 
- NOTES
- -----
-@@ -427,7 +418,7 @@ FILES
- 
- SEE ALSO
- --------
--update-crypto-policies(8), fips-mode-setup(8)
-+update-crypto-policies(8)
+--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup
++++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup
+@@ -7,6 +7,7 @@ enable_fips=
+ check=0
+ boot_config=1
+ err_if_disabled=0
++fips_install_complete=0
+ output_text=1
+ 
+ is_ostree_system=0
+@@ -75,109 +76,74 @@ if test "$is_ostree_system" = 1 && test
+     exit 1
+ fi
+ 
+-
+-if [ "$(id -u)" != 0 ]; then
+-      echo "You must be root to run $(basename $0)"
+-      exit 1
+-fi
+-
+-
+-# Detect 1: kernel FIPS flag
+-fips_kernel_enabled=$(cat /proc/sys/crypto/fips_enabled)
+-
+-# Detect 2: initramfs fips module presence; not always can be done
+-initramfs_fips_module=0
+-initramfs_inspectable=0
+-if test -d /boot -a -x /usr/bin/lsinitrd; then
+-      initramfs_inspectable=1
+-      if lsinitrd -m 2>/dev/null | grep -Fxq fips; then
+-              initramfs_fips_module=1
++if test "$enable_fips" = 1 ; then
++      # Check the required FIPS modules are installed
++      if test ! -x "$(command -v grubby)" -o ! -f 
/usr/share/doc/packages/patterns/fips.txt -o ! -f 
/etc/dracut.conf.d/40-fips.conf; then
++              cond_echo "Installation of FIPS modules is not complete."
++              cond_echo "Please, install grubby and the fips pattern."
++              exit 1
+       fi
+ fi
+ 
+-# Detect 3: crypto-policy base policy
+-current_policy="$(cat /etc/crypto-policies/state/current)"
+-base_policy="$(echo $current_policy| cut -f 1 -d :)"
+-if test "$base_policy" == "FIPS" ; then
+-      base_policy_is_fips=1
+-else
+-      base_policy_is_fips=0
++if test "$enable_fips" = 1 ; then
++      if test ! -d /boot -o ! -x /usr/bin/lsinitrd -o x"$(/usr/bin/lsinitrd 
-f etc/system-fips 2>/dev/null || test $? = 2 && echo y)" != x ; then
++      fips_install_complete=1
++      fi
+ fi
+ 
+-
+ if test $check = 1 ; then
+-      # Look for signs for both enabling and disabling FIPS mode
+-      fips_positive=0
+-      fips_negative=0
+-
+-      # Display 1: kernel FIPS flag
+-      cond_echo "FIPS mode is $(enable2txt $fips_kernel_enabled)."
+-
+-      # Display 2: initramfs fips module
+-      if test "$initramfs_inspectable" = 1 ; then
+-              cond_echo -n "Initramfs fips module is "
+-              cond_echo "$(enable2txt $initramfs_fips_module)."
+-      fi
+-
+-      # Display 3: active crypto-policy
+-      cond_echo -n "The current crypto policy ($current_policy) "
+-      if test "$base_policy_is_fips" == 1 ; then
+-              cond_echo 'is based on the FIPS policy.'
+-      else
+-              cond_echo -n 'neither is the FIPS policy '
+-              cond_echo 'nor is based on the FIPS policy.'
+-      fi
+-
+-      # Decide 1: kernel FIPS flag
+-      if test "$fips_kernel_enabled" = 1 ; then
+-              fips_positive=1
+-      else
+-              fips_negative=1
+-      fi
+-
+-      # Decide 2: initramfs module presence
+-      if test "$initramfs_inspectable" = 1 ; then
+-              if test "$initramfs_fips_module" = 1 ; then
+-                      fips_positive=1
+-              else
+-                      fips_negative=1
++      test $fips_install_complete = 0 && cond_echo "Installation of FIPS 
modules is not complete."
++      fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
++      cond_echo "FIPS mode is $(enable2txt $fips_enabled)."
++      if test "$fips_enabled" = 1 ; then
++              if test $fips_install_complete = 0 ; then
++                      cond_echo "Inconsistent state detected."
++                      exit 1
++              fi
++              current="$(cat /etc/crypto-policies/state/current)"
++              if test "$(echo $current | cut -f 1 -d :)" != "FIPS" ; then
++                      cond_echo -n "The current crypto policy ($current) "
++                      cond_echo -n 'neither is the FIPS policy '
++                      cond_echo 'nor is based on the FIPS policy.'
++                      cond_echo 'Inconsistent state detected.'
++                      exit 1
+               fi
+-      fi
+-
+-      # Decide 3: active crypto-policy
+-      if test "$base_policy_is_fips" = 1 ; then
+-              fips_positive=1
+       else
+-              fips_negative=1
+-      fi
+-
+-      # Make the FIPS mode consistency decision
+-      if test "$fips_positive" = 1 -a "$fips_negative" = 1 ; then
+-              cond_echo 'Inconsistent state detected.'
+-              exit 1
++              if test $fips_install_complete = 1 ; then
++                      cond_echo "Inconsistent state detected."
++                      exit 1
++              fi
++              current="$(cat /etc/crypto-policies/state/current)"
++              if test "$(echo $current | cut -f 1 -d :)" == "FIPS" ; then
++                      cond_echo -n "The current crypto policy ($current) "
++                      cond_echo -n 'is based on the FIPS policy, '
++                      cond_echo 'but FIPS mode is not enabled.'
++                      cond_echo 'Inconsistent state detected.'
++                      exit 1
++              fi
+       fi
+-
+-      # Error out if `--is-enabled` was passed and FIPS mode is not enabled
+-      if test "$fips_positive" = 0 -a "$err_if_disabled" = 1 ; then
+-              cond_echo 'FIPS mode is not enabled.'
++      if test "$fips_enabled" != 1 && test "$err_if_disabled" = 1; then
+               exit 2
+       fi
+-
+       exit 0
+ fi
  
++if [ "$(id -u)" != 0 ]; then
++      echo "You must be root to run $(basename $0)"
++      exit 1
++fi
+ 
+ if test $enable_fips = 1 ; then
+-      if test "$initramfs_fips_module" = 0 ; then
++      if test $fips_install_complete = 1 ; then
+               fips-finish-install --complete
+               if test $? != 0 ; then
+-                      echo "Installation of FIPS modules could not be 
completed."
++                      echo "Installation of FIPS modules could not be 
completed."
+                       exit 1
+               fi
+       fi
+-      if test "$base_policy_is_fips" == 1 ; then
+-              cond_echo -n 'Preserving current FIPS-based policy '
+-              cond_echo "${current_policy}."
++      target="$(cat /etc/crypto-policies/state/current)"
++      if test "$(echo $target | cut -f 1 -d :)" == "FIPS" ; then
++          cond_echo "Preserving current FIPS-based policy ${target}."
+               cond_echo -n 'Please review the subpolicies to ensure they '
+               cond_echo 'only restrict, not relax the FIPS policy.'
+       else
+@@ -196,11 +162,11 @@ if test x"$boot_device" = x ; then
+       boot_device_opt=" boot=UUID=<your-boot-device-uuid>"
+       boot_config=0
+ else
+-        if test "$boot_device" = / ; then
+-            boot_device_opt=""
+-        else
+-            boot_device_opt=" boot=UUID=$(blkid -s UUID -o value 
$boot_device)"
+-        fi
++      if test "$boot_device" = / ; then
++              boot_device_opt=""
++      else
++              boot_device_opt=" boot=UUID=$(blkid -s UUID -o value 
$boot_device)"
++      fi
+ fi
  
- AUTHOR
-Index: fedora-crypto-policies/python/update-crypto-policies.py
+ if test "$boot_config" = 1 && test ! -x "$(command -v grubby)" ; then
+Index: fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
 ===================================================================
---- fedora-crypto-policies.orig/python/update-crypto-policies.py
-+++ fedora-crypto-policies/python/update-crypto-policies.py
-@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
-                 eprint("Warning: Using 'update-crypto-policies --set FIPS' "
-                        "is not sufficient for")
-                 eprint("         FIPS compliance.")
--                eprint("         Use 'fips-mode-setup --enable' "
--                       "command instead.")
-             elif fips_mode():
-                 eprint("Warning: Using 'update-crypto-policies --set' "
-                        "in FIPS mode will make the system")
-                 eprint("         non-compliant with FIPS.")
-                 eprint("         It can also break "
-                        "the ssh access to the system.")
--                eprint("         Use 'fips-mode-setup --disable' "
--                       "to disable the system FIPS mode.")
+--- fedora-crypto-policies-20230420.3d08ae7.orig/fips-mode-setup.8.txt
++++ fedora-crypto-policies-20230420.3d08ae7/fips-mode-setup.8.txt
+@@ -39,8 +39,15 @@ system crypto policy to FIPS
+ (unless the policy has already been set to FIPS plus subpolicies on top,
+ in which case the currently active subpolicies is retained).
+ 
++Some required FIPS modules (grubby, fips pattern) might not be
++installed by default. These can be installed in SUSE/openSUSE with
++the following command:
++
++    zypper in -y grubby && zypper in -y -t pattern fips
++
+ Then the command modifies the boot loader configuration to add
+ 'fips=1' and 'boot=<boot-device>' options to the kernel command line.
++Note that, grubby could show a harmless warning about leaked file descriptors.
  
-     if base_dir == DEFAULT_BASE_DIR:
-         if not os.geteuid() == 0:
+ When disabling the system FIPS mode the system crypto policy is switched
+ to DEFAULT and the kernel command line option 'fips=0' is set.
 
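Review bot: in the new fips-mode-setup, `fips_install_complete` is only computed inside `if test "$enable_fips" = 1` (the block that probes the initramfs with lsinitrd), yet the `--check` branch that follows relies on it: `test $fips_install_complete = 0 && cond_echo "Installation of FIPS modules is not complete."` and then, when fips_enabled is 1, `if test $fips_install_complete = 0 ; then ... "Inconsistent state detected." ... exit 1`. Unless option parsing outside this hunk also sets enable_fips=1 for --check, the variable keeps its initial value 0 on that path, so `fips-mode-setup --check` on a system booted with fips=1 will always report the installation as incomplete and exit 1; move the detection ahead of the check block, outside the enable_fips condition. Re-read the enable path too: `if test $fips_install_complete = 1 ; then fips-finish-install --complete` replaces `if test "$initramfs_fips_module" = 0`, so the completion step now runs when installation already looks complete rather than when it is missing. Finally, the probe looks for etc/system-fips inside the initramfs while the upstream changelog bundled in this update says "fips-mode-setup, fips-finish-install: abandon /etc/system-fips"; confirm the shipped fips-finish-install still writes that marker, otherwise the probe can only succeed through the `|| test $? = 2` fallback.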

++++++ crypto-policies-no-build-manpages.patch ++++++
--- /var/tmp/diff_new_pack.jPuehl/_old  2023-05-28 19:21:48.412592276 +0200
+++ /var/tmp/diff_new_pack.jPuehl/_new  2023-05-28 19:21:48.416592300 +0200
@@ -1,28 +1,28 @@
-Index: fedora-crypto-policies/Makefile
+Index: fedora-crypto-policies-20230420.3d08ae7/Makefile
 ===================================================================
---- fedora-crypto-policies.orig/Makefile
-+++ fedora-crypto-policies/Makefile
-@@ -22,9 +22,9 @@ install: $(MANPAGES)
+--- fedora-crypto-policies-20230420.3d08ae7.orig/Makefile
++++ fedora-crypto-policies-20230420.3d08ae7/Makefile
+@@ -28,9 +28,9 @@ install: $(MANPAGES)
        mkdir -p $(DESTDIR)$(MANDIR)/man7
        mkdir -p $(DESTDIR)$(MANDIR)/man8
        mkdir -p $(DESTDIR)$(BINDIR)
 -      install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
 -      install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
 -      install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
-+# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
-+# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
-+# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
++      # install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
++      # install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
++      # install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
        mkdir -p $(DESTDIR)$(DIR)/
        install -p -m 644 default-config $(DESTDIR)$(DIR)
        install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
-@@ -106,8 +106,8 @@ clean:
+@@ -114,8 +114,8 @@ clean:
        rm -rf output
  
  %: %.txt
--      asciidoc.py -v -d manpage -b docbook $<
--      xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl 
[email protected]
-+      # asciidoc -v -d manpage -b docbook $<
-+      # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl [email protected]
+-      $(ASCIIDOC) -v -d manpage -b docbook $<
+-      xsltproc --nonet -o $@ ${MANPAGEXSL} [email protected]
++      #$(ASCIIDOC) -v -d manpage -b docbook $<
++      #xsltproc --nonet -o $@ ${MANPAGEXSL} [email protected]
  
  dist:
        rm -rf crypto-policies && git clone . crypto-policies && rm -rf 
crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz 
crypto-policies && rm -rf crypto-policies

++++++ crypto-policies-policygenerators.patch ++++++
Index: 
fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/__init__.py
+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/__init__.py
@@ -8,15 +8,15 @@ from .gnutls import GnuTLSGenerator
 from .java import JavaGenerator
 from .java import JavaSystemGenerator
 from .krb5 import KRB5Generator
-from .libreswan import LibreswanGenerator
+#from .libreswan import LibreswanGenerator
 from .libssh import LibsshGenerator
 from .nss import NSSGenerator
 from .openssh import OpenSSHClientGenerator
 from .openssh import OpenSSHServerGenerator
 from .openssl import OpenSSLConfigGenerator
 from .openssl import OpenSSLGenerator
-from .sequoia import SequoiaGenerator
-from .sequoia import RPMSequoiaGenerator
+#from .sequoia import SequoiaGenerator
+#from .sequoia import RPMSequoiaGenerator
 
 __all__ = [
     'BindGenerator',
@@ -24,13 +24,13 @@ __all__ = [
     'JavaGenerator',
     'JavaSystemGenerator',
     'KRB5Generator',
-    'LibreswanGenerator',
+#    'LibreswanGenerator',
     'LibsshGenerator',
     'NSSGenerator',
     'OpenSSHClientGenerator',
     'OpenSSHServerGenerator',
     'OpenSSLConfigGenerator',
     'OpenSSLGenerator',
-    'SequoiaGenerator',
-    'RPMSequoiaGenerator',
+#    'SequoiaGenerator',
+#    'RPMSequoiaGenerator',
 ]

++++++ crypto-policies-revert-rh-allow-sha1-signatures.patch ++++++
From 97fe4494571fd90a05f9bc42af152762eca2fac5 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <[email protected]>
Date: Fri, 8 Apr 2022 13:47:29 +0200
Subject: openssl: disable SHA-1 signatures in FUTURE/NO-SHA1


Index: fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/FUTURE.pol
+++ fedora-crypto-policies-20230420.3d08ae7/policies/FUTURE.pol
@@ -65,7 +65,3 @@ sha1_in_certs = 0
 arbitrary_dh_groups = 1
 ssh_certs = 1
 ssh_etm = 1
-
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
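Review bot: the `From`/`Subject` header above is the original commit's ("openssl: disable SHA-1 signatures in FUTURE/NO-SHA1") while every hunk removes what that commit added, so the file reads as a forward patch although it is a revert; replace the header with a revert description (what is being reverted and why) so nobody reapplies it the wrong way round. Functionally, dropping `__openssl_block_sha1_signatures = 1` here means FUTURE no longer asks OpenSSL to refuse SHA-1 signatures at the provider level; SHA-1 stays excluded from the TLS `SignatureAlgorithms` list, as the FUTURE-opensslcnf.txt expected output further down shows.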
Index: fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/modules/NO-SHA1.pmod
+++ fedora-crypto-policies-20230420.3d08ae7/policies/modules/NO-SHA1.pmod
@@ -3,7 +3,3 @@
 hash = -SHA1
 sign = -*-SHA1
 sha1_in_certs = 0
-
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
Index: 
fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/python/cryptopolicies/cryptopolicies.py
+++ 
fedora-crypto-policies-20230420.3d08ae7/python/cryptopolicies/cryptopolicies.py
@@ -19,7 +19,6 @@ from . import validation  # moved out of
 INT_DEFAULTS = {k: 0 for k in (
     'arbitrary_dh_groups',
     'min_dh_size', 'min_dsa_size', 'min_rsa_size',
-    '__openssl_block_sha1_signatures',
     'sha1_in_certs',
     'ssh_certs', 'ssh_etm',
 )}
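Review bot: removing `'__openssl_block_sha1_signatures'` from INT_DEFAULTS turns the key from a known integer directive into an unrecognised one; the patch strips it from every shipped policy (FUTURE.pol, NO-SHA1.pmod, TEST-FEDORA39.pol, tests/alternative-policies/FUTURE.pol), but a site-local custom policy under /etc/crypto-policies that was copied from the old FUTURE.pol would still carry it. Check how `validation` treats an unknown directive (error vs. ignore) and state the outcome in the patch description.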
Index: 
fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/python/policygenerators/openssl.py
+++ fedora-crypto-policies-20230420.3d08ae7/python/policygenerators/openssl.py
@@ -7,14 +7,6 @@ from subprocess import check_output, Cal
 
 from .configgenerator import ConfigGenerator
 
-RH_SHA1_SECTION = '''
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = {}
-'''
-
 
 class OpenSSLGenerator(ConfigGenerator):
     CONFIG_NAME = 'openssl'
@@ -254,12 +246,6 @@ class OpenSSLConfigGenerator(OpenSSLGene
         groups = [cls.group_map[i] for i in p['group'] if i in cls.group_map]
         s += 'Groups = ' + ':'.join(groups) + '\n'
 
-        # In the future it'll be just
-        # s += RH_SHA1_SECTION.format('yes' if 'SHA1' in p['hash'] else 'no')
-        # but for now we slow down the roll-out and we have
-        sha1_sig = not policy.integers['__openssl_block_sha1_signatures']
-        s += RH_SHA1_SECTION.format('yes' if sha1_sig else 'no')
-
         return s
 
     @classmethod
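Review bot: with this block gone, `OpenSSLConfigGenerator` emits nothing derived from the policy's hash list into the OpenSSL config, so the SHA-1 restriction for OpenSSL on this package is carried only by the `SignatureAlgorithms` list (driven by `sign = -*-SHA1`, as in NO-SHA1.pmod above), not by a provider-wide property. Also confirm that `policy` is still used elsewhere in this method once `policy.integers[...]` goes away; otherwise the parameter is now dead.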
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/alternative-policies/FUTURE.pol
+++ 
fedora-crypto-policies-20230420.3d08ae7/tests/alternative-policies/FUTURE.pol
@@ -71,7 +71,3 @@ sha1_in_dnssec = 0
 arbitrary_dh_groups = 1
 ssh_certs = 1
 ssh_etm = 1
-
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Preview1
-# SHA-1 signatures are blocked in OpenSSL in FUTURE only
-__openssl_block_sha1_signatures = 1
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
 Groups = 
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
+++ 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:FEDORA32-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
 Groups = 
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/DEFAULT:GOST-opensslcnf.txt
+++ 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/DEFAULT:GOST-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
 Groups = 
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/EMPTY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/EMPTY-opensslcnf.txt
@@ -2,9 +2,3 @@ CipherString = @SECLEVEL=0:-kPSK:-kDHEPS
 Ciphersuites = 
 SignatureAlgorithms = 
 Groups = 
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
 Groups = 
secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
+++ 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:ECDHE-ONLY-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
 Groups = secp256r1:secp384r1:secp521r1
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FIPS:OSPP-opensslcnf.txt
+++ 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FIPS:OSPP-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
 Groups = 
secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/FUTURE-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/FUTURE-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1.2
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512
 Groups = 
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = no
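Review bot: this is the only expected-output hunk where the removed value was `rh-allow-sha1-signatures = no`; in every other policy output it was `yes`, so the observable change of the revert is confined to FUTURE (and to anything using the NO-SHA1 subpolicy or the TEST-FEDORA39 policy). DEFAULT, LEGACY and FIPS already permitted SHA-1 signatures at this layer and lose only an inert section. Worth stating in the patch header so the security impact is neither over- nor under-read.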
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/GOST-ONLY-opensslcnf.txt
+++ 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/GOST-ONLY-opensslcnf.txt
@@ -4,9 +4,3 @@ TLS.MinProtocol = TLSv1
 TLS.MaxProtocol = TLSv1.3
 SignatureAlgorithms = 
 Groups = 
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY-opensslcnf.txt
+++ fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
 Groups = 
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
===================================================================
--- 
fedora-crypto-policies-20230420.3d08ae7.orig/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
+++ 
fedora-crypto-policies-20230420.3d08ae7/tests/outputs/LEGACY:AD-SUPPORT-opensslcnf.txt
@@ -6,9 +6,3 @@ DTLS.MinProtocol = DTLSv1
 DTLS.MaxProtocol = DTLSv1.2
 SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
 Groups = 
X25519:X448:secp256r1:secp384r1:secp521r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192
-
-[openssl_init]
-alg_section = evp_properties
-
-[evp_properties]
-rh-allow-sha1-signatures = yes
Index: fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/tests/unit/test_cryptopolicy.py
+++ fedora-crypto-policies-20230420.3d08ae7/tests/unit/test_cryptopolicy.py
@@ -260,7 +260,6 @@ def test_cryptopolicy_to_string_empty(tm
         min_dh_size = 0
         min_dsa_size = 0
         min_rsa_size = 0
-        __openssl_block_sha1_signatures = 0
         sha1_in_certs = 0
         ssh_certs = 0
         ssh_etm = 0
@@ -291,7 +290,6 @@ def test_cryptopolicy_to_string_twisted(
         min_dh_size = 0
         min_dsa_size = 0
         min_rsa_size = 0
-        __openssl_block_sha1_signatures = 0
         sha1_in_certs = 0
         ssh_certs = 0
         ssh_etm = 0
Index: fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/policies/TEST-FEDORA39.pol
+++ fedora-crypto-policies-20230420.3d08ae7/policies/TEST-FEDORA39.pol
@@ -67,7 +67,3 @@ sha1_in_certs = 0
 arbitrary_dh_groups = 1
 ssh_certs = 1
 ssh_etm = 1
-
-# https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
-# SHA-1 signatures will blocked in OpenSSL
-__openssl_block_sha1_signatures = 1

++++++ crypto-policies-rpmlintrc ++++++
addFilter(".*files-duplicate.*")
addFilter(".*zero-length.*")
addFilter(".*non-conffile-in-etc.*")

++++++ crypto-policies-supported.patch ++++++
Index: fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
===================================================================
--- fedora-crypto-policies-20230420.3d08ae7.orig/update-crypto-policies.8.txt
+++ fedora-crypto-policies-20230420.3d08ae7/update-crypto-policies.8.txt
@@ -54,23 +54,23 @@ are configured to follow the default pol
 The generated back-end policies will be placed in 
/etc/crypto-policies/back-ends.
 Currently the supported back-ends (and directive scopes they respect) are:
 
-* GnuTLS library (GnuTLS, SSL, TLS)
+* GnuTLS library (GnuTLS, SSL, TLS) (Supported)
 
-* OpenSSL library (OpenSSL, SSL, TLS)
+* OpenSSL library (OpenSSL, SSL, TLS) (Supported)
 
-* NSS library (NSS, SSL, TLS)
+* NSS library (NSS, SSL, TLS) (Not supported)
 
-* OpenJDK (java-tls, SSL, TLS)
+* OpenJDK (java-tls, SSL, TLS) (Supported only for java-1_8_0-openjdk and 
java-11-openjdk)
 
-* Libkrb5 (krb5, kerberos)
+* Libkrb5 (krb5, kerberos) (Not supported)
 
-* BIND (BIND, DNSSec)
+* BIND (BIND, DNSSec) (Not supported)
 
-* OpenSSH (OpenSSH, SSH)
+* OpenSSH (OpenSSH, SSH) (Not supported)
 
-* Libreswan (libreswan, IKE, IPSec)
+* Libreswan (libreswan, IKE, IPSec) (Not supported)
 
-* libssh (libssh, SSH)
+* libssh (libssh, SSH) (Not supported)
 
 Applications and languages which rely on any of these back-ends will follow
 the system policies as well. Examples are apache httpd, nginx, php, and
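Review bot: the lead-in still says "Currently the supported back-ends (and directive scopes they respect) are:" while seven of the nine entries are now tagged "(Not supported)", which reads as a contradiction; reword it along the lines of "the back-ends the tool knows about, with their support status on this distribution, are:". Also spell out what "(Not supported)" means in practice: crypto-policies-policygenerators.patch above disables only the Libreswan and Sequoia generators, so NSS, krb5, BIND, OpenSSH and libssh configs are still written to /etc/crypto-policies/back-ends yet marked unsupported, and an administrator will read that differently from "no config is generated".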

++++++ crypto-policies.7.gz ++++++
++++ 782 lines (skipped)
++++ between crypto-policies.7.gz
++++ and 
/work/SRC/openSUSE:Factory/.crypto-policies.new.1533/crypto-policies.7.gz

++++++ fedora-crypto-policies-20210917.c9d86d1.tar.gz -> 
fedora-crypto-policies-20230420.3d08ae7.tar.gz ++++++
++++ 6091 lines of diff (skipped)

++++++ update-crypto-policies.8.gz ++++++
--- /var/tmp/diff_new_pack.jPuehl/_old  2023-05-28 19:21:48.616593490 +0200
+++ /var/tmp/diff_new_pack.jPuehl/_new  2023-05-28 19:21:48.624593538 +0200
@@ -2,12 +2,12 @@
 .\"     Title: update-crypto-policies
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 01/21/2021
+.\"      Date: 05/25/2023
 .\"    Manual: \ \&
 .\"    Source: update-crypto-policies
 .\"  Language: English
 .\"
-.TH "UPDATE\-CRYPTO\-POLI" "8" "01/21/2021" "update\-crypto\-policies" "\ \&"
+.TH "UPDATE\-CRYPTO\-POLI" "8" "05/25/2023" "update\-crypto\-policies" "\ \&"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -34,15 +34,15 @@
 \fBupdate\-crypto\-policies\fR [\fICOMMAND\fR]
 .SH "DESCRIPTION"
 .sp
-\fBupdate\-crypto\-policies(8)\fR is used to set the policy applicable for the 
various cryptographic back\-ends, such as SSL/TLS libraries\&. That will be the 
default policy used by these back\-ends unless the application user configures 
them otherwise\&.
+\fBupdate\-crypto\-policies(8)\fR is used to set the policy applicable for the 
various cryptographic back\-ends, such as SSL/TLS libraries\&. The policy aims 
to control the back\-end default algorithm selections unless the application 
user configures them otherwise\&.
 .sp
 The available policies are described in the \fBcrypto\-policies(7)\fR manual 
page\&.
 .sp
-The desired system policy is selected in /etc/crypto\-policies/config and this 
tool will generate the individual policy requirements for all back\-ends that 
support such configuration\&. After this tool is called the administrator is 
assured that any application that utilizes the supported back\-ends will follow 
a policy that adheres to the configured profile\&.
+The desired system policy is selected in /etc/crypto\-policies/config and this 
tool will generate the individual policy requirements for all back\-ends that 
support such configuration\&. After this tool is called and all the affected 
applications are restarted, the administrator is assured that any application 
that utilizes the supported back\-ends will follow the specified policy\&.
 .sp
 Note that the above assurance does apply to the extent that applications are 
configured to follow the default policy (the details vary on the back\-end, see 
below for more information)\&.
 .sp
-The generated back\-end policies will be placed in 
/etc/crypto\-policies/back\-ends\&. Currently the supported back\-ends are:
+The generated back\-end policies will be placed in 
/etc/crypto\-policies/back\-ends\&. Currently the supported back\-ends (and 
directive scopes they respect) are:
 .sp
 .RS 4
 .ie n \{\
@@ -52,7 +52,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-GnuTLS library
+GnuTLS library (GnuTLS, SSL, TLS) (Supported)
 .RE
 .sp
 .RS 4
@@ -63,7 +63,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-OpenSSL library
+OpenSSL library (OpenSSL, SSL, TLS) (Supported)
 .RE
 .sp
 .RS 4
@@ -74,7 +74,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-NSS library
+NSS library (NSS, SSL, TLS) (Not supported)
 .RE
 .sp
 .RS 4
@@ -85,7 +85,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-OpenJDK
+OpenJDK (java\-tls, SSL, TLS) (Supported only for java\-1_8_0\-openjdk and 
java\-11\-openjdk)
 .RE
 .sp
 .RS 4
@@ -96,7 +96,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-Libkrb5
+Libkrb5 (krb5, kerberos) (Not supported)
 .RE
 .sp
 .RS 4
@@ -107,7 +107,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-BIND
+BIND (BIND, DNSSec) (Not supported)
 .RE
 .sp
 .RS 4
@@ -118,7 +118,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-OpenSSH
+OpenSSH (OpenSSH, SSH) (Not supported)
 .RE
 .sp
 .RS 4
@@ -129,7 +129,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-Libreswan
+Libreswan (libreswan, IKE, IPSec) (Not supported)
 .RE
 .sp
 .RS 4
@@ -140,7 +140,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-libssh
+libssh (libssh, SSH) (Not supported)
 .RE
 .sp
 Applications and languages which rely on any of these back\-ends will follow 
the system policies as well\&. Examples are apache httpd, nginx, php, and 
others\&.
@@ -285,7 +285,7 @@
 .sp -1
 .IP \(bu 2.3
 .\}
-BIND: This application inherits the set of blacklisted algorithms\&. To 
opt\-out from the policy, remove the policy include directive in the 
named\&.conf file\&.
+BIND: This application inherits the set of disabled algorithms\&. To opt\-out 
from the policy, remove the policy include directive in the named\&.conf file\&.
 .RE
 .sp
 .RS 4
@@ -325,14 +325,14 @@
 .RE
 .SH "POLICY CONFIGURATION"
 .sp
-One of the supported profiles should be set in /etc/crypto\-policies/config 
and this script should be run afterwards\&.
+One of the supported policies should be set in /etc/crypto\-policies/config 
and this script should be run afterwards\&.
 .sp
 In case of a parsing error no policies will be updated\&.
 .SH "CUSTOM POLICIES"
 .sp
 The custom policies can take two forms\&. First form is a full custom policy 
file which is supported by the update\-crypto\-policies tool in the same way as 
the policies shipped along the tool in the package\&.
 .sp
-The second form can be called a subpolicy or policy modifier\&. This form 
modifies aspects of any base policy file by removing or adding algorithms or 
protocols\&. The subpolicies can be appended on the update\-crypto\-policies 
\-\-set command line to the base policy separated by the : character\&. There 
can be multiple subpolicies appended\&.
+The second form can be called a subpolicy or policy modifier\&. This form 
modifies aspects of any base policy file by removing or adding algorithms or 
protocols\&. The subpolicies can be appended on the update\-crypto\-policies 
\-\-set command line to the base policy separated by the : character\&. There 
can be multiple subpolicies appended\&. The resulting configuration is the same 
as if the policy and subpolicies were concatenated together\&.
 .sp
 Let\(cqs suppose we have subpolicy NO\-SHA1 that drops support for SHA1 hash 
and subpolicy GOST that enables support for the various algorithms specified in 
Russian GOST standards\&. You can set the DEFAULT policy with disabled SHA1 
support and enabled GOST support by running the following command:
 .sp
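Review bot: the added sentence "The resulting configuration is the same as if the policy and subpolicies were concatenated together" is the key semantic, but it leaves ordering implicit; say that later directives apply on top of earlier ones, so a subpolicy's `-SHA1` / `-*-SHA1` modifiers (as in NO-SHA1.pmod above) subtract from whatever the base policy and preceding subpolicies produced, and the order on the `--set` line can therefore matter.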
@@ -345,7 +345,7 @@
 .RS 4
 The file contains the system policy to be applied when
 update\-crypto\-policies
-is run without any arguments\&. It should contain a string of one of the 
profiles listed in the
+is run without any arguments\&. It should contain a string of one of the 
policies listed in the
 \fBcrypto\-policies(7)\fR
 page (e\&.g\&., DEFAULT) or any custom policy name with subpolicies separated 
by the
 :
