Initialize for crypto-policies

2024-02-06 18:25:57 +08:00 · 2024-02-06 18:25:57 +08:00 · 357c714c71
commit 357c714c71
8 changed files with 446 additions and 0 deletions
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@ -0,0 +1,3 @@
+0c6f285b8e09f3435510f035c6f5fa831c86a80d10eb416fb326abe39d891ae1 crypto-policies.7.gz
+38d354ec0f44850e13078f8dfa237cf7faea69f51cd4aab612f310f0f9fff500 fedora-crypto-policies-20210917.c9d86d1.tar.gz
+da85dc41627504bafad10aa0905699ca5f19d854f6a890c7bd87ec73d8e32a21 update-crypto-policies.8.gz
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+crypto-policies.7.gz
+fedora-crypto-policies-20210917.c9d86d1.tar.gz
+update-crypto-policies.8.gz
--- a/README.SUSE
+++ b/README.SUSE
@ -0,0 +1,2 @@
+Currently only OpenSSL and GnuTLS policies are supported.
+The rest of the modules ignore the policy settings for the time being.
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@ -0,0 +1,72 @@
+Index: fedora-crypto-policies/Makefile
+===================================================================
+--- fedora-crypto-policies.orig/Makefile
+++ fedora-crypto-policies/Makefile
+@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
+ CONFDIR?=/etc/crypto-policies
+ DESTDIR?=
+ MAN7PAGES=crypto-policies.7
+-MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
+-SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
+MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
+SCRIPTS=update-crypto-policies fips-finish-install
+ NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
+ PYVERSION = -3
+ DIFFTOOL?=meld
+Index: fedora-crypto-policies/crypto-policies.7.txt
+===================================================================
+--- fedora-crypto-policies.orig/crypto-policies.7.txt
+++ fedora-crypto-policies/crypto-policies.7.txt
+@@ -144,9 +144,6 @@ PROVIDED POLICIES
+ 
+ *FIPS*::
+   A policy to aid conformance to the *FIPS 140-2* requirements.
+-  This policy is used internally by the *fips-mode-setup(8)* tool
+-  which can switch the system into the *FIPS 140-2* mode.
+-  This policy provides at least 112-bit security.
+ 
+   * MACs: all *HMAC* with *SHA1* or better
+   * Curves: all prime >= 256 bits
+@@ -255,12 +252,6 @@ COMMANDS
+   back ends and allows the system administrator to change the active
+   cryptographic policy.
+ 
+-*fips-mode-setup(8)*::
+-  This command allows the system administrator to enable, or disable the
+-  system FIPS mode and also apply the *FIPS* cryptographic policy
+-  which limits the allowed algorithms and protocols to these allowed by
+-  the FIPS 140-2 requirements.
+-
+ 
+ NOTES
+ -----
+@@ -427,7 +418,7 @@ FILES
+ 
+ SEE ALSO
+ --------
+-update-crypto-policies(8), fips-mode-setup(8)
+update-crypto-policies(8)
+ 
+ 
+ AUTHOR
+Index: fedora-crypto-policies/python/update-crypto-policies.py
+===================================================================
+--- fedora-crypto-policies.orig/python/update-crypto-policies.py
+++ fedora-crypto-policies/python/update-crypto-policies.py
+@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
+                 eprint("Warning: Using 'update-crypto-policies --set FIPS' "
+                        "is not sufficient for")
+                 eprint("         FIPS compliance.")
+-                eprint("         Use 'fips-mode-setup --enable' "
+-                       "command instead.")
+             elif fips_mode():
+                 eprint("Warning: Using 'update-crypto-policies --set' "
+                        "in FIPS mode will make the system")
+                 eprint("         non-compliant with FIPS.")
+                 eprint("         It can also break "
+                        "the ssh access to the system.")
+-                eprint("         Use 'fips-mode-setup --disable' "
+-                       "to disable the system FIPS mode.")
+ 
+     if base_dir == DEFAULT_BASE_DIR:
+         if not os.geteuid() == 0:
--- a/crypto-policies-no-build-manpages.patch
+++ b/crypto-policies-no-build-manpages.patch
@ -0,0 +1,28 @@
+Index: fedora-crypto-policies/Makefile
+===================================================================
+--- fedora-crypto-policies.orig/Makefile
+++ fedora-crypto-policies/Makefile
+@@ -22,9 +22,9 @@ install: $(MANPAGES)
+ 	mkdir -p $(DESTDIR)$(MANDIR)/man7
+ 	mkdir -p $(DESTDIR)$(MANDIR)/man8
+ 	mkdir -p $(DESTDIR)$(BINDIR)
+-	install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+-	install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+-	install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ 	mkdir -p $(DESTDIR)$(DIR)/
+ 	install -p -m 644 default-config $(DESTDIR)$(DIR)
+ 	install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
+@@ -106,8 +106,8 @@ clean:
+ 	rm -rf output
+ 
+ %: %.txt
+-	asciidoc.py -v -d manpage -b docbook $<
+-	xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
+	# asciidoc -v -d manpage -b docbook $<
+	# xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
+ 
+ dist:
+ 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
--- a/crypto-policies-test_supported_modules_only.patch
+++ b/crypto-policies-test_supported_modules_only.patch
@ -0,0 +1,13 @@
+Index: fedora-crypto-policies/Makefile
+===================================================================
+--- fedora-crypto-policies.orig/Makefile
+++ fedora-crypto-policies/Makefile
+@@ -56,8 +56,6 @@ check:
+ 	tests/openssl.pl
+ 	tests/gnutls.pl
+ 	tests/nss.py
+-	tests/java.pl
+-	tests/krb5.py
+ 	top_srcdir=. tests/update-crypto-policies.sh
+ 
+ # Alternative, equivalent ways to write the same policies
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@ -0,0 +1,122 @@
+* Fri Sep 24 2021 pmonreal@suse.com
+- Remove the scripts and documentation regarding
+  fips-finish-install and test-fips-setup
+  * Add crypto-policies-FIPS.patch
+* Fri Sep 24 2021 pmonreal@suse.com
+- Update to version 20210917.c9d86d1:
+  * openssl: fix disabling ChaCha20
+  * pacify pylint 2.11: use format strings
+  * pacify pylint 2.11: specify explicit encoding
+  * fix minor things found by new pylint
+  * update-crypto-policies: --check against regenerated
+  * update-crypto-policies: fix --check's walking order
+  * policygenerators/gnutls: revert disabling DTLS0.9...
+  * policygenerators/java: add javasystem backend
+  * LEGACY: bump 1023 key size to 1024
+  * cryptopolicies: fix 'and' in deprecation warnings
+  * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
+  * nss: hopefully the last fix for nss sigalgs check
+  * cryptopolicies: Python 3.10 compatibility
+  * nss: postponing check + testing at least something
+  * Rename 'policy modules' to 'subpolicies'
+  * validation.rules: fix a missing word in error
+  * cryptopolicies: raise errors right after warnings
+  * update-crypto-policies: capitalize warnings
+  * cryptopolicies: syntax-precheck scope errors
+  * .gitlab-ci.yml, Makefile: enable codespell
+  * all: fix several typos
+  * docs: don't leave zero TLS/DTLS protocols on
+  * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
+  * alg_lists: order protocols new-to-old for consistency
+  * alg_lists: max_{d,}tls_version
+  * update-crypto-policies: fix pregenerated + local.d
+  * openssh: allow validation with pre-8.5
+  * .gitlab-ci.yml: run commit-range against upstream
+  * openssh: Use the new name for PubkeyAcceptedKeyTypes
+  * sha1_in_dnssec: deprecate
+  * .gitlab-ci.yml: test commit ranges
+  * FIPS:OSPP: sign = -*-SHA2-224
+  * scoped policies: documentation update
+  * scoped policies: use new features to the fullest...
+  * scoped policies: rewrite + minimal policy changes
+  * scoped policies: rewrite preparations
+  * nss: postponing the version check again, to 3.64
+- Remove patches fixed upstream: crypto-policies-typos.patch
+- Rebase: crypto-policies-test_supported_modules_only.patch
+- Merge crypto-policies-asciidoc.patch into
+    crypto-policies-no-build-manpages.patch
+* Thu Feb 25 2021 pmonreal@suse.com
+- Update to version 20210225.05203d2:
+  * Disable DTLS0.9 protocol in the DEFAULT policy.
+  * policies/FIPS: insignificant reformatting
+  * policygenerators/libssh: respect ssh_certs
+  * policies/modules/OSPP: tighten to follow RHEL 8
+  * crypto-policies(7): drop not-reenableable comment
+  * follow up on disabling RC4
+* Thu Feb 25 2021 pmonreal@suse.com
+- Remove not needed scripts: fips-finish-install fips-mode-setup
+* Wed Feb 24 2021 pmonreal@suse.com
+- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938]
+  * The minimum DTLS protocol version in the DEFAULT and FUTURE
+    policies is DTLS1.2.
+  * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e
+* Wed Feb 17 2021 pmonreal@suse.com
+- Update to version 20210213.5c710c0: [bsc#1180938]
+  * setup_directories(): perform safer creation of directories
+  * save_config(): avoid re-opening output file for each iteration
+  * save_config(): break after first match to avoid unnecessary stat() calls
+  * CryptoPolicy.parse(): actually stop parsing line on syntax error
+  * ProfileConfig.parse_string(): correctly extended subpolicies
+  * Exclude RC4 from LEGACY
+  * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT
+  * code style: fix 'not in' membership testing
+  * pylintrc: tighten up a bit
+  * formatting: avoid long lines
+  * formatting: use f-strings instead of format()
+  * formatting: reformat all python code with autopep8
+  * nss: postponing the version check again, to 3.61
+  * Revert "Unfortunately we have to keep ignoring the openssh check for sk-"
+* Tue Feb  9 2021 dimstar@opensuse.org
+- Use tar_scm service, not obs_scm: With crypto-policies entering
+  Ring0 (distro bootstrap) we want to be sure to keep the buildtime
+  deps as low as possible.
+- Add python3-base BuildRequires: previously, OBS' tar service
+  pulled this in for us.
+* Mon Feb  8 2021 pmonreal@suse.com
+- Add a BuildIgnore for crypto-policies
+* Mon Feb  8 2021 pmonreal@suse.com
+- Use gzip instead of xz in obscpio and sources
+* Fri Feb  5 2021 pmonreal@suse.com
+- Do not build the manpages to avoid build cycles
+- Add crypto-policies-no-build-manpages.patch
+* Tue Feb  2 2021 dimstar@opensuse.org
+- Convert to use a proper git source _service:
+  + To update, one just needs to update the commit/revision in the
+    _service file and run `osc service dr`.
+  + The version of the package is defined by the commit date of the
+    revision, followed by the abbreviated git hash (The same
+    revision used before results thus in a downgrade to 20210118,
+    but as this is a alltime new package, this is acceptable.
+* Tue Feb  2 2021 pmonreal@suse.com
+- Update to git version 20210127
+  * Bump Python requirement to 3.6
+  * Output sigalgs required by nss >=3.59
+  * Do not require bind during build
+  * Break build cycles with openssl and gnutls
+* Thu Jan 21 2021 pmonreal@suse.com
+- Update to git version 20210118
+  * Output sigalgs required by nss >=3.59
+  * Bump Python requirement to 3.6
+  * Kerberos 5: Fix policy generator to account for macs
+  * Add AES-192 support (non-TLS scenarios)
+  * Add documentation of the --check option
+* Thu Jan 21 2021 pmonreal@suse.com
+- Fix the man pages generation
+- Add crypto-policies-asciidoc.patch
+* Thu Jan 21 2021 pmonreal@suse.com
+- Test only supported modules
+- Add crypto-policies-test_supported_modules_only.patch
+* Tue Dec 22 2020 pmonreal@suse.com
+- Add crypto-policies-typos.patch to fix some typos
+* Thu Nov 12 2020 vcizek@suse.com
+- Initial packaging, git version 20200918 (jsc#SLE-15832)
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -0,0 +1,203 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%global _python_bytecompile_extra 0
+Name:           crypto-policies
+Version:        20210917.c9d86d1
+Release:        150400.1.7
+Summary:        System-wide crypto policies
+License:        LGPL-2.1-or-later
+Group:          Productivity/Networking/Security
+URL:            https://gitlab.com/redhat-crypto/fedora-%{name}
+Source0:        fedora-%{name}-%{version}.tar.gz
+Source1:        README.SUSE
+Source2:        crypto-policies.7.gz
+Source3:        update-crypto-policies.8.gz
+Patch0:         crypto-policies-test_supported_modules_only.patch
+Patch1:         crypto-policies-no-build-manpages.patch
+Patch2:         crypto-policies-FIPS.patch
+BuildRequires:  python3-base
+# For testing, the following buildrequires need to be uncommented.
+# BuildRequires:  asciidoc
+# BuildRequires:  bind
+# BuildRequires:  gnutls >= 3.6.0
+# BuildRequires:  java-devel
+# BuildRequires:  libxslt
+# BuildRequires:  openssl
+# BuildRequires:  perl
+# BuildRequires:  python3-coverage
+# BuildRequires:  python3-devel >= 3.6
+# BuildRequires:  python3-flake8
+# BuildRequires:  python3-pylint
+# BuildRequires:  python3-pytest
+# BuildRequires:  perl(File::Copy)
+# BuildRequires:  perl(File::Temp)
+# BuildRequires:  perl(File::Which)
+# BuildRequires:  perl(File::pushd)
+Recommends:     crypto-policies-scripts
+Conflicts:      gnutls < 3.7.0
+#Conflicts:      libreswan < 3.28
+Conflicts:      nss < 3.44.0
+#Conflicts:      openssh < 8.2p1
+#!BuildIgnore:  crypto-policies
+BuildArch:      noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary:        Tool to switch between crypto policies
+Requires:       %{name} = %{version}-%{release}
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+%prep
+%autosetup -p1 -n fedora-%{name}-%{version}
+
+%build
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+
+# Install the manpages
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{buildroot}%{_mandir}/man8/
+
+# Install the executable files
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+
+# Remove fips-finish-install and test-fips-setup scripts and man
+find -type f -name fips-finish-install -delete
+find -type f -name fips-finish-install.8.txt -delete
+find -type f -name test-fips-setup.sh -delete
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS ; do
+    mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+    for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+        ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+    done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+    ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+
+%check
+%make_build test || :
+
+%post -p <lua>
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+    local policy = "DEFAULT"
+    local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+    if cf then
+        if cf:read() == "1" then
+            policy = "FIPS"
+        end
+        cf:close()
+    end
+    cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+    if cf then
+        cf:write(policy.."\n")
+        cf:close()
+    end
+    cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+    if cf then
+        cf:write(policy.."\n")
+        cf:close()
+    end
+    local policypath = "%{_datarootdir}/crypto-policies/"..policy
+    for fn in posix.files(policypath) do
+	    if fn ~= "." and fn ~= ".." then
+            local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+            local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+            posix.unlink(cfgfn)
+            posix.symlink(policypath.."/"..fn, cfgfn)
+        end
+    end
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%{_sysconfdir}/crypto-policies/README.SUSE
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%license COPYING.LESSER
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%changelog