commit 357c714c716b640dd63a376eedb7b89871deb3c4
Author: zyppe <210hcl@gmail.com>
Date: Tue Feb 6 18:25:57 2024 +0800
Initialize for crypto-policies
diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata
new file mode 100644
index 0000000..9a94c18
--- /dev/null
+++ b/.crypto-policies.metadata
@@ -0,0 +1,3 @@
+0c6f285b8e09f3435510f035c6f5fa831c86a80d10eb416fb326abe39d891ae1 crypto-policies.7.gz
+38d354ec0f44850e13078f8dfa237cf7faea69f51cd4aab612f310f0f9fff500 fedora-crypto-policies-20210917.c9d86d1.tar.gz
+da85dc41627504bafad10aa0905699ca5f19d854f6a890c7bd87ec73d8e32a21 update-crypto-policies.8.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6fe1ec2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+crypto-policies.7.gz
+fedora-crypto-policies-20210917.c9d86d1.tar.gz
+update-crypto-policies.8.gz
diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..e8339d3
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,2 @@
+Currently only OpenSSL and GnuTLS policies are supported.
+The rest of the modules ignore the policy settings for the time being.
diff --git a/crypto-policies-FIPS.patch b/crypto-policies-FIPS.patch
new file mode 100644
index 0000000..ceeb4ed
--- /dev/null
+++ b/crypto-policies-FIPS.patch
@@ -0,0 +1,72 @@ +Index: fedora-crypto-policies/Makefile +=================================================================== +--- fedora-crypto-policies.orig/Makefile ++++ fedora-crypto-policies/Makefile +@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man + CONFDIR?=/etc/crypto-policies + DESTDIR?= + MAN7PAGES=crypto-policies.7 +-MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8 +-SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup ++MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 ++SCRIPTS=update-crypto-policies fips-finish-install + NUM_PROCS = $$(getconf _NPROCESSORS_ONLN) + PYVERSION = -3 + DIFFTOOL?=meld +Index: fedora-crypto-policies/crypto-policies.7.txt +=================================================================== +--- fedora-crypto-policies.orig/crypto-policies.7.txt ++++ fedora-crypto-policies/crypto-policies.7.txt +@@ -144,9 +144,6 @@ PROVIDED POLICIES + + *FIPS*:: + A policy to aid conformance to the *FIPS 140-2* requirements. +- This policy is used internally by the *fips-mode-setup(8)* tool +- which can switch the system into the *FIPS 140-2* mode. +- This policy provides at least 112-bit security. + + * MACs: all *HMAC* with *SHA1* or better + * Curves: all prime >= 256 bits +@@ -255,12 +252,6 @@ COMMANDS + back ends and allows the system administrator to change the active + cryptographic policy. + +-*fips-mode-setup(8)*:: +- This command allows the system administrator to enable, or disable the +- system FIPS mode and also apply the *FIPS* cryptographic policy +- which limits the allowed algorithms and protocols to these allowed by +- the FIPS 140-2 requirements. 
+- + + NOTES + ----- +@@ -427,7 +418,7 @@ FILES + + SEE ALSO + -------- +-update-crypto-policies(8), fips-mode-setup(8) ++update-crypto-policies(8) + + + AUTHOR +Index: fedora-crypto-policies/python/update-crypto-policies.py +=================================================================== +--- fedora-crypto-policies.orig/python/update-crypto-policies.py ++++ fedora-crypto-policies/python/update-crypto-policies.py +@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None, + eprint("Warning: Using 'update-crypto-policies --set FIPS' " + "is not sufficient for") + eprint(" FIPS compliance.") +- eprint(" Use 'fips-mode-setup --enable' " +- "command instead.") + elif fips_mode(): + eprint("Warning: Using 'update-crypto-policies --set' " + "in FIPS mode will make the system") + eprint(" non-compliant with FIPS.") + eprint(" It can also break " + "the ssh access to the system.") +- eprint(" Use 'fips-mode-setup --disable' " +- "to disable the system FIPS mode.") + + if base_dir == DEFAULT_BASE_DIR: + if not os.geteuid() == 0: diff --git a/crypto-policies-no-build-manpages.patch b/crypto-policies-no-build-manpages.patch new file mode 100644 index 0000000..f023a8e --- /dev/null +++ b/crypto-policies-no-build-manpages.patch 
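Review bot: The Makefile hunk drops fips-mode-setup from MAN8PAGES and SCRIPTS but keeps fips-finish-install.8 and fips-finish-install, although the changes entry for this patch says fips-finish-install and test-fips-setup are removed and the spec deletes those files with `find -delete` after `make install`. The lists stay harmless only because crypto-policies-no-build-manpages.patch comments out the `install` of $(MAN8PAGES) and $(SCRIPTS); `MAN8PAGES=update-crypto-policies.8` and `SCRIPTS=update-crypto-policies` here would remove that hidden dependency between the two patches. In the update-crypto-policies.py hunk the removed lines were the only guidance after the 'not sufficient for FIPS compliance' and 'non-compliant with FIPS' warnings; if nothing replaces fips-mode-setup on this distribution, a short pointer to the supported procedure would help the operator who reads them. The enclosing apply_policy function continues outside the hunk.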
@@ -0,0 +1,28 @@
+Index: fedora-crypto-policies/Makefile
+===================================================================
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -22,9 +22,9 @@ install: $(MANPAGES)
+ mkdir -p $(DESTDIR)$(MANDIR)/man7
+ mkdir -p $(DESTDIR)$(MANDIR)/man8
+ mkdir -p $(DESTDIR)$(BINDIR)
+- install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
+- install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
+- install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
++# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
++# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
++# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
+ mkdir -p $(DESTDIR)$(DIR)/
+ install -p -m 644 default-config $(DESTDIR)$(DIR)
+ install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
+@@ -106,8 +106,8 @@ clean:
+ rm -rf output
+ 
+ %: %.txt
+- asciidoc.py -v -d manpage -b docbook $<
+- xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
++ # asciidoc -v -d manpage -b docbook $<
++ # xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
+ 
+ dist:
+ rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
diff --git a/crypto-policies-test_supported_modules_only.patch b/crypto-policies-test_supported_modules_only.patch
new file mode 100644
index 0000000..e338069
--- /dev/null
+++ b/crypto-policies-test_supported_modules_only.patch
@@ -0,0 +1,13 @@
+Index: fedora-crypto-policies/Makefile
+===================================================================
+--- fedora-crypto-policies.orig/Makefile
++++ fedora-crypto-policies/Makefile
+@@ -56,8 +56,6 @@ check:
+ tests/openssl.pl
+ tests/gnutls.pl
+ tests/nss.py
+- tests/java.pl
+- tests/krb5.py
+ top_srcdir=. tests/update-crypto-policies.sh
+ 
+ # Alternative, equivalent ways to write the same policies
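Review bot: The `%: %.txt` rule is left with a recipe made only of commented-out lines, so make still accepts the man-page targets as prerequisites of `install` (via `$(MANPAGES)`, whose definition is outside the hunk) but runs nothing and produces no file, which is silent rather than explicit. If the pages are meant to come from outside the build, as the spec in this commit does by copying pre-built .gz files, removing the rule and the `$(MANPAGES)` prerequisite would be clearer than a no-op pattern rule; at minimum a Makefile comment such as `# man pages are shipped pre-built by the package and are not generated here` would record the intent.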
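Review bot: tests/nss.py stays in the `check` target while tests/java.pl and tests/krb5.py are dropped, yet README.SUSE in this same commit states that only OpenSSL and GnuTLS policies are supported; either nss is supported and the README should say so, or its test should go with the other two. Because the spec runs `%make_build test || :`, a failing nss test would not surface either way, so the mismatch is about documented intent rather than build breakage.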
diff --git a/crypto-policies.changes b/crypto-policies.changes
new file mode 100644
index 0000000..c1b0cca
--- /dev/null
+++ b/crypto-policies.changes
@@ -0,0 +1,122 @@ +* Fri Sep 24 2021 pmonreal@suse.com +- Remove the scripts and documentation regarding + fips-finish-install and test-fips-setup + * Add crypto-policies-FIPS.patch +* Fri Sep 24 2021 pmonreal@suse.com +- Update to version 20210917.c9d86d1: + * openssl: fix disabling ChaCha20 + * pacify pylint 2.11: use format strings + * pacify pylint 2.11: specify explicit encoding + * fix minor things found by new pylint + * update-crypto-policies: --check against regenerated + * update-crypto-policies: fix --check's walking order + * policygenerators/gnutls: revert disabling DTLS0.9... + * policygenerators/java: add javasystem backend + * LEGACY: bump 1023 key size to 1024 + * cryptopolicies: fix 'and' in deprecation warnings + * *ssh: condition ecdh-sha2-nistp384 on SECP384R1 + * nss: hopefully the last fix for nss sigalgs check + * cryptopolicies: Python 3.10 compatibility + * nss: postponing check + testing at least something + * Rename 'policy modules' to 'subpolicies' + * validation.rules: fix a missing word in error + * cryptopolicies: raise errors right after warnings + * update-crypto-policies: capitalize warnings + * cryptopolicies: syntax-precheck scope errors + * .gitlab-ci.yml, Makefile: enable codespell + * all: fix several typos + * docs: don't leave zero TLS/DTLS protocols on + * openssl: separate TLS/DTLS MinProtocol/MaxProtocol + * alg_lists: order protocols new-to-old for consistency + * alg_lists: max_{d,}tls_version + * update-crypto-policies: fix pregenerated + local.d + * openssh: allow validation with pre-8.5 + * .gitlab-ci.yml: run commit-range against upstream + * openssh: Use the new name for PubkeyAcceptedKeyTypes + * sha1_in_dnssec: deprecate + * .gitlab-ci.yml: test commit ranges + * FIPS:OSPP: sign = -*-SHA2-224 + * scoped policies: documentation update + * scoped policies: use new features to the fullest... 
+ * scoped policies: rewrite + minimal policy changes + * scoped policies: rewrite preparations + * nss: postponing the version check again, to 3.64 +- Remove patches fixed upstream: crypto-policies-typos.patch +- Rebase: crypto-policies-test_supported_modules_only.patch +- Merge crypto-policies-asciidoc.patch into + crypto-policies-no-build-manpages.patch +* Thu Feb 25 2021 pmonreal@suse.com +- Update to version 20210225.05203d2: + * Disable DTLS0.9 protocol in the DEFAULT policy. + * policies/FIPS: insignificant reformatting + * policygenerators/libssh: respect ssh_certs + * policies/modules/OSPP: tighten to follow RHEL 8 + * crypto-policies(7): drop not-reenableable comment + * follow up on disabling RC4 +* Thu Feb 25 2021 pmonreal@suse.com +- Remove not needed scripts: fips-finish-install fips-mode-setup +* Wed Feb 24 2021 pmonreal@suse.com +- Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938] + * The minimum DTLS protocol version in the DEFAULT and FUTURE + policies is DTLS1.2. 
+ * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e +* Wed Feb 17 2021 pmonreal@suse.com +- Update to version 20210213.5c710c0: [bsc#1180938] + * setup_directories(): perform safer creation of directories + * save_config(): avoid re-opening output file for each iteration + * save_config(): break after first match to avoid unnecessary stat() calls + * CryptoPolicy.parse(): actually stop parsing line on syntax error + * ProfileConfig.parse_string(): correctly extended subpolicies + * Exclude RC4 from LEGACY + * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT + * code style: fix 'not in' membership testing + * pylintrc: tighten up a bit + * formatting: avoid long lines + * formatting: use f-strings instead of format() + * formatting: reformat all python code with autopep8 + * nss: postponing the version check again, to 3.61 + * Revert "Unfortunately we have to keep ignoring the openssh check for sk-" +* Tue Feb 9 2021 dimstar@opensuse.org +- Use tar_scm service, not obs_scm: With crypto-policies entering + Ring0 (distro bootstrap) we want to be sure to keep the buildtime + deps as low as possible. +- Add python3-base BuildRequires: previously, OBS' tar service + pulled this in for us. +* Mon Feb 8 2021 pmonreal@suse.com +- Add a BuildIgnore for crypto-policies +* Mon Feb 8 2021 pmonreal@suse.com +- Use gzip instead of xz in obscpio and sources +* Fri Feb 5 2021 pmonreal@suse.com +- Do not build the manpages to avoid build cycles +- Add crypto-policies-no-build-manpages.patch +* Tue Feb 2 2021 dimstar@opensuse.org +- Convert to use a proper git source _service: + + To update, one just needs to update the commit/revision in the + _service file and run `osc service dr`. + + The version of the package is defined by the commit date of the + revision, followed by the abbreviated git hash (The same + revision used before results thus in a downgrade to 20210118, + but as this is a alltime new package, this is acceptable. 
+* Tue Feb 2 2021 pmonreal@suse.com
+- Update to git version 20210127
+ * Bump Python requirement to 3.6
+ * Output sigalgs required by nss >=3.59
+ * Do not require bind during build
+ * Break build cycles with openssl and gnutls
+* Thu Jan 21 2021 pmonreal@suse.com
+- Update to git version 20210118
+ * Output sigalgs required by nss >=3.59
+ * Bump Python requirement to 3.6
+ * Kerberos 5: Fix policy generator to account for macs
+ * Add AES-192 support (non-TLS scenarios)
+ * Add documentation of the --check option
+* Thu Jan 21 2021 pmonreal@suse.com
+- Fix the man pages generation
+- Add crypto-policies-asciidoc.patch
+* Thu Jan 21 2021 pmonreal@suse.com
+- Test only supported modules
+- Add crypto-policies-test_supported_modules_only.patch
+* Tue Dec 22 2020 pmonreal@suse.com
+- Add crypto-policies-typos.patch to fix some typos
+* Thu Nov 12 2020 vcizek@suse.com
+- Initial packaging, git version 20200918 (jsc#SLE-15832)
diff --git a/crypto-policies.spec b/crypto-policies.spec
new file mode 100644
index 0000000..3049c59
--- /dev/null
+++ b/crypto-policies.spec
@@ -0,0 +1,203 @@
+#
+# spec file for package crypto-policies
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%global _python_bytecompile_extra 0
+Name: crypto-policies
+Version: 20210917.c9d86d1
+Release: 150400.1.7
+Summary: System-wide crypto policies
+License: LGPL-2.1-or-later
+Group: Productivity/Networking/Security
+URL: https://gitlab.com/redhat-crypto/fedora-%{name}
+Source0: fedora-%{name}-%{version}.tar.gz
+Source1: README.SUSE
+Source2: crypto-policies.7.gz
+Source3: update-crypto-policies.8.gz
+Patch0: crypto-policies-test_supported_modules_only.patch
+Patch1: crypto-policies-no-build-manpages.patch
+Patch2: crypto-policies-FIPS.patch
+BuildRequires: python3-base
+# For testing, the following buildrequires need to be uncommented.
+# BuildRequires: asciidoc
+# BuildRequires: bind
+# BuildRequires: gnutls >= 3.6.0
+# BuildRequires: java-devel
+# BuildRequires: libxslt
+# BuildRequires: openssl
+# BuildRequires: perl
+# BuildRequires: python3-coverage
+# BuildRequires: python3-devel >= 3.6
+# BuildRequires: python3-flake8
+# BuildRequires: python3-pylint
+# BuildRequires: python3-pytest
+# BuildRequires: perl(File::Copy)
+# BuildRequires: perl(File::Temp)
+# BuildRequires: perl(File::Which)
+# BuildRequires: perl(File::pushd)
+Recommends: crypto-policies-scripts
+Conflicts: gnutls < 3.7.0
+#Conflicts: libreswan < 3.28
+Conflicts: nss < 3.44.0
+#Conflicts: openssh < 8.2p1
+#!BuildIgnore: crypto-policies
+BuildArch: noarch
+
+%description
+This package provides pre-built configuration files with
+cryptographic policies for various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+%package scripts
+Summary: Tool to switch between crypto policies
+Requires: %{name} = %{version}-%{release}
+
+%description scripts
+This package provides a tool update-crypto-policies, which applies
+the policies provided by the crypto-policies package. These can be
+either the pre-built policies from the base package or custom policies
+defined in simple policy definition files.
+
+%prep
+%autosetup -p1 -n fedora-%{name}-%{version}
+
+%build
+%make_build
+
+%install
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
+mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
+mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
+mkdir -p -m 755 %{buildroot}%{_bindir}
+
+make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
+
+# Install the manpages
+mkdir -p -m 755 %{buildroot}%{_mandir}/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
+mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
+cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
+cp %{SOURCE3} %{buildroot}%{_mandir}/man8/
+
+# Install the executable files
+install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
+
+install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
+touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
+rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
+
+# Remove fips-finish-install and test-fips-setup scripts and man
+find -type f -name fips-finish-install -delete
+find -type f -name fips-finish-install.8.txt -delete
+find -type f -name test-fips-setup.sh -delete
+
+# Create back-end configs for mounting with read-only /etc/
+for d in LEGACY DEFAULT FUTURE FIPS ; do
+ mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
+ for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
+ ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
+ done
+done
+
+for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
+ ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
+done
+
+%py3_compile %{buildroot}%{_datadir}/crypto-policies/python
+
+cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
+
+%check
+%make_build test || :
+
+%post -p
+if not posix.access("%{_sysconfdir}/crypto-policies/config") then
+ local policy = "DEFAULT"
+ local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
+ if cf then
+ if cf:read() == "1" then
+ policy = "FIPS"
+ end
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
+ if cf then
+ cf:write(policy.."\n")
+ cf:close()
+ end
+ local policypath = "%{_datarootdir}/crypto-policies/"..policy
+ for fn in posix.files(policypath) do
+ if fn ~= "." and fn ~= ".." then
+ local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
+ local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
+ posix.unlink(cfgfn)
+ posix.symlink(policypath.."/"..fn, cfgfn)
+ end
+ end
+end
+
+%posttrans scripts
+%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
+
+%files
+%dir %{_sysconfdir}/crypto-policies/
+%dir %{_sysconfdir}/crypto-policies/back-ends/
+%dir %{_sysconfdir}/crypto-policies/state/
+%dir %{_sysconfdir}/crypto-policies/local.d/
+%dir %{_sysconfdir}/crypto-policies/policies/
+%dir %{_sysconfdir}/crypto-policies/policies/modules/
+%dir %{_datarootdir}/crypto-policies/
+
+%{_sysconfdir}/crypto-policies/README.SUSE
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
+
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
+%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
+
+%ghost %{_sysconfdir}/crypto-policies/state/current
+%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
+
+%{_mandir}/man7/crypto-policies.7%{?ext_man}
+%{_datarootdir}/crypto-policies/LEGACY
+%{_datarootdir}/crypto-policies/DEFAULT
+%{_datarootdir}/crypto-policies/FUTURE
+%{_datarootdir}/crypto-policies/FIPS
+%{_datarootdir}/crypto-policies/EMPTY
+%{_datarootdir}/crypto-policies/back-ends
+%{_datarootdir}/crypto-policies/default-config
+%{_datarootdir}/crypto-policies/reload-cmds.sh
+%{_datarootdir}/crypto-policies/policies
+
+%license COPYING.LESSER
+
+%files scripts
+%{_bindir}/update-crypto-policies
+%{_mandir}/man8/update-crypto-policies.8%{?ext_man}
+%{_datarootdir}/crypto-policies/python
+
+%changelog
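Review bot: `%post -p` at the head of the %post scriptlet names no program although the body is Lua (`posix.access`, `io.open`, `posix.symlink`); the hunk's line count matches the file with this header on a single line, so the `<lua>` tag was most likely stripped when the page was rendered, but confirm the spec itself reads `%post -p <lua>`, since `-p` needs a program argument. `%make_build test || :` in %check, together with every test BuildRequires being commented out, means no policy test gates the build; if that is deliberate to avoid the openssl/gnutls build cycles the changes file mentions, a comment on that line would stop it reading as an accidental mask, e.g. `# tests need openssl/gnutls/perl, which would create build cycles; never fail the build on them`. Separately, crypto-policies.7.gz is copied verbatim from %{SOURCE2} while Patch2 edits crypto-policies.7.txt to drop fips-mode-setup(8); unless that pre-built page was regenerated from the patched text, the installed man page still refers to a tool this package does not ship.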