Initialize for crypto-policies

2024-02-06 18:25:57 +08:00 · 2024-02-06 18:25:57 +08:00 · 357c714c71
commit 357c714c71
8 changed files with 446 additions and 0 deletions
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@ -0,0 +1,3 @@
 0c6f285b8e09f3435510f035c6f5fa831c86a80d10eb416fb326abe39d891ae1 crypto-policies.7.gz
 38d354ec0f44850e13078f8dfa237cf7faea69f51cd4aab612f310f0f9fff500 fedora-crypto-policies-20210917.c9d86d1.tar.gz
 da85dc41627504bafad10aa0905699ca5f19d854f6a890c7bd87ec73d8e32a21 update-crypto-policies.8.gz
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
 crypto-policies.7.gz
 fedora-crypto-policies-20210917.c9d86d1.tar.gz
 update-crypto-policies.8.gz
--- a/README.SUSE
+++ b/README.SUSE
@ -0,0 +1,2 @@
 Currently only OpenSSL and GnuTLS policies are supported.
 The rest of the modules ignore the policy settings for the time being.
--- a/crypto-policies-FIPS.patch
+++ b/crypto-policies-FIPS.patch
@ -0,0 +1,72 @@
 Index: fedora-crypto-policies/Makefile
 ===================================================================
 --- fedora-crypto-policies.orig/Makefile
 +++ fedora-crypto-policies/Makefile
@@ -5,8 +5,8 @@ MANDIR?=/usr/share/man
 CONFDIR?=/etc/crypto-policies
 DESTDIR?=
 MAN7PAGES=crypto-policies.7
 -MAN8PAGES=update-crypto-policies.8 fips-finish-install.8 fips-mode-setup.8
 -SCRIPTS=update-crypto-policies fips-finish-install fips-mode-setup
 +MAN8PAGES=update-crypto-policies.8 fips-finish-install.8
 +SCRIPTS=update-crypto-policies fips-finish-install
 NUM_PROCS = $$(getconf _NPROCESSORS_ONLN)
 PYVERSION = -3
 DIFFTOOL?=meld
 Index: fedora-crypto-policies/crypto-policies.7.txt
 ===================================================================
 --- fedora-crypto-policies.orig/crypto-policies.7.txt
 +++ fedora-crypto-policies/crypto-policies.7.txt
@@ -144,9 +144,6 @@ PROVIDED POLICIES
 *FIPS*::
   A policy to aid conformance to the *FIPS 140-2* requirements.
 -  This policy is used internally by the *fips-mode-setup(8)* tool
 -  which can switch the system into the *FIPS 140-2* mode.
 -  This policy provides at least 112-bit security.
   * MACs: all *HMAC* with *SHA1* or better
   * Curves: all prime >= 256 bits
@@ -255,12 +252,6 @@ COMMANDS
   back ends and allows the system administrator to change the active
   cryptographic policy.
 -*fips-mode-setup(8)*::
 -  This command allows the system administrator to enable, or disable the
 -  system FIPS mode and also apply the *FIPS* cryptographic policy
 -  which limits the allowed algorithms and protocols to these allowed by
 -  the FIPS 140-2 requirements.
 -
 NOTES
 -----
@@ -427,7 +418,7 @@ FILES
 SEE ALSO
 --------
 -update-crypto-policies(8), fips-mode-setup(8)
 +update-crypto-policies(8)
 AUTHOR
 Index: fedora-crypto-policies/python/update-crypto-policies.py
 ===================================================================
 --- fedora-crypto-policies.orig/python/update-crypto-policies.py
 +++ fedora-crypto-policies/python/update-crypto-policies.py
@@ -344,16 +344,12 @@ def apply_policy(pconfig, profile=None,
                 eprint("Warning: Using 'update-crypto-policies --set FIPS' "
                        "is not sufficient for")
                 eprint("         FIPS compliance.")
 -                eprint("         Use 'fips-mode-setup --enable' "
 -                       "command instead.")
             elif fips_mode():
                 eprint("Warning: Using 'update-crypto-policies --set' "
                        "in FIPS mode will make the system")
                 eprint("         non-compliant with FIPS.")
                 eprint("         It can also break "
                        "the ssh access to the system.")
 -                eprint("         Use 'fips-mode-setup --disable' "
 -                       "to disable the system FIPS mode.")
     if base_dir == DEFAULT_BASE_DIR:
         if not os.geteuid() == 0:
--- a/crypto-policies-no-build-manpages.patch
+++ b/crypto-policies-no-build-manpages.patch
@ -0,0 +1,28 @@
 Index: fedora-crypto-policies/Makefile
 ===================================================================
 --- fedora-crypto-policies.orig/Makefile
 +++ fedora-crypto-policies/Makefile
@@ -22,9 +22,9 @@ install: $(MANPAGES)
 	mkdir -p $(DESTDIR)$(MANDIR)/man7
 	mkdir -p $(DESTDIR)$(MANDIR)/man8
 	mkdir -p $(DESTDIR)$(BINDIR)
 -	install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
 -	install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
 -	install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
 +# install -p -m 644 $(MAN7PAGES) $(DESTDIR)$(MANDIR)/man7
 +# install -p -m 644 $(MAN8PAGES) $(DESTDIR)$(MANDIR)/man8
 +# install -p -m 755 $(SCRIPTS) $(DESTDIR)$(BINDIR)
 	mkdir -p $(DESTDIR)$(DIR)/
 	install -p -m 644 default-config $(DESTDIR)$(DIR)
 	install -p -m 644 output/reload-cmds.sh $(DESTDIR)$(DIR)
@@ -106,8 +106,8 @@ clean:
 	rm -rf output
 %: %.txt
 -	asciidoc.py -v -d manpage -b docbook $<
 -	xsltproc --nonet -o $@ /usr/share/asciidoc/docbook-xsl/manpage.xsl $@.xml
 +	# asciidoc -v -d manpage -b docbook $<
 +	# xsltproc --nonet -o $@ /etc/asciidoc/docbook-xsl/manpage.xsl $@.xml
 dist:
 	rm -rf crypto-policies && git clone . crypto-policies && rm -rf crypto-policies/.git/ && tar -czf crypto-policies-git$(VERSION).tar.gz crypto-policies && rm -rf crypto-policies
--- a/crypto-policies-test_supported_modules_only.patch
+++ b/crypto-policies-test_supported_modules_only.patch
@ -0,0 +1,13 @@
 Index: fedora-crypto-policies/Makefile
 ===================================================================
 --- fedora-crypto-policies.orig/Makefile
 +++ fedora-crypto-policies/Makefile
@@ -56,8 +56,6 @@ check:
 	tests/openssl.pl
 	tests/gnutls.pl
 	tests/nss.py
 -	tests/java.pl
 -	tests/krb5.py
 	top_srcdir=. tests/update-crypto-policies.sh
 # Alternative, equivalent ways to write the same policies
--- a/crypto-policies.changes
+++ b/crypto-policies.changes
@ -0,0 +1,122 @@
 * Fri Sep 24 2021 pmonreal@suse.com
 - Remove the scripts and documentation regarding
  fips-finish-install and test-fips-setup
  * Add crypto-policies-FIPS.patch
 * Fri Sep 24 2021 pmonreal@suse.com
 - Update to version 20210917.c9d86d1:
  * openssl: fix disabling ChaCha20
  * pacify pylint 2.11: use format strings
  * pacify pylint 2.11: specify explicit encoding
  * fix minor things found by new pylint
  * update-crypto-policies: --check against regenerated
  * update-crypto-policies: fix --check's walking order
  * policygenerators/gnutls: revert disabling DTLS0.9...
  * policygenerators/java: add javasystem backend
  * LEGACY: bump 1023 key size to 1024
  * cryptopolicies: fix 'and' in deprecation warnings
  * *ssh: condition ecdh-sha2-nistp384 on SECP384R1
  * nss: hopefully the last fix for nss sigalgs check
  * cryptopolicies: Python 3.10 compatibility
  * nss: postponing check + testing at least something
  * Rename 'policy modules' to 'subpolicies'
  * validation.rules: fix a missing word in error
  * cryptopolicies: raise errors right after warnings
  * update-crypto-policies: capitalize warnings
  * cryptopolicies: syntax-precheck scope errors
  * .gitlab-ci.yml, Makefile: enable codespell
  * all: fix several typos
  * docs: don't leave zero TLS/DTLS protocols on
  * openssl: separate TLS/DTLS MinProtocol/MaxProtocol
  * alg_lists: order protocols new-to-old for consistency
  * alg_lists: max_{d,}tls_version
  * update-crypto-policies: fix pregenerated + local.d
  * openssh: allow validation with pre-8.5
  * .gitlab-ci.yml: run commit-range against upstream
  * openssh: Use the new name for PubkeyAcceptedKeyTypes
  * sha1_in_dnssec: deprecate
  * .gitlab-ci.yml: test commit ranges
  * FIPS:OSPP: sign = -*-SHA2-224
  * scoped policies: documentation update
  * scoped policies: use new features to the fullest...
  * scoped policies: rewrite + minimal policy changes
  * scoped policies: rewrite preparations
  * nss: postponing the version check again, to 3.64
 - Remove patches fixed upstream: crypto-policies-typos.patch
 - Rebase: crypto-policies-test_supported_modules_only.patch
 - Merge crypto-policies-asciidoc.patch into
    crypto-policies-no-build-manpages.patch
 * Thu Feb 25 2021 pmonreal@suse.com
 - Update to version 20210225.05203d2:
  * Disable DTLS0.9 protocol in the DEFAULT policy.
  * policies/FIPS: insignificant reformatting
  * policygenerators/libssh: respect ssh_certs
  * policies/modules/OSPP: tighten to follow RHEL 8
  * crypto-policies(7): drop not-reenableable comment
  * follow up on disabling RC4
 * Thu Feb 25 2021 pmonreal@suse.com
 - Remove not needed scripts: fips-finish-install fips-mode-setup
 * Wed Feb 24 2021 pmonreal@suse.com
 - Disable DTLS0.9 protocol in GnuTLS DEFAULT policy. [bsc#1180938]
  * The minimum DTLS protocol version in the DEFAULT and FUTURE
    policies is DTLS1.2.
  * Fixed upstream: 05203d21f6d0ea9bbdb351e4600f1e273720bb8e
 * Wed Feb 17 2021 pmonreal@suse.com
 - Update to version 20210213.5c710c0: [bsc#1180938]
  * setup_directories(): perform safer creation of directories
  * save_config(): avoid re-opening output file for each iteration
  * save_config(): break after first match to avoid unnecessary stat() calls
  * CryptoPolicy.parse(): actually stop parsing line on syntax error
  * ProfileConfig.parse_string(): correctly extended subpolicies
  * Exclude RC4 from LEGACY
  * Introduce rc4_md5_in_krb5 to narrow AD_SUPPORT
  * code style: fix 'not in' membership testing
  * pylintrc: tighten up a bit
  * formatting: avoid long lines
  * formatting: use f-strings instead of format()
  * formatting: reformat all python code with autopep8
  * nss: postponing the version check again, to 3.61
  * Revert "Unfortunately we have to keep ignoring the openssh check for sk-"
 * Tue Feb  9 2021 dimstar@opensuse.org
 - Use tar_scm service, not obs_scm: With crypto-policies entering
  Ring0 (distro bootstrap) we want to be sure to keep the buildtime
  deps as low as possible.
 - Add python3-base BuildRequires: previously, OBS' tar service
  pulled this in for us.
 * Mon Feb  8 2021 pmonreal@suse.com
 - Add a BuildIgnore for crypto-policies
 * Mon Feb  8 2021 pmonreal@suse.com
 - Use gzip instead of xz in obscpio and sources
 * Fri Feb  5 2021 pmonreal@suse.com
 - Do not build the manpages to avoid build cycles
 - Add crypto-policies-no-build-manpages.patch
 * Tue Feb  2 2021 dimstar@opensuse.org
 - Convert to use a proper git source _service:
  + To update, one just needs to update the commit/revision in the
    _service file and run `osc service dr`.
  + The version of the package is defined by the commit date of the
    revision, followed by the abbreviated git hash (The same
    revision used before results thus in a downgrade to 20210118,
    but as this is a alltime new package, this is acceptable.
 * Tue Feb  2 2021 pmonreal@suse.com
 - Update to git version 20210127
  * Bump Python requirement to 3.6
  * Output sigalgs required by nss >=3.59
  * Do not require bind during build
  * Break build cycles with openssl and gnutls
 * Thu Jan 21 2021 pmonreal@suse.com
 - Update to git version 20210118
  * Output sigalgs required by nss >=3.59
  * Bump Python requirement to 3.6
  * Kerberos 5: Fix policy generator to account for macs
  * Add AES-192 support (non-TLS scenarios)
  * Add documentation of the --check option
 * Thu Jan 21 2021 pmonreal@suse.com
 - Fix the man pages generation
 - Add crypto-policies-asciidoc.patch
 * Thu Jan 21 2021 pmonreal@suse.com
 - Test only supported modules
 - Add crypto-policies-test_supported_modules_only.patch
 * Tue Dec 22 2020 pmonreal@suse.com
 - Add crypto-policies-typos.patch to fix some typos
 * Thu Nov 12 2020 vcizek@suse.com
 - Initial packaging, git version 20200918 (jsc#SLE-15832)
--- a/crypto-policies.spec
+++ b/crypto-policies.spec
@ -0,0 +1,203 @@
 #
 # spec file for package crypto-policies
 #
 # Copyright (c) 2022-2023 ZhuningOS
 #
 %global _python_bytecompile_extra 0
 Name:           crypto-policies
 Version:        20210917.c9d86d1
 Release:        150400.1.7
 Summary:        System-wide crypto policies
 License:        LGPL-2.1-or-later
 Group:          Productivity/Networking/Security
 URL:            https://gitlab.com/redhat-crypto/fedora-%{name}
 Source0:        fedora-%{name}-%{version}.tar.gz
 Source1:        README.SUSE
 Source2:        crypto-policies.7.gz
 Source3:        update-crypto-policies.8.gz
 Patch0:         crypto-policies-test_supported_modules_only.patch
 Patch1:         crypto-policies-no-build-manpages.patch
 Patch2:         crypto-policies-FIPS.patch
 BuildRequires:  python3-base
 # For testing, the following buildrequires need to be uncommented.
 # BuildRequires:  asciidoc
 # BuildRequires:  bind
 # BuildRequires:  gnutls >= 3.6.0
 # BuildRequires:  java-devel
 # BuildRequires:  libxslt
 # BuildRequires:  openssl
 # BuildRequires:  perl
 # BuildRequires:  python3-coverage
 # BuildRequires:  python3-devel >= 3.6
 # BuildRequires:  python3-flake8
 # BuildRequires:  python3-pylint
 # BuildRequires:  python3-pytest
 # BuildRequires:  perl(File::Copy)
 # BuildRequires:  perl(File::Temp)
 # BuildRequires:  perl(File::Which)
 # BuildRequires:  perl(File::pushd)
 Recommends:     crypto-policies-scripts
 Conflicts:      gnutls < 3.7.0
 #Conflicts:      libreswan < 3.28
 Conflicts:      nss < 3.44.0
 #Conflicts:      openssh < 8.2p1
 #!BuildIgnore:  crypto-policies
 BuildArch:      noarch
 %description
 This package provides pre-built configuration files with
 cryptographic policies for various cryptographic back-ends,
 such as SSL/TLS libraries.
 %package scripts
 Summary:        Tool to switch between crypto policies
 Requires:       %{name} = %{version}-%{release}
 %description scripts
 This package provides a tool update-crypto-policies, which applies
 the policies provided by the crypto-policies package. These can be
 either the pre-built policies from the base package or custom policies
 defined in simple policy definition files.
 %prep
 %autosetup -p1 -n fedora-%{name}-%{version}
 %build
 %make_build
 %install
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
 mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
 mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
 mkdir -p -m 755 %{buildroot}%{_bindir}
 make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
 # Install the manpages
 mkdir -p -m 755 %{buildroot}%{_mandir}/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man7/
 mkdir -p -m 755 %{buildroot}%{_mandir}/man8/
 cp %{SOURCE2} %{buildroot}%{_mandir}/man7/
 cp %{SOURCE3} %{buildroot}%{_mandir}/man8/
 # Install the executable files
 install -p -m 755 update-crypto-policies %{buildroot}%{_bindir}/
 install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
 touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
 # Drop pre-generated GOST-ONLY policy, we do not need to ship the files
 rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
 # Remove fips-finish-install and test-fips-setup scripts and man
 find -type f -name fips-finish-install -delete
 find -type f -name fips-finish-install.8.txt -delete
 find -type f -name test-fips-setup.sh -delete
 # Create back-end configs for mounting with read-only /etc/
 for d in LEGACY DEFAULT FUTURE FIPS ; do
    mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
    for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
        ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
    done
 done
 for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
    ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
 done
 %py3_compile %{buildroot}%{_datadir}/crypto-policies/python
 cp %{SOURCE1} %{buildroot}%{_sysconfdir}/crypto-policies
 %check
 %make_build test || :
 %post -p <lua>
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
    local policy = "DEFAULT"
    local cf = io.open("/proc/sys/crypto/fips_enabled", "r")
    if cf then
        if cf:read() == "1" then
            policy = "FIPS"
        end
        cf:close()
    end
    cf = io.open("%{_sysconfdir}/crypto-policies/config", "w")
    if cf then
        cf:write(policy.."\n")
        cf:close()
    end
    cf = io.open("%{_sysconfdir}/crypto-policies/state/current", "w")
    if cf then
        cf:write(policy.."\n")
        cf:close()
    end
    local policypath = "%{_datarootdir}/crypto-policies/"..policy
    for fn in posix.files(policypath) do
 	    if fn ~= "." and fn ~= ".." then
            local backend = fn:gsub(".*/", ""):gsub("%%..*", "")
            local cfgfn = "%{_sysconfdir}/crypto-policies/back-ends/"..backend..".config"
            posix.unlink(cfgfn)
            posix.symlink(policypath.."/"..fn, cfgfn)
        end
    end
 end
 %posttrans scripts
 %{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
 %files
 %dir %{_sysconfdir}/crypto-policies/
 %dir %{_sysconfdir}/crypto-policies/back-ends/
 %dir %{_sysconfdir}/crypto-policies/state/
 %dir %{_sysconfdir}/crypto-policies/local.d/
 %dir %{_sysconfdir}/crypto-policies/policies/
 %dir %{_sysconfdir}/crypto-policies/policies/modules/
 %dir %{_datarootdir}/crypto-policies/
 %{_sysconfdir}/crypto-policies/README.SUSE
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
 %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
 %ghost %{_sysconfdir}/crypto-policies/state/current
 %ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
 %{_mandir}/man7/crypto-policies.7%{?ext_man}
 %{_datarootdir}/crypto-policies/LEGACY
 %{_datarootdir}/crypto-policies/DEFAULT
 %{_datarootdir}/crypto-policies/FUTURE
 %{_datarootdir}/crypto-policies/FIPS
 %{_datarootdir}/crypto-policies/EMPTY
 %{_datarootdir}/crypto-policies/back-ends
 %{_datarootdir}/crypto-policies/default-config
 %{_datarootdir}/crypto-policies/reload-cmds.sh
 %{_datarootdir}/crypto-policies/policies
 %license COPYING.LESSER
 %files scripts
 %{_bindir}/update-crypto-policies
 %{_mandir}/man8/update-crypto-policies.8%{?ext_man}
 %{_datarootdir}/crypto-policies/python
 %changelog
		`@ -0,0 +1,2 @@`
							`Currently only OpenSSL and GnuTLS policies are supported.`
							`The rest of the modules ignore the policy settings for the time being.`