Update to 20240202-1.git283706d

i9 changed/i9/crypto-policies-20240202-1.git283706d.el9.inferit
Arkady L. Shane 6 months ago
parent 3657dfb292
commit 4fddb12622
Signed by: tigro
GPG Key ID: 1EC08A25C9DB2503

@ -1 +1 @@
7b2c7705996b7c988b1fa4852da8e14656326979 SOURCES/crypto-policies-gitb972148.tar.gz
61d1e62750bb43415038892681dd29637832ee4d SOURCES/crypto-policies-git283706d.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/crypto-policies-gitb972148.tar.gz
SOURCES/crypto-policies-git283706d.tar.gz

@ -1,6 +1,6 @@
From a62a60980cb42127f000ea42548a31dc068cb39f Mon Sep 17 00:00:00 2001
From: Alexey Berezhok <aberezhok@msvsphere-os.ru>
Date: Sat, 10 Feb 2024 18:31:11 +0300
From 856e52f120f6e4fa0a6ef2f134970cfe59cce6b2 Mon Sep 17 00:00:00 2001
From: tigro <tigro@msvsphere-os.ru>
Date: Mon, 13 May 2024 17:06:55 +0300
Subject: [PATCH] Added GOST policy also added experimental PAM generator
---
@ -1155,10 +1155,10 @@ index 792cbe1..88d79e3 100644
def earliest_occurrence(needles, ordered_haystack):
diff --git a/python/cryptopolicies/cryptopolicies.py b/python/cryptopolicies/cryptopolicies.py
index 9e3d48b..4197873 100644
index bca0519..fff016a 100644
--- a/python/cryptopolicies/cryptopolicies.py
+++ b/python/cryptopolicies/cryptopolicies.py
@@ -40,7 +40,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
@@ -41,7 +41,7 @@ ALL_SCOPES = ( # defined explicitly to catch typos / globbing nothing
'ssh', 'openssh', 'openssh-server', 'openssh-client', 'libssh',
'ipsec', 'ike', 'libreswan',
'kerberos', 'krb5',
@ -1167,7 +1167,7 @@ index 9e3d48b..4197873 100644
)
DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
'bind': {'bind', 'dnssec'},
@@ -53,6 +53,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
@@ -54,6 +54,7 @@ DUMPABLE_SCOPES = { # TODO: fix duplication, backends specify same things
'openssh-client': {'openssh-client', 'openssh', 'ssh'},
'openssh-server': {'openssh-server', 'openssh', 'ssh'},
'openssl': {'openssl', 'tls', 'ssl'},
@ -1175,7 +1175,7 @@ index 9e3d48b..4197873 100644
}
@@ -458,6 +459,8 @@ class UnscopedCryptoPolicy:
@@ -468,6 +469,8 @@ class UnscopedCryptoPolicy:
**generic_scoped.integers,
**generic_scoped.enums}
for prop_name, value in generic_all.items():
@ -1184,7 +1184,7 @@ index 9e3d48b..4197873 100644
s += fmt(prop_name, value)
anything_scope_specific = False
for scope_name, scope_set in DUMPABLE_SCOPES.items():
@@ -466,6 +469,8 @@ class UnscopedCryptoPolicy:
@@ -476,6 +479,8 @@ class UnscopedCryptoPolicy:
**specific_scoped.integers,
**specific_scoped.enums}
for prop_name, value in specific_all.items():
@ -1257,7 +1257,7 @@ diff --git a/python/policygenerators/fedora-crypto-policies.code-workspace b/pyt
new file mode 100644
index 0000000..e69de29
diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py
index 165a26b..75940d8 100644
index 571dc79..57c7476 100644
--- a/python/policygenerators/openssl.py
+++ b/python/policygenerators/openssl.py
@@ -2,6 +2,7 @@
@ -1294,7 +1294,7 @@ index 165a26b..75940d8 100644
class OpenSSLGenerator(ConfigGenerator):
CONFIG_NAME = 'openssl'
@@ -263,6 +283,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator):
@@ -266,6 +286,9 @@ class OpenSSLConfigGenerator(OpenSSLGenerator):
if 'SHA1' in p['hash']:
s += RH_ALLOW_SHA1
@ -1302,8 +1302,8 @@ index 165a26b..75940d8 100644
+ if 'GOST' in p['action_do']:
+ s += GOST_MODULE_ENABLE
if policy.enums['__ems'] == 'RELAX':
s += 'Options = RHNoEnforceEMSinFIPS\n'
return s
diff --git a/scripts/auth_apply.sh b/scripts/auth_apply.sh
new file mode 100755
index 0000000..5b2ecad
@ -3225,5 +3225,5 @@ diff --git a/tests/outputs/LEGACY:AD-SUPPORT-LEGACY-auth.txt b/tests/outputs/LEG
new file mode 100644
index 0000000..e69de29
--
2.43.0
2.44.0
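Review bot: The `if 'GOST' in p['action_do']: s += GOST_MODULE_ENABLE` branch carried by this refreshed patch appears to emit an engine section whose `dynamic_path` depends on the host that runs the generator. The context lines of the patch deleted further down this page show openssl.py choosing `library_path` from `platform.architecture()`, which reports the bitness of the Python interpreter rather than where OpenSSL looks for engines, while the spec keeps `BuildArch: noarch` and its changelog makes openssl-gost-engine a Recommends only. If the back-end configs are generated at build time, the path baked into the system-wide OpenSSL config would be the builder's, and a host without the engine package would be pointed at a `gost.so` that is not installed. I would add a test for the engine-absent case and a comment beside the branch such as `# engine path is fixed when the config is generated; gost.so may be absent (Recommends only)`. The enclosing method starts and ends outside the hunk, and GOST_MODULE_ENABLE is only partly visible on this page.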

@ -1,33 +0,0 @@
diff --git a/python/build-crypto-policies.py b/python/build-crypto-policies.py
index 2eab19b..767209b 100755
--- a/python/build-crypto-policies.py
+++ b/python/build-crypto-policies.py
@@ -66,11 +66,12 @@ def save_config(cmdline, policy_name, config_name, config):
with open(path, mode='r', encoding='utf-8') as f:
old_config = f.read()
if '[gost_section]' in old_config:
- arch, links = platform.architecture()
- if arch == '32bit':
- #Make test expected file same for x86 and x86_64 systems
- old_config = old_config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so')
+ #Make test expected file same for x86 and x86_64 systems
+ old_config = old_config.replace('dynamic_path = /usr/lib/engines-3/gost.so', 'dynamic_path = /usr/lib64/engines-3/gost.so')
+ print('Replace of GOST done')
if old_config != config:
+ print ("------------------------------------------------------------expected----------------------------------------------\n%s------------------------------------------------------------expected----------------------------------------------\n" % old_config)
+ print ("------------------------------------------------------------got----------------------------------------------\n%s------------------------------------------------------------expected----------------------------------------------\n" % config)
eprint(f'Config for {config_name} for policy {policy_name} '
'differs from the existing one')
return False
diff --git a/python/policygenerators/openssl.py b/python/policygenerators/openssl.py
index 75940d8..6d97ff3 100644
--- a/python/policygenerators/openssl.py
+++ b/python/policygenerators/openssl.py
@@ -27,6 +27,7 @@ arch, links = platform.architecture()
library_path = '64'
if arch == '32bit':
library_path = ''
+print("I got such arch: %s" % arch)
GOST_MODULE_ENABLE = '''
[openssl_init]

@ -1,4 +1,5 @@
%global git_commit b972148fd57556f86921a85c960b8808a8a09291
%global git_date 20240202
%global git_commit 283706dbc258f4ac0b19b3291bc18f9b691b222f
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
%global _python_bytecompile_extra 0
@ -26,16 +27,20 @@
%endif
Name: crypto-policies
Version: 20230731
Release: 1.git94f0e2c%{?dist}.1.inferit.4
Version: %{git_date}
Release: 1.git%{git_commit_hash}%{?dist}.inferit
Summary: System-wide crypto policies
License: LGPLv2+
License: LGPL-2.1-or-later
URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
# For RHEL-9.3 we use the upstream branch rhel9.3 and are freezing version at 20230731-1.git94f0e2c.
# For RHEL-9 we use the upstream branch rhel9.
Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
Patch1: 0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch
Patch2: 0001-Added-tests-fix-for-9.4-version.patch
%if 0%{?rhel} >= 10
ExclusiveArch: %{java_arches} noarch
%endif
BuildArch: noarch
BuildRequires: asciidoc
BuildRequires: libxslt
@ -251,17 +256,36 @@ end
%{_mandir}/man8/fips-finish-install.8*
%changelog
* Sat Feb 10 2024 Alexey Berezhok <alexey.berezhok@msvsphere-os.ru> - 20230731-1.git94f0e2c.1.inferit.4
* Mon May 13 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 20240202-1.git283706d.inferit
- Added GOST policy also added experimental PAM generator
- Use Recommends: openssl-gost-engine instead of Requires
* Thu Feb 08 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 20230731-1.git94f0e2c.1.inferit.3
- Use Recommends: openssl-gost-engine instead of Requires.
* Fri Feb 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240202-1.git283706d
- fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot
- fips-finish-install: Create/remove /etc/system-fips on ostree systems
- java: disable ChaCha20-Poly1305 where applicable
* Tue Jan 23 2024 Alexey Berezhok <alexey.berezhok@msvsphere-os.ru> - 20230731-1.git94f0e2c.1.inferit.2
- Added GOST policy also added experimental PAM generator
* Mon Nov 13 2023 Clemens Lang <cllang@redhat.com> - 20231113-1.gite9247c2
- fips-mode-setup: Fix test for empty /boot (RHEL-11350)
- fips-mode-setup: Avoid 'boot=UUID=' if /boot == / (RHEL-11350)
* Thu Nov 09 2023 Clemens Lang <cllang@redhat.com> - 20231109-1.git0ceff7f
- Restore support for scoped ssh_etm directives (RHEL-15925)
- Print matches in syntax deprecation warnings (RHEL-15925)
* Wed Nov 08 2023 Clemens Lang <cllang@redhat.com> - 20231108-1.git994ae09
- turn ssh_etm into an etm@SSH tri-state (RHEL-15925)
- fips-mode-setup: increase chroot-friendliness (RHEL-11350)
- fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350)
* Mon Oct 16 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20231016-1.git77ceb0b
- openssl: fix SHA1 and NO-ENFORCE-EMS interaction
- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
* Wed Sep 20 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230731-1.git94f0e2c.1
* Wed Sep 20 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230920-1.git8dcf74d
- OSPP subpolicy: tighten beyond reason for OSPP 4.3
- fips-mode-setup: more thorough --disable, still unsupported
* Mon Jul 31 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230731-1.git94f0e2c
- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
@ -279,8 +303,8 @@ end
- openssl: set Groups explicitly
- openssl: add support for Brainpool curves
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 20221215-1.git9a18988
- Rebuilt for MSVSphere 9.1.
* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 20221215-1.git9a18988
- Rebuilt for MSVSphere 9.2 beta
* Thu Dec 15 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20221215-1.git9a18988
- bind: expand the list of disableable algorithms
