Compare commits

...

No commits in common. 'c9' and 'i9-beta' have entirely different histories.
c9 ... i9-beta

@ -1 +1 @@
d43a8ec9893ba0079437515360db8b2483bb0351 SOURCES/crypto-policies-git626aa59.tar.gz ebca51d3017ee207680f9ae109e49ed78e8f479b SOURCES/crypto-policies-git94f0e2c.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/crypto-policies-git626aa59.tar.gz SOURCES/crypto-policies-git94f0e2c.tar.gz

@ -1,37 +1,71 @@
%global git_date 20240828 %global git_date 20230731
%global git_commit 626aa590f9c1ffe7ce108952e9449f22a642cca2 %global git_commit 94f0e2c4f7ebf2b1513b405d11227bae79ffe070
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
%global _python_bytecompile_extra 0 %global _python_bytecompile_extra 0
# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
%if 0%{?rhel} == 9
# RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced,
%global MIN_RSA_NAME RequiredRSASize
%elif 0%{?rhel} == 10
# ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2
%if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5"
%global MIN_RSA_NAME RequiredRSASize
%elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2"
%global MIN_RSA_NAME RSAMinSize
%else
%global MIN_RSA_NAME none
%endif
%else
# some other distro, follow autodetection which checks for openssh >= 9.1
%if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1"
%global MIN_RSA_NAME RequiredRSASize
%else
%global MIN_RSA_NAME none
%endif
%endif
Name: crypto-policies Name: crypto-policies
Version: %{git_date} Version: %{git_date}
Release: 2.git%{git_commit_hash}%{?dist} Release: 1.git%{git_commit_hash}%{?dist}.inferit.2
Summary: System-wide crypto policies Summary: System-wide crypto policies
License: LGPL-2.1-or-later License: LGPLv2+
URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies URL: https://gitlab.com/redhat-crypto/fedora-crypto-policies
# For RHEL-9 we use the upstream branch rhel9. # For RHEL-9 we use the upstream branch rhel9.
Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz Source0: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/archive/%{git_commit_hash}/%{name}-git%{git_commit_hash}.tar.gz
Patch1: 0001-Added-GOST-policy-also-added-experimental-PAM-genera.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: openssl BuildRequires: openssl
BuildRequires: nss-tools BuildRequires: nss-tools
BuildRequires: gnutls-utils BuildRequires: gnutls-utils >= 3.6.0
BuildRequires: openssh-clients BuildRequires: java-1.8.0-openjdk-devel
BuildRequires: java-devel
BuildRequires: bind BuildRequires: bind
BuildRequires: python3-devel >= 3.9 BuildRequires: perl-interpreter
BuildRequires: perl-generators
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
BuildRequires: perl(File::Which)
BuildRequires: python3-devel >= 3.6
BuildRequires: python3-pytest BuildRequires: python3-pytest
BuildRequires: make BuildRequires: make
Conflicts: openssl-libs < 1:3.0.1-10 Conflicts: openssl < 1:3.0.1-10
Conflicts: nss < 3.90.0 Conflicts: nss < 3.90.0
Conflicts: libreswan < 3.28 Conflicts: libreswan < 3.28
Conflicts: openssh < 8.7p1-24 Conflicts: openssh < 8.7p1-24
%if 0%{?rhel} == 10
Conflicts: gnutls < 3.7.2-3
%else
Conflicts: gnutls < 3.7.6-22 Conflicts: gnutls < 3.7.6-22
%endif
Recommends: openssl-gost-engine
Requires: authselect
Requires: findutils
%description %description
This package provides pre-built configuration files with This package provides pre-built configuration files with
@ -59,9 +93,20 @@ to enable or disable the system FIPS mode.
%build %build
sed -i \ sed -i \
"s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \ "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \
python/policygenerators/openssh.py python/policygenerators/openssh.py
grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py
%if 0%{?rhel} == 10
# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch
sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
python/policygenerators/nss.py tests/nss.py
sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
# currently ELN/RHEL gnutls do not carry the tls-session-hash patch
sed -i "s/'GNUTLS_NO_TLS_SESSION_HASH', '0'/'GNUTLS_NO_TLS_SESSION_HASH', '1'/" \
python/policygenerators/gnutls.py
sed -i "/^tls-session-hash =/d" tests/outputs/*FIPS*.txt
%endif
%make_build %make_build
@ -74,6 +119,7 @@ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/ mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/policies/modules/
mkdir -p -m 755 %{buildroot}%{_bindir} mkdir -p -m 755 %{buildroot}%{_bindir}
mkdir -p -m 755 %{buildroot}/var/log/crypto-cmc/
make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
@ -98,7 +144,16 @@ done
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
%check %check
make test SKIP_LINTING=1 # RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
%if "%{MIN_RSA_NAME}" == "none"
sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt
%elif "%{MIN_RSA_NAME}" == "RSAMinSize"
sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt
%else
[ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
%endif
make ON_RHEL9=1 test
%post -p <lua> %post -p <lua>
if not posix.access("%{_sysconfdir}/crypto-policies/config") then if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@ -144,6 +199,11 @@ end
%dir %{_sysconfdir}/crypto-policies/policies/ %dir %{_sysconfdir}/crypto-policies/policies/
%dir %{_sysconfdir}/crypto-policies/policies/modules/ %dir %{_sysconfdir}/crypto-policies/policies/modules/
%dir %{_datarootdir}/crypto-policies/ %dir %{_datarootdir}/crypto-policies/
%dir %{_sysconfdir}/authselect/custom/sssd_gost/
%dir %{_sysconfdir}/authselect/custom/minimal_gost/
%dir /var/log/crypto-cmc
%{_sysconfdir}/authselect/custom/sssd_gost/*
%{_sysconfdir}/authselect/custom/minimal_gost/*
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config %ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
@ -160,6 +220,7 @@ end
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config %ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/auth.config
# %verify(not mode) comes from the fact # %verify(not mode) comes from the fact
# these turn into symlinks and back to regular files at will, see bz1898986 # these turn into symlinks and back to regular files at will, see bz1898986
@ -171,19 +232,20 @@ end
%{_datarootdir}/crypto-policies/DEFAULT %{_datarootdir}/crypto-policies/DEFAULT
%{_datarootdir}/crypto-policies/FUTURE %{_datarootdir}/crypto-policies/FUTURE
%{_datarootdir}/crypto-policies/FIPS %{_datarootdir}/crypto-policies/FIPS
%{_datarootdir}/crypto-policies/GOST-ONLY
%{_datarootdir}/crypto-policies/GOST-ONLY-PAM
%{_datarootdir}/crypto-policies/back-ends %{_datarootdir}/crypto-policies/back-ends
%{_datarootdir}/crypto-policies/default-config %{_datarootdir}/crypto-policies/default-config
%{_datarootdir}/crypto-policies/reload-cmds.sh %{_datarootdir}/crypto-policies/reload-cmds.sh
%{_datarootdir}/crypto-policies/policies %{_datarootdir}/crypto-policies/policies
%{_libexecdir}/fips-setup-helper
%license COPYING.LESSER %license COPYING.LESSER
%files scripts %files scripts
%{_bindir}/update-crypto-policies %{_bindir}/update-crypto-policies
%{_mandir}/man8/update-crypto-policies.8* %{_mandir}/man8/update-crypto-policies.8*
%{_datarootdir}/crypto-policies/python %{_datarootdir}/crypto-policies/python
%{_datarootdir}/crypto-policies-scripts/auth_apply.sh
%{_bindir}/fips-mode-setup %{_bindir}/fips-mode-setup
%{_bindir}/fips-finish-install %{_bindir}/fips-finish-install
@ -191,60 +253,14 @@ end
%{_mandir}/man8/fips-finish-install.8* %{_mandir}/man8/fips-finish-install.8*
%changelog %changelog
* Tue Sep 17 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-2.git626aa59 * Sat Feb 10 2024 Alexey Berezhok <alexey.berezhok@msvsphere-os.ru> - 20230731-1.git94f0e2c.inferit.2
- release bump - Added GOST policy also added experimental PAM generator
* Wed Aug 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-1.git626aa59 * Thu Feb 08 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 20230731-1.git94f0e2c.inferit.1
- fips-mode-setup: small Argon2 detection fix - Use Recommends: openssl-gost-engine instead of Requires
* Thu Aug 22 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240822-1.gitbaf3e06 * Tue Jan 23 2024 Alexey Berezhok <alexey.berezhok@msvsphere-os.ru> - 20230731-1.git94f0e2c.inferit
- fips-mode-setup: block if LUKS devices using Argon2 are detected - Added GOST policy also added experimental PAM generator
* Thu Aug 15 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240815-1.gite217f03
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- fips-setup-helper: add a libexec helper for anaconda
- fips-mode-setup: force --no-bootcfg when UKI is detected
* Mon Mar 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240304-1.gitb1c706d
- packaging: remove perl build-dependency, it's not needed anymore
- packaging: use newly introduced SKIP_LINTING=1
- packaging: drop stale workarounds
* Fri Feb 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240202-1.git283706d
- fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot
- fips-finish-install: Create/remove /etc/system-fips on ostree systems
- java: disable ChaCha20-Poly1305 where applicable
* Mon Nov 13 2023 Clemens Lang <cllang@redhat.com> - 20231113-1.gite9247c2
- fips-mode-setup: Fix test for empty /boot (RHEL-11350)
- fips-mode-setup: Avoid 'boot=UUID=' if /boot == / (RHEL-11350)
* Thu Nov 09 2023 Clemens Lang <cllang@redhat.com> - 20231109-1.git0ceff7f
- Restore support for scoped ssh_etm directives (RHEL-15925)
- Print matches in syntax deprecation warnings (RHEL-15925)
* Wed Nov 08 2023 Clemens Lang <cllang@redhat.com> - 20231108-1.git994ae09
- turn ssh_etm into an etm@SSH tri-state (RHEL-15925)
- fips-mode-setup: increase chroot-friendliness (RHEL-11350)
- fips-mode-setup: Fix usage with --no-bootcfg (RHEL-11350)
* Mon Oct 16 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20231016-1.git77ceb0b
- openssl: fix SHA1 and NO-ENFORCE-EMS interaction
- bind: fix a typo that led to duplication of ECDSAPxxxSHAxxx
* Wed Sep 20 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230920-1.git8dcf74d
- OSPP subpolicy: tighten beyond reason for OSPP 4.3
- fips-mode-setup: more thorough --disable, still unsupported
* Mon Jul 31 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230731-1.git94f0e2c * Mon Jul 31 2023 Alexander Sosedkin <asosedkin@redhat.com> - 20230731-1.git94f0e2c
- krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones - krb5: sort enctypes mac-first, cipher-second, prioritize SHA-2 ones
@ -262,6 +278,9 @@ end
- openssl: set Groups explicitly - openssl: set Groups explicitly
- openssl: add support for Brainpool curves - openssl: add support for Brainpool curves
* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 20221215-1.git9a18988
- Rebuilt for MSVSphere 9.2 beta
* Thu Dec 15 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20221215-1.git9a18988 * Thu Dec 15 2022 Alexander Sosedkin <asosedkin@redhat.com> - 20221215-1.git9a18988
- bind: expand the list of disableable algorithms - bind: expand the list of disableable algorithms

Loading…
Cancel
Save